Some basic, but real quick questions...

TechJunky Member Posts: 881
I go to work tomorrow... They want me to set up a 2003 server tomorrow, but the company doesn't really know much about computers. They have a website and email hosted by someone else. I was planning on setting up AD, but I know it requires a DNS server that allows dynamic updates. They are using hostgo.com for their DNS servers... I was curious if there was a way of finding out if the DNS servers that are hosting their site allow dynamic updates, other than going into work tomorrow and just trying their domain name and seeing if it works. From the sounds of it, they only have one 2003 server that I can set up and I don't want to bog it down with multiple services if I don't have to. I plan on partitioning it into 2 partitions and installing DHCP, RIS, AD, and maybe an Exchange server down the road. I really don't want to install a DNS server on this box as well.

Thanks.

Comments

    RussS Member Posts: 2,068
    Follow the wizards dude - follow the wizards ;)
    www.supercross.com
    FIM website of the year 2007
    sprkymrk Member Posts: 4,884
    I can almost guarantee you that you will need to install DNS on it if you want AD to work. You also don't want all their hosts' private DNS exposed on a public Internet DNS server even if it would work, which it almost certainly won't. Their public DNS won't necessarily match their AD naming convention. It's standard procedure to use split DNS, public and private. DNS won't bog down your server anyway; it's not very resource intensive, especially with the small number of hosts you'll likely be dealing with. Just do like the man says - follow the wizards. I recommend looking up AD DNS best practices on TechNet before you go in.
    All things are possible, only believe.
    Danman32 Member Posts: 1,243
    It isn't absolutely required to have dynamic DNS for AD, but it does help tremendously when the DNS isn't set up right. Without dynamic DNS, you have to configure the SRV records yourself, which IS required for AD.
    With dynamic DNS updates, Netlogon and netdiag /fix can update and correct any missing or incorrect records needed to resolve DCs and the services they provide. Dynamic updates of client machines are usually not critical unless the clients have resources others need, i.e. file/print sharing, and their IPs are not static.

    I too would say though, use at least one local DNS server hosting records for your AD domain.

    But you do have a few choices on how you will define your AD domain namespace.

    1. Share the domain namespace with your public one. In other words, your AD domain name would be the same as your registered domain name. In this case, the AD and the public domains are really two separate ones that happen to share the same name. The difficulty you may come across here is if your users on your LAN need to access resources hosted outside of your network. The reason this is a problem is because your machines on your LAN need to look exclusively to your local DNS server so they can find the domain controllers. The solution is to add records to your local DNS that match the ones on the public DNS. For example, your domain is mycompany.com. You have a web server with the URL www.mycompany.com hosted on the internet with the IP 24.35.46.57. You would add WWW to your local DNS mapping it to the proper IP. Accessing resources located on the internet from within your LAN by the bare domain name only would not be possible, however. In other words, you could not get to your public web site using the URL mycompany.com.

    2. Your AD domain is a child domain of the public domain and you would host that zone locally only. Your local machines will still look exclusively to your local servers for name resolution, though if the public DNS hierarchy refers back to your child domain, using a public DNS server would work. The problem with this though is your local LAN probably has a private address scheme that is not compatible with the internet, so issuing correct addresses from various sources would be a problem.

    3. Have totally separate domain names. Microsoft recommends using .local as the first label in your domain name, but any domain name with at least 2 labels would work. Using .local as the first label would guarantee though that it would not conflict with a name on the internet as .local is not a valid registerable domain.

    I usually recommend option 3, as it keeps what is local remaining local, and what is public remaining public without conflicts of name or IP address resolution. Your local machines would use the local DNS servers hosting your local DNS exclusively, and your DNS servers would forward requests they can't resolve on their own out to the internet. You can use forwarders to send external queries directly to your ISP, which would take advantage of any cached queries they may have. The downside of direct forwarding I have come across with clients, though, is when the ISP decommissions a DNS server you were forwarding to without telling you.
    TechJunky Member Posts: 881
    Danman32: Thanks for the reply. That information is what I was wanting to know. I have set up AD before without a server that supports dynamic DNS, and from an administration point of view it was a hassle. I have had good luck in the past setting up the internal DNS server using method one. I made sure I set my forwarders to the correct DNS servers and never had any DNS issues. Since everything is local, and I am using NAT addresses, I never ran into a problem. I of course just made sure I never added the same records, i.e. ns1.company.com if the external DNS already had this record.

    I plan on adding an internal website as well...

    Here are my plans...

    Internal IIS Server for company use only, Intranet site.

    DNS Server for AD local only to resolve internal address resolution within the domain.

    And of course make sure all of it is setup with AD.

    The only problem I have run into in the past is, let's say I purchased www.company.com and have records pointed to an external IP address... Let's say www.company.com = 24.25.26.27

    I then want to set up my internal DNS server as local.company.com = 10.0.0.1

    The forward lookup zones do not create correctly. They will only create the SOA, NS, and A records. The following are not created...

    _msdcs
    _sites
    _tcp
    _udp
    Domain DNS Zones
    Forest DNS Zones

    I have tried in the past to use net stop netlogon, then net start netlogon. If that doesn't work I try netdiag /fix; if that doesn't work I try ipconfig /flushdns, then ipconfig /registerdns. If that doesn't work I check Windows\Sysvol\sysvol\company.com and make sure it's not there. If that's not there I then check for the C:\Windows\NTDS\ntds.dit file and make sure it's there. Depending on what files are there or aren't there I will try the first steps above and see if that fixes the problem.

    However, the only real way I was able to fix the problem seemed to be if I didn't add a subdomain to the company.com domain name. If I set up my forward zone to use company.com instead of local.company.com, everything would work fine.

    Any ideas?

    As you can tell I have dealt with DNS a time or two. :D
    Danman32 Member Posts: 1,243
    First off, you wouldn't be purchasing www.company.com but rather company.com and adding an A record WWW to the zone.

    You could make a child domain local.company.com for your local network, the internet wouldn't care, and since you own the parent domain, there's no chance of conflict unless you create the conflict.

    When the _ subdomains don't get created, there's usually one of two reasons: there's no DNS server hosting a zone for your Active Directory domain that the DC has access to, or you have dynamic DNS updates turned off in your zone. Since 2003 tends to side on security now, I suspect that may be your problem. Try setting DNS to allow unsecure updates until you get the records and AD replication straightened out. Then you can set it to secure again. After setting the zone to allow unsecure updates, run netdiag /fix again. If that doesn't work, note the error given in the DNS test. It should clue you into why it could not fix the records. That, and check event logs on the DNS server and DC.
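As an added example (not from the thread), the following PowerShell script performs the same check as netdiag's DNS test from any Windows 8 / Server 2012 or later machine: it asks the DC's DNS server for the SRV records a domain controller must register and lists any that are missing. The domain name and DNS server IP are the ones from this thread; the site name is an assumed default.

```powershell
# Added example (not from the thread): verify that the SRV records a DC must
# register are present on the local DNS server. Domain and server IP are the
# thread's values; the AD site name is an assumed default.
param(
    [string]$Domain    = 'skurlas.com',
    [string]$DnsServer = '192.168.1.109',
    [string]$Site      = 'Default-First-Site-Name'  # assumed site name
)

# Well-known SRV names Netlogon registers for a DC (the contents of the
# _msdcs, _sites, _tcp and _udp subdomains the thread is missing).
$Required = @(
    "_ldap._tcp.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain",
    "_gc._tcp.$Domain",
    "_kpasswd._tcp.$Domain",
    "_ldap._tcp.$Site._sites.$Domain"
)

$Missing = @()
foreach ($Name in $Required) {
    try {
        # -DnsOnly bypasses LLMNR/NetBIOS and the client cache so the answer
        # reflects what the zone on $DnsServer actually holds right now.
        $Answer = Resolve-DnsName -Name $Name -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'SRV' }
        if (-not $Answer) { $Missing += $Name; continue }
        foreach ($Rec in $Answer) {
            Write-Host ("OK   {0} -> {1}:{2}" -f $Name, $Rec.NameTarget, $Rec.Port)
        }
    } catch {
        # NXDOMAIN or no response: the record is not registered.
        $Missing += $Name
    }
}

if ($Missing.Count -eq 0) {
    Write-Host "All required SRV records are registered on $DnsServer."
} else {
    Write-Warning ("Missing SRV records:`n  " + ($Missing -join "`n  "))
    Write-Host "Next steps from the thread: confirm the zone '$Domain' exists on $DnsServer,"
    Write-Host "allow dynamic updates on it, then restart Netlogon (net stop/start netlogon)."
}
```

Run it again after restarting Netlogon; once every name resolves, the zone can be switched back to secure-only updates as Danman32 suggests.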
    TechJunky Member Posts: 881
    I have updates allowed for both the forward zones and reverse zones. Sorry about the domain thing. Yes, I am aware that you purchase company.com and not www.company.com. It has an A record for www.company.com so their site resolves via the web.

    I guess the best explanation would be to let ya know the company name so you can do a dig or nslookup or whatever you prefer.

    www.skurlas.com

    I show these records when I do an nslookup.

    Non-authoritative answer:
    skurlas.com nameserver = ns1.hostgo.com
    skurlas.com nameserver = ns2.hostgo.com
    skurlas.com internet address = 66.220.22.162
    skurlas.com MX preference = 0, mail exchanger

    skurlas.com nameserver = ns1.hostgo.com
    skurlas.com nameserver = ns2.hostgo.com
    ns1.hostgo.com internet address = 64.62.164.101
    ns2.hostgo.com internet address = 216.218.220.34
    skurlas.com internet address = 66.220.22.162

    So I was wanting to set up local.skurlas.com for internal use only, i.e. 192.168.1.109

    I am using 2003 server. I get three options for how to create the zone... set up in forest, set up in domain, set up throughout domain controllers for this domain. I went with domain controllers for this domain.

    Here is the netdiag /fix printout.

    C:\Program Files\Support Tools>netdiag /fix

    ....................................

    Computer Name: SERVER
    DNS Host Name: Server.skurlas.com
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 15 Model 2 Stepping 4, GenuineIntel
    List of installed hotfixes :
    Q147222


    Netcard queries test . . . . . . . : Passed



    Per interface results:

    Adapter : Local Area Connection 4

    Netcard queries test . . . : Passed

    Host Name. . . . . . . . . : Server
    IP Address . . . . . . . . : 192.168.1.109
    Subnet Mask. . . . . . . . : 255.255.255.0
    Default Gateway. . . . . . : 192.168.1.1
    Dns Servers. . . . . . . . : 192.168.1.109


    AutoConfiguration results. . . . . . : Passed

    Default gateway test . . . : Passed

    NetBT name test. . . . . . : Passed
    [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

    WINS service test. . . . . : Skipped
    There are no WINS servers configured for this interface.


    Global results:


    Domain membership test . . . . . . : Passed


    NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
    NetBT_Tcpip_{A27B5B1F-FB2D-4BBE-94FD-BC5270B71E92}
    1 NetBt transport currently configured.


    Autonet address test . . . . . . . : Passed


    IP loopback ping test. . . . . . . : Passed


    Default gateway test . . . . . . . : Passed


    NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


    Winsock test . . . . . . . . . . . : Passed


    DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.1.109'.


    Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
    NetBT_Tcpip_{A27B5B1F-FB2D-4BBE-94FD-BC5270B71E92}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
    NetBT_Tcpip_{A27B5B1F-FB2D-4BBE-94FD-BC5270B71E92}
    The browser is bound to 1 NetBt transport.

    DC discovery test. . . . . . . . . : Passed


    DC list test . . . . . . . . . . . : Passed


    Trust relationship test. . . . . . : Skipped


    Kerberos test. . . . . . . . . . . : Passed


    LDAP test. . . . . . . . . . . . . : Passed


    Bindings test. . . . . . . . . . . : Passed


    WAN configuration test . . . . . . : Skipped
    No active remote access connections.


    Modem diagnostics test . . . . . . : Passed

    IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


    The command completed successfully

    C:\Program Files\Support Tools>

    Thanks again for the help.
    TechJunky Member Posts: 881
    I don't know. I have never had any luck setting up a forward zone for anything other than the parent domain, i.e. company.com for the forward zone. Then you can just create A records within that forward lookup zone of company.com for local, www, mail, ad, or whatever you want. I always thought setting up a subdomain name as the forward lookup zone was incorrect. It has always worked the way I have been doing it and I have never had any bad side effects. The way I think you are describing I have heard from a few other people, but in a BIG domain environment I have never seen it set up this way. It has always been set up the way I put my DNS servers together. So I will just stick with what works.
    Danman32 Member Posts: 1,243
    Your DNS test passed, as did the rest of the netdiag tests, so you should have all the records needed on server 192.168.1.109 for the zone skurlas.com, and that's the only server that matters for your AD.
    If you are at 2003 native function level, you probably also have a zone for _msdcs.skurlas.com on that server.

    What's out on the internet is irrelevant to your AD.

    As for your AD integrated replication choices, you can leave it at the defaults but here's what it means.

    To all DNS servers in the forest: all domain controllers in the forest, not just this domain, that also have DNS servers installed will get this data.

    To all DNS servers in the domain: All DCs in this domain that have DNS installed will get the data.

    To all DCs in the domain: All DCs in this domain will get the zone data, regardless of whether they have DNS installed or not. Only replicates within the domain, not the forest. This is how W2K operates, which was a problem for the _MSDCS records that needed to be forest-wide so that forest-wide FSMO role holders could be found across domains.

    It seems you already created your AD, but if you have your domain/forest at 2003 native function level, you can change the domain name if you wish to local.skurlas.com.

    If you want to leave things as they are, add an A record for WWW in the zone for skurlas.com on the server, resolving to the public IP address of your hosted website, so that your users can get to it, since your local server is authoritative for skurlas.com as far as they are concerned.

    For forwarding, in the DNS manager go to the properties of the server object, select the forwarders tab, and add the ISP's DNS addresses (or any other valid DNS server on the internet that allows unrestricted public queries) for All Other DNS Domains. This tab may be disabled if you have a dot zone '.' in your forward lookup zones. If so, remove the dot zone, restart the manager and try adding the forwarder again.

    Once your network is set up properly, your machines on your LAN would query your server for DNS lookups. If your server can't resolve it, it will query one of your forwarders. If you don't have forwarders configured, it can do the internet lookups on its own using the root hints, but I often find that problematic.
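As an added example (not Danman32's instructions themselves), here is how the steps above map onto the DnsServer PowerShell module. It assumes the DNS server runs Windows Server 2012 or later with that module installed (the 2003 DNS manager has no PowerShell equivalent); the zone name and WWW address come from the thread's nslookup output, and the forwarder addresses are placeholders to be replaced with the ISP's resolvers.

```powershell
# Added example (not from the thread): apply the split-DNS steps described above
# with the DnsServer module. Assumption: DNS role on Windows Server 2012+.
param(
    [string]$Zone         = 'skurlas.com',
    [string]$PublicWww    = '66.220.22.162',                # A record from the thread's nslookup
    [string[]]$Forwarders = @('192.0.2.53', '192.0.2.54')   # placeholders: use the ISP's resolvers
)

# 1. A root ('.') zone makes the server think it is authoritative for the whole
#    Internet, which disables forwarders and root hints. Remove it if present.
if (Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue) {
    Remove-DnsServerZone -Name '.' -Force
    Write-Host "Removed root zone '.'"
}

# 2. Forward everything this server is not authoritative for to the ISP's
#    resolvers ("All Other DNS Domains" in the 2003 Forwarders tab).
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false

# 3. Once records and replication are straightened out, keep dynamic updates
#    secure so only domain members can register or overwrite records.
if ((Get-DnsServerZone -Name $Zone).DynamicUpdate -ne 'Secure') {
    Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate Secure
}

# 4. The local server is authoritative for $Zone as far as LAN clients are
#    concerned, so mirror the public WWW record; warn instead of silently
#    overwriting if a record with a different address already exists.
$Existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name 'www' -RRType A -ErrorAction SilentlyContinue
if (-not $Existing) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'www' -IPv4Address $PublicWww -TimeToLive 01:00:00
} elseif ($Existing.RecordData.IPv4Address.IPAddressToString -ne $PublicWww) {
    Write-Warning "www.$Zone already points at $($Existing.RecordData.IPv4Address); public IP is $PublicWww"
}

# 5. Replication scope: Forest = all DNS servers in the forest, Domain = all DNS
#    servers in the domain, Legacy = all DCs in the domain (the W2K behaviour).
#    _msdcs must be forest-wide so forest FSMO role holders resolve across domains.
Set-DnsServerPrimaryZone -Name "_msdcs.$Zone" -ReplicationScope Forest -ErrorAction SilentlyContinue

# Verify: a LAN client asking this server should now get the public IP for www.
Resolve-DnsName -Name "www.$Zone" -Type A -Server 'localhost' -DnsOnly | Format-Table Name, IPAddress
```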
    TechJunky Member Posts: 881
    Thanks for the clarification. I already knew that information, but I definitely bet it is helpful to someone else on this site. And yes, I am already using forwarders etc. It is working real smooth.

    Thanks again, and I hope other people on this site find this information useful.