How to reference a Domain Controller out of the Local Network?

2

We have multiple servers scattered over different hosting providers. For learning, experimenting and, ultimately, production purposes, I set one of them as a Domain Controller.

That went well, most of our services are now authenticating via AD, which helps us a lot.

What I want to do now is to simplify the authentication for the multiple servers, by making each of them look at the Domain Controller. This way, our Devs can log into (Remote Desktop) the multiple servers with the same credentials from AD.

I know I have to configure each server to look at the Domain Controller.

But when I try to add the Domain Controller to the Computer, it cannot find it, although the Domain Controller address is a valid, reachable internet sub-domain (as in "ad.ourcompany.com").

enter image description here

This is the detailed error message:

Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller for domain ad.ourcompany.com:

The error was: "DNS name does not exist." (error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.ad.ourcompany.com

Common causes of this error include the following:

  • The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

    109.188.207.9

    109.188.207.10

  • One or more of the following zones do not include delegation to its child zone:

    ad.ourcompany.com

    ourcompany.com com

    . (the root zone)

For information about correcting this problem, click Help.

What am I missing?

I'm an experienced Dev, but a newbie Sysdamin experimenting with new stuff.

Disclaimer

All IP addresses and domains/subdomains were changed to preserve security. If by any chance you still can see private information, please let me know so that I can change it.

active-directory
subdomain
domain-controller
asked on Server Fault Aug 29, 2012 by Adriano Carneiro • edited Aug 30, 2012 by Michael Hampton

4 Answers

6

For the love of God, don't have Domain Controllers that are accessible over the internet. That's begging for a catastrophe. You need to set up site-to-site VPNs between your sites, and make sure your subnet/subdomain on which AD is located is NOT accessible other the internet through anything but a VPN.

In IPv4, that means your Domain Controllers, (and your whole internal network as well) should have a privately routed address such as 10.x.x.x 192.168.x.x or 172.16-31.x.x, and not start with a publicly routed octet like 109.

DO NOT just go punching holes in your firewalls to make this work, please.

answered on Server Fault Aug 30, 2012 by HopelessN00b
5

The clue is in the error message, the servers that you plan to join to the domain need to use the DNS servers that hold your AD DNS zone as their DNS servers. It looks like they're using some public DNS servers, which I'm guessing are not the DNS servers holding your AD DNS zone.

answered on Server Fault Aug 29, 2012 by joeqwerty
0

joeqwerty is spot on.

For the pc to join the domain, it looks up SRV records. If the clients are at the same site as the DC, change DNS on the clients to point to your DC, otherwise follow the details below.

I'm guessing the ad in ad.ourcompany.com is the hostname for your DC? If so, you should try and join the domain without putting the ad. part - specify the domain only.

It sounds like you only have the A record set up for your server. The client pc first looks for _ldap._tcp.dc._msdcs.ourcompany.com which should then point to ad.ourcompany.com. (or yourdc.ad.ourcompany.com)

If you create this SRV record accessible on the public internet, then this should eliminate this error. Also check DNS on your DC for the other relevant SRV records which your AD setup requires.

However for security reasons, my preference would be to set up a local DNS server at the site(s) your client PC's are based at which hold the relevant SRV records so these are not available to all and sundry.

answered on Server Fault Aug 29, 2012 by Robin Gill
-3

Remove all the DNS server entries from your IPv4 network configuration. Then add your dns server IPv4 address as the only one. Also may need to flush dnscache.

answered on Server Fault Dec 20, 2014 by user260680

User contributions licensed under CC BY-SA 3.0