  1. #11
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,249


    AD without DNS = BAD.

    The DCPromo utility should have configured DNS services on the domain controller for you. If it didn't... you need to install it by hand and configure it. When you're done, and while you're at it, install the DHCP service on the Windows server too.

    Then, kill the DHCP service on UT. Configure the Windows DNS service to forward unknown requests to the UT. Configure the Windows DHCP service to pass the DC's IP address out as the clients' DNS server.

    That is a PILE of work, but if you can get through it your Active Directory should be standing up and dancing. Login times will fall... group policy actually works... all sorts of cool stuff.

    P.S. I really needed a spell check for my posts a year ago... good heavens look at all that bad grammar and spelling...
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  2. #12
    Newbie
    Join Date
    Jan 2009
    Posts
    12


    Well, it feels good to know what I will be doing tomorrow:

    1) remove the whole existing AD
    2) install the AD (again)
    3) install dns
    4) install dhcp

    in that order, right?

    And btw, to forward unknown requests is the single "." thingy, right?

  3. #13
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,249


    No, that is "root" in a DNS name space. When you get DNS online take a look through the property pages for the server itself. You will find the DNS forwarder configuration. And this order is better...

    1.) Yank AD
    2.) Install DNS
    3.) Install DHCP
    4.) Install AD

    Always install AD as your last service. I find this makes things easier. There is only one exception... MSSQL... NEVER promote a DC or demote a DC that has MSSQL installed on it. Just trust me on that one...

    BTW you may be able to fix the current directory. If you yank AD and reinstall you'll have to rejoin any workstations to the new domain and migrate those user profiles. This is why I refuse to use AD in an environment where I can't have 2 AD dedicated servers.

  4. #14
    Newbie
    Join Date
    Jan 2009
    Posts
    12


    Just want to say: thank you sky-knight!

  5. #15
    Newbie
    Join Date
    Apr 2009
    Posts
    13


    I noticed something else that's not relevant to the Untangle box exactly.

    If you have the T1s on a flat or subnetted network for the branch offices, you'd want to set the routers to DHCP Forward to your primary DHCP server; that way all your DHCP management can happen on one system. Keep a backup of your DHCP server on the other two DCs so you can easily start one up if your primary DC fails.

    Makes life a lot easier.

    Even if you use VPNs you should have a DHCP helper or forwarder option to do this.

  6. #16
    Untanglit
    Join Date
    Mar 2009
    Posts
    23


    Quote Originally Posted by sky-knight:
    AD without DNS = BAD.

    Configure the windows DNS service to forward unknown requests to the UT.
    Consider it a non-negotiable thing: ALWAYS and SOLELY use Windows DNS and DHCP in an Active Directory Environment. Period. Not Windows for DNS1 and OpenDNS for DNS2. Just Windows.

    Do NOT use forwarders without a specific reason to. OpenDNS filtering would be a good example of when you might want to. Or forwarding to a master corporate server. Generally you do not want to forward to an ISP DNS as they are notorious for being slower and problematic. Do not forward from a DNS server to Untangle DNS to outside DNS unless your firewall is set to block DNS. In that scenario, it'd be preferable to pass DNS only for your DNS server, block it for everyone else, and don't relay.

    Do use Root Hints (there is a tab by that name). If your roots aren't populated, just click on "copy from server". Put in "198.41.0.4" (or the IP of any other root server), and it will fill everything in.

    Why not use DNS1 internal and DNS2 public? Because Windows doesn't rigidly follow a DNS1 then DNS2 order. When it's hitting DNS2 first, you can get problems. For example, say you have www.companyname.com listed on internal DNS as 192.168.1.20 and external DNS as 232.35.125.65. It resolves using public DNS, web page gets an error from an internal client. Etc.

    Why not relay? Speed and reliability. A single web page might have 20, 30 or more separate DNS lookups. Going from server to server to server introduces extra delays. More, ISP DNS is often a lot slower than internal DNS running root hints. For web pages, DNS can be more of a performance issue than raw bandwidth. Further, why rely on your ISPs to properly maintain their systems when you need not?

  7. #17
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,249


    But that is why we have forwarders.

    Technically speaking all AD supporting DNS servers are authoritative for the internal domain name space. And it's not a good security practice to have your authoritative DNS servers caching anything.

    The setup is very simple in this regard. You should have 2 AD servers for each network before you even think about AD. (Don't get me started on SMB server)

    Both these AD servers should have DNS on them to back up AD, just to keep things simple. Set them both as the DNS servers for the clients on the network, and configure both to forward DNS requests to the Untangle router at the edge.

    At that point you're free to configure Untangle with the DNS servers of your ISP, or those of OpenDNS, or any other DNS server available to do non-local lookups. If you're worried about performance, put in a DNS server on the LAN that is set up just to do exterior resolution and forward to that.

  8. #18
    Untangle Ninja mrunkel
    Join Date
    Jul 2008
    Posts
    3,040


    I'm of the opinion that if you run Windows Servers with an AD domain, use the DHCP and DNS services on the Windows box, not on the Untangle.

    1.) You get things like automatic registration of hosts into the DNS zone
    2.) It's easier to troubleshoot
    3.) You don't need to bother with setting up forwarders
    4.) It's one less thing to go wrong.

    I would also suggest using the Windows box as the "upstream" DNS server for the Untangle; that way all the correct hostnames will appear in the reports.
    m.


    Big Frickin Disclaimer:
    While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.

    It often helps troubleshooting if you have a good network map. Look here if you want my advice on how to draw one.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
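An added example, not posted by anyone in this thread: a PowerShell audit of a domain controller's DNS and DHCP settings against the two layouts argued above (both DCs forwarding to the Untangle as sky-knight describes, or no forwarders and populated root hints as Untanglit describes) and against the rule that clients are handed only the DCs as DNS servers. It assumes Windows Server 2012 or later with the DnsServer and DhcpServer modules installed on the DC; every address in it is a placeholder.

```powershell
# Added example, not from the thread. Audits a DC's DNS/DHCP configuration
# against the recommendations above. Assumes Windows Server 2012+ with the
# DnsServer and DhcpServer modules; every address below is a placeholder.
Import-Module DnsServer
Import-Module DhcpServer

$UntangleLan  = '192.168.1.1'                      # placeholder: Untangle inside address
$DcDnsServers = @('192.168.1.10', '192.168.1.11')  # placeholder: the two DCs
$ScopeId      = '192.168.1.0'                      # placeholder: DHCP scope network

# --- DNS: forwarders (sky-knight's layout) or root hints (Untanglit's layout)? ---
$fwd = Get-DnsServerForwarder
if ($fwd.IPAddress) {
    $fwdList = $fwd.IPAddress | ForEach-Object { $_.IPAddressToString }
    Write-Host "Forwarders: $($fwdList -join ', ')"
    if ($fwdList -notcontains $UntangleLan) {
        Write-Warning "Forwarders do not include the Untangle at $UntangleLan"
    }
    # Forward-only: do not fall back to root hints when the forwarder is down
    if ($fwd.UseRootHint) {
        Write-Warning 'UseRootHint is on; Set-DnsServerForwarder -UseRootHint $false makes it forward-only'
    }
} else {
    $roots = @(Get-DnsServerRootHint)
    if ($roots.Count -eq 0) {
        Write-Warning 'No forwarders and no root hints: external names will not resolve'
    } else {
        Write-Host "No forwarders; resolving from $($roots.Count) root hints"
    }
}

# --- DHCP option 006: clients must get only the DCs as DNS servers ---
$opt = Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 6 -ErrorAction SilentlyContinue
if (-not $opt) { $opt = Get-DhcpServerv4OptionValue -OptionId 6 -ErrorAction SilentlyContinue }  # server level
$handedOut = @()
if ($opt) { $handedOut = @($opt.Value) }
$foreign = $handedOut | Where-Object { $DcDnsServers -notcontains $_ }
if ($handedOut.Count -eq 0) {
    Write-Warning "Scope $ScopeId sets no DNS servers (option 006) for clients"
} elseif ($foreign) {
    # The mixed DNS1-internal / DNS2-public setup Untanglit warns about
    Write-Warning "Scope $ScopeId hands out non-DC DNS servers: $($foreign -join ', ')"
    Write-Host   "Fix: Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $($DcDnsServers -join ',')"
} else {
    Write-Host "Scope $ScopeId option 006 OK: $($handedOut -join ', ')"
}
```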
