AD connection errors
  • AD connection errors

    Hi all,

    I am the new IT Manager of a school/non-profit. I've been in IT overall for over 10 years, but have always been more on the management side than the technical, so my AD skills are mediocre. But there is no staff here (perhaps in a year or so) and as such, I am it.

    Now, my predecessors here were always contractors so the truth is that there are a lot of messes for me to clean up. But one thing I realized very quickly is that virtually all the users here are logging in locally to their PCs. There is an AD domain in place, though...

    The domain name is "lfdcs.lan". Note the ".".

    Now the first thing I did when I got in here was buy a laptop for my own use. And of course, the first thing I did was join it to the domain. That was successful.

    Now a few items, and I'll start slow for my own benefit...

    If you look at the attachment, you will see the errors I get on my laptop every time I log into it. I am logging in to the domain (not the laptop itself) with my username and password. I created that username and password my first day here and added myself to Domain Admins and Enterprise Admins.
    1. My AD username is "cbartlett". After joining to the domain, I logged into the laptop itself as a local administrator and went into User Management to add myself ("lfdcs.lan\cbartlett") as a local admin on the laptop. I can't. The domain does not show up as a location.
    2. To get around this, I went to AD Users & Computers on the DC, found my laptop name, and added myself from there.
    3. Not all PCs are joined to the domain. Actually, very, very few are. But all the others that are have the same problem as my laptop.
    4. All joined machines, including my laptop, say "lfdcslan", not "lfdcs.lan", when trying to log on to the machine after the CTRL+ALT+DEL screen. What does this mean? Why is there a discrepancy with the "."?
    5. If I type in \\domaincontrollername\c$ into the Run box on my laptop, I can get to it with my AD credentials. So I am resolving DNS...


    Obviously, with almost everyone here logging into their own PCs (all with local usernames equivalent to their AD usernames), there is no effective management of rights, etc... I've spoken to former associates who think it may be better for me to build a replacement DC and test that. Then when ready, join everyone to the new DC. What do you guys think?

    Thanks!

    Chris

    PS. The DC is running Windows Server 2003 Standard Edition
    Last edited by WorldBuilder; 15th August 2008, 19:03. Reason: Added Info

  • #2
    Re: AD connection errors

    Do you know how many other DCs there are?

    I would get DCDiag and Netdiag from the support tools (link in sticky in Misc Forum), run them, and post the output here.
    (Once installed, try "dcdiag /v > c:\dcdiag.txt", which should create a txt file for you, for example.)

    The cert prompt can be fixed later.
    Can you make sure your primary DNS is the IP address of the server? Although, for you to have added the machine, I imagine it already is.

    If you are a domain admin, then this group gets added to the local administrators group on machines that are added to the domain anyway, so you shouldn't need to add yourself again.

    The reason for the difference in names between, in your situation, lfdcs.lan and lfdcslan is that the name you see when you log on is the NetBIOS domain name. When you set up AD you can have joebloggs in that box but domain.local for the rest. They clearly just set up the NetBIOS name as lfdcslan, so it isn't an issue.
    cheers
    Andy

    Quis custodiet ipsos custodes?


    • #3
      Re: AD connection errors

      Originally posted by AndyJG247
      Do you know how many other DCs there are?
      There is only this one. But I think it's also important to mention that it is also acting as a file server and application server. It is also a home built server. I will be dealing with those issues in the coming months. This server should NOT be doing as much as it is...

      Originally posted by AndyJG247
      I would get DCDiag and Netdiag from the support tools (link in sticky in Misc Forum) and run them - posting the output here
      (Once installed try "dcdiag /v > c:\dcdiag.txt" which should create a txt file for you for example).
      I will check this out, thanks! Gonna have to be Monday, though... Almost out of here for the day...

      Originally posted by AndyJG247
      The cert prompt can be fixed later.
      Can you make sure your primary DNS is the IP address of the server although for you to add the machine I imagine it already is.
      Cert prompt? What do you mean? Regarding the DNS, the DNS server is actually an eSoft InstaGate firewall box they have. It is NOT this DC. The InstaGate is also our DHCP server.

      Originally posted by AndyJG247
      If you are a domain admin then this group gets added to the local administrators group on machines that are added to the domain anyway so you shouldn't need to add yourself again.
      True, and I did see it get added on my laptop as soon as I joined, but since then the name "lfdcs\Domain Admins" is actually not resolving. It's showing that silly "S-1-5-21-etc, etc, etc" name.

      Originally posted by AndyJG247
      The reason for the differences in names between, in your situation, lfdcs.lan and lfdcslan is that the name you see when you log on is the netbios domain name. When you setup AD you can have joebloggs in that box but domain.local for the rest. They clearly just setup the netbios name as lfdcslan so it isn't an issue.
      OK, great.

      Thanks for the info so far!

      Chris



      • #4
        Re: AD connection errors

        Cert prompt was your first picture in the word doc.

        dcdiag and netdiag will give us a good idea of the server health so looking forward to seeing them!
        cheers
        Andy

        Quis custodiet ipsos custodes?


        • #5
          Re: AD connection errors

          Originally posted by AndyJG247
          Cert prompt was your first picture in the word doc.

          dcdiag and netdiag will give us a good idea of the server health so looking forward to seeing them!
          Hello again! Attached, please find the TXT file outputs for both NETDIAG and DCDIAG. I appreciate all your help with this. I very much want to get this network under control, although I know it will most likely take a lot of small steps over a lot of time.

          Many thanks!

          Chris



          • #6
            Re: AD connection errors

            No problem.

            Did you change the IP addresses for DNS? The error below implies your server has 4.2.2.1 and 4.2.2.0 set up as DNS servers. As you only have 1 server set up, then even if you did, there is something else wrong. With a single server the primary DNS should be the server's IP address. It will probably have problems when it boots, because AD tries to query DNS to start and the DNS service isn't running; therefore it would be best to change the DNS IP address and then restart netlogon to start with. Your client machines should also have their primary DNS set as the server's IP address.



            [WARNING] The DNS entries for this DC are not registered correctly on DNS server '4.2.2.1'. Please wait for 30 minutes for DNS server replication.
            [WARNING] The DNS entries for this DC cannot be verified right now on DNS server 4.2.2.0, ERROR_TIMEOUT.
            [FATAL] No DNS servers have the DNS records for this DC registered.
            cheers
            Andy

            Quis custodiet ipsos custodes?


            • #7
              Re: AD connection errors

              Hello Andy,

              I can't thank you enough.

              Yes, listed in the Network Properties of the connection, the DNS servers are set statically to 4.2.2.1 for the primary and 4.2.2.0 for the alternate. Some thoughts and questions...

              As stated, I did not build this domain. And DNS and AD are definitely not my strongest suits, but I will absolutely do my homework and respectfully continue asking your assistance. So here's the setup I have, and this may shed some light.

              On the DC, as I stated above, the DNS is what it is. I don't know why because as you can see from the attached tracert of 4.2.2.1, that is some PRI router in New York somewhere... I can't think of why my DNS would point there...

              However, on all the clients, the DNS (which is gotten through DHCP) is set to 192.168.1.1.

              Now, the DC's IP address is 192.168.1.3.

              The default gateway is 192.168.1.1. The default gateway is an eSoft InstaGate EX2 firewall/router device, which I know only a little about.

              So...

              Should I change the DNS properties of the server (DC) to itself (192.168.1.3) or the EX2 (192.168.1.1)?

              And by setting up local DNS, I assume this only resolves internal information and in no way affects the WAN connection?

              Could changing this cause any problems?

              I hope my questions make sense! This is all a bit too technical even for me, so I want to understand implications and technicalities before progressing.

              Thanks so much!

              Chris



              • #8
                Re: AD connection errors

                vnsc-pri.sys.gtei.net looks like a public DNS server to me.
                Personally I would change the server's primary DNS to 192.168.1.3.
                Leave the gateway as 192.168.1.1.
                Make sure the clients all look to 192.168.1.3 as well.
                The server's DNS has an option called forwarders that you can set to 192.168.1.1 (i.e. they try the local server first and then forward out to your router to resolve).

                It may be a good idea to get a professional in to check this all out, though, as you may find there are more problems than can be fixed.

                There is a bit on DNS here too:
                http://www.petri.com/install_and_con...dns_server.htm
                cheers
                Andy

                Quis custodiet ipsos custodes?


                • #9
                  Re: AD connection errors

                  So you're saying I should use the DC as the DHCP server instead of letting the EX2 do it? Or (since there's only about 100 clients), would it be easier to dynamically get IP addresses, but give each individual client manual DNS to 192.168.1.3?

                  Thanks!

                  PS. As much as I would like to, hiring someone to have a look is pretty well out of the question. 'Tis my burden to bear.



                  • #10
                    Re: AD connection errors

                    There is no problem with either being the DHCP but for AD to work the clients and the server both need to use a "supported" DNS server. The EX2 device isn't capable of working to that level so the DNS installed on the DC will have to be used (MS DNS is designed for this anyway!). If you are able, you can change the EX2 DHCP so it gives out 192.168.1.3 as the only DNS server but make sure the server is looking at 192.168.1.3 as primary DNS first, then restart the netlogon. This should make it register its records in DNS first.
                    As an overview, DNS holds records that machines use to find out where services are held. Things like "where is a DC", for example. If they ask the EX2 device where a DC is, it will say "I don't know, let me ask my DNS servers." They will say "I don't know either" and you will have problems like you are experiencing. The "S-121-2123 etc" means the machine cannot resolve the name properly, because the responses it has had from DNS haven't been able to help.
                    Hope that all makes sense!
                    cheers
                    Andy

                    Quis custodiet ipsos custodes?


                    • #11
                      Re: AD connection errors

                      Sure, it makes sense. I understand all the principles of DNS, but the application itself is mildly fuzzy.

                      I will look at the EX2 and changing its DNS settings...

                      Also, one more thing: you keep mentioning "restarting netlogon". I'm afraid I don't know what exactly you mean. Could you elaborate, please?

                      Do you simply mean this?

                      If your computer is a domain controller, you must manually stop and restart NetLogon service. To do this, type the following commands:
                      net stop netlogon
                      net start netlogon
                      Thanks!

                      [edit] I just checked the EX2 and don't see a way to add the DC as a DNS server. The only DNS settings anywhere in it are what you see in the attached screenshot. I will call eSoft tomorrow and see if there is a way for its DHCP to tell clients to point to the DC instead. If not, here's something I remember that you might find interesting...

                      Before I started, the principal of the school asked me to look at her laptop because she could not get it to get on a network away from the school. So I took it and investigated. What I found, and I realize now that it's important, is that although it was set to DHCP, the DNS was statically set to 192.168.1.3: the DC IP address. I thought that was weird at the time, but after removing that setting, it worked everywhere. And I'd be willing to bet that if I looked at other clients at work, they'd all be set to 192.168.1.3... The only problem, like you say, seems to be that the DC itself is pointed elsewhere, to that DNS server in NY.

                      So whether I get the EX2 to point DHCP clients to the DC or I set all the clients to point to the DC manually (more work), the result should be the same, right? Assuming I change the DC's DNS to itself...

                      And finally, should I assume that the DNS on the DC is running OK? What you saw in that TXT file was OK? 'Cause I didn't really know what I was looking at. LOL! I do know that the DNS client service is started and running, but the DNS server service is set to manual and is currently not running. [/edit]
                      Last edited by WorldBuilder; 20th August 2008, 12:56. Reason: Added more info



                      • #12
                        Re: AD connection errors

                        Hello again,

                        OK, since I figured I could always change it back, I edited the DNS on the DC. I changed it from 4.2.2.1 and 4.2.2.0 to itself: 192.168.1.3. I then restarted Netlogon. The internet connection died.

                        Changed it all back and am good to go...

                        Then I retried the same exact thing except I added a secondary DNS server of the EX2's IP address: 192.168.1.1. And it is still all working.

                        I contacted eSoft and the EX2 cannot hand out DNS information other than itself. So until I install DHCP on the DC and kill that function from the EX2, I'm stuck. I'm going to see what this little change does over the next day or so....

                        Fingers crossed,

                        Chris
                        Last edited by WorldBuilder; 20th August 2008, 22:11.



                        • #13
                          Re: AD connection errors

                          Your internet connection is still there; it is just that DNS is only being resolved internally. Can you open your DNS server and see if you have a "." listed as a zone? If so, you need to delete it. Also right-click the server and choose properties. There is a forwarders tab where you need to put in the 4.2.2.1 and 4.2.2.0 addresses. This means the server will use those as forwarders for unknown internal addresses (like google etc).

                          You need to restart netlogon (just like you said) when the server is looking at itself for DNS, but the service needs to be running and on automatic startup.

                          I'm surprised the EX2 cannot be changed, but if that is what they say..

                          It looks like it is best to:
                          1. Start the DNS service on the server and set to auto.
                          2. Set the server to itself for DNS only.
                          3. restart netlogon.
                          4. run dcdiag again.
                          5. set the forwarders in DNS to the 4.x.x.x addresses.
                          6. disable DHCP on the Ex2
                          7. enable DHCP on the server and set it to give out the router and server as DNS.
                          8. get the clients to register with the new server
                          9. assess again.

                          It is obviously difficult working like this but I believe that is the best solution so far.
                          cheers
                          Andy

                          Quis custodiet ipsos custodes?
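As an added check (example code written for this thread, not from any poster or from Microsoft's tools), the audit below encodes Andy's checklist from post #13 and parses dcdiag lines like the ones quoted in post #6; the before/after DC states are constructed from the addresses given in the thread, and the finding codes and `DcDnsState` fields are names chosen here.

```python
"""Audit a single-DC AD DNS setup against the checklist in this thread (added example)."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class DcDnsState:
    dc_ip: str                 # the DC's own address (192.168.1.3 in the thread)
    dns_servers: list          # resolver list on the DC's NIC, primary first
    forwarders: list           # forwarders configured in the DNS Server console
    dns_service_startup: str   # "Automatic" / "Manual" / "Disabled"
    dns_service_running: bool
    zones: list = field(default_factory=list)  # zone names hosted by the DC


def audit_dc_dns(state: DcDnsState) -> list:
    """Return (code, message) findings; an empty list means the DC matches the checklist."""
    findings = []
    if not state.dns_service_running or state.dns_service_startup.lower() != "automatic":
        findings.append(("dns-service", "DNS Server service must be running and set to Automatic"))
    if not state.dns_servers or state.dns_servers[0] != state.dc_ip:
        findings.append(("primary-not-self", "a lone DC must list itself as primary DNS so "
                         "netlogon can register its SRV records"))
    public = [s for s in state.dns_servers if ip_address(s).is_global]
    if public:
        findings.append(("public-resolver-on-nic", f"public resolvers {public} on the NIC "
                         "cannot hold AD records; move them to forwarders"))
    if "." in state.zones:
        findings.append(("root-zone", "a '.' root zone makes the server authoritative for "
                         "everything, so forwarders are never consulted"))
    if not state.forwarders:
        findings.append(("no-forwarders", "without forwarders, external names stop resolving "
                         "once the DC points at itself"))
    return findings


DCDIAG_LINE = re.compile(r"^\s*\[(WARNING|FATAL)\]\s+(.*)$")
DNS_SERVER_REF = re.compile(r"DNS server '?(\d+(?:\.\d+){3})'?")


def parse_dcdiag(text: str) -> list:
    """Return (level, referenced DNS server or None, message) for each dcdiag warning/fatal line."""
    results = []
    for line in text.splitlines():
        m = DCDIAG_LINE.match(line)
        if m:
            ref = DNS_SERVER_REF.search(m.group(2))
            results.append((m.group(1), ref.group(1) if ref else None, m.group(2)))
    return results


# dcdiag excerpt exactly as quoted in post #6 of this thread
SAMPLE_DCDIAG = """
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '4.2.2.1'. Please wait for 30 minutes for DNS server replication.
[WARNING] The DNS entries for this DC cannot be verified right now on DNS server 4.2.2.0, ERROR_TIMEOUT.
[FATAL] No DNS servers have the DNS records for this DC registered.
"""

# Constructed states: the DC as described in the thread, and the target configuration from post #13
BEFORE = DcDnsState("192.168.1.3", ["4.2.2.1", "4.2.2.0"], [], "Manual", False, ["lfdcs.lan"])
AFTER = DcDnsState("192.168.1.3", ["192.168.1.3"], ["4.2.2.1", "4.2.2.0"], "Automatic", True, ["lfdcs.lan"])

if __name__ == "__main__":
    for level, server, msg in parse_dcdiag(SAMPLE_DCDIAG):
        print(f"{level:8} {server or '-':10} {msg[:70]}")
    for name, state in ("before", BEFORE), ("after", AFTER):
        print(name, [code for code, _ in audit_dc_dns(state)])
```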


                          • #14
                            Re: AD connection errors

                            Originally posted by AndyJG247
                            Your internet connection is still there it is just that DNS is only being resolved internally. Can you open your DNS server and see if you have a "." listed as a zone? If so you need to delete it. Also right click the server and choose properties. There is a forwarders tab that you need to put in the 4.2.2.1 and 4.2.2.0 addresses. This means the server will use those as forwarders for unknown internal addresses (like google etc).
                            When I try to manage DNS, I get the error you see in the attachment. I checked services and "DNS Client" is started and set to automatic. "DNS Server" is set to Manual and not started.


                            Originally posted by AndyJG247
                            You need to restart netlogon (just like you said) when the server is looking at itself for DNS but the service needs to be running and on automatic startup
                            So set "DNS Server" service to Automatic then?

                            Originally posted by AndyJG247
                            I'm surprised the EX2 cannot be changed but if that is what they say..

                            It looks like it is best to:
                            1. Start the DNS service on the server and set to auto.
                            2. Set the server to itself for DNS only.
                            3. restart netlogon.
                            4. run dcdiag again.
                            5. set the forwarders in DNS to the 4.x.x.x addresses.
                            6. disable DHCP on the Ex2
                            7. enable DHCP on the server and set it to give out the router and server as DNS.
                            8. get the clients to register with the new server
                            9. assess again.
                            I agree completely and that is the plan. Can I do it now? Nope. School starting this week and if I crash the network all hell breaks loose. Will it be soon? Hopefully. Will it be by year's end? Most likely. Can I set the forwarders once DNS is running right?

                            Originally posted by AndyJG247
                            It is obviously difficult working like this but I believe that is the best solution so far.
                            You have been most fantastic, sir! I couldn't ask for better help and am most appreciative.

                            Chris

                            PS. Current setup is still:
                            • Primary DNS set to itself (192.168.1.3)
                            • Alternate DNS server set to the EX2 (192.168.1.1)
                            • EX2 set to look at our ISP's DNS servers.
                            • DHCP Client service was running (don't know why on a DC!), but I just stopped it.
                            • WINS is not installed. Should I install it?
                            • DHCP is not installed. Will do that when ready...



                            • #15
                              Re: AD connection errors

                              Originally posted by WorldBuilder
                              "DNS Server" is set to Manual and not started.
                              Wait,
                              and this is a DC??? If it's a DC, it cannot exist without a running DNS server.
                              Can you rerun netdiag, dcdiag and run a "net start" all from the command prompt?
                              Last edited by Dumber; 21st August 2008, 13:02.
                              Marcel
                              Technical Consultant
                              Netherlands
                              http://www.phetios.com
                              http://blog.nessus.nl

                              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                              "No matter how secure, there is always the human factor."

                              "Enjoy life today, tomorrow may never come."
                              "If you're going through hell, keep going. ~Winston Churchill"
