Solved

Various issues due to DNS

Posted on 2011-09-06
3
210 Views
Last Modified: 2012-05-12
Greetings, experts!

I have the following structure in my organization:
srv1(named PDC): DC, primary AD, DHCP, DNS, Exchange 2007, separate public IP
srv2(named BDC): DC, replica AD, ISA2006 internet proxy, separate public IP

Each of the servers has separate internal and external IP addresses. Internet connection comes via a single ADSL connection, and ISP provides 8 IP addresses.

Here are the issues I have in my environment possibly because of the DNS:
--Most of the group policies don't apply due to errors in connection to DC. Everyone can login correctly, but the event log says that user PCs cant find DC.
--Replication between the two DCs doesn't work correctly.

Could you advice me what to correct in my environment based on Dcdiag and Netdiag outputs?

attached are "dcdiag -v" and "netdiag" files for both servers. Please let me know if you need any clarifications.
Many thanks! bdc-dcdiag-verbose.txt
bdc-netdiag.txt
pdc-dcdiag-verbose.txt
pdc-netdiag.txt
0
Comment
Question by:Janibek
  • 2
3 Comments
 
LVL 29

Accepted Solution

by:
pwindell earned 400 total points
ID: 36500596
Each of the servers has separate internal and external IP addresses

Never ever ever ever ever ever ever ever ever ever ever ever ever multi home Domain Controllers,.....ever.

One IP# on each which would be a LAN IP#,...one live Nic on each which uses that LAN IP#,...if a second nic exist then it must be disabled,... no exceptions

No Dialup adapters or Modems
No Remote Access VPNs (not the same thing as a Site-to-Site VPN, which is OK when done correctly)
All of those things must be done on a different machine or machines.

Public IP#s go on the external interface of the Firewall.   It is the Firewalls job to Reverse-NAT (aka Static NAT) the traffic hitting those addresses to whatever machine on the LAN it is supposed to go to.   Public IP#s can also be placed on other "special" machines that sit outside the LAN on the Public Segment, however DSL technology doesn't lend itself easily to doing that,..DSL is basically a Home-User Technology (as also with CableTV Internet).

Lastly,..you never mentioned this,...but it needs mentioned.
The only place that any other DNS should be listed (such as maybe your ISP's DNS) would be in the Forwarders List within the Config of the DNS Services on each DC.  They should never appear anywhere else,..ever.   Every last machine or device on the LAN that needs DNS must use the DC's IP# and never anything else.   If you Firewall is capable, it must resrict outbound DNS Queries to only coming from the DC's. This prevents and "weeds out" any machine on the LAN using any rogue DNS settings and also cripples any malware that may try to proxy your DNS queries to some "rigged" or "poisoned" DNS Server on the Internet.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 36500618
In your case the ISA is your Firewall,...or it should be anyway.  If you aren't going to use it as that then you might as well uninstall it and use the server for something else useful.

Do not install ISA on a DC unless it is being used as a Single-Nic Web Caching Only Proxy  (which is pretty much a waste of time).   The only other exception of running ISA on a DC would be with SBS Premium (limited to ISA2004 packaged with it) which is a spcially designed product to work in this manner, but no other "regular" DC should have ISA on it.
0
 

Author Closing Comment

by:Janibek
ID: 36907897
Many thanks for your input!
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Occasionally you run into the website or two that will not resolve properly using your own DNS servers.  Some people simply set up global forwarders for their DNS server.  I don’t recommend doing this because it can cause problems resolving addresse…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now