iphonogasm Posted June 9, 2012

Hi, this is my very first time deploying and configuring AD. I am setting up a Domain Controller at home, for a very small network (testing and knowledge ;) ). I have created the domain and have a DNS zone for my domain. I had the DNS zone prior to setting up the DC; it was just propagating DNS records (A, MX mail etc.) for my domain. So I went ahead and installed the DC role using dcpromo. All seemed to go well; however, I am unable to connect to the DC.

- I am on the same network
- The DC is my DNS server
- I have a static IP
- The adapter is set up to update DNS records
- The DC/DNS server is not the DHCP server

I am getting the error:

Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "megahosting.co.nz":
The error was: "DNS name does not exist." (error code 0x0000232B RCODE_NAME_ERROR)
The query was for the SRV record for _ldap._tcp.dc._msdcs.megahosting.co.nz

Common causes of this error include the following:
- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses: 192.168.2.200
- One or more of the following zones do not include delegation to its child zone: megahosting.co.nz, co.nz, nz, . (the root zone)

Thanks guys!!
ICTCity Posted June 9, 2012

Quoting iphonogasm:
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "megahosting.co.nz":
The error was: "DNS name does not exist." (error code 0x0000232B RCODE_NAME_ERROR)
The query was for the SRV record for _ldap._tcp.dc._msdcs.megahosting.co.nz
Common causes of this error include the following:
- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses: 192.168.2.200

The answer is there... your DNS does not have the SRV record related to "_ldap._tcp.dc._msdcs.megahosting.co.nz". This looks a bit strange to me, but add this record manually and everything should be resolved.

--------------------------------------------------------
You can also write in French. You can also write in German. You can also write in Italian.
--------------------------------------------------------
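Before touching any record by hand it is worth seeing exactly which of the DC locator records are missing and letting Netlogon write them itself. The script below is an added example, not something posted in the thread; it assumes the domain name (megahosting.co.nz) and DNS server (192.168.2.200) from the first post, and that it runs in an elevated PowerShell on the DC on Windows Server 2012 or later (Resolve-DnsName and Get-DnsServerZone ship from that version; on 2008 R2 use nslookup -type=SRV and dnscmd /zoneinfo instead).

```powershell
# Added example (not from the thread): verify the AD DC locator SRV records named in the
# dcdiag message and, if they are missing, have Netlogon re-register them.
# Assumptions: domain and DNS server taken from the original post; run elevated on the DC.

$Domain    = 'megahosting.co.nz'
$DnsServer = '192.168.2.200'

# The records Netlogon registers for a DC. _ldap._tcp.dc._msdcs is the one the client-side
# locator queries first; the others are needed for Kerberos, generic LDAP and GC lookups.
$SrvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.$Domain",
    "_gc._tcp.$Domain"
)

$missing = @()
foreach ($name in $SrvNames) {
    try {
        $answers = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        foreach ($a in $answers) {
            "{0,-45} -> {1}:{2} (prio {3}, weight {4})" -f $name, $a.NameTarget, $a.Port, $a.Priority, $a.Weight
        }
    } catch {
        "{0,-45} -> MISSING ({1})" -f $name, $_.Exception.Message
        $missing += $name
    }
}

# Netlogon can only register into a zone that accepts dynamic updates. Secure-only updates
# are what you want on an AD-integrated zone; "None" is the usual reason records never appear.
Get-DnsServerZone -Name $Domain -ComputerName $DnsServer |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate | Format-List

if ($missing.Count -gt 0) {
    # Do not hand-type the records: Netlogon owns the whole set (it is listed in
    # %SystemRoot%\System32\config\netlogon.dns) and refreshes them periodically.
    nltest /dsregdns
    Restart-Service Netlogon
    # Re-run the locator the same way the error message did.
    nltest /dsgetdc:$Domain /force
}
```

If the zone reports DynamicUpdate = None, set it to Secure (AD-integrated) or NonsecureAndSecure and re-register; if the records then appear for the `_msdcs` names but clients still fail, check that every machine, the DC included, points only at 192.168.2.200 for DNS and not at the ISP's resolver as well.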
iphonogasm Posted June 10, 2012 (Author)

So here's the thing, I have created the SRV record:
Service = _ldap
Protocol = _tcp
Port = 3389
Host offering this service = computer name
Domain = megahosting.co.nz

I have a ZONE megahosting.co.nz with A records propagated for my domain to the internet. Do I need to create a domain for this zone? I'm getting the same error. There appears to be a firewall entry (automatically added) for this port.

Thanks again!
ICTCity Posted June 10, 2012

You just have to create the SRV record in "megahosting.co.nz", and the name of this record will be: "_ldap._tcp.dc._msdcs".

PS: pay attention when you reply, you have edited my post ;)
iphonogasm Posted June 13, 2012 (Author)

Quoting ICTCity:
You just have to create the SRV record in "megahosting.co.nz", and the name of this record will be: "_ldap._tcp.dc._msdcs".
PS: pay attention when you reply, you have edited my post ;)

I'm really sorry about this. Have no idea how that happened. ;)

I got it working; however, I had to create a new domain, so instead of promoting my DC to my existing TLD megahosting.co.nz, I had to make it megahosting.local. I understand this is better for security reasons as .local is not routable. Just wondering why it would not add to my existing .co.nz domain (dynamic updates enabled).

Maybe you could just quickly explain to me the main points of a Domain. Why have a domain in a network? What does it do/restrict?

Thanks again!!
ICTCity Posted June 13, 2012

A domain is a group of objects (computers, users, policies, ...). In a Windows environment you have a basic NON-domain WORKGROUP (called workgroup), which is fine up to 10 clients; then you can't add more PCs. This limit is imposed by Microsoft. In a domain you can easily manage everything at once: when you decide that the new default printer will be the HP IdontKnow instead of the Canon IreallyDontKnow, you don't have to access all the computers, you can just change your script or group policy.

Regarding NAMES: well, you should always have a local domain and (if needed) a public domain. Dynamic updates are something different; actually megahosting.co.nz and megahosting.local ARE NOT the same thing. Windows doesn't know anything about the similar name. So, you should first create the LOCAL domain and THEN the public domain. To be honest this doesn't matter; the most important thing is: have 2 domains, internal and external.

Hope this helps.
iphonogasm Posted June 13, 2012 (Author)

Thanks, that clears that up!!

I have a few other small issues after installing and configuring AD:

- I am unable to remotely RDP into the server now from a separate public IP. I am getting an authentication problem and it is saying that the username/password is incorrect. However, I can access it from the local network with the same credentials.
- When connected to the Domain, I can RDP into the server on the local network but ONLY using the computer name. It no longer works with the IP (192.168.2.200), and it appears to be the opposite when not connected to the domain.
- And lastly, after creating and configuring AD, my Administrator account has changed. Different desktop, different settings etc. I had saved downloads paused in an app and need to resume them, but when I log in to the app they are gone. I have 3x Administrator accounts in the Users folder.

Thanks
ICTCity Posted June 14, 2012

If (and this is your case) the RDP answers but the credentials are wrong, you may have two different problems:
1) You must specify the domain: username@mydomain or mydomain\username
2) Check if remote RDP for that user is blocked or not (USUALLY for admins it is permitted, but check in the AD properties if it's permitted)

It sounds like RDP is not enabled on that IP, and it works with the name because DNS resolves the name to the correct IP. Check in the TS properties if the BINDING interface is only the external one and change it to "*" (all).

That's right. When you log in with a domain account (no matter if it's a new or old account) the GROUP POLICY is (are) applied, specifying desktop settings, permissions and so on. By default the "Default Group Policy" is applied. To change this: Start > RUN > gpedit.msc

Tip: when you want to test if RDP is up and running, open your browser and type: http://IPorNAMEofTHEserver:3389/
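A quick way to check the points in that reply in one go, rather than clicking through dialogs, is to read the listener, the remote-access switch, the firewall group and the logon right from the server itself. This is an added example, not code from the thread; it assumes Windows Server 2012 or later for Get-NetTCPConnection and Get-NetFirewallRule (on 2008 R2 use netstat -ano and netsh advfirewall firewall show rule), an elevated session on the server, and the domain name megahosting.local from the earlier post.

```powershell
# Added example (not from the thread): RDP diagnostics on the server side.
# Assumptions: elevated PowerShell on the server, Windows Server 2012+, domain megahosting.local.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

# 1. Is Remote Desktop switched on at all, and on which port / with NLA?
$ts  = Get-ItemProperty $TsKey
$rdp = Get-ItemProperty $RdpKey
[pscustomobject]@{
    RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)
    Port                 = $rdp.PortNumber
    NetworkLevelAuth     = ($rdp.UserAuthentication -eq 1)
} | Format-List

# 2. Which local addresses is the listener bound to? 0.0.0.0 / :: means every interface,
#    which is what "change the binding to *" in the reply is aiming for.
Get-NetTCPConnection -LocalPort $rdp.PortNumber -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize

# 3. Is the built-in firewall group allowing it, and on which profiles?
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Select-Object DisplayName, Enabled, Profile, Direction, Action | Format-Table -AutoSize

# 4. Who may log on through Remote Desktop: the "Remote Desktop Users" group and the
#    Administrators group both carry the right by default. The reported member names show
#    whether you are expected to log on as MEGAHOSTING\user or SERVER\user.
net localgroup "Remote Desktop Users"
net localgroup Administrators

# 5. Name vs IP: if the name works and the IP does not, the DNS record is the likely difference.
Resolve-DnsName -Name $env:COMPUTERNAME -Type A | Select-Object Name, IPAddress
Resolve-DnsName -Name "$env:COMPUTERNAME.megahosting.local" -Type A | Select-Object Name, IPAddress
```

When the credentials are rejected only from the public IP, try the user as `MEGAHOSTING\Administrator` (or `SERVER\Administrator` for the local account) rather than a bare name. Separately, leaving a domain controller's RDP port reachable from the internet is a poor idea even for a home lab; put it behind the VPN the poster already has instead.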
iphonogasm Posted June 14, 2012 (Author)

Thanks. Also, can users not on the domain still access shares?

Also, when trying to add a user, I keep getting a password policy error, using capitals, letters and numbers?

Thanks!
ICTCity Posted June 14, 2012

Depends on how you set permissions...

Check the default domain policy. By default the "password must meet minimal security. Bla bla bla" is enabled ;)
iphonogasm Posted June 14, 2012 (Author)

I thought this would be the case. How do I edit domain policies? Sorry for the basic question, but I'm guessing it's no longer in gpedit.msc :)

Thanks!
ICTCity Posted June 14, 2012

Yes it is... anyway, start the admin tool Group Policy Management.
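The "password does not meet requirements" error comes from the Default Domain Policy's password settings. Rather than relaxing them, it is usually quicker to read what the policy enforces and test the candidate password against the same rule before creating the user. The following is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module (RSAT, or Server 2008 R2 and later) on a domain-joined machine, and the user name and sample passwords are made up for illustration.

```powershell
# Added example (not from the thread): show the effective domain password policy and
# check a candidate password against the Windows complexity rule before New-ADUser.
# Assumptions: ActiveDirectory module available; sample user/passwords are constructed.

Import-Module ActiveDirectory

# What the Default Domain Policy enforces right now (minimum length, complexity, history, lockout).
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                        LockoutThreshold, MaxPasswordAge | Format-List

function Test-PasswordComplexity {
    # Mirrors the built-in "Password must meet complexity requirements" setting:
    # no samAccountName, no display-name token longer than 2 chars, minimum length,
    # and at least three of four character classes (the fifth class, other Unicode
    # letters, is not modelled here).
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = '',
        [int]$MinLength = 6
    )
    $reasons = @()
    if ($Password.Length -lt $MinLength) { $reasons += "shorter than $MinLength" }

    if ($SamAccountName -and $Password -match [regex]::Escape($SamAccountName)) {
        $reasons += 'contains samAccountName'
    }
    foreach ($tok in ($DisplayName -split '[ ,.\-_#\t]+')) {
        if ($tok.Length -gt 2 -and $Password -match [regex]::Escape($tok)) {
            $reasons += "contains display-name token '$tok'"
        }
    }

    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '\d')           { $classes++ }
    if ($Password -match  '[^a-zA-Z0-9]') { $classes++ }
    if ($classes -lt 3) { $reasons += "only $classes of 4 character classes" }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed samples: the first two fail the way the thread's error describes, the third passes.
$user = @{ SamAccountName = 'jsmith'; DisplayName = 'John Smith' }
'summer2012', 'jsmith!234', 'Tr0ub4dor&3' | ForEach-Object {
    Test-PasswordComplexity -Password $_ @user -MinLength $policy.MinPasswordLength
} | Format-Table -AutoSize

# Once a password passes, create the account with it; -AccountPassword takes a SecureString.
# New-ADUser -Name 'John Smith' -SamAccountName 'jsmith' -DisplayName 'John Smith' `
#     -AccountPassword (ConvertTo-SecureString 'Tr0ub4dor&3' -AsPlainText -Force) -Enabled $true
```

If you do want to change the policy, the place is Group Policy Management > Default Domain Policy > Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy; after editing run `gpupdate /force` on the DC. Keeping complexity enabled and raising the minimum length is the safer direction, since these accounts will also be what the VPN and FTP services authenticate against.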
iphonogasm Posted June 19, 2012 (Author)

So I've set up AD and configured a Domain, but I figured I should probably do this on a separate server as I have MSSQL, IIS sites deployed etc. and I'm not 100% on how to configure users etc., so I used DCPROMO to remove the domain, and now I have 3 administrator accounts: Administrator, Administrator002, and Administrator003.

How can I get back to my original administrator account, as now I cannot start the SQLEXPRESS service and have multiple other issues?

Thanks!
ICTCity Posted June 19, 2012

Tell me that you can unjoin all servers and PCs from the domain, delete it, re-create the domain and rejoin... if not... mhhhh, you should MANUALLY find each entry for Admin002 and 003 in your domain... good luck -.-'
iphonogasm Posted June 19, 2012 (Author)

But these are local accounts. I mean I've had 3 administrator accounts created after adding and removing the DC and AD.
ICTCity Posted June 19, 2012

Ahhhh ok... net user /delete Administrator002 (and 003) doesn't work?
iphonogasm Posted June 20, 2012 (Author)

Nope, doesn't work, says the user is not found.... It's almost like it has just reconfigured the admin account, settings, desktop etc. Net user is only displaying 1 administrator account.

Another thing: the password to log on is back to the old password; however, the password for VPN, FTP etc. is still the password required by the AD password complexity requirements.
ICTCity Posted June 20, 2012

Go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\

And check if you can find any account named admin002 and so on. Under the ProfileList folder there are SIDs, but once you have selected one of them, in the right pane you can find ProfileImagePath, which tells you the name of that account.

Honestly I think the problem is a permission issue on the admin profile folder (you should be the owner of that folder), because the 001, 002, ... profiles are created to avoid duplicates when Windows cannot write to the profile directory.
iphonogasm Posted June 20, 2012 (Author)

Yes, they are all here. Under ProfileList I have folders like S-1-5-21-1056292147-1731425162-1583861610-500 and so on, which include the key for the usernames, like this:

S-1-5-21-1056292147-1731425162-1583861610-500 has key C:\Users\Administrator.SERVER
S-1-5-21-1582617699-224248212-3476242630-500 has key C:\Users\Administrator.SERVER.000
S-1-5-21-2921618210-2197447772-3526847797-500 has key C:\Users\Administrator (THIS IS THE ONE I WANT, THE ONE BEFORE THE DOMAIN)
S-1-5-21-481466144-1424781139-3841315146-500 has key C:\Users\Administrator.SERVER.001

Key is "ProfileImagePath"

Thanks again!
ICTCity Posted June 20, 2012

Quoting iphonogasm:
Yes, they are all here. Under ProfileList I have folders like S-1-5-21-1056292147-1731425162-1583861610-500 and so on, which include the key for the usernames, like this:
S-1-5-21-1056292147-1731425162-1583861610-500 has key C:\Users\Administrator.SERVER
S-1-5-21-1582617699-224248212-3476242630-500 has key C:\Users\Administrator.SERVER.000
S-1-5-21-2921618210-2197447772-3526847797-500 has key C:\Users\Administrator (THIS IS THE ONE I WANT, THE ONE BEFORE THE DOMAIN)
S-1-5-21-481466144-1424781139-3841315146-500 has key C:\Users\Administrator.SERVER.001
Key is "ProfileImagePath"

The red-marked profiles should stay there. Rename the others (simply add OLD at the beginning of the SID) and check if everything's still working.
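Each dcpromo promotion and demotion leaves the server with a new machine SID, so every earlier Administrator (RID 500) gets a profile entry that no longer resolves to any account. The script below is an added example, not from the thread: it inventories ProfileList the way the last two posts describe, marks the entry belonging to the account currently logged on and those whose SID prefix matches the machine's current SAM, exports and renames only the rest with the OLD_ prefix suggested above, and does nothing until run with -Apply. It assumes an elevated session as a local administrator on the demoted server; the output columns and the -Apply switch are this example's own.

```powershell
# Added example (not from the thread): inventory HKLM\...\ProfileList and rename only the
# profile entries whose SID belongs to a SAM this machine no longer has.
# Assumptions: elevated PowerShell as a local admin on the demoted server. Dry run by default.

param([switch]$Apply)

$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# SID of the account running this script: never touched, whatever else the checks say.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# The machine SID is the domain part of the current local Administrator's SID (RID 500).
$localAdmin = (New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\Administrator")).
              Translate([System.Security.Principal.SecurityIdentifier])
$machineSid = $localAdmin.AccountDomainSid.Value

$report = foreach ($key in Get-ChildItem $ProfileList) {
    $sidText = $key.PSChildName
    if ($sidText -notmatch '^S-1-5-21-') { continue }   # skip S-1-5-18/19/20 service profiles
    $sid  = [System.Security.Principal.SecurityIdentifier]$sidText
    $path = (Get-ItemProperty $key.PSPath).ProfileImagePath
    $account = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '(unresolvable)' }
    [pscustomobject]@{
        Sid      = $sidText
        Path     = $path
        Account  = $account
        Current  = ($sidText -eq $me)
        LocalSam = ($sid.AccountDomainSid.Value -eq $machineSid)
    }
}
$report | Format-Table -AutoSize

foreach ($p in $report) {
    if ($p.Current -or $p.LocalSam) { continue }
    $newName = "OLD_$($p.Sid)"
    if ($Apply) {
        # Export first so the key can be restored with 'reg import' if something breaks.
        $regPath = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$($p.Sid)"
        reg.exe export $regPath "$env:TEMP\ProfileList_$($p.Sid).reg" /y | Out-Null
        Rename-Item -Path (Join-Path $ProfileList $p.Sid) -NewName $newName
        "renamed $($p.Sid) ($($p.Path)) -> $newName"
    } else {
        "would rename $($p.Sid) ($($p.Path)) -> $newName   (re-run with -Apply)"
    }
}
```

Renaming only hides the stale entries; it does not bring the old desktop back. To get the pre-domain profile folder (C:\Users\Administrator in the post above) used again, the live entry's ProfileImagePath has to point at that folder and the current Administrator SID needs full control of it (`icacls C:\Users\Administrator /grant "SERVER\Administrator:(OI)(CI)F" /T`), done while logged on as a different local admin so the profile is not in use. The service that will not start is the same problem in another form: the SQLEXPRESS service account SID changed with the SAM, so re-entering the service logon account in services.msc (or `sc.exe config`) repairs it.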