• Status: Solved

AD and DNS problem

I'm having a bad problem with my AD environment since I added an additional DC to the mix. Both servers are Windows 2003 with SP1.

Originally there was 1 DC which is also a Citrix server. It handles DNS and DHCP along with ISA 2000. It has one internal NIC (10.0.0.3) and one external NIC (192.168.1.100). The gateway is configured on the external NIC. Before I came to this company, problems were reported with its DNS and it had been turned off.

I added another DC with DNS, DHCP and CG for redundancy but not Citrix. I installed ISA 2004 to it and removed ISA from the original server. This server also has an internal and external NIC. As of right now, I have policy rules in ISA to allow for communication between the servers. I am thinking that I should just allow any and all communication between both servers on both NICs instead of defining specific ports.

This morning the Citrix server couldn't be logged into. The Domain Name field was blank. A reboot fixed it, but when I run a netdiag I am seeing problems. Specifically on the Citrix DC, I get the following:

DC list test . . . . . . . . . . . : Failed
        Failed to enumerate DCs by using the browser. [ERROR_NO_BROWSER_SERVERS_
FOUND]


Trust relationship test. . . . . . : Skipped
______________________________________________________

On the new DC I get:

DC list test . . . . . . . . . . . : Failed
        Failed to enumerate DCs by using the browser. [ERROR_NO_BROWSER_SERVERS_
FOUND]


Trust relationship test. . . . . . : Passed
    Secure channel for domain 'GILEADCS' is to '\\citrix.gileadcs.lan'.
______________________________________________________

There were also errors in the event log:
Userenv 1053 - was logged when the problem first started
Netlogon 5782 - was logged after about 45 minutes from the above

Lastly, when running a DCDiag on both servers, they both get this error:

      Starting test: FsmoCheck
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         ......................... gileadcs.lan failed test FsmoCheck


Can someone help me out with these problems? Let me know what other information you would like and I will supply it. Thanks

Mas

Asked: mascoloj
vsg375 commented:
Hi,

Is replication correct? This can be checked by using the following command:

repadmin /showreps

Please perform the test on both servers.

Is your LDAP functional? Check this way:

portqry -n servername -e 389
portqry -n servername -e 3268

Perform this test on each of the 2 servers, where servername is the name of the replication partner.

Now the FSMO part:

Check that the first server (the "original one") is holding the proper FSMO roles. If it's the case, and the other server can't locate it, it's likely that one of your ISA policies is the culprit. Try either to disable the FW or create a rule allowing all traffic to pass through.

Post the results here.

HTH
GL
Cheers
mascoloj (Author) commented:


Repadmin performed on both servers completed successfully.
The FSMO roles are all on the Citrix server.
The Windows Time service is not running on the Citrix server (Access Denied) and is running on the SQL server.

Portqry is another story. It seems that server "Citrix" is trying to resolve the "SQL" server on its external NIC - which is wrong.
When run from "SQL", it resolves "Citrix" on its internal NIC and completes successfully. Below are the results from each server for portqry.

Run from CITRIX Server:
Querying target system called:

 sql

Attempting to resolve name to IP address...

Name resolved to 192.168.1.101


TCP port 389 (ldap service): FILTERED

H:\>portqry -n sql -e 3268

Querying target system called:

 sql

Attempting to resolve name to IP address...

Name resolved to 192.168.1.101


TCP port 3268 (unknown service): FILTERED
______________________________________________
Run from SQL Server:
Querying target system called:

 citrix

Attempting to resolve name to IP address...

Name resolved to 10.0.0.3


TCP port 389 (ldap service): LISTENING

Sending LDAP query to TCP port 389...

LDAP query response:


currentdate: 03/21/2006 19:20:58 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=gileadcs,DC=lan
dsServiceName: CN=NTDS Settings,CN=CITRIX,CN=Servers,CN=Middletown,CN=Sites,CN=C
onfiguration,DC=gileadcs,DC=lan
namingContexts: DC=gileadcs,DC=lan
defaultNamingContext: DC=gileadcs,DC=lan
schemaNamingContext: CN=Schema,CN=Configuration,DC=gileadcs,DC=lan
configurationNamingContext: CN=Configuration,DC=gileadcs,DC=lan
rootDomainNamingContext: DC=gileadcs,DC=lan
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 643513
supportedSASLMechanisms: GSSAPI
dnsHostName: citrix.gileadcs.lan
ldapServiceName: gileadcs.lan:citrix$@GILEADCS.LAN
serverName: CN=CITRIX,CN=Servers,CN=Middletown,CN=Sites,CN=Configuration,DC=gile
adcs,DC=lan
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 0
forestFunctionality: 0
domainControllerFunctionality: 2


======== End of LDAP query response ========

C:\Documents and Settings\administrator.GILEADCS>portqry -n citrix -e 3268

Querying target system called:

 citrix

Attempting to resolve name to IP address...

Name resolved to 10.0.0.3


TCP port 3268 (unknown service): LISTENING

Sending LDAP query to TCP port 3268...

LDAP query response:


currentdate: 03/21/2006 19:21:42 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=gileadcs,DC=lan
dsServiceName: CN=NTDS Settings,CN=CITRIX,CN=Servers,CN=Middletown,CN=Sites,CN=C
onfiguration,DC=gileadcs,DC=lan
namingContexts: DC=gileadcs,DC=lan
defaultNamingContext: DC=gileadcs,DC=lan
schemaNamingContext: CN=Schema,CN=Configuration,DC=gileadcs,DC=lan
configurationNamingContext: CN=Configuration,DC=gileadcs,DC=lan
rootDomainNamingContext: DC=gileadcs,DC=lan
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 643513
supportedSASLMechanisms: GSSAPI
dnsHostName: citrix.gileadcs.lan
ldapServiceName: gileadcs.lan:citrix$@GILEADCS.LAN
serverName: CN=CITRIX,CN=Servers,CN=Middletown,CN=Sites,CN=Configuration,DC=gile
adcs,DC=lan
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 0
forestFunctionality: 0
domainControllerFunctionality: 2
vsg375 commented:
Alright... Thanks for posting the results. It looks like your SQL server is filtering ports 389 and 3268. If I understand well, this server hosts the ISA server. What you can do is open TCP ports 389 and 3268 in ISA FW and see what happens, but...

"It seems that server "Citrix" is trying to resolve the "SQL" server on its external NIC - which is wrong"

Yeah, that's the problem... your ISA receives requests on ports 389 / 3268 from the EXTERNAL network, and in that case, of course, FW rules apply, which explains the "FILTERED" response. Might be a routing problem... Check your routing tables and let's see what happens.

All the rest looks normal to me and replication seems to be OK. We'll see to the time server problem afterwards.

GL
Cheers
Mazaraat commented:
sorry for the long post....
First you need to start with making sure your DNS structure is configured properly, then work on your back-to-back ISA configuration, and lastly create rules that allow your Citrix to function.

Step 1 DNS (http://www.windowsecurity.com/pages/article_p.asp?id=443)

How are the NICs on both ISA servers configured?
The INTERNAL ISA (2004) should have its NIC settings like this:

=Internal interface:
IP address: address valid on the network segment the interface is connected to
Subnet Mask: mask appropriate for network segment that interface is connected to
Default Gateway: NONE!
DNS Server: address of DNS server on the internal network
WINS Server: address of WINS server on the internal network
Note: Adapter will dynamically register with internal DNS server
NetBIOS over TCP/IP is enabled

=External interface:
IP address: address valid on the network segment the interface is connected to
Subnet Mask: mask appropriate for network segment that interface is connected to
Default Gateway: IP address of the internal interface of the external ISA Server
DNS Server: address of DNS server on the internal network
WINS Server: NONE!
Note: Adapter will NOT dynamically register with internal DNS server
NetBIOS over TCP/IP is disabled

The External ISA (2000) should have its NIC settings configured like this:
Internal interface:

IP address: address valid on the DMZ segment
Subnet Mask: mask appropriate for the DMZ segment
Default Gateway: NONE!
DNS Server: variable
WINS Server: variable
Note: Adapter will NOT dynamically register with DNS server
NetBIOS over TCP/IP is enabled or disabled – depends on requirements

External interface:

IP address: according to your ISP
Subnet Mask: according to your ISP
Default Gateway: Assigned by your ISP, or your router connecting to the Internet
DNS Server: address of DNS server of your ISP
WINS Server: NONE!
Note: Adapter will NOT dynamically register with internal DNS server
NetBIOS over TCP/IP is disabled

If you want to enable the DNS service on the ISA2000 server, make sure the service is listening on the internal interface and has the forwarder pointed to your ISP. If you decide to enable your DNS server on the 2000, then configure your ISA 2004 DNS server to forward to the ISA2000.

If you decide not to run DNS on the ISA2000 server and only run it on the ISA2004 server, configure the DNS to point to its internal interface, and have the forwarder pointed to your ISP.

Once this is confirmed/completed we go to configuring ISA rules to allow Active directory to talk properly (most of the information is found in the above article), then we configure citrix to work properly.

As a side note, do you need to have the ISA2000 server as a DC?  You may find it easier to demote that server and configure rules in the ISA2004 box to allow citrix to authenticate....

http://www.mcse.ms/archive99-2005-3-1478755.html
http://www.isaserver.org/tutorials/ISA_SERVER__Citrix_Metaframe_Acces.html

Move the FSMO roles (http://www.petri.co.il/transferring_fsmo_roles.htm) then demote the server...if you decide to..
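The adapter checklist above can be turned into a quick audit of a multi-homed DC. This is an added example, not code from the thread or from any of its participants; it assumes the NetTCPIP/DnsClient cmdlets (Windows Server 2012 or later, so not the Windows 2003 boxes in this thread), and the internal subnet and DC name are parameters with constructed defaults.

```powershell
# Added example: audit a dual-homed DC's adapters and its own DNS A records
# against the checklist above. Assumes Get-NetIPConfiguration, Get-DnsClient,
# Get-CimInstance and Resolve-DnsName are available (Server 2012+).
param(
    [string]$InternalSubnet = "10.0.0.0/24",   # assumption: LAN side, as in the thread
    [string]$DcFqdn = "$env:COMPUTERNAME.$env:USERDNSDOMAIN"
)

function ConvertTo-IpInt([string]$Ip) {
    $b = ([ipaddress]$Ip).GetAddressBytes()
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}
function Test-InSubnet([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $mask = 4294967295 - ([int64][Math]::Pow(2, 32 - [int]$bits) - 1)   # /24 -> 0xFFFFFF00
    ((ConvertTo-IpInt $Ip) -band $mask) -eq ((ConvertTo-IpInt $net) -band $mask)
}

$findings = @()
$gateways = 0
foreach ($cfg in Get-NetIPConfiguration) {
    $ipv4 = $cfg.IPv4Address | Select-Object -First 1
    if (-not $ipv4) { continue }
    $internal = Test-InSubnet $ipv4.IPAddress $InternalSubnet
    $dns = Get-DnsClient -InterfaceIndex $cfg.InterfaceIndex
    # TcpipNetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled
    $nbt = (Get-CimInstance Win32_NetworkAdapterConfiguration `
        -Filter "InterfaceIndex = $($cfg.InterfaceIndex)").TcpipNetbiosOptions
    if ($cfg.IPv4DefaultGateway) { $gateways++ }
    "{0,-28} {1,-15} internal={2} gw={3} dnsReg={4} nbt={5}" -f $cfg.InterfaceAlias, $ipv4.IPAddress,
        $internal, [bool]$cfg.IPv4DefaultGateway, $dns.RegisterThisConnectionsAddress, $nbt
    # External adapter must not register in DNS, otherwise partners may resolve the DC to it
    if (-not $internal -and $dns.RegisterThisConnectionsAddress) {
        $findings += "$($cfg.InterfaceAlias): external adapter registers $($ipv4.IPAddress) in DNS"
    }
    if (-not $internal -and $nbt -ne 2) { $findings += "$($cfg.InterfaceAlias): NetBIOS over TCP/IP not disabled on external adapter" }
    if ($internal -and $cfg.IPv4DefaultGateway) { $findings += "$($cfg.InterfaceAlias): default gateway set on internal adapter" }
}
if ($gateways -gt 1) { $findings += "more than one default gateway configured" }

# What a replication partner gets back when it resolves this DC's name
foreach ($rec in Resolve-DnsName -Name $DcFqdn -Type A -ErrorAction SilentlyContinue) {
    if (-not (Test-InSubnet $rec.IPAddress $InternalSubnet)) {
        $findings += "DNS A record $($rec.IPAddress) for $DcFqdn is outside $InternalSubnet"
    }
}
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { "no adapter/DNS findings" }
```

Run it on each DC; a stale external A record will keep showing up until it is removed from the zone and the partner's resolver cache is cleared.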
mascoloj (Author) commented:
vsg375,
OK, here is what I have done so far....
I have created 2 rules on the ISA server to allow all traffic between these 2 servers to travel unhindered in both directions. I then reran the portqry test and it was successful.
I then re-examined the NICs and found the external NIC on the Citrix box was registering in DNS and NetBIOS was turned on, so I fixed both of those problems.

I believe I am half way there now!

I am still having problems with the FSMOCheck:
 Starting test: FsmoCheck
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         ......................... gileadcs.lan failed test FsmoCheck

And the Services Test fails as well:
Starting test: Services
            IsmServ Service is stopped on [CITRIX]
            w32time Service is stopped on [CITRIX]
         ......................... CITRIX failed test Services

Any ideas?

PS - Mazaraat - I only have 1 ISA server, which is ISA 2004. ISA 2000 was on our Citrix box but I removed it, which is when my grief started. I did however re-examine the NICs due to your post.
vsg375 commented:
That's why I initially asked you about FSMO roles. The server holding the PDC role also is the time server. According to the info you gave me, it looks like the time service refuses to start on CITRIX, which happens to host the PDC emulator role. A workaround could be to transfer the role to SQL and see what happens. IMHO it should do the trick but it doesn't explain the initial problem.

In any case, one of the two DCs should be advertising as a time server, otherwise, your AD won't be happy at all.

If you're not familiar with transferring FSMO roles, please let me know, I'll give you the whole procedure.

GL
Cheers
Mazaraat commented:
Can you manually set the time on the Citrix server? From a command shell:

net time \\pdcemulator /set /y

Are you able to logon now?
mascoloj (Author) commented:
I actually have the page from Microsoft on transferring the roles. My Citrix server went down again today even though everything was going so well. As I write this the server is rebooting. I am going to transfer the roles to the SQL server because the Citrix server seems to be too squirrelly. Did I mention I didn't build this Citrix server? It's the crap left over from the last admin. I can't wait to rebuild it!
vsg375 commented:
Wise decision to transfer all FSMO roles, and I bear with you as regards the crap left by some predecessors.... ;o)

Let us know how things are going

GL
Cheers
mascoloj (Author) commented:
Well, with your help this problem is solved although there are now other problems for me to contend with but I will save that for another question. Thanks for all your help.

Mas
Mazaraat commented:
Glad we could help!


Gary
Question has a verified solution.