Swiftie (posted May 8, 2008):
Just been testing Server 2008; ran dcpromo to get Active Directory installed with DNS. The NIC has a static IPv4 address of 192.168.1.10, and I've entered the Preferred DNS Server as the same IP as above in the TCP/IP settings. I have gone into the DNS role and set forwarders there to my ISP DNS addresses. But for some reason I can't join the newly created .local domain from a workstation. Could someone shed some light as to what I'm missing, please? If the info I've given is short and unclear I'm sorry, but I'm willing to answer any questions asked.
Link to comment https://www.neowin.net/forum/topic/635769-dc-and-active-directory/
orgitnized (Subscriber, posted May 8, 2008):
What are you getting for the error message on the workstation trying to join the domain? Is that server also pushing out the DHCP settings? Are you using static IPs? If you are using DHCP, what are you pushing out for the default DNS suffix? Just as a note, you don't have to use forwarders to your ISP for every Windows server setup that's using DNS. It's still going to resolve hostnames without forwarders to your ISP. It just depends on what you are using this server for, really. If everything you are trying to do is local, DNS forwarders won't play a role, is my point. (But I don't know your full setup either, so I'll just add that as my disclaimer.) :D Also, if you are using DHCP, you are pushing out the server's IP address as the primary DNS server, yes?
Swiftie (author, posted May 8, 2008, edited):
Ghost96 said: "What are you getting for the error message on the workstation trying to join the domain? Is that server also pushing out the DHCP settings? Are you using static IPs? If you are using DHCP, what are you pushing out for the default DNS suffix? Just as a note, you don't have to use forwarders to your ISP for every Windows server setup that's using DNS. It's still going to resolve hostnames without forwarders to your ISP. It just depends on what you are using this server for, really. If everything you are trying to do is local, DNS forwarders won't play a role, is my point. (But I don't know your full setup either, so I'll just add that as my disclaimer.) :D Also, if you are using DHCP, you are pushing out the server's IP address as the primary DNS server, yes?"
Ok, just after I posted that, I came to find out that it was my BELOVED AVG firewall on the WS that was disallowing me from joining the domain. Anyway, so now I've managed to get the workstation onto the domain. But when I try to log onto it using a created user in AD, I get "The system cannot log you on because the domain is not available". Can't even log in as the DOMAIN administrator from the workstation. I bet it's something silly... :rolleyes:
BudMan (MVC, posted May 8, 2008):
Swiftie said: "But for some reason I can't join the newly created .local domain from a workstation."
And what is your client using for DNS? It has to be using the DC for its DNS to be able to find your AD to join it. Quite often users playing with AD behind a router run into this, because their router is their DHCP server and hands out itself to clients to use for DNS. It has no idea about your .local domain, and neither does your ISP or any other public DNS. All clients on an AD need to point to the AD DNS to function.
http://support.microsoft.com/kb/291382 - Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS
Answer: The most common mistakes are:
• The domain controller is not pointing to itself for DNS resolution on all network interfaces.
• The "." zone exists under forward lookup zones in DNS.
• Other computers on the local area network (LAN) do not point to the Windows 2000 or Windows Server 2003 DNS server for DNS.
edit: Ok, so you logged in -- and what did you expect to happen? Or are you saying you cannot log in using the AD account?
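BudMan's question ("what is your client using for DNS?") is the thing to verify on the workstation before anything else. The script below is an added example, not code from the thread or from Microsoft: it checks that every IPv4 interface on the client lists only the DC as its DNS server, that the DC locator SRV record resolves against that server, and that the Netlogon locator (nltest) can find a DC. It assumes Windows 8 / Server 2012 or later for the Resolve-DnsName and Get-DnsClientServerAddress cmdlets; the domain name example.local and the DC address 192.168.1.10 are placeholders taken from the thread's setup.

```powershell
# Added example (not from the thread): client-side checks for AD DNS prerequisites.
# Assumes Windows 8 / Server 2012 or later. $DomainName and $ExpectedDns are placeholders.
param(
    [string]$DomainName  = 'example.local',
    [string]$ExpectedDns = '192.168.1.10'
)

$problems = @()

# 1. Every IPv4 interface with DNS configured should list only the DC (no router or ISP address).
#    A second "alternate" DNS server that does not know the AD zone causes intermittent join/logon failures.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $foreign = $_.ServerAddresses | Where-Object { $_ -ne $ExpectedDns }
        if ($foreign) {
            $problems += "Interface '$($_.InterfaceAlias)' also uses non-DC DNS server(s): $($foreign -join ', ')"
        }
    }

# 2. Domain join and logon look up this SRV record to find a DC; it must answer from the DC's DNS.
$srv = "_ldap._tcp.dc._msdcs.$DomainName"
try {
    $records = Resolve-DnsName -Name $srv -Type SRV -Server $ExpectedDns -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $records) {
        $problems += "No SRV records returned for $srv from $ExpectedDns"
    } else {
        $records | ForEach-Object { Write-Host "DC located via SRV: $($_.NameTarget):$($_.Port)" }
    }
} catch {
    $problems += "SRV lookup for $srv against $ExpectedDns failed: $($_.Exception.Message)"
}

# 3. Ask the Netlogon locator itself (nltest.exe ships with Windows Vista and later).
if (Get-Command nltest.exe -ErrorAction SilentlyContinue) {
    $locator = & nltest.exe /dsgetdc:$DomainName 2>&1
    if ($LASTEXITCODE -ne 0) {
        $problems += "nltest could not locate a DC for ${DomainName}: $($locator -join ' ')"
    } else {
        Write-Host ($locator -join "`n")
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Client DNS prerequisites look correct for $DomainName"
```

Run it on the workstation as an ordinary user; a non-zero exit with a warning about a second DNS server or a missing SRV record points straight at the two causes BudMan describes (router DHCP handing out itself as DNS, or a client that never asks the DC).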
Swiftie (author, posted May 8, 2008):
BudMan said: "And what is your client using for DNS? It has to be using the DC for its DNS to be able to find your AD to join it. Quite often users playing with AD behind a router run into this, because their router is their DHCP server and hands out itself to clients to use for DNS. It has no idea about your .local domain, and neither does your ISP or any other public DNS. All clients on an AD need to point to the AD DNS to function."
The Preferred DNS Server on the client is the IP address of the server, which is 192.168.1.10. Sorry for the quick edits, as it's probably going to confuse things. But I've managed to get the client to join the domain. It was the firewall blocking me. But now I've joined the domain, I can't get a user in AD to log in from the client. If I try, then I get the error I said above: "The system cannot log you on because the domain is not available".
BudMan (MVC, posted May 8, 2008):
? When you say preferred DNS, do you mean the only DNS? The only DNS server a client should have is the DC for your AD. Also, since you already had an issue with firewalls, I would make sure ALL firewalls are OFF, both the client and the server. You can run the dcdiag tool on your DC to verify that everything is good.
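The DC-side counterpart of the checks above, as an added example that is not code from the thread or from Microsoft: it covers the first two "most common mistakes" from the KB article BudMan quoted (the DC not pointing to itself for DNS, and a stray "." root zone), confirms the domain's DC locator record is registered, shows the forwarder list, and then runs dcdiag as BudMan suggests. It assumes Windows Server 2012 or later for the DnsServer and DnsClient modules, and that it is run in an elevated PowerShell on the DC; example.local and 192.168.1.10 are placeholders.

```powershell
# Added example (not from the thread): DC-side DNS sanity checks followed by dcdiag.
# Assumes Windows Server 2012 or later, run elevated on the DC. Values below are placeholders.
param(
    [string]$DomainName = 'example.local',
    [string]$DcIp       = '192.168.1.10'
)

$problems = @()

# Mistake 1: the DC must point to itself (its own IP or 127.0.0.1) for DNS on every interface,
# otherwise Netlogon registers its records into a server that does not host the AD zone.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $foreign = $_.ServerAddresses | Where-Object { $_ -notin @($DcIp, '127.0.0.1') }
        if ($foreign) {
            $problems += "Interface '$($_.InterfaceAlias)' uses non-DC DNS: $($foreign -join ', ')"
        }
    }

# Mistake 2: a "." (root) forward lookup zone makes this server think it IS the root of DNS,
# so recursion and forwarders for Internet names silently stop working.
if (Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue) {
    $problems += 'A "." root zone exists under Forward Lookup Zones; delete it and restart the DNS service'
}

# The AD zone's DC locator record must exist on this server (Netlogon registers it; "ipconfig /registerdns"
# and restarting the Netlogon service re-register it if it is missing).
$srv = "_ldap._tcp.dc._msdcs.$DomainName"
$locator = Resolve-DnsName -Name $srv -Type SRV -Server $DcIp -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' }
if (-not $locator) {
    $problems += "No SRV record for $srv on $DcIp (Netlogon has not registered the domain's records)"
}

# Forwarders are harmless for a .local domain: they are only consulted for names outside the zones this server hosts.
$forwarders = (Get-DnsServerForwarder).IPAddress
Write-Host "Forwarders: $($forwarders -join ', ')"

# Let dcdiag exercise DNS registration, the SYSVOL/NETLOGON shares and the core services.
# dcdiag prints "... failed test <Name>" for each failing test, so scan its output rather than relying on the exit code.
$dcdiag = & dcdiag.exe /test:DNS /test:NetLogons /test:Services /test:Advertising 2>&1
$failed = $dcdiag | Select-String -Pattern 'failed test'
if ($failed) {
    $problems += "dcdiag failures: " + (($failed | ForEach-Object { $_.Line.Trim() }) -join '; ')
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "DC-side DNS checks and dcdiag passed for $DomainName"
```

On a freshly promoted DC the common finding is the first one: the NIC still lists the ISP or router as a DNS server from before dcpromo, so the "domain is not available" error appears on clients even though they point at the DC correctly.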
Swiftie Posted May 9, 2008 Author Share Posted May 9, 2008 BudMan said: ? when you say preferred dns.. do you mean the only DNS? The only dns server a client should have is the DC for your AD.. Also since you already had an issue with firewalls.. I would make sure ALL firewalls are OFF, both the client and the server.You can run the dcdiag tool on your dc to verify that everything is good. Yes when I say Preferred DNS, I mean that in my TCP/IP settings for the client I have this IP Address: 192.168.1.2 SNM: 255.255.255.0 Gateway: 192.168.1.1 Prefered DNS: 192.168.1.10 Alternate DNS: BLANK Firewalls are now off. And I have managed to get access to the servers administrator user account via the client. And no more "The system cannot log you on because the domain is not available" crap. Tried the users account but got a "The local policy of this system does not permit you to logon interactively" which I know must be because I was trying to connect to that user via Remote Desktop. I'll have a dig into my Default Domain Controller Policy if I really want to, but thats not important. As it's all working so far. (by the looks of things) Now just got to test DHCP through the server and not the router tomorrow when I'm awake and physically at the site. You got any suggestions for that to make my life easier? I know I'll start by turning it off on the router and just configuring it via the server. Its this configuration that I'm asking for any advanced tips if you have any. Also... My forwarders in my DNS roles. I should just leave them as they're right? They're not going to hurt anything? Link to comment https://www.neowin.net/forum/topic/635769-dc-and-active-directory/#findComment-589385660 Share on other sites More sharing options...
BudMan (MVC, posted May 9, 2008):
There is no problem with having forwarders, no. As to setting up DHCP, pretty much a no-brainer: pick your scope, and what options you want to hand out. I would suggest you hand out domain and node type; are you running WINS? Don't use the whole address space up in your scope; leave some room for statics on both ends, etc.
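BudMan's DHCP advice (scope, options, domain suffix, node type, room for statics at both ends) translated into a scope definition, as an added example that is not code from the thread: it creates the scope for the thread's 192.168.1.0/24 network, excludes the low and high ends for static addresses, hands out the DC as the only DNS server together with the AD domain as DNS suffix, and sets the NetBIOS node type only if WINS is actually in use. It assumes the DHCP server role is installed on a Windows Server 2012 or later machine (DhcpServer module); the addresses and example.local are placeholders.

```powershell
# Added example (not from the thread): define a DHCP scope that points clients at the DC for DNS.
# Assumes Windows Server 2012 or later with the DHCP Server role; all values are placeholders.
$ScopeId    = '192.168.1.0'
$Mask       = '255.255.255.0'
$Router     = '192.168.1.1'      # the existing router still routes; only its DHCP service is turned off
$DcIp       = '192.168.1.10'     # the DC is the ONLY DNS server handed out
$DomainName = 'example.local'
$UseWins    = $false             # set $true only if a WINS server is actually running

# Scope spans the whole subnet so the mask and router are consistent...
Add-DhcpServerv4Scope -Name "LAN ($DomainName)" -StartRange 192.168.1.1 -EndRange 192.168.1.254 `
    -SubnetMask $Mask -LeaseDuration (New-TimeSpan -Days 8) -State Active

# ...but the bottom and top of the range are excluded, leaving room for statics at both ends
# (server, router, printers, switches) without ever colliding with a lease.
Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange 192.168.1.1   -EndRange 192.168.1.49
Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange 192.168.1.200 -EndRange 192.168.1.254

# Options the clients need to find the domain: gateway (3), DNS server (6, DC only), DNS suffix (15).
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $Router -DnsServer $DcIp -DnsDomain $DomainName

# NetBIOS node type (option 46) only matters when WINS exists; 8 = hybrid (h-node: WINS first, then broadcast).
if ($UseWins) {
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -WinsServer $DcIp
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 46 -Value 8
}

# A domain-joined DHCP server leases nothing until it is authorized in AD.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Add-DhcpServerInDC -DnsName $fqdn -IPAddress $DcIp

# Show exactly what a client will receive.
Get-DhcpServerv4OptionValue -ScopeId $ScopeId | Format-Table OptionId, Name, Value -AutoSize
```

After running it, confirm on a client with `ipconfig /all` that the DNS server list contains only 192.168.1.10 and that the "Connection-specific DNS Suffix" is the AD domain; if the router's DHCP is still enabled, some clients will keep receiving the router as their DNS server and hit the join/logon failures from earlier in the thread.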
Swiftie (author, posted March 12, 2009):
Could someone please give me a heads-up on how one would make a local domain available through the Internet, please? It wouldn't be just a case of setting up an A record, would it? Have tried Google but to no avail thus far.
Joel (posted March 12, 2009):
Swiftie said: "Could someone please give me a heads-up on how one would make a local domain available through the Internet, please? It wouldn't be just a case of setting up an A record, would it? Have tried Google but to no avail thus far."
I cannot imagine why you'd want to do that. Do you plan to host a website on your Windows server?
BudMan (MVC, posted March 12, 2009):
You cannot make something.local resolve on the public net, since .local is not a top-level domain, nor a country-based TLD. Here is the current database of top-level domains and country TLDs: http://www.iana.org/domains/root/db/ This is pretty much the reason it's a good AD domain TLD ;) The only way you could have someone on the public net resolve that is if they specifically added the zone to their DNS, pointed at your nameserver, or used your nameserver as their DNS. But I'm with Joel -- WTF would you need to do something like that for? If you want someone to resolve a name to your public IPs, then point yourpublicdomain.tld at your IPs.
Swiftie (author, posted March 13, 2009):
Joel said: "I cannot imagine why you'd want to do that. Do you plan to host a website on your Windows server?"
Not necessarily. I'll break it down into a scenario. Say a company has 3 offices, but would like to use one DC at the main office for all users of the 3. All users from the 3 offices will need to be able to communicate with this DC at the main office, and 2 out of the 3 will be via the Internet. Is it a case of setting up a domain using something like domain.tld or corp.domain.tld, for example, instead of domain.local, whilst doing some DNS work? Or some kind of VPN configuration?
bobbba (posted March 13, 2009):
Swiftie said: "Not necessarily. I'll break it down into a scenario. Say a company has 3 offices, but would like to use one DC at the main office for all users of the 3. All users from the 3 offices will need to be able to communicate with this DC at the main office, and 2 out of the 3 will be via the Internet. Is it a case of setting up a domain using something like domain.tld or corp.domain.tld, for example, instead of domain.local, whilst doing some DNS work? Or some kind of VPN configuration?"
If you were to go the Internet-named domain.tld route, for your scenario to work you would have to open up ports for DNS, LDAP, Kerberos, NetBIOS and others on all your sites to the Internet. Your traffic would then be openly going through the Internet, and anyone carrying out a port scan could pick your sites up. Basically it would be a truly god-awful setup. :x If communication between sites has to be via the Internet and not leased lines, you should go for a VPN setup. A branch office to main office VPN setup with routers or firewalls (tunnel mode) would be easier to maintain than a VPN from each branch office client to the main office server (transport mode).
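bobbba's point is that the DC's service ports (DNS, LDAP, Kerberos, NetBIOS/SMB, RPC) should only ever be reachable from the LAN and the VPN, never from arbitrary Internet addresses. The script below is an added example, not code from the thread or from Microsoft: run on the DC, it lists every enabled inbound allow rule in Windows Firewall that covers one of those ports and is open to "Any" remote address, then shows (with -WhatIf, so nothing changes until you remove it) how to scope each such rule to the trusted LAN and VPN ranges. It assumes Windows Server 2012 or later for the NetSecurity module; the 192.168.1.0/24 LAN and the 192.168.2.0/24 RRAS pool from later in the thread are placeholder values.

```powershell
# Added example (not from the thread): find AD service firewall rules open to any remote address
# and scope them to trusted ranges. Assumes Windows Server 2012 or later; subnets are placeholders.
$TrustedRanges = @('192.168.1.0/24', '192.168.2.0/24')   # LAN plus the RRAS static address pool

# Ports an AD DC must expose to domain members (TCP and/or UDP). 'RPC' and 'RPC-EPMap' are the
# firewall's symbolic names for the dynamic RPC range and the endpoint mapper (135).
$AdPorts = @('53', '88', '135', '137', '138', '139', '389', '445', '464', '636', '3268', '3269', 'RPC', 'RPC-EPMap')

$exposed = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.Protocol -notin @('TCP', 'UDP')) { continue }   # skip ICMP and other protocols

    # LocalPort is a string or string[] such as '389', '49152-65535', 'RPC' or 'Any'.
    $ports = @($portFilter.LocalPort)
    $touchesAd = ($ports -contains 'Any') -or (($ports | Where-Object { $AdPorts -contains $_ }).Count -gt 0)
    if (-not $touchesAd) { continue }

    $addrFilter = $rule | Get-NetFirewallAddressFilter
    if ($addrFilter.RemoteAddress -contains 'Any') {
        [pscustomobject]@{
            Name        = $rule.Name            # unique rule identifier, safe to use with Set-NetFirewallRule
            DisplayName = $rule.DisplayName
            Protocol    = $portFilter.Protocol
            Ports       = ($ports -join ',')
            Remote      = ($addrFilter.RemoteAddress -join ',')
        }
    }
}

if (-not $exposed) {
    Write-Host 'No enabled AD service rule is open to any remote address.'
    return
}

Write-Host 'Inbound AD service rules currently open to ANY remote address:'
$exposed | Format-Table DisplayName, Protocol, Ports, Remote -AutoSize

# Restrict each flagged rule to the LAN and VPN ranges. -WhatIf previews the change; drop it to apply.
foreach ($e in $exposed) {
    Set-NetFirewallRule -Name $e.Name -RemoteAddress $TrustedRanges -WhatIf
}
```

The host firewall is the last line of defence, not the first: the perimeter router or firewall should not forward these ports at all, and the only thing it accepts from the Internet is the VPN endpoint. Scoping the host rules additionally means that a mis-applied port forward on the router does not immediately expose LDAP or Kerberos.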
Swiftie (author, posted March 14, 2009):
bobbba said: "If you were to go the Internet-named domain.tld route, for your scenario to work you would have to open up ports for DNS, LDAP, Kerberos, NetBIOS and others on all your sites to the Internet. Your traffic would then be openly going through the Internet, and anyone carrying out a port scan could pick your sites up. Basically it would be a truly god-awful setup. :x If communication between sites has to be via the Internet and not leased lines, you should go for a VPN setup. A branch office to main office VPN setup with routers or firewalls (tunnel mode) would be easier to maintain than a VPN from each branch office client to the main office server (transport mode)."
Thanks for the info so far. For the VPN setup, would it matter what the domain name is (Internet one or local one)?
BudMan (MVC, posted March 14, 2009):
A VPN has NOTHING to do with name resolution or DNS for your AD. It connects your networks together, that is ALL!! Kind of right in the name: "Virtual Private Network".
Swiftie (author, posted March 16, 2009):
For the VPN, what would be the best option, would you say? The built-in Windows service or something like Hamachi?
bobbba (posted March 16, 2009):
Windows servers at each site with 2 NICs and the RRAS service is how you could do it with Windows; there will be many 3rd-party solutions, and low-powered Linux boxes could probably do it as well.
Swiftie (author, posted May 16, 2009):
I have a server set up with two NICs. Set up the RRAS service with a static address pool of 192.168.2.x. But the minute I finish the setup, the server loses all network access. :(
BudMan (MVC, posted May 17, 2009):
Well then you clearly did it wrong ;) What help/guide did you follow?
http://technet.microsoft.com/en-us/library...818(WS.10).aspx - Components of Windows Server 2003 Site-to-Site VPNs
http://technet.microsoft.com/en-us/library...328(WS.10).aspx - Deploying a PPTP-based Site-to-Site VPN Connection
Swiftie (author, posted May 17, 2009):
I didn't really follow any guides. But by the looks of the above links and image, I must have had it really t*tts up. I only had the one server, 2 NICs. If I set up the RRAS with the two NICs, then the server loses network access, whilst the VPN doesn't work, of course. However, if I was to use just one NIC, the network on the server works. VPN connections to the server are possible from external and internal clients. But without unchecking "use default gateway on remote network" on the clients, they can't access the Internet themselves. Hhhmmm...
BudMan (MVC, posted May 18, 2009):
"from external and internal clients" - WTF would you be creating VPN connections from internal clients for? You're not setting up a site-to-site if you have 1 server! Do you mean you had 1 server on the other end as well? Keep in mind all the other boxes shown can all be on the "vpn router" box.
Swiftie (author, posted May 18, 2009):
BudMan said: ""from external and internal clients" - WTF would you be creating VPN connections from internal clients for? You're not setting up a site-to-site if you have 1 server! Do you mean you had 1 server on the other end as well? Keep in mind all the other boxes shown can all be on the "vpn router" box."
The whole purpose of using internals was just for testing. And no, I've been doing all this with just one server. So in theory I am very wrong in trying to even think this would work. :whistle:
Swiftie (author, posted May 18, 2009):
Just a quick addition: if one was to follow this guide as an example, http://articles.techrepublic.com.com/5100-...11-5805260.html any good? Because IIRC this is how I have tried to set it up.
BudMan (MVC, posted May 18, 2009):
"I've been doing all this with just one server" - Who are you creating a VPN to, then, if you only have 1 server? Do you mean you want to allow users to VPN to you? "Say a company has 3 offices. But would like to use one DC at the main office for all users of the 3." This would be a SITE-TO-SITE VPN to connect 2 networks together, and would require another server on the other end to connect to. If you just want road warriors to connect to your server, you only need 1 NIC on the server, and you do not need to run through the whole RRAS thing; you just set up an inbound VPN connection. Click, click, done!