Re: DNS not doing recursive lookups



In news:7C27ED06-BBD1-4929-890E-6C3CB3ABDFA3@xxxxxxxxxxxxx,
Rob Boylan <RobBoylan@xxxxxxxxxxxxxxxxxxxxxxxxx> made this post, which I
then commented about below:
> Thanks for your help Ace.
>
> "Ace Fekay [MVP]" wrote:
>
>> One is your AD domain name is possibly a single label domain name?
>> It should be in the form of the TLD plus the first level name, such
>> as example.com. I hope you were just trying to mask the names and
>> you do not have a single label name.
>
> Actually, I do have a single-label domain name. This place really is
> a TLD. If I understand the knowledge base article
> (http://support.microsoft.com/?kbid=300684) correctly, there are two
> things that do not work automatically in a single label domain: 1)
> dynamic updates do not work and 2) member computers cannot use DNS to
> locate DCs in a single-label domain that is in another forest. I'm not
> planning on allowing dynamic updates in this domain and I'm not dealing
> with multiple forests. So is there another gotcha that I'm overlooking?

That article states a client cannot locate DCs because the DNS resolver will
not treat the name as a prefix to suffix the search string. If the name has an
identical NetBIOS name, then it will resolve, whether in the local domain or
in other domains. But if there is no corresponding NetBIOS name, then it
will not resolve.

Keep in mind, GPOs will not apply. This is because it looks for this share:
\\domain.com\sysvol\domain.com\Policies\[GUIDNumberOfPolicy-etc]

Notice it needs to resolve "domain.com" above? That is the LdapIpAddress
record in DNS. If it is a single label name, there is no corresponding
record and it cannot resolve it.

The problem is especially apparent in Win2000 SP4 and newer OSes such as XP
and 2003.
826743 - Clients cannot dynamically register DNS records in a single-label
forward lookup zone:
http://web.archive.org/web/20040518224908/support.microsoft.com/?kbid=826743

Do you know why Microsoft stopped the single label name dynamic update
behavior? Look below this post for a passage from a Microsoft engineer that
was posted when Win2000 SP4 came out.


>
>> Second, there is NO need for manually creating any records in the
>> netlogon.dns file for AD. This is an automatic process. The netlogon
>> service updates the netlogon.dns file from what it reads in AD,
>> then it sends that data to the zone name configured in the Primary
>> DNS Suffix using the DNS address listed in its IP properties. If
>> this is not working automatically, then there is a major
>> configuration problem. A single label domain name will cause this
>> not to function.
>
> Netlogon is not doing this automatically. I had assumed that this was
> because dynamic DNS was disabled.

Is it disabled on the zone properties? It won't update in a single label
name anyway if you have W2000 SP4 or newer.

Here's some info on dynamic updates:

816592 - How it works and HOW TO Configure DNS Dynamic Update in Windows
2003:
http://support.microsoft.com/default.aspx?kbid=816592

Rules of engagement for dynamic updates to automatically work (which is the
default) are below. But before that, I just want to let you know, as an
FYI, AD requires DNS. AD stores its resource and service locations in the
form of SRV records in DNS. When any communication function occurs in AD
(logons, Kerberos authentication, replication initiation, GPOs getting
applied, and numerous other functions), DNS is queried for the location of
that respective service. If DNS doesn't have those records, then that
function will fail. The records get registered into DNS by the netlogon
service on the DCs. The main things required for registration are these
simple rules:

1. AD's DNS name can't be a single label name
2. The AD DNS name MUST match the name of the zone in DNS
3. Dynamic Updates are allowed in the zone properties
4. The Primary DNS Suffix MUST match the zone name and the AD DNS name
5. You must only use the DNS servers that host a copy of the AD zone name or
have a reference to get to them. Do not use your ISP's or some other DNS
that does not have a copy of the AD zone. Internet resolution for your
machines will be accomplished by the Root servers (Root Hints). It is
recommended to configure a forwarder for efficient Internet resolution. When
you attempt to configure a forwarder and the forwarding option is grayed out,
you need to delete the Root zone (looks like a period), refresh the console
and try again. Forwarders and how to configure them are all explained in:
http://support.microsoft.com/?id=300202

If none of the above is correct, we've got a problem or you can apply the
reg fix based on article #300684 on all your machines (DC and clients).



>
>>
>> Third, the inability for Win2003 to resolve external names without a
>> forwarder is possibly due to your Cisco router. Windows 2003 is now
>> using a new industry standard feature called EDNS0 that allows UDP
>> DNS queries to go beyond the previously capped limit of 512 bytes to
>> the max 1500 MTU. To fix it, either update the Cisco firmware (which
>> is the recommendation), or disable it in Win2003.
>>
>> 828731 - An External DNS Query May Cause an Error Message in Windows
>> Server 2003:
>> http://support.microsoft.com/?id=828731
>
> The Cisco link on this page goes to a "Page Not Found". Searching the
> Cisco, site I could not find anything that seemed to mention
> increasing the allowable UDP packet size. Does this require a
> firmware upgrade or just an upgrade to the IOS? Which versions have
> the required modification? I'll need to find firm documentation
> before I'll be allowed to make changes to the routers.

IOS upgrade actually. Here's a couple more links on it. I'm surprised Cisco
pulled their webpage regarding this:

828263 - DNS query responses do not travel through a firewall in Windows
Server 2003:
http://support.microsoft.com/?id=828263

832223 - Some DNS Name Queries Are Unsuccessful After You Upgrade Your DNS
Server to Windows Server 2003:
http://support.microsoft.com/?id=832223

>
> In the meantime, I will try disabling the EDNS0 on the Windows 2003
> server, although I will have to wait for a non-peak usage time to
> perform the test.
>
> Thanks,
> --Rob

Single label names repost:
++++++++++++++++++++++++++++++
================================
Single label name from Alan Woods, MS:
"We really would prefer to use FQDN over single labeled. There are
a lot of other issues that you can run into when using a single labeled
domain name with other AD integrated products. Exchange would be a great
example. Also note that the DNR (DNS RESOLVER) was and is designed to
Devolve DNS requests to the LAST 2 names.

Example: Single Labeled domain .domainA
then, you add additional domains on the forest.
child1.domainA
Child2.child1.domainA

If a client in the domain Child2 wants to resolve a name in domainA,
Example: Host.DomainA, and uses the following to connect to a share,
\\host, then it is not going to resolve. WHY? Because the resolver is
first going to query for Host.Child2.child1.domainA, then it will
next try HOST.Child1.domainA; at that point the Devolution process is
DONE. We only go to the LAST 2 Domain Names.

Also note that if you have a single labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers and being all Good Internet Community
users we definitely do not want to do that. NOTE that in Windows 2003,
you get a big Pop UP Error Message when trying to create a single labeled
name telling you DON'T DO IT. It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
fun.

Microsoft is seriously asking you to NOT do this. We will support you, but
the end results could be limiting depending on the services you are
using.

Thank you,

Alan Wood[MSFT]"
=====================================


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
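As an added example, not code from this thread, from Ace Fekay or from Microsoft, here is a small Python model of the two things the post keeps coming back to: the "last 2 labels" devolution rule from the Alan Woods passage, run against a constructed zone table for the domainA / child1.domainA / child2.child1.domainA forest, and a checker for the five "rules of engagement" listed above. The zone table, host names, addresses and rule wording are assumptions made for the example; the devolution floor of two labels is the one the passage states.

```python
"""
Model of the DNS client behaviour this post describes. This is an added
example, not code from the thread, from Ace Fekay or from Microsoft: the
zone table, host names and addresses below are constructed, and the
"last 2 labels" devolution floor is taken from the Alan Woods passage.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


def _labels(name: str) -> List[str]:
    """Split a DNS name into its lower-cased labels, ignoring a trailing dot."""
    return [lab for lab in name.strip(".").lower().split(".") if lab]


def devolution_candidates(host: str, primary_suffix: str, min_labels: int = 2) -> List[str]:
    """FQDNs the resolver tries, in order, for an unqualified host name.

    The primary DNS suffix is appended first; devolution then strips one
    leading label per attempt and stops once only `min_labels` labels are
    left ("We only go to the LAST 2 Domain Names"). A single-label suffix
    therefore never devolves at all.
    """
    labels = _labels(primary_suffix)
    host = host.lower()
    candidates = [f"{host}.{'.'.join(labels)}"]
    while len(labels) > min_labels:
        labels = labels[1:]
        candidates.append(f"{host}.{'.'.join(labels)}")
    return candidates


# Constructed zone data (RFC 5737 documentation addresses), mirroring the
# forest in the post: domainA with child1.domainA and child2.child1.domainA.
ZONES: Dict[str, str] = {
    "host.domaina": "192.0.2.10",
    "dc1.child1.domaina": "192.0.2.20",
    "fs1.child2.child1.domaina": "192.0.2.30",
}


def resolve_unqualified(host: str, primary_suffix: str, zones: Dict[str, str] = ZONES) -> Optional[str]:
    """Return the first devolution candidate present in `zones`, or None.

    None is the post's "\\host does not resolve" case: a client in
    child2.child1.domainA never tries host.domainA, because devolution
    stops at two labels.
    """
    for fqdn in devolution_candidates(host, primary_suffix):
        if fqdn in zones:
            return fqdn
    return None


@dataclass
class AdDnsConfig:
    """The settings the post's five 'rules of engagement' talk about."""
    ad_domain: str                 # AD DNS name, e.g. example.com
    zone_name: str                 # forward lookup zone hosted for AD
    primary_dns_suffix: str        # Primary DNS Suffix on the DC / member
    dynamic_updates: bool          # zone property: dynamic updates allowed
    client_dns_servers: List[str]  # DNS servers in the client's IP properties
    ad_zone_servers: List[str]     # servers hosting (or able to reach) the AD zone


RULES = {
    1: "AD DNS name must not be a single label name",
    2: "AD DNS name must match the zone name",
    3: "Dynamic updates must be allowed in the zone properties",
    4: "Primary DNS Suffix must match the zone name and the AD DNS name",
    5: "Only DNS servers hosting (or forwarding to) the AD zone may be used",
}


def check_ad_dns_config(cfg: AdDnsConfig) -> List[int]:
    """Return the numbers of the rules the configuration violates."""
    violated = []
    ad, zone, suffix = _labels(cfg.ad_domain), _labels(cfg.zone_name), _labels(cfg.primary_dns_suffix)
    if len(ad) < 2:                       # rule 1: single label name
        violated.append(1)
    if ad != zone:                        # rule 2
        violated.append(2)
    if not cfg.dynamic_updates:           # rule 3
        violated.append(3)
    if suffix != zone or suffix != ad:    # rule 4
        violated.append(4)
    if any(srv not in cfg.ad_zone_servers for srv in cfg.client_dns_servers):  # rule 5
        violated.append(5)
    return violated


if __name__ == "__main__":
    # The post's example: a client in child2.child1.domainA typing \\host
    print(devolution_candidates("host", "child2.child1.domainA"))
    print(resolve_unqualified("host", "child2.child1.domainA"))
    single = AdDnsConfig("corp", "corp", "corp", False, ["198.51.100.1"], ["192.0.2.53"])
    for rule in check_ad_dns_config(single):
        print(f"rule {rule}: {RULES[rule]}")
```

Running the script prints the two candidates the passage describes (host.child2.child1.domaina, then host.child1.domaina), then None for the share lookup, then rules 1, 3 and 5 for a single-label domain with dynamic updates off and an ISP DNS server in the client's IP properties.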


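The EDNS0 point in the exchange above is easier to see on the wire. The following is an added example, not code from the thread or from Microsoft: it hand-builds a DNS query with and without the EDNS0 OPT pseudo-record, and parses the response header so a troubleshooter can tell a truncated (TC) reply from one that never arrived. The query name, transaction ID and the 4096-byte payload size are constructed values; nothing is sent on the wire.

```python
"""
DNS wire format with and without the EDNS0 OPT pseudo-record. Added example,
not code from the thread or from Microsoft; the name, transaction ID and
payload sizes are constructed and nothing is sent on the network.
"""
import struct
from typing import Dict, Optional

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
CLASSIC_UDP_LIMIT = 512   # the pre-EDNS0 UDP cap the post mentions


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = TYPE_A,
                edns_payload: Optional[int] = None) -> bytes:
    """Build a recursion-desired query; with edns_payload, append an OPT RR.

    The OPT RR goes in the additional section: root name, TYPE 41, the
    advertised UDP payload size in the CLASS field, a zeroed TTL field
    (extended RCODE, version 0, flags) and empty RDATA. A middlebox that only
    understands classic DNS may drop queries or replies carrying it.
    """
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD bit set
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    packet = header + question
    if edns_payload:
        packet += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_payload, 0, 0)
    return packet


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:     # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def parse_header(data: bytes) -> Dict[str, int]:
    """Decode the 12-byte header; TC=1 means the answer did not fit the UDP size."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def advertised_udp_size(packet: bytes) -> int:
    """Payload size carried in the packet's OPT RR, or 512 when there is none."""
    hdr = parse_header(packet)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = _skip_name(packet, off) + 4          # skip QTYPE + QCLASS
    for _ in range(hdr["ancount"] + hdr["nscount"] + hdr["arcount"]):
        off = _skip_name(packet, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return CLASSIC_UDP_LIMIT


if __name__ == "__main__":
    classic = build_query("www.example.com")
    edns = build_query("www.example.com", edns_payload=4096)
    print(len(classic), advertised_udp_size(classic))   # 33 512
    print(len(edns), advertised_udp_size(edns))         # 44 4096
```

The eleven extra bytes of the OPT record are the whole difference between the two queries; if the EDNS0 query gets no reply while the classic one does, the path is discarding or mangling the additional section, which is the router-side symptom the post's KB links describe, as opposed to a server answering with TC set because the reply exceeded the advertised size.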
