two dc and one dhcp

Discussion in 'Microsoft Windows 2000 DNS' started by Krishna, Sep 11, 2006.

  1. Krishna

    Krishna Guest

    I have two DC's. Each is an individual forest. Server A is meant for only
    DNS/DHCP services. Server B is for logon, fileserver and other applications.
    Now, I have a XP box which obtains IP and DNS from Server A (st.abc.net) but
    cannot join Server B (efg.net). How to resolve?

    Thanks
    Kris
     
    Krishna, Sep 11, 2006
    #1

  2. Krishna

    Herb Martin Guest

    "Krishna" <> wrote in message
    news:%23K%...
    > I have two DC's. Each is an individual forest. Server A is meant for only
    > DNS/DHCP services. Server B is for logon, fileserver and other
    > applications.


    Generally it is counter-productive to have two DCs but
    only one of them as a DNS server: DC replication and authentication
    both require DNS so if the one with DNS is down clients will
    either fail to replicate or experience slow logons at best.

    > Now, I have a XP box which obtains IP and DNS from Server A(st.abc.net)
    > but
    > cannot join Server B (efg.net). How to resolve?


    Server B is in a different DOMAIN?

    You are going to have to clarify this since when you write
    2-DCs we presume you mean in a single domain where
    both should be using the same DNS-domain-name suffix
    (e.g., abc.net OR efg.net but not both.)

    If you really do have two domains then each will need its
    own DNS ZONE (not necessarily its 'own' DNS server but
    that is common practice.)

    Each domain must have that DNS zone and it must be dynamic
    to support AD.

    If you have more than one domain, or even just multiple DNS
    zones, there must be a way for each DNS server to find ALL
    such zones to make everything work.

    With multiple DNS server sets (one set for each DNS zone
    to support each domain) then you need to find a way to get
    from each DNS server to the "other zone" -- usually with
    Win2000 you will need each DNS server to hold a 'secondary'
    for the "other zone".


    --
    DNS for AD
    1) Dynamic for the zone supporting AD
    2) All internal DNS clients NIC\IP properties must specify SOLELY
    that internal, dynamic DNS server (set.)
    3) DCs and even DNS servers are DNS clients too -- see #2
    4) If you have more than one Domain, every DNS server must
    be able to resolve ALL domains (either directly or indirectly)

    netdiag /fix

    ....or maybe:

    dcdiag /fix

    (Win2003 can do this from Support tools):
    nltest /dsregdns /server:DC-ServerNameGoesHere
    http://support.microsoft.com/kb/q260371/

    Ensure that DNS zones/domains are fully replicated to all DNS
    servers for that (internal) zone/domain.

    Also useful may be running DCDiag on each DC, sending the
    output to a text file, and searching for FAIL, ERROR, WARN.

    Single Label domain zone names are a problem. Google:
    [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]


    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]
     
    Herb Martin, Sep 11, 2006
    #2

  3. Krishna

    Krishna Guest

    Herb Martin,
    Thank you for the reply.

    As mentioned in my post, two DC's are separate by itself in its own forest.
    Both were installed separately. Since AD requires DNS so both DC's have DNS.
    Server A purpose was to provide IP address, gateway etc (even though it has
    DC users don't login to this server). On Server B, some users have to login
    to access files, access applications etc. Those users when joining their
    computer to Server B domain (efg.net) it's not able to find. What I have done
    so far is:

    a. Trust setup (results in SC error, fix?) on both Servers.
    b. DNS forwarders (do see SRV records) on both Servers.

    What else?

    Thanks
     
    Krishna, Sep 12, 2006
    #3
  4. Krishna

    Herb Martin Guest

    "Krishna" <> wrote in message
    news:...
    > Herb Martin,
    > Thank you for the reply.
    >
    > As mentioned in my post, two DC's are separate by itself in its own
    > forest. Both were installed separately. Since AD requires DNS so both DC's
    > have DNS. Server A purpose was to provide IP address, gateway etc (even
    > though it has DC users don't login to this server). On Server B, some
    > users have to login to access files, access applications etc. Those users
    > when joining their computer to Server B domain (efg.net) it's not able to
    > find. What I have done so far is:
    >
    > a. Trust setup (results in SC error, fix?) on both Servers.


    No additional trusts are needed (or usually useful) in a single
    forest since all domains in the forest already trust each other.

    > b. DNS forwarders (do see SRV records) on both Servers.


    NO.

    IF you forward both DNS servers to each other you merely
    create an INFINITE loop which crashes or causes errors in
    the DNS service.

    For Win2000, the standard answer is for EACH DNS Server
    (representing EACH DOMAIN) to hold a Secondary DNS
    zone for the "other DNS" server.

    (There are other choices in Win2003 but these features don't
    exist in Win2000.)

    Make each DNS hold BOTH DNS zones (i.e., the zones for
    each domain.)



    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]

    > What else?
    >
    > Thanks
    >
    >
     
    Herb Martin, Sep 12, 2006
    #4
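Rule 4 of the "DNS for AD" checklist in post #2 (every DNS server must be able to resolve ALL domains) and the forwarder-loop warning in post #4 can both be checked on a model of the DNS layout before changing the servers. This is an added example, not code from the thread; the names `ServerA` and `ServerB`, the three layouts and all function names are constructed for illustration, and only the zone names `st.abc.net` and `efg.net` come from the posts.

```python
from dataclasses import dataclass, field

ZONES = ["st.abc.net", "efg.net"]  # the two AD zones named in the thread

@dataclass
class DnsServer:
    zones: set                                      # zones held (primary or secondary)
    forwarders: list = field(default_factory=list)  # servers it forwards to

# Constructed layouts (hypothetical server names, not the poster's real config).
ISOLATED = {"ServerA": DnsServer({"st.abc.net"}), "ServerB": DnsServer({"efg.net"})}
MUTUAL_FORWARDERS = {
    "ServerA": DnsServer({"st.abc.net"}, ["ServerB"]),
    "ServerB": DnsServer({"efg.net"}, ["ServerA"]),
}
SECONDARIES = {
    "ServerA": DnsServer({"st.abc.net", "efg.net"}),
    "ServerB": DnsServer({"efg.net", "st.abc.net"}),
}

def resolvable_zones(name, servers):
    """Zones a server can answer for: its own plus those reached via forwarders."""
    seen, stack, zones = set(), [name], set()
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            zones |= servers[cur].zones
            stack.extend(servers[cur].forwarders)
    return zones

def forwarder_cycles(servers):
    """Forwarder chains that return to their starting server. A query for a
    name held by no server on such a chain is handed around it, unanswered."""
    cycles = []
    def walk(path):
        for nxt in servers[path[-1]].forwarders:
            if nxt == path[0]:
                cycles.append(path + [nxt])
            elif nxt not in path:
                walk(path + [nxt])
    for name in servers:
        walk([name])
    return cycles

def audit(servers, required=ZONES):
    """Return (zones each server cannot resolve, forwarder cycles found)."""
    missing = {n: sorted(set(required) - resolvable_zones(n, servers)) for n in servers}
    return missing, forwarder_cycles(servers)

if __name__ == "__main__":
    for label, layout in [("isolated", ISOLATED), ("mutual forwarders", MUTUAL_FORWARDERS),
                          ("secondaries", SECONDARIES)]:
        print(label, audit(layout))
```

Only the layout where each server holds both zones passes with no unresolved zone and no forwarder cycle.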
  5. Krishna

    Krishna Guest

    > No additional trusts are needed (or usually useful) in a single
    > forest since all domains in the forest already trust each other.


    They are in separate forest.

    >> b. DNS forwarders (do see SRV records) on both Servers.

    >
    > NO.


    I meant each zone is secondary zone for the other (sorry for the confusion).
     
    Krishna, Sep 12, 2006
    #5
  6. Krishna

    Herb Martin Guest

    "Krishna" <> wrote in message
    news:%...
    >> No additional trusts are needed (or usually useful) in a single
    >> forest since all domains in the forest already trust each other.

    >
    > They are in separate forest.


    It is generally the case that you also need "NetBIOS name resolution"
    for EXTERNAL trusts to work. (Trusts between domains
    of different forests are ALWAYS 'external' in Win2000.)

    IF you have more than one subnet and you need NetBIOS then you
    also have a practical need for WINS Server AND for every machine
    (including DCs) to be set as WINS CLIENTS on their NIC->IP->
    Advanced configuration.

    >>> b. DNS forwarders (do see SRV records) on both Servers.

    >>
    >> NO.

    >
    > I meant each zone is secondary zone for the other (sorry for the
    > confusion).


    No "zone" can be secondary for another zone.

    A SERVER can hold multiple zones and be secondary for some,
    and (possibly) primary for others.

    We all make the mistake of saying things like "The DNS server for
    the 'first zone'" when the fact is that any DNS server can hold zones
    for many different domains and zones -- it's just hard to talk about this
    stuff without (imprecisely) claiming that the DNS server FROM the
    'first domain' is the 'first zone DNS server'.

    Truth is, DNS servers are "for" the zones they hold no matter
    whether they 'live in' a particular zone or domain, or neither.


    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]
     
    Herb Martin, Sep 13, 2006
    #6
  7. Krishna

    Krishna Guest

    They are in the same subnet. How do I get the external trust to work? With the
    current setup when clicked on verify results in sc error.
     
    Krishna, Sep 13, 2006
    #7
  8. Krishna

    Herb Martin Guest

    "Krishna" <> wrote in message
    news:...
    > They are in the same subnet. How do I get the external trust to work? With
    > the current setup when clicked on verify results in sc error.
    >


    Check the NIC->IP properties -> Advanced ->WINS tab and
    make sure ALL DCs have NetBIOS enabled.

    Since it is a single subnet you don't need WINS Server and
    they can broadcast for each other.

    If this doesn't resolve the problem then break the trust and
    re-establish it.

    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]

    >
     
    Herb Martin, Sep 13, 2006
    #8
  9. Krishna

    Krishna Guest

    Herb,

    You are correct that I was trying via netbios name which is failing. I tried
    with DNS name, resolved and working like charm. I will verify again to make
    sure Netbios is enabled.
    Why do I get Secure channel error in trust setup?

    Thanks
    Kris
     
    Krishna, Sep 14, 2006
    #9
  10. Krishna

    Herb Martin Guest

    "Krishna" <> wrote in message
    news:...
    > Herb,
    >
    > You are correct that I was trying via netbios name which is failing. I
    > tried with DNS name, resolved and working like charm. I will verify again
    > to make sure Netbios is enabled.
    > Why do I get Secure channel error in trust setup?
    >


    Did you fix the NetBIOS problem yet? NetBIOS is
    generally required for external trusts to work.

    You really need both DNS and NetBIOS working for
    this.

    After that you will need to post the exact error message
    and perhaps look in the Event Log for more details (numbers
    etc.)


    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]

    > Thanks
    > Kris
    >
    >
     
    Herb Martin, Sep 14, 2006
    #10
  11. Krishna

    Krishna Guest

    Herb,

    NETBIOS over TCP/IP is set in both servers.

    I get following error:

    "The secure channel (sc) query on DC \\servernameA of domain efg.net to
    domain st.abc.net failed with error: access is denied. An sc reset will now
    be attempted."

    "The secure channel (sc) reset on domain controller \\servername.st.abc.net
    to domain efg.net failed with error:access is denied."

    Thanks
    Kris
     
    Krishna, Sep 14, 2006
    #11
  12. Krishna

    Herb Martin Guest

    "Krishna" <> wrote in message
    news:%23tA$...
    > Herb,
    >
    > NETBIOS over TCP/IP is set in both servers.
    >
    > I get following error:


    When and where precisely do you get this error?

    > "The secure channel (sc) query on DC \\servernameA of domain efg.net to
    > domain st.abc.net failed with error: access is denied. An sc reset will
    > now be attempted."
    >
    > "The secure channel (sc) reset on domain controller
    > \\servername.st.abc.net to domain efg.net failed with error:access is
    > denied."


    Did you notice that one of those names is using the FULL
    DNS name and the other is not? That may be a very important
    hint for the source of the problem.

    Why aren't these domains in the same forest? (They almost always
    should be due to the obvious parent-child DNS relationship.)

    Send the IPConfig /all from the DC of EACH Domain. Send the
    text to a file and paste in the ACTUAL information without editing
    and in text not graphics.


    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]

    > Thanks
    > Kris
    >
     
    Herb Martin, Sep 15, 2006
    #12
