New To Ad....some Questions And Problems

[iphonogasm]

Hi, this is my very first time deploying and configuring AD. I am setting up a Domain Controller at home, for a very small network (testing and knowledge ) )

I have crated the domain and have a DNS zone for my domain

I had the DNS zone prior to setting up the DC, it was just propogating DNS records, A, MX mail etc etc for my domain.

So i went ahead and installed the DC role using dcpromo, all seemed to go well, however, i am unable to connect to the DC.

I am

- on the same network
- the DC is my DNS server
- I have a static IP
- The adapter is setup to update DNS records.
- The DC/DNS server is not the DHCP server

I am getting the error


Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "megahosting.co.nz":

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.megahosting.co.nz

Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

192.168.2.200

- One or more of the following zones do not include delegation to its child zone:

megahosting.co.nz
co.nz
nz
. (the root zone)

Thanks guys!!

 

[ICTCity]

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "megahosting.co.nz":

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.megahosting.co.nz

Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

192.168.2.200

The answer is there...

your DNS does not have the SRV record related to "_ldap._tcp.dc._msdcs.megahosting.co.nz" this looks a bit strange to me but add this record manually and everything should be resolved.

 

[iphonogasm]

So heres the thing, I have created the SRV record.

Service = _ldap

Protocol= _tcp

Port = 3389

Host offering the server = computer name

domain = megahosting.co.nz

I have a ZONE megahosting.co.nz with A records proporgated for my domain to the internet.

Do i need to create a domain for this zone?

Im getting the same error

There appears to be a firewall entry (automatically added) for this port

Thanks again!

 

[ICTCity]

You just have to create the SRV record in "megahosting.co.nz" and the name of this record will be: "_ldap._tcp.dc._msdcs"

ps: pay attention when you reply, you have edited my post )

 

[iphonogasm]

You just have to create the SRV record in "megahosting.co.nz" and the name of this record will be: "_ldap._tcp.dc._msdcs"

ps: pay attention when you reply, you have edited my post )

Im really sorry about this. Have no idea how that happened. )

I got it working, however i had to create a new domain, so instead of promoting my DC to my existing TLD megahosting.co.nz, i had to make it megahosting.local i understand this is better for security reasons as .local is not routable. Just woundering why it would not add to my existing .co.nz domain (dynamic updates enabled)

Maybe you could just quickly explain to me the main points of a Domain. Why have a domain in a network? What does it do/restrict?

Thanks again!!

 

[ICTCity]

A domain is a group of objects (computers, users, policies, ...). In a windows environment you have a basic NON-domain WORKGROUP (called workgroup) which is good until 10 clients, then you can't add more pc. This limit is imposed by microsoft. In a domain you can easily manage everything at once, when you decide that the new default printer will be the HP IdontKnow instead of the Canon IreallyDontKnow, you don't have to access all the computers, you can just change your script or group policy.

Regarding NAMES: well you should have everytime a local domain and (if needed) a public domain. Dynamics update are something different, actually megahosting.co.nz and megahosting.local ARE NOT the same thing. Windows doesn't know anything about the similar name. So, you should first create the LOCAL domain and THEN the public domain. To be honest this doesn't matter, the most important thing is: have 2 domains, internal and external.

Hope this help.

 

[iphonogasm]

Thanks that clears that up!!

I have a few other small issues after installing and configuring AD

- i am unable to remotely RDP into the server now from a seperate public ip. I am getting an authentication problem and is saying that the username/password is incorrect. However i can access it from the local network with the same credentials.

- When connected to the Domain, i can RDP into the server on the local network but ONLY using computer name. It no longer works with IP (192.168.2.200) and appears to be the oppisite when not connected to the domain

- and lastly, after creating and configuring AD, my Administrator accound has changed. Different desktop, different settings etc. i had saved downloads paused in an app and need to resume them but when i log in to the app they are gone, i have 3x Administrator accounts in the Users folder

Thanks

 

[ICTCity]

If (and this is your case) the RDP answesr but the credentials are wrong, you may have two different problems:
1) You must specify the domain: username@mydomain or mydomain\username
2) Check if remote RDP for that user is blocked or not (USUALLY for admins is permitted, but check in AD properties if it's permitted)


It sounds like RDP is not enabled on that IP and it works with the name because of DNS resolves the name with the correct IP. Check on TS properties if the BINDING interface is only the external and change it to "*" (all).


That's right. When you login with domain account (no matter if it's a new or old account) the GROUP POLICY is (are) applied specifying desktop settings, permissions and so on. By default the "Default Group Policy" is applied. To change this: Start > RUN > gpedit.msc



tip: when you want to test if RDP is up and running, open your browser and type: http://IPorNAMEofTHEserver:3389/

 

[iphonogasm]

Thanks, also, can users not on the domain still access shares?

also when trying to add a user, i keep getting a password policy error, using capitals, letters and numbers?

Thanks!

 

[ICTCity]

Depends on how do you set permissions...

Check the default domain policy. By default the "password must meet minimal security. Bla bla bla" is enabled )

 

[iphonogasm]

I thought this would be the case, how do i edit domain policies

Sorry for basic question, but im guessing its no longer in gpedit.msc

Thanks!

 

[ICTCity]

Yes it is... anyway start admin tool group policy management.

 

[iphonogasm]

so ive setup AD and configured a Domain, bit i figured i should probally do this on a seperate server as i have MSSQL, IIS sites deployed etc and im not 100% with how to configure users etc

so i used DCPROMO to remove the domain, and now i have 3 administrator account, Administrator, Administrator002, and Administrator003

How can i get back to my original administrator account as now i cannot start SQLEXPRESS service and multiple other issues.

Thanks!

 

[ICTCity]

Tell me that you can unjoin all servers and pc from domain, delete it, re-create the domain and rejoin... if not... mhhhh you should MANUALLY find each entry for Admin002 and 003 in your domain... good luck -.-'

 

[iphonogasm]

But these are local accounts. I mean ive had 3 administrator accounts created after adding and removing the DC and AD

 

[ICTCity]

ahhhh ok...

net user /delete Administrator002 & 3

doesn't work?

 

[iphonogasm]

Nope doesnt work, says the user is not found.... Its almost like its just reconfigured the admin account, settings destop etc

Net user is only displaying 1 administrator account

Another thing, the password to logon is back to the old password, however password for VPN, FTP etc is still the password required by AD passwrd complexity requirements

 

[ICTCity]

Go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\

And check if you can find any account named admin002 and so. Under the folder ProfileList there are SIDs but once you have selected one of them, on the right pane you can find ProfileImagePath that can tell you what's the name of that account.

Honestly I think the problem is a permission issue on the admin profile folder (you should be the owner of that folder), because the 001, 002, ... profiles are created to avoid duplicates when windows cannot write to the profile directory.

 

[iphonogasm]

Yes they are all here, Under profilelist i have folders like

S-1-5-21-1056292147-1731425162-1583861610-500

and so on, which include the key for the usernames.

like this

S-1-5-21-1056292147-1731425162-1583861610-500 has key C:\Users\Administrator.SERVER

and

S-1-5-21-1582617699-224248212-3476242630-500 has key C:\Users\Administrator.SERVER.000

and,....

S-1-5-21-2921618210-2197447772-3526847797-500 has key C:\Users\Administrator ( THIS IS THE ONE I WANT, THE ONE BEFORE THE DOMAIN)

and....

S-1-5-21-481466144-1424781139-3841315146-500 has key C:\Users\Administrator.SERVER.001

Key is "ProfileImagePath"

Thanks again!

 

[ICTCity]

Yes they are all here, Under profilelist i have folders like

S-1-5-21-1056292147-1731425162-1583861610-500

and so on, which include the key for the usernames.

like this

S-1-5-21-1056292147-1731425162-1583861610-500 has key C:\Users\Administrator.SERVER


and

S-1-5-21-1582617699-224248212-3476242630-500 has key C:\Users\Administrator.SERVER.000

and,....

S-1-5-21-2921618210-2197447772-3526847797-500 has key C:\Users\Administrator ( THIS IS THE ONE I WANT, THE ONE BEFORE THE DOMAIN)

and....

S-1-5-21-481466144-1424781139-3841315146-500 has key C:\Users\Administrator.SERVER.001

Key is "ProfileImagePath"

Thanks again!

The red marked profiles should stay there. Rename the others (simply add OLD at the beginning of the SID) and check if everything's still working.