Meinolf Weber [MVP-DS]
Hello Patrick,

A domain controller shouldn't run anything else than AD, DNS, GC and maybe DHCP. Especially IIS is not optimal, lowers security, the same applies to Terminal services in application mode. This doesn't mean you can not install all roles on the server, this works but results in lower security settings, when multihomed, 2 ip addresses in DNS, logon GPO applying etc. etc. etc. problems.

Your problem seems DNS related, please post an unedited ipconfig /all from the server and a problem computer.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Can a domain controller be anything else (i.e. IIS Server)? My
> domain controller seems bogged down when a computer tries anything
> other than a login. I tried adding a workstation to the domain, and
> it took at least ten (10) minutes before a confirmation (i.e. Windows
> dialog message) occurred.
>
> PS The server box is running Terminal Services and IIS only
Patrick Whittle
Meinolf,
The server is the "problem" computer. It's running Microsoft Internet Information Services 6.0 and it is also (Microsoft 2003 Server) a domain controller. The AD portion of this/my equation seems to be the culprit... as far as the long wait-time; there is only one sub-net. Enterprise Admins GPO is being used, and the server has only one NIC (Ethernet) installed.

The LAN router is supplying DHCP, and my internet service provider is the DNS. Is the huge wait-time due to older hardware (1GB of memory, but only a 1.7 GHz CPU) ??? Adding a workstation to the domain shouldn't take this long.
Bill Grant
Meinolf will probably tell you the same thing, but here is something to think about.

You cannot run a domain controller and use the DNS at your ISP. Active Directory depends on DNS and requires a local DNS server to resolve domain resources. You really should not be using DHCP from your router, as this will give your clients incorrect DNS settings.

Your workstation cannot join the domain because it cannot find the DC. It uses DNS to find the logon server and the record for that should be in your local DNS. There is no way that the DNS at your ISP would have this info.

The setup you have is fine for a fileserver. It is not compatible with Active Directory. If you want to run a DC in this network you need to change your network config.

Give the server a static IP and set it to use the router as its default gateway. When you promote it to a domain controller, accept the offer to configure DNS for you. After this is complete you can configure DNS to forward to a public DNS (such as your ISP) to resolve foreign URLs.

If you were using DHCP on the router, disable it and configure DHCP on the DC. Configure your scope to issue the router's IP as default gateway but the DC as the DNS address. All machines must use the DC for DNS.

Your network config should look like this.

    Internet
    |
    192.168.0.1
    |
    DC
    192.168.0.101 dg 192.168.0.1 dns 192.168.0.101
    |
    workstations
    192.168.0.x dg 192.168.0.1 dns 192.168.0.101
Meinolf Weber [MVP-DS]
Hello Patrick,

Your ISP is the problem, that's the reason I asked for the ipconfig /all. It doesn't have to be configured on the NIC, there use only the domain DNS server ip address, so itself as preferred. The ISP's DNS server you have to set as FORWARDER under the server properties in the DNS management console.

Also with only one DC/DNS it will be normal that a reboot will take longer than with having a second domain DNS server also. This belongs to the starting sequences from DNS server service and netlogon service, the latter one mostly tries to start before DNS server service, but without DNS server it can not start.

Best regards

Meinolf Weber
Ace Fekay [MCT]
Patrick,

I second and third that the ISP's DNS IS CAUSING the problem. To understand why, you must understand the way AD and DNS works. The following is a snippet of a longer article I have on multihomed DCs (not recommended), but posting just the portion that explains the AD-DNS relationship.

---

To explain why will require a little background on AD and DNS:

First, just to get this out of the way, if you have your ISP's DNS addresses in your IP configuration (DCs and clients), they need to be REMOVED. If the ISP's DNS is in there, this will cause additional problems.

I usually see errors (GPOs not working, can't find the domain, RPC issues, etc), when the ISP's DNS servers are listed on a client, DCs and/or member servers, or with multihomed DCs. If you have an ISP's (or some other outside DNS server or even using your router as a DNS server) DNS addresses in your IP configuration (all DCs, member servers and clients), they need to be REMOVED and ONLY use the internal DNS server(s). This can be very problematic.

Basically, AD requires DNS. DNS stores AD's resource and service locations in the form of SRV records, hence how everything that is part of the domain will find resources in the domain. If the ISP's DNS is configured in any of the internal AD member machines' IP properties, (including all client machines and DCs), the machines will be asking the ISP's DNS "where is the domain controller for my domain?", whenever it needs to perform a function, (such as a logon request, replication request, querying and applying GPOs, etc). Unfortunately, the ISP's DNS does not have that info and they reply with an "I dunno know", and things just fail. Unfortunately, the ISP's (or your router as a DNS server) DNS doesn't have information or records about your internal private AD domain, and they shouldn't have that sort of information.

Also, AD registers certain records in DNS in the form of SRV records that signify AD's resource and service locations. When there are multiple NICs, each NIC registers. If a client, or another DC queries DNS for this DC, it may get the wrong record. One factor controlling this is Round Robin. If a DC or client on another subnet that the DC is not configured on queries for it, Round Robin will kick in offering one or the other. If the wrong one gets offered, it may not have a route to it. On the other hand, Subnetmask Prioritization will ensure a querying client will get an IP that corresponds to the subnet it's on, which will work. To ensure everything works, stick with one NIC.

---

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum to benefit from collaboration among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
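An added example, not part of any post in this thread: the check Bill Grant's and Ace Fekay's replies both call for, run over `ipconfig /all` output, flagging every DNS server entry that is not a domain DNS server and saying whether it is the router or an outside resolver. Both sample outputs, the host names and 203.0.113.53 (a documentation address standing in for the ISP's DNS) are constructed; the 192.168.0.x values follow the layout Bill Grant posted.

```python
import re
from typing import NamedTuple

# Constructed sample, not from the thread: a workstation leased by the router.
# 203.0.113.53 is a documentation address standing in for the ISP resolver.
WORKSTATION_BEFORE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : ws01
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.0.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       192.168.0.1
"""

# Constructed sample: the DC with a static address, pointing at itself for DNS.
DC_AFTER = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc01

Ethernet adapter Local Area Connection:

   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.101
"""

# Matches "   Key Name . . . . : value"; the key never contains '.' or ':'.
FIELD = re.compile(r"^\s+(?P<key>[A-Za-z][\w ()\-]*?)(?:\s*\.)+\s*:\s*(?P<val>.*)$")


class Finding(NamedTuple):
    adapter: str
    server: str
    kind: str          # "router / default gateway" or "outside resolver"
    preferred: bool    # True if it is the first (preferred) DNS server
    assigned_by: str   # where the setting came from


def parse_ipconfig(text):
    """Return [(adapter_name, {lowercased key: [values]})] for each adapter."""
    adapters, fields, last_key = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented line: adapter headers end with ':', the banner does not.
            fields, last_key = None, None
            if line.rstrip().endswith(":"):
                fields = {}
                adapters.append((line.strip().rstrip(":"), fields))
            continue
        if fields is None:
            continue  # host-wide settings before the first adapter
        match = FIELD.match(line)
        if match:
            last_key = match.group("key").strip().lower()
            value = match.group("val").strip()
            fields[last_key] = [value] if value else []
        elif last_key:
            # Indented line without a key: further values, e.g. a 2nd DNS server.
            fields[last_key].append(line.strip())
    return adapters


def audit_dns(ipconfig_text, domain_dns):
    """Flag DNS servers that are not in domain_dns (the DC/DNS addresses)."""
    findings = []
    for name, fields in parse_ipconfig(ipconfig_text):
        gateways = set(fields.get("default gateway", []))
        dhcp = fields.get("dhcp server", [])
        assigned_by = f"DHCP server {dhcp[0]}" if dhcp else "static configuration"
        for position, server in enumerate(fields.get("dns servers", [])):
            if server in domain_dns:
                continue
            kind = "router / default gateway" if server in gateways else "outside resolver"
            findings.append(Finding(name, server, kind, position == 0, assigned_by))
    return findings


if __name__ == "__main__":
    for label, text in (("workstation", WORKSTATION_BEFORE), ("dc", DC_AFTER)):
        results = audit_dns(text, {"192.168.0.101"})
        print(label, "OK" if not results else "")
        for f in results:
            print(f"  {f.adapter}: {f.server} is {f.kind}, set by {f.assigned_by}")
```

An entry flagged as set by a DHCP server has to be fixed in that server's scope options, not on the client. The ISP resolver belongs only in the DNS server's forwarder list, which `ipconfig /all` does not show.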
Patrick Whittle
This kind-of explains why my ISP recently changed its settings. The last two octets of my WAN default gateway are now 192.1 ...so I'm thinking that my ISP distinguished an internal LAN (ISPs regularly update and change their addressing; this is normal). Does my ISP see that my internal LAN has a domain controller in it? For their management topology, they must have "classified" me as having an internal LAN.

Also, I recently bought a router (used to be cable modem only) that has DHCP on it. When I configure my domain controller with DNS, how do I repudiate / deny ISP knowledge of internal hosts?

New Default Gateway address: 24.57.192.1 (notice how it suggests & signals my internal LAN)
Meinolf Weber [MVP-DS]
Hello Patrick,

No, the private address range looks like 10.x.x.x, 172.x.x.x or 192.168.x.x not x.x.192.x

It is NOT your ISP's problem. The WAN port from your DSL router has nothing to do with your internal network.

As said/requested before. An unedited ipconfig /all from your server and a problem computer can sort this really easy.

Also I described how to configure the FORWARDERS to access internet the correct way with LAN internal Domain DNS servers.

Best regards

Meinolf Weber
Patrick Whittle
Thanks. What I really meant was, my ISP may want to group their clients based on what they know (or think they know) they are running. Since it's easy for them to see & log what I am using, wouldn't it be good administrative practice to configure DNS assignments (sub-nets) reflecting which clients have a LAN... and who doesn't ???

Which reason do you think ISPs re-assign / refresh their DHCP for? It could be simply to contend with bots. straggling their IP assignments!!!
Meinolf Weber [MVP-DS]
Hello Patrick,

Your ISP has nothing to do with your LAN, they can not access it if you don't let them. It is your task to secure your network.

As far as I know the ISPs have once a day to disconnect your network for a small time, except you have fixed ip addresses rented for yourself, it's so short you normally don't realize. So that will be the reason that your router has different WAN ip addresses, but that's not your part of configuration.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Thanks. What I really meant was, my ISP may want to group their
> clients based on what they know (or think they know) they are running.
> Since it's easy for them to see & log what I am using, wouldn't it be
> good administrative practice to configure DNS assignments (sub-nets)
> reflecting which clients have a LAN... and who doesn't ???
>
> Which reason do you think ISP's re-assign / refresh their DHCP for?
> It could be simply to contend with bots. straggling their IP
> assignments!!!
>
> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
> news:(E-Mail Removed) .com...
>
>> Hello Patrick,
>>
>> No, the private address range looks like 10.x.x.x, 172.x.x.x or
>> 192.168.x.x not x.x.192.x
>>
>> It is NOT your ISPs problem. The WAN port from your DSL router has
>> nothing to do with your internal network.
>>
>> As said/requested before. An unedited ipconfig /all from your server
>> and a problem computer can sort this really easy.
>>
>> Also I described how to configure the FORWARDERS to access internet
>> the correct way with LAN internal Domain DNS servers.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!!
>> http://www.blakjak.demon.co.uk/mul_crss.htm
>>> This kind-of explains why my ISP recently changed its settings. The
>>> last two octets of my WAN default gateway are now 192.1 ...so I'm
>>> thinking that my ISP distinguished an internal LAN (ISP's regularly
>>> update and change their addressing; this is normal). Does my ISP
>>> see that my internal LAN has a domain controller in it? For their
>>> management topology, they must have "classified" me as having an
>>> internal LAN.
>>>
>>> Also, I recently bought a router (used to be cable modem only) that
>>> has DHCP on it. When I configure my domain controller with DNS, how
>>> do I repudiate / deny ISP knowledge of internal hosts?
>>>
>>> New Default Gateway address: 24.57.192.1 (notice how it
>>> suggests & signals my internal LAN)
>>>
>>> "Bill Grant" <not.available@online> wrote in message
>>> news:(E-Mail Removed)...
>>>
>>>> Meinolf will probably tell you the same thing, but here is
>>>> something to think about.
>>>>
>>>> You cannot run a domain controller and use the DNS at your ISP.
>>>> Active Directory depends on DNS and requires a local DNS server to
>>>> resolve domain resources. You really should not be using DHCP from
>>>> your router, as this will give your clients incorrect DNS settings.
>>>>
>>>> Your workstation cannot join the domain because it cannot find the
>>>> DC. It uses DNS to find the logon server and the record for that
>>>> should be in your local DNS. There is no way that the DNS at your
>>>> ISP would have this info.
>>>>
>>>> The setup you have is fine for a fileserver. It is not compatible
>>>> with Active Directory. If you want to run a DC in this network you
>>>> need to change your network config.
>>>>
>>>> Give the server a static IP and set it to use the router as its
>>>> default gateway. When you promote it to a domain controller, accept
>>>> the offer to configure DNS for you. After this is complete you can
>>>> configure DNS to forward to a public DNS (such as your ISP) to
>>>> resolve foreign URLs.
>>>>
>>>> If you were using DHCP on the router, disable it and configure DHCP
>>>> on the DC. Configure your scope to issue the router's IP as default
>>>> gateway but the DC as the DNS address. All machines must use the DC
>>>> for DNS.
>>>>
>>>> Your network config should look like this.
>>>>
>>>> Internet
>>>> |
>>>> 192.168.0.1
>>>> |
>>>> DC
>>>> 192.168.0.101 dg 192.168.0.1 dns 192.168.0.101
>>>> |
>>>> workstations
>>>> 192.168.0.x dg 192.168.0.1 dns 192.168.0.101
>>>>
>>>> "Patrick Whittle" <(E-Mail Removed)> wrote in message
>>>> news:#J0b9z#(E-Mail Removed)...
>>>>> Meinolf,
>>>>>
>>>>> The server is the "problem" computer. It's running Microsoft
>>>>> Internet Information Services 6.0 and it is also (Microsoft 2003
>>>>> Server) a domain controller. The AD portion of this/my equation
>>>>> seems to be the culprit... as far as the long wait-time; there is
>>>>> only one sub-net. Enterprise Admins GPO is being used, and the
>>>>> server has only one NIC (Ethernet) installed. The LAN router is
>>>>> supplying DHCP, and my internet service provider is the DNS. Is
>>>>> the huge wait-time due to older hardware (1GB of memory, but only
>>>>> a 1.7 GHz CPU) ??? Adding a workstation to the domain shouldn't
>>>>> take this long.
>>>>>
>>>>> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
>>>>> news:(E-Mail Removed) .com...
>>>>>> Hello Patrick,
>>>>>>
>>>>>> A domain controller shouldn't run anything else than AD, DNS, GC
>>>>>> and maybe DHCP. Especially IIS is not optimal, lowers security,
>>>>>> the same applies to Terminal services in application mode. This
>>>>>> doesn't mean you can not install all roles on the server, this
>>>>>> works but results in lower security settings, when multihomed,
>>>>>> 2 ip addresses in DNS, logon GPO applying etc. etc. etc. problems.
>>>>>>
>>>>>> Your problem seems DNS related, please post an unedited ipconfig
>>>>>> /all from the server and a problem computer.
>>>>>>
>>>>>> Best regards
>>>>>>
>>>>>> Meinolf Weber
>>>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>>>> and confers no rights.
>>>>>> ** Please do NOT email, only reply to Newsgroups
>>>>>> ** HELP us help YOU!!!
>>>>>> http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>>>> Can a domain controller be anything else (i.e. IIS Server)? My
>>>>>>> domain controller seems bogged down when a computer tries
>>>>>>> anything other than a login. I tried adding a workstation to
>>>>>>> the domain, and it took at least ten (10) minutes before a
>>>>>>> confirmation (i.e. Windows dialog message) occurred.
>>>>>>>
>>>>>>> PS The server box is running Terminal Services and IIS only
>>>>>>>
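The check behind the repeated request for an unedited `ipconfig /all`, as an added example that is not part of any post in this thread: it parses that command's output and lists, per adapter, the DNS servers that lie outside the RFC 1918 private ranges, which on a domain member means the machine is asking a resolver that cannot hold the domain's records. The sample output, the function names and the 203.0.113.53 resolver address are constructed, and the check assumes the LAN uses private addressing as in the quoted network diagram.

```python
import ipaddress
import re
# RFC 1918 private ranges (the 172 block is 172.16.0.0/12, not all of 172.x.x.x).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def dns_servers(ipconfig_text):
    """Map adapter name -> list of DNS server IPs from `ipconfig /all` text."""
    adapters, current, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        header = re.match(r"^(\S.*adapter .+):\s*$", line)
        if header:
            current, in_dns = header.group(1), False
            adapters[current] = []
            continue
        if current is None:
            continue  # global section before the first adapter
        m = re.match(r"^\s+DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            adapters[current].append(m.group(1))
            in_dns = True
        elif in_dns and re.match(r"^\s+\d+\.\d+\.\d+\.\d+\s*$", line):
            adapters[current].append(line.strip())  # continuation line
        else:
            in_dns = False
    return adapters

def external_dns(ipconfig_text):
    """DNS servers outside RFC 1918, i.e. not a LAN-internal resolver."""
    return {name: [s for s in servers if not is_rfc1918(s)]
            for name, servers in dns_servers(ipconfig_text).items()}

# Constructed sample: a domain member that also received an outside resolver.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.0.23
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.101
                                       203.0.113.53
"""

if __name__ == "__main__":
    for adapter, bad in external_dns(SAMPLE).items():
        print(adapter, "->", bad or "only internal DNS")
```

An empty list for every adapter is the state Bill Grant's quoted layout describes, where all machines use the DC for DNS and only the DC forwards to an outside resolver.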