Solved

AD and DNS problem

Posted on 2006-03-21
Last Modified: 2008-01-09
I'm having a bad problem with my AD environment since I added an additional DC to the mix. Both servers are Windows 2003 with SP1.

Originally there was 1 DC which is also a Citrix server. It handles DNS and DHCP along with ISA 2000. It has one internal NIC (10.0.0.3) and one external NIC (192.168.1.100). The gateway is configured on the external NIC. Before I came to this company, problems were reported with its DNS and it had been turned off.

I added another DC with DNS, DHCP and GC for redundancy but not Citrix. I installed ISA 2004 on it and removed ISA from the original server. This server also has an internal and external NIC. As of right now, I have policy rules in ISA to allow for communication between the servers. I am thinking that I should just allow any and all communication between both servers on both NICs instead of defining specific ports.

This morning the Citrix server couldn't be logged into. The Domain Name field was blank. A reboot fixed it but when I run a netdiag I am seeing problems. Specifically on the Citrix DC, I get the following:

DC list test . . . . . . . . . . . : Failed
        Failed to enumerate DCs by using the browser. [ERROR_NO_BROWSER_SERVERS_FOUND]


Trust relationship test. . . . . . : Skipped
______________________________________________________

On the new DC I get:

DC list test . . . . . . . . . . . : Failed
        Failed to enumerate DCs by using the browser. [ERROR_NO_BROWSER_SERVERS_FOUND]


Trust relationship test. . . . . . : Passed
    Secure channel for domain 'GILEADCS' is to '\\citrix.gileadcs.lan'.
______________________________________________________

There were also errors in the event log:
Userenv 1053 - was logged when the problem first started
Netlogon 5782 - was logged after about 45 minutes from the above

Lastly, when running a DCDiag on both servers, they both get this error:

      Starting test: FsmoCheck
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         ......................... gileadcs.lan failed test FsmoCheck


Can someone help me out with these problems? Let me know what other information you would like and I will supply it. Thanks

Mas

Question by:mascoloj
Accepted Solution

by: vsg375 (earned 1600 total points)
ID: 16250034
Hi,

Is replication correct? This can be checked by using the following command:

repadmin /showreps

Please perform the test on both servers.

Is your LDAP functional ? Check this way :

portqry -n servername -e 389
portqry -n servername -e 3268

Perform this test on each of the 2 servers, where servername is the name of the replication partner.

Now the FSMO part :

Check that the first server (the "original one" ) is holding the proper FSMO roles. If it's the case, and the other server can't locate it,  it's likely that one of your ISA policies is the culprit. Try either to disable the FW or create a rule allowing all traffic to pass through.

Post the results here.

HTH
GL
Cheers
Author Comment

by:mascoloj
ID: 16250520


Repadmin performed on both servers completed successfully.
The FSMO roles are all on the Citrix server.
The Windows Time service is not running on the Citrix server (Access Denied) and is running on the SQL server.

Portqry is another story. It seems that server "Citrix" is trying to resolve the "SQL" server on its external NIC - which is wrong.
When run from "SQL", it resolves "Citrix" on its internal NIC and completes successfully. Below are the results from each server for portqry:

Run from CITRIX Server:
Querying target system called:

 sql

Attempting to resolve name to IP address...

Name resolved to 192.168.1.101


TCP port 389 (ldap service): FILTERED

H:\>portqry -n sql -e 3268

Querying target system called:

 sql

Attempting to resolve name to IP address...

Name resolved to 192.168.1.101


TCP port 3268 (unknown service): FILTERED
______________________________________________
Run from SQL Server:
Querying target system called:

 citrix

Attempting to resolve name to IP address...

Name resolved to 10.0.0.3


TCP port 389 (ldap service): LISTENING

Sending LDAP query to TCP port 389...

LDAP query response:


currentdate: 03/21/2006 19:20:58 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=gileadcs,DC=lan
dsServiceName: CN=NTDS Settings,CN=CITRIX,CN=Servers,CN=Middletown,CN=Sites,CN=Configuration,DC=gileadcs,DC=lan
namingContexts: DC=gileadcs,DC=lan
defaultNamingContext: DC=gileadcs,DC=lan
schemaNamingContext: CN=Schema,CN=Configuration,DC=gileadcs,DC=lan
configurationNamingContext: CN=Configuration,DC=gileadcs,DC=lan
rootDomainNamingContext: DC=gileadcs,DC=lan
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 643513
supportedSASLMechanisms: GSSAPI
dnsHostName: citrix.gileadcs.lan
ldapServiceName: gileadcs.lan:citrix$@GILEADCS.LAN
serverName: CN=CITRIX,CN=Servers,CN=Middletown,CN=Sites,CN=Configuration,DC=gileadcs,DC=lan
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 0
forestFunctionality: 0
domainControllerFunctionality: 2


======== End of LDAP query response ========

C:\Documents and Settings\administrator.GILEADCS>portqry -n citrix -e 3268

Querying target system called:

 citrix

Attempting to resolve name to IP address...

Name resolved to 10.0.0.3


TCP port 3268 (unknown service): LISTENING

Sending LDAP query to TCP port 3268...

LDAP query response:


currentdate: 03/21/2006 19:21:42 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=gileadcs,DC=lan
dsServiceName: CN=NTDS Settings,CN=CITRIX,CN=Servers,CN=Middletown,CN=Sites,CN=Configuration,DC=gileadcs,DC=lan
namingContexts: DC=gileadcs,DC=lan
defaultNamingContext: DC=gileadcs,DC=lan
schemaNamingContext: CN=Schema,CN=Configuration,DC=gileadcs,DC=lan
configurationNamingContext: CN=Configuration,DC=gileadcs,DC=lan
rootDomainNamingContext: DC=gileadcs,DC=lan
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 643513
supportedSASLMechanisms: GSSAPI
dnsHostName: citrix.gileadcs.lan
ldapServiceName: gileadcs.lan:citrix$@GILEADCS.LAN
serverName: CN=CITRIX,CN=Servers,CN=Middletown,CN=Sites,CN=Configuration,DC=gileadcs,DC=lan
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 0
forestFunctionality: 0
domainControllerFunctionality: 2
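An added example, not code from the thread: a small Python parser for portqry runs like the ones posted above that reports the two things the replies home in on, the partner DC's name resolving to an address outside the internal LAN and DC ports answering FILTERED. The 10.0.0.0/24 internal range and the compacted sample text are assumptions modelled on this thread's output; the parser handles any number of ports in one run.

```python
import ipaddress
import re

# Assumption: the internal LAN is 10.0.0.0/24; anything else (the 192.168.1.x
# ISA side in the thread) is "external" and sits behind firewall policy.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")

# Constructed samples modelled on the portqry output posted above (blank lines dropped).
SAMPLE_FROM_CITRIX = """\
Querying target system called:
 sql
Attempting to resolve name to IP address...
Name resolved to 192.168.1.101
TCP port 389 (ldap service): FILTERED
TCP port 3268 (unknown service): FILTERED
"""

SAMPLE_FROM_SQL = """\
Querying target system called:
 citrix
Attempting to resolve name to IP address...
Name resolved to 10.0.0.3
TCP port 389 (ldap service): LISTENING
"""

def parse_portqry(text):
    """Extract (target name, resolved address, {port: state}) from portqry output."""
    target = re.search(r"Querying target system called:\s+(\S+)", text).group(1)
    ip = ipaddress.ip_address(
        re.search(r"Name resolved to (\d+\.\d+\.\d+\.\d+)", text).group(1))
    ports = {int(p): s.strip()
             for p, s in re.findall(r"TCP port (\d+) \([^)]*\): ([A-Z ]+)", text)}
    return target, ip, ports

def diagnose(text, internal_net=INTERNAL_NET):
    """Turn one portqry run into the conclusions the replies draw from it."""
    target, ip, ports = parse_portqry(text)
    findings = []
    if ip not in internal_net:
        findings.append(f"{target} resolved to {ip}, outside {internal_net}: the partner's "
                        "external NIC is registered in DNS")
    for port, state in sorted(ports.items()):
        if state != "LISTENING":
            findings.append(f"TCP {port} is {state}: a firewall, not the DC, answered")
    return findings
```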
 
Expert Comment

by:vsg375
ID: 16252847
Alright... Thanks for posting the results. It looks like your SQL server is filtering ports 389 and 3268. If I understand well, this server hosts the ISA server. What you can do is open TCP ports 389 and 3268 in ISA FW and see what happens, but...

    'It seems that server "Citrix" is trying to resolve the "SQL" server on its external NIC - which is wrong'

Yeah, that's the problem... your ISA receives requests on ports 389 / 3268 from the EXTERNAL network, and in that case, of course, FW rules apply, which explains the "FILTERED" response. Might be a routing problem... Check your routing tables and let's see what happens.

All the rest looks normal to me and replication seems to be OK. We'll see to the time server problem afterwards.

GL
Cheers
Assisted Solution

by: Mazaraat (earned 400 total points)
ID: 16253295
sorry for the long post....
First you need to start with making sure your DNS structure is configured properly, then work on your back-to-back ISA configuration, and lastly create rules that allow your Citrix to function.

Step 1 DNS (http://www.windowsecurity.com/pages/article_p.asp?id=443)

How are the NICs on both ISA servers configured?
The INTERNAL ISA (2004) should have its NIC settings like this:

=Internal interface:
IP address: address valid on the network segment the interface is connected to
Subnet Mask: mask appropriate for network segment that interface is connected to
Default Gateway: NONE!
DNS Server: address of DNS server on the internal network
WINS Server: address of WINS server on the internal network
Note: Adapter will dynamically register with internal DNS server
NetBIOS over TCP/IP is enabled

=External interface:
IP address: address valid on the network segment the interface is connected to
Subnet Mask: mask appropriate for network segment that interface is connected to
Default Gateway: IP address of the internal interface of the external ISA Server
DNS Server: address of DNS server on the internal network
WINS Server: NONE!
Note: Adapter will NOT dynamically register with internal DNS server
NetBIOS over TCP/IP is disabled

The External ISA (2000) should have its NIC settings configured like this:
Internal interface:

IP address: address valid on the DMZ segment
Subnet Mask: mask appropriate for the DMZ segment
Default Gateway: NONE!
DNS Server: variable
WINS Server: variable
Note: Adapter will NOT dynamically register with DNS server
NetBIOS over TCP/IP is enabled or disabled – depends on requirements

External interface:

IP address: according to your ISP
Subnet Mask: according to your ISP
Default Gateway: Assigned by your ISP, or your router connecting to the Internet
DNS Server: address of DNS server of your ISP
WINS Server: NONE!
Note: Adapter will NOT dynamically register with internal DNS server
NetBIOS over TCP/IP is disabled

If you want to enable the DNS service on the ISA 2000 server make sure the service is listening on the internal interface, and has the forwarder pointed to your ISP. If you decide to enable your DNS server on the 2000, then configure your ISA 2004 DNS server to forward to the ISA 2000.

If you decide not to run DNS on the ISA 2000 server and only run it on the ISA 2004 server, configure the DNS to point to its internal interface, and have the forwarder pointed to your ISP.

Once this is confirmed/completed we go to configuring ISA rules to allow Active Directory to talk properly (most of the information is found in the above article), then we configure Citrix to work properly.

As a side note, do you need to have the ISA2000 server as a DC?  You may find it easier to demote that server and configure rules in the ISA2004 box to allow citrix to authenticate....

http://www.mcse.ms/archive99-2005-3-1478755.html
http://www.isaserver.org/tutorials/ISA_SERVER__Citrix_Metaframe_Acces.html

Move the FSMO roles (http://www.petri.co.il/transferring_fsmo_roles.htm) then demote the server...if you decide to..
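As an added example, not Mazaraat's or the thread's own code, here is a Python check that encodes the interface rules listed above for a dual-homed DC/ISA host (gateway on the external NIC only, internal DNS on both, registration and NetBIOS only on the internal side, no WINS on the external side). The Nic fields, the 192.168.1.1 gateway and the sample host are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Nic:
    name: str
    role: str                      # "internal" or "external"
    default_gateway: Optional[str]
    dns_servers: List[str]
    wins_server: Optional[str]
    registers_in_dns: bool
    netbios_enabled: bool

def check_dual_homed_dc(nics: List[Nic], internal_dns: List[str]) -> List[str]:
    """Return findings for a two-NIC DC/ISA host; an empty list means it follows the rules."""
    findings = []
    with_gw = [n.name for n in nics if n.default_gateway]
    ext = [n.name for n in nics if n.role == "external"]
    if with_gw != ext:
        findings.append(f"default gateway must be on the external NIC only, found on {with_gw}")
    for n in nics:
        if any(d not in internal_dns for d in n.dns_servers):
            findings.append(f"{n.name}: DNS servers {n.dns_servers} are not the internal DNS servers")
        if n.role == "internal":
            if not n.registers_in_dns:
                findings.append(f"{n.name}: internal NIC should register in internal DNS")
            if not n.netbios_enabled:
                findings.append(f"{n.name}: NetBIOS over TCP/IP should be enabled on the internal NIC")
        else:
            if n.registers_in_dns:
                findings.append(f"{n.name}: external NIC must not register in DNS (partners would resolve it)")
            if n.netbios_enabled:
                findings.append(f"{n.name}: NetBIOS over TCP/IP must be disabled on the external NIC")
            if n.wins_server:
                findings.append(f"{n.name}: no WINS server on the external NIC")
    return findings

# Constructed sample: a box like the one in the question, with the external adapter
# still registering in DNS and NetBIOS left on (the 192.168.1.1 gateway is assumed).
CITRIX_NICS = [
    Nic("internal", "internal", None, ["10.0.0.3"], "10.0.0.3", True, True),
    Nic("external", "external", "192.168.1.1", ["10.0.0.3"], None, True, True),
]

if __name__ == "__main__":
    for finding in check_dual_homed_dc(CITRIX_NICS, ["10.0.0.3"]):
        print("FINDING:", finding)
```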
 

Author Comment

by:mascoloj
ID: 16257089
vsg375,
OK, here is what I have done so far....
I have created 2 rules on the ISA server to allow all traffic between these 2 servers to travel unhindered in both directions. I then reran the portqry test and it was successful.
I then re-examined the NICs and found the external NIC on the Citrix box was registering in DNS and NetBIOS was turned on, so I fixed both of those problems.

I believe I am halfway there now!

I am still having problems with the FSMOCheck:
 Starting test: FsmoCheck
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         ......................... gileadcs.lan failed test FsmoCheck

And the Services Test fails as well:
Starting test: Services
            IsmServ Service is stopped on [CITRIX]
            w32time Service is stopped on [CITRIX]
         ......................... CITRIX failed test Services

Any ideas?

PS - Mazaraat - I only have 1 ISA server which is ISA 2004. ISA 2000 was on our Citrix box but I removed it, which is when my grief started. I did however re-examine the NICs due to your post.
Expert Comment

by:vsg375
ID: 16257456
That's why I initially asked you about FSMO roles. The server holding the PDC role also is the time server. According to the info you gave me, it looks like the time service refuses to start on CITRIX, which happens to host the PDC emulator role. A workaround could be to transfer the role to SQL and see what happens. IMHO it should do the trick but it doesn't explain the initial problem.

In any case, one of the two DCs should be advertising as a time server, otherwise, your AD won't be happy at all.

If you're not familiar with transferring FSMO roles, please let me know, I'll give you the whole procedure.

GL
Cheers
Expert Comment

by:Mazaraat
ID: 16257682
Can you manually set the time on the Citrix server? From a command shell: net time \\pdcemulator /set /y

Are you able to logon now?
Author Comment

by:mascoloj
ID: 16260005
I actually have the page from Microsoft on transferring the roles. My Citrix server went down again today even though everything was going so well. As I write this the server is rebooting. I am going to transfer the roles to the SQL server because the Citrix server seems to be too squirrelly. Did I mention I didn't build this Citrix server? It's the crap left over from the last Admin. I can't wait to rebuild it!
Expert Comment

by:vsg375
ID: 16260061
Wise decision to transfer all FSMO roles, and I bear with you as regards the crap left by some predecessors.... ;o)

Let us know how things are going

GL
Cheers
Author Comment

by:mascoloj
ID: 16278875
Well, with your help this problem is solved although there are now other problems for me to contend with but I will save that for another question. Thanks for all your help.

Mas
Expert Comment

by:Mazaraat
ID: 16282100
Glad we could help!


Gary