  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1619

Active Directory on W2k3 - DNS? help

Hi all - I have been tossed into a situation where we have a single domain controller (W2k3) that was installed and configured without DNS.  The short of it is, this site has been using hosts files since they were a 10 user office and for whatever reason continued to use them.  Now that we have a temporary (and yes, this will all be gone in about 4-6 weeks) solution in place, I've some concerns on the way it was configured.  
I 'thought' DNS was a mandatory process when configuring AD - apparently not, as the consultant that set it up got around it.

So, I'm toying with the idea of setting up both DHCP & DNS on this server (yes, they were also using and still are, static IPs - 300+ clients).  However, DNS in an AD environment is something I haven't really spent much time with.

From your expert experiences, can I get some opinions/advice on setting this up?

A) Is it worth it, since we'll be moving to a stable environment beginning next week, with potentially 1/3 of the office and continuing for 3-6 weeks after (depending on each wave's success)
B) How hard would it be to do so?  DNS has always been a weak point of mine and I'm concerned that I might screw something up! :)
C) Other than touching all 300+ systems again (and this includes some VPN users) - how can we easily/automate the process of switching them over to dynamic IP?

They currently use their provider's DNS servers for internet access.  They have several in-house servers right now.  I've removed all client entries from the hosts files via a login script - but is that enough?

100 points per bullet above.  If I decide to move forward, I'll open a new thread on actually installing it... Thanx.
0
sirbounty
Asked:
lapukman Commented:
In my humble opinion:

"A) Is it worth it, since we'll be moving to a stable environment beginning next week, with potentially 1/3 of the office and continuing for 3-6 weeks after (depending on each wave's success)"

- Definitely YES. Utilizing DNS and DHCP allows you to save manpower and time in configuring each of the 300+ workstations' hosts files and IP addresses. It also allows you to prevent IP address conflicts as well as hostname-to-IP (and vice versa) resolution conflicts. DNS and DHCP also allow you to better design your network as your company grows.

"B) How hard would it be to do so?  DNS has always been a weak point of mine and I'm concerned that I might screw something up! :)"

- DNS is mind-boggling at first, but as you go and continuously use it, understanding how it works seems to become very easy. One of the most important parts of DNS is zones. When you define a zone, the DNS server becomes the one responsible for name resolutions in that zone. Other important entries in the DNS are A and MX records. A stands for Address and is used for storing an IP address associated with a domain name. MX stands for Mail Exchanger, where all mail servers are enumerated so that the DNS knows where to redirect/point a mail message. Since your company has implemented AD, an AD-integrated DNS is the best method to do it in your network.

To understand more about DNS, please read http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_und_Topnode.asp

This link as well enumerates how to setup Active Directory Integrated DNS: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_pro_ConfigServerForDS.asp

Meanwhile, setting up DHCP is relatively easy as well. You just need to define your network range and the necessary DHCP settings like DNS, WINS, IP address range and exclusion, default gateway, etc. DHCP setup is wizard-based, so it is really easy. This link might help you in your DHCP setup: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_und_Topnode.asp

"C) Other than touching all 300+ systems again (and this includes some VPN users) - how can we easily/automate the process of switching them over to dynamic IP?"

- One way is to set a login script to do it. The login script would contain a command that would erase the TCP/IP configuration in the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{55CABB6A-8C47-4C30-88BD-A48BCFCCADBD}\Parameters\Tcpip

Take note that the entry {55CABB6A-8C47-4C30-88BD-A48BCFCCADBD} will be different on some machines because this entry is the NIC card. In my case it is {55CABB6A-8C47-4C30-88BD-A48BCFCCADBD}, which might be different in your case.

In this key, you can enable DHCP by setting the key EnableDHCP to 1 and removing the entries for DefaultGateway, IPAddress and Subnetmask.

The login script that you did to clear the hosts file will do, provided that they have access to edit the hosts file, otherwise, the entries there would remain. One way to check this is to do a spot check on some machines.

Hope this helps

Lapukman

0
 
SoyYop Commented:
You are still not using mail servers, so migration would be easier. By the way, DNS resolution is required for setting up AD.

Maybe you are using a third-party DNS server? That works, it doesn't need to be Microsoft...
Or it is installed and you didn't know?
Or it is working over hosts files... I'm gonna try that ;)

After having DNS up and working following Lapukman's resources (I can just add: check the Microsoft DNS help files on your computer), install DHCP. Remember to enable the segments and to exclude the servers and printers. I hope you have them on contiguous ranges...
And enable them when ready.

For resetting the IP to automatic, for a given range (in this example, 192.168.0.10-192.168.0.250), just run this script as administrator

for /L %%t in (10,1,250) do netsh -r 192.168.0.%%t -f instructions.sh

I'm assuming you are using 192.168.x.x for your network... Save it as "ResetToDHCP.cmd" or something like that.

And instructions.sh is:

# ----------------------------------
# Interface IP Configuration        
# ----------------------------------
pushd interface ip
offline
set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp
commit
popd
# End of interface IP configuration


You can add the following line to set up a fixed dns server, like

add dns "Local Area Connection" 192.168.0.5

if your AD server has the IP 192.168.0.5, so it has it fixed. It is VERY important that the DNS server is set to the Active Directory DNS. If not, you are going to experience delays (or have to add it to the hosts file).

Netsh gives you a lot of power...
0
 
sirbounty Author Commented:
Sadly, it IS using hosts and no, no DNS was installed, nor being used - at least from what I can tell.  I didn't think this was possible and I know everyone agrees with me - but perhaps it's different with W2k3?

It's a class B: 10.10.x.y

Problem with using login script - is obviously the difference in local interface references, and the fact that some machines are still not, for whatever reason, running them (I think this is mostly VPN users though).  The problem with the netsh batch file is that they could potentially have a server somewhere down the line, 10.10.100.12 that doesn't sit within the 'normal' client range.  This is the most wacked network I've ever seen - you really have to see it to believe it...<sigh>...

Thanx guys - I'll read thru the articles and post back...
0
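An added example, not code from any poster in this thread, showing one way to handle the two concerns raised above: connection names that differ between machines and servers sitting inside the client range. It assumes an admin workstation with Windows PowerShell 2.0 or later and remote WMI access to the clients; the address range, the keep-fixed list and the function names are constructed for illustration.

```powershell
# Added example; every address and name below is a constructed assumption.
$Prefix    = '10.10.100'          # one /24 slice of the 10.10.x.y network
$HostRange = 10..250              # host octets to sweep
$KeepFixed = @('10.10.100.12')    # known servers/printers that stay static
$AdDns     = $null                # AD DNS server IP, or $null to take DNS from DHCP
$Apply     = $false               # $false = report only, change nothing

function Get-SweepTargets([string]$Prefix, [int[]]$HostRange, [string[]]$Exclude) {
    foreach ($h in $HostRange) {
        $ip = "$Prefix.$h"
        if ($Exclude -notcontains $ip) { $ip }
    }
}

function Switch-ToDhcp([string]$Computer, [string[]]$Exclude, [string]$DnsServer, [bool]$Apply) {
    # ProductType 1 = workstation, 2 = domain controller, 3 = server.
    # Anything that does not positively report "workstation" is left alone.
    $os = Get-WmiObject Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop
    if ($os.ProductType -ne 1) { return "$Computer SKIP not a workstation" }

    # Pick adapters by state (static and IP-enabled), not by connection name,
    # so a renamed "Local Area Connection" is still found.
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $Computer `
                -Filter 'IPEnabled = TRUE AND DHCPEnabled = FALSE' -ErrorAction Stop
    foreach ($nic in $nics) {
        $label = "$Computer [$($nic.Description)] $($nic.IPAddress -join ',')"
        # Second guard: a multi-homed box may also hold a keep-fixed address.
        if (@($nic.IPAddress | Where-Object { $Exclude -contains $_ }).Count -gt 0) {
            "$label SKIP keep-fixed"; continue
        }
        if (-not $Apply) { "$label WOULD-CHANGE"; continue }
        # DNS first: EnableDHCP changes the address this connection is using.
        if ($DnsServer) { [void]$nic.SetDNSServerSearchOrder(@($DnsServer)) }
        else            { [void]$nic.SetDNSServerSearchOrder() }
        "$label CHANGED rc=$($nic.EnableDHCP().ReturnValue)"
    }
}

foreach ($ip in Get-SweepTargets $Prefix $HostRange $KeepFixed) {
    try   { Switch-ToDhcp $ip $KeepFixed $AdDns $Apply }
    catch { "$ip UNREACHABLE $($_.Exception.Message)" }
}
```

With `$Apply` left at `$false` the sweep only reports, which gives an inventory of statically addressed machines to review before anything is changed.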
 
SoyYop Commented:
Maybe you can start by isolating the servers on a fixed range. You may want them to have fixed IPs, anyway.

You can create a new hosts file, update the servers' IPs, and use the same for /l to copy an updated hosts file, like

for /L %t ...... copy hosts \\10.10.100.%t\admin$\system32\drivers\etc
for /L %t ...... copy hosts \\10.10.101.%t\admin$\system32\drivers\etc
...

etc.

Then move to use DHCP. If you have subnets... you may need to add dhcp servers there and block the ports on routers.
0
 
sirbounty Author Commented:
This all sounds like too big an undertaking with this network and the limited amount of time we have left on it.
Sad part is that the IS folks that have worked this network for years apparently don't know how it's configured, so I'd be fearful something would get left out or overlooked and generate more trouble than not.
I am actually surprised it is working without DNS - I learned something new this go around.
But anyway - I thank you all for your insight and encouragement.
0
