Troubleshooting DNS
A Records appear and disappear randomly
Can't logon or join the domain
Can't Find Server Name for Address 127.0.0.1 when running nslookup
Can't find server name for ....: No response from server - DNS Request Timed Out
Can't open an external website using the same network domain name
Common DNS settings mistakes
DNS issue with IP Filtering
"DNS name does not exist."
DNS on multihomed server
DNS for multiple subnets
DNS Request Timed Out
DNS Lookup Failed
DNS request time out - ip name lookup failed
DNS server can't access the Internet
How to register the DNS RR
How to reinstall the dynamic DNS in a Windows 2000 Active Directory
How to troubleshoot DNS problems
How can I verify a computer's DNS entries are correctly registered in DNS
How to add DNS and WINS into your Cisco VPN server
How does the internal DNS resolve Internet names without the ISP's DNS server
How to clear bad information in Active Directory-integrated DNS
How to ensure that DNS is registering the Active Directory DNS records
How to repair the DNS record registration
How to configure DNS Forwarders
How to fix DC's FQDN Does Not Match Domain Name
How to Rename the Hosts file
HOW TO: Set the Alternative DNS Server.. policies, script ?
How to setup two DNS servers in a domain network
Primary or Active Directory Integrated DNS
2nd DNS Issues
Some A Records don't appear in DNS
The DSA operation is unable to proceed because of a DNS lookup failure.
"The procedure entry point DsIsManagedDnW could not be located in the dynamic link library NTDSAPI.dll"
Troubleshooting the Domain Locator Process
Which DNS does a VPN client use
Which ports are used for DNS
Why do I have to point my domain controller to itself for DNS?
Why I can't perform external name resolution to the root hint servers on the Internet.
Why our web site doesn't work internally
A Records appear and disappear randomly
Cause: Your DNS zone is configured to query WINS (WINS forward lookup is enabled in the zone's properties).
Can't logon or join the domain
If DNS is not set up correctly on the domain controller, domain-wide issues such as replication failures between domain controllers can occur. If DNS is not set up correctly on the client, the client may experience many networking and Internet issues. Being unable to log on to the domain or join the domain from a workstation or server, and being unable to access the Internet, indicate that you may have DNS settings issues.
For consultants, refer to the domain issue page.
Can't open an external website using the same network domain name
Create a host (A) record named www in the internal zone that points to the web site's public IP.
Common DNS settings mistakes
1. The domain controller is not pointing to itself for DNS resolution on all network interfaces. Especially on a multihomed server, the WAN connection may be assigned 127.0.0.1 as its DNS IP.
2. The "." zone exists under Forward Lookup Zones in DNS.
3. The clients on the LAN do not point to the internal DNS server for DNS.
Can't find server name for ....: No response from server - DNS Request Timed Out
Symptom: When running nslookup, you may receive this message: Can't find server name for ....: No response from server
Cause: The DNS server's reverse lookup zone does not contain a PTR record for the DNS server's IP address. Refer to case 0204BL
Can't Find Server Name for Address 127.0.0.1 when running nslookup
Cause: You don't have a DNS server specified in your TCP/IP properties. If you have no DNS server configured on your client, nslookup defaults to the local loopback address.
DNS issue with IP Filtering
Symptoms: You have a Windows 2000 server running IIS for public access with 10 public IPs. The router is broken, so you would like to enable TCP/IP Filtering to block all ports except port 80 for the web and ports 25 and 110 for mail. After enabling IP Filtering, the server can't access any web sites, can't ping yahoo.com, and nslookup times out.
Cause: IP Filtering blocks the ports used for DNS.
"DNS name does not exist."
Cause: 1. Incorrect DNS settings.
2. The Netlogon service tries to register the RR before the DNS service is up.
Refer to case 0304TTa
DNS on multihomed server
It is not recommended to install DNS on a multihomed server. If you do, you should restrict the DNS server to listen only on a selected address.
DNS request time out - ip name lookup failed
When troubleshooting the Outlook error "550 5.7.1 relaying denied - ip name lookup failed" by using nslookup to resolve the host name, you may receive "DNS request timed out ... *** Request to mail.chicagotech.net timed-out".
Possible causes: 1. Incorrect DNS settings.
2. Incorrect TCP/IP settings on the DC.
3. Missing PTR record in the Reverse Lookup Zones.
Refer to case 0504BL
DNS server can't access the Internet
Symptoms: You have a domain controller with DNS. The server can ping the router and any public IP. However, the server can't open any web sites.
Resolution: Check the server's DNS settings; in particular, make sure the server points to the internal DNS server instead of the ISP DNS or 127.0.0.1.
How to register the DNS RR
1. Go to DNS Manager and add it manually.
2. Use Netlogon, or the ipconfig and nbtstat commands. Refer to case 0304TTa
How to troubleshoot DNS problems
To correct DNS settings and troubleshoot DNS problems, you can:
1) Run nslookup from a command line and check that the default DNS server is the one you expect.
2) Use ipconfig /all on the client to make sure the client points to the correct DNS server, and that the DC points only to itself for DNS by its actual TCP/IP address; make sure no ISP DNS server is listed in the TCP/IP properties of any W2K/XP machine.
3) When the machine loads it should register itself with DNS. If not, use the ipconfig /registerdns command.
4) Check Event Viewer to see whether the event logs contain any error information. On both the client and the server, check the System log for failures during the logon process. Also, check the Directory Service log on the server and the DNS log on the DNS server.
5) Use the nltest /dsgetdc:domainname command to verify that a domain controller can be located for a specific domain. The NLTest tool is installed with the Windows XP support tools.
6) If you suspect that a particular domain controller has problems, turn on Netlogon debug logging. Use the NLTest utility by typing nltest /dbflag:0x2000ffff at a command prompt. The information is logged in the Netlogon.log file in the Debug folder.
7) Use the DC diagnosis tool, dcdiag /v, to diagnose any errors. If you still have not isolated the problem, use Network Monitor to monitor network traffic between the client and the domain controller.
For consultants, refer to the DNS issue page.
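The following script is an added example, not code from this page or from ChicagoTech; it audits a domain controller for the settings mistakes listed under "Common DNS settings mistakes" and in steps 1 and 2 above (loopback or ISP DNS on an interface, a "." zone, no forwarders, dynamic updates disabled). It assumes Windows Server 2012 or later with the DnsClient, DnsServer and ActiveDirectory PowerShell modules, run in an elevated prompt on the DC; the $internalDns addresses are constructed placeholders.

```powershell
# Added example (not from the page): audit a domain controller for the DNS
# settings mistakes listed above. Assumes Windows Server 2012 or later with the
# DnsClient, DnsServer and ActiveDirectory PowerShell modules, run in an
# elevated prompt on the DC itself. $internalDns is a constructed placeholder.
$findings    = @()
$internalDns = @('192.0.2.10', '192.0.2.11')   # constructed: your DCs running DNS
$ownAddress  = (Get-NetIPAddress -AddressFamily IPv4 |
                Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress

# 1. Every interface should point at this server's own address (or another
#    internal DNS server), never at 127.0.0.1 and never at an ISP resolver.
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($srv in $cfg.ServerAddresses) {
        if ($srv -eq '127.0.0.1') {
            $findings += "Interface '$($cfg.InterfaceAlias)' uses 127.0.0.1 as its DNS server"
        } elseif ($srv -notin $ownAddress -and $srv -notin $internalDns) {
            $findings += "Interface '$($cfg.InterfaceAlias)' points at non-internal DNS server $srv"
        }
    }
}

# 2. A "." zone makes this server behave as an Internet root: root hints and
#    forwarders are ignored and external names stop resolving.
if (Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue) {
    $findings += 'A "." zone exists under Forward Lookup Zones; delete it'
}

# 3. Without forwarders the server falls back to the root hints; report it so
#    that the choice is a deliberate one.
if (-not (Get-DnsServerForwarder).IPAddress) {
    $findings += 'No forwarders configured; external names will go to the root hint servers'
}

# 4. Netlogon can only register its SRV records if the AD zone accepts dynamic updates.
$domainZone = (Get-ADDomain).DNSRoot
$zone = Get-DnsServerZone -Name $domainZone -ErrorAction SilentlyContinue
if (-not $zone) {
    $findings += "No forward lookup zone named $domainZone on this server"
} elseif ($zone.DynamicUpdate -eq 'None') {
    $findings += "Zone $domainZone does not allow dynamic updates"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'No DNS configuration mistakes found' }
```

Each finding maps to one of the numbered mistakes above; run the script on every domain controller, since each one must point to itself (or another internal DNS server) on every interface.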
How can I verify a computer's DNS entries are correctly registered in DNS?
A: You can use the nslookup tool to verify that DNS entries are correctly registered in DNS. For example, to verify record registration, use the following command: nslookup computername.domain.com
How to add DNS and WINS into your Cisco VPN server
If your VPN client cannot find servers or cannot ping a computer name, you may need to add DNS and WINS to your VPN server. For example, to add DNS and WINS on a Cisco PIX firewall, add vpdn group 1 client configuration dns dnsservername and vpdn group 1 client configuration wins winsservername.
How to clear bad information in Active Directory-integrated DNS
You may need to clear bad information in Active Directory-integrated DNS if DNS is damaged or if the DNS contains incorrect registration information. To do that:
1) Change the DNS zone type to Standard Primary.
2) Delete the DNS zones.
3) Use the ipconfig /flushdns command.
4) Recreate the DNS zones.
5) Restart the Net Logon service.
6) Use ipconfig /registerdns.
How to ensure that DNS is registering the Active Directory DNS records
To ensure that DNS is registering the Active Directory DNS records, go to DNS Management console > Server name > Forward Lookup Zones > Properties, make sure Allow Dynamic Updates is set to Yes, and check that the _msdcs, _sites, _tcp and _udp folders are correctly registering the Active Directory DNS records. If these folders do not exist, DNS is not registering the Active Directory DNS records. These records are critical to Active Directory functionality and must appear within the DNS zone. You should repair the Active Directory DNS record registration.
Q: How does the internal DNS resolve Internet names without the ISP's DNS server?
A: As long as the "." zone does not exist under Forward Lookup Zones in DNS, the DNS service uses the root hint servers. The root hint servers are well-known servers on the Internet that help all DNS servers resolve name queries.
How to reinstall the dynamic DNS in a Windows 2000 Active Directory
Under the following situations you may want to reinstall the DDNS in a Windows 2000 Active Directory:
- Some weird DNS errors have occurred and clearing DNS information has been unsuccessful.
- Services that depend upon DNS, such as the File Replication Service (FRS) and/or Active Directory, are failing.
- The secondary DNS server doesn't support dynamic updates.
To reinstall the dynamic DNS in a Windows 2000 Active Directory:
1. Clear the DNS information.
2. Clear the caching resolver.
3. Point all DNS servers to the first DNS server under TCP/IP properties.
4. Re-add the zones and configure them to be Active Directory integrated.
5. Register your A resource record for DNS as well as your start of authority (SOA).
How to repair the DNS record registration
To repair the Active Directory DNS record registration:
- Check for the existence of a root zone entry. View the Forward Lookup Zones in the DNS Management console. There should be an entry for the domain. Other zone entries may exist. There should not be a dot (".") zone. If the dot (".") zone exists, delete it. The dot (".") zone identifies the DNS server as a root server. Typically, an Active Directory domain that needs external (Internet) access should not be configured as a root DNS server.
The server probably needs to reregister its IP configuration (by using Ipconfig) after you delete the dot (".") zone. The Netlogon service may also need to be restarted. Further details about this step are listed later in this article.
- Manually repopulate the Active Directory DNS entries. You can use the Windows 2000 Netdiag tool to repopulate the Active Directory DNS entries. Netdiag is included with the Windows 2000 Support Tools. At a command prompt, type netdiag /fix.
To install the Windows 2000 Support Tools:
- Insert the Windows 2000 CD-ROM.
- Browse to Support\Tools.
- Run Setup.exe in this folder.
- Select a typical installation. The default installation path is Systemdrive:\Program Files\Support Tools.
After you run the Netdiag utility, refresh the view in the DNS Management
console. The Active Directory DNS records should then be listed.
NOTE: The server may need to reregister its IP configuration
(by using Ipconfig) after you run Netdiag. The Netlogon service may also need
to be restarted.
If the Active Directory DNS records do not appear, you may need to manually
re-create the DNS zone.
How to configure DNS Forwarders
To ensure network functionality outside of the Active Directory domain (such as browser requests for Internet addresses), configure the DNS server to forward DNS requests to the appropriate Internet service provider (ISP) or corporate DNS servers. To configure forwarders on the DNS server:
- Start the DNS Management console.
- Right-click the name of the server, and then click Properties.
- Click the Forwarders tab.
- Click to select the Enable Forwarders check box.
NOTE: If the Enable Forwarders check box is unavailable, the DNS server is attempting to host a root zone (usually identified by a zone named only with a period, or dot (".")). You must delete this zone to enable the DNS server to forward DNS requests. In a configuration in which the DNS server does not rely on an ISP DNS server or a corporate DNS server, you can use a root zone entry.
- Type the appropriate IP addresses for the DNS servers that will accept forwarded requests from this DNS server. The list reads from the top down in order; if there is a preferred DNS server, place it at the top of the list.
- Click OK to accept the changes.
For more troubleshooting information about DNS configuration for Active
Directory, see the following Microsoft Knowledge Base articles:
How to fix DC's FQDN Does Not Match Domain Name
Symptoms: After you promote or install a domain controller, the DNS suffix of your computer name may not match the domain name. Or the FQDN does not match the domain name because an NT 4.0 upgrade automatically clears the "Change primary DNS suffix when domain membership changes" check box. It is not possible to rename the computer on the Network Identification tab. Also, you may receive NETLOGON events in the System log with ID 5781 or other error messages that indicate a failure to dynamically register DNS records.
Resolutions: 1. After you upgrade to Microsoft Windows 2000, but before you run dcpromo to start the Active Directory Installation Wizard, add the following value to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
Value name: SyncDomainWithMembership
Value type: REG_DWORD
Value: 1
2. If you have already promoted the server to a domain controller, use the Active Directory Installation Wizard to demote it to a member server. Click to select the "Change primary DNS suffix when domain membership changes" check box, and then run dcpromo to promote it back to a domain controller.
3. Modify HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ and set Domain=mydomain.com, NV Domain=mydomain.com, SyncDomainWithMembership=1 (here mydomain.com is the domain name).
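As an added example (not code from this page), the check below reads the same Tcpip\Parameters values that resolutions 1 and 3 refer to, compares the primary DNS suffix with the Active Directory domain name, and sets SyncDomainWithMembership to 1 if it is not already. It assumes the ActiveDirectory PowerShell module is available and that it is run in an elevated prompt on the domain controller.

```powershell
# Added example (not from the page): compare the computer's primary DNS suffix
# with the Active Directory domain name and apply the SyncDomainWithMembership
# value from resolution 1. Assumes the ActiveDirectory module is available and
# an elevated prompt on the domain controller.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$params = Get-ItemProperty -Path $key
$adName = (Get-ADDomain).DNSRoot

"Domain (primary DNS suffix) : $($params.Domain)"
"NV Domain                   : $($params.'NV Domain')"
"SyncDomainWithMembership    : $($params.SyncDomainWithMembership)"
"Active Directory domain     : $adName"

if ($params.Domain -ne $adName) {
    # This is the mismatch behind the NETLOGON 5781 registration failures above.
    Write-Warning "Primary DNS suffix '$($params.Domain)' does not match the AD domain '$adName'"
}

if ($params.SyncDomainWithMembership -ne 1) {
    # REG_DWORD 1 = keep the primary DNS suffix in sync with domain membership
    Set-ItemProperty -Path $key -Name SyncDomainWithMembership -Value 1 -Type DWord
    Write-Host 'SyncDomainWithMembership set to 1'
}
```

The script only sets SyncDomainWithMembership; changing Domain and NV Domain directly (resolution 3) or demoting and re-promoting (resolution 2) remain manual steps as the page describes.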
Primary or Active Directory Integrated DNS
Active Directory Integrated DNS permits all servers to accept updates. Instead of adding standard secondary DNS servers, you can convert the server from a primary DNS server to an Active Directory Integrated primary server and configure another domain controller to be a DNS server. With Active Directory Integrated DNS servers, all the servers are primary servers, so when a zone change is made at one server, it is replicated to the others, eliminating the need for a zone transfer.
2nd DNS Issues
1. When setting up the 2nd DNS server, make sure you type the correct master DNS server IP address.
2. Make sure the primary DNS and 2nd DNS servers can ping each other and that no firewall blocks them.
3. If both DNS servers are in the LAN, make sure the primary DNS and 2nd DNS servers point to each other as primary and to themselves as secondary.
4. If you have two or more DNS servers in different locations, set up the primary DNS and 2nd DNS servers to point to themselves as primary and to each other as secondary.
Some A Records don't appear in DNS
Cause: 1. Incorrect TCP/IP settings.
2. "Register this connection's addresses in DNS" is unchecked.
The DSA operation is unable to proceed because of a DNS lookup failure.
Symptoms: 1. When trying to run DCPROMO, you receive: "The operation failed because: The directory service failed to replicate off changes made locally. The DSA operation is unable to proceed because of a DNS lookup failure."
2. The Event Viewer may list Event ID 1265 - The DSA operation is unable to proceed because of a DNS lookup failure.
3. DCDiag tests display this message: "The DSA operation is unable to proceed because of a DNS lookup failure".
Causes: 1. Incorrect TCP/IP configuration.
2. Incorrect DNS configuration.
3. Bad information in DNS Manager.
"The procedure entry point DsIsManagedDnW could not be located in the dynamic link library NTDSAPI.dll"
Symptom: When trying to run DCDiag, you get the following error: "The procedure entry point DsIsManagedDnW could not be located in the dynamic link library NTDSAPI.dll".
Resolutions: 1. Remove dcdiag.exe from Control Panel and install it from the W2K/XP DC.
2. The "entry point not found" error is typical of a service pack mismatch: dcdiag.exe is out of sync with the service pack level of your system. To fix it, go to the service pack x folder, find "adminpack.msi", right-click it and select Install.
Troubleshooting the Domain Locator Process
- Check Event Viewer on both the client and the DNS server for any errors.
- Verify that the IP configuration is correct for your network by using ipconfig /all.
- Ping both the DNS IP address and the DNS server name to verify network connectivity and name resolution.
- Use the nslookup servername.domain.com command to verify that DNS entries are correctly registered in DNS.
- If the nslookup command does not succeed, use one of the following methods to reregister records with DNS: a) force host record registration by using ipconfig /registerdns; b) force domain controller service registration by stopping and restarting the Netlogon service.
- If you still have the same issue, use Network Monitor to monitor network traffic between the client and the domain controller.
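The script below is an added example, not code from this page, and serves both the "How to ensure that DNS is registering the Active Directory DNS records" section and the nslookup step of the domain locator procedure above: it queries the SRV records under _msdcs and _tcp that Netlogon registers for a domain controller and confirms each target host has an A record. It assumes Windows 8 / Server 2012 or later (Resolve-DnsName) and a single-domain forest; the domain name and DNS server address are constructed placeholders.

```powershell
# Added example (not from the page): verify that the SRV records a domain
# controller registers through Netlogon are present and that each target has an
# A record. Assumes Windows 8 / Server 2012 or later (Resolve-DnsName) and a
# single-domain forest; the domain name and server address are constructed
# placeholders.
param(
    [string]$Domain    = 'corp.example.com',
    [string]$DnsServer = '192.0.2.10'
)

# The _msdcs entries are what the domain locator asks for first; _gc._tcp lives
# in the forest root zone (the same zone in a single-domain forest).
$required = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_kpasswd._tcp.$Domain",
    "_gc._tcp.$Domain"
)

$missing = @()
foreach ($name in $required) {
    $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { $missing += $name; continue }
    foreach ($r in $srv) {
        # A SRV record whose target has no A record still leaves clients unable
        # to reach the DC, so check the target as well.
        $a = Resolve-DnsName -Name $r.NameTarget -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue
        if ($a) { '{0,-45} {1}:{2}' -f $name, $r.NameTarget, $r.Port }
        else    { $missing += "$name -> $($r.NameTarget) (target has no A record)" }
    }
}

if ($missing) {
    Write-Warning ("Missing DNS records:`n  " + ($missing -join "`n  "))
    Write-Warning 'Restart the Netlogon service on the domain controller, then re-run this check.'
} else {
    Write-Host "All required SRV records for $Domain are registered on $DnsServer."
}
```

Run it against each internal DNS server in turn (the -DnsServer parameter); a record that is present on one server and missing on another points to a replication or zone transfer problem rather than a registration problem.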
Which DNS does a VPN client use
1. Assuming the LAN connection and the VPN connection have different DNS servers because they are assigned by different DHCP servers, the active DNS server goes with the default gateway.
2. You can pick which DNS server you want to use manually.
Which ports are used for DNS
UDP and TCP port 53. However, internal DNS clients may not hear answers even though the query has been sent out on port 53 until you open the UDP ports above 1023 (the replies come back to the client's ephemeral source port).
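The function below is an added example (not code from this page) covering both the port question above and the "DNS issue with IP Filtering" case: it sends the same query over UDP and over TCP and reports which transport gets an answer, which tells a filtering problem apart from a dead server. It assumes Windows 8 / Server 2012 or later (Resolve-DnsName); the server address and query name are constructed placeholders.

```powershell
# Added example (not from the page): check whether a DNS server answers over
# UDP and over TCP on port 53. Assumes Windows 8 / Server 2012 or later
# (Resolve-DnsName); the server address and query name below are constructed
# placeholders.
function Test-DnsTransport {
    param(
        [string]$Server,
        [string]$Name = 'www.example.com'
    )
    $result = [ordered]@{ Server = $Server; Name = $Name }
    foreach ($transport in 'UDP', 'TCP') {
        $query = @{
            Name        = $Name
            Server      = $Server
            Type        = 'A'
            DnsOnly     = $true          # skip hosts file, cache, LLMNR and NetBIOS
            ErrorAction = 'SilentlyContinue'
        }
        if ($transport -eq 'TCP') { $query.TcpOnly = $true }
        $sw     = [System.Diagnostics.Stopwatch]::StartNew()
        $answer = Resolve-DnsName @query
        $sw.Stop()
        $result[$transport] = if ($answer) {
            "answered in $($sw.ElapsedMilliseconds) ms"
        } else {
            'no answer (timed out or blocked)'
        }
    }
    [pscustomobject]$result
}

# Reading the result:
#   UDP fails, TCP works -> inbound UDP datagrams to the client's ephemeral port
#                           (above 1023) are being dropped, as in the IP Filtering case
#   both fail            -> port 53 itself is blocked, or the server is not answering
Test-DnsTransport -Server '192.0.2.10'   # constructed: your internal DNS server
```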
Why I can't perform external name resolution to the root hint servers on the Internet.
A: Make sure the "." zone does not exist under Forward Lookup Zones in DNS. If you do not delete this zone, you may not be able to perform external name resolution to the root hint servers on the Internet.
Q: Why do I have to point my domain controller to itself for DNS?
A: The Netlogon service on the domain controller registers a
number of records in DNS that enable other domain controllers and computers to
find Active Directory-related information. If the domain controller is
pointing to the ISP's DNS server, Netlogon does not register the correct
records for Active Directory, and errors are generated in Event Viewer. The
preferred DNS setting for the domain controller is itself; no other DNS
servers should be listed. The only exception to this rule is with additional
domain controllers. Additional domain controllers in the domain must point to
the first domain controller (which runs DNS) that was installed in the domain
and then to themselves as secondary.
Why our web site doesn't work internally
Q: Everyone can access our web site on the Internet. But no one can access the web site internally. Instead, we are pointed to our intranet.
A: If your network domain name is the same as your web site name, you should point the web host name to the web site's public IP. To do this, open DNS Manager and create a host (A) record, for example www.chicagotech.net = public IP.
This web is provided "AS IS" with no warranties.
Copyright © 2002-2018
ChicagoTech.net,
All rights reserved. Unauthorized reproduction forbidden.