Windows 2000 DC DNS needs help

Posted on 2006-06-02
Last Modified: 2010-04-13
I am experiencing lots of connectivity issues in a small Win 2000 domain with Win XP Pro workstations.

The server has been in place for a long time and I do not have access to the individual who set it up, but it appears that the DNS server is the problem. The ISP is Birch and for some crazy reason the DC machine is named, but the domain is named hance. DHCP is coming from the Birch DSL router, which I do not yet have a password for so that I could turn this off and have the DC server provide DHCP. In the meantime I have given the workstations static IP addresses and given them the DC server's IP for their DNS server.

When I look at the DNS on the server there is one forward lookup zone, but it doesn't seem to have the records that should be there (services like kerberos, kpassword, ldap, etc. are missing). Accordingly, I don't think there is any way the workstations can access the Active Directory, and this is what is causing the connectivity problems.

I don't know if this is something that can be fixed at all due to the weird naming of the machine, or if the DNS zone can be reconfigured to work. If it can be fixed, does this mean manually adding the missing records, or is there something that will do this for me?

See dcdiag.exe /v below:

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine viper, is a DC.
   * Connecting to directory service on server viper.
   * Collecting site info.
   * Identifying all servers.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   Testing server: Default-First-Site-Name\VIPER
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         VIPER's server GUID DNS name could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (2aad8f3a-7a0f-4c36-83d6-777487074608._msdcs.hance) couldn't be
         resolved, the server name ( resolved to the IP address
         ( and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... VIPER failed test Connectivity

Doing primary tests
   Testing server: Default-First-Site-Name\VIPER
      Skipping all tests, because server VIPER is
      not responding to directory service requests
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: OutboundSecureChannels
   Running enterprise tests on : hance
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... hance passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\
         Locator Flags: 0xe00001fd
         PDC Name: \\
         Locator Flags: 0xe00001fd
         Time Server Name: \\
         Locator Flags: 0xe00001fd
         Preferred Time Server Name: \\
         Locator Flags: 0xe00001fd
         KDC Name: \\
         Locator Flags: 0xe00001fd
         ......................... hance passed test FsmoCheck
Question by: haident
    LVL 20

    Expert Comment

    If you check the server name in system properties - network identification, what's the full computer name? It sounds like it's in a different domain to the workstations - and hance is what? A disparate single label domain? Very confusing! It looks like this was set up by someone who didn't have a clue what they were doing. How many workstations are there?

    Deb :))
    LVL 16

    Expert Comment

    Boy, sounds like a real mess to say the least.

    Have you tried to delete the forward and reverse lookup zones and then recreate them as active directory integrated for starters?

    kshays :)
    LVL 13

    Expert Comment

    by: Kini pradeep
    So there is a forward lookup zone and there is also the Alias CNAME (GUID) as it says in the dcdiag.
    Can you ping the FQDN?
    Where is the DC pointing to for DNS?
    It should point to itself, and the ISP info, if any, like the DNS address should be added as a forwarder.
    You should be able to ping the GUID as well as the domain name.
    If the GUID exists and is not pingable, you could delete the existing GUID and stop & start the Netlogon service on the DC; the GUID should be registered.
    Check the full computer name of the domain (should not have a single label or disjointed namespace).
    Does the zone allow dynamic update? If not, enable it.
    Is there a "." zone as well in DNS? If so then delete the "." zone.
    I have also seen cases where people have deleted the root hints, so also check the root hints.
    You can always uninstall and reinstall DNS, and recreate the zone. Since it's a small domain it should not be much of a hassle.

    Can you also run netdiag /v and dcdiag /v and check for errors or failures.
    You could also run netdiag /fix and any minor things would be fixed.

    Can you also post any errors in the eventvwr and any login errors.
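The question reports a forward lookup zone without the kerberos, kpasswd and ldap records, and the comment above asks to check the GUID alias and the domain's naming. As an added example (not from the thread or from Microsoft's tooling), this Python script builds the core set of records a Windows 2000 DC's Netlogon service registers for its domain, diffs them against a zone's record set, and flags the two naming problems under discussion. The zone contents are constructed, and `viper.isp.example` is a hypothetical placeholder because the DC's real FQDN is elided in the thread.

```python
# Added example (not from the thread): list the core DNS records Netlogon registers for a
# domain, report which are absent from a zone, and flag single-label / disjoint naming.
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    name: str   # owner name, lower-case, no trailing dot
    rtype: str  # "A", "SRV" or "CNAME"

def expected_dc_records(domain, site, dsa_guid):
    """Core subset of the records Netlogon registers; every owner name hangs off the domain."""
    d, s = domain.lower(), site.lower()
    srv_names = [
        f"_ldap._tcp.{d}", f"_ldap._tcp.dc._msdcs.{d}", f"_ldap._tcp.pdc._msdcs.{d}",
        f"_ldap._tcp.gc._msdcs.{d}", f"_gc._tcp.{d}",
        f"_kerberos._tcp.{d}", f"_kerberos._udp.{d}", f"_kerberos._tcp.dc._msdcs.{d}",
        f"_kpasswd._tcp.{d}", f"_kpasswd._udp.{d}",
        f"_ldap._tcp.{s}._sites.{d}", f"_kerberos._tcp.{s}._sites.{d}",
    ]
    recs = {Record(n, "SRV") for n in srv_names}
    recs.add(Record(d, "A"))                                     # domain name resolves to the DC
    recs.add(Record(f"{dsa_guid.lower()}._msdcs.{d}", "CNAME"))  # GUID alias dcdiag tries to resolve
    return recs

def audit_zone(domain, dc_fqdn, site, dsa_guid, zone_records):
    """Return findings: naming problems first, then each expected record absent from the zone."""
    findings = []
    if "." not in domain:
        findings.append(f"domain '{domain}' is a single-label DNS name")
    if not dc_fqdn.lower().endswith("." + domain.lower()):
        findings.append(f"DC name '{dc_fqdn}' is not under domain '{domain}' (disjoint namespace)")
    missing = expected_dc_records(domain, site, dsa_guid) - set(zone_records)
    findings += sorted(f"missing {r.rtype} {r.name}" for r in missing)
    return findings

# Constructed zone contents modelled on the question: host A records exist, no SRV/GUID records.
SAMPLE_ZONE = [Record("hance", "A"), Record("hance-desktop01.hance", "A")]
# 'viper.isp.example' is a hypothetical placeholder; the real DC FQDN is elided in the thread.
SAMPLE_FINDINGS = audit_zone("hance", "viper.isp.example", "Default-First-Site-Name",
                             "2aad8f3a-7a0f-4c36-83d6-777487074608", SAMPLE_ZONE)

if __name__ == "__main__":
    for finding in SAMPLE_FINDINGS:
        print(finding)
```

On a live zone the same diff can be fed from `nslookup -type=SRV` output, and the `_msdcs` GUID entry is the one the Connectivity test above failed on.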

    Author Comment

    network identification:

    Full computer name -

    Domain - hance

    Yes, it's a single label domain.
    I can ping successfully.
    The DC points to itself for DNS.
    The ISP DNS servers are set up as forwarders, and root hints are intact.
    The DNS zone is set to allow dynamic update.
    There is no "." zone.

    In the event viewer there are netlogon warnings that state: Dynamic registration or deregistration of one or more DNS records failed because no DNS servers are available.

    I suppose that I can't really screw this up more than it already is, but I am reluctant to uninstall DNS as I am now only remotely connecting to the server.
    LVL 20

    Expert Comment

    This IS a mess. I'm trying to get my head round what you've got here. If you open up Active Directory Users and Computers on viper - there's the domain object at the top of the tree - what's its full name?
    Then if you right click the domain object - click Operations Masters - where are each of the roles pointing for RID, PDC and Infrastructure? If you check the full computer name for one of the workstations in system properties - what is it?

    When you create a dc you can't give it a name that consists of characters like "." - so by rights if the dc is in a domain it should be in the domain. Where hance comes into it is what I'm having trouble figuring out. The errors that you're getting though are consistent with having a single label domain - never a good idea at all, although this is fixable so long as you're not going to expand the domain.
    Information about configuring Windows for domains with single-label DNS names

    Author Comment

    The domain object at the top of the Active Directory tree is "hance"

    In operations masters all (rid, pdc and infrastructure) point to ""

    full computer name for a workstation  - "HANCE-DESKTOP01.hance"

    Author Comment

    I followed the KB referenced above using method 1 to resolve the single label domain by editing the UpdateTopLevelDomainZones value in the registry, but I am not sure what beneficial effect(s) should be obvious after doing this? Is there some amount of time that needs to pass for the DNS to be updated? Can I force this to occur more quickly?

    I am still experiencing the same connectivity issues: logging on to the domain is very slow, as though the workstation tries and finally decides it is really not connected to the domain, shares from the DC server do not automatically reconnect after logging on, and the printer shared from the server is not available until the shares are reconnected manually.
    LVL 20

    Accepted Solution

    I've got to admit - I'm at a loss as to how to fix this other than to rebuild the domain, which is probably not what you want to hear. But I can't imagine any other way of getting this stable. One DC managing a single label domain that it doesn't actually appear to be a member of? If there's only one DC and not too many workstations then I'd advocate starting it from scratch - at least that way there'd be much less work to do over the long term - i.e. short term pain for long term gain. Right now it's not working - and I can't see a way of fixing it as it is. However I've asked for a couple of second opinions on this - let's see what they think.
    LVL 48

    Assisted Solution

    >>>>>>>The ISP is Birch and for some crazy reason the DC machine is named, but the domain is named hance.

    DING DING DING! Here is a nice big spanner in your works! What in the world was this guy thinking - you are confusing the heck out of your server, your domain and your clients! Poor old suckers!

    Quickest solution I can see here, and the route I would be taking, is similar to what Deb has already mentioned:

    1. Demote your Domain Controller
    2. Decide on a Domain Name!!! Then name your Server appropriately
    3. Repromote your Server with the new Domain Name - by this stage your Server FQDN should match that of your domain name!
       NB - let DCPROMO look after your DNS, delete any zones that you have and leave it as a standard clean install of DNS; when you run DCPROMO it will ask to configure DNS and you will find it creates a much more stable structure for you....
       NB - Make sure you add your ISP DNS servers as forwarders in your FLZ
    4. Get the password for the router.. either that or do a hard reset and start anew, hell, buy a new router if you need to. Get DHCP off your router completely and let Windows handle it

    Run your diags and see what condition your Domain is now in, I think you will find that suddenly a lot more things are working the way they should!

    That's just my opinion - sorry if I sounded blunt, I just typed that as if I were directing myself :) I personally wouldn't spend any more time trying to troubleshoot a mess like this, so much more efficient to heal the wound completely rather than stick a band aid on it - you are going to have to rebuild this at some stage

    Good luck and all the best

    LVL 48

    Expert Comment

    haident, how did you go with this, mate? Did you end up rebuilding?
