Small office setup with Windows 2008 R2 HELP!
Hi All, I am fairly new to this, so please forgive my lack of knowledge and if I have posted this in the wrong place. Trying to set up a small office server and cannot for the life of me get AD DS, DNS and DHCP set up. I am wondering where I am going wrong, as I am going round in circles with forwarders, IP addresses and so forth. Here goes.

Network consists of a router connecting to the ISP, an 8 port switch and three client computers. I need the client computers to be able to access the internet, file share and use the printer. No mail server or web server is required, although a web server may be a future consideration. The server has two double port network cards and is running 2008 R2.

I have been following the best practice tool and cannot seem to get rid of all the errors as I try to configure the DNS and DHCP. I have been using innumerable online sources for a solution. I have tried disabling DHCP on the router and tried various other workarounds. Should I be using AD DS, DNS and DHCP? Is it my network setup? I know I am probably being a bit vague, but if I can take this one step at a time I'm sure I can resolve my issues.

Many thanks in advance for any help with this. James
June 10th, 2011 5:00pm

Since you are only interested in setting up AD without exposing resources to the internet, your network design should be fairly simple. I would suspect that you should choose a design similar to this sample layout. Here is an overview that may provide some high level info: Designing Active Directory for a SOHO Network http://www.anitkb.com/2010/12/designing-active-directory-for-soho.html

Unless your router allows you to configure DHCP scope settings, I would recommend that you simply disable it. Get the server up and functional. Worry about AD/DNS first. Don't bother installing DNS, just run DCPROMO to get the AD portion set up. You can let the process configure DNS for you. Before you begin, make sure that you disable one of the NICs, and set the other one to a static IP address. Once you get AD/DNS up and running, you can install DHCP and set the scope options. A basic installation should get you going. You can then go back and tweak your configuration.

Visit: anITKB.com, an IT Knowledge Base.
June 10th, 2011 5:16pm

Thanks JM, I'll give this a bash. Do I ignore the best practice analyser errors for now? Many thanks, J
June 12th, 2011 10:02pm

Sorry, I am not really familiar with that tool. This seems to be a very basic layout. I suspect that the extra NIC could be triggering some of those errors. For the scenario you described, this should be a fairly easy setup.

Visit: anITKB.com, an IT Knowledge Base.
June 12th, 2011 11:41pm

Thanks for your reply. When running dcpromo.exe I am getting an error when the wizard tries to run the DNS setup: 'This computer has dynamically assigned IP address(es)'. Even though I have switched off the other NIC and set the enabled adapter with the following:

IP address: 192.168.1.200
Subnet: 255.255.255.0
Default Gateway: 192.168.1.254
Preferred DNS: 192.168.1.200
Alt DNS:

I tried switching off IPv6, but I probably need this enabled, I'm guessing. Any thoughts? Many thanks again, James
June 13th, 2011 6:46pm

James, if you disabled one NIC and assigned a static IP to the other, yes, the reason why you see the message (not really an error because you can proceed) is because IPv6 is set to dynamic by default as well. No need to disable IPv6, unless you really want to. Proceed after encountering that message. I see that you are referencing the IPs that I used in the sample design above. Please note that those IPs are not required; you can use them or use whatever IP scheme you already have in place.

Visit: anITKB.com, an IT Knowledge Base.
June 13th, 2011 8:52pm

Hello, as it sounds that the DC is multi-homed, ignore the BPA errors until this is solved. DCs should NEVER use more than one IP address or NIC. Configure the network as described above and see here about multi-homing:
http://support.microsoft.com/kb/157025
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

Best regards, Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
June 14th, 2011 11:13am

Thanks for your post, but the links don't work.
June 14th, 2011 4:52pm

Thanks, I thought I would follow the IP scheme in the example you provided as I wanted to start from scratch with a new approach, so no real reason for choosing them. J
June 14th, 2011 5:47pm

Hi, I have noticed a few things in my progression with the server setup. What I have in place so far is: AD DS, DNS, DHCP. I am still getting errors, especially with AD:

AD has 30 noncompliant errors
DHCP has 1
DNS has 28

What I have noticed is: The server is not connected to the internet. Is this ok? In order for my not as yet connected client computers to connect to the internet they need to use a different DNS IP, 217.x.x.x. Does this indicate where I am going wrong? I have followed the setup carefully, but cannot seem to get this right. I am showing my inexperience here I think, but cannot trace where things are going wrong.

One more thing. After trying this setup several times and uninstalling everything including AD DS, will there be any settings left over from previous attempts that may cause conflicts? I did find the DHCP scope was defaulting to a previous IP scheme and I had to manually delete it!

Many, many thanks for any help in resolving this for me. James
June 14th, 2011 6:10pm

Hello James... Comments about your questions...

"The server is not connected to the internet. Is this ok?"
Yes, there is no dependency for internet access to set up AD. If you have internet access, that is OK.

"In order for my not as yet connected client computers to connect to the internet they need to use a different DNS IP 217.x.x.x. Does this indicate where I am going wrong?"
Yes, your client computers need to be set up with their DNS settings to point to the AD/DNS server as indicated in the design above. You shouldn't have to worry about clients yet. First order is to get your AD/DNS functional, then DHCP, then clients last.

"I have followed the set up carefully, but cannot seem to get this right. I am showing my inexperience here I think, but cannot trace where things are going wrong."
Is there something wrong? What specifically, outside of the fact that you have 59 errors? I wouldn't worry about the errors until you are done. Once AD settles down and you have your configuration completed, re-check the event logs on the server and/or workstations.

"One more thing. After trying this setup several times and uninstalling everything including AD DS, will there be any settings left over from previous attempts that may cause conflicts? I did find the DHCP scope was defaulting to a previous IP scheme and I had to manually delete it!"
When you uninstall AD that should be sufficient. Lingering items in DNS/DHCP can be manually deleted. No problem. After everything is uninstalled do you encounter errors on the server OS itself? Unless you encounter a fatal error where you cannot continue, I would be very concerned about all of the errors and warnings. Depending on the problem, some of these issues disappear once the system settles and the components are in place.

Visit: anITKB.com, an IT Knowledge Base.
June 14th, 2011 9:58pm

Hi again, I have now got the server to a stage where I thought I could connect my first client PC. I changed the DNS IP on the client machine back to 129.168.1.200, but cannot connect the machine: 'Domain cannot be reached'. I've had a review of the AD DS errors and there are a lot of them indicating LDAP, KDC problems. "The domain controller must advertise......" and so on. I have been trying to resolve the issues, but keep hitting a dead end. I followed the MS procedures and in one case discovered that the registry key for DnsAvoidRegisterRecords is missing! This seems a serious one to me. Any thoughts? Many thanks again for all your advice and help, James
June 16th, 2011 6:18pm

The IP you posted is incorrect. It should be 192.168.1.200, not 129.168.1.200. Before you try to join the domain, just verify that DNS is working from the client. On the client, open a command prompt, then type ipconfig [hit enter], then type in the DNS name for the domain. If the client can resolve it, you should be good to go with regard to DNS.

Visit: anITKB.com, an IT Knowledge Base.
June 17th, 2011 1:47am

Yeah sorry that was a typo, the IP is correct. I tried to ping the IP from the client and it timed out. I'll try ipconfig. Thanks James
June 17th, 2011 11:08am

Hello James, yes, establishing network connectivity is of first priority. Make sure it's not a simple configuration with the Windows Firewall that's preventing this. To rule out the local firewalls, just disable them at this time. You can always create a policy to manage those settings if needed.

Visit: anITKB.com, an IT Knowledge Base.
June 17th, 2011 4:59pm

Hi JM, Thanks for your reply. Yes, all firewalls are disabled, local and Windows, and I did the ipconfig procedure. Still no dice! Many thanks, James
June 17th, 2011 6:04pm

Something is not correct then in the configuration of the server and/or workstation. Have you compared the IP settings? Feel free to post the results of ipconfig /all from each.

Visit: anITKB.com, an IT Knowledge Base.
June 18th, 2011 12:02am

Hi JM, ipconfig as follows (IP address, subnet mask, default gateway, DNS server):

Workstation: 192.168.1.10 / 255.255.255.0 / 192.168.1.254 / 192.168.1.200
Server: 192.168.1.200 / 255.255.255.0 / 192.168.1.254 / 192.168.1.200

Thanks, J
June 20th, 2011 1:00pm

Additionally, I can ping 192.168.1.200 from the workstation, but can't ping 192.168.1.10 from the server, if that helps any. James
June 20th, 2011 5:27pm

Based on the IP information and your last post concerning the fact that you can PING one way.... that indicates that the network connectivity is OK. Are you sure that you don't have the FW still running? Did you verify that you can also resolve DNS queries from the client using NSLOOKUP?

Visit: anITKB.com, an IT Knowledge Base.
June 20th, 2011 6:31pm

Firewalls are definitely turned off. I'll try the NSLOOKUP, but I have a bad feeling the AD DS is corrupt! Would it be better to take the OS back to the initial default settings? And if so, what is the best way to go about that? Sorry if I am being a bit thick with this! James
June 21st, 2011 12:20am

It's really difficult to get AD to become "corrupt"... If you are just starting off and simply want to start fresh and clean, the best option is to wipe the drive by installing Windows from scratch, then run DCPROMO. On any decent piece of hardware, the whole process should take you about 1-2 hours, especially if you have all of the drivers on hand.

Visit: anITKB.com, an IT Knowledge Base.
June 21st, 2011 3:05am

Hi, Obviously resetting would be a last resort, so I don't really want to go down that road unless I really have to. I carried out nslookup and came up with this:

DNS timed out. Timeout was 2 seconds
Default server: unknown
Address: ::1

::1 is an IPv6 default, is it not? IPv6 is a problem concerning DHCP I came across earlier in this epic journey. How do I set proper IPv6 IPs? Sorry, this is kind of a side question. James
June 21st, 2011 5:19pm

IPv6 is not required for this implementation and is a quite different scheme than IPv4. You can uncheck the IPv6 binding if you wish, or just leave it. It should not be a factor in this implementation. Did you try to resolve any queries at that NSLOOKUP prompt? An internal query, external query? When you open the DNS admin console on the server, you see your AD zone, correct? You may also want to create a reverse lookup zone, at some point in the future.

Visit: anITKB.com, an IT Knowledge Base.
June 22nd, 2011 1:32am

Hi JM, I have reinstalled Windows 2008 R2 and went through the process from scratch. I am glad to say everything is working much better. I think I had too many messed up settings from previous setups and the NIC card was playing funny. Anyway, I can ping the server from the client and the client from the server. So connectivity seems to be fine. I tried connecting the client via computer name, but it cannot find my server. Is there a better way of connecting the client? Many thanks, James
June 22nd, 2011 9:51pm

Ok, so I am going to assume that you have the server and the client OS up and running as you described. You can ping each machine. Good... Using the network diagram above, you'll want to get Active Directory up and running first. As you are aware, you'll need to run DCPROMO on the server. During the wizard, you'll choose to set up a new forest and create the first domain. During the process, it will most likely let you know that DNS is not configured. It's OK to let the wizard set up DNS for you. When the process is complete, you'll need to restart the server. After that happens, if your client's DNS settings are pointing to that server, you should be able to change its workgroup status to domain joined. Just provide admin credentials when joining the computer to the domain.

Visit: anITKB.com, an IT Knowledge Base.
June 23rd, 2011 4:59pm

Ok, everything is set up and I cannot connect the client to the domain. I can reach the <servername>/ local site (IIS7 is what I am seeing). I have tried the <servername>/Connect method and I get a Server Error:

404 - File or directory not found. The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

I'm stumped. Is there anything I could be missing? Thanks so much once again. James
June 23rd, 2011 8:17pm

Is this the Small Business Server edition? If so, you may want to continue this thread in that appropriate forum. I do not have much experience with that edition. I am not familiar with the different "connect" options in that version. The procedure that I know for connecting (joining) a client to the domain is for you to log on to the client with admin privileges, go to system properties (right click My Computer), Advanced system settings (Win7), then go to the Computer Name tab, click on Change. Then click on the radio button for the domain, provide the FQDN of the domain, hit enter. When prompted, provide a user id and password that has permission to join computers to the domain. Once you join the domain, that is not going to resolve the error you just provided, but you'll be domain joined. The error above indicates that yes, IIS is installed, but is not properly configured as of yet.

Visit: anITKB.com, an IT Knowledge Base.
June 23rd, 2011 8:43pm

Hi, Thanks. The edition I am using is Standard edition. I tried the computer name procedure before and I got as far as the username and password, but it won't accept the password I am trying. I had read about the other way to connect via the browser and was trying that, hence the error message. I will try and make sure the logon for the client has admin privileges and try again. Almost there!! Many thanks again. James
June 23rd, 2011 11:38pm

No problem. When prompted for credentials, just use this format for the user name: domain\userID, and of course use the correct password.

Visit: anITKB.com, an IT Knowledge Base.
June 23rd, 2011 11:44pm

Hi JM, I am frustratingly close to connecting PCs to the domain, but keep getting an error, access denied or network path not found! I have done a dcdiag and this is what came back:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = WISESERV
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests
   Testing server: Default-First-Site-Name\WISESERV
      Starting test: Connectivity
         ......................... WISESERV passed test Connectivity

Doing primary tests
   Testing server: Default-First-Site-Name\WISESERV
      Starting test: Advertising
         ......................... WISESERV passed test Advertising
      Starting test: FrsEvent
         ......................... WISESERV passed test FrsEvent
      Starting test: DFSREvent
         ......................... WISESERV passed test DFSREvent
      Starting test: SysVolCheck
         ......................... WISESERV passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x80000B46
            Time Generated: 06/24/2011   14:38:14
            Event String: The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
         ......................... WISESERV passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... WISESERV passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... WISESERV passed test MachineAccount
      Starting test: NCSecDesc
         ......................... WISESERV passed test NCSecDesc
      Starting test: NetLogons
         ......................... WISESERV passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... WISESERV passed test ObjectsReplicated
      Starting test: Replications
         ......................... WISESERV passed test Replications
      Starting test: RidManager
         ......................... WISESERV passed test RidManager
      Starting test: Services
         ......................... WISESERV passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 06/24/2011   13:49:13
            Event String: Name resolution for the name 168.192.in-addr.arpa timed out after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x000727AA
            Time Generated: 06/24/2011   13:49:20
            Event String: The WinRM service failed to create the following SPNs: WSMAN/WISESERV.serv.wisewomen.local; WSMAN/WISESERV.
         A warning event occurred.  EventID: 0x00000090
            Time Generated: 06/24/2011   13:51:41
            Event String: The time service has stopped advertising as a good time source.
         A warning event occurred.  EventID: 0x80050004
            Time Generated: 06/24/2011   13:57:09
            Event String: Broadcom BCM5709C #37: The network link is down. Check to make sure the network cable is properly connected.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 06/24/2011   14:01:16
            Event String: Name resolution for the name serv.wisewomen.local timed out after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x8000001D
            Time Generated: 06/24/2011   14:14:31
            Event String: The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 06/24/2011   14:14:41
            Event String: Name resolution for the name _ldap._tcp.dc._msdcs.serv.wisewomen.local timed out after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x00000420
            Time Generated: 06/24/2011   14:15:22
            Event String: The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.
         A warning event occurred.  EventID: 0x00000090
            Time Generated: 06/24/2011   14:15:25
            Event String: The time service has stopped advertising as a good time source.
         A warning event occurred.  EventID: 0x00002724
            Time Generated: 06/24/2011   14:15:27
            Event String: This computer has at least one dynamically assigned IPv6 address. For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
         An error event occurred.  EventID: 0x00000612
            Time Generated: 06/24/2011   14:16:15
            Event String: Log size is full
         A warning event occurred.  EventID: 0x000727AA
            Time Generated: 06/24/2011   14:18:10
            Event String: The WinRM service failed to create the following SPNs: WSMAN/WISESERV.serv.wisewomen.local; WSMAN/WISESERV.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 06/24/2011   14:35:01
            Event String: Name resolution for the name serv.wisewomen.local timed out after none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x8000001D
            Time Generated: 06/24/2011   14:38:10
            Event String: The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 06/24/2011   14:38:25
            Event String: Name resolution for the name WISESERV.serv.wisewomen.local timed out after none of the configured DNS servers responded.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 06/24/2011   14:38:43
            Event String: The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
         A warning event occurred.  EventID: 0x00002724
            Time Generated: 06/24/2011   14:38:47
            Event String: This computer has at least one dynamically assigned IPv6 address. For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
         A warning event occurred.  EventID: 0x00000090
            Time Generated: 06/24/2011   14:39:00
            Event String: The time service has stopped advertising as a good time source.
         A warning event occurred.  EventID: 0x80040033
            Time Generated: 06/24/2011   14:39:27
            Event String: An error was detected on device \Device\Harddisk1\DR1 during a paging operation.
         An error event occurred.  EventID: 0x00000612
            Time Generated: 06/24/2011   14:39:38
            Event String: Log size is full
         A warning event occurred.  EventID: 0x000727AA
            Time Generated: 06/24/2011   14:41:33
            Event String: The WinRM service failed to create the following SPNs: WSMAN/WISESERV.serv.wisewomen.local; WSMAN/WISESERV.
         ......................... WISESERV failed test SystemLog
      Starting test: VerifyReferences
         ......................... WISESERV passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : serv
      Starting test: CheckSDRefDom
         ......................... serv passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... serv passed test CrossRefValidation

   Running enterprise tests on : serv.wisewomen.local
      Starting test: LocatorCheck
         ......................... serv.wisewomen.local passed test LocatorCheck
      Starting test: Intersite
         ......................... serv.wisewomen.local passed test Intersite

I see errors here but do not know how to fix. Can you help with this? James
June 24th, 2011 4:51pm

Honestly, there is nothing that stands out preventing you from joining the computers to the domain. Not sure why you are having such a hard time. When you attempt to join the domain, you should be prompted for credentials. When you provide the credentials, it will either complete or let you know that the credentials you supplied do not have permissions. The output you provided really only shows warnings, no critical errors. Each can be fixed at a later time if needed. To join from an XP computer, right click My Computer, Properties, Computer Name tab, Change button. From Windows 7, right click My Computer, Properties, Advanced system settings link on the left, then the Computer Name tab.

Visit: anITKB.com, an IT Knowledge Base.
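Three of the warnings in the dcdiag output above have straightforward server-side fixes once the domain is settled: the missing reverse lookup zone (the 168.192.in-addr.arpa timeouts, and the reverse zone JM mentions earlier), DHCP running on the DC with no dynamic-DNS credentials (event 0x420), and LDAP accepting unsigned and cleartext binds (event 0x80000B46, i.e. event 2886). This is an added example for running on the DC from an elevated PowerShell prompt, not code from the thread or from anITKB.com; it assumes the 192.168.1.0/24 subnet from the thread, and the service account name is a hypothetical placeholder you must create first.

```powershell
# Added example: remediate three dcdiag warnings on a 2008 R2 DC. Run elevated on the DC.
param(
    # The thread's subnet is 192.168.1.0/24, so the zone is 1.168.192.in-addr.arpa
    # (the event shows the shorter 168.192.in-addr.arpa because no zone existed at all).
    [string]$ReverseZone = '1.168.192.in-addr.arpa',
    # Hypothetical unprivileged domain account used only for DHCP dynamic DNS updates.
    [string]$DhcpDnsAccount = 'SERV\svc-dhcpdns'
)

# 1. Reverse lookup zone. dnscmd ships with the DNS Server role; /DsPrimary stores the
#    zone in AD so it replicates with the directory instead of living in a file.
& dnscmd /ZoneAdd $ReverseZone /DsPrimary
if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneAdd $ReverseZone failed (exit $LASTEXITCODE)" }

# 2. DHCP DNS credentials. Without them, records registered on behalf of clients are
#    owned by the DC computer account, which is what event 0x420 warns about. The
#    credential prompt keeps the password off the command history; netsh still
#    receives it as an argument, so run this interactively, not from a saved script.
Write-Host "Enter the DHCP dynamic DNS account as DOMAIN\user (e.g. $DhcpDnsAccount)"
$cred    = Get-Credential
$netCred = $cred.GetNetworkCredential()
& netsh dhcp server set dnscredentials $netCred.UserName $netCred.Domain $netCred.Password
if ($LASTEXITCODE -ne 0) { throw "netsh dhcp server set dnscredentials failed (exit $LASTEXITCODE)" }
Restart-Service -Name DHCPServer   # the service reads the credentials at start-up

# 3. LDAP signing. LDAPServerIntegrity = 2 makes the DC reject SASL binds that do not
#    request signing and simple binds over cleartext, which is exactly what event 2886
#    recommends. Before enforcing, check the Directory Service log for event 2887
#    (a 24-hour count of unsigned/cleartext binds); a non-zero count means some client
#    (printer, NAS, LDAP-authenticating app) still binds insecurely and will break.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$unsigned = Get-EventLog -LogName 'Directory Service' -InstanceId 2887 -Newest 1 -ErrorAction SilentlyContinue
if ($unsigned) {
    Write-Warning "Event 2887 seen at $($unsigned.TimeGenerated); review it before requiring signing:"
    Write-Warning $unsigned.Message
} else {
    Set-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity' -Value 2 -Type DWord
    Write-Host 'LDAP server signing now required; event 2886 should stop appearing after the next DC restart.'
}
```

Items 1 and 2 are safe to apply immediately; item 3 is intentionally gated on the 2887 check because requiring signing is a one-way change for any device that only speaks simple LDAP.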
June 24th, 2011 9:16pm

Ok, I'll have to try again on Monday. I have been going through the change name process, selecting the domain option and entering the server domain. I know that it is finding the domain as it allows me to enter the credentials in the dialog box that pops up, but it always comes back with access denied or network path not found. It happens on another machine I am trying to connect, too. Very frustrating! Thanks again, James
June 25th, 2011 12:47am

If you are being prompted for credentials, that means that the config on the client is correct and that you are communicating with the DC. If it comes back as access denied, you're not using the correct account that has permissions. To rule out all possible account problems, you should be able to provide the credentials for a domain admin in the form of domainname\administrator, then the password.

Visit: anITKB.com, an IT Knowledge Base.
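The checks JM describes across this thread (client DNS pointing at the DC, the domain name resolving from the client, the DC reachable, then joining with a DOMAIN\user credential) can be run in order from the client in one script, so a failing step is named before the join dialog ever says "access denied". This is an added example, not the thread's or anITKB.com's code; it assumes the thread's DC address 192.168.1.200 and domain serv.wisewomen.local, the DC being the client's only DNS server, and a Windows 7-era PowerShell 2.0 (so it uses nslookup and nltest rather than newer cmdlets).

```powershell
# Added example: pre-join readiness checks, then the domain join, run on the client.
param(
    [string]$Domain = 'serv.wisewomen.local',   # from the thread's dcdiag output
    [string]$DcIp   = '192.168.1.200'           # the DC / DNS server in the thread
)

function Test-DnsPointsAtDc {
    # Every IP-enabled adapter must list the DC first; a leftover ISP resolver such as
    # the 217.x.x.x address mentioned earlier makes _msdcs lookups fail.
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        $servers = @($nic.DNSServerSearchOrder)
        if ($servers.Count -eq 0 -or $servers[0] -ne $DcIp) {
            Write-Warning ("{0}: DNS servers are [{1}], expected {2} first" -f `
                $nic.Description, ($servers -join ', '), $DcIp)
            return $false
        }
    }
    return $true
}

function Test-DcLocatorRecord {
    # _ldap._tcp.dc._msdcs.<domain> is the SRV record a client uses to find a DC;
    # it is the record whose lookup timed out in the dcdiag output. Query the DC directly.
    $out = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $DcIp
    if ($out -match 'svr hostname') { return $true }
    Write-Warning "SRV record not returned by $DcIp :`n$($out -join "`n")"
    return $false
}

function Test-NetlogonLocator {
    # nltest asks the local Netlogon service to locate a DC, the same path the join uses.
    $out = & nltest /dsgetdc:$Domain
    if ($LASTEXITCODE -eq 0) { return $true }
    Write-Warning "Netlogon could not locate a DC for $Domain :`n$($out -join "`n")"
    return $false
}

# Stop at the first failing layer so the cause is obvious.
if (-not (Test-Connection -ComputerName $DcIp -Count 2 -Quiet)) {
    throw "Cannot ping $DcIp: fix cabling, IP settings or the firewall before anything else."
}
if (-not (Test-DnsPointsAtDc))   { throw 'Client DNS must point at the DC, not the router or ISP.' }
if (-not (Test-DcLocatorRecord)) { throw 'DC is reachable but its DNS is not serving the _msdcs SRV record.' }
if (-not (Test-NetlogonLocator)) { throw 'DNS is fine but Netlogon cannot locate the DC.' }

# All layers pass: join. Enter the account as DOMAIN\user (domainname\administrator rules
# out permission problems, as suggested above); a plain user name without the domain
# prefix is the usual cause of "access denied" at this step.
Write-Host "Enter credentials as DOMAIN\user for an account allowed to join computers to $Domain"
$cred = Get-Credential
Add-Computer -DomainName $Domain -Credential $cred
Write-Host 'Joined. Restart the client to finish the join.'
```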
June 25th, 2011 1:54am

Hi JM, I just wanted to get back to you and thank you for all your help. I now have all my clients connected and it's all running smoothly, for now anyway. I had to join my users to an admin group before they would be accepted, which I kinda missed. I'm looking to be able to connect remotely both via Remote Desktop and VPN, so if you have any tips on that too, that would be great. Thanks again, James
June 30th, 2011 11:14am

If you want to set up VPN, you'll need to decide on the design. While you can set up Windows to act as a VPN server, I wouldn't recommend that role on a DC. However, that's easy to say when not considering additional costs for another server. I would recommend a more practical and cost effective solution. If you refer back to the diagram that I posted, I would replace the Consumer Grade Router with another router that supports VPN. Routers that support VPN connections are cost effective, while not complicating your Windows systems. For allowing RDP into your network, you can RDP through the VPN connection. Without a VPN connection, you would have to log into your internet router and set up a NAT rule to allow the inbound RDP packets (TCP port 3389) and send those packets to the system you want to RDP to. All you would need to know is your public IP address. From the internet, your client would connect to the public IP. The NAT rule allows the packets to come into your network.

Visit: anITKB.com, an IT Knowledge Base.
June 30th, 2011 5:15pm

This topic is archived. No further replies will be accepted.
