Active Directory - Domain Controller Settings & Troubleshooting

If you follow an online article about creating a new Domain Controller for either Windows Server 2008 or 2012, it all seems to be a breeze. Well, that’s not how it always turns out, as I recently found out myself.

I was building a new domain controller on a Windows Server 2012 virtual server on VMWare Workstation 9. On the face of it, everything I did was by the book – set up static IPs, new forest, new domain and new DNS. But soon I ran into problems where DNS name resolution wouldn’t work and another VM wouldn’t connect to the domain controller. After hours of troubleshooting, I gave up and re-built the server from scratch. Below are some of the lessons of this experience. Hopefully this will save someone else a great deal of time.

Pre-requisites – Windows Server 2012 or 2008

Before you install the ADDS role, make sure your server has the following settings. Don’t proceed without them.

  • Static IP address. Have a look at my article here about how to assign a static IP on VMWare Workstation
  • Virtual Network Adapter set to VMnet1 (Host Only) or VMNet8 (NAT)

Install ADDS role, DNS and promote server as domain controller

This is straightforward. Go to Server Manager and add “Active Directory Domain Services” role and its associated features. Following ADDS installation, configure your server as domain controller from Server Manager.

Configuration - Domain Controller

TCP/IP (IPv4) and IPv6 properties

  • Make sure the TCP/IP (IPv4) settings are NOT set to obtain an IP address dynamically from DHCP. Even if you are using the VMWare DHCP configuration file to assign a static IP, you must set the static IP in the TCP/IP properties to ensure the VMWare DHCP service is not used for setting the IP address.
    • IP address: <static ip>
    • Preferred DNS Server: 127.0.0.1 (loopback address)
    • Alternate DNS Server: IP address of the domain controller itself
    • IPv6 properties are set to obtain an IP address and DNS server address automatically. Don’t disable IPv6

Preferred and Alternate DNS are both set to point to the server itself: one is the loopback address and the other is the server’s own IP address. You can configure a third DNS server for query forwarding, but if you are building a local lab network that’s not a requirement.
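The same TCP/IP settings can be applied and verified from an elevated PowerShell prompt instead of the adapter properties dialog. This is an added example, not part of the original post; it uses the NetTCPIP and DnsClient modules that ship with Windows Server 2012 and later, and the adapter alias, address, prefix length and gateway are assumed lab values you should replace with your own.

```powershell
# Added example (not from the original post): configure the DC's IPv4 and DNS
# client settings with the NetTCPIP/DnsClient modules (Windows Server 2012+).
# Assumed values: adapter alias "Ethernet", DC address 192.168.1.10/24,
# gateway 192.168.1.1. Replace them with your own lab values.
$Alias   = "Ethernet"
$DcIp    = "192.168.1.10"
$Prefix  = 24
$Gateway = "192.168.1.1"

# Turn DHCP off on the adapter so the VMware DHCP service can no longer hand
# out an address, regardless of what its configuration file says.
Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Disabled

# Drop whatever IPv4 address and default route the adapter currently holds,
# then assign the static address.
Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Alias -DestinationPrefix "0.0.0.0/0" -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $Alias -IPAddress $DcIp -PrefixLength $Prefix -DefaultGateway $Gateway

# Preferred DNS = loopback, alternate = the DC's own address.
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses ("127.0.0.1", $DcIp)

# IPv6 is deliberately left alone: it stays enabled on automatic configuration.

# Verify what the stack actually holds rather than what you think you typed.
# PrefixOrigin should read "Manual", not "Dhcp".
Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 |
    Format-Table IPAddress, PrefixLength, PrefixOrigin -AutoSize
Get-DnsClientServerAddress -InterfaceAlias $Alias -AddressFamily IPv4 |
    Select-Object -ExpandProperty ServerAddresses
```

If the final line prints anything other than 127.0.0.1 followed by the DC’s own address, the DHCP service has overridden your settings and the DNS client will not be pointed at the server you are about to promote.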

Create a Reverse Lookup Zone

A Reverse Lookup Zone in DNS maps an IP address to a host name; it is the opposite of a Forward Lookup Zone, which maps a host name to an IP address. If a client wants the IP address for myintranet.co.nz, the query goes to the Forward Lookup Zone: the client provides the name and gets back the IP address. If the client is after the host name instead, it queries the Reverse Lookup Zone, provides the IP address and gets back the host name.

  • Open DNS Manager and create a reverse lookup zone. Choose “192.168” as the network address, as this covers both the NAT and Host-only IP address ranges in VMWare networking.

Create a PTR record for domain controller

A PTR (pointer) record is created inside the Reverse Lookup Zone and maps the server’s IP address to its name.

  • Go to your domain’s Forward Lookup Zone, double-click the domain controller’s “A” record, select the “Update associated pointer (PTR) record” checkbox and click OK.
  • Now go back to the Reverse Lookup Zone and make sure a PTR record is visible for the domain controller. Press F5 to refresh the screen.
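The zone and PTR record can also be created and checked with the DnsServer PowerShell module once the DNS role is installed. This is an added example, not the post’s own steps; the DC name dc01.lab.local at 192.168.1.10 is an assumed lab value. It also lists any forwarders, because a forwarder pointing at an unreachable address is a common reason lookups time out in an isolated lab.

```powershell
# Added example (not from the original post): create the 192.168 reverse lookup
# zone and the DC's PTR record with the DnsServer module (Windows Server 2012+).
# Assumed values: DC FQDN dc01.lab.local at 192.168.1.10.
$DcFqdn = "dc01.lab.local"
$DcIp   = "192.168.1.10"

# 192.168.0.0/16 covers both the NAT and Host-only ranges VMware uses. The zone
# name Windows derives from that network is 168.192.in-addr.arpa.
$Reverse = "168.192.in-addr.arpa"
if (-not (Get-DnsServerZone -Name $Reverse -ErrorAction SilentlyContinue)) {
    # AD-integrated zone replicated to every DC in the domain; secure dynamic
    # updates let domain members register their own PTR records later.
    Add-DnsServerPrimaryZone -NetworkId "192.168.0.0/16" -ReplicationScope Domain -DynamicUpdate Secure
}

# The PTR's relative name is the host part of the address in reverse order:
# 192.168.1.10 -> "10.1" inside 168.192.in-addr.arpa.
$octets  = $DcIp.Split(".")
$PtrName = "$($octets[3]).$($octets[2])"
if (-not (Get-DnsServerResourceRecord -ZoneName $Reverse -Name $PtrName -RRType Ptr -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordPtr -ZoneName $Reverse -Name $PtrName -PtrDomainName $DcFqdn
}

# Verify both directions resolve through the local DNS server, not a cache.
Resolve-DnsName -Name $DcFqdn -Type A   -Server 127.0.0.1 | Format-Table Name, IPAddress -AutoSize
Resolve-DnsName -Name $DcIp   -Type PTR -Server 127.0.0.1 | Format-Table Name, NameHost  -AutoSize

# A lab DC should have no forwarders; an empty result here is the good outcome.
Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress
```

The PTR lookup should return the DC’s FQDN under NameHost. If the A record resolves but the PTR does not, the reverse zone exists but the record was never created; re-run the block or tick the PTR checkbox on the A record as described above.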

Configuration - Domain members

The DNS settings of domain members (or computers you plan to join to the domain) must point to the IP address of the domain controller.

  • On the client computer, open the TCP/IP properties and set the preferred DNS server to the IP of the domain controller. Leave the alternate DNS server blank.
  • Leave all other settings unchanged, including IPv6

Refresh DNS settings

If you change any of the TCP/IP properties, make sure to refresh DNS by executing the following commands

  • On domain controller and client computers
    • ipconfig /flushdns
    • ipconfig /registerdns
  • Restart the netlogon service on domain controller
    • Net stop netlogon
    • Net start netlogon

Troubleshooting

DNS request timed out

If you start receiving “DNS request timed out” errors from nslookup, that’s a clear sign that your name resolution is not working. The likely cause is the following

  • DNS server can’t be contacted
    • Fix by making sure the TCP/IP properties are set as listed in the section above
    • Change to “host-only” networking in VMWare to isolate the machine from the external network and try again
    • Check there are no “DNS Forwarders” set by going to “Open DNS Manager --> Right click DNS node --> Properties”

Test – Domain Controller

Test the domain controller settings by executing the following commands. All of these must be successful. If not, you have DNS configuration problems

  • PING 127.0.0.1
  • PING <server name>
  • PING <server FQDN> (Important – make sure this command is successful. If not, check your TCP/IP settings as outlined above)
  • PING <default gateway>
  • Nslookup
  • Nslookup <server FQDN>

Test – Domain Clients

Test the connection to the domain controller from another VM on the network that you plan to join to the domain

  • PING <dc name>
  • PING <dc FQDN>
  • Nslookup
  • Nslookup <server FQDN>
  • NSLOOKUP (interactive mode; the SRV query below is how a client locates a domain controller for the domain)
    • > set type=all
    • > _ldap._tcp.dc._msdcs.<domain FQDN>
  • Download the PORTQRY tool to check that the ports are open. If you are stuck, maybe try disabling the firewall temporarily
    • PORTQRY -n <dc name> -p tcp -e 389
    • PORTQRY -n <dc name> -p tcp -e 636
    • PORTQRY -n <dc name> -p both -e 3268
    • PORTQRY -n <dc name> -p tcp -e 3269
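The checks from both test sections above (name resolution, the LDAP SRV record, and the four LDAP/Global Catalog ports) can be run in one pass from either the DC itself or a client about to be joined. This script is an added example, not something from the original post; the domain lab.local, DC name dc01 and address 192.168.1.10 are assumed values. It needs Resolve-DnsName (Windows 8 / Server 2012 or later) and uses a .NET TcpClient for the port test so it does not depend on PORTQRY or on Test-NetConnection being available.

```powershell
# Added example (not from the original post): run the DC and client checks
# from this section in one pass, on the DC itself or on a machine to be joined.
# Assumed values: DC dc01 in domain lab.local at 192.168.1.10.
$Domain = "lab.local"
$DcName = "dc01"
$DcFqdn = "$DcName.$Domain"
$DcIp   = "192.168.1.10"

function Test-DnsAnswer($Name, $Type) {
    # $true only if the query returned at least one record of the requested type.
    # A timeout or NXDOMAIN surfaces as an error, which we swallow into $false.
    $r = Resolve-DnsName -Name $Name -Type $Type -ErrorAction SilentlyContinue
    return ($null -ne $r -and @($r | Where-Object { $_.Type -eq $Type }).Count -gt 0)
}

function Test-TcpPort($HostName, $Port, $TimeoutMs = 2000) {
    # A firewalled port hangs rather than refusing, so connect with a timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = @(
    # Name resolution: short name, FQDN, reverse lookup, and the SRV record a
    # client queries to find a DC for the domain (the nslookup step above).
    @{ Check = "A   $DcName";                        Ok = Test-DnsAnswer $DcName "A" }
    @{ Check = "A   $DcFqdn";                        Ok = Test-DnsAnswer $DcFqdn "A" }
    @{ Check = "PTR $DcIp";                          Ok = Test-DnsAnswer $DcIp "PTR" }
    @{ Check = "SRV _ldap._tcp.dc._msdcs.$Domain";   Ok = Test-DnsAnswer "_ldap._tcp.dc._msdcs.$Domain" "SRV" }
    # The same ports the PORTQRY list probes: LDAP, LDAPS, GC and GC over SSL.
    @{ Check = "TCP 389  (LDAP)";                    Ok = Test-TcpPort $DcFqdn 389 }
    @{ Check = "TCP 636  (LDAPS)";                   Ok = Test-TcpPort $DcFqdn 636 }
    @{ Check = "TCP 3268 (Global Catalog)";          Ok = Test-TcpPort $DcFqdn 3268 }
    @{ Check = "TCP 3269 (Global Catalog over SSL)"; Ok = Test-TcpPort $DcFqdn 3269 }
)

$results | ForEach-Object { [pscustomobject]$_ } | Format-Table Check, Ok -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning "At least one check failed: revisit the TCP/IP and DNS settings above."
}
```

Read the table top down: if the A and SRV rows fail but the port rows pass, the machine can reach the DC but is not using it for DNS, which points at the client’s preferred DNS server setting. If the name rows pass and the port rows fail, name resolution is fine and the firewall or the network adapter type (NAT versus Host-only) is the next thing to check. The short-name row depends on the client having the domain as its DNS suffix, so on a machine that has not yet been joined it may fail while the FQDN row passes.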
