
Just been testing server 2008, ran dcpromo to get Active Directory installed with DNS.

Nic has a static IPv4 of 192.168.1.10

And I've inputted the Preferred DNS Server as the same IP as above in the TCP/IP settings.

Have gone into the DNS role and set forwarders on there as my ISP DNS addresses.

But for some reason I can't join the newly created .local domain from a workstation.

Could someone shed some light as to what I'm missing out please?

If the info I've given is short and unclear I'm sorry but willing to ask any questions asked.


What are you getting for the error message on the workstation trying to join the domain?

Is that server also pushing out the DHCP settings? Are you using static IPs? If you are using DHCP, what are you pushing out for the default DNS suffix?

Just as a note, you don't have to use forwarders to your ISP for every Windows server setup that's using DNS. It's still going to resolve hostnames without forwarders to your ISP. Just depends on what you are using this server for really.

If everything you are trying to do is local, DNS forwarders won't play a role is my point. (But I don't know your full setup either so I'll just add that as my disclaimer) :D

Also, if you are using DHCP, you are pushing out the server's IP address as the primary DNS server, yes?

  Ghost96 said:
What are you getting for the error message on the workstation trying to join the domain?

Is that server also pushing out the DHCP settings? Are you using static IPs? If you are using DHCP, what are you pushing out for the default DNS suffix?

Just as a note, you don't have to use forwarders to your ISP for every Windows server setup that's using DNS. It's still going to resolve hostnames without forwarders to your ISP. Just depends on what you are using this server for really.

If everything you are trying to do is local, DNS forwarders won't play a role is my point. (But I don't know your full setup either so I'll just add that as my disclaimer) :D

Also, if you are using DHCP, you are pushing out the server's IP address as the primary DNS server, yes?

Ok, just after I post that, I came to find out that it was my BELOVED AVG firewall on the WS that was disallowing me from joining the domain.

Anyway, so now I've managed to get the workstation onto the domain. But when I try and log onto it using a created user in AD,

I get "The system cannot log you on because the domain is not available"

Can't even log in as the DOMAIN administrator from the Workstation.

I bet it's something silly.. :rolleyes:

  Swiftie said:
But for some reason I can't join the newly created .local domain from a workstation.
And what is your client using for DNS? It has to be using the DC for its DNS to be able to find your AD to join it.

Quite often users playing with AD behind a router run into this, because their router is their dhcp server, and hands out to clients to use it for DNS. It has no idea about your .local domain, and neither does your ISP or any other public dns.

All clients on an AD need to point to the AD DNS to function.

http://support.microsoft.com/kb/291382

Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS

Answer: The most common mistakes are:

• The domain controller is not pointing to itself for DNS resolution on all network interfaces.

• The "." zone exists under forward lookup zones in DNS.

• Other computers on the local area network (LAN) do not point to the Windows 2000 or Windows Server 2003 DNS server for DNS.

edit: Ok so you logged in -- and what did you expect to happen? Or are you saying can not log in using the AD account?
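A client-side check that covers the three mistakes listed above and the host-firewall problem from earlier in the thread. This is an added example, not code from the thread or from Microsoft: it assumes the DC at 192.168.1.10 from the thread, a placeholder domain name, and the Resolve-DnsName / Test-NetConnection cmdlets (Windows 8.1 / Server 2012 R2 or later; on older clients the same checks are done with nslookup and telnet).

```powershell
# Added example (not from the thread): verifies a workstation is able to find
# the AD domain the way BudMan's advice requires. Every DNS server on the client
# must be the DC, the AD locator SRV record must resolve through it, and the
# ports a join/logon needs must not be blocked by a host firewall.
# Assumes the DC IP from the thread and a placeholder domain name.
param(
    [string]$Domain = 'example.local',   # placeholder: use your AD DNS name
    [string]$DcIp   = '192.168.1.10'
)

$problems = @()

# 1. Every configured IPv4 DNS server must be the DC. A router or ISP resolver
#    knows nothing about the .local zone, even as an "alternate" entry.
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
       Where-Object { $_.ServerAddresses.Count -gt 0 } |
       ForEach-Object { $_.ServerAddresses }
foreach ($s in $dns) {
    if ($s -ne $DcIp) { $problems += "DNS server $s is not the DC ($DcIp)" }
}

# 2. The locator record that domain join and logon actually query.
$srv = "_ldap._tcp.dc._msdcs.$Domain"
try {
    $rec = Resolve-DnsName -Name $srv -Type SRV -Server $DcIp -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $rec) { $problems += "$srv has no SRV records on $DcIp" }
    else { $rec | ForEach-Object { "DC locator -> $($_.NameTarget):$($_.Port)" } }
} catch {
    $problems += "Cannot resolve $srv via ${DcIp}: $($_.Exception.Message)"
}

# 3. Ports a client needs for join and interactive logon. A blocked one gives
#    "domain is not available" style errors even when DNS is right.
$ports = @{ 53='DNS'; 88='Kerberos'; 135='RPC'; 389='LDAP'; 445='SMB'; 464='kpasswd' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $ok = (Test-NetConnection -ComputerName $DcIp -Port $p `
              -WarningAction SilentlyContinue).TcpTestSucceeded
    if (-not $ok) { $problems += "TCP $p ($($ports[$p])) to $DcIp blocked or not listening" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "Client is ready to join / log on to $Domain via $DcIp"
```

Run it on the workstation before joining; a non-zero exit with the warnings listed tells you whether it is DNS or a firewall that is in the way.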

  BudMan said:
And what is your client using for DNS? It has to be using the DC for its DNS to be able to find your AD to join it.

Quite often users playing with AD behind a router run into this, because their router is their dhcp server, and hands out to clients to use it for DNS. It has no idea about your .local domain, and neither does your ISP or any other public dns.

All clients on an AD need to point to the AD DNS to function.

The Preferred DNS Server on the client is the IP address of the server, which is 192.168.1.10

Sorry for the quick edits as it's probably going to confuse things. But I've managed to get the client to join the domain.

It was the firewall blocking me. But now I've joined the domain, I can't get a user in AD to log in from the client.

If I try then I get the error I said above.

"The system cannot log you on because the domain is not available"

? when you say preferred dns.. do you mean the only DNS? The only dns server a client should have is the DC for your AD.. Also since you already had an issue with firewalls.. I would make sure ALL firewalls are OFF, both the client and the server.

You can run the dcdiag tool on your dc to verify that everything is good.

  BudMan said:
? when you say preferred dns.. do you mean the only DNS? The only dns server a client should have is the DC for your AD.. Also since you already had an issue with firewalls.. I would make sure ALL firewalls are OFF, both the client and the server.

You can run the dcdiag tool on your dc to verify that everything is good.

Yes when I say Preferred DNS, I mean that in my TCP/IP settings for the client I have this

IP Address: 192.168.1.2
SNM: 255.255.255.0
Gateway: 192.168.1.1

Preferred DNS: 192.168.1.10
Alternate DNS: BLANK

Firewalls are now off. And I have managed to get access to the servers administrator user account via the client. And no more "The system cannot log you on because the domain is not available" crap.

Tried the user's account but got a "The local policy of this system does not permit you to logon interactively" which I know must be because I was trying to connect to that user via Remote Desktop. I'll have a dig into my Default Domain Controller Policy if I really want to, but that's not important. As it's all working so far. (by the looks of things) Now just got to test DHCP through the server and not the router tomorrow when I'm awake and physically at the site.

You got any suggestions for that to make my life easier? I know I'll start by turning it off on the router and just configuring it via the server. It's this configuration that I'm asking for any advanced tips if you have any.

Also... My forwarders in my DNS roles. I should just leave them as they're right? They're not going to hurt anything?

There is no problem with having forwarders no.

As to setting up dhcp.. Pretty much a no brainer.. pick your scope, and what options you want to hand out.

I would suggest you hand out domain and node type, are you running WINS? Don't use the whole address space up in your scope, leave some room for statics on both ends, etc.
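The scope BudMan describes, written out as an added example that is not code from the thread: the DC as the only DNS server, the AD domain as the suffix, a node type, and room at both ends of 192.168.1.0/24 for statics (router .1, DC .10 from the thread). It assumes the DhcpServer module (Server 2012 or later; on Server 2008 the same settings are made in the DHCP MMC) and a placeholder domain name.

```powershell
# Added example (not from the thread): builds the DHCP scope on the Windows
# server so clients stop getting the router as their DNS server.
# Assumes the DhcpServer module and a placeholder domain name.
param(
    [string]$Domain = 'example.local',   # placeholder: your AD DNS name
    [string]$DcIp   = '192.168.1.10',    # DC / DNS server from the thread
    [string]$Router = '192.168.1.1'      # default gateway from the thread
)

$scope = '192.168.1.0'
Add-DhcpServerv4Scope -Name "LAN $Domain" -StartRange 192.168.1.1 `
    -EndRange 192.168.1.254 -SubnetMask 255.255.255.0 -State Active

# Leave both ends of the range for statics (router, DC, printers, later servers).
Add-DhcpServerv4ExclusionRange -ScopeId $scope -StartRange 192.168.1.1   -EndRange 192.168.1.49
Add-DhcpServerv4ExclusionRange -ScopeId $scope -StartRange 192.168.1.200 -EndRange 192.168.1.254

# Option 6 (DNS servers) must list ONLY the DC: a router or ISP resolver as a
# second entry is exactly what leaves clients unable to find the .local domain.
# Option 15 = DNS suffix, option 3 = default gateway.
Set-DhcpServerv4OptionValue -ScopeId $scope -DnsServer $DcIp -DnsDomain $Domain -Router $Router

# Option 46 = NetBIOS node type; 8 = hybrid (ask WINS first, then broadcast).
# Only meaningful if a WINS server (option 44) is actually deployed.
Set-DhcpServerv4OptionValue -ScopeId $scope -OptionId 46 -Value '8'

# Verify: fail loudly if anything other than the DC would be handed out as DNS.
$handedOut = (Get-DhcpServerv4OptionValue -ScopeId $scope -OptionId 6).Value
if (($handedOut -join ',') -ne $DcIp) {
    throw "Scope $scope hands out DNS servers $($handedOut -join ',') instead of $DcIp"
}
Get-DhcpServerv4OptionValue -ScopeId $scope | Format-Table OptionId, Name, Value
```

Disable DHCP on the router before activating the scope, otherwise clients may still take a lease (and the router's DNS) from whichever server answers first.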

  • 10 months later...
  Swiftie said:
Could someone please give me a heads up on how one would make a local domain available through the internet please. It won't be just a case of setting up an A Record would it? Have tried google but no avail thus far.

I cannot imagine why you'd want to do that. Do you plan to host a website on your Windows server?

You cannot make something.local resolve on the public net, since .local is not a top-level domain, nor is it a country-based TLD.

Here is the current database of top-level domains and country TLDs

http://www.iana.org/domains/root/db/

This is pretty much the reason it's a good AD domain TLD ;)

The only way you could have someone on the public net resolve that is they specifically added the zone to their dns which pointed to your nameserver, or used your nameserver as their dns.

But I'm with Joel -- WTF would you need to do something like that for?

If you want someone to resolve a name to your public IPs -- then point yourpublicdomain.tld at your IPs

  Joel said:
I cannot imagine why you'd want to do that. Do you plan to host a website on your Windows server?

Not necessarily. I'll break it down into a scenario.

Say a company has 3 offices. But would like to use one DC at the main office for all users of the 3.

All users from the 3 offices will need to be able to communicate with this DC at the main office and 2 out of the 3 will be via the internet. Is it a case of setting up a domain using something like domain.tld or corp.domain.tld for example instead of domain.local whilst doing some DNS work.

Or some kind of VPN configuration?

  Swiftie said:
Not necessarily. I'll break it down into a scenario.

Say a company has 3 offices. But would like to use one DC at the main office for all users of the 3.

All users from the 3 offices will need to be able to communicate with this DC at the main office and 2 out of the 3 will be via the internet. Is it a case of setting up a domain using something like domain.tld or corp.domain.tld for example instead of domain.local whilst doing some DNS work.

Or some kind of VPN configuration?

If you were to go the internet-named domain.tld route, for your scenario to work you would have to open up ports for dns, ldap, kerberos, netbios and others on all your sites to the internet. Your traffic would then be openly going through the internet and anyone carrying out a port scan could pick your sites up. Basically it would be a truly god awful setup. :x

If communication between sites has to be via the internet and not leased lines you should go for a vpn setup. A branch office to main office vpn setup with routers or firewalls (tunnel mode) would be easier to maintain than a vpn from each branch office client to the main office server (transport mode).

  bobbba said:
If you were to go the internet-named domain.tld route, for your scenario to work you would have to open up ports for dns, ldap, kerberos, netbios and others on all your sites to the internet. Your traffic would then be openly going through the internet and anyone carrying out a port scan could pick your sites up. Basically it would be a truly god awful setup. :x

If communication between sites has to be via the internet and not leased lines you should go for a vpn setup. A branch office to main office vpn setup with routers or firewalls (tunnel mode) would be easier to maintain than a vpn from each branch office client to the main office server (transport mode).

Thanks for the info so far. The VPN setup, would that matter on what the domain name is (internet one or local one)?

  • 2 months later...

Well then you clearly did it wrong ;)

What help/guide did you follow?

http://technet.microsoft.com/en-us/library...818(WS.10).aspx

Components of Windows Server 2003 Site-to-Site VPNs


http://technet.microsoft.com/en-us/library...328(WS.10).aspx

Deploying a PPTP-based Site-to-Site VPN Connection

I didn't really follow any guides. But by the looks of the above links and image. I must have had it really t*tts up.

I only had the one server, 2 nics. If I set up the RRAS with the two nics, then the server loses network access whilst the VPN doesn't work of course..

However if I was to use just one nic, network on server works. VPN connections to the server are possible from external and internal clients. But without unchecking "use default gateway on remote network" from the clients, they can't access internet themselves.

HHhmmm...

"from external and internal clients"

WTF would you be creating vpn connections from internal clients for.

You're not setting up a site to site if you have 1 server! Do you mean you had 1 server on the other end as well?

Keep in mind all the other boxes shown can all be on the "vpn router" box.

  BudMan said:
"from external and internal clients"

WTF would you be creating vpn connections from internal clients for.

You're not setting up a site to site if you have 1 server! Do you mean you had 1 server on the other end as well?

Keep in mind all the other boxes shown can all be on the "vpn router" box.

The whole purpose of using internals was just for testing.

& no, I've been doing all this with just one server. So in theory I am very wrong in trying to even think this would work. :whistle:

"I've been doing all this with just one server"

Who are you creating a VPN to then? -- if you only have 1 server? Do you mean you want to allow users to VPN to you?

"Say a company has 3 offices. But would like to use one DC at the main office for all users of the 3."

This would be a SITE TO SITE VPN to connect 2 networks together. And would require another server on the other end to connect to.

If you just want road warriors to connect to your server -- you only need 1 nic on the server and you do not need to run through the whole RRAS thing, you just set up an inbound vpn connection.


Click, Click done!
