Strange SBS 2003 Domain behavior 2

[dball63]

I just recently set up my first SBS 2003 Server and domain. Everything seems to be working fine but I am getting some strange resolution problems within the AD Domain. I'm not sure what it is yet. Hopefully someone else has had same problems!

From XP Pro clients some domain security groups show up as ?SID # and not the actual group or user name.
Example, Domain Users Group shows up as ? S-1-5-21-33434534534334-34343-3434-502
The problem seems to be intermittent as some domain user groups show up fine and others do not.

Also browsing domain from Network Places is intermittent as well.

Managing Computer accounts from domain controller gives error message that the network is not available but I know that it is fine. I think this problem may be related.

I've tried adding a 3rd DNS entry of domain server on XP client with no change in results.
Added WINS server address as well.

Any help would be greatly appreciated

David Ball

 

[markdmac]

Did you use the ConnectComputer wizard to join the workstations to the Domain?

 

[dball63]

No, I simply typed the name of the domain into the domain field and when prompted for account, I used admin credentials. Thats the way I have always done it.

 

[markdmac]

With SBS 2003 you are better off going through the wizard. It does some extra stuff as far as group memberships for the PC.

Did you upgrade the network? The extra sids look like they are from an old domain.

 

[dball63]

I'm not so sure thats it but I will definately try it.
Its not an upgrade at all. Its their first server.

 

[dkediger]

The ConnectComputer Wizard is the way you need to go.

After doing this, check that you only have 1 DNS entry on the clients and that this matches the SBS servers IP address.

Same goes for WINS and DHCP, if you are using the SBS server's DHCP.

 

[dball63]

That may be part of the problem. At this point I am not using SBS DHCP service. They already had a Netgear router handing out IP so I left it as is but I may need to change that. The router is currently giving DNS of ISP only. Dynamic DNS is obviously not working and I think that this may be the root of the problem. Switching DHCP and DNS service to the new SBS server may fix it. What do you think?

 

[dkediger]

You don't *need* to switch DHCP to the SBS server as long as you change the DNS settings that the Netgear is handing out to the SBS server.

Moving DHCP to the SBS server does tie everything up in a nice package though.

You can then run the InternetConnections wizard on the SBS server and it should set all the options up for you.

 

[dball63]

Moving it was just a thought. Like you said it keeps it neat and I love that. I did try manually adding the SBS DNS address to a client and still didn't have any change but I believe that it was the 3rd DNS entry on that client after the 2 ISP DNS servers.

I think I may need to read up on DNS services. I've never really setup a production DNS Server! Will I still need to use the ISP DNS servers in my leases as well as my SBS server or can I configure the SBS server to forward DNS queries to the internet to be resolved?

I really think this needs to resolved before I can fix earlier problems, Don't you think?

 

[dkediger]

For your clients, the SBS server should be the first (and ideally, only) DNS listed. Try this and see if it gets your internal resolution going. The SBS server should then have a DNS entry forwarding external requests to your ISP.

Are you running ISA server? Are you only seeking access to the internet from client computers - as well as access to the server?

If so - I would enable DHCP in the SBS server disable it on the router and then run the Internet Connection Wizard from the SBS Administrator Console. This would set up everything in the SBS server for network internet access and DNS and DHCP options.

Schedule some down time for the network for this. You'll also need to know your network's internal IP range, ie 192.168.1.x, your ISP IP address, router IP, and ISP DNS IPs.

 

[dball63]

I have all the addressing information that I need I believe.

No I am not running ISA server, so far the router has been just forwarding everthing.

Back to the DNS Server. If I change the DHCP leases to just include the SBS servers DNS address, how do I get the INternal DNS server to forward unknown requests to external DNS servers? Do I just place my ISP's DNS numbers on my SBS servers TCP/IP nic properties?

 

[dkediger]

I'm assuming a single NIC - its been a while since I've set one up going directly to a router.

The client DNS IPs should point to the SBS server IP address.

The SBS NIC DNS IP should point to itself.

The Client/SBS NIC Default Gateway IP should point at the Router.

The SBS server Internet Connection Wizard should still handle all this setup for you, even if you are not using ISA.

If all you are doing is outgoing connections to the internet for web and incoming/outgoing mail, I would setup ISA server.

 

[jrwizzard]

what he failed to mention was where to put the ISPs DNS addresses. In the DNS mmc goto properties, the second or third tab is for forwarding, click the box to enable it and add the address of the DNSs of the ISP to the list. This will send ALL UNKNOWN DNS request to the ISP DNS. Now all clients only have the SBS DNS in its list so all DNS request will goto that box.

 

[dkediger]

Ooops - Good catch jrwizzard! THanks!

 

[dball63]

Great, I will try this stuff over the weekend.

David Ball

 

[dball63]

I had a chance to make some changes today. So far this is what I did.

1. Made DNS Forwarders change on SBS server to point to ISP DNS Servers.

2. Killed DHCP on the Router

3. Started DHCP on the SBS Server and new scope with options.

4. Added PC's to domain using the wizard. Go figure!.

Status: All is well!
Dynamic DNS is working, DHCP is working, no more unkown domain security objects.
Thanks for the advice

David Ball