RE: [ActiveDir] nslookup. AD beginer question
Using the version of DCDIAG that comes with the 2003 SP1 support tools:

Type: dcdiag /test:dns /e /v

That will tell you what shape your DNS system is in.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Monday, August 28, 2006 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] nslookup. AD beginer question

Hi Everyone,

When I do a nslookup domain.com, being domain.com my AD domain, what should I see? A list of the dns server in my domain? A list of the DC?

The fact is that I am doing nslookup and I am getting, domain controllers but also a user’s computer

Thanks
Re: [ActiveDir] nslookup. AD beginer question
There's a rather large error in my previous message:

...get a list of all the DNS servers for that domain. For example, if you are using AD-Integrated DNS, you will get a list of any DCs that are also DNS servers. Basically, that command returns the (Same as parent) records for the domain.

That should read:

...get a list of all DCs for that domain. Basically, that command returns the (Same as parent) records for the domain, which are host (A) records for the domain [name].

Apologies all. I don't know what I was thinking about when composing that mail. I'll be sure to drink my first coffee of the day _before_ replying in the future!

--Paul

(No I didn't spot the error; I was notified offline ;-)
Re: [ActiveDir] nslookup. AD beginer question
If you don't have a host record (A) for the hostname "sami", then you should delete the SRV record [1]. If that isn't a DC, look at the KB mentioned by Steve and I. I've seen a bunch of XP workstations registering in DNS in the past.

--Paul

[1] Assuming of course that you don't have a DDNS issue, i.e. you don't have a record in DNS but you do have a server with that name.
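The check this thread converges on (list the `_ldap._tcp.dc._msdcs` SRV records, then confirm every target is a real DC with a host record), as an added Python example that is not part of any poster's message. It assumes the Windows nslookup output layout quoted in the thread; the hosts `dc1`/`dc2`, the addresses and the DC inventory are constructed.

```python
"""Audit DC-locator SRV records found in `nslookup -type=srv` output."""
import re
from typing import NamedTuple


class SrvRecord(NamedTuple):
    owner: str
    priority: int
    weight: int
    port: int
    target: str


# nslookup prints the four SRV fields in this fixed order. \s* also spans
# newlines, so the multi-line console layout and the single-line form pasted
# into the thread both match.
SRV_BLOCK = re.compile(
    r"(?P<owner>\S+)\s+SRV service location:\s*"
    r"priority\s*=\s*(?P<priority>\d+)\s*"
    r"weight\s*=\s*(?P<weight>\d+)\s*"
    r"port\s*=\s*(?P<port>\d+)\s*"
    r"svr hostname\s*=\s*(?P<target>\S+)",
    re.IGNORECASE,
)
# Host (A) records that the server returned alongside the SRV answers.
A_RECORD = re.compile(r"(?P<host>\S+)\s+internet address\s*=\s*(?P<ip>\S+)", re.IGNORECASE)


def normalize(name):
    """DNS names compare case-insensitively and may carry a trailing dot."""
    return name.rstrip(".").lower()


def parse_nslookup_srv(output):
    """Return (list of SrvRecord, {host: set of IPs}) from nslookup output."""
    records = [
        SrvRecord(normalize(m["owner"]), int(m["priority"]), int(m["weight"]),
                  int(m["port"]), normalize(m["target"]))
        for m in SRV_BLOCK.finditer(output)
    ]
    addresses = {}
    for m in A_RECORD.finditer(output):
        addresses.setdefault(normalize(m["host"]), set()).add(m["ip"])
    return records, addresses


def audit_dc_srv(output, known_dcs, expected_port=389):
    """Flag SRV targets that should not be advertised as domain controllers.

    A missing A record here only means the response carried none for that
    target; confirm with a direct A query before deleting anything.
    """
    known = {normalize(name) for name in known_dcs}
    records, addresses = parse_nslookup_srv(output)
    findings = []
    for rec in records:
        reasons = []
        if rec.target not in known:
            reasons.append("target is not a known domain controller")
        if rec.target not in addresses:
            reasons.append("no A record in the response")
        if rec.port != expected_port:
            reasons.append(f"unexpected port {rec.port}")
        if reasons:
            findings.append((rec.target, reasons))
    return findings


# Constructed sample: two genuine DCs plus the stray "sami" registration.
SAMPLE_OUTPUT = """\
Server:  dc1.domain.com
Address:  192.0.2.10

_ldap._tcp.dc._msdcs.domain.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.domain.com
_ldap._tcp.dc._msdcs.domain.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc2.domain.com
_ldap._tcp.dc._msdcs.domain.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = sami.domain.com
dc1.domain.com  internet address = 192.0.2.10
dc2.domain.com  internet address = 192.0.2.11
"""
KNOWN_DCS = {"dc1.domain.com", "dc2.domain.com"}  # constructed inventory

if __name__ == "__main__":
    for target, reasons in audit_dc_srv(SAMPLE_OUTPUT, KNOWN_DCS):
        print(f"{target}: {'; '.join(reasons)}")
```

Running the same audit again a day or two after cleanup shows whether a deleted record has re-registered, which is the follow-up step suggested in the thread.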
RE: [ActiveDir] nslookup. AD beginer question
I am guessing, based on the port number, you have a DNS A record for this computer in gc._msdcs.domain.com.

Mike Thommes
RE: [ActiveDir] nslookup. AD beginer question
I've had "un-plugged" NIC's register through the active one before with a loopback. Check your DC's for 2nd or 3rd NIC's and see if you find one named what you're looking for?

Jason Centenni | The Capital Group Companies | Location: SNO | Extension: 44843 Outside: 210-474-4843 | Cell: 210-385-5932 | E-mail: [EMAIL PROTECTED] [ Mailing: 3500 Wiseman Blvd. San Antonio, TX 78251-4321 USA ]
RE: [ActiveDir] nslookup. AD beginer question
I did the nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com and I got

_ldap._tcp.dc._msdcs.domain.com SRV service location:
          priority = 0
          weight = 100
          port = 389
          svr hostname = sami.domain.com

I can’t find that machine anywhere, not in the AD or dns server!!!
RE: [ActiveDir] nslookup. AD beginer question
I think the key to this question is a very simple troubleshooting step. Go into DNS and look at the (same as parent folder) records. Delete the ones that aren’t currently DNS servers. If you are using AD integrated DNS, then this should be any domain controllers that you want clients to get DNS from.

Give it a day or two and see if the bad ones come back. If they don’t then you can assume this was an obsolete entry. If they do then you can start looking for why.
RE: [ActiveDir] nslookup. AD beginer question
That was it, thanks so much
Re: [ActiveDir] nslookup. AD beginer question
Probably because it's a secondary server. Check to see if that IP is hosting a secondary copy of the zone.

--Paul
Re: [ActiveDir] nslookup. AD beginer question
If you do NSLOOKUP DOMAIN-NAME.COM then you will get a list of all the DNS servers for that domain. For example, if you are using AD-Integrated DNS, you will get a list of any DCs that are also DNS servers. Basically, that command returns the (Same as parent) records for the domain.

If you want to pull all DCs in the domain, you need to run something like this:

nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com

If you run the above command and get computer accounts back, see kb825675 as referenced by Steve. I wasn't aware that that bug also registered A records for the domain name, but it might...

If you're new to NSLOOKUP, consider what information you want. There's a bunch of different types of DNS record that might be of interest (A, CNAME, PTR, SRV, MX). When troubleshooting AD, the main ones to look for are A and SRV (there's also an instance where you need to check the CNAME record too).

Remember that simply pinging a DC doesn't mean that the necessary SRV records are in place. I personally always advise people to use a combination of NSLOOKUP and NLTEST to troubleshoot DNS and the locator process. Use NSLOOKUP to see if the records that you expect are there, and NLTEST to make the DsGetDC and DsGetSite calls.

--Paul

----- Original Message -----
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Monday, August 28, 2006 7:14 PM
Subject: [ActiveDir] nslookup. AD beginer question

Hi Everyone,

When I do a nslookup domain.com, being domain.com my AD domain, what should I see? A list of the dns server in my domain? A list of the DC?

The fact is that I am doing nslookup and I am getting, domain controllers but also a user's computer

Thanks
RE: [ActiveDir] nslookup. AD beginer question
What I actually did was nslookup domain.com…I just found out that one of the computer is a linux server that is managing a child domain child.domain.com…that is the reason is showing up there.

Anyway, I am also getting an ip address for a windows server machine that is not a DC, don’t know why…

Rezuma
RE: [ActiveDir] nslookup. AD beginer question
There was a bug in Windows XP where netlogon would register SRV records which are documented here: http://support.microsoft.com/kb/825675/en-us . That is the only time I have seen that.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, August 28, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginer question

You should get back your domain controllers’ IP addresses. Is it possible that your user’s computer has gotten the IP of an old DC?

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Monday, August 28, 2006 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginer question

Thanks, but after reading all that I still was not able to find out what kind of information do you get when you do lookup domain.com, being domain.com your AD domain, and why am I getting a user’s computer.

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Monday, August 28, 2006 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginer question

http://www.cni.org/pub/inetroom/nslookup.html
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup.mspx?mfr=true
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup__subcommands.mspx?mfr=true

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Ramon Linan
Sent: Mon 8/28/2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] nslookup. AD beginer question

Hi Everyone,

When I do a nslookup domain.com, being domain.com my AD domain, what should I see? A list of the dns server in my domain? A list of the DC?

The fact is that I am doing nslookup and I am getting, domain controllers but also a user’s computer

Thanks
RE: [ActiveDir] nslookup. AD beginer question
You may be running into this: http://support.microsoft.com/kb/825675/en-us
RE: [ActiveDir] nslookup. AD beginer question
You mean, you did the following:

    nslookup
    set q=a
    domain.com

and the IP you got is for a user's desktop? If so, one reason could be because someone created an A record in DNS for domain.com and mapped it to the desktop's IP. Maybe because the desktop is running web service and hosting the domain.com web site. Is this what you meant? If so, you will need to go and delete the record. You will then need to tell your users that they will not be able to get to the domain.com website any longer because that is your AD domain name. You could create another A record named (for example) WWW under the domain.com zone and give it the desktop's IP and tell your users that they should now use http://www.domain.com/ to get to that website instead of domain.com.

This is a fairly common misconfiguration. And it's a big problem for your clients and DCs.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
RE: [ActiveDir] nslookup. AD beginer question
When you do an nslookup for the domain, you are going to get whatever records are listed in DNS for “(same as parent folder)”. If there is an IP address listed in there that is old and obsolete, it will still show until you go in and delete it. It is possible it was there from a time when that IP was in fact a DNS server, or possibly it was a mistake. But it was put in there intentionally or unintentionally at some time.
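An added example, not part of the thread or any poster's code: a Python check that parses the output of nslookup domain.com and of the SRV lookup nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com, then reports every "(same as parent folder)" address that does not belong to a domain controller. The sample outputs, host names and 10.0.0.x addresses are constructed, and the SRV sample is abbreviated.

```python
import re

# Constructed sample output (hypothetical hosts/addresses), laid out like Windows nslookup.
APEX_OUTPUT = """\
Server:  dc1.domain.com
Address:  10.0.0.10

Name:    domain.com
Addresses:  10.0.0.10
          10.0.0.11
          10.0.0.57
"""
SRV_OUTPUT = """\
Server:  dc1.domain.com
Address:  10.0.0.10

_ldap._tcp.dc._msdcs.domain.com SRV service location:
          port           = 389
          svr hostname   = dc1.domain.com
_ldap._tcp.dc._msdcs.domain.com SRV service location:
          port           = 389
          svr hostname   = dc2.domain.com
dc1.domain.com  internet address = 10.0.0.10
dc2.domain.com  internet address = 10.0.0.11
"""
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def apex_addresses(output):
    """Addresses answered for the domain name itself (the same-as-parent A records)."""
    # The resolver banner (Server:/Address:) ends at the first blank line; skip it.
    _, _, answer = output.replace("\r\n", "\n").partition("\n\n")
    addrs, in_list = [], False
    for line in answer.splitlines():
        if line.startswith(("Address:", "Addresses:")):
            in_list = True                   # the first address sits on this line
        elif not line.startswith((" ", "\t")):
            in_list = False                  # any other unindented line ends the list
        if in_list:
            addrs.extend(IPV4.findall(line))
    return addrs

def dc_addresses(output):
    """Addresses of the hosts named as SRV targets (the registered DCs)."""
    targets = {h.lower() for h in re.findall(r"svr hostname\s*=\s*(\S+)", output)}
    glue = re.findall(r"^(\S+)\s+internet address\s*=\s*(\S+)", output, re.M)
    return {ip for host, ip in glue if host.lower() in targets}

def unexpected_apex_records(apex_out, srv_out):
    """Apex A records that do not belong to any DC found through the SRV lookup."""
    dc_ips = dc_addresses(srv_out)
    return [ip for ip in apex_addresses(apex_out) if ip not in dc_ips]
```

Any address it returns is a candidate stale or manually created A record for the domain name, to be reviewed in the DNS zone before deletion.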
RE: [ActiveDir] nslookup. AD beginer question
You should get back your domain controllers’ IP addresses. Is it possible that your user’s computer has gotten the IP of an old DC?

Mike Thommes
RE: [ActiveDir] nslookup. AD beginer question
Thanks, but after reading all that I still was not able to find out what kind of information do you get when you do lookup domain.com, being domain.com your AD domain, and why am I getting a user’s computer.

Thanks
RE: [ActiveDir] nslookup. AD beginer question
http://www.cni.org/pub/inetroom/nslookup.html
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup.mspx?mfr=true
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup__subcommands.mspx?mfr=true

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
[ActiveDir] nslookup. AD beginer question
Hi Everyone,

When I do a nslookup domain.com, being domain.com my AD domain, what should I see? A list of the dns server in my domain? A list of the DC?

The fact is that I am doing nslookup and I am getting, domain controllers but also a user’s computer

Thanks