
Weird DNS issue; any help?


I have a Windows 2000 domain with a couple of 2003 Member Servers, including an Exchange Server.  The domain controller is 2000.  There is another domain that we use for testing, which is running via Virtual Server.  In the drop-down list for domains on a client machine, it shows.  (I thought that might be important.)

Many of our client PCs cannot connect to the 2003 Servers via NetBIOS name or DNS name.  There are times when, if I ping the full name including the suffix, it will work.  This is a sporadic issue too, which makes it tougher to chase down.  The DNS server is obviously the domain controller, and it has the correct records for these two servers.

Why could this be happening?  I'm having to go around and add hosts file entries which I don't like doing!  :)
1 Solution
This could be due to the client and/or servers in your LAN that have the ISP DNS address on their NICs rather than your own DNS.

Just to confirm:

1)  No ISP DNS address anywhere - on any NIC - inside your LAN.
2)  All zones in DNS set to accept Dynamic Updates (Secure if only used for your domain-joined PCs).
3)  All zones are AD Integrated.
4)  On the Forwarder tab - this is the only place to enter the ISP DNS addresses.
5)  DHCP should be checked to ensure the subnet mask, gateway and DNS entries are correct.  Options 003, 005 and 006 should be set.

Let us know.
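As an added check for item 1 on that list (example code written for this page, not the answer author's), the script below parses the text of `ipconfig /all` from a client and flags every DNS server on every NIC that is not one of the domain's own DNS servers. The sample output, the DC address 192.168.10.5, the subnets and the 203.0.113.53 resolver are all constructed; run it against real `ipconfig /all` output collected from the clients that cannot reach the 2003 servers.

```python
import ipaddress
import re

# Constructed `ipconfig /all` output from a client PC (sample data made up for
# this example, not taken from the question). Adapter 1 lists the AD DNS server
# first and an outside-LAN resolver second; adapter 2 points at the DNS server of
# the separate Virtual Server test domain.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example.local
        IP Address. . . . . . . . . . . . : 192.168.10.57
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.1
        DNS Servers . . . . . . . . . . . : 192.168.10.5
                                            203.0.113.53

Ethernet adapter Virtual Server Test:

        IP Address. . . . . . . . . . . . : 10.20.0.15
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        DNS Servers . . . . . . . . . . . : 10.20.0.2
"""

ADAPTER_RE = re.compile(r"^(\S.*?):\s*$")                      # unindented "xxx adapter Name:"
KEY_VALUE_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")           # indented "Key . . . : value"
BARE_IP_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")  # continuation line with only an IP


def parse_dns_servers(text):
    """Return {adapter name: [DNS server addresses in search order]}."""
    adapters = {}
    current = None
    in_dns_list = False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            # "Ethernet adapter Local Area Connection" -> "Local Area Connection"
            current = re.sub(r"^\w+ adapter ", "", m.group(1))
            adapters[current] = []
            in_dns_list = False
            continue
        if current is None:
            continue
        m = KEY_VALUE_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            # Extra DNS servers follow on their own indented lines, so remember
            # that we are inside the "DNS Servers" entry until the next key.
            in_dns_list = key.startswith("DNS Servers")
            if in_dns_list and value:
                adapters[current].append(value)
            continue
        m = BARE_IP_RE.match(line)
        if m and in_dns_list:
            adapters[current].append(m.group(1))
    return adapters


def audit_dns_servers(text, approved_dns, internal_networks):
    """Flag every DNS server on every NIC that is not an approved AD DNS server.

    approved_dns: the domain's own DNS servers (here: the 2000 DC).
    internal_networks: the LAN subnets; a resolver outside all of them is the
    classic "ISP DNS on the NIC" mistake, one inside them is some other box.
    Returns a list of (adapter, server, reason) tuples; empty means clean.
    """
    approved = {ipaddress.ip_address(a) for a in approved_dns}
    lans = [ipaddress.ip_network(n) for n in internal_networks]
    findings = []
    for adapter, servers in parse_dns_servers(text).items():
        if not servers:
            findings.append((adapter, None, "no DNS server configured"))
        for server in servers:
            ip = ipaddress.ip_address(server)
            if ip in approved:
                continue
            if any(ip in lan for lan in lans):
                reason = "inside the LAN but not an AD DNS server"
            else:
                reason = "outside the LAN: an ISP resolver knows nothing about the AD zones"
            findings.append((adapter, server, reason))
    return findings


if __name__ == "__main__":
    for adapter, server, reason in audit_dns_servers(
        SAMPLE_IPCONFIG,
        approved_dns=["192.168.10.5"],                          # hypothetical DC address
        internal_networks=["192.168.10.0/24", "10.20.0.0/24"],  # hypothetical LAN subnets
    ):
        print(f"{adapter}: {server} -> {reason}")
```

The second finding (the test domain's DNS server on a NIC) is reported separately from the outside-LAN case because it needs a different decision: it is inside the LAN, but it is still not a server that holds the production domain's zones.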

wylde342 (Author) commented:
I believe you might have it, Net.  Just to make sure, the Forwarder tab is in the properties of the DNS server, correct?

Yes, you are correct.

wylde342 (Author) commented:

That was the fix.  Points!  If you wouldn't mind, why would that cause the issue?  There is no internet address for these unreachable servers?

What specifically out of the list did you change?

I'll take a guess that you had ISP addressing internally.

You have to understand AD a bit to understand why the ISP DNS server should not be used internally.  Starting in Windows 2000 with the introduction of AD, domains became DNS-based.  What this means in general terms is that your clients will now ALWAYS look to the DNS server when they are trying to find a service for domain-based transactions.  These services are Kerberos, LDAP, KPassword, and even DNS itself - to name only a few.  Anything that is a service creates a service (SRV) record in DNS to help client computers find resources in the domain.

If you introduce the ISP DNS into the network then the client will attempt to do a domain-based lookup to find a service from the ISP's server.  Since the ISP's server has absolutely no idea what is internal to your network then all internal lookups fail.  Since AD depends on DNS, then your clients cannot function within the domain since they cannot find the services they require.

You always use your internal DNS for everything inside your network.  The Forwarder simply tells your DNS server to send anything it cannot resolve and that it is NOT authoritative for (think your AD namespace) to an upstream server (your ISP).  This "Forwarding" is how your internal network is able to resolve Internet namespaces since they do not exist on your server.

Hope this helps a bit.
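To make the two paragraphs above concrete, here is an added toy model (written for this page; it is neither the answerer's code nor real DNS software) of the resolution chain described: an internal DNS server that is authoritative for the AD zone and has the ISP's resolver only as a forwarder, versus a client that points straight at the ISP. The domain name corp.example.local, the hosts dc1 and exch1, and all addresses are constructed. The model also shows one detail the text only implies: a name that is missing from a zone the server is authoritative for gets an authoritative NXDOMAIN and is never forwarded.

```python
# Toy model of the resolution chain the answer describes: an AD-integrated DNS
# server authoritative for the domain zone, with the ISP's resolver entered only
# on the Forwarder tab, versus a client that points straight at the ISP. All
# names and addresses below are constructed for this example.

AD_DOMAIN = "corp.example.local"     # hypothetical AD namespace
DC_NAME = "dc1." + AD_DOMAIN


class DnsServer:
    """Answers from its own zones; forwards or refuses everything else."""

    def __init__(self, name, zones, forwarder=None, recursive=False):
        self.name = name
        self.zones = zones          # {zone: {qname: (rtype, rdata)}}
        self.forwarder = forwarder  # upstream DnsServer, i.e. the Forwarder tab
        self.recursive = recursive  # True for the ISP: it can walk the public tree

    def zone_for(self, qname):
        """Longest zone this server is authoritative for, or None."""
        for zone in sorted(self.zones, key=len, reverse=True):
            if qname == zone or qname.endswith("." + zone):
                return zone
        return None

    def resolve(self, qname, rtype):
        """Return (rcode, rdata, name of the server that produced the answer)."""
        zone = self.zone_for(qname)
        if zone is not None:
            # Authoritative answer: never forwarded, even when the name is missing.
            rec = self.zones[zone].get(qname)
            if rec is None:
                return ("NXDOMAIN", None, self.name)
            if rec[0] != rtype:
                return ("NODATA", None, self.name)
            return ("ANSWER", rec[1], self.name)
        if self.forwarder is not None:
            return self.forwarder.resolve(qname, rtype)
        if self.recursive:
            # The public DNS tree has no idea about a private AD namespace.
            return ("NXDOMAIN", None, self.name)
        return ("SERVFAIL", None, self.name)


# The ISP's resolver: knows public names, nothing about corp.example.local.
ISP_RESOLVER = DnsServer(
    "isp-resolver",
    {"example.com": {"www.example.com": ("A", "203.0.113.10")}},
    recursive=True,
)

# The 2000 DC: AD-integrated zone with host and SRV records, ISP as forwarder.
INTERNAL_DNS = DnsServer(
    "dc1",
    {AD_DOMAIN: {
        DC_NAME: ("A", "192.168.10.5"),
        "exch1." + AD_DOMAIN: ("A", "192.168.10.20"),
        "_ldap._tcp.dc._msdcs." + AD_DOMAIN: ("SRV", "0 100 389 " + DC_NAME),
        "_kerberos._tcp." + AD_DOMAIN: ("SRV", "0 100 88 " + DC_NAME),
    }},
    forwarder=ISP_RESOLVER,
)


def compare_resolvers(qname, rtype):
    """Same query through the DC (with forwarder) and straight at the ISP."""
    return {
        "via_dc": INTERNAL_DNS.resolve(qname, rtype),
        "via_isp": ISP_RESOLVER.resolve(qname, rtype),
    }


if __name__ == "__main__":
    for qname, rtype in [
        ("_ldap._tcp.dc._msdcs." + AD_DOMAIN, "SRV"),  # DC locator record
        ("exch1." + AD_DOMAIN, "A"),                   # the member server
        ("www.example.com", "A"),                      # an Internet name
    ]:
        for path, (rcode, rdata, who) in compare_resolvers(qname, rtype).items():
            print(f"{qname:45} {rtype:3} {path:8} {rcode:8} {rdata or ''} ({who})")
```

Through the DC, the SRV and host lookups are answered locally and the Internet name comes back via the forwarder; straight at the ISP, the same SRV lookup is NXDOMAIN, which is exactly the state in which a domain member cannot locate Kerberos or LDAP.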
