Group Policy/DNS

I have a problem with Group policy not working and soemone suggested that I might have a DNS problem on my domain controller so here I am.

When I try nslookup using my DC it times out.

Can anyone help check if my dns is set up ok?

Thanks

Dave
LVL 19
daveamourAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Chris DentPowerShell DeveloperCommented:

Just a few basics first then...

Do you only have one Server?

If so...

In DNS Manager on your server do you have a Forward Lookup Zone for your domain?

In Revese Lookup Zones, do you have a zone for your IP Range?

In your IP Configuration (for both the Server and any PCs), do you use the Server as the Primary DNS?

In the properties for your Zone, is Dynamic Updates enabled and set to Secure Updates only?

Do you have any problems getting external address (for browsing the web and such)?
0
daveamourAuthor Commented:
Hi

1 server

I have a forward lookup zone but no reverse lookup zone

I dont use the server as the DNS.  I have a router with DHCP and I use that.  Tried useing the server as DNS but didn't work.

Dynamic updates, secure only, is enabled in the forward lookup zone.

I browse the web fine using the router as DNS.  Using nslookup with the server timesout though.

0
Chris DentPowerShell DeveloperCommented:

For Active Directory (and consequently Group Policy) to function you must use the local server as DNS. Afraid that part isn't optional.

So instead we can see if the local DNS can be set-up to work for the rest of your network.

Does the Server itself use the local DNS? If not that's the first thing you need to change. Once you've done it go to the command prompt and run:

ipconfig /registerdns

Then load DNS Manager and check and see if there's an Address Record for your server. At this point you should also check and see if it's figured out the Reverse Lookup Zone.

If it hasn't, under Reverse Lookup Zones can you add a new Active Directory Integrated zone for your IP Range?

Once that's done head back to the command prompt and type (ignore the C:\> and > bits, they just represent the command prompts you'll get):

C:\> nslookup

When you first connect to NSLookup it tries to connect to the first DNS listed in your IP Configuration. If it times out here then some information is still missing from the zones in DNS Manager.

If it gives you a new prompt:

>

Then try typing in:

> your-server-name-here
> your-servers-ip-address

Then:

www.google.com

And see what errors, if any, it pops up with.

If it works internally but doesn't for something like www.google.com can you confirm that your server is allowed to go out on Port 53 through your router. Can you also see what's listed under the Forwarders and Root Hints tabs in the Properties for your DNS Server (DNS Manager)?

If you haven't set anything up you should have 13 (I think) entries under Root Hints and nothing under Forwarders.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Chris DentPowerShell DeveloperCommented:

One update to the above. You can use another device or server as DNS, however there are requirements for Active Directory:

1. The DNS must support Service Records
2. The DNS should ideally support Dynamic Updates

It's possible to make it work with only 1, however, you'd have to manually add all the Service Records for the Domain (these are used to locate the Domain Controller for things like Kerberos authentication (logon servers), Directory updates and other services) - generally not fun so 2 becomes more of a requirement.
0
daveamourAuthor Commented:
Hi

I got a technical friend to have a look at this and he did some messing around and managed to get things working.  Not sure what he did but I did do the ipconfig /registerdns prior to him having a look and then we did a reboot and everythings working.  He said the ipconfig /registerdns probably was the key.

Thanks very much for your help.

Dave
0
Chris DentPowerShell DeveloperCommented:

Pleasure, glad it's working :)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Networking

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.