Domain Controllers

Discussion in 'Server Networking' started by Patrick Whittle, Aug 2, 2009.

  1. Can a domain controller be anything else (i.e. IIS Server)? My domain
    controller seems bogged down when a computer tries anything other than a
    login. I tried adding a workstation to the domain, and it took at least ten
    (10) minutes before a confirmation (i.e. Windows dialog message) occurred.

    PS The server box is running Terminal Services and IIS only
     
    Patrick Whittle, Aug 2, 2009
    #1

  2. Hello Patrick,

    A domain controller shouldn't run anything other than AD, DNS, GC and maybe
    DHCP. Especially IIS is not optimal and lowers security; the same applies to
    Terminal Services in application mode. This doesn't mean you cannot install
    all roles on the server; this works but results in lower security settings
    and, when multihomed, 2 IP addresses in DNS, logon GPO applying etc. etc. etc.
    problems.

    Your problem seems DNS related, please post an unedited ipconfig /all from
    the server and a problem computer.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Aug 2, 2009
    #2

  3. Meinolf,

    The server is the "problem" computer. It's running Microsoft Internet
    Information Services 6.0 and it is also (Microsoft 2003 Server) a domain
    controller. The AD portion of this/my equation seems to be the culprit...
    as far as the long wait-time; there is only one sub-net. Enterprise Admins
    GPO is being used, and the server has only one NIC (Ethernet) installed.

    The LAN router is supplying DHCP, and my internet service provider is the
    DNS. Is the huge wait-time due to older hardware (1GB of memory, but only a
    1.7 GHz CPU) ??? Adding a workstation to the domain shouldn't take this
    long.
     
    Patrick Whittle, Aug 3, 2009
    #3
  4. Bill Grant (Guest), in reply to Patrick Whittle:

    Meinolf will probably tell you the same thing, but here is something to
    think about.

    You cannot run a domain controller and use the DNS at your ISP. Active
    Directory depends on DNS and requires a local DNS server to resolve domain
    resources. You really should not be using DHCP from your router, as this
    will give your clients incorrect DNS settings.

    Your workstation cannot join the domain because it cannot find the DC.
    It uses DNS to find the logon server and the record for that should be in
    your local DNS. There is no way that the DNS at your ISP would have this
    info.

    The setup you have is fine for a fileserver. It is not compatible with
    Active Directory. If you want to run a DC in this network you need to change
    your network config.

    Give the server a static IP and set it to use the router as its default
    gateway. When you promote it to a domain controller, accept the offer to
    configure DNS for you. After this is complete you can configure DNS to
    forward to a public DNS (such as your ISP) to resolve foreign URLs.

    If you were using DHCP on the router, disable it and configure DHCP on
    the DC. Configure your scope to issue the router's IP as default gateway but
    the DC as the DNS address. All machines must use the DC for DNS.

    Your network config should look like this.

    Internet
    |
    192.168.0.1
    |
    DC
    192.168.0.101 dg 192.168.0.1 dns 192.168.0.101
    |
    workstations
    192.168.0.x dg 192.168.0.1 dns 192.168.0.101
     
    Bill Grant, Aug 3, 2009
    #4
  5. Hello Patrick,

    Your ISP is the problem, that's the reason I asked for the ipconfig /all.
    It doesn't have to be configured on the NIC; there use only the domain DNS server
    IP address, so itself as preferred.

    The ISPs DNS server you have to set as FORWARDER under the server properties
    in the DNS management console.

    Also with only one DC/DNS it will be normal that a reboot will take longer
    than with having a second domain DNS server also. This belongs to the starting
    sequences of the DNS Server service and the Netlogon service; the latter mostly
    tries to start before the DNS Server service, but without DNS server it cannot
    start.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Aug 3, 2009
    #5
  6. Patrick,

    I second and third that the ISP's DNS IS CAUSING the problem.

    To understand why, you must understand the way AD and DNS work. The
    following is a snippet of a longer article I have on multihomed DCs (not
    recommended), but posting just the portion that explains the AD-DNS
    relationship.

    ---
    To explain why will require a little background on AD and DNS:

    First, just to get this out of the way, if you have your ISP's DNS addresses
    in your IP configuration (DCs and clients), they need to be REMOVED. If the
    ISP's DNS is in there, this will cause additional problems. I usually see
    errors (GPOs not working, can't find the domain, RPC issues, etc), when the
    ISP's DNS servers are listed on a client, DCs and/or member servers, or with
    multihomed DCs. If you have an ISP's (or some other outside DNS server or
    even using your router as a DNS server) DNS addresses in your IP
    configuration (all DCs, member servers and clients), they need to be REMOVED
    and ONLY use the internal DNS server(s). This can be very problematic.

    Basically, AD requires DNS. DNS stores AD's resource and service locations
    in the form of SRV records, hence how everything that is part of the domain
    will find resources in the domain. If the ISP's DNS is configured in any
    of the internal AD member machines' IP properties (including all client
    machines and DCs), the machines will be asking the ISP's DNS "where is the
    domain controller for my domain?" whenever it needs to perform a function
    (such as a logon request, replication request, querying and applying GPOs,
    etc). Unfortunately, the ISP's DNS does not have that info and they reply
    with an "I dunno know", and things just fail. Unfortunately, the ISP's (or
    your router as a DNS server) DNS doesn't have information or records about
    your internal private AD domain, and they shouldn't have that sort of
    information.

    Also, AD registers certain records in DNS in the form of SRV records that
    signify AD's resource and service locations. When there are multiple NICs,
    each NIC registers. If a client, or another DC, queries DNS for this DC, it may get
    the wrong record. One factor controlling this is Round Robin. If a DC or
    client on another subnet that the DC is not configured on queries for it,
    Round Robin will kick in offering one or the other. If the wrong one gets
    offered, it may not have a route to it. On the other hand, Subnet Mask
    Prioritization will ensure a querying client will get an IP that corresponds
    to the subnet it's on, which will work.

    To ensure everything works, stick with one NIC.
    ---

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum to benefit from collaboration
    among responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [MCT], Aug 3, 2009
    #6
  7. This kind-of explains why my ISP recently changed its settings. The last
    two octets of my WAN default gateway are now 192.1 ...so I'm thinking that
    my ISP distinguished an internal LAN (ISP's regularly update and change
    their addressing; this is normal). Does my ISP see that my internal LAN has
    a domain controller in it? For their management topology, they must have
    "classified" me as having an internal LAN.

    Also, I recently bought a router (used to be cable modem only) that has DHCP
    on it. When I configure my domain controller with DNS, how do I repudiate /
    deny ISP knowledge of internal hosts?

    New Default Gateway address: 24.57.192.1 (notice how it suggests &
    signals my internal LAN)
     
    Patrick Whittle, Aug 3, 2009
    #7
  8. Hello Patrick,

    No, the private address range looks like 10.x.x.x, 172.x.x.x or 192.168.x.x
    not x.x.192.x

    It is NOT your ISPs problem. The WAN port from your DSL router has nothing
    to do with your internal network.

    As said/requested before, an unedited ipconfig /all from your server and
    a problem computer can sort this out really easily.

    Also I described how to configure the FORWARDERS to access the internet the correct
    way with LAN internal domain DNS servers.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Aug 3, 2009
    #8
  9. Thanks. What I really meant was, my ISP may want to group their clients
    based on what they know (or think they know) they are running. Since it's
    easy for them to see&log what I am using, wouldn't it be good administrative
    practice to configure DNS assignments (sub-nets) reflecting which clients
    have a LAN... and who doesn't ???

    Which reason do you think ISP's re-assign / refresh their DHCP for? It
    could be simply to contend with bots. straggling their IP assignments!!!
     
    Patrick Whittle, Aug 3, 2009
    #9
  10. Hello Patrick,

    Your ISP has nothing to do with your LAN, they can not access it if you don't
    let them. It is your task to secure your network.

    As far as I know the ISPs have to disconnect your network once a day for
    a short time, unless you have fixed IP addresses rented for yourself; it's
    so short you normally don't realize. So that will be the reason that your
    router has different WAN IP addresses, but that's not your part of the configuration.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Aug 3, 2009
    #10
  11. You don't think ISPs assign new IP addresses on a regular basis? I will
    contest your view in this regard. ISPs dynamically assign new IP addresses
    per sub-net on a regular basis (twice, if not 3 times a year). I got a
    letter in the mail querying (postal) my usage the other day. They ask
    questions like, "When will you reach 100 GB data transfer in a day?" They
    want to know the reasoning, justifiably (bandwidth)... so that they can
    charge me more. I dunno.
     
    Patrick Whittle, Aug 3, 2009
    #11
  12. Hello Patrick,

    I can only see in our environment, where we have 8 fixed public addresses
    and they haven't changed in 1.5 years.

    But again, if you don't give some info about your ip configuration, we can
    not help you to fix your starting problem.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Aug 3, 2009
    #12

  13. I think there's a misconception here. An ISP (Cable, Verizon, Quest,
    whoever) provides the external IP to their layer 2 connection device,
    whether it be a T1 smartjack, gateway device, modem, etc, and in some cases
    they are combined devices, but for the internal network, you dictate your
    settings. They do not 'see' your internal network. However, many ISPs may
    (depending on who they are) keep tabs on bandwidth usage.

    If you purchased a business line, they more than likely will have provided a
    static WAN IP (the external address), or multiple static IPs (depending on
    your service agreement at signup), whereas a residential line is a DHCP
    address where the WAN IP changes periodically. How often does a residential
    WAN IP change? Once again, it depends on the ISP and/or the agreement between
    you and them.

    If you have a business or residential line, they will more than likely
    monitor bandwidth usage (100GB or whatever per month), as said. For
    residential lines, they may sniff traffic 'type' such as inbound (and
    possibly outbound, depending on the ISP) SMTP traffic or HTTP traffic to see
    if you are running any services from your location, which of course they shy
    upon with residential lines. Business lines are a different ballpark.

    If they watch bandwidth, they more than likely will charge you for the
    additional overage, because THEY have to pay for bandwidth, too, to their
    suppliers.

    How much bandwidth do you expect to use per month? Do you download or
    transfer gigabytes of data on a daily basis, such as multiple DVDs or
    Blu-ray disks worth of data on a daily basis? If so, and they keep track,
    and if it's in YOUR agreement, then expect to be charged.

    Now for the internal network, they CANNOT see it. They have no say in what you
    do internally. It is a private internal network, whether you have 2, 5 or
    1000 machines. Otherwise it would be a breach of privacy.

    As for the problems, as requested and has been reiterated, we would like to
    help you out with your network and problems with AD, however we can't do
    anything without seeing an ipconfig /all from your DC and sample
    workstation. The discussion about the ISP with this case is a moot point
    which does not apply to AD, other than to not use your ISP's DNS addresses
    internally, but it appears that you are not heeding that suggestion, unless
    I misread your posts?

    Help us to help you.

    Thank you,

    Ace
     
    Ace Fekay [MCT], Aug 3, 2009
    #13
  14. My starting problem was "Can a domain controller be anything else (i.e. IIS
    Server)" and this has been resolved. Unless you are referring to me adding a
    computer to the domain. I am fixing this as we speak: the DNS on my Windows
    2003 Server will be the primary DNS server, and my ISP is secondary.
     
    Patrick Whittle, Aug 4, 2009
    #14
  15. Hello Patrick,

    And as mentioned before this is the wrong configuration. Do NOT use the ISP's
    DNS server on the NIC; configure it as FORWARDER under the DNS server properties
    in the DNS management console, otherwise you will run into trouble multiple
    times.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Aug 4, 2009
    #15
  16. My Primary DNS Server (on Microsoft 2003 Server -192.168.0.101) is now
    configured on my router too (the router knows Windows 2003 Server also has
    DNS Services). The router's secondary DNS Server is set to point to my ISP.

    My AD problem surfaced when I tried to add a computer to the domain, and the
    server (Active Directory) didn't know where to look. That's why I was
    waiting 15-20 minutes to have a confirmation dialog window saying "Computer
    Successfully Added" (or reasonable facsimile thereof). Now that host
    computers on my LAN are seeing a DNS server on the same internal LAN, adding
    a computer happens in just seconds. I added DNS to my 2003 Server after my
    first answer (post #1) and that was the solution.

    Secondary DNS Server : 24.226.1.93
     
    Patrick Whittle, Aug 4, 2009
    #16
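A configuration check for the rules given in this thread (posts #4, #6, #15 and #16), as an added example that is not part of the thread and not code from any of the posters: it parses `ipconfig /all`-style output for the DC and a workstation and flags every DNS server on the NIC that is not the internal DC, which is exactly the mistake of listing the ISP as secondary DNS or pointing clients at the router. The ipconfig excerpts are constructed; the addresses 192.168.0.1, 192.168.0.101 and 24.226.1.93 and the host name WIND-2003 come from the thread, while the domain name example.local, the workstation address 192.168.0.50 and all function names are assumptions.

```python
"""Check Windows IP configurations against the AD/DNS rules given in this thread.

Added example, not code from the thread. Parses `ipconfig /all`-style text and
reports any DNS server on a NIC that is not the internal DC (an ISP resolver or
the router in the wrong place). The ipconfig excerpts below are constructed.
"""
import ipaddress
import re

# RFC 1918 private ranges (post #8 writes 172.x.x.x loosely; the block is 172.16/12).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Addresses from the thread's diagram (post #4); the domain name is an assumption.
DC_ADDRESS = "192.168.0.101"
ROUTER_ADDRESS = "192.168.0.1"
AD_DOMAIN = "example.local"

# 'Label . . . . : value' lines as ipconfig prints them; bare IPv4 continuation lines.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?)[ .]*: ?(.*)$")
IPV4_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_ipconfig(text):
    """Return {'ip', 'gateway', 'dns'} from ipconfig /all output.

    ipconfig prints 'DNS Servers . . : <first>' and lists further servers on
    following lines that carry no label, so bare addresses are appended to the
    DNS list until the next labelled line.
    """
    cfg = {"ip": None, "gateway": None, "dns": []}
    in_dns_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            label, value = m.group(1).strip().lower(), m.group(2).strip()
            in_dns_list = label == "dns servers"
            if label == "ip address":
                cfg["ip"] = value
            elif label == "default gateway":
                cfg["gateway"] = value
            elif in_dns_list and value:
                cfg["dns"].append(value)
        elif in_dns_list and IPV4_RE.match(line):
            cfg["dns"].append(line)
    return cfg


def check_config(name, cfg, dc=DC_ADDRESS, router=ROUTER_ADDRESS):
    """Return findings (an empty list means the NIC follows the advice in the thread)."""
    findings = []
    if cfg["gateway"] != router:
        findings.append(f"{name}: default gateway {cfg['gateway']} is not the router {router}")
    if not cfg["dns"]:
        findings.append(f"{name}: no DNS server set; domain members must use the DC")
    for server in cfg["dns"]:
        addr = ipaddress.ip_address(server)
        if not any(addr in net for net in RFC1918):
            # Public resolver on the NIC: it holds no records for the AD zone.
            findings.append(f"{name}: public DNS {server} on the NIC; use it only as a forwarder on the DC")
        elif server != dc:
            # Router or another internal box: no SRV records for the domain there either.
            findings.append(f"{name}: internal address {server} is not the DC's DNS {dc}")
    return findings


def dc_locator_names(domain=AD_DOMAIN):
    """SRV names a member resolves to locate a DC; only the internal DNS can serve them."""
    return [f"_ldap._tcp.dc._msdcs.{domain}", f"_kerberos._tcp.dc._msdcs.{domain}"]


# Constructed excerpts; 24.226.1.93 is the ISP resolver quoted in post #16.
DC_IPCONFIG_BAD = """\
Windows IP Configuration
   Host Name . . . . . . . . . . . . : WIND-2003
   Primary Dns Suffix  . . . . . . . : example.local

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.0.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.101
                                       24.226.1.93
"""
# The corrected DC config: same excerpt with the ISP resolver removed from the NIC.
DC_IPCONFIG_GOOD = "\n".join(l for l in DC_IPCONFIG_BAD.splitlines() if "24.226.1.93" not in l) + "\n"
WORKSTATION_ROUTER_DNS = """\
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.0.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
"""

if __name__ == "__main__":
    for name, text in (("DC (ISP as secondary)", DC_IPCONFIG_BAD),
                       ("DC (fixed)", DC_IPCONFIG_GOOD),
                       ("workstation (router as DNS)", WORKSTATION_ROUTER_DNS)):
        print(name, "->", check_config(name, parse_ipconfig(text)) or "OK")
    print("records the DC's DNS must answer:", dc_locator_names())
```

Run it against the real output of ipconfig /all from the DC and a workstation by passing the captured text to parse_ipconfig; any finding that names a public address is the ISP resolver that belongs in the DC's forwarders list rather than on a NIC. The SRV names returned by dc_locator_names are what a member queries to find a logon server, which is why a resolver outside the domain answers "I dunno" and the join hangs for minutes.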
  17. Oh ya. I'm still researching the 'forwarder' business. Do I configure the
    Microsoft 2003 Server to do this, my router, or both ???
     
    Patrick Whittle, Aug 4, 2009
    #17
  18. Hello Patrick,


    Did you ever open the DNS server properties in the DNS management console
    as always pointed out?

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Aug 4, 2009
    #18
  19. Patrick Whittle, Aug 4, 2009
    #19
  20. Hello Patrick,

    You didn't choose the DNS server WIND-2003, you chose the DNS top level.
    Mark the server name and choose Properties.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Aug 4, 2009
    #20
