  • Status: Solved
Modifying a hosts file - DNS Issue?

Every time I add a computer to my Windows 2000 domain, I have to modify the hosts file and add an entry for the domain server.  If I don't do that, I receive a pop-up message when trying to add the machine to the domain.  Once I modify the hosts file, the machine is added to the domain with no problems.

Is this a DNS issue?  Can you please provide some steps for how I can resolve this issue?
Asked: TacomaVA
2 Solutions
Mike KlineCommented:
What DNS servers do you have configured on those machines for primary and secondary DNS?
Are your AD/domain controller servers also serving as DNS servers?
Thanks
Mike
0
 
TacomaVAAuthor Commented:
Each machine has one DNS server configured and that DNS server is the DC.  I do not have any secondary DNS servers configured on the machines.
0
 
bluntTonyCommented:
Sounds like the host (A) record for the DC is missing/incorrect, or you have more than one. Since all your machines then have the correct IP in their hosts file, it's going unnoticed.
Does your DC have multiple NICs/IP addresses?
On the DC in question, ensure it's using itself as its own primary DNS server and run:
ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon
Then check in the DNS console in your forward lookup zone for Host (A) records for the DC. There should only be one, and it should be the correct IP address. If you have more than one, and you don't have multiple IP addresses for the DC, then manually delete the incorrect record.
If you do have multiple NICs for the DC, then you need to stop the offending NIC registering in DNS. This is done in the properties of the NIC in question.
0
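The checks in the answer above (DC pointing at itself for DNS, which NICs register, the flush/register/netlogon restart, and a single correct A record) as one script. This is an added example, not code from the thread; it assumes a DC with the DnsClient and NetTCPIP PowerShell modules (Windows Server 2012 or later, not the Windows 2000 box in the question), and `dc.domain.local` is a placeholder for your DC's FQDN.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the DC.
# Assumes the DnsClient and NetTCPIP modules; $DcFqdn is a placeholder to replace.
param([string]$DcFqdn = "dc.domain.local")

# 1. The DC's own IPv4 addresses (loopback excluded): what its A record should hold.
$localIps = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' } |
    Select-Object -ExpandProperty IPAddress

# 2. Is the DC using itself as a DNS server?
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses
if (-not ($dnsServers | Where-Object { $localIps -contains $_ -or $_ -eq '127.0.0.1' })) {
    Write-Warning "DC is not using itself for DNS; configured servers: $($dnsServers -join ', ')"
}

# 3. Which adapters register their address in DNS? A second NIC listed here explains a
#    duplicate A record; stop it with:
#    Set-DnsClient -InterfaceAlias '<alias>' -RegisterThisConnectionsAddress $false
Get-DnsClient | Where-Object { $_.RegisterThisConnectionsAddress } |
    Format-Table InterfaceAlias, RegisterThisConnectionsAddress, ConnectionSpecificSuffix -AutoSize

# 4. The four commands from the answer, as cmdlets: flush, re-register, bounce Netlogon.
Clear-DnsClientCache
Register-DnsClient
Restart-Service Netlogon
Start-Sleep -Seconds 5

# 5. Ask DNS directly (hosts file bypassed) for the DC's A records and compare them.
$aRecords = Resolve-DnsName -Name $DcFqdn -Type A -DnsOnly -NoHostsFile -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' }
$registered = @($aRecords | Select-Object -ExpandProperty IP4Address)
if ($registered.Count -gt 1 -and @($localIps).Count -eq 1) {
    Write-Warning "Multiple A records for ${DcFqdn}: $($registered -join ', '); delete the stale one in the DNS console."
}
$stale = $registered | Where-Object { $localIps -notcontains $_ }
if ($stale) {
    Write-Warning "A record(s) with an address this DC does not own: $($stale -join ', ')"
} else {
    Write-Host "A record(s) for $DcFqdn match this DC: $($registered -join ', ')"
}
```

The `-DnsOnly -NoHostsFile` switches matter here: the whole point of the question is that a hosts-file entry was hiding the DNS state, so the check has to go to the server rather than the local resolver.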
Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

 
TacomaVAAuthor Commented:
1)I have two NICs in the machine, but one of those is disabled.

2)In the forward lookup zone, I have a host record and a name server record for the DC with correct IP address.  I also have a host record and name server record for a machine that used to be a SDC, based on information I have here.  

Should I delete the SDC host and name server records?
0
 
bluntTonyCommented:
What does an nslookup test yield? Run the following command:
nslookup dc.domain.local
(where dc.domain.local is the FQDN of your current DC). Do you get a correct response back? What if you run the same test on a non-domain computer, using the DC for DNS?
With regards to the records for the old DC, yes, I would remove them, but I'm not sure if these would be the cause of your problems.
It may be worth running a metadata cleanup to remove any traces of the old server, just in case other remnants of it were left over: http://www.petri.co.il/delete_failed_dcs_from_ad.htm. Like I say, though, I'm not sure this will solve your problem but worth doing anyway.
0
 
TacomaVAAuthor Commented:
On the DC and a non-domain computer, I get a response after using the nslookup command.
The server is listed and the IP address is listed.  Then a message appears that says "DNS request timed out.  timeout was 2 seconds"
0
 
bluntTonyCommented:
Sorry, I meant to run the command on a workstation on the domain, and a workstation not on the domain, each time trying to resolve the name of the DC. Could you post the results of both of these tests? It sounds like nslookup's initial reverse lookup is successful, but the actual query is timing out.
Can you successfully perform an nslookup test for another server/workstation in your domain? Does this name resolve to the correct IP address?
Also ensure that windows firewall is off on both the client you are trying to join and the DC. See if this helps.
Try deleting the A record for the DC,and then run the four commands I posted earlier to re-create it.
0
 
TacomaVAAuthor Commented:
Okay, I ran the NSLOOKUP command and here are the results:

1) Machine not on the domain.
Server name and IP address returned (both correct).
DNS request timed out.  timeout was 2 seconds.  (domain here) can't find (domain here): Server failed

2) Machine on the domain.
Server name and IP address returned (both correct).
DNS request timed out.  timeout was 2 seconds.  
0
 
Colin_A_MoulderCommented:
Can you do one thing as a test? Rename the hosts file so it cannot be used.
Make sure your DC DNS IP Is pointing to itself
Make sure your client DNS IP is the same as the DC
run from the command line on the DC 'stop netlogon' and then 'start netlogon'
run the command line on the DC 'ipconfig/flushdns'
run the command line on the client 'ipconfig/flushdns'
Run NSLOOKUP from the command line *******NSLOOKUP only works properly with a reverse lookup zone******* Do you have one?
Now what happens?
 
0
 
MariusSunchaserCommented:
Hi there.
What do you have in the DNS field, TCP/IP properties on your DC?
I bet that's your problem :)
0
 
Colin_A_MoulderCommented:

run from the command line on the DC 'stop netlogon' and then 'start netlogon' SHOULD BE
run from the command line on the DC 'net stop netlogon' and then 'net start netlogon'
APOLOGIES
0
 
bluntTonyCommented:
OK, that shows that the forward lookup is timing out for some reason.
Have you tried the four commands on the DC after deleting the host (a) record from DNS as I suggested earlier?
Have you also tried to resolve another DNS name (a workstation for example)? Have you also checked the windows firewall on both machines?
Colin - NSLOOKUP does work without a reverse lookup. The only thing that fails without one is the initial attempt to resolve the specified primary DNS server's IP address to a name, but this is inconsequential. The actual forward lookup query you give the command will resolve without one.
0
 
Colin_A_MoulderCommented:
bluntTony -
Colin - NSLOOKUP does work without a reverse lookup. The only thing that fails without one is the initial attempt to resolve the specified primary DNS server's IP address to a name, but this is inconsequential. The actual forward lookup query you give the command will resolve without one.
My mistake for not being succinct. Without a reverse zone NSLOOKUP throws an error at the end of the first output, and can give an inexperienced person the feeling there is something wrong. By having a reverse zone configured, it just eliminates erroneous error messages.
 
0
 
bluntTonyCommented:
No worries - just wanted to clarify. Although it looks like there must be a reverse lookup, as the DNS server IP address is apparently resolving to a name according to TacomaVA. The strange thing is that this is resolving, but then the subsequent forward lookup is timing out.
0
 
Colin_A_MoulderCommented:
As I said before, to stop any erroneous entries, rename the hosts file.
Then point DC to itself and clients to DC.
Go to DNS Advanced settings and configure DNS as the pic, replacing my domain with yours.
Send back results.

dns-settings.bmp
0
 
TacomaVAAuthor Commented:
Okay here's my update, sorry it is late.

1)Windows firewall was off each time.

2)I attempted to use the NSLOOKUP command from the DC and I used the name of a workstation.  I got a return that said "non existent domain."  I double checked my workstation name and then I went into the DNS and noticed that my workstation did not have a host record listed.  

Is my issue that my workstations are not registering within the DNS forward lookup zone?

0
 
TacomaVAAuthor Commented:
Okay this is getting strange.

I took a workstation, removed it from the domain, and the hosts file was clear.  The only entry in the hosts file was for the local IP.  I opened my DNS, there was no host record for this workstation's IP address.  I rebooted and added the workstation to the domain and it was added successfully with no error!!!  I then opened my DNS console, refreshed, and a host record for the workstation is not listed.  Any ideas?  Do I need to just manually add a host record for the workstation?
0
 
ChiefITCommented:
Check aging and scavenging.
0
 
bluntTonyCommented:
A DNS entry for the workstation being missing sounds like a symptom of the same problem, although this in itself would not stop you joining a domain.
Sometimes the host record for a machine does not immediately appear in DNS. Try manually registering by running 'ipconfig -registerdns' on the client.
Have you tried deleting the host record for the DC then running the four commands I posted? Just to eliminate issues, run the metadata cleanup as in the article I linked earlier, and remove any DNS records relating to the old DC.
Also, as ChiefIT has mentioned, do you have aging/scavenging enabled on the DNS server? If so, what period is being used?
0
 
TacomaVAAuthor Commented:
I'll try deleting the host record for the DC and running the four commands in just a bit.  I did try the "ipconfig -registerdns" on the workstation, but that did not register it into the DNS.  Any ideas on that one?
0
 
TacomaVAAuthor Commented:
No aging/scavenging enabled on the DNS server.
0
 
Colin_A_MoulderCommented:
Can you load some screenshots of your cmd line and DNS settings?
0
 
bluntTonyCommented:
Do you have DHCP handing out IP addresses? If so, what other options are you pushing out? Any DNS suffix settings? Could you possibly post the results of an ipconfig -all from a workstation on the domain, one not on the domain, and from the DC/DNS server? (change anything publicly sensitive...)
0
 
ChiefITCommented:
I was watching Chris Dent on something like this because I had a similar problem where HOST A records would just disappear.

If you have a server to replicate your DNS settings with, you may have "lingering objects" and your replication set is a little confused.

http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24265262.html
__________________________________________________________
My problem is I attempted to prevent the DHCP server from dynamically updating DNS and make that the responsibility of the clients.

"How to perform Dynamic DNS registration" ((Also by Chris Dent)).  Hey what can I say, He's awesome at DNS.
http://www.experts-exchange.com/articles/Networking/Protocols/DNS/MS-DNS-Dynamic-Record-Registration.html
________________________________________________________
I also heard that you can deny NON-encrypted DNS registration and only allow encrypted registration. I haven't really looked into this. I stuck with the defaults of setting up DNS.
0
 
TacomaVAAuthor Commented:
Thank you everyone for helping, I know it's not easy solving these issues over the web.

No DHCP is running.

Attached are my files - OnDomain (ipconfig /all for workstation on domain), DC (ipconfig /all for DC/DNS and I blacked out the host name), OffDomain (ipconfig /all for off domain PC and I blacked out the host name).

OnDomain.JPG
DC.JPG
OffDomain.JPG
0
 
bluntTonyCommented:
OK, it all looks in order.
Just to sum up (if only for me!) you've got three problems (or symptoms) really:
1. When joining a domain, the initial SRV query for the DC returns OK, but then the query for the Host (A) for the same DC fails, even though the record exists in DNS. Adding a record to the Hosts file resolves this problem.
2. When performing an nslookup test for the DC's host record, the request times out. It doesn't return false, it actually times out. But the reverse lookup to find the name of the DNS server is successful.
3. When you do manage to join a machine to the domain, it fails to dynamically update DNS. You're not using DHCP so the client is attempting to do this directly.
Looking at this logically, it looks like the issue is with your main forward lookup zone, as an SRV and PTR query are successful (both different zones). It's like you are being refused permission to read/write to the zone data.
I would check the links provided by ChiefIT. When you said that when you check DNS after removing a machine from the domain, and the Host record for it wasn't there, had you checked that it was there before disjoining? If not, I think that maybe it never was in the first place.
Stab in the dark here, but try checking the security permissions for the Host (A) record for the DC (how to here: http://technet.microsoft.com/en-us/library/cc759029(WS.10).aspx). Authenticated Users and Everyone should have at least Read permissions.
Here is a table showing what the default permissions for a resource record should be: http://technet.microsoft.com/en-us/library/cc758380(WS.10).aspx
I'm leaving the office now but will have a think and get back to you...
0
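The three symptoms in the summary above map to three queries a client makes during a domain join (SRV locator, A record of the DC, PTR of the DNS server) plus the client's own dynamic registration. The script below runs them from a workstation and reports timeout versus "not found" for each, and it also flags a hosts-file entry that would mask the DC's A record. This is an added example, not code from the thread; it assumes a client with the DnsClient PowerShell module (Windows 8 / Server 2012 or later), and `domain.local` and `dc.domain.local` are placeholders for your domain and DC names.

```powershell
# Added example (not from the thread). Run on a workstation that has trouble joining.
# Assumes the DnsClient module; $Domain and $DcFqdn are placeholders to replace.
param(
    [string]$Domain = "domain.local",
    [string]$DcFqdn = "dc.domain.local"
)

# The first configured IPv4 DNS server: in this thread that should be the DC itself.
$server = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } | Select-Object -First 1).ServerAddresses[0]
Write-Host "Querying DNS server $server"

# A hosts-file entry for the DC hides a broken A record from the join wizard; report it.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$shortName = [regex]::Escape($DcFqdn.Split('.')[0])
$masked = Get-Content $hostsPath |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match "\b$shortName\b" }
if ($masked) { Write-Warning "hosts file overrides the DC name:`n$($masked -join "`n")" }

function Test-Lookup {
    param([string]$Name, [string]$Type)
    # -DnsOnly -NoHostsFile sends a real query to $server, like the nslookup tests in the thread.
    try {
        $r = Resolve-DnsName -Name $Name -Type $Type -Server $server -DnsOnly -NoHostsFile -ErrorAction Stop
        $answers = $r | ForEach-Object {
            switch ($_.Type) {
                'A'     { $_.IP4Address }
                'SRV'   { $_.NameTarget }
                'PTR'   { $_.NameHost }
                default { $_.Name }
            }
        }
        "{0,-4} {1,-45} OK   -> {2}" -f $Type, $Name, ($answers -join ', ')
    } catch {
        # The message separates a timeout (the thread's symptom) from "name does not exist".
        "{0,-4} {1,-45} FAIL -> {2}" -f $Type, $Name, $_.Exception.Message
    }
}

# The three queries from the summary, in order: locator SRV, DC host record, reverse of the server.
Test-Lookup -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV
Test-Lookup -Name $DcFqdn -Type A
Test-Lookup -Name $server -Type PTR

# Dynamic registration test: register, wait, then ask the server for this machine's own A record.
Register-DnsClient
Start-Sleep -Seconds 10
Test-Lookup -Name "$env:COMPUTERNAME.$Domain" -Type A
```

If SRV and PTR succeed while the A query and the self-registration both fail against the same server, the problem is confined to the forward lookup zone, which is the conclusion the summary draws; if the hosts-file warning fires, rename or clean the file before trusting any result from the join wizard.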
 
TacomaVAAuthor Commented:
I checked the security permissions for the host record for the DC and found something interesting.  Everyone is listed and the read box is checked.  However, under security for the DC host record, I do not have Authenticated Users listed.  Should I add it?

Now if I view properties on the Name Server or Start of Auth... entries and then click on the security tab, I have everyone and Authenticated Users listed.  Everyone has read checked and Authenticated Users has "Create all Child Objects" checked.  What should I do here?

Also, I'm including a screenshot of my DNS window.  If you view it, under my forward lookup zones, you'll see domaindnszones.xxxx and forestdnszones.xxxx.  I have one of those selections highlighted and as you see on the right, there are three entries.  It looks the same if you select forestdnszones.  Can I delete domaindnszones and forestdnszones?  I only have one domain, no child domains.
DNS.gif
0
 
ChiefITCommented:
Where is your MSDCS folder that holds your DNS SRV records? Is it within the forward lookup zone?

So try this:

go to the command prompt and type

Netdiag /fix

0