Error joining Win Server 2008's domain (possible DNS issue)

Jerry_03 (Weaksauce, joined Oct 12, 2009, 92 messages)
Just got Win Server 2008 running on my ESXi server, with the intentions of running it as a 24x7 DC for my home network.

I followed this guide to setting up my domain:
https://support.cloudshare.com/hc/e...a-Domain-Controller-on-Windows-Server-2008-R2

I installed the Active Directory Domain Services role. I unchecked the option to install the DNS server with it, because I want to use my ISP's DNS servers. My FQDN is home.smithnet.com.

However when I tried to connect my first host to the domain, I get this error:

[screenshot: domainerror-1.jpg]


At first I figured this was because I didn't install the DNS role. So I went back and installed the DNS role on my server, then added a DNS forwarder pointing to my ISP's DNS servers.

I tried connecting my host to the domain again but I still get the same error.

Any ideas?
 
Best practice is to usually use either a non-public FQDN, or at least use one that isn't already in use out on the interwebs.
Unless you actually own home.smithnet.com ?

Pinging home.smithnet.com [184.168.221.96] with 32 bytes of data:
Reply from 184.168.221.96: bytes=32 time=67ms TTL=48

And yes, you need the DC to be running DNS.
Your ISP's DNS won't have your domain controller registered, therefore your workstations will not know how to contact the DC.
 
No, I don't own smithnet.com. I just intend it to be used in my home network. Is there a naming convention for non-public FQDNs? Like .local instead of .com?
 
Remove the DNS and AD roles, reboot, then re-add the AD role with the stock options (including DNS). When it comes time to set it up, best practice for a home or lab would be to use smithnet.local.

When it comes time to set up clients, change their DNS to the DC IP and join away. It would be better and easier to set custom DNS IPs on your DHCP pool in your router so it just hands out the DC IP.
 
Remove the DNS and AD roles, reboot, then re-add the AD role with the stock options (including DNS). When it comes time to set it up, best practice for a home or lab would be to use smithnet.local.

When it comes time to set up clients, change their DNS to the DC IP and join away. It would be better and easier to set custom DNS IPs on your DHCP pool in your router so it just hands out the DC IP.

2012 they don't want you to use .local anymore :)
 
2012 they don't want you to use .local anymore :)

LOL. Oops.

I am a long-time *nix guy who just started playing with AD. In the last week I have set up and torn down about half a dozen AD servers, playing with everything from AD itself to GPO to WSUS and Exchange.
 
You need to install DNS on the domain controller.

You also need to set the machine you are trying to join to the domain to use the domain controller as its DNS server. If you don't do this, it won't join because it can't find the domain.
 
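The three replies above (the DC must run DNS because the ISP resolver has no record of it, point clients at the DC's IP, then join) can be checked from the client side. The following PowerShell is an added example, not code from any poster in this thread. It assumes a DC at 192.168.1.10, a placeholder ISP resolver of 8.8.8.8, an AD DNS name of corp.smithnet.com (a subdomain of a domain the admin owns, per the later replies), and a client on Windows 8 / Server 2012 or newer for the DnsClient cmdlets; on Windows 7 / 2008 the equivalent lookup is `nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.smithnet.com 192.168.1.10`.

```powershell
# Added example (not from the original thread). Assumed values:
$DomainName = 'corp.smithnet.com'   # AD DNS name to create / join
$DcIp       = '192.168.1.10'        # the DC, which also runs the DNS role
$IspDns     = '8.8.8.8'             # placeholder for the ISP's resolver

# 1. Sanity check from the naming discussion: does the name already resolve on the
#    public Internet? If it does (as home.smithnet.com did in the thread), choose another.
$public = Resolve-DnsName -Name $DomainName -Type A -Server $IspDns -ErrorAction SilentlyContinue
if ($public) {
    Write-Warning "$DomainName already resolves publicly to $($public.IPAddress -join ', ')"
}

# 2. Why the join fails against ISP DNS: a domain join locates a DC through the SRV
#    record _ldap._tcp.dc._msdcs.<domain>. Netlogon registers it in the DC's DNS zone;
#    the ISP resolver has never heard of it.
$srv = "_ldap._tcp.dc._msdcs.$DomainName"
foreach ($server in @($IspDns, $DcIp)) {
    $r = Resolve-DnsName -Name $srv -Type SRV -Server $server -ErrorAction SilentlyContinue |
         Select-Object -First 1
    if ($r) {
        '{0}: SRV found -> {1}:{2}' -f $server, $r.NameTarget, $r.Port
    } else {
        '{0}: no SRV record for {1} (a join via this resolver fails)' -f $server, $srv
    }
}

# 3. Point the client's DNS at the DC only. Internet names still resolve because the
#    DC's DNS server forwards them to the ISP. (Or hand out $DcIp from the router's DHCP pool.)
$adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DcIp

# 4. Now the join can find the DC.
$cred = Get-Credential -UserName "$DomainName\Administrator" -Message 'Domain admin credentials'
Add-Computer -DomainName $DomainName -Credential $cred -Restart
```

Run steps 1 and 2 before touching the client's DNS settings: if the SRV lookup against the DC's own IP comes back empty, the DNS role on the DC is not hosting the zone (or Netlogon has not registered yet), and fixing that on the server is the first job.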
2012 they don't want you to use .local anymore :)

That's debatable. Microsoft contradicts itself all over the place.

2012 R2 Essentials defaults to .local

The domain is created with a .local domain suffix

http://richardjgreen.net/windows-server-2012-essentials-initial-admin-thoughts/

Here it specifically recommends AGAINST a .net/com/org/etc
Using the .local label for the full DNS name for the internal domain is a more secure configuration because the .local label is not registered for use on the Internet. This separates your internal domain from your public Internet domain name. It is recommended that you not use the extension of your registered Internet domain name (for example, .com, .net, and .biz) as this can result in name resolution issues.

http://technet.microsoft.com/en-us/library/cc708159(v=ws.10).aspx/

But then here they say to NOT use .local or an unregistered suffix
Also, we do not recommend using unregistered suffixes, such as .local.
http://technet.microsoft.com/en-us/library/cc726016(v=ws.10).aspx/

Doing some reading, it looks like the downsides to .local are if you're presenting data to the Internet and need SSL certificates issued by third-party roots, Macs, and some integration that is more business-oriented (i.e. Office 365).

On the flip-side, the recommended TLD would be one you OWN. Not some random made-up TLD.
 
Use a sub domain of a domain you actually own. Microsoft does not recommend .local anymore.

Got any documentation on why that is? Not much has changed between 2k8 and 2k12, so I can't see any reason why they would suddenly recommend against it.
 
I think it boils down to a change in MS's AD design philosophy and Internet connectivity and design, and that ICANN has effectively outlawed non-TLD or non-FQDN host names in public SSL certs moving forward. The latter really only affects SAN-type certs, but it is a big change.

As far as the OP goes, especially just for learning as this is obviously his first domain, just use a .local. Safer than a made-up TLD and not as complicated as a subdomain of a TLD that I'm assuming the OP doesn't have.
 