Re: DNS related issue in a 2003 trust environment



Mark,

I fixed the ports in the registry as you wrote; I used port 1025 TCP for both keys,
and I have opened the ports from the extranet DC to the intranet DCs in the firewall. I
also opened 3268 TCP for GC queries...it was closed. Anyway, the queries
still have too much latency, and logging in via RDP to the extranet DC with an
intranet user account takes more than 5 minutes...

Do you think that I have to restart the PC after the registry changes for them to take
effect?

Any advice?

Thank you

Matteo

"Matteo" wrote:

No, I did not set fixed ports by changing registry keys. Is it required? Which
port could I use? I need to change it only on the extranet DC, because the
intranet DCs have all the ports open towards the extranet in the firewall,
correct?

Which consequences could this change cause?

About the .NET Framework: all of the DCs have the .NET Framework 3.0.

About the LDAP query: actually on the extranet DC, from DSA.msc, the delay is at least
2 minutes when I try to add an intranet user to an extranet group (dsa.msc
queries via LDAP I think; if not, how can I manually query the intranet AD from
the extranet DC?)

Thank you Mark, I really appreciate your help.

Matteo
"Mark Hewitson" wrote:

Matteo,

Have you set fixed ports for RPC on your DCs as below:

Settings for the Local Security Authority (LSA) RPC port are stored in the
TCP/IP Port entry in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters registry
key.

Settings for the Net Logon RPC port are stored in the DCTcpipPort entry in
the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
registry key.


Also, can you manually run an LDAP query to the internal DC from the extranet DC
without delay?
Also, do you have the latest .NET installed on the DCs?

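The two registry values Mark names are read by NTDS and Netlogon when those services start, so a value written on a Windows Server 2003 DC only takes effect after a reboot (Netlogon alone can be restarted as a service). The script below is an added example, not code from this thread: it reads both values on the local DC, warns when a fixed port lies inside the Windows Server 2003 dynamic RPC range (1025 up to the default MaxUserPort of 5000, where another service could already hold it) or is already listening, and writes new values only when `-Apply` is given. The port numbers you pass in are your own choice; the registry paths and value names are the ones from Mark's post. It assumes Windows PowerShell 3.0 or later and an elevated session.

```powershell
# Added example (not from the thread): read, validate and optionally set the
# fixed RPC port values for NTDS and Netlogon on the local domain controller.
param(
    [int]$NtdsPort     = 0,   # value for NTDS "TCP/IP Port"; 0 = read only
    [int]$NetlogonPort = 0,   # value for Netlogon "DCTcpipPort"; 0 = read only
    [switch]$Apply            # without -Apply nothing is written
)

$ntdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-FixedRpcPort {
    param([string]$Key, [string]$Name)
    # Returns the DWORD value, or $null when the value has never been set
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-FixedRpcPort {
    param([string]$Label, [int]$Port)
    # Windows Server 2003 allocates dynamic RPC ports from 1025 up to
    # MaxUserPort (default 5000); a fixed port inside that range can be taken
    # by another RPC service before NTDS or Netlogon claims it.
    if ($Port -ge 1025 -and $Port -le 5000) {
        Write-Warning "$Label port $Port lies inside the 2003 dynamic range 1025-5000"
    }
    # Anything already in LISTENING state on that local port is a conflict
    $inUse = netstat -ano -p tcp | Select-String "^\s*TCP\s+\S+:$Port\s.*LISTENING"
    if ($inUse) { Write-Warning "$Label port $Port is already in use:`n$inUse" }
}

# Current state of both values
$current = [ordered]@{
    'NTDS TCP/IP Port'     = Get-FixedRpcPort $ntdsKey 'TCP/IP Port'
    'Netlogon DCTcpipPort' = Get-FixedRpcPort $netlogonKey 'DCTcpipPort'
}
foreach ($entry in $current.GetEnumerator()) {
    $shown = if ($null -eq $entry.Value) { '(not set: dynamic port via endpoint mapper 135)' } else { $entry.Value }
    Write-Host ('{0,-22} {1}' -f $entry.Key, $shown)
    if ($null -ne $entry.Value) { Test-FixedRpcPort $entry.Key $entry.Value }
}

if ($Apply) {
    if ($NtdsPort -gt 0) {
        Test-FixedRpcPort 'NTDS' $NtdsPort
        New-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -PropertyType DWord -Value $NtdsPort -Force | Out-Null
    }
    if ($NetlogonPort -gt 0) {
        Test-FixedRpcPort 'Netlogon' $NetlogonPort
        New-ItemProperty -Path $netlogonKey -Name 'DCTcpipPort' -PropertyType DWord -Value $NetlogonPort -Force | Out-Null
    }
    Write-Host 'Values written. NTDS reads its port only at service start, so reboot the DC;'
    Write-Host 'Netlogon can be restarted on its own with: Restart-Service Netlogon'
}
```

Run it once with no arguments to see what is set today, and again with `-NtdsPort <n> -NetlogonPort <n> -Apply` after the firewall rules for those ports exist in both directions. Whichever ports you fix must then appear in the firewall rule set in place of the dynamic range; the endpoint mapper on 135 still has to be reachable, because clients ask it which port the service is on.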

"Matteo" wrote:

Actual config is:

Extranet DC --> Intranet DC1
53, 135, 389, 445, 1025 TCP
53, 88, 389 UDP

Extranet DC --> Intranet DC2
53, 135, 389, 445, 1025 TCP
53, 88, 389 UDP

Intranet DC1 and Intranet DC2 --> Extranet DC
all UDP and TCP ports open in this direction (Intranet --> Extranet) from
these servers (Intranet DC1 and Intranet DC2) to this server (Extranet DC)

Matteo
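The rule list above is exactly the kind of thing to verify from the extranet DC itself rather than from the firewall log, since a rule that exists but does not match the real traffic shows up as a silent timeout, not as a logged block. The script below is an added example, not code from this thread or from any Microsoft tool. It checks each TCP port in Matteo's list against both intranet DCs, and adds two ports the rule list does not have: 3268, which the thread later reports was closed and is what the Global Catalog lookup uses, and 88 TCP, which Kerberos switches to when a ticket is too large for UDP. The host names are placeholders; it assumes Windows PowerShell 3.0 or later. UDP ports cannot be checked with a connect and are left out. Bear in mind that 1025 covers RPC only if the fixed-port registry values are set; otherwise NTDS and Netlogon listen on whatever dynamic port the endpoint mapper hands out.

```powershell
# Added example (not from the thread): from the extranet DC, check that the
# TCP ports needed for the trust are reachable on each intranet DC.
$intranetDCs = @('intranet-dc1.example.local', 'intranet-dc2.example.local')   # placeholders

# Mirrors the TCP rules in the thread; 88 and 3268 are additions (see above).
$tcpPorts = @{
    53   = 'DNS over TCP'
    88   = 'Kerberos over TCP (large tickets)'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    1025 = 'fixed RPC port chosen in the thread'
    3268 = 'Global Catalog LDAP'
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # Plain TcpClient connect with a timeout, so this also works where
    # Test-NetConnection is not available. $true means the handshake completed.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws when the connection is refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($dc in $intranetDCs) {
    foreach ($port in ($tcpPorts.Keys | Sort-Object)) {
        [pscustomobject]@{
            Target  = $dc
            Port    = $port
            Service = $tcpPorts[$port]
            Open    = Test-TcpPort -ComputerName $dc -Port $port
        }
    }
}

$results | Format-Table -AutoSize

# A port that never answers is a better explanation for a multi-minute
# dsa.msc or logon wait than DNS: the client keeps retrying until its timeout.
$results | Where-Object { -not $_.Open } | ForEach-Object {
    Write-Warning ('{0}:{1} ({2}) not reachable from this host' -f $_.Target, $_.Port, $_.Service)
}
```

Run it on the extranet DC, then compare the closed entries with the firewall rule set; anything that is closed here yet not in the firewall log is the gap to look at first.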




"Mark Hewitson" wrote:

Matteo, can you give us some info on your firewall setup?

Do you tunnel the traffic or open ports? If you open ports, do you allow any/any,
or what do you have specified?



"Matteo" wrote:

Yep Mark, I checked what the firewall blocks during an intranet user addition
to an extranet group, but it doesn't show anything blocked. I did the same
also connecting via RDP and checking the firewall logs...but nothing is logged
between the extranet DC and both of the intranet DCs (one of them is the GC).

Sorry for the trouble, but this is something I have been carrying with me for 6 months
and I would like to eliminate it.

Matteo

"Mark Hewitson" wrote:

Yes it uses DNS, but it seems the problem is running the query to the GC, not
the DNS server.

Do you allow LDAP across your firewall?

"Matteo" wrote:

Sorry, I was really short of info; I hope to be complete now:
Intranet
I have two DCs that are both DNS servers too:
the zone is Active Directory integrated, and includes a forward lookup zone and
a reverse lookup zone.
Both servers forward DNS requests for the extranet domain via conditional
forwarding to the extranet DNS server.

Extranet
I have one DC that is a DNS server too:
the zone is Active Directory integrated, and includes a forward lookup zone and
a reverse lookup zone.
The server forwards DNS requests via conditional forwarding to the 2 intranet
DNS servers.



"Kevin D. Goodknecht Sr. [MVP]" wrote:

Read inline please.

In news:3226C83E-B050-408F-8AE1-D4CC03379794@xxxxxxxxxxxxx,
Matteo <Matteo@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
Dear all,

I am facing this issue; the environment is:

In the intranet we have a 2003 domain at the Interim level that is
trusted in a one-way trust relationship by the extranet domain
(Windows Server 2003 functional level) that is located in the DMZ.

Actually each time I have to add an intranet account to extranet
groups, the DSA.msc snap-in waits at least 2 minutes after
recognizing the account; it seems it waits for a response from something
that doesn't arrive, and after the timeout it shows me the information it
found.

Checking the log of the firewall that divides the LAN from the DMZ, I don't have
anything blocked between the DC of the extranet and the DC of the
intranet; any idea?



Another strange thing happens connecting via RDP to the extranet DC
with an intranet user account: it takes at least 5 minutes to log in,
even if it's not the first time (I mean the time it has to create the profile,
apply personal settings and so on).



I am thinking of a DNS problem but I cannot figure out what is causing
this.


It could be DNS, but you did not tell us how you have DNS set up.
Where are the DNS zones for these two domains hosted?
How is the extranet DC finding the intranet DC? (Stub zone, secondary zone,
or conditional forwarder)


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================


