DNS is resolving a domain name to an incorrect IP address

From a certain workstation I can't join the domain, while from a different workstation I can.  
Meanwhile, from the defective workstation I can ping the server using its FULLY Qualified Domain Name.  However, the IP address it comes back with is the wrong one.   (I have NO IDEA where the wrong address comes from.)
From the defective workstation, I can see the server in My Network Places, I can connect to it using a domain username, and I can see and access the files on it.  I just can't connect to the domain.
I think the problem may have to do with how I set up DNS.

Following, I have included:  
A.  Evidence of the IP address confusion
B.  Evidence of the error message produced when I try to join the domain from this machine
C.  A clue - Error message from the Event Viewer that there is a redundant DNS zone lying around

A.  Evidence of the IP address confusion:
C:\ping server1.godslake.local.com
   Pinging server1.godslake.local.com [63.251.207.31] with 32 bytes of data:
   Reply from 63.251.207.31: bytes=32 time=698ms TTL=107
(I have NO IDEA where it's getting that 63.251.207.31 IP address!)
>>>
C:\Ping server1
   Pinging server1 [192.168.0.9] with 32 bytes of data:
   Reply from 192.168.0.9: bytes=32 time<1ms TTL=128
(192.168.0.9 is the correct IP address for Server1).

B.  More evidence - Here's the error message I get when trying to join the domain:
Error when trying to join the domain:
An error occurred when DNS was queried for the service location (SRV)
resource record used to locate an Active Directory Domain Controller
for domain GodsLake.local.com.

The error was: "No records found for given DNS query."
(error code 0x0000251D DNS_INFO_NO_RECORDS)

The query was for the SRV record for _ldap._tcp.dc._msdcs.GodsLake.local.com

C.  Clue - There may be a redundant DNS zone lying around:
From the DNS Event Viewer:  Event ID - 4515 -
The zone GodsLake.local.com was previously loaded from the directory partition MicrosoftDNS but another copy of the zone has been found in directory partition DomainDnsZones.GodsLake.local.com. The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible.
 
If an administrator has moved this zone from one directory partition to another this may be a harmless transient condition. In this case, no action is necessary. The deletion of the original copy of the zone should soon replicate to this server.
Asked by Dwight Baer
 
jwphillips80 commented:
run nslookup from the client and post back here.  

Also, it looks like the client is using something other than your DNS server for its primary.  It appears to be looking at an Internet DNS.  Change your primary DNS on the client to your local/Intranet DNS.

Dwight Baer (Student, Author) commented:
OK, here are two more clues.  I had two workstations where the problem occurred, plus at least one workstation where "everything's fine", and I can join the domain.
Now I've fixed the problem on the Vista workstation, but it still exists with the XP workstation.

1.  On my Windows Vista machine, when I change TCP/IP Properties from "Automatically assign the DNS name" and specify the IP address of Server1 as its Preferred DNS server, then the problem goes away.  I can properly ping the server with its FQDN, and I can join the domain.

2.  However, on my Windows XP machine, applying the same solution (specify the  preferred DNS address), even after a reboot, it still can ping the server with its FQDN and it can't join the domain.  The error message continues to be "A domain controller for the domain godslake.local.com could not be contacted."

Netman66 commented:
godslake.local.com is a Public entity.

You're getting a registered name replying to that ping request.

Make sure the workstation that can't join is only pointing to your DNS server and NO PUBLIC DNS server.

You really should have named your AD Namespace godslake.local  (less the .com).

trippleO7 commented:
Hi,

so are you somehow tied in with http://www.local.com?  (godslake.local.com which pings 63.251.207.31 for me also).

I'm still a bit confused.  Are you trying to join the domain across the internet, or is this local?  Generally, most internal Domain names would be godslake.local, and the public Domain would be godslake.com or even godslake.local.com if you truly are a part of the local.com domain.

Pinging server1.godslake.local.com appears to exist to the rest of the world (which can be OK if that's what you want), so I'm just asking for some clarification on how your domain/forest is set up.

Thanks,

0007

trippleO7 commented:
I'm too slow I see :)

Dwight Baer (Student, Author) commented:
Ooops ... OK, on the Windows XP machine I had mistyped the Preferred DNS Server.  Now everything works on both machines.
But I still have a theoretical question:  Why must I specify the DNS server?  Why doesn't "Automatically get the Preferred DNS Server" work?
DHCP is done from my router, which someone else manages.  I don't know how it actually is set up.  
When I do "IPCONFIG /ALL" from the command-line, instead of seeing the DHCP server, I get:
DHCPv6 IAID  followed by a 9-digit number.

Netman66 commented:
Probably because your DHCP server (be it the router or server) is giving the public ISP DNS address to the client.

You need to have whoever manages this set DNS to your server, not the ISP.


Dwight Baer (Student, Author) commented:
OK ... My error in setting up my DNS.  I actually was just guessing what to use, now I know I should have omitted the ".com" suffix since this is strictly a private network.
No, I am in no way connected to "local.com".
Wow.
So how do I fix it?  Do I have to completely reinstall DNS on all my Domain Controllers?  I guess so.

jwphillips80 commented:
Yep, they need to add an entry pointing all DNS lookups on your subdomain to your DNS.

Netman66 commented:
No, you have to completely reinstall the DC - or rename the domain.

http://technet.microsoft.com/en-us/windowsserver/bb405948.aspx

I've done this before, but you require a member server running 2003 and the forest and domain in Native mode.  Kind of a bit of work.


Dwight Baer (Student, Author) commented:
(I LOVE Experts-Exchange!  I thought I was going to have to pay Microsoft $310 for a Support issue to figure out why that DNS error message was occurring.)

Netman66 commented:
I'll only send you a $250 invoice... :o)


Dwight Baer (Student, Author) commented:
OK ... I've downloaded the tools from
http://technet.microsoft.com/en-us/windowsserver/bb405948.aspx.
(Thanks, all!)

This is going to take a while.  I guess I should leave the question open for now so any issues I encounter will be included on this same post.
The good news is that my forest structure is not complex.  I simply have three domain controllers in one domain, one forest, no child domains.


Netman66 commented:
OK, give 'er hell.

Make absolutely certain to read all the documents properly FIRST!

You have to recreate new DNS zones, change forest and domain functional levels, and run the tools from a MEMBER server (not a DC).

Allow sufficient time for replication between each step.

Dwight Baer (Student, Author) commented:
The document "Understanding How Domain Rename Works" is 29 pages.  
But the "Step-by-Step Guide to Implementing Domain Rename" is 81 pages including quite a few procedures that seem to be written in English except I don't have a clue what they're talking about.

I have a bright idea:  I think I'll just demote all my domain controllers to member servers and re-install Active Directory on each.  That will take maybe three hours total, and it's a procedure that I'm more comfortable with.  Meanwhile I've already got them all backed up and imaged so I'm safe regardless.

Netman66 commented:
It's really pretty simple.  Don't be intimidated by the fluff in those docs.


Dwight Baer (Student, Author) commented:
Thanks Netman66.  I'm debating this weekend which way I'll go.  At the moment I'm inclined to do the Domain Rename thing, but I need to ask my software Support guy first.

Dwight Baer (Student, Author) commented:
OK ... I'm at Step 9 of the Domain Rename procedure (in the MS document "Step-by-Step Guide to Implementing Domain Rename") and I received the following error when I performed "rendom /end":
Failed to delete rename script on the DN: CN=Partitions,CN=Configuration,DC=GodsLake,DC=local on host server1.GodsLake.local.com.  
00002077: SvcErr: DSID-030F0B0E, problem 5003 (WILL_NOT_PERFORM), data 0
: Cannot complete this function. :1003

To recap, I have successfully performed the following rendom commands from the command prompt:
rendom /list
rendom /showforest
rendom /upload
rendom /prepare
rendom /execute

Help, please!  I'm so close to the end of this procedure ...  Thanks


Dwight Baer (Student, Author) commented:
OK ... Here's a clue:
I have Server1 (which has all the roles - schema master, domain naming master, RID master, PDC emulator and Infrastructure master) and I have Server3 as Domain Controllers.
Server2 I demoted to a Member server in order to do the Domain Renaming.
So ... When I'm on Server2, I can ping Server1 and it returns successfully with the correct IP address (192.168.0.9).
But when I'm on Server3 and I ping Server1, I get the following return:
Pinging server1.GodsLake.local.com [63.251.207.31] with 32 bytes of data:
Reply from 63.251.207.31: bytes=32 time=784ms TTL=101

For the same reason, I suppose, replication fails from Server3 to Server1.

Dwight Baer (Student, Author) commented:
... (more clues)
I tried to force replication "pushing" the changes from Server1 to Server3.  The error was, it couldn't find Server3.
When I'm at Server1 and I ping Server3, I get:
Pinging server3.GodsLake.local.com [192.168.0.8] with 32 bytes of data:
Reply from 192.168.0.8: bytes=32 time<1ms TTL=128
(good)
But when I ping server3.GodsLake.local (GodsLake.local is SUPPOSED to be our new private domain name, so as not to conflict with the publicly-registered godslake.local.com which is out there somewhere) ...
I get:
Pinging server3.godslake.local.local.com [63.251.207.31] with 32 bytes of data:
Reply from 63.251.207.31: bytes=32 time=713ms TTL=100


Dwight Baer (Student, Author) commented:
NSLOOKUP produces:
Default Server:  server1.godslake.local.com
Address:  192.168.0.9
(I get the same result on both Server1 and Server3)

Netman66 commented:
server3.godslake.local.local.com

All servers now require you to change the DNS suffix.  
Right click My Computer and select Properties.
On the Computer Name tab, click the More button.
Change the DNS suffix to godslake.local.
Reboot the servers.
Make sure they only point to your internal DNS - not the ISP - so remove any secondary addresses on the NIC.

Once complete, delete the godslake.local.com lookup zones.

You did create the _msdcs.godslake.local and godslake.local zones - correct?  They are both Primary and Active Directory integrated.  The _msdcs zone should replicate to All DNS servers in the Forest and the rest should be All DNS server in the Domain.

Advise.
 
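As an added illustration (not code from this thread or from Microsoft), here is a small Python model of the two mechanisms behind the symptoms in the question and in Netman66's reply just above: a client pointed at a public resolver gets the registered local.com answer for any name under godslake.local.com, and Windows suffix devolution turns server3.godslake.local into server3.godslake.local.local.com while the primary DNS suffix is still the old name. The resolver tables and the wildcard-like behaviour of local.com are constructed stand-ins built from the addresses quoted in the thread; nothing is queried live.

```python
import ipaddress
# Constructed stand-ins for the thread's resolvers; names and addresses are the
# ones quoted there, nothing is queried live.
AD_ZONE = "godslake.local.com"          # zone the internal DNS is authoritative for
INTERNAL_RECORDS = {
    "server1.godslake.local.com": "192.168.0.9",
    "server3.godslake.local.com": "192.168.0.8",
}
PUBLIC_SUFFIX = "local.com"             # registered Internet domain
PUBLIC_ADDR = "63.251.207.31"           # what every *.local.com name resolved to

def public_resolve(fqdn):
    """Internet view: local.com answered any name beneath it (wildcard-like)."""
    return PUBLIC_ADDR if fqdn.endswith("." + PUBLIC_SUFFIX) else None

def internal_resolve(fqdn):
    """AD DNS server: authoritative for its own zone, recurses for everything else."""
    if fqdn == AD_ZONE or fqdn.endswith("." + AD_ZONE):
        return INTERNAL_RECORDS.get(fqdn)   # NXDOMAIN inside the zone, no recursion
    return public_resolve(fqdn)

def devolve(primary_suffix):
    """Primary DNS suffix and its parents down to two labels (Windows name devolution)."""
    labels = primary_suffix.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def candidates(name, primary_suffix):
    """Names a Windows client tries, in order: a trailing dot means FQDN only,
    a dotted name is tried as typed first, then each devolved suffix is appended."""
    name, primary_suffix = name.lower(), primary_suffix.lower()
    if name.endswith("."):
        return [name[:-1]]
    tries = [name] if "." in name else []
    return tries + [f"{name}.{s}" for s in devolve(primary_suffix)]

def client_lookup(name, primary_suffix, resolver):
    """Return (fqdn that answered, address, is_private) or None if nothing answers."""
    for fqdn in candidates(name, primary_suffix):
        addr = resolver(fqdn)
        if addr is not None:
            return fqdn, addr, ipaddress.ip_address(addr).is_private
    return None

if __name__ == "__main__":
    # Client still pointed at the ISP resolver: the FQDN ping from the question
    print(client_lookup("server1.godslake.local.com", AD_ZONE, public_resolve))
    # Same client once it points only at server1
    print(client_lookup("server1.godslake.local.com", AD_ZONE, internal_resolve))
    # Server1 pinging the renamed name while its own suffix is still the old one
    print(client_lookup("server3.godslake.local", AD_ZONE, internal_resolve))
```

The last lookup returns None once the primary suffix is changed to godslake.local, which is why the new zones have to exist before the renamed names resolve at all.
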
Dwight Baer (Student, Author) commented:
You guessed it.  I didn't create my new zones.  (You're very polite.)
I'm setting up the new zones now.
Question:  I don't know how to answer the question "Should this DNS server forward queries?"
I don't know of a DNS server "out there" that my server should forward a query to.  So what will my server do when it can't resolve a query?  

Dwight Baer (Student, Author) commented:
Another question:  I created my GodsLake.local zone;  I had to edit the SOA and NS records to get rid of the ".com" suffix that snuck in.
Then I created an _msdcs.godslake.local zone.  But I may not have done it right.  At the moment it only contains two records:  an SOA and an NS record, just like the GodsLake.local zone.
Why does it not have sub-folders such as "dc", "domains", "gc", and "pdc" like my _msdcs.GodsLake.local.com has?  I suppose it's because these are the roles I asked this domain controller to accept:  domain controller, domain naming master (?), global catalog, and pdc emulator.  When will my new zone become equally distinguished?

Dwight Baer (Student, Author) commented:
(For my own future reference):  I think I found the purpose for the _msdcs zone:  "Active Directory uses a special set of locator records, the forest-wide locator records, to help replication partners find each other and to help clients find global catalog servers. Active Directory stores all the forest-wide locator records in the zone _msdcs.<forest_name>. Because the information in the zone must be widely available, this zone is replicated to all DNS servers in the forest."  ... from
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx 

Dwight Baer (Student, Author) commented:
Answer to my question of "When will my new GodsLake.local zone have sub-folders such as dc, domains, gc and pdc?"  The answer is, "After replication happens" ... which it just did, successfully, after I changed the DNS suffix name on all my servers and rebooted them.
I still have the nagging little theoretical questions of:
1.  I don't know how to answer the question "Should this DNS server forward queries?"
(At the moment I can't find where to edit this setting on my existing structure)  ... and ...
2.  At both my _msdcs.GodsLake.local as well as my GodsLake.local zones, under Properties, Zone Transfers, the default (current) setting is to NOT allow transfers.  Why would I want to allow zone transfers, and to what server should I be transferring?  Other DCs within my own network?
But as I said, these are theoretical questions.  My project is almost done.  I'm going to re-install Active Directory and DNS on Server2, the one I demoted to do the domain rename control thing, and then I'm going to close this question and call it a day.  Whew.

Dwight Baer (Student, Author) commented:
Thanks a WHOLE lot jwphillips80, Netman66 and trippleO7.  

Netman66 commented:
1) It doesn't have to, no.  It will use the Root Hints servers to query internet resources but it tends to be a little slower.  You're better to use your ISP's DNS address to forward to as it may be a bit quicker.

2) Leave Zone transfers unchecked.  If the zones are AD Integrated (which they should be) then they'll replicate.  You use the zone transfer only if you are replicating a zone to a server outside your AD (or not on a DC).


Dwight Baer (Student, Author) commented:
Thanks very much, Netman66!