Group Policy/DNS

Posted on 2004-11-25
Last Modified: 2010-03-18
I have a problem with Group Policy not working and someone suggested that I might have a DNS problem on my domain controller, so here I am.

When I try nslookup using my DC it times out.

Can anyone help check if my dns is set up ok?


Question by:daveamour
    LVL 70

    Expert Comment

    by:Chris Dent

    Just a few basics first then...

    Do you only have one Server?

    If so...

    In DNS Manager on your server do you have a Forward Lookup Zone for your domain?

    In Reverse Lookup Zones, do you have a zone for your IP Range?

    In your IP Configuration (for both the Server and any PCs), do you use the Server as the Primary DNS?

    In the properties for your Zone, is Dynamic Updates enabled and set to Secure Updates only?

    Do you have any problems getting external address (for browsing the web and such)?
    LVL 19

    Author Comment


    1 server

    I have a forward lookup zone but no reverse lookup zone

    I don't use the server as the DNS.  I have a router with DHCP and I use that.  Tried using the server as DNS but it didn't work.

    Dynamic updates, secure only, is enabled in the forward lookup zone.

    I browse the web fine using the router as DNS.  Using nslookup with the server times out though.

    LVL 70

    Accepted Solution


    For Active Directory (and consequently Group Policy) to function you must use the local server as DNS. Afraid that part isn't optional.

    So instead we can see if the local DNS can be set-up to work for the rest of your network.

    Does the Server itself use the local DNS? If not that's the first thing you need to change. Once you've done it go to the command prompt and run:

    ipconfig /registerdns

    Then load DNS Manager and check and see if there's an Address Record for your server. At this point you should also check and see if it's figured out the Reverse Lookup Zone.

    If it hasn't, under Reverse Lookup Zones can you add a new Active Directory Integrated zone for your IP Range?

    Once that's done head back to the command prompt and type (ignore the C:\> and > bits, they just represent the command prompts you'll get):

    C:\> nslookup

    When you first connect to NSLookup it tries to connect to the first DNS listed in your IP Configuration. If it times out here then some information is still missing from the zones in DNS Manager.

    If it gives you a new prompt:

    >

    Then try typing in:

    > your-server-name-here
    > your-servers-ip-address



    And see what errors, if any, it pops up with.

    If it works internally but doesn't for something like can you confirm that your server is allowed to go out on Port 53 through your router. Can you also see what's listed under the Forwarders and Root Hints tabs in the Properties for your DNS Server (DNS Manager)?

    If you haven't set anything up you should have 13 (I think) entries under Root Hints and nothing under Forwarders.
    LVL 70

    Expert Comment

    by:Chris Dent

    One update to the above. You can use another device or server as DNS, however there are requirements for Active Directory:

    1. The DNS must support Service Records
    2. The DNS should ideally support Dynamic Updates

    It's possible to make it work with only 1, however, you'd have to manually add all the Service Records for the Domain (these are used to locate the Domain Controller for things like Kerberos authentication (logon servers), Directory updates and other services) - generally not fun so 2 becomes more of a requirement.
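    The checks above (is the DC its own DNS server, does it have an A record and a reverse zone, can names be resolved internally and externally, is port 53 open to the outside) together with the Service Record requirement in this comment can be scripted as one read-only health check. The script below is an added example and is not from the thread or from the poster; it assumes a domain-joined DC on Windows Server 2012 or later (where `Resolve-DnsName`, `Get-DnsClientServerAddress` and `Test-NetConnection` exist), reads the domain and host names from the machine, and uses a constructed placeholder address for the upstream router/forwarder.

```powershell
# Added example: read-only DNS health check for an Active Directory domain controller.
# Not from the original thread. Run in an elevated PowerShell session on the DC.
# Assumptions: Windows Server 2012+, domain-joined; $Upstream is a placeholder.
param(
    [string]$Domain   = (Get-CimInstance Win32_ComputerSystem).Domain,  # e.g. corp.example.com
    [string]$DcName   = $env:COMPUTERNAME,
    [string]$Upstream = '203.0.113.53'   # constructed placeholder: your router or forwarder
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Name, [bool]$Ok, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail })
}

# 1. The DC must use itself (or another AD DNS server) as its first DNS server, not the router.
$local = (Get-NetIPAddress -AddressFamily IPv4 |
          Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }).IPAddress
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
$first = $dnsServers | Select-Object -First 1
Add-Check 'Primary DNS is the DC itself' ($first -in $local -or $first -eq '127.0.0.1') "first DNS server = $first"

# 2. Forward (A) record for the DC; this is what "ipconfig /registerdns" creates.
try {
    $a = Resolve-DnsName -Name "$DcName.$Domain" -Type A -Server $first -ErrorAction Stop
    Add-Check 'A record for DC' $true ($a.IPAddress -join ', ')
} catch { Add-Check 'A record for DC' $false $_.Exception.Message }

# 3. Reverse (PTR) lookup for each local address; fails when there is no reverse zone for the subnet.
foreach ($ip in $local) {
    try {
        $ptr = Resolve-DnsName -Name $ip -Type PTR -Server $first -ErrorAction Stop
        Add-Check "PTR for $ip" $true ($ptr.NameHost -join ', ')
    } catch { Add-Check "PTR for $ip" $false 'no reverse zone or no PTR record' }
}

# 4. Service (SRV) records clients use to locate the DC for LDAP, Kerberos and the global catalog.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_gc._tcp.$Domain"
)
foreach ($srv in $srvNames) {
    try {
        $r = Resolve-DnsName -Name $srv -Type SRV -Server $first -ErrorAction Stop |
             Where-Object { $_.Type -eq 'SRV' }
        $targets = ($r | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        Add-Check "SRV $srv" ([bool]$r) $targets
    } catch { Add-Check "SRV $srv" $false 'missing: clients cannot locate the DC through DNS' }
}

# 5. External resolution through the DC (Forwarders or Root Hints) and TCP 53 reachability upstream.
try {
    $ext = Resolve-DnsName -Name 'www.example.com' -Type A -Server $first -ErrorAction Stop
    Add-Check 'External name via DC' $true ($ext.IPAddress -join ', ')
} catch { Add-Check 'External name via DC' $false 'check Forwarders / Root Hints and outbound port 53' }
$tcp53 = Test-NetConnection -ComputerName $Upstream -Port 53 -WarningAction SilentlyContinue
Add-Check "TCP 53 to $Upstream" $tcp53.TcpTestSucceeded 'UDP 53 is not covered by Test-NetConnection'

$results | Format-Table -AutoSize
```

    Every check is a query only; nothing is changed on the server. A failed "Primary DNS" row is the situation described in this thread (router used as DNS), a failed PTR row means the reverse zone is still missing, and failed SRV rows mean the Service Records that Active Directory needs have not been registered, which is what `ipconfig /registerdns` plus a restart of the Netlogon service normally fixes once the DC points at itself.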
    LVL 19

    Author Comment


    I got a technical friend to have a look at this and he did some messing around and managed to get things working.  Not sure what he did, but I did do the ipconfig /registerdns prior to him having a look and then we did a reboot and everything's working.  He said the ipconfig /registerdns probably was the key.

    Thanks very much for your help.

    LVL 70

    Expert Comment

    by:Chris Dent

    Pleasure, glad it's working :)
