Active Directory Infrastructure IP assignment

Hi guys, how are you doing?

I need some help here. I need to convince my boss that the following IP assignment is incorrect.

ISP-> Router (WAN-auto | LAN 192.168.1.1) -> switch

W2k3 Server : AD/DNS/DHCP/WINS
IP: 192.168.1.2
DNS: 192.168.1.1
DG: 192.168.1.1

WXP - Domain Member
IP: 192.168.1.100-200
DNS: 192.168.1.1
DG:192.168.1.1

The incorrect configuration is the DNS. It should point to w2k3 server which host Active Directory/DNS. However, he is ignorant that his stuff is right. So I need to pull a information to convince him. I got no luck to get any info relevant to it..... =*(

Thank you guys. all help is really appreciated. Thank you so much.

Sincerely;
mean people SUCK !!! BACK OFF !!!
The Next Stop is, MCSE 2003 and CCNA.
Bachelors of Technology in 1 More Year.

-Working on CCENT. Thank you my love <3

Comments

  • iowatechiowatech Member Posts: 120
    Active Directory cannot function at all without DNS, just tell him the IP of the server needs to be in the DNS settings.

    Which from the looks of it is, 192.168.1.2
  • dynamikdynamik Banned Posts: 12,314 ■■■■■■■■□□
    iowatech wrote:
    Active Directory cannot function at all without DNS, just tell him the IP of the server needs to be in the DNS settings.

    Which from the looks of it is, 192.168.1.2

    +1

    If your gateway device provides DNS, you'll still be able to resolve internet names, but you will cripple AD.
  • jbaellojbaello Member Posts: 1,192
    Try to run "nslookup" and see if you are able to query local hostname, also I believe the client should use the Windows Server as the Preferred DNS server, I think there might be issue logging into the domain since the client computer needs the DNS SRV.
  • taktsoitaktsoi Member Posts: 224
    yea guys. I understand this so much.

    but he just ignore my warning. I convince him more than a week but he still stand for this point.

    This is why i am trying to pull a page about this and show it to him to stand for my point. I hate this when I know i am right but get refused

    any luck helping me?
    mean people SUCK !!! BACK OFF !!!
    The Next Stop is, MCSE 2003 and CCNA.
    Bachelors of Technology in 1 More Year.

    -Working on CCENT. Thank you my love <3
  • dynamikdynamik Banned Posts: 12,314 ■■■■■■■■□□
    http://technet2.microsoft.com/windowsserver/en/library/9d62e91d-75c3-4a77-ae93-a8804e9ff2a11033.mspx?mfr=true

    Has this already been implemented or is this just in the planning stage? Your clients will not be able to log on to the domain if they cannot find the SRV records for your DCs.
  • taktsoitaktsoi Member Posts: 224
    dynamik wrote:
    http://technet2.microsoft.com/windowsserver/en/library/9d62e91d-75c3-4a77-ae93-a8804e9ff2a11033.mspx?mfr=true

    Has this already been implemented or is this just in the planning stage? Your clients will not be able to log on to the domain if they cannot find the SRV records for your DCs.

    Thank dynamik.

    Unfortunately, this has been implemented. The client has about 8 machines there and everyday he got calls for service saying can't find network drive for example. I told him that the DNS setting is wrong but he insists.......

    mm...life is difficult man.

    icon_redface.gificon_confused.gif

    Even more now, he also says that I can put 192.168.1.1 as primary and 192.168.1.2 as a secondary. WTF...... he says that when the machine need to contact server, it will go to the secondary, if the machine need to go to internet, it will go back to primary. he says this is the way primary and secondary dns setting design......WTF....hell no....noooooooooooooooooooo
    mean people SUCK !!! BACK OFF !!!
    The Next Stop is, MCSE 2003 and CCNA.
    Bachelors of Technology in 1 More Year.

    -Working on CCENT. Thank you my love <3
  • jbaellojbaello Member Posts: 1,192
    You need a proper documentation of your idea and print it out from a reliable source like technet, if he disagree he is your manager, but when issue starts arising you can come out to be a hero!
  • dynamikdynamik Banned Posts: 12,314 ■■■■■■■■□□
    taktsoi wrote:
    Unfortunately, this has been implemented. The client has about 8 machines there and everyday he got calls for service saying can't find network drive for example. I told him that the DNS setting is wrong but he insists.......

    This setup sounds insane. No one will be able to log on to the domain without being pointed at the correct DNS server. Are the client machines all using local accounts? Is there more than one domain controller for redundancy? They won't be able to replicate without DNS.
    taktsoi wrote:
    Even more now, he also says that I can put 192.168.1.1 as primary and 192.168.1.2 as a secondary. WTF...... he says that when the machine need to contact server, it will go to the secondary, if the machine need to go to internet, it will go back to primary. he says this is the way primary and secondary dns setting design......WTF....hell no....noooooooooooooooooooo

    This guy has no clue. As I'm sure you know, if a machine can contact the primary server, it will not query the secondary, regardless of whether the primary has the record it is looking for.
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Tell him that you will use the 192.168.1.1 as a forwarder on the DC and it will do what it needs to do. Try not to come across as a pest or know-it-all. I'm not saying you are, but I know how gung-ho we can all be at times and that just makes his kind all the more obstinate.

    Say something like "Wow, I found out that you're idea is really correct, except that we use it as a forwarder on the DC then just have all the clients point to the DC". It doesn't matter how stupid it sounds (obviously his idea is not even close to correct) but rather than show him up, let him save face by being "almost right".
    All things are possible, only believe.
  • newbiextnewbiext Member Posts: 17 ■□□□□□□□□□
    +1 for you
    -1 for your boss

    Do your best, dont sound like a know it all...

    Slighty off topic, maybe people are loging on via broadcasts..still not good enough.
  • dynamikdynamik Banned Posts: 12,314 ■■■■■■■■□□
    sprkymrk wrote:
    Tell him that you will use the 192.168.1.1 as a forwarder on the DC and it will do what it needs to do. Try not to come across as a pest or know-it-all. I'm not saying you are, but I know how gung-ho we can all be at times and that just makes his kind all the more obstinate.

    Say something like "Wow, I found out that you're idea is really correct, except that we use it as a forwarder on the DC then just have all the clients point to the DC". It doesn't matter how stupid it sounds (obviously his idea is not even close to correct) but rather than show him up, let him save face by being "almost right".

    Great advice. Sprkymrk: IT Guru and Diplomat.

    newbiext wrote:
    Slighty off topic, maybe people are loging on via broadcasts..still not good enough.

    I don't believe this is possible. As far as I know, the only way to locate a DC is the SRV record in DNS. You can't obtain this by sending out a broadcast. If they're accessing files, they might just be access //server/share and putting in domain credentials when prompted (or access has just been given to Everyone), but that's not the same as having their computer/user log on to the domain.
  • intelamdcpuintelamdcpu Member Posts: 7 ■□□□□□□□□□
    will modifying and adding the server name with its IP in the host file along with 192.168.1.1 as primary dns in the NIC work in this case?
  • dynamikdynamik Banned Posts: 12,314 ■■■■■■■■□□
    will modifying and adding the server name with its IP in the host file along with 192.168.1.1 as primary dns in the NIC work in this case?

    Nope. The problem extends beyond the clients resolving the server's host name to an IP. This could simply be accomplished by NetBIOS broadcasts, unless they were disabled. Active Directory relies on SRV (service) records in DNS to function properly. The client machines query DNS to find the SRV records, which point to the domain controllers. So you see, if a client cannot determine which machines are the domain controllers, it doesn't know which machines to try to authenticate to, and the domain logon will fail (as well as many other things, such as replication between DCs).
  • newbiextnewbiext Member Posts: 17 ■□□□□□□□□□
    "dynamik wrote:
    I don't believe this is possible. As far as I know, the only way to locate a DC is the SRV record in DNS. You can't obtain this by sending out a broadcast. If they're accessing files, they might just be access //server/share and putting in domain credentials when prompted (or access has just been given to Everyone), but that's not the same as having their computer/user log on to the domain.

    Hmm i know the srv records thing, but i remember once i encountered an W2k3 AD domain without a DNS server, and people were logging in albeit very very slowly. Took about 5 mins to login in after a password. Thats why i thought broadcast coupled with the fact that i think i read that broadcast thing somewhere..If not i stand corrected.
  • dynamikdynamik Banned Posts: 12,314 ■■■■■■■■□□
    newbiext wrote:
    Hmm i know the srv records thing, but i remember once i encountered an W2k3 AD domain without a DNS server, and people were logging in albeit very very slowly. Took about 5 mins to login in after a password. Thats why i thought broadcast coupled with the fact that i think i read that broadcast thing somewhere..If not i stand corrected.
    In Windows NT, domain logon was based on NetBIOS names. Every domain controller registered the NetBIOS name Domainname with a <1C> as the sixteenth character in the name on the network and in WINS. When a client tried to log on to the network, the client would try to locate the servers that had the domain controller name registered. If the client could not locate one of these servers, the logon would fail. The SRV records in Windows Server 2003 are used by Windows 2000 and Windows XP Professional clients to locate domain controllers. Without the SRV records, these clients will also not be able to log on to the Windows Server 2003 domain

    http://safari.oreilly.com/0735615772/ch03lev1sec2

    Maybe that was an NT domain or a situation dealing with legacy clients (e.g. Win9icon_cool.gif connecting via WINs.
  • newbiextnewbiext Member Posts: 17 ■□□□□□□□□□
    I stand corrected. Thanks for the info
  • DMinDMin Member Posts: 18 ■□□□□□□□□□
    Any chance you can build a test environment on a couple of old machines with VMWare? If you could show him that the error goes away when you correct the DNS, maybe he'll be swayed by the evidence. It's a lot of work for such a minor change, though. Either that or have him bring in a high-paid consultant to tell him what you already know. People tend to listen better when they're paying $100 / hour for the advice.

    Other than that, my only advice is to get your resume updated and start hitting the job boards. You're not going to want to work with this guy for long.
Sign In or Register to comment.