starstruckgeezer asked:

2-NIC server cannot install Active Directory

Hello All,
              I'm setting up a server at home to share files and for internet security. I set up Windows Server 2003 on my machine to "play" with it, as I have never done this before but know bits about it.
At first when setting up I only had the 1 network card installed and everything was fine; set it up as domain controller and set file server shares, and the network could see them. Now I have done a fresh installation and added a second but faster gigabit network card. The idea is to use this second card to connect to the gigabit switch which is connected to the wired network (only the switch connects the rest of the network) and use my 100MB card to connect to the internet. I have got the server set as a DHCP server and allowed internet sharing, which is now giving my network internet access, but I cannot install Active Directory. NIC 1 is using the 192.168.1.x range and is connected to a router for the internet, so this NIC has the gateway in its TCP/IP properties, and NIC 2 is using the 172.16.1.x range. When trying to install A/D I get a general network error at the end. I will be using this server as a DNS server too. I want to have it as a domain network as people use different PCs round the house and I only want certain people to have access to certain files. Also, what's the best way to secure the server from outside attacks? I have Norton Internet Security on the PCs but want the server to be solid as it is the first line of defence.

thanks in advance
jarremopoulos:

Hi starstruckgeezer,

I think ICS (Internet Connection Sharing) is the cause of the problems. It will break down all DHCP and DNS functionality. Use NAT instead. I think you had better first install DHCP, then AD/DNS and then Routing and Remote Access. And when you configure Routing and Remote Access, use custom configuration and select NAT and LAN routing. Then you must add NIC interfaces to the NAT/firewall section and tell which one is the NAT and which the LAN interface.

Here's some help for you.

For securing win 2003 AD/server without 3rd party software read these

http://www.microsoft.com/windowsserver2003/techinfo/overview/adsecurity.mspx

http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx

Also check this

http://www.petri.co.il/active_directory_installation_requirements.htm

That one is about requirements and recommendations for installing AD.

Here's help to configure NAT/Basic Firewall

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/fe8f6650-93af-4f99-a477-41297374357a.mspx

_JMpouloZ
 
starstruckgeezer (asker):

Hi _JMpouloZ,
                    I have done a fresh installation of Windows Server. I set up NAT and added the DHCP server and all was fine, so I tried the installation of A/D and it went on, but I am now getting an error before logon of "at least 1 service or driver failed on system startup". I could log on but had to pick the domain first, which I didn't have to do before to log on. Once logged on I was unable to open "Manage this Active Directory" as I got this message: "naming information cannot be located because the specified domain does not exist or could not be contacted."
after looking at event viewer i found these messages:

The time service encountered an error and was forced
to shut down.  The error was: 0x80070700: An attempt
was made to logon, but the network logon service was
not started.


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            06/09/2005
Time:            10:43:41
User:            N/A
Computer:      B59HOPE
Description:
The Security System detected an authentication error
for the server ldap/b59hope.Data.sec.  The failure
code from authentication protocol Kerberos was "There
are currently no logon servers available to service
the logon request.

Another one was: netlogon depends on the following non-existent service: lanmanserver.

There were quite a few errors under Applications referring to "domain controller name for network could not be found".

It has also stopped the internet access for the other PCs.

I didn't have these issues before, so why this time?
I'm going bald pulling out hair!
jarremopoulos:

Hi,

>>i could logon but had to pick domain first which i didnt have to do befor to log on

Use the username as [DOMAINADMIN]@DOMAIN and you don't need to choose the domain from the drop-down list.

Then open Control Panel/Network Connections and select Advanced --> Advanced Settings (from the toolbar). Then rearrange the connections. The first one must be the LAN adapter, the second one the NAT adapter and so on. Apply changes and click OK. I think there's the NAT or some other adapter first on the list, and that's why you get the error

>> " naming information cannot be located because the specified domain does not exist or could not be contacted."

Then reboot and check from Control Panel -> Administrative Tools -> Services whether the Server and Windows Time services are running. If not, try to start them manually. Test whether you can access the AD management tools.

I'll come back to the question in a little while. Must open MCSE books and check couple of things more.

Hope this helps meanwhile ....

_JMpouloZ

starstruckgeezer (asker):

Thanks,
           changed the order. My second NIC was at the top of the list, which is the one connected to the LAN, so that is now second in the list with the NIC connected to the internet at the top and remote access connections at the bottom.

in services:
Server is not listed, and Windows Time is set to automatic but wasn't running. When I started it manually I got the error "could not start Windows Time service on local computer, error 1792: an attempt was made to log on but the network logon service was not started".

I tried to manually start the Net Logon service but got this error: "could not start Net Logon service on local computer, error 1075: the dependency service does not exist or is marked for deletion."

still cannot access A/D management

thanks
ASKER CERTIFIED SOLUTION
jarremopoulos

This solution is only available to members.
starstruckgeezer (asker):

Hello,
         I checked the DNS suffix on the LAN NIC; there wasn't one, so I put my DNS suffix on it. Does that need to be done for the other NIC? Both NICs are set to use themselves as DNS server, then forwarders are set on the DNS server to my ISP's DNS servers.

There are 2 host A records for each NIC IP address.

Got some messages as follows from netdiag:

Check the DNS registration for DCs entries on DNS server '192.168.1.2'
    [FATAL] Could not open file C:\WINDOWS\system32\config\netlogon.dns for reading.
Check the DNS registration for DCs entries on DNS server '172.16.1.1'
    [FATAL] Could not open file C:\WINDOWS\system32\config\netlogon.dns for reading.
    [FATAL] No DNS servers have the DNS records for this DC registered.

DC discovery test. . . . . . . . . : Failed

    Find DC in domain 'DATA':
        [FATAL] Cannot find DC in domain 'DATA'. [ERROR_NO_SUCH_DOMAIN]


DC list test . . . . . . . . . . . : Failed
        'DATA': Cannot find DC to get DC list from [test skipped].
    List of DCs in Domain 'DATA':

Trust relationship test. . . . . . : Skipped

Kerberos test. . . . . . . . . . . : Skipped
        'DATA': Cannot find DC to get DC list from [test skipped].

LDAP test. . . . . . . . . . . . . : Failed
    Cannot find DC to run LDAP tests on. The error occurred was: The specified domain either does not exist or could not be contacted.

    Find DC in domain 'DATA':
        [WARNING] Cannot find DC in domain 'DATA'. [ERROR_NO_SUCH_DOMAIN]

Testing DNS
    [FATAL] Could not open file C:\WINDOWS\system32\config\netlogon.dns for reading.
    [FATAL] Could not open file C:\WINDOWS\system32\config\netlogon.dns for reading.
        [FATAL] No DNS servers have the DNS records for this DC registered.
    Testing redirector and browser... Passed
    Testing DC discovery.
        Looking for a DC
    Gathering the list of Domain Controllers for domain 'DATA'
    Testing trust relationships... Skipped
    Testing Kerberos authentication... Failed
    Testing LDAP servers in Domain DATA ...

And from dcdiag, full text here...

Testing server: Default-First-Site-Name\B59HOPE
      Starting test: Connectivity
         The host ec55eee5-8172-484d-9348-eaaaa5f8e7e2._msdcs.Data.sec could not
 be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (ec55eee5-8172-484d-9348-eaaaa5f8e7e2._msdcs.Data.sec) couldn't be
         resolved, the server name (b59hope.Data.sec) resolved to the IP
         address (192.168.1.2) and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... B59HOPE failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\B59HOPE
      Skipping all tests, because server B59HOPE is
      not responding to directory service requests

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : Data
      Starting test: CrossRefValidation
         ......................... Data passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Data passed test CheckSDRefDom

   Running enterprise tests on : Data.sec
      Starting test: Intersite
         ......................... Data.sec passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... Data.sec failed test FsmoCheck

It looks like the Server service (lanmanserver) is the root of most of the troubles, but why would this have been removed and how do I get it back?

cheers
jarremopoulos:

This might help you:

http://support.microsoft.com/default.aspx?scid=kb;en-us;272294

Then check that netlogon.dns file in \system32\config\. Make a copy of that file and open it with WordPad/Notepad. Also open the original netlogon.dns in WordPad. The syntax should be something like this:

**QUOTE from  http://www.oreilly.com/catalog/dnswin2/chapter/ch11.html

movie.edu. 600 IN A 192.249.249.3
_ldap._tcp.movie.edu. 600 IN SRV 0 100 389 terminator.movie.edu.
_ldap._tcp.pdc._msdcs.movie.edu. 600 IN SRV 0 100 389 terminator.movie.edu.
_ldap._tcp.6e10690c-40a2-4383-98a7-c716ef9266d1.domains._msdcs.movie.edu.
    600 IN SRV 0 100 389 terminator.movie.edu.
260aad2b-3ce7-41c2-923e-8e7bec165788._msdcs.movie.edu. 600 IN CNAME
    terminator.movie.edu.
_kerberos._tcp.dc._msdcs.movie.edu. 600 IN SRV 0 100 88 terminator.movie.edu.
_ldap._tcp.dc._msdcs.movie.edu. 600 IN SRV 0 100 389 terminator.movie.edu.
_kerberos._tcp.movie.edu. 600 IN SRV 0 100 88 terminator.movie.edu.
_kerberos._udp.movie.edu. 600 IN SRV 0 100 88 terminator.movie.edu.
_kpasswd._tcp.movie.edu. 600 IN SRV 0 100 464 terminator.movie.edu.
_kpasswd._udp.movie.edu. 600 IN SRV 0 100 464 terminator.movie.edu.
_ldap._tcp.Default-First-Site-Name._sites.movie.edu. 600 IN SRV 0 100 389
    terminator.movie.edu.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.movie.edu.
    600 IN SRV 0 100 88 terminator.movie.edu.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.movie.edu.
    600 IN SRV 0 100 389 terminator.movie.edu.
_kerberos._tcp.Default-First-Site-Name._sites.movie.edu.
    600 IN SRV 0 100 88 terminator.movie.edu.
_ldap._tcp.gc._msdcs.movie.edu. 600 IN SRV 0 100 3268 terminator.movie.edu.
gc._msdcs.movie.edu. 600 IN A 192.249.249.3
_gc._tcp.movie.edu. 600 IN SRV 0 100 3268 terminator.movie.edu.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.movie.edu.
    600 IN SRV 0 100 3268 terminator.movie.edu.
_gc._tcp.Default-First-Site-Name._sites.movie.edu. 600 IN SRV 0 100 3268
    terminator.movie.edu.

**QUOTE ENDS
Every IP address in _ldap, _gc, _kerberos and the first row must be the LAN adapter IP address. You can manually edit this file and then overwrite the original. First check the KB article. It's possible that you must install AD again. But try this first and then reboot.



_JMpouloZ
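A way to check the netlogon.dns records this reply describes, as an added example that is not code from the thread: it parses records in the format of the quoted listing (including the indented continuation lines) and flags any A record or SRV target that points at the internet-side NIC instead of the LAN adapter. The sample records and the host-to-address map are constructed from the thread's names (LAN NIC 172.16.1.1, internet NIC 192.168.1.2, DC b59hope.Data.sec); nothing is looked up on the network.

```python
"""Check DC locator records in a netlogon.dns-style file against the LAN adapter.
Added example, not code from the thread; sample records are constructed from the
thread's names (LAN NIC 172.16.1.1, internet NIC 192.168.1.2, DC b59hope)."""

SAMPLE_NETLOGON_DNS = """\
Data.sec. 600 IN A 172.16.1.1
_ldap._tcp.Data.sec. 600 IN SRV 0 100 389 b59hope.Data.sec.
_kerberos._tcp.dc._msdcs.Data.sec. 600 IN SRV 0 100 88 b59hope.Data.sec.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.Data.sec.
    600 IN SRV 0 100 389 b59hope.Data.sec.
gc._msdcs.Data.sec. 600 IN A 192.168.1.2
"""
# Constructed: the asker had an A record per NIC, so the DC's own name resolves to both.
SAMPLE_HOST_IPS = {"b59hope.data.sec.": ["192.168.1.2", "172.16.1.1"]}

def _logical_lines(text):
    """Join indented continuation lines (as in the quoted listing) onto their record."""
    lines = []
    for raw in text.splitlines():
        if raw[:1].isspace() and lines:
            lines[-1] += " " + raw.strip()
        elif raw.strip():
            lines.append(raw.strip())
    return lines

def parse_netlogon_dns(text):
    """Return (owner, type, rdata) tuples from 'owner TTL IN TYPE rdata' lines."""
    records = []
    for line in _logical_lines(text):
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError(f"unexpected record line: {line}")
        records.append((parts[0].lower(), parts[3].upper(), " ".join(parts[4:])))
    return records

def find_misregistered(records, lan_ip, host_ips):
    """List (owner, reason) for each A record or SRV target not pinned to lan_ip."""
    problems = []
    for owner, rtype, rdata in records:
        if rtype == "A" and rdata != lan_ip:
            problems.append((owner, f"A record {rdata} is not LAN address {lan_ip}"))
        elif rtype == "SRV":
            target = rdata.split()[-1].lower()  # SRV rdata: priority weight port target
            # An unresolvable target is reported too, since the locator cannot use it.
            off_lan = [ip for ip in host_ips.get(target, ["<unresolved>"]) if ip != lan_ip]
            if off_lan:
                problems.append((owner, f"SRV target {target} resolves to {off_lan}, not only {lan_ip}"))
    return problems
```

Run find_misregistered(parse_netlogon_dns(SAMPLE_NETLOGON_DNS), "172.16.1.1", SAMPLE_HOST_IPS) to see the gc A record and every SRV target flagged; once the DC name has only the LAN A record, only the gc entry remains.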