
Problems with DNS naming of Win2k PDC 1


GordonLeeds (IS-IT--Management), Feb 5, 2002
I need help resolving DNS/Domain/Active Directory problems on a Windows 2000 Server. Thanks in advance to anyone who can offer advice.

Here is the situation.

1) Existing Windows NT 4.0 Primary Domain Controller, named SERVER1, in domain DOMAIN1.

2) Windows NT 4.0 Backup Domain Controllers SERVER2, SERVER3 and SERVER4.

3) Existing internet domain pointing to a public ip at a 3rd-party web hosting company.

4) On the LAN, a single dedicated public ip address for DSL gateway - dedicated LAN ip addresses, including servers, are in the range 192.168.1.1 - 192.168.1.253 while the internal ip for the gateway is 192.168.1.254.

5) None of our local servers hosts a website - our DSL service is currently used only for user web access and email.

6) A year ago I added a Windows2000 Server as PDC of a new domain, DOMAIN2000. Based on my reading about DNS and ADS, I named the computer SERVER2000.OFFICE.MYCOMPANY.COM. The Network Identification tab of the System Properties applet shows "Full computer name: SERVER2000.OFFICE.MYCOMPANY.COM, Domain: OFFICE.MYCOMPANY.COM Note: The identification of the computer cannot be changed because: - The computer is a domain controller."

7) Made DOMAIN1 and DOMAIN2000 co-trusted, so users are still managed and authenticated by SERVER1, but automatically have full access to resources on SERVER2000.

This setup accomplished the primary goal, giving users access to resources on the new SERVER2000. We've had zero operational problems in that respect.

However, as I'm sure anyone properly trained in Win2k migration will see at once, the name space has serious problems, and my Event Log is full of DNS and NETLOGON errors. My goal was to establish a separate Win2k domain, accessible by users of the old NT domain, with the new server as PDC and root of the ADS forest. As the older servers are replaced, I would add their replacements to the new domain, and eventually migrate the users across. Given the scenario I've described above, how SHOULD I have set things up? Does one HAVE to have an internet domain that points to the LAN in some way, before assigning a name to the new server?

I now have another new server to configure, and I'm wondering if I need to demote SERVER2000 to the role of Member Server in order to fix its naming conventions, and then make the new computer the PDC?

Any and all advice on this topic is welcome.

Thank you!
Gordo
 
Well, if I'm taking this all in correctly, you're not in as bad shape as you think.

Your local domain need not have anything to do with a real internet domain.

If you're not running DNS on your 2k server, install it and have it host a zone for office.mycompany.com. 2k uses DNS like NT 4 uses WINS. It's everywhere. Point all your local machines to your local DNS server, and if you still want your ISP to handle internet name resolution, there's a forwarders tab in the properties of the DNS server - specify your ISP's DNS server as a forwarder and the local DNS will send all requests that are not in its local zones or cache to the forwarder.

You shouldn't have to rename your DC or your domain, however, if you do, and if you haven't set up extensive permissions on your 2k server, you can run DCPROMO to remove active directory on your 2k server, rename it, run DCPROMO again, recreate your AD name structure, and re-establish your trusts. Just make sure your local DNS server has a forward lookup zone (and ideally a reverse lookup zone too) for your domain name.

Marc Creviere
 
Bless your heart, M. Creviere, thanks for the quick reply! It's good to get some encouragement. I'll work through your suggestions and reply again if I come up with more questions.

Thanks again!
Gordo
 
Well, I've made progress, thanks to FilthPig's advice, but now I need another boost. I did in fact have DNS installed and configured, but for some unknown reason the external DNS servers listed in my TCP/IP Properties were no longer set correctly. Changing this back to my DSL ISP's proper DNS IPs made the worst of my DNS errors go away.

What I'm left with now is this Event:

Event Type: Warning
Event Source: NETLOGON
Event Category: None
Event ID: 5773
Date: 2/6/2002
Time: 12:32:50 PM
User: N/A
Computer: SERVER2000
Description:
The DNS server for this DC does not support dynamic DNS. Add the DNS records from the file '%SystemRoot%\System32\Config\netlogon.dns' to the DNS server serving the domain referenced in that file.
Data:
0000: 2c 23 00 00 ,#..

Experimentation and a thorough search of the MS Knowledge base have NOT revealed HOW to "add the DNS records" from the netlogon.dns file. Am I supposed to parse this file manually and add the records one by one to the forward lookup zone for SERVER2000.OFFICE.MYCOMPANY.COM?

I did find references to enabling dynamic DNS, and I changed the "Allow Dynamic updates?" setting from "Only secure updates" to "Yes". Will that take care of things, or do I still need to "add the DNS records" somehow?

Thanks again, I'm very happy to have made progress ironing this out!

Regards,
Gordo
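As an added illustration (not from the thread or from Microsoft), here is a small Python script that parses a netlogon.dns-style file and reports which of the DC locator SRV records are missing for the domain. The sample file contents, the IP address and the list of services checked are assumptions; a real netlogon.dns on a DC is longer.

```python
"""Parse a Windows 2000 netlogon.dns file and check the DC locator records."""
import re
from collections import defaultdict

# Constructed sample modelled on the format NETLOGON writes; the IP is an
# assumed value inside the LAN range described in the thread.
SAMPLE_NETLOGON_DNS = """\
office.mycompany.com. 600 IN A 192.168.1.10
_ldap._tcp.office.mycompany.com. 600 IN SRV 0 100 389 server2000.office.mycompany.com.
_ldap._tcp.dc._msdcs.office.mycompany.com. 600 IN SRV 0 100 389 server2000.office.mycompany.com.
_ldap._tcp.pdc._msdcs.office.mycompany.com. 600 IN SRV 0 100 389 server2000.office.mycompany.com.
_kerberos._tcp.office.mycompany.com. 600 IN SRV 0 100 88 server2000.office.mycompany.com.
_kerberos._udp.office.mycompany.com. 600 IN SRV 0 100 88 server2000.office.mycompany.com.
_kpasswd._tcp.office.mycompany.com. 600 IN SRV 0 100 464 server2000.office.mycompany.com.
"""

# Locator names a client needs to find a DC, the PDC emulator and a global catalog
# (assumed minimal set for this example).
REQUIRED_SERVICES = ("_ldap._tcp", "_ldap._tcp.dc._msdcs", "_ldap._tcp.pdc._msdcs",
                     "_kerberos._tcp", "_kpasswd._tcp", "_gc._tcp")

# owner-name  TTL  IN  TYPE  rdata
RECORD_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_netlogon_dns(text):
    """Return (owner, ttl, type, rdata) tuples; owners lowercased without the trailing dot."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and zone-file comments
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError("unrecognised record: " + line)
        records.append((m["name"].lower().rstrip("."), int(m["ttl"]), m["type"], m["rdata"].strip()))
    return records


def check_locator_records(records, domain):
    """Report required SRV names missing for `domain` and which host each SRV points at."""
    domain = domain.lower()
    srv_names = {name for name, _, rtype, _ in records if rtype == "SRV"}
    missing = [svc for svc in REQUIRED_SERVICES if f"{svc}.{domain}" not in srv_names]
    targets = defaultdict(set)
    for name, _, rtype, rdata in records:
        if rtype == "SRV":  # SRV rdata: priority weight port target
            targets[rdata.split()[-1].rstrip(".")].add(name)
    return {"missing": missing, "targets": {t: sorted(n) for t, n in targets.items()}}


if __name__ == "__main__":
    print(check_locator_records(parse_netlogon_dns(SAMPLE_NETLOGON_DNS), "office.mycompany.com"))
```

Run against the real file, the "missing" list is what would still need adding (or registering dynamically) in the forward lookup zone for the domain named in the file.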
 
Now that you've enabled Dynamic DNS, stop and restart your DNS service, and reboot your DC. It should create the records you need (dynamically!:))

Marc Creviere
 
Er, re-read your post, different advice in fact. Sounds like you're using your ISP's DNS for that machine? Like, in the TCP/IP properties of the server? You want to change that back to your local DNS, and set up a forwarder to your ISP's DNS. To do that, first delete the "." forward lookup zone if it's there, right-click on your server in the DNS Manager, go to the forwarders tab, and enter your ISP's DNS as a forwarder.

Marc Creviere
 
Got it, I had read about the forwarding and what you say sounds just right. When you say to change the TCP/IP properties back "to your local DNS", you mean change them to the ip address of SERVER2000, yes?

And... thank you, thank you, thank you again. I can't tell you what a relief it is to have a friendly, knowledgeable AND responsive advisor at hand!!!

Gordo
 
Yes, change the DNS server that the TCP/IP properties are looking to back to itself for SERVER2000. Active Directory requires Dynamic DNS. Your ISP is neither running a zone for your DNS domain name, nor do they probably support Dynamic DNS, so when the domain controller went looking to update DNS (at your ISP), it rightly errored out. Hope that makes sense.

And you're quite welcome. Things have been rather slow at work lately, so I've been rather active here. Glad it's helped you! (Psst - mark my posts helpful :))

Marc Creviere
 