ComputerMensch


Help! Windows Server 2003 Newbie

I'm trying to set up a domain controller in a 10 client office.  Currently they are a windows peer-to-peer network and I need the new server to be the file server and to contain the domain for everyone to access it.

I've set up the DNS service so that it points to itself and it is forwarding out for access to the Internet.  I'm not clear on how to configure the DHCP and AD services to get my clients onto the domain.  Right now, I can't even ping the server from another machine.  Please let me know what other information you need to help me through this.  I'm a little out of my element here.

Thanks!
ASKER CERTIFIED SOLUTION
Bradley Fox
Below is a link to all of M$ Step by Step guides to Active Directory.  A lot will not pertain to you since  you have such a small network and only 1 site.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/default.mspx
ComputerMensch (ASKER)

Thank you.  I'll probably have some more questions, but this should get me started.
mcsween - Outstanding answer :^)
Some questions (I told you I'd be back...)

When setting the scope, do I keep the addresses on the current address scheme?  That is, right now, the server itself is statically assigned 192.168.1.104.  Do I then make the address range in the scope 192.168.1.nnn, or do I make that something else (i.e. 192.168.0.nnn)?

Step 7:  Not sure what the gateway address would be.  Is that the static address of the server?

Step 8:  How do I set the client's IP stack to get an address through DHCP?  Do you mean to have it get assigned a dynamic address?

Many, many thanks,
Frank
You want to set the DHCP scope to be within the same subnet.  I.e. if you set the server IP to 192.168.1.104 with a subnet of 255.255.255.0 then your DHCP scope should be 192.168.1.x

If your server is 104 then I would start my scope at 192.168.1.105 and go to say 192.168.1.140 or something (you said you only had 10 clients so your scope should have a minimum of 15 addresses, I always set way more than I need.)  The subnet should be Class C (255.255.255.0)

The gateway address is the IP address of your internet gateway.  If you do not have internet (or any WAN links) then you can opt to leave this blank.  You want to make sure you use a hardware firewall (even if it's only a Linksys) for your internet gateway.  Your gateway is usually .1 for whatever network you are on (i.e. 192.168.1.1)

Yes, setting the IP stack to obtain through DHCP means assigning a dynamic address.
RC My Network Places, Properties
RC Your NIC, Properties
DC TCP/IP
Check off "Obtain an IP address automatically" and "Obtain DNS server addresses automatically"
BTW Thanks for the kudos PeteLong!
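The scope advice above (same subnet as the server, stay clear of the statically assigned server and gateway, leave room beyond the 10 clients) is easy to get wrong by one octet. The following is an added example, not code from this thread or from Microsoft: a small PowerShell check that takes the planned values and reports any address that is outside the server's subnet, any static host that falls inside the DHCP range, and the number of leases the range provides. The function and parameter names are my own; the sample values are the ones used in the thread (server .104, router .1, scope .105 to .140, mask 255.255.255.0).

```powershell
# Added example (not from the thread): sanity-check a planned DHCP scope
# against the server, gateway and any other statically addressed hosts.

function ConvertTo-AddressNumber {
    # Convert a dotted IPv4 string to a [long] so addresses can be compared and masked.
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { throw "$Address is not an IPv4 address" }
    $b = $ip.GetAddressBytes()
    # Plain [long] arithmetic: no signed 32-bit overflow and no operator type surprises.
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Test-DhcpScopePlan {
    param(
        [Parameter(Mandatory)][string]$ServerIP,     # static address of the DC / file server
        [Parameter(Mandatory)][string]$SubnetMask,   # e.g. 255.255.255.0
        [Parameter(Mandatory)][string]$Gateway,      # the router's LAN address
        [Parameter(Mandatory)][string]$ScopeStart,
        [Parameter(Mandatory)][string]$ScopeEnd,
        [string[]]$OtherStaticHosts = @()            # printers, test clients, etc.
    )
    $mask      = ConvertTo-AddressNumber $SubnetMask
    $network   = (ConvertTo-AddressNumber $ServerIP) -band $mask
    $broadcast = $network -bor (4294967295 -bxor $mask)
    $start     = ConvertTo-AddressNumber $ScopeStart
    $end       = ConvertTo-AddressNumber $ScopeEnd
    $problems  = @()

    # Every address handed out or configured statically must share the server's subnet.
    foreach ($h in @($Gateway, $ScopeStart, $ScopeEnd) + $OtherStaticHosts) {
        if (((ConvertTo-AddressNumber $h) -band $mask) -ne $network) {
            $problems += "$h is not in the same subnet as the server ($ServerIP / $SubnetMask)"
        }
    }
    if ($start -gt $end) { $problems += "scope start $ScopeStart is after scope end $ScopeEnd" }
    if ($start -le $network -or $end -ge $broadcast) {
        $problems += "scope must lie strictly between the network and broadcast addresses"
    }
    # A static host inside the range will eventually collide with a lease.
    foreach ($h in @($ServerIP, $Gateway) + $OtherStaticHosts) {
        $n = ConvertTo-AddressNumber $h
        if ($n -ge $start -and $n -le $end) { $problems += "static address $h falls inside the DHCP range" }
    }

    [pscustomobject]@{
        Ok        = ($problems.Count -eq 0)
        Addresses = [int]($end - $start + 1)   # leases available in the range
        Problems  = $problems
    }
}

# Usage with the values discussed in the thread (and the .150 test client mentioned later).
Test-DhcpScopePlan -ServerIP '192.168.1.104' -SubnetMask '255.255.255.0' -Gateway '192.168.1.1' `
    -ScopeStart '192.168.1.105' -ScopeEnd '192.168.1.140' -OtherStaticHosts '192.168.1.150'
```

With those inputs the check passes and reports 36 addresses; change the scope end to 192.168.0.140 or move the gateway inside the range and the Problems list explains exactly which rule from the thread was broken.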
Thanks much!  I'll be back next week after wrestling it to the ground.

Frank
I got through step 10 on the list, but I'm still unable to find the domain from a client so that I can set it.

When I obtain an IP automatically, I simply obtain it from the current DNS server (external).  

As I said, I'm a newbie to client/server.  Perhaps I have the wrong physical connections?  Right now we have a switch taking an uplink from the router.  I have the server attached to the switch.  Should it be between the router and the switch, perhaps?  It does have two NICs.

Thanks and sorry for being so dense about this.

Frank
The network should look like this

INTERNET <---------> ROUTER <----------> SWITCH <----------> SERVER AND CLIENTS

You have to have DNS set up on your domain controller (i.e. Start, Run, dnsmgmt.msc); there should be a forward lookup zone with the same name as your domain

The server and clients should point to the server's IP for DNS in their TCP/IP settings.  If you are allowing the router to assign addresses via DHCP, turn it off and set up DHCP on the server.  The router will assign an external DNS server to the clients and you want it to look at your local DNS server.  The Windows DNS server should have forwarders set up to query internet DNS addresses for your clients.

At the server make sure it has a static IP and the DNS address points at itself.  After you have verified this, stop and then restart the Netlogon service.  (This will make sure all domain DNS records exist correctly.)

Make sure the client is using DNS from your server and try to join the domain again.

Also make sure you are assigning IP addresses on the same network.  I.e. if your router's INTERNAL address is set to 192.168.1.1 with a 255.255.255.0 subnet mask then make sure the server and all clients have 192.168.1.x with a 255.255.255.0 address.  The gateway in this circumstance would be 192.168.1.1.  You cannot duplicate any IP addresses on the network either so make sure they are all unique (or use DHCP).
Okay.  I have the DNS set up on the domain controller with forward lookup zones.  The server has a static IP address and is pointing to itself (its IP address is 192.168.1.104 and it is pointing to the same for DNS).  

Now, what I think I hear you saying is that I have to get into the router's administration utility itself and turn off DHCP, correct?

One other dumb question:  I can't ping the server.  Is that because of the NAT security?

Thanks,
Frank
yes, that is correct, turn off DHCP on the router.

Your PCs are plugged into the same switch as the Server, correct?  NAT security is to prevent intruders from coming in from outside.  It will not affect your Client to Server communication.

If the server has a static IP of 192.168.1.104 then the clients must have an ip of 192.168.1.x (where x is any number from 1 - 254)

Let's try and get this going via static IPs before we bring DHCP into the mix.

In your router's config assign its LAN address to 192.168.1.1
In your router's config disable DHCP
On the server set the gateway to 192.168.1.1
Assign 1 client the IP address of 192.168.1.150 with a subnet of 255.255.255.0, a gateway of 192.168.1.1, and DNS should be 192.168.1.104

Try and ping the server by both name and IP.  If this works then add the workstation to the domain.

From there you can install DHCP on the server and configure that to hand out the IPs.
Oh and forwarders must be set up on the server unless you have the root hints (don't use the root hints)

Start, Run, dnsmgmt.msc (enter)
RC the server name, properties
Add your ISPs DNS servers to the list.
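The static-IP test above boils down to four facts that must hold on the client before a join can work: the client's DNS server list contains the DC, the DC answers pings by IP, the DC's own DNS serves the domain's DC locator record (the one Netlogon registers, which is why the earlier reply says to restart that service), and the DC answers by name. The script below is an added example, not part of this thread or of any Microsoft guide: it runs those checks from a modern Windows client (it assumes the DnsClient and NetTCPIP modules that ship with Windows 8 / Server 2012 and later, so it would not run on the XP-era clients in the thread) and only then offers the join with the fully qualified domain name and `DomainName\Administrator` credentials as the thread advises. `mydomain.local`, `MYDOMAIN` and the function name are placeholders of my own.

```powershell
# Added example (not from the thread): verify a client is ready to join the domain.
# Assumes Windows 8 / Server 2012 or later (Resolve-DnsName, Get-DnsClientServerAddress).

function Test-DomainJoinReadiness {
    param(
        [Parameter(Mandatory)][string]$DomainFqdn,   # placeholder, e.g. mydomain.local
        [Parameter(Mandatory)][string]$DcIP          # e.g. 192.168.1.104 as in the thread
    )
    $result = [ordered]@{}

    # 1. The client must use the DC for DNS, not the ISP servers a router's DHCP hands out.
    $dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses }
    $result.ClientUsesDcForDns = $dnsServers -contains $DcIP

    # 2. Reachability by IP.
    $result.PingDcByIP = Test-Connection -ComputerName $DcIP -Count 2 -Quiet

    # 3. The DC locator SRV record must exist in the DC's own DNS zone.
    #    Netlogon registers it; if it is missing, restarting Netlogon on the DC re-registers it.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -Server $DcIP -ErrorAction Stop
        $dcNames = @($srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget })
        $result.DcSrvRecordFound = ($dcNames.Count -gt 0)
        $result.DcHostNames      = $dcNames
    } catch {
        $result.DcSrvRecordFound = $false
        $result.DcHostNames      = @()
    }

    # 4. Reachability by name (the thread asks for a ping by both name and IP).
    $result.PingDcByName = $false
    if ($result.DcHostNames.Count -gt 0) {
        $result.PingDcByName = Test-Connection -ComputerName $result.DcHostNames[0] -Count 2 -Quiet
    }

    $result.Ready = $result.ClientUsesDcForDns -and $result.PingDcByIP -and
                    $result.DcSrvRecordFound -and $result.PingDcByName
    return [pscustomobject]$result
}

# Usage: run the checks, then join only when all four pass, using the FQDN and
# domain administrator credentials (DomainName\Administrator) as advised in the thread.
$check = Test-DomainJoinReadiness -DomainFqdn 'mydomain.local' -DcIP '192.168.1.104'
$check | Format-List
if ($check.Ready) {
    Add-Computer -DomainName 'mydomain.local' -Credential (Get-Credential 'MYDOMAIN\Administrator') -Restart
}
```

The first check failing is the symptom Frank describes ("I simply obtain it from the current DNS server (external)"): while the router is still the DHCP server, the client never learns about the DC's DNS, and the SRV lookup in step 3 can only succeed when asked of the DC directly.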
Thank you!  I will be back next week on this when I can get in here without the users being around.

The forwarders are set up to the ISP's DNS.

Thanks,
Frank

P.S.  Root hints did get set up during one of the setup processes.  Do I need them?  Should I get rid of them?
As long as you have a forwarder set up, root hints won't get used.
Okay.  Here goes:

I tore what was left of my hair out and was on the phone yesterday with a man from the company that owns the router.  He was rightfully reluctant to release the username and password for me to disable the DHCP and I was kind of reluctant to disable it on a wing and a prayer largely because one thing bothered me:  I couldn't ping the server from anywhere.  I wasn't convinced that the problem lay with DHCP.

I took out all of the services (DHCP, DNS, AD) to see if I could ping the server as just another machine on the same subnet.  I couldn't.  I then swapped the ethernet cord from the NIC it was attached to, to the second NIC.  That did it!  Apparently, the NIC that is the primary card is configured strangely (it can go out, but no one can get in).

This morning I reconfigured the AD, DNS and DHCP complete with all the forwarding.  I was still able to ping the server so I then set my test machine (my personal notebook) to get its DNS from the server with the default gateway as the server as well.  That worked beautifully.  Finally, I tried to join the domain after setting up a user account.  It found the domain (that was a relief) but is now giving me an "access denied" failure.  I assume that has to do with the username/password combination, but I can't seem to get it to accept my machine.

Any suggestions?

I thank you profusely for your assistance.  If I could give more than 500 points, I would.

Frank
When joining the domain you have to specify the Domain Administrator credentials because a computer account needs to be created.  Try to join the domain again (use the FQN name like mydomain.local instead of the netbios name)

When prompted to enter user/pass enter the domain administrator credentials like this

DomainName\Administrator

Once you are joined to the domain you can log onto the laptop as the user you created.


The issue with the 2 NICs is probably that you were configuring one but had your network patched into the other.  Possibly the one you were plugged into doesn't have drivers loaded for it and isn't appearing under My Network Places properties.

Did they finally turn off DHCP on the stinking router?  I have found that ISPs are a pain with that sometimes but a threat to switch companies (whether empty or not) usually takes care of their resistance.
FYI - DomainName above is generic for whatever your actual domain name is.
Thanks for the quick reply.  They didn't turn off the DHCP.  I can't say I blame them (security is kind of paramount, after all).  Once I was able to actually see the machine, everything else fell into place.  The test client logs in now (once I set up groups and assigned the user to administrators and whatever other group it belonged to).  The only problem I'm having now is that I don't seem to be able to find any shares.

When I go to Network Places and do a search in the Active Directory, I come up empty.  Oddly, I can find users, groups and machines, but no shares.  I've created about 10 new shares and have placed the groups I'm in into them but I'm not having any luck.  Is there something I need to do on the client end?

Thanks,
Frank
If you want shares to be searchable you will have to create share objects in AD.  This is done from AD Users and Computers.  

RC the OU you want to create the share in and select New, Shared Folder

FYI - You will not be able to run 2 DHCP servers on your network and without using the MS DHCP server you cannot take advantage of Dynamic DNS registration.  I would call the ISP again and tell them that if they won't give you the user/pass for the router then they can either send someone out for free to turn it off or just come pick up their equipment.  ISPs are a dime a dozen.
That makes me mad!!  They have no right to tell you that you have to run their crappy DHCP server on your network.

Sorry just blowing off some steam but that's just not right!
Don't worry about the DHCP.  I can have the company disable it at will - I can live with that.  It's the co-ordination of that effort that concerns me more than anything.  It's not getting in my way at the moment and it wasn't responsible for the previous spate of problems.

I'm fairly sure that I used the above method to create the shares.  They show up as shares on the server side and I can see them by going into Windows Network.  But an Active Directory search is not picking them up.

I'll be back there on Friday, so I'll see what I can do to create some other test share to see if it's something I'm doing on the server side.

Frank
You shared the folders from the server and created the shared folder objects in AD?

When you open AD Users and Computers do you see share objects in one of the OUs?  If not they need to be created.  Shared folders are not automagically published to AD when they are shared like printers are.
I'm sorry.  It never ends.  I'm still experiencing some sort of DNS problem.

I've published a share under Users and associated with a shared directory that I've created.  It shows up under Users and is searchable from a test client.  However, I get the message: "Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied."  I can, however, access and map using the IP address.  Could this be a result of the dual DHCP?

Thanks,
Frank Aronson
I want to thank you again for all your help.  I think I've got most of everything under control (I got past the above issue by fully qualifying the domain name when creating the shared folders).  This is a fine "quick cookbook" for setting things up.  I can't thank you enough!

Frank Aronson
You're welcome.

FYI - Always use the FQN whenever possible.
FQN = DNS resolved
Netbios Name = WINS resolved (broadcast if no WINS)
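Two points from the later part of the thread fit together: shared folders are not published to AD automatically (you create a Shared Folder object in an OU, as described under "New, Shared Folder"), and the "Configuration information could not be read from the domain controller" error went away once the share was created with the fully qualified server name. The following is an added example, not code from this thread or from Microsoft: it publishes a share as an AD Shared Folder object (objectClass `volume`, UNC path in the `uNCName` attribute) while refusing a short NetBIOS server name, and then lists what a client's "search Active Directory for shared folders" would find. It assumes the ActiveDirectory PowerShell module (RSAT), which did not exist for Server 2003; the share, server, OU and domain names are placeholders of my own.

```powershell
# Added example (not from the thread): publish a file share as an AD Shared Folder
# object and list the published shares. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Publish-SharedFolderInAD {
    param(
        [Parameter(Mandatory)][string]$ShareName,            # display name of the AD object
        [Parameter(Mandatory)][string]$UncPath,              # \\server.mydomain.local\share
        [Parameter(Mandatory)][string]$OuDistinguishedName,  # OU that holds the object
        [string[]]$Keywords = @()                            # optional, searchable from clients
    )
    # Insist on the server's FQDN in the path: \\fs1.mydomain.local\share, not \\fs1\share.
    # The thread's "configuration information could not be read" error was cleared by
    # fully qualifying the name; a FQDN also resolves through DNS instead of NetBIOS/WINS.
    if ($UncPath -notmatch '^\\\\[^\\]+\.[^\\]+\\[^\\]+') {
        throw "Use the server's fully qualified name in the UNC path, e.g. \\fs1.mydomain.local\share"
    }

    # Shared Folder objects have objectClass 'volume'; do not create a duplicate.
    $existing = Get-ADObject -Filter "objectClass -eq 'volume' -and name -eq '$ShareName'" `
        -SearchBase $OuDistinguishedName
    if ($existing) { return $existing }

    $attrs = @{ uNCName = $UncPath }
    if ($Keywords.Count -gt 0) { $attrs.keywords = $Keywords }
    New-ADObject -Name $ShareName -Type volume -Path $OuDistinguishedName `
        -OtherAttributes $attrs -PassThru
}

function Find-PublishedShare {
    # Equivalent of the client-side "Search Active Directory > Shared Folders".
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADObject -Filter "objectClass -eq 'volume'" -SearchBase $SearchBase -Properties uNCName, keywords |
        Select-Object Name, uNCName, keywords, DistinguishedName
}

# Usage with placeholder names (share the folder on the file server first; this only
# publishes the pointer, it does not create the SMB share itself).
Publish-SharedFolderInAD -ShareName 'Accounting' -UncPath '\\fs1.mydomain.local\Accounting' `
    -OuDistinguishedName 'OU=Shares,DC=mydomain,DC=local' -Keywords 'finance'
Find-PublishedShare -SearchBase 'DC=mydomain,DC=local'
```

The published object is only a pointer: permissions still come from the share and NTFS ACLs on the file server, so a share that the client cannot find in AD may still be reachable by UNC path, which is exactly what Frank saw when mapping by IP address worked while the AD search came up empty.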