Some common issues that you may encounter with Active Directory installation and configuration can cause a partial or complete loss of functionality in Active Directory. These issues may include, but are not limited to:
· Domain Name System (DNS) configuration errors.
· Network configuration problems.
· Difficulties when you upgrade from Microsoft Windows NT.
You must configure DNS correctly to ensure that Active Directory will function properly. Review the following configuration items to ensure that DNS is healthy and that the Active Directory DNS entries will be registered correctly:
· DNS IP configuration
· Active Directory DNS registration
· Dynamic zone updates
· DNS forwarders
DNS IP Configuration
An Active Directory server that is hosting DNS must have its TCP/IP settings configured properly. TCP/IP on an Active Directory DNS server must be configured to point to itself to allow the server to register with its own DNS server.
To view the current IP configuration, open a command window and type ipconfig /all to display the details. You can modify the DNS configuration by following these steps:
1. Right-click My Network Places, and then click Properties.
2. Right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Click Advanced, and then click the DNS tab. Configure the DNS information as follows: configure the DNS server addresses to point to the DNS server. This should be the computer's own IP address if it is the first server or if no dedicated DNS server will be configured.
5. If the resolution of unqualified names setting is set to Append these DNS suffixes (in order), the Active Directory DNS domain name should be listed first (at the top of the list).
6. Verify that the DNS Suffix for this connection setting is the same as the Active Directory domain name.
7. Verify that the Register this connection's addresses in DNS check box is selected.
8. At a command prompt, type ipconfig /flushdns to purge the DNS resolver cache, and then type ipconfig /registerdns to register the DNS resource records.
9. Start the DNS Management console. There should be a host record (an "A" record in Advanced view) for the computer name. There should also be a Start of Authority (SOA in Advanced view) record pointing to the domain controller (DC) as well as a Name Server record (NS in Advanced view).
Active Directory DNS Registration
The Active Directory DNS records must be registering in DNS. The DNS zone can be either a standard primary or an Active Directory-integrated zone. An Active Directory-integrated zone is different from a standard primary zone in several ways. An Active Directory-integrated zone provides the following benefits:
· The Windows 2000 DNS service stores zone data in Active Directory. This causes DNS replication to create multiple masters, and it allows any DNS server to accept updates for a directory service-integrated zone. Using Active Directory integration also reduces the need to maintain a separate DNS zone transfer replication topology.
· Secure dynamic updates are integrated with Windows security. This allows an administrator to precisely control which computers can update which names, and it prevents unauthorized computers from obtaining existing names from DNS.
Use the following steps to ensure that DNS is registering the Active Directory DNS records:
1. Start the DNS Management console.
2. Expand the zone information under the server name.
3. Expand Forward Lookup Zones, right-click the name of the Active Directory domain's DNS zone, click Properties, and then verify that Allow Dynamic Updates is set to Yes.
4. Four folders with the following names are present when DNS is correctly registering the Active Directory DNS records. These folders are labeled:
_msdcs
_sites
_tcp
_udp
If these folders do not exist, DNS is not registering the Active Directory DNS records. These records are critical to Active Directory functionality and must appear within the DNS zone. You should repair the Active Directory DNS record registration.
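The checks from the DNS IP Configuration steps and the registration steps above can be scripted. The following is an added example, not part of the original article, and assumes a domain controller running Windows Server 2012 or later with the DnsClient, NetTCPIP and CIM cmdlets; the site name Default-First-Site-Name is the Active Directory default and is an assumption.

```powershell
# Added example, not from the original article. Assumes a domain controller
# running Windows Server 2012 or later (DnsClient, NetTCPIP and CIM cmdlets);
# the article itself describes the Windows 2000 console steps.
$cs       = Get-CimInstance Win32_ComputerSystem
$domain   = $cs.Domain
$hostFqdn = "$($cs.DNSHostName).$domain"

# 1. TCP/IP on a DC that hosts DNS must point at itself (own IP or 127.0.0.1).
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
              ForEach-Object { $_.ServerAddresses }
$localIPs   = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$pointsToSelf = @($dnsServers | Where-Object { $localIPs -contains $_ }).Count -gt 0
"DNS client points to self : $pointsToSelf (servers: $($dnsServers -join ', '))"

# 2. The host (A), Start of Authority (SOA) and Name Server (NS) records the
#    article expects to see in the DNS Management console.
$expected = @(
    @{ Name = $hostFqdn; Type = 'A'   },
    @{ Name = $domain;   Type = 'SOA' },
    @{ Name = $domain;   Type = 'NS'  }
)
# 3. Well-known SRV records that live under the _msdcs, _sites, _tcp and _udp
#    folders. 'Default-First-Site-Name' is the default AD site; substitute yours.
foreach ($n in "_ldap._tcp.dc._msdcs.$domain",
               "_ldap._tcp.Default-First-Site-Name._sites.$domain",
               "_ldap._tcp.$domain",
               "_kerberos._tcp.$domain",
               "_kerberos._udp.$domain") {
    $expected += @{ Name = $n; Type = 'SRV' }
}

$missing = 0
foreach ($e in $expected) {
    # -DnsOnly bypasses the local resolver cache so a stale entry cannot mask a gap.
    $r = Resolve-DnsName -Name $e.Name -Type $e.Type -DnsOnly -ErrorAction SilentlyContinue
    if ($r) {
        "{0,-4} {1,-55} OK" -f $e.Type, $e.Name
    } else {
        "{0,-4} {1,-55} MISSING" -f $e.Type, $e.Name
        $missing++
    }
}
if ($missing) {
    "$missing record(s) missing: run ipconfig /registerdns, then restart Netlogon" +
    " (net stop netlogon / net start netlogon) and re-check."
}
```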
To repair the Active Directory DNS record registration
Check for the existence of a Root Zone entry. View the Forward Lookup zones in the DNS Management console.
There should be an entry for the domain. Other zone entries may exist. There should not be a dot (".") zone. If the dot (".") zone exists, delete the dot (".") zone. The dot (".") zone identifies the DNS server as a root server.
Typically, an Active Directory domain that needs external (Internet) access should not be configured as a root DNS server.
The server probably needs to reregister its IP configuration (by using Ipconfig) after you delete the dot (".") zone. The Netlogon service may also need to be restarted.
Manually repopulate the Active Directory DNS entries. You can use the Windows 2000 Netdiag tool to repopulate the Active Directory DNS entries. Netdiag is included with the Windows 2000 Support tools. At a command prompt, type netdiag /fix
After you run the Netdiag utility, refresh the view in the DNS Management console. The Active Directory DNS records should then be listed.
Note: The server may need to reregister its IP configuration (by using Ipconfig) after you run Netdiag. The Netlogon service may also need to be restarted.
If the Active Directory DNS records do not appear, you may need to manually re-create the DNS zone.
Manually re-create the DNS zone
1. Start the DNS Management console.
2. Right-click the name of the zone, and then click Delete.
3. Click OK to acknowledge any warnings. The Forward Lookup zones no longer list the deleted zone.
4. Right-click Forward Lookup Zones, and then click New Zone.
5. The New Zone Wizard starts. Click Next to continue.
6. Click the appropriate zone type (either Active Directory-integrated or Standard primary), and then click Next.
7. Type the name of the zone exactly as it appears in Network Identification, and then click Next.
8. Click the appropriate zone file, or a new zone file. Click Next, and then click Finish to finish the New Zone Wizard.
9. The newly created zone appears in the DNS Management console.
10. Right-click the newly created zone, click Properties, and then change Allow Dynamic Updates to Yes.
11. At a command prompt, type net stop netlogon and then press ENTER. The Netlogon service is stopped.
12. Type net start netlogon and then press ENTER. The Netlogon service is restarted.
13. Refresh the view in the DNS Management console. The Active Directory DNS records should be listed under the zone.
If the Active Directory DNS records still do not exist, there may be a disjointed DNS namespace.
Dynamic Zone Updates
Microsoft recommends that the DNS Lookup zone accept dynamic updates. You can configure this by right-clicking the name of the zone, and then clicking Properties. On the General tab, the Allow Updates setting should be set to Yes, or for an Active Directory-integrated zone, either Yes or Only secure updates. If dynamic updates are not allowed, all host registration must be completed manually.
DNS Forwarders
To ensure network functionality outside of the Active Directory domain (such as browser requests for Internet addresses), configure the DNS server to forward DNS requests to the appropriate Internet service provider (ISP) or corporate DNS servers.
To configure forwarders on the DNS server:
1. Start the DNS Management console.
2. Right-click the name of the server, and then click Properties.
3. Click the Forwarders tab.
4. Click to select the Enable Forwarders check box.
Note: If the Enable Forwarders check box is unavailable, the DNS server is attempting to host a root zone (usually identified by a zone named only with a period, or dot (".")). You must delete this zone to enable the DNS server to forward DNS requests. In a configuration in which the DNS server does not rely on an ISP DNS server or a corporate DNS server, you can use a root zone entry.
5. Type the appropriate IP addresses for the DNS servers that will accept forwarded requests from this DNS server. The list reads from the top down in order; if there is a preferred DNS server, place it at the top of the list.
6. Click OK to accept the changes.
Upgrade Installation Considerations
Earlier (Legacy) DNS Servers - DNS servers that run Windows NT 4.0 cannot dynamically register the Active Directory DNS records. The best solution in this case is to install DNS on the Active Directory domain controller to ensure that Active Directory DNS records will be registered for the domain.
Disjointed DNS Namespace - You must configure the correct DNS suffix information before you begin a Windows 2000 upgrade installation. You cannot change the server name and DNS domain information after Active Directory is installed.
To configure the DNS suffix information in Windows NT before you upgrade the computer to a Windows 2000-based Active Directory domain controller:
1. Right-click Network Neighborhood, and then click Properties.
2. Click the Protocols tab, click TCP/IP Protocol, and then click Properties.
3. Click the DNS tab.
4. In the Domain box, type the complete Active Directory domain name.
5. Click Apply, and then click OK.
6. Click OK to quit the Network tool.
7. Restart the computer.
To verify the settings, open a command window, and then type ipconfig /all. The Host Name line shows the fully qualified domain name.
If you must change the DNS domain information after you install Active Directory, you must run the Dcpromo utility on the computer to remove it from the domain and make it a stand-alone server.
To determine if a disjointed namespace exists on an existing Windows 2000-based domain controller:
1. Right-click My Computer, and then click Properties.
2. Click the Network Identification tab.
3. Compare the DNS suffix section of the full computer name to that of the domain name listing. The full computer name reads as follows: hostname.dns_suffix. These two entries should contain identical suffix information.
If these two entries do not contain identical suffix information, a disjointed DNS namespace exists. This condition prevents proper registration of any Active Directory DNS records.
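The same suffix comparison can be made from a shell instead of the Network Identification tab. This is an added example, not from the original article; it assumes a domain-joined Windows host with PowerShell and the CIM cmdlets (Windows Server 2012 or later).

```powershell
# Added example, not from the original article. Compares the primary DNS
# suffix of the full computer name (hostname.dns_suffix) with the Active
# Directory domain name, as the Network Identification tab shows them.
$cs      = Get-CimInstance Win32_ComputerSystem
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()

$hostName  = $ipProps.HostName     # hostname part of the full computer name
$dnsSuffix = $ipProps.DomainName   # primary DNS suffix (dns_suffix part)
$adDomain  = $cs.Domain            # domain the computer is joined to

"Full computer name : $hostName.$dnsSuffix"
"AD domain name     : $adDomain"

if (-not $cs.PartOfDomain) {
    "This computer is not domain-joined; the namespace comparison does not apply."
} elseif ($dnsSuffix -ieq $adDomain) {
    "OK: the DNS suffix matches the domain name; the namespace is not disjointed."
} else {
    # Mismatch means Active Directory DNS records will not register for this DC.
    "WARNING: disjointed DNS namespace ('$dnsSuffix' vs '$adDomain')." +
    " See the note above: Dcpromo is the only supported recovery."
}
```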
Note: The only supported method to recover from a disjointed namespace is to use Dcpromo to remove the computer from the domain and make it a stand-alone server. You can then correct the DNS namespace information and run Dcpromo again to promote the computer back to a domain controller.