Windows 2003 Domain Controller keeps getting orphaned from the domain.

I have a DC that keeps getting orphaned from the domain.  This happened back in October of 07.  I finally got it rejoined after going through removing all the lingering objects, etc, and now it has happened again.

I am running a port scan from the orphaned server to its closest neighborhood DC.  Here are the results.
==== End of RPC Endpoint Mapper query response ====

TCP port 137 (netbios-ns service): NOT LISTENING

TCP port 139 (netbios-ssn service): LISTENING

TCP port 445 (microsoft-ds service): LISTENING

TCP port 389 (ldap service): LISTENING

Using ephemeral source port
Sending LDAP query to TCP port 389...


It hangs on sending an LDAP query to TCP port 389 to its neighbor DC.

To me, this is a firewall port block issue.  Any ideas?
iCoreKCAsked:

sliiconmanCommented:
Sounds like a firewall or port restriction.
0
sliiconmanCommented:
Oops, somehow I hit submit.  What network device is this connected to? Are there any port blocks or MAC filtering going on?
0
iCoreKCAuthor Commented:
This is exactly what I am thinking, but the Network Team cannot see anything on the firewall logs being blocked.

0
sliiconmanCommented:
Well will they accept a network capture? That should show the traffic being blocked or the error coming back. Do they have access to sniff the wire?

Is anything listening on port 636 (LDAPS) by chance? Not really used but just thinking. Can you ping the other nodes on the network?
0
iCoreKCAuthor Commented:
Also, you will see port 389 Listening in my first post above.  And then it hangs on its literal LDAP request to that same port that is listening.

Now, this would seem to me that the port is open on the firewall, but for some reason it is not getting the LDAP information to or from its target.
0
sliiconmanCommented:
Right, I agree on the LDAP port, sorry I wasn't being clear. That is what the network capture would be helpful for.
0
iCoreKCAuthor Commented:
I am Wiresharking both sides now and will post the results here.
0
ChiefITCommented:
Port 137 is a Netbios port used for the Browser service:

If you are using ISA firewall, the ISA firewall has to have rules set for the browser service to work.

Also, Netbios will not propagate across different subnets, different subnet masks, over a firewall, over NAT or any other type of potential port blockage.

The alternative fix to the browser service is to implement WINS on clients and servers. I call it the WINS/WAN configuration of the browser service because of how the following article fixes these types of issues.

The following article best explains fixes and workarounds for the domain browser service. The article is for an NT4 server, but everything applies to a 2003 server as well (including registry edits to determine the function of the browser). It's a good read for anyone who has browser issues.
http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/chptr3.mspx?mfr=true
0
iCoreKCAuthor Commented:
The only port that seems to be affected is 389.

WINS is not that important in a Windows 2003 domain.
0
ChiefITCommented:
You are correct in saying WINS is not important for LDAP queries. (But, WINS may be important if you run into browser problems. I saw port 137 not listening and assumed that was the original problem. Sorry for my assumption.)

ldap            389/tcp    Lightweight Directory Access Protocol
ldap            389/udp    Lightweight Directory Access Protocol

Port 389 can be blocked by antivirus software. Port 389 has been a target by mass mailing worms. So AV manufacturers included port blocking for some AV products on top of the firewall you already have. Sometimes you need to add an exception to your AV software for your mail client, (or mail server), software to work. To test this theory, temporarily disable your AV software.

If it is conclusive that the AV software is blocking port 389, then let us know what AV software you have and what mail client/server products you are running. I know the exact fix to McAfee, but don't know about Symantec or other AV software packages.


0
iCoreKCAuthor Commented:
Checked the AV on both servers in question and 389 is open.  

Still working on this with our network team.  
0
iCoreKCAuthor Commented:
One more thing.  When I try to rejoin the domain by pointing at this servers same site DC, it will not find a domain controller.  When I attempt to rejoin the domain by pointing at a DC half way across the country it works fine.

It has to be a port issue.
0
sliiconmanCommented:
Sure sounds like a port issue. Maybe it is a port issue on the other DC? I assume you are not using IPsec, correct? I am not sure what your network team will post. Do they secure ports a certain way? You may or may not want to post that kind of information on here if people know where you work.

I would ask if they MAC filter, and new NAC installs?

just sounds like a port issue still. What did the packet capture show?
0
ChiefITCommented:
"Can't contact the domain controller" sounds like the netbios translation isn't being done to the DC; it almost sounds like the SRV and/or Host A DNS record doesn't exist in DNS. Is your DNS server external, internal, or internal and the same server as the server you are trying to contact? If it were a permissions problem, I would guess all of your problems are related to the LDAP port. Try to ping the server by using its computer name:
Example: ping MYSERVER1

If you have problems pinging, try going to the server and registering its DNS setting by going to the cmd prompt and typing IPconfig /Registerdns. Then type 'net stop netlogon'. Then 'net start netlogon'. Now force replicate that DNS Host A to all servers on that LAN.

An alternative problem that can cause intermittent comms is the router configuration. You should not have external DNS servers on your router's list of DNS servers. Otherwise you may bypass the server and go straight out to the internet for DNS queries.
0
iCoreKCAuthor Commented:
Chief,

The DNS is fine and can resolve any DC in the domain.  It can do an NSLOOKUP on our "domain".com and pulls back all the ips for the DCs.

No problems resolving or pinging at all.  All DNS is internal.

What we are seeing here is a port blockage.  Port 389 is shown as listening, but cannot pull anything from AD.
0
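The thread's central observation, both in the port scan in the question (389 "LISTENING", then the LDAP query hangs) and in the comment just above, is that a TCP port completing a handshake is not the same as the service behind it answering. The following added example (not from this thread or from any of the tools mentioned in it) separates those two outcomes: it connects to a host, sends a minimal anonymous LDAPv3 RootDSE search, which a domain controller answers without authentication, and reports whether the connection was refused, timed out, accepted but silent, or returned a real LDAP result. The BER encoding and the attribute name `defaultNamingContext` are standard LDAP; the host name and the result strings are assumptions chosen for this example.

```python
import socket


def ber_len(n):
    """Encode a BER length (short form under 128, long definite form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, payload):
    """One BER TLV: tag byte, length, payload."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def rootdse_search_request(msg_id=1, attribute=b"defaultNamingContext"):
    """LDAPv3 SearchRequest for the RootDSE (base "", scope baseObject,
    filter (objectClass=*), one requested attribute). No bind is sent:
    Active Directory answers RootDSE reads anonymously."""
    search = ber(0x63,                          # [APPLICATION 3] SearchRequest
                 ber(0x04, b"") +               # baseObject: "" (RootDSE)
                 ber(0x0A, b"\x00") +           # scope: baseObject
                 ber(0x0A, b"\x00") +           # derefAliases: neverDerefAliases
                 ber(0x02, b"\x00") +           # sizeLimit 0
                 ber(0x02, b"\x00") +           # timeLimit 0
                 ber(0x01, b"\x00") +           # typesOnly FALSE
                 ber(0x87, b"objectClass") +    # filter: present [7] objectClass
                 ber(0x30, ber(0x04, attribute)))  # attributes: SEQUENCE OF
    return ber(0x30, ber(0x02, bytes([msg_id])) + search)  # LDAPMessage


def parse_tlv(buf, pos=0):
    """Decode one BER TLV at pos; return (tag, payload, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_sequence(payload):
    """Split a SEQUENCE/SET payload into a list of (tag, payload) children."""
    out, pos = [], 0
    while pos < len(payload):
        tag, val, pos = parse_tlv(payload, pos)
        out.append((tag, val))
    return out


def parse_search_response(data):
    """Walk the LDAPMessages in data; return ({attr: [values]}, resultCode)."""
    attrs, result_code, pos = {}, None, 0
    while pos < len(data):
        _, msg, pos = parse_tlv(data, pos)
        _msg_id, (tag, body) = parse_sequence(msg)[:2]   # controls, if any, ignored
        if tag == 0x64:                                  # SearchResultEntry
            _dn, attr_list = parse_sequence(body)[:2]
            for _, pa in parse_sequence(attr_list[1]):   # PartialAttribute
                atype, vals = parse_sequence(pa)[:2]
                attrs[atype[1].decode()] = [v.decode() for _, v in parse_sequence(vals[1])]
        elif tag == 0x65:                                # SearchResultDone
            result_code = parse_sequence(body)[0][1][0]  # ENUMERATED resultCode
    return attrs, result_code


def probe_ldap(host, port=389, timeout=5.0):
    """Tell 'port open' apart from 'LDAP answers'. Returns a short status string."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        try:
            s.connect((host, port))
        except socket.timeout:
            return "connect-timeout"             # silently dropped (filtered)
        except ConnectionRefusedError:
            return "connect-refused"             # nothing listening
        s.sendall(rootdse_search_request())
        try:
            data = s.recv(65535)                 # RootDSE reply for one attribute is small
        except socket.timeout:
            return "listening-but-no-ldap-response"   # the symptom in this thread
        if not data:
            return "closed-after-request"
        attrs, code = parse_search_response(data)
        return "ok: resultCode=%s %s" % (code, attrs)
    finally:
        s.close()


if __name__ == "__main__":
    print(probe_ldap("dc1.example.test"))        # hypothetical DC name
```

Run it from the orphaned DC against the same-site DC and again against the distant DC that the rejoin succeeded through; a "connect-refused" or "connect-timeout" points at the network path, while "listening-but-no-ldap-response" means the handshake completes and the LDAP request itself is being dropped or never serviced, which is the case a packet capture on both ends (as sliiconman suggested) is best placed to explain.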
ChiefITCommented:
Have you ever had ISA on this server, especially ISA client? ISA client is not supported on 2003 server. It has to be removed, not disabled. It will not work with LDAP.

Also Mozilla Thunderbird has some port blocking in it. I think you have to configure it to block port 389.
0
iCoreKCAuthor Commented:
No, no ISA on this box. It is just a DC with DNS/WINS and AD etc.
0
iCoreKCAuthor Commented:
It appears that we are going to have to completely rebuild this server before I add it back into the domain.

I will keep everyone posted when the testing begins again.
0