Re: New DC behind a firewall



Yan wrote:
The dcdiag output is the following:

Command Line: "dcdiag.exe /v /c /d /e /s:mydc"

Domain Controller Diagnosis

Have a look at;

http://technet.microsoft.com/en-us/library/bb727063.aspx
Active Directory Replication over Firewalls


Performing initial setup:
* Connecting to directory service on server mydc.
mydc.currentTime = 20080114153914.0Z
mydc.highestCommittedUSN = 26918
mydc.isSynchronized = 1
mydc.isGlobalCatalogReady = 0
[mydc] LDAP bind failed with error 1326,
Win32 Error 1326.
DcDiag: a dcdiag exception raised, handling error 8444

Then, DNSLint stops with
"LDAP query to speficied LDAP server on TCP port 389 failed
Server Down"

Everything runs fine when I run it from a machine on the same side of
the firewall (i.e. in the OURGROUP network branch).

This seems to confirm that there is something wrong in the way the FW
is configured for LDAP use (unless I'm jumping a bit too fast to
conclusions!).

I forwarded all the ports according to the docs I found (everything
summarized here: http://support.microsoft.com/kb/832017), namely 445
(NetBIOS), 53 (DNS), 88 (Kerberos), 3268-3269 (LDAP), 636 (LDAP-SSL),
389 (LDAP) and 42 (WINS).


Yan.



On Jan 14, 2:58 pm, "Paul Bergson [MVP-DS]"
<pbergson@xxxxxxxxxxxxxxxxx> wrote:
Run diagnostics against your child domain.

If you don't have the support tools installed, install them from
your server install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"

**Note: Using the /E switch in dcdiag will run diagnostics against ALL
dc's in the forest. If you have significant numbers of DC's this test
could generate significant detail and take a long time. You also want
to take into account slow links to dc's will also add to the testing
time.

If you download a gui script I wrote it should be simple to set and
run (DCDiag and NetDiag). It also has the option to run individual
tests without having to learn all the switch options. The details will
be output in notepad text files that pop up automagically.

The script is located on my website at
http://www.pbbergs.com/windows/downloads.htm

Just select both dcdiag and netdiag make sure verbose is set. (Leave
the default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.

Description and download for dnslint
http://support.microsoft.com/kb/321045

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Yan" <yan.cornei...@xxxxxxxxx> wrote in message

news:32cb1b91-b6b1-440e-9e73-bd808d6a24b2@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



Hello everyone,

A group in our organization needs to have its own infrastructure.

So, I just installed a new w2k3 DC to our network.
- its domain name is "OURGROUP"
- this DC is behind a firewall, open ports:
  53,88,3268-3269,636,389,42.
The structure basically looks like this:

new DC (IP : a.b.c.181) + some machines (IP range: a.b.c.0) ->
FIREWALL -> orgnetwork (IP range : x.y.z.0)

- the existing DC is still existing for the rest of the
organization. It's in the orgnetwork (x.y.z.0 IP range).

I have to add user machines (connected in the orgnetwork IP range) to
the new domain, but I only get "An active directory domain controller
for the domain OURGROUP could not be contacted".

Is there any configuration issue? Any DNS specific config?
Anything I could have to change?

thanks in advance,

Yan.

--
/kj
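A quick way to compare a firewall allow list like the one in the thread against the TCP ports a domain member needs to reach on a Windows Server 2003 DC (the table in KB 832017 that Yan cites). This is an added example, not code from any poster or from Microsoft; the port list is a summary of that KB, and the sample allow list is copied from the original post.

```python
import socket

# TCP ports a domain member must reach on a Windows Server 2003 DC,
# summarised from the KB 832017 table cited in the thread. The RPC
# dynamic range below is the Server 2003 default; Server 2008 and
# later use 49152-65535 unless the registry restricts it.
REQUIRED_TCP = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
    139: "NetBIOS session", 389: "LDAP", 445: "SMB",
    464: "Kerberos password change", 636: "LDAP over SSL",
    3268: "Global Catalog", 3269: "Global Catalog over SSL",
}
RPC_DYNAMIC = range(1025, 5000)


def parse_allow_list(spec):
    """Turn a firewall allow list such as '53,88,3268-3269,636' into a set."""
    ports = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def missing_ports(spec):
    """Return {port: service} for required TCP ports absent from the list."""
    allowed = parse_allow_list(spec)
    return {p: name for p, name in REQUIRED_TCP.items() if p not in allowed}


def rpc_range_open(spec):
    """True only if the entire RPC dynamic range is in the allow list."""
    return set(RPC_DYNAMIC) <= parse_allow_list(spec)


def tcp_open(host, port, timeout=2.0):
    """Plain TCP connect check, run from the client side of the firewall."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    fw = "53,88,3268-3269,636,389,42"   # allow list from the original post
    for port, name in sorted(missing_ports(fw).items()):
        print(f"blocked: tcp/{port} ({name})")
    if not rpc_range_open(fw):
        print("blocked: RPC dynamic range 1025-5000")
```

UDP 53, 88, 389 and 464 plus NetBIOS 137/138 are also in the KB table and are not covered by this TCP-only check.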




