NSlookup wifi overrides ethernet default server?



So at work I do not get to control DHCP and we have certain static addresses for servers/printers and then a dynamic scope for clients.

DHCP for our wired network has the domain controller / active directory / dns machine as the primary dns server (the way it should be).

I've been noticing the laptop clients experience bigger issues with communicating with my server and after doing an nslookup right after the wifi is connected, the default dns server changes to a server that is not in my domain and I do not control (different department).

This has been creating huge issues with policy updates and not having the laptop correctly register with the dns server (gpupdate causes the userenv to fail saying the dc can not be reached, but was resolved by disabling the wifi and ipconfig /registerdns then a gpupdate /force).

How can I make it so that the ethernet settings always override the wifi settings as far as default dns server... (I've already googled and tried researching it and found nothing)

"How can I make it so that the ethernet settings always override the wifi settings as far as default dns server"

HUH?? Are you saying these machines are wired and wireless at the same time?? That makes no sense from the get go.

You can not use the settings of a no longer dhcp connection - wired, when it's disconnected and you're now using a different interface with new settings for a different dhcp server.

If you don't want to use dns from dhcp - then don't.. Just change your clients to get the IP, but to use a static dns server. Just change that on the properties of your wireless interface.


What I don't get is why you don't just get with who runs the wireless network and have them correct their dhcp scope -- seems kind of pointless to have a setting in wireless dhcp scope that is wrong for the users of said wireless network.

Budman,

In our office we have docking stations for people who use laptops and then we also have just regular desktops. Those docking stations are hardwired (which gives out our IP scope for our floor of 172.16.4.xxx).

The wifi for the entire building uses a different ip scope and different default dns server.

So the problem is that any time a person who has a laptop is docked and goes to log on, the primary dns server is defaulted to the wrong dns server (due to the wifi being connected) and it's slower for people logging in and it's causing problems with gpupdate.

I can't set a static dns server in the TCP/IP settings because so many of the people on my floor have to go to different schools or travel, which once again have completely different IP scopes.

I guess I was just hoping there was an active directory or registry trick to make the hardwired settings take precedence.

"What I don't get is why you don't just get with who runs the wireless network and have them correct their dhcp scope -- seems kind of pointless to have a setting in wireless dhcp scope that is wrong for the users of said wireless network."

Trust me, I've tried. I've also tried getting them to add our dns server as a forwarder on their main DNS server and it hasn't happened going on almost 1 1/2 years now... They also JUST upgraded the main backbone of our building to 100mb from an old 10mb backbone.

Edited by Unholee

basically what you need is to have separate hardware profiles, docked vs undocked. Basically in the docked profile, you want the laptop to disable the wireless network card, but in an undocked profile you want the wireless enabled.

xp http://support.microsoft.com/kb/308577

vista http://www.lockergnome.com/windows/2006/12...files-in-vista/

"basically what you need is to have separate hardware profiles, docked vs undocked. Basically in the docked profile, you want the laptop to disable the wireless network card, but in an undocked profile you want the wireless enabled.

xp http://support.microsoft.com/kb/308577

vista http://www.lockergnome.com/windows/2006/12...files-in-vista/"

I was looking into hardware profiles but the problem is with over 100 people on my floor it would take me forever to try and get each laptop worked on PLUS teach them how to switch from different profiles.

An ex Principal honestly couldn't hook up a video monitor cable to her docking station even though it was blue and color coordinated :( that's why I was hoping there could be a simple configuration on either my dns server or active directory / vbs script that can launch when they log in.

No, there isn't an easy way to do it, but the system will "see" if it is docked vs undocked and will apply the profile as it becomes docked vs undocked. This is going to be your best solution. Unfortunately when dealing with multihomed situations (2 nics with 2 different gw addresses/dns etc), the system ends up getting confused and does not prioritize between the two (lan overrides wlan or vice versa).

You would have to adopt that into your future images. If you want a lazy man's way of doing it, push the image down to the pc once you have it, be sure to save the users' data (but once you figure it out it won't take you much more than 15 min at the laptop to configure it).

Teaching them will be a moot point being that they are already doing what is required (insert laptop into dock, remove laptop from dock).

I'll definitely look into that then since it will be my best and only option. The image idea would be very difficult because we have so many different models of Dell in the office :( It spans from Latitude D400's, 410's, 610's, 620's, 630's, E5400's, E4300's, and a few other models ALL with different hardware (some have Intel vs Dell wifi NICs and some have different video cards).

I'll definitely start changing that on my images that I've begun doing on the new batch of laptops.

When you are looking to upgrade your imaging software, look for something that can do a bare-metal restore (restore 1 image to dissimilar hardware; this technology has been out for a couple of years now, I know Acronis has it, which is their universal restore option, and I believe Ghost has something similar now). Something to keep in the back of your mind when upgrading software or renewing contracts.

We just upgraded our Acronis True Image Home 11 to the 2010 which now has the universal restore which is very very nice :) We also use the Server Enterprise for our backup solution for our servers.

When I first came into this position 2 years ago both AD servers were horribly configured and couldn't pass a dcdiag, DNS was jacked, no back up solutions, and no script management for log in methods :hmmm: But I can't complain, this has given me so much hands on work so when I'm done with my MIS degree and IA degree it will prepare me for the ugly corporate world :ninja:

"due to the wifi being connected"

Well disable the wireless when a wire is connected then.. Most modern wireless drivers support this option. Look in the advanced driver options of your wireless card.

Or here is some software you can use

http://www.wlanbook.com/bridgechecker/

BridgeChecker is a Windows utility that can automatically disable/enable wireless interfaces. Whenever your computer is connected to an Ethernet port and the link state is good, the utility can automatically turn off the IEEE 802.11 wireless network interface. This conserves IP address allocation, reduces security risks, resolves dual interface routing issues, and prolongs battery life.

This would solve your issue as well -- since you should not be connected to wireless and wired at the same time -- it's pointless unless they are 2 different networks.

I'm curious what dns they point to on this wireless network, if it's not AD dns?? How and the F do they access anything while on wireless??

"I'm curious what dns they point to on this wireless network, if it's not AD dns?? How and the F do they access anything while on wireless??"

lol do you really want to know how stupid their configuration is? They have 1 primary DNS server for 2 buildings (5 floors each) and then a secondary DNS server for each floor. Each gateway is tunneled to the main gateway so even if I'm in a 172.16.15.xxx ip range, I can see my 172.16.4.xxx network.

Not only do they open the network entirely throughout both buildings for inner-transport, but schools can see upstream to our main network. So if a high school kid wants to jack around and (theoretically) do DOS attacks on the main servers in our building... They can.

They've wanted to change the domain of our floor and pretty much get rid of my position, but we have so many programmers and testers with different needs that being on their domain would cause even more of a headache.

P.S The Intel WiFi link 5100 AGN doesn't have that setting to disable while the NIC is connected, nor have I seen it on a few other dells :(

All the Dells we use support it, if not on the driver look in the dell quickset stuff.

Or I pointed you to some software that will do it.

As to the network being open?? Well if they are supposed to be working together, then yeah that's going to be required. Can/Should you filter on non required traffic -- sure.. for example clients prob have no reason to talk to clients from floor to floor. But it's quite possible they need access to servers there.. So you could filter that with an ACL.

As to seeing other networks that are part of the same business -- again that's pretty much a given.. Users can see networks in Germany and Asia for example.. Since they need to access servers and services there. Now this should be locked down to only the services required, and only the machines that are needed to be accessed, etc. But that can become a logistics problem very quickly if not set up correctly from the get go and just a mash of machines.

As to how many dns servers they have -- 1 for each floor seems a bit much, how many machines on each floor?

Seems you're the ODD ball out there -- and you're on some different domain. Why don't you just have them add the records you need for your domain into their dns.. From what it sounds like being the ODD man out does not give you much pull -- ask nicely!! Have them put in some NS records for your domain into their dns.. Should take them 2 minutes and then everyone will be happy.

Each floor has roughly 50 - 100 machines all mainly connected to their main domain. But then of course, each school has a different domain operated at the school but tunnelled to the main network.

Half the people in the wan/lan administration don't know what the hell they're doing. They tried setting up that Internet Sherrif protection for porn sites and access and they ended up jacking up everything for the entire district and a week later they just killed it... Heck they have LANDesk for antivirus and it doesn't work and they've improperly configured lojack on laptops to where they aren't even being traced.

So what SHOULD be a 2 minute task is a huge PITA :( I'm the ODD one out with one of the more reliable domains, AD, scripts, and uptime lol yay for being a contracted full time college student.

Well 50-100 freaking machines don't need their own DNS.. Is each floor its own AD domain?

What is a shame is why are there so many domains, and why are you working only on 1 domain? If all one school district it should be central controlled, etc.

I feel your pain, working with people that do not understand how it works -- and don't want to make any changes (like add a dns record) because it might break something etc.. can be a real pain in the ass!!!

Good luck!! But again to fix your issue I would just disable the wireless when on wire, and keep in mind you could always put in your own host and lmhost records for your domain! That way they can always be found no matter what other dns they might be using.

"Good luck!! But again to fix your issue I would just disable the wireless when on wire, and keep in mind you could always put in your own host and lmhost records for your domain! That way they can always be found no matter what other dns they might be using."

Budman - Do you have any script examples of how I could override the lmhosts.sam file upon startup to edit it for my domain? I already have Netbios over TCP/IP enabled on the server side.

sounds like a mess. It really should be fixed. good luck with that.

What makes all of this worse, the entire district Technology Manager was actually a football coach with no knowledge of this stuff, he just got into the position because he knows the Superintendent.

And why would you do anything to the lmhosts.sam file? that is just a sample nothing in there is going to work.

You could use a central file I would guess.

Here this should help

http://technet.microsoft.com/en-us/library/cc959846.aspx

Creating Entries in the LMHOSTS File

Sure the info is for 2000 server, but I doubt anything has changed, etc. As to a script to change it -- sure you could use a startup script or something to change them.. But might just want to use a central file.. Then it's one change on each machine to point to the central file -- then you could add or change anything just in one spot, etc.

I just assumed that by talking about LMHOSTS you meant altering the lmhosts.sam file on the clients' computers to have a more static entry of all the domain information. If I'm wrong could you please tell me what you meant about using hosts and lmhosts :)

"I just assumed that by talking about LMHOSTS you meant altering the lmhosts.sam file on the clients' computers to have a more static entry of all the domain information. If I'm wrong could you please tell me what you meant about using hosts and lmhosts :)"

you could also use the host file

c:\windows\system32\drivers\etc\hosts

format:

x.x.x.x <tab> hostname

example:

192.168.1.20 admin1

You're correct, I mean the lmhosts file -- but lmhosts.sam is not the file you edit -- it is not used, you use a file just called LMHOSTS

Look in your windows\system32\drivers\etc

You will see a LMHOSTS file and lmhosts.sam file -- you do not edit the .sam file, but the LMHOSTS file. The .sam file gives you the info you need.

edit: ^ But the host file is not read for netbios names of the domain. But sure the host file can be used for name resolution when pointing to a dns server that you do not have control over for host names, etc.

Here maybe this article will be more helpful?

http://support.microsoft.com/kb/314108

How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues
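Added example, not part of the original thread: a small Python helper that writes the two LMHOSTS lines a client needs to find one domain controller, and audits an existing file for the usual padding mistake. It assumes the LMHOSTS domain-validation convention that the quoted special entry holds the domain name padded with spaces to 15 characters followed by \0x1b (20 characters inside the quotes); the address 172.16.4.10 and the names DC01 and FLOOR4 are constructed placeholders.

```python
import ipaddress
import re

NAME_LEN = 15                    # NetBIOS name field; the 16th byte is the service type
FORBIDDEN = set('"\\#\t ')       # characters that would break the LMHOSTS line


def _netbios(name):
    """Upper-case and validate a NetBIOS computer or domain name."""
    name = name.strip().upper()
    if not 1 <= len(name) <= NAME_LEN or FORBIDDEN & set(name):
        raise ValueError(f"not a usable NetBIOS name: {name!r}")
    return name


def lmhosts_dc_entries(ip, dc_name, domain):
    """Return the two LMHOSTS lines that let a client locate one DC."""
    ip = str(ipaddress.IPv4Address(ip))       # rejects malformed addresses
    dc, dom = _netbios(dc_name), _netbios(domain)
    padded = dom.ljust(NAME_LEN)              # pad with spaces to 15 characters
    return [
        f"{ip}\t{dc}\t#PRE #DOM:{dom}",
        f'{ip}\t"{padded}\\0x1b"\t#PRE',      # 15 + len("\0x1b") = 20 in quotes
    ]


# A quoted name that ends in a \0xNN service-type suffix.
QUOTED = re.compile(r'"([^"]*\\0x[0-9A-Fa-f]{2})"')


def audit_lmhosts(text):
    """Return (line_number, quoted_length) for mis-padded special entries."""
    bad = []
    for n, line in enumerate(text.splitlines(), 1):
        m = QUOTED.search(line)
        if m and len(m.group(1)) != NAME_LEN + 5:
            bad.append((n, len(m.group(1))))
    return bad


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print("\n".join(lmhosts_dc_entries("172.16.4.10", "dc01", "floor4")))
    print(audit_lmhosts('172.16.4.10 "FLOOR4 \\0x1b" #PRE'))
```

After the LMHOSTS file is changed, `nbtstat -R` reloads the #PRE entries. Static entries bypass DNS and WINS entirely, so they go stale if the domain controller's address changes and the file should stay writable by administrators only.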

@ sc302 - Well sadly they have only 1 WINS server for the entire district and once again... it's a PITA to ask them to add any type of information lol

@ Budman - Actually on none of my computers or servers did i see just an LMHOSTS file, I guess that's why I assumed the .sam file was the correct one.

I think it may just be easier to use that WLAN software from the previous page. Installing the software once on all the laptops and just doing a gpupdate will fix headaches from the future.

Can u modify your vlan config. If u can u can change the dhcp helper address to point to your dhcp server and modify your dns as needed.

This is providing that your vlan is the only vlan housing your wireless clients. I still say using a docked and undocked hardware profile is your best solution.

Edit: or if u have access to the wap and the wap supports multiple ssids/networks you could configure it to your network (will have to make the port that it is plugged into on the switch configured on in both vlans by having a secondary address). Then either on each pc or group policy designate a new default ssid for the pcs.

Edited by sc302

If you don't see -- just create.. My point was you can do all you want to the .sam file -- it's not going to be read.. The file is lmhosts not lmhosts.sam

You can remove the ext if you want on that file, etc.. But it has a lot of extra info in there remarked out.

As to not using lmhosts since the old days -- sure, wins is what is normally used.. But since you don't have control of dns or wins it seems then you have to do it old school ;)

This topic is now closed to further replies.