Solved

DFS DR can't be connected from USER zone if AD1 is down

Posted on 2007-11-29
Last Modified: 2008-06-24
Hi All,

COMPUTER INFO:
-All servers use Win2k3 Standard Edition, 2GB RAM
-All users use XP Pro laptops/desktops, 2GB RAM
-IP of each computer:
AD1: 192.168.1.2
EXCHANGE1: 192.168.1.3
AD2: 192.168.4.2
LAPTOP1: 192.168.3.101
AD1 and AD2 hold the Global Catalog
DFS is domain-based (stored in AD)
AD1 & AD2 are: AD, DNS, DFS

NETWORK INFO:
PROD Zone: 192.168.1.x
DR Zone: 192.168.4.x
USER Zone: 192.168.3.x

HISTORY:
-If AD1 and AD2 are up:
a user logged in with the domain Administrator account on LAPTOP1 or EXCHANGE1 can connect to the DFS share using \\domain.local\public
a user logged in with the domain Administrator account on LAPTOP1 or EXCHANGE1 can connect to the DFS on AD2 using the IP \\192.168.4.2\public

PROBLEM:
-If AD1 is down:
a user logged in with the domain Administrator account on LAPTOP1 can't connect to the DFS share using \\domain.local\public
a user logged in with the domain Administrator account on LAPTOP1 can't connect to the AD2 DFS share using the IP \\192.168.4.2\public
a user logged in with the domain Administrator account on EXCHANGE1 can connect to the AD2 DFS share using \\domain.local\public
a user logged in with the domain Administrator account on LAPTOP1 can RDP or ping to AD2

QUESTIONS:
-Why, if AD1 is down, can a user on LAPTOP1 not access the AD2 DFS using the IP, while a user on EXCHANGE1 can?
No DNS issue here, because the IP is used
No network issue here, because the user on LAPTOP1 can RDP to AD2
Maybe I need to check whether DNS on LAPTOP1 has both the AD1 & AD2 IPs or not
Both AD1 & AD2 hold the Global Catalog
Is it because of the FSMO roles?
What other possibilities are there?

thanks
Question by:nbctcp
Expert Comment by: Netman66 (ID: 20378029)
I think you'll find the DFS root is in AD1 - likely on the Exchange server maybe?

Author Comment by: nbctcp (ID: 20379121)
How do I verify only AD1 has DFS Roots?
Can I have DFS Roots in AD2 too?

MORE INFO:
-User DNS points to AD1 and AD2
-User logs in as Domain Administrator
-Namespace servers point to:
\\AD1\Public
\\AD2\Public
Expert Comment by: Netman66 (ID: 20379238)
When you set up DFS it asks you where the root will live - by server name.

See this for a picture of what I speak of:

http://www.windowsnetworking.com/articles_tutorials/Windows2003-Distributed-File-System.html

Which icon do you show:  http://www.windowsitpro.com/articles/images/dfstypes.gif

Also, if you run this command:  dfsutil /insite:\\example.com\dfsroot /enable
you will prevent clients from looking for a server outside their site.  Now...this is where you need to make sure your Sites and Subnets are configured correctly in AD Sites and Services and the servers are placed into the correct Site.  Do NOT move the root server (first DC in the forest) out of Default-First-Site-Name - simply rename that ugly site name to a name that means something for your root location.

Author Comment by: nbctcp (ID: 20379691)
Dear Netman66,

MORE INFO:
-Win2k3 R2 SP2
-Namespace servers point to:
\\AD1\Public Default-First-Site-Name
\\AD2\Public Default-First-Site-Name
-AD1 and AD2 = AD+DFS

I have PROD Zone and DR Zone
PROD ZONE:
AD1
EXCHANGE1
SQL1

DR ZONE:
AD2
EXCHANGE2
SQL2

From there I can see that both AD1 and AD2 are in the same Default-First-Site-Name.
I want to achieve that, if AD1 is down, the USER zone can still access \\domain.local\Public.
What am I supposed to do next?
Do I need to create Default-Second-Site-Name and move AD2 into it?
Will it affect my Exchange 2007, which is currently working fine?

thanks
Expert Comment by: Netman66 (ID: 20379854)
You stated in your original post that there are 3 subnets (according to your IP scheme).

Depending on the subnet mask these may be completely separate networks even though you may have them on the same wire.  I suspect if the subnet mask confirms these are on different networks then you have some type of layer 3 device routing between them.

If that is the case then, yes, you need to create a second Site and associate the correct subnet to it, then move the server into that new site.

This allows clients to locate a server more easily.  Since your clients also appear on a different network, you're going to have to associate that subnet with one of the sites - which will force all the users to access one server for DFS.

I'm not sure why you have all this carved up in this manner, but I'm sure there was a reason.
Author Comment by: nbctcp (ID: 20406052)
I followed the procedure below in my POC:
-create Default-Second-Site-Name
-create some Subnets
-move the DR AD to Default-Second-Site-Name

It works perfectly in my POC:
-from the user zone I can still access \\domain.local\Public if AD1 is down, with a 5s delay
but
at my client's site, when I follow the same procedure, I still get an unresponsive situation when accessing \\domain.local\Public if AD1 is down.
The difference between my POC and my client is that my client uses NIC Teaming.
The reason we put USER, PROD and DR in different subnets is that we want to control which protocols are allowed between the user and server zones. Currently at my client's site it is ALLOW ALL.
Can someone guide me on how to troubleshoot?
thanks

Configure Active Directory Sites and Services:
Open Console
- click Start-Programs-Administrative Tools-Active Directory Sites and Services
- click Sites-New Site
  Name: Default-Second-Site-Name
  Click DEFAULTIPSITELINK
  Click OK 2x
- Right click Sites-Default First Site Name-Servers-DRESSVR301-Move
  Click Default-Second-Site-Name
  Click OK
- Right click Sites-Default Second Site Name-Servers-DRESSVR301-NTDS Settings-Properties
  Click Global Catalog
  Click OK

Open Console in PRESSVR301
- Right click Sites-Default Second Site Name-Servers-DRESSVR301-NTDS Settings-Properties
  Click Global Catalog
  Click OK

Create Subnets
- Right click Sites-Subnets-New Subnet
  Address: 10.0.0.0
  Mask: 255.255.255.0
  Click Default-First-Site-Name
  Click OK
  Follow the same steps above for subnets 10.0.1.0, 10.0.2.0, 10.0.3.0, 10.0.4.0, 10.0.5.0
- Right click Sites-Subnets-New Subnet
  Address: 10.0.6.0
  Mask: 255.255.255.0
  Click Default-Second-Site-Name
  Click OK

# dfsutil /path:\\esuria.local\public /insite /display
# dfsutil /path:\\esuria.local\public /insite /disable
# dfsutil /path:\\esuria.local\public /targetfailback /display
# dfsutil /path:\\esuria.local\public /targetfailback /enable
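As an added example (not code from the thread), the site, subnet and Global Catalog changes nbctcp lists above, together with the in-site referral setting Netman66 describes, expressed with the ActiveDirectory PowerShell module. This assumes Windows Server 2008 R2 / RSAT or later for the module (the Windows 2003 DCs in the thread would have to keep using the MMC steps); site, subnet and server names are the ones posted, and the namespace and site-link names are assumptions.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT or later). Names below come from the posted
# steps; $dfsRoot and the site-link name are assumptions for this environment.
Import-Module ActiveDirectory

$prodSite    = 'Default-First-Site-Name'   # the first DC in the forest stays here
$drSite      = 'Default-Second-Site-Name'  # site name from the posted steps
$drDc        = 'DRESSVR301'                # DR DC name from the posted steps
$prodSubnets = '10.0.0.0/24','10.0.1.0/24','10.0.2.0/24',
               '10.0.3.0/24','10.0.4.0/24','10.0.5.0/24'
$drSubnets   = @('10.0.6.0/24')
$dfsRoot     = '\\domain.local\public'     # domain-based namespace from the question

# 1. Second site, added to the existing IP site link so replication keeps flowing.
New-ADReplicationSite -Name $drSite
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = $drSite }

# 2. Subnet-to-site mapping. A client or DC whose address falls in no listed
#    subnet has no site, so site-aware DC and DFS target selection cannot work
#    for it; every client subnet, including the USER zone, must be listed.
foreach ($s in $prodSubnets) { New-ADReplicationSubnet -Name $s -Site $prodSite }
foreach ($s in $drSubnets)   { New-ADReplicationSubnet -Name $s -Site $drSite }

# 3. Move only the DR DC into the new site.
Move-ADDirectoryServer -Identity $drDc -Site $drSite

# 4. Global Catalog on the DR DC: bit 0x1 of 'options' on its NTDS Settings object.
$ntdsDn = (Get-ADDomainController -Identity $drDc).NTDSSettingsObjectDN
$ntds   = Get-ADObject -Identity $ntdsDn -Properties options
Set-ADObject -Identity $ntdsDn -Replace @{ options = ([int]$ntds.options -bor 1) }

# 5. Verify: each DC in its intended site with GC set, each subnet mapped as expected.
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog, IPv4Address
Get-ADReplicationSubnet -Filter *  | Select-Object Name, Site

# 6. Referral behaviour, using the dfsutil switch form Netman66 posted. "insite"
#    limits referrals to targets in the client's own site; with one target per
#    site that removes failover, so for DR access while AD1 is down it should
#    stay disabled (or a target must exist in every site clients belong to).
& dfsutil "/insite:$dfsRoot" /display
& dfsutil "/insite:$dfsRoot" /disable
```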
Author Comment by: nbctcp (ID: 20436036)
I got some more info when I ran these commands on AD1 and AD2:
AD1
# dcdiag /e /c /v
# netdiag /test:dns /debug
[WARNING] Cannot find a primary authoritative DNS server for the name
            'bicbcprsvr-001.domain.local.'. [ERROR_TIMEOUT]
            The name 'bicbcprsvr-001.domain.local.' may not be registered in DNS.
      Interface {D8EEF498-32AD-4CCB-AF9A-6B613ED19E9F}
        DNS Domain:
        DNS Servers:
        IP Address:         Expected registration with PDN (primary DNS domain name):
          Hostname: bicbcprsvr-001.domain.local.
          [WARNING] Cannot find a primary authoritative DNS server for the name
            'bicbcprsvr-001.domain.local.'. [ERROR_TIMEOUT]
            The name 'bicbcprsvr-001.domain.local.' may not be registered in DNS.
Check the DNS registration

AD2
# dcdiag /e /c /v
Testing server: Default-First-Site-Name\BICBCPRSVR-001
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         [BICBCPRSVR-001] LDAP bind failed with error 58,
         The specified server cannot perform the requested operation..
         ***Error: The machine, BICBCPRSVR-001 could not be contacted, because of a bad net  response.  Check to make sure that this machine is a Domain Controller.

Doing primary tests
   Testing server: Default-First-Site-Name\BICBCPRSVR-001
      Skipping all tests, because server BICBCPRSVR-001 is
      not responding to directory service requests
   
   Testing server: Default-Second-Site-Name\BICBCDRSVR-001
      Starting test: Replications
         * Replications Check
         [Replications Check,BICBCDRSVR-001] A recent replication attempt failed:
            From BICBCPRSVR-001 to BICBCDRSVR-001
            Naming Context: DC=ForestDnsZones,DC=domain,DC=local
            The replication generated an error (1727):
            The remote procedure call failed and did not execute.
            The failure occurred at 2007-12-08 10:50:16.
            The last success occurred at 2007-12-08 10:00:55.
            1 failures have occurred since the last success.
Name,CN=Sites,CN=Configuration,DC=domain,DC=local
         Warning: BICBCPRSVR-001 is the Schema Owner, but is not responding to LDAP Bind.
         Role Domain Owner = CN=NTDS Settings,CN=BICBCPRSVR-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
         Warning: BICBCPRSVR-001 is the Domain Owner, but is not responding to LDAP Bind.
         Role PDC Owner = CN=NTDS Settings,CN=BICBCPRSVR-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
         Warning: BICBCPRSVR-001 is the PDC Owner, but is not responding to LDAP Bind.
         Role Rid Owner = CN=NTDS Settings,CN=BICBCPRSVR-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
         Warning: BICBCPRSVR-001 is the Rid Owner, but is not responding to LDAP Bind.

# netdiag /test:dns /debug
Description: TEAM : Team #0
Packets SendError:               3
Author Comment by: nbctcp (ID: 20497054)
Case can be closed.
After following this link http://support.microsoft.com/kb/870964,
I can successfully connect to the AD2 DFS if AD1 is down.
So basically I need to configure the iSCSI driver to load before File Sharing loads.
Otherwise the file shares on AD2 will disappear when AD2 is rebooted.

thanks
Accepted Solution by: Computer101, EE Admin (ID: 21861137), earned 0 total points
PAQed with points refunded (500)