DNS and active directory

Discussion in 'DNS Server' started by Jamie, Apr 18, 2006.

  1. Jamie

    Jamie Guest

    I have a server problem and I think it is DNS related.

    I can resolve external addresses, but I cannot resolve any internal
    computers on my network; I think this is a DNS misconfiguration.

    At one stage none of the network clients could see the DC as they could not
    resolve its network address.

    I am sure this is a simple fix, any ideas?

    Jamie, Apr 18, 2006

  2. Jamie

    Herb Martin Guest

    Yes, it is likely due to one of two VERY CLOSELY related
    client DNS configuration problems.

    On the CLIENT NIC->IP Properties you must use STRICTLY
    the (internal) DNS Server (set) which can resolve ALL internal,
    and external, names for the client.

    You must NOT mix the "external" DNS into those settings.

    DNS clients assumed that EVERY DNS server they use will
    return ALL (and correct) names they query.

    (Remember that DNS servers and DCs are also DNS clients
    Herb Martin, Apr 18, 2006

  3. Jamie

    Jamie Guest

    Thanks Herb,

    This was not the issue. I decided to start from scratch and delete the DNS
    configuration on the server; I then created the forward zone again and called
    it the same name as the domain name, and for some strange reason it started to
    work immediately. This is the 4th time I had followed this process; I do not
    know why it should start working?

    My concern is it happening again; we shall see.


    Jamie Campbell

    Jamie, Apr 18, 2006
  4. Jamie

    Herb Martin Guest

    What else WOULD you ever call it?

    While you can have a DNS zone with any name you
    please, you MUST have a DYNAMIC DNS zone for
    every Active Directory Domain.

    If you don't have AD, you must have the DNS domain
    name as a zone on your internal DNS servers that matches
    the DNS domain name your machines use.
    Likely this is happening through some accident, or
    by chance. Stop flailing. (It's flailing to make changes
    or do reinstalls, especially repetitively, without
    understanding the problem.)

    We WILL HELP you solve the real problem.

    I still STRONGLY suspect that your problem is a MIXTURE
    of internal AND EXTERNAL DNS on the client side.

    This can result in intermittently correct and incorrect resolution.

    Check the clients.

    If you have AD, run DCDiag on every DC.

    In any case, run NetDiag on each non-DC.

    Send the output to text files (>name.txt) and search the file(s)
    with a text editor to find FAIL, WARN, ERROR messages.

    Fix, or post those output files.

    Herb Martin, MCSE, MVP
    Accelerated MCSE
    [phone number on web site]
    Herb Martin, Apr 18, 2006
  5. sortta just nodding to Herb

    All members of an Active Directory (including the DC's themselves) should
    look _only_ to AD Integrated DNS servers for name resolution. The AD
    integrated servers can then use either 'root hints' or 'forwarders' to
    satisfy name resolution outside the AD.
    Give us the output of 'ipconfig /all > c:\ipconfig.txt' from the DC's, DNS
    servers and one affected workstation. If you feel you have to munge them, do
    so in a consistent manner.

    SuperGumby [SBS MVP], Apr 18, 2006
  6. Jamie

    Herb Martin Guest

    The above is a LITTLE too strong but the main idea is

    Technically, DNS Clients can use ANY DNS server (set)
    which can return EVERY address they will ever need.

    For most people this comes out as stated above, i.e., the
    internal DNS Clients must use the DNS servers which
    hold the zone which supports the AD Domain (not that it
    must be AD Integrated either).

    This latter paragraph is commonly true, but it is NOT the
    Please try to avoid retyping or editing them. If you really
    feel you must not post them then send them to one or two of
    us by email.

    It's really hard to figure out what is wrong after most people
    go in and pull out what THEY think is irrelevant. (Usually if
    they knew what was critical they would have fixed it already.)

    Herb Martin, MCSE, MVP
    Accelerated MCSE
    [phone number on web site]
    Herb Martin, Apr 18, 2006
  7. I have a similar problem and I am sure it is DNS related.

    I have two W2K3 domains (Domain A & Domain B). Both domains are running DNS
    and each DNS has the other domain in its DNS as a forward lookup zone. From
    Domain B I can go to Domain A and traverse through the domain, looking at the
    machines/servers listed there. The same is true from Domain A to B except for
    3 W2K3 servers that were added to the domain last week. I can go to Domain A
    from Domain B and see the new servers however when I click on the server I
    receive the following error: "\\Servername is not accessible. You might not
    have permission to use this network resource. The network path is not found."

    From the new servers in Domain A, if I try to access Domain B, I receive the
    following error: "Domain is not accessible. You might not have permission to
    use this network resource. The list of servers for this workgroup is not
    currently available."

    TCP/IP configuration on the new servers is static. DNS server is set to
    the IP Address of the DC in Domain A (where the servers are).

    Any suggestions on what could be wrong?

    Last week, some new servers were added to Domain A

    Rachel L Chipman, Apr 18, 2006
  8. Jamie

    Herb Martin Guest


    Do NOT do that. You cannot (reliably) set two DNS servers
    to forward to each other -- they will create an infinite loop
    and cause problems for the DNS service.

    One can forward to the other, but you must hold a "cross
    secondary" or use something like CONDITIONAL forwarding
    to prevent infinite forwarding loops.
    Normally a DNS server should be set to use itself first
    (as a DNS Client).

    BUT every DNS CLIENT (whether a DC, DNS server, or
    ordinary DNS client) MUST use STRICTLY a DNS server
    (set) that is able to resolve EVERY request that client will
    ever make.

    DNS Clients (includes DCs and DNS Servers) must NEVER
    be configured to a mixture of DIFFERENT DNS servers
    (i.e., that might return different answers.)
    First fix the loop.
    Then check the following:

    DNS for AD
    1) Dynamic for the zone supporting AD
    2) All internal DNS clients NIC\IP properties must specify SOLELY
    that internal, dynamic DNS server (set.)
    3) DCs and even DNS servers are DNS clients too -- see #2
    4) If you have more than one Domain, every DNS server must
    be able to resolve ALL domains (either directly or indirectly)

    netdiag /fix

    ....or maybe:

    dcdiag /fix

    (Win2003 can do this from Support tools):
    nltest /dsregdns /server:DC-ServerNameGoesHere

    Ensure that DNS zones/domains are fully replicated to all DNS
    servers for that (internal) zone/domain.

    Also useful may be running DCDiag on each DC, sending the
    output to a text file, and searching for FAIL, ERROR, WARN.

    Single Label domain zone names are a problem. Google:
    [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]

    Herb Martin, MCSE, MVP
    Accelerated MCSE
    [phone number on web site]
    Herb Martin, Apr 18, 2006
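Posts 4 and 8 both say the same thing: send DCDiag/NetDiag output to a text file and search it for FAIL, WARN and ERROR. The scanner below is an added example, not code from the thread or from Microsoft's tools, written in Python so it runs anywhere the saved text files end up. The sample output is constructed to look roughly like DCDiag output; real files differ in detail, so the scanner keys on the three words the posts tell you to search for rather than on exact layout.

```python
"""Scan saved DCDiag/NetDiag output for FAIL / WARN / ERROR lines.

Added example (not from the thread).  SAMPLE_OUTPUT below is constructed;
real DCDiag/NetDiag output will differ, so matching is by keyword only.
"""
import re
from collections import Counter

# Match the keyword as a word prefix, case-insensitively:
# "failed", "Failure", "Warning:", "An Error Event", "ERROR".
PATTERN = re.compile(r"\b(FAIL|WARN|ERROR)", re.IGNORECASE)

# Constructed sample, saved the way post 4 suggests: dcdiag > dcdiag.txt
SAMPLE_OUTPUT = """\
Domain Controller Diagnosis
Testing server: Default-First-Site-Name\\DC1
   Starting test: Connectivity
      ......................... DC1 passed test Connectivity
   Starting test: Replications
      [Replications Check,DC1] A recent replication attempt failed:
         From DC2 to DC1
      ......................... DC1 failed test Replications
   Starting test: SystemLog
      An Error Event occured.  EventID: 0x0000165B
      ......................... DC1 failed test SystemLog
   Starting test: Services
      Warning: DC1 is not advertising as a time server.
      ......................... DC1 passed test Services
"""


def find_problems(text):
    """Return (line_number, KEYWORD, stripped line) for every matching line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PATTERN.search(line)
        if m:
            hits.append((lineno, m.group(1).upper(), line.strip()))
    return hits


def failed_tests(text):
    """Names of tests reported as 'failed test <Name>' (DCDiag-style line)."""
    return re.findall(r"failed test (\S+)", text)


def summarize(text):
    """Hit count per keyword, e.g. Counter({'FAIL': 3, 'ERROR': 1, 'WARN': 1})."""
    return Counter(kw for _, kw, _ in find_problems(text))


def scan_file(path):
    """Scan a saved output file; tolerate the OEM code page cmd.exe writes."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_problems(fh.read())


if __name__ == "__main__":
    for lineno, kw, line in find_problems(SAMPLE_OUTPUT):
        print(f"{lineno:4d} {kw:5s} {line}")
    print("failed tests:", failed_tests(SAMPLE_OUTPUT))
    print("summary:", dict(summarize(SAMPLE_OUTPUT)))
```

Run it against a real file with `scan_file(r"c:\dcdiag.txt")`; the line numbers let you jump straight to the failing test in the editor, and `failed_tests` gives the short list to post back to the thread.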
  9. I did not create these zones in DNS. They showed up on their own. How can
    I tell if a zone is primary, secondary or stub? What is the difference
    between secondary and stub?
    How can I ensure that my DNS zones/domains are fully replicated to all DNS
    servers for the zone/domain?
    Rachel L Chipman, Apr 19, 2006
  10. Jamie

    Herb Martin Guest

    The serious issue is NOT the zones, but having DNS servers
    mutually forward to EACH OTHER:

    DNS1->DNS2->DNS1->infinite (until they crash or give errors)
    Look on the zone properties in the MMC (right click on zone);
    the zone type is on the main dialog page (leftmost).
    Stubs are only relevant to LARGE zones -- stubs are like
    secondaries that do NOT contain all of the records. They
    ONLY contain enough to FIND the real DNS servers for
    that zone (SOA, NS records, and associated A records.)

    Just make sure you don't forward to a DNS server that
    forwards to you.

    Herb Martin, MCSE, MVP
    Accelerated MCSE
    [phone number on web site]
    Herb Martin, Apr 19, 2006
  11. When you say this "make sure you don't forward to a DNS server that forwards
    to you", are you referring to not setting up forwarders on each DNS server?

    Or does this have to do with replication of the zones?
    Rachel L Chipman, Apr 19, 2006
  12. Jamie

    Herb Martin Guest

    Not precisely. You can certainly setup every DNS
    server to forward to another (eventually to the Internet
    DNS servers) but you must NOT set ANY TWO (or
    more) to forward in a circle:

    If you set them up to forward to each other (in a circle)
    how would they ever STOP such forwarding when the
    answer is not found?

    Forwarding has nothing to do with zones held on a DNS

    Each Zone has a Primary and (usually) some optional

    In Windows, the SINGLE Primary for A zone can have
    a "set of AD Integrated DNS servers" instead. "Set"
    means one OR MORE (usually more.)

    The AD Integrated DNS Server (set) takes the place of
    the single Primary from traditional DNS and can still
    have ordinary secondaries but there is usually no reason
    to do that.

    If you have more than one Zone, all of the above is repeated
    for EVERY Zone. Primary (or AD-set) with optional
    secondaries for every zone.

    Herb Martin, MCSE, MVP
    Accelerated MCSE
    [phone number on web site]

    Herb Martin, Apr 19, 2006
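Posts 8, 10 and 12 describe three distinct faults: two servers forwarding to each other (DNS1->DNS2->DNS1), an internal server that cannot resolve every internal domain directly or indirectly (checklist item 4), and a client whose NIC->IP DNS list mixes internal and external servers (posts 2, 6 and checklist items 2 and 3). The checker below is an added example, not from the thread, that models a forwarder/client layout as a small graph and reports all three. Both topologies and all server, zone and client names are constructed placeholders (Rachel's real domain names are deliberately not used); the "fixed" layout is the cross-secondary arrangement Herb suggests, every internal server holding a copy of every internal zone and forwarding only outward.

```python
"""Audit a DNS forwarder/client layout for forwarding circles, unreachable
internal zones, and clients that mix internal and external DNS servers.

Added example, not from the thread.  Topologies and names are constructed.
"""

# Constructed "before" layout: Domain A and Domain B forward to each other
# (the circle from post 10) and a third server forwards only to the ISP.
# "internal" marks servers meant to serve the AD clients.
SERVERS_BROKEN = {
    "dns-a":   {"internal": True,  "zones": {"domaina.example"}, "forwarders": ["dns-b"]},
    "dns-b":   {"internal": True,  "zones": {"domainb.example"}, "forwarders": ["dns-a"]},
    "dns-c":   {"internal": True,  "zones": {"domainc.example"}, "forwarders": ["isp-dns"]},
    "isp-dns": {"internal": False, "zones": set(),               "forwarders": []},
}

# Constructed "after" layout: every internal server holds every internal zone
# (cross secondaries or an AD-integrated set) and forwards only to the ISP.
ALL_INTERNAL = {"domaina.example", "domainb.example", "domainc.example"}
SERVERS_FIXED = {
    "dns-a":   {"internal": True,  "zones": set(ALL_INTERNAL), "forwarders": ["isp-dns"]},
    "dns-b":   {"internal": True,  "zones": set(ALL_INTERNAL), "forwarders": ["isp-dns"]},
    "dns-c":   {"internal": True,  "zones": set(ALL_INTERNAL), "forwarders": ["isp-dns"]},
    "isp-dns": {"internal": False, "zones": set(),             "forwarders": []},
}

# Constructed client NIC->IP DNS server lists.
CLIENTS = {
    "ws1":  ["dns-a", "dns-b"],
    "ws2":  ["dns-a", "isp-dns"],   # mixes internal and external: the classic mistake
    "dc-b": ["dns-b"],              # a DC is a DNS client too (checklist item 3)
}


def forwarding_cycles(servers):
    """Return each forwarding circle once, as the list of servers in it."""
    cycles = []

    def walk(node, path):
        if node in path:                       # back on a server already on the path
            cycle = path[path.index(node):]
            if set(cycle) not in [set(c) for c in cycles]:
                cycles.append(cycle)
            return
        for nxt in servers[node]["forwarders"]:
            walk(nxt, path + [node])

    for name in servers:
        walk(name, [])
    return cycles


def resolvable_zones(servers, name):
    """Zones a server answers itself or via its forwarder chain (cycle-safe walk)."""
    seen, stack, zones = set(), [name], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        zones |= servers[node]["zones"]
        stack.extend(servers[node]["forwarders"])
    return zones


def server_gaps(servers, internal_zones):
    """Internal servers that can never resolve some internal zone -> missing zones."""
    gaps = {}
    for name, cfg in servers.items():
        if cfg["internal"]:
            missing = internal_zones - resolvable_zones(servers, name)
            if missing:
                gaps[name] = missing
    return gaps


def client_problems(clients, servers, internal_zones):
    """Clients whose DNS list is not STRICTLY internal servers that resolve
    every internal zone -> the offending servers in that list."""
    problems = {}
    for client, dns_list in clients.items():
        bad = [s for s in dns_list
               if not servers[s]["internal"]
               or internal_zones - resolvable_zones(servers, s)]
        if bad:
            problems[client] = bad
    return problems


def audit(servers, clients, internal_zones):
    """All three checks in one report."""
    return {
        "cycles": forwarding_cycles(servers),
        "server_gaps": server_gaps(servers, internal_zones),
        "client_problems": client_problems(clients, servers, internal_zones),
    }


if __name__ == "__main__":
    for label, layout in (("broken", SERVERS_BROKEN), ("fixed", SERVERS_FIXED)):
        print(label, audit(layout, CLIENTS, ALL_INTERNAL))
```

On the broken layout the audit reports the dns-a/dns-b circle, that dns-a and dns-b can never reach domainc.example and dns-c can never reach the other two, and that every client is affected. On the fixed layout only ws2 remains, flagged for the external isp-dns in its list; that is exactly the client-side mixture Herb keeps pointing at, and it survives any amount of server-side repair until the client NIC settings are changed.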
  13. Jamie

    Herb Martin Guest

    Which is the reason that I have explained each time what
    I meant by this.

    Possibly you are correct that this is not what she meant:
    Herb Martin, Apr 20, 2006
  14. It does make sense that you certainly don't want to set them up to forward to
    each other thus creating a circle. Currently, I do not have zone transfers
    or forwarding setup on the zones.

    Here's something I came across when I restarted my DNS Server service on my
    DNS servers (currently one in each domain, currently have three domains).
    Error 4515 which says the following:
    The zone hbrsag.hbr-inc.com was previously loaded from the directory
    partition DomainDnsZones.hbrapp.hbr-inc.com but another copy of the zone has
    been found in directory partition ForestDnsZones.hbrapp.hbr-inc.com. The DNS
    Server will ignore this new copy of the zone. Please resolve this conflict as
    soon as possible.

    If an administrator has moved this zone from one directory partition to
    another this may be a harmless transient condition. In this case, no action
    is necessary. The deletion of the original copy of the zone should soon
    replicate to this server.

    If there are two copies of this zone in two different directory partitions
    but this is not a transient caused by a zone move operation then one of these
    copies should be deleted as soon as possible to resolve this conflict.

    To change the replication scope of an application directory partition
    containing DNS zones and for more details on storing DNS zones in the
    application directory partitions, please see Help and Support.

    For more information, see Help and Support Center at

    I found article 867464 and ran the adsiedit.msc utility but am not certain
    how to fix this. I am a little leery of deleting a zone but by the sounds of
    the article, that's what needs to happen to resolve the conflict. How do I
    know for certain what to delete? I realize this is probably a "HUGE"
    open-ended question. I appreciate any direction you can give. Thanks.

    Rachel L Chipman, Apr 20, 2006
  15. Simon -

    I really appreciate the information.
    Let's see if I can explain my "problem".

    When I run the ADSIEDIT.MSC tool on my root W2K3 domain (which is also a DNS
    server), I see both FORESTDNSZONES and DOMAINDNSZONES under the MicrosoftDNS.
    In both zones, my other two w2k3 DNS servers are listed so I am guessing
    that is where the conflict is because I would guess they should only be
    listed in ONE of the two zones.

    Now my question is this. How do I know which one to delete? The Replication
    on my Root domain dns server is set to replicate to "All DNS servers in the
    Active Directory forest". The replication for the particular domain's zone
    on one of the other DNS servers is set to replicate to "all DNS servers in
    the Active Directory forest". Same is true for my third DNS server. These
    SHOULD be set to replicate to the forest so that the updates for each zone
    can be replicated to the other DNS servers in the forest? If they aren't,
    then the DNS information in these zones will not be in the other zones.

    I do not want to cause a DNS loop as Herb was describing.

    I sure hope this makes some sense.....


    Rachel L Chipman, Apr 26, 2006