How to properly build a local network with Active Directory and Cisco?
A question for experienced administrators. I want to put together the most correct scheme. I work with high-school students and have a classroom with good equipment. I want to arrive at the best practical solution and would be glad of any help and tips.
So, the layout is as follows: 3 classrooms with 15, 6 and 5 computers. 2 servers for the AD domain (primary and backup). A server for the local web, and another one as a file server with a disk shelf. For Internet access, a Cisco 2800 router. For switching there is one unmanaged 24-port gigabit Trendnet switch, a managed Edge-Core 24x100 + 4x1 Gb/s, a Cisco 3750 24x100 + 2x1 Gb/s, and a Cisco wi-fi access point.
The topology is as follows: the Internet from the provider comes to the Cisco router, where PPPoE is configured. It also has DHCP configured for the local network (I haven't enabled VLANs yet, maybe I'll split it later). For now all the classroom computers are in one network with the domain. The domain name chosen is studio.xxx.ru, a subdomain of my second-level domain. And here some difficulties arise; probably I'm missing some points in setting up AD... The router hands out the following configuration to the computers:
192.168.4.11-100/24, gateway 192.168.4.1 (the router itself), DNS 192.168.4.3 (the AD domain controller), 192.168.4.1, 8.8.8.8
The first 10 addresses are reserved for devices.
192.168.4.3 - main AD domain, 192.168.4.4 - reserve.
In general, when the computers in the classroom are turned on, problems with the Internet begin. I don't have much experience with setting up AD; I guess I need to take a closer look at the DNS settings, because the problems are somehow related to the domain name. I'm hoping for help from experienced system administrators...
Go to 192.168.4.3.
In item 3, enter 192.168.4.1 and/or 8.8.8.8, and uncheck 3.2 (otherwise it will not allow you to register forwarders).
Now about the meaning. If this is not configured, then:
The client wants to find out the address of yandex.ru, sees 192.168.4.3 in its DNS list, sends a request for the yandex.ru address to 192.168.4.3, but 192.168.4.3 knows only about its own domain, knows nothing about yandex.ru and responds to the client with a refusal. Ideally the client should immediately ask the same question of the next DNS in the list (192.168.4.1) and get a normal answer. But in Windows, working with DNS has always been clumsy and inadequate. Windows seems to be telling you "if I don't get the correct answer from DNS on the first try, then you will suffer!"
If you add forwarders, then 192.168.4.3, when asked about yandex.ru, will say (to itself) "So, I don't know anything about yandex.ru, so I'll ask 192.168.4.1", asks 192.168.4.1, receives an answer, and then passes this response (on its own behalf) to the client. I.e. the client will get what it needs on the first try.
There is one more option. Whether it will work better depends on the Cisco router. You register two DNS servers on the router: 192.168.4.3, 8.8.8.8. At the same time, remove 192.168.4.3 from the DNS list in DHCP. I.e. clients receive DNS 192.168.4.1, 8.8.8.8. When AD names are requested, the router must forward the request to 192.168.4.3. In that case it is no longer necessary (and even a little harmful) to configure forwarders on 192.168.4.3. In theory it should work no worse than the first option, but you need to check it in practice, because in each specific network and with each piece of hardware there can be trouble.
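The forwarder fix from the first option of this answer, as a PowerShell script added here (not code from the answer or from the asker's setup). It assumes the DNS Server module on Windows Server 2012 or later, and that the checkbox the answer calls "3.2" is the Advanced tab option "Disable recursion (also disables forwarders)"; the names and addresses are taken from the question.

```powershell
# Added example: configure forwarders on the DC 192.168.4.3 and verify that the
# DC now answers both for the AD zone and for an external name, so clients never
# depend on Windows falling through to the second DNS server in the list.
$dc        = '192.168.4.3'
$adZone    = 'studio.xxx.ru'              # AD domain from the question
$upstreams = '192.168.4.1', '8.8.8.8'     # router first, then a public resolver

# 1. Recursion must stay enabled; disabling it silently disables forwarders
#    (assumed to be the "3.2" checkbox the answer tells you to uncheck).
Set-DnsServerRecursion -ComputerName $dc -Enable $true

# 2. Show the current forwarder state, then replace the list with exactly the
#    two upstreams. Set- replaces the whole list; Add- would append instead.
Get-DnsServerForwarder -ComputerName $dc | Format-List IPAddress, UseRootHint
Set-DnsServerForwarder -ComputerName $dc -IPAddress $upstreams -UseRootHint $false

# 3. Verify from the DC's point of view: ask only the DC (-Server) and skip the
#    local cache/hosts file (-DnsOnly). Both names must resolve on the first try.
foreach ($name in $adZone, 'yandex.ru') {
    try {
        $r = Resolve-DnsName -Name $name -Type A -Server $dc -DnsOnly -ErrorAction Stop
        '{0,-20} -> {1}' -f $name, (($r | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', ')
    } catch {
        '{0,-20} -> FAILED: {1}' -f $name, $_.Exception.Message
    }
}
```

If the external name still fails after this, the DC itself cannot reach the upstreams (check the router's own DNS forwarding or its ACLs) and the client list is not the problem.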
The good news is that everything needs to be redone. Move DHCP to AD, and make the AD domain xxx.local. Your problem now is that DNS is not configured correctly and knows nothing about DHCP. On the 2800, leave only outbound routing and NAT, connect the 3750 to it and configure VLANs and internal routing there, and connect everything else behind the 3750. Then the DNS forwarding proposed above will not be needed. And that "backup server" in AD died together with NT; since then servers are not divided into primary and backup, different roles can be moved between them, but they all work at the same time.
It is difficult, inconvenient and lengthy to describe in detail how to do everything. The idea is that the router should handle the external load, the 3750 becomes the core/aggregation layer, and the rest of the zoo goes to the access layer. As a result, network management will be mostly on the 3750. By integrating DHCP into AD and configuring DNS correctly, you can automatically hand out addresses to different VLANs and you will not have problems with resolving names, both external and internal. Besides, you are now using an "external" domain name while the addressing is non-routable class C, which results in a collapse. This is very wrong, especially if your xxx.ru is registered somewhere and your DNS understands that it should be outside, but in fact it is inside.
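The "DHCP into AD, one scope per VLAN, clients learn only the DCs" part of this answer, as a PowerShell script added here (not code from the answer or the asker's network). It assumes the DHCP Server role is installed on the DC 192.168.4.3, that the 3750 routes between VLANs and relays DHCP to that DC, and uses constructed VLAN subnets and a placeholder DHCP host name; the DC addresses and the "first 10 addresses reserved" rule come from the question.

```powershell
# Added example: authorize the DHCP server in AD and create one scope per
# classroom VLAN whose DNS option lists only the domain controllers.
$dhcpServer = 'dc1.studio.xxx.ru'            # placeholder FQDN of the DHCP host
$dhcpIp     = '192.168.4.3'
$dnsServers = '192.168.4.3', '192.168.4.4'   # DCs only; no public resolver here
$domain     = 'studio.xxx.ru'                # or xxx.local after the rename

# Constructed per-VLAN subnets; .1-.10 stay free for gateways and devices.
$scopes = @(
    @{ Name = 'Class-1 (15 PCs)'; Net = '192.168.10.0'; Gw = '192.168.10.1'; Start = '192.168.10.11'; End = '192.168.10.100' }
    @{ Name = 'Class-2 (6 PCs)';  Net = '192.168.20.0'; Gw = '192.168.20.1'; Start = '192.168.20.11'; End = '192.168.20.100' }
    @{ Name = 'Class-3 (5 PCs)';  Net = '192.168.30.0'; Gw = '192.168.30.1'; Start = '192.168.30.11'; End = '192.168.30.100' }
)

# A Windows DHCP server in a domain hands out leases only once it is
# authorized in AD, so do this first (and watch for other, unauthorized ones).
Add-DhcpServerInDC -DnsName $dhcpServer -IPAddress $dhcpIp

foreach ($s in $scopes) {
    Add-DhcpServerv4Scope -Name $s.Name -StartRange $s.Start -EndRange $s.End `
        -SubnetMask 255.255.255.0 -State Active

    # Options 3 (router), 6 (DNS) and 15 (DNS suffix): clients query the DCs
    # only, so AD names resolve and the DCs forward everything else.
    Set-DhcpServerv4OptionValue -ScopeId $s.Net -Router $s.Gw `
        -DnsServer $dnsServers -DnsDomain $domain

    # Let DHCP register and clean up A/PTR records so AD DNS knows every lease.
    Set-DhcpServerv4DnsSetting -ScopeId $s.Net -DynamicUpdates Always `
        -DeleteDnsRRonLeaseExpiry $true
}

Get-DhcpServerv4Scope | Format-Table ScopeId, Name, StartRange, EndRange, State
```

Once these scopes are live, disable the DHCP pool on the 2800 so the two servers do not answer the same broadcasts.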