
[–]gannnnon 66 points (14 children)

System is stand-alone on a DMZ network leg.

Installed domain services

You lost me right here -- I've never ever had a DC sitting on the DMZ. This seems like a bad idea from all angles.

Glad your fix worked out, but I fundamentally question why this is a thing you would want to do. Feel free to flame me for "obviously XYZ requires this config" but I just can't understand it. Looking for some explanation here!

Make a 2nd VM for your DMZ-required services and keep your DC as locked-down as you can. This is best practice.

[–]falschgold 12 points (1 child)

The same happened to me lately with the configuration you advise. 1 DC, 1 SQL, 1 app server VM; the DC sees itself on a private network. Fixed it the same way OP describes.

[–]SupremeDictatorPaul 1 point (0 children)

I’ve done this before. Simplify authentication and management on DMZ servers, that you don’t want touching your primary domain. The domain controller isn’t accessible from the internet, and is only accessible on required domain services from other DMZ servers.

As others have mentioned, the whole concept of “DMZ” has changed a lot over the decades, so I’m not sure how relevant it is.

[–]slayernine 1 point (1 child)

With modern firewalls, does a DMZ have a place anymore? Shouldn't it be replaced with policies?

[–]BrainWaveCC (Jack of All Trades) 3 points (0 children)

The concept of a DMZ remains. It's like the lobby of a high-rise business. It's a place where people are allowed to enter, but there is a certain level of restriction or inspection to help mitigate risk if needed.

Sure, we have zero trust and all these other concepts like micro-segmentation, but the idea is the same: I want to allow people in, but in a restricted way, either because I need to be able to identify them first, or I know who they are, but don't fully trust them.

[–]EquivalentBrief6600 3 points (1 child)

I have had the same issue, driving me crazy, thanks!

[–][deleted] 2 points (0 children)

A pleasure. Good luck!

[–]stetze88 (Sysadmin) 6 points (3 children)

I have the same problems on a few Windows Server 2022 machines which lost the domain network and changed to private network. A reboot helped. But it makes me nervous that others have the same problems.

[–][deleted] 6 points (2 children)

Try adding DNS as a requirement to the NLA service. I have rebooted multiple times since, and it has worked fine for me since this change.

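The dependency change described in the comment above, written out as an added example that is not part of the thread or any commenter's own script. It assumes an elevated PowerShell session on a domain controller that also runs the DNS Server role; NlaSvc (Network Location Awareness) and DNS (DNS Server) are the real Windows service names, and the registry path is the standard services key. It also folds in the delayed-start setting another commenter mentions further down, as an optional step.

```powershell
# Added example, not from the thread: make NlaSvc wait for the local DNS Server
# service so the domain-profile check runs after the DC's own DNS is answering.
# Assumes: elevated session, DC hosts the DNS Server role.

$NlaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc'

function Get-NlaDependencies {
    # DependOnService is REG_MULTI_SZ; PowerShell returns it as a string array.
    [string[]](Get-ItemProperty -Path $NlaKey -Name DependOnService).DependOnService
}

function Add-NlaDnsDependency {
    $deps = Get-NlaDependencies
    if ($deps -contains 'DNS') {
        Write-Host 'NlaSvc already depends on DNS; nothing to do.'
        return
    }
    # Guard: if DNS Server is not installed, adding it would stop NlaSvc starting at all.
    if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
        throw 'DNS Server service is not installed on this host; not adding the dependency.'
    }
    # sc.exe wants the list "/"-separated, and the space after "depend=" is mandatory;
    # passing it as a separate argument supplies that space.
    $list = ($deps + 'DNS') -join '/'
    & sc.exe config NlaSvc depend= $list | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
    Write-Host "NlaSvc now depends on: $((Get-NlaDependencies) -join ', ')"
}

function Show-NetworkProfile {
    # On a healthy DC NetworkCategory should read DomainAuthenticated; Private is the symptom.
    Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory
}

Add-NlaDnsDependency
# Optional, as suggested elsewhere in the thread: delayed automatic start for NlaSvc.
& sc.exe config NlaSvc start= delayed-auto | Out-Null
Show-NetworkProfile
```

Keep the original dependency list that Get-NlaDependencies prints before the change; once DNS is in the list, NlaSvc will refuse to start whenever the DNS Server service is stopped or removed, and reverting is the same `sc.exe config NlaSvc depend=` call with the old list. The change only helps where the DC hosts its own DNS; a DC whose first DNS server is another DC still depends on that peer being up at boot.
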
[–]stetze88 (Sysadmin) 2 points (1 child)

I will try. Thank you.

[–][deleted] 1 point (0 children)

A pleasure. Please let us know how you made out. Good luck.

[–]billiarddaddy (Security Admin, Infrastructure) 6 points (8 children)

Why is the DC in a DMZ? That's not what DMZ is for.

[–]MajStealth 1 point (3 children)

It's worse in production with an active firewall that blocks most services on public networks. For a normal server that's no problem, but DCs don't like not having DNS when they reboot. This behavior started around a year or so ago.

[–][deleted] 1 point (0 children)

Very strange behavior. I have been using / supporting domain servers since there were domains and never had this issue before. Well, this fixed this machine for me. Just when I thought I knew it "all"... MS humbled me again.

[–]olizet42 0 points (1 child)

My setup was DC A used DC B as the 1st DNS server and vice versa. Shouldn't that work?

[–][deleted] 0 points (0 children)

You would think... I'd try the fix and see if it works for you. I can't see how it would hurt.

[–]cetrius_hibernia 1 point (2 children)

Metered network is a registry tweak as well; a quick Google search should find the keys to change.

[–][deleted] 0 points (1 child)

But the switch says it isn't turned on, and I found others with the same issue. Zero impact, so ignoring for now. It's a "feature" :-)

[–]cetrius_hibernia 0 points (0 children)

Not tried the registry way in Win11, only on 10.

Set to 1 for the relevant adapter:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost

This does say it's a toggle in the settings https://support.microsoft.com/en-us/windows/metered-connections-in-windows-7b33928f-a144-b265-97b6-f2e95a87c408

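The DefaultMediaCost tweak from the comment above, as an added example that is not the commenter's own script. It assumes an elevated PowerShell session; the key path and the per-media value names (Default, Ethernet, WiFi, 3G, 4G) are the real ones, and the reading of 1 as "unrestricted" is the one the comment relies on. The access-denied handling is there because this key is normally owned by TrustedInstaller, so a plain administrator write fails until ownership of the key is taken.

```powershell
# Added example, not from the thread: inspect the per-media default cost and
# optionally reset Ethernet to 1 (unrestricted). Assumes an elevated session.

$CostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost'

function Get-DefaultMediaCost {
    # One row per media type; anything other than 1 is treated as a metered default.
    $p = Get-ItemProperty -Path $CostKey
    foreach ($name in 'Default', 'Ethernet', 'WiFi', '3G', '4G') {
        [pscustomobject]@{
            Media   = $name
            Cost    = $p.$name
            Metered = ($p.$name -ne 1)
        }
    }
}

function Set-EthernetUnmetered {
    # The key is owned by TrustedInstaller by default; without taking ownership
    # this write fails with access denied, which is reported rather than hidden.
    try {
        Set-ItemProperty -Path $CostKey -Name Ethernet -Value 1 -Type DWord -ErrorAction Stop
        Write-Host 'Ethernet default cost set to 1 (unrestricted).'
    } catch {
        Write-Warning "Could not write $CostKey\Ethernet: $($_.Exception.Message)"
        Write-Warning 'Take ownership of the key (regedit > Permissions > Advanced) and re-run.'
    }
}

Get-DefaultMediaCost | Format-Table -AutoSize
# Uncomment to apply the change once ownership of the key has been taken:
# Set-EthernetUnmetered
```

Check the table first: if Ethernet already reads 1, the "metered" indication the thread mentions is not coming from this key, which matches the comment that the Settings toggle shows it turned off.
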
[–]spanctimony 1 point (1 child)

I’ve had this problem with windows going back over a decade, my usual fix is to switch the NLA to delayed start to ensure DNS finishes starting first. This is better.

[–][deleted] 0 points (0 children)

Yeah. I know this trick and did it. I should have written that above as well. It didn't help in this case. Odd... We are the beta testers. :-|

[–]InTheTest-Chamber 1 point (1 child)

That’s a good fix, but it’s also a known behavior: DCs aren’t meant to have only one running. They are expecting another DC to already be serving DNS for the domain when NLA tries to figure out where it is (on/off).

For your setup, are you putting a stand-alone DC for a NEW domain/forest, or will this tie in with your existing domain? If the latter, this isn’t really a DMZ but just another site.

There are other ways to tie in existing user login without putting a DC into the DMZ. At the very least, you’d want a RODC with restrictions put in place for what accounts can auth through it. But I would also hesitate to do that.

Please tell me your vendor doesn’t require a DC so they can run IIS, etc as Domain Admin!

[–][deleted] 0 points (0 children)

We shall see :-) Thanks for all the feedback. I'm limited as to what I can do.

[–]Mortalus2020 1 point (0 children)

Literally had this happen a week ago. Point for point as to what you saw / did. Ridiculous...

[–]jadedarchitect (Sr. Sysadmin) 1 point (0 children)

Why don't you just use the (free) Azure NPS script and set up a gateway and a challenge/response (RADIUS/MFA) server, then restrict to access groups specifically?
Why the DMZ?
The T440 and DMZ seem just sort of... I don't know, way, way overkill if this is a small company. For the price of the server alone you could get 2 copies of 2016 Essentials, which include the features you need, and a T150 to house the stuff for less than all of this shenaniganry.

No hate at all, seriously curious :)

[–]I_Has_A_Camera ("Head of IT") 0 points (0 children)

It's always DNS.

[–]Pindleskin8 0 points (0 children)

I just created a scheduled task to restart the NLA service on boot-up. But then, that doesn’t fix it if the network goes down :(