jsvarga88 asked:
Need to install DNS child domain on Windows 2008 server already a DC and installed w/DNS

I have a Windows 2003 server with AD and DNS installed, in the plains.local domain. I created a child domain, vci.plains.local, with Windows Server 2008, configured it as a DC and installed DNS.
I would like to create a DNS delegation for this child domain, but cannot seem to make it happen following Microsoft protocol. Is this because it is already a DC?
Can this be done given the present configuration of the 2008 server?
Nuttycomputer:

Did you install the DC/DNS Server 2008 as a child in the existing domain? If so then you've got a DNS AD integrated zone and the delegation should have already happened automatically for you.
Darius Ghassem:
I would have to confirm with Nutty: if you have already installed the DC, then you should have the delegation already created for you. You manually create a delegation before you create the child domain if you want to do it manually.
jsvarga88 (asker):
I did, but it did not replicate. Is it possible to just start over again?
I installed AD in the 2008 server as a child domain and DNS was installed at the time of the dcpromo.
I cannot figure out what is wrong.
When you go into your DNS Forward Lookup Zones, what zones do you have?
See the JPGs, please.

The Plains-DC1 2003 server shows both the Plains.local and the VCI.Plains.local A records.

The VCI-Terminal2 2008 server shows only the VCI.Plains.local A records, not the Plains.local A records.

Thanks.
Attachments: Svr2008-Term-serv2-DNS.JPG, Svr-2003-Plains-DC1-DNS.JPG
What? I am confused now.
Because it looks like it should work?
ASKER CERTIFIED SOLUTION by Nuttycomputer:
You can see in the following diagrams the two Active Directory integrated domain zones. Server2 is responsible for vci.plains.local and Server1 is responsible for plains.local.

Unless I explicitly request that plains.local is replicated to all DNS servers in the forest, it will not show up on Server2.
Attachments: plains-local.JPG, vci-plains.JPG
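As an added example (not part of the thread, and not Microsoft's procedure verbatim), this script shows how to check which directory partition each AD-integrated zone replicates in, how to widen plains.local to forest-wide replication as Nuttycomputer describes, and how to add and verify the delegation of vci.plains.local on the parent. It uses dnscmd and nslookup, which are present on 2003 and 2008 DNS servers; the server and zone names are the ones from the thread, and the glue address 192.0.2.10 is a placeholder.

```powershell
# Added example: inspect and adjust AD-integrated zone replication, then verify the
# child delegation. Run from an elevated prompt on a DC that has dnscmd available.
# Assumptions: a 2003+ forest whose ForestDnsZones application partition exists,
# and that the account used has DNS admin rights on both servers.

$ParentDns = 'plains-dc1'      # 2003 DC hosting plains.local
$ChildDns  = 'vci-terminal2'   # 2008 DC hosting vci.plains.local
$ChildIp   = '192.0.2.10'      # PLACEHOLDER: the child DC's real address

function Get-ZoneScope {
    param([string]$Server, [string]$Zone)
    # The zone DN shows the partition: DC=DomainDnsZones,... is domain-wide,
    # DC=ForestDnsZones,... is forest-wide (replicates to every DNS server in the forest).
    $info = dnscmd $Server /ZoneInfo $Zone
    $info | Where-Object { $_ -match 'DS integrated|directory partition|zone DN' }
}

# 1. Where do the two zones live today?
Get-ZoneScope $ParentDns 'plains.local'
Get-ZoneScope $ChildDns  'vci.plains.local'

# 2. Option A: replicate plains.local to all DNS servers in the forest so it also
#    appears on the child DC (this is the "explicit request" Nuttycomputer mentions).
dnscmd $ParentDns /ZoneChangeDirectoryPartition plains.local /forest

# 3. Option B: keep the zones separate, but make sure the parent zone delegates
#    vci.plains.local to the child DC: an NS record plus a glue A record in plains.local.
dnscmd $ParentDns /RecordAdd plains.local vci NS "$ChildDns.vci.plains.local."
dnscmd $ParentDns /RecordAdd plains.local "$ChildDns.vci" A $ChildIp

# 4. Verify from a client's point of view: the parent must answer the delegation,
#    and the child must resolve the SRV record that clients use to find its DC.
nslookup -type=NS  vci.plains.local $ParentDns
nslookup -type=SRV _ldap._tcp.dc._msdcs.vci.plains.local $ChildDns
```

If the SRV query in step 4 fails on the child DC, restart the Netlogon service there so it re-registers its records before looking for a replication problem.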
I see that, but now I cannot authenticate the other three servers to the DC as well.
"There are no logon servers available"

The DC is the only server able to log on to the domain.
Yeah, I'm not sure I performed that correctly either. I'm having to review the documentation I have because I'm used to just configuring everything assuming only one domain model (the ideal model).

This may be worth a look while I play with this: http://support.microsoft.com/kb/255248
There is also a lot of information under related content on the right.
Yes, I saw that page. I hope there are no changes in Server 2008 too different from Server 2000.
I need to solve this puzzle tonight (soon).
May I inquire why you are using multiple domains? A single domain would greatly simplify administration.
Need to separate user bases; do not want them in the primary domain.

More data on the DNS and Active Directory replication problem.

Here is the config of one of the firewalls in the network. Since RPC has been flagged as a problem, and all virus protection and Microsoft firewalls have been removed or turned off, could RPC be blocked by a firewall policy or port?
PortQry shows ports being filtered.

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 10full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security50
enable password
passwd
hostname Firewall-PIX
domain-name anydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list westbrooke permit ip 192.168.56.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list gainesville permit ip 192.168.56.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list midway permit ip 192.168.56.0 255.255.255.0 192.168.48.0 255.255.255.0
access-list midway permit ip 192.168.56.0 255.255.255.0 192.168.49.0 255.255.255.0
access-list midway permit ip 192.168.56.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list bala permit ip 192.168.56.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.56.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list nonat permit ip 192.168.56.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list nonat permit ip 192.168.56.0 255.255.255.0 192.168.48.0 255.255.255.0
access-list nonat permit ip 192.168.56.0 255.255.255.0 192.168.49.0 255.255.255.0
access-list nonat permit ip 192.168.56.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list nonat permit ip 192.168.56.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.56.0 255.255.255.0 192.168.61.0 255.255.255.0
access-list nonat permit ip 192.168.51.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip 192.168.56.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list chattanooga permit ip 192.168.56.0 255.255.255.0 192.168.61.0 255.255.255.0
access-list CVPN permit ip 192.168.51.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list CVPN permit ip 192.168.56.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list gainesville2 permit ip 192.168.56.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list ACL_OUT permit ip any any
access-list ACL_OUT permit icmp any any echo-reply
access-list ACL_OUT permit icmp any any time-exceeded
access-list ACL_OUT permit icmp any any unreachable
access-list ACL_IN permit tcp host 6x.2xx.1xx.30 host 192.168.56.151 eq www
access-list ACL_IN permit tcp host 6x.2xx.1xx.31 host 192.168.56.151 eq www
access-list ACL_IN permit tcp host 6x.2xx.1xx.32 host 192.168.56.151 eq www
access-list ACL_IN permit tcp host 6x.2xx.1xx.33 host 192.168.56.151 eq www
access-list ACL_IN2 permit icmp any any
pager lines 24
logging on
logging trap informational
logging history informational
logging facility 23
logging host outside 1xx.2xx.200.3
logging host outside 1xx.2xx.200.8
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 1xx.1xx.2xx.250 255.255.255.248
ip address inside 192.168.56.1 255.255.255.0
ip address intf2 172.16.3.1 255.255.255.252
ip audit name attacking attack action alarm drop reset
ip audit interface outside attacking
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2001 disable
ip audit signature 2004 disable
ip local pool VPN 10.0.0.1-10.0.0.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 1xx.1xx.2xx.251
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 192.168.56.103 1xx.1xx.232.252 255.255.255.255
alias (inside) 192.168.56.104 1xx.1xx.232.253 255.255.255.255
alias (inside) 192.168.56.115 146.145.232.254 255.255.255.255
static (inside,outside) 1xx.1xx.2xx.252 192.168.56.103 netmask 255.255.255.255 0 0
static (inside,outside) 1xx.1xx.2xx.253 192.168.56.104 netmask 255.255.255.255 0 0
static (inside,outside) 1xx.1xx.2xx.254 192.168.56.115 netmask 255.255.255.255 0 0
static (inside,intf2) 192.168.56.0 192.168.56.0 netmask 255.255.255.0 0 0
access-group ACL_IN in interface outside
access-group ACL_OUT in interface inside
access-group ACL_IN2 in interface intf2
conduit permit icmp any any
conduit permit tcp host 1xx.1xx.2xx.252 eq www any
conduit permit tcp host 1xx.1xx.2xx.253 eq www any
conduit permit tcp host 1xx.1xx.2xx.252 eq ftp-data any
conduit permit tcp host 1xx.1xx.2xx.252 eq ftp any
conduit permit tcp host 1xx.1xx.2xx.253 eq ftp-data any
conduit permit tcp host 1xx.1xx.2xx.253 eq ftp any
conduit permit tcp host 1xx.1xx.2x.254 eq 5001 any
route outside 0.0.0.0 0.0.0.0 146.145.232.249 1
route intf2 172.16.1.0 255.255.255.0 172.16.3.2 1
route intf2 172.16.2.0 255.255.255.0 172.16.3.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 1xx.1xx.6x.0 255.255.255.0 outside
http 1xx.1xx.3x.0 255.255.255.0 outside
http 192.1xx.1.0 255.255.255.0 inside
snmp-server host outside 1xx.2xx.200.3
snmp-server host outside 1xx.2xx4.200.8
no snmp-server location
no snmp-server contact
snmp-server community ATXNet
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set NORMAL esp-des esp-md5-hmac
crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
crypto dynamic-map 20 11 set transform-set NORMAL
crypto map s2s 10 ipsec-isakmp
crypto map s2s 10 match address centralcity
crypto map s2s 10 set peer 7x.1xx.x.xx
crypto map s2s 10 set transform-set NORMAL
crypto map s2s 20 ipsec-isakmp
crypto map s2s 20 match address miami
crypto map s2s 20 set peer xx.1xx.1xx.xx
crypto map s2s 20 set transform-set NORMAL
crypto map s2s 30 ipsec-isakmp
crypto map s2s 30 match address atlanta
crypto map s2s 30 set peer xx.x1.xx6.x
crypto map s2s 30 set transform-set NORMAL
crypto map s2s 40 ipsec-isakmp
crypto map s2s 40 match address clevland
crypto map s2s 40 set peer 1xx.1xx.0.1xx
crypto map s2s 40 set transform-set STRONG
crypto map s2s 50 ipsec-isakmp
crypto map s2s 50 match address phoenix
crypto map s2s 50 set peer x1.1xx.2xx.xxx
crypto map s2s 50 set transform-set NORMAL
crypto map s2s 200 ipsec-isakmp dynamic 20
crypto map s2s interface outside
isakmp enable outside
isakmp key ******** address xx.1xx.x7.x8 netmask 255.255.255.255
isakmp key ******** address 1x.1x.0.1xx netmask 255.255.255.255
isakmp key ******** address xx.1x.255.xx2 netmask 255.255.255.255
isakmp key ******** address xx.1xx.255.xxx netmask 255.255.255.255
isakmp key ******** address xx.1x.1x.xx netmask 255.255.255.255
isakmp key ******** address 7x.xx.xxx.1 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 5
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup JonJones address-pool VPN
vpngroup JonJones split-tunnel CVPN
vpngroup JonJones idle-time 86400
vpngroup JonJones password ********
vpngroup LisaBrown address-pool VPN
vpngroup LisaBrown split-tunnel CVPN
vpngroup LisaBrown idle-time 86400
vpngroup LisaBrown password ********
vpngroup DanWhite address-pool VPN
vpngroup DanWhite split-tunnel CVPN
vpngroup DanWhite idle-time 86400
vpngroup DanWhite password ********
vpngroup BillieJean idle-time 1800
vpngroup MikeGreen address-pool VPN
vpngroup MikeGreen split-tunnel CVPN
vpngroup MikeGreen idle-time 86400
vpngroup MikeGreen password ********
vpngroup JohnSmith address-pool VPN
vpngroup JohnSmith split-tunnel CVPN
vpngroup JohnSmith idle-time 86400
vpngroup JohnSmith password ********
telnet xxx.xxx.xxx.0 255.255.255.0 outside
telnet xxx.xxx.xx.110 255.255.255.0 outside
telnet xxx.xxx.x.0 255.255.255.0 inside
telnet 1xx.xx8.xx.0 255.255.255.0 inside
telnet timeout 30
ssh 1xx.1xx.3x.0 255.255.255.0 outside
ssh 1xx.1xx.x4.0 255.255.255.0 outside
ssh 1xx.xx5.6x.0 255.255.255.0 outside
ssh 1xx.1xx.5x.0 255.255.255.0 inside
ssh timeout 30
management-access inside
console timeout 0
terminal width 80
Cryptochecksum
: end
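The asker's question is whether a firewall policy could be filtering the RPC traffic that replication and logon need. In the PIX config above, intf2 (security level 50) has only ACL_IN2 applied inbound, and that list permits nothing but ICMP, so TCP connections initiated from that segment toward the inside network would be dropped. As an added example (not from the thread), this PowerShell 2.0 script, which runs on Server 2008 without any extra modules, tests TCP reachability of the ports a DC needs to reach another DC and labels each as open, refused or filtered; host names are from the thread, and the timeout and the sampled dynamic-RPC ports are my choices.

```powershell
# Added example: TCP reachability check for DC-to-DC ports across a firewall.
# Run it on VCI-Terminal2 against the parent DC, then on Plains-DC1 against the child DC.
# UDP (DNS 53, Kerberos 88, LDAP 389, NTP 123) cannot be checked with a TCP connect;
# PortQry covers those. "FILTERED" means no answer at all, which is what a firewall
# drop (or a host that is down) looks like; "CLOSED" means the host answered with a reset.

$Ports = @{
    53   = 'DNS (TCP)'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB / SYSVOL'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
}
# Replication RPC lands on a dynamic port handed out by the endpoint mapper:
# 1025-5000 on Server 2003, 49152-65535 on Server 2008. A few samples from each range.
$DynamicSample = 1025, 1026, 49152, 49153, 49154

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'FILTERED (timeout)' }
        $client.EndConnect($ar)          # throws a SocketException if the peer refused
        return 'OPEN'
    } catch [System.Net.Sockets.SocketException] {
        return 'CLOSED (refused)'
    } catch {
        return "ERROR: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

function Test-DcPorts {
    param([string]$Target)
    foreach ($p in ($Ports.Keys | Sort-Object)) {
        '{0,-24} {1,5}  {2,-26} {3}' -f $Target, $p, $Ports[$p], (Test-TcpPort $Target $p)
    }
    foreach ($p in $DynamicSample) {
        '{0,-24} {1,5}  {2,-26} {3}' -f $Target, $p, 'dynamic RPC (sample)', (Test-TcpPort $Target $p)
    }
}

Test-DcPorts 'plains-dc1.plains.local'
```

A sampled dynamic port reporting CLOSED is normal (nothing is listening on it at that moment); a whole range reporting FILTERED while 135 is OPEN is the signature of a firewall that passes the endpoint mapper but not the ports it hands out.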
Bandwidth provider had not made the changes to their PIX as they said they had. Router eth 2 (normally DMZ) had been configured to pass traffic back to the child domain on the 2nd network segment. Once the changes were made, AD and DNS replicated fine.