Solved

Various issues due to DNS

Posted on 2011-09-06
3
209 Views
Last Modified: 2012-05-12
Greetings, experts!

I have the following structure in my organization:
srv1(named PDC): DC, primary AD, DHCP, DNS, Exchange 2007, separate public IP
srv2(named BDC): DC, replica AD, ISA2006 internet proxy, separate public IP

Each of the servers has separate internal and external IP addresses. Internet connection comes via a single ADSL connection, and ISP provides 8 IP addresses.

Here are the issues I have in my environment possibly because of the DNS:
--Most of the group policies don't apply due to errors in connection to DC. Everyone can login correctly, but the event log says that user PCs cant find DC.
--Replication between the two DCs doesn't work correctly.

Could you advice me what to correct in my environment based on Dcdiag and Netdiag outputs?

attached are "dcdiag -v" and "netdiag" files for both servers. Please let me know if you need any clarifications.
Many thanks! bdc-dcdiag-verbose.txt
bdc-netdiag.txt
pdc-dcdiag-verbose.txt
pdc-netdiag.txt
0
Comment
Question by:Janibek
  • 2
3 Comments
 
LVL 29

Accepted Solution

by:
pwindell earned 400 total points
ID: 36500596
Each of the servers has separate internal and external IP addresses

Never ever ever ever ever ever ever ever ever ever ever ever ever multi home Domain Controllers,.....ever.

One IP# on each which would be a LAN IP#,...one live Nic on each which uses that LAN IP#,...if a second nic exist then it must be disabled,... no exceptions

No Dialup adapters or Modems
No Remote Access VPNs (not the same thing as a Site-to-Site VPN, which is OK when done correctly)
All of those things must be done on a different machine or machines.

Public IP#s go on the external interface of the Firewall.   It is the Firewalls job to Reverse-NAT (aka Static NAT) the traffic hitting those addresses to whatever machine on the LAN it is supposed to go to.   Public IP#s can also be placed on other "special" machines that sit outside the LAN on the Public Segment, however DSL technology doesn't lend itself easily to doing that,..DSL is basically a Home-User Technology (as also with CableTV Internet).

Lastly,..you never mentioned this,...but it needs mentioned.
The only place that any other DNS should be listed (such as maybe your ISP's DNS) would be in the Forwarders List within the Config of the DNS Services on each DC.  They should never appear anywhere else,..ever.   Every last machine or device on the LAN that needs DNS must use the DC's IP# and never anything else.   If you Firewall is capable, it must resrict outbound DNS Queries to only coming from the DC's. This prevents and "weeds out" any machine on the LAN using any rogue DNS settings and also cripples any malware that may try to proxy your DNS queries to some "rigged" or "poisoned" DNS Server on the Internet.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 36500618
In your case the ISA is your Firewall,...or it should be anyway.  If you aren't going to use it as that then you might as well uninstall it and use the server for something else useful.

Do not install ISA on a DC unless it is being used as a Single-Nic Web Caching Only Proxy  (which is pretty much a waste of time).   The only other exception of running ISA on a DC would be with SBS Premium (limited to ISA2004 packaged with it) which is a spcially designed product to work in this manner, but no other "regular" DC should have ISA on it.
0
 

Author Closing Comment

by:Janibek
ID: 36907897
Many thanks for your input!
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now