How does name resolution work in AD?
-
When you have a Windows 10 client and access a Windows intranet webserver that belongs to a domain (and you have AD and the whole shebang), is the client using DNS to resolve the server name or is it using something else?
-
By default it's using DNS.
It could fall back on NetBIOS over IP though... if that protocol is enabled.
-
@Dashrender said in How does name resolution work in AD?:
By default it's using DNS.
It could fall back on NetBIOS over IP though... if that protocol is enabled.
So if port 53 is blocked somewhere it will use NetBIOS instead?
Is that a client or AD/DNS setting or both? Is it enabled by default?
-
@Pete-S said in How does name resolution work in AD?:
So if port 53 is blocked somewhere
blocked to the internal domain controller? You have other issues on that site.
-
A client first polls his
hosts-file. Next is always DNS. If that doesn't work, WINS might kick in (you better don't run WINS).If all that fails, the client will fall back to whatever he has available on his side, like NetBIOS.
-
@Pete-S said in How does name resolution work in AD?:
is the client using DNS to resolve the server name or is it using something else?
Since Windows 2000, DNS was the default. WINS was used as well for a long time, but is no longer needed, but sometimes used.
-
@thwr said in How does name resolution work in AD?:
A client first polls his lmhosts-file. Next is always DNS.
Always HOSTS before DNS.
-
@scottalanmiller said in How does name resolution work in AD?:
@thwr said in How does name resolution work in AD?:
A client first polls his lmhosts-file. Next is always DNS.
Always HOSTS before DNS.
ah, my bad.
hostsis correct,lmhostsis something even older -
@Pete-S said in How does name resolution work in AD?:
@Dashrender said in How does name resolution work in AD?:
By default it's using DNS.
It could fall back on NetBIOS over IP though... if that protocol is enabled.
So if port 53 is blocked somewhere it will use NetBIOS instead?
Is that a client or AD/DNS setting or both? Is it enabled by default?
JB is right - this is all internal traffic. Your AD/DNS servers should have port 53 fully exposed to the internal network.
This is a client call from the PC to the server, so the server is what has to have the ports open on the firewall. typically MS's processes will take care of enabling this for you when you install DNS on a Windows Server - though, it's always possible to break this.
-
I was wondering how it works because we see a problem where a couple of Win 10 clients can resolve all the internal Windows servers names, but not the statically assigned names of linux servers.
I thought if the name resolution works over different mechanisms and uses different ports it could be an firewall or L3 switch somewhere that has been misconfigured.
-
@Pete-S said in How does name resolution work in AD?:
I was wondering how it works because we see a problem where a couple of Win 10 clients can resolve all the internal Windows servers names, but not the statically assigned names of linux servers.
I thought if the name resolution works over different mechanisms and uses different ports it could be an firewall or L3 switch somewhere that has been misconfigured.
This is common in situations where Linux is not given an opportunity to auto-update the DNS entries, no one makes them manually, and they are not joined to AD.
-
@scottalanmiller said in How does name resolution work in AD?:
@Pete-S said in How does name resolution work in AD?:
I was wondering how it works because we see a problem where a couple of Win 10 clients can resolve all the internal Windows servers names, but not the statically assigned names of linux servers.
I thought if the name resolution works over different mechanisms and uses different ports it could be an firewall or L3 switch somewhere that has been misconfigured.
This is common in situations where Linux is not given an opportunity to auto-update the DNS entries, no one makes them manually, and they are not joined to AD.
Exactly - have you or anyone else added these servers to AD's DNS?
-
@Pete-S said in How does name resolution work in AD?:
I was wondering how it works because we see a problem where a couple of Win 10 clients can resolve all the internal Windows servers names, but not the statically assigned names of linux servers.
I thought if the name resolution works over different mechanisms and uses different ports it could be an firewall or L3 switch somewhere that has been misconfigured.
Have you configured them in your DNS too or does your Linux servers DHCP client automatically update DNS? No client cares about a Linux hostname
-
@Dashrender said in How does name resolution work in AD?:
@scottalanmiller said in How does name resolution work in AD?:
@Pete-S said in How does name resolution work in AD?:
I was wondering how it works because we see a problem where a couple of Win 10 clients can resolve all the internal Windows servers names, but not the statically assigned names of linux servers.
I thought if the name resolution works over different mechanisms and uses different ports it could be an firewall or L3 switch somewhere that has been misconfigured.
This is common in situations where Linux is not given an opportunity to auto-update the DNS entries, no one makes them manually, and they are not joined to AD.
Exactly - have you or anyone else added these servers to AD's DNS?
They have been added manually. The name of the service is also not the name as the server. So if a webserver is abc001.company.com the name in the DNS that will send you to that server might be logistics.company.com. So client accessing the service would find it with https://logistics
-
@Pete-S said in How does name resolution work in AD?:
@Dashrender said in How does name resolution work in AD?:
@scottalanmiller said in How does name resolution work in AD?:
@Pete-S said in How does name resolution work in AD?:
I was wondering how it works because we see a problem where a couple of Win 10 clients can resolve all the internal Windows servers names, but not the statically assigned names of linux servers.
I thought if the name resolution works over different mechanisms and uses different ports it could be an firewall or L3 switch somewhere that has been misconfigured.
This is common in situations where Linux is not given an opportunity to auto-update the DNS entries, no one makes them manually, and they are not joined to AD.
Exactly - have you or anyone else added these servers to AD's DNS?
They have been added manually. The name of the service is also not the name as the server. So if a webserver is abc001.company.com the name in the DNS that will send you to that server might be logistics.company.com.
if you're being sent to logistics, that's the entry that must be in DNS.. you can have as many entries as are needed for a single server.
each name is it's own entry.
