Trying all News Groups - Windows 2003 DNS Help

Discussion in 'DNS Server' started by Pikk, Nov 25, 2004.

  1. Pikk

    Pikk Guest

    I've recently upgraded our company domain server to 2003 server and use
    this for DNS as well. Prior to this, we ran NT 4. Now several of us have
    laptops (including myself) and home wireless/wired networks. All of which
    worked flawlessly before the server upgrade. Now...when myself or others try
    to connect to their home workgroups (to XP or Win2k boxes), we're getting
    the error. "There are no logon servers available to service the logon
    request". This happens whether I try to connect to a Win2K box or an XP box.
    Both machines are on a wired/wireless b network using a Linksys Broadband
    Router. Others that are having the same problem use Linksys as well as other
    brands...same problem occurs. I assume this is a DNS issue. Also worthy of
    noting is that we all run IpSec thru FreeSwan for our VPN and this of course
    works fine. In any event...I've tried everything to try and fix this and
    still no luck. (Netswitcher, separate HW profiles, etc.) I'm going a little
    nuts trying to resolve this. Strangely
    enough though...I used "Net Use" once and it did work for one of my machines
    but now...not anymore. Same error at the DOS prompt every time. Also worth
    noting is that our president can no longer use his VPN thru the wireless
    access zone at airport. This worked fine before the upgrade.

    Am I missing something??

    Please, need help! :(

    TIA,
    Pikk
     
    Pikk, Nov 25, 2004
    #1

  2. Pikk

    Sharad Naik Guest

    Just one of the possible reasons:

    On one of those WinXP OS laptops, run regedit and go to the following key:

    MyComputer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\DNSClient

    In this key do you find a value named "NameServer" with data pointing to
    the local IP address of the win 2003 server?

    If YES THEN:

    On win 2003 server, edit group policies and go to:
    Default DomainPolicy:
    Computer Configuration -> Administrative Templates->Network-> DNS Client->
    DNS Servers.
    Have you defined any DNS server in this settings?
    If yes, delete those and set this policy to 'Not Configured'.
    Then in command prompt run "gpupdate /force" (w/o quote marks)

    Then
    1. Either connect each of the laptops to your LAN and login to domain and run
    "gpupdate /force" on each of them.

    2. Or if the laptops are not in office:
    run regedit and go to following key:
    MyComputer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\DNSClient
    Find "NameServer" value and delete it completely. Just delete it nothing
    will go wrong.

    Try to connect to VPN / internet / workgroup from home.

    Sharad
     
    Sharad Naik, Nov 25, 2004
    #2

  3. Pikk

    Pikk Guest

    Sharad,

    Thanks for this info. Makes sense. I was wondering if there was a Reg
    entry that I could modify. I will try this tonight and let you know.

    Thanks again!

    Pikk
     
    Pikk, Nov 25, 2004
    #3
  4. Pikk

    Pikk Guest

    Actually...one other thing.

    I noted you wrote XP laptops. These are actually Windows 2000 Pro
    Laptops...not XP. My home network runs 2 XP Pro boxes.

    Pikk
     
    Pikk, Nov 25, 2004
    #4
  5. Pikk

    Sharad Naik Guest

    On win 2000 laptops also, the Registry path should be same. I am not sure
    though, don't have any win 2000 machine to check.
    In registry you can give search for the private IP address of the 2003 DNS
    server, and when found check if this
    data is under value 'NameServer'. If it is then this is the key you delete.

    Sharad
     
    Sharad Naik, Nov 26, 2004
    #5
  6. Pikk

    Pikk Guest

    Hey Sharad,

    Thanks for following up on this with me. I will check this for sure. One
    thing I noted is that when I logon to my laptop, Locally (admin account)...I
    can see my home network just fine. I guess because I'm not using the Domain
    login...certain stuff is not being loaded. Also, I'm wondering if there is
    something I can do with DNS on my 2003 Server here that would enable users
    to see their home networks when VPN'd into the network? Any ideas?

    Thanks again!!

    P'
     
    Pikk, Nov 26, 2004
    #6
  7. Pikk

    Pikk Guest

    OK, I found the settings. They're located in the CurrentControlSet keys. I
    included the full key names below. These keys contain DHCP as well as
    NameServer info.

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{70E249E5-59DD-4770-B4EA-0BE120E27199}

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{70E249E5-59DD-4770-B4EA-0BE120E27199}

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{70E249E5-59DD-4770-B4EA-0BE120E27199}

    Do you think it's safe to delete the NameServer info?

    Pikk
     
    Pikk, Nov 26, 2004
    #7
  8. Pikk

    Sharad Naik Guest

    This is not the registry path I was talking about.
    It should be under policies.
    Try the same registry path I told earlier. Do you find NameServer there?
    If yes delete it.

    Did you also check the policies on win 2003 server as I told?
    IS DNS Server Specified there? If you have checked this and
    DNS Server is not specified in the policies path I mentioned, then
    please ignore my posts completely, as I said in the first post, this could
    be just one of the possibilities.

    By the way, you can delete the NameServer value in the registry path you
    mentioned
    below. It won't make any harm. At the same time I am not sure if it will
    make any good
    or not. You can surely try it, without any harm.

    Sharad
     
    Sharad Naik, Nov 26, 2004
    #8
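
The two registry locations discussed in posts #2 to #8, checked side by side. This is an added example, not code from the thread; it assumes a current Windows client with PowerShell 3.0 or later, and relies on the documented behaviour that the Group Policy "DNS Servers" setting supersedes locally configured and DHCP-assigned servers. On disk the policy key is spelled `Windows NT` with a space.

```powershell
# Added example: show which registry location supplies this client's DNS servers.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$ifRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Value written by the "DNS Servers" Group Policy setting, if that policy is enabled.
$policyDns = Get-RegValue -Path $policyKey -Name 'NameServer'
if ($policyDns) {
    Write-Host "Policy NameServer is set: $policyDns (applies on every network)"
} else {
    Write-Host 'Policy NameServer is not set; per-interface settings apply.'
}

# Per-adapter values: NameServer is the static entry, DhcpNameServer the leased one.
Get-ChildItem -Path $ifRoot | ForEach-Object {
    $static = Get-RegValue -Path $_.PSPath -Name 'NameServer'
    $dhcp   = Get-RegValue -Path $_.PSPath -Name 'DhcpNameServer'
    if ($static -or $dhcp) {
        [pscustomobject]@{
            Interface = $_.PSChildName
            Static    = $static
            Dhcp      = $dhcp
            InEffect  = if ($policyDns) { "policy: $policyDns" }
                        elseif ($static) { $static }
                        else { $dhcp }
        }
    }
}
```

A laptop that reports a policy value pointing at the office DNS server will keep querying that server from a home network, which is the condition post #2 asks about.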
  9. Pikk

    Pikk Guest

    Sharad

    The only key I find in the registry pertaining to what you said in your
    first email is this one. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft and
    unfortunately...it doesn't have any NameServer listing. I will check the
    group policy thing now and get back to you shortly.

    Thanks!!

     
    Pikk, Nov 26, 2004
    #9
  10. Pikk

    Sharad Naik Guest

    Hello pikk
    If the path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WinNT\DNSClient
    doesn't have value 'NameServer' then there is no need to check the group
    policy on the server.
    If the policy I told was enabled with DNS servers entered, you would have
    found the value in
    registry on each computer.

    So I guess your problem is different, and unfortunately I don't have
    further clues.
    Best luck, and hope someone else will follow this thread and will help you.

    Sharad

     
    Sharad Naik, Nov 26, 2004
    #10
  11. In
    Is NetBIOS over TCP/IP enabled on all internal Adapters?

    Are you using WINS?

    Are all clients using only the internal DNS server for the AD domain?

    Since you have VPN clients, is your internal AD domain name the same as your
    public domain name?
    This causes problems with VPN client because they can see the public domain
    before you connect the VPN and causes connection problems to the internal
    namespace once connected.


    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Nov 26, 2004
    #11
  12. Pikk

    Pikk Guest

    Hi Kevin

    Thanks for the reply. Actually...the VPN is not the biggest issue
    because it works fine in most places. For example...from home, the VPN is
    fine but from the Bell AccessZone at our Intnl Airport...it doesn't work
    anymore. It's kind of funny cuz most of the time VPN works like a champ. The
    main issue is the home networking thing. The Login server error messages are
    frustrating us. Obviously, I'd love to have the Access Zone thing fixed too
    but...

    As for the names...our AD Domain contains the public name but it's not
    exactly the same, no. Our internal domain is hq.mydomain.com and our
    external (public) domain is mydomain. The VPN itself uses the
    username.mydomain.com...I think.

    Thnx

    P
     
    Pikk, Nov 26, 2004
    #12
  13. In
    VPN access and AD can be tricky sometimes. The important thing is to
    remember, as everyone else is indicating, the client machine ONLY uses the
    internal DNS or it will not be able to find anything in regards to the
    internal domain.

    For the VPN clients, ensure they are using the internal network's DNS and
    not the ISP's. Make sure the VPN client is the default network connection
    when it's connected.

    You can also create entries in your HOSTS files for the internal domain
    controllers.

    As for the airport thing, your VPN may be using L2TP/IPSec, and the airport
    may be using NAT that doesn't support IPSec, so the VPN can't be
    established. NAT and PPTP works fine, which is what you were probably using
    prior to your new installation.


    --
    Regards,
    Ace

    G O E A G L E S !!!
    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services

    Security Is Like An Onion, It Has Layers
    HAM AND EGGS: A day's work for a chicken;
    A lifetime commitment for a pig.
     
    Ace Fekay [MVP], Nov 26, 2004
    #13
  14. Pikk

    Pikk Guest

    Ace,

    Interesting point regarding the NAT and IPSec. However, our VPN has not
    changed at all in years. The only change was to the server. Our VPN is
    FreeSwan on a Redhat box. Does this make sense? Also worthy of noting...I
    found a strange entry in my DNS Forward Lookup configuration. I can try to
    explain. Under the FLZ' I have the _msdcs.hq.mydomain.com and another
    heading called just hq.mydomain.com. All the entries in there look normal
    except for the latter (hq....com) When I select hq.mydomain.com and then the
    _msdcs folder below it...the right hand pane shows a different server. it
    actually shows my NT BDC listed as bdc.hq.mydomain.com. I suspect this is
    not right. Can I remove this without causing problems?

    Thnx Ace

    P'
     
    Pikk, Nov 26, 2004
    #14
  15. In
    Actually you made a good choice for your AD domain name. All you need to do
    is have your public DNS admin add a delegation named 'hq' to the public zone
    and point the delegation to the internal DNS server and private address.
    This makes the delegation useless until the VPN is connected, so it does not
    cause a security issue.
    Verification of SJC-SP-DNS-01.supplier01-int.com:
    http://www.microsoft.com/windows200...enarios/scenarios/dns_vfy_sjcspdns01_01ic.asp

    As for the login server error I believe you will find this is a NetBIOS
    resolution issue with Network Places not being fully populated. Make sure
    all clients are configured to use WINS.


     
    Kevin D. Goodknecht Sr. [MVP], Nov 26, 2004
    #15
  16. In
    I am not familiar with that VPN. You will need to ask the vendor about its
    specifics and possibly how it will work with the airport's system. If the
    airport has initiated additional security measures, this may affect your VPN
    connectivity.

    As for the NT BDC entry, you can go ahead and delete it, and then run this
    at a command prompt from any one of the Win2003 domain controllers to
    register the correct records. Keep in mind, the DCs and all machines, must
    be only pointing to the internal DNS servers.
    ipconfig /registerdns
    net stop netlogon
    net start netlogon

    Then check your _msdcs zone again. If that name registers again, I may be
    leaning towards a problem with the upgrade where you may have possibly run
    an upgrade, but removed the machine without the references taken out of the
    AD database. Maybe you can comment on that a bit more. Were there any
    problems during your upgrade? Does the NT4 machine show up in Sites and
    Services as a server and are there replication partnership objects
    associated with it under its NTDS settings? Does it show up in the Domain
    Controllers OU?

    Ace
     
    Ace Fekay [MVP], Nov 29, 2004
    #16
  17. Pikk

    Pikk Guest

    Kevin

    What you're saying then is I should run WINS on my DC as well?

    P
     
    Pikk, Nov 29, 2004
    #17
  18. Pikk

    Pikk Guest

    One other thing....

    I'm not sure what you mean by having my public DNS admin add a delegation.
    Do you mean Network Solutions would do this in accordance with our Public
    Domain name? Or am I totally confused here? :)
     
    Pikk, Nov 29, 2004
    #18
  19. In
    Yes, you need WINS if you are using Network Places or mapping to only the
    NetBIOS name, i.e. \\server\share. If your mappings are to the FQDN of the
    server, i.e. \\server.hq.mydomain.com\share, WINS is not required unless you
    expect Network Places to work. Network Places uses the Computer Browser
    Service, which relies on NetBIOS broadcasts that don't cross routers, or
    WINS.

     
    Kevin D. Goodknecht Sr. [MVP], Nov 29, 2004
    #19
  20. In
    Yes, as it states in the article I posted, the delegation is added to the
    public zone and is to the internal name and IP of the internal DNS server.
    The delegation is useless unless the VPN is connected, once connected and
    authenticated DNS resolution is seamless to all VPN clients and internal
    clients.
    You should be able to add the delegation yourself, but if you have someone
    else do it give them the internal DNS server name and IP address. Some may
    balk at adding a private record to the public zone, but it is more secure
    than giving it a public address that is mapped to the internal DNS server
    because with a private record it won't work until the VPN is connected.
    Whereas if it has a public IP mapped to the internal DNS anyone could
    resolve names from the internal DNS server, even before the VPN is
    connected.


     
    Kevin D. Goodknecht Sr. [MVP], Nov 29, 2004
    #20
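
The comparison made in post #20, as an added example that is not part of the original thread: it classifies the address behind the `hq` delegation as private (RFC 1918) or public and reports who can reach the internal DNS server in each case. The host name `dc1` and both addresses are constructed placeholders; in practice the records would come from the public zone's own data.

```powershell
# Constructed sample: address (glue) records behind the 'hq' delegation in the
# public zone. Names and addresses are placeholders, not values from the thread.
$glue = @(
    [pscustomobject]@{ NameServer = 'dc1.hq.mydomain.com'; Address = '192.168.10.5' }
    [pscustomobject]@{ NameServer = 'dc1.hq.mydomain.com'; Address = '203.0.113.25' }
)

function Test-PrivateIPv4 {
    param([string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    # RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168)
}

foreach ($r in $glue) {
    $private = Test-PrivateIPv4 -Address $r.Address
    [pscustomobject]@{
        NameServer = $r.NameServer
        Address    = $r.Address
        # A private target is only routable once the VPN tunnel is up.
        Reachable  = if ($private) { 'only with the VPN connected' }
                     else { 'from the Internet' }
        Finding    = if ($private) { 'delegation as described in post #20' }
                     else { 'internal DNS server answers anyone' }
    }
}
```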