Solved

Clients not registering in correct DNS zone in Active Directory

Posted on 2004-10-22
Last Modified: 2008-09-18
My workstations (1500+) are not registering in the correct DNS zone in Active Directory:

Here's the scenario-

We have ONE Active Directory zone
It has multiple DNS 'subzones' for each physical site (NOT other domains in a trust relationship)
Each 'subzone' is related to the IP subnet that each site has
Multiple DHCP scopes (each with the correct DNS suffix) hand out IP addresses to each site
(ip helper-address on Cisco router)

Three 2003 Active Directory servers centrally located

The following are TRUE statements
Each XP machine is getting the RIGHT IP address from the right DHCP scope for that site
Each XP machine is getting the RIGHT DNS suffix from the right DHCP scope for that site
The DHCP server is updating the DNS server (same server, actually) correctly for REVERSE lookup-
that is, the IP address of the workstation goes into the right reverse lookup zone.


Where things go wrong:

As XP clients register with the DNS server, they are all going into the 'top-level' zone - not the DNS zone associated with their own site, in spite of the fact that they are registering from the right IP subnet and with the correct DNS suffix

Problems occurring:
XP clients can no longer do DNS lookups on hostname alone- they must use the FQDN to find a hostname that _should_ be in their own local zone (would be if they were registering correctly)-
this means that several hundred workstations now cannot print...
Question by:acsit
19 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12380450

Are the computers appearing in DNS as

<hostname>.<sitename>?

It's not the clients themselves providing the updates because DHCP Clients don't support that. Instead the DHCP Server is adding all those PCs to DNS.

Are all your Zone Files AD Integrated? Or just primary zones?

Or are they just sub folders of the main zone file?

Can clients ping between computers on the same site? That is, can computer1.site1 ping computer2.site1?
 

Author Comment

by:acsit
ID: 12381466
>>Are the computers appearing in DNS as

>><hostname>.<sitename>?

Hmm... I'm looking in the actual zonefiles, so they just appear as hostnames (the zone file itself describes the rest of the <.sitename>)

>>It's not the clients themselves providing the updates because DHCP Clients don't support that. Instead the DHCP Server is >>adding all those PCs to DNS.

Ah, OK- that makes sense...


>>Are all your Zone Files AD Integrated? Or just primary zones?

Yes- "Active Directory-Integrated" on the Properties tab of any given zonefile.



>>Can clients ping between computers on the same site? That is, can computer1.site1 ping computer2.site1?

Hmm.. will try to check this-
At this time, we have printers that we manually create in each subzone-
Hosts not in that subzone can't ping the printer in the subzone (that the PC is _supposed_ to be in)
My own workstation is in that 'top-level' zone, and I can ping various of the workstations listed there-
If I try to ping one of the printers in another subzone, I have to use the FQDN, as expected...

So it's working like it looks like- the  question is why isn't the DHCP server (or the client) putting PCs in the right subzone based on the DHCP scope that was used to give the PC an IP address....


 
LVL 71

Expert Comment

by:Chris Dent
ID: 12381662

Sub zone placement aside (not quite sure on the answer to that one yet).

To get them to ping correctly by hostname only you might have to add each subdomain to the DNS search list.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12381894

Okay... a few things to try...

We need to check if the resolver is dependent on a Search List to get the right answers. From your computer try:

nslookup

Then:

nosearch
<enter a name for a PC on the same domain level>
<enter a name for a PC in a subdomain>

Then try:

search
<enter a name for a PC on the same domain level>
<enter a name for a PC in a subdomain>

Let me know if they all resolve correctly?
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12382005

Ack... sorry.. those commands should be:

set search
and
set nosearch
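The check Chris describes with nslookup, done as an added PowerShell example (this is not code from the thread; it assumes the DnsClient module of Windows 8 / Server 2012 or later, the zone names acsit gives later in the thread, and a placeholder server name). Querying each candidate <name>.<zone> as an explicit multi-label name is the equivalent of `set nosearch`, because the client's suffix search list is only applied to a bare short name; resolving the short name afterwards is the equivalent of `set search`. Comparing the two tells "the record sits in the wrong zone" apart from "the record is fine but my search list does not cover that zone". One fact worth keeping in mind while reading the results: a Windows client registers its own A record under its primary DNS suffix (the AD domain name in the computer's full computer name), and the connection-specific suffix handed out by DHCP is used for registration only when "Use this connection's DNS suffix in DNS registration" is enabled on the adapter, so the zone a host lands in is decided by that setting rather than by which DHCP scope it came from.

```powershell
# Added example for this thread; not part of the original discussion.
# Assumes: the DnsClient module (Windows 8 / Server 2012 or later) and the zone
# names used later in the thread. The server name is a placeholder.

$Zones = @(                                   # candidate zones; order is irrelevant here
    'city.k12.state.us',
    'elemschool.city.k12.state.us',
    'middle.city.k12.state.us',
    'high.city.k12.state.us'
)

function Find-HostZone {
    <#
      Equivalent of nslookup 'set nosearch': query <name>.<zone>. for every
      candidate zone as a fully qualified name (trailing dot), so the client's
      own suffix search list is never applied. Emits one object per zone that
      actually holds an A record for the short name.
    #>
    param(
        [Parameter(Mandatory)] [string]   $ShortName,
        [string[]] $ZoneList = $Zones,
        [string]   $Server = $null        # e.g. 'dc1.city.k12.state.us' (placeholder)
    )
    if ($ShortName -match '\.') { throw "Pass a short host name, not an FQDN: $ShortName" }
    foreach ($zone in $ZoneList) {
        $fqdn  = "$ShortName.$zone"
        $query = @{ Name = "$fqdn."; Type = 'A'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($Server) { $query.Server = $Server }
        $a = Resolve-DnsName @query | Where-Object { $_.Type -eq 'A' }
        if ($a) {
            [pscustomobject]@{
                ShortName = $ShortName
                Zone      = $zone
                FQDN      = $fqdn
                IPAddress = ($a.IPAddress -join ', ')
            }
        }
    }
}

function Test-SuffixSearch {
    <#
      Equivalent of nslookup 'set search': resolve the bare short name with the
      client's normal suffix handling, then compare with what Find-HostZone saw.
      ZonesNotSearched lists zones that hold the record but are absent from the
      client's suffix search list, which is exactly the "must use the FQDN" case.
    #>
    param([Parameter(Mandatory)] [string] $ShortName)

    $where    = @(Find-HostZone -ShortName $ShortName)
    $search   = Resolve-DnsName -Name $ShortName -Type A -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' }
    $suffixes = @((Get-DnsClientGlobalSetting).SuffixSearchList)

    [pscustomobject]@{
        ShortName        = $ShortName
        RegisteredIn     = ($where.Zone -join ', ')
        ResolvesByName   = [bool]$search
        ResolvedAs       = ($search.Name | Select-Object -First 1)
        ClientSearchList = ($suffixes -join ', ')
        ZonesNotSearched = (@($where.Zone | Where-Object { $_ -notin $suffixes }) -join ', ')
    }
}

# Usage: the printer from the thread, and a workstation that landed in the top zone
Test-SuffixSearch -ShortName 'printerhp4100' | Format-List
Test-SuffixSearch -ShortName 'petlab26'      | Format-List
```

On an XP-era client the cmdlets are not available; the nslookup sequence above gives the same information, with `ipconfig /all` showing the suffix search list and `ipconfig /registerdns` forcing a fresh registration once the adapter setting has been changed.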
 

Author Comment

by:acsit
ID: 12383394
Made no difference Chris-

I tried one of the servers, which is in my same zone, and that worked fine both times.

I tried 'dicofchplj1200' which is an A record in one of the school subzones....

that was 'no go' both with and without 'set search' and 'set nosearch'

I tried passing set search the zonefile to search....

btw- This used to work-
I think you might be on the right track as to why

the zone 'city.k12.nc.us'
and the zone 'elemschool.city.k12.nc.us'
aren't both searching each other...

 
LVL 71

Expert Comment

by:Chris Dent
ID: 12383441

Yeah, the folders I have no idea with. I've only done subdomains on Linux and BIND I'm afraid.

But the Search Order is important for them to be able to get addresses from the subdomains.

You should be able to add a Search List in nslookup with:

set srchlist=city.k12.nc.us/elemschool.city.k12.nc.us

Then maybe try again with

set search
and
set nosearch

It may be that you have to push out a DNS Search List to all your clients. A bit of a pain, but there are ways to do it.
 

Author Comment

by:acsit
ID: 12383590
well, that srchlist did make my local PC start finding things in other zones.. so that's the right idea- the PCs aren't able to hunt in other zones if needed...

I don't know if it's possible to 'send out' a srchlist for Windows...

I think there's some problem with the AD DNS configuration- this feels like a server-side problem.. especially since it worked before...

Of course, the REAL problem is why aren't the PCs getting put into the right DNS zonefile...
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12383676

It is possible to push one out. One sec, I'll find some links to it.

Here we go:

http://support.microsoft.com/default.aspx?scid=kb;en-us;275553

Let me know if you need any help with scripting that at all.

I'm not sure I'll be able to help much with the second bit, as far as I'm concerned all those folders do is change the Origin (to elemschool.city.k12.nc.us instead of city.k12.nc.us for instance). Why it isn't filing them into the right place is a little puzzling. Has that ever worked?

I assume at the moment it's just adding them to the main section with both the hostname and the subdomain name?

Like:

Computer1.elemschool

Is that correct?
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12383707

Just a thought...

You could actually push the registry setting for the Search List out with Group Policy if you're interested?

It requires a customized policy, but it should be possible.
 
LVL 11

Expert Comment

by:WeHe
ID: 12387455
Did you configure the domain name option on your DHCP?
Is the FQDN entered as the PC name? (left click on "My computer" -> Properties -> Computer Name -> Change -> More)
Did you enable "Register this connection's addresses in DNS" in the Properties of the TCP/IP protocol?
Disable the DNS update feature of your DHCP Server.
Does any of the above help?
 

Author Comment

by:acsit
ID: 12474536
Just an update-

Still not awarding points on this since no one has suggested what's wrong with the way MS DNS is registering workstations
(WeHe got close, but no actual solution)

Now, one set of clients works right- they are able to do what I'll term 'cross-zonefile' lookups by specifying hostname only-
the DNS server correctly figures out that the hostname is actually in a different zonefile and supplies the answer-
but it does so like this

True statements:
Workstation 'petlab26' has a DNS suffix of 'jones.elemschool.city.k12.state.us'

The DNS snapin shows that the workstation's A record in DNS is in the top-level (name of domain)
'city.k12.state.us' (rather than the workstation being listed in the forward zone 'elemschool.city.k12.state.us' as it seems that it should be, based on its IP address and DNS suffix)

pinging the workstation resolves it as 'petlab26.city.k12.state.us' NOT what it should be 'elemschool.city.k12.state.nc.us'
(ie, pinging returns exactly what DNS says)

If I ask a workstation (in the city.k12.state.us zonefile) for a host 'jobpetm410' (a manually created A record that is IN the elemschool.city.k12.state.us zonefile) it cannot resolve it.
If I then ping or nslookup by FQDN, it works...


I need to figure out why clients aren't getting placed in their correct zonefile.

I have checked the things mentioned by WeHe, and nothing helped there
(sorry for the late response WeHe, we've ALSO had a virus attack us, so I'd gotten a little distracted from this)

Anyone have any other ideas on why workstations do not get registered with the correct DNS zonefile based on the one handed them by DHCP?
 
LVL 11

Expert Comment

by:WeHe
ID: 12475919
just saw this:
> It has multiple DNS 'subzones' for each physical site
you can use subzones only for subdomains inside your AD.
it is not supported to use sub-dns-zones in a single forest, single domain configuration.
as they do now, all clients would register in the top-level zone of your AD.
the reverse zone only fits because the DHCP servers are updating it (in the wrong zone)
 

Author Comment

by:acsit
ID: 12476094
so you mean that in order to have the following zones

city.k12.state.us  (also the name of the domain)
elemschool.city.k12.state.us -one of the elementary schools
middle.city.k12.state.us - the middle school
high.city.k12.state.us - the high school.

What you're saying is that AD will never register PCs in anything except the
city.k12.state.us zone?

We had planned to have the PCs (and printers, and other network devices at each school)
be listed in their own zonefile, so that direct hostname lookup would be possible if you're a PC at
elemschool.city.k12.state.us
you can find the printer in your lab (printerhp4100.elemschool.city.k12.state.us)
by just the hostname 'printerhp4100'
 but if you're a PC in some other zone, like 'middle.city....' you have to specify that printer at the elementary school by
printerhp4100.elemschool.city.k12.state.us in order to get to it..

This is how I've understood DNS to work -
Changing that involves messing with the 'search domain' (at least in Bind 9, with which I'm most familiar)

IF I understand you right, I'm OK with that I guess- it's not as organized as I'd like, but I'll live with that..

The question pertains then, where in MS DNS are the settings to allow ALL the subzones to 'search' each other, such that
_no_ device registered in ANY of the subzones (certainly not in the 'top-level' zone)
have to use FQDN...

Once upon a time it was this way- now it's not that way....
I was looking at this from the point of view that having all the PCs showing up in 'city.k12.state.us' was wrong, and I should fix the 'real' problem, not just fix the 'search' problem...


Gotcha on the reverse lookups, btw - that makes sense...
 
LVL 11

Accepted Solution

by:WeHe
WeHe earned 1000 total points
ID: 12476650
city.k12.state.us  <- this is your root domain
elemschool.city.k12.state.us  <- this can only be used as a child domain in ad
middle.city.k12.state.us <- this can only be used as child domain in ad
high.city.k12.state.us <- this can only be used as child domain in ad

you have to create a new w2k3 child domain for each sub domain you want to use in dns

>What you're saying is that AD will never register PCs in anything except the
>city.k12.state.us zone?
yes

this is configured on each client with "domain search order" entries.
you find this in tcp-ip settings -> advanced -> dns.
Enter your wanna-search-domains here :)
 
LVL 11

Expert Comment

by:WeHe
ID: 12476671
> The question pertains then, where in MS DNS are the settings to allow ALL the subzones to 'search' each other, such that
> _no_ device registered in ANY of the subzones (certainly not in the 'top-level' zone)
> have to use FQDN...

this is configured on each client with "domain search order" entries.
you find this in tcp-ip settings -> advanced -> dns.
Enter your wanna-search-domains here :)
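Chris's suggestion of pushing the search list through the registry (KB 275553) or a policy, and WeHe's accepted answer of entering the search domains under TCP/IP settings -> Advanced -> DNS, are the same setting seen from different sides. The added PowerShell example below (not code from the thread, from the KB article, or from Microsoft) writes the comma-delimited SearchList value the KB describes, shows whether a domain policy value is overriding it, and verifies that every zone the clients must reach is actually on the list in use. It assumes the zone names from the thread and an elevated session; the policy path is the one the "DNS Suffix Search List" policy under Computer Configuration -> Administrative Templates -> Network -> DNS Client writes, which is how the same list is pushed by GPO. Two caveats a practitioner should keep in mind: suffixes are tried in order, and the first zone in that order holding a matching name wins, so only zones where name registration is restricted to trusted parties belong on the list (with dynamic updates, any host allowed to register in a zone can claim an unused short name there and answer for it); and every failed short-name lookup is retried once per suffix, so the list should be short and the local site's zone should come first.

```powershell
# Added example for this thread; not code from the thread, KB 275553 or Microsoft.
# Assumes the zone names used in the thread and an elevated session on the client.
# The DnsClient cmdlets need Windows 8 / Server 2012 or later; on older clients
# use 'ipconfig /flushdns' and 'ipconfig /all' for the same two steps.
#Requires -RunAsAdministrator

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'   # written by the GPO setting

# Order matters: the resolver tries suffixes first to last, so the local site's zone
# goes before the top-level zone where every workstation currently registers.
$SiteSearchList = @(
    'elemschool.city.k12.state.us',
    'city.k12.state.us',
    'middle.city.k12.state.us',
    'high.city.k12.state.us'
)

function Set-DnsSuffixSearchList {
    param([Parameter(Mandatory)] [string[]] $Suffix, [switch] $WhatIf)
    foreach ($s in $Suffix) {
        # The value is comma-delimited; a stray comma or space would silently split a suffix.
        if ($s -notmatch '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$') {
            throw "Not a valid DNS suffix: '$s'"
        }
    }
    $value = $Suffix -join ','
    $old   = (Get-ItemProperty -Path $TcpipParams -Name SearchList -ErrorAction SilentlyContinue).SearchList
    if ($WhatIf) { return "Would set SearchList='$value' (was '$old')" }
    Set-ItemProperty -Path $TcpipParams -Name SearchList -Value $value -Type String
    Clear-DnsClientCache          # drop negative answers cached before the change
    return $value
}

function Get-EffectiveSearchList {
    # A policy-delivered value wins over the local one; report both so you know which applies.
    $policy = (Get-ItemProperty -Path $PolicyKey   -Name SearchList -ErrorAction SilentlyContinue).SearchList
    $local  = (Get-ItemProperty -Path $TcpipParams -Name SearchList -ErrorAction SilentlyContinue).SearchList
    [pscustomobject]@{
        PolicySearchList = $policy
        LocalSearchList  = $local
        InUse            = ((Get-DnsClientGlobalSetting).SuffixSearchList -join ',')
    }
}

function Test-SearchListCoverage {
    # One row per zone that must be reachable by short name, with whether it is searched.
    param([Parameter(Mandatory)] [string[]] $ZoneThatMustResolve)
    $inUse = @((Get-DnsClientGlobalSetting).SuffixSearchList)
    foreach ($z in $ZoneThatMustResolve) {
        [pscustomobject]@{ Zone = $z; Searched = ($z -in $inUse) }
    }
}

Set-DnsSuffixSearchList -Suffix $SiteSearchList -WhatIf
Set-DnsSuffixSearchList -Suffix $SiteSearchList
Get-EffectiveSearchList | Format-List
Test-SearchListCoverage -ZoneThatMustResolve $SiteSearchList | Format-Table -AutoSize
```

On current Windows the same local value can be set with `Set-DnsClientGlobalSetting -SuffixSearchList $SiteSearchList`; the registry form is shown because it is what KB 275553 describes and what a login script for the XP clients in the thread would have to write. Because each site needs its own zone first in the order, the list is per site rather than one global value, which is why a site-linked GPO (or a per-scope script) fits better than a single domain-wide policy.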
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1000 total points
ID: 12476684

Setting search domains on the clients is back above again ;)

For DNS as a whole... BIND is better than Windows DNS in my opinion, but it's more of an AD requirement you're looking at here than DNS functionality.
 

Expert Comment

by:yccdadmins
ID: 22502169
Gentlemen,

I am currently dealing with this exact same issue. I have read the posts and was unable to determine if you had found a solution? In my situation, I need the subzones to allow remote administrators the ability to update their own zones without touching the top zone. At this time I do not want to create subdomains - not needed right now and we have third party application restrictions.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22509217

Hey,

Ahh that was a long time ago...

Active Directory?

And are the sub-zones actual sub-domains / child domains in Active Directory?

If they're sub-zones and not part of a child domain you don't stand much chance of getting it to work.

Chris