DNS does not work due to GPO setting not clearing out of registry

Tags:
DNS errors
GPO
Registry
Windows XP
This is more an answer than a question, but it may help someone; it took us a long time to figure out. We have been battling an issue with XP SP2 laptops going on and off the domain for quite a while, and now figured out how to fix this.

First the issue:

Environment: Windows 2003 SP2 domain with XP SP2 computers.

  • Symptom: XP computers (dual-homed laptops) that sometimes connect to the local (internal) network and other times to another network (typically a wireless network) have problems connecting to certain websites.
  • They cannot connect because their names do not resolve. When you do an ipconfig /all, the right DNS servers show up, but when you try an nslookup, you see that another DNS server is being used for the actual DNS lookup. You can see what DNS server is being used every time you run nslookup; that information shows in the first two result lines.
  • This is important to remember: ipconfig /all does not (always) show you what is really being used. It only shows what the network interfaces are set at.
  • So what is defining what DNS server is to be used? I realised that this setting may be stored somewhere in the registry. So I ran regedit and searched for the IP address of the DNS server in use according to nslookup. The search found a key called HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSclient. And there they were, the IP addresses of the DNS servers that were really in use, not the ones ipconfig shows.
  • How did that registry entry get in there? At some point that machine belonged to an OU (Organisational Unit) in the AD (Active Directory) with a GPO (Global Policy Object) setting for that DNS. When a GPO defines a setting, that setting results in a value being written to the machine's registry. When the machine was later moved to an OU without a DNS server set (DNS server setting not defined), that registry entry was not removed when the policy was updated with gpupdate /force and a reboot. Worse: moving the machine to an OU with another DNS server setting did not work either, and that makes no sense at all.
  • We did replicate that same issue on more than one system.

Lessons learned:

  • GPOs create registry settings, so when a GPO does strange things, you may want to run regedit and see if you find relevant keys.
  • When you change a GPO setting from 'defined' to 'not defined', the policy change may actually not have the desired effect because the setting on the machine (or user?) level is not removed. This is a bug in my opinion.
  • Running gpresult or the GPO modeling tool in the GPO editor does not always give you the right answer. It certainly did not in our case, since it said the DNS servers were different than what the machine was actually using.
  • Don't trust Microsoft software, surprise ... Because changing the DNS in the GPO from nothing to something worked. But then subsequently changing it to a third value had no effect. Another bug.
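The check the post describes (policy registry key versus ipconfig versus the resolver nslookup actually uses), as an added PowerShell example that is not part of the original post. It assumes PowerShell 2.0 or later, that the "DNS Servers" policy stores its list in the REG_SZ value NameServer under the DNSClient policy key, and uses WMI so it also runs on older clients.

```powershell
# Added example, not from the original post: report which DNS resolver a Windows client really uses
# and whether it comes from a Group Policy value left behind in the registry (the "tattooed" key above).
# Assumptions: PowerShell 2.0+; the "DNS Servers" policy writes its list to the REG_SZ value 'NameServer'
# (space-separated) under the DNSClient policy key; WMI is used so the script also runs on Windows XP.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-PolicyDnsServers {
    # DNS servers written by Group Policy. Empty if the key or value is absent (nothing tattooed).
    if (-not (Test-Path $PolicyKey)) { return @() }
    $value = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).NameServer
    if ([string]::IsNullOrEmpty($value)) { return @() }
    return @($value -split '[ ,]+' | Where-Object { $_ })
}

function Get-AdapterDnsServers {
    # The per-interface list that ipconfig /all shows; the post notes this is not always what is used.
    @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ } | Sort-Object -Unique)
}

function Get-NslookupServer {
    # nslookup names the resolver it actually queried in its first two output lines ("Server:" / "Address:").
    $lines = & nslookup.exe localhost 2>$null | Select-Object -First 2
    foreach ($line in @($lines)) {
        if ($line -match '^Address:\s+(\S+)') { return $Matches[1] }
    }
    return $null
}

$policy   = Get-PolicyDnsServers
$adapters = Get-AdapterDnsServers
$inUse    = Get-NslookupServer

"DNS servers tattooed by policy : $(if ($policy)   { $policy -join ', ' }   else { '(none)' })"
"DNS servers on the adapters    : $(if ($adapters) { $adapters -join ', ' } else { '(none)' })"
"Resolver nslookup actually used: $(if ($inUse) { $inUse } else { '(unknown)' })"

if ($inUse -and ($policy -contains $inUse) -and -not ($adapters -contains $inUse)) {
    Write-Warning "The resolver in use comes only from the policy key, not from any adapter: stale GPO value."
} elseif ($policy.Count -gt 0) {
    Write-Output "Policy value present; verify the machine is still in the scope of the GPO that set it."
}
```

Run it on the affected laptop after each gpupdate /force and reboot to see whether the policy value was actually cleared, rather than relying on gpresult alone.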


Ifconfig | Mar 20 2008 5:29PM GMT

This sounds like registry tattooing, something that should no longer be occurring when you take the computer out of what Microsoft calls the scope of management.

While I agree with how incredibly complex Microsoft makes this stuff (especially documentation!), I’m not so sure it’s a good idea to distribute DNS server information via Group Policy because of situations like this.

Good piece of following the solution to the bitter end! ;-)

Discuss This Question: 3 Replies

  • Labnuke99
    WOW!! Nice job of detective work & sleuthing. Yes, I believe that MS hides many things due to the OS being perceived as easy to use by home users and non-trained administrators. MS became the juggernaut it is due to this perceived ease of use.... not by its technical or manageability strengths. Granted they have improved this and created a more reliable and manageable system. However, things like GPO hidden activities still make one suspect of anything that is done via a GUI interface. Config files & command line options are still a key knowledge and skill that administrators need to have. I think this is why MS is also moving to PowerShell to improve the strength of the command line. On the other hand, this makes things more complex and difficult for the less skilled admins. Change is complex and IT becomes more complex as time passes.
  • Labnuke99
    More rant material: Microsoft has also been typically very poor in documentation and search. How many times have you gone to the MS Knowledgebase with a specific event ID or error code, entered it and NO RESULTS FOUND??? This is so frustrating when all you are looking for is documentation on their product. Makes you wonder if the error codes are done by random number generators ;)