I've killed my domain. (and it was far too easy) :~(

Thread starter: Cardman

First of all I should point out that this is a Windows 2003 Server
issue and not quite Win2k, but this is the closest group I found.

Anyway, here is what happened...

A short time ago I was trying to resolve a problem with a wireless
connection on my network and left a lot of services enabled on this
connection NIC in my server.

Just recently I went to check to make sure that only TCP/IP was
still enabled on the NIC going to the cable modem and the Internet.

Shock horror. As all those bucket loads of network services were
running on my Internet connection allowing hackers to do as they
please. And so I had the idea to uninstall them all, which I now see
was unwise.

As only when I had stripped the Internet NIC down to only TCP/IP did I
discover that all these services were removed from the other NIC as
well. Why Microsoft classes these service installs under each NIC I
will never know, when they belong to all NICs.

Anyway, no problem to reset the computer as demanded and reinstall all
the required ones again, but then things suddenly got a whole load
worse.

As now my server cannot contact the domain, where it is the case of
hold on, the server *IS* the domain (and DNS, DHCP and more). And so
server.home.local now cannot find home.local even if it can still log
into home.

Not to forget that every single user and share has gone to parts that
I just do not know. In a way that it is kind of there, but Win2k3 just
cannot find it.

And now the top three options of the Active Directories in the
Administrative Tools don't work as they should, when they cannot
contact the domain that everything is telling the system should be
there.

So two quick questions...

Where did my domain and everything else go to and can it be recovered?

Then what is the easiest method to sort all this out? I don't mind
setting up the few users and shares again if needed, but I need my
domain and everything back.

Alas restoring the last good known configuration did not work out,
when Win2k3 believes that losing the domain is perfectly fine.

Anyway, before I get out the install CD and make everything worse,
then I thought that I should get some advice from people who know all
about domains, active directories and where they go to when you
uninstall everything except TCP/IP on the NICs.

Your help will be much appreciated.

Cardman.
 
Hi,
I believe that your first problem is DNS. It is an essential service for AD.
Your clients can find home because it is a NetBIOS name (i.e. it does not use DNS)
and home.local is a Fully Qualified Domain Name (FQDN, i.e. it uses DNS).

When you have two NICs, do as follows.
1. Open Network Properties.
2. First rename your LAN connections so that one is named ExternalNet, the
other is LocalNet.
3. From Advanced menu choose Advanced Settings.
Make your LocalNet first in the list.
Make your ExternalNet second in the list.
4. From ExternalNet remove checkmarks from:
File and Printer Sharing...
Client for Microsoft Networks
(This disables sharing from external network)
5. Adjust network properties so that you use DNS on internal network only on
both NICs.
6. If you want to use external DNS, then set forwarders on your internal DNS
to forward unresolved traffic to external DNS.
7. Check internal DNS that it has SRV records registered (SRV records are
used by AD).
8. If your DNS is installed on this dual homed server, you may wish to
unbind DNS from ExternalNet. You can do it from DNS console. If you do that,
users from the Internet will not be able to resolve DNS names against this
server.
9. You may wish to configure RRAS so you can use NAT service and packet
filtering.

Dusko Savatovic
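The steps above, as a script. This is an added example and not part of the thread; it assumes a Windows Server 2003 DC whose internal NIC is named "LAN" at 192.168.0.1, an external NIC named "Cable Modem", the domain home.local, and an ISP resolver at 203.0.113.53 (a documentation address used as a placeholder). dnscmd, nltest and dcdiag come from the Support Tools on the Windows Server 2003 CD. Run it from an elevated command prompt on the DC.

```batch
@echo off
REM Added example, not from the thread. Makes a dual-homed DC resolve only
REM against its own DNS, forwards everything else to the ISP, stops the DNS
REM server listening on the Internet-facing address, and checks the SRV
REM records Active Directory needs.
REM Assumptions: NIC names "LAN" and "Cable Modem", internal address
REM 192.168.0.1, domain home.local, ISP resolver 203.0.113.53 (placeholder).

set INTERNAL_IP=192.168.0.1
set DOMAIN=home.local
set ISP_DNS=203.0.113.53

REM Step 5: both NICs use the internal DNS server only. Listing the ISP's
REM resolver on a NIC lets the DC send home.local queries to a server that
REM has never heard of the domain, which is the usual cause of "cannot
REM contact the domain" on a dual-homed DC.
netsh interface ip set dns name="LAN" source=static addr=%INTERNAL_IP%
netsh interface ip set dns name="Cable Modem" source=static addr=%INTERNAL_IP%

REM Step 6: unresolved names go to the ISP through a forwarder on the DNS
REM server, not through the NIC's client resolver list.
dnscmd /ResetForwarders %ISP_DNS%

REM Step 8: the DNS server listens on the internal address only, so hosts on
REM the Internet can neither query nor recurse through the DC.
dnscmd /ResetListenAddresses %INTERNAL_IP%

REM Step 7: re-register the DC's own A and SRV records and confirm they exist.
ipconfig /flushdns
ipconfig /registerdns
nltest /dsregdns
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %INTERNAL_IP%
nslookup -type=SRV _kerberos._tcp.dc._msdcs.%DOMAIN% %INTERNAL_IP%
nslookup -type=SRV _ldap._tcp.pdc._msdcs.%DOMAIN% %INTERNAL_IP%

REM Confirm the listen address and forwarders took effect.
dnscmd /Info ListenAddresses
dnscmd /Info Forwarders
```

Each of the three nslookup queries should return an SRV record pointing at server.home.local; an empty answer or "Non-existent domain" means Netlogon has not registered the records, which is the first thing to fix before anything else in Active Directory will work. Steps 1 to 4 (renaming the connections, binding order, unticking File and Printer Sharing and Client for Microsoft Networks on the external NIC) have no command-line equivalent on Windows Server 2003 and are done in the Network Connections GUI as described.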
 
> Hi,
> I believe that your first problem is DNS. It is an essential service for AD.
> Your clients can find home because it is a NetBIOS name (i.e. it does not use DNS)
> and home.local is a Fully Qualified Domain Name (FQDN, i.e. it uses DNS).

Then I will look into DNS, but why the hosting server cannot find its
own domain seems a touch more serious. After all DNS works perfectly
fine for all the TCP/IP net connections, where also all my computers
still appear under Home.
> When you have two NICs, do as follows.

Well technically I have three, but one is currently disabled. As I was
just reading about wireless problems with switches etc, then I think
that I will plug my WAP directly into this normally disabled third
card to see if that helps.

My wireless problem is an odd one as well, when data transfer from my
two laptops works perfectly at between 0.3 to 0.5 mb/s, but downloads
to those laptops results in multiple connection failures and resets of
the link.

It takes a very long time to download anything to my laptops these
days, when say just a 350 kb unit often involves 5 stalls and link
resets. Then as such connection loss often screws up the transfers,
then I can have to restart the download a dozen times.

I have tried simply everything to fix it, but removing my Belkin WAP
from the switch is a new one.
> 1. Open Network Properties.
> 2. First rename your LAN connections so that one is named ExternalNet, the
> other is LocalNet.

I prefer to call them Cable Modem and LAN, where the third one is
disabled, but if it works out I would call it Wireless or WAP.
> 3. From Advanced menu choose Advanced Settings.
> Make your LocalNet first in the list.
> Make your ExternalNet second in the list.

Or first and third, but now done.
> 4. From ExternalNet remove checkmarks from:
> File and Printer Sharing...
> Client for Microsoft Networks

Already done, when I remembered what those checkmarks were for, which
is why only TCP/IP is enabled on my Cable Modem NIC.
> (This disables sharing from external network)

Yes, which is why I uninstalled them all in the first place, where I
then found out that this uninstalled them from all NICs.

I will remember not to do that again.
> 5. Adjust network properties so that you use DNS on internal network only on
> both NICs.

I am not sure what you fully mean here, when the TCP/IP settings on my
Cable Modem NIC require that some DNS is specified, where it is either
my local DNS or to obtain DNS automatically.
> 6. If you want to use external DNS, then set forwarders on your internal DNS
> to forward unresolved traffic to external DNS.

It is nice to know Internet domain names, which is why my DNS lookup
both involves my local DNS and my ISP's one.
> 7. Check internal DNS that it has SRV records registered (SRV records are
> used by AD).

Well after checking DNS I notice a few DNS service errors namely
events 6702, 4015 and 4004 twice. In other words DNS wants my Active
Directory to work, but as I know it is screwed.

Unable to complete directory service enumeration explains something
about my home.local domain though.

Apart from that DNS has my SERVER option containing home.local and
_msdcs.home.local under the Forward Lookup Zones.
> 8. If your DNS is installed on this dual homed server,

DNS looks like it normally does apart from those errors about the
Active Directory.
> you may wish to unbind DNS from ExternalNet. You can do it from DNS console.
> If you do that, users from the Internet will not be able to resolve DNS names
> against this server.

So what one of these many options does that?
> 9. You may wish to configure RRAS so you can use NAT service and packet
> filtering.

I already use RRAS and NAT services to filter Net data across my LAN,
when after all my Cable Modem only links to one computer and routing
needs to be used.

Just recently I noticed that I need to sort out NAT some more, where
for example this computer is 192.168.0.13 and that is what it tells other
computers on the Net it is, instead of my ISP's assigned IP
address.

Thanks for your help so far, where Active Directory seems like the
cause here, when it cannot find this domain. I just wish that I knew
what I was doing, when I did not set up this system in the first
place.

Cardman.
 
As a follow-up to my last message, then just a few minutes ago I got
lucky and found the cause of why my domain, active directory, users
and shares had all vanished into the void.

While browsing the many error messages I found one about an error
reading a configuration file, where the recommended solution was that
the netlogon service was not started, which made it a good idea to go
and start it.

Bingo, sure enough as soon as I ran the "net start netlogon" command
my home.local domain and all the users came flooding back. The shares
did not however, but maybe that was because I established a couple of
new vital shares between then and now.

So problem solved, as when I uninstalled all those network options and
installed them all again, then my Win2k3 server forgot to switch the
netlogon service back on.

Microsoft has a bug in their Windows 2003 server software, methinks,
when being the core of a network without running the netlogon service
simply should not be.

Fortunately this saves me trashing my system with some radical action,
where I thought that it would all still be there someplace.

The only problem now is to get my new USB Wireless link mapped into
the rest of my network IP addresses. Namely 192.168.0.*, where the
only problem is that setting a suitable IP address manually results in
no contact with the laptop at the other end of this perfectly working
link in the wireless sense.

That is except for when the link was first established and Win2k3
decided to configure them in some private virtual domain, which was
somewhere around the 168.*.*.* address I recall.

Not compatible with my network, which is why I ideally want to assign
this USB NIC to the 192.168.0.3 IP address, except that somewhere
within my configuration something is missing and contact is zero.

And before you say it, then I added this new link to Routing and
Remote access by just copying the same settings as used by my
hardwired LAN NIC.

Still no luck, which makes me think my best idea is to turn it back
over to the virtual private network and to check out the routing table
on that one. As if I see how that link was auto configured, then I
should be able to replicate that with my IP address.

Not of course forgetting the inclusion of Internet access, which the
default virtual private network lacked.

I expect that I will get there soon enough, but getting this new link
working in my network's IP range is a lot harder than what I believed
it would be.

Cardman.
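The diagnosis above (Netlogon not running on a DC, so the DC cannot locate its own domain) as a repeatable check. This is an added example, not part of the thread; it assumes the domain home.local with DNS on 192.168.0.1, and that nltest and dcdiag from the Windows Server 2003 Support Tools are installed. Run from an elevated command prompt on the DC.

```batch
@echo off
REM Added example, not from the thread. Checks the Netlogon service on a DC,
REM forces it to start automatically, starts it, and verifies that the domain
REM controller locator and the SRV records it depends on are back.
REM Assumptions: domain home.local, DNS server at 192.168.0.1, Support Tools
REM installed for nltest and dcdiag.

set DOMAIN=home.local
set DNS_IP=192.168.0.1

REM 1. Current state and configured start type. A healthy DC shows
REM    STATE : 4 RUNNING and START_TYPE : 2 AUTO_START; sc qc also lists the
REM    services Netlogon depends on.
sc query netlogon
sc qc netlogon

REM 2. Make it start on every boot. The space after "start=" is required
REM    by sc. Then start it now.
sc config netlogon start= auto
net start netlogon

REM 3. Netlogon registers the DC's SRV records when it starts. Force the
REM    registration and confirm the records resolve against the local DNS.
nltest /dsregdns
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %DNS_IP%

REM 4. Ask the locator for a DC of the domain (this is what fails while
REM    Netlogon is stopped) and run the directory diagnostics for it.
nltest /dsgetdc:%DOMAIN% /force
dcdiag /test:netlogons /test:services
```

If step 2 reports that the service is already set to auto start but it still does not come up after a reboot, "sc qc netlogon" shows its dependencies (the workstation and server services among them); a dependency that is disabled or broken by the network stack reinstall described in this thread will stop Netlogon from starting even though its own start type is correct.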
 
> I expect that I will get there soon enough, but getting this new link
> working in my network's IP range is a lot harder than what I believed
> it would be.

Oh silly me! As of course adding this new wireless NIC is not like
plugging my WAP into my existing network and it being allocated an IP
address within the existing range.

My problem was that the entire 192.168.0.* range is already owned by
my wired NIC on 192.168.0.1. And so trying to share this range was
unhelpful, when this non-flexible system can only route one way.

Anyway, since it would take too long to sub divide this range into
areas, then I decided to start my new wireless network on the IP range
of 192.168.1.* with this NIC being 192.168.1.1.

Kind of wasteful having this entire range for an ad-hoc wireless link
that can only consist of two and no more, but there you go.

Sure enough my Laptop1 computer popped to life and can now see the
server on this NIC. Only problem is that DHCP has yet to allocate my
Laptop1 computer an IP address within this new range.

Setting it manually works, but DHCP starts complaining about a "Bad IP
address" being used. Maybe it just wants to save 192.168.1.10 for
something else being the first IP address to be allocated, but I hope
that DHCP is not limited to allocating IP addresses only within the server's
IP address range of 192.168.0.*.

I may have even got my wired and wireless networks seeing each other
by adding my two scopes under a super scope, when they can certainly
ping each other, but with all the issues with Laptop1's DHCP and my
old USB problem coming back (my server has old USB v1.0 ports that
like to completely fail USB devices now and again) it is hard to say
for sure at this second.

The Internet connection and connection to the server works fine at
least from both network segments. Except when USB support dies on my
server, which makes me think that I should switch off these first
generation USB ports on this motherboard and buy a USB 2.0 plug in
card.

Also I have discovered Win2k3's basic firewall addition to my Cable
Modem connection, which makes one more problem solved, when I can now
allocate ports through it. Maybe I should give the more advanced
firewall a shot, when allocating a small range to be used to each of
my computers is a very long process one port at a time.

I also have had further developments in my netlogon service startup
problem, when despite confirming the automatic start setting this
service would not auto start on boot.

So I thought it was time for radical action, which is why I deleted
all NICs and all Network services and started this lot from fresh. And
fortunately Microsoft Windows Networking remembered to handle the
netlogon service during following boots.

And so not a bad day for sorting out all my server problems, which has
been causing problems for months. Just have to solve the problem of
what is going on with my problem WAP and my USB ports, where I am then
all solved.

I have just also finished re-establishing all of the 20 shares lost
during this netlogon problem, which puts my small network back in
action.

Cardman.
 
Well I have just suckered another one of my network problems, when not
long ago DHCP was being an "evil bitch" and was not allocating IP
address for my new wireless network range.

The problem was that my DHCP server was on 192.168.0.1 and my new
wireless scope allocation was from 192.168.1.10 to 192.168.1.254. And
DHCP was being a bitch by only allocating addresses based on a subnet
mask of 255.255.255.0 of itself.

In other words it knew perfectly well that I added this new range for
allocation to my laptops down this NIC gateway, but as it was not
within its "happy zone", then it ignored these laptop computers.

The solution to this problem was the little service hidden under
Routing and Remote Access known as the "DHCP Relay", which I guess
moved this DHCP request data from 192.168.1.1 to DHCP to the new
192.168.1.1 through 192.168.0.1 to DHCP.

So now that it was within its "happy zone" then so did it soon
allocate IP addresses to my laptops. Or more correctly the one
address, when it allocates IP addresses based on the MAC address it
seems, where the loss of my problem WAP means that I am on share mode.

Oh well time to get me one of those D-Link 802.11g 108 mbps PCMCIA
cards I guess and then to figure out how to have a three computer
wireless network, while avoiding the transmission problem of my last
WAP.

I think at the same time I will replace the wired segment NIC in my
server with a Gigabit one, when that is long overdue seeing that this
computer I am using has had Gigabit support built in to it for a long
time.

Then of course it is time to add a USB 2.0 PCI card into my server at
the same time, when the built in four USB ports on this motherboard
are just not what they should be. Seeing a USB cascade failure is
quite impressive taking out all devices at once, but I can kick it
back to life again by switching between drivers.

As doing that every hour is unhelpful, then getting this new USB card
is required. So that is my current shopping list, even if a new WAP,
switch and more could soon follow.

For now I am going to have a shot at solving the unsolvable, which is
that whenever I click on my Home domain first time, then all the
computers under home.local it shows me are the ones on the local
subnet mark.

Since having to search for the computer that you want to connect to is
unhelpful, just because it is on a different branch of the same tree,
then I will see if there is any way of getting it to list the other
half of my network as well by default.

Ideas on that one are welcome.

To end on a happy note, then during my many searches into solving my
network problems, then I came across one joke advert that made me
laugh, which was titled "will route TCP/IP for sex". :-]

Considering the very problematic and complex configuration that a network
system is, when it is like having to solder your services together
with wires, then he could well have got more than a few offers. ;-]

Cardman.
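The second-subnet DHCP setup from the last two posts (a 192.168.1.0/24 scope on the DHCP server at 192.168.0.1, with the RRAS DHCP Relay Agent carrying requests from the wireless interface) as a script. This is an added example and not the thread's own configuration; it assumes a wireless interface named "Wireless" at 192.168.1.1, the DHCP and DNS server at 192.168.0.1 and the domain home.local. The netsh syntax is from the Windows Server 2003 netsh reference as I remember it; confirm it with "netsh dhcp server ?" and "netsh routing ip relay ?" on the box before trusting it.

```batch
@echo off
REM Added example, not from the thread. Creates a DHCP scope for the second
REM subnet and relays that subnet's DHCP requests to the server on the wired
REM address. Assumptions: DHCP/DNS server at 192.168.0.1, wireless interface
REM "Wireless" at 192.168.1.1, domain home.local. Verify the netsh syntax
REM with "netsh dhcp server ?" and "netsh routing ip relay ?" first.

set DHCP=\\192.168.0.1
set WIFI_IF=Wireless

REM 1. Scope 192.168.1.0/24 handing out .10 to .254, with the wireless NIC
REM    as default gateway, the DC as DNS server and home.local as the suffix.
netsh dhcp server %DHCP% add scope 192.168.1.0 255.255.255.0 Wireless "Wireless segment"
netsh dhcp server %DHCP% scope 192.168.1.0 add iprange 192.168.1.10 192.168.1.254
netsh dhcp server %DHCP% scope 192.168.1.0 set optionvalue 003 IPADDRESS 192.168.1.1
netsh dhcp server %DHCP% scope 192.168.1.0 set optionvalue 006 IPADDRESS 192.168.0.1
netsh dhcp server %DHCP% scope 192.168.1.0 set optionvalue 015 STRING home.local
netsh dhcp server %DHCP% scope 192.168.1.0 set state 1

REM 2. DHCP Relay Agent in RRAS: install it, enable it on the wireless
REM    interface and point it at the DHCP server. The relay stamps the
REM    request with the interface address 192.168.1.1 (the giaddr field),
REM    which is what the DHCP server uses to choose the 192.168.1.0 scope
REM    instead of the scope matching its own 192.168.0.1 address.
netsh routing ip relay install
netsh routing ip relay add interface name="%WIFI_IF%"
netsh routing ip relay set interface name="%WIFI_IF%" relaymode=enable maxhop=4 minsecs=0
netsh routing ip relay add dhcpserver 192.168.0.1

REM 3. Check what was configured.
netsh dhcp server %DHCP% show scope
netsh routing ip relay show ifconfig
```

One check worth making afterwards: the relay agent should be enabled only on the internal wireless interface, never on the "Cable Modem" interface, otherwise DHCP broadcasts from the ISP side are forwarded to the internal DHCP server. "netsh routing ip relay show ifconfig" lists exactly which interfaces are relaying.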
 