dwils15 asked:
How do I set up a DNS server on a small network?

I tried setting up a DC and DNS for the first time about a year ago. Somehow I got it to work, at least so users could log in to the domain, access the file server, and get internet.
When logging in it takes a long time for the clients to connect, and we have intermittent issues with certain computers not being able to connect. It has worked problem-free for several months, but now I have 2 of my 3 machines that say "The system detected a possible attempt to compromise security" when they try to connect to the server.

Here is the setup and what I want it to be able to do:

AT&T internet service with a Netopia 3347nwg modem/router.
AT&T gave us a block of static IPs to use, and I have those IPMapped to static IPs given to each machine.

I have a Windows 2003 R2 server as the DC and DNS server (it has 2 NICs).
I have 3 XP Pro machines.

Question 1:
Should I let the router handle DHCP, or the server? (I'm going for easy.)

Question 2:
Should I use just one NIC on the server, or is there a reason to use both?
I had both configured at one time, but then disabled one because I was told it would cause issues. When I disabled it, I could no longer connect to the internet on the server, but all clients could access the file server.

Question 3:
How do I properly set up DNS on this server?
(Do I need to enter TCP/IP settings for the server NIC, or can I use the auto settings and get that info from the router?) What should be the DNS server address for the NIC on MY DNS server?

What's confusing is that I have one XP machine that connects to the internet and file server shares with no problem. My other 2 XP machines give me the "The system detected a possible attempt to compromise security" error. From what I can see they all have a static IP (192.168.1.10X) and all use the DNS from the ISP.


Thanks
ASKER CERTIFIED SOLUTION
leegclystvale
dwils15 (asker):

Thanks for the reply.
OK, this is what I've been doing...
I changed the DNS address on my server to its own IP.
I went to the XP machines and made sure they all had static IPs (one didn't, which I thought did). Then I entered my server's address as the DNS address on the clients.
I have DHCP "on" on the router, and I think it might be off on the server at the moment. Do I need to turn them on/off, since the clients are all static anyway?

So far they seem to log in faster and everybody is connecting, printing and getting internet.

Did I miss anything?

dwils15 (asker):

I also disabled the 2nd NIC.

"3) Again, I would use DNS on your server. Use AD integrated zone follow these instructions (Has pictures too) :o) Server will need to look at it's own IP address for DNS, so just input that"
- is there supposed to be a link?

**********You will need to turn off DNS and DHCP on the router*********

- I think DNS is off on the router already. As far as DHCP goes, I am working on this all remotely, so should I turn on DHCP on the server before turning it off on the router?
- Will turning DHCP off on the router affect the IPMaps on the router? Will they be necessary?
The reason they are there now is so the users can remotely connect to their machines using the static IPs given by AT&T. Is there a way to set that up on the server?
Your server will be running DNS regardless of where you point your clients for DNS, so using the server is good.
Static IPs are good on a network this size: easy to maintain etc.
Yes, the DNS server points to its own IP for DNS resolution.
Yes, clients point to the DNS server IP address.
You can turn DHCP off on the router if you want. Be careful as you may have printers or other devices using DHCP. Not great practice. Maybe worth leaving it on until you have time to check it's redundant. Hopefully the server DHCP service isn't running. You can cause big problems if both DHCPs are running.
The only thing I can think of is forwarding DNS resolution to your ISP's DNS servers for addresses that can't be resolved by your own DNS server.
Check that by going to the DNS management console, right-click your server name at the top, Properties > Forwarders tab, and it should show there.
Other than that it seems fine.
I also disabled the 2nd NIC. ************ GOOD

"3) Again, I would use DNS on your server. Use AD integrated zone follow these instructions (Has pictures too) :o) Server will need to look at it's own IP address for DNS, so just input that"
- is there supposed to be a link?" ************* YES THERE WAS MEANT TO BE. Seems like you are OK so far though, as I forgot DNS will be installed anyway as it's a domain controller.


**********You will need to turn off DNS and DHCP on the router*********

- I think DNS is off on the router already. As far as DHCP goes, I am working on this all remotely, so should I turn on DHCP on the server before turning it off on the router?
You really don't need DHCP on a network this size unless you have masses of devices that you haven't told me about?

- Will turning DHCP off on the router affect the IPMaps on the router? Will they be necessary? TURNING OFF DHCP WILL ONLY AFFECT devices that rely on it for their address. Printers usually have static addresses, but you may want to check.
The reason they are there now is so the users can remotely connect to their machines using the static IPs given by AT&T. Is there a way to set that up on the server?
Your router will be fine as it will have rules that allow these external connections in using those addresses. Leave it on if it makes you feel better and test when you have the time. DHCP will only respond to a device that is calling out for an address. It will do no harm if nothing wants an address.
Let me know if there are any issues. I'd say we've cracked it so far.
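An added example, not from the thread, that audits the layout the two answers above arrive at (one active NIC, the DC pointing at its own IP for DNS, ISP addresses only in the forwarders list, a single DHCP server). It is a read-only PowerShell script run on the 2003 R2 DC and assumes PowerShell and dnscmd (Windows Support Tools) are installed; 203.0.113.53 is a placeholder for the AT&T DNS addresses.

```powershell
# Added example, not from the thread: read-only audit of the settings the
# answers above settle on. Run locally on the Windows Server 2003 R2 DC.
# The forwarder address is a placeholder (TEST-NET-3); replace it with
# the addresses AT&T gave you.
$IspForwarders = @('203.0.113.53')
$findings = @()
$nics = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True')

# 1) A DC should have a single active NIC; a second one registers extra
#    addresses in DNS and sends clients to an interface that may not answer.
if ($nics.Count -ne 1) {
    $findings += "FAIL: $($nics.Count) IP-enabled NICs; leave only one enabled on the DC"
}

foreach ($nic in $nics) {
    $ownIps  = @($nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
    $dnsList = @($nic.DNSServerSearchOrder)
    $name    = $nic.Description

    # 2) The DC resolves against itself: the first DNS entry must be one of its own IPs.
    if ($dnsList.Count -eq 0 -or -not ($ownIps -contains $dnsList[0])) {
        $findings += "FAIL: '$name' uses DNS $([string]::Join(',', $dnsList)) instead of its own IP"
    }
    # 3) ISP DNS belongs in forwarders, never on the DC's NIC: whoever asks the ISP
    #    for the mycompany.local SRV records gets nothing, which is what leaves
    #    domain logons slow or failing.
    foreach ($d in $dnsList) {
        if ($IspForwarders -contains $d) { $findings += "FAIL: ISP DNS $d is set on '$name'; move it to forwarders" }
    }
    # 4) The DC itself must be static, not a DHCP lease from the router.
    if ($nic.DHCPEnabled) { $findings += "FAIL: '$name' gets its address from DHCP" }
}

# 5) Forwarders. dnscmd /Info prints the server's forwarder list; the check
#    assumes each forwarder IP appears literally in that output.
$info = [string]::Join("`n", @(& dnscmd /Info 2>&1))
foreach ($f in $IspForwarders) {
    if ($info -notmatch [regex]::Escape($f)) { $findings += "WARN: forwarder $f not configured; outside names will not resolve" }
}

# 6) Only one DHCP server may be live. The router cannot be queried from here,
#    so report the DC's service state and let the admin reconcile the two.
$dhcp = Get-Service -Name DHCPServer -ErrorAction SilentlyContinue
if ($dhcp -and $dhcp.Status -eq 'Running') {
    $findings += "WARN: DHCP Server service is running on the DC; make sure the router's DHCP is off"
}

if ($findings.Count -eq 0) { 'OK: DNS/DHCP layout matches the recommended setup' } else { $findings }
```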
dwils15 (asker):

Thanks. It seems to be working fine now!
dwils15 (asker):

I came in this morning and none of the computers could get internet access or access the server. The server was restarted and everything seems to be working fine for now, but in Event Viewer under DNS Server I see these errors (they started before yesterday's updates, but have continued after the updates as well):

The DNS server was unable to open zone mycompany.mycompany.local in the Active Directory from the application directory partition DomainDnsZones.mycompany-server.mycompany.local. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.


AND
The DNS server was unable to open zone _msdcs.mycompany-server.mycompany.local in the Active Directory from the application directory partition ForestDnsZones.aec-server.aec.local. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
 
Is this critical? How do I fix this?
 
Thanks
dwils15 (asker):

Also under Event Viewer\File Replication Service I started getting this error as of yesterday:

The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.
 
 Replica set name is    : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
 Replica root path is   : "c:\windows\sysvol\domain"
 Replica root volume is : "\\.\C:"
 A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.  This can occur because of one of the following reasons.
 
 [1] Volume "\\.\C:" has been formatted.
 [2] The NTFS USN journal on volume "\\.\C:" has been deleted.
 [3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
 [4] File Replication Service was not running on this computer for a long time.
 [5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:".
 Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
 [1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.
 [2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.
OK, I have no idea why this has occurred, but there are ways of getting out of it.
Work through the link; it shouldn't take long. Use D2 initially. If that doesn't work, use D4. http://www.petri.co.il/forums/showthread.php?t=7122
You also need to reload your zones as suggested. I will give you step-by-step instructions. It might even be worth deleting the zones and letting AD repopulate them again. Give me a few minutes. In the meantime, do the steps in the link provided.
To sort out your DNS, go to Start > Run, type dnsmgmt.msc and click OK.
This will bring up the DNS management snap-in. Right-click on your server name and select Properties.
Click on the Forwarders tab: this should list your ISP's DNS servers for resolution outside your domain. See the Forwarders image.
Click on the Advanced tab and check that startup is from AD and registry, as shown in the Advanced image.
It would be quite quick to delete the zones: expand the server name > Forward Lookup Zones, expand, right-click > Delete zone(s).
To install a new zone, right-click Forward Lookup Zones > New Zone and follow the wizard. Look at the New Zone image for an important setting.
Let me know how things are going.
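A read-only triage script, added here and not part of the thread, that pulls the two events quoted above (zone failed to load from AD, JRNL_WRAP_ERROR) out of the event logs and reads the NtFrs registry values the D2/D4 procedure works with. It assumes PowerShell is installed on the DC; the Parameters key, the "Enable Journal Wrap Automatic Restore" value named in the event text and the BurFlags value under "Backup/Restore\Process at Startup" are the standard FRS locations, and nothing is changed.

```powershell
# Added example, not from the thread: read-only triage of the two symptoms
# reported above, run locally on the DC. It only shows what the D2/D4
# procedure in the link would act on. Assumes PowerShell on 2003 R2.
$dnsLog = @(Get-EventLog -LogName 'DNS Server' -Newest 300)
$frsLog = @(Get-EventLog -LogName 'File Replication Service' -Newest 300)

# Zone load failures: pull the zone and directory partition out of the text.
$zoneFailures = @()
foreach ($e in $dnsLog) {
    if ($e.EntryType -eq 'Error' -and
        $e.Message -match 'unable to open zone (\S+) in the Active Directory from the application directory partition (\S+)\.') {
        $zoneFailures += ('{0}  zone={1}  partition={2}' -f $e.TimeGenerated, $matches[1], $matches[2])
    }
}
'DNS zones that failed to load from Active Directory (newest first):'
if ($zoneFailures.Count -eq 0) { '  none' } else { $zoneFailures | ForEach-Object { "  $_" } }

# FRS: count journal-wrap events and show when the latest one happened.
$wraps = @($frsLog | Where-Object { $_.Message -match 'JRNL_WRAP_ERROR' })
if ($wraps.Count -eq 0) { 'FRS: no JRNL_WRAP_ERROR events in the last 300 entries' } else {
    'FRS: {0} JRNL_WRAP_ERROR event(s), latest at {1}' -f $wraps.Count, $wraps[0].TimeGenerated
}

# Registry values the recovery depends on. The .NET API is used on purpose:
# the key name 'Backup/Restore' contains a slash that PowerShell's registry
# provider would treat as a path separator.
$ntfrs = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM\CurrentControlSet\Services\NtFrs\Parameters')
if ($ntfrs) {
    $auto  = $ntfrs.GetValue('Enable Journal Wrap Automatic Restore')
    $bur   = $ntfrs.OpenSubKey('Backup/Restore\Process at Startup')
    $flags = $null
    if ($bur) { $flags = $bur.GetValue('BurFlags') }
    "Enable Journal Wrap Automatic Restore = $auto (unset/0 = manual recovery, 1 = FRS removes and re-adds this DC itself)"
    if ($flags -ne $null) {
        'BurFlags = 0x{0:X} (0xD2 = non-authoritative restore, 0xD4 = authoritative restore at next FRS start)' -f [int]$flags
    } else { 'BurFlags not set (no restore pending at next FRS start)' }
} else { 'NtFrs Parameters key not found; is this the domain controller?' }
```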
Attachments: forwarders.JPG, advanced.JPG, New-Zone.JPG
Hi dwils15, How are you getting on?