Microsoft KB Archive/165521

The information in this article applies to:

 * Microsoft Windows NT Server versions 3.5, 3.51, and 4.0

SUMMARY
In a network environment that uses only Domain Name Service (DNS) for name resolution, clients may not be able to log on to a Windows NT domain if they do not have a domain controller on their TCP/IP segment.

This article explains how to configure Microsoft Windows NT 4.0 DNS Server so that clients can locate a domain controller and be validated on the Windows NT Domain. These steps should also work on third-party DNS servers.

MORE INFORMATION
Below are examples of how to configure the DNS server and client so they can perform Windows NT domain validation using DNS only for name resolution. One advantage to using DNS instead of WINS for validation is that you can control the Primary Domain Controller (PDC) and Backup Domain Controller (BDC) server list that DNS will supply to the resolver. This will prevent a remote BDC or PDC from setting up a secure channel with the validation client and doing validation over a slow link.

Example 1
For the first example, the following names will be used:

DNS Domain: LEX.COM
Windows NT Domain: NTDOMAIN

To configure your DNS so that clients can locate Windows NT domain controllers with DNS queries, perform the following steps:

1. In the LEX.COM domain on the DNS server, create an A record for NTDOMAIN. For this A record, enter the IP address of your Windows NT domain controller.

   NOTE: Because you can have multiple A records for the NTDOMAIN resource, it is possible to specify certain domain controllers that will be returned when the DNS resolvers query the Windows NT domain name. To do this, simply create multiple A records for NTDOMAIN. For each A record, enter the IP address of the Windows NT domain controllers that you want to respond to domain name requests. These multiple A records will be given to clients in "round-robin" sequence, which will provide load-balancing for logging on to a Windows NT domain (and other domain functions) across all listed Windows NT domain controllers.

2. Configure each client's TCP/IP properties with your DNS domain name (in this example, LEX.COM). This step is important because, when the DNS client (resolver) attempts to resolve the domain name, it does a b-node broadcast on its subnet for the NTDOMAIN domain. If it receives no reply (because the Windows NT domain controller is on another segment), it will do one of the following:

   - If a WINS server is specified on the client, the query for the 1Ch entry will then go to the WINS server. If the WINS server has a 1Ch entry for the domain controller(s), the client uses that server (PDC or BDC) address for Windows NT domain validation.
   - If a WINS server is not specified, or cannot be contacted, the client sends a query to the DNS server with the Windows NT domain name, and appends the DNS domain name to that name. So in this example, it sends a query for NTDOMAIN.LEX.COM to the DNS. If step 1 has been completed, the DNS server will respond with one of the IP addresses named NTDOMAIN in the LEX.COM domain.

The client receives this Windows NT domain controller IP address and sends its request for domain logon validation to that Windows NT domain controller.

Example 2
In the special case where the Windows NT domain name has a period (.) in the name, such as NTDOMAIN.COM, the A record creation is slightly different. In the following example, substitute your Windows NT domain name that contains a period where the example uses NTDOMAIN.COM.

In this example, perform the following steps:

1. In the LEX.COM domain on the DNS Server, create a subdomain called COM. In the COM subdomain, create an A record named NTDOMAIN, and enter the IP address of your Windows NT domain controller.

   NOTE: Because you can have multiple A records for the NTDOMAIN resource, it is possible to specify certain domain controllers that will be returned when the DNS resolvers query the Windows NT domain name. To do this, simply create multiple A records for NTDOMAIN. For each A record, enter the IP address of the Windows NT domain controllers that you want to respond to domain name requests. These multiple A records will be given to clients in "round-robin" sequence, which will provide load-balancing for logging on to a Windows NT domain (and other domain functions) across all listed Windows NT domain controllers.

2. Configure each client's TCP/IP properties with your DNS Domain Name (in this example, LEX.COM). This step is important because, when the DNS client (resolver) attempts to resolve the domain name, it does a b-node broadcast on its subnet for the NTDOMAIN.COM domain. If it receives no reply (because the Windows NT domain controller is on another segment), it will do one of the following:

   - If a WINS server is specified on the client, the query for the 1Ch entry will then go to the WINS server. If the WINS server has a 1Ch entry for the domain controller(s), then the client uses that server (PDC or BDC) address for Windows NT domain validation.
   - If a WINS server is not specified, or cannot be contacted, the client sends a query to the DNS server with the Windows NT domain name and appends the DNS domain name to that name. So, in this example, it sends a query for NTDOMAIN.COM.LEX.COM to the DNS. If step 1 has been completed, the DNS server will respond with one of the IP addresses named NTDOMAIN in the COM subdomain within the LEX.COM domain.

The client receives this Windows NT domain controller IP address, and sends its request for domain logon validation to that Windows NT domain controller.

Keywords: NTSrv nttcp kbenv
Version: WinNT:3.5,3.51,4.0
Platform: winnt
Issue type: kbhowto
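Because the A records for the Windows NT domain name decide which hosts clients send logon validation to, it is worth checking what the zone actually serves for that name. The following is an added example, not part of the original article: it parses a constructed BIND-style fragment covering both Example 1 and Example 2, builds the name the client queries, and reports any address missing from an approved list (the addresses, `APPROVED_DCS`, and all function names are assumptions).

```python
# Added example: constructed zone data and addresses, not from the KB article.
ZONE_ORIGIN = "LEX.COM"

# Constructed BIND-style fragment for the LEX.COM zone. Owner names are relative
# to the origin, so "NTDOMAIN.COM" is NTDOMAIN inside the COM subdomain.
ZONE_TEXT = """
NTDOMAIN      IN A 192.0.2.10   ; Example 1, local PDC
NTDOMAIN      IN A 192.0.2.11   ; Example 1, local BDC
NTDOMAIN.COM  IN A 192.0.2.10   ; Example 2, NT domain NTDOMAIN.COM
NTDOMAIN.COM  IN A 198.51.100.7 ; Example 2, address not on the approved list
"""

APPROVED_DCS = {"192.0.2.10", "192.0.2.11"}  # hypothetical approved DC list


def parse_a_records(zone_text, origin):
    """Map each fully qualified owner name to its list of A-record addresses."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop the comment, then tokenize
        if len(fields) == 4 and fields[1].upper() == "IN" and fields[2].upper() == "A":
            fqdn = f"{fields[0]}.{origin}".upper()
            records.setdefault(fqdn, []).append(fields[3])
    return records


def logon_query_name(nt_domain, dns_suffix):
    """Name the client sends to DNS: NT domain name with the DNS domain appended."""
    return f"{nt_domain}.{dns_suffix}".upper()


def audit_domain(nt_domain, dns_suffix, records, approved):
    """Return (query name, addresses served, addresses not on the approved list)."""
    name = logon_query_name(nt_domain, dns_suffix)
    served = records.get(name, [])
    return name, served, [ip for ip in served if ip not in approved]


RECORDS = parse_a_records(ZONE_TEXT, ZONE_ORIGIN)

if __name__ == "__main__":
    for nt_domain in ("NTDOMAIN", "NTDOMAIN.COM"):
        name, served, unexpected = audit_domain(nt_domain, ZONE_ORIGIN, RECORDS, APPROVED_DCS)
        print(f"{name}: served={served} unexpected={unexpected}")
```

An empty `served` list means clients that fall through to DNS will find no domain controller for that name; a non-empty `unexpected` list means they may be directed to a host outside the intended PDC/BDC set.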

Last reviewed: December 23, 1997

© 1998 Microsoft Corporation. All rights reserved.