Goutham asked:
Able to join client systems to Windows Active Directory, but domain admin member privilege issue and DNS related

Dear Experts,
I installed Windows Server 2016 Standard and configured it to function as domain controller, DNS server and DHCP server. I observed that after promoting the server to an AD domain controller, the server's primary DNS entry changed to localhost, I mean pointing to 127.0.0.1; I manually changed it back to the actual IP.
While creating the forward and reverse zones I had selected "do not allow dynamic updates".
Following are the issues faced:
1. While joining the client system (Windows 10 Pro) to the domain, it accepted the join but showed the message "preferred DNS could not be changed"; after a reboot I am able to log in with a domain user. Please let me know where I am going wrong.
2. When the user logs on and browses the network, the domain controller is visible and the NETLOGON directory can be seen, but the user's home directory is not shown. Please let me know what I have missed.
3. I made a normal user a member of the Domain Admins group on the server and then logged on to the client system with this user, but he does not get admin privileges. When he clicks on the network settings to change the IP address, it prompts for a logon and password, but it neither allows the administrator login on the client system nor considers this user an administrator, although he is actually a member of the Domain Admins group.
4. Before joining the client system to the domain controller, is it required to create A and PTR records manually and only then join the system to the domain?
Please help me understand and suggest the steps to resolve points 1 to 4 above. This will be a great help, thanks in advance.
Rob Williams:
As a test, try manually assigning the server's IP (not the localhost address) as DNS on the client machine. DNS for the server name is not resolving correctly.
It is OK if the server points to localhost for DNS, but your DHCP scope must assign the server's IP, not localhost.
If you are still having problems, please post the results of ipconfig /all here.
Goutham (asker):
Thanks for the inputs. I will provide the results of ipconfig /all; meanwhile, I request that you please help on the other points I raised.
OK, first off, why no dynamic updates for DNS? That makes things harder, especially since you indicate you are using DHCP. Do you see all your SRV records in DNS? An A record for the DC itself? AD is really dependent on DNS. A smarter thing would be to allow secure updates only.
1. I have never seen that message on a Win 10 machine joining the domain. You should have set the default DNS IP and domain name in DHCP, so it should never have to change it.
2. Did you assign him a home directory in his AD account?
3. If the client has no A record, then logged-in behavior can be funky. I would run whoami /groups at either the command line or in PowerShell to make sure the group membership is there.
4. What you really need is to make sure the DC records are all there. But I would recommend you change your DNS to either allow dynamic updates or allow secure dynamic updates only, and then stop and start the Netlogon service. No, it is not required to have a client A and PTR record made before joining the domain, but not having one afterwards makes things more difficult.
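The checks suggested in this answer (client DNS settings, the DC's SRV and A records, whoami /groups, re-registering the client's records), gathered into one script as an added example. It is not code from the thread; it is run in an elevated PowerShell on the Windows 10 client, and the domain name and DC address are hypothetical values to replace with your own.

```powershell
# Added example (not from the original thread): client-side checks for the
# symptoms described above, run in an elevated PowerShell on the Windows 10 client.
# Assumed values (hypothetical, replace with your own): AD domain name and DC IP.
$Domain = 'corp.example.com'
$DcIp   = '192.168.1.10'

# 1. The client must use the DC (not 127.0.0.1 and not an ISP resolver) as its
#    DNS server; otherwise the join and the logon SRV lookups go elsewhere.
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
       Where-Object { $_.ServerAddresses.Count -gt 0 }
$dns | Format-Table InterfaceAlias, ServerAddresses -AutoSize
if ($dns.ServerAddresses -notcontains $DcIp) {
    Write-Warning "No interface points at the DC ($DcIp); fix it with:"
    Write-Warning "  Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $DcIp"
}

# 2. Does the DC publish the SRV record clients use to locate a domain controller?
#    An empty result here is the 'zone does not accept dynamic updates' symptom.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DcIp -ErrorAction SilentlyContinue
$srvOnly = $srv | Where-Object Type -eq 'SRV'
if (-not $srvOnly) {
    Write-Warning "No DC SRV record found; on the DC, allow secure dynamic updates and run: Restart-Service Netlogon"
} else {
    $srvOnly | Format-Table Name, NameTarget, Port -AutoSize
    # 3. ...and does the DC's own host name resolve to the address we expect?
    foreach ($target in $srvOnly.NameTarget) {
        $a = Resolve-DnsName -Name $target -Type A -Server $DcIp -ErrorAction SilentlyContinue
        '{0} -> {1}' -f $target, ($a.IPAddress -join ', ')
    }
}

# 4. Locator test: the same lookup the logon process performs.
nltest "/dsgetdc:$Domain"

# 5. Group membership as seen by this logon token. 'Domain Admins' must appear
#    here for the user to be an administrator on the client; if it does not,
#    either the membership was added after the user's last logon (log off and
#    on again, the token is built at logon) or the client never reached the DC.
$groups = (whoami /groups) -join "`n"
if ($groups -match 'Domain Admins') { 'Token contains Domain Admins' }
else { Write-Warning 'Token does not contain Domain Admins' }

# 6. Re-register this client's A and PTR records with the DC's DNS
#    (only succeeds once the zone accepts dynamic updates).
ipconfig /registerdns
```

Step 5 is the one that explains point 3 of the question: group membership is stamped into the access token at logon, so a user made a Domain Admin while logged on keeps the old token until the next logon, and a client that cannot reach the DC logs on with cached credentials and an unchanged token.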
>> "meanwhile, I request that you please help on the other points I raised."
I suspect the root of all problems is DNS. My suggestion was just to verify that.
If everything works better, then we need to address the IP, DNS, and DNS configurations of the server.
I would also verify in the DNS management console, under properties of the server, on the interfaces tab, that only the server IP's (both IPv4 & IPv6) are checked and that the local host, and if present VPN IP, are not.
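The server-side settings discussed in this thread (listening interfaces, the DC's own DNS client setting, secure dynamic updates on the zones, a Netlogon restart to re-register the SRV records, and the DHCP scope handing out the DC's IP), as an added example that is not part of the original answers. It is run in an elevated PowerShell on the Windows Server 2016 DC; the domain, scope and address values are hypothetical and must be replaced, and converting a file-backed zone to an AD-integrated one with ConvertTo-DnsServerPrimaryZone is assumed to apply to zones that were created before the promotion.

```powershell
# Added example (not from the original thread): DC-side fixes matching the
# advice in this thread, run in an elevated PowerShell on the Windows Server 2016 DC.
# Assumed values (hypothetical, replace with your own):
$Domain      = 'corp.example.com'
$DcIp        = '192.168.1.10'
$ScopeId     = '192.168.1.0'              # DHCP scope network ID
$ReverseZone = '1.168.192.in-addr.arpa'   # reverse zone for 192.168.1.0/24

# 1. Make the DNS service listen only on the server's real address, the
#    command-line equivalent of the 'Interfaces' tab in the DNS console.
#    Loopback and VPN addresses must not be in this list.
dnscmd /ResetListenAddresses $DcIp

# 2. The DC itself should resolve through its own address (127.0.0.1 also
#    works); an ISP resolver here breaks lookups of the domain's own records.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $DcIp

# 3. Zones created by hand before the promotion are file-backed and cannot take
#    secure updates. Store them in AD (assumption: ConvertTo-DnsServerPrimaryZone
#    with -ReplicationScope converts a file-backed primary zone) and then allow
#    secure dynamic updates only, so a record can be changed only by the
#    authenticated account (machine or DHCP server) that registered it.
foreach ($zone in $Domain, $ReverseZone) {
    $z = Get-DnsServerZone -Name $zone
    if (-not $z.IsDsIntegrated) {
        ConvertTo-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -Force
    }
    Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure
}

# 4. Re-register the DC's own A/PTR records, then let Netlogon re-register
#    the _msdcs SRV records the clients' locator depends on.
ipconfig /registerdns
Restart-Service Netlogon

# 5. DHCP must hand out the DC's IP as DNS server (never 127.0.0.1) plus the
#    DNS suffix, so a client never has to 'change the preferred DNS' at join time.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $DcIp -DnsDomain $Domain

# 6. Verify: the SRV records now present in the zone, and a DNS diagnosis.
Get-DnsServerResourceRecord -ZoneName $Domain -RRType Srv |
    Format-Table HostName, RecordData -AutoSize
dcdiag /test:dns /v
```

After step 5, clients that already have a lease pick up the new options with ipconfig /renew; the SRV list in step 6 should include _ldap._tcp.dc._msdcs and _kerberos._tcp entries pointing at the DC, and dcdiag's DNS test should pass before any client is re-joined.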
Goutham (asker):
Thanks for the inputs, I will follow accordingly. Before installing the Active Directory role I installed and configured the forward and reverse zones, I mean the DNS server was configured first and then Active Directory was installed. During the installation process it showed something like "DNS delegation not possible, you have to do it manually", and I continued.
1. Please let me know: should we first configure the DNS server with forward and reverse zones and then install Active Directory, or just install the DNS server and not configure the zones, so that the Active Directory installation will take care of it?
2. Can you please help me understand what would have gone wrong, as while installing Active Directory a message like "DNS delegation cannot be created" appeared?
Please help on 1 and 2 above.
ASKER CERTIFIED SOLUTION
Jeff Glover:
This solution is only available to members of Experts Exchange.
Goutham (asker):
Thank you very much. I first installed DNS and configured it as a DNS server by creating zones, and after this installed Active Directory. While installing, when the progress reached the DNS section, the following message appeared: "A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain. Otherwise, no action is required."
That message occurs when it cannot find the zone to update. Since you disabled dynamic updates, it is to be expected. Do you see any SRV records in your forward lookup zone? An A record for the server?
Goutham (asker):
Thanks for the update. I do not see them; instead I created them manually. Now, is it possible to enable dynamic updates and restart the DNS service, or do you recommend a fresh install of DNS and AD again?
SOLUTION
This solution is only available to members of Experts Exchange.
Goutham (asker):
Thank you very much, I will follow the steps. Thanks once again.
Goutham (asker):
Thanks to one and all. I followed your inputs and it works perfectly; I am able to join the Windows systems to the domain controller. I have a few Linux servers: how do I make these Linux servers use the Windows AD domain controller's DNS server? I mean, on a Windows system we assign the Windows AD IP as the DNS server and then join the domain; for these Linux servers, how do I configure Windows AD as their DNS server? Should I manually create A and PTR records for the Linux servers and then point the Linux servers' DNS configuration at Windows AD? Please suggest, thanks.