  • What Am I Doing Wrong With My AD Network?

    OK,

    EDITED to provide more detail!

    So I have a home network … in essence a server (2003) and some clients (XP Pro) which are configured as an AD domain. On that network I also have several devices, specifically an HP Jet Direct print server with a Laser Printer on it and a broadband router.

    IP's are as follows:

    Router: xxx.01
    Server: xxx.02
    Jet Direct: xxx.33
    DHCP Clients: xxx.65 to xxx.254
    The Server:
    The server (2003) handles DNS and DHCP, DNS was installed when I created the domain controller (DCPROMO) and configured afterwards to forward to the OpenDNS servers on the internet (it's a small network so I haven't configured any reverse lookups), the server's own DNS is configured to point to itself. DHCP supplies IP, gateway & DNS settings to all clients and the server acts as file and print as well as the one and only DC. To my knowledge the server cannot resolve or ping any client on the network

    The Clients:
    Mostly XP Pro (some Linux) get DHCP supplied IP addresses (client IP's range from xxx.254) as well as gateway (router, xxx.01) & DNS (server, xxx.02). All clients have home folder connected automatically but I manually configure other shares and printers (I'm sure it could be done via domain policy). All clients can resolve and ping the server, access shares and printers, they can ping the router and have full access to the internet (browse, MSN, mail etc.). I haven't tested them all but to my knowledge no client can resolve or ping any other client on the network



    It came to a head today when I put a new 2008 core server with a static IP (xxx.03) on the network ... it is not part of the domain at present. This server can ping the domain server and the router but it cannot resolve or ping to any other device (it's 2008 core so I haven't tested printing or internet access).

    Does anyone have any idea why clients cannot see each other and the server cannot see its clients? My suspicion is that hardware-wise my configuration is fine but that in some fashion I have not configured my DNS (possibly DHCP) properly.

    Some suggestions from colleagues so far:
    * Check DNS to see if it is registering the various clients
    * Delete DOT root (not sure how or what that does).

    Kyu
    J C Rocks (An Aspiring Author's Journey)
    The Abyssal Void War: Stars, Hide Your Fires

  • #2
    Re: What Am I Doing Wrong With My AD Network?

    First, tell us exactly what the ip addresses on the clients and servers are so that we can tell if they're configured correctly. Second, I believe that by deleting the DOT root zone you have essentially created a caching only DNS server. Can anyone else confirm? Did you say that you configured the DNS server to use OpenDNS as a forwarder?



    • #3
      Re: What Am I Doing Wrong With My AD Network?

      Have you tried to ping to IP address?
      If yes:

      Windows Firewall?
      If it is enabled, the device will not respond to ICMP packets (pings).
      [Powershell]
      Start-DayDream
      Set-Location Malibu Beach
      Get-Drink
      Lay-Back
      Start-Sleep
      ....
      Wake-Up!
      Resume-Service
      Write-Warning
      [/Powershell]

      BLOG: Therealshrimp.blogspot.com



      • #4
        Re: What Am I Doing Wrong With My AD Network?

        Originally posted by Killerbe:
        Windows Firewall?
        If it is enabled, the device will not respond to ICMP packets (pings).
        While you can disable ICMP responses I believe the default is to reply to pings even if Windows Firewall is enabled. Other firewall products may behave in a different manner though.
        Gareth Howells

        BSc (Hons), MBCS, MCP, MCDST, ICCE

        Any advice is given in good faith and without warranty.

        Please give reputation points if somebody has helped you.

        "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

        "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



        • #5
          Re: What Am I Doing Wrong With My AD Network?

          Originally posted by joeqwerty:
          First, tell us exactly what the ip addresses on the clients and servers are so that we can tell if they're configured correctly. Second, I believe that by deleting the DOT root zone you have essentially created a caching only DNS server. Can anyone else confirm? Did you say that you configured the DNS server to use OpenDNS as a forwarder?
          OK ... they are what I said but 192.168.1.x so:

          Netgear Router: 192.168.1.1
          2003 Server: 192.168.1.2
          Jet Direct: 192.168.1.33
          DHCP Clients: 192.168.1.65 to 192.168.1.254
          I have configured my server to forward DNS requests to OpenDNS ... I think that's slightly different from configuring "OpenDNS as a forwarder" isn't it?

          Originally posted by Killerbe:
          Have you tried to ping to IP address?
          If yes:

          Windows Firewall?
          If it is enabled, the device will not respond to ICMP packets (pings).
          Yes and I believe you may be correct because I was just reading up on that

          Kyu


          • #6
            Re: What Am I Doing Wrong With My AD Network?

            I am pretty sure that when the Windows firewall is enabled, it will not respond to ICMP packets (have tested it).


            • #7
              Re: What Am I Doing Wrong With My AD Network?

              Originally posted by Killerbe:
              I am pretty sure that when the Windows firewall is enabled, it will not respond to ICMP packets (have tested it).
              A test on a virtual 2008 core installation confirms that but I will confirm it properly tonight

              EDIT: And it does! Woohoo!

              Kyu
              Last edited by Kyuuketsuki; 28th October 2008, 20:18.


              • #8
                Re: What Am I Doing Wrong With My AD Network?

                You can instruct Windows Firewall to discard ICMP traffic, but I do not believe I have ever seen this as the *default* behaviour.
                Gareth Howells



                • #9
                  Re: What Am I Doing Wrong With My AD Network?

                  Default is to block ICMP.

                  The dot (.) zone should not exist. It's there only if you don't want the DNS server to resolve anything except locally hosted zones.



                  • #10
                    Re: What Am I Doing Wrong With My AD Network?

                    Originally posted by Garen:
                    Default is to block ICMP.

                    The dot (.) zone should not exist. It's there only if you don't want the DNS server to resolve anything except locally hosted zones.
                    But internal clients would be resolved.
                    I missed the point that there is no client-to-IP resolving, which is definitely pointing to a DNS problem.

                    Do these clients have the correct DNS server configured?
                    Must be, as they are able to authenticate towards AD.

                    Did you check on the DNS server whether the client records were automatically registered?


                    • #11
                      Re: What Am I Doing Wrong With My AD Network?

                      I think we should go back to the very start here and see why the Server Core machine cannot see the network.

                      Did your network run fine before you put this new server in???

                      Did you have internet access working prior to this server being installed??

                      How is your DHCP scope configured???

                      How is DNS configured??

                      Can you ping an internet address from your router??

                      Can you plug a machine that is not on your domain directly into the router and see if that can connect properly??



                      • #12
                        Re: What Am I Doing Wrong With My AD Network?

                        Based on the information provided, I'm not sure if this will solve your problem -- but you should definitely create the reverse lookup for your zone and IP address space.

                        You mention client to IP resolution not working ?

                        scrap ping, it's really not going to help you diagnose a DNS problem.

                        create the reverse zone and , for testing purposes delete a dns record for a client, then run the following on the client:

                        ipconfig/release
                        ipconfig/renew
                        ipconfig/registerdns

                        The renew should register the connection in DNS, but I would run the register anyway. (I believe you could restart the DHCP Client service as well.)

                        then from the server or client ( who should be pointing to AD/DNS as its preferred DNS)

                        nslookup clientpc

                        let us know if you get a response -- if you do, DNS is working as it should.



                        • #13
                          Re: What Am I Doing Wrong With My AD Network?

                          Originally posted by Killerbe:
                          Do these clients have the correct DNS server configured?
                          Must be, as they are able to authenticate towards AD.
                          As far as I know yes, here’s an example of my own client …
                          Code:
                          H:\>ipconfig /all
                            Windows IP Configuration
                             
                                    Host Name . . . . . . . . . . . . : myclient-xp
                                    Primary Dns Suffix  . . . . . . . : domain.local
                                    Node Type . . . . . . . . . . . . : Hybrid
                                    IP Routing Enabled. . . . . . . . : No
                                    WINS Proxy Enabled. . . . . . . . : No
                                    DNS Suffix Search List. . . . . . : domain.local
                                                                        domain.local
                             
                            Ethernet adapter Local Area Connection:
                             
                                    Connection-specific DNS Suffix  . : domain.local
                                    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
                                    Physical Address. . . . . . . . . : 00-13-D4-78-7A-C6
                                    Dhcp Enabled. . . . . . . . . . . : Yes
                                    Autoconfiguration Enabled . . . . : Yes
                                    IP Address. . . . . . . . . . . . : 192.168.1.68
                                    Subnet Mask . . . . . . . . . . . : 255.255.255.0
                                    Default Gateway . . . . . . . . . : 192.168.1.1
                                    DHCP Server . . . . . . . . . . . : 192.168.1.2
                                    DNS Servers . . . . . . . . . . . : 192.168.1.2
                                    Primary WINS Server . . . . . . . : 192.168.1.2
                                    Lease Obtained. . . . . . . . . . : 31 October 2008 08:31:15
                                    Lease Expires . . . . . . . . . . : 08 November 2008 08:31:15
                          Originally posted by Killerbe:
                          Did you check the DNS server, if the client records where automatically registered?
                          Each client appears to have a valid DNS record:
                          myclient-xp Host(A) 192.168.1.68

                          Originally posted by wullieb1:
                          I think we should go back to the very start here and see why the Server Core machine cannot see the network.

                          Did your network run fine before you put this new server in???
                          Putting the server in has changed nothing, so yes. It’s just that, given I was using Core 2008 on the new server, I needed to be able to RDP or similar to it and wasn’t able to. I have subsequently found I can ping that server when I disabled the firewall using …

                          Netsh firewall set icmpsetting 8

                          I wasn’t able to RDP to it (not sure why) and have rebuilt the system as full 2008 enterprise and can’t ping it at all even if I enter the above at a command prompt, do core and full operate differently?
                          Originally posted by wullieb1:
                          Did you have internet access working prior to this server being installed??
                          Yes and it still works on the DC and all the normal clients (not sure on the new server but I’m still learning about that)

                          Originally posted by wullieb1:
                          How is your DHCP scope configured???

                          Code:
                          Start IP: 192.168.1.65
                            End IP:  192.168.1.254
                            Lease: 8 day
                            Scope Option 003: Router, 192.168.1.1
                            Scope Option 006: DNS Servers, 192.168.1.2
                            Scope Option 015: DNS Domain Name, domain.local
                            Scope Option 044: WINS/NBNS Servers, 192.168.1.2
                            Scope Option 046: WINS/NBT Node Type, 0x8
                          Originally posted by wullieb1:
                          How is DNS configured??

                          What do you mean how is it configured … how do I get a summary?

                          Originally posted by wullieb1:
                          Can you ping an internet address from your router??
                          It’s just a bog standard Netgear broadband router … I wasn’t aware you can ping another device from it but given that my clients and DC can reach the internet I’d assume that was a given.

                          Originally posted by wullieb1:
                          Can you plug a machine that is not on your domain directly into the router and see if that can connect properly??
                          Again as above … is that necessary?

                          Originally posted by hboogz:
                          Based on the information provided, i'm not sure if this will solve your problem -- but you should definitely create the reverse lookup for your zone and IP address space.
                          How do I do that?

                          Originally posted by hboogz:
                          You mention client to IP resolution not working ?
                          My client is 192.168.1.68 … it can ping the router, the DC and can access mail & internet (Skype, msn etc.) so there is no issue clients accessing most other stuff BUT the server cannot ping my client.

                          Originally posted by hboogz:
                          scrap ping, it's really not going to help you diagnose a DNS problem.
                          I’m not so sure because if I do ping 192.168.1.68 I get no response but if I do ping myclient-xp I still get no response BUT it does tell me the IP is 192.168.1.68.

                          Originally posted by hboogz:
                          create the reverse zone and , for testing purposes delete a dns record for a client, then run the following on the client:

                          ipconfig/release
                          ipconfig/renew
                          ipconfig/registerdns

                          The renew should register the connection in DNS, but i would run the register anyway anyway. ( I believe you could restart the DHCP Client service as well )
                          OK … need to know how though.

                          Originally posted by hboogz:
                          then from the server or client ( who should be pointing to AD/DNS as its preferred DNS)

                          nslookup clientpc

                          let us know if you get a response -- if you do, DNS is working as it should.
                          It gives me the correct address (from either client or server) … to me (even before I do those things you mention) this suggests DNS is fine.

                          Kyu


                          • #14
                            Re: What Am I Doing Wrong With My AD Network?

                            Is your DNS server on the 2008 box??? or is it on .02??

                            Have a look at your DNS settings using the DNS console on the 2003 server.

                            Is your client machine on the same switch as the Server??? What type of switches are they??



                            • #15
                              Re: What Am I Doing Wrong With My AD Network?

                              Originally posted by wullieb1:
                              Is your DNS server on the 2008 box??? or is it on .02??

                              Have a look at your DNS settings using the DNS console on the 2003 server.

                              Is your client machine on the same switch as the Server??? What type of switches are they??
                              No ... it's on the 2003 server (192.168.1.2), at present the 2008 server is just a test box nothing more.

                              Yes they are on the same switch, it's a Netgear GS116 16-Port Gigabit Unmanaged Switch. There is another switch upstairs (a Netgear GS105 5-port Gigabit Ethernet Switch) which I did because my kids each have their own PC and I initially only ran up one network lead so that switch splits the connection.

                              Given that DNS resolution is OK (always appears to resolve to the correct IP) but ping sometimes doesn't work, I'm beginning to wonder if this is an architectural issue (physical or otherwise). Is it possible that in some way my network is configured so that ping requests from the server are sent to the internet? Would that not allow clients to happily access server shares and printers as well as the internet but somehow, when servers or clients try to ping other network resources, cause problems?

                              Kyu
                              Last edited by Kyuuketsuki; 3rd November 2008, 09:52.
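Two things get tangled across this thread: whether the DHCP-supplied settings on the client really point at the DC (posts #10 and #13), and the difference between a name that resolves and a host that answers ping (posts #12, #13 and #15). Both can be checked mechanically. The script below is an added example, not code from the forum, from anyone in the thread, or from Microsoft. It parses the `ipconfig /all` output the OP pasted (reproduced as a constructed, trimmed sample) and checks it against the DHCP scope from post #13; it derives the reverse lookup zone and PTR name that post #12 recommends creating for 192.168.1.0/24; and it separates a DNS failure from an ICMP one. The outside resolver address 203.0.113.53 in the second sample is a documentation-range placeholder, not a real server.

```python
"""Check a Windows client's ipconfig /all output against the AD/DHCP layout
discussed in the thread.  Added example; not the forum's or Microsoft's code."""
import ipaddress
import re

# Constructed sample: the ipconfig /all output the OP pasted, trimmed to the
# lines the checks use (real output keeps the same dotted-leader format).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : myclient-xp
        Primary Dns Suffix  . . . . . . . : domain.local
        DNS Suffix Search List. . . . . . : domain.local
                                            domain.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : domain.local
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.68
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.2
        DNS Servers . . . . . . . . . . . : 192.168.1.2
"""

# Constructed variant: the same client pointed at an outside resolver
# (203.0.113.53 is a documentation-range placeholder, not a real server).
BAD_DNS_IPCONFIG = SAMPLE_IPCONFIG.replace(
    "DNS Servers . . . . . . . . . . . : 192.168.1.2",
    "DNS Servers . . . . . . . . . . . : 203.0.113.53")

# DHCP scope as posted in #13 (option numbers in comments).
SCOPE = {
    "start": "192.168.1.65",
    "end": "192.168.1.254",
    "router": "192.168.1.1",         # option 003
    "dns_servers": ["192.168.1.2"],  # option 006
    "domain": "domain.local",        # option 015
}
DC_ADDRESS = "192.168.1.2"           # the 2003 DC that hosts DNS and DHCP

# "Key . . . . : value" lines; the key may contain spaces and hyphens.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z -]*?)[ .]*: (?P<val>.*)$")


def parse_ipconfig(text):
    """Return {field: [values]}.  A line with no key (a second DNS server or
    search suffix) continues the previous field."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            last = m.group("key").strip()
            fields.setdefault(last, []).append(m.group("val").strip())
        elif last and line.strip() and ":" not in line:
            fields[last].append(line.strip())
    return fields


def check_client(fields, scope=SCOPE, dc=DC_ADDRESS):
    """Return {check: (ok, detail)} for the settings the thread asks about."""
    ip = ipaddress.ip_address(fields["IP Address"][0])
    net = ipaddress.ip_network(f"{ip}/{fields['Subnet Mask'][0]}", strict=False)
    lo, hi = ipaddress.ip_address(scope["start"]), ipaddress.ip_address(scope["end"])
    gw, dns = fields["Default Gateway"][0], fields["DNS Servers"]
    suffix = fields["Connection-specific DNS Suffix"][0]
    return {
        "ip inside dhcp scope": (lo <= ip <= hi, str(ip)),
        "gateway is the router": (gw == scope["router"], gw),
        # Domain members must use the AD DNS server only; an outside resolver
        # breaks domain name lookups and dynamic registration.
        "dns is the dc only": (dns == [dc], ",".join(dns)),
        # Same subnet means server<->client ping is switched, never routed, so
        # the router cannot be "sending pings to the internet" (post #15).
        "dc on same subnet": (ipaddress.ip_address(dc) in net, str(net)),
        "dhcp domain matches suffix": (suffix == scope["domain"], suffix),
    }


def reverse_zone(network):
    """Reverse lookup zone name for an octet-aligned network, e.g.
    192.168.1.0/24 -> 1.168.192.in-addr.arpa (the zone post #12 asks for)."""
    net = ipaddress.ip_network(network)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_name(ip):
    """PTR record name for one host inside that zone."""
    return ipaddress.ip_address(ip).reverse_pointer


def diagnose(name_resolves, ping_replies):
    """Separate the two failures the thread conflates: a name that does not
    resolve is a DNS problem; a name that resolves but gets no echo reply is
    the host dropping ICMP (Windows Firewall), which no DNS change will fix."""
    if not name_resolves:
        return "dns"
    if not ping_replies:
        return "icmp-blocked"
    return "ok"


if __name__ == "__main__":
    for label, text in (("good client", SAMPLE_IPCONFIG), ("bad dns", BAD_DNS_IPCONFIG)):
        print(label)
        for check, (ok, detail) in check_client(parse_ipconfig(text)).items():
            print(f"  {'PASS' if ok else 'FAIL'}  {check}: {detail}")
    print(reverse_zone("192.168.1.0/24"), ptr_name("192.168.1.68"))
    print(diagnose(name_resolves=True, ping_replies=False))  # the OP's symptom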