Title: Other people's public domain names in internal Active Directories
It's not all that uncommon for people to have internal names that they don't publicly own.  This sounds like DNS configuration problems to me.
 
If their DC/GC is their ISA box, are they running SBS (if premium, that would explain it, since ISA is included with SBS Premium)? They have the added potential problem of exposing their internal DNS to the Internet, which is potentially a big security risk.  At the very least, secure transfers should be in place to ensure no one dumps the internal DNS names.  As you have alluded to, ISA on a DC should probably be changed (unless, like many small companies, that DC/GC/ISA box is the only server in the org).
 
If you suspect DNS - try running DNSLINT against the domain and see what it returns - that might give you some hints if it's a DNS issue (or could point to the problem!).  My guess is they have DNS confused between internal and external and simply didn't realize it.
 
When you say "LDAP errors that hint at DNS" - can you tell us exactly what those errors are?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Schorr
Sent: Thursday, September 16, 2004 3:54 AM
To: NT System Admin Issues; [EMAIL PROTECTED]
Subject: [ActiveDir] Other people's public domain names in internal Active Directories

Ran into an interesting situation this week, a client who had a previous consultant set up their small AD and the previous guy assigned it the domain name "honolulu.com" which is, of course, a domain name out in the world.  Problem is…it's not their domain name.  They have two servers - 1 Exchange server and a GC/DC which also (against my advice) is their ISA server.  The GC/DC is Win2000, the Exchange runs Win2K3.

Their Exchange server is having difficulty starting up, LDAP errors that hint at DNS problems and I'm wondering if the issue is that internal domain name.  The event viewer is full of MSADC errors that say the LDAP server is down.  I suspect that maybe it's trying to connect to the LDAP server at the public honolulu.com domain.

Their internal DNS seems properly configured and does correctly list their DC/GC server.  We can ping the DC/GC from the Exchange server by name or IP address.  But Netdiag's DNS tests fail when run on the DC/GC server.

If we start the Exchange server it basically hangs at the "Applying Computer Settings" stage.  None of the Exchange services start up, due to the LDAP errors, apparently.

I've been Googling but I have a feeling I'm looking in the wrong places.

Any thoughts?

-Ben-
Ben M. Schorr
Operations Coordinator
Stockholm/KSG - Honolulu
Phone: (808) 535-1500
Mobile: (808) 351-5084


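The two checks the reply suggests (is the internal AD name also someone else's public domain, and can an outsider dump the internal zone by transfer) can be scripted. The following is an added example written for this page, not code from either poster; it uses the modern DnsClient and DnsServer cmdlets (Windows 8/2012 or later, so it would not have run on the Win2000 DC in the thread), and the internal DNS address, the public resolver and the `-Fix` switch are assumptions for illustration.

```powershell
# Added example (not from the thread): detect an AD namespace that collides with a
# public domain, find DNS clients pointed at outside resolvers, and flag/fix zones
# that allow transfer to any host. Run on the DC for the zone checks.
param(
    [string]$AdDomain       = 'honolulu.com',  # internal AD DNS name from the thread
    [string]$InternalDns    = '192.168.1.10',  # ASSUMED: the DC/GC that hosts internal DNS
    [string]$PublicResolver = '8.8.8.8',       # a resolver that only sees public DNS
    [switch]$Fix                               # ASSUMED: actually tighten zone transfers
)

function Resolve-Quiet {
    # Resolve-DnsName throws on NXDOMAIN; return an empty array instead.
    param([string]$Name, [string]$Type, [string]$Server)
    try {
        Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop
    } catch { @() }
}

function Test-AdNamespaceCollision {
    # Compare what the internal DNS says about the AD name with what the Internet says.
    $srvName = "_ldap._tcp.dc._msdcs.$AdDomain"
    $internalSrv = Resolve-Quiet -Name $srvName -Type SRV -Server $InternalDns
    $internalA   = Resolve-Quiet -Name $AdDomain -Type A -Server $InternalDns |
                   Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
    $publicA     = Resolve-Quiet -Name $AdDomain -Type A -Server $PublicResolver |
                   Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress

    if (-not $internalSrv) {
        Write-Warning "Internal DNS has no DC locator record $srvName; domain members cannot find a DC."
    } else {
        "DC locator via internal DNS: " + (($internalSrv | Where-Object Type -eq 'SRV').NameTarget -join ', ')
    }
    if ($publicA) {
        Write-Warning ("'{0}' is a live public domain ({1}). Any client using an outside resolver " +
                       "will send LDAP/Kerberos for the AD to someone else's servers.") -f $AdDomain, ($publicA -join ', ')
        if ($internalA -and -not (Compare-Object $internalA $publicA)) {
            "Internal and public A records agree; the namespace is at least consistent."
        }
    } else {
        "'$AdDomain' does not resolve publicly; no split-brain exposure from outside resolvers."
    }
}

function Test-DnsClientPointsOutside {
    # An Exchange box whose NIC lists the ISP's DNS (not the DC) resolves the AD name publicly.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses -and ($_.ServerAddresses -notcontains $InternalDns) } |
        ForEach-Object {
            Write-Warning ("Interface '{0}' uses DNS servers {1}; it should point at the internal DC ({2})." -f
                           $_.InterfaceAlias, ($_.ServerAddresses -join ', '), $InternalDns)
        }
}

function Test-ZoneTransferExposure {
    # Primary zones that allow 'TransferAnyServer' let anyone AXFR every internal hostname.
    if (-not (Get-Module -ListAvailable -Name DnsServer)) {
        "DnsServer module not present; run this part on the DNS server itself."
        return
    }
    Import-Module DnsServer
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            if ($_.SecureSecondaries -eq 'TransferAnyServer') {
                Write-Warning ("Zone {0} allows zone transfer to ANY host." -f $_.ZoneName)
                if ($Fix) {
                    # Only the servers in the zone's own NS records may pull it (use NoTransfer if there are none).
                    Set-DnsServerPrimaryZone -Name $_.ZoneName -SecureSecondaries TransferToZoneNameServer
                    "  -> restricted to zone name servers"
                }
            } else {
                "Zone {0}: transfers = {1}" -f $_.ZoneName, $_.SecureSecondaries
            }
        }
}

Test-AdNamespaceCollision
Test-DnsClientPointsOutside
Test-ZoneTransferExposure
```

Run it first without `-Fix` to see which zones and interfaces it flags; the transfer change is the only thing it alters, and `TransferToZoneNameServer` is the conservative default when you do not know whether any secondaries exist. Note that even with the internal zone correct, the first check only tells you the collision exists; renaming the forest (or living with a split namespace that is never reachable from outside resolvers) is the actual fix for a domain you do not own.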