Re: Add a new DC to a new branch



First:

Did you solve the problem about booting the server in Directory Services
Restore Mode?
Is the server OK now?
What happened on that server?


Second:
All tests with portqry.exe should return code 0x00000000
and TCP port XXX (service): LISTENING

If not, then you must have some firewall blocking these ports.






--
I hope that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator





"Manoj" <Manoj@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BE42FEC0-9F64-433F-8645-B8D707DC2F76@xxxxxxxxxxxxxxxx
From my new member server at site 2, I ran PortQryUI. The preferred DNS on
this machine is pointing to PDC at site 1 - 192.168.1.100

Here are the results. It seems the ports are being filtered and there is no
response. What does this suggest? How do I fix this? Thanks

=============================================

Starting portqry.exe -n 192.168.1.100 -e 135 -p TCP ...


Querying target system called:

192.168.1.100

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 135 (epmap service): FILTERED
portqry.exe -n 192.168.1.100 -e 135 -p TCP exits with return code
0x00000002.
=============================================

Starting portqry.exe -n 192.168.1.100 -e 389 -p BOTH ...


Querying target system called:

192.168.1.100

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 389 (ldap service): FILTERED

UDP port 389 (unknown service): LISTENING or FILTERED

Using ephemeral source port
Sending LDAP query to UDP port 389...

LDAP query to port 389 failed
Server did not respond to LDAP query

portqry.exe -n 192.168.1.100 -e 389 -p BOTH exits with return code
0x00000001.
=============================================

Starting portqry.exe -n 192.168.1.100 -e 636 -p TCP ...


Querying target system called:

192.168.1.100

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 636 (ldaps service): FILTERED
portqry.exe -n 192.168.1.100 -e 636 -p TCP exits with return code
0x00000002.
=============================================

Starting portqry.exe -n 192.168.1.100 -e 3268 -p TCP ...


Querying target system called:

192.168.1.100

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 3268 (unknown service): FILTERED
portqry.exe -n 192.168.1.100 -e 3268 -p TCP exits with return code
0x00000002.
=============================================

Starting portqry.exe -n 192.168.1.100 -e 3269 -p TCP ...


Querying target system called:

192.168.1.100

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 3269 (unknown service): FILTERED
portqry.exe -n 192.168.1.100 -e 3269 -p TCP exits with return code
0x00000002.
=============================================

Starting portqry.exe -n 192.168.1.100 -e 53 -p BOTH ...


Querying target system called:

192.168.1.100

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 53 (domain service): FILTERED

UDP port 53 (domain service): LISTENING or FILTERED

Sending DNS query to UDP port 53...

DNS query timed out
portqry.exe -n 192.168.1.100 -e 53 -p BOTH exits with return code
0x00000002.
=============================================

Starting portqry.exe -n 192.168.1.100 -e 88 -p BOTH ...


Querying target system called:

192.168.1.100

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 88 (kerberos service): FILTERED

UDP port 88 (kerberos service): LISTENING or FILTERED
portqry.exe -n 192.168.1.100 -e 88 -p BOTH exits with return code
0x00000002.
=============================================

Starting portqry.exe -n 192.168.1.100 -e 445 -p TCP ...


Querying target system called:

192.168.1.100

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 445 (microsoft-ds service): FILTERED
portqry.exe -n 192.168.1.100 -e 445 -p TCP exits with return code
0x00000002.
=============================================

Starting portqry.exe -n 192.168.1.100 -e 137 -p UDP ...


Querying target system called:

192.168.1.100

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

UDP port 137 (netbios-ns service): LISTENING or FILTERED

Using ephemeral source port
Attempting NETBIOS adapter status query to UDP port 137...

NETBIOS name for 192.168.1.100 not found (timeout)
Adapter status query failed.
UDP port: FILTERED

portqry.exe -n 192.168.1.100 -e 137 -p UDP exits with return code
0x00000001.
=============================================

Starting portqry.exe -n 192.168.1.100 -e 138 -p UDP ...


Querying target system called:

192.168.1.100

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

UDP port 138 (netbios-dgm service): LISTENING or FILTERED
portqry.exe -n 192.168.1.100 -e 138 -p UDP exits with return code
0x00000002.
=============================================

Starting portqry.exe -n 192.168.1.100 -e 139 -p TCP ...


Querying target system called:

192.168.1.100

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 139 (netbios-ssn service): FILTERED
portqry.exe -n 192.168.1.100 -e 139 -p TCP exits with return code
0x00000002.
=============================================

Starting portqry.exe -n 192.168.1.100 -e 42 -p TCP ...


Querying target system called:

192.168.1.100

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 42 (nameserver service): FILTERED
portqry.exe -n 192.168.1.100 -e 42 -p TCP exits with return code
0x00000002.



"Jorge Silva" wrote:

To check for open ports, download
PortQryUI - User Interface for the PortQry Command Line Port Scanner
http://www.microsoft.com/downloads/details.aspx?FamilyID=8355e537-1ea6-4569-aabb-f248f4bd91d0&DisplayLang=en

--
I hope that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator





"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:ulUJ2ageGHA.3468@xxxxxxxxxxxxxxxxxxxxxxx
Hi

Network Ports Used by Active Directory Replication
By default, RPC-based replication uses dynamic port mapping. When
connecting to an RPC endpoint during Active Directory replication, the RPC
run time on the client contacts the RPC endpoint mapper on the server at a
well-known port (port 135). The server queries the RPC endpoint mapper on
this port to determine what port has been assigned for Active Directory
replication on the server. This query occurs whether the port assignment
is dynamic (the default) or fixed. The client never needs to know which
port to use for Active Directory replication.

Note: An endpoint comprises the protocol, local address, and port address.


In addition to the dynamic port 135, other ports that are required for
replication to occur are listed in the following table.

Port Assignments for Active Directory Replication

Service Name    UDP    TCP
LDAP            389    389
LDAP                   636 (Secure Sockets Layer [SSL])
LDAP                   3268 (global catalog)
Kerberos        88     88
DNS             53     53
SMB over IP     445    445


Replication within a domain also requires FRS using a dynamic RPC port.




--
I hope that helps


Good Luck
Jorge Silva
MCSA
Systems Administrator





"Manoj" <Manoj@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2FE4D94D-B151-4D8C-BFBF-A5E1B6413582@xxxxxxxxxxxxxxxx
Thanks for your prompt reply.

I tried to fix the event log overflow and after restarting, my new DC gets
hung up at "Preparing network connections". How do I get past this? I am not
able to do a safe boot either. Any ideas?

I have another new server that I connected to site 2 - the 192.168.2.0
network. After installing Server 2003, I changed the TCP/IP settings to point
to PDC/DNS 192.168.1.100 and tried to join this server to the domain. I get an
error saying the _ldap._tcp.dc._msdcs.domainname.com not found.

When I run from this new member server
nslookup
set q = srv
_ldap._tcp.dc._msdcs.domainname.com

I get time out errors.

But when I go to my PDC and run nslookup, the SRV record is found OK.

I think this is my main problem that was blocking access to the PDC in the
case of the first new server too.

Is there any port that needs to be opened for RPC traffic in DNS? My routers
on either site do not block any of the RPC port 135. What else might be
blocking this traffic? Any way to debug this?

Thanks for your help.
Manoj


"Jorge Silva" wrote:


Hi

There is just a single IP site link that connects site 1 and site 2. Isn't
that just what is needed? Since I do not have more than 2 sites, I figure I
do not need more than 1 site link or a site link bridge. Am I right? Please
confirm.

That's correct.

Yes, there is a Reverse lookup zone for the 192.168.2.0 subnet.
The netdiag /fix did not fix it.
At one point, I did not reboot the server after ipchange.

- If you run ipconfig /registerdns, does the PTR record appear in the Reverse
lookup zone for the 192.168.2.x subnet?
- How does Active Directory Sites and Services show the new sites created and
the moved DC? Is the correct information refreshed in both DCs?
- If not, then reconfigure it in both DCs.
- Then in both DCs perform the following actions:
- delete the files netlogon.dnb and netlogon.dns from
%systemroot%\system32\config
- restart the netlogon service
- confirm the creation of the files
- run netdiag /fix
- Make sure that you can ping the server in the main office by FQDN, or any
other replication partners.
- Test replication

DCDIAG /D /V /C > DCDIAG.TXT
NETDIAG /V /DEBUG > NETDIAG.TXT
Open DCDIAG.TXT and NETDIAG.TXT and check for errors, and if there are any,
troubleshoot them.


Assuming that you're talking about network places or browsing by
\\computername, you'll need WINS in both subnets replicating with each
other.


I was trying to browse by \\ip address. I think my WINS in both subnets was
not replicating and that is what I am going to do next.

Resolve that, make sure that both WINS servers are replicating with each
other. You might need to change the replication partners that replicate with
the moved DC for WINS, etc.
If you have DHCP you need to reauthorize it. Don't forget to remove the
old authorization.

Additional information for needed ports:
Service overview and network port requirements for the Windows Server
system
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

I hope that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator
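
Added example, not part of the original thread or written by its posters: a small Python parser that reads saved PortQry output in the format shown above and lists which of the replication ports named in the thread (135 plus the table) were not confirmed LISTENING. The sample text is constructed (abridged from the thread's format, with one LISTENING line added), and the function names are assumptions of this example.

```python
import re

# Endpoints the thread lists for AD replication: RPC endpoint mapper (135)
# plus the port table. Dynamic RPC ports are not covered by this check.
REQUIRED = {("TCP", 135), ("TCP", 389), ("UDP", 389), ("TCP", 636),
            ("TCP", 3268), ("TCP", 88), ("UDP", 88), ("TCP", 53),
            ("UDP", 53), ("TCP", 445), ("UDP", 445)}

STATE = re.compile(r"^(TCP|UDP) port (\d+) \([^)]*\): (.+?)\s*$")
# After a protocol-level probe PortQry prints a refined verdict without a number.
REFINED = re.compile(r"^UDP port: (LISTENING|FILTERED|NOT LISTENING)\s*$")

# Constructed sample input in the format of the PortQry output quoted above.
SAMPLE = """\
TCP port 135 (epmap service): FILTERED
TCP port 389 (ldap service): FILTERED
UDP port 389 (unknown service): LISTENING or FILTERED
UDP port 137 (netbios-ns service): LISTENING or FILTERED
NETBIOS name for 192.168.1.100 not found (timeout)
UDP port: FILTERED
TCP port 53 (domain service): LISTENING
"""

def parse_portqry(text):
    """Return {(protocol, port): final state} from PortQry output text."""
    states, last_udp = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = STATE.match(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            states[key] = m.group(3)
            last_udp = key if key[0] == "UDP" else last_udp
            continue
        m = REFINED.match(line)
        if m and last_udp:
            states[last_udp] = m.group(1)  # refined verdict overrides the guess
    return states

def unconfirmed(states, required=REQUIRED):
    """Required endpoints that were not tested or not definitely LISTENING."""
    return sorted((proto, port, states.get((proto, port), "NOT TESTED"))
                  for proto, port in required
                  if states.get((proto, port)) != "LISTENING")

if __name__ == "__main__":
    for proto, port, state in unconfirmed(parse_portqry(SAMPLE)):
        print(f"{proto}/{port}: {state}")
```

An ambiguous UDP result ("LISTENING or FILTERED") is deliberately reported as unconfirmed, since PortQry only proves a UDP port open when the follow-up query gets an answer.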









