Solved

New Subnet and DNS problems

Posted on 2005-04-11
Last Modified: 2012-06-22
Our Network is all XP workstations and 2003 Servers.  We have static IPs set up on the 192.168.1.x network.  There are 2 Domain Controllers running AD.  Both DCs are DNS servers and are on the 192.168.1.x subnet.

I have configured our routers and Firewall for the 192.168.0.0/24 subnet (192.168.0.1 - 192.168.0.254).

When I configure an XP workstation with a 192.168.0.x IP address, I cannot join the Domain.  From the Workstation, I can ping the DNS/DCs only by IP address.  I can access nslookup but when I run a query I get "server failed". The workstation's IP is not registering in DNS.  I can, however, enter the Domain FQDN (mydomain.lcl) and join our Domain.

If I have a workstation on the 192.168.1.x subnet, I can join the domain without the FQDN (mydomain)

Any reason why I have to enter the FQDN on the 192.168.0.x subnet and not on the 192.168.1.x subnet?
Question by:daveyd123
16 Comments
 
LVL 7

Expert Comment

by:corneliup
ID: 13759904
Can you detail a little bit the physical layout of your network?
Between the 192.168.0.x network and the 192.168.1.x network there has to be a router. It seems that this router doesn't let the DNS updates pass through.
Also, do you have a reverse lookup zone in the DNS for the 192.168.0.x network, and is it updated?
It seems that the DNS is not able to find a PTR record for the 192.168.0.x workstations to map the IP address to the FQDN.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13760259

All client machines have a DNS Suffix Search Order. If you don't have your domain name listed, and generally if you're not a member of the domain you won't, then it will be unable to resolve the name without you typing in the FQDN. The same applies to resolution of the Domain Name itself.

Now if they were all on the same subnet, or rather, not separated by a Firewall (which very probably doesn't relay broadcast traffic), then you probably wouldn't notice this as it falls back on NetBIOS resolution via Broadcast to pick up the names.

When you join the domain the Domain Name is configured on the PC and from then on it should happily be able to resolve by just computer name.

For registering in DNS you must make sure your DNS allows dynamic registration ("ipconfig /registerdns" will force a registration attempt) and of course make sure your Firewall allows the traffic through.
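The suffix-search behaviour Chris describes above, as an added example that is not part of the original thread: a simplified model of how a Windows-style resolver turns a bare computer name into the FQDNs it actually queries. The zone contents, host names (dc1, dc2) and addresses are constructed for the example.

```python
"""Constructed example: how a DNS suffix search list turns a bare
computer name into the FQDNs a client actually queries.  The zone
contents, host names and addresses below are made up."""

# Constructed forward zone for mydomain.lcl (assumed names/addresses).
ZONE = {
    "dc1.mydomain.lcl.": "192.168.1.10",
    "dc2.mydomain.lcl.": "192.168.1.11",
}


def dns_candidates(name: str, suffix_list: list) -> list:
    """Return the fully qualified names a Windows-style resolver would
    try, in order, for `name` (simplified model).

    - A name ending in '.' is already fully qualified: try it as-is.
    - A single-label name (no dots) is only ever tried with each suffix
      from the search list appended; with an empty list there is no
      DNS query to make at all, which is the situation of a workstation
      that has not yet joined the domain.
    - A multi-label name is tried as-is first, then with suffixes.
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{s.strip('.')}." for s in suffix_list]
    if "." in name:
        return [name + "."] + suffixed
    return suffixed


def resolve(name: str, suffix_list: list, zone: dict = ZONE):
    """Look up `name` in the constructed zone via the candidate list.
    Returns (fqdn, address) on success, or None when every candidate
    misses, which is the point at which Windows falls back to NetBIOS
    (broadcast or WINS) resolution."""
    for fqdn in dns_candidates(name, suffix_list):
        if fqdn in zone:
            return fqdn, zone[fqdn]
    return None


if __name__ == "__main__":
    # Not yet joined, no suffix: "dc1" produces no DNS query at all.
    print(resolve("dc1", []))
    # Typed FQDN: works regardless of the suffix list.
    print(resolve("dc1.mydomain.lcl", []))
    # After joining (or with a search list configured): bare name works.
    print(resolve("dc1", ["mydomain.lcl"]))
```

The empty-suffix case is the one in the question: a workstation that is not yet a domain member has nothing to append, so a bare name never reaches DNS and the only remaining path is NetBIOS broadcast, which a router will not carry.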
 
LVL 9

Expert Comment

by:joedoe58
ID: 13760292
Hi,
As both previous posts indicate, you have to have some sort of routing between both your subnets and a gateway address entered in the workstations so that they can reach the router. You also have to open up ports for any traffic involved in intranet communication.
 
LVL 1

Author Comment

by:daveyd123
ID: 13763795
The 192.168.0.x and the 192.168.1.x subnets are on the same router located in the same building.  Both the 1.x and 0.x are listed as secondary on the router.

I have a Reverse lookup zone setup for the 192.168.0.x and 192.168.1.x subnets

Like I said, I can join any workstation on the 192.168.1.x subnet by using the NetBIOS name (mydomain) with no DNS suffix attached.

On the 192.168.0.x subnet (on the same local router and firewall) I have to use the FQDN (mydomain.lcl) to join the Domain.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13764424

If they're defined as separate subnets the traffic goes through the router, regardless of whether or not the physical network is the same. Remember broadcast traffic is sent to the network broadcast address, i.e. 192.168.0.255 and 192.168.1.255 respectively.

If you had 192.168.0/23 then it wouldn't touch the router. But with 192.168.0/24 and 192.168.1/24 the router cannot be skipped - something has to tell the traffic where it's supposed to go.

So.... broadcast traffic will not be getting through unless you have set it up to relay on the router. And for anyone on the 192.168.0/24 network you either have to use the FQDN or give it a DNS suffix search list - both achieve the same end result.
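The /23 versus two /24s argument above, worked through as an added example that is not part of the original thread. It uses Python's standard `ipaddress` module; the workstation and DC addresses are constructed, chosen only to sit on the two subnets the question describes.

```python
"""Constructed example: why two /24 networks on one router do not share
a broadcast domain, while a single /23 would.  Addresses are made up."""
import ipaddress


def broadcast_address(host: str, prefixlen: int) -> str:
    """Directed broadcast address of the subnet `host` sits in."""
    iface = ipaddress.ip_interface(f"{host}/{prefixlen}")
    return str(iface.network.broadcast_address)


def same_broadcast_domain(host_a: str, host_b: str, prefixlen: int) -> bool:
    """True when both hosts fall in the same IP network, i.e. a NetBIOS
    broadcast from one reaches the other without any router involvement."""
    net_a = ipaddress.ip_interface(f"{host_a}/{prefixlen}").network
    net_b = ipaddress.ip_interface(f"{host_b}/{prefixlen}").network
    return net_a == net_b


def explain(workstation: str, dc: str, prefixlen: int) -> str:
    """One-line verdict following the reasoning in the thread."""
    if same_broadcast_domain(workstation, dc, prefixlen):
        return (f"{workstation}/{prefixlen} and {dc}/{prefixlen} share "
                f"broadcast {broadcast_address(dc, prefixlen)}: "
                "NetBIOS broadcast name resolution can work")
    return (f"{workstation}/{prefixlen} broadcasts to "
            f"{broadcast_address(workstation, prefixlen)} but "
            f"{dc}/{prefixlen} listens on "
            f"{broadcast_address(dc, prefixlen)}: broadcasts stop at the "
            "router, so use the FQDN or a DNS suffix search list")


if __name__ == "__main__":
    # Constructed addresses: a workstation on the new subnet and a DC.
    print(explain("192.168.0.50", "192.168.1.10", 24))
    print(explain("192.168.0.50", "192.168.1.10", 23))
```

With /24 masks the two hosts compute different broadcast addresses and the router is the only path between them; with a /23 both land in 192.168.0.0/23 and share 192.168.1.255, so the same broadcast-based name lookup that works on 192.168.1.x today would work from 192.168.0.x too.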
 
LVL 7

Accepted Solution

by:
corneliup earned 400 total points
ID: 13769715
If the interface on the router and the interface on the server are on the same layer 2 device (switch), as I understand there are secondary interfaces defined on the router, then the easiest way to solve this is to put a secondary IP address from the 192.168.0.x network on the server, so the packets from the 192.168.0.x network will reach the server directly. You will also have to configure the DNS to listen on the new address.
 
LVL 1

Author Comment

by:daveyd123
ID: 13776236
I added 192.168.0.2 to the DC/DNS server1 and 192.168.0.3 to the DC/DNS server2

From a workstation not yet joined to the domain and with a 192.168.0.x IP address, I can ping both servers using IP addresses.  I cannot ping them using their NETBIOS names.  I can ping them using the FQDN.

Even with the above configuration, I still cannot join the Domain using NETBIOS (mydomain) while on the 192.168.0.x subnet...only join the Domain by FQDN (mydomain.lcl).

We even have 7 other subnets (192.168.2.x, 3.x, 4.x, 5.x, 6.x, 7.x) in our WAN that can use (mydomain) instead of (mydomain.lcl) when joining the Domain.
 
LVL 9

Expert Comment

by:joedoe58
ID: 13776492
Did you check the routing table on the switch to make sure that you do have routing between the two subnets?
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13776711

Routing must be in place for pings and DNS traffic to get through.

I would still point the finger at no relaying of Broadcast traffic over the router.
 
LVL 1

Author Comment

by:daveyd123
ID: 13780697
Routing is definitely set up.  I had the router guy force broadcasts from the 192.168.0.x subnet to the 192.168.1.x subnet on the router....still no luck.
 
LVL 1

Author Comment

by:daveyd123
ID: 13780717
Now with a secondary IP on each of the DC/DNS servers, I am getting an error message in Event Viewer that a duplicate name exists on the Network
 
LVL 1

Author Comment

by:daveyd123
ID: 13780765
One more thing...

When I added the secondary IPs to the Domain Controllers/DNS servers, the IPs (192.168.0.2, 192.168.0.3) registered themselves in DNS as Host (A) records and are set to update the associated PTR record....but in the Reverse Lookup 0.168.192.in-addr.arpa, the PTR record is not present.  The only records that are in the reverse lookup are the SOA and 2 NS.
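A check for the forward/reverse mismatch described in the post above (A records present, PTR records absent from 0.168.192.in-addr.arpa), as an added example that is not part of the original thread. It derives the reverse zone and PTR owner names with Python's standard `ipaddress` module and compares two constructed zone tables; the host names and the extra `fileserver` entry are made up.

```python
"""Constructed example: derive the reverse zone and PTR owner name for
an address, then report which A records have no matching PTR.  The zone
contents are made up."""
import ipaddress


def reverse_zone_name(network: str) -> str:
    """Name of the in-addr.arpa zone covering a /8, /16 or /24 network,
    e.g. '192.168.0.0/24' -> '0.168.192.in-addr.arpa.'"""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("classful reverse zones only (/8, /16, /24)")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_name(address: str) -> str:
    """Owner name of the PTR record for `address`."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def missing_ptrs(forward: dict, reverse: dict) -> list:
    """Return (fqdn, address, expected_ptr_owner) for every A record whose
    PTR is absent or points at a different name."""
    problems = []
    for fqdn, address in forward.items():
        owner = ptr_name(address)
        if reverse.get(owner) != fqdn:
            problems.append((fqdn, address, owner))
    return problems


# Constructed zone data: the two DCs' secondary 192.168.0.x addresses have
# A records, but the 0.168.192.in-addr.arpa zone holds only SOA/NS, so no
# PTRs exist for them.  A third host with a correct PTR shows the checker
# is not flagging everything.
FORWARD = {
    "dc1.mydomain.lcl.": "192.168.0.2",
    "dc2.mydomain.lcl.": "192.168.0.3",
    "fileserver.mydomain.lcl.": "192.168.1.20",
}
REVERSE = {
    "20.1.168.192.in-addr.arpa.": "fileserver.mydomain.lcl.",
}

if __name__ == "__main__":
    print("zone for the new subnet:", reverse_zone_name("192.168.0.0/24"))
    for fqdn, addr, owner in missing_ptrs(FORWARD, REVERSE):
        print(f"{fqdn} ({addr}) has no PTR at {owner}")
```

On a real server the same comparison can be made from an export of the forward and reverse zones; a host listed by `missing_ptrs` is one whose dynamic PTR update either never arrived or was refused by the zone's update policy.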
 
LVL 7

Expert Comment

by:corneliup
ID: 13788250
Check in the properties of the reverse zone whether and how you allow dynamic updates. You must accept them, and select Nonsecure and secure or Secure only depending on how you set up communications between your workstations and the server.
Also, under Security, check that you have the appropriate rights for authenticated users.
And finally, on the workstations the DNS settings must point to the new 192.168.0.x addresses on the servers.
In my network I have DHCP, and configured it to update the DNS records for both forward and reverse zones, so I never had this kind of issue.
 
LVL 1

Author Comment

by:daveyd123
ID: 13789929
I wish we had DHCP, it would make my life 10x easier but for some reason my boss wants all static.  

Everything is set up in DNS correctly.  I did find out that, the 2 subnets being on the same router, the router is having issues with passing NETBIOS from one subnet to the other.  If the 2 subnets were on different routers, it would be easier to accomplish.  I think for now, I am going to inform my people to just use the FQDN when joining anything to the Domain.
 
LVL 9

Expert Comment

by:joedoe58
ID: 13791761
Do you have "Enable NetBIOS over TCP/IP" selected on the workstations?
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13793079

FQDN is more secure...

Really it would be better (both in terms of security and network load) to deny broadcast over the routers.

A bit situational though...
