Solved

Modifying a hosts file - DNS Issue?

Posted on 2009-06-29
Last Modified: 2013-12-05
Every time I add a computer to my Windows 2000 domain, I have to modify the hosts file and add an entry for the domain server.  If I don't do that, I receive a pop-up message when trying to add the machine to the domain.  Once I modify the hosts file, the machine is added to the domain with no problems.

Is this a DNS issue?  Can you please provide some steps for how I can resolve this issue?
Question by TacomaVA

28 Comments

Expert Comment by Mike Kline (LVL 57)
What DNS servers do you have configured on those machines for primary and secondary DNS?
Are your AD/domain controller servers also serving as DNS servers?
Thanks
Mike

Author Comment by TacomaVA
Each machine has one DNS server configured and that DNS server is the DC.  I do not have any secondary DNS servers configured on the machines.

Expert Comment by bluntTony (LVL 27)
Sounds like the host (A) record for the DC is missing/incorrect, or you have more than one. Since all your machines then have the correct IP in their hosts file, it's going unnoticed.
Does your DC have multiple NICs/IP addresses?
On the DC in question, ensure it's using itself as its own primary DNS server and run:
ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon
Then check in the DNS console in your forward lookup zone for Host (A) records for the DC. There should only be one, and it should be the correct IP address. If you have more than one, and you don't have multiple IP addresses for the DC, then manually delete the incorrect record.
If you do have multiple NICs for the DC, then you need to stop the offending NIC registering in DNS. This is done in the properties of the NIC in question.
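As an added example (not code posted by anyone in this thread), the following PowerShell script runs the four re-registration commands above on the DC and then does the duplicate Host (A) check that bluntTony describes doing in the DNS console, comparing each A record for the DC against the addresses actually bound on it. It assumes the DnsServer and NetTCPIP modules (Windows Server 2012 or later; on Windows 2000 the check stays a manual one in the DNS console), and `domain.local` and `dc` are placeholders for your zone and DC host name.

```powershell
# Added example, not from the thread: re-register the DC in DNS and report
# stale or duplicate Host (A) records for it. Run on the DC itself.
# Assumes the DnsServer and NetTCPIP modules (Windows Server 2012+).
param(
    [string]$ZoneName   = 'domain.local',   # assumption: your AD DNS zone
    [string]$DcHostName = 'dc'              # assumption: the DC's short host name
)

# Step 1: flush the resolver cache and re-register this host's A/PTR records.
ipconfig /flushdns    | Out-Null
ipconfig /registerdns | Out-Null

# Step 2: restart Netlogon so the DC re-registers its SRV records under _msdcs.
# Equivalent to 'net stop netlogon' followed by 'net start netlogon'.
Restart-Service -Name Netlogon

# Give the dynamic update a moment to land before reading the zone back.
Start-Sleep -Seconds 10

# Step 3: every A record for the DC's name, and every IPv4 address bound on
# an enabled adapter. Only one record is expected, and it must be bound here.
$records = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $DcHostName `
               -RRType A -ErrorAction SilentlyContinue
$bound   = (Get-NetIPAddress -AddressFamily IPv4 |
            Where-Object { $_.InterfaceAlias -notmatch 'Loopback' }).IPAddress

if (-not $records) {
    Write-Warning "No A record found for $DcHostName in $ZoneName; registration did not succeed."
    return
}

foreach ($r in $records) {
    $ip = $r.RecordData.IPv4Address.IPAddressToString
    if ($bound -contains $ip) {
        Write-Output "OK     $DcHostName.$ZoneName -> $ip (bound on this DC)"
    } else {
        # An A record pointing at an address the DC no longer owns (old NIC,
        # old address) is the stale entry to delete manually in the DNS console.
        Write-Warning "STALE  $DcHostName.$ZoneName -> $ip (not bound on this DC)"
    }
}

if (@($records).Count -gt 1) {
    Write-Warning ("Multiple A records for $DcHostName. If a second NIC is registering, " +
                   "clear 'Register this connection's addresses in DNS' on that adapter.")
}
```

The script only reports; deleting a record is left as the deliberate manual step the comment describes, so that a record belonging to a genuinely multi-homed DC is not removed by accident.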

Author Comment by TacomaVA
1) I have two NICs in the machine, but one of those is disabled.

2) In the forward lookup zone, I have a host record and a name server record for the DC with the correct IP address.  I also have a host record and name server record for a machine that used to be a SDC, based on information I have here.

Should I delete the SDC host and name server records?

Expert Comment by bluntTony (LVL 27)
What does an nslookup test yield? Run the following command:
nslookup dc.domain.local
(where dc.domain.local is the FQDN of your current DC). Do you get a correct response back? What if you run the same test on a non-domain computer, using the DC for DNS?
With regards to the records for the old DC, yes, I would remove them, but I'm not sure if these would be the cause of your problems.
It may be worth running a metadata cleanup to remove any traces of the old server, just in case other remnants of it were left over: http://www.petri.co.il/delete_failed_dcs_from_ad.htm. Like I say, though, I'm not sure this will solve your problem but worth doing anyway.

Author Comment by TacomaVA
On the DC and a non-domain computer, I get a response after using the nslookup command.
The server is listed and the IP address is listed.  Then a message appears that says "DNS request timed out.  timeout was 2 seconds"

Expert Comment by bluntTony (LVL 27)
Sorry, I meant to run the command on a workstation on the domain, and a workstation not on the domain, each time trying to resolve the name of the DC. Could you post the results of both of these tests? It sounds like nslookup's initial reverse lookup is successful, but the actual query is timing out.
Can you successfully perform an nslookup test for another server/workstation in your domain? Does this name resolve to the correct IP address?
Also ensure that Windows Firewall is off on both the client you are trying to join and the DC. See if this helps.
Try deleting the A record for the DC, and then run the four commands I posted earlier to re-create it.

Author Comment by TacomaVA
Okay, I ran the NSLOOKUP command and here are the results:

1) Machine not on the domain.
Server name and IP address returned (both correct).
DNS request timed out.  timeout was 2 seconds.  (domain here) can't find (domain here): Server failed

2) Machine on the domain.
Server name and IP address returned (both correct).
DNS request timed out.  timeout was 2 seconds.  

Expert Comment by Colin_A_Moulder (LVL 1)
Can you do one thing as a test? Rename the hosts file so it cannot be used.
Make sure your DC DNS IP is pointing to itself.
Make sure your client DNS IP is the same as the DC.
Run from the command line on the DC 'stop netlogon' and then 'start netlogon'.
Run from the command line on the DC 'ipconfig/flushdns'.
Run from the command line on the client 'ipconfig/flushdns'.
Run NSLOOKUP from the command line *******NSLOOKUP only works properly with a reverse lookup zone******* Do you have one?
Now what happens?

Expert Comment by MariusSunchaser (LVL 7)
Hi there.
What do you have in the DNS field, TCP/IP properties on your DC?
I bet that's your problem :)

Expert Comment by Colin_A_Moulder (LVL 1)
Run from the command line on the DC 'stop netlogon' and then 'start netlogon' SHOULD BE
Run from the command line on the DC 'net stop netlogon' and then 'net start netlogon'.
APOLOGIES

Expert Comment by bluntTony (LVL 27)
OK, that shows that the forward lookup is timing out for some reason.
Have you tried the four commands on the DC after deleting the host (a) record from DNS as I suggested earlier?
Have you also tried to resolve another DNS name (a workstation, for example)? Have you also checked the Windows Firewall on both machines?
Colin - NSLOOKUP does work without a reverse lookup. The only thing that fails without one is the initial attempt to resolve the specified primary DNS server's IP address to a name, but this is inconsequential. The actual forward lookup query you give the command will resolve without one.

Expert Comment by Colin_A_Moulder (LVL 1)
bluntTony -
Colin - NSLOOKUP does work without a reverse lookup. The only thing that fails without one is the initial attempt to resolve the specified primary DNS server's IP address to a name, but this is inconsequential. The actual forward lookup query you give the command will resolve without one.
My mistake for not being succinct. Without a reverse zone NSLOOKUP throws an error at the end of the first output, and can give an inexperienced person the feeling there is something wrong. By having a reverse zone configured, it just eliminates erroneous error messages.

Expert Comment by bluntTony (LVL 27)
No worries - just wanted to clarify. Although it looks like there must be a reverse lookup zone, as the DNS server IP address is apparently resolving to a name according to TacomaVA. The strange thing is that this is resolving, but then the subsequent forward lookup is timing out.

Expert Comment by Colin_A_Moulder (LVL 1)
As I said before, to stop any erroneous entries, rename the hosts file.
Then point DC to itself and clients to DC.
Go to DNS Advanced settings and configure DNS as the pic, replacing my domain with yours.
Send back results.

dns-settings.bmp

Author Comment by TacomaVA
Okay here's my update, sorry it is late.

1) Windows Firewall was off each time.

2) I attempted to use the NSLOOKUP command from the DC and I used the name of a workstation.  I got a return that said "non-existent domain."  I double checked my workstation name and then I went into the DNS and noticed that my workstation did not have a host record listed.

Is my issue that my workstations are not registering within the DNS forward lookup zone?


Author Comment by TacomaVA
Okay this is getting strange.

I took a workstation, removed it from the domain, and the hosts file was clear.  The only entry in the hosts file was for the local IP.  I opened my DNS, there was no host record for this workstation's IP address.  I rebooted and added the workstation to the domain and it was added successfully with no error!!!  I then opened my DNS console, refreshed, and a host record for the workstation is not listed.  Any ideas?  Do I need to just manually add a host record for the workstation?

Expert Comment by ChiefIT (LVL 38)
Check aging and scavenging.

Expert Comment by bluntTony (LVL 27)
A DNS entry for the workstation being missing sounds like a symptom of the same problem, although this in itself would not stop you joining a domain.
Sometimes the host record for a machine does not immediately appear in DNS. Try manually registering by running 'ipconfig -registerdns' on the client.
Have you tried deleting the host record for the DC then running the four commands I posted? Just to eliminate issues, run the metadata cleanup as in the article I linked earlier, and remove any DNS records relating to the old DC.
Also, as ChiefIT has mentioned, do you have aging/scavenging enabled on the DNS server? If so, what period is being used?

Author Comment by TacomaVA
I'll try deleting the host record for the DC and running the four commands in just a bit.  I did try the "ipconfig -registerdns" on the workstation, but that did not register it into the DNS.  Any ideas on that one?

Author Comment by TacomaVA
No aging/scavenging enabled on the DNS server.

Expert Comment by Colin_A_Moulder (LVL 1)
Can you load some screenshots of your cmd line and DNS settings?

Expert Comment by bluntTony (LVL 27)
Do you have DHCP handing out IP addresses? If so, what other options are you pushing out? Any DNS suffix settings? Could you possibly post the results of an ipconfig -all from a workstation on the domain, one not on the domain, and from the DC/DNS server? (change anything publicly sensitive...)

Assisted Solution by ChiefIT (LVL 38, earned 150 total points)
I was watching Chris Dent on something like this because I had a similar problem where HOST A records would just disappear.

If you have a server to replicate your DNS settings with, you may have "lingering objects" and your replication set is a little confused.

http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24265262.html
__________________________________________________________
My problem is I attempted to prevent the DHCP server from dynamically updating DNS and make that the responsibility of the clients.

"How to perform Dynamic DNS registration" ((Also by Chris Dent)).  Hey what can I say, He's awesome at DNS.
http://www.experts-exchange.com/articles/Networking/Protocols/DNS/MS-DNS-Dynamic-Record-Registration.html
________________________________________________________
I also heard that you can deny NON-encrypted DNS registration and only allow encrypted registration. I haven't really looked into this. I stuck with the defaults of setting up DNS.

Author Comment by TacomaVA
Thank you everyone for helping, I know it's not easy solving these issues over the web.

No DHCP is running.

Attached are my files - OnDomain (ipconfig /all for workstation on domain), DC (ipconfig /all for DC/DNS and I blacked out the host name), OffDomain (ipconfig /all for off domain PC and I blacked out the host name).

OnDomain.JPG
DC.JPG
OffDomain.JPG

Accepted Solution by bluntTony (LVL 27, earned 350 total points)
OK, it all looks in order.
Just to sum up (if only for me!) you've got three problems (or symptoms) really:
1. When joining a domain, the initial SRV query for the DC returns OK, but then the query for the Host (A) for the same DC fails, even though the record exists in DNS. Adding a record to the Hosts file resolves this problem.
2. When performing an nslookup test for the DC's host record, the request times out. It doesn't return false, it actually times out. But the reverse lookup to find the name of the DNS server is successful.
3. When you do manage to join a machine to the domain, it fails to dynamically update DNS. You're not using DHCP so the client is attempting to do this directly.
Looking at this logically, it looks like the issue is with your main forward lookup zone, as an SRV and PTR query are successful (both different zones). It's like you are being refused permission to read/write to the zone data.
I would check the links provided by ChiefIT. When you said that when you check DNS after removing a machine from the domain, and the Host record for it wasn't there, had you checked that it was there before disjoining? If not, I think that maybe it never was in the first place.
Stab in the dark here, but try checking the security permissions for the Host (A) record for the DC (how to here: http://technet.microsoft.com/en-us/library/cc759029(WS.10).aspx). Authenticated Users and Everyone should have at least Read permissions.
Here is a table showing what the default permissions for a resource record should be: http://technet.microsoft.com/en-us/library/cc758380(WS.10).aspx
I'm leaving the office now but will have a think and get back to you...
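As an added example (not code posted by anyone in this thread), the PowerShell script below runs the three lookups this thread keeps coming back to (the _msdcs SRV record a joining client asks for first, the DC's Host (A) record, and the PTR lookup nslookup performs at startup), tells a timeout apart from a "name does not exist" answer as TacomaVA's nslookup output did, and then applies the reasoning in the summary above: if SRV and PTR answer but the A lookup does not, the main forward lookup zone is the odd one out. It also flags a hosts-file entry for the DC, since that is exactly what was masking the problem. It assumes Resolve-DnsName (Windows 8 / Server 2012 or later); the domain, DC FQDN and DNS server address are placeholders for your values.

```powershell
# Added example, not from the thread: reproduce the SRV / A / PTR tests and
# apply the "which zone is failing?" reasoning from the accepted solution.
# Assumes Resolve-DnsName (Windows 8 / Server 2012+). Run from any client.
param(
    [string]$Domain    = 'domain.local',     # assumption: your AD DNS domain
    [string]$DcFqdn    = 'dc.domain.local',  # assumption: the DC's FQDN
    [string]$DnsServer = '192.0.2.10'        # assumption: the DC's IP (documentation range)
)

function Test-Query {
    param([string]$Name, [string]$Type)
    try {
        # -DnsOnly and -NoHostsFile bypass the cache and the hosts file, so a
        # hosts entry cannot hide a failing lookup the way it did in the thread.
        $null = Resolve-DnsName -Name $Name -Type $Type -Server $DnsServer `
                    -DnsOnly -NoHostsFile -ErrorAction Stop
        return 'OK'
    } catch {
        # A negative answer and a timeout point at different causes, so keep them apart.
        $msg = $_.Exception.Message
        if ($msg -match 'does not exist') { return 'NXDOMAIN' }
        if ($msg -match 'timeout')        { return 'TIMEOUT' }
        return 'FAIL'
    }
}

# Build the in-addr.arpa name for the DC's IP (reverse the four octets).
$ptrName = (($DnsServer -split '\.')[3..0] -join '.') + '.in-addr.arpa'

$results = [ordered]@{
    SRV = Test-Query -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV  # first query a joining client makes
    A   = Test-Query -Name $DcFqdn -Type A                           # the lookup that timed out in the thread
    PTR = Test-Query -Name $ptrName -Type PTR                        # what nslookup resolves at startup
}
$results.GetEnumerator() | ForEach-Object { '{0,-4} {1}' -f $_.Key, $_.Value }

# The inference from the summary: _msdcs and the reverse zone answer but the
# main forward zone does not, so look at that zone (and the record's
# permissions), not at the server or the network path.
if ($results.SRV -eq 'OK' -and $results.PTR -eq 'OK' -and $results.A -ne 'OK') {
    Write-Warning ("Forward zone '$Domain' is the odd one out. Check the zone and the " +
                   "DC's Host (A) record security; Authenticated Users and Everyone need Read.")
} elseif ($results.A -eq 'NXDOMAIN') {
    Write-Warning "No A record for $DcFqdn on $DnsServer; re-register the DC (ipconfig /registerdns)."
} elseif ($results.SRV -ne 'OK' -and $results.A -ne 'OK' -and $results.PTR -ne 'OK') {
    Write-Warning "Nothing resolves against $DnsServer; check the address, firewall and that the DNS service is running."
}

# A hosts-file entry for the DC hides all of the above from the join dialog; report it.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsHits = Get-Content $hostsPath -ErrorAction SilentlyContinue |
             Where-Object { $_ -match "^\s*\S+\s+$([regex]::Escape($DcFqdn))(\s|$)" }
if ($hostsHits) {
    Write-Warning "hosts file has an entry for $DcFqdn; DNS failures are being masked on this machine."
}
```

Running it from a workstation on the domain and from one that is not, as bluntTony asked earlier, gives the side-by-side comparison in one place; the result table is what the thread was reconstructing by hand from nslookup output.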

Author Comment by TacomaVA
I checked the security permissions for the host record for the DC and found something interesting.  Everyone is listed and the read box is checked.  However, under security for the DC host record, I do not have Authenticated Users listed.  Should I add it?

Now if I view properties on the Name Server or Start of Auth... entries and then click on the security tab, I have everyone and Authenticated Users listed.  Everyone has read checked and Authenticated Users has "Create all Child Objects" checked.  What should I do here?

Also, I'm including a screenshot of my DNS window.  If you view it, under my forward lookup zones, you'll see domaindnszones.xxxx and forestdnszones.xxxx.  I have one of those selections highlighted and as you see on the right, there are three entries.  It looks the same if you select forestdnszones.  Can I delete domaindnszones and forestdnszones?  I only have one domain, no child domains.
DNS.gif

Expert Comment by ChiefIT (LVL 38)
Where is your MSDCS folder that holds your DNS SRV records? Is it within the forward lookup zone?

So try this:

go to the command prompt and type

Netdiag /fix
