From: Boris <bo...@ca...> - 2008-09-04 17:25:03

Hej all,

I'm sorry to annoy you with that off-topic theme, but I'm quite sure there is somebody with the right knowledge on this list because the setup is quite common and I'm hoping strongly for help. Here's the story:

I have a small network connected to the web with a Bering uClibc that works as dhcpd and of course dns server. Center of the network is a Windows 2003 SmallBusinessServer as domain-controller, file-, print-, and MSSQL-server. The network is slow and I get a lot of serious errors in the event-logs that seem to cause the bad performance:

> event-id 4004: The DNS server was unable to complete directory service enumeration of zone .. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The event data contains the error.

> event-id 4015: The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The event data contains the error.

I agree my question is quite flat but it is simple: What should I look for and what can I do?

My own brain puts out something like this:

- I don't want to make the windows server dhcpd.
- afaik Windows Active Directory needs its own DNS-Service, so it's impossible to deactivate it.
- Could the problem be solved through building something like a dns-cascade (windows-server asks bering-box -> bering-box asks windows-server). How can I do something like this?

Thanks a lot for your ideas!

Boris

From: Robert K C. J. -I. F. D. Corp. <bco...@in...> - 2008-09-04 20:23:15

Boris,

Is your SBS pointed to itself for DNS? It should be. You can use the DNS server on Leaf as a forwarder.

From: Bob G. <ban...@ms...> - 2008-09-04 21:33:17

Boris,

Apologies for top-posting, but I can't see how to respond piecemeal.

I run SBS2003 behind a LEAF bering firewall but my setup is different: Two NICs on the SBS server and the SBS manages an interior "Windoze" network (for example 192.168.0.0) to which it serves DHCPD, DNS - everything configured using the SBS wizards as if the upstream interface were connected directly to the public Internet. SBS works best when you use its wizards and don't tinker around with individual service configurations. Otherwise you really need to understand how things interoperate with AD, Remote Access, etc.

The SBS upstream interface is on a separate private network (192.168.1.0 for example) that is managed by the LEAF bering firewall (two NICs). The bering upstream is a public IP from my ISP. The bering box serves dhcpd and dns to the intermediate network. The SBS upstream has a static address on this network and the gateway and DNS point to the bering box. SBS is configured to forward all DNS queries not resolved internally to the bering box just as you might do to an ISP's DNS server if the bering firewall and intervening network weren't in the path.

There are a few internal linux servers and workstations on the .1 network (inside the bering firewall but outside of the SBS network) and various other things which don't affect the topology.

Yes, there are two layers of NAT for clients connecting to external sites from inside the SBS network. I've never had any problems resulting from this for over 5 years now. It's an office network which I designed and continue to manage and it has been extremely stable and trouble free.

The main benefit of this design is that both the LEAF bering firewall and the SBS 2003 begin life with very simple "stock" configurations. It is easy to tweak to get something like SBS "Remote Web Workplace" (a very useful feature, IMO) or Remote Access (RAS, a VPN server) working from the Internet by configuring DNAT rules (I use shorewall) for the various ports and protocols (all are documented and easily found). The SBS server need not be bogged down running advanced or third party firewall solutions and there is less exposure to various Micro$oft security risks.

The SBS environment (and M$ server stuff generally) has extensions and dependencies among DHCPD, AD, DNS, RAS. The best way I've found to avoid these pitfalls is to isolate the Windows environment.

[Internet]--firewall--["dmz" net]--SBS--[Windows net]

Hope this is helpful,

~Bob

> -----Original Message-----
> From: lea...@li... [mailto:leaf-user-bo...@li...] On Behalf Of Boris
> Sent: Thursday, September 04, 2008 1:25 PM
> To: lea...@li...
> Subject: [leaf-user] [OT] Windows 2003 SBS behind leaf router
>
[...snip...]

From: Gordon B. <go...@q-...> - 2008-09-05 10:02:31

Boris,

If you run Windows 2003 Server as a domain-controller for Windows XP or Vista workstations then the Windows 2003 server *has* to be the DNS server and possibly DHCP as well.

A typical symptom of having a different server perform these roles is that, when logging onto the domain, authentication and loading of a relatively small roaming profile can literally take ages to complete.

The simplest approach would be to attach the firewall directly to a second NIC on the Windows 2003 server and let Windows handle the internet traffic. The alternative is to alter the default router configuration in Microsoft's DHCP server or manually set this value in the workstations' IP properties.

Gordon

Boris wrote:
[...snip...]

From: Bob G. <ban...@ms...> - 2008-09-05 14:22:28

> Gordon writes:
>
> ...If you run Windows 2003 Server as a domain-controller for Windows XP or
> Vista workstations then the Windows 2003 server *has* to be the DNS
> server and possibly DHCP as well...

True, but the fact is that if you run Windows 2003 *SBS* (Small Business Server) *at all*, then it *must* be the primary domain controller for your one (and only) Windows domain. Otherwise it's not "SBS": you can't use SQL Server, Exchange, SharePoint, etc.

Running an SBS network behind a leaf/bering firewall is a great idea, and easy to do without changing the standard SBS configuration in any way.

~Bob

From: Trev P. <tr...@ad...> - 2008-09-05 15:00:14

Hello,

For Active Directory (AD) to work you need a DNS server that accepts dynamic changes. BIND can be configured to do this but it is not trivial. I'm not sure if DJBDNS (tinyDNS or DNScache) can be configured to do this. DNS is the heart of how AD gives information on which server is the Kerberos server, LDAP server, Global Catalog Server (if you have more than one Domain Controller), etc. This is accomplished by adding special records in DNS. If the DNS server does not handle these updates properly you will have a lot of problems. Most AD problems are caused by incorrectly configured DNS. The simplest and easiest way to have AD work correctly is to install your domain controller as the DNS server.

DHCP is another story. The router can remain the DHCP server if you wish but it must give out the correct DNS server address for AD to function.

Hope this helps,

On Fri, 2008-09-05 at 12:02 +0200, Gordon Bos wrote:
[...snip...]

--
Trev Peterson
Advanced Reality
Email: tr...@ad...
Phone: +1 847 406 9018

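Trev's point that AD clients locate the Kerberos and LDAP servers through special DNS records can be turned into a concrete check of whatever resolver DHCP hands out: the DC locator SRV names `_ldap._tcp.dc._msdcs.<domain>` and `_kerberos._tcp.dc._msdcs.<domain>` must resolve there, or logons crawl and the AD/DNS errors above appear. The Python below is an added example, not code from the thread or from LEAF; it assumes a constructed domain `example.local` and whatever resolver address you pass in, builds and parses the SRV query by hand (standard library only, so it runs on a stock interpreter), and includes a constructed reply so the parser can be exercised offline.

```python
import socket
import struct
from contextlib import suppress

def build_srv_query(name, txid=0x1234):
    # Standard 12-byte header, one question, recursion desired; QTYPE 33 = SRV, QCLASS 1 = IN
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split(".")) + b"\0"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 33, 1)

def read_name(msg, off, hops=0):
    # Decode a possibly compressed name; returns (name, offset just after it in msg)
    ln = msg[off]
    if ln & 0xC0 == 0xC0:                        # compression pointer (RFC 1035 4.1.4)
        if hops > 16: raise ValueError("compression loop")   # malformed reply: refuse to spin
        return read_name(msg, ((ln & 0x3F) << 8) | msg[off + 1], hops + 1)[0], off + 2
    if ln == 0:
        return "", off + 1
    rest, end = read_name(msg, off + 1 + ln, hops)
    return msg[off + 1:off + 1 + ln].decode() + ("." + rest if rest else ""), end

def parse_srv_answers(msg):
    """Return [(priority, weight, port, target)]; [] when RCODE signals an error."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                           # NXDOMAIN, SERVFAIL, REFUSED ...
        return []
    off = 12
    for _ in range(qd):                          # skip the echoed question(s)
        off = read_name(msg, off)[1] + 4
    out = []
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 33:                          # SRV rdata: priority, weight, port, target
            prio, weight, port = struct.unpack("!HHH", msg[off + 10:off + 16])
            out.append((prio, weight, port, read_name(msg, off + 16)[0]))
        off += 10 + rdlen
    return out

# AD clients must resolve these two DC locator names to find a domain controller; query the
# resolver clients really use (the one DHCP hands out). [] means it cannot lead them to the DC.
def check_ad_dns(resolver_ip, domain, timeout=2.0):
    found = {p + domain: [] for p in ("_ldap._tcp.dc._msdcs.", "_kerberos._tcp.dc._msdcs.")}
    for name in found:                           # entry stays [] on timeout or unreachable resolver
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s, suppress(OSError):
            s.settimeout(timeout)
            s.sendto(build_srv_query(name), (resolver_ip, 53))
            found[name] = parse_srv_answers(s.recv(4096))
    return found

def constructed_reply(name):
    """Constructed sample reply (not a capture): NOERROR plus one SRV answer dc1.<domain>:389.
    0xC00C points at the question name, 0xC021 at its '<domain>' labels (offset 33 here)."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    rdata = struct.pack("!HHH", 0, 100, 389) + b"\x03dc1" + b"\xc0\x21"
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 33, 1, 600, len(rdata)) + rdata
    return hdr + build_srv_query(name)[12:] + rr
```

Run `check_ad_dns("<resolver-ip>", "<your-ad-domain>")` once against the DC's own DNS and once against the LEAF box's: a name that answers on the first but not the second shows exactly where a cascade or forwarder is missing.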
From: Boris <bo...@ca...> - 2008-09-09 19:39:34

Hej all, hej list,

first let me thank you all for your thoughts in my case. What did I do? I hard-coded the server's IP into the leaf-box's /etc/resolv.conf and have a kind of DNS-cascade through the leaf-box now. This is a second choice after making the leaf-box secondary dns-server for the server, primary the server itself, but it let me understand a bit how it works and it seems to work. And it was quickly done without touching the server.

Thanks again,

Boris

Trev Peterson wrote:
[...snip...]
