Changed network structure, now domain is MIA

Cervantes

MIS
Apr 1, 2003
147
CA
Hi;
Quick background: had one PC with 2 NICs set up as gateway/firewall/dns/dhcp/wins/active directory/RRAS, etc. Decided this wasn't the best setup, so I picked up a dlink 624, with hardware firewall and dhcp, etc. Disabled RRAS on the server, changed IP, set up 624.

Where I'm at now: Full resolution and access via the 624 for the internet. DNS resolution on internal names (eg: ping mymachinename works). The server (10.0.0.2) is accessible and pingable by IP and name. I can even open some unprotected folders from the server. I cannot, however, log onto the domain. Trying it from a PC previously on the domain logs me in locally, without login script, and when I try to access domain resources it asks me to log in (and accepts it). When I try from another machine that has not had this domain user log in before, it tells me the domain could not be contacted.

What did I screw up? I've been through everything I can think of, with no luck. Does anyone have something I can check to find out why I can access my server, but not log into the domain hosted by it?

-Cerv
 
Does your D-link act as a DHCP server also? If so, I think the D-link can only give out IPs in the 192.168.x.x range. I'm aware that your server has IP 10.0.0.2 and that you're able to ping it but I would check to see what the IP is of the client.

It really doesn't make sense to me. Does your DNS server have all the correct zones for the domain? Can you ping the domain name?

Steven S.
MCSA
A+, Network+, Server+, i-Net+, Security+
 
Hi aznluvsmc;
I thought the dlink could only do 192.168 as well, but apparently it's smart enough that when you set its IP to 10.0.0.1, to change its available subnet to the 10.x.x.x range. I suspect the same is true of the third private range as well. I was quite pleased... something feels dirty about using 192.168 :)

The server, Charon (10.0.0.2) is pingable by name and IP. I can start/run \\charon and get the base folder (netlogon, printers, public folders, etc).
The clients are properly getting assigned dynamic IPs in the 10.0.0.1xx range that I requested, they're also getting proper DNS Server and Gateway information. I have full intra and internet access. The only glitch is that it won't find the domain for logon.
 
I'm from the old school. Take the machine that can't access the domain, and put a hosts file on it with the address of the server and see what happens. (What's the OS of the bad pc? Make sure browsing is turned off on it, if it's w2k or beyond.) Good luck.

Glen A. Johnson
If you're from Northern Illinois/Southern Wisconsin feel free to join the Tek-Tips in Chicago, Illinois Forum.

TTinChicago
Johnson Computers
 
Ok, just occurred to me. When you configured your D-link it might be using your ISP's DNS server and then giving that out to the clients. So when your clients login, they are querying your ISP's DNS server rather than your internal DNS server.

Run an IPCONFIG /ALL on the client to see what the DNS server address is set to use.

Steven S.
MCSA
A+, Network+, Server+, i-Net+, Security+
 
The DLink supposedly allows you to set primary and secondary DNS servers, so I tried setting a primary of my local server and a secondary of my ISP DNS. I can, for example, successfully "ping zero-cool" and have it resolve to 10.0.0.103.

Yes, I named a pair of my primary PCs "Zero-Cool" and "Acid-Burn". Props to everyone who gets that. :)

The point is, I do have internal DNS resolution. I can, in fact, log in on a PC under a local ID, and Start/Run "\\charon" (the name of my server) and successfully get a directory listing. But when I try to log on with a domain user account, it says it can't find the domain.

FTR, I'm using WinXP Pro SP1 on most machines. Server is Win2k advanced server. I've done my best to confirm that WINS, DHCP, and AD are all running fine on the server... so the only thing left that I can think of is something must be hiding somewhere that is still pointing domain requests to the old server IP...

I swear, computers were created by the Bayer Corporation so they could sell more Aspirin.
 
I notice you have 2 nics. Is DNS set to accept requests from both interfaces?

If you're only using one NIC, I would suggest disabling the one that isn't used.

_______________
Doing IT Right!
 
Yep, ever since I stopped using the server as a gateway I disabled the second (external connection) NIC. The only active one now is the one that was always connected to the LAN.

Given that I haven't changed which connection was connected to the LAN, I didn't think DNS would need any changes in that regard. I'll double-check though. Thanks!
 
This sounds like it might be a service record problem. All DCs have regular address records in DNS. That is why it will resolve the server name. But it needs the service record to tell WHAT the machine does. (kinda like the extra telephone book entry that has doctors and dentists in bold) In your DNS zone do you have these folders:
_msdcs
_sites
_tcp
_udp

If you don't then something happened to your service records. If you had DNS installed before or after the DCPROMO process then these records will not be there. They really only install correctly if you install DNS during the promotion process with your network setting pointing to yourself as the DNS server. Otherwise the service records are on the DNS server you were pointed to when you promoted... your ISP's? Sometimes the local machines can find the DC because it can broadcast the NetBIOS name of the domain and find the controller, but anything that has to use DNS exclusively will not find it.

Hope this helps.
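
The two DNS checks suggested in this thread (which DNS servers the client was handed, and whether the domain controller's service records exist) can be run together. The script below is an added example, not code from any poster: `example.local` is a placeholder because the thread never states the AD DNS domain name, and `Resolve-DnsName` and `Get-DnsClientServerAddress` require Windows 8 / Server 2012 or later (on older clients, `nslookup -type=SRV` against each server is the manual equivalent).

```powershell
# Added example (not from the thread). Checks whether each DNS server the
# client is configured to use can answer the domain controller SRV lookups.
param(
    # Placeholder: the thread never gives the AD DNS domain name.
    [string]$Domain = 'example.local',
    # Defaults to whatever DNS servers this client currently uses.
    [string[]]$DnsServers
)

if (-not $DnsServers) {
    $DnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } |
        Sort-Object -Unique
}

# SRV records a domain controller registers; they live under the
# _msdcs, _tcp and _udp folders of the zone.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_kerberos._udp.$Domain",
    "_kpasswd._tcp.$Domain"
)

$results = foreach ($server in $DnsServers) {
    foreach ($name in $srvNames) {
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -Server $server `
                       -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            $status = if ($srv) { 'OK' } else { 'NO SRV DATA' }
            $detail = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        } catch {
            $status = 'MISSING'
            $detail = $_.Exception.Message
        }
        [pscustomobject]@{
            DnsServer = $server
            Record    = $name
            Status    = $status
            Detail    = $detail
        }
    }
}

$results | Format-Table -AutoSize
```

A server that resolves the DC's host name but reports MISSING for every record matches the service-record problem described above; an ISP resolver appearing in the `DnsServer` column is expected to report MISSING for an internal domain, which is the case raised earlier about the router handing out the ISP's DNS.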
 