DNS changed in domain but not coming for Domain Controller

Hello good people,

I am having a strange problem: most of my company PCs had their DNS changed to 8.8.8.8 and 8.8.4.4.
I have looked on the Domain Controller and it has our DNS server only, and I cannot see Google DNS being used anywhere on the server.

Can anyone tell me where to look?

All of the PCs in the domain are on DHCP.
This also causes people trouble printing, as the print server is on the correct DNS.

Thanks
 
For your DHCP clients, this should be set as part of their scope in either one of two places, assuming it's a Windows DHCP server:

DHCP mmc - Scope - Scope Options

or...

DHCP mmc - Server Options

Once you've updated those to point to your internal DNS servers again, you'll need to get folk to do an ipconfig /release & /renew (or reboot). That should sort them out. If you're not sure where your DHCP server is, do an ipconfig /all from one of your client machines, and it will be listed there. Nine times out of ten, DHCP is installed on the first DC in an org.

What I'd expect to see on a domain is the DHCP scopes set to point to at least two DNS servers. I'd then expect your DNS settings to have at least two forwarders to public DNS servers (Launch DNS mmc, right-click the server name, properties, forwarders).

I'd also recommend not using the google DNS servers. They're good and easy to remember, but you'll probably find that there are far quicker ones you can use. There's an app called Namebench that will hunt down the best DNS servers for your area, or ask your ISP for their public DNS details.
 
We have 2 DC servers. Please excuse my lack of knowledge, I am just 1st/2nd line.

I am in DHCP > dc1.nameofthecompany.com > IPv4 > Scope, and there is Address Pool, Address Leases, Reservations, Scope Options, Policies...

Scope options have the correct servers set....
 
How many PCs have you got?
If DHCP is configured with the correct DNS, then I can only imagine it has been changed manually on the machines or via a script.

Do users have rights on the machines to make this sort of change? You may have an enthusiastic amateur who has made the changes 'to make the internet go faster'...

The other alternative, I guess, would be a domain admin setting up a login script or GPO with these changes - but you'd hope someone with that level of rights would have more sense than that.
 
You wouldn't want your client PCs to point to Google DNS.

Your client machines should point to your DCs for DNS, and in turn your DNS server running on the DC should have either Google or your ISP DNS as a forwarder.

The DCs should have their DNS set to their own IP with the other DC as secondary.


If you have Google set for your client PCs they will not be able to resolve internal domain resources correctly.
 
How many PCs have you got?
If DHCP is configured with the correct DNS, then I can only imagine it has been changed manually on the machines or via a script.

Do users have rights on the machines to make this sort of change? You may have an enthusiastic amateur who has made the changes 'to make the internet go faster'...

The other alternative, I guess, would be a domain admin setting up a login script or GPO with these changes - but you'd hope someone with that level of rights would have more sense than that.

+- 80 PCs. Changing DNS can only be done with admin credentials. I am suspecting malware/a virus, but why would a virus point to Google DNS and not some infected one?

Our server admin dumped this on me, saying there is nothing on the server and it's the users' computers that are screwed...

You wouldn't want your client PCs to point to Google DNS.

Your client machines should point to your DCs for DNS, and in turn your DNS server running on the DC should have either Google or your ISP DNS as a forwarder.

The DCs should have their DNS set to their own IP with the other DC as secondary.


If you have Google set for your client PCs they will not be able to resolve internal domain resources correctly.

I know that I want Google DNS, that's the whole point of this thread mate. Something somehow changed the DNS on the machines and I am trying to find out how/why/when, and how to resolve it, ideally with 2 clicks and applied to the whole company.

Is it possible that it's in GPO?
 
Probably best to do an RSOP.msc on a client to determine what settings are applied from where. Or do some GP modelling.
 
Probably best to do an RSOP.msc on a client to determine what settings are applied from where. Or do some GP modelling.

Thank you,
These are a bit advanced terms for me; I will google how to use these bits.

If anyone has any other ideas please shoot.
 
You missed part of my original post. From the same DHCP mmc you also have "Server Options." It can also be set there at a global level (all scopes).

GP modelling and RSOP won't help you here, as your DHCP clients will get their settings from your DHCP server, not group policy. If they're definitely getting an IP from the DHCP server you're looking at, then that is where their dns settings should come from.

If you want to be certain that your clients are getting an IP from that server, follow the steps in my original post. If you want to take it one step further, once your client PC has been assigned an IP, from the DHCP mmc, check the leases to ensure your client is listed, and that the lease time matches when you did ipconfig /renew. See below:

1. From client PC:

- open up command prompt
- ipconfig /all (check that the listed DHCP server IP is the actual DHCP server you expect)
- ipconfig /release
- ipconfig /renew

2. On the DHCP server:

- open up DHCP snapin
- check the lease for the client PC. Does it match? If it does...

- check to see if DNS is configured in "SERVER OPTIONS." This is one level up from the scope options.

If any of that doesn't tally up, post the results. It could be a script/malware, but I have to say it'd be the first I'd heard of something like that happening in many, many years. I'd suspect a rogue DHCP server before that, and in reality, a simple misconfiguration is the likely suspect.
 
Just for the sake of ruling out it being a logon script, here's a few ways to check:

1. Log on to a client machine as an admin.

- open command prompt
- gpresult /r

The output here will show you any logon scripts in play, and which GPO they are being called from. Once you know the location of the scripts, go and physically look at them to see what they do. Just be careful not to change / remove them, as the rest of your team won't be happy if you break a script.

Normally I'd say run the above as a domain user rather than an admin, but this should be sufficient, as a script for this change would need admin rights and therefore be a computer policy rather than a user one.

If you can't get to a cmd prompt from the client PC, you can check it via the group policy management mmc on a DC:

- Start - Run - gpmc.msc
- Go to Group Policy Modelling at the bottom of the left hand pane.
- Right-click - Group Policy Modelling Wizard
- Click Next until you can select a user and computer. Select a domain user and a client PC.
- Next all the way to the end.

The output from that will show you any logon scripts expected under the Settings tab.

As already mentioned, I'd be highly surprised if it was a script being called from GP, even having never seen your environment.
 
I'd check for other DHCP servers. Someone might have connected an access point somewhere.

This would be my guess.

Take a look at one of the affected PCs and check which DHCP server IP was used to get a lease. It's likely neither of your DHCP servers.

This is why people should run DHCP snooping on their networks :p
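The client-side ipconfig check and the "Server Options" / "Scope Options" check from the earlier post, plus the rogue-DHCP check from this one, can be done in one pass from an admin workstation. This is an added example, not code from anyone in the thread; it assumes WinRM access to the clients and the RSAT DhcpServer module, and the computer names and DNS addresses in it are placeholders.

```powershell
# Added example (not from the thread): pull each client's DHCP server and DNS list
# over WinRM, flag clients whose DHCP server is not authorized in AD or whose DNS
# servers are not the internal ones, then list option 6 (DNS Servers) at server and
# scope level on the authoritative DHCP server. Requires the RSAT DhcpServer module.
# All names and addresses below are placeholders, not values from the thread.
param(
    [string[]]$Computers   = @('PC01', 'PC02'),             # placeholder client names
    [string[]]$InternalDns = @('192.0.2.10', '192.0.2.11')  # placeholder DC/DNS IPs
)

# DHCP servers authorized in Active Directory; anything else handing out leases is rogue
$authorized = Get-DhcpServerInDC | ForEach-Object { $_.IPAddress.ToString() }

$report = foreach ($pc in $Computers) {
    $nics = Invoke-Command -ComputerName $pc -ScriptBlock {
        Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
            Where-Object { $_.DHCPEnabled } |
            Select-Object IPAddress, DHCPServer, DNSServerSearchOrder
    }
    foreach ($nic in $nics) {
        $badDns = @($nic.DNSServerSearchOrder | Where-Object { $InternalDns -notcontains $_ })
        [pscustomobject]@{
            Computer   = $pc
            IP         = $nic.IPAddress[0]
            DhcpServer = $nic.DHCPServer
            DnsServers = ($nic.DNSServerSearchOrder -join ', ')
            RogueDhcp  = $authorized -notcontains $nic.DHCPServer   # lease from an unauthorized server
            WrongDns   = $badDns.Count -gt 0                          # e.g. 8.8.8.8 / 8.8.4.4 present
        }
    }
}
$report | Format-Table -AutoSize

# Option 6 as configured on the first authorized DHCP server: "Server Options" (global)
# first, then each scope's own "Scope Options", which override the global value.
$dhcp = $authorized[0]
Get-DhcpServerv4OptionValue -ComputerName $dhcp -OptionId 6 -ErrorAction SilentlyContinue |
    Select-Object @{ n = 'Level'; e = { 'Server' } }, Value
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $dhcp) {
    Get-DhcpServerv4OptionValue -ComputerName $dhcp -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Level'; e = { "Scope $($scope.ScopeId)" } }, Value
}
```

A client with RogueDhcp set to True is the rogue-server case this post describes; WrongDns True with RogueDhcp False points back at the DHCP options or a local change on the machine.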
 
Thanks guys for all the ideas, I will look at each of them... hopefully I get to the bottom of this. It was also suggested to me to run Wireshark on the machine and do /release /renew to see where the IP is coming from.
 