Re: About DNS naming convention for Active Directory
- From: "Newbie" <newbie@xxxxxxxxxxx>
- Date: Wed, 8 Jun 2005 01:34:09 -0400
Hi Ace,
Here's what I did so far. I set up a private network consisting of the
following:
1) NT4 PDC (originally installed as BDC, promoted to PDC, then taken
offline from the production corporate network). I then promoted a BDC on the
production corporate network to PDC so nothing changed on the production
corporate side
2) Windows 2003 Server as standalone joined to workgroup
3) Windows 2000 Pro
4) Windows 98 SE
I did an in-place upgrade of the NT4 PDC to Active Directory 2003. During
the wizard I chose not to install DNS (configure it later), so on the private
LAN I had no DNS service at all. The upgrade process went okay, as I could
log in to the new AD 2003 with the above operating systems. I changed a user's
password and it was recognized by the member computer no problem during
login. Joined the 2003 Server as a member server and that went well too. I
then tried using the new Windows 2003 member server and promoting it to another
AD in the same forest. Then I realized the server couldn't locate the first
AD in the forest. Then I realized I should have installed and configured
DNS service.
Off I went to wipe the config and restart from step (1). I was able to configure
DNS service and use an IP forwarder for external addresses. So in the AD 2003 IP
config I had 127.0.0.1 for primary DNS and our Unix DNS servers' IPs as forwarders.
This seemed to work as I was able to browse the Internet and Intranet.
Everything was done through its own private LAN until I mistakenly took our
production network cable and plugged it into the test AD2003. It was
connected for about half an hour. During this time, it converted a number
of PCs to the new domain (basically the same domain name), but the Network
Identification tab shows company.com instead of just COMPANY. We were
getting calls about people not being able to log in, so I took the network cable out.
I manually disjoined the computers from the AD2003 domain to a workgroup and
re-joined them to the NT4 domain. At this point I didn't realize which
authentication was used between AD2003 and NT4, so I guess all the newly
configured 2000/XP computers were trying to authenticate against the new AD2003
while it was offline (as I took out the network cable). Because they were
converted to AD2003, they couldn't authenticate against an NT4 BDC, so people
couldn't log in to their own computers. I guess if I had left the cable plugged
in, everything would have been fine!
The test I had on the test LAN was that I turned on each computer one by one;
they logged in okay and, in turn, converted to the new domain. The scenario
was a bit different and I was panicking in case nobody could log in to their own
computers.
At the moment, the entire production network is still NT4 Domain as we've
converted those who changed back to NT4. I still have the new AD2003
offline.
What I'd like to do before I roll it out to the production network is to set
up a 2nd AD2003, make sure they both talk to each other (no child domain) on
a test network. If it goes well and the above computers can join and talk
to the AD no problem, then I'll roll it out into production.
Our production network is a mixture of Windows, Unix and Linux. Our core
services rely on Unix as we have Unix based DNS, mail, etc. DHCP is running
on a Windows 2003 Server running as a member server to the domain. Most of
the Windows based clients are on DHCP. Only a few are on static IP.
The current IPCONFIG from production PC:
IP: 90.0.23.1
Subnet: 255.0.0.0
Gateway: 90.0.0.4
DHCP Server: 90.0.1.180
DNS Servers: 90.0.0.1, 90.0.1.1
Primary WINS Server: 90.0.1.180
DHCP/WINS server is a Windows 2003 based member server
DNS server 90.0.0.1 is Unix based, which I don't think supports dynamic
update
The current IPCONFIG from the test AD2003:
IP: 90.0.1.194
Subnet: 255.0.0.0
Gateway: 90.0.0.4
DNS Servers: 127.0.0.1
I configured the IP forwarder to be 90.0.0.1 and 90.0.1.1
From the test AD2003 server, I can ping any workstations using name
resolution.
Our Unix admins suggested leaving the Unix/Linux machines to use the Unix based DNS
servers and leaving out the DNS server address for AD2003. This way, the
Linux/Unix machines will never know a Windows based DNS existed.
On the Windows side, the primary DNS will be the AD2003, so any Windows based
PC will be able to find the Active Directories as well as perform any DNS
resolution. The forwarder will forward any Unix/Linux based requests as
well as Internet addresses.
Am I getting somewhere with this setup?
Thanks again for your assistance and sorry for the long post. Hopefully it
gives you some background information. I once again thank you, Rebecca, for
staying with me on this whole DC -> AD upgrade process, as well as all the
other MVPs.
Simon
"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@xxxxxxxxxxx> wrote in
message news:OrfV0N%23aFHA.3712@xxxxxxxxxxxxxxxxxxxxxxx
> In news:OLIZ3U9aFHA.1088@xxxxxxxxxxxxxxxxxxxx,
> Newbie <newbie@xxxxxxxxxxx> stated, and I replied below:
>> I'm sorry for jumping all over the place with this AD upgrade for our
>> company. I made a mistake today by plugging the test AD into the
>> corporate network and caused some users not to be able to log in to their
>> computers.
>> Simon
>
> We'll try to keep the discussion here so we can collaborate with all the
> facts.
>
> You stated that you successfully upgraded to Win2003. I am assuming you
> upgraded your NT4 domain controller to this new 2003 domain controller.
> All services, such as logon, authentication, etc, should continue as
> previously under NT4 with the same users.
>
> Now, if I may try to translate what you just posted here, you are saying
> that you upgraded this in a test network and then plugged it into your
> main network? I thought you mentioned earlier (as I implied above), that
> you upgraded your production machine?
>
> What is your current production domain? NT4 or Win2003?
> Is the test AD Netbios domain name the same as the production Netbios
> domain name? That can cause issues if both are side by side with the same
> Netbios domain name, depending on if you are using WINS, and if you set
> the test machine to use the production WINS server. Now AD doesn't require
> WINS to function, since it relies purely on DNS services, but it can
> affect your current legacy and newer clients, since they've been using
> NTLM as the authentication method with NT4. Once Win2000 and newer
> machines realize there's an AD domain out there, their authentication
> method now turns to and sticks with Kerberos. If they try to authenticate
> against the NT4 domain, it will fail. If you unplug the AD DC, their
> authentication attempts will fail. There is an article describing this,
> and it was fixed with later service packs, and I'm not sure if it applies, since
> I do not know all the facts. Up to now, I do not know your config.
>
> 284937 - Windows 2000-Based Clients Connect Only to the Domain Controller
> That Was Upgraded First in a Mixed-Mode Domain:
> http://support.microsoft.com/?id=284937
>
> Here's a little snippet from one of my previous posts explaining about AD
> and DNS. Also, please take the time to read this passage and some of the
> articles I provided below. They are short and to the point and may help
> give you a better understanding of how AD and DNS work.
>
> =========================
> Just a little background: AD uses DNS. DNS stores AD's resource and
> service locations in the form of SRV records, hence how everything that is
> part of the domain will find resources in the domain. If the ISP's DNS is
> configured in any of the internal AD member machines' IP properties
> (including all client machines and DCs), the machines will be asking the
> ISP's DNS "where is the domain controller for my domain?" whenever they
> need to perform a function (such as a logon request, replication
> request, querying and applying GPOs, etc). Unfortunately, the ISP's DNS
> does not have that info and replies with an "I dunno", and things
> just fail.
>
> So you cannot use your ISP's DNS addresses anymore in your client or any
> other machines. You cannot use your router as a DNS or DHCP server either.
> If you are using your NT4 as a DNS server, that all needs to be changed
> over to Win2003 DNS. Same with DHCP. NT4 DNS cannot support AD's SRV
> requirements and dynamic updates.
>
> If this is the current scenario, it is highly suggested and recommended to
> only use the internal DNS servers on the network that is hosting the AD
> zone name. This applies to all machines, (DCs and clients). Believe me,
> Internet resolution will still work with the use of the Root hints (as
> long as the root zone doesn't exist).
>
> However, for more efficient Internet resolution, it's recommended to
> configure a forwarder. If the forwarding option is grayed out, delete the
> Root zone (looks like a period). If not sure how to perform these two
> tasks, please follow one of the two articles listed below, depending on
> your operating system. They show step by step how to perform these
> tasks:
>
> 323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003 :
> http://support.microsoft.com/?id=323380
>
> 300202 - HOW TO Configure DNS for Internet Access in Windows Server 2000 :
> http://support.microsoft.com/?id=300202
>
> DNS and AD (Windows 2000 & 2003) FAQ:
> http://support.microsoft.com/?id=291382
>
> ===========================
>
> Do us a favor: to get a more specific picture about your config, can you
> please post:
>
> 1. ipconfig /all of your new DC, your NT4 machine, and one of your DHCP
> clients.
> 2. The exact spelling of your zone name in DNS
> 3. If dynamic updates are enabled in the zone properties
> 4. Any Event log errors.
>
> Thanks,
> Ace
>
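The question Ace describes above ("where is the domain controller for my domain?") is a DNS SRV lookup, and the answer differs depending on which server a client is pointed at. The script below is an added example, not code from this thread or from either poster: it builds the SRV names a DC registers in DNS, sends the query to a chosen server (for instance the AD DC at 90.0.1.194 versus the Unix DNS at 90.0.0.1 from the post), parses the reply, and says whether that server knows the zone. It uses only the Python standard library; `company.com`, `dc1.company.com` and the addresses are illustrative values taken from or modelled on the thread, and the constructed reply builder exists so the parser can be exercised offline.

```python
"""Added example (not from the thread): query the SRV records Active Directory
registers in DNS and interpret the answer. Standard library only; names and
addresses are illustrative."""
import random
import socket
import struct
import sys

SRV = 33  # DNS record type SRV; class IN is 1


def dc_locator_names(domain):
    """SRV names a DC registers in DNS and clients use to locate it."""
    d = domain.strip(".").lower()
    return [f"_ldap._tcp.dc._msdcs.{d}", f"_kerberos._tcp.dc._msdcs.{d}",
            f"_ldap._tcp.{d}", f"_kerberos._tcp.{d}"]


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_srv_query(name, txid):
    # Header: id, flags (RD=1), qdcount=1, an/ns/ar counts 0; then the question
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV, 1)


def build_srv_response(txid, qname, answers, rcode=0):
    """Constructed reply for offline use; answers = [(prio, weight, port, target)].
    Each answer's owner name is a compression pointer (0xC00C) to the question."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, plus the rcode (3 = NXDOMAIN)
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", SRV, 1)
    for prio, weight, port, target in answers:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", SRV, 1, 600, len(rdata)) + rdata
    return msg


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the caller resumes right after the pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_srv_response(msg):
    """Return (rcode, list of SRV records) from a DNS response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question (name + type + class)
        _, offset = read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = read_name(msg, offset + 6)
            records.append({"name": name, "priority": prio, "weight": weight,
                            "port": port, "target": target})
        offset += rdlen
    return flags & 0xF, records


def describe(rcode, records):
    """What the answer means for a client that relies on this server."""
    if rcode == 3:
        return "NXDOMAIN: this server does not host the AD zone (ISP or other non-AD DNS)"
    if rcode != 0:
        return f"DNS error, rcode {rcode}"
    if not records:
        return "NOERROR but no SRV answer: zone hosted, DC records not registered (check dynamic updates)"
    return "OK: " + ", ".join(f"{r['target']}:{r['port']}" for r in records)


def query_srv(name, server, timeout=3.0):
    """Send one SRV query over UDP to `server` and parse the reply."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != txid:
        raise ValueError("transaction id mismatch")
    return parse_srv_response(data)


if __name__ == "__main__":
    # usage: python dclocator.py company.com 90.0.1.194   (zone and server are examples)
    domain, server = sys.argv[1], sys.argv[2]
    for name in dc_locator_names(domain):
        print(name, "->", describe(*query_srv(name, server)))
```

Run it once against the DC's own DNS and once against the Unix DNS: the first should return OK with the DC's name and port 389/88, the second NXDOMAIN (or a forwarded OK if that server has been made aware of the zone). A NOERROR answer with no records is the case to watch for in the post's setup, since it means the zone exists but the DC never registered its records, which is what happens when the zone does not accept dynamic updates.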