Re: New DC behind a firewall
- From: Yan <yan.corneille@xxxxxxxxx>
- Date: Mon, 14 Jan 2008 08:22:59 -0800 (PST)
The dcdiag output is the following:
Command Line: "dcdiag.exe /v /c /d /e /s:mydc"
Domain Controller Diagnosis
Performing initial setup:
* Connecting to directory service on server mydc.
mydc.currentTime = 20080114153914.0Z
mydc.highestCommittedUSN = 26918
mydc.isSynchronized = 1
mydc.isGlobalCatalogReady = 0
[mydc] LDAP bind failed with error 1326,
Win32 Error 1326.
DcDiag: a dcdiag exception raised, handling error 8444
Then, DNSLint stops with
"LDAP query to speficied LDAP server on TCP port 389 failed
Server Down"
Everything runs fine when I run it from a machine on the same side of
the firewall (i.e. in the OURGROUP network branch).
This seems to confirm that there is something wrong in the way the FW
is configured for LDAP use (unless I'm jumping a bit too fast to
conclusions!).
I forwarded all the ports according to the docs I found (everything
summarized here: http://support.microsoft.com/kb/832017), namely 445
(Netbios), 53 (DNS), 88 (Kerberos), 3268-3269 (LDAP), 636 (LDAP-SSL), 389
(LDAP) and 42 (WINS).
Yan.
On Jan 14, 2:58 pm, "Paul Bergson [MVP-DS]"
<pbergson@xxxxxxxxxxxxxxxxx> wrote:
Run diagnostics against your child domain.
If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe
Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"
**Note: Using the /E switch in dcdiag will run diagnostics against ALL DCs
in the forest. If you have significant numbers of DCs this test could
generate significant detail and take a long time. You also want to take
into account that slow links to DCs will also add to the testing time.
If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be output
in notepad text files that pop up automagically.
The script is located on my website at http://www.pbbergs.com/windows/downloads.htm
Just select both dcdiag and netdiag and make sure verbose is set. (Leave the
default settings for dcdiag as set when selected.)
When complete, search for fail, error and warning messages.
Description and download for dnslint: http://support.microsoft.com/kb/321045
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Yan" <yan.cornei...@xxxxxxxxx> wrote in message
news:32cb1b91-b6b1-440e-9e73-bd808d6a24b2@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello everyone,
A group in our organization needs to have its own infrastructure.
So, I just installed a new w2k3 DC on our network.
- its domain name is "OURGROUP"
- this DC is behind a firewall; open ports: 53, 88, 3268-3269, 636, 389, 42.
The structure basically looks like this:
new DC (IP: a.b.c.181) + some machines (IP range: a.b.c.0) ->
FIREWALL -> orgnetwork (IP range: x.y.z.0)
- the existing DC still exists for the rest of the organization.
It's in the orgnetwork (x.y.z.0 IP range).
I have to add user machines (connected in the orgnetwork IP range) to
the new domain, but I only get "An active directory domain controller
for the domain OURGROUP could not be contacted".
Is there any configuration issue? Any DNS-specific config? Anything
I could have to change?
Thanks in advance,
Yan.
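An added connectivity check, written for this thread and not part of it, that runs from a machine on the orgnetwork side of the firewall and reports which of the TCP ports Yan forwarded (the KB 832017 list) actually reach the DC. It assumes the DC name `mydc` from the dcdiag output, and adds TCP 135 (the RPC endpoint mapper, also in KB 832017) to Yan's list; a port that shows as blocked is a firewall or forwarding problem, while all ports open with dcdiag still failing its LDAP bind points elsewhere.

```python
import socket
import sys
from typing import Callable, Dict, List, Tuple

# TCP ports from Yan's list (KB 832017). 135 is added here: the RPC endpoint
# mapper that domain join and replication need, which the list omits.
AD_TCP_PORTS: Dict[int, str] = {
    42: "WINS",
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper (not in the post's list)",
    389: "LDAP",
    445: "SMB",
    636: "LDAP over SSL",
    3268: "Global Catalog",
    3269: "Global Catalog over SSL",
}


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name resolution failed
        return False


def check_dc_ports(host: str, ports: Dict[int, str] = AD_TCP_PORTS,
                   probe: Callable[[str, int], bool] = tcp_open
                   ) -> Tuple[List[int], List[int]]:
    """Probe each port once from this side of the firewall; return (reachable, blocked).

    A blocked port means its firewall rule or forward is wrong. All ports open
    with dcdiag still failing LDAP bind (error 1326 is a logon failure) points
    at credentials, Kerberos or DNS rather than the firewall. Only TCP is
    checked: DNS and Kerberos also use UDP 53/88, and the dynamic RPC range
    described in KB 832017 cannot be covered by a fixed port list.
    """
    reachable: List[int] = []
    blocked: List[int] = []
    for port in sorted(ports):
        (reachable if probe(host, port) else blocked).append(port)
    return reachable, blocked


if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "mydc"
    ok, bad = check_dc_ports(dc)
    for port in sorted(ok + bad):
        print(f"{'open   ' if port in ok else 'BLOCKED'} {port:5d}  {AD_TCP_PORTS[port]}")
```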