Solved

Windows 2008 DC not allowing connections from different subnet

Posted on 2009-05-05
Last Modified: 2013-12-04
Hi,

I recently built a new external Windows 2008 domain in a new forest at windows 2008 level. This domain is to be hosted externally to our internal domain, which is a windows 2003 domain level domain. I eventually plan to create a one way trust where the external domain trusts the internal domain. However, I am having communications issues between internal DCs and my new Windows 2008 DC. Below is the situation:

ExtServer1 - Win 2008 SP1 DC (located in "external subnet 1")
ExtServer2 - Win 2008 SP1 DNS member server (located in "external subnet 1")
ExtServer3 - Win 2003 SP2 ISA member server (located in "external subnet 1")

IntServer1 - Win 2003 SP2 DC (located in "internal subnet 10")
IntServer2 - Win 2003 SP2 DC (located in "internal subnet 11")
IntWorkstation1 - Win XP SP3 workstation (located in "internal subnet 12")

From ExtServer2: telnet ExtServer1 389 (works fine)
From ExtServer3: telnet ExtServer1 389 (works fine)

From IntServer1: telnet ExtServer1 389 (does not work)
From IntServer2: telnet ExtServer1 389 (does not work)
From IntWorkstation1: telnet ExtServer1 389 (does not work)

From IntServer1: telnet ExtServer2 53 (works fine)
From IntServer2: telnet ExtServer2 53 (works fine)
From IntWorkstation1: telnet ExtServer2 53 (works fine)

Basically, I can not access this DC "ExtServer1" from any other subnet. Access from the same subnet works fine. I have full access from internal subnets to external subnets, so no network issues blocking access to this server. Also I can get to this subnet, as you can see from the tests to another member server in the "external" subnet domain.

I am new to windows 2008, but have seen a lot of changes in the windows firewall and security space. Can anyone point me in the right direction or tell me what could be the issue here? Once I am able to communicate successfully from my internal subnets to this DC, I can create my trust and be on my way with other tasks.

Thanks.
kineticexpert
6 Comments
 

Author Comment

by:kineticexpert
ID: 24302685
Sorry, also to add to this. Prior to completing a DCPROMO on this windows 2008 server (ExtServer1), I was able to successfully copy across files to the server from any server/workstation in internal subnets (i.e. IntServer1, IntServer2, IntWorkstation1). However, now I cannot access it at all from the internal subnets as mentioned above.

So one would assume some policy has been applied since becoming a domain controller.

Thanks.
Adrian
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24302947
Have you checked the firewall settings on the 2008 DC? I'd even disable it for a quick test too.
A network trace would really come in handy here.
You could also run portqry from the internal box to the 2008 DC and see what the results are from IntServer1 to ExtServer1
Thanks
Mike
 

Author Comment

by:kineticexpert
ID: 24303467
Hi Mike,
Thanks for the response. How would you suggest I do a network trace? I have tried using network monitor, but have not been successful in trying to understand it.
I used portqry and got the below results.

=============================================

 Starting portqry.exe -n 10.48.128.50 -e 389 -p TCP ...

Querying target system called:

 10.48.128.50

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 389 (ldap service): FILTERED
portqry.exe -n 10.48.128.50 -e 389 -p TCP exits with return code 0x00000002.

Thanks.
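The telnet matrix in the question and the portqry run above are the same check repeated per host and port, and the result that matters is the three-way distinction portqry makes: LISTENING (handshake completes), NOT LISTENING (the host answers with a RST) and FILTERED (no answer at all, so something on the path is dropping the SYN). The following is an added Python example, not code from this thread or from portqry; the host names, the DC port list beyond 389 and 53, and the local listener used to exercise it are constructed for the demonstration.

```python
"""Added example (not from the Experts Exchange thread): a small TCP port
probe that reports the same three states portqry uses, LISTENING,
NOT LISTENING and FILTERED, so a connectivity matrix like the one in the
question can be collected from a script instead of by hand with telnet."""
import errno
import socket
import threading

# Ports a client needs to reach a domain controller. Assumption: the thread
# only tests 389 (LDAP) and 53 (DNS); the others are added here for a fuller
# matrix and are standard AD service ports.
DC_PORTS = {
    53: "dns",
    88: "kerberos",
    135: "rpc-epmap",
    389: "ldap",
    445: "smb",
    636: "ldaps",
}

# connect_ex() reports a timeout as EWOULDBLOCK/EAGAIN rather than raising,
# and some stacks report ETIMEDOUT instead; all of them mean "no answer".
_TIMEOUT_CODES = {errno.EWOULDBLOCK, errno.EAGAIN, errno.ETIMEDOUT}


def probe_tcp(host, port, timeout=3.0):
    """Return 'LISTENING', 'NOT LISTENING', 'FILTERED' or an ERROR(...) tag.

    A completed handshake means a service is listening. ECONNREFUSED means
    the host is reachable but nothing listens on that port (a RST came back).
    A timeout means nothing came back at all, which is what portqry calls
    FILTERED: a firewall rule, ACL or NAT translation on the path is silently
    dropping the SYN. That is the symptom in the thread, and it points at the
    network path rather than at the DC's services.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            rc = s.connect_ex((host, port))
    except socket.gaierror:
        return "ERROR(UNRESOLVED)"
    if rc == 0:
        return "LISTENING"
    if rc == errno.ECONNREFUSED:
        return "NOT LISTENING"
    if rc in _TIMEOUT_CODES:
        return "FILTERED"
    # Anything else (e.g. EHOSTUNREACH from an ICMP unreachable) is reported
    # by name so it is not mistaken for a silent drop.
    return "ERROR(%s)" % errno.errorcode.get(rc, rc)


def probe_matrix(targets, ports=DC_PORTS, timeout=3.0):
    """Probe every (host, port) pair; returns {host: {port: state}}."""
    return {host: {port: probe_tcp(host, port, timeout) for port in ports}
            for host in targets}


def start_local_listener():
    """Start a throwaway TCP listener on 127.0.0.1 (ephemeral port) so the
    probe can be exercised offline. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        srv.settimeout(0.2)
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    def stop_function():
        stop.set()
        worker.join()

    return port, stop_function


def demo():
    """Probe a local port while a listener is up, then again after it is
    closed; returns the two states the probe reports."""
    port, stop = start_local_listener()
    try:
        open_state = probe_tcp("127.0.0.1", port, timeout=1.0)
    finally:
        stop()
    closed_state = probe_tcp("127.0.0.1", port, timeout=1.0)
    return open_state, closed_state


if __name__ == "__main__":
    print(demo())
    # Constructed host list from the thread; unresolvable here, so each entry
    # reports ERROR(UNRESOLVED) rather than a misleading FILTERED.
    for host, states in probe_matrix(["ExtServer1", "ExtServer2"], timeout=1.0).items():
        print(host, {DC_PORTS[p]: s for p, s in states.items()})
```

Run against a real target, a port that comes back FILTERED while a sibling host on the same subnet reaches it is the pattern from the question, and it rules out the service itself before anyone touches the DC: the next place to look is the firewall rule set and any address translation that covers the DC's address, which is where the accepted solution found the cause.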

Accepted Solution

by:
kineticexpert earned 0 total points
ID: 24303540
OK, I feel like an absolute tool right now. But I have fixed the network communications to this server from the internal subnets.
It ended up being a specific translation on the firewall:
ExtServer1 to IntServer2 was being translated

Not sure why it affected all internal networks from accessing ExtServer1, when it was specifically only one single server being translated.
Anyway, I believe my issues are sorted.

Thanks.
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24303631
well done!!
So now does that portqry come back as "listening"?
Thanks
 
Mike
 

Author Comment

by:kineticexpert
ID: 24303811
yeah it does...
quite a handy little tool to use. I was relying on my network logs, which weren't showing anything, so I thought it was fine.
Thanks.