
Modifying a hosts file - DNS Issue?

Last Modified: 2013-12-05
Every time I add a computer to my Windows 2000 domain, I have to modify the hosts file and add an entry for the domain server.  If I don't do that, I receive a pop up message when trying to add the machine to the domain.  Once I modify the hosts file, the machine is added to the domain with no problems.

Is this a DNS issue?  Can you please provide some steps for how I can resolve this issue?

CERTIFIED EXPERT
Top Expert 2013

Commented:
What DNS servers do you have configured on those machines for primary and secondary DNS?
Are your AD/domain controller servers also serving as DNS servers?
Thanks
Mike

Author

Commented:
Each machine has one DNS server configured and that DNS server is the DC.  I do not have any secondary DNS servers configured on the machines.
bluntTony, Head of ICT
Top Expert 2009

Commented:
Sounds like the host (a) record for the DC is missing/incorrect, or you have more than one. Since all your machines then have the correct IP in their hosts file it's going unnoticed.
Does your DC have multiple NICs/IP addresses?
On the DC in question, ensure it's using itself as its own primary DNS server and run:
ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon
Then check in the DNS console in your forward lookup zone for Host (A) records for the DC. There should only be one, and it should be the correct IP address. If you have more than one, and you don't have multiple IP addresses for the DC, then manually delete the incorrect record.
If you do have multiple NICs for the DC, then you need to stop the offending NIC registering in DNS. This is done in the properties of the NIC in question.

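As an added example (not code from the thread), a PowerShell script that runs the checks bluntTony lays out from the client's side: whether the hosts file is masking the problem, whether the DNS client points at the DC, whether the DC returns exactly one correct A record for itself, and whether the _msdcs SRV record a domain join relies on exists. It assumes a current Windows client with the DnsClient module (Windows 8 / Server 2012 or later); dc.domain.local and 192.0.2.10 are placeholders.

```powershell
# Added example, not from the thread. Assumes the DnsClient module (Windows 8 / Server 2012+).
param(
    [string]$DcFqdn = 'dc.domain.local',   # placeholder: FQDN of the DC, as used in the thread
    [string]$DcIp   = '192.0.2.10'         # placeholder: the DC's real IP (documentation range)
)
$findings = @()

# 1. A hosts-file entry for the DC means resolution never reaches DNS at all; that is why the
#    join "works" after editing hosts and why the real DNS fault goes unnoticed.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsHits = Get-Content $hostsPath |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match [regex]::Escape($DcFqdn) }
if ($hostsHits) { $findings += "hosts file overrides DNS for ${DcFqdn}: $($hostsHits -join '; ')" }

# 2. Every configured DNS server on this machine should be the DC (clients point to the DC,
#    the DC points to itself).
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique
$foreign = @($dnsServers | Where-Object { $_ -ne $DcIp })
if ($foreign.Count -gt 0) { $findings += "DNS servers other than the DC configured: $($foreign -join ', ')" }

# 3. Ask the DC itself for its A record, bypassing the hosts file and the resolver cache.
#    There must be exactly one, carrying the DC's real IP (a second NIC that still registers
#    in DNS shows up here as an extra record).
try {
    $a = @(Resolve-DnsName -Name $DcFqdn -Type A -Server $DcIp -DnsOnly -NoHostsFile -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' })
    if ($a.Count -ne 1) {
        $findings += "expected one A record for $DcFqdn, got $($a.Count): $($a.IPAddress -join ', ')"
    } elseif ($a[0].IPAddress -ne $DcIp) {
        $findings += "A record for $DcFqdn is $($a[0].IPAddress), not $DcIp"
    }
} catch { $findings += "forward lookup of $DcFqdn against $DcIp failed: $($_.Exception.Message)" }

# 4. A domain join locates the DC through the _msdcs LDAP SRV record, not the A record alone.
$domain = $DcFqdn.Substring($DcFqdn.IndexOf('.') + 1)
try {
    $srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $DcIp -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'SRV' })
    if (-not ($srv.NameTarget -contains $DcFqdn)) {
        $findings += "no LDAP SRV record in _msdcs.$domain targets $DcFqdn (targets: $($srv.NameTarget -join ', '))"
    }
} catch { $findings += "SRV lookup for _msdcs.$domain failed: $($_.Exception.Message)" }

if ($findings.Count -eq 0) { 'No DNS findings: the DC resolves correctly without the hosts file.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it on a workstation before it is joined and again on the DC; a finding in step 1 with none in step 3 means the hosts file was never actually needed.
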
Author

Commented:
1) I have two NICs in the machine, but one of those is disabled.

2) In the forward lookup zone, I have a host record and a name server record for the DC with correct IP address.  I also have a host record and name server record for a machine that used to be a SDC, based on information I have here.

Should I delete the SDC host and name server records?
bluntTony, Head of ICT
Top Expert 2009

Commented:
What does an nslookup test yield? Run the following command:
nslookup dc.domain.local
(where dc.domain.local is the FQDN of your current DC). Do you get a correct response back? What if you run the same test on a non-domain computer, using the DC for DNS?
With regards to the records for the old DC, yes, I would remove them, but I'm not sure if these would be the cause of your problems.
It may be worth running a metadata cleanup to remove any traces of the old server, just in case other remnants of it were left over: http://www.petri.co.il/delete_failed_dcs_from_ad.htm. Like I say, though, I'm not sure this will solve your problem but worth doing anyway.

Author

Commented:
On the DC and a non-domain computer, I get a response after using the nslookup command.
The server is listed and the IP address is listed.  Then a message appears that says "DNS request timed out.  timeout was 2 seconds"
bluntTony, Head of ICT
Top Expert 2009

Commented:
Sorry, I meant to run the command on a workstation on the domain, and a workstation not on the domain, each time trying to resolve the name of the DC. Could you post the results of both of these tests? It sounds like nslookup's initial reverse lookup is successful, but the actual query is timing out.
Can you successfully perform an nslookup test for another server/workstation in your domain? Does this name resolve to the correct IP address?
Also ensure that windows firewall is off on both the client you are trying to join and the DC. See if this helps.
Try deleting the A record for the DC, and then run the four commands I posted earlier to re-create it.

Author

Commented:
Okay, I ran the NSLOOKUP command and here are the results:

1) Machine not on the domain.
Server name and IP address returned (both correct).
DNS request timed out.  timeout was 2 seconds.  (domain here) can't find (domain here): Server failed

2) Machine on the domain.
Server name and IP address returned (both correct).
DNS request timed out.  timeout was 2 seconds.  
Can you do one thing as a test. Rename the hosts file so it cannot be used.
Make sure your DC DNS IP Is pointing to itself
Make sure your client DNS IP is the same as the DC
run from the command line on the DC 'stop netlogon' and then 'start netlogon'
run the command line on the DC 'ipconfig/flushdns'
run the command line on the client 'ipconfig/flushdns'
Run NSLOOKUP from the command line *******NSLOOKUP only works properly with a reverse lookup zone******* Do you have one?
Now what happens?
Hi there.
What do you have in the DNS field, TCP/IP properties on your DC?
I bet that's your problem :)

run from the command line on the DC 'stop netlogon' and then 'start netlogon' SHOULD BE
run from the command line on the DC 'net stop netlogon' and then 'net start netlogon'
APOLOGIES
bluntTony, Head of ICT
Top Expert 2009

Commented:
OK, that shows that the forward lookup is timing out for some reason.
Have you tried the four commands on the DC after deleting the host (a) record from DNS as I suggested earlier?
Have you also tried to resolve another DNS name (a workstation for example)? Have you also checked the windows firewall on both machines?
Colin - NSLOOKUP does work without a reverse lookup. The only thing that fails without one is the initial attempt to resolve the specified primary DNS server's IP address to a name, but this is inconsequential. The actual forward lookup query you give the command will resolve without one.
bluntTony -
Colin - NSLOOKUP does work without a reverse lookup. The only thing that fails without one is the initial attempt to resolve the specified primary DNS server's IP address to a name, but this is inconsequential. The actual forward lookup query you give the command will resolve without one.
My mistake for not being succinct. Without a reverse zone NSLOOKUP throws an error at the end of the first output, and can give an inexperienced person the feeling there is something wrong. By having a reverse zone configured, it just eliminates erroneous error messages.
bluntTony, Head of ICT
Top Expert 2009

Commented:
No worries - just wanted to clarify. Although it looks like there must be a reverse lookup as the DNS server IP address is apparently resolving to a name according to TacomaVA. The strange thing is that this is resolving, but then the subsequent forward lookup is timing out.
As I said before, to stop any erroneous entries, rename the hosts file.
Then point DC to itself and clients to DC.
Go to DNS Advanced settings and configure DNS as the pic, replacing my domain with yours.
Send back results.

dns-settings.bmp

Author

Commented:
Okay here's my update, sorry it is late.

1)Windows firewall was off each time.

2)I attempted to use the NSLOOKUP command from the DC and I used the name of a workstation.  I got a return that said "non existent domain."  I double checked my workstation name and then I went into the DNS and noticed that my workstation did not have a host record listed.  

Is my issue that my workstations are not registering within the DNS forward lookup zone?

Author

Commented:
Okay this is getting strange.

I took a workstation, removed it from the domain, and the hosts file was clear.  The only entry in the hosts file was for the local IP.  I opened my DNS, there was no host record for this workstation's IP address.  I rebooted and added the workstation to the domain and it was added successfully with no error!!!  I then opened my DNS console, refreshed, and a host record for the workstation is not listed.  Any ideas?  Do I need to just manually add a host record for the workstation?

Commented:
Check aging and scavenging.
bluntTony, Head of ICT
Top Expert 2009

Commented:
A DNS entry for the workstation being missing sounds like a symptom of the same problem, although this in itself would not stop you joining a domain.
Sometimes the host record for a machine does not immediately appear in DNS. Try manually registering by running 'ipconfig -registerdns' on the client.
Have you tried deleting the host record for the DC then running the four commands I posted? Just to eliminate issues, run the metadata cleanup as in the article I linked earlier, and remove any DNS records relating to the old DC.
Also, as cheifIT has mentioned, do you have aging/scavenging enabled on the DNS server? If so, what period is being used?

Author

Commented:
I'll try deleting the host record for the DC and running the four commands in just a bit.  I did try the "ipconfig -registerdns" on the workstation, but that did not register it into the DNS.  Any ideas on that one?

Author

Commented:
No aging/scavenging enabled on the DNS server.
Can you load some screenshots of your cmd line and DNS settings?
bluntTony, Head of ICT
Top Expert 2009

Commented:
Do you have DHCP handing out IP addresses? If so, what other options are you pushing out? Any DNS suffix settings? Could you possibly post the results of an ipconfig -all from a workstation on the domain, one not on the domain, and from the DC/DNS server? (change anything publicly sensitive...)

Author

Commented:
Thank you everyone for helping, I know it's not easy solving these issues over the web.

No DHCP is running.

Attached are my files - OnDomain (ipconfig /all for workstation on domain), DC (ipconfig /all for DC/DNS and I blacked out the host name), OffDomain (ipconfig /all for off domain PC and I blacked out the host name).

OnDomain.JPG
DC.JPG
OffDomain.JPG

Author

Commented:
I checked the security permissions for the host record for the DC and found something interesting.  Everyone is listed and the read box is checked.  However, under security for the DC host record, I do not have Authenticated Users listed.  Should I add it?

Now if I view properties on the Name Server or Start of Auth... entries and then click on the security tab, I have everyone and Authenticated Users listed.  Everyone has read checked and Authenticated Users has "Create all Child Objects" checked.  What should I do here?

Also, I'm including a screenshot of my DNS window.  If you view it, under my forward lookup zones, you'll see domaindnszones.xxxx and forestdnszones.xxxx.  I have one of those selections highlighted and as you see on the right, there are three entries.  It looks the same if you select forestdnszones.  Can I delete domaindnszones and forestdnszones?  I only have one domain, no child domains.
DNS.gif

Commented:
Where is your MSDCS folder that holds your DNS SRV records? Is it within the forward lookup zone?

So try this:

go to the command prompt and type

Netdiag /fix
