1

I maintain a small domain (about 20 clients) and we need to make some changes to the DNS server that's being used by the clients. All the clients have been hard coded to use the domain controller as their DNS. Since these are new machines, and I never changed their DNS settings, I'm guessing there must be a GPO that's causing them to use the domain controller as their DNS. Since we don't have any GPO other than the default one yet, it's got to be the default GPO, however, I have looked through all the GPO settings and none of them refer to anything related to DNS. So I'm wondering if there's anything else that might be causing this.

Any help or advice is highly appreciated.

Thanks, Harry

EDIT: Just to clarify things a little, here's what I'm dealing with: if I look at the network adapter settings in Windows on these clients and check the IPV4 settings, the IP address is set to DHCP, but the DNS is hard coded. I can change the DNS to DHCP also, however, after a reboot, it's back to being hard coded pointing to the domain controller.

Harry Muscle
  • 3
    The DHCP server usually defines the DNS servers. – jscott Nov 09 '12 at 16:51
  • 2
    You do realize the ramifications of having AD-joined clients using DNS servers other than their Domain Controllers for DNS, right? It really breaks AD unless you have the proper forwarders configured and you handle client DNS registration in a way other than the default self-register settings. – MDMarra Nov 09 '12 at 17:04

3 Answers

6

Edit: Because of your edits and followup comments, I really believe that there is either a script in the local startup folder doing this on each machine, or you're just missing where one is being called in rsop.

SYSVOL can be empty and startup scripts can still be called from other shares as long as the permissions are correct. There's no requirement that a startup/logon script must exist in SYSVOL.


> All the clients have been hard coded to use the domain controller as their DNS

You shouldn't do this. I'll explain why later.

> Since these are new machines, and I never changed their DNS settings, I'm guessing there must be a GPO that's causing them to use the domain controller as their DNS

Probably not. The GPO to force DNS settings only works on XP or earlier. If these are new machines, they're probably not XP, meaning that if there actually was a GPO enforcing this, it wouldn't apply to anything Vista or later.

The only thing that I can think of, as pointed out in the comments, is a logon script, or a conditional forwarder from the other domain that's in this picture (as described in your previous question).

> Since we don't have any GPO other than the default one yet, it's got to be the default GPO, however, I have looked through all the GPO settings and none of them refer to anything related to DNS.

If you really want to dig into what GPO settings are applying, look through the output of `gpresult /H c:\gpo.html` and `rsop.msc`. These are the two primary tools for troubleshooting GPO issues.

> So I'm wondering if there's anything else that might be causing this.

Yes, most likely you've configured the DNS Server DHCP option on your DHCP server. This is how you actually want to distribute your DNS Server search list. By hardcoding it, you make it a real PITA to change down the road. Microsoft agrees with this, as evidenced in their choice to deprecate the GPO that sets the DNS server list for clients.

You should make sure that your DHCP server is handing out the right DNS servers to clients and then stop statically configuring it. There's no reason to.

MDMarra
  • You need to reference his related question to get a picture of the scenario: http://serverfault.com/questions/446998/ad-server-within-another-network-dns-issues. Also, it's possible that the DNS servers are being set with a script via GPO. – joeqwerty Nov 09 '12 at 16:57
  • Oh, well that's gross. Overlapping IP space, same DHCP server, etc. It's definitely possible that they're getting that via a script, *but* if they weren't configured with it prior to the domain join, they probably wouldn't have been able to join in the first place unless conditional forwarders are configured on the other domain. – MDMarra Nov 09 '12 at 16:58
  • The more I think about this, the more I think that there aren't enough details to either question – MDMarra Nov 09 '12 at 16:59
  • It's an unorthodox arrangement to be sure. – joeqwerty Nov 09 '12 at 17:04
  • Thank you for all the comments and suggestions, however, I'm still stuck ... just to elaborate, if I look at the network adapter settings in Windows on these clients and check the IPV4 settings, the IP address is set to DHCP, but the DNS is hard coded. I can change the DNS to DHCP also, however, after a reboot, it's back to being hard coded pointing to the domain controller. – Harry Muscle Nov 09 '12 at 18:48
  • Then it sounds like there's a script setting this. Check through `rsop` and `gpresult` like I suggested. – MDMarra Nov 09 '12 at 18:50
  • Unfortunately neither shows anything related to DNS entries. It's really weird. I'm wondering if this is maybe not GPO related, but something else on the server is causing this to happen on all the clients. Just in case it matters, we're running the Small Business Server 2011 Essentials. Btw, I also checked for scripts. I set up this server, so I know I never set up any scripts, and the SYSVOL scripts folder is empty so I don't think there are any default scripts running. Is there any way to check for sure if any scripts are running at logon? – Harry Muscle Nov 09 '12 at 18:55
  • 1
    This absolutely _screams_ of a script or other program changing the settings during boot. @HarryMuscle - Resultant Set of Policy is going to show you "Startup Scripts" and "Shutdown Scripts" in its output. – Evan Anderson Nov 09 '12 at 19:09
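
The checks discussed in this answer and its comments, collected into one script. This is an added example, not code posted by anyone in the thread. It first shows, per adapter, whether the DNS list is static (`NameServer`) or came from the DHCP lease (`DhcpNameServer`), then lists the standard Windows locations where a startup or logon script or program can be registered. It assumes an elevated PowerShell session on an affected client and English-language `schtasks` column names.

```powershell
# Added example: run elevated on an affected client.
# 1) DNS source per interface: NameServer = static, DhcpNameServer = from DHCP lease.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Get-ChildItem $ifRoot | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    New-Object PSObject -Property @{
        Interface   = $_.PSChildName
        DhcpEnabled = [bool]$p.EnableDHCP
        StaticDns   = $p.NameServer
        DnsFromDhcp = $p.DhcpNameServer
    }
} | Where-Object { $_.StaticDns -or $_.DnsFromDhcp } | Format-Table -AutoSize

# 2) Startup/logon scripts that Group Policy (domain or local) has registered.
$gp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup',
      'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon'
Get-ChildItem $gp -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if ($p.Script) { '{0} {1}  [{2}]' -f $p.Script, $p.Parameters, $_.Name }
}

# 3) Local Group Policy script lists (present even when SYSVOL is empty).
'Machine', 'User' | ForEach-Object {
    $ini = Join-Path $env:windir "System32\GroupPolicy\$_\Scripts\scripts.ini"
    if (Test-Path $ini) { "--- $ini"; Get-Content $ini }
}

# 4) Programs started at boot/logon outside Group Policy: Run keys, Startup folder.
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' | ForEach-Object {
    $k = Get-Item $_ -ErrorAction SilentlyContinue
    if ($k) {
        $k.GetValueNames() | ForEach-Object { '{0}: {1} = {2}' -f $k.Name, $_, $k.GetValue($_) }
    }
}
Get-ChildItem "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" -Force `
    -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName

# 5) Scheduled tasks triggered at system start or logon.
schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.'Schedule Type' -match 'start up|logon' } |
    Select-Object TaskName, 'Task To Run', 'Run As User'
```

If step 1 shows a `StaticDns` value on an adapter with `DhcpEnabled` true, the setting is being written locally after the lease is obtained, and steps 2 to 5 list the candidates for what writes it.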
3

Log on to one of the machines and run `rsop.msc`. This will report on what GPO settings are being applied and which GPO is setting them.

joeqwerty
  • Unfortunately this doesn't get me any closer. It just points to all the same settings that I see in the GPO on the server, which shows nothing related to the DNS. – Harry Muscle Nov 09 '12 at 18:42
  • Look for a script that might be setting the DNS server settings on the client. – joeqwerty Nov 09 '12 at 23:45
2

This will be configured on your DHCP server options, not Group Policy.

Dan
  • That I know, however, it's not, that's my problem :) If I look at the network adapter settings in Windows on these clients and check the IPV4 settings, the IP address is set to DHCP, but the DNS is hard coded. I can change the DNS to DHCP also, however, after a reboot, it's back to being hard coded pointing to the domain server. – Harry Muscle Nov 09 '12 at 18:41
  • @HarryMuscle Apologies, I didn't interpret the question properly! – Dan Nov 09 '12 at 19:27