Directory Server completely Hosed: Netlogon and SYSVOL replication through firewalls

-

hopefully can point me in right direction.

 

suspect filtered firewall traffic issue dc666 sits in between 2 replication partners.

thinking applying steps outlined in article: http://support.microsoft.com/kb/899148 (win2ksp2).

i rebuilt domain controller (dc666) scratch yesterday.  did metadata cleanup on it's replication partners, , made sure replication of ntds successful throughout domain.  after rebuild dcpromo'd dc , first indication got wrong  sysvol wasn't sharing , netlogon share wasn't created.

was thinking doing burflags registry thing rebuild contents of sysvol tree in entire domain, that's thirty separate domain controllers.

checked make sure junction points in sysvol there , were.

looking through event logs last night, pretty happy people able authenticate server.  directory service event logs looked , did dns.  morning came in , every thing messed up.  dns empty of records (complete replication existed yesterday).

the complication domain controller bridge between our dc000 (which holds fsmo roles, in (site-a) , upstream server several sites) , segregated site (default-first-site-name).  dc666 supposed replication (site-a) , (default-first-site-name) , push them in either direction.

another issue had when promoting dc666 joined dc999 (default-first-site-name), when wanted join dc000.  thinking disable dc666 dc999 filter?

about firewall in between:

sidewinder 6.1

dc000 (internal burb)

dc666 (services burb)

dc999 (external burb)

ip filters:

allow dc999 - dc000

tcp 53, 88, 123,135, 137, 389, 445, 500, 636, 1024-1065, 3268-3269, 49152

udp 53, 88, 123,135, 137, 389, 445,

allow dc000 - dc999

tcp 53, 88, 123,135, 137, 389, 445, 500, 636, 1024-1065, 3268-3269, 49152

udp 53, 88, 123,135, 137, 389, 445,

allow dc000 - dc666

tcp 53, 88, 123,135, 137, 389, 445, 500, 636, 1024-1065, 3268-3269, 49152

udp 53, 88, 123,135, 137, 389, 445,

allow dc666 - dc000

tcp 53, 88, 123,135, 137, 389, 445, 500, 636, 1024-1065, 3268-3269, 49152

udp 53, 88, 123,135, 137, 389, 445,

allow dc999, dc666

tcp 53, 88, 123,135, 137, 389, 445, 500, 636, 1024-1065, 3268-3269, 49152

udp 53, 88, 123,135, 137, 389, 445,

allow dc666 - dc999

tcp 53, 88, 123,135, 137, 389, 445, 500, 636, 1024-1065, 3268-3269, 49152

udp 53, 88, 123,135, 137, 389, 445,

 

questions:

can dcpromo dc666 down member server (hopefully without /forceremoval) rename , re-promote it?

daniel,

considering operating in firewalled environment, might want designate bridgehead servers each site control flow of intersite replication traffic , creation of automatic connections (or even conifgure them manually). if dcs not automatically added correct site during dcpromo, indicates site/subnet configuration not correct - have verified whether case?

you coud demote newly promoted dc (if this fails you need to clean ad metadata afterwards by following http://support.microsoft.com/kb/555846) i'd consider if ad replication functioning properly.

hth
marcin



Windows Server  >  Directory Services



Comments

Post a Comment

Popular posts from this blog

Edit Group Policy

-
i have pc has power settings pushed out default domain policy in ad environment. of course on local machine "some settings managed system adminstrator". the machine temporarily no longer in contact domain controller (it's been physically moved , not on same network now) can't updated gpo settings. i believe if edit local group policy won't make difference because of group policy processing , precedence. since it's temporary away ad network, still want use settings of ad user. is there somewhere in registry stored can edit power plan manually until can sync domain? (i need prevent sleeping while plugged in - it's set 1 hour) thanks! allen crist i found site: http://gpsearch.azurewebsites.net/#7916 i able add policy to hkey_local_machine\software\policies\microsoft\power using specs found on site. looks solved issue. i'll report if didn't. thanks! allen crist ...
Read more

Hyper-V VM not reaching OS 'Logon' screen

-
i trying migrate vm vmware hyper-v. so far have done following (seemingly successfully): prepare vmware vm conversion hyper-v format (vhd) within vmware workstation 8.0 environment following steps guide: http://social.technet.microsoft.com/forums/en/winserverhyperv/thread/ef8c12f7-c45d-442e-9a30-c43cd87df3b3   (i.e. remove vm tools, add new ide hard disk…) use vmdk2vhd application convert individual vmdk files vhd ones create new vm in hyper-v exporting in 3 newly converted vhd files at point have checked settings , powered on vm in hyper-v find although windows begins load expected manages reach screen prior login screen saying either of following messages: “windows starting up…” “the active directory rebuilding indices… please wait” to knowledge, albeit limited in area, vm should present me login screen since appears in vmware. if start vm in safe mode can login not desired affect. below details of vm: operating system: windows server 2003 (enterprise edit...
Read more

DNS question...

-
i new setting dns server....my domain name expl. "domain.com"....i set "a" record in forward lookup for  www.domain.com itself...."server's local ip"....i've added no other zones , i seem able resolve names except own....www.domain.com.....also, do i put my isp's dns ip's....for external dns's server can't resolve?....forwarding or in nic setup?......i want setup in my dns server don't have include them on client side..... thanks mark     not put isp dsn server address in settings on nic dc or clients. should point local dns server on dc. set dns forward public dns, such isp. bill Windows Server  >  Network Infrastructure Servers
Read more