Solved

Clients not registering in correct DNS zone in Active Directory

Posted on 2004-10-22
744 Views
Last Modified: 2008-09-18
My workstations (1500+) are not registering in the correct DNS zone in Active Directory:

Here's the scenario-

We have ONE Active Directory zone
It has multiple DNS 'subzones' for each physical site (NOT other domains in a trust relationship)
Each 'subzone' is related to the IP subnet that each site has
Multiple DHCP scopes (each with the correct DNS suffix) hand out IP addresses to each site
(ip helper-address on Cisco router)

Three 2003 Active Directory servers centrally located

The following are TRUE statements
Each XP machine is getting the RIGHT ip address  from the right DHCP scope for that site
Each XP machine is getting the RIGHT DNS suffix  from the right DHCP scope for that site
The DHCP server is updating the DNS server (same server, actually) correctly for REVERSE lookup-
that is, the IP address of the workstation goes into the right reverse lookup zone.


Where things go wrong:

As XP clients register with the DNS server, they are all going into the 'top-level' zone - not the DNS zone associated with their
own site, in spite of the fact that they are registering from the right IP subnet and with the correct DNS suffix

Problems occurring:
XP clients can no longer do DNS lookups on hostname alone- they must use the FQDN to find a hostname that _should_ be in their own local zone (would be if they were registering correctly)-
this means that several hundred workstations now cannot print...
0
Question by:acsit
    19 Comments
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Are the computers appearing in DNS as

    <hostname>.<sitename>?

    It's not the clients themselves providing the updates because DHCP Clients don't support that. Instead the DHCP Server is adding all those PCs to DNS.

    Are all your Zone Files AD Integrated? Or just primary zones?

    Or are they just sub folders of the main zone file?

    Can clients ping between computers on the same site? That is, can computer1.site1 ping computer2.site1?
    0
     

    Author Comment

    by:acsit
    >>Are the computers appearing in DNS as

    >><hostname>.<sitename>?

    Hmm... I'm looking in the actual zonefiles, so they just appear as hostnames (the zone file itself describes the rest of the <.sitename>).

    >>It's not the clients themselves providing the updates because DHCP Clients don't support that. Instead the DHCP Server is adding all those PCs to DNS.

    Ah, OK- that makes sense...


    >>Are all your Zone Files AD Integrated? Or just primary zones?

    Yes- "Active Directory-Integrated" on the Properties tab of any given zonefile.



    >>Can clients ping between computers on the same site? That is, can computer1.site1 ping computer2.site1?

    Hmm.. will try to check this-
    At this time, we have printers that we manually create in each subzone-
    Hosts not in that subzone can't ping the printer in the subzone (that the PC is _supposed_ to be in)
    My own workstation is in that 'top-level' zone, and I can ping various of the workstations listed there-
    If I try to ping one of the printers in another subzone, I have to use the FQDN, as expected...

    So it's working like it looks like- the  question is why isn't the DHCP server (or the client) putting PCs in the right subzone based on the DHCP scope that was used to give the PC an IP address....


    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Sub zone placement aside (not quite sure on the answer to that one yet).

    To get them to ping correctly by hostname only you might have to add each subdomain to the DNS search list.
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Okay... a few things to try...

    We need to check if the resolver is dependent on a Search List to get the right answers. From your computer try:

    nslookup

    Then:

    nosearch
    <enter a name for a PC on the same domain level>
    <enter a name for a PC in a subdomain>

    Then try:

    search
    <enter a name for a PC on the same domain level>
    <enter a name for a PC in a subdomain>

    Let me know if they all resolve correctly?
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Ack... sorry.. those commands should be:

    set search
    and
    set nosearch
    0
     

    Author Comment

    by:acsit
    Made no difference Chris-

    I tried one of the servers, which is in my same zone, and that worked fine both times.

    I tried 'dicofchplj1200' which is an A record in one of the school subzones....

    that was 'no go' both with and without 'set search' and 'set nosearch'

    I tried passing set search the zonefile to search....

    btw- This used to work-
    I think you might be on the right track as to why

    the zone 'city.k12.nc.us'
    and the zone 'elemschool.city.k12.nc.us'
    aren't both searching each other...

    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Yeah, the folders I have no idea with. I've only done subdomains on Linux and BIND I'm afraid.

    But the Search Order is important for them to be able to get addresses from the subdomains.

    You should be able to add a Search List in nslookup with:

    set srchlist=city.k12.nc.us/elemschool.city.k12.nc.us

    Then maybe try again with

    set search
    and
    set nosearch

    It may be that you have to push out a DNS Search List to all your clients. A bit of a pain, but there are ways to do it.
    0
     

    Author Comment

    by:acsit
    well, that srchlist did make my local PC start finding things in other zones.. so that's the right idea- the PCs aren't able to hunt in other zones if needed...

    I don't know if it's possible to 'send out' a srchlist for Windows...

    I think there's some problem with the AD DNS configuration- this feels like a server-side problem.. especially since it worked before...

    Of course, the REAL problem is why aren't the PCs getting put into the right DNS zonefile...
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    It is possible to push one out. One sec, I'll find some links to it.

    Here we go:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;275553

    Let me know if you need any help with scripting that at all.

    I'm not sure I'll be able to help much with the second bit, as far as I'm concerned all those folders do is change the Origin (to elemschool.city.k12.nc.us instead of city.k12.nc.us for instance). Why it isn't filing them into the right place is a little puzzling. Has that ever worked?

    I assume at the moment it's just adding them to the main section with both the hostname and the subdomain name?

    Like:

    Computer1.elemschool

    Is that correct?
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Just a thought...

    You could actually push the registry setting for the Search List out with Group Policy if you're interested?

    It requires a customized policy, but it should be possible.
    0
     
    LVL 11

    Expert Comment

    by:WeHe
    Did you configure the domainname option on your DHCP?
    Is the FQDN entered as the PC name? (left click on "My computer" -> Properties -> Computer Name -> Change -> More)
    Did you enable "Register this connection's addresses in DNS" in the Properties of the TCP/IP Protocol?
    Disable the DNS update feature of your DHCP Server.
    Does any of the above help?
    0
     

    Author Comment

    by:acsit
    Just an update-

    Still not awarding points on this since no one has suggested what's wrong with the way MS DNS is registering workstations
    (WeHe got close, but no actual solution)

    Now, one set of clients works right- they are able to do what I'll term 'cross-zonefile' lookups by specifying hostname only-
    the DNS server correctly figures out that the hostname is actually in a different zonefile and supplies the answer-
    but it does so like this

    True statements:
    Workstation 'petlab26' has a DNS suffix of 'jones.elemschool.city.k12.state.us'

    The DNS snapin shows that the workstation's A record in DNS is in the top-level (name of domain)
    'city.k12.state.us' (rather than the workstation being listed in the forward zone 'elemschool.city.k12.state.us' as it seems that it should be, based on its IP address and DNS suffix)

    pinging the workstation resolves it as 'petlab26.city.k12.state.us' NOT what it should be 'elemschool.city.k12.state.nc.us'
    (i.e., pinging returns exactly what DNS says)

    If I ask a workstation (in the city.k12.state.us zonefile) for a host 'jobpetm410' (a manually created A record that is IN the elemschool.city.k12.state.us zonefile) it cannot resolve it.
    If I then ping or nslookup by FQDN, it works...


    I need to figure out why clients aren't getting placed in their correct zonefile.

    I have checked the things mentioned by WeHe, and nothing helped there
    (sorry for the late response WeHe, we've ALSO had a virus attack us, so I'd gotten a little distracted from this)

    Anyone have any other ideas on why workstations do not get registered with the correct DNS zonefile based on the one handed them by DHCP?
    0
     
    LVL 11

    Expert Comment

    by:WeHe
    just saw this:
    > It has multiple DNS 'subzones' for each physical site
    you can use subzones only for subdomains inside your AD.
    it is not supported to use sub-dns-zones in a single forest, single domain configuration.
    as they do now, all clients would register in the top-level zone of your AD.
    the reverse zone does only fit, because the dhcp servers are updating it (in the wrong zone)
    0
     

    Author Comment

    by:acsit
    so you mean that in order to have the following zones

    city.k12.state.us  (also the name of the domain)
    elemschool.city.k12.state.us -one of the elementary schools
    middle.city.k12.state.us - the middle school
    high.city.k12.state.us - the high school.

    What you're saying is that AD will never register PCs in anything except the
    city.k12.state.us zone?

    We had planned to have the PCs (and printers, and other network devices at each school)
    be listed in their own zonefile, so that direct hostname lookup would be possible if you're a PC at
    elemschool.city.k12.state.us
    you can find the printer in your lab (printerhp4100.elemschool.city.k12.state.us)
    by just the hostname 'printerhp4100'
     but if you're a PC in some other zone, like 'middle.city....' you have to specify that printer at the elementary school by
    printerhp4100.elemschool.city.k12.state.us in order to get to it..

    This is how I've understood DNS to work -
    Changing that involves messing with the 'search domain' (at least in Bind 9, with which I'm most familiar)

    IF I understand you right, I'm OK with that I guess- it's not as organized as I'd like, but I'll live with that..

    The question pertains then, where in MS DNS are the settings to allow ALL the subzones to 'search' each other, such that
    _no_ device registered in ANY of the subzones (certainly not in the 'top-level' zone)
    have to use FQDN...

    Once upon a time it was this way- now it's not that way....
    I was looking at this from the point of view that having all the PCs showing up in 'city.k12.state.us' was wrong, and I should fix the 'real' problem, not just fix the 'search' problem...


    Gotcha on the reverse lookups, btw - that makes sense...
    0
     
    LVL 11

    Accepted Solution

    by:
    city.k12.state.us  <- this is your root domain
    elemschool.city.k12.state.us  <- this can only be used as a child domain in ad
    middle.city.k12.state.us <- this can only be used as child domain in ad
    high.city.k12.state.us <- this can only be used as child domain in ad

    you have to create a new w2k3 child domain for each sub domain you want to use in dns

    >What you're saying is that AD will never register PCs in anything except the
    >city.k12.state.us zone?
    yes

    this is configured on each client with "domain search order" entries.
    you find this in tcp-ip settings -> advanced -> dns.
    Enter your wanna-search-domains here :)
    0
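    The search-list checks that Chris Dent ran by hand in nslookup (set srchlist / set search) and the "domain search order" setting in the accepted answer, as an added PowerShell example that is not part of this thread. It assumes a Windows 8 / Server 2012 or later client for the DnsClient cmdlets; the zone names are the ones given in the thread, and the printer name is a constructed placeholder. XP-era clients, as covered by the KB article linked above, take the same list from the SearchList registry value instead.

```powershell
# Added example (not from the thread): inspect, test and set the DNS suffix search list.
# Zone names are taken from the thread; 'printerhp4100' is a constructed placeholder.

$Suffixes = @(
    'city.k12.state.us',
    'elemschool.city.k12.state.us',
    'middle.city.k12.state.us',
    'high.city.k12.state.us'
)

# Resolve a short name under every suffix so you can see which zone actually answers,
# and whether the same short name exists in more than one zone (the first suffix wins).
function Test-ShortName {
    param([string]$ShortName, [string[]]$SearchList)
    $hits = foreach ($s in $SearchList) {
        $fqdn = "$ShortName.$s"
        # -DnsOnly skips LLMNR/NetBIOS so the answer reflects the DNS zone content only
        $r = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue
        if ($r) {
            [pscustomobject]@{
                Fqdn    = $fqdn
                Address = (($r | Where-Object Type -eq 'A').IPAddress -join ',')
            }
        }
    }
    if (-not $hits) {
        Write-Warning "$ShortName does not resolve under any suffix in the list"
    } elseif (@($hits).Count -gt 1) {
        Write-Warning "$ShortName exists in more than one zone; the first suffix in the list wins"
    }
    $hits
}

# What this client searches today (empty means: primary suffix and its parents only)
(Get-DnsClientGlobalSetting).SuffixSearchList

# Probe the constructed printer name against every site zone
Test-ShortName -ShortName 'printerhp4100' -SearchList $Suffixes | Format-Table -AutoSize

# Apply the list on this client (needs an elevated session). For a whole fleet the same
# list goes into the SearchList value under
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, which Group Policy can push.
Set-DnsClientGlobalSetting -SuffixSearchList $Suffixes
```

The ambiguity warning is the part worth keeping: with one zone per site, a short name that resolves under several suffixes silently goes to whichever suffix is listed first.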
     
    LVL 11

    Expert Comment

    by:WeHe
    The question pertains then, where in MS DNS are the settings to allow ALL the subzones to 'search' each other, such that
    _no_ device registered in ANY of the subzones (certainly not in the 'top-level' zone)
    have to use FQDN...

    this is configured on each client with "domain search order" entries.
    you find this in tcp-ip settings -> advanced -> dns.
    Enter your wanna-search-domains here :)
    0
     
    LVL 70

    Assisted Solution

    by:Chris Dent

    Setting search domains on the clients is back above again ;)

    For DNS as a whole... BIND is better than Windows DNS in my opinion, but it's more of an AD requirement you're looking at here than DNS functionality.
    0
     

    Expert Comment

    by:yccdadmins
    Gentlemen,

    I am currently dealing with this exact same issue.  I have read the posts and was unable to determine if you had found a solution?  In my situation, I need the subzones to allow remote administrators the ability to update their own zones without touching the top zone.  At this time I do not want to create subdomains - not needed right now and we have third party application restrictions.
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Hey,

    Ahh that was a long time ago...

    Active Directory?

    And are the sub-zones actual sub-domains / child domains in Active Directory?

    If they're sub-zones and not part of a child domain you don't stand much chance of getting it to work.

    Chris
    0
