iphonogasm, Posted June 9, 2012

Hi, this is my very first time deploying and configuring AD. I am setting up a Domain Controller at home, for a very small network (testing and knowledge :) ). I have created the domain and have a DNS zone for my domain. I had the DNS zone prior to setting up the DC; it was just propagating DNS records (A, MX for mail, etc.) for my domain. So I went ahead and installed the DC role using dcpromo. All seemed to go well; however, I am unable to connect to the DC.

I am:
- on the same network
- the DC is my DNS server
- I have a static IP
- the adapter is set up to update DNS records
- the DC/DNS server is not the DHCP server

I am getting the error:

> Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.
>
> The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "megahosting.co.nz":
>
> The error was: "DNS name does not exist." (error code 0x0000232B RCODE_NAME_ERROR)
>
> The query was for the SRV record for _ldap._tcp.dc._msdcs.megahosting.co.nz
>
> Common causes of this error include the following:
>
> - The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses: 192.168.2.200
>
> - One or more of the following zones do not include delegation to its child zone: megahosting.co.nz, co.nz, nz, . (the root zone)

Thanks guys!!
ICTCity, Posted June 9, 2012

> The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "megahosting.co.nz":
>
> The error was: "DNS name does not exist." (error code 0x0000232B RCODE_NAME_ERROR)
>
> The query was for the SRV record for _ldap._tcp.dc._msdcs.megahosting.co.nz
>
> Common causes of this error include the following:
>
> - The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses: 192.168.2.200

The answer is there... your DNS does not have the SRV record related to "_ldap._tcp.dc._msdcs.megahosting.co.nz". This looks a bit strange to me, but add this record manually and everything should be resolved.

--------------------------------------------------------
You can also write in French. You can also write in German. You can also write in Italian.
--------------------------------------------------------
iphonogasm (Author), Posted June 10, 2012

So here's the thing: I have created the SRV record.

Service = _ldap
Protocol = _tcp
Port = 3389
Host offering this service = computer name
Domain = megahosting.co.nz

I have a ZONE megahosting.co.nz with A records propagated for my domain to the internet. Do I need to create a domain for this zone? I'm getting the same error. There appears to be a firewall entry (automatically added) for this port.

Thanks again!
ICTCity, Posted June 10, 2012

You just have to create the SRV record in "megahosting.co.nz", and the name of this record will be "_ldap._tcp.dc._msdcs".

PS: pay attention when you reply, you have edited my post :)
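An added example, not part of the thread, of how to check the DC locator records that the dcdiag output in the first post complains about, and how to get them registered. Two caveats a practitioner would raise before creating anything by hand: the DC registers these records itself through the Netlogon service (that is what "registered automatically" in the error text means), so re-triggering that registration is the first thing to try; and the LDAP SRV record must point at TCP port 389, not 3389 (3389 is Remote Desktop and has nothing to do with locating a domain controller). Note also that if the zone is the same one that is published to the internet, every AD record, including the DC's private address, gets published with it, which is one reason for keeping an internal name separate from the public one. Assumptions: the domain is megahosting.co.nz, the DC/DNS server is 192.168.2.200 and its host name is SERVER (the name implied by the profile paths later in the thread); nslookup, nltest, dnscmd and dcdiag are the stock Windows Server tools.

```powershell
# Added example (not from the thread): verify and, if needed, re-register the
# DC locator SRV records. Run in an elevated PowerShell prompt on the DC.
# Assumptions: domain megahosting.co.nz, DC/DNS at 192.168.2.200, host name SERVER.

$Domain    = 'megahosting.co.nz'
$DnsServer = '192.168.2.200'
$DcHost    = "SERVER.$Domain"          # assumed host name of the DC

# Records Netlogon publishes for every DC. LDAP is TCP 389, Kerberos is TCP 88.
$Expected = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.$Domain"
)

function Test-DcSrvRecords {
    param([string[]]$Names, [string]$Server)
    $missing = @()
    foreach ($name in $Names) {
        # nslookup ships with every Windows version; "can't find" / "Non-existent
        # domain" is its rendering of NXDOMAIN (the 0x232B error in the post).
        $out = & nslookup.exe -type=SRV $name $Server 2>&1 | Out-String
        if ($out -match "can't find|Non-existent domain") {
            $missing += $name
            Write-Warning "MISSING  $name"
        } else {
            Write-Host "present  $name"
            # Show target and port so a record that points at 3389 stands out.
            ($out -split "`n") | Where-Object { $_ -match 'svr hostname|port' } |
                ForEach-Object { Write-Host "         $($_.Trim())" }
        }
    }
    return $missing
}

$missing = Test-DcSrvRecords -Names $Expected -Server $DnsServer

if ($missing.Count -gt 0) {
    # First choice: ask Netlogon to re-register all of its records. The zone must
    # accept dynamic updates from the DC for this to succeed.
    & nltest.exe /dsregdns
    Start-Sleep -Seconds 5
    $missing = Test-DcSrvRecords -Names $Expected -Server $DnsServer
}

if ($missing -contains "_ldap._tcp.dc._msdcs.$Domain") {
    # Last resort, the manual record from the advice above but with the right port:
    # name relative to the zone, priority 0, weight 100, port 389, target = the DC.
    & dnscmd.exe $DnsServer /RecordAdd $Domain '_ldap._tcp.dc._msdcs' SRV 0 100 389 "$DcHost."
}

# Full DNS health check; its output names the zone/record that still fails.
& dcdiag.exe /test:dns /v
```

If `nltest /dsregdns` succeeds, the manual `dnscmd` step is never reached, which is the preferred outcome: records Netlogon owns are refreshed by it on a schedule, while a hand-made record goes stale the moment the DC's name or address changes.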
iphonogasm (Author), Posted June 13, 2012

> You just have to create the SRV record in "megahosting.co.nz", and the name of this record will be "_ldap._tcp.dc._msdcs".
>
> PS: pay attention when you reply, you have edited my post :)

I'm really sorry about this. I have no idea how that happened. :)

I got it working; however, I had to create a new domain, so instead of promoting my DC to my existing TLD megahosting.co.nz, I had to make it megahosting.local. I understand this is better for security reasons as .local is not routable. Just wondering why it would not add to my existing .co.nz domain (dynamic updates enabled).

Maybe you could just quickly explain to me the main points of a domain. Why have a domain in a network? What does it do/restrict?

Thanks again!!
ICTCity, Posted June 13, 2012

A domain is a group of objects (computers, users, policies, ...). In a Windows environment you have a basic NON-domain WORKGROUP (called workgroup), which is good for up to 10 clients; then you can't add more PCs. This limit is imposed by Microsoft. In a domain you can easily manage everything at once: when you decide that the new default printer will be the HP IdontKnow instead of the Canon IreallyDontKnow, you don't have to access all the computers, you can just change your script or group policy.

Regarding NAMES: well, you should always have a local domain and (if needed) a public domain. Dynamic updates are something different; actually megahosting.co.nz and megahosting.local ARE NOT the same thing. Windows doesn't know anything about the similar name. So, you should first create the LOCAL domain and THEN the public domain. To be honest this doesn't matter; the most important thing is: have 2 domains, internal and external.

Hope this helps.
iphonogasm (Author), Posted June 13, 2012

Thanks, that clears that up!!

I have a few other small issues after installing and configuring AD:

- I am unable to remotely RDP into the server now from a separate public IP. I am getting an authentication problem, and it is saying that the username/password is incorrect. However, I can access it from the local network with the same credentials.
- When connected to the domain, I can RDP into the server on the local network but ONLY using the computer name. It no longer works with the IP (192.168.2.200), and it appears to be the opposite when not connected to the domain.
- And lastly, after creating and configuring AD, my Administrator account has changed: different desktop, different settings etc. I had saved downloads paused in an app and need to resume them, but when I log in to the app they are gone. I have 3x Administrator accounts in the Users folder.

Thanks
ICTCity, Posted June 14, 2012

If (and this is your case) the RDP answers but the credentials are wrong, you may have two different problems:
1) You must specify the domain: username@mydomain or mydomain\username
2) Check if remote RDP for that user is blocked or not (USUALLY for admins it is permitted, but check in the AD properties if it's permitted)

It sounds like RDP is not enabled on that IP, and it works with the name because DNS resolves the name to the correct IP. Check in the TS properties if the BINDING interface is only the external one, and change it to "*" (all).

That's right. When you log in with a domain account (no matter if it's a new or old account) the GROUP POLICY is (are) applied, specifying desktop settings, permissions and so on. By default the "Default Group Policy" is applied. To change this: Start > Run > gpedit.msc

Tip: when you want to test if RDP is up and running, open your browser and type: http://IPorNAMEofTHEserver:3389/
iphonogasm (Author), Posted June 14, 2012

Thanks. Also, can users not on the domain still access shares? Also, when trying to add a user, I keep getting a password policy error, using capitals, letters and numbers?

Thanks!
ICTCity, Posted June 14, 2012

Depends on how you set permissions...

Check the default domain policy. By default the "password must meet minimal security... bla bla bla" is enabled :)
iphonogasm (Author), Posted June 14, 2012

I thought this would be the case; how do I edit domain policies? Sorry for the basic question, but I'm guessing it's no longer in gpedit.msc :)

Thanks!
ICTCity, Posted June 14, 2012

Yes it is... anyway, start the admin tool Group Policy Management.
iphonogasm (Author), Posted June 19, 2012

So I've set up AD and configured a domain, but I figured I should probably do this on a separate server, as I have MSSQL, IIS sites deployed etc. and I'm not 100% with how to configure users etc. So I used DCPROMO to remove the domain, and now I have 3 administrator accounts: Administrator, Administrator002, and Administrator003.

How can I get back to my original administrator account, as now I cannot start the SQLEXPRESS service and have multiple other issues?

Thanks!
ICTCity, Posted June 19, 2012

Tell me that you can unjoin all servers and PCs from the domain, delete it, re-create the domain and rejoin... if not... mhhhh, you should MANUALLY find each entry for Admin002 and 003 in your domain... good luck -.-'
iphonogasm (Author), Posted June 19, 2012

But these are local accounts. I mean I've had 3 administrator accounts created after adding and removing the DC and AD.
ICTCity, Posted June 19, 2012

Ahhhh ok... `net user Administrator002 /delete` (and the same for 003) doesn't work?
iphonogasm (Author), Posted June 20, 2012

Nope, doesn't work, says the user is not found.... It's almost like it's just reconfigured the admin account, settings, desktop etc. Net user is only displaying 1 administrator account.

Another thing: the password to log on is back to the old password; however, the password for VPN, FTP etc. is still the password required by the AD password complexity requirements.
ICTCity, Posted June 20, 2012

Go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\

and check if you can find any account named admin002 and so on. Under the folder ProfileList there are SIDs, but once you have selected one of them, on the right pane you can find ProfileImagePath, which can tell you the name of that account.

Honestly I think the problem is a permission issue on the admin profile folder (you should be the owner of that folder), because the 001, 002, ... profiles are created to avoid duplicates when Windows cannot write to the profile directory.
iphonogasm (Author), Posted June 20, 2012

Yes, they are all here. Under ProfileList I have folders like S-1-5-21-1056292147-1731425162-1583861610-500 and so on, which include the key for the usernames, like this:

S-1-5-21-1056292147-1731425162-1583861610-500 has key C:\Users\Administrator.SERVER
S-1-5-21-1582617699-224248212-3476242630-500 has key C:\Users\Administrator.SERVER.000
S-1-5-21-2921618210-2197447772-3526847797-500 has key C:\Users\Administrator (THIS IS THE ONE I WANT, THE ONE BEFORE THE DOMAIN)
S-1-5-21-481466144-1424781139-3841315146-500 has key C:\Users\Administrator.SERVER.001

Key is "ProfileImagePath".

Thanks again!
ICTCity, Posted June 20, 2012

> Yes, they are all here. Under ProfileList I have folders like S-1-5-21-1056292147-1731425162-1583861610-500 and so on, which include the key for the usernames, like this:
>
> S-1-5-21-1056292147-1731425162-1583861610-500 has key C:\Users\Administrator.SERVER
> S-1-5-21-1582617699-224248212-3476242630-500 has key C:\Users\Administrator.SERVER.000
> S-1-5-21-2921618210-2197447772-3526847797-500 has key C:\Users\Administrator (THIS IS THE ONE I WANT, THE ONE BEFORE THE DOMAIN)
> S-1-5-21-481466144-1424781139-3841315146-500 has key C:\Users\Administrator.SERVER.001
>
> Key is "ProfileImagePath".

The red marked profiles should stay there. Rename the others (simply add OLD at the beginning of the SID) and check if everything's still working.
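An added example, not part of the thread, that does the ProfileList inspection described in the two posts above in one pass: it lists every profile entry, resolves each SID to an account name, and flags the SID-500 (built-in Administrator) entries. The resolution step is the check a practitioner wants here, because each promotion and demotion gives the machine (or domain) a fresh SID, so several of the four SIDs above belong to security principals that no longer exist and will not translate to any name; those are the entries that can safely be parked. Renaming the key, as suggested above, is reversible, so the script only renames (and only with -WhatIf until you remove it); Windows itself uses a `.bak` suffix for the same purpose and the script leaves such entries alone. Assumption: the profile to keep is the one whose ProfileImagePath is exactly C:\Users\Administrator, as stated above; run elevated on the server being cleaned up.

```powershell
# Added example (not from the thread): inventory ProfileList entries, resolve
# SIDs, and park stale RID-500 entries by renaming their keys (reversible).
# Assumption: the profile to keep lives at C:\Users\Administrator.

$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$KeepPath    = 'C:\Users\Administrator'

function Get-ProfileInventory {
    Get-ChildItem $ProfileList | ForEach-Object {
        $sid  = $_.PSChildName
        $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
        # Translate the SID to DOMAIN\name or COMPUTER\name. This throws for the
        # SID of a domain or local SAM that no longer exists (e.g. after dcpromo /demote).
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                           [System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolvable>'
        }
        [pscustomobject]@{
            SID        = $sid
            RID500     = ($sid -like 'S-1-5-21-*-500')  # built-in Administrator of some SAM/domain
            Account    = $account
            Path       = $path
            PathExists = (Test-Path -LiteralPath $path)
            IsBackup   = $sid.EndsWith('.bak')           # already parked by Windows itself
        }
    }
}

$inventory = Get-ProfileInventory
$inventory | Format-Table SID, RID500, Account, Path, PathExists, IsBackup -AutoSize

# Park RID-500 entries whose principal no longer exists and which do not point at
# the profile we want to keep. -WhatIf only prints the renames; drop it to apply.
$inventory |
    Where-Object { $_.RID500 -and $_.Account -eq '<unresolvable>' -and
                   $_.Path -ne $KeepPath -and -not $_.IsBackup } |
    ForEach-Object {
        Rename-Item -Path (Join-Path $ProfileList $_.SID) -NewName "OLD_$($_.SID)" -WhatIf
    }
```

Read the Account column before renaming anything. Exactly one SID-500 entry will resolve to `SERVER\Administrator` (the current local SAM); if that is not the entry pointing at C:\Users\Administrator, the old profile cannot be "switched back to" by renaming keys, because the account that owned it no longer exists. What can be recovered in that case is the folder's contents, by taking ownership of C:\Users\Administrator as the current Administrator (the permission problem the reply above points at) and then pointing the current SID-500 entry's ProfileImagePath at it.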
iphonogasm (Author), Posted June 26, 2012

Thanks, I'll try this tonight.

I have some more questions regarding AD. I've just set up a separate server as my DC. I have edited the default policy and default domain policy and disabled password complexity requirements, but it still requires a password length etc. I also tried to "enforce" these policies with no luck.

Another thing: do I have to have the Domain Controller set as the DNS server in order to join the domain? Or does the DNS server just have to be on the domain as well, or in the forest? For example, I have my DC at 192.168.2.230 and say I am using the router as my DNS server, 192.168.2.1; will I be able to join the domain? Because this doesn't seem to work.

And lastly, for now :), I have joined a few clients to the domain; however, when logging in, it logs in as COMPUTERNAME/USERNAME, not DOMAIN/USERNAME. How do I set up my DC so that when a computer is joined to my domain, it adds the credentials automatically for that computer and the default login is to the DOMAIN, not the local computer?

Hope this makes sense!! Thanks!!
ICTCity, Posted June 26, 2012

I think I will write a tutorial / explanation regarding policies in Windows domains. There's a lot of confusion, and troubleshooting these problems is a really hard task. First of all you must determine which policies are applied to that group / OU / user, then you can start troubleshooting. So, open GP Manager and run a RESULTANT GROUP OF POLICY and select the computer / user. Once finished you can easily see which policies have been applied; in case of an error (permissions) you will see "ACCESS DENIED" or something like this.

Good question. THEORETICALLY no, you just need a common DNS with the needed records (_ldap, _tcp, ...), so your router cannot do this (you can't add DNS entries). Practically --> mhhh, more or less: you can set up a DNS server BEFORE and then create a domain. In this way dcpromo should create the entries for you, but anyway you will always have a local DNS, but the client's DNS can also be another one (different from your DC).

Mhh, no idea. Usually when a PC joins a domain correctly you are prompted to enter the domain's credentials. If you write domain\username, does it work?
iphonogasm (Author), Posted June 26, 2012

OK, I managed to log on to the domain with a client as DOMAIN/USER. Worked fine, took a while though :S

So, how can I change this damn password to not require complexity requirements? I have set the policies, so do I need to assign the policies to the user now?

Also, lastly, can I set it so the domain automatically creates a user for the local user account? Or do I need to manually add it?

Thanks again, learning lots :) :) :)
ICTCity, Posted June 26, 2012

> OK, I managed to log on to the domain with a client as DOMAIN/USER. Worked fine, took a while though :S
>
> So, how can I change this damn password to not require complexity requirements? I have set the policies, so do I need to assign the policies to the user now?
>
> Also, lastly, can I set it so the domain automatically creates a user for the local user account? Or do I need to manually add it?

Check in all of your GROUP POLICY whether somewhere there's the policy "Password must meet minimal complexity requirements".

I don't understand what you mean with "can I set it so the domain automatically creates a user for the local user account? Or do I need to manually add it?"
iphonogasm (Author), Posted June 27, 2012

Yes, I have disabled the "password must meet minimum complexity requirements" in both the DOMAIN profile and DOMAIN CONTROLLERS profiles. Yet I am still unable to use any password unless it contains capitals and numbers etc.

What I mean by this is... if I have someone join my domain, say a staff member joins my company and needs to join the domain. Do I NEED to add that user as a user on my DC manually? Obviously I need to add the PC to the domain; then do I need to access the domain controller and manually add the user there? I'm guessing I do it manually, otherwise this would be a security issue. Just wondering though.

A few more little questions :)

Right now, any user on the DC can access any PC on the domain using their username via RDP. How do I disable this? Just disable remote connections for the user? But then say I want to allow a user to RDP into their machine only, and their username only working on THEIR PC. So in other words, assign a USER to a COMPUTER in the DC.

Thanks!
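An added example, not part of the thread, for the password complexity puzzle in the last few posts: it reads the policy that domain accounts are actually checked against, and produces the Resultant Set of Policy report that the earlier reply recommends. The caveat that explains the symptom above: Account Policies (complexity, minimum length, lockout) for domain accounts are taken only from GPOs linked at the domain root, of which the Default Domain Policy is the usual one; the same setting in the Default Domain Controllers Policy, or in any OU-linked GPO, changes nothing for domain users, and a fine-grained password policy (Server 2008 and later) overrides the domain policy for the users or groups it is applied to. Assumptions: the ActiveDirectory PowerShell module is installed (Server 2008 R2, or RSAT on Windows 7 or later), the machine is joined to the domain in question, and the script is run in an elevated prompt; the file name for the report is a placeholder.

```powershell
# Added example (not from the thread): show the password policy domain accounts
# are really evaluated against, then produce an RSoP report to see which GPO wins.
# Assumptions: ActiveDirectory module available, run elevated on a domain member.

Import-Module ActiveDirectory -ErrorAction Stop

function Get-EffectivePasswordPolicy {
    # Account Policies are read only from GPOs linked at the domain root. A change
    # made in the Default Domain Controllers Policy (or any OU-linked GPO) is ignored
    # for domain user passwords, which is why "disabled in both" can still enforce.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy

    # Fine-grained policies override the domain policy for their targets. If a
    # user is a member of a group one applies to, that one wins for that user.
    $fgpp = Get-ADFineGrainedPasswordPolicy -Filter *

    [pscustomobject]@{
        ComplexityEnabled   = $domainPolicy.ComplexityEnabled
        MinPasswordLength   = $domainPolicy.MinPasswordLength
        MinPasswordAge      = $domainPolicy.MinPasswordAge
        MaxPasswordAge      = $domainPolicy.MaxPasswordAge
        PasswordHistory     = $domainPolicy.PasswordHistoryCount
        LockoutThreshold    = $domainPolicy.LockoutThreshold
        FineGrainedPolicies = (($fgpp | Select-Object -ExpandProperty Name) -join ', ')
    }
}

Get-EffectivePasswordPolicy | Format-List

# Same numbers as the DC enforces them, without the AD module (complexity itself
# is not listed here, only length/age/history/lockout).
& net.exe accounts /domain

# Resultant Set of Policy for the current user and computer. The HTML report
# lists every applied setting with the GPO it came from; look under
# Computer Configuration > Policies > Windows Settings > Security Settings >
# Account Policies for the winning "Password must meet complexity requirements".
$report = Join-Path $env:TEMP 'rsop.html'   # placeholder output path
& gpresult.exe /H $report /F
Start-Process $report

# After editing the Default Domain Policy, make the DCs re-read it rather than
# waiting for the refresh interval.
& gpupdate.exe /force
```

If `Get-ADDefaultDomainPasswordPolicy` still reports `ComplexityEnabled : True` after the edit, the change was made in a GPO that is not linked at the domain root, or a higher-precedence domain-linked GPO sets it back; the RSoP report names which one.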