How do I connect to an AD domain controller in Azure? - azure

I'm working through an Azure tutorial on MSDN as suggested by #BrentDaCodeMonkey. Basically, I'm trying to learn how to set up a Windows domain, so I can use it for some other SQL Server tutorials. See my previous question here.
I'm running into a problem where I cannot connect my servers to my Active Directory Name Controller. When I try to add my domain name to the server in System Properties, I get an error message instead of the Windows Security popup dialog.
An Active Directory Name Controller (AD DC) for the domain "corp.ejm.com" could not be contacted. Ensure that the domain name is typed correctly. [...] The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Name Controller (AD NC) for domain "corp.ejm.com"; The error was: "This operation returned because the timeout period expired."
Note that I am able to verify the DC's IP address, with nslookup in the command prompt.
Complicating this issue is that the tutorial instructions don't exactly match what I'm seeing in Azure. For example, I'm not allowed to use Windows Server 2008 R2 SP1 when setting up SQL Server virtual machines. I had to use Windows Server 2012 for those, but still used 2008 for the DC. I thought that the problem might be conflicting operating systems, so I tried running the tutorial again using Windows Server 2012 for everything. Same error message.
Also note: the tutorial says that I should use the example domain, corp.contoso.com. I used my own example domain instead, corp.ejm.com. I'm wondering if this has something to do with it. My example domain is not registered on the Internet.

Connect to the DC VM and find out its IP address (10.*).
Go to the virtual network configuration and set the DNS server IP address to that.
Also make sure you use this IP address during step #8 in the install SQL VMs section.
Now try joining the SQL VMs to the domain.
Hope this helps.
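The answer above boils down to "the joining VM must be able to resolve the AD SRV records, and it only can if its DNS server is the DC". The following PowerShell script is an added example, not part of the original answer, that checks exactly those preconditions from the VM that is about to be joined. The domain name comes from the question; the DC's private IP is a constructed placeholder.

```powershell
# Added example (not from the original answer): pre-flight check for a domain join.
# $DcIp is a constructed placeholder; replace it with the DC VM's private address.
$Domain = 'corp.ejm.com'   # AD DNS domain from the question
$DcIp   = '10.0.0.4'       # placeholder: private IP of the DC VM

# 1. Which DNS servers does this VM actually use? For a domain join they should point at
#    the DC. Azure's default resolver (168.63.129.16) knows nothing about the AD zone, so
#    the _msdcs SRV lookup times out exactly as the question's error message describes.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique
"Configured DNS servers: $($dnsServers -join ', ')"
if ($dnsServers -notcontains $DcIp) {
    Write-Warning "The DC ($DcIp) is not a configured DNS server; set it on the VNet and renew the DHCP lease."
}

# 2. The join wizard locates a DC through the _ldap SRV record, not through an A record,
#    which is why 'nslookup <dc-name>' succeeding does not prove the join will work.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop
    $srv | Where-Object Type -eq 'SRV' | Format-Table Name, NameTarget, Port, Priority
} catch {
    Write-Warning "SRV lookup for $srvName failed: $($_.Exception.Message)"
    # Ask the DC's own DNS directly to separate 'wrong resolver' from 'zone missing on the DC'.
    Resolve-DnsName -Name $srvName -Type SRV -Server $DcIp -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV' | Format-Table Name, NameTarget, Port
}

# 3. Ports the join needs, in case a network security group between subnets blocks them.
foreach ($port in 53, 88, 135, 389, 445, 464) {
    $r = Test-NetConnection -ComputerName $DcIp -Port $port -WarningAction SilentlyContinue
    '{0,5}  {1}' -f $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}
```

If step 2 fails against the configured resolver but succeeds with -Server pointed at the DC, the fix is the one the answer gives: make the DC the VNet's DNS server. If it fails both ways, the problem is on the DC itself (its DNS zone or Net Logon registration), not on the joining VM.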

Related

Azure hybrid connections "No such host is known"

I have a simple Asp.Net Core Azure Web App that needs to make a http get request to an on-premise Rest service. This Rest service is hosted on IIS with bindings set only for port 443. I've setup a new Hybrid Connection in Azure and added it to the Web App. At the on-prem side, I've installed Hybrid Connection Manager and entered the connection string for the Hybrid Connection - this now shows as "Connected".
Problem is, when executing the line of code that makes the get request, the following error is thrown:
System.AggregateException: One or more errors occurred. (No such host is known) ---> System.Net.Http.HttpRequestException: No such host is known ---> System.Net.
There's an interesting blog post here: Microsoft Blog which states that the connections should be set up without using the fully qualified domain name (FQDN) - server name suffixed with organisation.co.uk. However, as far as I can tell, the SSL certificate for the Rest service requires the FQDN - otherwise it presents the error
There is a problem with this website’s security certificate
Does anyone know how to troubleshoot and work around this problem?
The first error is probably a DNS issue. As that blog mentioned:
If you are using a fully-qualified domain name, you need to ensure that it's a name that can be resolved within your local network. (In some cases, customers are running DNS in the local network, and it's that local DNS service that resolves the name.)
So, if you have to use an FQDN in the connection string for the Hybrid Connection, you could use an FQDN that can only be resolved by the local DNS service.
Alternatively, you could try to edit the hosts file so that the DNS lookup is resolved inside the on-premise network. Add a line to the Rest service server's hosts file (located in %WINDIR%\system32\drivers\etc) mapping the IIS server's IP to a name.
For example:
192.168.0.50 serverFQDN
For more details, refer to this.
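The hosts-file workaround in the answer is easy to get wrong by hand (a stale duplicate line for the same name, or a file saved with the wrong encoding). The function below is an added example, not the answer's own code: it replaces any existing active mapping for the name, keeps a backup, and verifies the result with a resolver that honours the hosts file. The IP and host name in the usage line are the answer's example values.

```powershell
# Added example (not from the original answer): add or refresh a hosts entry idempotently,
# so the FQDN the certificate was issued for resolves to the on-premises IIS address.
function Set-HostsEntry {
    param(
        [Parameter(Mandatory)][ipaddress]$IPAddress,
        [Parameter(Mandatory)][string]$HostName,
        [string]$Path = "$env:WINDIR\System32\drivers\etc\hosts"
    )
    # Keep a copy before editing; the hosts file has no undo.
    Copy-Item -Path $Path -Destination "$Path.bak" -Force

    $lines = @(Get-Content -Path $Path -ErrorAction Stop)

    # Drop any active (non-comment) line that already maps this name, so a stale address
    # does not silently take precedence over the new one. Comment lines are left alone.
    $pattern = "^\s*[0-9A-Fa-f:.]+\s+.*\b$([regex]::Escape($HostName))\b"
    $kept = @($lines | Where-Object { $_ -notmatch $pattern })
    $kept += "$IPAddress`t$HostName"

    # Write back as ASCII with Windows line endings.
    Set-Content -Path $Path -Value $kept -Encoding Ascii

    # Verify through the .NET resolver, which consults the hosts file like HttpClient does.
    [System.Net.Dns]::GetHostAddresses($HostName) |
        Select-Object -ExpandProperty IPAddressToString
}

# Usage (run from an elevated prompt; values are the answer's example):
# Set-HostsEntry -IPAddress 192.168.0.50 -HostName serverFQDN
```

The name you map should be exactly the subject or SAN name on the service certificate, so that the TLS hostname check passes while the address still resolves to the on-premises server only.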

Can local workstations connect to an Azure-hosted domain controller over the internet?

Can I migrate my domain into Azure and still allow local workstations to join that domain? I currently have a setup of 7 workstations and 1 server. I'd like to move the server into Azure. It's the domain controller, DNS, AD, and file server. Is my scenario possible? I would just like to make it seem as if the workstation doesn't know the difference other than that it's now connecting to a different server. The end user would still work as they used to as well. I've found a lot of info on joining other Azure VMs to an Azure-hosted domain controller, but nothing like I'm looking for. It's for a small business setup and I'm new to Azure, but instead of replacing aging server hardware, I'd rather move it to the cloud. If only certain services are possible, that's fine; the minimum requirement would be just being able to set up a domain. I can set up file services through other methods if need be. Thanks!
According to the Description of support boundaries for Active Directory over NAT, the Microsoft statement regarding Active Directory over NAT is:
Active Directory over NAT has not been tested by Microsoft. We do not recommend Active Directory over NAT. Support for issues related to Active Directory over NAT will be very limited and will reach the bounds of commercially reasonable efforts very quickly.
The problem is that as part of the connection sequence the AD server will send its local IP address for the client to connect to, so the client will attempt to connect to the address behind NAT.
The only way you can connect a client to an AD VM is to go through a virtual network. So as long as you had a site to site VPN your clients wouldn't notice any difference.

Configuring second DC on Microsoft Azure

I am trying to configure a platform for our developers on Microsoft Azure.
I have to configure a new domain with a one-way trust relationship with my main domain.
I created a Virtual Network with a VPN Tunnel, and successfully created my first DC and the new forest: rd.consoso.com (with my main domain being contoso.com).
When I try to add my second DC, I run into the famous DCPROMO Creating the NTDS Settings object error.
I tried the steps described here: https://support.microsoft.com/en-us/kb/2737935?wa=wsignin1.0 but couldn't solve the problem.
The local admin of the second DC is different from my Domain Admin.
I also tried to open the firewall as described here : https://technet.microsoft.com/en-us/library/hh472161.aspx?f=255&MSPPError=-2147217396#BKMK_KnownIssues
I tried to rename the second DC and change its IP
My VNet is configured with only the first DC as DNS server.
Both servers are WS2012R2 Datacenter
I can ping the servers from one another.
Any ideas on this?
Thanks.
OK, someone gave me a solution on another forum:
Deactivate IPv6 on both machines' network connections.
Deactivate the 6to4 adapter if active: netsh interface 6to4 set state disabled
And that's it !

Azure Point to site connection Error 80070057

I created my virtual network, gateway, and certificates. I uploaded my management certificate and created my VPN client. I successfully installed the VPN client. When I attempt to connect I get the following error:
"Custom script (to update your routing table) failed (80070057)."
Tried on 3 different computers (2 Windows 7 and 1 2008 R2).
I've been looking around and found that the connection is done if I delete the SetRoute part in the .cms file installed by the client (user\AppData\Roaming\Microsoft\Network\Connections\Cm\myConection\myConnection.cms); I then have to set manually all routes and gateways. It works but it's not what I need, because I need the installer.
Any ideas?
Check your firewall or the routing table on your router if you are using one, and try to connect from another location to see whether it is caused by your network architecture. If all is OK and the problem is not fixed, try another IP range in the Azure portal for your VPN subnet; sometimes it conflicts with your local network.

DHCP Server not Authorized

I have two Active Directory servers performing both authentication and DNS.
One server is 2003 and the other is 2008. It is my understanding that there is no primary Domain server in this scenario and that everything will replicate from 2003 to 2008 without issue.
I have a 3rd virtual 2008 server which has been performing DHCP for over 2 years without a problem.
It is now appearing that I cannot properly authorize DHCP (Red downward arrow).
When I attempt authorization, I do not get an error. It simply does not function and appears to not be authorized. I also tried netsh for authorization.
I have an error in the logs of the DHCP stating:
"The DHCP Service failed to see a directory server for Authorization"
One change that was made recently was that I tried to revive the old physical DHCP server for performing another service. I changed the IP and the Computer name before I networked it. I have since turned it off, but I believe that this is when the problem began.
What is the problem?
Additionally, is one of the AD servers more primary in the authorization of DHCP, or are they of equal authority?
Thanks
Note: I have removed all outdated entries regarding DHCP from DNS.
Also, forest functionality level is set to Windows 2000, though we have nothing on our network older than XP.
Your first domain controller in your network is the "primary" domain controller. The primary domain controller keeps 5 FSMO roles of the entire Active Directory forest.
In your case, I think there might be some problems with DNS. Most of these types of problems are caused by DNS. You can try to use the DCDiag utility to test the connection and DNS configuration from both domain controllers.
After fixing your DNS, you might want to restart the Net Logon service on both domain controllers to refresh the SRV records.
In the worst case that happened to me, I had to dis-join the DHCP server (standalone server) from the domain, join it back, and re-authorize it with AD.
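The answer points at three things to check: which DC holds which FSMO role, whether the DHCP server can locate a DC through DNS, and the output of dcdiag. The script below is an added example, not the answer's own code, that collects all three from the DHCP server in one pass. It assumes the RSAT ActiveDirectory module and the AD DS tools (dcdiag, nltest) are installed on the machine it runs on.

```powershell
# Added example (not from the original answer): gather the facts the answer asks for
# before re-authorizing a DHCP server. Assumes the RSAT ActiveDirectory module is present.
Import-Module ActiveDirectory

# 1. FSMO role holders. DHCP authorization is written into the Configuration partition
#    (CN=NetServices,CN=Services,CN=Configuration,...), which every DC replicates, so no DC
#    is "more primary" for that write; the roles are listed here for completeness.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    ForestMode           = $forest.ForestMode
} | Format-List

# 2. Can this server locate a DC at all? "failed to see a directory server" means this
#    lookup is failing for the DHCP service, so reproduce it here.
$dnsRoot = $domain.DNSRoot
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$dnsRoot" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'SRV' | Format-Table NameTarget, Port
nltest "/dsgetdc:$dnsRoot"

# 3. Compare the directory's list of DCs with what DNS answered above. A stale SRV record
#    for a renamed or retired machine would send the DHCP service to a DC that is not there.
Get-ADDomainController -Filter * | Select-Object HostName, IPv4Address, IsGlobalCatalog

# 4. Which DHCP servers does AD currently list as authorized?
netsh dhcp show server

# 5. DNS health of each DC, as the answer suggests.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    dcdiag "/s:$dc" /test:DNS /DnsBasic
}
```

Run it on the DHCP server itself: if step 2 returns no SRV records or nltest reports no DC, fix the server's DNS client settings before touching authorization, since authorizing again cannot succeed while the directory is unreachable.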
