Active Directory Domain where FQDN and NetBIOS name are the same

I have "inherited" an ancient domain (NT4, then upgraded to Win2000 Mixed Mode and now running on Win2003) where the NetBIOS name coincides with the DNS/FQDN one, and this is giving us problems with remote clients which need to be joined to the domain.



Let the domain be called EXAMPLE: it is both the NetBIOS name and the DNS name, as can be seen by opening the DNS administration panel. Inside the local LAN, apart from some occasional confusion on which protocol is resolving the machine's name, this arrangement seems to work.



On remote LANs (connected by VPN), problems happen: the remote client cannot connect to the domain. The error message states that the DNS query correctly returns the domain controller list, but no domain server can be contacted. From a connectivity standpoint, all ports are open inside the VPN, so this is not due to ACLs and the like.



Rather, using Wireshark to examine the exchanged packets, I can see many (failed) NBNS queries - in other words, the remote PC is using the NetBIOS broadcast resolution method to find the domain controller. This is clearly going to fail, as NetBIOS is a non-routable protocol by design.



In short, it seems that when entering a NetBIOS-style domain name in the "Member of domain:" GUI panel, Windows only uses NetBIOS to resolve/find the domain controllers, with no DNS fallback. In some manner, this can even be expected: after all, EXAMPLE is not a valid DNS name (however, I wonder why the domain creation wizard let this happen in the first place, but I digress...).




So, to work around the problem, I tested some solutions:




  • sidestep the problem entirely, joining the PC to the domain when it is on our local LAN for OS installation/preparation (it clearly cannot be done for clients already deployed on remote locations)

  • use an appropriately-crafted lmhosts file

  • installation and use of WINS



The last approach (WINS) seems clearly better, as it avoids distributing a (potentially changing) lmhosts file to the remote clients. However, I would like to solve the problem once and for all.




So, my questions are:




  • can I force Windows to use DNS names rather than NetBIOS (note: I already tried to disable NetBIOS name resolution on the NIC properties page, to no avail)

  • can this situation be normalized without radically changing the current domain?

  • new one: can I add something like a "DNS domain alias" to assign a correctly-formed FQDN name to the current AD domain?

  • can the domain be renamed? If so, what problems can I expect doing that?

  • if all the above is "no", is the best approach to create a new domain, gradually migrating the current clients/servers to the new one?




Thanks.
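The Wireshark observation above (NBNS broadcasts for the domain name instead of a DNS SRV lookup for the DC locator records) can be checked mechanically. The following is an added example, not code from the question or the answer: it scans tshark-style summary lines of a client's name-resolution traffic and reports whether domain controller discovery went through DNS SRV records or only through NetBIOS. The capture lines, addresses and the "destination ends in .255 means broadcast" heuristic are constructed assumptions.

```python
"""Classify how a Windows client tried to locate a domain controller
(added example: constructed tshark-style lines, not a real capture)."""
import re

# Constructed lines: "<proto> <src> -> <dst> <info>". NetBIOS suffix <1c> is
# the domain-controllers group name, <1b> the domain master browser.
NETBIOS_ONLY = """\
NBNS 10.20.0.15 -> 10.20.0.255 Name query NB EXAMPLE<1c>
NBNS 10.20.0.15 -> 10.20.0.255 Name query NB EXAMPLE<1c>
NBNS 10.20.0.15 -> 10.20.0.255 Name query NB EXAMPLE<1b>
"""
DNS_LOCATED = NETBIOS_ONLY + """\
DNS 10.20.0.15 -> 10.0.0.10 Standard query SRV _ldap._tcp.dc._msdcs.EXAMPLE
DNS 10.0.0.10 -> 10.20.0.15 Standard query response SRV 0 100 389 dc1.EXAMPLE
"""

NBNS_RE = re.compile(r"^NBNS \S+ -> (\S+) Name query NB (\S+?)<(1b|1c)>")
SRV_Q_RE = re.compile(r"^DNS \S+ -> \S+ Standard query SRV _ldap\._tcp\.dc\._msdcs\.(\S+)")
SRV_A_RE = re.compile(r"^DNS \S+ -> \S+ Standard query response SRV ")


def classify_dc_discovery(capture: str) -> dict:
    # Count NBNS DC-locator queries and DNS SRV locator queries/answers.
    stats = {"nbns_queries": 0, "nbns_broadcast": 0,
             "srv_queries": 0, "srv_answered": False, "verdict": "none"}
    for line in capture.splitlines():
        m = NBNS_RE.match(line)
        if m:
            stats["nbns_queries"] += 1
            # Assumption: a destination ending in .255 is a subnet broadcast,
            # which the VPN will not carry to the domain controller's LAN.
            if m.group(1).endswith(".255"):
                stats["nbns_broadcast"] += 1
        elif SRV_Q_RE.match(line):
            stats["srv_queries"] += 1
        elif SRV_A_RE.match(line):
            stats["srv_answered"] = True
    if stats["srv_answered"]:
        stats["verdict"] = "dns"            # DC list came back from SRV records
    elif stats["srv_queries"]:
        stats["verdict"] = "dns-unanswered"  # asked DNS, but no SRV answer seen
    elif stats["nbns_queries"]:
        stats["verdict"] = "netbios-only"   # never asked DNS for _msdcs records
    return stats
```

A "netbios-only" verdict with every NBNS query sent to a broadcast address is exactly the symptom described for a remote client joining a single-label domain over a VPN.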



Answer




WINS/Netbios name resolution should never be used for anything due to the security risks. Additionally, when Netbios name resolution is enabled, Windows always performs a Netbios/WINS lookup concurrently with DNS lookups, regardless of whether the name is available in DNS or not. If the environment does not have any products or applications that would fail due to a domain rename, that may be an option.



You may want to read up on single-label DNS name support:



https://support.microsoft.com/en-us/help/300684/deployment-and-operation-of-active-directory-domains-that-are-configured-by-using-single-label-dns-names

https://blogs.msmvps.com/acefekay/2009/11/12/active-directory-dns-domain-name-single-label-names/




Unfortunately you are working with a version of Windows (2003) that is no longer supported. A more contemporary test would be to use the GlobalNames zone for flat/single-label name resolution, but you don't have that.

