Correct way to setup Active Directory in this Environment

Posted on 2004-03-28
Last Modified: 2010-03-19
Here is the setup I just did for a business.

DSL > Pix 501 > Switches > AS400 Server & Win2k3 SBS server

The Pix, I believe, is giving out the DHCP IPs.  I set the win2k3 machine to a static IP of (192.168.5.x is everything else) - I'm coming into this network blind, so I didn't configure the Pix or the AS400.  They have a domain name they use, but it's not hosted by them nor is their email.  So when I was setting up Active Directory I didn't do I did companyname and AD said I need to install DNS Server.  So I did all this, installed the DNS server and installed the domain with just companyname.  Well, the computers now joined to the domain seem to work sometimes and not work sometimes with the given IPs from the Pix.  When I say work - sometimes they flip out and say they can't find the domain, when other times they can find it just fine.  For instance I have "password must be changed xxxxx" and so when I go to log in with one of the XP machines it says "password must be changed" as soon as I hit enter, so I type in my old password and the 2 new ones and I hit enter and it takes forever and then times out saying the domain is unavailable...  it's really strange?  I kind of blew it off and was able to map network drives on a few of the computers, but after I mapped them, it couldn't get to them b/c it couldn't authenticate b/c the domain was unavailable again... it's really strange...

A possible solution I found is this: to set the DNS server IPs on the client machines to point to the local IP of the server...  however, this defeats the freedom of DHCP, but in initial trials it works, and it makes sense why it works; however this can't be the only way to do this.  Another possible solution I had was to configure the PIX to throw out the server IP for the DNS via DHCP; however, I don't want their internet to rely on a win2k3 server being up and running...

So basically, how do you configure a "local/inhouse" domain without having a ".com" or ".net" ...  I have access to my own webhosting company's DNS so I could make a and point it to their net IP and map that then through the Pix; however, there has to be a better solution.

I have to go back out tomorrow with a solution, so any help would be great.

Question by:NickUA

Expert Comment

ID: 10702147
You seem to  have two problems here:
"i did companyname" is the first one. If possible in any way, re-create your AD. A single-label domain brings all sorts of problems with it. Call it companyname.local or whatever.
As for your DNS, your domain members definitely *have* to point *only* to your internal DC/DNS server for your AD to work; the DNS settings on the DNS server should point only to itself (the actual IP, not as well. For internet name resolution to work, delete the root zone on your DNS and configure forwarders.
See the following articles for more information:

Information About Configuring Windows 2000 for Domains With Single-Label DNS Names

Considerations for Designing Namespaces in Windows 2000-Based Domain

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS

Windows 2000 DNS and Active Directory Information and Technical Resources

HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows 2000

HOW TO: Configure DNS for Internet Access in Windows 2000

Setting Up the Domain Name System for Active Directory

Troubleshooting Common Active Directory Setup Issues in Windows 2000

How to Verify the Creation of SRV Records for a Domain Controller

How Domain Controllers Are Located in Windows

How Domain Controllers Are Located in Windows XP

Author Comment

ID: 10704245
After reading, it sounds like I need to do Companyname.internal as the domain name.  And make sure DNS is configured pointing to itself... the internal IP of ... and still need to have the win2k & win2k3 clients use the server as DNS?  Am I right?  Guess my next solution would be to configure the Pix to throw out the server DNS IPs.


Expert Comment

ID: 10705607
You're correct; all your domain members (and the DC/DNS server itself) need to point only to your internal DNS or, as you've experienced already, they won't be able to find the domain controller, and the DC won't be able to register the necessary SRV records (which will prevent the clients from finding the domain as well).
As for the single-label domain, since you seem to have only set up the machine recently, a fresh installation might be your best choice.
Renaming a domain is theoretically possible in W2k3, but since you're probably running an Exchange server on your SBS, you should only try this if you're feeling really adventurous. Microsoft will offer a Webcast addressing this in June; the Exchange renaming seems to require an additional tool "XDR-Fixup", which is not available yet.

Windows Server 2003 Domain Rename Tools

TechNet Support WebCast: Renaming domains when Microsoft Exchange Server 2003 is in the Active Directory (KB 838623)
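As an added check illustrating the two expert answers above (this is not code from the thread), the Python script below parses constructed `ipconfig /all` and `nslookup -type=SRV` output and flags the misconfigurations discussed: a single-label domain name, a client whose DNS servers include anything other than the internal DC/DNS server, and a missing DC locator SRV record. The hostnames, the 192.168.5.x addresses and the Pix at 192.168.5.1 are assumptions.

```python
import re

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed samples (not from the thread): a client whose first DNS server
# is the Pix, and an nslookup of the DC locator SRV record on the DC itself.
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : companyname.internal
        Default Gateway . . . . . . . . . : 192.168.5.1
        DNS Servers . . . . . . . . . . . : 192.168.5.1
                                            192.168.5.10
"""
NSLOOKUP_SAMPLE = """\
> set type=SRV
> _ldap._tcp.dc._msdcs.companyname.internal
_ldap._tcp.dc._msdcs.companyname.internal   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc01.companyname.internal
"""

def parse_dns_servers(ipconfig_text):
    """DNS servers from `ipconfig /all`: first on the 'DNS Servers' line,
    any others on indented continuation lines holding just an address."""
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        if "DNS Servers" in line:
            collecting = True
            servers += IP_RE.findall(line)
        elif collecting and IP_RE.fullmatch(line.strip()):
            servers.append(line.strip())
        else:
            collecting = False
    return servers

def parse_srv_hosts(nslookup_text):
    """Hostnames advertised by SRV answers in `nslookup` output."""
    return re.findall(r"svr hostname\s*=\s*(\S+)", nslookup_text)

def audit_ad_dns(domain, dc_ips, client_dns, srv_hosts):
    """Rules from the thread: FQDN domain name, clients resolve only via the
    internal DC/DNS server, and the DC has registered its LDAP SRV record."""
    findings = []
    if "." not in domain:
        findings.append(f"single-label domain '{domain}'; use {domain}.internal or similar")
    for ip in client_dns:
        if ip not in dc_ips:
            findings.append(f"client DNS server {ip} is not the internal DC/DNS server")
    if not srv_hosts:
        findings.append(f"no _ldap._tcp.dc._msdcs.{domain} SRV record found")
    return findings
```

Run the parsers over real `ipconfig /all` and `nslookup` output from a flaky client to see which of the three rules it breaks.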

Author Comment

ID: 10710151
One last question.  The IP settings of the Lan Adapter of the server are as follows:

Gateway: (pix)

DNS:   (should this be

DNS Server on the server seems to be working fine, as does the DHCP server I made that throws out the above settings to the clients.  All the clients get the DHCP just fine; however, every now and then one machine says it can't find the domain controller, or it'll get an IP and resolve DNS but won't receive any traffic.   I can nslookup and ping everything and get an IP; however, no webpages will load or anything and ping requests time out.  I'm using Small Business Server with "5 user license".  There are actually like 10 computers, so I was interpreting the license as "user licenses" since 1/2 the machines just sit there for UPS shipping stuff and things of that nature.  However, the computers, when they lose connection, seem to be random and I can't isolate it to any one thing; eventually they'll continue their normal usage just fine.  Could this be a license issue with SBS limiting connections and resources somehow and only allowing 5 things at once?  Or could this be a config problem?  It's really strange; if it's a license issue I'll just buy more licenses but I want to be absolutely certain.  I think all of my settings are correct.  I went ahead and recreated my domain and named it companyname.internal    -    I'm 99% sure the DNS server and whatnot is working for all the clients b/c again I can resolve IPs, just can't get any traffic coming through.  The Pix is the gateway - but this shouldn't limit anything, it never has before.  Can I use the win2k3 SBS machine as the gateway or do I need to add anything else to the install?



Author Comment

ID: 10714479
omfg - the problem was the power cord on the friggen firewall...  it had a short in it and kept coming on and off - that's why they kept losing internet - how friggen ridiculous is that??!??!?!?!!

Let me let this ride for a little while and see what happens.


Accepted Solution

CetusMOD earned 0 total points
ID: 11171170
PAQed, with points refunded (500)

Community Support Moderator
