TacomaVA asked:
Modifying a hosts file - DNS Issue?

Every time I add a computer to my WIndows 2000 domain, I have to modify the hosts file and add an entry for the domain server.  If I don't do that, I receive a pop up message when trying to add the machine to the domain.  Once I modify the hosts file, the machine is added to the domain with no problems.

Is this a DNS issue?  Can you please provide some steps for how I can resolve this issue?
Mike Kline:
What DNS servers do you have configured on those machines for primary and secondary DNS?
Are your AD/domain controller servers also serving as DNS servers?
Thanks
Mike
TacomaVA (asker):
Each machine has one DNS server configured and that DNS server is the DC.  I do not have any secondary DNS servers configured on the machines.
Sounds like the host (a) record for the DC is missing/incorrect, or you have more than one. Since all your machines then have the correct IP in their hosts file it's going unnoticed.
Does your DC have multiple NICs/IP addresses?
On the DC in question, ensure it's using itself as it's own primary DNS server and run:
ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon
Then check in the DNS console, in your forward lookup zone, for Host (A) records for the DC. There should only be one, and it should be the correct IP address. If you have more than one, and the DC doesn't actually have multiple IP addresses, manually delete the incorrect record.
If you do have multiple NICs in the DC, then you need to stop the offending NIC from registering in DNS. This is done in the properties of the NIC in question.
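The check-and-reregister procedure above, as an added example in modern PowerShell (this is not code from the thread, and on Windows 2000 itself the ipconfig/net commands in the post are the tools). It assumes the DnsClient and DnsServer modules of Windows Server 2012 or later, that it runs on the DC, and that the zone name is a placeholder you replace with your own:

```powershell
# Added example, not from the original thread. Verifies the DC uses itself for DNS,
# re-registers its records, and flags duplicate or stale A records in the zone.
# Assumptions: DnsClient + DnsServer modules present; run elevated on the DC.
param(
    [string]$ZoneName = 'domain.local',    # placeholder: your AD DNS zone
    [string]$DcName   = $env:COMPUTERNAME  # short host name of this DC
)

# 1. Addresses this DC actually owns (skip loopback and APIPA/link-local).
$ownAddresses = (Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.PrefixOrigin -ne 'WellKnown' }).IPAddress

# 2. DNS client settings: the DC should point at itself (first), not at an ISP resolver.
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
if (-not ($dnsServers | Where-Object { $ownAddresses -contains $_ })) {
    Write-Warning "DC does not use itself for DNS. Configured: $($dnsServers -join ', ')"
}

# 3. Same effect as ipconfig /flushdns, ipconfig /registerdns, net stop/start netlogon.
Clear-DnsClientCache
Register-DnsClient
Restart-Service -Name Netlogon -Force
Start-Sleep -Seconds 5   # give Netlogon a moment to re-register SRV/A records

# 4. How many A records does the zone hold for this DC, and do they all match a live NIC?
$aRecords = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $DcName -RRType A -ErrorAction SilentlyContinue
$ips = @($aRecords | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
"A records for $DcName in $ZoneName : $($ips -join ', ')"
if ($ips.Count -eq 0) {
    Write-Warning "No A record for $DcName; registration failed, check zone dynamic-update settings"
}
$stale = $ips | Where-Object { $ownAddresses -notcontains $_ }
if ($stale) {
    # A disabled or second NIC that still registers leaves an address clients cannot reach.
    Write-Warning "Stale A record(s) for $DcName -> $($stale -join ', '); remove with Remove-DnsServerResourceRecord"
}
```

The stale-record warning is the case the thread is circling: a client that happens to pick the unreachable address times out, and a hosts-file entry silently papers over it.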
1)I have two NICs in the machine, but one of those is disabled.

2)In the forward lookup zone, I have a host record and a name server record for the DC with correct IP address.  I also have a host record and name server record for a machine that used to be a SDC, based on information I have here.  

Should I delete the SDC host and name server records?
What does an nslookup test yield? Run the following command:
nslookup dc.domain.local
(where dc.domain.local is the FQDN of your current DC). Do you get a correct response back? What if you run the same test on a non-domain computer, using the DC for DNS?
With regards to the records for the old DC, yes, I would remove them, but I'm not sure if these would be the cause of your problems.
It may be worth running a metadata cleanup to remove any traces of the old server, just in case other remnants of it were left over: http://www.petri.co.il/delete_failed_dcs_from_ad.htm. Like I say, though, I'm not sure this will solve your problem but worth doing anyway.
On the DC and a non-domain computer, I get a response after using the nslookup command.
The server is listed and the IP address is listed.  Then a message appears that says "DNS request timed out.  timeout was 2 seconds"
Sorry, I meant to run the command on a workstation on the domain, and a workstation not on the domain, each time trying to resolve the name of the DC. Could you post the results of both of these tests? It sounds like nslookup's initial reverse lookup is successful, but the actual query is timing out.
Can you successfully perform an nslookup test for another server/workstation in your domain? Does this name resolve to the correct IP address?
Also ensure that windows firewall is off on both the client you are trying to join and the DC. See if this helps.
Try deleting the A record for the DC, and then run the four commands I posted earlier to re-create it.
Okay, I ran the NSLOOKUP command and here are the results:

1) Machine not on the domain.
Server name and IP address returned (both correct).
DNS request timed out.  timeout was 2 seconds.  (domain here) can't find (domain here): Server failed

2) Machine on the domain.
Server name and IP address returned (both correct).
DNS request timed out.  timeout was 2 seconds.  
Can you do one thing as a test? Rename the hosts file so it cannot be used.
Make sure your DC DNS IP Is pointing to itself
Make sure your client DNS IP is the same as the DC
run from the command line on the DC 'stop netlogon' and then 'start netlogon'
run from the command line on the DC 'ipconfig /flushdns'
run from the command line on the client 'ipconfig /flushdns'
Run NSLOOKUP from the command line *******NSLOOKUP only works properly with a reverse lookup zone******* Do you have one?
Now what happens?
 
Hi there.
What do you have in the DNS field, TCP/IP properties on your DC?
I bet that's your problem :)

run from the command line on the DC 'stop netlogon' and then 'start netlogon' SHOULD BE
run from the command line on the DC 'netstop netlogon' and then 'netstart netlogon'
APOLOGIES
OK, that shows that the forward lookup is timing out for some reason.
Have you tried the four commands on the DC after deleting the host (a) record from DNS as I suggested earlier?
Have you also tried to resolve another DNS name (a workstation for example)? Have you also checked the windows firewall on both machines?
Colin - NSLOOKUP does work without a reverse lookup. The only thing that fails without one is the initial attempt to resolve the specified primary DNS server's IP address to a name, but this is inconsequential. The actual forward lookup query you give the command will resolve without one.
bluntTony -
Colin - NSLOOKUP does work without a reverse lookup. The only thing that fails without one is the initial attempt to resolve the specified primary DNS server's IP address to a name, but this is inconsequential. The actual forward lookup query you give the command will resolve without one.
My mistake for not being succinct. Without a reverse zone NSLOOKUP throws an error at the end of the first output, and can give an inexperienced person the feeling there is something wrong. By having a reverse zone configured, it just eliminates erroneous error messages.
 
No worries - just wanted to clarify. Although it looks like there must be a reverse lookup zone, as the DNS server IP address is apparently resolving to a name according to TacomaVA. The strange thing is that this is resolving, but then the subsequent forward lookup is timing out.
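The distinction bluntTony draws (nslookup's initial reverse lookup of the server versus the forward query that matters) can be made explicit by issuing the two queries separately. The following is an added example, not code from the thread; it assumes the DnsClient module (Windows 8 / Server 2012 or later) and uses placeholder values for the DNS server address and the DC's FQDN. It goes one step further than the posts and also checks the _msdcs SRV record that a domain join depends on.

```powershell
# Added example, not from the original thread. Separates the three lookups a domain
# join relies on so a cosmetic PTR failure is not mistaken for a real DNS problem.
# Assumptions: DnsClient module; $DnsServer and $DcFqdn are placeholders.
param(
    [string]$DnsServer = '192.0.2.10',      # placeholder: IP of the DC that runs DNS
    [string]$DcFqdn    = 'dc.domain.local'  # placeholder: FQDN of the DC
)

# Step 1: nslookup's first action is a PTR query for the server's own IP. Without a
# reverse lookup zone this times out, but it has no bearing on forward resolution.
try {
    $ptr = Resolve-DnsName -Name $DnsServer -Type PTR -Server $DnsServer -DnsOnly -ErrorAction Stop
    "Reverse lookup: $DnsServer -> $($ptr.NameHost)"
} catch {
    "Reverse lookup of $DnsServer failed ($($_.Exception.Message)); cosmetic unless you need PTR records"
}

# Step 2: the forward A query for the DC. This must succeed; a timeout here means the
# server or the zone is broken, and a hosts-file entry is only hiding it.
try {
    $a = Resolve-DnsName -Name $DcFqdn -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop
    $ips = ($a | Where-Object { $_.Type -eq 'A' }).IPAddress
    "Forward lookup: $DcFqdn -> $($ips -join ', ')"
} catch {
    Write-Warning "Forward lookup of $DcFqdn against $DnsServer failed: $($_.Exception.Message)"
}

# Step 3: the SRV record a client uses to locate a DC during a join. Netlogon
# registers it under _msdcs; if it is missing, the forward A record alone is not enough.
$domain = $DcFqdn.Substring($DcFqdn.IndexOf('.') + 1)
$srvName = "_ldap._tcp.dc._msdcs.$domain"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop
    $targets = $srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { "$($_.NameTarget):$($_.Port)" }
    "SRV $srvName -> $($targets -join ', ')"
} catch {
    Write-Warning "No $srvName record; domain join cannot locate a DC without it"
}
```

Run it first on the DC against its own address, then from a workstation that is not yet joined; the outputs should match, and any difference between the two points at the client's DNS server setting rather than at the zone.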
As I said before, to stop any erroneous entries, rename the hosts file.
Then point DC to itself and clients to DC.
Go to DNS Advanced settings and configure DNS as in the picture, replacing my domain with yours.
Send back results.

dns-settings.bmp
Okay here's my update, sorry it is late.

1)Windows firewall was off each time.

2)I attempted to use the NSLOOKUP command from the DC and I used the name of a workstation.  I got a return that said "non existent domain."  I double checked my workstation name and then I went into the DNS and noticed that my workstation did not have a host record listed.  

Is my issue that my workstations are not registering within the DNS forward lookup zone?

Okay this is getting strange.

I took a workstation, removed it from the domain, and the hosts file was clear.  The only entry in the hosts file was for the local IP.  I opened my DNS, there was no host record for this workstation's IP address.  I rebooted and added the workstation to the domain and it was added successfully with no error!!!  I then opened my DNS console, refreshed, and a host record for the workstation is not listed.  Any ideas?  Do I need to just manually add a host record for the workstation?
Check aging and scavenging.
A DNS entry for the workstation being missing sounds like a symptom of the same problem, although this in itself would not stop you joining a domain.
Sometimes the host record for a machine does not immediately appear in DNS. Try manually registering by running 'ipconfig -registerdns' on the client.
Have you tried deleting the host record for the DC then running the four commands I posted? Just to eliminate issues, run the metadata cleanup as in the article I linked earlier, and remove any DNS records relating to the old DC.
Also, as ChiefIT has mentioned, do you have aging/scavenging enabled on the DNS server? If so, what period is being used?
I'll try deleting the host record for the DC and running the four commands in just a bit.  I did try the "ipconfig -registerdns" on the workstation, but that did not register it into the DNS.  Any ideas on that one?
No aging/scavenging enabled on the DNS server.
Can you upload some screenshots of your command line and DNS settings?
Do you have DHCP handing out IP addresses? If so, what other options are you pushing out? Any DNS suffix settings? Could you possibly post the results of an ipconfig -all from a workstation on the domain, one not on the domain, and from the DC/DNS server? (change anything publicly sensitive...)
SOLUTION by ChiefIT (members-only content not shown)
Thank you everyone for helping, I know it's not easy solving these issues over the web.

No DHCP is running.

Attached are my files - OnDomain (ipconfig /all for workstation on domain), DC (ipconfig /all for DC/DNS and I blacked out the host name), OffDomain (ipconfig /all for off domain PC and I blacked out the host name).

OnDomain.JPG
DC.JPG
OffDomain.JPG
ASKER CERTIFIED SOLUTION (members-only content not shown)
I checked the security permissions for the host record for the DC and found something interesting.  Everyone is listed and the read box is checked.  However, under security for the DC host record, I do not have Authenticated Users listed.  Should I add it?

Now if I view properties on the Name Server or Start of Auth... entries and then click on the security tab, I have everyone and Authenticated Users listed.  Everyone has read checked and Authenticated Users has "Create all Child Objects" checked.  What should I do here?

Also, I'm including a screenshot of my DNS window.  If you view it, under my forward lookup zones, you'll see domaindnszones.xxxx and forestdnszones.xxxx.  I have one of those selections highlighted and as you see on the right, there are three entries.  It looks the same if you select forestdnszones.  Can I delete domaindnszones and forestdnszones?  I only have one domain, no child domains.
DNS.gif
Where is your _msdcs folder that holds your DNS SRV records? Is it within the forward lookup zone?

So try this:

go to the command prompt and type

Netdiag /fix