Troubleshooting DNS-Related AD Logon Problems, Part 1

How the DNS lookup process can fail

I get many reader questions that go something like this: "I set up a test computer called DC1 at 192.168.1.4 to play with Active Directory (AD). This computer runs Windows 2000 Server and acts as both the DNS server and the first AD domain controller (DC) on my test domain, which I call acme.com. Everything works fine with that DC—I can create users and run all the AD administrative tools. Then, I put Win2K Server on another computer named DC2 at 192.168.1.5 and run Dcpromo to make that computer the second DC in the domain. But Dcpromo says that it's unable to contact the domain and can't make DC2 into a DC for acme.com. Yet I can ping DC1 from DC2 and vice versa, and the DCs are on the same subnet, so why can't they see each other?"

What causes this problem? To see how things go wrong, let's reconstruct what happens.

Finding a DNS Server
When you run Dcpromo and instruct it to make your computer into an additional DC, Dcpromo displays a Network Credentials panel that requests the name, domain, and password of an account that has the authority to add a DC to the existing domain (e.g., acme.com). Dcpromo then looks for an acme.com DC and uses the name and password to try to log on. But first, Dcpromo must be able to find a DC.

Remember that DNS acts as the central naming service for an AD domain. An essential DNS function in a Win2K network is to help computers find DCs. To use DNS, your system needs to have two pieces of software: the server software, which runs on the DNS server, and the DNS client software, which runs on your workstation. Your workstation uses the DNS client software to resolve names. But the client can't help unless it can find a DNS server. To find a DC that will authenticate you, Dcpromo says to the DNS client software, "Find a DNS server for acme.com, and ask it for the names and IP addresses of the DCs in the domain." The client does so by querying the DNS server for an SRV record.

To determine which DNS server your system queries, you can open a command line and type

ipconfig /all

Within the output, you'll see a list of the IP addresses for all the domain's DNS servers. When the DNS client software needs to resolve a DNS query, the client tries to contact the first machine on the list. If a DNS server is at that location, the client will address all DNS queries to that machine. The client doesn't query another DNS server from the list unless the client gets no DNS server response from the preferred server.

When a Win2K system needs to find an AD DC to log the system on, the system prefers to use a local DC. So, a Win2K system often does multiple DNS queries when looking for a DC: first, "Tell me about the local DCs for acme.com," then if that query fails, "Tell me about all the DCs for acme.com."

Troubleshooting AD Authentication
A powerful utility for troubleshooting AD authentication problems is Nslookup, which lets you mimic the behavior of a Win2K system that's trying to log on to an AD domain. On a command line, type

nslookup

The response gives the default server and its IP address and tells you that Nslookup did two things: It successfully contacted a DNS server, and it asked the server to reverse-resolve the server's IP address into a DNS name. Reverse resolution is unnecessary for AD logons, but if a functional DNS server doesn't reverse-resolve, Nslookup returns a message that makes you think something is seriously wrong:

DNS request timed out.
  timeout was 2 seconds.
*** Can't find server name
  for address 200.200.10.10:
  Timed out
*** Default servers are not
  available
Default Server:  UnKnown
Address:  200.200.10.20

However, if you type an Internet address (e.g., www.win2000mag.com) at the Nslookup prompt, the response reveals that Nslookup easily resolves that name:

www.win2000mag.com
Server:  ns1.yourisp.com
Address:  200.200.10.10

Name:    www.win2000mag.com
Address:  63.88.172.66

Nslookup also complains if the DNS server that your DNS client is supposed to use is dead or has a problem:

*** Can't find server name
 for address 200.200.10.10:
 No response from server
*** Default servers are not
 available
Default Server:  UnKnown
Address:  200.200.10.10

Do you see a significant difference between this response and the one that indicates a failed reverse resolution? No? Neither do I. So, how can you determine whether the server has a real problem or Nslookup is complaining about reverse resolution? Your best bet is to simply try to resolve an Internet address. If the problem exists at the server, the response will instead resemble

Server:  UnKnown
Address:  200.200.10.20

*** UnKnown can't find
  www.win2000mag.com: No
  response from server

Previous [1] 2 Next

I have that problem, and its reflect when a made any change to a user acount, isn't replicate to the other dommains

Hiran Coello December 05, 2001

I have domain name same as my registered internet domain name and I resolve address fine. I do get other problems though. The XP Pro stations seems to work fine but looking in the event log show domain related errors:

Every 30-40 minutes it logs event id 1030: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

and event id 1005: Windows cannot connect to mydomain.com domain. (Operations Error). Group Policy processing aborted.

I wonder if these errors are related. I have looked all over MS site but nothing on these ids.

Bill December 26, 2001

Troubleshooting is supposed to have some resolution. None are included with this document. Why?

Jason October 10, 2003

I am having this problem is there a next page that has the resolution? or a fix for this?

Rich Bowen June 14, 2004

I am running in mixed mode. One PC which is xp cannot see the network in "my network places" claiming a lack of permission. But it can map a drive to a server on the network. Same with the printers. It doesn't matter who is logged on. Is this a DNS error?

Hugh_McGinness September 16, 2004 (Article Rating:

)

You did not address other logon problem scenarios and resolutions. Scenario:
2 DCs on the DMZ as Web Servers running Windows 2003 Enterprise. AD integrated DNS on both DCs, and servers resolve own DNS.

Problem: Users accessing the public web sites randomly get a login request box. IIS folder permissions and NTFS permissions are correct. What is causing the problem?

Anonymous User February 01, 2005

Where is the resolution? How is this a troubleshooting document? It just told me what I already know, I have a problem with DNS! Sigh, I guess I'll look elsewhere.

Anonymous User February 17, 2005 (Article Rating:

)

You must log on before posting a comment.

If you don't have a username & password, please register now.