Re: Automatic primary zone to primary zone transfers???



"Joe Flowers" <flowers@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ujgYkx%23%23FHA.228@xxxxxxxxxxxxxxxxxxxxxxx
> Thanks a lot Herb! This was very helpful.
>
> Something weird though:
> I turned the built-in MS ICS firewall on the servers and AD started back
> to replicating correctly. Ouch!

[That is the ICF (firewall) even though ICF and ICS are on the same dialog.]

That is extremely weird. It should be the other way around.
(I assume you have a typo above.)

If you turned it OFF it SHOULD replicate but it SHOULD FAIL
if the ICF is on in many cases.

Notice it might not fail always since this DC might be the initiator
of the replication, but it will fail FROM any DC with the ICF
(or BASIC RRAS) firewall running.

> I thought that ICS would have recognized that it was running on a DC and
> automatically opened the correct ports/etc. for correct AD sync.

Why? ICS isn't even built particularly for a server.

Even BASIC Firewall (in RRAS) which is similar wouldn't
do that.

> Any ideas on how I can re-enable ICS AND have AD replicate correctly?

No, not really. You could define all needed ports but that
would open it to ALL client addresses which would largely
invalidate the reason for a 'firewall'.

Use IPSec instead, even though you will never enable the
actual IPSec protocols. Use IPSec to build a PASS and BLOCK
filter only.

Notice that it makes little sense to turn on a firewall like ICS
for a DC -- ICS is all or nothing except for Port definitions,
and even then it is for ALL clients.

Most people don't realize that IPSec policies can be used for
simple (and complex) BLOCK/PASS filters with no actual
IPSec ever invoked.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

>
> Joe
>
>
>
> Herb Martin wrote:
>> "Joe Flowers" <flowers@xxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:%232qdzJo%23FHA.1676@xxxxxxxxxxxxxxxxxxxxxxx
>>
>>>Hmmm... They are AD Integrated DNS servers. There must be something else
>>>wrong then? Let me check the AD replication status.
>>>
>>>Thanks Herb. Thanks a lot!
>>>
>>>I'll see what DCDiag tells me.
>>>
>>>Does anyone else have any ideas please?
>>>
>>
>>
>>
>> Well, in that case it is likely a DNS problem that is
>> causing a failure of AD replication (check DCDiag)
>> and therefore the replication of DNS itself (because
>> DNS is AD Integrated.)
>>
>> You might want to point EVERY DC (on the NIC IP
>> DNS Settings) to the "best" DNS server -- get them all
>> registered -- get AD replicated. Then you can point
>> them back to themselves.
>>
>> Here are the general settings on DNS for AD:
>>
>> 1) Dynamic for the zone supporting AD
>> 2) All internal DNS clients NIC\IP properties must specify SOLELY
>> that internal, dynamic DNS server (set.)
>> 3) DCs and even DNS servers are DNS clients too -- see #2
>> 4) If you have more than one Domain, every DNS server must
>> be able to resolve ALL domains (either directly or
>> indirectly)
>>
>> netdiag /fix
>>
>> ...or maybe:
>>
>> dcdiag /fix
>>
>> (Win2003 can do this from Support tools):
>> nltest /dsregdns /server:DC-ServerNameGoesHere
>> http://support.microsoft.com/kb/q260371/
>>
>> Ensure that DNS zones/domains are fully replicated to all DNS
>> servers for that (internal) zone/domain.
>>
>> Also useful may be running DCDiag on each DC, sending the
>> output to a text file, and searching for FAIL, ERROR, WARN.
>>
>> Single Label domain zone names are a problem Google:
>> [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
>>
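The PASS/BLOCK IPSec filter that Herb recommends above, written out as an added example (this is not code from the original thread, and it is not Herb's own script). It assumes Windows Server 2003 with the `netsh ipsec static` context, a hypothetical policy name "DC Filter", and a hypothetical internal subnet 192.168.1.0/24 that holds the other DCs and the admin workstations. Filter actions are only `permit` and `block`, so no IPSec negotiation, AH or ESP is ever invoked; and because Windows IPSec evaluates the most specific matching filter first, the subnet-specific permit wins over the block-all rule, which is what makes this work as a plain packet filter rather than an all-or-nothing switch like ICF.

```batch
@echo off
rem Added example: build a BLOCK/PASS packet filter for a DC using IPSec
rem policy only (no IPSec negotiation). Assumptions (hypothetical):
rem   - policy name "DC Filter"
rem   - 192.168.1.0/24 is the trusted internal subnet (other DCs, admins)
rem Turn ICF/ICS OFF on the DC before assigning this policy; the two
rem filters would otherwise stack and ICF would still break replication.

rem 1) The policy container. Keep the polling interval default.
netsh ipsec static add policy name="DC Filter" description="Block all, permit trusted subnet"

rem 2) The two filter actions. "permit" and "block" never trigger a
rem    security association, so no AH/ESP traffic is ever generated.
netsh ipsec static add filteraction name="Pass" action=permit
netsh ipsec static add filteraction name="Drop" action=block

rem 3) Filter list: everything from anywhere to this host (mirrored so the
rem    reply direction is covered too).
netsh ipsec static add filterlist name="Block All"
netsh ipsec static add filter filterlist="Block All" srcaddr=Any dstaddr=Me protocol=ANY mirrored=yes description="Catch-all"

rem 4) Filter list: the trusted subnet to this host. Being more specific
rem    than the Any->Me filter, it is matched first, so AD replication,
rem    DNS, Kerberos, LDAP, RPC etc. from these addresses all pass.
netsh ipsec static add filterlist name="Trusted Subnet"
netsh ipsec static add filter filterlist="Trusted Subnet" srcaddr=192.168.1.0 srcmask=255.255.255.0 dstaddr=Me protocol=ANY mirrored=yes description="Internal DCs and admins"

rem 5) Bind filter lists to actions inside the policy.
netsh ipsec static add rule name="Drop Everything" policy="DC Filter" filterlist="Block All" filteraction="Drop"
netsh ipsec static add rule name="Pass Trusted" policy="DC Filter" filterlist="Trusted Subnet" filteraction="Pass"

rem 6) Check what was built before it goes live.
netsh ipsec static show all

rem 7) Assign. Only one IPSec policy can be assigned on a host at a time.
rem    To back out from a console session:
rem      netsh ipsec static set policy name="DC Filter" assign=n
netsh ipsec static set policy name="DC Filter" assign=y
```

Run this from a console session (not over RDP from outside the trusted subnet) so a mistake in the subnet does not lock you out; verify afterwards with `repadmin /showrepl` or `dcdiag` from another DC that replication still succeeds, and test from an address outside 192.168.1.0/24 that it is dropped. Replacing `protocol=ANY` in the trusted list with per-port filters (TCP 389, 88, 135, etc.) narrows it further, but Herb's point stands: the filter is per source address, which is exactly what ICF's port definitions cannot do.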



