two dc and one dhcp

  • Thread starter Thread starter Krishna
  • Start date Start date
K

Krishna

I have two DC's. Each is indiviual forests. Server A is meant for only
DNS/DHCP services. Server B is for logon, fileserver and other applications.
Now, I have a XP box which obtains IP and DNS from Server A(st.abc.net) but
cannot join Server B (efg.net). How to resolve?

Thanks
Kris
 
Krishna said:
I have two DC's. Each is indiviual forests. Server A is meant for only
DNS/DHCP services. Server B is for logon, fileserver and other
applications.
Click to expand...

Generally it is counter-productive to have two DCs but only
only one of them as a DNS server: DC replication and authentication
both require DNS so if the one with DNS is down clients will
either fail to replicate or experiencing slow logons at best.
Now, I have a XP box which obtains IP and DNS from Server A(st.abc.net)
but
cannot join Server B (efg.net). How to resolve?
Click to expand...

Server B is in an different DOMAIN?

You are going to have to clarify this since when you write
2-DCs we presume you mean in a single domain where
both should be using the same DNS-domain-name suffix
(e.g, abc.net OR efg.net but not both.)

If you really do have two domains then each will need its
own DNS ZONE (not necessarily it's 'own' DNS server but
that is common practice.)

Each domain must have that DNS zone and it must be dynamic
to support AD.

If you have more than one domain, or even just multiple DNS
zones, there must be a way for each DNS server to find ALL
such zones to make everything work.

With multiple DNS servers sets (one set for each DNS zone
to support each domain) then you need to find a way to get
from each DNS server to the "other zone" -- usually with
Win2000 you will need each DNS server to hold a 'secondary'
for the "other zone".


--
DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
 
Herb Martin,
Thank you for the reply.

As mentioned in my post, two DC's are seperate by itself in its own forest.
Both were installed seperately. Since AD requires DNS so both DC's have DNS.
Server A purpose was to provide IP address, gateway etc (even though it has
DC users don't login to this server). On Server B, some users have to login
to access files, access applications etc. Those users when joining there
computer to Server B domain (efg.net) its not able to find. What I have done
so far is:

a. Trust setup (results in SC error, fix?) on both Servers.
b. DNS forwarders (do see SRV records) on both Servers.

What else?

Thanks
 
Krishna said:
Herb Martin,
Thank you for the reply.

As mentioned in my post, two DC's are seperate by itself in its own
forest. Both were installed seperately. Since AD requires DNS so both DC's
have DNS. Server A purpose was to provide IP address, gateway etc (even
though it has DC users don't login to this server). On Server B, some
users have to login to access files, access applications etc. Those users
when joining there computer to Server B domain (efg.net) its not able to
find. What I have done so far is:

a. Trust setup (results in SC error, fix?) on both Servers.
Click to expand...

No additional trusts are needed (or usually useful) in a single
forest since all domains in the forest already trust each other.
b. DNS forwarders (do see SRV records) on both Servers.
Click to expand...

NO.

IF you forward both DNS servers to each other you merely
create an INFINITE loop which crashes or causes errors in
the DNS service.

For Win2000, the standard answer is for EACH DNS Server
(representing EACH DOMAIN) to hold a Secondary DNS
zone for the "other DNS" server.

(There are other choices in Win2003 but these features don't
exist in Win2000.)

Make each DNS hold BOTH DNS zones (i.e., the zones for
each domain.)
 
No additional trusts are needed (or usually useful) in a single
forest since all domains in the forest already trust each other.
Click to expand...

They are in separate forest.
NO.
Click to expand...

I meant each zone is secondary zone for the other (sorry for the confusion).
 
Krishna said:
They are in separate forest.
Click to expand...

It is generally the case that you also need "NetBIOS name resolution"
for work for EXTERNAL trusts to work. (Trusts between domains
of different forests are ALWAYS 'external' in Win2000.)

IF you have more than one subnet and you need NetBIOS then you
also have a practical need for WINS Server AND for every machine
(including DCs) to be set as WINS CLIENTS on their NIC->IP->
Advanced configuration.
I meant each zone is secondary zone for the other (sorry for the
confusion).
Click to expand...

No "zone" can be secondary for another zone.

A SERVER can hold multiple zones and be secondary for some,
and (possibly) primary for others.

We all make the mistake of saying things like "The DNS server for
the 'first zone'" when the fact is that any DNS server can hold zones
for many different domains and zones -- it's just hard to talk about this
stuff without (imprecisely) claiming that the DNS server FROM the
'first domain' is the 'first zone DNS server'.

Truth is, DNS servers are "for" the zones they hold no matter
whether they 'live in' a particular zone or domain, or neither.
 
They are in the same subnet. How do I get the external trust work? With the
current setup when clicked on verify results in sc error.
 
Krishna said:
They are in the same subnet. How do I get the external trust work? With
the current setup when clicked on verify results in sc error.
Click to expand...

Check the NIC->IP properties -> Advanced ->WINS tab and
make sure ALL DCs have NetBIOS enabled.

Since it is a single subnet you don't need WINS Server and
they can broadcast for each other.

If this doesn't resolve the problem then break the trust and
re-establish it.
 
Herb,

You are correct that I was trying via netbios name which is failing. I tried
with DNS name, resolved and working like charm. I will verify again to make
sure Netbios is enabled.
Why do I get Secure channel error in trust setup?

Thanks
Kris
 
Krishna said:
Herb,

You are correct that I was trying via netbios name which is failing. I
tried with DNS name, resolved and working like charm. I will verify again
to make sure Netbios is enabled.
Why do I get Secure channel error in trust setup?
Click to expand...

Did you fix the NetBIOS problem yet? NetBIOS is
generally required for external trusts to work.

You really need both DNS and NetBIOS working for
this.

After that you will need to post the exact error message
and perhaps look in the Event Log for more details (numbers
etc.)
 
Herb,

NETBIOS over TCP/IP is set in both servers.

I get following error:

"The secure channel (sc) query on DC \\servernameA of domain efg.net to
domain st.abc.net failed with error: access is denied. An sc reset will now
be attempted."

"The secure channel (sc) reset on domain controller \\servername.st.abc.net
to domain efg.net failed with error:access is denied."

Thanks
Kris
 
Krishna said:
Herb,

NETBIOS over TCP/IP is set in both servers.

I get following error:
Click to expand...

When and where precisely do you get this error?
"The secure channel (sc) query on DC \\servernameA of domain efg.net to
domain st.abc.net failed with error: access is denied. An sc reset will
now be attempted."

"The secure channel (sc) reset on domain controller
\\servername.st.abc.net to domain efg.net failed with error:access is
denied."
Click to expand...

Did you notice that one of those names is using the FULL
DNS name and other is not. That may be a very important
hint for the source of the problem.

Why aren't these domains in the same forest? (They almost always
should be due to the obvious parent-child DNS relationship.)

Send the IPConfig /all from the DC of EACH Domain. Send the
text to a file and paste in the ACTUAL information without editing
and in text not graphics.
 
Back
Top