• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 980
  • Last Modified:

Cannot find Global Catalog

Greetings!

I manage a small 80+ user shop with a single domain controller and a seperate, dedicated Exchange server.  (All 2003, Sp2)

When running Active Directory Users & Computers on anyother system, other than the DC, I run into error warnings.

For example, when clicking on the 'Members' tab of a security group, I get this message:

"A global catalog cannot be located to retrieve the icons for the members list..."

This does NOT happen when I am using ADUC on the Domain Controller.

My Question:
What could prevent Global Catalog from being available to other member servers or workstations?    (Yes, Global Catalog IS checked in NTDS settings in ADSS -- there is only 1 DC.) I sometimes get similar errors from Outlook.

BTW, Exchange is working fine -- but there are problems when adding new users mailboxes when I use the ADUC on the exchange server.  Fine when on DC.

Thanks in advance!!!

Jon
0
graceout
Asked:
graceout
  • 11
  • 4
  • 2
  • +1
2 Solutions
 
Krzysztof PytkoSenior Active Directory EngineerCommented:
Could you take print screen from command-line where you run command

ipconfig /all

please?

I suppose that is a problem of DNS server misconfiguration.
0
 
Mike ThomasConsultantCommented:
Check member server and client ip configuration settings, maybe flush their dns cache using ipconfig/flushdns, hve you changed IP of the DC's or anything like that recently?
0
 
SjoerdvWCommented:
Sounds like a DNS problem. Can you run the following command to confirm that the GC is registered to DNS properly

nslookup gc._msdcs.[yourdomain.com]
0
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

 
graceoutAuthor Commented:
All servers and workstation have the DC's IP addreess as the Primary DSN server.

The secondary is the DNS server across the WAN in Corporate which forwards to the ISP.

I have forwarding set up on the DC's DNS AD zone which also points to this secondary.
0
 
Krzysztof PytkoSenior Active Directory EngineerCommented:
Please restart your netlogon service on DNS server.

net stop netlogon
net start netlogon

and check again
0
 
Krzysztof PytkoSenior Active Directory EngineerCommented:
If it won't help run DNS test from command-line and put results here

dcdiag /test:dns

thanks in advance
0
 
graceoutAuthor Commented:
SjoerdvW:  this command returns "*** Can't Find __________: Non existent domain."

In fact, I usually get errors from "nslookup [hostname]" even though I've checked through DNS server properties and reverse lookups.

0
 
graceoutAuthor Commented:
DCDIAG was run FROM the Exchange server, but added the /s: tag which identifies BALAD as the DC.
The DC IS 1292.168.7.10

Definately something funky going on.  It's like our DNS server is forwarding everything...
DNStest.jpg
0
 
graceoutAuthor Commented:
In fact, ANY "nslookup [hostname] returns:  *** dc.domain.com can't find hostname: Query refused.

Again, all primary dns servers ARE the domain controller AND dns server.
0
 
Mike ThomasConsultantCommented:
Create a new forward lookup zone named _msdcs.mydomain.com , Store it in AD,
allow dynamic updates, then restart the Netlogon service byt typing "net stop netlogon && net start netlogon"
0
 
Krzysztof PytkoSenior Active Directory EngineerCommented:
do you have more than 1 nic on dns server?
0
 
graceoutAuthor Commented:
Only 1 NIC on DC/DNS server.

iSiek:  I have just done this -- although there WAS a _msdcs folder inside the AD zone.

Still getting 'Cant find ... query refused' on all nslookups.
0
 
graceoutAuthor Commented:
Starting to think the real question is:  Why is my DNS server refusing queries?
0
 
graceoutAuthor Commented:
I guess everyone is giving up, but I wanted to mention one other thing I noticed:

When I perform "nslookup hostname" it fails as before, but when I perform

"nslookup hostname.fully.qualified.domain.name" it suceeds.

Any final ideas?
0
 
SjoerdvWCommented:
Can you add fully.qualified.domain.name to the "DNS suffix for this connection" in the ip properties of you're network connection?

(this can also be done through DHCP, Server Options, 15 DNS domain Name)
0
 
graceoutAuthor Commented:
SjoerdvW:  This is already done -- and if also done mannually, does not resolve this problem.

Adding this "DNS Suffix" only insures that connections  (pings, etc.) get resolved within the domain.  One can ping HOSTNAME without needing to qualify it.


0
 
graceoutAuthor Commented:
SjoerdvW:

You asked me to do this: "Can you run the following command to confirm that the GC is registered to DNS properly:  nslookup gc._msdcs.[yourdomain.com] "

What do I need to do to properly register GC in DNS?

You get full points when you show me how.

Thanks!
0
 
graceoutAuthor Commented:
Comments led me to my own resolution, but did not provide a solution.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

  • 11
  • 4
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now