[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 979
  • Last Modified:

Cannot find Global Catalog

Greetings!

I manage a small 80+ user shop with a single domain controller and a seperate, dedicated Exchange server.  (All 2003, Sp2)

When running Active Directory Users & Computers on anyother system, other than the DC, I run into error warnings.

For example, when clicking on the 'Members' tab of a security group, I get this message:

"A global catalog cannot be located to retrieve the icons for the members list..."

This does NOT happen when I am using ADUC on the Domain Controller.

My Question:
What could prevent Global Catalog from being available to other member servers or workstations?    (Yes, Global Catalog IS checked in NTDS settings in ADSS -- there is only 1 DC.) I sometimes get similar errors from Outlook.

BTW, Exchange is working fine -- but there are problems when adding new users mailboxes when I use the ADUC on the exchange server.  Fine when on DC.

Thanks in advance!!!

Jon
0
graceout
Asked:
graceout
  • 11
  • 4
  • 2
  • +1
2 Solutions
 
Krzysztof PytkoActive Directory EngineerCommented:
Could you take print screen from command-line where you run command

ipconfig /all

please?

I suppose that is a problem of DNS server misconfiguration.
0
 
Mike ThomasConsultantCommented:
Check member server and client ip configuration settings, maybe flush their dns cache using ipconfig/flushdns, hve you changed IP of the DC's or anything like that recently?
0
 
SjoerdvWCommented:
Sounds like a DNS problem. Can you run the following command to confirm that the GC is registered to DNS properly

nslookup gc._msdcs.[yourdomain.com]
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
graceoutAuthor Commented:
All servers and workstation have the DC's IP addreess as the Primary DSN server.

The secondary is the DNS server across the WAN in Corporate which forwards to the ISP.

I have forwarding set up on the DC's DNS AD zone which also points to this secondary.
0
 
Krzysztof PytkoActive Directory EngineerCommented:
Please restart your netlogon service on DNS server.

net stop netlogon
net start netlogon

and check again
0
 
Krzysztof PytkoActive Directory EngineerCommented:
If it won't help run DNS test from command-line and put results here

dcdiag /test:dns

thanks in advance
0
 
graceoutAuthor Commented:
SjoerdvW:  this command returns "*** Can't Find __________: Non existent domain."

In fact, I usually get errors from "nslookup [hostname]" even though I've checked through DNS server properties and reverse lookups.

0
 
graceoutAuthor Commented:
DCDIAG was run FROM the Exchange server, but added the /s: tag which identifies BALAD as the DC.
The DC IS 1292.168.7.10

Definately something funky going on.  It's like our DNS server is forwarding everything...
DNStest.jpg
0
 
graceoutAuthor Commented:
In fact, ANY "nslookup [hostname] returns:  *** dc.domain.com can't find hostname: Query refused.

Again, all primary dns servers ARE the domain controller AND dns server.
0
 
Mike ThomasConsultantCommented:
Create a new forward lookup zone named _msdcs.mydomain.com , Store it in AD,
allow dynamic updates, then restart the Netlogon service byt typing "net stop netlogon && net start netlogon"
0
 
Krzysztof PytkoActive Directory EngineerCommented:
do you have more than 1 nic on dns server?
0
 
graceoutAuthor Commented:
Only 1 NIC on DC/DNS server.

iSiek:  I have just done this -- although there WAS a _msdcs folder inside the AD zone.

Still getting 'Cant find ... query refused' on all nslookups.
0
 
graceoutAuthor Commented:
Starting to think the real question is:  Why is my DNS server refusing queries?
0
 
graceoutAuthor Commented:
I guess everyone is giving up, but I wanted to mention one other thing I noticed:

When I perform "nslookup hostname" it fails as before, but when I perform

"nslookup hostname.fully.qualified.domain.name" it suceeds.

Any final ideas?
0
 
SjoerdvWCommented:
Can you add fully.qualified.domain.name to the "DNS suffix for this connection" in the ip properties of you're network connection?

(this can also be done through DHCP, Server Options, 15 DNS domain Name)
0
 
graceoutAuthor Commented:
SjoerdvW:  This is already done -- and if also done mannually, does not resolve this problem.

Adding this "DNS Suffix" only insures that connections  (pings, etc.) get resolved within the domain.  One can ping HOSTNAME without needing to qualify it.


0
 
graceoutAuthor Commented:
SjoerdvW:

You asked me to do this: "Can you run the following command to confirm that the GC is registered to DNS properly:  nslookup gc._msdcs.[yourdomain.com] "

What do I need to do to properly register GC in DNS?

You get full points when you show me how.

Thanks!
0
 
graceoutAuthor Commented:
Comments led me to my own resolution, but did not provide a solution.
0

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

  • 11
  • 4
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now