Unable to login into SBS 2003 Domain server

Discussion in 'Active Directory' started by Jeff, Apr 17, 2009.

  1. Jeff

    Jeff Guest

    Problem:
    1. Vista workstations are configured for DHCP but cannot get an IP address
    from the SBS Server/DC
    2. Vista & XP Workstations cannot access their email via Outlook
    3. Workstations cannot remote desktop to SBS server/Domain controller
    4. SBS/DC Server (ABCSBS01)

    We think the problem is with the DNS setup, however nothing has changed on
    it. Recently we noticed a few

    Environment:
    • Vista SP1 workstations with Office/Outlook 2007
    • XP SP2 & SP3 workstations with Office/Outlook 2003
    • Win 2003 SBS Server SP2 with Exchange, is Domain Controller & DNS Server
    DHCP Server (SBS/DC) (192.168.0.2 & 192.168.0.8). No Windows firewall
    (ABCSBS01)
    • Win 2003 File Server, also a Domain Controller (192.168.0.3). No Windows
    Firewall. (ABCFS01)
    • Motorola Surfboard Cable Modem – DHCP is disabled (192.168.100.1)
    • Smoothwall firewall (192.168.0.1)

    Recent maintenance tasks on server
    The only maintenance task done on the SBS/DC was to swap the EXCHSRVR disk
    that contains the MDBData files. No program file locations were changed.
    After stopping the Exchange services, these files were relocated to a new
    disk and the disk was allocated the same drive letter as the former disk.
    All the Exchange services start without error and we can access the Exchange
    mail box via OWA on the SBS/DC.

    Connectivity tests

    Workstations
    • Vista workstations attempt to log on to the SBS and get a 169.254.* IP
    address.
    • On Vista workstations, Connection-specific DNS suffix is blank in
    IPconfig.
    • When doing Network Diagnostics, we get Windows cannot find “ABCSBS01”
    Click for more information about DNS.
    • When doing ipconfig /displayDNS, Name does not exist appears in relation
    to all the DNS servers that are described in our DNS setup (viz ABCSBS01,
    ABCFS01, _kerberos._tcp.dc._msdcs.ABC.local,
    _ldap._tcp.dc._msdcs.ABC.local). Many external web sites are listed here also.
    • Have done Ipconfig /flushDNS, Ipconfig /registerDNS
    • XP workstations can get a valid 192.168 ip address but cannot access
    Exchange via Outlook. Connection-specific DNS suffix is not blank in IPconfig
    • If we configure a Vista Workstations with Fixed IP address, it can access
    the domain resources (files & folders on the file server) but cannot access
    email on the exchange server. Either a local PST is opened or a workstation
    issues the error Microsoft Exchange server is unavailable. Retry/Work
    offline/Cancel.
    • Can remote desktop to the ABCFS01 File server but not to the SBS/DC ABCSBS01
    • From any workstation, when we attempt to ping the SBS/DC – via IP address
    or workstation name, we get time-outs
    • When doing NSLookup <DC name> we get a DNS request timeout with Server
    UnKnown however the correct Ip address of the DNS server is returned.
    • Only some workstations are displayed in Network leaf of Explorer.


    SBS/DC (ABCSBS01) – Connectivity
    • When doing IPConfig, we get 2 IP addresses returned for the same NIC
    (192.168.0.2 & 192.168.0.8). This has been the case for a very long time
    without problem. The old IP address that probably was used by an old NIC is
    displaying along with the current IP address.
    • When pinging itself via w/station name – viz ABCsbs01, we get the valid ip
    address returned. When we ping that same IP address, we get the workstation
    name returned
    • When we ping the additional IP address, we also get successful
    • Can access the File server file via Remote Desktop and can access files &
    folders on the file server
    • Can access the internet

    DHCP – services are started
    Net Logon services are started pm

    I don't believe we have any group policies that would be preventing us from
    logging in.

    DNS Setup
    The server name ABCSBS01.local appears with every occurrence of the valid
    IP address (192.168.0.2). The old IP address (192.168.0.8) is also listed
    with the server name in the DNS setup along with the current IP address of the
    server in DomainDNSZones & ForestDNSZones in the DNS setup

    We have done, Ipconfig /FlushDNS, Ipconfig /RegisterDNS, DCDiag /FIX, Net
    stop netlogin, Net Start netLogin.

    When we run DCDiag again, we still get the error GUID <Long
    Number>._msdcs.jsr.local) couldn't be resolved, the server name
    (jsrsbs01.jsr.local) resolved to the IP address (192.168.0.2) and was
    pingable. Check that the IP address is registered correctly with the DNS
    server. ABCSBS01 failed test Connectivity

    Other DCDiag tests pass.

    Where do we enter the name of the server to overcome the UnKnown error in
    the DNS name?

    We have looked through the event logs and haven’t found anything that looks
    particularly informative.

    Where else do we need to check/look to overcome the login problem which I
    believe is preventing Access to the Exchange mail boxes via Outlook?
     
    Jeff, Apr 17, 2009
    #1

  2. An unedited ipconfig /all from your server and a workstation would be
    helpful here.
    Get rid of that 2nd IP address. Reboot everything. See if it helps. It
    should.
    It is a problem and it needs to be gotten rid of...I don't know why things
    would've been working right before.
    This is a nice amount of detail but unfortunately it is difficult to make
    sense of such a long post. I hope my advice above helps.
     
    Lanwench [MVP - Exchange], Apr 17, 2009
    #2

  3. Jeff

    kj [SBS MVP] Guest

    (Adding in microsoft.public.windows.server.sbs)

    Do you possibly have ISA 2004 and recently applied MS09-012?
     
    kj [SBS MVP], Apr 17, 2009
    #3
  4. Hello jeff,

    I agree with Lanwench, an unedited ipconfig /all from DC/DNS and a more functional
    workstation could be helpful. Also if the DC has 2 ip addresses on the NIC,
    that should be removed.

    Best regards

    Meinolf Weber


     
    Meinolf Weber [MVP-DS], Apr 17, 2009
    #4
  5. Jeff

    Jeff Guest

    Hi,

    Thank you for your replies.

    ISA is not installed on the network.

    Here is the IPConfig from a workstation that I've configured for Static IP.
    On this workstation I still cannot remote desktop to the SBS/DC or access
    Exchange/email on it.

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : ABCQ66
    Primary Dns Suffix . . . . . . . : abc.local
    Node Type . . . . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : abc.local

    Ethernet adapter Local Area Connection 4:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : TAP-Win32 Adapter V9
    Physical Address. . . . . . . . . : 00-FF-62-40-60-CE
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Realtek RTL8168B/8111B Family PCI-E
    Gigabit Ethernet NIC (NDIS 6.0)
    Physical Address. . . . . . . . . : 00-19-DB-F5-2F-B3
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::9dbd:7262:29d8:18b9%8(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.0.11(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.0.1
    DNS Servers . . . . . . . . . . . : 192.168.0.2
    61.9.194.49
    61.9.195.193
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 16:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . :
    isatap.{624060CE-7AFC-464F-B013-BCD08D158A9C}
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 17:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . :
    isatap.{35C3329A-1451-418C-99E2-7B2B413302B3}
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 18:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 02-00-54-55-4E-01
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv6 Address. . . . . . . . . . . :
    2001:0:cf2e:3096:2845:2851:3f57:fff4(Preferred)
    Link-local IPv6 Address . . . . . :
    fe80::2845:2851:3f57:fff4%23(Preferred)
    Default Gateway . . . . . . . . . : ::
    NetBIOS over Tcpip. . . . . . . . : Disabled

    NSLookup on the same PC looks like this:

    DNS request timed out.
    timeout was 2 seconds.
    Default Server: UnKnown
    Address: 192.168.0.2

    --------------------

    Here is the IPconfig from a laptop that is configured for DHCP:

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : T61
    Primary Dns Suffix . . . . . . . : abc.local
    Node Type . . . . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : abc.local

    Wireless LAN adapter Wireless Network Connection:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
    Physical Address. . . . . . . . . : 00-1F-3B-AF-B0-49
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) 82566MM Gigabit Network
    Connection
    Physical Address. . . . . . . . . : 00-1C-25-BA-E2-1E
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . :
    fe80::184e:37ee:f925:b2fc%10(Preferred)
    Autoconfiguration IPv4 Address. . : 169.254.178.252(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . : 192.168.0.1
    DNS Servers . . . . . . . . . . . : 192.168.0.2
    61.9.194.49
    61.9.195.193
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 7:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . :
    isatap.{40391962-23E1-4E39-83C9-105332B77200}
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 12:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    ----------------------------

    Here is IPConfig from the DNS server:

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : abcsbs01
    Primary Dns Suffix . . . . . . . : abc.local
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : Yes
    DNS Suffix Search List. . . . . . : abc.local

    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Server Adapter
    Physical Address. . . . . . . . . : 00-04-23-B9-AF-15
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.0.2
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.0.1
    DNS Servers . . . . . . . . . . . : 61.9.194.49

    I have checked the DHCP server is running & authorised. The only entries
    in the DHCP logs are events 24 & 25. I checked Scope Option 15 has abc.local
    specified in the value and 192.168.0.2 is specified in scope 006 (DNS Server)
    & 044 (Wins/Netbios).


    Both 192.168.0.2 & 192.168.0.8 were configured for the same NIC. When I
    deleted 192.168.0.8 I received a message that that IP was allocated to a NIC
    that was no longer available. But since 192.168.0.8 has been removed from
    the NIC and from the DNS entries and rebooted we still have the same problem
    and can't access Exchange or access shares on SBS/DC or access SBS/DC via
    remote desktop.

    Thanks,
    Jeff
     
    Jeff, Apr 18, 2009
    #5


  6. Hello Jeff,

    I've been following your thread, and when I first read it, I said to myself,
    as Meinolf and the only main reason that one can't login to a domain is
    because of DNS. And looking at the ipconfigs, now I see why.

    The two outside DNS servers are causing all of the problems. They are these
    servers:
    61.9.194.49
    61.9.195.193

    And the SBS is using:
    I recommend removing EVERY instance of them on ALL machines. Change it so
    ONLY 192.168.0.2 shows up.

    You can use those two outside addresses as forwarders for more efficient
    internet resolution. This article shows how:
    323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003 :
    http://support.microsoft.com/?id=323380

    Is the SBS your DHCP server? Double check Option 006 and make sure it only
    has 192.168.0.2 as the DNS address it is handing out. If it is only set to
    this address, then I would look at your router to make sure DHCP services
    are not enabled. If so, your clients are getting the incorrect
    configuration. If it is enabled on the router, please disable it.

    Also, it appears that the laptop is getting this IP address:
    The 169.254.x.x address is what we call the APIPA address (the automatic
    Private IP Address) that a machine will give its NIC when a DHCP server is
    not available. So I can see why this laptop may not be communicating. Find
    out if DHCP is running on the router.


    ==============
    So by now you are wondering why the big deal with DNS and not use the ISP's
    DNS addresses. Well, if you have a little time, the following is a nice read
    with a background on DNS and AD to help understand the inter-relationship a
    little better.

    First, just to get this out of the way, if you have your ISP's DNS addresses
    in your IP configuration (DCs and clients), they need to be REMOVED. If the
    ISP's DNS is in there, this will cause problems. I usually see errors (GPOs
    not working, can't find the domain, RPC issues, etc), when the ISP's DNS
    servers are listed on a client, DCs and/or member servers, or with
    multihomed DCs. If you have an ISP's (or some other outside DNS server or
    even using your router as a DNS server) DNS addresses in your IP
    configuration (all DCs, member servers and clients), they need to be REMOVED
    and ONLY use the internal DNS server(s). This can be very problematic.

    Basically, AD requires DNS. DNS stores AD's resource and service locations
    in the form of SRV records, hence how everything that is part of the domain
    will find resources in the domain. If the ISP's DNS is configured in any
    of the internal AD member machines' IP properties, (including all client
    machines and DCs), the machines will be asking the ISP's DNS "where is the
    domain controller for my domain?", whenever it needs to perform a function,
    (such as a logon request, replication request, querying and applying GPOs,
    etc). Unfortunately, the ISP's DNS does not have that info and they reply
    with an "I dunno know", and things just fail. Unfortunately, the ISP's (or
    your router as a DNS server) DNS doesn't have information or records about
    your internal private AD domain, and they shouldn't have that sort of
    information.

    If you mix the internal DNS and an external DNS, it is not good. This is because
    of the way the resolver service works on all machines (DCs and clients):
    If the server gets a response, even if it is a negative ('not found')
    response, it's a response and will not go to the alternate. If after the
    query to the first one times out (after 3 tries), it removes it from the
    'eligible' resolvers list and then goes to the next one in the order listed.
    It will not go back to the first one until a specified timeout period
    (forget how long) unless one of three other things happen: restart the
    machine, restart the DNS Client Service or DHCP Client Service, or set a reg
    entry to force the TTL to reset the list after each query.

    Also, AD registers certain records in DNS in the form of SRV records that
    signify AD's resource and service locations. If a domain controller has
    multiple NICs, each NIC registers. If a client, or another DC queries DNS
    for this DC, it may get the wrong record. One factor controlling this is
    Round Robin. If a DC or client on another subnet that the DC is not
    configured on queries for it, Round Robin will kick in offering one or the
    other. If the wrong one gets offered, it may not have a route to it. On the
    other hand, Subnetmask Prioritization will ensure a querying client will get
    an IP that corresponds to the subnet it's on, which will work. To ensure
    everything works, stick with one NIC.

    These articles explain AD and DNS best practices in more detail:
    825036 - Best practices for DNS client settings in Windows 2000 Server and
    in Windows Server 2003:
    http://support.microsoft.com/?id=825036

    DNS and AD (Windows 2000 & 2003) FAQ:
    http://support.microsoft.com/?id=291382

    I hope this helps.


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer


    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [Microsoft Certified Trainer], Apr 18, 2009
    #6
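Added example (not part of the thread and not any poster's code): a small Python check that parses `ipconfig /all` text and flags the two conditions discussed above, DNS servers other than the internal one and a 169.254.x.x autoconfiguration address. The sample input is constructed from the laptop output quoted in the thread; the function names and the `internal_dns` parameter are assumptions of this example.

```python
import ipaddress
import re

# "Key . . . . : value" -- ipconfig pads each key with dots before the colon.
KV = re.compile(r"^\s*([^:]+?)(?:\s*\.)+\s*:\s*(.*)$")
APIPA = ipaddress.ip_network("169.254.0.0/16")


def parse_ipconfig(text):
    """Return {section: {key: [values]}}; wrapped lines join the previous key."""
    sections = {}
    current = sections.setdefault("global", {})
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KV.match(line)
        if m:
            last_key = m.group(1).strip()
            value = m.group(2).strip()
            current[last_key] = [value] if value else []
        elif line.endswith(":") and " adapter " in line:
            # e.g. "Ethernet adapter Local Area Connection:"
            current = sections.setdefault(line[:-1], {})
            last_key = None
        elif last_key is not None:
            # Continuation line: extra DNS servers, wrapped descriptions.
            current[last_key].append(line)
    return sections


def audit(text, internal_dns):
    """Return (adapter, issue, address) findings for connected adapters."""
    allowed = {ipaddress.ip_address(a) for a in internal_dns}
    findings = []
    for name, kv in parse_ipconfig(text).items():
        if name == "global" or "Media disconnected" in kv.get("Media State", []):
            continue
        for key, values in kv.items():
            for value in values:
                try:
                    # Drop "(Preferred)" and any IPv6 zone id such as "%10".
                    addr = ipaddress.ip_address(value.split("(")[0].split("%")[0])
                except ValueError:
                    continue
                if addr.version != 4:
                    continue
                if key == "DNS Servers" and addr not in allowed:
                    findings.append((name, "non-internal DNS server", str(addr)))
                elif key.endswith(("IPv4 Address", "IP Address")) and addr in APIPA:
                    findings.append((name, "APIPA address (no DHCP lease)", str(addr)))
    return findings


# Constructed sample, abridged from the DHCP laptop output posted in the thread.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : T61
   Primary Dns Suffix  . . . . . . . : abc.local

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   DHCP Enabled. . . . . . . . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82566MM Gigabit Network
   Connection
   DHCP Enabled. . . . . . . . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::184e:37ee:f925:b2fc%10(Preferred)
   Autoconfiguration IPv4 Address. . : 169.254.178.252(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.2
                                       61.9.194.49
                                       61.9.195.193
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for adapter, issue, address in audit(SAMPLE, ["192.168.0.2"]):
        print(f"{adapter}: {issue}: {address}")
```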
  7. Hello jeff,

    Remove the 61.9.194.49 and 61.9.195.193 from the NIC configuration on ANY
    domain machine.

    These are your ISP's DNS server I assume, they should be configured on the
    FORWARDERS tab in the DNS server properties with the DNS management console.
    The DNS server has to point to itself as preferred DNS not to the ISP's
    DNS server.

    Additionally, remove the IPv6 addresses or better disable, at least uncheck
    the IPv6, on the local area connection properties of the NIC.

    Disable unused NICs which set their APIPA address 169.254.x.x; they register
    with that address also in DNS and create conflicts.


    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Apr 18, 2009
    #7
  8. Jeff

    Jeff Guest

    Thanks. I deselected the V6 IP and also removed the external (ISP) IP
    addresses from the DNS settings of the workstation so just the local DNS
    Server Ip is there. But I still cannot connect to it.

    When doing ipconfig /renew from that workstation, I get the error "An error
    occurred while renewing interface Unable to contact your DHCP server.
    Request time out."

    I have removed the ISP IPs from the server DNS settings and ensured the
    Server DNS was pointing to itself. The ISP's IPs were also already in the
    DNS Forwarders.

    Because none of the server DHCP & DNS configurations have changed apart
    from the above, I'm thinking the problem must be something more obvious.

    DHCP is running and authorised. It is the only DHCP server on the network.
    When I look at the statistics on it, it shows Nil Discovers, Offers,
    Requests, Acks, Nacks, Declines etc.

    The DNS server also passes the database consistency checks. The recursive
    and simple DNS tests pass.

    It also seems odd that when I set a workstation a fixed IP of 192.168.0.*, I
    still can't ping the SBSDC or remote desktop to it. But I can ping that
    workstation from the SBSDC and remote desktop from the SBSDC to another
    workstation.

    Thanks,

    Jeff
     
    Jeff, Apr 19, 2009
    #8
  9. Jeff

    Jeff Guest

    IpConfig /all from the SBS DC is now:

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : abcsbs01
    Primary Dns Suffix . . . . . . . : abc.local
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : Yes
    DNS Suffix Search List. . . . . . : abc.local



    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Server Adapter
    Physical Address. . . . . . . . . : 00-04-23-B9-AF-15
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.0.2
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.0.1
    DNS Servers . . . . . . . . . . . : 192.168.0.2


    Here is an IPconfig from a workstation:


    Windows IP Configuration

    Host Name . . . . . . . . . . . . : T61
    Primary Dns Suffix . . . . . . . : abc.local
    Node Type . . . . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : abc.local

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) 82566MM Gigabit Network
    Connection
    Physical Address. . . . . . . . . : 00-1C-25-BA-E2-1E
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Autoconfiguration IPv4 Address. . : 169.254.178.252(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . : 192.168.0.1
    DNS Servers . . . . . . . . . . . : 192.168.0.2
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Thanks,
    Jeff
     
    Jeff, Apr 19, 2009
    #9
  10. Hello jeff,

    Please also answer my questions. How many DHCP servers do you have running?

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Apr 19, 2009
    #10
  11. Jeff, have you confirmed that the DHCP service on your router is disabled?

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 19, 2009
    #11

  12. Jeff,

    The server ipconfig looks good. The workstation does not. See the
    169.254.x.x address? It's saying it cannot get a configuration from a DHCP
    server. It appears there is more than one DHCP service running causing a
    conflict.

    Also, is RRAS installed and running on the SBS? I've seen where RRAS if
    installed and misconfigured, will cause the SBS to not be able to
    communicate properly.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 19, 2009
    #12
  13. Jeff

    Jeff Guest

    Hi Ace,

    Yes, The DHCP on the cable modem is disabled.

    Jeff


     
    Jeff, Apr 19, 2009
    #13
  14. Good.

    What is the IP range you've created in your Windows DHCP scope?

    Also, did you see my other question regarding RRAS?

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 19, 2009
    #14
  15. Jeff

    Jeff Guest

    Hi Meinolf,

    The SBSDC (abcsbs01) is the only DHCP server and it is authorised & running.
    DHCP is disabled on the cable router. Our file server (abcfs01) is also
    setup to be a DC /replicate AD, but I'm not sure how well that works as we
    cannot access the file server (abcfs01) if the SBSDC is down. The file server
    (abcfs01) doesn't have DHCP or DNS installed on it.

    Thanks,
    Jeff
     
    Jeff, Apr 19, 2009
    #15

  16. Actually, that is the way it works. The SBS server is your domain
    controller, therefore it authenticates all access requests to anything in
    the domain, from shares and other resources (printers, etc) on itself, to
    shares and other resources (printers, etc), on all other machines that are
    joined to the domain. If it is down, and all DNS records point to it, then
    it will not be able to authenticate. This may also point to an issue with
    abcfs01 possibly not registering properly in DNS.

    Please post an ipconfig /all of abcfs01.

    I would recommend to install DNS on abcfs01. Once installed, allow
    replication to occur (do not manually create any zones), and wait for the
    zone to automatically show up. This may take up to 30 minutes. Then setup
    the NIC on each domain controller so the first DNS address is itself (its
    own IP), and the second IP is the other domain controller.

    Back to DHCP. We have to find out why DHCP is not giving an IP address to
    your workstations. I had a previous question regarding RRAS and what the IP
    range is set to for the DHCP scope.

    Hopefully between Meinolf and I, we'll eventually get this thing going for
    you.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 20, 2009
    #16
  17. Jeff

    Jeff Guest

    Hi Ace,

    The DHCP on the cable router & on the Smoothwall firewall are disabled.
    I’ve also shutdown the cable modem & smoothwall firewall and attempted to
    login as part of my tests.

    I’ve shut them I looked at RRAS. Yes it is installed but there don’t seem
    to be any policies that could prevent login. There are 3 default remote
    access policies - Mobile users, connections to routing & remote access
    servers & login time restrictions which allow 24/7. But I did stop it and
    attempted to log in from a Vista PC and still couldn't & the local DNS server
    name doesn’t display when doing IPCOnfig from that workstation.

    I've started RRAS again. The settings look correct. The 7 ports in use
    are WAN miniport VPNs, PPPoe & parallel.
    IP routing –General
    Loopback - 127.0.01,
    Local Area Connection – Dedicated -
    Enable IP Router Manager
    Use IP address has 192.168.0.2 (SBSDC).
    Multicast heartbeat & broadcast have no entries, not enabled
    Internal interfaces – IP Manager enabled but nothing specified

    Static routes – nothing specified

    I looked again at the DHCP setup and it appears correct
    Scope has 192.168.0.1 through 192.168.0.254. On the DNS tab, Enable DNS
    dynamic updates is not selected. “Dynamically update DNS A & PTR Records if
    specifically requested by DHCP clients” is ticked and greyed out.
    DHCP only is ticked on the Advanced tab.

    But going back to basics – I can’t ping the SBSDC (either IP or w/s name)
    from any other PC on the Lan, but the SBSDC can ping any PC on the LAN.

     
    Jeff, Apr 20, 2009
    #17
  18. Jeff,

    Good, DHCP on your two other devices is disabled.

    RRAS was just a possible cause. It looks like the settings are fine.

    For DHCP, the scope is overlapping existing IP addresses, such as your
    router (192.168.0.1), and your two servers (192.168.0.2 and the other
    server, which I think is 192.168.0.3). This will cause conflicts and may be the
    cause of why the workstations can't get an IP. You may have to delete the
    scope and re-create it, with settings such as:
    Scope: 192.168.0.100 - 192.168.0.254
    Option 003 = 192.168.0.1
    Option 006 = 192.168.0.2 and 192.168.0.3 (for the other DC after you install
    DNS on it)
    Option 015 = abc.local

    If you are using RRAS, I would suggest to use WINS so the remote users will
    be able to browse server shares and resources. If you do install WINS, add
    the following to Scope options:
    Option 044 = 192.168.0.2
    Option 046 = 0x8

    Getting closer. Also, I haven't seen the ipconfig /all of the other server.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 20, 2009
    #18
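Added example (not part of the thread and not any poster's code): a Python check for the overlap described above, listing statically addressed hosts that fall inside a DHCP lease range and grouping them into contiguous address runs. The addresses are the ones quoted in the thread; the host labels and function names are assumptions of this example.

```python
import ipaddress


def scope_conflicts(scope_start, scope_end, static_hosts):
    """Return {name: address} for static hosts that fall inside the lease range."""
    lo = ipaddress.ip_address(scope_start)
    hi = ipaddress.ip_address(scope_end)
    if lo > hi:
        raise ValueError("scope start is above scope end")
    return {name: addr for name, addr in static_hosts.items()
            if lo <= ipaddress.ip_address(addr) <= hi}


def contiguous_ranges(addresses):
    """Collapse addresses into sorted (first, last) runs of consecutive IPs."""
    ips = sorted({ipaddress.ip_address(a) for a in addresses})
    runs = []
    for ip in ips:
        if runs and int(ip) == int(runs[-1][1]) + 1:
            runs[-1][1] = ip          # extends the current run
        else:
            runs.append([ip, ip])     # starts a new run
    return [(str(first), str(last)) for first, last in runs]


# Static addresses mentioned in the thread; the labels are for this example only.
STATIC_HOSTS = {
    "smoothwall": "192.168.0.1",
    "abcsbs01": "192.168.0.2",
    "abcfs01": "192.168.0.3",
    "abcq66": "192.168.0.11",
}

if __name__ == "__main__":
    # Scope as reported in post #17, then the range suggested in post #18.
    for start, end in (("192.168.0.1", "192.168.0.254"),
                       ("192.168.0.100", "192.168.0.254")):
        hits = scope_conflicts(start, end, STATIC_HOSTS)
        print(f"scope {start}-{end}: {len(hits)} static host(s) inside")
        for first, last in contiguous_ranges(hits.values()):
            print(f"  overlapping run: {first} - {last}")
```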
  19. Jeff

    Jeff Guest

    Hi Ace,

    Thanks again to you and Meinolf. I know we're getting there. Thanks
    also for explaining the authentication and earlier issues. I thought if the
    F/S was also setup as a DC replicating AD from the Primary, it would
    authenticate if the SBSDC was down.

    Here is the ipconfig from the abcfs01. I'm about to install DNS on it as
    you recommend.

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : abcfs01
    Primary Dns Suffix . . . . . . . : abc.local
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : abc.local

    Ethernet adapter Local Area Connection:


    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
    Physical Address. . . . . . . . . : 00-0C-76-A0-0B-12
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.0.3
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.0.1
    DNS Servers . . . . . . . . . . . : 192.168.0.2


    Jeff.
     
    Jeff, Apr 20, 2009
    #19
  20. It can answer authentication, if DNS is installed on it and the IP is set on
    the client machines so the clients can find and use it. DNS is the *key* to
    AD.

    As mentioned earlier, I recommend to install DNS on it, wait 30 minutes,
    make DNS on it as itself as the first entry, then the SBS as the second.
    Make this the second entry on the SBS.

    Did you change the scope range yet?

    Once you install DNS on the other server, change Scope Option 006 to:
    192.168.0.2 and 192.168.0.3

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 20, 2009
    #20