Various issues due to DNS

Greetings, experts!

I have the following structure in my organization:
srv1(named PDC): DC, primary AD, DHCP, DNS, Exchange 2007, separate public IP
srv2(named BDC): DC, replica AD, ISA2006 internet proxy, separate public IP

Each of the servers has separate internal and external IP addresses. Internet connection comes via a single ADSL connection, and ISP provides 8 IP addresses.

Here are the issues I have in my environment possibly because of the DNS:
--Most of the group policies don't apply due to errors in connection to DC. Everyone can login correctly, but the event log says that user PCs cant find DC.
--Replication between the two DCs doesn't work correctly.

Could you advice me what to correct in my environment based on Dcdiag and Netdiag outputs?

attached are "dcdiag -v" and "netdiag" files for both servers. Please let me know if you need any clarifications.
Many thanks! bdc-dcdiag-verbose.txt
bdc-netdiag.txt
pdc-dcdiag-verbose.txt
pdc-netdiag.txt
JanibekAsked:
Who is Participating?
 
pwindellCommented:
Each of the servers has separate internal and external IP addresses

Never ever ever ever ever ever ever ever ever ever ever ever ever multi home Domain Controllers,.....ever.

One IP# on each which would be a LAN IP#,...one live Nic on each which uses that LAN IP#,...if a second nic exist then it must be disabled,... no exceptions

No Dialup adapters or Modems
No Remote Access VPNs (not the same thing as a Site-to-Site VPN, which is OK when done correctly)
All of those things must be done on a different machine or machines.

Public IP#s go on the external interface of the Firewall.   It is the Firewalls job to Reverse-NAT (aka Static NAT) the traffic hitting those addresses to whatever machine on the LAN it is supposed to go to.   Public IP#s can also be placed on other "special" machines that sit outside the LAN on the Public Segment, however DSL technology doesn't lend itself easily to doing that,..DSL is basically a Home-User Technology (as also with CableTV Internet).

Lastly,..you never mentioned this,...but it needs mentioned.
The only place that any other DNS should be listed (such as maybe your ISP's DNS) would be in the Forwarders List within the Config of the DNS Services on each DC.  They should never appear anywhere else,..ever.   Every last machine or device on the LAN that needs DNS must use the DC's IP# and never anything else.   If you Firewall is capable, it must resrict outbound DNS Queries to only coming from the DC's. This prevents and "weeds out" any machine on the LAN using any rogue DNS settings and also cripples any malware that may try to proxy your DNS queries to some "rigged" or "poisoned" DNS Server on the Internet.
0
 
pwindellCommented:
In your case the ISA is your Firewall,...or it should be anyway.  If you aren't going to use it as that then you might as well uninstall it and use the server for something else useful.

Do not install ISA on a DC unless it is being used as a Single-Nic Web Caching Only Proxy  (which is pretty much a waste of time).   The only other exception of running ISA on a DC would be with SBS Premium (limited to ISA2004 packaged with it) which is a spcially designed product to work in this manner, but no other "regular" DC should have ISA on it.
0
 
JanibekAuthor Commented:
Many thanks for your input!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.