It sounds like DNS resolution. If it's on the same subnet then it cannot be the firewall.
Can you ping this machine by both hostname and fully qualified domain name in both directions?
Well, if they are both using the same DNS server and that server is responding to the queries that is a good sign that the problem is not so severe.
If the machine cannot ping and you mentioned they are on the same subnet, check for an IP address conflict, and also check that there are no typos in the subnet, gateway, netmask, etc.
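The checks suggested above (resolve by short name and by FQDN, reverse lookup, ping, then sanity-check the address, mask and gateway and look for an address conflict), collected into one PowerShell script. This is an added example, not code from the thread; the target name and DNS suffix are assumptions, and the script is meant to be run from both machines so the "both directions" part is covered.

```powershell
# Added example: name-resolution and local-IP sanity checks for one peer.
# Assumptions: the peer's short name and your AD DNS suffix (change both).
$Target    = 'fileserver'        # assumption: short hostname of the peer
$DnsSuffix = 'ad.example.com'    # assumption: DNS suffix the short name should expand to
$fqdn      = "$Target.$DnsSuffix"

function Get-NetworkId {
    # Network portion of an IPv4 address as a UInt64, for a given prefix length.
    param([string]$Ip, [int]$PrefixLength)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                                   # host byte order for ToUInt32
    $addr = [uint64][BitConverter]::ToUInt32($bytes, 0)
    $mask = [uint64]([Math]::Pow(2, 32) - [Math]::Pow(2, 32 - $PrefixLength))
    return $addr -band $mask
}

# 1. Forward lookups: the short name (expanded via the suffix search list) and the FQDN must agree
$short = @(Resolve-DnsName -Name $Target -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A')
$full  = @(Resolve-DnsName -Name $fqdn   -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A')
"Short name $Target -> $($short.IPAddress -join ', ')"
"FQDN       $fqdn -> $($full.IPAddress -join ', ')"
if     (-not $full)  { Write-Warning "FQDN does not resolve: this is DNS, not the firewall" }
elseif (-not $short) { Write-Warning "Only the FQDN resolves: check the DNS suffix search list on this client" }
elseif (Compare-Object $short.IPAddress $full.IPAddress) { Write-Warning "Short name and FQDN resolve to different addresses" }

# 2. Reverse lookup: the PTR for each answer should point back at the FQDN
foreach ($ip in $full.IPAddress) {
    $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue | Where-Object Type -eq 'PTR'
    if     (-not $ptr)                         { Write-Warning "No PTR record for $ip" }
    elseif ($ptr.NameHost -notcontains $fqdn)  { Write-Warning "PTR for $ip is $($ptr.NameHost), expected $fqdn" }
}

# 3. Reachability by name
if (-not (Test-Connection -ComputerName $fqdn -Count 2 -Quiet -ErrorAction SilentlyContinue)) {
    Write-Warning "$fqdn does not answer ping"
}

# 4. Local configuration: is the gateway inside our subnet, and is the peer really on it?
$cfg = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | Select-Object -First 1
if ($cfg) {
    $ipv4 = $cfg.IPv4Address | Select-Object -First 1
    $gw   = $cfg.IPv4DefaultGateway.NextHop
    "Local: $($ipv4.IPAddress)/$($ipv4.PrefixLength), gateway $gw, DNS $($cfg.DNSServer.ServerAddresses -join ', ')"
    $ourNet = Get-NetworkId $ipv4.IPAddress $ipv4.PrefixLength
    if ((Get-NetworkId $gw $ipv4.PrefixLength) -ne $ourNet) {
        Write-Warning "Gateway $gw is not in $($ipv4.IPAddress)/$($ipv4.PrefixLength): typo in address, mask or gateway?"
    }
    foreach ($ip in $full.IPAddress) {
        if ((Get-NetworkId $ip $ipv4.PrefixLength) -ne $ourNet) {
            Write-Warning "$fqdn ($ip) is not on our subnet, so the gateway (and any firewall) is in the path"
        }
    }
}

# 5. Windows records a detected IP address conflict as Tcpip event 4199 in the System log
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Tcpip'; Id = 4199 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Run it on each host with the other host's name as the target; a failure in step 1 or 2 on only one side usually means the two machines are not using the same DNS server or suffix list, which is exactly the case the comments above are trying to rule out.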
This has been a fun topic of discussion on Server Fault. There appear to be varying "religious views" on the topic.
I agree with Microsoft's recommendation: Use a sub-domain of the company's already-registered Internet domain name.
So, if you own foo.com, use ad.foo.com or some such.
The most vile thing, as I see it, is using the registered Internet domain name, verbatim, for the Active Directory domain name. This causes you to be forced to manually copy records from the Internet DNS (like www) into the Active Directory DNS zone to allow "external" names to resolve. I've seen utterly silly things like IIS installed on every DC in an organization running a web site that does a redirect such that someone entering foo.com into their browser would be redirected to www.foo.com by these IIS installations. Utter silliness!
Using the Internet domain name gains you no advantages, but creates "make work" every time you change the IP addresses that external host names refer to. (Try using geographically load-balanced DNS for the external hosts and integrating that with such a "split DNS" situation, too! Gee-- that would be fun...)
Using such a subdomain has no effect on things like Exchange email delivery or User Principal Name (UPN) suffixes, BTW. (I often see those both cited as excuses for using the Internet domain name as the AD domain name.)
I also see the excuse "lots of big companies do it". Large companies can make boneheaded decisions as easily (if not more so) than small companies. I don't buy that just because a large company makes a bad decision that somehow causes it to be a good decision.
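A way to see the "make work" the answer describes on a live system. This added PowerShell script (not part of the answer) is for the case it warns against, an AD domain named identically to the registered Internet domain: for each externally hosted name it compares the A records served by the AD-integrated zone on a DC with what a public resolver returns, so records that were hand-copied and then drifted after an external IP change show up. The zone name, DC name, host list and public resolver are assumptions; it needs the DnsServer RSAT module.

```powershell
# Added example: audit of copied "external" records in an AD-integrated zone.
$ZoneName         = 'foo.com'              # assumption: AD domain == registered Internet domain
$DomainController = 'dc01.foo.com'         # assumption: a DC hosting the AD-integrated zone
$ExternalHosts    = @('@', 'www', 'mail')  # assumption: externally hosted names; '@' is the zone apex (foo.com itself)
$PublicResolver   = '1.1.1.1'              # assumption: any resolver outside your network

function Get-InternalA {
    # A records as served by the AD-integrated zone on the DC
    param([string]$Zone, [string]$Name, [string]$Dc)
    Get-DnsServerResourceRecord -ComputerName $Dc -ZoneName $Zone -Name $Name -RRType A -ErrorAction SilentlyContinue |
        ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString } | Sort-Object -Unique
}

function Get-PublicA {
    # A records as the Internet sees them, bypassing the local cache and hosts file
    param([string]$Fqdn, [string]$Server)
    Resolve-DnsName -Name $Fqdn -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'A' | ForEach-Object { $_.IPAddress } | Sort-Object -Unique
}

foreach ($label in $ExternalHosts) {
    $fqdn     = if ($label -eq '@') { $ZoneName } else { "$label.$ZoneName" }
    $internal = @(Get-InternalA -Zone $ZoneName -Name $label -Dc $DomainController)
    $public   = @(Get-PublicA   -Fqdn $fqdn -Server $PublicResolver)

    $status = if     (-not $public)                        { 'NO PUBLIC RECORD' }
              elseif (-not $internal)                      { 'MISSING INTERNALLY' }  # inside clients cannot resolve it
              elseif (Compare-Object $internal $public)    { 'DRIFTED' }             # copied record is stale
              else                                         { 'OK' }

    [pscustomobject]@{
        Name     = $fqdn
        Internal = ($internal -join ', ')
        Public   = ($public   -join ', ')
        Status   = $status
    }
}
```

Expect the apex ('@') to report DRIFTED no matter what you do: every DC registers its own A record at the root of the AD zone, so inside the network foo.com resolves to the domain controllers rather than the web host. That is the mismatch behind the IIS-on-every-DC redirect hack described above, and it is the reason a subdomain such as ad.foo.com avoids the whole problem.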
Best Answer
Domains
Microsoft first introduced (Windows) Domains with Windows NT Server as part of their bid to compete with Novell Netware for control of the business server market.
If you didn't have something like a Windows Domain or Novell Netware, then every time you wanted to access a resource on another computer that was protected by a password, you had to enter or re-enter the password. And each different server might ask you for a totally different password. Windows Domains and Netware Domains are designed to make it so you can log on one time to the computer that you are sitting at, and then be granted or denied access to resources on many other servers in the background without you having to submit credentials every time you access a different resource.
One simplified way to look at a Windows Domain is that it is two lists. One list is usernames and passwords. These are the user credentials that a human being will know, that they enter when they log on to the computer they are sitting at. The verification of these user credentials is then made available to all the other computers that have resources the user wants to access. But we don't want just any computer to be able to check a user's credentials.
That's why the second "list" is a list of computer names and passwords. That might sound strange at first, but it makes sense. We want to control what computers a Domain user can access, and we want to control which computers are even allowed to query the Domain for information about users. So computers also have their own credentials, and whenever a computer boots up, it logs on to the domain with its computer name and password. There is a process to create the computer account on the domain and establish the credentials, which is called "joining the computer to the domain".
A lot has changed about Windows Domains in the almost 20 years since the heyday of NT 4.0, but those two "lists" of credentials, one for users and one for computers, remains as a central and critical element of a Windows Domain.
Domain Controllers
Just to recap, a Domain Controller is essentially a Microsoft Windows Server that both stores a copy of the domain information (those two lists mentioned above as well as a lot of other data) and provides access and mechanisms to protect and use that data.
Recalling the importance of the lists of user and computer credentials that are the core information for a Windows Domain, it shouldn't surprise you to know that one of the most important functions of a Domain Controller is authentication. To streamline the user experience (our original goal from up in the second paragraph), servers that host resources need to be able to query the list of user credentials to see if the users in question are who they say they are and have access granted to the resources being served. Domain Controllers are the servers that a resource server can query to validate the identity and access for a user.
There's a lot to dive into when it comes to Windows Domain authentication, but two big concepts you could research further are Kerberos authentication, which is the mechanism for authentication used in Windows 2000 and later domains, and pass-through authentication, which is what makes the seamless user experience possible.
The other highly important service Domain Controllers provide is to store and replicate all of the Domain information. Starting in Windows 2000, the amount of information that makes up a domain increased dramatically over the two lists of credentials and few other odds and ends that Windows NT stored. By replicating all or part of this data to other Domain Controllers, the Windows Domain mechanism makes it more highly available and more fault tolerant.
Active Directory
Released with Windows 2000, Active Directory is a complete redesign and rebranding of the entire Windows Domain system. The term "Active Directory" can refer to either the entire system of managing Windows 2000 and later domains, or the database that comprises the Windows Domain information (the two lists and a bunch more) or both.
All of the information that makes up an Active Directory is stored in an X.500 compatible database. X.500 is a set of network directory standards, and a Windows Domain is a kind of network directory, hence the name Active Directory for its replacement. As mentioned above, this X.500 database is replicated between domain controllers to make it accessible and fault tolerant.
Relevant to the question of "what is a domain?", Active Directory introduced one important new type of object and concept, Forests. An Active Directory Forest is kind of a list of lists, meaning, it is a collection of Domains that are all related to each other for both security and management purposes.
There are a lot more things involved in Active Directory Domains and Forests and a lot more services that are (or can be) provided by Domain Controllers. Hopefully this is enough to add to your existing information and give you some research direction going forward. Obviously, you can search by and/or favorite the active-directory tag on this very site, and maybe sort by votes, to see more about AD.
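The concepts in the answer above, made concrete on a live domain with PowerShell. This is an added example, not code from the answer: it lists the two "lists" (user accounts and computer accounts, each with its own password), flags computer accounts that have stopped rotating their password, checks this machine's own logon to the domain (its secure channel with a DC), shows the Kerberos tickets behind single sign-on, and prints the forest and domain layout plus replication state. It needs the RSAT ActiveDirectory module and a domain-joined machine; the 90-day staleness threshold is an assumption.

```powershell
# Added example: the "two lists", the machine's own domain logon, Kerberos, and the forest.
Import-Module ActiveDirectory

# List 1: users. These are the credentials a human types at logon.
Get-ADUser -Filter * -Properties PasswordLastSet, LastLogonDate |
    Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate |
    Sort-Object SamAccountName | Format-Table -AutoSize

# List 2: computers. Each has its own password, set at domain join and rotated by the
# machine itself (every 30 days by default; MaximumPasswordAge under
# HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters).
function Get-StaleComputerAccount {
    # Enabled computer accounts whose password has not rotated within $Days: machines that are
    # gone or broken but still count as trusted members the domain will authenticate.
    param([int]$Days = 90)   # assumption: 90 days is three missed rotations
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet, OperatingSystem |
        Where-Object { $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, OperatingSystem, PasswordLastSet
}
Get-StaleComputerAccount -Days 90 | Format-Table -AutoSize

# This machine's own logon to the domain: is its secure channel to a DC intact?
# (Test-ComputerSecureChannel -Repair re-establishes it by resetting the computer password.)
Test-ComputerSecureChannel -Verbose
nltest /sc_query:$env:USERDNSDOMAIN        # which DC the secure channel currently uses

# Kerberos: the TGT obtained at logon plus the service tickets reused against each server,
# which is what lets you reach many servers without retyping a password.
klist

# Forest = the "list of lists": all domains, the global catalogs, and the DCs replicating the database
Get-ADForest | Select-Object RootDomain, Domains, ForestMode, GlobalCatalogs
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode, PDCEmulator, ReplicaDirectoryServers
Get-ADReplicationPartnerMetadata -Target $env:LOGONSERVER.TrimStart('\') |
    Select-Object Server, Partner, LastReplicationSuccess, ConsecutiveReplicationFailures
```

The stale-computer check is the part worth keeping around: a computer account that is still enabled but whose password has not changed in months is a machine nobody is maintaining, yet the domain will still accept its credentials.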