Active Directory Sites and Services. Microsoft's best practice with Subnets?

I have 3 subnets in total.
I've only got two subnets added into Active Directory Sites and Services.
[Screenshot: the two subnets defined in Active Directory Sites and Services]
Subnet 1 has domain controllers.
Subnet 2 has domain controllers.
Subnet 3 only has PC's and no Servers at all.
I keep getting the alert below on all of the Domain Controllers.
Why am I getting this alert? Do I need to have all subnets added into Active Directory Sites and Services even if the subnet has no domain controllers and if so why? What are Microsoft's best practices?
"During the past 4.23 hours there have been 580 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites. The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes. The current maximum size is 20000000 bytes. To set a different maximum size, create the above registry value and set the desired maximum size in bytes."

This alert happens because the subnet of site 3 is not defined in AD Sites and Services.
AD uses subnets to determine which site the client computer is in, and that determines which domain controller(s) can be used for the client to log on. At the moment site 3 is not known to AD because the subnet is not assigned to an AD site, so it just picks a (random) DC in any site.
To stop the alerts coming through, add the subnet for site 3 into AD Sites and Services, then assign the subnet to whichever site contains the domain controllers that should be used for authenticating users from that subnet. The decision about which site to assign the subnet to depends on latency, cost, link speed, routing availability etc.
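Before creating the subnet object, it helps to confirm from the log which address ranges the unmapped clients actually come from. The script below is an added example (not from the original thread): it parses `NO_CLIENT_SITE:` lines the way the Netlogon message describes, drops addresses that an existing subnet object already covers, and groups the rest into candidate /24 subnets. The sample log lines and the `DEFINED_SUBNETS` table are constructed.

```python
"""Summarise NO_CLIENT_SITE entries from a copy of netlogon.log and report
which client addresses fall outside the subnets defined in AD Sites and
Services. Added example; the sample log and subnet list are constructed."""
import ipaddress
from collections import Counter

# Constructed sample of netlogon.log lines (real files carry other debug text too).
SAMPLE_LOG = """\
03/14 09:12:01 [LOGON] CONTOSO: NO_CLIENT_SITE: WS-0412 10.30.4.17
03/14 09:12:05 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\jdoe from WS-0412
03/14 09:13:44 [LOGON] CONTOSO: NO_CLIENT_SITE: WS-0419 10.30.4.88
03/14 09:15:10 [LOGON] CONTOSO: NO_CLIENT_SITE: LT-0077 10.30.5.9
03/14 09:16:02 [LOGON] CONTOSO: NO_CLIENT_SITE: WS-0412 10.30.4.17
"""

# Constructed: subnets already defined in AD Sites and Services (subnet -> site).
DEFINED_SUBNETS = {"10.10.0.0/24": "Site1", "10.20.0.0/24": "Site2"}
MARKER = "NO_CLIENT_SITE:"


def parse_no_client_site(log_text):
    """Return (client_name, ip) pairs, one per NO_CLIENT_SITE line.
    Per the Netlogon message, the first word after the marker is the client
    name and the second is its IP address; malformed lines are skipped."""
    seen = []
    for line in log_text.splitlines():
        if MARKER not in line:
            continue
        rest = line.split(MARKER, 1)[1].split()
        if len(rest) < 2:
            continue
        try:
            seen.append((rest[0], ipaddress.ip_address(rest[1])))
        except ValueError:  # second word was not an IP address
            continue
    return seen


def unmapped_subnets(log_text, defined, prefix=24):
    """Count logons per candidate /prefix subnet, ignoring addresses that an
    existing subnet object already covers (the log may predate a fix)."""
    nets = [ipaddress.ip_network(n) for n in defined]
    counts = Counter()
    for _, ip in parse_no_client_site(log_text):
        if any(ip in n for n in nets):
            continue
        candidate = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        counts[str(candidate)] += 1
    return dict(counts)


if __name__ == "__main__":
    for net, hits in unmapped_subnets(SAMPLE_LOG, DEFINED_SUBNETS).items():
        print(f"{net}: {hits} logon(s) from clients with no site; create a subnet object for it")
```

Run it against a copied `netlogon.log` by reading the file into `unmapped_subnets` in place of `SAMPLE_LOG`; the /24 grouping is a guess at the real mask, so confirm it against the actual network design before creating the object.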

Related

How is data shared across ip address

I'm not sure I've phrased the question correctly but I'll explain a bit more.
I have a server running on a virtual machine on PC1. I can access this through a particular IP address on the same computer.
Now on a different PC2, when I try the same IP address I see the content served by PC1's server. Both computers are on the same network.
I don't really understand how that IP address is serving the same info on PC2. I'm not sure of the mechanics in the background either and it would really help if someone could explain what's happening here.
If you are using a Wi-Fi network then it is because of it that you can access the content of the server you have created.
You can see the architecture as that of the internet but on a small scale. Your IP addresses are stored in the Wi-Fi (routing tables) so that it can send packets accordingly (see hopping and packet transmission). To be precise, each and every individual system maintains a routing table in it. Thus, in order to fetch a particular site, a system looks at its routing table. If the particular IP address is present, the router returns it and the system shows that page. On the contrary, if the IP address is not present, the router asks the nearby systems/servers for that particular IP address and the phenomenon continues till the IP address is found.
So, when you search for a local server via system B, whose data is in system A, the router requests all its child systems to search for the particular IP address in their routing tables, and thus you can access the local server via systems connected on the same network.
To add further, since local servers are known to be locally operated, the router just sends the seek requests to its child systems only and not globally.
I have tried to keep it as simple as possible supposing that you have not learned about computer networks yet.

web app dns override

I am not a programmer but I have an idea that I would like to see developed. I want to have a cross platform web app that is programmed to, for any DNS look-up request from any app on the device (even native apps), first look in our DNS server that will check to see if the service provider is a member of our system, and if so, a different experience will be delivered to the user, and if not, then the user's device should be forwarded to the normal DNS that is specified in system settings. Is this feasible? Are there any risks to the users or me? Can the code be safe from being tampered with?
Many thanks.
What you are doing is not easily feasible for a web application. In effect what you are doing is running your own DNS server which the users connect to: if the website provider is a member you already have their DNS records loaded and it provides one set of records, and if the website is not a member then it performs a forward lookup to an upstream provider to get the global DNS records for the DNS query made. I have implemented this for a number of small and medium businesses on their local networks so that queries to certain domains from the LAN resolve to internal addresses, both for the purpose of blocking domains from being accessed from work and for connecting the users to local servers where the domain in question is hosted locally. However, to do this for client devices not on a single network would mean you would have to either install software to change the DNS settings on the device or have the user change their DNS settings themselves, which would not give you a unified experience as some would and some wouldn't, especially if you are talking about members of the public and their own devices. If memory serves there are also restrictions in place on mobile devices, including Android and iOS devices, which prevent an app from altering network settings such as DNS as a security precaution, as such an app would present a huge risk to user online security. The best bet would be to simply provide DNS hosting for service providers, so they host their DNS records with you and you can present the enhanced experience to the end user.

How to maintain a static URL with HAProxy

I am using Haproxy with two different nodes having different machines 'geographically scattered'
Load-balancer-one having dns = http1.example.com
Load-balancer-two having dns = http2.example.com
The service is listening on DNS main site with original hostname --haproxy
My question is how to maintain a static URL? i.e. it must not show the back-end servers' domains or IPs, I want to show only the original hostname.
The simplest method is to setup a round robin DNS entry that returns the IP addresses of both servers.
You likely however want to use a GSLB (global server load balancing) solution that can remove failed load balancers from responses based on a health check. If you are in multiple data centers, some GSLB solutions can route users to the most performant location for them.
F5 and Netscaler have hardware GSLB solutions. Dyn, Akamai, UltraDNS and others offer GSLB as a service. AWS' Route53 has a weighted round robin solution. They do not currently offer health checking or routing based on geographic location.

Redirect users to the nearest server based on their location without changing url

This is my case:
I have 6 servers across the US and Europe. All servers are behind a load balancer. When you visit the website (www.example.com) it's pointing to the load balancer IP address and from there you are redirected to one of the servers. Currently, if you visit the website from Germany for example, you are transferred randomly to one of the servers. You could be transferred to the Germany server or the server in San Francisco.
I am looking for a way to redirect users to the nearest server based on their location but without changing the URL. So I am NOT looking at having many URLs such as www.example.com, www.example.co.uk, www.example.dk etc.
I am looking for something like a CDN where you retrieve your files from the nearest server (?) so I can get rid of the load balancer because if it crashes, the website does not respond (?)
For example:
If you are from uk, redirect to IP 53.235.xx.xxx
If you are from west us, redirect to IP ....
if you are from south europe, redirect to IP ... etc
DNSMadeEasy offers a feature similar to this but they charge a 600 dollar upfront price, and for a startup that doesn't know if that feature will work as expected, with no trial version, we cannot afford it: http://www.dnsmadeeasy.com/enterprise-dns/global-traffic-director/
What is another way of doing this?
Also another question on the current setup. Even with 6 servers all connected to the load balancer, if the load balancer has lag issues, it takes everything with it, right? Or if by any chance it goes down, the website does not respond. So what is the best way to eliminate that downtime so that if one server IP address does not respond, move to the next (as a load balancer would do, but load balancers can have issues themselves)?
Would help to know what type of application servers you're talking about; i.e. J2EE (like JBoss/Tomcat), IIS, etc?
You can use a hardware or software load balancer with Sticky IP and define ranges of IPs to stick to different application servers. Each country's ISPs should have its own block of IPs.
There's a list at the website below.
http://www.nirsoft.net/countryip/
Here's also a really, really good article on load balancing in general, with many high availability / persistence issues addressed. That should answer your second question on the single point of failure at your load balancer; there are many different techniques to provide both high availability and load distribution. A lot depends on what kind of application you run and whether you require persistent sessions or not. Load balancing by sticky IP, if persistence isn't required and your LB does health checks properly, can provide high availability with easy failover. The downside is that load isn't evenly distributed, but it seems you're looking for distribution based on proximity, not on load.
http://1wt.eu/articles/2006_lb/index.html

How to create an SaaS Application?

I don't know how else to say it so I'm just going to explain my ideal scenario and hopefully you can explain to me how to implement it...
I'm creating an application with the Zend Framework that will be hosted with DreamHost. The application will be hosted on its own domain (i.e. example-app.com). Basically, a user should be able to sign up, get their own domain sampleuser.example-app.com or example-app.com/sampleuser which points to, what looks like their own instance of the app, which is really a single instance serving up different content based on the url.
Eventually, I want my users to be able to create their own domain (like foobar.com) that points to sampleuser.example-app.com, such that visitors to foobar.com don't notice that the site is really being served up from example-app.com.
I don't know how to do most of that stuff. How does this process work? Do I need to do some funky stuff with Apache or can this be done with a third party host, like DreamHost?
Update: Thanks for the advice! I've decided to bite the bullet and upgrade my hosting plan to utilize wildcard subdomains. It's cheaper than I was expecting! I also found out about domain reseller programs, like opensrs.com, that have their own API. I think using one of these APIs will be the solution to my domain registration issue.
Subdomains are easy. In hosting environments, in most cases, Apache is configured to catch all subdomain calls below the main domain. You just need to have a wildcard DNS record defined, so *.example-app.com is pointed to the IP of your server. Then your website should catch all calls to those subdomain names.
Other domains are hard. They need to be configured as virtual hosts in Apache - see http://httpd.apache.org/docs/1.3/vhosts/name-based.html - that means it will be difficult to automate that, especially in a hosting environment - unless your host gives you some API to do just that (an easier and more feasible scenario would be to have a distinctive IP assigned to your website, then you can catch all with your Apache - it's probably possible to configure using your hosting control panel or works out of the box - and then just point DNS servers to your IP).
Then, after you have configured your Apache to point all necessary calls to your website, you can differentiate application partitions per subdomain in this way:
get the host header from HTTP request
have a database table containing all subdomain names you're serving
make a lookup to that database table to determine instance, or user, id and use it later for filtering data / or selecting a database, if you'll go with a "database per application instance" schema.
Good luck :)
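The three steps above (read the Host header, look it up in a tenant table, derive the instance id) as an added, framework-agnostic example; this is not Zend Framework or DreamHost code. The `BASE_DOMAIN`, `TENANTS` and `CUSTOM_DOMAINS` values are constructed stand-ins for the database table the answer describes. Because the Host header is supplied by the client, the resolver normalises it and returns nothing for an unknown host rather than falling back to a default tenant.

```python
"""Resolve the tenant from an HTTP Host header, with the path-based form
(example-app.com/sampleuser) and verified custom domains (foobar.com) also
handled. Added example; tenant table and base domain are constructed."""
import re

BASE_DOMAIN = "example-app.com"
# Constructed stand-in for the subdomain table: label -> tenant/instance id.
TENANTS = {"sampleuser": 101, "acme": 102}
# Constructed: customer-owned domains that CNAME to their subdomain.
CUSTOM_DOMAINS = {"foobar.com": "sampleuser"}
# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; <= 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalise_host(host):
    """Lower-case the header, strip an explicit port and a trailing dot.
    Returns None when the value is empty or not a plausible hostname."""
    if not host:
        return None
    host = host.strip().lower().rstrip(".")
    if ":" in host and not host.startswith("["):
        host = host.rsplit(":", 1)[0]            # drop ":8080"
    labels = host.split(".")
    return host if all(LABEL_RE.match(label) for label in labels) else None


def resolve_tenant(host, path="/"):
    """Return (tenant_id, mode) or None. An unrecognised host is rejected so a
    forged Host header can never land a request in an arbitrary tenant."""
    host = normalise_host(host)
    if host is None:
        return None
    if host == BASE_DOMAIN:                      # example-app.com/sampleuser/...
        seg = path.strip("/").split("/", 1)[0].lower()
        return (TENANTS[seg], "path") if seg in TENANTS else None
    if host.endswith("." + BASE_DOMAIN):         # sampleuser.example-app.com
        label = host[: -len(BASE_DOMAIN) - 1]    # multi-level labels won't match
        return (TENANTS[label], "subdomain") if label in TENANTS else None
    owner = CUSTOM_DOMAINS.get(host)             # foobar.com -> sampleuser
    return (TENANTS[owner], "custom") if owner else None


if __name__ == "__main__":
    for hdr in ("SampleUser.Example-App.com:8080", "foobar.com", "evil.com"):
        print(hdr, "->", resolve_tenant(hdr))
```

In a Zend/Apache deployment the header value comes from the request object (or `$_SERVER['HTTP_HOST']`), and the `TENANTS` and `CUSTOM_DOMAINS` dictionaries become the database lookups from step 3.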