  • goodlookin1
    Veteran Member
    • Apr 2009
    • 2557

    Anyone Here know Domain and DNS Configuration? - IT WORKS!!!

    Here's the problem. So I'm setting up a new server for a friend of mine. I picked out a Dell blade server (R320). Comes with Windows Server 2012. I also set him up with a new Zyxel USG 50 firewall router. Currently, the Zyxel Firewall is creating the "network", in that it is giving out the DHCP and the primary DNS to all the workstations. It was my intention to create a Domain environment for the users because it is much easier to manage and manipulate, not to mention the enhanced security features.

    Anyhow, I'm trying to set up this stupid Domain and it is just not working. I went step by step.....pretty easy, really. It automatically installed the proper DNS records and everything went without a hitch. Or so I thought.

    I cannot for the life of me get another computer on the network to resolve the Domain name! I disabled IPv6 on the server's NIC thinking it might be causing issues, but no dice. I added and re-added forward and reverse lookup zones in the DNS manager to no avail. I have no idea what is going on. I'm sure it's something stupid, but I've never worked with Server 2012 before and I haven't had issues with previous versions of Windows Server while setting up a Domain.

    I have a hunch that it has everything to do with the DNS setup in that I am doing something wrong. I have never fully understood the concept of local DNS, but it's always pretty much worked just fine.

    What I need to know is this: Can I have the Firewall/Router continue to be the primary DNS for all of the workstations while still being able to have a working Domain? If so, how do I get it (192.168.1.1) to resolve the domain name of the Domain on the Windows Server (192.168.1.10)? A simple NSLOOKUP of the FQDN bears no fruit and says "cannot find the DNS". I even set the workstation's primary DNS to be that of the Windows Server (192.168.1.10), was able to continue having internet access with no issues and could ping NetBIOS devices on the network, but it would not find/resolve the stupid Domain name. So I cannot join anyone to the domain at all....just times out.

    Any ideas from you techies?


    EDIT: It works now!!! See post 38.
    Last edited by goodlookin1; 08-03-2013, 10:11 AM.
    www.FirearmReviews.net
  • #2
    njineermike
    Calguns Addict
    • Dec 2010
    • 9784

    I always put the DNS service originating in the PDC. When all else fails I create a manual HOSTS file.
    Originally posted by Kestryll
    Dude went full CNN...
    Peace, love, and heavy weapons. Sometimes you have to be insistent." - David Lee Roth


    • #3
      d4v0s
      Senior Member
      • Aug 2010
      • 1661

      Your dns on the router needs to send the clients to the server instead of downstream.

      Even better, use the server to handle dhcp scope and all that.
      Originally posted by Franklincollector
      It was administered with a toothpick and placed on a street taco.


      • #4
        d4v0s
        Senior Member
        • Aug 2010
        • 1661

        Forgot to ask: what did you name the domain? Are you sure you have the proper domain name when trying to add clients to the domain?

        • #5
          ocabj
          Calguns Addict
          • Oct 2005
          • 7924

          I'm assuming that when you say the router is providing DNS to the client, you actually mean that the router is simply giving the external (ISP) DNS IP to the client when DHCP lease is given.

          If this is the case, the issue is that your clients aren't using the Windows Server's DNS for name resolution, and therefore have no concept of the Windows AD namespace.

          What you need to do is set the DNS server IP of the clients to the IP of the AD DC. Then the clients will be able to resolve mydomain.local.

          From there, you would add the DNS server IPs of your ISP as forwarders on your DC. Then the clients will be able to get to calguns.net even though the Windows AD DNS won't have calguns.net in its namespace: it will kick it to the ISP DNS for name resolution and then return it to the client.

          Distinguished Rifleman #1924
          NRA Certified Instructor (Rifle and Metallic Cartridge Reloading) and RSO
          NRL22 Match Director at WEGC

          https://www.ocabj.net
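          As an added example (not commands from the thread or from this poster), here is the DC-side forwarder setup and the workstation-side test that this post describes, in Windows Server 2012 PowerShell. 192.168.1.10 is the DC from the thread; the forwarder addresses, the zone name mydomain.local and the interface name "Ethernet" are assumptions.

```powershell
# Added example, not the poster's own commands. Run on the Windows Server 2012 DC.
# The DC's DNS is authoritative for mydomain.local; every other name goes to the forwarders.
Import-Module DnsServer

# Forwarders: placeholder addresses, substitute the ISP's resolvers (or a public resolver).
Add-DnsServerForwarder -IPAddress 203.0.113.53, 203.0.113.54 -PassThru
Get-DnsServerForwarder

# The DC must use itself for name resolution ("Ethernet" is an assumed interface name).
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.1.10

# Confirm the zone and the records a domain join needs actually exist on this server.
Get-DnsServerZone -Name "mydomain.local"
Get-DnsServerResourceRecord -ZoneName "mydomain.local" -RRType A
Get-DnsServerResourceRecord -ZoneName "_msdcs.mydomain.local" -RRType Srv

# --- On a workstation: point DNS at the DC only, then test an internal and an external name ---
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.1.10
Resolve-DnsName -Name mydomain.local -Type A -Server 192.168.1.10 -DnsOnly   # answered locally
Resolve-DnsName -Name calguns.net   -Type A -Server 192.168.1.10 -DnsOnly   # answered via forwarder
```

          The -DnsOnly switch matters for the test: without it, Resolve-DnsName will also try LLMNR and NetBIOS, which can make a broken DNS setup look like it works. On the firewall, the only outbound port-53 traffic you need to permit is from the DC to the forwarders; the workstations should not need to reach the ISP's resolvers directly at all.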


          • #6
            goodlookin1
            Veteran Member
            • Apr 2009
            • 2557

            Originally posted by d4v0s
            forgot to ask what did you name the domain? Are you sure you have the proper domain name when trying to add clients to the domain?
            The router has 4 outputs that can create different subnet networks on each port, which is a must because this particular business has a second business in the same office and the two shouldn't be "talking" to each other. This is why I want to use the router as the DHCP vs the server.

            I tried both "mydomain" and "mydomain.local". The fully qualified domain name is "mydomain.local". I am positive I typed it in correctly. I did it multiple times from different PCs, as well as the NSLOOKUP and ping function. None were able to find the local Domain.
            Last edited by goodlookin1; 07-31-2013, 9:13 PM.

            • #7
              goodlookin1
              Veteran Member
              • Apr 2009
              • 2557

              Originally posted by ocabj
              I'm assuming that when you say the router is providing DNS to the client, you actually mean that the router is simply giving the external (ISP) DNS IP to the client when DHCP lease is given.

              If this is the case, the issue is that your clients aren't using the Windows Server's DNS for name resolution, and therefore have no concept of the Windows AD namespace.

              What you need to do is set the DNS server IP of the clients to the IP of the AD DC.

              From there, you would add the DNS server IPs of your ISP as forwarders on your DC.
              I actually did this manually. Currently, the router is giving off the local IP of the router as the primary DNS (192.168.1.1). It in turn forwards any unresolved IPs to the ISP's DNS. However, thinking of this, I manually configured the PCs' NIC cards to grab a DHCP IP address, but manually added the Windows Server IP as the DNS (192.168.1.10). Did an IPCONFIG /ALL in the CMD window to verify the DNS was set to the Server instead of the Router, and it was correctly set. I then verified I still had internet access and I did. I was able to ping other devices with no issues. But as soon as I tried the NSLOOKUP on the domain, or pinging the FQDN, it wouldn't work. Basically, it's as if the Domain service is not turned on (but it is).

              • #8
                ocabj
                Calguns Addict
                • Oct 2005
                • 7924

                I'd portscan the Windows Server from internal to see if it's actually listening on port 53. Make sure the DNS service is running and it's not firewalled off by the Windows Server local FW.

                Obviously, check your Event logs to see if there's any glaring issues.


                • #9
                  tonyxcom
                  Calguns Addict
                  • Aug 2011
                  • 6397

                  Originally posted by goodlookin1
                  But as soon as I tried the NSLOOKUP on the domain, or pinging the FQDN, it wouldnt work. Basically, it's as if the Domain service is not turned on (but it is).
                  Did you flush the dns or reboot the computer?

                  Instead of manually setting the DNS on the clients, most soho routers allow you to configure the DNS given out via DHCP.


                  • #10
                    goodlookin1
                    Veteran Member
                    • Apr 2009
                    • 2557

                    Still can't figure this crap out.

                    So I disabled the firewall completely for all three zones, and I've uninstalled and reinstalled the Domain Services and DNS twice now. This is supposed to be a no-brainer kind of install and it's proven to be a major pain in the butt!

                    Tried flushing the DNS, no go.

                    I'm going to give this piece of crap one more shot. I'm gonna do AD DC, DNS, and DHCP. If it won't do it at that point, it's a lost cause and I might just take a hammer to it!

                    • #11
                      ocabj
                      Calguns Addict
                      • Oct 2005
                      • 7924

                      I'm not sure what process you're going through, but I'm assuming you're:

                      1. Installing the OS
                      2. Updating the OS
                      3. Running dcpromo

                      That's pretty much it. When you dcpromo, the process is supposed to include the AD service and DNS roles.

                      Our campus setup is a bit different. We actually have the official internal campus DNS servers for everyone in both our class B IP blocks (let's just say *nix running BIND).

                      The FQDN of the forest is in campus DNS, then we set up the forest such that it forwards its zones to campus DNS.

                      Since all clients use campus DNS for lookups, they can resolve anything non-AD related on campus, anything external (e.g. microsoft.com, calguns.net), and anything within the AD forest since the AD forest forwards to campus DNS (e.g. someworkstation.somedepartment.myforest.mycompany.com).

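                      On Server 2012 the third step looks a little different: dcpromo.exe is deprecated and points you at Server Manager, and the scripted equivalent is the ADDSDeployment module. The sequence below is an added example, not the poster's steps and not commands from the thread; the domain name mydomain.local, the NetBIOS name MYDOMAIN, the interface name "Ethernet" and the addresses (DC 192.168.1.10, gateway 192.168.1.1) are assumptions taken from the thread's numbers.

```powershell
# Added example, not the thread's commands. Promote a freshly patched Server 2012 box to
# the first DC of a new forest, installing the DNS role in the same step.
# Give the server a static address first: a DC whose address changes breaks its own DNS.
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 192.168.1.10 -PrefixLength 24 -DefaultGateway 192.168.1.1
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.1.10

Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools
Import-Module ADDSDeployment

# -InstallDns creates the mydomain.local and _msdcs.mydomain.local zones and registers the
# SRV records. No delegation is created because there is no parent zone for ".local".
# The DSRM password is prompted for rather than written into the script.
Install-ADDSForest `
    -DomainName "mydomain.local" `
    -DomainNetbiosName "MYDOMAIN" `
    -InstallDns `
    -CreateDnsDelegation:$false `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") `
    -Force

# After the reboot, verify the zones exist and the DC's records are registered
# before trying to join any workstation.
Get-DnsServerZone
dcdiag /test:DNS /v
```

                      The dcdiag DNS test is the quickest way to tell whether the failure is in the zone data on the DC or in the path between the workstation and the DC: if it reports the SRV and A records as registered, the DC side is fine and the problem is which resolver the clients are using.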

                      • #12
                        d4v0s
                        Senior Member
                        • Aug 2010
                        • 1661

                        How are the clients and server setup? Is there a switch connecting them all to the firewall? Are they all on the same switch?

                        If you truly want them separate you need to isolate the networks (separate subnets per zone) and then allow the server to handle DHCP.

                        I can almost promise you that the firewall is dropping the DNS queries looking for the server in charge of your domain. When you type in the domain to the add domain box, it will query the local DNS server, and unless your computers are hitting the server for their DNS they will never resolve the domain server.

                        Also look under your DNS structure, look under forward zones and under the yourdomain bin. Is your local server A record under a folder? Some people create a domain or AD folder then put all of their servers under it. This makes it so you have to add domains using the folder name.domain, so ad.domain.org for example.

                        If you like maybe one of us could take a look at it remotely. Setup team viewer free or something and I would be happy to take a look.

                        • #13
                          pluke the 2
                          Senior Member
                          • May 2012
                          • 1926

                          I suspect an issue with the reassigning of the DHCP address range. I'd run with what you've got and try rebooting the gateway, then the firewall, then turn them back on and connect one laptop or PC at a time.

                          • #14
                            Jason95357
                            Senior Member
                            • Feb 2013
                            • 1130

                            Quick thoughts: Your router isn't asking your Domain Controller about your DNS Domain. It's not going to, don't bother.

                            Rather, change the DHCP configuration on the router to give out the Domain Controller's 192.168.0.10 address for DNS. If it doesn't support this, then turn off DHCP on the router and configure DHCP for 192.168.0.x 255.255.255.0 on the Domain Controller (with a default gateway of 192.168.0.1, the router; and DNS of the Domain Controller 192.168.0.10).


                            Beyond that, here are the basics:
                            1. Is the Domain Controller on the same IP network as the PCs? This is determined by looking at the mask and comparing the IP addresses.

                            A mask of 255.255.255.0 means that anything with an IP address starting with Z.Z.Z.Y can talk to anything else with the same Z.Z.Z.X beginning.

                            Verify this (the IP address and Mask) on both the PC and the Domain Controller with ipconfig /all

                            Then ping from a PC to the Domain Controller's IP.

                            2. Is the DNS resolver working on the Domain Controller? First, check that it is listening on port 53 on the Domain Controller:
                            netstat -na | find ":53"

                            If not, check that the DNS Server Service is set to Automatic and Started.

                            Next, try a local lookup on the Domain Controller itself:
                            nslookup -q=a TESTLOOKUP.yourdomain. localhost

                            This tells the PC's stub resolver to ask the "localhost" (in this case, the Domain Controller is asking itself) what the IPv4 A record for TESTLOOKUP.yourdomain is. If your Domain Controller is MYDC01.mydomain, then you'd use:
                            nslookup -q=a MYDC01.mydomain. localhost

                            If this is failing, you'll need to look at your DNS zone configuration.

                            If the above does work, go back to a client PC and try:
                            nslookup -q=a MYDC01.mydomain. 192.168.0.10
                            Where 192.168.0.10 is the ipaddress of your Domain Controller.

                            If this is working, then verify your PC's ipconfig /all shows the DNS server of the Domain Controller. If so, then try:

                            ping MYDC01.mydomain.

                            If that works, try and test the search domain properties, which should also be visible in ipconfig /all. You should be able to do the following and have it automatically add mydomain at the end:
                            ping MYDC01

                            Those are some good first basic IP networking and DNS troubleshooting steps.

                            After that, things get more Active Directory-specific.
                            Last edited by Jason95357; 08-01-2013, 8:33 PM.
                            LTCs: CA, OR, AZ, UT, FL, NV
                            GOA & NRA Member
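                            The steps above as one script, run from a workstation, is an added example (not code from this poster or the thread). It also covers the "is anything listening on port 53" check from #8. The addresses are the thread's (DC 192.168.1.10, domain mydomain.local); the DC host name MYDC01 is an assumption. It uses only cmdlets that ship with Windows 8 / Server 2012 (PowerShell 3.0), which is why the port probe is a raw TcpClient rather than Test-NetConnection.

```powershell
# Added example, not from the thread: the troubleshooting steps above as one script.
# Assumed values: DC 192.168.1.10, domain mydomain.local, DC host name MYDC01.
$Dc     = "192.168.1.10"
$Domain = "mydomain.local"
$DcName = "MYDC01"

function Get-NetworkId([string]$Address, [int]$PrefixLength) {
    # Network part of an IPv4 address as an unsigned 32-bit integer.
    [byte[]]$b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [array]::Reverse($b)                       # BitConverter is little-endian on x86
    $addr = [BitConverter]::ToUInt32($b, 0)
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength))
    return ($addr -band $mask)
}

function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000) {
    # TcpClient connect with a timeout; Test-NetConnection needs PowerShell 4,
    # which Server 2012 / Windows 8 do not ship with.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. Same IP network as the DC, and is the DC reachable at all?
$nic = Get-NetIPAddress -AddressFamily IPv4 |
       Where-Object { $_.PrefixOrigin -in 'Dhcp', 'Manual' } | Select-Object -First 1
$sameNet = (Get-NetworkId $nic.IPAddress $nic.PrefixLength) -eq (Get-NetworkId $Dc $nic.PrefixLength)
"Client $($nic.IPAddress)/$($nic.PrefixLength) on same subnet as DC: $sameNet"
"DC answers ping: $(Test-Connection -ComputerName $Dc -Count 1 -Quiet)"

# 2. Is anything listening on 53/tcp at the DC? (UDP cannot be probed this way, but the
#    Windows DNS server opens both; a closed 53/tcp means stopped or firewalled.)
"DC listening on 53/tcp: $(Test-TcpPort $Dc 53)"

# 3. Ask the DC directly, bypassing the client's configured resolvers, the hosts file,
#    LLMNR and NetBIOS. The SRV record is what the domain-join wizard looks up.
$lookups = @(
    @{ Name = "$DcName.$Domain";              Type = 'A'   },
    @{ Name = $Domain;                        Type = 'A'   },
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain"; Type = 'SRV' }
)
foreach ($q in $lookups) {
    try {
        $r = Resolve-DnsName -Name $q.Name -Type $q.Type -Server $Dc -DnsOnly -NoHostsFile -ErrorAction Stop |
             Where-Object { $_.Type -eq $q.Type }
        $answer = if ($q.Type -eq 'SRV') { $r.NameTarget } else { $r.IPAddress }
        "{0} ({1}): {2}" -f $q.Name, $q.Type, ($answer -join ', ')
    } catch {
        "{0} ({1}): FAILED - {2}" -f $q.Name, $q.Type, $_.Exception.Message
    }
}

# 4. What the client is actually configured to use. The DC must be the only entry; a
#    router or ISP resolver listed beside it will get queries it cannot answer for the zone.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
           Where-Object { $_.ServerAddresses } | Select-Object -ExpandProperty ServerAddresses
"Configured DNS servers: $($servers -join ', ')"
"Suffix search list:     $((Get-DnsClientGlobalSetting).SuffixSearchList -join ', ')"

# 5. The unqualified name should resolve once the suffix is in place (the "ping MYDC01" test).
Resolve-DnsName -Name $DcName -Type A -DnsOnly -ErrorAction SilentlyContinue |
    Select-Object Name, IPAddress
```

                            Read the output top to bottom: a failure in step 3 with step 2 succeeding means the DNS service is up but the zone data is wrong on the DC; step 3 succeeding with step 5 failing means the client is still sending its queries somewhere other than the DC, which is exactly the situation the thread started with.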


                            • #15
                              ibanezfoo
                              I need a LIFE!!
                              • Apr 2007
                              • 11999

                              These guys are right, you need to change the DHCP settings in your router to give out the IP address of the domain controller as the primary DNS entry (leave the secondary blank). If you want internet to work correctly you set the DNS on the domain controller to forward unknown DNS requests to your ISPs DNS (or just use 4.2.2.2, 4.2.2.3, and 8.8.8.8)

                              I agree with them too that you should disable DHCP on the router and set it up on the domain controller. You still have to make sure your DNS is pointing at the DC though and you also have forwarders in the DNS server's config.
                              vindicta inducit ad salutem?
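                              What moving DHCP onto the domain controller looks like on Server 2012, as an added example (not the poster's commands or anything from the thread). The router and DC addresses are the thread's (192.168.1.1 and 192.168.1.10); the scope range, lease length and the DC's host name mydc01.mydomain.local are assumptions.

```powershell
# Added example, not from the thread: DHCP on the DC instead of the Zyxel, so every lease
# carries the DC as the only DNS server and the Zyxel (192.168.1.1) as the gateway.
# The scope range and the DC host name are assumptions; the addresses are the thread's.
Install-WindowsFeature DHCP -IncludeManagementTools
Import-Module DhcpServer

Add-DhcpServerv4Scope -Name "Office LAN" -StartRange 192.168.1.100 -EndRange 192.168.1.200 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active

# Option 3 (router), option 6 (DNS servers), option 15 (DNS domain). One DNS server: the DC.
Set-DhcpServerv4OptionValue -ScopeId 192.168.1.0 -Router 192.168.1.1 `
    -DnsServer 192.168.1.10 -DnsDomain "mydomain.local"

# A Windows DHCP server will not hand out leases until it is authorized in AD.
Add-DhcpServerInDC -DnsName "mydc01.mydomain.local" -IPAddress 192.168.1.10

# Confirm the scope, then turn DHCP off on the Zyxel's LAN interface: two servers on one
# segment race each other, and clients that win the router's offer land back on its DNS.
Get-DhcpServerv4Scope
Get-DhcpServerv4OptionValue -ScopeId 192.168.1.0 | Format-Table OptionId, Name, Value
Get-DhcpServerv4Lease -ScopeId 192.168.1.0
```

                              This only changes the segment the DC sits on. The second business on another router port is a separate subnet and can keep getting its leases from the Zyxel; nothing here gives it the DC as a resolver, which is the isolation the original poster wanted.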
