ncomper asked:
Member server behind F/W joining Domain but no SPN created on object and cant log on
Hi
We have put two servers behind a firewall and joined them to the domain. They joined OK without error, but we noticed they took a long time to start up at "Applying computer settings", and then when I logged on I got the message below.
the security database on the server does not have a computer account for this workstation trust relationship
Looking at the object I saw that the SPN list was empty. I tried dropping it from the domain, deleting the AD object and rejoining, but had the same issue. I got the network team to change the rule to permit all and it worked fine. The list of ports we had opened is below:
TCP 135 : MS-RPC
TCP 1025 & 1026 : AD Login & replication
TCP 389 : LDAP
TCP & UDP 53 : DNS
TCP 445 : Microsoft-ds
TCP 139 : SMB
UDP 137 & 138 : NetBIOS related
UDP 88 : Kerberos v5
We also opened 49155 as we saw connections on that port.
Are there any ports we have missed?
A second thing that was noticed was that, even though the subnet these servers are in has been added to the AD site they are located at (Hong Kong), the servers were trying to connect to domain controllers in New York, London and Singapore on port 389.
My understanding is that if you have associated the subnet with a site, then they should not need to contact DCs outside that site.
Our domain is a Windows 2008 single domain/forest model; as this is the case, all DCs are global catalogs too.
Thanks
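The checks below are an added PowerShell example, not from the question or any answer on this page. Run on one of the member servers, it reports which site the client resolves to and which DC the locator returns, probes the TCP ports from the list above against that DC, lists live LDAP sessions (the cross-site port 389 connections the question mentions), and reads the computer object's SPNs. It assumes Test-NetConnection and Get-NetTCPConnection are available (Windows 8 / Server 2012 and later); the domain, DC and site names come from the running environment.

```powershell
# Added diagnostic for the symptoms in the question: out-of-site DC selection,
# the firewall port list, and the empty SPN list on the computer object.
# Assumes: run as a domain user on the joined member server; no RSAT needed.

# --- 1. Site affinity: the site the client maps to and the DC the locator returns.
$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
$dom  = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$dc   = $dom.FindDomainController()        # same answer as: nltest /dsgetdc:<domain>
"Client site : {0}" -f $site.Name
"Located DC  : {0} (site {1})" -f $dc.Name, $dc.SiteName
if ($dc.SiteName -ne $site.Name) {
    # The DC locator finds site-aware DCs with an LDAP ping over UDP 389 (CLDAP);
    # the question's list opens TCP 389 only.
    Write-Warning "Locator returned an out-of-site DC; verify the subnet-to-site mapping and UDP 389."
}

# --- 2. Firewall check: TCP ports from the question's list, probed against the located DC.
# UDP entries (53, 88, 137, 138) cannot be probed with Test-NetConnection and are skipped.
# 1025/1026 were the pre-2008 RPC ports; Server 2008 uses the dynamic range 49152-65535,
# which is where the observed 49155 connection falls.
$ports = [ordered]@{
    135 = 'MS-RPC endpoint mapper'; 139 = 'NetBIOS session'; 389 = 'LDAP'
    445 = 'Microsoft-DS (SMB)';     53  = 'DNS (TCP)';       1025 = 'legacy RPC'
    1026 = 'legacy RPC';            49155 = 'observed RPC dynamic port'
}
foreach ($p in $ports.Keys) {
    $r = Test-NetConnection -ComputerName $dc.Name -Port $p -WarningAction SilentlyContinue
    "{0,-6} {1,-26} {2}" -f $p, $ports[$p], $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# --- 3. Where the server is actually talking: established LDAP sessions by remote address.
Get-NetTCPConnection -RemotePort 389 -State Established -ErrorAction SilentlyContinue |
    Group-Object RemoteAddress |
    ForEach-Object { "LDAP session to {0} x{1}" -f $_.Name, $_.Count }

# --- 4. SPNs on this server's computer object (reported empty after the join).
$search = [adsisearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$spns = @($search.FindOne().Properties['serviceprincipalname'])
if ($spns.Count -eq 0) { Write-Warning "No SPNs found on the computer object for $env:COMPUTERNAME." }
else { $spns | ForEach-Object { "SPN: $_" } }
```

Compare the site names in step 1 and the remote addresses in step 3 against the DC list for the Hong Kong site; a BLOCKED line in step 2 names a rule to fix before rejoining.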
Even if you associated the subnet with a site, your DC should still be in contact with the other DCs for AD replication and Group Policy.
ASKER
Thanks for the responses
Sushil - Correct, I would expect the DC acting as the bridgehead for that site to replicate with DCs in other sites; however, I would not expect workstations/member servers to try to authenticate with remote DCs when the subnet they are in is specified on their AD site, which is what we were seeing.
Mahesh - I will take a look at those links, Thanks
ASKER
Thanks