More AD Troubles...

Drake

Hey all,

Why does my network suck?? Or, how can you help me make it better?

This is basically a test environment to learn the ins and outs of networking in an active directory environment. The picture is a little off, but nothing is too radically different (no slave AD/DNS server). All servers (save the web server and VOIP server) are Windows 2003 (Enterprise, I think, if that makes a difference), and all interconnecting devices are 10/100Mb switches.

Ok, our problems:
We were given the false glimmer of hope that we *might* get internet access this year. Nope. Under this pretense I assigned IP ranges of 192.168.2.x for the top level network (the named computers) and 192.168.1.x for the lower computers, with a subnet mask of 255.255.255.0 for both. Kudos if you spot the error.
Code:
11000000.10101000.00000010.x
11000000.10101000.00000001.x
11111111.11111111.11111111.00000000

So we sat for weeks not being able to figure out just why the two active directory servers could not establish a trust between them. I finally discovered the subnet was wrong, and set the IP ranges to 199.199.199.x and 199.199.198.x with a subnet of 255.0.0.0. Just FYI, we were told why subnets were used, but never how to calculate them like that. What's worse is the teacher didn't even catch it. UGHH!

However, now none of the workstation computers can log on or find their roaming profiles.

I temporarily put all the machines into a workgroup while the servers are sorted out, but they still try to synchronize their profiles! It's infuriating... takes ages to log in or out.

I first tried deleting the domain within the existing AD server and creating new DNS forward and reverse lookup zones. No dice, however with that done we can ping machines by their name and not just by IP.

I then tried removing all of the server roles and going through the "set up your server for the first time wizard." That didn't help things either... whenever we tried to join the domain it always gave an error like "semaphore time expired" or the like.

At the end of class the machine was reformatted and there's a Windows 2003 server waiting with a clean slate.

Now the questions:
What should I do to get an Active Directory server up and running? So far outside of wizards I've done nothing.

What are good practices in maintaining users? Currently we make OU's specific to the group of users (LAN Admins or Networking) and add in new group policies for them.

What groups should users be made part of if they need full control (i.e. changing the IP and the like) over their own computers? Administrators and Domain Admins?

How, specifically, can I set up a trust between two domains? Is the wizard the only option? Last year we did the SAME EXACT THING in the last month of school, and everything worked PERFECTLY.

Admittedly, we've received absolutely no training on the subject matter nor do we have a knowledgeable teacher to guide us. The class is supposed to teach us these things (as per the class description) but that is just not the case.
 
How many servers are you running?
Are any multi-homed (multiple network cards being used)?

First....with active directory....DNS is very important for name resolution/browsing, and AD to function across the network. It's all about DNS.

For some help on getting DNS setup,
http://www.speedguide.net/read_articles.php?id=1660

It appears you have two networks to deal with...let's get each network functioning first, then deal with the trusts, and the "pain in the butt" roaming profiles. "ugh". Roaming profiles...easy to setup, can create hassles on the workstation level though.
 
As per the picture, (1)AD/DNS server, (1)file server, (1)web server (temporarily with windowsxp), and (1)VOIP server. The only interconnection the VOIP server has with the network is DHCP, other than that it's a standalone unit. We never set up a slave AD/DNS server so it sits unused.

The secondary network has (1)AD/DNS server and nothing more.

YeOldeStonecat said:
It appears you have two networks to deal with...let's get each network functioning first, then deal with the trusts
That's all I seek to do. That's the stage I was at, but changing the IPs seems to have borked the entire network.
 
Drake said:
As per the picture, (1)AD/DNS server, (1)file server, (1)web server (temporarily with windowsxp), and (1)VOIP server. The only interconnection the VOIP server has with the network is DHCP, other than that it's a standalone unit. We never set up a slave AD/DNS server so it sits unused.

The secondary network has (1)AD/DNS server and nothing more.

That's all I seek to do. That's the stage I was at, but changing the IPs seems to have borked the entire network.

When you changed the IP address of the servers did you update their DNS records? Based on your limited descriptions (long logon times, non-replicating domains, failed trusts, etc) I would guess your entire issue was DNS related.

Since that's all gone now, start simple and add things back one step at a time. Setup the TCP/IP connections with appropriate routers and IP settings. Once that's happy, move onto AD and windows server.

 
Ack sorry I didn't even click that link to see the diag.

If things "broke" when you changed IP's...I'd pore over your TCP and DNS settings in detail. DNS is oh so important, and needs to be setup correctly, in the servers own TCP/IP settings, in DNS forwarding, and regarding the clients, be they static IPs or through DHCP.

When changing the servers own IP address, besides changing the TCP/IP settings, double check your DNS, any entries made, flush it and restart the service, check with WINS if you're stuck running that pig for any Win9X clients, and create a new DHCP scope, as the old one will be dead.
 
Well, I checked the diagram and it appears you have no routers in this anywhere- which explains the 192.168.1.0/24 and the 192.168.2.0/24 networks not talking to each other. In the interest of upgradability, I would seriously ask you to change the IP's back to something in a private address range- 192.168.X.X, 10.X.X.X, etc. and adjust the subnet so that everything can talk to each other on a flat network (192.168.1.0/23 and 192.168.2.0/23 should be able to talk to each other fine without a router). While you don't have any problems now with your IP addresses (199.X.X.X/8) they are legitimate public IP addresses that when/if you add Internet connectivity can cause problems (the dns response for website XYZ.com could point to a computer internally and you'd never get to the page).

That having been said, it sounds like dns is resolving incorrectly- as others have stated. The easiest method to test would be to sit at a workstation, open the command line and type these commands in:

ipconfig /flushdns
ping XXXX


where XXXX is the name of a server internally, like adserver1 or whatever you've got. In theory you should get an output similar to this:
C:\Documents and Settings\secret>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Documents and Settings\secret>ping adserver

Pinging adserver.domain.local [10.1.0.34] with 32 bytes of data:

Reply from 10.1.0.34: bytes=32 time=1ms TTL=128
Reply from 10.1.0.34: bytes=32 time<1ms TTL=128
Reply from 10.1.0.34: bytes=32 time<1ms TTL=128
Reply from 10.1.0.34: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.0.34:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

If it times out or you get errors resolving the name, then DNS and/or the underlying network is hosed.
 
/22 will get you rolling, not /23

Then solve the other problems.
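An added worked example (not from anyone in this thread) that checks the subnet arithmetic argued over above: the original 192.168.1.x / 192.168.2.x plan with a /24 mask, the /23 suggestion, the /22 correction, and the 199.199.199.x / 199.199.198.x plan with a /8 mask. Host addresses are constructed samples; the question it answers for each pair is whether the two hosts land on the same network ID, which is what a switch-only network without a router requires.

```python
import ipaddress


def to_bits(ip: str) -> str:
    """Dotted binary form of an IPv4 address, like the first post's 'Code:' block."""
    return ".".join(f"{int(octet):08b}" for octet in ip.split("."))


def network_id(ip: str, mask: str) -> str:
    """Network that `ip` belongs to under `mask` (dotted mask or prefix length)."""
    # strict=False lets a host address be given instead of the network address.
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both hosts compute the same network ID under `mask`.

    On a flat (switch-only) network two hosts can talk directly only when this
    holds; otherwise each tries to hand the packet to a gateway that is not there.
    """
    return network_id(ip_a, mask) == network_id(ip_b, mask)


# Constructed sample pairs mirroring the thread's addressing plans.
PLANS = [
    ("original /24", "192.168.2.10", "192.168.1.10", "255.255.255.0"),
    ("suggested /23", "192.168.2.10", "192.168.1.10", "255.255.254.0"),
    ("corrected /22", "192.168.2.10", "192.168.1.10", "255.255.252.0"),
    ("199.x.x.x /8", "199.199.199.1", "199.199.198.1", "255.0.0.0"),
]


def evaluate_plans(plans=PLANS) -> dict:
    """Map plan name -> (network of host A, network of host B, reachable?)."""
    result = {}
    for name, a, b, mask in plans:
        result[name] = (network_id(a, mask), network_id(b, mask), same_subnet(a, b, mask))
    return result


if __name__ == "__main__":
    for name, (net_a, net_b, ok) in evaluate_plans().items():
        verdict = "same network" if ok else "DIFFERENT networks - needs a router"
        print(f"{name:14} {net_a:18} {net_b:18} {verdict}")
```

Note that /23 still splits 192.168.1.x (network 192.168.0.0/23) from 192.168.2.x (network 192.168.2.0/23); only /22 puts both in 192.168.0.0/22, which is the correction made above.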
 
Internet was denied once and for all (until next year :rolleyes: ). I migrated to 199.x.x.x because we used it (successfully) in the past, and I was frustrated. Keep in mind the fact that none of us actually know what we're doing, and we didn't learn until a few days ago how the hell subnets work.

Well, I checked the diagram and it appears you have no routers in this anywhere- which explains the 192.168.1.0/24 and the 192.168.2.0/24 networks not talking to each other
I already explained all interconnecting devices were switches.

DNS seems to resolve most names most of the time. Before the server was reformatted, all of the servers and most of the workstations could be pinged.

Another question... will there ever be a need to manually add host entries to the DNS configuration?

And just for clarification on the networks:

springfield.net (LAN Admin)
199.199.199.1 monorail.springfield.net - AD/DNS/ server, DHCP eventually
199.199.199.2 kwikemart.springfield.net - File server
199.199.199.3 moes.springfield.net - webserver
199.199.199.4 (unused)
199.199.199.5 VOIP server
all named boxen are workstations

The other network (heroes.net) I have no direct control over. From what I understand they didn't even set up user accounts even though they've had it for over 6 weeks now. Ugh.



A question pertaining to http://www.speedguide.net/read_articles.php?id=1660 ...
If the network is not behind a NAT router, what should the gateway be? I've always just set it to the IP of the AD/DNS server on the network.
 
Drake said:
I've always just set it to the IP of the AD/DNS server on the network.

The answer to that would depend on what your internet pipe is then....running the servers on public IP's? If server is multiply homed you can set it up so it's your networks gateway, using routing on the server. But if you have something else like a router from your ISP, well...I'm fumbling in the dark not knowing your networks internet pipe setup. Need the details on that.
 
YeOldeStonecat said:
The answer to that would depend on what your internet pipe is then....running the servers on public IP's? If server is multiply homed you can set it up so it's your networks gateway, using routing on the server. But if you have something else like a router from your ISP, well...I'm fumbling in the dark not knowing your networks internet pipe setup. Need the details on that.


Stated once in the first post, once in the network image, and once in my last post...

we

have

NO INTERNET

nor will we be getting internet access.
 
Then simply stated....YOU DON'T NEED A GATEWAY!!!

"No Internet" can also simply mean the users are denied internet access, yet the network itself such as servers have it for antivirus updates, WSUS, etc.
 
Aye, but in the image it clearly depicts no connection to an outside network at all.

Thanks for clearing that up :)
 
The "image" only states "Interweb = No" and "Interet Access Unlikely".

Add to that, most of the "home made" diagrams I see on forums aren't 100% accurate, so I think nothing of not seeing an internet pipe connected.

Add to that, I've setup many networks where some, or a majority, or any combination of the above, end users are not allowed to have internet access. Whether it's controlled through proxy/ISA, or a TCP group with no gateway. So "no internet" can mean several things, depending...

Regardless, in your case of physically not having an internet connection present through any means, you simply don't enter any gateway. A gateway is simply a route for local network traffic to take to access another network. In most cases, it's connecting a local network, to the internet.

///steps out of thread
 
feigned said:
/22 will get you rolling, not /23

Then solve the other problems.

Stupid fat fingers!!!

Anyway, the default gateway is the spot traffic goes when it can't find the resource specified locally. It looks through everything it knows about locally, and if it can't find what it needs there- send the traffic to that address and let it deal with the request.

With a flat network like this, they aren't necessary, you can enter whatever you want in that and it won't affect anything. I'm curious as to why DNS only /usually/ resolves, the theory is that it always resolves properly (theories are grand, aren't they?). If you ping, are you pinging via IP address or name? Do pings via IP always work 100% of the time?

If those aren't working consistently, I'd be pretty surprised if you could get AD working properly. It'd be like building a house on a crappy foundation; it might look good, just don't live in it.
 