Monday, March 13, 2006

DNS: Troubleshooting name resolution issues

I had an interesting conversation about name resolution with a consultant who was on-site with a customer. He was having problems finding a machine by hostname. The conversation was interesting because name resolution is something most people take for granted, and I thought it was worth posting because the situation was a bit non-standard and useful for discussion.

“I added a machine to the network, and I can ping it by IP address because I know the address, but when I ping by name, I get ‘request timed out’, and the IP that it responds with is the wrong address.”

Okay, so is this a Windows 2000/2003 AD environment, using AD-integrated DNS, and WINS?

“Yes, AD-integrated DNS, WINS, etc.”

Does the workstation have a static IP?

“Yes, it has an IP of xxx.xxx.xxx.xxx and it’s pointed at the internal DNS server.”

Is the machine that you’re having problems with a member of the domain?

“No. See, the machine needs to be in a workgroup because… [some valid reason].”

How are you doing name resolution?

“Well, I have the client pointing to DNS, so DNS should resolve it.”

Have you checked the DNS management console? It might not be registering at all, or it may be registered with the wrong IP.

“You’re right. Why isn’t it registering?”

Since it’s not a member of the domain, it can’t authenticate its updates, so the zone has to accept unauthenticated ones: in the DNS console (DNS > Server > Forward Lookup Zones > corp.domain.com > Properties > General tab), set Dynamic updates to “Nonsecure and secure”. Then, on the client’s connection (TCP/IP properties > Advanced > DNS tab), specify a DNS suffix for this connection, check “Register this connection’s addresses in DNS”, and check “Use this connection’s DNS suffix in DNS registration”.

“Okay, done. But I’m still getting that wrong address when I try to ping it by name.”

Did the machine come up and grab an address from DHCP before you gave it a static IP?

“Yes.”

Then it probably registered its DHCP address in WINS too. Open the WINS management console and delete the entries for that client (they still carry the old address), or point the client at the WINS server so it re-registers with its current address.

“It worked!”

To summarize: when the client came up for the first time and pulled an address via DHCP, it registered that address in both DNS and WINS. After assigning a static IP to the client, he was able to ping it by IP, but when pinging by hostname the old address that had been registered in DNS and WINS came back. Windows tries DNS first and falls back to NetBIOS name resolution (WINS) for single-label names, so once the DNS record was gone the stale WINS entry was what answered. By the time I got involved he had unregistered the client from DNS but not removed the entries from WINS. I had him turn on nonsecure dynamic updates for the zone and set the connection’s DNS suffix on the client, and the machine started registering properly; clearing the stale WINS entries took care of the rest.
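As an added example (not part of the original post, and not how the consultant did it), here are the same checks and fixes as a PowerShell script using the DnsClient and DnsServer modules that ship with Windows 8 / Server 2012 and later, so it would not have run on the 2003-era systems above. The host name, zone, addresses, server and adapter alias are assumptions. It asks DNS and NetBIOS/WINS separately so a wrong answer can be pinned on the right store, lists A records in the zone that don’t match the expected address, warns when the zone accepts nonsecure updates, and, only when run with -FixClient on the workgroup machine itself, applies the three client settings and forces re-registration in DNS and WINS.

```powershell
#Requires -Modules DnsClient, DnsServer
# Added example, not from the original post. Names and addresses below are
# assumptions; change them for your network. DnsServer cmdlets need RSAT or
# a DNS server role on the machine running the script.
param(
    [string]$HostName  = 'wkstn01',               # assumed workgroup machine
    [string]$Zone      = 'corp.domain.com',        # zone named in the post
    [string]$Expected  = '10.0.0.50',              # static IP the host should have
    [string]$DnsServer = 'dc01.corp.domain.com',   # assumed AD-integrated DNS server
    [string]$Interface = 'Ethernet',               # adapter alias on the client
    [switch]$RemoveStale,                          # delete mismatching A records
    [switch]$FixClient                             # run on the workgroup machine
)

function Get-ResolvedAddresses {
    # Query DNS and LLMNR/NetBIOS separately so a stale answer can be blamed
    # on the right store instead of on "ping".
    param([string]$Name, [string]$ZoneName, [string]$Server)
    $dns = Resolve-DnsName -Name "$Name.$ZoneName" -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
    # Single-label lookup over LLMNR/NetBIOS only: a WINS registration left
    # over from the earlier DHCP lease shows up here.
    $nbt = Resolve-DnsName -Name $Name -LlmnrNetbiosOnly -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
    [pscustomobject]@{ Dns = @($dns); NetBios = @($nbt) }
}

function Get-StaleZoneRecords {
    # A records for the host in the zone whose address is not the expected one.
    param([string]$Name, [string]$ZoneName, [string]$Server, [string]$Good)
    Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $Name -RRType A -ComputerName $Server -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.IPv4Address.IPAddressToString -ne $Good }
}

$r = Get-ResolvedAddresses -Name $HostName -ZoneName $Zone -Server $DnsServer
"DNS answers     : $($r.Dns -join ', ')"
"NetBIOS answers : $($r.NetBios -join ', ')"
if ($r.Dns -notcontains $Expected) {
    Write-Warning "DNS does not return $Expected for $HostName; check zone registration."
}
if ($r.NetBios -and $r.NetBios -notcontains $Expected) {
    Write-Warning "NetBIOS/WINS still returns an old address; delete the stale WINS entries or re-register the client."
}

# Server side: mismatching A records, and whether the zone takes unauthenticated updates.
$stale = Get-StaleZoneRecords -Name $HostName -ZoneName $Zone -Server $DnsServer -Good $Expected
foreach ($rec in $stale) {
    "Stale A record: $($rec.HostName) -> $($rec.RecordData.IPv4Address)"
    if ($RemoveStale) {
        Remove-DnsServerResourceRecord -ZoneName $Zone -ComputerName $DnsServer -InputObject $rec -Force
    }
}
$policy = (Get-DnsServerZone -Name $Zone -ComputerName $DnsServer).DynamicUpdate   # None | Secure | NonsecureAndSecure
"Zone $Zone dynamic updates: $policy"
if ($policy -eq 'NonsecureAndSecure') {
    Write-Warning "Any host that can reach $DnsServer can add or overwrite names in $Zone."
}

# Client side, run on the workgroup machine itself: the three settings from the
# post, then re-register in DNS and WINS and drop the local resolver cache.
if ($FixClient) {
    Set-DnsClient -InterfaceAlias $Interface -ConnectionSpecificSuffix $Zone `
        -RegisterThisConnectionsAddress $true -UseSuffixWhenRegistering $true
    Register-DnsClient       # equivalent of ipconfig /registerdns
    nbtstat -RR              # release and refresh NetBIOS names with the WINS server
    Clear-DnsClientCache     # equivalent of ipconfig /flushdns
}
```

Run it first with no switches from an admin workstation to see which store is returning the old address; the machine doing the ping may also need `Clear-DnsClientCache` if it cached the stale DNS answer before the record was fixed.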

It’s important to keep in mind that allowing nonsecure dynamic updates to DNS is a security risk: any host that can reach the DNS server can then add or overwrite records in the zone, including records for existing servers, and redirect traffic by name. The default behavior in Active Directory-integrated DNS is to allow secure updates only, so this should be weighed before making such a change. For a single non-domain machine with a static address, creating its A record by hand leaves the zone setting alone.
