
Second AD Server not providing Internet

Solved by leadeater


OK so I'm not sure if I'm just confused on this concept or what's going on but I have 2 servers with the following roles installed:

 

Main Server - Windows Server 2008 R2 (08SRV)

  • Active Directory Domain Services
  • DHCP
  • DNS
  • IIS
  • File and Storage Services

Backup Server - Windows Server 2012 R2 (WS2012)

  • Active Directory Domain Services
  • DNS
  • IIS
  • File and Storage Services

So my original plan was to use WS2012 as a backup server in case 08SRV went down (like if I needed to restart it) so that we could still log in to the domain as well as use the internet. Everything seems to be set up correctly as I'm not showing any issues in Server Manager, but I went to restart 08SRV last night after installing Windows Updates and immediately lost internet to all the computers. Do I need to have the DHCP role installed on the backup server, or am I missing something?

 


It sounds like you lost DNS. Have you got both DNS servers (AD members) specified in your router configuration?



Start down the TSing tree:

-Are client computers getting good IP addresses?

-can client computers ping the default gateway?

-can you ping an outside IP address, like 8.8.8.8 from client devices?

-are DNS lookups working from client devices?


Make sure you have your DHCP zones configured to give out both DNS server IP addresses else clients will only talk to one DNS server and if that goes offline no DNS services will be available hence no internet etc.

 

Post an output of ipconfig /all from one of the clients so we can check the configuration they are actually getting.


Also, yes, you should have DHCP on both servers set up in split-scope. Split-scope is important: it needs to be that and not just two DHCP servers handing out IP addresses of the same range on the same subnet, else you'll have duplicate IP addresses and clients breaking.


50 minutes ago, G33kman said:

OK so I'm not sure if I'm just confused on this concept or what's going on but I have 2 servers with the following roles installed:

 

Main Server - Windows Server 2008 R2 (08SRV)

  • Active Directory Domain Services
  • DHCP
  • DNS
  • IIS
  • File and Storage Services

Backup Server - Windows Server 2012 R2 (WS2012)

  • Active Directory Domain Services
  • DNS
  • IIS
  • File and Storage Services

So my original plan was to use WS2012 as a backup server in case 08SRV went down (like if I needed to restart it) so that we could still log in to the domain as well as use the internet. Everything seems to be set up correctly as I'm not showing any issues in Server Manager, but I went to restart 08SRV last night after installing Windows Updates and immediately lost internet to all the computers. Do I need to have the DHCP role installed on the backup server, or am I missing something?

 

If the two servers have different IP addresses then DHCP services will have to be enabled on both for all the network clients to re-associate what their default gateway is. If it doubles as a domain server then you won't be able to log in to the domain without that server's IP saved in every host, but only one default gateway can be configured at a time for a single network interface. So I think DHCP needs to be on both. You'll have to configure the two servers in some way though to prevent duplicate addresses.


OK so that's a good amount of information to go off of! Lol I will look into these options and see what I can make work.

Thank you everyone for your input I appreciate it!


1 minute ago, Windows7ge said:

If the two servers have different IP addresses then DHCP services will have to be enabled on both for all the network clients to re-associate what their default gateway is. If it doubles as a domain server then you won't be able to log in to the domain without that server's IP saved in every host, but only one default gateway can be configured at a time for a single network interface. So I think DHCP needs to be on both. You'll have to configure the two servers in some way though to prevent duplicate addresses.

Default gateway and Active Directory aren't really related, Active Directory relies on DNS to work. When you join a computer to a domain it does a DNS lookup for the FQDN which will resolve to multiple IP addresses, one for each Domain Controller.

 

Once a computer is part of an Active Directory domain it is actually aware of each Domain Controller and will be able to authenticate to any one of them even if one goes down.

 

A default gateway isn't actually required at all if the computers are on the same subnet as the domain controller. Default gateways are exclusively for network routing, which is typically required as servers are normally on their own subnet, but that shouldn't be confused with a requirement for Active Directory to function.


2 minutes ago, leadeater said:

Default gateway and Active Directory aren't really related, Active Directory relies on DNS to work. When you join a computer to a domain it does a DNS lookup for the FQDN which will resolve to multiple IP addresses, one for each Domain Controller.

 

Once a computer is part of an Active Directory domain it is actually aware of each Domain Controller and will be able to authenticate to any one of them even if one goes down.

 

A default gateway isn't actually required at all if the computers are on the same subnet as the domain controller. Default gateways are exclusively for network routing, which is typically required as servers are normally on their own subnet, but that shouldn't be confused with a requirement for Active Directory to function.

So even if 08SRV goes down as of right now I should still be able to authenticate logins through WS2012. I'm just not able to use WS2012 for a backup connection to the internet yet. Did I understand that correctly?


2 minutes ago, G33kman said:

So even if 08SRV goes down as of right now I should still be able to authenticate logins through WS2012. I'm just not able to use WS2012 for a backup connection to the internet yet. Did I understand that correctly?

Correct, I suspect the issue is just your DHCP server configuration.

 

Edit:

But only if the client has cached the IP address of the other DC else if it needs to do an IP lookup and it's only configured with a single DNS server it'll fail at everything.


OK I will look at the settings for DHCP on 08SRV and see if I need to do anything there. So I shouldn't need to add the DHCP role to WS2012?


@G33kman

 

Here's a screenshot of my lab configuration, 172.16.4.1 and 172.16.14.1 are my Domain Controllers. Here I have set in the global server options to hand out to every DHCP client those DNS server IP addresses.

 

[Screenshot: MDIi1H.jpg]

 

Edit:

Just be careful when using the global options over the scope options: in larger networks that span multiple cities you'll want to control the DNS servers at the scope level, not the global level.
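The same configuration done from PowerShell, as an added example (this is not leadeater's own setup, which is in the screenshot): it sets option 006 at the scope level with both DCs, checks what the scope will actually hand out, and adds the exclusion ranges that make the split-scope from the earlier post safe. It assumes the DhcpServer module (Windows Server 2012 or later; the 2008 R2 box would use netsh, shown in a comment), leadeater's lab addresses 172.16.4.1, 172.16.14.1 and gateway 172.16.4.254, and a constructed 172.16.4.0/24 scope split 80/20 between 08SRV and WS2012.

```powershell
# Added example (not the thread's configuration). Needs the DhcpServer module
# (Server 2012 R2 / RSAT). DNS servers and gateway are leadeater's lab values;
# the 172.16.4.0/24 scope and its 80/20 split are constructed for illustration.
$ScopeId    = [ipaddress]'172.16.4.0'
$DnsServers = '172.16.4.1', '172.16.14.1'   # one entry per domain controller

# 1. Option 006 at SCOPE level: every lease in this scope carries both DNS
#    servers, so clients survive the loss of either DC. Scope level (not the
#    server-wide options) lets a multi-site network point each scope at its
#    local DCs. Run on each DHCP server that serves the scope.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $DnsServers `
    -Router '172.16.4.254' -DnsDomain 'ad.lab.lan' -Force

# 2. Check what the scope will really hand out before touching any client.
$opt6 = Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 6
if (-not $opt6 -or $opt6.Value.Count -lt 2) {
    Write-Warning "Scope $ScopeId offers fewer than two DNS servers; clients lose name resolution if that DC fails."
} else {
    "Scope $ScopeId DNS servers: $($opt6.Value -join ', ')"
}

# 3. Split-scope: BOTH servers define the same 172.16.4.0/24 scope with the
#    same options, but each excludes the addresses the other one leases, so
#    no address can be handed out twice.
function New-SplitScopeExclusion {
    param([ValidateSet('Primary', 'Secondary')][string]$Role)
    # Primary (08SRV) leases .11-.200 and excludes the secondary's .201-.250;
    # secondary (WS2012) leases .201-.250 and excludes the primary's .11-.200.
    $exclude = if ($Role -eq 'Primary') { '172.16.4.201', '172.16.4.250' }
               else                     { '172.16.4.11',  '172.16.4.200' }
    Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId `
        -StartRange $exclude[0] -EndRange $exclude[1]
}
# On 08SRV:  New-SplitScopeExclusion -Role Primary
# On WS2012: Add-DhcpServerv4Scope -Name 'LAN' -StartRange 172.16.4.11 -EndRange 172.16.4.250 `
#                -SubnetMask 255.255.255.0 -State Active
#            then step 1 above, then New-SplitScopeExclusion -Role Secondary

# Windows Server 2008 R2 has no DhcpServer module; the equivalent of step 1 is:
#   netsh dhcp server scope 172.16.4.0 set optionvalue 006 IPADDRESS 172.16.4.1 172.16.14.1
```

Clients only pick up the new option 006 value when they renew, so after this change run ipconfig /renew on the test client before rebooting the primary DC.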


5 minutes ago, G33kman said:

OK I will look at the settings for DHCP on 08SRV and see if I need to do anything there. So I shouldn't need to add the DHCP role to WS2012?

You don't have to, no. Clients hold their IP addresses once they are given them for the configured lease time; only new computers that boot up during the outage of the DHCP server will fail to get an IP address.


Yeah I was confused why they were losing connection if it was a DHCP problem since they shouldn't have had to request a new IP unless a new machine requested one or the lease time expired.

Here are my settings; the red text is the WS2012 IP that I will be adding.

[Screenshot: Untitled-2.jpg]


2 minutes ago, G33kman said:

Yeah I was confused why they were losing connection if it was a DHCP problem since they shouldn't have had to request a new IP unless a new machine requested one or the lease time expired.

Here are my settings; the red text is the WS2012 IP that I will be adding.

[Screenshot: Untitled-2.jpg]

Should be all sorted now, just need to schedule a time to actually test it since proof is in the pudding :)


Lol well since I'm the only one in the office right now I'm thinking this sounds like the perfect time! I'll give it a try and see.


2 minutes ago, G33kman said:

Lol well since I'm the only one in the office right now I'm thinking this sounds like the perfect time! I'll give it a try and see.

You'll need to test it on a client that you've run ipconfig /renew on before rebooting/shutting down the primary DC else it won't have the new configuration.


Well it seemed to work. At first it didn't but I went into the adapter IPv4 settings on my computer and set the preferred DNS to the 08SRV and Alternate DNS to WS2012 and then it connected to the internet just fine. I still wasn't able to remote into the 08SRV for a few minutes so I know it wasn't working through that. SO... I would assume that it's working now. Lol

So I'm guessing just go through to each machine and set the same settings in the adapter IPv4 DNS and I should be good to go?

Does that make sense?


1 minute ago, G33kman said:

Well it seemed to work. At first it didn't but I went into the adapter IPv4 settings on my computer and set the preferred DNS to the 08SRV and Alternate DNS to WS2012 and then it connected to the internet just fine. I still wasn't able to remote into the 08SRV for a few minutes so I know it wasn't working through that. SO... I would assume that it's working now. Lol

So I'm guessing just go through to each machine and set the same settings in the adapter IPv4 DNS and I should be good to go?

Does that make sense?

Nah they'll get the DNS setting required once they refresh their DHCP leases, they'll do that after a reboot or after a few hours/days depending on your lease time configuration etc. You won't need to manually configure anything, that is what DHCP is for after all :).


26 minutes ago, leadeater said:

Default gateway and Active Directory aren't really related, Active Directory relies on DNS to work. When you join a computer to a domain it does a DNS lookup for the FQDN which will resolve to multiple IP addresses, one for each Domain Controller.

 

Once a computer is part of an Active Directory domain it is actually aware of each Domain Controller and will be able to authenticate to any one of them even if one goes down.

 

A default gateway isn't actually required at all if the computers are on the same subnet as the domain controller. Default gateways are exclusively for network routing, which is typically required as servers are normally on their own subnet, but that shouldn't be confused with a requirement for Active Directory to function.

So essentially the default gateway is the name of the domain that all the computers are on. If one domain controller goes down, all the computers should automatically be able to make requests to/from the backup domain server if it has the same configuration as the primary one?


Oh even better! Well it looks like I am all set!

Thanks for your help with this guys. I really appreciate it.


Just now, Windows7ge said:

So essentially the default gateway is the name of the domain that all the computers are on. If one domain controller goes down, all the computers should automatically be able to make requests to/from the backup domain server if it has the same configuration as the primary one?

Default gateway is just the IP address of a router, totally independent of anything to do with Active Directory.

 

My domain in my lab is ad.lab.lan and here is the DNS lookup output for that:

 

H:\>nslookup ad.lab.lan
Server:  hmn-dc01.internal.t-guides.info
Address:  10.1.10.1

Non-authoritative answer:
Name:    ad.lab.lan
Addresses:  172.16.14.1
          172.16.4.1

 

Here you can see that the FQDN of my domain resolves to two IP addresses, 172.16.4.1 and 172.16.14.1. My default gateways for those networks are 172.16.4.254 and 172.16.14.254; they are networking devices, specifically a FortiGate 60D (172.16.4.254) and a Ubnt ERLite-3 (172.16.14.1). My two domain controllers are actually located in different buildings across the city.
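From the client side, the redundancy described in this thread can be checked in PowerShell rather than by reading ipconfig /all and nslookup by eye; this is an added example, not leadeater's commands. It assumes a domain-joined Windows 8 / Server 2012 or later client with the DnsClient module, uses the lab domain ad.lab.lan from the post above, and goes one step beyond the A-record lookup shown there by also querying the _ldap._tcp.dc._msdcs SRV record that the Windows DC locator actually uses.

```powershell
# Added example (not from the thread). Run on a domain-joined client.
# Domain name is leadeater's lab domain; needs the DnsClient module (Win 8 / 2012+).
$Domain = 'ad.lab.lan'

# (a) Which DNS servers DHCP actually gave this client (the data behind ipconfig /all).
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
       Where-Object { $_.ServerAddresses } |
       ForEach-Object { $_.ServerAddresses } | Select-Object -Unique
if (@($dns).Count -lt 2) {
    Write-Warning "Only one DNS server configured ($dns): if that DC goes down, every lookup fails."
}

# (b) Ask EACH configured server for the domain's A records. Every DC registers
#     one, so a healthy answer lists all DCs no matter which server replied.
foreach ($server in $dns) {
    try {
        $dcs = Resolve-DnsName -Name $Domain -Type A -Server $server -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
        '{0,-15} answers: {1}' -f $server, ($dcs -join ', ')
    } catch {
        Write-Warning "DNS server $server did not answer for $Domain : $($_.Exception.Message)"
    }
}

# (c) The DC locator finds controllers through this SRV record (each DC registers
#     its own hostname and LDAP port 389 here), then resolves each NameTarget.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight
```

If (b) succeeds against one server but not the other, the client will still work only while the answering DC is up, which is exactly the failure the original poster saw.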

 


1 minute ago, G33kman said:

Oh even better! Well it looks like I am all set!

Thanks for your help with this guys. I really appreciate it.

Awesome, now who do I send the bill to? /jk


Lol send it right to me! Just make sure you double the amount and add a few extra hours in to make it worth your time! xD


4 minutes ago, leadeater said:

Default gateway is just the IP address of a router, totally independent of anything to do with Active Directory.

 

My domain in my lab is ad.lab.lan and here is the DNS lookup output for that:

 

H:\>nslookup ad.lab.lan
Server:  hmn-dc01.internal.t-guides.info
Address:  10.1.10.1

Non-authoritative answer:
Name:    ad.lab.lan
Addresses:  172.16.14.1
          172.16.4.1

 

Here you can see that the FQDN of my domain resolves to two IP addresses, 172.16.4.1 and 172.16.14.1. My default gateways for those networks are 172.16.4.254 and 172.16.14.254; they are networking devices, specifically a FortiGate 60D (172.16.4.254) and a Ubnt ERLite-3 (172.16.14.1). My two domain controllers are actually located in different buildings across the city.

 

I have a basic understanding of what a DNS server does (Domain Name Service/Server, looks up the public IP address associated with a particular website URL) but I'll have to do some research on how Active Directory correlates to that because I'm just not quite wrapping my head around your explanation. I have a rather bad learning curve and it doesn't help I picked computers/computer networking as a career. Thanks for trying to clarify it for me though.
