Solved

Various issues due to DNS

Posted on 2011-09-06
Last Modified: 2012-05-12
Greetings, experts!

I have the following structure in my organization:
srv1(named PDC): DC, primary AD, DHCP, DNS, Exchange 2007, separate public IP
srv2(named BDC): DC, replica AD, ISA2006 internet proxy, separate public IP

Each of the servers has separate internal and external IP addresses. Internet connection comes via a single ADSL connection, and ISP provides 8 IP addresses.

Here are the issues I have in my environment possibly because of the DNS:
--Most of the group policies don't apply due to errors in connection to DC. Everyone can login correctly, but the event log says that user PCs can't find DC.
--Replication between the two DCs doesn't work correctly.

Could you advise me what to correct in my environment based on Dcdiag and Netdiag outputs?

Attached are "dcdiag -v" and "netdiag" files for both servers. Please let me know if you need any clarifications.
Many thanks!

Attachments:
bdc-dcdiag-verbose.txt
bdc-netdiag.txt
pdc-dcdiag-verbose.txt
pdc-netdiag.txt
Question by:Janibek
LVL 29

Accepted Solution

by:
pwindell earned 400 total points
ID: 36500596
"Each of the servers has separate internal and external IP addresses"

Never ever ever ever ever ever ever ever ever ever ever ever ever multi home Domain Controllers,.....ever.

One IP# on each which would be a LAN IP#,...one live Nic on each which uses that LAN IP#,...if a second nic exist then it must be disabled,... no exceptions

No Dialup adapters or Modems
No Remote Access VPNs (not the same thing as a Site-to-Site VPN, which is OK when done correctly)
All of those things must be done on a different machine or machines.

Public IP#s go on the external interface of the Firewall.   It is the Firewalls job to Reverse-NAT (aka Static NAT) the traffic hitting those addresses to whatever machine on the LAN it is supposed to go to.   Public IP#s can also be placed on other "special" machines that sit outside the LAN on the Public Segment, however DSL technology doesn't lend itself easily to doing that,..DSL is basically a Home-User Technology (as also with CableTV Internet).

Lastly,..you never mentioned this,...but it needs mentioned.
The only place that any other DNS should be listed (such as maybe your ISP's DNS) would be in the Forwarders List within the Config of the DNS Services on each DC.  They should never appear anywhere else,..ever.   Every last machine or device on the LAN that needs DNS must use the DC's IP# and never anything else.   If your Firewall is capable, it must restrict outbound DNS Queries to only coming from the DC's. This prevents and "weeds out" any machine on the LAN using any rogue DNS settings and also cripples any malware that may try to proxy your DNS queries to some "rigged" or "poisoned" DNS Server on the Internet.
0
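Added example (not part of the original answer): a small Python audit that applies the two checks from the accepted answer to `ipconfig /all` output from a DC, flagging more than one addressed NIC and any DNS server entry that is not a DC. The sample output, the IP addresses in `DC_DNS` and the function names are constructed for illustration.

```python
import re

# Constructed `ipconfig /all` excerpt for a multihomed DC (not the asker's attachments).
SAMPLE = """\
Ethernet adapter LAN:

   IP Address. . . . . . . . . . . . : 192.168.1.10
   DNS Servers . . . . . . . . . . . : 192.168.1.10
                                       192.168.1.11

Ethernet adapter WAN:

   IPv4 Address. . . . . . . . . . . : 203.0.113.2(Preferred)
   DNS Servers . . . . . . . . . . . : 198.51.100.53
"""
DC_DNS = {"192.168.1.10", "192.168.1.11"}  # assumed LAN IPs of the two DCs

ADAPTER = re.compile(r"^(\S.*adapter .+):\s*$")
FIELD = re.compile(r"^\s+(\S.*?)[ .]*\s:\s?(.*)$")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
BUCKETS = {"IP Address": "ips", "IPv4 Address": "ips", "DNS Servers": "dns"}

def parse_ipconfig(text):
    """Map adapter name -> {"ips": [...], "dns": [...]}."""
    adapters, current, bucket = {}, None, None
    for line in text.splitlines():
        m = ADAPTER.match(line)
        if m:
            current, bucket = adapters.setdefault(m.group(1), {"ips": [], "dns": []}), None
            continue
        if current is None or not line.strip():
            continue
        f = FIELD.match(line)
        if f:  # new "Key . . . : value" field; otherwise a continuation line
            bucket = BUCKETS.get(f.group(1))
        if bucket:
            current[bucket] += IPV4.findall(f.group(2) if f else line)
    return adapters

def audit_dc(text, dc_dns):
    """Return findings: several addressed NICs, or DNS servers that are not DCs."""
    adapters = parse_ipconfig(text)
    live = [n for n, a in adapters.items() if a["ips"]]
    findings = [("multihomed", live)] if len(live) > 1 else []
    for name, a in adapters.items():
        rogue = [ip for ip in a["dns"] if ip not in dc_dns]
        if rogue:
            findings.append((f"non-DC DNS on {name}", rogue))
    return findings
```

The parser accepts both the older `IP Address` label and the newer `IPv4 Address ... (Preferred)` form, and it follows the indented continuation lines that `ipconfig` uses for additional DNS servers.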
 
LVL 29

Expert Comment

by:pwindell
ID: 36500618
In your case the ISA is your Firewall,...or it should be anyway.  If you aren't going to use it as that then you might as well uninstall it and use the server for something else useful.

Do not install ISA on a DC unless it is being used as a Single-Nic Web Caching Only Proxy  (which is pretty much a waste of time).   The only other exception of running ISA on a DC would be with SBS Premium (limited to ISA2004 packaged with it) which is a specially designed product to work in this manner, but no other "regular" DC should have ISA on it.
0
 

Author Closing Comment

by:Janibek
ID: 36907897
Many thanks for your input!
0
