If DNS is not set up on the Domain controller correctly, domain-wide issues can occur such as replication between domain controllers. If DNS is not set up on the client correctly, the client may experience many networking and internet issues. Unable log on to the domain or join the domain from a workstation or server, and can't access the Internet indicate that you may have DNS settings issues.

1.The domain controller is not pointing to itself for DNS resolution on all network interfaces. Especially, when you have multihomed server, the WAN connection may be assign 127.0.0.1 as DNS ip.
2. The "." zone exists under forward lookup zones in DNS.
3. The clients on LAN do not point the DNS to internal DNS server.

Symptom: When running nslookup, you may receive this message: Can't find server name for ....: No response from server

Cause: the DNS server's reverse lookup zones do not contain a PTR record for the DNS server's IP address. Refer to case 0204BL

Cause: You don't have a DNS server specified in your TCP/IP Properties. If you have no DNS server configured on your client, Nslookup will. default to the local loopback address.

Symptoms: you have a windows 2000 server running IIS for public access with 10 public IPs. The router is broken. We would like to enable IP filtering to block all ports except the port 80 for the web, 25 and 110 for the mail. After enabling IP Filtering, the server can't access any web sites, can't ping yahoo.com and nslookup gets time out.

Cause: 1. Incorrect DNS.
2. The netlogon service tries to register the RR before the DNS service is up. Refer to case 0304TTa

It is not recommended to install DNS on a multihomed server. If you do, you should restrict the DNS server to listen only on a selected address.

Symptoms: You have a domain controller with DNS. The server can ping router and any public IPs. However, the server can't open any web sites.

Resolution: Check the server DNS settings, especially make sure the server points to the internal DNS instead of the ISP DNS or 127.0.0.1.

1. Go to DNS Manager to add it manually.
2. Use netlogon, ipconfig and nbtstat command. Refer to case 0304TTa

To correct DNS settings and troubleshoot DNS problems, you can 1) run nslookup from a command line is the default dns server the one you expect.
2) use ipconfig /all on client to make sure the client point to correct DNS server and the the DC server points to only itself for DNS by its actual tcp/ip address, and make sure no any ISP DNS listed in tcp/ip properties of any W2K/XP.
3) When the machine loads it should register itself with the DNS. If not, use ipconfig /regiesterdns command.
4) Check Event Viewer to see whether the event logs contain any error information. On both the client and the server, check the System log for failures during the logon process. Also, check the Directory Service logs on the server and the DNS logs on the DNS server.
5) Use the nltest /dsgetdc:domainname command to verify that a domain controller can be located for a specific domain. The NLTest tool is installed with the Windows XP support tools.
6) If you suspect that a particular domain controller has problems, turn on the Netlogon debug logging. Use the NLTest utility by typing nltest /dbflag:0x2000ffff at a command prompt. The information is logged in the Debug folder in the Netlogon.log file.
7) Use DC Diagnosis tool, dcdiag /v to diagnose any errors. If you still have not isolated the problem, use Network Monitor to monitor network traffic between the client and the domain controller.

A: You can use the NSLookup tool to verify that DNS entries are correctly registered in DNS. For example, to verify record registration, use the following commands: nslookup computername.domain.com.

If your VPN client cannot find servers or cannot ping computernmae, you may need to add DNS and WINS into your VPN server. For example, to add DNS and WINS on a Cisco Firewall PIX, add vpdn group 1 client configuation dns dnsservername and vpdn group 1 client configuration wins winsservername..

You may need to clear bad information in Active Directory-integrated if DNS is damaged or if the DNS contains incorrect registration information. To do that, 1) Change the DNS settings to Standard Primary Zone.
2) Delete the DNS zones.
3) Use ipconfig /flushdns command.
4) Recreate the DNS zones.
5) Restart Net Logon service 6)Use ipconfig /registerdns

To ensure that DNS is registering the Active Directory DNS records, to go DNS Management console>Server name>Forward Lookup Zones>Properties, make sure Allow Dynamic Updates is set to Yes and _msdcs, _sites, _tcp and _udp are correctly registering the Active Directory DNS records. If these folders do not exist, DNS is not registering the Active Directory DNS records. These records are critical to Active Directory functionality and must appear within the DNS zone. You should repair the Active Directory DNS record registration.

Under the following situations you may want to reinstall the DDNS in a Windows 2000 Active Directory:

1. Clear the DNS information.
2. Clear the Caching Resolver.
3. Point all DNS servers to the first DNS server under TCP/IP properties.
4. Re-add the zones and configure them to be Active Directory integrated.
5. Register your A resource record for DNS as well as your start of authority (SOA).

How to configure DNS Forwarders

To ensure network functionality outside of the Active Directory domain (such as browser requests for Internet addresses), configure the DNS server to forward DNS requests to the appropriate Internet service provider (ISP) or corporate DNS servers. To configure forwarders on the DNS server:

For more troubleshooting information about DNS configuration for Active Directory, see the following Microsoft Knowledge Base articles:

DC's FQDN Does Not Match Domain Name

Symptoms: After you promote or install a domain controller, the DNS suffix of your computer name may not match the domain name. Or the FQDN does not match the domain name because a NT 4.0 upgrade automatically clears the Change primary DNS suffix when domain membership changes check box. It is not possible to rename the computer on the Network Identification tab. Also, you may receive NETLOGON events in the System Log with ID:5781 or other error messages that indicate a failure to dynamically register DNS records.

Resolutions: 1. After you upgrade to Microsoft Windows 2000, but before you run dcpromo and obtain the Active Directory Installation Wizard, add the following values to the following registry key:
Value name: SyncDomainWithMembership
Value type: REG_DWORD
Value: 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\

2. If you have already promoted to a domain controller, use the Active Directory Installation Wizard to demote to a member server. Click to select the Change primary DNS suffix when domain membership changes check box, and then run dcpromo to promote back to a domain controller.

3. Modify HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ and changed domain=mydomain.com, NV Domain=mydomain.com, SyncDomainWithMembership= 1 (here mydomain.com is yhe donaim name).

Primary or Active Directory Integrated DNS

With Active Directory Integrated DNS, this permits all servers to accept updates. Instead of adding standard secondary DNS servers, you can convert the server from a primary DNS server to an Active Directory Integrated Primary server and configure another domain controller to be a DNS server. With Active Directory Integrated DNS servers, all the servers are primary servers, so when a zone change is made at one server, it is replicated to the others, eliminating the need for a zone transfer.

2nd DNS Issues

1. When setup 2nd DNS, make sure you type correct Master DNS Server IP address.
2. Make sure primary DNS and 2nd DNS servers can ping each other and not firewall block them.
3. Make sure primary DNS and 2nd DNS servers point to each other as primary and themselves as secondary if both DNS servers are in the LAN.
4. If you have two or more DNS servers in different locations, you will setup primary DNS and 2nd DNS servers point to themselves as primary and each other as secondary.

Some A Records don't appear in DNS

Cause: 1. incorrect TCP/IP settings.
2. Register this connection's address in DNS is unchecked.

The DSA operation is unable to proceed because of a DNS lookup failure.

Symptoms: 1. When trying to DCPROMO, ,you receive: "The operation failed because: The directory service failed to replicate off changes made locally. The DSA operation is unable to proceed because of a DNS lookup failure."
2. The Event Viewer may list Event ID: 1265 - The DSA operation is unable to proceed because of a DNS lookup failure.
3. DCDiag test display this message: "The DSA operation is unable to proceed because of a DNS lookup failure".

Causes: 1. Incorrect TCP/IP configuration.
2. Incorrect DNS configuration
3. Bad information in DNS Manager.

“The procedure entry point DsIsManagedDnW could be located in the dynamic link library NTDSAPI.dll”

Symptom: when trying to run DCDiag and getting the following error, "the procedure entry point DsIsManagedDnW could be located in the dynamic link library NTDSAPI.dll".

Resolutions: 1. Remove the dcdiag.exe from Controller Panel and install it from w2k/xp DC.
2. The "entry point not found" is typical of a service pack mismatch and the dcdiag.exe is out of sync with the service pack level of your system. To fix, go to the service pack x folder, and find "adminpack.msi" Right click it and select install.

Troubleshooting the Domain Locator Process

1. Assuming both LAN connection and VPN connection have the different DNS because they are assigned by different DHCPs, the active DNS goes with the default gateway.
2. You can pick up which DNS you want to use manually.

UDP and TCP port 53. However, the internal DNS clients may not hear answers even though the query has been sent out on 53,until you open the UDP port above 1023.

Q: Why do I have to point my domain controller to itself for DNS?

A: The Netlogon service on the domain controller registers a number of records in DNS that enable other domain controllers and computers to find Active Directory-related information. If the domain controller is pointing to the ISP's DNS server, Netlogon does not register the correct records for Active Directory, and errors are generated in Event Viewer. The preferred DNS setting for the domain controller is itself; no other DNS servers should be listed. The only exception to this rule is with additional domain controllers. Additional domain controllers in the domain must point to the first domain controller (which runs DNS) that was installed in the domain and then to themselves as secondary.

Q: Everyone can access our web site on the Internet. But no one can access the web site internally. Instead, we are point to our Intranet.

A: If you network domain name is the same of your web site name, you should point the web to the web public IP. To do this, open DNS manager and create a host. for example www.chicagotech.net=public ip.

A Records appear and disappear randomly

How to configure DNS Forwarders

DC's FQDN Does Not Match Domain Name

The DSA operation is unable to proceed because of a DNS lookup failure.

Troubleshooting the Domain Locator Process