
96 Replies

  • This would make a good how to. 

  • Second that - good information - thanks!

  • Awesome write up. Thanks for sharing.

  • I sure could have used this 2 weeks ago. DNS was intermittently failing. Turns out the primary DNS on the DHCP server was pointed to a non-existent server. Great write up.

  • Thanks very much, brilliant writeup.

  • Excellent!! Thanks for sharing.

  • Great article!

  • Great Article

    I'll keep this in my laptop bag!

  • Very nice write up!  Thanks for sharing.

  • Very nice, would definitely make a good How To.

  • Great job! Thanks for sharing the insight.

  • BGarland wrote:

    This would make a good how to. 

    More than anything that's the purpose.

    Thank you very much for your input.

  • Thank you everybody for your positive input! DNS is a topic that is just getting more complex, especially in the short horizon when at some point IPv4 and IPv6 will need to be supported at the same time to make a transparent transition possible.

    I hope a lot more users find this article useful; I am planning to submit a second part on it.

  • Excellent topic for sharing, well done! The Reviewing Your Work section is critical; I don't know how many times I see this missed during implementation. The only thing I might add is a quick section on Aging and Scavenging of Stale Records, since you go through the DNS and DHCP setup.

    Thanks for sharing!

  • Thank you. This is a great how to to have at hand.

  • I've been setting up Windows servers since NT 3.1 and I learned something today.

    I swear, it doesn't matter how much I know about DNS, there is always something new.

  • SeatownTilt wrote:

    Excellent topic for sharing, well done! The Reviewing Your Work section is critical; I don't know how many times I see this missed during implementation. The only thing I might add is a quick section on Aging and Scavenging of Stale Records, since you go through the DNS and DHCP setup.

    Thanks for sharing!

    Thank you for your input. I agree, the DHCP configuration is very important; hopefully I will be able to get deeper into it in future articles.

  • SpicyWeiner wrote:

    Thank you. This is a great how to to have at hand.

    Glad you find it useful, SW!

    Thank you!

  • Very good explanation.

    I set up network services in a domain in the same way, with a couple of differences:

    • I install DNS during the dcpromo stage
    • I set up the forwarders in the DNS servers (very important)
    • I set up just one DHCP during initial setup, but after a couple of days I add redundancy by using the 50-50 or 70-30 rule (if you have two DCs with AD and DNS, why not have two DHCP servers?)

    One thing to share is that when you set up AD with the explained steps, GPOs work like a charm.

    BTW: I never set up a DC using different steps; this is just how a domain and basic network services need to be implemented according to all MCSA, MCSE, MCTS and MCITP training and MS books.

  • ScottInFlorida wrote:

    I've been setting up Windows servers since NT 3.1 and I learned something today.

    I swear, it doesn't matter how much I know about DNS, there is always something new.

    One thing I learned very well back in school was to recognize that when you deal with computer science, we are only scratching the surface, and that we really never know enough. Just remember the philosophical words "I just know that I know nothing".

  • Excellent information. Thank you for the write up.

  • Alexis3617 wrote:

    Very good explanation.

    I set up network services in a domain in the same way, with a couple of differences:

    • I install DNS during the dcpromo stage
    • I set up the forwarders in the DNS servers (very important)
    • I set up just one DHCP during initial setup, but after a couple of days I add redundancy by using the 50-50 or 70-30 rule (if you have two DCs with AD and DNS, why not have two DHCP servers?)

    One thing to share is that when you set up AD with the explained steps, GPOs work like a charm.

    BTW: I never set up a DC using different steps; this is just how a domain and basic network services need to be implemented according to all MCSA, MCSE, MCTS and MCITP training and MS books.

    Thank you Alexis! It makes sense: the larger the network, the more resource redundancy.

    At some point I used to put the forwarders in the DNS servers too; now I use the firewall for that, and just to avoid latency in the e-mail servers, I also configure Exchange with forwarders.

  • Thank you for taking the time to write this. And I agree that it would make a good "How-to".

  • Craig Flint wrote:

    Thank you for taking the time to write this. And I agree that it would make a good "How-to".

    Thank you Craig, I just need the "blessing" of a couple of Microsoft DNS gurus hehe.

  • JCAlexandres says: "Thank you Alexis! It makes sense: the larger the network, the more resource redundancy.

    At some point I used to put the forwarders in the DNS servers too; now I use the firewall for that, and just to avoid latency in the e-mail servers, I also configure Exchange with forwarders."

    Do you mean you set up your forwarders in your firewall and set up forwarders in your MS DNS to contact your firewall for external DNS resolution? Why do you do that? Can you elaborate?

  • Superb writeup.  Thanks.

  • Alexis3617 wrote:

    JCAlexandres says: "Thank you Alexis! It makes sense: the larger the network, the more resource redundancy.

    At some point I used to put the forwarders in the DNS servers too; now I use the firewall for that, and just to avoid latency in the e-mail servers, I also configure Exchange with forwarders."

    Do you mean you set up your forwarders in your firewall and set up forwarders in your MS DNS to contact your firewall for external DNS resolution? Why do you do that? Can you elaborate?

    If we are still talking about LANs, a lot of people put external DNS server information in the local DNS server properties (Forwarders tab), which is not a good practice and is unnecessary, because there will normally be a routing statement telling your network computers that everything that is not LAN traffic goes to the default gateway (firewall); that's why it makes perfect sense to put the information of external DNS servers there, and the local DNS servers only deal with local traffic. In my practice, only the e-mail servers, which are hosted within the network using private IP addressing and tunneled DNS and e-mail related protocols, have a reference to external DNS servers configured within the SMTP delivery control.

  • Thanks for the clarification, very good idea.  Great article btw.

  • You are welcome pcguy514, any time!

  • That's very helpful and detailed. Thank you for sharing all that.

  • So here is a question, and feel free to point me elsewhere if I'm in the wrong place, but... what if we have multiple DCs, but both at a site tend to have DNS issues (specifically, it says you don't have permission and won't let you add an entry, or be updated from elsewhere) until rebooted?

  • Never have I been so confused.

  • wraptur wrote:

    So here is a question, and feel free to point me elsewhere if I'm in the wrong place, but... what if we have multiple DCs, but both at a site tend to have DNS issues (specifically, it says you don't have permission and won't let you add an entry, or be updated from elsewhere) until rebooted?

    Obviously you need to do some troubleshooting. What OS and version are you running?

    Microsoft normally distributes excellent tools to troubleshoot and repair installations, but you can also download.

  • smartguy90 wrote:

    Never have I been so confused.

    In what aspect, bud? Is there anything we can help with?

    You are welcome to post any questions, please feel free to do so.

  • Thanks for the info...

    Actually I have the same problem, but it is slightly different from yours.

    When users try to open any site, on the first attempt the browser shows a "Server not found" page; after clicking 5-6 times on the "Try Again" button, the page loads.

    This is the problem with me.

    I have one DC and a SonicWall NSA240 firewall. I already checked the DNS settings and they look fine on both the server and firewall end.

    Can you help me out with this issue?

  • Great write up.

  • Excellent info!

  • I, like another respondent here, install the (empty) DNS Server role on the future DCs and avoid touching the HOSTS file. I believe that it is a better practice not to involve a HOSTS file, which is a manual function which we may forget about later if we want to make a change.

    I also used to use the DNS servers of the relevant ISP (or a well-known local ISP) as forwarders on the DC, but now rely on what are known as root hints.

    My experience shows that the empty DNS gets populated automatically and correctly using DCPROMO, including the reverse lookup zone, and, apart from network equipment, which one tends to give static IPs and which therefore has to be manually added to DNS, dynamic DNS on modern workstations registers them correctly. That is, if you configure it so in DHCP (non-default).

  • Fantastic write-up and a great case study in finding your way in a broken network you have not set up or used before yourself.

    Thanks for sharing!

  • hardik wrote:

    Thanks for the info...

    Actually I have the same problem, but it is slightly different from yours.

    When users try to open any site, on the first attempt the browser shows a "Server not found" page; after clicking 5-6 times on the "Try Again" button, the page loads.

    This is the problem with me.

    I have one DC and a SonicWall NSA240 firewall. I already checked the DNS settings and they look fine on both the server and firewall end.

    Can you help me out with this issue?

    I have seen situations like this, very likely related to a device failure or misconfiguration.

    When network latency is very high, I always tap into a connection right after the ISP router, configuring a laptop with a public IP, and start testing from there. 7 out of 10 times I find a circuit flapping, so the ISP will get involved. If my test from there is satisfactory, then I tap into the firewall and test from there; I have found errors in the firewall interfaces which can cause issues like that, sometimes as easy as replacing a cable or changing the port on the switch where the firewall is connected, or, more drastic, if you have a modular device, replacing the interface in the firewall or the firewall itself.

    Now, if your test from the firewall is satisfactory, then you need to troubleshoot what is in between the computers and the firewall. Check first if you have high latency testing from a computer in your network to an Internet host, pretty much ping <ip address> -t. Let it run for a minute or so; if you get too many drops or high latency and that happens from any computer in your network, very likely a network switch, a port on the switch, or even a cable is causing the problem.

    On another case, I discovered the location had an anti-spam and Internet content device behind the firewall, and this device was causing very high latency; eventually the users would get Page Not Found errors too.

  • stevteig wrote:

    I, like another respondent here, install the (empty) DNS Server role on the future DCs and avoid touching the HOSTS file. I believe that it is a better practice not to involve a HOSTS file, which is a manual function which we may forget about later if we want to make a change.

    I also used to use the DNS servers of the relevant ISP (or a well-known local ISP) as forwarders on the DC, but now rely on what are known as root hints.

    My experience shows that the empty DNS gets populated automatically and correctly using DCPROMO, including the reverse lookup zone, and, apart from network equipment, which one tends to give static IPs and which therefore has to be manually added to DNS, dynamic DNS on modern workstations registers them correctly. That is, if you configure it so in DHCP (non-default).

    The step about touching the hosts file is to make the machine a domain controller, especially if the domain is going to be set up locally and with no reference from public DNS to the domain you are setting up; otherwise setting up the domain will fail unless you have set up the DNS for it on the DNS servers the machine will query, which in most cases means configuring the firewall for tunneling DNS.

    Agree, keep the hosts file as clean as possible!

  • Awesome Job

  • JCAlexandres - Thanks for the great write up - you have been an active part of this community for a long time and always provide help to other community members!

  • Thank you for your post. I would appreciate it if you can assist me with this issue. I have a Cisco ASA 5505 router. Port Eth0/0 is the outside interface (on VLAN2); port Eth0/1 is the inside interface connected to my SBS 2008 server; I have wireless APs and a 16-port D-Link switch connected to ports Eth0/2-6; port Eth0/7 is a PoE port, so I use it for the site-to-site VPN and an Avaya IP phone is connected to it. The ASA 5505 router is handling DHCP on the network, and I use one of the DNS addresses provided by the ISP as the primary DNS server and the SBS static IP address as the secondary DNS server. Everything worked fine for some months, when suddenly some of the ports on the ASA router stopped connecting to the Internet. The ports are working, because when I log in to the router and do show running-config, all the interfaces and line protocols are up! Physically too, the lights are blinking when a cable is plugged in. But when I connect a computer directly to the router, it won't connect to the Internet. When I click the troubleshooter, I get this error report: "Windows can't communicate with the device or resources (primary DNS server)".

  • If the interface of the firewall is physically connected to the SMB server, be sure you have matching speed in the firewall and in the server's network interfaces.

    Another thing I have found to cause problems like this is the cable in use between the firewall and the computer, as you said you have Eth0/1 connected directly to the server. ASA models normally detect automatically if a crossover or straight cable is connected to the interfaces, but again, eventually I have resolved intermittent problems changing the cable from straight to crossover.

    Check that your ASA device has the latest IOS. I had a similar issue involving an ASA5510 and an ASA5505 which had been working with a point-to-point VPN for a long time; one day, all of a sudden, the 5505 would not connect at all. The issue got resolved by upgrading the IOS to the latest version, including a required RAM upgrade.

    At the ASA, do a sho int for your Eth0/0 and Eth0/1 and look for errors; mainly input and CRC errors can cause problems like the one you are reporting.

  • Bob Beatty wrote:

    JCAlexandres - Thanks for the great write up - you have been an active part of this community for a long time and always provide help to other community members!

    Thank you Bob! I appreciate your input.

  • Great job sir.

  • JCAlexandres wrote:

    Alexis3617 wrote:

    JCAlexandres says: "Thank you Alexis! It makes sense: the larger the network, the more resource redundancy.

    At some point I used to put the forwarders in the DNS servers too; now I use the firewall for that, and just to avoid latency in the e-mail servers, I also configure Exchange with forwarders."

    Do you mean you set up your forwarders in your firewall and set up forwarders in your MS DNS to contact your firewall for external DNS resolution? Why do you do that? Can you elaborate?

    If we are still talking about LANs, a lot of people put external DNS server information in the local DNS server properties (Forwarders tab), which is not a good practice and is unnecessary, because there will normally be a routing statement telling your network computers that everything that is not LAN traffic goes to the default gateway (firewall); that's why it makes perfect sense to put the information of external DNS servers there, and the local DNS servers only deal with local traffic. In my practice, only the e-mail servers, which are hosted within the network using private IP addressing and tunneled DNS and e-mail related protocols, have a reference to external DNS servers configured within the SMTP delivery control.

    Not to be disrespectful or anything, but I disagree with this statement. Correct me if I am wrong, but all your client machines (in order to find things on your network and for AD to work properly) will be pointing to your internal DNS servers, so they will be handling both internal and external lookups no matter whether you set DNS servers on your firewall or not. You want this so caching and all that (i.e. one client goes to microsoft.com, your DNS servers cache it, and then they do not have to look it up again until the TTL expires on the record) works. It has always been my understanding that setting up forwarders on your DNS server is best practice so that your DNS server is not looking to the root hints for DNS queries. In other words, if you wanted your DNS server to use your firewall to do iterative queries, you should be setting the DNS servers on your firewall, then setting your forwarder up to be your firewall's IP address. If you have no forwarder set up and you have the "Use root hints if no forwarders are available" check box checked, your DNS server is going to the root hints every time it needs to do an iterative query (not your firewall) instead of using your ISP's or Google's DNS server, for example.

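    The disagreement in the two posts above comes down to two checkable facts: what the Windows DNS server does with names it is not authoritative for (forwarders, root hints, or both), and whether the clients send every query to the internal servers. As an added example that is not from the thread or any of its posters, this PowerShell audit (run on the DC with the DnsServer and DnsClient modules) reports where a server deviates from whichever of the two designs you chose; the addresses, the expected forwarder list and the test name are placeholders.

```powershell
#Requires -Modules DnsServer, DnsClient
# Added audit script, not from the thread: checks a Windows DNS server (run it
# on the DC) against the resolver design discussed above. Every address below
# is a placeholder; replace it with your own.
param(
    # Internal DNS servers (your DCs); domain-joined clients must point here.
    [string[]]$InternalDns = @('10.0.0.10', '10.0.0.11'),
    # Forwarders you intend: the firewall's DNS proxy, your ISP, or @() if you
    # deliberately rely on root hints instead (the design one poster uses).
    [string[]]$ExpectedForwarders = @('10.0.0.1'),
    # A public name used to prove external resolution works end to end.
    [string]$ExternalTestName = 'www.example.com'
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. What the server does with names it is not authoritative for.
$fwd     = Get-DnsServerForwarder
$actual  = @($fwd.IPAddress | ForEach-Object { $_.ToString() })
$missing = @($ExpectedForwarders | Where-Object { $_ -notin $actual })
$extra   = @($actual | Where-Object { $_ -notin $ExpectedForwarders })
if ($missing) { $findings.Add("Forwarders missing: $($missing -join ', ')") }
if ($extra)   { $findings.Add("Unexpected forwarders: $($extra -join ', ')") }

# With no forwarders and root-hint fallback disabled the server cannot resolve
# anything outside its own zones. With forwarders present, UseRootHint only
# matters as the fallback taken when every forwarder fails to answer.
$rootHints = @(Get-DnsServerRootHint).Count
if ($actual.Count -eq 0 -and -not $fwd.UseRootHint) {
    $findings.Add('No forwarders and root-hint fallback disabled: external lookups will fail')
}
if ($actual.Count -eq 0 -and $rootHints -eq 0) {
    $findings.Add('No forwarders and no root hints loaded')
}

# 2. Clients (here: the interfaces of this host) must query the internal
#    servers, or AD lookups break and the caching described above never happens.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $bad = @($_.ServerAddresses | Where-Object { $_ -notin $InternalDns })
        if ($bad) {
            $findings.Add("$($_.InterfaceAlias) uses non-internal DNS: $($bad -join ', ')")
        }
    }

# 3. End-to-end proof: ask the first internal server for an external name,
#    bypassing the local client cache so the server's own path is exercised.
try {
    $null = Resolve-DnsName -Name $ExternalTestName -Type A -DnsOnly `
                -Server $InternalDns[0] -ErrorAction Stop
} catch {
    $findings.Add("$($InternalDns[0]) could not resolve $($ExternalTestName): $($_.Exception.Message)")
}

if ($findings.Count -eq 0) {
    "OK: forwarders=[$($actual -join ', ')] UseRootHint=$($fwd.UseRootHint) rootHints=$rootHints"
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

    Run it with `-ExpectedForwarders @()` when the intended design is root hints only, so that a forwarder someone added by hand shows up as a finding rather than passing silently.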
  • I agree with your input, and I really appreciate your involvement. DNS servers were made exactly for responding to DNS queries, and all works fine if implemented that way ... on a bright sunny day. Virus and malware makers have learned to exploit the transportability of this protocol very well, and you are probably familiar with poisoned DNS. In my case, yes, I have implemented domain names for the domains inside my WAN at the corporate firewall, and I also let the firewall deal with any traffic that goes to and back from the Internet; I consider this a lot more secure.

  • Great article. Always enjoy reading up on how others are handling similar environments. The one thing I would probably add to your list of steps is right after step 4 for your first AD/DC:

    5. Launch Server Manager, go to the "Active Directory Domain Services" node, then scroll down in the right window pane and launch the "Best Practices Analyzer". There is a button for "Scan This Role".

    This will definitely pick up any errors for that particular role. I would run that on each DC you set up.