Here's our scenario.
We have two machines. Machine A is a Windows Server 2003 SP2 machine that is set up as the Domain Controller. Machine B is a Windows XP SP3 machine that is to be joined to the domain controlled by Machine A. Both machines have a single LAN card.
Both computers are connected to our corporate LAN. Since our corporate LAN has DHCP enabled, both computers were automatically assigned their dynamic IPs and DNS servers (both LAN cards were set to "Obtain an IP address automatically" and "Obtain DNS server address automatically").
Machine B was joined to the domain (ian.sd.local -- Machine A). The machine was successfully joined to the domain (validated by a welcome message) after asking for a domain admin account. It then asked for a reboot.
After reboot, we logged in to the domain using a domain admin account. It went in normally. We then created a new folder and shared it to check if we could retrieve the accounts from the domain controller, but we can't. From the Sharing tab -> Permissions -> Add -> Select Users or Groups dialog box, clicking on the Locations button, the DC won't show up.
Another thing, pinging the domain controller from the client machine using FQDN will fail. While pinging it using the machine name only will succeed.
I somehow know what the problem is. Since the client machine is set to automatically obtain the DNS server address, our corporate LAN gave us our own "corporate DNS server" (used by our corporate domain controller), thus resulting in the client machine not being able to "resolve" the FQDN. However, I am still not sure why the "domain controller" cannot be found in the "Select Users or Groups" dialog box.
Anyway, hardcoding the domain controller's IP address as the client's Preferred Primary DNS server fixes the problem.
My question is, is there an "official" Microsoft document that tells the user to set the domain controller's IP address as the client's Preferred Primary DNS server? I am asking because a tester at our company used the above setup to install one of our software products and it is failing because of this. I need to prove to him that this is a configuration issue and not an issue with the software.
Thanks!
DNS is critical to proper operation of Active Directory; any and all Microsoft documentation states this quite clearly.
There's no actual need for your DNS server to be a domain controller, or even a Windows machine at all; but the DNS server(s) which domain member computers (including DCs!) use must be authoritative for the domain; they are also required to support SRV records, and should allow dynamic DNS updates (unless you want very big headaches managing them). Here are the best practices for member computer configuration:
http://support.microsoft.com/kb/825036
These links are about DNS and Active Directory:
http://support.microsoft.com/kb/291382/en-us
http://technet.microsoft.com/en-us/library/cc759550(WS.10).aspx
This is a guide to using non-Microsoft DNS servers (useful for understanding what's actually going on behind the scenes):
http://technet.microsoft.com/en-us/library/dd316373.aspx
While things can of course get more complex depending on your network and domain configurations, best practices for DNS in an AD environment are quite simple and boil down to two basic rules:
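The check that turns the answer's requirement (the client's DNS servers must be authoritative for the domain and serve its SRV records) into something the tester can run on Machine B, as an added example that is not part of the original question or answer. It lists the DNS servers each adapter actually received from DHCP, asks each of them directly for the AD SRV records, and reproduces the short-name-works/FQDN-fails symptom from the question. It assumes PowerShell 2.0 or later on the XP SP3 client, the built-in nslookup tool, and that the domain name is passed in (ian.sd.local is the asker's domain); the `LOGONSERVER` environment variable is used to pick the DC name.

```powershell
# Added diagnostic (not from the original post): does each DNS server this
# client uses serve the Active Directory SRV records the domain depends on?
# Assumptions: PowerShell 2.0+ on the member computer, nslookup present,
# domain name passed as -Domain (default is the asker's ian.sd.local).
param(
    [string]$Domain = "ian.sd.local"
)

# SRV names every AD DNS zone carries; domain join, logon and the object
# picker ("Select Users or Groups") locate a DC through these.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain"
)

# WMI works on XP SP3 / Server 2003: list DNS servers per IP-enabled adapter.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -eq $true }

foreach ($nic in $adapters) {
    Write-Host ("Adapter      : {0}" -f $nic.Description)
    Write-Host ("  DHCP enabled : {0}" -f $nic.DHCPEnabled)
    Write-Host ("  DNS servers  : {0}" -f ($nic.DNSServerSearchOrder -join ", "))

    # Guard: in PowerShell 2.0 a foreach over $null still runs once.
    if (-not $nic.DNSServerSearchOrder) {
        Write-Host "  [FAIL] no DNS servers configured on this adapter"
        continue
    }

    foreach ($dns in $nic.DNSServerSearchOrder) {
        foreach ($name in $srvNames) {
            # Ask this specific server; Windows nslookup prints "svr hostname = <dc>"
            # for each SRV answer it receives.
            $out = & nslookup -type=SRV $name $dns 2>&1 | Out-String
            if ($out -match "svr hostname\s*=\s*(\S+)") {
                Write-Host ("  [OK]   {0} -> {1} via {2}" -f $name, $matches[1], $dns)
            } else {
                # A corporate DNS server that is not authoritative for $Domain
                # lands here: this is the asker's misconfiguration.
                Write-Host ("  [FAIL] {0} not answered by {1}" -f $name, $dns)
            }
        }
    }
}

# Reproduce the question's symptom: short name resolves (NetBIOS/WINS) while
# the FQDN does not (DNS). LOGONSERVER is set at domain logon, e.g. \\MACHINEA.
$dc = $env:LOGONSERVER -replace '^\\\\', ''
if ($dc) {
    foreach ($candidate in @($dc, "$dc.$Domain")) {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($candidate) | ForEach-Object { $_.IPAddressToString }
            Write-Host ("  [OK]   {0} -> {1}" -f $candidate, ($addrs -join ", "))
        } catch {
            Write-Host ("  [FAIL] {0} does not resolve: {1}" -f $candidate, $_.Exception.Message)
        }
    }
}
```

Run it as `.\Check-AdDns.ps1 -Domain ian.sd.local` on the client. Before the fix the DHCP-supplied corporate DNS servers should show `[FAIL]` on all three SRV names and on the FQDN line; after pointing the Preferred DNS server at the DC (or at any server authoritative for the zone, as the answer notes), every line should turn `[OK]`. Keeping that output is a concise way to show the tester that the software failure follows the DNS configuration, not the installer.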