RandomClown Posted January 11, 2010

Hai! I am new to Server 2008 & Active Directory. My friend & I have been trying to set up AD & have it so we can also remotely manage it [RSAT]. We followed a few online guides & did what we were told, but server=fail. We definitely did something wrong. I am not sure where to start, so I will give an error my friend copied down:

Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "horc.me":

The error was: "DNS name does not exist." (error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.horc.me

Common causes of this error include the following:

- The DNS SRV records required to locate an AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when an AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses: 68.87.68.162, 99.27.200.152

- One or more of the following zones do not include delegation to its child zone: horc.me, me, . (the root zone)

Can someone help? :( Thanks for reading
MRGRIM Posted January 11, 2010

Sounds like DNS isn't working right on that system. I have no idea about RSAT. But I'd run DCPROMO again on that system; google online for DC setup tutorials, you should be able to find some checklist-style guides. It is very important that before you run dcpromo you have DNS working correctly.
digip Posted January 11, 2010

Or check to see if the DNS Server service is even running on the Domain Controller. When I see the LDAP error, though, I faintly remember something similar with our Exchange setup in class, and it might be in Sites and Services pointing to the wrong domain. Did you create a DNS entry for the machine listed at horc.me?
Charles Posted January 11, 2010

To echo the last 2 posters, make sure the DNS service is running and if it is make sure it's configured correctly. Are you trying to access the machine from the internet or from a machine on the same LAN? Can you post what the DNS server settings are for the server? ipconfig /all should do the trick.
anguish79 Posted January 11, 2010

Based on what I'm reading, you're looking at external DNS servers that are probably out of your control, and therefore don't have the records you need. As others have said, make sure the DNS server service is running, and configured properly for AD. Assuming the server is both your DC and your DNS, you might need to change your DNS settings on your NIC to point to itself (for example, if the DC/DNS server has an IP of 192.168.1.10, you need to make sure your DNS settings point to the same IP as well). HTH.
Charles Posted January 11, 2010

Usually when you run DCPROMO, it installs DNS and makes it point to 127.0.0.1 on the server (unless you specify otherwise). Any clients would have to have their DNS set to the server's IP address.
digip Posted January 11, 2010

> Usually when you run DCPROMO, it installs DNS and makes it point to 127.0.0.1 on the server (unless you specify otherwise). Any clients would have to have their DNS set to the server's IP address.

QFE. Also, when they need to get outside their LAN, say to the internet, using the domain controller as their primary DNS, the server will do the lookups for them, so long as it can reach the internet and has an external DNS and gateway set up to get out of the LAN. Otherwise, you can only see the LAN, so you would need an entry on the DNS server for every machine in the LAN to see and talk to one another by domain name. I think maybe we need more info, because I'm not 100% sure we have the full picture on your needs and setup. How do you connect remotely to the server? Can the server reach any websites on the internet so you know it can get online? Does it resolve names, or can you ping sites and get their IP, or does it say server not found or can't resolve address or something to that effect... Break it down, and give us the scoop on the full layout of the domain, LAN, and internet access to/from the domain controller.
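The three checks the replies above keep coming back to (is the DNS Server service running, does the DC's NIC point at itself rather than at the ISP's resolvers, and does the _ldap._tcp.dc._msdcs SRV record resolve to a host with an A record) can be run in one go on the DC. This is an added example written for this page, not code posted in the thread; it assumes the domain name horc.me from the error message and PowerShell 2.0 on Server 2008 (which is why it shells out to nslookup instead of using Resolve-DnsName, which does not exist there).

```powershell
# Added example: run on the Server 2008 domain controller itself.
# $Domain is assumed from the original error; change it for another forest.
param([string]$Domain = "horc.me")

# 1. Is the DNS Server service installed and running on this box?
$dns = Get-Service -Name DNS -ErrorAction SilentlyContinue
if ($dns -eq $null)                 { Write-Warning "DNS Server service is not installed on this machine." }
elseif ($dns.Status -ne 'Running')  { Write-Warning "DNS Server service is $($dns.Status), not Running." }
else                                { Write-Host "DNS Server service: running" }

# 2. Do the NICs use this server (its own IP or 127.0.0.1) for DNS?
#    External resolvers belong in the DNS console as forwarders, not on the NIC.
$nics    = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
$myAddrs = @('127.0.0.1') + ($nics | ForEach-Object { $_.IPAddress })
foreach ($nic in $nics) {
    $servers = @($nic.DNSServerSearchOrder | Where-Object { $_ })
    $foreign = $servers | Where-Object { $myAddrs -notcontains $_ }
    if ($servers.Count -eq 0) {
        Write-Warning "$($nic.Description): no DNS servers configured"
    } elseif ($foreign) {
        Write-Warning "$($nic.Description): points at external DNS $($foreign -join ', '); a DC/DNS server should point at itself."
    } else {
        Write-Host "$($nic.Description): DNS -> $($servers -join ', ') (self)"
    }
}

# 3. Does the DC-locator SRV record exist, and does every target have an A record?
#    nslookup prints one 'svr hostname = <target>' line per SRV answer.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
$out     = & nslookup -type=SRV $srvName 2>&1 | Out-String
$targets = [regex]::Matches($out, 'svr hostname\s*=\s*(\S+)') | ForEach-Object { $_.Groups[1].Value }
if (@($targets).Count -eq 0) {
    Write-Warning "No SRV record for $srvName. Restart-Service Netlogon (or run 'nltest /dsregdns') to re-register the DC's records, then re-check."
} else {
    foreach ($t in $targets) {
        try {
            $ips = [System.Net.Dns]::GetHostAddresses($t) | ForEach-Object { $_.IPAddressToString }
            Write-Host "$srvName -> $t -> $($ips -join ', ')"
        } catch {
            # The 'SRV records found but none point at a DC' symptom from later in the thread
            Write-Warning "$srvName points at $t, but that name does not resolve to an address."
        }
    }
}
```

Run it as an administrator on the DC after dcpromo has finished and the box has rebooted; if step 3 still fails after Netlogon has been restarted, the DNS zone the server is authoritative for is not the one the NIC is querying, which is exactly the situation the dcdiag message in the first post describes.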
Pom Posted January 11, 2010

RC's friend here. As you guys know, I got that message while trying to connect to his domain. We've run DCPROMO several times over (not to mention reinstalling everything). First time we tried this we were using one of those free domains they pass out at dyndns and we also forwarded DNS requests to their nameservers (if I recall correctly the DNS at one point was directed to localhost, but I don't think that yielded any different result). After setting up the AD, the DNS and DC needed to run AD, I tried to connect to his domain via the internet; I would receive a similar message to the one I gave above, except it would find the SRV records yet none of them pointed to a domain controller. After getting the same message over and over, he opted to get a top-level domain due to us assuming it had something to do with using a subdomain. After finding a provider to host the domain, we reinstalled everything, ran DCPROMO and this time forwarded the DNS requests to said provider. Also, to double check, I ran nslookup with the set type=all parameter to check _ldap._tcp.dc._msdcs.horc.me for the SRV records and couldn't find the server, let alone said records. Funny thing is I cannot ping the server either. I don't know if that's because the server itself is hosted on a virtual machine or what. As for the DNS IPs you see, the first one is his, the second one is my ISP's. I opted to keep the latter in case his would not forward my request. I've tried with only the server's IP and subsequently lost all ability to connect to any website.
Charles Posted January 11, 2010

Are you able to connect to the domain from the LAN? I thought that you couldn't connect to an AD domain from over the internet unless you used a VPN to connect to the internal network first.
Sparda Posted January 11, 2010

> First time we tried this we were using one of those free domains they pass out at dyndns and we also forwarded DNS requests to their nameservers (if I recall correctly the DNS at one point was directed to localhost, but I don't think that yielded any different result). After setting up the AD, the DNS and DC needed to run AD, I tried to connect to his domain via the internet; I would receive a similar message to the one I gave above, except it would find the SRV records yet none of them pointed to a domain controller.

In what way did you try and connect to the domain? What client did you use?
Pom Posted January 11, 2010

> In what way did you try and connect to the domain? What client did you use?

I'm using Windows 7 Enterprise 64-bit and tried doing so by changing the domain of the PC in the advanced system options feature.
Sparda Posted January 11, 2010

You really don't want to join a computer to a domain over the internet without a VPN. Ideally you want the computer on the same network as a DC when joining the domain and only using the VPN to access network resources when off site.
digip Posted January 11, 2010

The domain itself, that you registered, is it forwarding all the requests to your local machine where Active Directory is running? If you are using a VM, then you need to make sure all the firewall ports are open for DNS, Terminal Server (if you want to RDP into it), LDAP ports, etc. are all working, and the router is port forwarding for these services to the correct machine as well: http://geekswithblogs.net/TSCustomiser/arc.../09/112357.aspx Could be you can't connect remotely because the ports can't be reached for service from the internet to the VM. Some may be working but others may be blocked somewhere. Also, make sure there are DNS records and try joining a machine to the domain (will require the server's administrator name and password for the first time). If you can get a local machine on the LAN to join the domain that is running Active Directory (do not use the host machine running the VM either! use another local machine or VM on the LAN) then you know Active Directory and DNS are working. If you can, then do it from outside the LAN; possibly ports are being blocked either on the host machine's firewall, router, or even the ISP.
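To find out which of those services are actually reachable from the remote client before spending more time on the domain join, a quick TCP probe from the Windows 7 box is enough. This is an added example for this page, not code from the thread: the DC host name is an assumption, and the port list is the usual set a domain join and RSAT need (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, Kerberos password change, LDAPS, global catalog, RDP). A TCP connect cannot tell you about UDP 53/88 or the dynamic RPC port range, so a clean result here still does not guarantee a join will succeed.

```powershell
# Added example: run from the remote client to see which AD-related TCP ports on
# the DC answer across the internet / NAT. Host name is assumed; change $DC.
param([string]$DC = "dc.horc.me", [int]$TimeoutMs = 3000)

$ports = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos kpasswd'
    636  = 'LDAPS'
    3268 = 'Global catalog'
    3389 = 'RDP'
}

# Connect with a timeout; a plain TcpClient.Connect() would hang on a filtered port.
function Test-TcpPort([string]$Target, [int]$Port, [int]$Timeout) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }  # filtered/dropped
        $client.EndConnect($ar)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($p in ($ports.Keys | Sort-Object)) {
    $state = if (Test-TcpPort $DC $p $TimeoutMs) { 'open' } else { 'blocked/filtered' }
    "{0,5}  {1,-22} {2}" -f $p, $ports[$p], $state
}
```

Ports that come back blocked here but open when the same script is run from a machine on the DC's LAN are the ones the router or the host firewall in front of the VM is not forwarding. Bear in mind Sparda's point above: exposing LDAP, SMB and RDP on a DC directly to the internet is what a VPN is meant to avoid, so treat this as a diagnostic, not the final configuration.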
Pom Posted January 11, 2010

> You really don't want to join a computer to a domain over the internet without a VPN. Ideally you want the computer on the same network as a DC when joining the domain and only using the VPN to access network resources when off site.

Personally we're just trying to get this thing to work; nothing real sensitive is being set up on it yet. The fact he is on the other side of the country makes being on the same network impossible.

> The domain itself, that you registered, is it forwarding all the requests to your local machine where Active Directory is running? If you are using a VM, then you need to make sure all the firewall ports are open for DNS, Terminal Server (if you want to RDP into it), LDAP ports, etc. are all working, and the router is port forwarding for these services to the correct machine as well: http://geekswithblogs.net/TSCustomiser/arc.../09/112357.aspx Could be you can't connect remotely because the ports can't be reached for service from the internet to the VM. Some may be working but others may be blocked somewhere. Also, make sure there are DNS records and try joining a machine to the domain (will require the server's administrator name and password for the first time). If you can get a local machine on the LAN to join the domain that is running Active Directory (do not use the host machine running the VM either! use another local machine or VM on the LAN) then you know Active Directory and DNS are working. If you can, then do it from outside the LAN; possibly ports are being blocked either on the host machine's firewall, router, or even the ISP.

I recall him being able to do so under Win. Server 2003 (joining another VM via LAN, but that gave me even more issues, so we went with Server 2008).

I had asked him last night when we did all of the domain stuff if he set up his router and the server firewall properly when I first had issues pinging the server and searching for the SRV records, but seeing the information you provided, I have a hunch that he left out a few steps in that area. I'd VNC in and check it out myself but the host machine is down for at least another few hours till someone turns it on at the other end, as I have no way of getting physical access to it.
MRGRIM Posted January 11, 2010

I've skim-read the last few posts and may have missed something. It's generally not recommended to have your "local" domain set up as .com, .net etc. I'm not sure about Windows 7 but I remember doing something similar to this with SBS 2003 and XP. On my XP client I needed to change my lmhosts and hosts files. I've got to ask, but why would he want to join an "online" / "public" domain? This kind of defeats the point of having a domain (imo).
RandomClown Posted January 15, 2010 (Author)

The reason I wanted to do this is because I have set up on like 3 computers a set of accounts that some programs integrate & use as login information. I wanted an easier way to manage the accounts than to walk up to each machine & change things, & to make it even easier, if I am on vacation away from home, I can use a tool to config the accounts. AD works for that, right?

=======

As for what my setup is, maybe I did mess up. I reverted the server to a previous state, so I can make a recording of what I did. I will edit the video & post it.

=======

Now I forwarded the ports. :D

=======
digip Posted January 16, 2010

If you wanted easy management from afar, you could have just set up RDP on each machine then do what you need to in each machine. That would have been a lot simpler than having a domain to manage and secure as well, because if your domain controller is hacked they can send out policies to your other machines to lock you out of them, or even if it just goes down, your machines only log in locally anyway, which overrides any domain policies you had in effect. The way I understand it, policies closest to the machine take precedence over that of the domain's, hence the phrase LSD - Local, then Site, then Domain; the policies applied locally would override that of the domain, so if the users can't reach the domain and authenticate locally and not to the domain, the policies locally take effect and ignore the domain's policies. In my opinion (and this is just me, but anyway) Active Directory is mainly for large networks that need to have certain policies enforced for different user groups, while centralizing all domain users and nodes on the domain, restricting their access to certain functions of the OS or even the internet. It's kind of overkill for a home network with only 3 machines. I would make some sort of bat file, reg file, or wscript setup or something that has my settings for what I want to do on one machine, and then just copy it to each of the other machines. Then when I need to turn something on or off, just RDP into the box and run the scripts to turn things on or off or whatever it is you are doing. Who wants to worry about setting up and maintaining Server 2003/2008, Active Directory, patches, security, etc.? It's great for learning if that's what you want to do, but unless you absolutely need it, find a way to make it work without it. It will be less headache in the long run.
RandomClown Posted January 17, 2010 (Author)

I see how setting up stuff on Server can be annoying. I've pretty much given up now. Guess I'll stick with manually controlling accounts.
MRGRIM Posted January 17, 2010

> In my opinion (and this is just me, but anyway) Active Directory is mainly for large networks that need to have certain policies enforced for different user groups, while centralizing all domain users and nodes on the domain, restricting their access to certain functions of the OS or even the internet. It's kind of overkill for a home network with only 3 machines.

I don't really agree; I've always found AD very useful no matter what size organisation. Perhaps you are right in what you are saying: 50%, maybe more like 80%, of the AD potential is not used by smaller groups. As for the OP, I would look at purchasing Small Business Server; it really is an "out of box" product.
Iain Posted January 17, 2010

> I don't really agree; I've always found AD very useful no matter what size organisation. Perhaps you are right in what you are saying: 50%, maybe more like 80%, of the AD potential is not used by smaller groups. As for the OP, I would look at purchasing Small Business Server; it really is an "out of box" product.

A problem with using a Windows Network Operating System to configure a small network is that the cost is significantly higher than configuring the hosts in a peer-to-peer workgroup. Of course, there comes a point when the advantages of a Domain outweigh the costs involved.
digip Posted January 17, 2010

I'm not saying Active Directory isn't a great tool, it's just that for what he is doing, how is Active Directory making that job easier for him to manage 3 machines? What are these special settings that require him to manage them via Active Directory? Anyway, the first thing to do is make sure your domain is even set up properly. Maybe this will help: http://www.elmajdal.net/Win2k8/Setting_Up_...erver_2008.aspx

Few things I would do in this case though, because I have a suspicion this is causing part of the issue.

1. Don't do this in a VM. Yes, Server 2003 can work fine in a VM, but generally, build a real box, get all your shit working, then make a VM from the live machine and readjust the IP configurations once it's running in the VM.

2. You are trying to join a domain across the internet. Like Sparda said, the ideal way would be through a VPN, but in my mind, if the remote server is the main domain controller, in order for them to see him across the internet without the VPN tunnel, wouldn't you still need a local domain controller on your LAN itself to receive replication and updates for Active Directory?

3. Being a remote server, I'm still thinking you need a local one as well and to configure Sites and Services to be able to receive the configurations from the remote domain controller for the local LAN (or "site"). Because the remote server is going to be coming through several networks, NAT and all that is an obstacle in my mind, so routing and all that fun stuff, port forwarding, rules, etc. needs to be set up properly as well to make the remote server and 3 desktops think they are on the same LAN/domain. The routers at both ends will need configurations to make all the Active Directory stuff work, and to me it starts to become more trouble than it's worth.

If that is the case, build the server itself on the local LAN in a dedicated machine as your domain controller, not in a VM, and set up the server so you can VPN/RDP into it to push out your changes to the other 3 machines on the domain. Draw a map of your network and look at how everything is traveling through the network; if going to a remote server, what things need to be set up first before the two locations can see each other.
MRGRIM Posted January 17, 2010

Hehe, I have no rationale for promoting AD. I am a Windows boy; I run a domain in my home (lol). I tried running SAMBA once and it just didn't work for me; perhaps Linux has improved since those days. For me, looking at it objectively, an entry-level Dell server with SBS OEM is around £700. SBS on its own can be purchased for £400.
Charles Posted January 17, 2010

I was thinking about setting up a Server 2003 box using AD and whatnot for my home file server. The cost was too high to only use a few features of it. So I went with a Linux server and learned a bit. I'd say it wouldn't be worth the cost for only a small number of machines (2-10), but if you are doing admin of 25+, it would totally be worth it.
MRGRIM Posted January 17, 2010

For 2-10 machines you wouldn't use Server 2003, you'd use Small Business Server.
Charles Posted January 17, 2010

What's the difference? Outside of price: Server 2008 Standard: 680. SBS 2008: 740.