EddyGurge

asked on

DNS/AD overwhelming newbie

I'm not entirely sure what my exact problems are, so I'll just start rambling.  I have 3 2003 servers, fully patched.  All of them are set up to be DCs.  If I try to look at group policies in ADUC on server #1 or server #3, I get:

The domain controller for group policy operations is not available. You may cancel this operation for this session or retry using the following domain controller choices.
- The one with the operations master token for the PDC emulator
- The one used by the active directory snap-ins
- Use any available domain controller

I'm wondering if this could be DNS related.  How should the DNS servers be set up for our domain?  Should they all be authoritative for abc.org, or should there be one authoritative, and two secondaries?

I'm not really sure I'm even asking the right questions here, as I am feeling rather frustrated, and in over my head right now.
NJComputerNetworks

In general, you will want to have multiple DNS servers in your domain.  This is because if one server goes offline, your domain can still function.  Redundancy is good.  Typically, you will run DNS on one or more of your domain controllers.  The default way to configure DNS is using Active Directory integrated...this simply means that the DNS database is stored in Active Directory (on all DCs) rather than as a file on the operating system.

I would guess that you are using Active Directory integrated DNS (seeing how this is default and recommended).  Therefore, the DNS database is replicated automatically between all domain controllers.  However, only DCs that have the DNS service installed will service DNS queries from clients.  This means that all you have to do is install the DNS service on a DC...the DNS database will automatically be there.  It is very easy to configure...

Anyway, you would not typically use primary and secondary DNS hierarchy...with AD integrated DNS, all DNS servers have a read/write database...they are all peers of each other.

So, I would make sure that at least two DCs have the DNS service running (or better yet, all DCs could run the DNS service).  Then make sure that all clients and servers point to these internal Windows DNS servers in TCP/IP (don't point any to your ISP DNS...instead, you can configure forwarding on your DNS servers to resolve internet requests..)

1) All clients and servers in your domain should point INTERNALLY for DNS under TCP/IP properties.  No computer should be set to look to the ISP for DNS resolution.  (this will cause problems like you have mentioned)
2) Configure DNS forwarding on your DNS servers.  Go into the DNS console, right click your server name, choose properties from the drop down box.  Click the forwarding tab.  Enter the IP addresses here for your ISP DNS server...this will allow your DNS servers to forward internet bound requests to the Internet DNS servers....
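An added example (not part of the thread, and not from NJComputerNetworks) that audits the layout the answer describes: every DC resolves only through internal DNS, every DNS-hosting DC has forwarders for Internet names, and the domain zone is AD-integrated rather than a file-backed primary/secondary pair. It assumes a current Windows DC with the RSAT ActiveDirectory, DnsServer and DnsClient modules, which the 2003-era console steps in the answer predate; the function names are mine, and the ISP address in the comment is a placeholder.

```powershell
# Added example, not from the thread: audit the DNS layout described above.
# Assumes a current Windows DC with the RSAT ActiveDirectory, DnsServer and
# DnsClient modules; function names are the author's own.
Import-Module ActiveDirectory, DnsServer, DnsClient

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter *

# The answer recommends running DNS on every DC, so the DC addresses (plus
# loopback, which is acceptable on a DC itself) are the only legitimate
# resolvers for domain members.
$internalDns = @($dcs.IPv4Address) + '127.0.0.1'

function Test-DnsClientPointsInternal {
    param([string]$ComputerName)
    # Rule 1: no machine may list the ISP resolver under TCP/IP properties.
    $servers = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses }).ServerAddresses
    }
    $external = @($servers | Where-Object { $_ -notin $internalDns })
    if ($external.Count -gt 0) {
        Write-Warning ("{0}: external DNS server(s) {1}; point it at the DCs and use forwarders instead" `
            -f $ComputerName, ($external -join ', '))
        return $false
    }
    return $true
}

function Test-DnsServerConfig {
    param([string]$DnsServer)
    $ok = $true
    # Rule 2: forwarders carry Internet queries, so members never need the ISP resolver.
    $fwd = (Get-DnsServerForwarder -ComputerName $DnsServer).IPAddress
    if (-not $fwd) {
        Write-Warning "${DnsServer}: no forwarders (DNS console > server properties > Forwarders)"
        # Add-DnsServerForwarder -ComputerName $DnsServer -IPAddress '<ISP-DNS-IP>'   # placeholder
        $ok = $false
    }
    # AD-integrated zones replicate through AD: every DNS-hosting DC holds a
    # writable copy, so there is no primary/secondary split to manage.
    $zone = Get-DnsServerZone -ComputerName $DnsServer -Name $domain -ErrorAction SilentlyContinue
    if (-not $zone) {
        Write-Warning "${DnsServer}: does not host the zone $domain"
        $ok = $false
    } elseif (-not $zone.IsDsIntegrated) {
        Write-Warning "${DnsServer}: zone $domain is file-backed, not AD-integrated"
        $ok = $false
    }
    return $ok
}

foreach ($dc in $dcs) {
    $clientOk = Test-DnsClientPointsInternal -ComputerName $dc.HostName
    $serverOk = Test-DnsServerConfig -DnsServer $dc.HostName
    '{0}: client={1} server={2}' -f $dc.HostName, $clientOk, $serverOk
}
```

Run it from any DC as a domain admin. Loopback is allowed because a DC may list itself, but the usual advice is to list another DC first so name resolution still works while the local DNS service is starting. Workstations and member servers should be checked the same way, since the asker's clients were not yet pointed at the internal servers.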

EddyGurge

ASKER

It looks like I have everything configured in DNS as you stated (I did add the forwarding tidbit though).  At the moment, I am not having clients use them for DNS, only the 3 servers themselves.  If DNS is not my issue with the error I'm getting, any idea what is?  Is AD unhealthy somehow, or just misconfigured?  All the items/users I've added appear on each server, but I can't bring up policies on two of them.
ASKER CERTIFIED SOLUTION
NJComputerNetworks
This solution is only available to members.

EddyGurge

ASKER

Ok, all three now point at each other for DNS.

I changed which machine was the GC (it was the least reliable one, now the most)

I moved all 5 FSMO roles to the most reliable server as well.  DCDiag is happy, the AD error is now gone, and I'm happy.

Thank you very much!
(and watch for more of my questions!)
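An added example, not part of the thread and not the asker's own steps, showing where the five FSMO roles and the Global Catalog currently sit (the PDC emulator matters here because the Group Policy tools connect to it by default) and the cmdlets that transfer them to a chosen DC. It assumes a current DC with the RSAT ActiveDirectory module; `Get-RoleLayout` and `Move-RolesAndGc` are my names, and the target DC name is a placeholder.

```powershell
# Added example, not from the thread: report and transfer FSMO roles and the GC flag.
# Assumes a current DC with the RSAT ActiveDirectory module; function names are the
# author's own and 'DC1' is a placeholder for the most reliable DC.
Import-Module ActiveDirectory

function Get-RoleLayout {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $domain.PDCEmulator          # default DC for Group Policy edits
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        GlobalCatalogs       = ($forest.GlobalCatalogs -join ', ')
    }
}

function Move-RolesAndGc {
    param([Parameter(Mandatory)][string]$TargetDc)
    # Graceful transfer: the current holders must be online and replicating.
    # Seizing (-Force) is only for a holder that is permanently gone, because a
    # seized-from DC must never be brought back into the domain.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster `
        -Confirm:$false

    # The GC flag is bit 1 of the 'options' attribute on the DC's NTDS Settings
    # object; OR it in so other option bits are preserved.
    $ntdsDn  = (Get-ADDomainController -Identity $TargetDc).NTDSSettingsObjectDN
    $options = (Get-ADObject -Identity $ntdsDn -Properties options).options
    Set-ADObject -Identity $ntdsDn -Replace @{ options = ($options -bor 1) }
}

Get-RoleLayout | Format-List
# Move-RolesAndGc -TargetDc 'DC1'   # placeholder target; run once you have chosen it
# Then confirm replication and DNS health the way the thread did:
# dcdiag /q
# repadmin /replsummary
```

After a GC change, allow time for the new GC to replicate the read-only partitions before relying on it for logons; `dcdiag /q` only prints failures, so empty output is the "happy" result the asker describes.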