• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 442
  • Last Modified:

Windows 2000 DC DNS needs help

I am expereincing lots of connectivity issues in a small Win 2000 domain with Win XP Pro workstations.

The server has been in place for a long time and I do not have access to the individual who set it up, but it appears that the DNS server is the problem. The ISP is Birch and for some crazy reason the DC machine is named viper.birch.net, but the domain is named hance. DHCP is coming from the Birch DSL router, which I do not yet have a password for so that I could turn this off and use the DC server provide DHCP. In the meantime I have given the workstations static IP addresses and given them the DC server's IP for their DNS server.

When I look at the the DNS on the server there is one foward lookup zone, but it doesn't seem to have the records that should be there (services like kerberos, kpassword, ldap, etc. are missing) Accordingly, I don't think there is any way the workstations can access the Active Directory, and this is what is causing the connectivity problems.

I don't know if this is something that can be fixed at all due to the wierd naming of the machine, or if the DNS zone can be reconfigured to work. If it can be fixed does this mean manually adding the missing records, or is there something that will do this for me?

See dcdiag.exe /v below:

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine viper, is a DC.
   * Connecting to directory service on server viper.
   * Collecting site info.
   * Identifying all servers.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   Testing server: Default-First-Site-Name\VIPER
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         VIPER's server GUID DNS name could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name

         (2aad8f3a-7a0f-4c36-83d6-777487074608._msdcs.hance) couldn't be

         resolved, the server name (viper.birch.net) resolved to the IP address

         ( and was pingable.  Check that the IP address is

         registered correctly with the DNS server.
         ......................... VIPER failed test Connectivity

Doing primary tests
   Testing server: Default-First-Site-Name\VIPER
      Skipping all tests, because server VIPER is
      not responding to directory service requests
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: OutboundSecureChannels
   Running enterprise tests on : hance
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope

         provided by the command line arguments provided.
         ......................... hance passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\viper.birch.net
         Locator Flags: 0xe00001fd
         PDC Name: \\viper.birch.net
         Locator Flags: 0xe00001fd
         Time Server Name: \\viper.birch.net
         Locator Flags: 0xe00001fd
         Preferred Time Server Name: \\viper.birch.net
         Locator Flags: 0xe00001fd
         KDC Name: \\viper.birch.net
         Locator Flags: 0xe00001fd
         ......................... hance passed test FsmoCheck
  • 3
  • 3
  • 2
  • +2
2 Solutions
If you check the server name in system properties - network identification, what's the full computer name? It sounds like it's in a different domain to the workstations - and hance is what? A disparate single label domain? Very confusing! It looks like this was set up by someone who didn't have a clue what they were doing. How many workstations are there?

Deb :))
Kevin HaysIT AnalystCommented:
Boy, sounds like a real mess to say the least.

Have you tried to delete the forward and reverse lookup zones and then recreate them as active directory integrated for starters?

kshays :)
Kini pradeepPrincipal Cloud and security consultantCommented:
so there is a forward lookup zone and there is also the Alias CNAME  (guid) as it says in the dcdiag.
can you ping the FQDN ?
where is the DC pointing to for DNS?
it should point to itself and the ISP info if any like DNS address should be added as forwarder.
you should be able to ping the GUID as well as the domain name.
if the guid exists and is not pingable, you could delete the existing guid and stop & start the netlogon service on the DC, the guid should be registered.
check the full computer name of the domain ( should not have a single label or disjointed name space)
does the zone allow dynamic update if not enable it.
is there a .zone as well in DNS if so then delete the .zone'
i have also seen cases where in ppl have deleted the root hints so also check the root hints.
you can always uninstall and reinstall DNS, and recreate the zone. since its a small domain should not be much of a hassle.

can you also run netdiag /v and dcdiag /v and check for errors or failures.
you could also run netdiag /fix and any minor things would be fixed.

can you also post any errors in the eventvwr and any login errors.
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

haidentAuthor Commented:
network identification:

Full computer name - viper.birch.net

Domain - hance

Yes, its a single label domain.
I can ping viper.birch.net sucessfully.
The DC points to itself for DNS.
The ISP DNS servers are set-up as forwarders, and root hints are intact.
The DNS zone is set to allow dynamic update.
There is no "." zone.

In the event viewer there are netlogon warnings that state: Dynamic registration or deregistration of one or more DNS records failed because no DNS servers are available.

I suppose that I can't really screw this up more than it already is, but I am reluctant to uninstall DNS as I am now only reomotely connecting to the server.
This IS a mess. I'm trying to get my head round what you've got here. If you open up active directory users and computers on viper - there's the domain object at the top of the tree - what's it's full name?
Then if you right click the domain object - click operations masters - where are each of the roles pointing for rid, pdc and infrastructure? If you check the full computername for one of the workstations in system properties - what is it?

When you create a dc you can't give it a name that consists of characters like "." - so by rights if the dc is in a domain it should be in the birch.net domain. Where hance comes into it is what I'm having trouble figuring out. The errors that you're getting though are consistent with having a single label domain - never a good idea at all, although this is fixable so long as you're not going to expand the domain.
Information about configuring Windows for domains with single-label DNS names
haidentAuthor Commented:
The domain object at the top of the active direcotry tree is "hance"

In operations masters all (rid, pdc and infrastructure) point to "viper.birch.net"

full computer name for a workstation  - "HANCE-DESKTOP01.hance"
haidentAuthor Commented:
I followed the KB referenced above using method 1 to resolve the single label domain by editing the UpdateTopLevelDomainZones value in the registry, but I am not sure what benefical effect(s) should be obvious after doing this? Is there some amount of time that needs to pass for the DNS to be updated? Can I force this to occur more quickly?

I am still experiencing the same connectivity issues: logging on to the domain is very slow, as though the workstation tries and finally decides it is really not connected to the domain, shares from the DC server do not automatically reconnect after loggin on, and the printer shared from the server is not available until the shares are reconnected manually.
I've got to admit - I'm at a loss as how to fix this other than to rebuild the domain which is probably not what you want to hear. But I can't imagine any other way of getting this stable. One dc managing a single label domain that it doesn't actually appear to be a member of? If there's only one dc and not too many workstations then I'd advocate starting it from scratch - at least that way here'd be much less work to do over the long term - ie short term pain for long term gain. Right now it's not working - and I can't see a way of fixing it as it is. However I've asked for a couple of second opinions on this - let's see what they think.
>>>>>>>The ISP is Birch and for some crazy reason the DC machine is named viper.birch.net, but the domain is named hance.

DING DING DING! here is a nice big spanner in your works! What in the world was this guy thinking - youa re confusing the heck out of your server, your domain and your clients! poor old suckers!

quickest solution i can see here and the route i would be taking is similar to what Deb has already mentioned

1. Demote your Domain Controller
2. Decide on a Domain Name!!! then Name your Server appropriately
3. Repromote your Server with the new Domain Name - by this stage your Server FQDN should match that of your domain name!
   NB - let DCPROMO look after your DNS, delete any zones that you have and leave it as a standard clean install of DNS, when you run DCPROMO it will ask to configure DNS and you will find it creates a much more stable structure for you....
   NB - Make sure you add your ISP DNS servers as forwarders in yoru FLZ
4. Get the password for the router.. either that or do a hard reset and start a new, hell, buy a new router if you need to, Get DHCP off your router completely and let windows handle it

Run your diags and see what condition your Domain is now in, i think you will find that suddenly a lot more things are working the way they should!

Thats just my opinion - sorry if i sounded blunt i just typed that as if i were directing myself :) I personally wouldnt spend any more time trying to troubleshoot a mess like this, so much more efficient to heal the wound completely rather than stick a band aid on it - you are going to have to rebuild this at some stage

good luck and all the best

haident how did you go with this mate? did you end up rebuilding?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

  • 3
  • 3
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now