Dwight Baer
asked on
DNS is resolving a domain name to an incorrect IP address
From a certain workstation I can't join the domain, while from a different workstation I can.
Meanwhile, from the defective workstation I can ping the server using its FULLY Qualified Domain Name. However, the IP address it comes back with is the wrong one. (I have NO IDEA where the wrong address comes from.)
From the defective workstation, I can see the server in My Network Places, I can connect to it using a domain username, and I can see and access the files on it. I just can't connect to the domain.
I think the problem may have to do with how I set up DNS.
Following, I have included:
A. Evidence of the IP address confusion
B. Evidence of the error message produced when I try to join the domain from this machine
C. A clue - Error message from the Event Viewer that there is a redundant DNS zone laying around
A. Evidence of the IP address confusion:
C:\ping server1.godslake.local.com
Pinging server1.godslake.local.com [63.251.207.31] with 32 bytes of data:
Reply from 63.251.207.31: bytes=32 time=698ms TTL=107
(I have NO IDEA where it's getting that 63.251.207.31 IP address!)
>>>
C:\Ping server1
Pinging server1 [192.168.0.9] with 32 bytes of data:
Reply from 192.168.0.9: bytes=32 time<1ms TTL=128
(192.168.0.9 is the correct IP address for Server1).
B. More evidence - Here's the error message I get when trying to join the domain:
Error when trying to join the domain:
An error occurred when DNS was queried for the service location (SRV)
resource record used to locate an Active Directory Domain Controller
for domain GodsLake.local.com.
The error was: "No records found for given DNS query."
(error code 0x0000251D DNS_INFO_NO_RECORDS)
The query was for the SRV record for _ldap._tcp.dc._msdcs.GodsLake.local.com
C. Clue - There may be a redundant DNS zone laying around:
From the DNS Event Viewer: Event ID - 4515 -
The zone GodsLake.local.com was previously loaded from the directory partition MicrosoftDNS but another copy of the zone has been found in directory partition DomainDnsZones.GodsLake.local.com. The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible.
If an administrator has moved this zone from one directory partition to another this may be a harmless transient condition. In this case, no action is necessary. The deletion of the original copy of the zone should soon replicate to this server.
I'm too slow I see :)
ASKER
Ooops ... OK, on the Windows XP machine I had mistyped the Preferred DNS Server. Now everything works on both machines.
But I still have a theoretical question: Why must I specify the DNS server? Why doesn't "Automatically get the Preferred DNS Server" work?
DHCP is done from my router, which someone else manages. I don't know how it actually is set up.
When I do "IPCONFIG /ALL" from the command-line, instead of seeing the DHCP server, I get:
DHCPv6 IAID followed by a 9-digit number.
Probably because your DHCP server (be it the router or server) is giving the public ISP DNS address to the client.
You need to have whomever manages this set DNS to your server not the ISP.
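Added example (the editor's, not code from anyone in this thread): a PowerShell check that makes the question's symptom visible and tests the explanation given above. It lists the DNS servers and the suffix search list the client is actually using, then asks each configured server, and the DC itself, for the DC's A record and for the _ldap._tcp.dc._msdcs SRV record that a domain join needs. An internal DC name answered with a non-RFC 1918 address means the query left the network: because godslake.local.com ends in the real .com, any resolver other than the internal DNS server (a mistyped preferred server, or the ISP address handed out by DHCP) answers it from the public DNS tree. The cmdlets are from the DnsClient module, so this needs Windows 8 / Server 2012 or later, not the XP machine in the thread; the domain, DC name and 192.168.0.9 are taken from the question.

```powershell
# Editor's added example, not code from the thread. Needs the DnsClient module
# (Windows 8 / Server 2012 or later). Values below are the question's.
$AdDomain = 'godslake.local.com'
$DcName   = "server1.$AdDomain"
$DcIp     = '192.168.0.9'

function Test-PrivateIPv4 {
    param([string]$Ip)
    # RFC 1918 space; a DC name answered with anything else was resolved outside
    return [bool]($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)')
}

function Get-AnswerFrom {
    param([string]$Name, [string]$Type, [string]$Server)
    # Query one specific server, bypassing the client cache and the hosts file,
    # so the answer can be attributed to that server
    try {
        $r = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop
        if ($Type -eq 'A') {
            return (@($r | Where-Object Type -eq 'A' | ForEach-Object IPAddress) -join ',')
        }
        return (@($r | Where-Object Type -eq 'SRV' |
                  ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ',')
    } catch {
        return "ERROR: $($_.Exception.Message)"
    }
}

# 1. What the client is really using: a mistyped "Preferred DNS server" or an
#    ISP address pushed by DHCP shows up here, and so does the suffix search
#    list that turns "server3.godslake.local" into "...local.com" by devolution.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize
Get-DnsClientGlobalSetting | Format-List SuffixSearchList, UseDevolution, DevolutionLevel

# 2. Ask each configured server, then the DC directly, the two questions a
#    domain join depends on: the DC's address and the LDAP SRV locator record.
$configured = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
                ForEach-Object ServerAddresses)
$servers = @($configured + $DcIp) | Select-Object -Unique

foreach ($s in $servers) {
    $a   = Get-AnswerFrom -Name $DcName -Type A -Server $s
    $srv = Get-AnswerFrom -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV -Server $s
    $verdict = if ($a -like 'ERROR*')                            { 'no A record for DC' }
               elseif (-not (Test-PrivateIPv4 $a.Split(',')[0])) { 'PUBLIC address: answered from the internet, not your DC' }
               elseif ($srv -like 'ERROR*')                       { 'A ok, but no SRV locator (join fails with 0x251D)' }
               else                                               { 'ok' }
    [pscustomobject]@{ DnsServer = $s; A = $a; SRV = $srv; Verdict = $verdict }
}

# Remediation for the thread's case (the fix the asker found): use the DC only.
# Get-NetAdapter -Physical | Set-DnsClientServerAddress -ServerAddresses $DcIp
```

Run it on the workstation that cannot join. A row whose A column holds a public address with the ISP's resolver in the DnsServer column, next to a row with 192.168.0.9 and a populated SRV column for the DC, is the whole problem in one table.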
ASKER
OK ... My error in setting up my DNS. I actually was just guessing what to use, now I know I should have omitted the ".com" suffix since this is strictly a private network.
No, I am in no way connected to "local.com".
Wow.
So how do I fix it? Do I have to completely reinstall DNS on all my Domain Controllers? I guess so.
Yepp, they need to add an entry pointing all DNS lookups on your subdomain to your DNS.
No, you have to completely reinstall the DC - or rename the domain.
http://technet.microsoft.com/en-us/windowsserver/bb405948.aspx
I've done this before, but you require a member server running 2003 and the forest and domain in Native mode. Kind of a bit of work.
ASKER
(I LOVE Experts-Exchange! I thought I was going to have to pay Microsoft $310 for a Support issue to figure out why that DNS error message was occurring.)
I'll only send you a $250 invoice... :o)
ASKER
OK ... I've downloaded the tools from
http://technet.microsoft.com/en-us/windowsserver/bb405948.aspx.
(Thanks, all!)
This is going to take a while. I guess I should leave the question open for now so any issues I encounter will be included on this same post.
The good news is that my forest structure is not complex. I simply have three domain controllers in one domain, one forest, no child domains.
OK, give 'er hell.
Make absolutely certain to read all the documents properly FIRST!
You have to recreate new DNS zones, change forest and domain functional levels, and run the tools from a MEMBER server (not a DC).
Allow sufficient time for replication between each step.
ASKER
The document "Understanding How Domain Rename Works" is 29 pages.
But the "Step-by-Step Guide to Implementing Domain Rename" is 81 pages including quite a few procedures that seem to be written in English except I don't have a clue what they're talking about.
I have a bright idea: I think I'll just demote all my domain controllers to member servers and re-install Active Directory on each. That will take maybe three hours total, and it's a procedure that I'm more comfortable with. Meanwhile I've already got them all backed up and imaged so I'm safe regardless.
It's really pretty simple. Don't be intimidated by the fluff in those docs.
ASKER
Thanks Netman66. I'm debating this weekend which way I'll go. At the moment I'm inclined to do the Domain Rename thing, but I need to ask my software Support guy first.
ASKER
OK ... I'm at Step 9 of the Domain Rename procedure (in the MS document "Step-by-Step Guide to Implementing Domain Rename" and I received the following error when I performed "rendom /end":
Failed to delete rename script on the DN: CN=Partitions,CN=Configuration,DC=GodsLake,DC=local on host server1.GodsLake.local.com.
00002077: SvcErr: DSID-030F0B0E, problem 5003 (WILL_NOT_PERFORM), data 0
: Cannot complete this function. :1003
To recap, I have successfully performed the following rendom commands from the command prompt:
rendom /list
rendom /showforest
rendom /upload
rendom /prepare
rendom /execute
Help, please! I'm so close to the end of this procedure ... Thanks
ASKER
OK ... Here's a clue:
I have Server1 (which has all the roles - schema master, domain naming master, RID master, PDC emulator and Infrastructure master) and I have Server3 as Domain Controllers.
Server2 I demoted to a Member server in order to do the Domain Renaming.
So ... When I'm on Server2, I can ping Server1 and it returns successfully with the correct IP address (192.168.0.9).
But when I'm on Server3 when I ping Server1 I get the following return:
Pinging server1.GodsLake.local.com [63.251.207.31] with 32 bytes of data:
Reply from 63.251.207.31: bytes=32 time=784ms TTL=101
For the same reason, I suppose, replication fails from Server3 to Server1.
ASKER
... (more clues)
I tried to force replication "pushing" the changes from Server1 to Server3. The error was, it couldn't find Server3.
When I'm at Server1 and I ping Server3, I get:
Pinging server3.GodsLake.local.com [192.168.0.8] with 32 bytes of data:
Reply from 192.168.0.8: bytes=32 time<1ms TTL=128
(good)
But when I ping server3.GodsLake.local (GodsLake.local is SUPPOSED to be our new private domain name, so as not to conflict with the publicly-registered godslake.local.com which is out there somewhere) ...
I get:
Pinging server3.godslake.local.local.com [63.251.207.31] with 32 bytes of data:
Reply from 63.251.207.31: bytes=32 time=713ms TTL=100
ASKER
NSLOOKUP produces:
Default Server: server1.godslake.local.com
Address: 192.168.0.9
(I get the same result on both Server1 and Server3)
server3.godslake.local.local.com
All servers now require you to change the DNS suffix.
Right click My Computer and select Properties.
On the Computer Name tab, click the More button.
Change the DNS suffix to godslake.local.
Reboot the servers.
Make sure they only point to your internal DNS - not the ISP - so remove any secondary addresses on the NIC.
Once complete, delete the godslake.local.com lookup zones.
You did create the _msdcs.godslake.local and godslake.local zones - correct? They are both Primary and Active Directory integrated. The _msdcs zone should replicate to All DNS servers in the Forest and the rest should be All DNS server in the Domain.
Advise.
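Added example (the editor's, not the answer's own commands and not from Microsoft's rename guide): the zone part of the procedure above done with the DnsServer module, which needs Windows Server 2012 or later, so newer than the servers in this thread, run as a domain admin on a DC that also runs DNS. It creates the two zones with exactly the replication scopes the answer gives, restricts them to secure dynamic updates so only domain-joined computers can register or overwrite records, points the server's NIC at internal DNS only, re-registers the DC locator records, and then verifies the layout instead of trusting it. The old zones are removed only once the new _msdcs zone actually holds a DC locator SRV record. The second DC address is an assumption taken from the ping output earlier in the thread.

```powershell
# Editor's added example, not the answer's commands. Assumes Windows Server 2012+
# (DnsServer and DnsClient modules) and that this host is a DC running DNS.
$NewDomain   = 'godslake.local'
$OldDomain   = 'godslake.local.com'
$InternalDns = @('192.168.0.9', '192.168.0.8')   # Server1, Server3 (assumed from the thread's pings)

# Replication scopes the answer specifies: _msdcs forest-wide, the domain zone domain-wide
$Layout = @{
    "_msdcs.$NewDomain" = 'Forest'
    $NewDomain          = 'Domain'
}

foreach ($zone in $Layout.Keys) {
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        # AD-integrated primary. Secure = only authenticated domain members may
        # register or overwrite records, so a rogue host cannot re-point server1
        # the way the public answer in the question did.
        Add-DnsServerPrimaryZone -Name $zone -ReplicationScope $Layout[$zone] -DynamicUpdate Secure
    }
}

# This server must use only internal DNS (the answer's "remove any secondary addresses")
Get-NetAdapter -Physical | Where-Object Status -eq 'Up' |
    Set-DnsClientServerAddress -ServerAddresses $InternalDns

# Re-register this DC's A, CNAME and SRV locator records into the new zones
nltest /dsregdns | Out-Null
ipconfig /registerdns | Out-Null

function Test-AdDnsLayout {
    param([hashtable]$Expected, [string]$Forest)
    # Returns the list of things still wrong; an empty list means the layout is correct
    $problems = @()
    foreach ($name in $Expected.Keys) {
        $z = Get-DnsServerZone -Name $name -ErrorAction SilentlyContinue
        if (-not $z) { $problems += "$name missing"; continue }
        if (-not $z.IsDsIntegrated) { $problems += "$name is not AD-integrated" }
        if ($z.ReplicationScope -ne $Expected[$name]) {
            $problems += "$name replicates $($z.ReplicationScope), expected $($Expected[$name])"
        }
        if ($z.DynamicUpdate -ne 'Secure') { $problems += "$name allows non-secure updates" }
    }
    # The join error in the question was a missing _ldap._tcp.dc SRV record;
    # the new _msdcs zone must hold one before any client can find a DC
    $srv = Get-DnsServerResourceRecord -ZoneName "_msdcs.$Forest" -Name '_ldap._tcp.dc' `
               -RRType Srv -ErrorAction SilentlyContinue
    if (-not $srv) { $problems += "no _ldap._tcp.dc._msdcs.$Forest SRV record registered yet" }
    return $problems
}

$issues = Test-AdDnsLayout -Expected $Layout -Forest $NewDomain
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "Zones look right; DC locator records are registered in _msdcs.$NewDomain"
    # Only now is it safe to drop the old zones (the answer's last step)
    foreach ($old in "_msdcs.$OldDomain", $OldDomain) {
        if (Get-DnsServerZone -Name $old -ErrorAction SilentlyContinue) {
            Remove-DnsServerZone -Name $old -Force
        }
    }
}
```

The SRV check is the one that matters: the thread's later post shows the new _msdcs zone holding nothing but SOA and NS records until every DC had its suffix changed and was rebooted, and until then a client pointed at the new zone gets the same "No records found" join error as at the start of the question.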
ASKER
You guessed it. I didn't create my new zones. (You're very polite.)
I'm setting up the new zones now.
Question: I don't know how to answer the question "Should this DNS server forward queries?"
I don't know of a DNS server "out there" that my server should forward a query to. So what will my server do when it can't resolve a query?
ASKER
Another question: I created my GodsLake.local zone; I had to edit the SOA and NS records to get rid of the ".com" suffix that snuck in.
Then I created an _msdcs.godslake.local zone. But I may not have done it right. At the moment it only contains two records: an SOA and an NS record, just like the GodsLake.local zone.
Why does it not have sub-folders such as "dc", "domains", "gc", and "pdc" like my _msdcs.GodsLake.local.com has? I suppose it's because these are the roles I asked this domain controller to accept: domain controller, domain naming master (?), global catalog, and pdc emulator. When will my new zone become equally distinguished?
ASKER
(For my own future reference): I think I found the purpose for the _msdcs zone: "Active Directory uses a special set of locator records, the forest-wide locator records, to help replication partners find each other and to help clients find global catalog servers. Active Directory stores all the forest-wide locator records in the zone _msdcs.<forest_name>. Because the information in the zone must be widely available, this zone is replicated to all DNS servers in the forest." ... from
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx
ASKER
Answer to my question of "When will my new GodsLake.local zone have sub-folders such as dc, domains, gc and pdc?" The answer is, "After replication happens" ... which it just did, successfully, after I changed the DNS suffix name on all my servers and rebooted them.
I still have the nagging little theoretical questions of:
1. I don't know how to answer the question "Should this DNS server forward queries?"
(At the moment I can't find where to edit this setting on my existing structure) ... and ...
2. At both my _msdcs.GodsLake.local as well as my GodsLake.local zones, under Properties, Zone Transfers, the default (current) setting is to NOT allow transfers. Why would I want to allow zone transfers, and to what server should I be transferring? Other DCs within my own network?
But as I said, these are theoretical questions. My project is almost done. I'm going to re-install Active Directory and DNS on Server2, the one I demoted to do the domain rename control thing, and then I'm going to close this question and call it a day. Whew.
ASKER
Thanks a WHOLE lot IWPhillips80, Netman66 and Triple07.
1) It doesn't have to, no. It will use the Root Hints servers to query internet resources but it tends to be a little slower. You're better to use your ISP's DNS address to forward to as it may be a bit quicker.
2) Leave Zone transfers unchecked. If the zones are AD Integrated (which they should be) then they'll replicate. You use the zone transfer only if you are replicating a zone to a server outside your AD (or not on a DC).
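Added example (the editor's, not Netman66's commands): the two settings from that answer applied with the DnsServer module (Windows Server 2012 or later) and then checked from the outside. The forwarder address is a placeholder from the TEST-NET-3 documentation range; substitute the resolvers you want unresolved queries sent to, keeping in mind that every internal name that misses the local zones is then handed to that party, which is exactly how the thread's godslake.local.com lookups ended up at a public address. Zone transfers stay off on both AD-integrated zones, and the check at the end actually attempts an AXFR against the server rather than only reading the setting back, because the transfer setting is per zone and a zone created later may have been left open. The server address is Server1's from the thread.

```powershell
# Editor's added example, not the answerer's commands. Windows Server 2012+ DnsServer module.
$Zones      = @('godslake.local', '_msdcs.godslake.local')
$Forwarders = @('203.0.113.53')      # placeholder (TEST-NET-3); use your chosen upstream resolvers
$DnsServer  = '192.168.0.9'          # Server1, from the thread

# 1) Forward unresolved queries instead of walking the root hints (the answer's point 1).
#    UseRootHint keeps the root hints as a fallback if every forwarder is down.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $true -Timeout 3

# 2) Keep zone transfers off (the answer's point 2). AD-integrated zones replicate
#    through AD, so nothing legitimate needs AXFR here, and an open AXFR hands an
#    outsider every host name, DC and service locator in the domain in one query.
foreach ($z in $Zones) {
    Set-DnsServerPrimaryZone -Name $z -SecureSecondaries NoTransfer
}
# If a non-DC secondary is ever required, whitelist it explicitly instead of opening
# transfers to everyone (192.168.0.20 is an assumed address):
# Set-DnsServerPrimaryZone -Name $z -SecureSecondaries TransferToSecureServers -SecondaryServers 192.168.0.20

function Test-ZoneTransferBlocked {
    param([string]$Zone, [string]$Server)
    # Attempt a real AXFR with nslookup's "ls -d" (interactive mode, command on stdin)
    # and report $true only if the server refused to list the zone
    $out = "ls -d $Zone" | nslookup - $Server 2>&1 | Out-String
    return [bool]($out -match "Can't list domain")
}

$results = foreach ($z in $Zones) {
    [pscustomobject]@{
        Zone        = $z
        Setting     = (Get-DnsServerZone -Name $z).SecureSecondaries
        AxfrBlocked = Test-ZoneTransferBlocked -Zone $z -Server $DnsServer
    }
}
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.AxfrBlocked }) {
    Write-Warning 'At least one zone still answers a zone transfer request'
}
```

Run the transfer check again from a host that is not a DC, with the zone list extended to any other zones the server hosts; the setting is per zone, so a zone added after hardening is the one most likely to be found open.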
ASKER
Thanks very much, Netman66!
ASKER
Now I've fixed the problem on the Vista workstation, but it still exists with the XP workstation.
1. On my Windows Vista machine, when I change TCP/IP Properties from "Automatically assign the DNS name" and specify the IP address of Server1 as its Preferred DNS server, then the problem goes away. I can properly ping the server with its FQDN, and I can join the domain.
2. However, on my Windows XP machine, applying the same solution (specify the preferred DNS address), even after a reboot, it still can ping the server with its FQDN and it can't join the domain. The error message continues to be "A domain controller for the domain godslake.local.com could not be contacted."