D00Dness
asked on
New Build -- Win2003 STD
Good evening -- It seems that I'm re-thinking what I did when I first built my box. Here is my situation ..... After moving into our new building, we decided to get away from DSL and go business cablemodem 4mb service ..... my supv also decided to get rid of the Cisco 2600 router and put in place a Linksys cablemodem router with NAT and just have everyone connect to the internet through the router as if they were home .. (I know, I know, don't ask why) .... :) ..
but during the move, our primary server took a dive and was unusable and had to be rebuilt ..... So I had the lovely pleasure of building this box this past week ..... during that time, the requirement came to just have the users log into the server just to back up their software code and any working documents .. almost like a CM storage box ... after conferring with some other techies, we all agreed on this philosophy (sp) .... seeing how our business is growing fast and eventually the laptops will be phased out and desktops phased in, we decided to configure the server as the DC server with AD since we are the primary site for the business and eventually users will use the server the proper way ......
After finishing the build today, I wanted to start using the AD potential and have the users share drives on the server be mapped automatically ..... so I did some research and found this great .vbs script .. after following the directions the script worked locally but not on the workstations... I of course posted a question here and was pleased to have Luv2Smile help me with my problem.... but it seems from talking to him that I may have DNS issues.......
After taking his advice and loading DNS I'm still not sure that I did it right ... so .... how do I know if I loaded the DNS properly?? In my TCP/IP settings I set the DNS server to 127.0.0.1 and I can surf the web fine ... Luv2Smile thinks the DNS could be messing with my group policy problem .... any ideas guys??? Let me know if you need more info .. or have any suggestions ... Thanks ...
Also it sounds like you only have one DC ??
ASKER
Thanks much for the help so far ... I'll see if I can remote in soon and try out the above information .. as for the 1 DC .. yes .. I did that purposely because of expansion ..... unless that was a mistake .. tks ..
>>>After taking his advice and loading DNS I'm still not sure that I did it right ... so .... how do I know if I loaded the DNS properly?? In my TCP/IP settings I set the DNS server to 127.0.0.1 and I can surf the web fine ... Luv2Smile thinks the DNS could be messing with my group policy problem .... any ideas guys??? Let me know if you need more info .. or have any suggestions ... Thanks ...
Yes ... there is a problem with your DNS server now, because when you installed Active Directory on your computer, at that time DNS was pointing to 127.0.0.1 (so it's a loopback IP address) and the DC SRVs registered with this address. Now you point your DNS server to use the local IP address assigned to this server and then follow the steps to re-register the DC SRVs. DC SRVs are used by all services in your network ... for example: Winlogon.exe sends a DNS query to the DNS server to find a Domain Controller. This query is not sent as a Host query but as an SRV query (Service Location) for the LDAP and Kerberos protocols. Winlogon needs to retrieve a list of Group Policy applied to the user or computer ... and obviously with the help of the SRVs registered in DNS.
To verify DNS registration for domain controllers using the nslookup command
1. Open Command Prompt.
2. Type:
nslookup
3. After the previous command completes, at the nslookup (">") prompt type:
set q=rr_type
4. After the previous command completes, type:
_ldap._tcp.dc._msdcs.Active_Directory_domain_name
5. Review the output of the previous SRV query and determine if further action is needed based on whether the previous query succeeded or failed:
Ref: -
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_tro_VerifyDomainSrvLocRRs.asp
Please follow the steps. Everything should work fine: -
1. Stop Netlogon service.
2. Open DNS Console.
3. Delete Active Directory Integrated Zone.
4. Stop and Start DNS Service.
5. Close and Re-open DNS Console.
6. Re-create DNS Zone (domain_name)
7. Start Netlogon service.
8. Issue ipconfig /registerdns.
Let me know.
Thanks
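Added example (not part of the original answer): for an SRV lookup, the `rr_type` placeholder in step 3 stands for the record type, so the command is `set q=srv`. The Python sketch below reviews the nslookup output from step 5 and flags the loopback conditions this thread describes; the sample output, `example.local`, `dc1` and the function name `check_dc_srv` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of Windows nslookup output after "set q=srv" and a query
# for _ldap._tcp.dc._msdcs.example.local (all names and addresses are made up).
SAMPLE_OUTPUT = """\
Server:  localhost
Address:  127.0.0.1

_ldap._tcp.dc._msdcs.example.local      SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.example.local
dc1.example.local       internet address = 127.0.0.1
"""


def check_dc_srv(output):
    """Return a list of problems found in one nslookup SRV answer."""
    problems = []
    # Header: the DNS server nslookup itself queried.
    m = re.search(r"^Address:\s+(\S+)", output, re.M)
    if m and ipaddress.ip_address(m.group(1)).is_loopback:
        problems.append("resolver is loopback " + m.group(1))
    # Each SRV answer names a target host and a port (LDAP is 389).
    targets = re.findall(r"svr hostname\s*=\s*(\S+)", output)
    ports = [int(p) for p in re.findall(r"^\s*port\s*=\s*(\d+)", output, re.M)]
    if not targets:
        problems.append("no SRV record returned")
    if any(p != 389 for p in ports):
        problems.append("unexpected LDAP port")
    # Host records printed after the SRV answer: host -> list of addresses.
    addrs = {}
    for host, ip in re.findall(r"^(\S+)\s+internet address = (\S+)", output, re.M):
        addrs.setdefault(host, []).append(ip)
    for host in targets:
        if host not in addrs:
            problems.append(host + " has no A record in the answer")
        for ip in addrs.get(host, []):
            if ipaddress.ip_address(ip).is_loopback:
                problems.append(host + " resolves to loopback " + ip)
    return problems


if __name__ == "__main__":
    for line in check_dc_srv(SAMPLE_OUTPUT) or ["SRV registration looks sane"]:
        print(line)
```

An empty list means the domain controller locator record exists, uses the LDAP port and points at a host with a non-loopback address.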
ASKER
Tks guys!!! Well here is the odd thing ... I did what you suggested SystmProg but the "set q=rr_type" is not recognized (sp) as a command .... totally weird .... I've also opened up my cmd window, and typed in NSLOOKUP google.com and it comes up fine ... even resolves my server name .... also I looked in the DNS manager window and there are no errors showing up there ...... now I'm curious, am I set up for a domain controller or not? Ideas??? How can I verify my server is set up for DNS properly for AD to work .. tks again ...
Here is the proper DNS setup as I mentioned above. The goal is to have the DNS box point to itself only. Your DNS on the Domain, all workstations and servers need to point to that primary DNS server only. If you can logon and ping the boxes by name, hit the Internet, then your DNS server is probably just fine. Look in your event logs. You probably will not see yads of errors with DNS. If DNS was hosed, you probably wouldn't be able to get to your internal boxes or the Internet.
Do not use forwarders unless absolutely necessary. Let your server work as designed going out to the internet Root servers for resolution.
Hello,
I like Sam's ideas ( approach ) the best so far.
Is there anything not working ?
When you perform a gpresult on the client machines do you still get that error message?
(from command line type gpresult)
Remember to point the clients' DNS to only your DNS
Earlier I mentioned to run a utility called dcdiag... anything come from that ?
ASKER
Guys --- Thanks much ... all your hard work and efforts paid off ... I followed everyone's suggestions/inputs and the DNS server is up and running just fine .. the reason the group policies were not working is because the workstations were not pointing to the DNS server .. DOAH! but after making that change on the workstations, they are now getting the group policies .. thanks to all !!!! I wish there was a way to evenly distribute the points though .. sorry ... on the flip side, another problem has arisen but that's a different question ... thanks ..
Mdiglio -- The dcdiag utility did not work on the server for some reason .....
Glad to be of help!
You should not use the loopback address for your primary DNS server.
Set it to the IP address of your Domain Controller
On your DC's tcp/ip properties do not put your isp's ip address.
This should be done through forwarders that you set up using the DNS management tool
Open DNS management by clicking start >> administrative tools >> DNS
right click your server >> properties >> you'll see the forwarder tab there
While DNSmgmt is open expand your server >> expand forward lookup zones >>
does this name match your domain name ?
Right click your forward lookup zone >> Properties >> make sure Dynamic Updates are enabled
How to configure DNS for Internet access in Windows Server 2003
http://support.microsoft.com/?kbid=323380
Run this command from the command prompt of your DC
dcdiag /v >> C:\dcdiag.txt
This will create a text file named dcdiag on the root of your C drive
open it and look for any failed tests.
If there are any failed tests post them here.
I won't be around much this weekend but I will try to look in and see how things are going
Also EE member oBdA has a great list of steps and links to ensure DNS is setup properly.
you can find that here:
https://www.experts-exchange.com/questions/21312905/Group-Policy-Not-Being-Applied.html