
10 Replies

  • 1. Refrain from writing in capitals; it's rude.

    2. Your PC seems to be missing a gateway - this should be your router.

    3. Never mix internal and external DNS, your client should ONLY ever use your DCs as DNS servers.

    4. Your DC's DNS server should be itself (ideally you need 2 DCs; if you have two, they should point to each other first, then 127.0.0.1 as secondary), but you can use a forwarder of 8.8.8.8 if you really must in your DNS server settings. This is the only place an external DNS should exist.

    If this is a brand new domain, you should avoid using domain.local suffix, you should own a registered domain, like company.com and internally your AD should be ad.company.com.

    .local domains have not been best practice or recommended for many years now.

  • On top of the DC's DNS round-robin for the DC's DNS server IP address settings...

    Are your clients using DHCP? The SOP is to use the DCs' IPs as both primary DNS servers, and then the Internet firewall as the gateway address, with a forwarder in DHCP to 8.8.8.8 or 1.1.1.1 (Internet DNS).

  • I just also noticed you have a subnet mask of 255.255.252.0. Are you doing this for one large subnet of just over 1000 devices, or have you mistyped this?

  • Hello,

    1- I have changed the subnet mask from 255.255.252.0 to 255.255.248.0.

    2- I have also put the gateway 10.101.252.254; this is our firewall IP address. We are not using any router.

    Note: now the internet is working on our domain controller, but when I join a client PC to the domain it is unable to join, even though the client PC pings our domain controller.

    Note 2: domain controller and DNS are both on the same server.

    [Attachment: 1.PNG]
  • The attachment below is the client PC's settings.

    [Attachment: Screenshot_2022-0...112000.png]
  • 1. Configure your DHCP server to point to your DC DNS server IP for DNS.

    2. Configure forwarders in your DNS server on the DC to point to an external DNS (8.8.8.8 or 1.1.1.1).

    3. Let your clients obtain an IP from the DHCP server.
  • spicehead-oduzj wrote:

    Hello,

    1- I have changed the subnet mask from 255.255.252.0 to 255.255.248.0.

    2- I have also put the gateway 10.101.252.254; this is our firewall IP address. We are not using any router.

    Note: now the internet is working on our domain controller, but when I join a client PC to the domain it is unable to join, even though the client PC pings our domain controller.

    Note 2: domain controller and DNS are both on the same server.

    You've put external DNS on the server as I advised you not to do.

    Your DC should be itself if it is the only DC, if you have 2 it should be the other DC first, then itself second.

    If you want to use Google DNS for internet you must configure this in the DNS tool.

    Why have you expanded your subnet mask?

  • If I put 10.101.252.11 (the domain controller IP address) in the client's primary domain, it joins the domain successfully.

    [Attachment: 2.png]
  • Correct. For internet access your DC needs to have the DNS server configured to use forwarders, or leave it with root hints and it will work.

    Your DHCP server should be configured to give out the DNS of the DC only.

  • To recap:

    1. All devices on the network should have the same subnet mask. For small networks, this is usually 255.255.255.0, which allows for 254 devices.
    2. On the domain controller(s):
      1. Network interface IPv4 configuration
        1. If you have two or more domain controllers
          1. set a different DC IP as the primary DNS server
          2. Set 127.0.0.1 as the secondary DNS server
          3. DO NOT set any external (ISP or public) DNS servers in the domain controller's network interface
        2. If you have only one domain controller
          1. Set 127.0.0.1 as the primary DNS server
          2. Do not set any additional DNS servers
        3. Set the default gateway to the internal IP address of your edge router (between network and the Internet)
      2. Active Directory DNS service
        1. Set one or more public or ISP DNS servers as forwarders (not "conditional forwarders"). Some reliable public DNS servers are:
          1. 9.9.9.9 (Quad9)
          2. 8.8.8.8 (Google)
          3. 8.8.4.4 (Google)
          4. 1.1.1.1 (Cloudflare)
        2. Alternatively, use root hints by not setting forwarders. In most cases, using public DNS servers will provide faster response due to caching.
      3. DHCP Service (if used)
        1. Configure DNS (option 6) to list ONLY the domain controller(s) IPv4 addresses on the local network.
        2. Configure default gateway (option 3) to the internal IP address of your edge router (between network and the Internet).
        3. If you're using DHCP in your router, you could set these options in the router, but it's highly recommended to disable DHCP in the router and use the DHCP service in a domain controller, instead.
    3. On the client systems:
      1. Network interface IPv4 configuration
        1. If using DHCP (recommended), set "Obtain an IP address automatically" and "Obtain DNS server address automatically"
        2. If not using DHCP, set the DNS servers to the IP address(es) of the domain controller(s).
        3. If not using DHCP, set the default gateway to the internal IP address of your edge router.
        4. DO NOT set any external (ISP or public) DNS servers in the client system's network interface.

    The gist of it is that Active Directory domain client systems, including the domain controller, should query ONLY Active Directory DNS servers** for hostnames and IP addresses, never public or ISP DNS servers, or the router. That's because these external "servers" know nothing about the structure of your Active Directory domain; only the Active Directory DNS server on your domain controller(s) knows this information. If the client queries a public DNS server for "myDCserver.ADdomain.registereddomain.tld", the public DNS server will return NXDOMAIN, a valid response that means "nonexistent domain". Because the client system received a valid response, it will NOT try other name servers, even if those other name servers are valid for the internal domain.

    Even setting an external DNS server as "secondary" is not recommended, due to the manner in which Windows queries DNS servers. At times it will query the secondary first, so all DNS servers listed should be authoritative for the domain.

    Only the DNS service in the domain controller should query external DNS servers, which it will use when a domain is queried for which it is not authoritative.

    (**The following is outside of the scope of this discussion, but is presented here for completeness. There is a way of configuring some enterprise-grade edge routers to forward queries for the local domain to the DC DNS servers, so the edge router could be queried by clients and receive correct responses. It's an advanced method not recommended unless you are well versed in how DNS works. It is sometimes used to increase resiliency in the network. Similarly, in a wide area network with multiple Active Directory domains, DNS servers in other connected networks may be configured with conditional forwarders and thereby queried by clients in disparate domains.)

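  • Pulling the recap above (and the rules in the first reply) into one check, as an added example that is not code from the thread: a PowerShell audit script for the DC that assumes the DnsServer and DhcpServer RSAT modules, the poster's DC IP 10.101.252.11 and firewall gateway 10.101.252.254, and an assumed DHCP scope ID of 10.101.248.0 for the 255.255.248.0 network.

```powershell
# Added example, not code from the thread. Run elevated on the DC with the DnsServer and
# DhcpServer RSAT modules. DC and gateway IPs are the poster's; the scope ID is assumed.
$DcDns      = @('10.101.252.11')        # every DC's IP; only these may be a client's DNS
$Gateway    = '10.101.252.254'          # the poster's firewall, acting as default gateway
$Forwarders = @('9.9.9.9', '1.1.1.1')   # public resolvers belong ONLY here (DNS role)
$ScopeId    = '10.101.248.0'            # assumed DHCP scope for the 255.255.248.0 network
$Allowed    = $DcDns + '127.0.0.1'

# 1. Interface DNS on this DC: flag anything that is not a DC or loopback.
foreach ($n in Get-DnsClientServerAddress -AddressFamily IPv4) {
    $bad = @($n.ServerAddresses | Where-Object { $_ -notin $Allowed })
    if ($bad.Count -eq 0) { continue }
    Write-Warning "$($n.InterfaceAlias): external DNS configured: $($bad -join ', ')"
    if ($DcDns.Count -eq 1) {               # single DC: loopback only
        Set-DnsClientServerAddress -InterfaceAlias $n.InterfaceAlias -ServerAddresses '127.0.0.1'
    }                                       # two DCs: other DC first, then 127.0.0.1
}

# 2. DNS Server role: forwarders are the one place external resolvers go.
$cur = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
if ($cur.Count -eq 0) {
    Set-DnsServerForwarder -IPAddress $Forwarders   # omit this to rely on root hints
}

# 3. DHCP scope: option 6 must list only DC IPs, option 3 the internal gateway.
$opt6 = @((Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 6 `
           -ErrorAction SilentlyContinue).Value)
if ($opt6.Count -eq 0 -or ($opt6 | Where-Object { $_ -notin $DcDns })) {
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $DcDns -Router $Gateway
}

# 4. Why a public resolver can never be a client's DNS: ask each for the DC locator
#    SRV record. The DC answers; the public server returns NXDOMAIN, and a Windows
#    client treats that as final rather than trying the next server in its list.
$srv = "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN"
foreach ($server in @($DcDns[0], $Forwarders[0])) {
    try {
        $r = Resolve-DnsName -Name $srv -Type SRV -Server $server -ErrorAction Stop |
             Where-Object Type -eq 'SRV' | Select-Object -First 1
        "$server -> $($r.NameTarget):$($r.Port)"
    } catch {
        "$server -> $($_.Exception.Message)"   # expected: DNS name does not exist
    }
}
```

    Section 4 is the part worth running on a misbehaving client too (with the client's own DNS list in place of the two servers): a join failure alongside a working ping is exactly what an NXDOMAIN for the `_msdcs` SRV record looks like.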