Solved

Cannot find Global Catalog

Posted on 2010-08-26
Last Modified: 2012-06-21
Greetings!

I manage a small 80+ user shop with a single domain controller and a separate, dedicated Exchange server.  (All 2003, SP2)

When running Active Directory Users & Computers on any system other than the DC, I run into error warnings.

For example, when clicking on the 'Members' tab of a security group, I get this message:

"A global catalog cannot be located to retrieve the icons for the members list..."

This does NOT happen when I am using ADUC on the Domain Controller.

My Question:
What could prevent Global Catalog from being available to other member servers or workstations?    (Yes, Global Catalog IS checked in NTDS settings in ADSS -- there is only 1 DC.) I sometimes get similar errors from Outlook.

BTW, Exchange is working fine -- but there are problems when adding new users' mailboxes when I use ADUC on the Exchange server.  Fine when on the DC.

Thanks in advance!!!

Jon
Question by:graceout
19 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33531332
Could you take a print screen of the command line where you run the command

ipconfig /all

please?

I suppose that is a problem of DNS server misconfiguration.
0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 33531370
Check member server and client IP configuration settings, and maybe flush their DNS cache using ipconfig /flushdns. Have you changed the IP of the DCs or anything like that recently?
0
 
LVL 7

Accepted Solution

by:
SjoerdvW earned 250 total points
ID: 33531391
Sounds like a DNS problem. Can you run the following command to confirm that the GC is registered to DNS properly?

nslookup gc._msdcs.[yourdomain.com]
0
 

Author Comment

by:graceout
ID: 33531420
All servers and workstations have the DC's IP address as the primary DNS server.

The secondary is the DNS server across the WAN in Corporate which forwards to the ISP.

I have forwarding set up on the DC's DNS AD zone which also points to this secondary.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33531445
Please restart your netlogon service on DNS server.

net stop netlogon
net start netlogon

and check again
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33531467
If that doesn't help, run the DNS test from the command line and post the results here

dcdiag /test:dns

thanks in advance
0
 

Author Comment

by:graceout
ID: 33531485
SjoerdvW:  this command returns "*** Can't Find __________: Non existent domain."

In fact, I usually get errors from "nslookup [hostname]" even though I've checked through DNS server properties and reverse lookups.

0
 

Author Comment

by:graceout
ID: 33531715
DCDIAG was run FROM the Exchange server, but added the /s: tag which identifies BALAD as the DC.
The DC IS 1292.168.7.10

Definitely something funky going on.  It's like our DNS server is forwarding everything...
DNStest.jpg
0
 

Author Comment

by:graceout
ID: 33531795
In fact, ANY "nslookup [hostname]" returns:  *** dc.domain.com can't find hostname: Query refused.

Again, all primary dns servers ARE the domain controller AND dns server.
0
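The two failures reported so far in this thread, "Non existent domain" and "Query refused", are different DNS response codes and point at different causes. The sketch below is an added example, not part of any post: it builds queries for the three records Netlogon registers for a global catalog and classifies a reply header. The forest name `example.local` and the reply bytes are constructed for illustration.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"A": 1, "SRV": 33}

def gc_locator_queries(forest):
    """Names Netlogon registers for a global catalog in the forest root zone."""
    return [("gc._msdcs." + forest, "A"),
            ("_ldap._tcp.gc._msdcs." + forest, "SRV"),
            ("_gc._tcp." + forest, "SRV")]

def build_query(name, qtype, txid=0x1234):
    """Encode a single-question DNS query (RFC 1035) with recursion desired."""
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label in %r" % name)
        qname += bytes([len(raw)]) + raw
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)

def make_response(query, rcode, authoritative):
    """CONSTRUCTED reply for offline use: echo the question, set QR and RCODE."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | (0x0400 if authoritative else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]

def diagnose(response, txid=0x1234):
    """Return (rcode, authoritative, answer_count, hint) from a reply header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to this query")
    rcode = RCODES.get(flags & 0x000F, "RCODE %d" % (flags & 0x000F))
    aa = bool(flags & 0x0400)  # AA bit: reply came from a server hosting the zone
    if rcode == "REFUSED":
        hint = "server declined the query for policy reasons; check its settings"
    elif rcode == "NXDOMAIN" and aa:
        hint = "zone owner has no such record; GC records are not registered"
    elif rcode == "NXDOMAIN":
        hint = "denial came via recursion or forwarding, not a locally hosted zone"
    elif rcode == "NOERROR" and answers:
        hint = "record present"
    else:
        hint = "no usable answer"
    return rcode, aa, answers, hint
```

Against a live server, send each `build_query(...)` result over UDP port 53 to the DC's address and pass the reply to `diagnose`.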
 
LVL 24

Assisted Solution

by:Mike Thomas
Mike Thomas earned 250 total points
ID: 33531806
Create a new forward lookup zone named _msdcs.mydomain.com, store it in AD, allow dynamic updates, then restart the Netlogon service by typing "net stop netlogon && net start netlogon"
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33531814
Do you have more than 1 NIC on the DNS server?
0
 

Author Comment

by:graceout
ID: 33531979
Only 1 NIC on DC/DNS server.

iSiek:  I have just done this -- although there WAS a _msdcs folder inside the AD zone.

Still getting 'Can't find ... query refused' on all nslookups.
0
 

Author Comment

by:graceout
ID: 33532198
Starting to think the real question is:  Why is my DNS server refusing queries?
0
 

Author Comment

by:graceout
ID: 33532440
I guess everyone is giving up, but I wanted to mention one other thing I noticed:

When I perform "nslookup hostname" it fails as before, but when I perform

"nslookup hostname.fully.qualified.domain.name" it succeeds.

Any final ideas?
0
 
LVL 7

Expert Comment

by:SjoerdvW
ID: 33532943
Can you add fully.qualified.domain.name to the "DNS suffix for this connection" in the IP properties of your network connection?

(this can also be done through DHCP, Server Options, 15 DNS domain Name)
0
 

Author Comment

by:graceout
ID: 33532975
SjoerdvW:  This is already done -- and if also done manually, does not resolve this problem.

Adding this "DNS Suffix" only ensures that connections (pings, etc.) get resolved within the domain.  One can ping HOSTNAME without needing to qualify it.


0
 

Author Comment

by:graceout
ID: 33533385
SjoerdvW:

You asked me to do this: "Can you run the following command to confirm that the GC is registered to DNS properly:  nslookup gc._msdcs.[yourdomain.com] "

What do I need to do to properly register GC in DNS?

You get full points when you show me how.

Thanks!
0
 

Author Comment

by:graceout
ID: 33535372
0
 

Author Closing Comment

by:graceout
ID: 33535388
Comments led me to my own resolution, but did not provide a solution.
0
