Solved

DFS DR can't be connected from USER zone if AD1 down

Posted on 2007-11-29
Last Modified: 2008-06-24
Hi All,

COMPUTER INFO:
-All servers run Win2k3 Standard Edition with 2GB RAM
-All users have laptops/desktops running XP Pro with 2GB RAM
-IP of each computer:
AD1: 192.168.1.2
EXCHANGE1: 192.168.1.3
AD2: 192.168.4.2
LAPTOP1: 192.168.3.101
AD1 and AD2 hold the Global Catalog
DFS is domain-based, stored in AD
AD1 & AD2 are: AD, DNS, DFS

NETWORK INFO:
PROD Zone: 192.168.1.x
DR Zone: 192.168.4.x
USER Zone: 192.168.3.x

HISTORY:
-If AD1 and AD2 are up:
a user logged in with the domain Administrator account on LAPTOP1 or EXCHANGE1 can connect to the DFS share using \\domain.local\public
a user logged in with the domain Administrator account on LAPTOP1 or EXCHANGE1 can connect to DFS on AD2 using the IP \\192.168.4.2\public

PROBLEM:
-If AD1 is down:
a user logged in with the domain Administrator account on LAPTOP1 can't connect to the DFS share using \\domain.local\public
a user logged in with the domain Administrator account on LAPTOP1 can't connect to the DFS share on AD2 using the IP \\192.168.4.2\public
a user logged in with the domain Administrator account on EXCHANGE1 can connect to the DFS share on AD2 using \\domain.local\public
a user logged in with the domain Administrator account on LAPTOP1 can RDP or ping to AD2

QUESTIONS:
-Why, if AD1 is down, can a user on LAPTOP1 not access the AD2 DFS using the IP, while a user on EXCHANGE1 can?
No DNS issue here because I'm using the IP
No network issue here because the user on LAPTOP1 can RDP to AD2
Maybe I need to check whether DNS on LAPTOP1 has both the AD1 & AD2 IPs or not
Both AD1 & AD2 hold the Global Catalog
Is it because of the FSMO roles?
What other possibilities are there?

thanks
Question by:nbctcp
Expert Comment

by:Netman66
I think you'll find the DFS root is in AD1 - likely on the Exchange server maybe?


Author Comment

by:nbctcp
How do I verify that only AD1 has DFS roots?
Can I have DFS roots on AD2 too?

MORE INFO:
-user DNS points to AD1 and AD2
-user logs in as Domain Administrator
-Namespace servers point to:
\\AD1\Public
\\AD2\Public

Expert Comment

by:Netman66
When you set up DFS it asks you where the root will live - by server name.

See this for a picture of what I speak of:

http://www.windowsnetworking.com/articles_tutorials/Windows2003-Distributed-File-System.html

Which icon do you show:  http://www.windowsitpro.com/articles/images/dfstypes.gif

Also, if you run this command:  dfsutil /insite:\\example.com\dfsroot /enable
you will prevent clients from looking for a server outside their site.  Now...this is where you need to make sure your Sites and Subnets are configured correctly in AD Sites and Services and the servers are placed into the correct Site.  Do NOT move the root server (First DC in the forest) out of Default-First-Site-Name - simply rename that ugly site name to the name that means something for your root location.


Author Comment

by:nbctcp
Dear Netman66,

MORE INFO:
-Win2k3 R2 SP2
-Namespace Server point to:
\\AD1\Public Default-First-Site-Name
\\AD2\Public Default-First-Site-Name
-AD1 and AD2 = AD+DFS

I have PROD Zone and DR Zone
PROD ZONE:
AD1
EXCHANGE1
SQL1

DR ZONE:
AD2
EXCHANGE2
SQL2

From there I can see that both AD1 and AD2 are in the same Default-First-Site-Name.
What I want to achieve: if AD1 is down, the USER zone can still access \\domain.local\Public.
What am I supposed to do next?
Do I need to create Default-Second-Site-Name and move AD2 into it?
Will it affect my Exchange 2007, which is currently working fine?

thanks

Expert Comment

by:Netman66
You stated in your original post that there are 3 subnets (according to your IP scheme).

Depending on the subnet mask these may be completely separate networks even though you may have them on the same wire.  I suspect if the subnet mask confirms these are on different networks then you have some type of layer 3 device routing between them.

If that is the case then, yes, you need to create a second Site and associate the correct subnet to it, then move the server into that new site.

This allows clients to locate a server more easily.  Since your clients appear on a different network also then you're going to have to associate that subnet to one of the sites - which will force all the users to access one server for DFS.

I'm not sure why you have all this carved up in this manner, but I'm sure there was a reason.

Author Comment

by:nbctcp
I followed the procedure below in my POC:
-create Default-Second-Site-Name
-create some Subnets
-move the DR AD to Default-Second-Site-Name

It works perfectly in my POC:
-from the user zone I can still access \\domain.local\Public if AD1 is down, with a 5s delay
but
at my client site, when I follow the same procedure, I still get an unresponsive situation when accessing \\domain.local\Public if AD1 is down.
The difference between my POC and my client is that my client uses NIC Teaming.
The reason we put USER, PROD and DR in different subnets is that we want to control which protocols are allowed between the user and server zones. Currently at my client site it is ALLOW ALL.
Can someone guide me on how to troubleshoot?
thanks

Configure Active Directory Sites and Services:
Open Console
- Click Start-Programs-Administrative Tools-Active Directory Sites and Services
- Click Sites-New Site
  Name: Default-Second-Site-Name
  Click DEFAULTIPSITELINK
  Click OK 2x
- Right click Sites-Default-First-Site-Name-Servers-DRESSVR301-Move
  Click Default-Second-Site-Name
  Click OK
- Right click Sites-Default-Second-Site-Name-Servers-DRESSVR301-NTDS Settings-Properties
  Click Global Catalog
  Click OK

Open Console in PRESSVR301
- Right click Sites-Default-Second-Site-Name-Servers-DRESSVR301-NTDS Settings-Properties
  Click Global Catalog
  Click OK

Create Subnets
- Right click Sites-Subnets-New Subnet
  Address: 10.0.0.0
  Mask: 255.255.255.0
  Click Default-First-Site-Name
  Click OK
- Follow the same steps above for subnets 10.0.1.0, 10.0.2.0, 10.0.3.0, 10.0.4.0, 10.0.5.0
- Right click Sites-Subnets-New Subnet
  Address: 10.0.6.0
  Mask: 255.255.255.0
  Click Default-Second-Site-Name
  Click OK

# dfsutil /path:\\esuria.local\public /insite /display
# dfsutil /path:\\esuria.local\public /insite /disable
# dfsutil /path:\\esuria.local\public /targetfailback /display
# dfsutil /path:\\esuria.local\public /targetfailback /enable
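As an added illustration (not code from this thread or from Microsoft), the following Python model shows why the site/subnet work Netman66 describes and the POC procedure above matter for DFS referrals: a client IP is matched to an AD subnet object by longest prefix, in-site targets are handed out first, dfsutil /insite drops out-of-site targets, and a down server is skipped. The subnet-to-site assignments, target list and out-of-site ordering are constructed assumptions based on the IPs in the question, not data read from a real domain.

```python
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed model of the thread's topology: the USER subnet (192.168.3.0/24)
# is deliberately left unassigned, as it was before the POC changes.
SUBNET_TO_SITE: Dict[str, str] = {
    "192.168.1.0/24": "Default-First-Site-Name",   # PROD zone (AD1, EXCHANGE1)
    "192.168.4.0/24": "Default-Second-Site-Name",  # DR zone (AD2) after the move
}

# Folder targets of \\domain.local\public and the site each server sits in.
TARGETS: Dict[str, str] = {
    r"\\AD1\Public": "Default-First-Site-Name",
    r"\\AD2\Public": "Default-Second-Site-Name",
}


def site_for_ip(ip: str, subnets: Dict[str, str] = SUBNET_TO_SITE) -> Optional[str]:
    """Longest-prefix match of a client IP against the AD subnet objects.
    Returns None when no subnet object covers the client (no site affinity)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def referral(client_ip: str, down: Set[str] = frozenset(), insite_only: bool = False,
             subnets: Dict[str, str] = SUBNET_TO_SITE,
             targets: Dict[str, str] = TARGETS) -> List[str]:
    """Ordered target list a site-aware DFS referral would hand this client.
    In-site targets come first; with /insite enabled, out-of-site targets are
    dropped entirely; servers listed in `down` are skipped, as a client that
    fails over would do. Out-of-site order is simplified to dictionary order
    (real Win2k3 DFS randomizes it, or orders by site cost on R2)."""
    site = site_for_ip(client_ip, subnets)
    alive = [(t, s) for t, s in targets.items() if t.split("\\")[2] not in down]
    in_site = [t for t, s in alive if s == site]
    out_site = [t for t, s in alive if s != site]
    return in_site if insite_only else in_site + out_site


if __name__ == "__main__":
    # LAPTOP1 sits in the unassigned USER zone: with /insite enabled it gets no
    # target at all; once its subnet is assigned to a site it is handed AD2.
    print(referral("192.168.3.101", down={"AD1"}, insite_only=True))
    fixed = {**SUBNET_TO_SITE, "192.168.3.0/24": "Default-Second-Site-Name"}
    print(referral("192.168.3.101", down={"AD1"}, insite_only=True, subnets=fixed))
```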

Author Comment

by:nbctcp
I got some more info when I ran these commands on AD1 and AD2:
AD1
# dcdiag /e /c /v
# netdiag /test:dns /debug
[WARNING] Cannot find a primary authoritative DNS server for the name
            'bicbcprsvr-001.domain.local.'. [ERROR_TIMEOUT]
            The name 'bicbcprsvr-001.domain.local.' may not be registered in DNS.
      Interface {D8EEF498-32AD-4CCB-AF9A-6B613ED19E9F}
        DNS Domain:
        DNS Servers:
        IP Address:         Expected registration with PDN (primary DNS domain name):
          Hostname: bicbcprsvr-001.domain.local.
          [WARNING] Cannot find a primary authoritative DNS server for the name
            'bicbcprsvr-001.domain.local.'. [ERROR_TIMEOUT]
            The name 'bicbcprsvr-001.domain.local.' may not be registered in DNS.
Check the DNS registration

AD2
# dcdiag /e /c /v
Testing server: Default-First-Site-Name\BICBCPRSVR-001
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         [BICBCPRSVR-001] LDAP bind failed with error 58,
         The specified server cannot perform the requested operation..
         ***Error: The machine, BICBCPRSVR-001 could not be contacted, because of a bad net  response.  Check to make sure that this machine is a Domain Controller.

Doing primary tests
   Testing server: Default-First-Site-Name\BICBCPRSVR-001
      Skipping all tests, because server BICBCPRSVR-001 is
      not responding to directory service requests
   
   Testing server: Default-Second-Site-Name\BICBCDRSVR-001
      Starting test: Replications
         * Replications Check
         [Replications Check,BICBCDRSVR-001] A recent replication attempt failed:
            From BICBCPRSVR-001 to BICBCDRSVR-001
            Naming Context: DC=ForestDnsZones,DC=domain,DC=local
            The replication generated an error (1727):
            The remote procedure call failed and did not execute.
            The failure occurred at 2007-12-08 10:50:16.
            The last success occurred at 2007-12-08 10:00:55.
            1 failures have occurred since the last success.
Name,CN=Sites,CN=Configuration,DC=domain,DC=local
         Warning: BICBCPRSVR-001 is the Schema Owner, but is not responding to LDAP Bind.
         Role Domain Owner = CN=NTDS Settings,CN=BICBCPRSVR-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
         Warning: BICBCPRSVR-001 is the Domain Owner, but is not responding to LDAP Bind.
         Role PDC Owner = CN=NTDS Settings,CN=BICBCPRSVR-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
         Warning: BICBCPRSVR-001 is the PDC Owner, but is not responding to LDAP Bind.
         Role Rid Owner = CN=NTDS Settings,CN=BICBCPRSVR-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
         Warning: BICBCPRSVR-001 is the Rid Owner, but is not responding to LDAP Bind.

# netdiag /test:dns /debug
Description: TEAM : Team #0
Packets SendError:               3

Author Comment

by:nbctcp
Case can be closed.
After following this link http://support.microsoft.com/kb/870964,
I can successfully connect to AD2 DFS if AD1 is down.
So basically I need to configure the iSCSI driver to load first, before File Sharing loads.
Otherwise the file shares on AD2 will disappear when AD2 is rebooted.

thanks

Accepted Solution

by: Computer101 earned 0 total points
PAQed with points refunded (500)

Computer101
EE Admin