Active Directory domain with no sign of DNS?

Posted on 2008-09-30
Last Modified: 2011-10-03
I am trying to help a friend of mine work on a non-profit's W2K3 DC.  Attempting to load AVG to clients via AD; however, the load fails.  Client reports inability to authenticate against DC.  Upon reviewing DC, AD is loaded and running as best as can be told; users seem to be authenticating against it, as the server is also used as the file server for the office and clients are able to access it authoritatively.  Here is the catch: no sign of DNS running on this server at all.  Have checked under:

1.  Services - only the client service is displayed and running
2.  Server Manager - only Domain Controller and File Server are displayed as roles
3.  Event Viewer - no DNS log
4.  Add/Remove Components - DNS not checked or otherwise indicated as installed

First, how is this possible - has anyone else seen similar?  Second, how to bring DNS online, potential concerns, mitigations and expectations?
Question by:atlas_shuddered
8 Comments
 
LVL 6

Expert Comment

by:dathho
ID: 22606136
You've got to have DNS somewhere for AD to work.  What are the DNS entries set to on the server? (ipconfig /all) What is the response from nslookup commands on the server and clients?  Have you tried troubleshooting with dnslint?
 
LVL 71

Accepted Solution

by: Chris Dent (earned 2000 total points)
ID: 22606297

> First, how is this possible - has anyone else seen similar?  

Possible but far from ideal and only partially functional. I imagine the clients are using NetBIOS to find the domain / DCs then NTLM to authenticate as and when they actively need to talk to it.

It is also possible the clients are using cached credentials and not actually authenticating against the domain at logon.

> Second, how to bring DNS online, potential concerns, mitigations and expectations?

Moderately easy, let's have a little check list:

1. Add the DNS Service
2. Create a new Forward Lookup Zone for the AD Domain
3. Ensure that the server points to itself (and only itself) for DNS servers in TCP/IP configuration
4. Restart NetLogon and run "ipconfig /registerdns" on the DC. Ensure that an _msdcs folder is created under the Forward Lookup zone after this.
5. Run DCDiag and NetDiag to verify the state of the server and AD.
6. Change client TCP/IP settings to point at the DC for DNS (again, and only the DC)
7. Check event logs on the client for errors

HTH

Chris
 
LVL 18

Expert Comment

by:Americom
ID: 22606303
If your AD is not relying on external DNS or other 3rd-party DNS like Unix, then you can try removing DNS and reinstalling the DNS services.
In your DNS, you must have a Host, Name Server, and SOA record for your domain controller.
You should be able to run NSLOOKUP on the domain name as well as the domain controller server name to get the IP of your domain, and vice versa. Just make sure the IP configuration for your DC is pointing to itself as the preferred DNS.
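The checklist in Chris Dent's accepted answer, together with the verification steps dathho and Americom ask for (ipconfig /all, nslookup of the domain and DC, dnslint), written out as one script. This is an added example, not code from the thread or from any of its participants. It assumes a Windows Server 2012 or later DC with the DnsServer and DnsClient PowerShell modules (the Server 2003 box in the question would do the same steps through Add/Remove Components, dnscmd.exe and the TCP/IP properties dialog); the domain name, interface alias and DC address are placeholders.

```powershell
# Added example (not from the original thread). Brings DNS online on a DC that
# never had it and verifies each step of the checklist as it goes.
# Assumes Windows Server 2012+ (DnsServer / DnsClient modules). The domain name,
# NIC alias and DC address below are placeholders: change them for your domain.

#Requires -RunAsAdministrator
param(
    [string]$Domain    = 'corp.example.local',   # AD DNS domain name (placeholder)
    [string]$Interface = 'Ethernet',             # NIC the DC uses (placeholder)
    [string]$DcAddress = '192.168.1.10'          # this DC's own static IP (placeholder)
)

$ErrorActionPreference = 'Stop'

# Step 0: take a System State backup first, as Chris advises. wbadmin needs the
# Windows Server Backup feature; E: is a placeholder target volume.
# wbadmin start systemstatebackup -backupTarget:E: -quiet

# Step 1: add the DNS Server service.
if (-not (Get-WindowsFeature DNS).Installed) {
    Install-WindowsFeature DNS -IncludeManagementTools | Out-Null
}

# Step 2: create the forward lookup zone for the AD domain. AD-integrated so it
# replicates with the directory; secure-only dynamic updates so only domain
# members (not anything on the LAN) can register or overwrite records.
if (-not (Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Domain -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# Step 3: point the DC at itself, and only itself, for DNS (replaces the
# gateway / ISP resolver the question describes).
Set-DnsClientServerAddress -InterfaceAlias $Interface -ServerAddresses $DcAddress

# Step 4: restart Netlogon so it registers the DC locator SRV records, then
# re-register the host's own A record. Give the registration a moment.
Restart-Service Netlogon
ipconfig /registerdns | Out-Null
Start-Sleep -Seconds 10

# Verify step 4: the _msdcs subtree must now carry the DC locator record.
$dcSrv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DcAddress
if (-not $dcSrv) { throw "DC locator SRV record not registered under _msdcs.$Domain" }
$dcSrv | Format-Table Name, NameTarget, Port, Priority -AutoSize

# Americom's check: SOA, NS and host records for the domain, answered by the DC.
foreach ($type in 'SOA', 'NS', 'A') {
    Resolve-DnsName -Name $Domain -Type $type -Server $DcAddress
}
# And the reverse: the DC's own name should resolve to its address.
Resolve-DnsName -Name "$env:COMPUTERNAME.$Domain" -Type A -Server $DcAddress

# Step 5: dcdiag's DNS test covers what dnslint and netdiag did on Server 2003.
dcdiag /test:dns /v /s:$env:COMPUTERNAME

# Step 6 (run on each client, not on the DC): point clients at the DC only, e.g.
#   Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.1.10
# Step 7: check the client's System log for Netlogon errors afterwards, e.g.
#   Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='NETLOGON'} -MaxEvents 20
```

Nothing in the script is destructive, which matches Chris's risk assessment: it only adds a feature, a zone and a resolver setting. The one choice worth stating is `-DynamicUpdate 'Secure'`: a zone that accepts non-secure updates lets any host on the network overwrite the DC's own records, which is a worse position than having no DNS at all.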
 
LVL 10

Author Comment

by:atlas_shuddered
ID: 22608066
dathho

I'm going to try and answer all three of you here.  Sorry for the delayed response.

ipconfig /all - The server is referencing the DG as its DNS server.  That being said, it would be referencing an ISP indirectly for DNS.  Clients, I have been told, are definitely referencing ISP DNS.

nslookup - returns same basic information

dnslint - going to hold on this for the time being

Chris-Dent

I was thinking the same thing may be happening - possibly pulling from cached DNS to keep AD running?  

The clients would have to be authenticating against AD in order to still access the files on the DC yes?

Regarding your directions.  Sounds straightforward, however I am unfamiliar with this type of situation so would like to clarify a couple of points -

First, these directions will install DNS and then link it back to AD after it is up and in a stable state (i.e. created as a primary DNS server, forward lookup zone to AD is established, etc.)?

Second, what is the likelihood that AD and therefore the server itself will crash during this procedure?

Third, in the event of a crash, is it possible to rebuild the box, re-install DNS and configure and then overlay or restore AD to the box?

Americom -
DNS isn't running on the box at all.  Only service registered anywhere on the machine as DNS is the DNS Client service itself.

Thanks for the input so far guys.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22609579

> I was thinking the same thing may be happening - possibly pulling from cached DNS to keep AD running?  

Only works if there's a server answering authoritatively for the zone which doesn't appear to be the case :)

> The clients would have to be authenticating against AD in order to still access the files on the DC yes?

Yes, using NTLM and server level authentication rather than Kerberos and domain level authentication.

> First, these directions will install DNS and then link it back to AD after it is up and in a stable state
> (i.e. created as a primary DNS server, forward lookup zone to AD is established, etc.)?

Yes, although the instructions have you test and verify a number of times to verify it is behaving after each major step.

> Second, what is the likelihood that AD and therefore the server itself will crash during this procedure?

In my opinion, none at all. We're not doing anything remotely destructive, only adding in missing services.

> Third, in the event of a crash, is it possible to rebuild the box, re-install DNS and configure
> and then overlay or restore AD to the box?

You need a backup of the System State. That will include DNS in its current state (including service state). The best we could do is drop back to that in the event of total failure. I do advise you take a backup regardless of my opinion on the risk level above. Better safe than sorry and all that :)

Chris
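Chris's point that clients on a DC without DNS are authenticating with NTLM at the server level rather than Kerberos at the domain level can be measured on the DC rather than assumed. The following is an added example, not from the thread: it summarises which authentication package successful network logons used, so the same query run before and after DNS is brought up shows whether clients have moved over to Kerberos. It assumes Windows Server 2008 or later, where logons are event 4624 in the Security log (Server 2003 records the same information as events 528/540 with a different field layout); the time window is a parameter.

```powershell
# Added example (not from the original thread). Counts the authentication
# package used for successful network logons on this DC.
# Assumes Server 2008+ (Security event 4624). Run elevated on the DC.

function Get-LogonPackageSummary {
    param([int]$Hours = 24)   # how far back to look; placeholder default

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = [int]$d.LogonType
            Package     = $d.AuthenticationPackageName   # Kerberos, NTLM or Negotiate
            Workstation = $d.WorkstationName
            SourceIp    = $d.IpAddress
        }
    } |
    # Type 3 = network logon (file shares, RPC). Interactive logons report
    # 'Negotiate' and cannot be classified from this event, so they are skipped.
    # Machine accounts (name ending in $) are dropped to keep the view to users.
    Where-Object { $_.LogonType -eq 3 -and $_.User -notlike '*$' }
}

$logons = Get-LogonPackageSummary -Hours 24

# Headline: how many network logons used each package.
$logons | Group-Object Package | Select-Object Name, Count | Format-Table -AutoSize

# Detail: the most recent NTLM logons, with the client that sent them. Domain
# members that can find the DC/KDC through DNS use Kerberos for file-server
# access; a list dominated by NTLM means the clients still cannot, or are
# connecting by IP address, which always forces NTLM.
$logons | Where-Object Package -eq 'NTLM' |
    Sort-Object Time -Descending |
    Select-Object -First 20 Time, User, Workstation, SourceIp |
    Format-Table -AutoSize
```

Before the fix, the summary for a domain in the state the question describes is expected to be nearly all NTLM; after the clients point at the DC for DNS (step 6 of the checklist) and have re-logged on, Kerberos should take over. Any client that stays on NTLM afterwards is either still using the ISP resolver or mapping the share by IP address rather than by name.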
 
LVL 10

Author Comment

by:atlas_shuddered
ID: 22617489
Chris

Thanks for the reply.  We've already got a backup, just wanted to verify those points prior to trying.

Wish us luck.

Cheers

J
 
LVL 10

Author Closing Comment

by:atlas_shuddered
ID: 31501575
Cheers and thanks again for the input.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22617628

Good luck :) You know where we are if it doesn't play the game :)

Chris
