Unable to Join Domain

Some great information and advice in this thread.

I have to admit, until I understood how DCs worked, I would enter the router or a public DNS as the secondary DNS. It seemed the logical thing to do at the time, but I learned the hard way that it doesn't work like that. If the DC goes offline, even briefly, some pretty funky things can happen, especially in multi-server environments, when internal names start resolving to external IPs.


Now that I understand that I should set up DNS forwarding on the server and point both the primary and secondary DNS on the laptop to the server, I'll work on that tomorrow.

Unless I've been doing it wrong, no need to enter the server's IP twice. Just fill in the primary and leave the secondary blank. If the server isn't responding as the primary DNS, it ain't gonna respond as a secondary DNS either.
 
Ok, so my project for this morning is to get a grasp of DNS forwarding and implement it on the server. Should the server then forward to the router/gateway which then forwards to OpenDNS, or should it forward directly to OpenDNS?
 
Alright, forwarding is in place and the laptop (which I'm currently on) looks only to the server. I know I should move DHCP from the router to the server, but since the server is a learning tool right now and therefore likely to have significant and recurring operator errors I'm a bit leery. Although, I'll have to do it sometime. Can't afford trepidation.
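The setup the last few posts arrive at (forwarders on the server, the laptop pointed at the server and nothing else), written out as an added example; this is not from the thread. The server side assumes the Windows Server DNS module (2012 or later); the client side uses netsh and nslookup because the laptop is Windows 7. The DC address 10.58.58.15, the zone name corp.example.local and the adapter name "Local Area Connection" are placeholders.

```powershell
# Added example, not from the thread. Server commands run on the DC; client
# commands run in an elevated prompt on the Win7 laptop.
# 10.58.58.15, corp.example.local and "Local Area Connection" are placeholders.

# --- On the DC: forward anything it is not authoritative for to OpenDNS.
#     208.67.222.222 / 208.67.220.220 are OpenDNS's public resolvers; put the
#     router's LAN address here instead if you would rather chain through it.
Set-DnsServerForwarder -IPAddress '208.67.222.222','208.67.220.220' -UseRootHint $false
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# --- On the Win7 laptop: remove any router/public DNS entries and leave the
#     DC as the ONLY resolver. No secondary: a public secondary is exactly how
#     internal names end up resolving to external IPs when the DC blips.
netsh interface ipv4 delete dnsservers name="Local Area Connection" address=all
netsh interface ipv4 set dnsservers name="Local Area Connection" source=static address=10.58.58.15 validate=no
ipconfig /flushdns

# --- Check: both answers must show Server/Address 10.58.58.15. The first is
#     served from the AD zone, the second comes back through the forwarder.
nslookup dc01.corp.example.local
nslookup www.opendns.com
```

If the second nslookup times out while the first works, the forwarder (or the router in front of it) is the problem, not the client configuration.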

So, in a network like mine where it's a hodgepodge of dissimilar devices where at best two devices (a Mac mini & a Win7pro Laptop) are capable of joining a domain, yet all devices should look to the server for DHCP, how should it be configured given "Best Practices?" I do have a managed switch to work with, but I don't know how much help that will be on such a relatively small network.

As an aside, this is what I became frustrated with when working toward my Net+ cert. I know break/fix reasonably well and needed mainly to get up to speed with various changes for the A+. The cram courses provided by the State (though I'm thankful for them) just don't teach this stuff. Sitting in a helpdesk cubicle with a headset answering calls for password resets won't get you any experience either. Most of the job postings I see (yes, I'm still looking as I still need actual income) ask for at least some AD experience which leads me back to learning this myself. So, no matter which way my fortune goes I need to know this better than I do. So, I'm in - all in. If switching DHCP to the server is the next logical step, then that's what I'll do. I have a significant array of dissimilar devices to torture myself with, and as long as the wife can check her email and surf the web when she gets home, I have nothing to prevent me from learning. So, where to next, DHCP? Should I map everything out on paper first? Should I be concerned about the lack of a firewall?
 
Why? Your router can still be used to provide NAT and NOT be a DHCP server and having NAT provides SOME protection as a firewall.

I was just thinking about that and why you would say (for other than good practice) that a firewall was now needed. My thought was that since the server was now looking directly to outside DNS servers there would be increased exposure and therefore greater risk. I couldn't think of another reason why a firewall would be more needed now than it has been. Ugh, I should know better. As you say, the router still provides NAT translation and therefore some protection. Still, a firewall has moved up on my shopping list.

So, please let me know if I become too bothersome or annoying as I continue to ask questions. I don't wish to become a thorn in anyone's underwear.

At this point it seems reasonable to reconfigure the entire network structure. I've read that moving away from the typical consumer 192.168.xxx.xxx addressing is good practice. So, now seems a good time to change to a 10.58.58.xx addressing scheme, though I should be able to retain the current layout. Correct?
 
So, please let me know if I become too bothersome or annoying as I continue to ask questions. I don't wish to become a thorn in anyone's underwear.
Are you kidding?
Do you have any idea how many people come in here with the exact same sort of question, but instead of being willing to ask-examine-ask-apply-ask-again like you have, they just say "OMG GIMME THE ANSWER ORDOITFORME!!! WARGARBLE!!!!1111eleventyone!"

I'm kinda looking forward to those same people in the future just being directed to this thread.
 
MM, a Windows Server DHCP service will serve ANY devices. Be it an XBox, Apples, Windoze, Linux, SmartTVs, whatever. They'll still pull an IP from your Windows Server's DHCP service just like they would the router's. They don't have to join the domain, the DHCP service will serve anyone on the physical LAN.

Note for you....you can't start a Windows DHCP service if there is currently another DHCP service running on the network. So you'll have to log into the router...disable its DHCP..and then configure and start the DHCP service on your server. If you try to configure/start it first...it will eventually say "Eh eh...sorry..I can't....I smell another DHCP service on the network and I'm a spoiled brat and can't co-exist with another...I want all the glory!"

...or something like that. :D
 
Are you kidding?
Do you have any idea how many people come in here with the exact same sort of question, but instead of being willing to ask-examine-ask-apply-ask-again like you have, they just say "OMG GIMME THE ANSWER ORDOITFORME!!! WARGARBLE!!!!1111eleventyone!"

I'm kinda looking forward to those same people in the future just being directed to this thread.

Well, I'll forge ahead then.

In my searching for general "Best Practice" documentation I came across this document from Cisco. While it doesn't directly address my immediate concerns, it does provide a good work-flow to follow when designing a larger network. For my application it seems prudent to stick with the basics to ensure that I understand what I'm doing, and why. Those principles will make the larger network configurations easier for me to understand, and hopefully make me better at what I'm doing.

So, changing my internal addressing scheme to 10.58.58.xx should also change the router's gateway address as well. So, if I wanted to make a direct copy of my current IP scheme the router IP should then become 10.58.58.1. The rest of what's on my network could retain its current .xx address with only the 10.58.58 changing. Correct? Given the devices I've listed above, should I change the internal addressing scheme? If so, why?
 
MM, a Windows Server DHCP service will serve ANY devices. Be it an XBox, Apples, Windoze, Linux, SmartTVs, whatever. They'll still pull an IP from your Windows Server's DHCP service just like they would the router's. They don't have to join the domain, the DHCP service will serve anyone on the physical LAN.

Note for you....you can't start a Windows DHCP service if there is currently another DHCP service running on the network. So you'll have to log into the router...disable its DHCP..and then configure and start the DHCP service on your server. If you try to configure/start it first...it will eventually say "Eh eh...sorry..I can't....I smell another DHCP service on the network and I'm a spoiled brat and can't co-exist with another...I want all the glory!"

...or something like that. :D

Ha! I've already learned that one! I initially installed 2012 Essentials a while back not knowing it installs itself preconfigured as the DHCP server, among other things. I currently have 4 devices that are able to handle DHCP. Only one gets promoted to that task!
 
Yeah. You can get Windows DHCP to get along with other Windows DHCP....so long as same directory, and some other things in place. But that's on networks much bigger than we on here work on.
 
Since it appears that a ground-up rework of the network is in order, how much consideration should be given to the physical layout? There's not much room for change in this case as the physical requirements of the network include 3 rooms and a basement. One change I know I should make is in the office. There I have a NAS, 2 hosts (with USB devices attached), and a network printer behind an unmanaged switch connected to a port on the managed switch. Each device should be connected directly to a port on the managed switch, but that would mean running multiple cables across the floor (and under area rugs) in a home built in 1910. I'm not running cable through 105-year old lath & plaster walls! It seems reasonable to expect that a client (myself in this case) would have physical compromises as well.

So, it seems that I should use static IPs where possible such as for the managed switch, server, NAS, hosts, and printer. I could then set a DHCP range for the various wifi devices. The Roku & VOIP don't allow me to set static IPs, but I could set reservations for them. Any advantage in this case for breaking things out onto different LANs? Any performance improvements?
 
My rule of thumb is assign static IP addresses on all devices that provide some type of service on the network and let clients use DHCP. Many support people tend to use the same type of IP architecture on all their networks. Makes things simpler to troubleshoot when you have many sites.

For a somewhat complex class C network I'll typically do the following, which includes my home network:

Networking devices - .1-.14
Servers - .15-.50
Server VMs - .51-.65
Printers - .100-.110
DHCP scope for clients - .125-.150

But simple networks I'll just terminate the DHCP scope at .200 and put the few fixed IP stuff above that. Another hint. When you plan your LAN's think about VPN's as the EU's site cannot have the same subnet as the destination subnet. Many common networks are 192.168.1.x, 192.168.0.x, 10.1.10.x because of the way the residential routers are setup. So if you have a customer with possible VPN you should bump up the second to last octet. Personally I'll set it to .253.x
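Mark's layout above, the earlier note that the Windows DHCP service serves every device on the LAN whether or not it is domain-joined, and the question about reservations for the Roku and VoIP box, combined into one added example on the Windows Server DHCP role. This is not code from the thread; the 10.58.58.0/24 range, the server at .15, the zone name corp.example.local and the reservation MAC addresses are placeholders I constructed.

```powershell
# Added example, not from the thread. Lays out 10.58.58.0/24 the way Mark
# describes: fixed addresses low, printers at .100+, DHCP clients .125-.150.
# Run on the DC after the router's own DHCP has been switched off (the service
# will not start alongside another DHCP server, as noted earlier in the thread).
$ScopeId = '10.58.58.0'
$Mask    = '255.255.255.0'
$Gateway = '10.58.58.1'             # router keeps NAT and the .1 address
$Dc      = '10.58.58.15'            # DC/DNS server, static, first of Mark's server block
$Domain  = 'corp.example.local'     # placeholder AD DNS name

# Authorize this server in AD; an unauthorized DHCP server refuses to hand out leases.
Add-DhcpServerInDC -DnsName "$($env:COMPUTERNAME).$Domain" -IPAddress $Dc

# One scope for the /24, but only .125-.150 is actually leased. Everything
# below .125 stays free for the static switch/server/VM/printer blocks.
Add-DhcpServerv4Scope -Name 'Home LAN' -StartRange '10.58.58.125' -EndRange '10.58.58.150' `
    -SubnetMask $Mask -LeaseDuration (New-TimeSpan -Days 1) -State Active

# Scope options: the DC is the ONLY DNS server clients receive, plus gateway and suffix.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $Dc -Router $Gateway -DnsDomain $Domain

# Devices that cannot be given a static address get reservations instead, so
# they always land on the same lease. MACs are constructed placeholders.
$Reservations = @(
    @{ Name = 'roku'; IP = '10.58.58.130'; Mac = 'AA-BB-CC-00-00-01' },
    @{ Name = 'voip'; IP = '10.58.58.131'; Mac = 'AA-BB-CC-00-00-02' }
)
foreach ($r in $Reservations) {
    Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $r.IP -ClientId $r.Mac -Name $r.Name
}

# Verify before letting clients renew against it.
Get-DhcpServerv4Scope | Format-Table ScopeId, StartRange, EndRange, State
Get-DhcpServerv4Reservation -ScopeId $ScopeId | Format-Table Name, IPAddress, ClientId
Get-DhcpServerv4OptionValue -ScopeId $ScopeId | Format-Table OptionId, Value
```

The reservation addresses sit inside the leased range on purpose: a reservation outside the scope's start/end is accepted by the cmdlet but the client never gets offered it.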
 
Thanks, Mark, I hadn't even considered IP addresses for future VMs. They are a must on my list of things to do. As for bumping up the second to last octet for VPN, I'm missing something here. Both 10.1.10.0/24, and 10.1.253.0/24 = 128 Max. Subnets and 254 Max. Hosts. I've either forgotten (since January), or am brain-dead altogether because I don't see what the difference is, other than I have more I can "borrow from" for the last octet. But, since I can only have 254 Hosts and 128 Subnets in either example, I can only assume that I don't understand.
 
Sorry Mike, I guess I was not clear enough. Say you, or a customer, wants to VPN between two sites. Does not matter whether it is office-to-office or client, EU, to office. At a minimum class C subnets cannot be the same. You cannot have one side 10.1.10.0/24 and the other side 10.1.10.0/24 as well. That is what I meant by bumping up the second-to-last octet. One can be .10.0/24 and the other can be .11.0/24. Of course if they are totally different nets, say 192.x and 10.x then that works.

An example. An office is set up with FIOS which defaults to 10.1.10.0/24 if I remember correctly using their standard router setup. Now a user may have FIOS as well or Comcast, I think Comcast also does 10.1.10.0/24. Say the office has all kinds of stuff set up, NAS, printers, APs. So one will think, ok, have the user change it. No problem except most ISPs have poor residential support so the process might take hours or pay you to do it. Now another EU shows up on the radar, same issue. It becomes a customer service issue.

If the office was all done on DHCP then changing the router and release/renew on the clients and equipment works. But then you will have to re-map all of the services which may add time and expense. If it's an existing setup I just tell them we need to change things once. When I set up new services I'll always have the office on something like 192.168.2xx.0/24. If it's a 10.x.x.x network I'll make it 10.253.x.0/24 because I have seen many public hotspots in the 10.x.x.x/24 range. But all of the variance has been in the 3rd octet. Hope that is clear enough.
 
I'm similar to Mark....

For setup, I prefer to have the gateway at .1
Managed switches typically in the low single digits
Servers around .10 and low teens
Printers in the .20 and up
Typically set the DHCP client range to start at .100...or for a larger network with many client rigs...start at .75 or even .50.

Years ago I learned to no longer use the common class C's....192.168.0.x, 192.168.1.x, 10.1.1.x, because of remote VPN users from home. Easier to build the office network on a more unique IP range than try to change the home LAN of every remote VPN user.

So I'll typically do 192.168.10.xxx, 192.168.11.xxx, or sometimes I'll play in the 10.xxx.xxx.xxx range but more commonly the 192.

If you're building a network that will be multi-site, make each site different.
Mothership/central office 192.168.10.xxx, satellite A 192.168.11.xxx, satellite B 192.168.12.xxx
For purpose of connecting via VPN tunnels in between the routers.
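Mark's explanation of why the two ends of a VPN cannot share a subnet, and the multi-site layout just above, turned into an added checker; it is not code from either poster. It goes a little beyond the thread's /24-only examples by handling any prefix length, which is what shows why "bump the third octet" is only half the story. The office and home ranges in the check at the bottom are constructed to match the ranges the thread mentions.

```powershell
# Added example, not from the thread: tells you before a tunnel is built
# whether a remote LAN collides with the site LAN. All ranges are constructed.

function ConvertTo-IpNumber ([string]$Ip) {
    # Dotted quad -> number. A double holds any 32-bit value exactly, and
    # plain arithmetic avoids PowerShell's signed bit-shift surprises.
    $o = $Ip.Split('.') | ForEach-Object { [double]$_ }
    $o[0] * 16777216 + $o[1] * 65536 + $o[2] * 256 + $o[3]
}

function ConvertFrom-IpNumber ([double]$N) {
    $octets = 0..3 | ForEach-Object { [math]::Floor($N / [math]::Pow(256, 3 - $_)) % 256 }
    $octets -join '.'
}

function Get-NetworkRange ([string]$Cidr) {
    # First and last address of the block containing $Cidr, for any prefix length.
    $ip, $bits = $Cidr.Split('/')
    $size  = [math]::Pow(2, 32 - [int]$bits)
    $start = [math]::Floor((ConvertTo-IpNumber $ip) / $size) * $size
    [pscustomobject]@{
        Cidr    = $Cidr
        Network = ConvertFrom-IpNumber $start
        Start   = $start
        End     = $start + $size - 1
    }
}

function Test-SubnetOverlap ([string]$A, [string]$B) {
    $x = Get-NetworkRange $A
    $y = Get-NetworkRange $B
    ($x.Start -le $y.End) -and ($y.Start -le $x.End)
}

function Get-VpnConflicts ([string]$Site, [string[]]$Remotes) {
    # Every remote LAN that cannot be routed through a tunnel to $Site as-is.
    $Remotes | Where-Object { Test-SubnetOverlap $Site $_ }
}

# Constructed check: an office on one of Mark's "unusual" ranges against the
# defaults the thread says home routers and hotspots hand out.
$Office   = '192.168.253.0/24'
$HomeLans = '192.168.0.0/24', '192.168.1.0/24', '10.1.10.0/24', '192.168.253.0/24'
Get-VpnConflicts -Site $Office -Remotes $HomeLans        # only 192.168.253.0/24 collides

# Bumping the third octet settles it while both ends are /24s...
Test-SubnetOverlap '10.1.10.0/24'  '10.1.11.0/24'        # False
# ...but not against a wide remote prefix: a /8 at the far end covers every 10.x office.
Test-SubnetOverlap '10.253.1.0/24' '10.0.0.0/8'          # True
```

Run the site list through Get-VpnConflicts each time a new remote user or satellite office is added; the one that overlaps is the one that needs to be renumbered, and the check is cheaper than finding out from a tunnel that comes up but passes no traffic.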
 