Solved

Various issues due to DNS

Posted on 2011-09-06
Last Modified: 2012-05-12
Greetings, experts!

I have the following structure in my organization:
srv1 (named PDC): DC, primary AD, DHCP, DNS, Exchange 2007, separate public IP
srv2 (named BDC): DC, replica AD, ISA 2006 internet proxy, separate public IP

Each of the servers has separate internal and external IP addresses. Internet connection comes via a single ADSL connection, and ISP provides 8 IP addresses.

Here are the issues I have in my environment possibly because of the DNS:
--Most of the group policies don't apply due to errors in connection to the DC. Everyone can log in correctly, but the event log says that user PCs can't find the DC.
--Replication between the two DCs doesn't work correctly.

Could you advise me what to correct in my environment based on the Dcdiag and Netdiag outputs?

Attached are the "dcdiag -v" and "netdiag" files for both servers. Please let me know if you need any clarifications.
Many thanks!

Attachments:
bdc-dcdiag-verbose.txt
bdc-netdiag.txt
pdc-dcdiag-verbose.txt
pdc-netdiag.txt
Question by: Janibek

Accepted Solution

by: pwindell (earned 400 total points)
ID: 36500596
"Each of the servers has separate internal and external IP addresses"

Never ever ever ever ever ever ever ever ever ever ever ever ever multi-home Domain Controllers... ever.

One IP# on each, which would be a LAN IP#... one live NIC on each, which uses that LAN IP#... if a second NIC exists then it must be disabled... no exceptions.

No Dialup adapters or Modems
No Remote Access VPNs (not the same thing as a Site-to-Site VPN, which is OK when done correctly)
All of those things must be done on a different machine or machines.

Public IP#s go on the external interface of the Firewall. It is the Firewall's job to Reverse-NAT (aka Static NAT) the traffic hitting those addresses to whatever machine on the LAN it is supposed to go to. Public IP#s can also be placed on other "special" machines that sit outside the LAN on the Public Segment; however, DSL technology doesn't lend itself easily to doing that... DSL is basically a Home-User Technology (as is CableTV Internet).

Lastly... you never mentioned this... but it needs mentioning.
The only place that any other DNS should be listed (such as maybe your ISP's DNS) would be in the Forwarders List within the Config of the DNS Service on each DC. They should never appear anywhere else... ever. Every last machine or device on the LAN that needs DNS must use the DCs' IP# and never anything else. If your Firewall is capable, it must restrict outbound DNS Queries to only coming from the DCs. This prevents and "weeds out" any machine on the LAN using any rogue DNS settings and also cripples any malware that may try to proxy your DNS queries to some "rigged" or "poisoned" DNS Server on the Internet.
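The rules in the accepted answer (one NIC, one LAN address, DNS client pointed only at DCs, outside resolvers only in the forwarders list) can be checked from the DC itself. The following audit script is an added example, not something from the thread or from pwindell; it assumes a current Windows Server with the NetAdapter, NetTCPIP, DnsClient and DnsServer PowerShell modules, and $LanDnsServers is a constructed placeholder list you replace with your own DCs' LAN addresses.

```powershell
# Added example (not from the thread): audit a DC against the single-homing and DNS rules above.
# Assumption: current Windows Server with NetAdapter/NetTCPIP/DnsClient/DnsServer modules; run elevated on the DC.
$LanDnsServers = @('192.168.10.1', '192.168.10.2')   # placeholder: LAN IPs of your DCs
$findings = @()

# Rule 1: exactly one enabled physical NIC; a second NIC must be disabled.
$nics = @(Get-NetAdapter -Physical | Where-Object Status -eq 'Up')
if ($nics.Count -ne 1) {
    $findings += "Expected 1 active NIC, found $($nics.Count): $($nics.Name -join ', ')"
}

foreach ($nic in $nics) {
    # Rule 2: one IPv4 address on that NIC, and it must be a private LAN address,
    # not one of the ISP-assigned public addresses (those belong on the firewall).
    $addrs = @(Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 |
               Where-Object PrefixOrigin -ne 'WellKnown')   # drops 169.254.x.x APIPA
    if ($addrs.Count -ne 1) {
        $findings += "NIC $($nic.Name) has $($addrs.Count) IPv4 addresses (expected 1)"
    }
    foreach ($a in $addrs) {
        if ($a.IPAddress -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') {
            $findings += "NIC $($nic.Name) carries non-LAN address $($a.IPAddress)"
        }
    }

    # Rule 3: the DC's own DNS client must list only DC addresses, never the ISP resolvers.
    $dns = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses
    $foreign = @($dns | Where-Object { $_ -notin $LanDnsServers })
    if ($foreign.Count -gt 0) {
        $findings += "DNS client lists non-DC server(s): $($foreign -join ', ')"
    }
}

# Rule 4: outside resolvers belong only in the DNS Server forwarders list,
# and that list should not point back at a DC.
$fwd = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
if ($fwd.Count -eq 0) { $findings += 'No forwarders configured on the DNS Server service' }
foreach ($f in $fwd) {
    if ($f -in $LanDnsServers) { $findings += "Forwarder $f is a DC address, not an external resolver" }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'DC NIC/DNS layout matches the single-homed, DC-only DNS rules' }
```

The firewall rule (outbound port 53 allowed only from the DCs) lives on the firewall and is not visible from the DC, so it has to be verified there separately.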
Expert Comment

by: pwindell
ID: 36500618
In your case the ISA is your Firewall,...or it should be anyway.  If you aren't going to use it as that then you might as well uninstall it and use the server for something else useful.

Do not install ISA on a DC unless it is being used as a Single-NIC Web Caching Only Proxy (which is pretty much a waste of time). The only other exception to running ISA on a DC would be with SBS Premium (limited to the ISA 2004 packaged with it), which is a specially designed product built to work in this manner, but no other "regular" DC should have ISA on it.

Author Closing Comment

by: Janibek
ID: 36907897
Many thanks for your input!