
At my workplace we have a Windows Small Business Server, which runs DHCP and DNS services for our local network. I believe it's an Active Directory setup, but since I have no clue of Windows really, I'm not entirely sure about this. What I can say is that the server controls a Windows domain, and some of our Windows machines are in that domain. We have loads more computers, for our clients to use, and those are plain Internet PCs, running Windows but not attached to a domain or workgroup.

We often have problems with the server machine, partly because the hardware is fairly old. Also, the firewall/router device we are using is often causing trouble. I'm replacing the latter now with an old PC running Linux and a firewall system (OpenWRT).

It is very important that our clients have working Internet connections, and in the old setup a failure of either the router/firewall or the Small Business Server would mean that they do not. While I'm replacing the old firewall with my Linux system, I also want to migrate the DHCP and DNS services from the server to the firewall. Therefore, a failure of the server would no longer cause Internet problems.

Now I have installed the new firewall. I have switched off the DHCP server on the SBS, and I have configured its TCP/IP protocol such that it uses the new firewall machine as DNS. Everything worked like a charm, but only for a few hours. I tested a few Windows computers on the domain, and they worked. I disabled and enabled the network interface, to obtain the network config from the new DHCP service (the one on the firewall).

However, after a few hours (i.e. this morning when I came back to work) the Windows machines on the domain could not mount network shares anymore. Network drives and also printers refused to work. When double-clicking a network drive, an alert box popped up saying "The local device name is already in use".

What do I have to do to keep our Windows network services functioning when deactivating the DHCP server on the SBS and operating a DHCP on a separate (non-Windows) machine?

So far, I have added DHCP options on the new firewall, referring to the IP address of the SBS as netbios-ns and netbios-dd. That does not seem to be enough.

I would like a setup, where the firewall operates local DHCP and DNS services, but the Windows PCs know that the Windows services are available from a different server. Anything regarding Windows network shares, printers, Active Directory, whatever, should be done by the SBS, which is not the acting DHCP and DNS server.

svenor
  • I am not 100 % sure on this, but I think a DHCP server has to be authorized in an AD environment for Windows networking to function correctly, and I do not think you can do this with a Linux DHCP server. – KutscheraIT Dec 20 '10 at 14:07

1 Answer


The problem you're going to run into is that Active Directory uses DNS to tell client machines where to find various resources, so turning off DNS on the Windows server will eventually stop things that require Active Directory from working. It sounds like it worked for a number of hours because clients had it cached, but then the cache expired.

My suggestion would be to run bind on your Linux server, and make it act as a secondary to your Windows server, and then configure your DHCP server to give out the Linux server as the DNS server clients should be using. That way, your DNS queries are offloaded onto the Linux server whilst retaining the ability to use Active Directory.

You'll need a line in your named.conf (or such) a bit like this:

zone "ad.internal.company.com"
{
  type slave;
  file "/etc/bind/db.ad.internal.company.com";
  masters { aaa.bbb.ccc.ddd; };
};

Not sure which version of SBS you're on, but for 2003, open up the dnsmgmt console, go to the properties for your active directory domain, and add your Linux server as a nameserver on the Name Servers tab. You'll also want to make sure Allow zone transfers is ticked on the Zone Transfers tab, along with Only to servers listed on the Name Servers tab. Additionally, you'll want to make sure that when you click Notify... (also on the Zone Transfers tab), that Automatically notify and Servers listed on the Name Servers tab are selected.

Reload (or restart) bind on your Linux server, and keep an eye on the logs, and you should see bind requesting a copy of the zonefile from the Windows server. To make sure everything's working, try making an addition to the zonefile on the Windows server and make sure it's propagated to bind on the Linux server.

Hope that helps!

Andy Smith
  • Thanks a lot. This definitely helps, as it points me in the right direction. The only issue with this solution is, that dnsmasq registers the hostnames of DHCP client machines in the DNS zone, which can be handy. I think with your solution that would not happen. Bind acts as a slave of the SBS DNS server, but nobody tells that DNS that new machines have been registered through DHCP. Not a dramatic problem, but I'll think about it. Ideally, my DNS would be the primary but pass on the special requests to the SBS DNS. – svenor Dec 20 '10 at 14:20
  • Yeah, you're right - I did think about that but I guess it's a case of weighing up which is more important - functionality in terms of dynamic DNS or stability with two boxes sharing the load. You might be able to do something with the ISC DHCP server, though - have a look at http://stoilis.blogspot.com/2005/06/implementing-dhcp-in-windows-active.html – Andy Smith Dec 20 '10 at 14:41