How to connect to domain in same

I am really at a loss as to what has changed. I have two domains, a staff and a student domain; they have been working well all school year, enabling connectivity between them all year. As of recently I am unable to access servers on the student domain from the staff, but can still access staff servers from the student network (see attachment). I can ping the servers both with IP and FQDN. Not sure where to start the investigation.
domain-error.jpg
ISSit asked:
authen-tech commented:
Just to test,

See if you can get to the share by replacing the server name with its IP address:
\\xxx.xxx.xxx.xxx\ISS Images

0
artoaperjan commented:
Hi
First check the trust between domains.
Try to delete and recreate them.

If your trust is created successfully, then your DNS is OK.
If not, then check the DNS.

Please come back with the following.
1. Did recreation fix your problem?
2. What server OS are you using? 2000 / 2003
3. What is your functional level? Mixed / Win2000 / Win2003

OK, this is it for now.
0
ChiefIT commented:
Sounds like you have a firewall up on the server you are trying to reach. Ping goes out on port 123, I believe. So, that is not a true test.

DNS is on port 53, and Netbios is on 137. Since you are using the UNC paths to communicate with, that is a function of the browser service.

I believe there is either a firewall blocking 137 or you have two browsers competing with one another.

To check for a browser fight, go into My Network Places and see if the computer you are trying to reach is in the list. Also check the domain controller you are trying to reach and see if there are any 8032 or 8031 event errors that say something like "xxxcomputer thinks it is the domain master browser, the browser service has stopped and an election will be forced".
0

ISSit (Author) commented:
Thank you for your responses. authen-tech, I cannot ping as you suggested. artoaperjan - I think you are right, it seems to point to DNS. Attached are two messages I got from trying to validate the trust. From my network (vanaheim) the outgoing trust check was successful, but the return was not, stating that no logon server was available. From my DC on the student network it just stated that it could not find a DC. Does this imply that the error is with the DNS on my student net, since it could not find the server? Again, from the staff network I cannot connect to any student system, but from the student network, no problem.
Both servers are running Windows 2003; the functional level for staff is 2003, for student it is 2000. I think this was an oversight, as I felt there is no reason not to do so.
ChiefIT, there are issues with systems vying for master browser. In the log it was systems on my student network; could this not be due to DNS if systems are unable to find the server?
trust-error-from-midgard.jpg
trust-error-from-vanaheim.jpg
0
ChiefIT commented:
"ChiefIT, there are issues with systems vying for master browser. In the log it was systems on my student network; could this not be due to DNS if systems are unable to find the server?"
_____________________________________________
REFERENCE MATERIAL:
Let me provide you with an article that you can follow along with:
http://www.microsoft.com/smallbusiness/support/articles/ref_net_ports_ms_prod.mspx
___________________________________________
GETTING USED TO THE PORTS AND HOW THEY WORK OVER A VPN:
DNS is not related to a master browser problem. So, you may have two separate problems.

DNS is on port 53
Master browser is on Netbios port 137 and Netbios datagram ports 138 and 139.
The netlogon service (ports 137, 138 and 139, and 445 for SMB) requires RPC (on port 135).

Since you can ping by FQDN and IP address, it appears like your DNS records are working. However.
_______________________________________________________________________
MASTER BROWSER & NETLOGON SERVICES,  OVER A VPN:
Netbios broadcasts will not propagate through a VPN or over NAT. Both Netlogon and the Master Browser Service use netbios broadcasts on ports 137, 138 and 139. Since you have this issue, I have a fix for the Browser service that should also fix the Netlogon service. I call it the WINS/WAN configuration of the Master Browser. This article tells you how to stop browser election fights by forcing certain nodes to be a domain master browser, master browser and backup browser. For each subnet, you will need a master browser, and I suggest a backup browser. By default, the highest operating system with Roles becomes the domain master browser.

The below article also tells you how to communicate over NAT or VPN Tunnel. It is the WINS WAN configuration of the Master Browser service.

http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/chptr3.mspx?mfr=true

Please NOTE: This is an NT4 article. There is no difference between NT4 and 2003 server, save one exception. The NT4 registry key says "IsDomainMasterBrowser" while 2003 server shortened that to "IsDomainMaster".
__________________________________________________________________________________
FIXING THE NETLOGON SERVICE WHEN YOU BRING A NEW SERVER ON LINE:
Furthermore, I found that these steps usually help when bringing a new server online. Restarting the netlogon service registers the SRV records in DNS. Reregistering the HOST A DNS records allows for domain replication of DNS records and the NETLOGON/SYSVOL shares.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23356031.html

0
artoaperjan commented:
Hi ISSit

Good job,
so now we go forward.
The next two things that you need to check are:
First, the trust validation is dependent on DNS and some domain services, but we take DNS now since it is easy to check.
So for the DNS check I would suggest doing a ping to a name; in my case I have servers DC1, DC2 and so on,
so when you ping DC1 your reply should be
DC1.Domain.com
and so on.
When you are adding a trust or removing a trust, it checks for the first domain and then all the other domains.
So you need to add your DCs to the domain, and I would suggest having at least two AD DNS servers and also adding them to the name servers.
Check my uploaded image.

Honestly, I believe that your case is a DNS problem.

But now about the second thing:
you have to check the master services of the domain controller,
like for example Global Catalog, logon service, master browser and so on.
Just search in Google for "transfer or seize FSMO roles" and you will see all the instructions.
Well, do this, then check back.

I believe that your problem is DNS. Ping all the servers from all the servers, I mean from DCs, and when all pings are OK then try to remove the trust from the one that failed to verify and add it again.
DNS.JPG
0
ISSit (Author) commented:
artoaperjan - from my staff network I can ping other servers in the same domain with just the server name, but for servers on the student network I need to put in the FQDN, after which it goes through. Attached are the shots from my DNS. I need to state that I set up a secondary forward lookup zone on the student network which holds information on the systems on the staff side.
With respect to roles, my DC on the student network holds all 5 roles. The 2 servers on the staff network split them: one server has schema and domain, the other has the remaining 3 (according to the ntdsutil app).
dns-vanaheim1.jpg
dns-vanaheim2.jpg
dns-midgard1.jpg
dns-midgard2.jpg
0
ChiefIT commented:
You are getting through fine on DNS:

"from my staff network I can ping other servers in the same domain with just the server name, but for servers on the student network in need to put in the fqdn, after which it goes through."

This is a WINS record problem, same with netlogon and the browser service.
0
ISSit (Author) commented:
ChiefIT, odd, I recently added a WINS server on the staff network to accommodate an application I was running. Prior to that I never had one in service. As I said, I only have the one; I do not quite understand how that could be causing this. Is there a way to confirm this?
0
ChiefIT commented:
What happens is this:

A client will send out a netbios broadcast that says "I am here". The server picks that up and populates the browselist with it. Then the server also sends back a reply that says "I see you", so the client doesn't elect a master browser. Now that the server has a browselist populated by these netbios broadcasts from clients and other servers, the server shares that.

The problem is the server can't share that over a VPN. So, you have to put WINS on the server to bypass the VPN.

If your clients saw a WINS server, they will go there, but the browselist may be on another node. So, the node the WINS server service is installed on must not be your master browser (which by default is the domain master).

Below is a chronology of a DNS record. Even though DNS is a different entity from WINS, WINS works the same way. The client will try to resolve the Netbios translation itself prior to going to the preferred WINS server.

http://www.experts-exchange.com/Networking/Protocols/DNS/Q_23204162.html

So, to get this to work right, you will want to install WINS on the master browser for the student and the domain master of the staff. Then, on each subnet, you want a backup browser for redundancy. Then you want WINS records between the staff and student master browser servers. Please note that, by default, the highest operating system with holder of roles wins the master browser role. An example of the WINS/WAN configuration is in the article below:

http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/chptr3.mspx?mfr=true
0
ChiefIT commented:
This picture may help:

You are losing it because the WINS server you configured doesn't have the browselist. WINS servers should be on the DC carrying the browselist and WINS pointer records to the applications you need WINS for. You could configure that WINS server to be a master browser for that subnet and communicate with the Domain Master in the staff subnet. These are registry edits that define who is a domain master, who is a master, and who is a backup browser. These registry edits will be found in the article above.

There is a pic attached:
It is a free body diagram of what you want.

browser-interaction.JPG
0
ChiefIT commented:
"So, the node the WINS server service is installed on must not be your master browser"

this should say:

"So, the node the WINS server service is installed on must be your master browser"
0
ISSit (Author) commented:
Feel like an idiot now, I had not made changes to the firewall so did not consider it as a possible issue, but turns out that was the problem all along.  Was not allowing a particular port.  Thank all of you for your help and time.
0
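The thread ends with a host firewall dropping one port while ping still succeeded. As an added example (not from the thread or any of its participants), this small Python checker probes the TCP service ports ChiefIT listed (DNS 53, RPC 135, NetBIOS session 139, SMB 445) against a server, so a blocked port shows up directly instead of being inferred from a UNC failure; the `local_demo` listener and closed port are constructed so it can run offline.

```python
import socket
import sys

# TCP ports for the services named in the thread. NetBIOS name/datagram
# services (UDP 137/138) cannot be probed with a TCP connect, so they are omitted.
SERVICE_PORTS = {
    "DNS": 53,
    "RPC endpoint mapper (netlogon)": 135,
    "NetBIOS session (browser, netlogon)": 139,
    "SMB (UNC shares)": 445,
}

def tcp_port_open(host, port, timeout=2.0):
    """True if a full TCP handshake to host:port completes within timeout."""
    # A refused or timed-out connect means closed or filtered: this is what a
    # host firewall dropping one port looks like even when ping still works.
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_services(host, ports=SERVICE_PORTS, timeout=2.0):
    """Return {service name: 'open' | 'blocked/closed'} for one host."""
    return {name: "open" if tcp_port_open(host, port, timeout) else "blocked/closed"
            for name, port in ports.items()}

def local_demo():
    """Constructed offline demo: one listening and one closed loopback port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)  # the kernel completes handshakes into the backlog
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # released again, so a connect to it is now refused
    result = probe_services("127.0.0.1",
                            {"reachable": open_port, "blocked": closed_port}, 1.0)
    listener.close()
    return result

if __name__ == "__main__":
    # Usage: python probe.py <server-ip-or-fqdn>; with no argument, run the demo.
    report = probe_services(sys.argv[1]) if len(sys.argv) > 1 else local_demo()
    for service, state in report.items():
        print(f"{service:40} {state}")
```

Run it from a staff-side host against the student server's IP and then its FQDN; a port reported blocked/closed on the IP is a firewall or service problem, while a difference between the two runs points back at name resolution.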