Small office setup with windows 2008r2 HELP!
Hi All
I am fairly new to this so please forgive my lack of knowledge and if I have posted this in the wrong place.
Trying to set up a small office server and cannot for the life of me get AD DS, DNS and DHCP set up. I am wondering where I am going wrong as I am going round
in circles with forwarders, IP addresses and so forth.
Here goes.
Network consists of a router connecting ISP, an 8 port switch and three client computers. I need the client computers to be able to access the internet, file share
and use printer. No mail server or web server is required although web server may be a future consideration.
The server has two double port network cards and is running 2008r2. I have been following the best practice tool and cannot seem to get rid of all the errors as I try to configure the DNS and DHCP. I have been using innumerable online sources for a solution. I have tried disabling DHCP on the router and tried various other workarounds.
Should I be using AD DS, DNS and DHCP?
Is it my network set up?
I know I am probably being a bit vague, but I can take this one step at a time; I'm sure I can resolve my issues.
Many thanks in advance for any help with this.
James
June 10th, 2011 5:00pm
Since you are only interested in setting up AD without exposing resources to the internet, your network design should be fairly simple. I would suspect that you should choose a design similar to this sample layout.
Here is an overview that may provide some high level info:
Designing Active Directory for a SOHO Network
http://www.anitkb.com/2010/12/designing-active-directory-for-soho.html
Unless your router allows you to configure DHCP scope settings, I would recommend that you simply disable it. Get the server up and functional. Worry about AD/DNS first. Don't bother installing DNS, just run DCPROMO to get the AD portion set up. You can let the process configure DNS for you. Before you begin, make sure that you disable one of the NICs, and set the other one to a static IP address.
Once you get AD/DNS up and running, you can install DHCP, set the scope options. A basic installation should get you going. You can then go back and tweak your configuration.
Visit: anITKB.com, an IT Knowledge Base.
June 10th, 2011 5:16pm
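The "disable one NIC, give the other a static address, then run DCPROMO" advice above, as an added example that is not from the thread or from anITKB.com. It uses netsh because the PowerShell that ships with Windows Server 2008 R2 has no network configuration cmdlets (those arrived with Server 2012). The adapter names are assumptions; the addresses are the ones James posts later in this thread.

```powershell
# Added example (not from the thread): make a 2008 R2 server single-homed with
# a static address before DCPROMO. Run from an elevated PowerShell prompt.
# Assumed adapter names; list yours with: netsh interface show interface
$activeNic = "Local Area Connection"
$unusedNic = "Local Area Connection 2"
# Address scheme as posted in this thread; substitute your own.
$ip      = "192.168.1.200"
$mask    = "255.255.255.0"
$gateway = "192.168.1.254"

# 1. A DC should be single-homed: administratively disable the spare adapter
#    (not just unplug it) so it can never register a second address in DNS.
netsh interface set interface name="$unusedNic" admin=disabled

# 2. Static IPv4 address and default gateway on the remaining adapter.
netsh interface ipv4 set address name="$activeNic" source=static address=$ip mask=$mask gateway=$gateway

# 3. The DC points at itself for DNS; DCPROMO installs the DNS role here and
#    registers the SRV records in it. register=primary keeps dynamic registration on.
netsh interface ipv4 set dnsservers name="$activeNic" source=static address=$ip register=primary

# 4. Verify: the host name must resolve to exactly one IPv4 address, the static one.
netsh interface ipv4 show config name="$activeNic"
$addrs = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
         Where-Object { $_.AddressFamily -eq 'InterNetwork' }
if (@($addrs).Count -ne 1 -or $addrs[0].IPAddressToString -ne $ip) {
    Write-Warning "Host still resolves to $($addrs -join ', '); fix this before running DCPROMO"
} else {
    Write-Host "Single-homed on $ip; ready for DCPROMO"
}
```

The final check is the one that matters for the Best Practices Analyzer: a DC whose name resolves to more than one address, or to an address on a disabled adapter, is what produces the multi-homing warnings discussed later in the thread.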
Thanks JM,
I'll give this a bash. Do I ignore the best practice analyser errors for now?
Many thanks
J
June 12th, 2011 10:02pm
Sorry, I am not really familiar with that tool. This seems to be a very basic layout. I suspect that that extra NIC could be triggering some of those errors. For the scenario you described, this should be a fairly easy setup.
Visit: anITKB.com, an IT Knowledge Base.
June 12th, 2011 11:41pm
Thanks for you reply.
When running the dcpromo.exe I am getting an error when the wizard tries to run DNS setup. 'This computer has dynamically assigned IP address(es)'.
Even though I have switched off the other NIC and set the enabled adapter with the following.
IP address: 192.168.1.200
Subnet: 255.255.255.0
Default Gateway: 192.168.1.254
Preferred DNS: 192.168.1.200
Alt DNS:
I tried switching off IPv6, but I probably need this enabled I'm guessing.
Any thoughts
Many thanks again
James
June 13th, 2011 6:46pm
James, if you disabled one NIC and assigned a static IP to the other, yes, the reason why you see the message (not really an error because you can proceed) is because the IPv6 is set to dynamic by default as well. No need to disable IPv6, unless you
really want to.
Proceed after encountering that message.
I see that you are referencing the IPs that I used in the sample design above. Please note that those IPs are not required, you can use them or use whatever IP scheme you already have in place.
Visit: anITKB.com, an IT Knowledge Base.
June 13th, 2011 8:52pm
Hello,
as it sounds that the DC is multi-homed, ignore the BPA errors until this is solved. DCs should NEVER use more than one IP address or NIC. Configure the network as described above and see here about multi-homing:
http://support.microsoft.com/kb/157025
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
June 14th, 2011 11:13am
Thanks for your post, but the links don't work.
June 14th, 2011 4:52pm
Thanks,
I thought I would follow the IP scheme in the example you provided as I wanted to start from scratch with a new approach, so no real reason for choosing them.
J
June 14th, 2011 5:47pm
Hi,
I have noticed a few things in my progression with the server set up. What I have in place so far is:
AD DS, DNS, DHCP
I am still getting errors especially with AD.
AD has 30 noncompliant errors
DHCP has 1
DNS has 28
What I have noticed is:
The server is not connected to the internet. Is this ok?
In order for my not as yet connected client computers to connect to the internet they need to use a different DNS IP
217.x.x.x. Does this indicate where I am going wrong?
I have followed the set up carefully, but cannot seem to get this right. I am showing my inexperience here I think, but cannot trace where things are going wrong.
One more thing. After trying this setup several times and uninstalling everything including AD DS, will there be any settings left over from previous attempts that may cause conflicts?
I did find the DHCP scope was defaulting to a previous IP scheme and I had to manually delete it!
Many, many thanks for any help in resolving this for me
James
June 14th, 2011 6:10pm
Hello James...
Comments about your questions...
"The server is not connected to the internet. Is this ok?" Yes, there is no dependency for internet access to set up AD. If you have internet access, that is OK.
"In order for my not as yet connected client computers to connect to the internet they need to use a different DNS IP 217.x.x.x. Does this indicate where I am going wrong?" Yes, your client computers need to be set up with their DNS settings to point to the AD/DNS server as indicated in the design above. You shouldn't have to worry about clients yet.
First order is to get your AD/DNS functional, then DHCP, then clients last.
"I have followed the set up carefully, but cannot seem to get this right. I am showing my inexperience here I think, but cannot trace where things are going wrong."
Is there something wrong? What specifically, outside of the fact that you have 59 errors? I wouldn't worry about the errors until you are done. Once AD settles down and you have your configuration completed, re-check the event logs on the server and/or workstations.
"One more thing. After trying this setup several times and uninstalling everything including AD DS, will there be any settings left over from previous attempts that may
cause conflicts? I did find the DHCP scope was defaulting to a previous IP scheme and I had to manually delete it!" When you uninstall AD that should be sufficient. Lingering items in DNS/DHCP can be manually deleted. No problem.
After everything is uninstalled do you encounter errors on the server OS itself?
Unless you encounter a fatal error where you cannot continue, I would be very concerned about all of the errors and warnings. Depending on the problem, some of these issues disappear once the system settles and the components are in place.
Visit: anITKB.com, an IT Knowledge Base.
June 14th, 2011 9:58pm
Hi again,
I have now got the server to a stage where I thought I could connect my first client PC. I changed the DNS IP on the client machine back to 129.168.1.200, but cannot connect
the machine. 'Domain cannot be reached'. I've had a review of the AD DS errors and there are a lot of them indicating LDAP, KDC problems. The domain controller must advertise...... and so on. I have been trying to resolve the issues, but keep hitting a dead
end. I followed the MS procedures and in one case discovered that the registry key for DnsAvoidRegisterRecords is missing!
This seems a serious one to me.
Any thoughts?
Many thanks again for all you advice and help
James
June 16th, 2011 6:18pm
The IP you posted is incorrect. It should be 192.168.1.200, not 129.168.1.200.
Before you try to join the domain, just verify that DNS is working from the client. On the client open a command prompt, then type ipconfig [hit enter], then type in the DNS name for the domain. If the client can resolve it, you should be good to go, with regard to DNS.
Visit: anITKB.com, an IT Knowledge Base.
June 17th, 2011 1:47am
Yeah sorry that was a typo, the IP is correct. I tried to ping the IP from the client and it timed out. I'll try ipconfig.
Thanks
James
June 17th, 2011 11:08am
Hello James, yes, establishing network connectivity is of first priority. Make sure it's not a simple configuration with the Windows Firewall that's preventing this. To rule out the local firewalls, just disable them at this time. You can always create a policy to manage those settings if needed.
Visit: anITKB.com, an IT Knowledge Base.
June 17th, 2011 4:59pm
Hi JM,
Thanks for your reply. Yes, all firewalls are disabled, local and Windows, and I did the ipconfig procedure. Still no dice!
Many thanks
James
June 17th, 2011 6:04pm
Something is not correct then on the configuration of the server and/or workstation. Have you compared the IP settings? Feel free to post the results of ipconfig /all from each.
Visit: anITKB.com, an IT Knowledge Base.
June 18th, 2011 12:02am
Hi JM
ipconfig as follows (IP address, subnet mask, default gateway, DNS server):
Workstation:
IP address: 192.168.1.10
Subnet: 255.255.255.0
Default Gateway: 192.168.1.254
DNS: 192.168.1.200
Server:
IP address: 192.168.1.200
Subnet: 255.255.255.0
Default Gateway: 192.168.1.254
DNS: 192.168.1.200
Thanks
J
June 20th, 2011 1:00pm
Additional,
I can ping 192.168.1.200 from the workstation, but can't ping 192.168.1.10 from the server if that helps any.
James
June 20th, 2011 5:27pm
Based on the IP information and your last post concerning the fact that you can PING one way.... that indicates that the network connectivity is OK. Are you sure that you don't have the FW still running?
Did you verify that you can also resolve DNS queries from the client using NSLOOKUP?
Visit: anITKB.com, an IT Knowledge Base.
June 20th, 2011 6:31pm
Firewalls are definitely turned off. I'll try the NSLOOKUP, but I have a bad feeling the AD DS is corrupt! Would it be better to take the OS back to the initial default settings? And if so, what is the best way to go about that?
Sorry if I am being a bit thick with this!
James
June 21st, 2011 12:20am
It's really difficult to get AD to become "corrupt"...
If you are just starting off and simply want to start fresh and clean, the best option is to wipe the drive by installing Windows from scratch, then run DCPROMO. On any decent piece of hardware, the whole process should take you about 1-2 hours, especially if you have all of the drivers on hand.
Visit: anITKB.com, an IT Knowledge Base.
June 21st, 2011 3:05am
Hi,
Obviously resetting would be a last resort so I don’t really want to go down that road unless I really have to.
I carried out NSlookup and came up with this:
DNS timed out.
Timeout was 2 seconds
Default server: unknown
Address: ::1
::1 is an IPv6 default, is it not?
IPv6 is a problem concerning DHCP I came across earlier in this epic journey. How do I set proper IPv6 IPs?
Sorry this is kind of a side question.
James
June 21st, 2011 5:19pm
IPv6 is not required for this implementation and is a quite different scheme than IPv4. You can uncheck the IPv6 binding if you wish, or just leave it. It should not be a factor in this implementation.
Did you try to resolve any queries at that NSLOOKUP prompt? An internal query, external query? When you open the DNS admin console on the server, you see your AD zone, correct? You may also want to create a reverse lookup zone, at some point in the future.
Visit: anITKB.com, an IT Knowledge Base.
June 22nd, 2011 1:32am
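The client-side checks suggested in the last few replies (confirm which DNS server the client uses, resolve the domain with nslookup, rule out a host firewall) gathered into one script, as an added example that is not from the thread or from anITKB.com. It runs on a Windows 7 or 2008 R2 client with the PowerShell 2.0 that ships there. The domain name and DC address are the ones that appear in this thread; the port list is the set a domain join needs.

```powershell
# Added example (not from the thread): pre-join checks run on the client.
$domain = "serv.wisewomen.local"   # domain as shown in the dcdiag output in this thread
$dcIp   = "192.168.1.200"          # DC address as posted in this thread

# 1. Which resolver is the client really using? An nslookup default server of
#    ::1 or of the ISP's 217.x.x.x address means it is not pointed at the DC.
$dns = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=true" |
       ForEach-Object { $_.DNSServerSearchOrder }
if ($dns -notcontains $dcIp) {
    Write-Warning "Client DNS servers are [$($dns -join ', ')]; expected $dcIp"
}

# 2. A join needs the DC locator SRV record, not just the domain's A record.
#    Query the DC directly so a wrong client resolver cannot mask the answer.
$srv = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" $dcIp 2>&1
if ($srv -match "svr hostname") {
    Write-Host "SRV record present:"
    $srv | Select-String "svr hostname", "port"
} else {
    Write-Warning "No _ldap._tcp SRV record served by $dcIp; DNS registration on the DC is incomplete"
}

# 3. Kerberos, LDAP, SMB and the RPC endpoint mapper must all be reachable;
#    a host firewall blocking one of them shows up as 'network path not found'.
$ports = @{ 88 = "Kerberos"; 389 = "LDAP"; 445 = "SMB"; 135 = "RPC endpoint mapper" }
foreach ($p in $ports.Keys) {
    $client = New-Object System.Net.Sockets.TcpClient
    $ok = $false
    try {
        $iar = $client.BeginConnect($dcIp, $p, $null, $null)
        $ok  = $iar.AsyncWaitHandle.WaitOne(2000, $false) -and $client.Connected
    } catch { $ok = $false } finally { $client.Close() }
    "{0,5} {1,-20} {2}" -f $p, $ports[$p], $(if ($ok) { "open" } else { "BLOCKED" })
}

# 4. nltest asks the DC locator the same question the join wizard asks.
nltest /dsgetdc:$domain
```

If step 2 fails while step 3 shows every port open, the problem is on the server side (DNS not yet registered after DCPROMO); if step 3 shows a blocked port with step 2 passing, it is a firewall or routing problem between client and DC. That split is what separates "DNS timed out" from "network path not found".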
Hi JM,
I have reinstalled Windows 2008r2 and went through the process from scratch. I am glad to say everything is working much better. I think I had too many messed up settings from previous setups and the NIC card was playing funny. Anyway, I can ping the server from the client and the client from the server. So connectivity seems to be fine. I tried connecting the client via computer name, but it cannot find my server. Is there a better way of connecting the client?
Many thanks
James
June 22nd, 2011 9:51pm
Ok so I am going to assume that you have the server and the client OS up and running as you described. You can ping each machine. good...
Using the network diagram above, you'll want to get Active Directory up and running first. As you are aware, you'll need to run DCPROMO on the server. During the wizard, you'll choose to set up a new forest and create the first domain.
During the process, it will most likely let you know that DNS is not configured. It's OK to let the wizard set up DNS for you. When the process is complete, you'll need to restart the server.
After that happens, if your client's DNS settings are pointing to that server, you should be able to change its workgroup status to domain joined. Just provide admin credentials when joining the computer to the domain.
Visit: anITKB.com, an IT Knowledge Base.
June 23rd, 2011 4:59pm
Ok
Everything is set up and I cannot connect the client to the domain. I can reach the <servername>/ local site (IIS7 is what I am seeing). I have tried the <servername>/Connect method and I get a
Server Error
404 - File or directory not found.
The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.
I'm stumped. Is there anything I could be missing?
Thanks so much once again.
James
June 23rd, 2011 8:17pm
Is this the Small Business Server edition? If so, you may want to continue this thread in that appropriate forum. I do not have much experience with that edition. I am not familiar with the different "connect" options in that version.
The procedure that I know for connecting (joining) a client to the domain is for you to log on the client with admin privileges, go to system properties (right click my computer), Advanced system settings (Win7), then go to the Computer Name tab, click on Change. Then click on the radio button for the domain, provide the FQDN of the domain, hit enter. When prompted, provide a user id and password that has permission to join computers to the domain.
Once you join the domain, that is not going to resolve the error you just provided, but you'll be domain joined. The error above indicates that yes, IIS is installed, but is not properly configured as of yet.
Visit: anITKB.com, an IT Knowledge Base.
June 23rd, 2011 8:43pm
Hi Thanks,
The edition I am using is standard edition. I tried the computer name procedure before and I got as far as the username and password, but it won't accept the password I am trying. I had read about the other way to connect via the browser and was trying that, hence the error message. I will try and make sure the logon for the client has admin privileges and try again. Almost there!! Many thanks again.
James
June 23rd, 2011 11:38pm
No problem. When prompted for credentials, just use this format for the user name: domain\userID, and of course use the correct password.
Visit: anITKB.com, an IT Knowledge Base.
June 23rd, 2011 11:44pm
Hi JM,
I am frustratingly close to connecting PCs to the domain, but keep getting an error, access denied or network path not found! I have done a dcdiag and this is what came back:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = WISESERV
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\WISESERV
Starting test: Connectivity
......................... WISESERV passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\WISESERV
Starting test: Advertising
......................... WISESERV passed test Advertising
Starting test: FrsEvent
......................... WISESERV passed test FrsEvent
Starting test: DFSREvent
......................... WISESERV passed test DFSREvent
Starting test: SysVolCheck
......................... WISESERV passed test SysVolCheck
Starting test: KccEvent
A warning event occurred. EventID: 0x80000B46
Time Generated: 06/24/2011 14:38:14
Event String:
The security of this directory server can be significantly enhanced
by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest)
LDAP binds that do not request signing (integrity verification) and LDAP simple
binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
......................... WISESERV passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... WISESERV passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... WISESERV passed test MachineAccount
Starting test: NCSecDesc
......................... WISESERV passed test NCSecDesc
Starting test: NetLogons
......................... WISESERV passed test NetLogons
Starting test: ObjectsReplicated
......................... WISESERV passed test ObjectsReplicated
Starting test: Replications
......................... WISESERV passed test Replications
Starting test: RidManager
......................... WISESERV passed test RidManager
Starting test: Services
......................... WISESERV passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x000003F6
Time Generated: 06/24/2011 13:49:13
Event String:
Name resolution for the name 168.192.in-addr.arpa timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x000727AA
Time Generated: 06/24/2011 13:49:20
Event String:
The WinRM service failed to create the following SPNs: WSMAN/WISESERV.serv.wisewomen.local; WSMAN/WISESERV.
A warning event occurred. EventID: 0x00000090
Time Generated: 06/24/2011 13:51:41
Event String:
The time service has stopped advertising as a good time source.
A warning event occurred. EventID: 0x80050004
Time Generated: 06/24/2011 13:57:09
Event String:
Broadcom BCM5709C #37: The network link is down. Check to make sure
the network cable is properly connected.
A warning event occurred. EventID: 0x000003F6
Time Generated: 06/24/2011 14:01:16
Event String:
Name resolution for the name serv.wisewomen.local timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x8000001D
Time Generated: 06/24/2011 14:14:31
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
A warning event occurred. EventID: 0x000003F6
Time Generated: 06/24/2011 14:14:41
Event String:
Name resolution for the name _ldap._tcp.dc._msdcs.serv.wisewomen.local timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x00000420
Time Generated: 06/24/2011 14:15:22
Event String:
The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.
A warning event occurred. EventID: 0x00000090
Time Generated: 06/24/2011 14:15:25
Event String:
The time service has stopped advertising as a good time source.
A warning event occurred. EventID: 0x00002724
Time Generated: 06/24/2011 14:15:27
Event String:
This computer has at least one dynamically assigned IPv6 address. For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
An error event occurred. EventID: 0x00000612
Time Generated: 06/24/2011 14:16:15
Event String: Log size is full
A warning event occurred. EventID: 0x000727AA
Time Generated: 06/24/2011 14:18:10
Event String:
The WinRM service failed to create the following SPNs: WSMAN/WISESERV.serv.wisewomen.local; WSMAN/WISESERV.
A warning event occurred. EventID: 0x000003F6
Time Generated: 06/24/2011 14:35:01
Event String:
Name resolution for the name serv.wisewomen.local timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x8000001D
Time Generated: 06/24/2011 14:38:10
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
A warning event occurred. EventID: 0x000003F6
Time Generated: 06/24/2011 14:38:25
Event String:
Name resolution for the name WISESERV.serv.wisewomen.local timed out after none of the configured DNS servers responded.
An error event occurred. EventID: 0xC00038D6
Time Generated: 06/24/2011 14:38:43
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
A warning event occurred. EventID: 0x00002724
Time Generated: 06/24/2011 14:38:47
Event String:
This computer has at least one dynamically assigned IPv6 address. For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
A warning event occurred. EventID: 0x00000090
Time Generated: 06/24/2011 14:39:00
Event String:
The time service has stopped advertising as a good time source.
A warning event occurred. EventID: 0x80040033
Time Generated: 06/24/2011 14:39:27
Event String:
An error was detected on device \Device\Harddisk1\DR1 during a paging operation.
An error event occurred. EventID: 0x00000612
Time Generated: 06/24/2011 14:39:38
Event String: Log size is full
A warning event occurred. EventID: 0x000727AA
Time Generated: 06/24/2011 14:41:33
Event String:
The WinRM service failed to create the following SPNs: WSMAN/WISESERV.serv.wisewomen.local; WSMAN/WISESERV.
......................... WISESERV failed test SystemLog
Starting test: VerifyReferences
......................... WISESERV passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : serv
Starting test: CheckSDRefDom
......................... serv passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... serv passed test CrossRefValidation
Running enterprise tests on : serv.wisewomen.local
Starting test: LocatorCheck
......................... serv.wisewomen.local passed test LocatorCheck
Starting test: Intersite
......................... serv.wisewomen.local passed test Intersite
I see errors here but do not know how to fix. Can you help with this?
James
June 24th, 2011 4:51pm
Honestly, there is nothing that stands out preventing you from joining the computers to the domain. Not sure why you are having such a hard time. When you attempt to join the domain, you should be prompted for credentials. When you provide
the credentials, it will either complete or let you know that the credentials you supplied do not have permissions.
The output you provide really only shows warnings, no critical errors. Each can be fixed at a later time if needed.
To join from an XP computer, right click my computer, properties, Computer Name tab, change button. From Windows 7, right click my computer, properties, Advanced system settings link on the left, then computer name tab.
Visit: anITKB.com, an IT Knowledge Base.
June 24th, 2011 9:16pm
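The reply above is right that none of the dcdiag warnings blocks a domain join, but four of them are worth fixing once the domain is stable, and the thread's own output names the fix for one of them. The following is an added example, not from the thread or from anITKB.com, run elevated on the DC. It covers the unsigned LDAP bind warning (EventID 0x80000B46, decimal 2886), the DHCP dynamic DNS credential warning (0x420, decimal 1056), the missing reverse lookup zone behind the 168.192.in-addr.arpa timeouts (0x3F6, decimal 1014), and the time source warning (0x90, decimal 144). The DHCP credential account, the NetBIOS domain name "serv" (taken from the partition name in the dcdiag output) and the NTP peer are placeholders.

```powershell
# Added example (not from the thread): addressing the warnings in the dcdiag output.
$ntds = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS"

# --- EventID 2886: DC accepts unsigned SASL binds and cleartext simple binds -----
# Step 1: audit before enforcing. Level 2 on '16 LDAP Interface Events' makes the
# DC log event 2889 (client IP, account, bind type) for each unsigned bind, so
# you can see which client would break before you turn them away.
Set-ItemProperty -Path "$ntds\Diagnostics" -Name "16 LDAP Interface Events" -Value 2 -Type DWord
$unsigned = Get-EventLog -LogName "Directory Service" -Newest 500 |
            Where-Object { $_.EventID -eq 2889 }
"{0} unsigned LDAP binds logged since auditing was enabled" -f @($unsigned).Count
$unsigned | ForEach-Object { $_.ReplacementStrings[0..1] -join "  " } | Sort-Object -Unique

# Step 2: when that list stays empty, require signing. Value 2 is the registry
# equivalent of the policy 'Domain controller: LDAP server signing requirements'
# = Require signing; it rejects unsigned SASL binds and simple binds not over TLS.
Set-ItemProperty -Path "$ntds\Parameters" -Name "LDAPServerIntegrity" -Value 2 -Type DWord

# --- EventID 1056: DHCP on a DC with no credentials for dynamic DNS updates -----
# Use an ordinary domain user (no admin rights) so the records DHCP registers on
# behalf of clients are owned by that account rather than by the DC itself.
$dnsUser = "dhcpdns"            # placeholder: create this user first
$dnsPass = Read-Host "Password for $dnsUser"
netsh dhcp server set dnscredentials $dnsUser serv $dnsPass
netsh dhcp server show dnscredentials

# --- EventID 1014: 168.192.in-addr.arpa lookups time out -------------------------
# The DC tries to register a PTR record into a reverse zone that does not exist.
# Create it AD-integrated and allow secure (authenticated) updates only.
dnscmd /ZoneAdd 1.168.192.in-addr.arpa /DsPrimary
dnscmd /Config 1.168.192.in-addr.arpa /AllowUpdate 2
ipconfig /registerdns

# --- EventID 144: time service stopped advertising as a good time source ---------
# The single DC holds the PDC emulator role and should sync from an external NTP
# source; Kerberos rejects tickets when client and DC clocks differ by > 5 minutes.
$ntpPeer = "ntp.example.invalid"    # placeholder: your NTP server
w32tm /config /manualpeerlist:$ntpPeer /syncfromflags:manual /reliable:yes /update
w32tm /resync
w32tm /query /status
```

The order in the LDAP section is deliberate: enforcing signing on a network that still has a device doing simple binds (a printer or NAS doing LDAP lookups is the usual case) locks that device out with no obvious error, so the 2889 audit runs first and enforcement follows only when it reports nothing.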
Ok I'll have to try again on Monday. I have been going through the change name process, selecting domain option and entering the server domain. I know that it is finding the domain as it allows me to enter the credentials in the dialog box that pops up,
but always comes back with access denied or network path not found. It happens on another machine I am trying to connect too. Very frustrating!
Thanks again
James
June 25th, 2011 12:47am
If you are being prompted for credentials, that means that the config on the client is correct and that you are communicating with the DC. If it comes back as access denied, you're not using the correct account that has permissions.
To rule out all possible account problems, you should be able to provide the credentials for a domain admin in the form of domainname\administrator, then the password.
Visit: anITKB.com, an IT Knowledge Base.
June 25th, 2011 1:54am
Hi JM,
I just wanted to get back to you and thank you for all your help. I now have all my clients connected and it's all running smoothly, for now anyway. I had to join my users to an admin group before they would be accepted, which I kinda missed.
I'm looking to be able to connect remotely both via remote desktop and VPN so if you have any tips on that too, that would be great.
Thanks again
James
June 30th, 2011 11:14am
If you want to set up VPN, you'll need to decide on the design. While you can set up Windows to act as a VPN server, I wouldn't recommend that role on a DC. However, that's easy to say when not considering additional costs for another server.
I would recommend a more practical and cost effective solution. If you refer back to the diagram that I posted, I would replace the Consumer Grade Router with another router that supports VPN. Routers that support VPN connections are cost effective, while not complicating your Windows systems.
For allowing RDP into your network, you can RDP through the VPN connection.
Without a VPN connection, you would have to log into your internet router and set up a NAT rule to allow the inbound of RDP packets (TCP port 3389) and send those packets to the system you want to RDP to. All you would need to know is your public IP
address. From the internet, your client would connect to the Public IP. The NAT rule allows the packets to come into your network.
Visit: anITKB.com, an IT Knowledge Base.
June 30th, 2011 5:15pm
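The "RDP through the VPN connection" option above, as an added example that is not from the thread or from anITKB.com: with the VPN terminating on the router, the host firewall on the target machine can accept RDP only from the LAN and the VPN client pool, so no NAT rule for TCP 3389 from the internet is needed. Run elevated on the 2008 R2 server (or a Windows 7 client) you want to reach. The LAN range is the one used in this thread; the VPN pool is a placeholder you take from the router's VPN settings.

```powershell
# Added example (not from the thread): RDP restricted to LAN and VPN addresses,
# with Network Level Authentication and TLS required.
$allowedFrom = "192.168.1.0/24,10.8.0.0/24"   # LAN (from thread) + placeholder VPN pool

# Enable Remote Desktop and require NLA: the client must authenticate before a
# session (and the logon screen) is created. SecurityLayer 2 = TLS rather than
# the legacy RDP security layer.
$ts     = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$rdpTcp = "$ts\WinStations\RDP-Tcp"
Set-ItemProperty -Path $ts     -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord

# Replace the built-in any-address Remote Desktop rule with one scoped to the
# allowed ranges, on the domain and private profiles only.
netsh advfirewall firewall set rule group="remote desktop" new enable=no
netsh advfirewall firewall add rule name="RDP from LAN and VPN only" dir=in action=allow protocol=TCP localport=3389 remoteip=$allowedFrom profile=domain,private

# Verify what the host will actually accept.
netsh advfirewall firewall show rule name="RDP from LAN and VPN only"
Get-ItemProperty $rdpTcp | Select-Object UserAuthentication, SecurityLayer
```

The scoping works because the earlier posts in this thread had the Windows Firewall switched off for troubleshooting; it has to be on again for the rule to mean anything, and the built-in rule is disabled rather than deleted so it can be compared against the new one later.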