Re: Directory Service Event 1311



Yes I had used the portqry command line before and it showed that TCP port
135 was blocked. I guess I could not convince the router guy from this
output. I checked the router ACL and indeed all traffic from the subnet was
being blocked. Once I permitted in the ACL, all port queries worked fine.

I just wanted a little confirmation that it was the firewall blocking it,
and you did give me that. Thanks for your help.

Manoj


"Net Admin" wrote:

Download and run this tool from Microsoft. You can set it to run queries for:
Domains and Trusts
IPSec
Networking
SQL
WEB Service
Exchange
Netmeeting

It will run according to what services you set it to check for and tell you
what is being filtered/blocked. Run it from the server that you cannot join
to the domain.
Also, is there a site link created between the two sites?



"Manoj" wrote:

Wow, I would have imagined this to be a routine problem, but guess not. In
my case, it seemed to be a firewall problem too, but my Cisco router guy does
not think so, saying all tcp traffic is going through the VPN tunnel. Was
there any specific ports they had to open up in the firewall?

My problem is how to prove to the router guy that it is an access control
list in the router config that is blocking the traffic. How can that be
proved? Any debugging tools to help sort this out?

Thanks
Manoj

"Net Admin" wrote:

I had to call MS Support and it took us 14 hours and 6 engineers to finally
fix the problem. The main issue was DNS. I had to point all DNS servers, even
the child domain DNS servers, to the PDC in the main site as their primary
DNS server. I had to allow zone transfers to all DNS servers in the forest.
There were issues with routers and our firewall appliance blocking certain
ports. I also had to create a zone delegation for the child domain zone.
Since the firewall admin and router admin are 2 other administrators we all
had to get in on it to figure this thing out. I downloaded and ran the GUI
port query tool to see what was being filtered. I am happy to say that
everything works just fine now. It was well worth the money to call
Microsoft. Sometimes you need an expert from the outside to come in and take
a look. I hope you figure your issues out.
Good Luck!

"Manoj" wrote:

I get a similar error from a new server that is at site 2 while sending
portqry to a PDC at site 1.

I am trying to join this new server to domain and am not able to contact the
PDC at site 1.

Does this mean a firewall is blocking it? I have Windows Firewall turned
off on the PDC and on this new server. My routers at both sites do not
specifically block this TCP port. What else must be going on? How did you
solve your problem?

Thanks
Manoj


"Net Admin" wrote:

Ok our firewall admin says all traffic is allowed between child domain DCs
and parent domain DCs. I ran the query command you gave me and this is what I
got:

H:\>portqry -n childdc -e 135 -p tcp
Querying target system called:
childdc
Attempting to resolve name to IP address...
Name resolved to 10.0.17.2
TCP port 135 (epmap service): FILTERED
H:\>
Could this be filtered on the server itself?

"Paul Williams [MVP]" wrote:

Sorry for the delay!

That sounds fine. Run the following tests to be sure we've not missed
anything re. DNS:

nltest /dsgetdc:domain-name.com
nltest /dsgetsite


Run that from a client and a DC. NLTEST is a support tool.

If you don't have NLTEST and can't install the support tools for whatever
reason, use NSLOOKUP:


nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com


If that is yielding a positive result, the problem is elsewhere. Use
REPLMON to monitor replication and see what is going on.

Are there any firewalls in between DCs and PCs? Check that you are able to
query the end-point mapper (TCP135) and one of the DS ports returned by the
end-point mapper using PORTQRY (support tool or download), like so:

portqry -n hostname -e 135 -p tcp


--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
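The distinction portqry draws between FILTERED and NOT LISTENING is the whole argument in this thread: a SYN that is silently dropped (no reply within the timeout) points at an ACL or firewall on the path, while an RST means the host was reached and nothing is bound there. The script below is an added example, not from any poster, that reproduces that classification with plain sockets; the default port list (135, 389, 88, 445) is an assumed set of ports a domain join relies on, and the localhost listener exists only so it runs offline.

```python
import socket
import errno

# The three verdicts portqry prints for a TCP port, and what each one implies.
LISTENING = "LISTENING"          # handshake completed: host reachable, service answering
NOT_LISTENING = "NOT LISTENING"  # RST came back: host reachable, nothing bound on that port
FILTERED = "FILTERED"            # no reply at all: SYN dropped on the path (ACL/firewall) or host down


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port the way portqry does, by how the SYN is answered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return LISTENING
    except socket.timeout:
        return FILTERED
    except ConnectionRefusedError:
        return NOT_LISTENING
    except OSError as e:
        # ICMP unreachable (EHOSTUNREACH/ENETUNREACH) means a router did answer,
        # so report it separately rather than lumping it in with a silent drop.
        return "UNREACHABLE: %s" % errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def check_dc_ports(host, ports=(135, 389, 88, 445), timeout=3.0):
    """Probe the endpoint mapper plus an assumed set of DC ports; returns {port: verdict}.
    A FILTERED verdict on 135 while neighbouring ports answer is the pattern that
    points at a drop rule on the path rather than at the DC itself."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


def _demo_listener():
    """Local listener on an ephemeral port so the example can run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = _demo_listener()
    print(port, probe_tcp("127.0.0.1", port))   # LISTENING while the socket is bound
    srv.close()
    print(port, probe_tcp("127.0.0.1", port))   # NOT LISTENING once it is gone (RST)
```

Run it from the box that cannot join the domain, against the PDC, as the thread suggests; a host-based firewall that drops rather than rejects will also show FILTERED, which is why the posters had to rule out the server itself before blaming the router ACL.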






