Domain Controllers

Discussion in 'Server Networking' started by Patrick Whittle, Aug 2, 2009.

  1. The router itself, doesn't need to use your internal DNS server. It's not an
    AD client, nor will you be doing any resolution for AD resources, such as
    domain controllers, shares or printers. You can leave the ISP's DNS
    addresses on the router itself. And this is all assuming the "router" is not
    a Windows machine that is part of your domain.

    So apparently you did heed our suggestions. Good to hear that it's working
    for you now.

    As for the Secondary DNS you mention in the last part, 24.226.1.93, are you
    saying you have that on your clients and domain controller as well? If so,
    remove it please. Remember, what we're stressing here is NOT to use anything
    other than 192.168.0.101 on all internal machines, such as domain
    controllers and clients.

    Use 24.226.1.93 as a Forwarder. I believe Meinolf posted how to do that in
    DNS properties, Forwarders tab. That is the only place that 24.226.1.93
    should appear, and not in IP properties of any machine.

    Ace
     
    Ace Fekay [MCT], Aug 4, 2009
    #21

  2. Right click, Wind-2003, choose properties.

    What is worrying me now that I see your zone name, you have a Single Label
    DNS Domain Name. This is extremely problematic. This will contribute to AD
    problems. Notice I used the word, "will." It's not a maybe, rather a
    guarantee.

    Please read more on this issue to get a full understanding of what this
    means, and the implications.

    ==================================================================
    Single label names:
    By Ace Fekay, MCT, MCTS Exchange 2007, MCSE & MCSA 2000 & 2003, MCSA
    Messaging
    Compiled 3/2005
    ---

    Since AD requires and relies on DNS, and DNS is a hierarchical database, a
    single label name does not follow any sort of hierarchy. DNS fails with
    single label names. Windows 2008, Windows 2003, XP and Vista have problems
    resolving single label names because they do not follow the proper format
    for a DNS domain name, such as domain.com, etc.

    How did it happen? Possibly lack of planning or research on the engineer
    that implemented it.

    Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003
    Domain (or any AD upgrade or installation):
    http://support.microsoft.com/default.aspx?scid=kb;en-us;555040

    How to fix it? Good question. Glad you've asked.

    1. The preferred "fix" is to install a fresh new domain properly named and
    use ADMT to migrate user, group and computer accounts into the new domain
    from the current domain.

    2. An alternative is to perform a domain rename, (difficulty depends on the
    operating system and which version of Exchange is installed).

    3. As a temporary resort, you can use the patch/bandaid mentioned in the
    following link, which must be done on ALL machines. Unfortunately it must be
    done on ALL machines in the domain, including the DC.

    300684 - Information About Configuring Windows 2000 for Domains with
    Single-Label DNS Names:
    http://support.microsoft.com/?id=300684

    ---

    Please read Microsoft stance on Single Label Names:

    ---

    Single label names, from Alan Woods, MS:

    "We really would prefer to use FQDN over Single label name. There are
    a lot of other issues that you can run into when using a Single labeled
    domain name with other AD integrated products. Exchange would be a great
    example. Also note that the DNR (DNS RESOLVER) was and is designed to
    Devolve DNS requests to the LAST 2 names.

    Example: Single Labeled domain .domainA
    then, you add additional domains on the forest.
    child1.domainA
    Child2.child1.domainA

    If a client in the domain Child2 wants to resolve a name in domainA,
    Example: Host.DomainA, and uses the following to connect to a share,
    \\host, then it is not going to resolve. WHY? Because the resolver is
    first going to query for Host.Child2.child1.domainA, then it will
    next try HOST.Child1.domainA, and at that point the Devolution process is
    DONE. We only go to the LAST 2 Domain Names.

    Also note that if you have a single labeled domain name it causes excess
    DNS traffic on the ROOT HINTS servers and being all Good Internet Community
    users we definitely do not want to do that. NOTE that in Windows 2003,
    you get a big Pop UP Error Message when trying to create a single labeled
    name telling you DON'T DO IT. It will still allow you to do it, but you
    will still be required to make the registry changes, which is really not
    fun.

    Microsoft is seriously asking you to NOT do this. We will support you, but
    the end result could be limiting depending on the services you are
    using.

    Thank you,

    Alan Wood[MSFT]"

    ---

    More Info:

    Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003
    Domain
    http://support.microsoft.com/?id=555040

    825036 - Best practices for DNS client settings in Windows 2000 Server and
    in Windows Server 2003:
    http://support.microsoft.com/?id=825036

    DNS and AD (Windows 2000 & 2003) FAQ:
    http://support.microsoft.com/?id=291382
    ==================================================================

    Ace
     
    Ace Fekay [MCT], Aug 4, 2009
    #22

  3. Scratch that info on the single label name. I looked at your image again,
    and can see it has a properly formatted name; although the TLD is pretty long,
    it's still formatted correctly. The long name threw me off when I first
    looked at it.

    Sorry about the confusion!!

    But remember, never use the ISP's DNS!!!

    Curious, does the server have more than one NIC, IP or RRAS on it?

    Ace
     
    Ace Fekay [MCT], Aug 4, 2009
    #23
  4. I changed the DNS search order so that my Windows 2003 Server's DNS is
    first, and my ISP is second. How do I set it back to the ISP's primary AND
    their secondary too???
     
    Patrick Whittle, Aug 4, 2009
    #24
  5. Only one NIC & one IP, but it does have RRAS.

    Run this: %systemroot%\system32\mstsc.exe
    ...and connect to: 24.57.255.110

    It's also running IIS: http://24.57.255.110/
     
    Patrick Whittle, Aug 4, 2009
    #25
  6. Meinolf Weber [MVP-DS], Aug 4, 2009
    #26
  7. Hello Patrick,

    So your Domain controller is full in the internet without any firewall? Well
    hopefully none will crack it, then full control over your environment is
    lost.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Aug 4, 2009
    #27
  8. DMZ
     
    Patrick Whittle, Aug 4, 2009
    #28
  9. Hello Patrick,

    But still a DC, the heart of your domain.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Aug 4, 2009
    #29
  10. Thanks, but that's not it. My DNS Search order is screwed up. Primary is
    POINTING TO MY BOX, and secondary to my ISP. I'm trying to make both
    primary&secondary my ISP servers.
     
    Patrick Whittle, Aug 4, 2009
    #30
  11. Hello Patrick,

    Do what you like, i give up. Sorry that we are not able to help you.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Aug 4, 2009
    #31

  12. Patrick,

    We've mentioned this multiple times. You cannot use the ISP's DNS on your DC
    or any other machine.

    It's quite possible that there's a problem with the newsreader you're using
    that you are not able to read that part of it, it's getting truncated, or
    something. Otherwise, I may have to conclude you don't believe us and are
    ignoring the suggestions.

    If you don't believe the following Microsoft articles regarding this, then I
    don't know what to say, other than I hope you work it out with what you
    believe.

    825036 - Best practices for DNS client settings in Windows 2000 Server and
    in Windows Server 2003 (including how-to configure a forwarder):
    http://support.microsoft.com/kb/825036

    291382 - Frequently asked questions about Windows 2000 DNS and Windows
    Server 2003 DNS
    http://support.microsoft.com/?id=291382

    Ace
     
    Ace Fekay [MCT], Aug 4, 2009
    #32
  13. What's a DC doing in a DMZ??

    If RRAS is installed on a DC, it constitutes a multihomed DC.

    Microsoft article on this:

    292822 - Name Resolution and Connectivity Issues on Windows 2000 Domain
    Controller with Routing and Remote Access and DNS Installed [DNS and RRAS
    and unwanted IPs registering]:
    http://support.microsoft.com/?id=292822

    Good luck!

    Ace
     
    Ace Fekay [MCT], Aug 4, 2009
    #33
  14. I'm not quite sure if you're ignoring all the other advice in this
    thread or just trolling, but to reiterate, Active Directory *will not
    work* unless you use DNS servers that accept dynamic updates.

    Does your ISP accept dynamic updates?
     
    Dave Warren, Aug 5, 2009
    #34
  15. I can see why Ace and Meinolf have given up on you, but here is one last
    try.

    Never multihome a DC/DNS server. Do not use it for remote access, because
    it then becomes multihomed as soon as a remote user connects. This will
    cause all sorts of odd problems with name resolution and browsing. For
    details see KB 292822.

    Running a server on a private LAN behind a DSL "router" is fine as long as
    you do not use Active Directory. If you want to use AD you cannot use the
    default setup. You must use a local DNS server for AD, because this DNS
    contains the records AD uses to find AD resources, including how to find the
    DC. This information cannot be stored in your ISP's DNS. This is why you had
    trouble joining your client to the domain.

    Your AD clients (and the DC itself) must use the local DNS server ONLY.
    To access "foreign" URLs you configure forwarders on this local DNS to a
    public DNS server, such as the one at your ISP. The local DNS will forward
    requests to this DNS on the client's behalf. The AD members should not have
    any reference to any DNS server except your local DNS.

    When you promoted the server to a DC, did you accept the offer to set up
    DNS for you? If you did, your local DNS will have all the AD records
    configured. All you need to do is make sure that your machines use this DNS
    only.
     
    Bill Grant, Aug 5, 2009
    #35
  16. My 2003 Server ended up sending its newly added DNS service info to my
    router. The router replaced its Primary DNS Server address with that of my
    server!
    I corrected this manually.
     
    Patrick Whittle, Aug 5, 2009
    #36
  17. My ISP refreshed their DHCP after my router debacle. They are still sending
    me primary/secondary info., and their system sent me all addresses after I
    cycled my router. I think this is how my ISP picked up on the
    "primary/secondary" scenario. Did my router send a BOOTP or something?
     
    Patrick Whittle, Aug 5, 2009
    #37
  18. With all due respect, I don't even know what this means.

    Ace
     
    Ace Fekay [MCT], Aug 5, 2009
    #38
  19. I'll take one more stab at this.

    Patrick, CAREFULLY read each sentence, please, and specifically comment on
    each sentence. This way at least I know you are reading the post.

    If your router's OUTSIDE interface is getting a DHCP address from the ISP,
    that is normal. Let it get its IP and DNS configuration from the ISP. Leave
    the OUTSIDE interface (also called the WAN interface) alone as they've told
    you to configure it.

    For the INSIDE interface (also called the LAN interface), YOU would manually
    set a STATIC configuration with an IP address and subnet mask for your
    INSIDE network. This MUST be set to static. For DNS address on the INSIDE
    LAN interface, it does NOT matter what you set it to. It could be your
    ISP's, it could be your server.

    If you have set the LAN interface to get an IP configuration automatically,
    then it *somewhat* makes sense trying to understand your post that it is
    receiving the IP address of your internal DNS server. If this is the case,
    change it to STATIC or MANUAL (consult your router's documentation for the
    terminology it uses) and set up the IP address manually for the internal IP
    address.

    The LAN IP address you set in the router, becomes the GATEWAY address for
    all of your internal machines.

    In your internal machines, ONLY use YOUR server for DNS.

    I hope that makes sense.

    If this does not, please explain and elaborate, even draw a picture of your
    router, your server, and your workstation, with arrows pointing to each
    interface and the IP addresses, subnet mask, gateway address, and DNS
    addresses used on each interface, that are on it and post it somewhere, such
    as www.sendspace.com, with a link we can click on to download and view the
    picture.

    Ace
     
    Ace Fekay [MCT], Aug 5, 2009
    #39
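    A way to check the configuration Ace and Bill describe (every AD member and the DC pointing only at 192.168.0.101, the ISP's 24.226.1.93 present only as a forwarder, and the dynamic-update requirement Dave mentions), as an added example that is not code from this thread or from Microsoft. It assumes it runs as an administrator on the Windows Server 2003 DC that hosts DNS, under PowerShell 2.0, using the WMI DNS provider and dnscmd; the two addresses are the ones quoted in the thread.

```powershell
# Added example, not from the thread. Assumes (from the thread): internal DNS is
# 192.168.0.101 and the ISP resolver 24.226.1.93 may appear only as a forwarder.
# Runs on the Windows Server 2003 DC that hosts DNS, PowerShell 2.0, via WMI.
param(
    [string[]] $AllowedDns         = @('192.168.0.101'),
    [string[]] $ExpectedForwarders = @('24.226.1.93'),
    [switch]   $Fix   # repair instead of only reporting
)
$problems = @()

# 1. DNS client settings: every IP-enabled adapter may list only internal DNS.
$adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
if ($adapters.Count -gt 1) {
    $problems += "Multihomed DC: $($adapters.Count) IP-enabled adapters (KB 292822)"
}
foreach ($a in $adapters) {
    $bad = @($a.DNSServerSearchOrder | Where-Object { $AllowedDns -notcontains $_ })
    if ($bad.Count -gt 0) {
        $problems += "$($a.Description): external DNS in client settings: $($bad -join ', ')"
        if ($Fix) { [void] $a.SetDNSServerSearchOrder($AllowedDns) }
    }
}

# 2. DNS server: the ISP resolver belongs in the Forwarders tab and nowhere else.
$srv = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server
$missing = @($ExpectedForwarders | Where-Object { $srv.Forwarders -notcontains $_ })
if ($missing.Count -gt 0) {
    $problems += "Forwarder(s) not configured: $($missing -join ', ')"
    if ($Fix) { & dnscmd /ResetForwarders $ExpectedForwarders }
}

# 3. AD needs zones that accept dynamic updates (Dave's point). MicrosoftDNS_Zone:
#    ZoneType 0 = AD-integrated, 1 = standard primary; AllowUpdate 0 = none,
#    1 = nonsecure and secure, 2 = secure only.
Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
    Where-Object { -not $_.Reverse -and $_.ZoneType -le 1 -and $_.AllowUpdate -eq 0 } |
    ForEach-Object { $problems += "Zone $($_.ZoneName) does not accept dynamic updates" }

if ($problems.Count -eq 0) {
    'OK: DNS client, forwarder and zone settings match the advice in this thread.'
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}
```

    Without -Fix the script only reports; the same checks can be run on each client (step 2 and 3 are DC-only) to confirm that no ISP address survives in the client DNS list.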
  20. My router's OUTSIDE interface is getting a DHCP address from the ISP. For
    my INSIDE interface I have a static (ever since the server was first
    installed 6+ months ago) on the Microsoft 2003 (Datacenter Edition) Server.
    This is the only internal host that has a static IP. It's curious that you
    say DNS servers can be both ISP & internal. Does this mean my server box
    (192.168.0.101) could have the DNS service set to the OUTSIDE address?

    +--- Microsoft 2003 Server
    ¦ ¦ +--- DNS Service
    ¦ ¦
    ¦ +---Router
    ¦ ¦ +--- WAN
    ¦ ¦ ¦ +--- DNS (Primary & Secondary)
    ¦ ¦ ¦ +--- DHCP
    ¦ ¦ ¦
    ¦ ¦ +---LAN
    ¦ ¦ ¦ +--- DHCP
    ¦ ¦ ¦

    While setting up my internal DNS, I came to know that AD needs its own DNS
    server (must be at least one in the domain). I didn't know that Microsoft
    implemented their own DNS around AD. Since ICANN has been around since
    before internet became a "home computer network" ...Microsoft has sure
    mutated DNS.
     
    Patrick Whittle, Aug 5, 2009
    #40
