Solved

Active directory and DC acting strange

Posted on 2007-03-22
Last Modified: 2010-03-17
Hi experts,
Some of you may find this question very interesting.
Background: I am running into a situation where my Active Directory is not functioning at all and I had it working very well before that. Recently I have added a web service to this machine and migrated IIS from a Win 2K server. BTW my AD is running on Windows 2003 server.
Problem: After I had the machine running IIS, I found out one fine day that my DNS is totally messed up. The domain I used to use is no longer a valid one. When I run "nslookup lab.com" it gives me some weird IP address. The site "lab.com" exists on the web and it is as if my AD is trying to connect to that domain, whereas earlier it was only my domain inside our subnet. Since AD crashed, DHCP also crashed.
Questions:
Now I have been advised by my senior computer guys to use another existing domain for AD. This domain is named "lab.university.ca" (no chance of being a duplicate). The machine that is running this domain and DNS service won't be part of the domain, so I don't understand how my AD will work as domain controller for this domain. As far as I understand AD, I know that I have to have an operational domain and at the same time I need to have it on the same server. Am I right or wrong?
Secondly, how did my DNS get messed up? How can my server start trying to talk to a domain which is not at all in our physical network? I can have a similar domain name to some other commercial website, but it should not be a problem as long as I have it inside my subnet. But what could cause this kind of situation?
Finally, what should I do to configure my AD? Can I stick to my old domain "lab.com", and how, or do I need to change the domain?
FYI, for a few days I had all services running very smoothly on the server until I came across this problem. I would appreciate all your expert comments and advice.
Question by:srabanti_chitte
12 Comments
 
LVL 21

Expert Comment

by:mcsween
I don't completely understand your issue; from what I can gather you are starting over with your domain...is this correct?

If so pick a name that ends in .local as this will never resolve to a public IP.

What do you mean by:
As far my understanding about AD I know that I have to have an operational domain and at the same time I need to have it on the same server.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
yeah i am a little lost here too...the problem obviously occurred after importing IIS...i take it that a site within IIS matches your current domain name?
0
 

Author Comment

by:srabanti_chitte
Sorry, guys, if it sounds confusing.
My web service and IIS domain are working fine. But the problem is with my AD domain. It resolves to a public IP which is causing my DC to fail. Yes, everything started after I moved IIS to my DC.
So my first question was: is it due to IIS and if so why? Is it a problem if I have IIS and DC on the same machine?
My second concern was: if I use another domain name for my DC, is it necessary to have the DNS running on the same server where AD is installed? Right now the DNS is running on another machine and my AD is on Windows Server 2003. If the DNS machine is not part of the domain, can AD talk to the DNS?
At this moment these are my primary issues to take care of. Please ignore the other information in my original question.
Thank you.

0
 
LVL 48

Expert Comment

by:Jay_Jay70
DNS should be on the DC, yes

IIS is fine to have on a DC as well, though your naming conflicts, as you have found, come from your internal domain name matching your external one. Good news is it's usually not too hard to fix.

IIS would have caused this in conjunction with internal domain naming
0
 

Author Comment

by:srabanti_chitte
Thanks Jay-Jay.
How do I fix this IIS name matching issue?
So DNS has to be running on the DC...hmm.
What would happen if DNS is running on another machine in the same domain?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
It doesn't have to be, but it should be for completeness' sake

can you post an ipconfig /all of your server?
0

 

Author Comment

by:srabanti_chitte
Thanks Jay-Jay.
Here is the ipconfig information for my AD server.
C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : cfl-x
   Primary Dns Suffix  . . . . . . . : uwindsor.ca
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : uwindsor.ca

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : uwindsor.ca
   Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Network Connection
   Physical Address. . . . . . . . . : 00-C0-9F-07-33-2A
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 137.207.200.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 137.207.200.1
   DNS Servers . . . . . . . . . . . : 137.207.32.2
                                       137.207.32.32
I also paste the nslookup result for my server.
C:\Documents and Settings\Administrator>nslookup mlab.com
Server:  ns2.uwindsor.ca
Address:  137.207.32.2

Non-authoritative answer:
Name:    mlab.com
Address:  66.35.215.92
So you suggest that it is better to have DNS on the same machine..right?
Now if I need to rename my AD domain, what shall I do? Is it ok to use rename tool from Microsoft? I think if I need to use that tool, I should have dns running on the same server.
Please advise.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
sorry for the late reply, don't go the rename path, it will break your domain

i think for starters that we need to put DNS on the same box
0
 
LVL 21

Accepted Solution

by:
mcsween earned 250 total points
Looking at your IPConfig:
Is this machine on a public or private network?
What is your Active Directory domain name (mlab.com or uwindsor.ca)?
What is your company's public DNS address? (mlab.com or uwindsor.ca)

DNS should always be on your Active Directory Controller using AD Integrated forward and reverse lookup zones.
0
 
LVL 21

Expert Comment

by:mcsween
If your internet domain and AD Domain name are the same create an "A" record in your forward lookup zone called www and assign it your public IP address.  This will allow clients on your network to resolve your website correctly.
0
 

Author Comment

by:srabanti_chitte
Actually they are not the same. The domain mlab.com I used for AD was exclusively for a computer lab, and the domain uwindsor.ca is a public domain. Another point is I don't want to use mlab.com as a public domain. Thank you for your comment.
0
 
LVL 21

Expert Comment

by:mcsween
I would use mlab.local then.  MS Best Practices state not to use a domain name that can be resolved on the internet as an internal AD name.  mlab.com does resolve on the internet.

H:\>nslookup mlab.com
Server:  srwadc03.spr.spgroup.inc
Address:  192.168.1.38

Non-authoritative answer:
Name:    mlab.com
Address:  66.35.215.92
0
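The two fixes the experts describe above (check whether the chosen AD name already resolves on the public Internet, and, if an existing name collides with a public one, publish a www record in the AD-integrated zone so internal clients still reach the website) as an added PowerShell example that is not part of the thread. It assumes a current Windows Server DC with the DnsServer module; $AdDomain, $PublicWebIp and the external resolver are placeholders to substitute.

```powershell
# Added example, not from the thread. Assumes the DnsServer module on a DC
# that holds the DNS Server role; all addresses below are placeholders.
param(
    [string]$AdDomain       = 'mlab.com',      # AD domain name under discussion
    [string]$PublicWebIp    = '203.0.113.10',  # placeholder public IP of the website
    [string]$PublicResolver = '8.8.8.8'        # any resolver outside the LAN
)

# 1. Does the AD domain name also exist on the public Internet? Asking an
#    external resolver shows what a client pointed at external DNS would get,
#    which is exactly how the thread's nslookup ended up at 66.35.215.92.
$public = Resolve-DnsName -Name $AdDomain -Type A -Server $PublicResolver `
              -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
if ($public) {
    Write-Warning ("{0} resolves publicly to {1}; clients using external DNS " +
                   "will be sent off-site instead of to the DC." -f $AdDomain,
                   ($public.IPAddress -join ', '))
} else {
    Write-Host "$AdDomain does not resolve publicly; safe to use as an internal name."
}

# 2. The DC must be authoritative for the AD domain. Create an AD-integrated
#    zone (replicated to domain DCs, secure dynamic updates only) if missing.
$zone = Get-DnsServerZone -Name $AdDomain -ErrorAction SilentlyContinue
if (-not $zone) {
    Add-DnsServerPrimaryZone -Name $AdDomain -ReplicationScope 'Domain' `
                             -DynamicUpdate 'Secure'
}

# 3. Split-brain fix from the accepted answer: when the internal and public
#    names collide, internal clients can no longer see the public www host,
#    so publish it inside the internal zone pointing at the public address.
if ($public) {
    $www = Get-DnsServerResourceRecord -ZoneName $AdDomain -Name 'www' `
               -RRType A -ErrorAction SilentlyContinue
    if (-not $www) {
        Add-DnsServerResourceRecordA -ZoneName $AdDomain -Name 'www' `
                                     -IPv4Address $PublicWebIp
    }
}

# 4. Report which DNS servers this DC's own NICs use; the thread's ipconfig
#    showed the DC pointing at the university resolvers rather than itself.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses
```

Step 4 only reports; the DC's NIC should be repointed at the DC's own address once the zone exists, which is the remaining manual step the thread recommends.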