DNS/Active Directory Communication Breakdown

Win2003 Server Std. SP1 installed on Dell PowerEdge 1800 as Domain Controller, primary with no subforests. Can add Win2k and NT 4.0 clients w/o a problem. But when trying to add WinXP Pro SP2 clients, first logon takes over 3 minutes. Next symptom: for both W2k and WinXP clients, in Manage Computer, cannot add Domain Users to local Administrators group -- get "Processing of object Domain Users failed with the following error: the specified domain does not exist or could not be contacted." I've used the wizard to set up DNS but seem to feel that DNS is either misconfigured or the source of the problem. Am I on the right track?
Very probably; I guess you're using your ISP's DNS in your TCP/IP settings somewhere.
First make sure the Windows Firewall Service is disabled (the service itself, not just disabled in Control Panel) on your XP SP2 machines.
Then configure your DNS like this:

*** TCP/IP-Settings ***
* On your DC/DNS, make sure the only DNS listed in the TCP/IP properties is itself.
* On your domain members, enter *only* your DC as primary DNS.
* Do NOT enter your ISP's DNS server in the TCP/IP settings on any domain member. All DNS resolution needs to be done by your internal DNS server(s) *only*.

*** DNS Server Settings ***
* Delete the root zone (if present) in your DNS servers' forward lookup zones (the single dot, "."), to enable external lookups.
* Right-click your forward and reverse lookup zones, go to Properties, and make sure that Dynamic Updates are enabled.
* In the properties page of your DNS servers, configure forwarders to point to your ISP's DNS. The forwarders section is the *only* entry in your network where your ISP's DNS should be listed.
* It's recommended (but not necessary) to set your zones to Active Directory integrated (this can be done in the properties of the zones as well).

Once you've checked this, open a command prompt and enter "ipconfig /registerdns", then stop and restart the Netlogon service. Check if the SRV records have been created (see link below).
For further troubleshooting, you can use dcdiag.exe and netdiag.exe (W2k3 Support Tools) to check your system for errors in the domain setup.

* 10 DNS Errors That Will Kill Your Network
* Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS
* Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
* How to Verify the Creation of SRV Records for a Domain Controller
* SRV Resource Records May Not Be Created on Domain Controller
* How Domain Controllers Are Located in Windows
* How Domain Controllers Are Located in Windows XP
* HOW TO: Configure DNS for Internet Access in Windows Server 2003
* HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003

Kevin Hays, IT Analyst, commented:
Very good post oBdA !

rsmcomputer (Author) commented:

Our DNS was configured correctly, without our ISP's DNS servers.  Apparently, the wizard glitched when creating the original zone.  Here's what I found: The root zone had no folders nor records below it (such as CNAME, etc.).  Running DCDIAG, however, really shined light on the issue as it indicated little or no communication with AD.  Instead of our server name (TNTSERVER) at the front of the FQDN, it listed a long serial number.  
I decided to start over with DNS and recreated the zone.  After following your suggestions on configuring the DNS Server, restarting DNS Server service, all folders and records recreated normally and DNS began to communicate properly with the clients.
However, I still notice that running NSLOOKUP generates the error message:

    Can't find server name for address Non-existent domain
    Default server: unknown
    Server address:

Since I've seen this most every time I run NSLOOKUP on other, seemingly normally operating, domains, I'm not sure of the concern, but I am curious as to the reason. Any input would be greatly treasured!

Thanks again.
The error message is mostly harmless.
All you have to do to get rid of it is create a reverse lookup zone for your network (enable dynamic updates there as well).
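The checks oBdA describes above (internal-only DNS in TCP/IP settings, no root zone, SRV records present after registering) and the missing-PTR cause of the NSLOOKUP message can be scripted as a verification pass. This is an added example, not code from the thread; it assumes PowerShell 2.0 or later with nslookup.exe and dnscmd.exe on the path, and the DC name, DC address and domain name below are placeholders to replace with your own values.

```powershell
# Added verification script (not from the thread). Placeholders: $DcName, $DcIp, $DomainFqdn.
$DcName     = 'DC01'          # placeholder: hostname of the DC/DNS server
$DcIp       = '192.0.2.10'    # placeholder: internal DNS server address every member should use
$DomainFqdn = 'corp.example'  # placeholder: the AD DNS domain name

$problems = @()

# 1. TCP/IP settings: every IP-enabled adapter must list only the internal DNS server,
#    never the ISP's resolver.
foreach ($adapter in (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True')) {
    $servers = @($adapter.DNSServerSearchOrder | Where-Object { $_ })
    if ($servers.Count -eq 0) { $problems += "Adapter '$($adapter.Description)' has no DNS server set" }
    foreach ($s in $servers) {
        if ($s -ne $DcIp) { $problems += "Adapter '$($adapter.Description)' lists non-internal DNS $s" }
    }
}

# 2. DNS server settings: a root zone "." makes the server authoritative for everything,
#    so forwarders are never consulted. dnscmd /EnumZones lists the zone name as the first token.
$zones = & dnscmd $DcName /EnumZones 2>&1
if ($zones | Select-String -Pattern '^\s*\.\s') {
    $problems += 'Root zone "." exists on the DNS server; delete it so external lookups can be forwarded'
}

# 3. SRV records: the DC locator record XP clients query at logon. A successful answer
#    from nslookup -type=SRV includes a "svr hostname" line.
$srv = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainFqdn" $DcIp 2>&1
if (-not ($srv | Select-String -Pattern 'svr hostname')) {
    $problems += "No _ldap._tcp.dc._msdcs SRV record for $DomainFqdn; run ipconfig /registerdns and restart Netlogon"
}

# 4. Reverse lookup: nslookup's "Can't find server name for address" message means the
#    DNS server's own IP has no PTR record, i.e. no reverse lookup zone exists for the subnet.
$ptr = & nslookup $DcIp $DcIp 2>&1
if ($ptr | Select-String -Pattern "Non-existent domain|can't find") {
    $problems += "No PTR record for $DcIp; create a reverse lookup zone with dynamic updates enabled"
}

if ($problems.Count -eq 0) { 'All DNS checks passed' } else { $problems }
```

Run it on the DC and on one affected client; the client run only reports on checks 1, 3 and 4 meaningfully, since dnscmd must be aimed at the DNS server itself.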