Setting up Active Directory - woes and considerations

[SecCon]

Not getting around the DNS lookup stuff.

Intended client can't find the ADDC.

This is not even covered by any of the tutorials, not as simple as this should be anyways.

Note: This information is intended for a network administrator. If you are not your network’s administrator, notify the administrator that you have received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain “wsrvaddc1.homered.conram.it”:

The error was: “DNS name does not exist.”
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.wsrvaddc1.homered.conram.it

Common causes of this error include the following:

• The DNS SRV records required to locate an AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when an AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

192.168.1.1

• One or more of the following zones do not include delegation to its child zone:

wsrvaddc1.homered.conram.it
homered.conram.it
conram.it
it
. (the root zone)

Tried added a forward in my firewall to cope with this but it is not working or is the wrong thing or whatever...

forward-zone:
  name: "wsrvaddc1.homered.conram.it."
  forward-addr: 192.168.1.42

 

[DavidRa]

So, remember how I said "All your clients only use the DCs for DNS" - this sort of domain join failure is a symptom of DNS not working.

Whatever you're trying to join to AD must have ONLY your DC IP addresses. This is 100% not negotiable at all. Windows will look up all DNS servers in parallel so you can't rely on "Well the local DC is first".

From the client try:

nslookup homered.conram.it 192.168.1.42

It should return that third record for 192.168.1.42.

Next, what is the domain name you're trying to join? Looks like you're trying to join the domain controller, not the domain. When you created the domain you gave it domain names to use - use them here.

 

[SecCon]

@DavidRa
I guess you are right, I read too much in the linked tutorial and not enough what was posted here.

This is the windows server




The nslookup from a virtual test machine I also use, resulted in this:

C:\Users\USER>nslookup homered.conram.it 192.169.1.42
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.169.1.42

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

The DNS entry in ServerManager looks like this



and has this text in it below:

The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

(Don't really know if that is something that needs addressing.)


From the nslookup result and the 169.254* addresses in Server Manager I think I need to reconf the DNS on the server somehow, but not sure how.

 

[DavidRa]

Your test with nslookup used the wrong IP - I can see you typed 192.169 instead of 192.168. These details are really important, the computer can't interpret typos to get the answers you need.

Looks to me like your server might have multiple IP addresses - maybe multiple NICs? You really want most devices to have only one, for simplicity. When you need more ... you'll know because there's a specific need for it (as a rule, only routers, firewalls, maybe proxy servers and backup servers).

So. DC with a single NIC and address 192.168.1.42. Use your normal subnet mask and gateway. It must have DNS server addresses either 127.0.0.1 or 192.168.1.42. Client with a single NIC and address 192.168.1.SOMETHING and DNS server addresses configured with only 192.168.1.42. Join the domain homered.conram.it.

 

[SecCon]

Your test with nslookup used the wrong IP - I can see you typed 192.169 instead of 192.168. These details are really important, the computer can't interpret typos to get the answers you need.

Grr, sorry, was working at the same time and still are. Distracted. Are you implying correct numbers are important ?

> From my work desktop, that is not intended as client for this:

C:\Users\USER>nslookup homered.conram.it 192.168.1.42
Server:  UnKnown
Address:  192.168.1.42

DNS request timed out.
    timeout was 2 seconds.
Name:    homered.conram.it
Address:  192.168.1.42

> From a virtual machine that could be used as client for this:

C:\Users\USER>nslookup homered.conram.it 192.168.1.42
Server:  UnKnown
Address:  192.168.1.42

Name:    homered.conram.it
Address:  192.168.1.42
>

> From the ADDC server itself

C:\Users\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WSRVADDC1
   Primary Dns Suffix  . . . . . . . : homered.conram.it
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : homered.conram.it

Ethernet adapter Onboard LAN 1:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : homered.conram.it
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection (2) I219-LM
   Physical Address. . . . . . . . . : 0C-C4-7A-88-4C-74
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) I350 Gigabit Network Connection
   Physical Address. . . . . . . . . : 0C-C4-7A-88-4C-76
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Onboard LAN 4:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) I350 Gigabit Network Connection #2
   Physical Address. . . . . . . . . : 0C-C4-7A-88-4C-77
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : homered.conram.it
   Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connection
   Physical Address. . . . . . . . . : 0C-C4-7A-88-4C-75
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::cd12:80f7:45b7:7e%7(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.42(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : den 24 oktober 2023 11:04:53
   Lease Expires . . . . . . . . . . : den 25 oktober 2023 09:06:16
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 101500026
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2C-C3-60-1F-0C-C4-7A-88-4C-75
   DNS Servers . . . . . . . . . . . : ::1
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Users\Administrator>

The server has only one NIC connected, as I posted above somewhere... it had two, and the NIC Card has four ports, but I removed all but one, that is shared with BMI, so in theory it has one IP for BMI and one IP for the server, but there should be no way of mixing those up.

 

[DavidRa]

OK the disconnected ports are the reason Server Manager shows multiple wrong IPs. The ones registered in DNS are more important.

Why is your DC using DHCP? When DNS is installed, it should have warned you to make it static. Do that too!

You do need to set DNS on the DC to just be the DC itself, not other devices - the DNS Server will handle forwarding other queries out to the Internet. The rest seems like it should proceed to plan now as long as you stop handing out the DNS of the firewall in DHCP.

 

[SecCon]

A bit step by step.
---

I set the DNS on the ADDC machine to 127.0.0.1, it had defaulted for some reason.

  Connection-specific DNS Suffix  . : homered.conram.it
   Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connection
   Physical Address. . . . . . . . . : 0C-C4-7A-88-4C-75
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::cd12:80f7:45b7:7e%7(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.42(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : den 24 oktober 2023 11:04:53
   Lease Expires . . . . . . . . . . : den 26 oktober 2023 11:53:24
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 101500026
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2C-C3-60-1F-0C-C4-7A-88-4C-75
   DNS Servers . . . . . . . . . . . : ::1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

I did a small test on my ADDC machine

C:\Users\Administrator>nltest /dsgetdc:homered.conram.it
           DC: \\WSRVADDC1.homered.conram.it
      Address: \\192.168.1.42
     Dom Guid: b8d03df0-4271-4df2-8181-7f1b4bbf6ec4
     Dom Name: homered.conram.it
  Forest Name: homered.conram.it
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9 DS_10 KEYLIST
The command completed successfully

That was not successful on my intended clients.

I can still ping the ADDC machine via it's IP, but not it's domain name.

So I set one of my test clients to use DNS of the ADDC machine:

C:\Users\USER>ipconfig /renew

Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : homered.conram.it
   Link-local IPv6 Address . . . . . : fe80::9671:5a34:b586:fb5%5
   IPv4 Address. . . . . . . . . . . : 192.168.1.52
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

And then repeated the nltest from that Client

C:\Users\USER>nltest /dsgetdc:homered.conram.it
           DC: \\WSRVADDC1.homered.conram.it
      Address: \\192.168.1.42
     Dom Guid: b8d03df0-4271-4df2-8181-7f1b4bbf6ec4
     Dom Name: homered.conram.it
  Forest Name: homered.conram.it
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9 DS_10 KEYLIST
The command completed successfully

Successfully joined the domain homered.conram.it


Lets see if it survives the restart. And a posterior logon to that client via RDP as usual...


It worked.

So the whole issue might have been inconsistent implementation of the DNS server, doing unrelated junk, and not 100% controlling what exactly I was changing. Hey, that's me in a nutshell. Also why I document.

So now to see if I can do some messing about with this client.

Suggestions?

---
I can not replace the DNS of my Firewall with the DNS of the ADDC machine due to many reasons, my home comps are not all a "lab", only a very limited few.

 

[nabsltd]

So, remember how I said "All your clients only use the DCs for DNS" - this sort of domain join failure is a symptom of DNS not working.

Has Server 2019 or 2022 fixed the problem with slow recursive DNS lookups (i.e., anything to the Internet) that existed in Server 2012?

Because of these timeouts, I changed the DNS server given out by Windows DHCP to be my pfSense firewall. On the pfSense, there is a re-direct for local domains to the DNS server on the DCs. That allowed everything to work perfectly...no timeouts on DNS that leaves the premises, and Windows DNS still works fine.

 

[SecCon]

Has Server 2019 or 2022 fixed the problem with slow recursive DNS lookups (i.e., anything to the Internet) that existed in Server 2012?

I do not know, anything I can test for you?
I run IPFire as FW since it is has a lot easier initial configuration. It has just about no settings related to ADDC implemented with the exception of one rule:

forward-zone:
  name: "homered.conram.it."
  forward-addr: 192.168.1.42

And it might work without it, will try that later.

 

[DavidRa]

Has Server 2019 or 2022 fixed the problem with slow recursive DNS lookups (i.e., anything to the Internet) that existed in Server 2012?

I have not seen this failure mode in any of the environments I've built, so I can't say.

I do not know, anything I can test for you?
I run IPFire as FW since it is has a lot easier initial configuration. It has just about no settings related to ADDC implemented with the exception of one rule:

forward-zone:
  name: "homered.conram.it."
  forward-addr: 192.168.1.42

And it might work without it, will try that later.

Well that config is fine for DNS (though you should also add the correct reverse lookup zones and a forwarder, it's not an absolute requirement). Definitely should have included that in your other configuration information.

The reason I harp on "have to use the DCs for DNS" is because attempting to cater for all possibilities, including people who do weird and wacky things for "sekkuritee", is a fool's errand. Simplify when trying to teach/guide.

 

[SecCon]

The reason I harp on "have to use the DCs for DNS" is because attempting to cater for all possibilities, including people who do weird and wacky things for "sekkuritee", is a fool's errand. Simplify when trying to teach/guide.

Lol, I would probably be one of those. Since I worked with, and managed, Tech Support in an automotive company for well over a decade in the past I may have stumbled over that.

Just pondering next steps right now... browsing a few tutorials, but nothing like having relevant feedback from a live dialogue like this. Oh, and spamming ChatGPT....

 

[SecCon]

So I started over.

Remember this?



One sees that and may look for errors. We all know that 169.254.*.* addresses are a bad thing if you expect connectivity. Well, it was easy to fix. Just disable the NIC's you do not use.



But that leaves me with the question, why the report in Server Manager even bother to collect data from non-connected NIC's? Ah well. I guess there is a reason somehow.

I deleted everything and reinstalled the server. The reason for this was twofold:
The naming of the AD and DC was not good enough, even for a fictional scenario. When changing that I suddenly got a temp profile in users after the reboot. I loathe temp profiles in Windows, something is wrong and often you don't find out what. So since my steps so far were not very hard nor lengthy to remake I decided for the recycler.

In this I simplified a few things, like the name, that was changed to WADDC1 .

I will continue in next posts, or editing this if no one posts after me.

 

[ghost792]

But that leaves me with the question, why the report in Server Manager even bother to collect data from non-connected NIC's? Ah well. I guess there is a reason somehow.

That is one of those great unanswered questions.

Ironically, I'm setting up a new domain and AD server at work today.

 

[SecCon]

Oddly enough, despite having disabled the those NIC's as posted above, the ADDC installation re enabled them so I had to disable them again. WTH.

In any case I am now so far in the second setup that everything works as intended, I changed some network settings as well prior to that, I was not happy with the naming of stuff and its interpretation, but that's just me being picky.

Now I will make the GPO and join a comp, it worked before so should work again.

 

[SecCon]

... and after leaving it with zero actions since last post, 10 days, suddenly it has no internet conn, when it previously had, with 127.0.0.1 as dns server. wtf...
...

after a reboot that was fixed, but why does it do such things?

 

[ghost792]

... and after leaving it with zero actions since last post, 10 days, suddenly it has no internet conn, when it previously had, with 127.0.0.1 as dns server. wtf...
...

I don't usually use 127.0.0.1 for the domain controller's DNS. I set it to the LAN IP that the DNS server listens on. Every time I've used 127.0.0.1 for the server's DNS, it's ended up causing problems for us.

You might also want to check your forwarders in the DNS server and make sure they have your desired external DNS servers correctly set (usually ISP's DNS, Google, Cloudflare, or whatever).

 

[SecCon]

The local DNS server on the ADDC server has zero such entries.

 

[artinm]

"The local DNS server on the ADDC server has zero such entries."

Does this mean you have not set any forwarders?

ex. In dns manager -> {server name} properties -> forwarders

 

[SecCon]

Not done anything specific for DNS aside from what was done when setting up the AD





That was not really covered by the "ohh setup AD is so easy-peasy" tutorials I have looked in to so far.
Which was kinda expected anyhow... I am in no hurry.

 

[ghost792]

Not having DNS forwarders set can make the domain controller, or any computer using the DC for DNS, unable to access the internet. When a computer requests a DNS transaction from the DC's DNS server for an address outside the local network, it sends that request to one of the DNS servers configured as a forwarder.