    Certbot

    • alex.olynyk @Dashrender

      @Dashrender said in Certbot:

      The only DNS IPs that should be listed in any PC that lives on your network should be the IPs of these machines

      I'm aware of that

      • Dashrender

        Hold the phone here -

        JB pointed out to me that the ipconfig you posted is from your DC.

        THAT majorly changes things.

        You can point to yourself for DNS on a DC - in your case you don't need to, because you have 6 DNS servers.

        You need to change the Domain Controller's DNS to all point to other DNS servers on your network. The primary one should point to another Local DNS server if there is one, the secondary can be local or remote. If there are no other local DNS, you have no choice but to have the primary point to another DNS that is remote.

        • wirestyle22 @Dashrender

          @Dashrender said in Certbot:

          Hold the phone here -

          JB pointed out to me that the ipconfig you posted is from your DC.

          THAT majorly changes things.

          You can point to yourself for DNS on a DC - in your case you don't need to, because you have 6 DNS servers.

          You need to change the Domain Controller's DNS to all point to other DNS servers on your network. The primary one should point to another Local DNS server if there is one, the secondary can be local or remote. If there are no other local DNS, you have no choice but to have the primary point to another DNS that is remote.

          Yeah I was literally just typing that out in a post. Rose-DC1 so it would refer to itself for DNS

          • Dashrender @alex.olynyk

            @alex.olynyk said in Certbot:

            @Dashrender said in Certbot:

            @alex-olynyk

            Do you have someone else in the company who is a senior IT person? Or are you the one currently in charge of the network?

            There is a senior IT person. But he is at the same level as me when it comes to DNS

            I'm really thinking JB is right, you need to hire someone to either remotely assist you or come onsite and give your network a good once over. It will be well worth the spend.

            • alex.olynyk @Dashrender

              @Dashrender said in Certbot:

              Hold the phone here -

              JB pointed out to me that the ipconfig you posted is from your DC.

              THAT majorly changes things.

              You can point to yourself for DNS on a DC - in your case you don't need to, because you have 6 DNS servers.

              You need to change the Domain Controller's DNS to all point to other DNS servers on your network. The primary one should point to another Local DNS server if there is one, the secondary can be local or remote. If there are no other local DNS, you have no choice but to have the primary point to another DNS that is remote.

              128.1 is the only DC/DNS on site so it's pointing to 118.5 which is a DC/DNS server at a remote site.

              • Dashrender

                What is the name of that server at that site?

                • alex.olynyk @Dashrender

                  @Dashrender said in Certbot:

                  What is the name of that server at that site?

                  TRI-DC1A

                  • JaredBusch @alex.olynyk

                    @alex.olynyk said in Certbot:

                    @Dashrender said in Certbot:

                    Hold the phone here -

                    JB pointed out to me that the ipconfig you posted is from your DC.

                    THAT majorly changes things.

                    You can point to yourself for DNS on a DC - in your case you don't need to, because you have 6 DNS servers.

                    You need to change the Domain Controller's DNS to all point to other DNS servers on your network. The primary one should point to another Local DNS server if there is one, the secondary can be local or remote. If there are no other local DNS, you have no choice but to have the primary point to another DNS that is remote.

                    128.1 is the only DC/DNS on site so it's pointing to 118.5 which is a DC/DNS server at a remote site.

                    Gods, what a train wreck, but I keep coming back...

                    The DNS setting in the NIC for a DC (assuming it is also a DNS server) should ALWAYS point to itself first.

                    It should never point to anything else first.

                    DNS 1: 127.0.0.1
                    DNS 2: Some other INTERNAL DNS server

                    • JaredBusch @JaredBusch

                      @JaredBusch said in Certbot:

                      @alex.olynyk said in Certbot:

                      @Dashrender said in Certbot:

                      Hold the phone here -

                      JB pointed out to me that the ipconfig you posted is from your DC.

                      THAT majorly changes things.

                      You can point to yourself for DNS on a DC - in your case you don't need to, because you have 6 DNS servers.

                      You need to change the Domain Controller's DNS to all point to other DNS servers on your network. The primary one should point to another Local DNS server if there is one, the secondary can be local or remote. If there are no other local DNS, you have no choice but to have the primary point to another DNS that is remote.

                      128.1 is the only DC/DNS on site so it's pointing to 118.5 which is a DC/DNS server at a remote site.

                      Gods, what a train wreck, but I keep coming back...

                      The DNS setting in the NIC for a DC (assuming it is also a DNS server) should ALWAYS point to itself first.

                      It should never point to anything else first.

                      DNS 1: 127.0.0.1
                      DNS 2: Some other INTERNAL DNS server

                      Once you have that set up right, everything in the local office will immediately start working right.

                      Next, you need to look into your DNS configuration, because in theory, you should have still been working if your DNS was properly replicating between all of your servers.

                      • Alex Sage

                        What DNS addresses are your clients getting from DHCP?

                        • alex.olynyk @Alex Sage

                          @aaronstuder said in Certbot:

                          What DNS addresses are your clients getting from DHCP?

                          We don't use DHCP. Clients are statically assigned 118.5

                          • Alex Sage @alex.olynyk

                            @alex.olynyk said in Certbot:

                            We don't use DHCP. Clients are statically assigned 118.5

                            It just gets better, and better.....

                            • Dashrender @JaredBusch

                              @JaredBusch said in Certbot:

                              128.1 is the only DC/DNS on site so it's pointing to 118.5 which is a DC/DNS server at a remote site.

                              Gods, what a train wreck, but I keep coming back...

                              The DNS setting in the NIC for a DC (assuming it is also a DNS server) should ALWAYS point to itself first.

                              It should never point to anything else first.

                              DNS 1: 127.0.0.1
                              DNS 2: Some other INTERNAL DNS server

                              OK I'll disagree here. A DC should always point to another DC first and itself second. The assumption is that the other DC will be up and running while this DC is down. This will allow this DC to boot up faster on the assumption that DNS isn't the first thing that comes up.

                              I have seen faster reboots because I point to some other DNS server instead of itself first.

                              • Dashrender @alex.olynyk

                                @alex.olynyk said in Certbot:

                                @aaronstuder said in Certbot:

                                What DNS addresses are your clients getting from DHCP?

                                We don't use DHCP. Clients are statically assigned 118.5

                                While I don't understand your lack of use of DHCP, that shouldn't really matter.

                                The clients do need to have DNS entries of only DNS servers within your network; they should never have a DNS entry for something outside your network, like Google's 8.8.8.8 or your ISP's DNS servers. That will cause all kinds of problems.

                                • JaredBusch @Dashrender

                                  @Dashrender said in Certbot:

                                  @JaredBusch said in Certbot:

                                  128.1 is the only DC/DNS on site so it's pointing to 118.5 which is a DC/DNS server at a remote site.

                                  Gods, what a train wreck, but I keep coming back...

                                  The DNS setting in the NIC for a DC (assuming it is also a DNS server) should ALWAYS point to itself first.

                                  It should never point to anything else first.

                                  DNS 1: 127.0.0.1
                                  DNS 2: Some other INTERNAL DNS server

                                  OK I'll disagree here. A DC should always point to another DC first and itself second. The assumption is that the other DC will be up and running while this DC is down. This will allow this DC to boot up faster on the assumption that DNS isn't the first thing that comes up.

                                  I have seen faster reboots because I point to some other DNS server instead of itself first.

                                  Microsoft agrees with you, but I have dealt with too many issues like this to like that answer.

                                  Faster or slower is not really relevant. If you are relying on DC reboot speed for anything in your network, you have some other issues.

                                  Relevant to the topic, his DNS is obviously hosed because it is not resolving right. So set it to 127.0.0.1 first and then secondary to the other DNS server. Make sure everything works, then figure out what is going wrong with DNS replication.

                                  Once that is then resolved, you can change the DC to point to the other first again.

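The resolver order from the post above, as an added PowerShell example that is not part of the original thread: it lists each IPv4 DNS server configured on the DC, flags a first entry that is not the DC itself or any entry outside the network, and queries each server directly. The `$TestName` default is a placeholder, `192.168.118.5` is the remote DC/DNS address named in the thread, and treating RFC 1918 ranges as "internal" is a simplifying assumption.

```powershell
# Added example, not from the thread: audit the DNS client order on a DC.
# Assumes the DnsClient and NetTCPIP modules (Windows Server 2012 or later).
param(
    [string]$TestName     = 'host.example.internal', # placeholder record to look up
    [string]$SecondaryDns = '192.168.118.5',         # remote DC/DNS named in the thread
    [switch]$Fix                                     # rewrite the order when it is wrong
)

function Get-ResolverClass([string]$Ip, [string[]]$SelfIps) {
    # Self (loopback or one of this host's addresses), Internal (RFC 1918), else External.
    if ($SelfIps -contains $Ip) { return 'Self' }
    $b = ([System.Net.IPAddress]$Ip).GetAddressBytes()
    $rfc1918 = ($b[0] -eq 10) -or
               ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
               ($b[0] -eq 192 -and $b[1] -eq 168)
    if ($rfc1918) { return 'Internal' }
    return 'External'
}

$selfIps = @('127.0.0.1') + @((Get-NetIPAddress -AddressFamily IPv4).IPAddress)
$nics = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }

foreach ($nic in $nics) {
    $position = 0
    foreach ($ip in $nic.ServerAddresses) {
        $position++
        $class = Get-ResolverClass $ip $selfIps
        # Query this server directly so a broken first entry is not masked by the second.
        try {
            $null = Resolve-DnsName -Name $TestName -Server $ip -DnsOnly -QuickTimeout -ErrorAction Stop
            $answers = $true
        } catch { $answers = $false }

        $finding = 'ok'
        if (-not $answers) { $finding = "no answer for $TestName" }
        if ($position -eq 1 -and $class -ne 'Self') { $finding = 'first entry is not this DC' }
        if ($class -eq 'External') { $finding = 'resolver outside the network' }

        [pscustomobject]@{
            Interface = $nic.InterfaceAlias; Position = $position; Server = $ip
            Class = $class; Answers = $answers; Finding = $finding
        }
    }
    $firstClass = Get-ResolverClass $nic.ServerAddresses[0] $selfIps
    if ($Fix -and $firstClass -ne 'Self') {
        # Order from the post: this DC first, another internal DNS server second.
        Set-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex `
            -ServerAddresses @('127.0.0.1', $SecondaryDns)
    }
}
```

Run it without `-Fix` for a read-only report; with `-Fix` it only rewrites adapters whose first entry is not the DC itself.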
                                  • alex.olynyk

                                    [192.168.128.1]: PS C:\Windows\system32> ipconfig /all

                                    Windows IP Configuration

                                    Host Name . . . . . . . . . . . . : RV-DC1
                                    Primary Dns Suffix . . . . . . . : ROSE.internal
                                    Node Type . . . . . . . . . . . . : Hybrid
                                    IP Routing Enabled. . . . . . . . : No
                                    WINS Proxy Enabled. . . . . . . . : No
                                    DNS Suffix Search List. . . . . . : ROSE.internal

                                    Ethernet adapter Local Area Connection 6:

                                    Connection-specific DNS Suffix . :
                                    Description . . . . . . . . . . . : New Virtual Network
                                    Physical Address. . . . . . . . . : F0-4D-A2-0A-D2-F5
                                    DHCP Enabled. . . . . . . . . . . : No
                                    Autoconfiguration Enabled . . . . : Yes
                                    IPv4 Address. . . . . . . . . . . : 192.168.128.1(Preferred)
                                    Subnet Mask . . . . . . . . . . . : 255.255.255.0
                                    Default Gateway . . . . . . . . . : 192.168.128.254
                                    DNS Servers . . . . . . . . . . . : 127.0.0.1
                                    192.168.118.5
                                    NetBIOS over Tcpip. . . . . . . . : Enabled

                                    • JaredBusch @alex.olynyk

                                      @alex.olynyk And what does nslookup report now?

                                      Come on think man. Can you not post the obvious next question without being led to water?

                                      • Dashrender

                                        Does it work now?

                                        • alex.olynyk

                                          Microsoft Windows [Version 10.0.14342]
                                          (c) 2016 Microsoft Corporation. All rights reserved.

                                          C:\Users\Alex>nslookup
                                          Default Server: UnKnown
                                          Address: 192.168.128.1

                                          server 192.168.128.1
                                          Default Server: [192.168.128.1]
                                          Address: 192.168.128.1

                                          owncloud.roseradiology.com
                                          Server: [192.168.128.1]
                                          Address: 192.168.128.1

                                          Non-authoritative answer:
                                          Name: owncloud.roseradiology.com
                                          Address: 209.156.58.217

                                          • Dashrender

                                            Is DNS installed on RV-DC1?

                                            I mean, yeah it's a DC (we think) and the default is to install DNS on all DCs, but you don't have to.
