Member server behind F/W joining Domain but no SPN created on object and can't log on

Posted on 2014-02-11
881 Views
Last Modified: 2014-02-12
Hi

We have put two servers behind a firewall and joined them to the domain. They joined OK without error, but I noticed they took a long time to start up at "Applying computer settings", and then when I logged on I got the below message:

The security database on the server does not have a computer account for this workstation trust relationship.

Looking at the object, I see that the SPN was empty. I tried dropping it from the domain, deleting the AD object and rejoining, but had the same issue. I got the network team to change the rule to permit all and it worked fine. The list of ports we had opened is below:

TCP 135 : MS-RPC
TCP 1025 & 1026 : AD Login & replication
TCP 389 : LDAP
TCP & UDP 53 : DNS
TCP 445 : Microsoft-ds
TCP 139 : SMB
UDP 137 & 138 : NetBIOS related
UDP 88 : Kerberos v5
We also opened 49155 as we saw connections on that.

Are there any ports we have missed?

A second thing we noticed was that even though the subnet these servers are in has been added to the AD site they are located in (HongKong), the servers were trying to connect to domain controllers in New York, London and Singapore on port 389.

My understanding is that if you have associated the subnet with a site, then they should not need to contact DCs outside that site.

Our domain is a Windows 2008 single domain/forest model; as this is the case, all DCs are global catalogs too.

Thanks
Question by: ncomper

Expert Comment by: Sushil Sonawane (LVL 18)
Even if you have associated the subnet with a site, your DC should still contact other DCs for AD replication and Group Policy.

Accepted Solution by: Mahesh (LVL 35), earned 500 total points
You need to open the entire 49152-65535 high TCP and UDP port range from all client subnets to the domain controllers' IPs.
This is a primary requirement in the case of 2008 and above DCs.
List of all ports:
• TCP and UDP 53 – DNS
• UDP 137, 138, 139 – NetBIOS
• TCP 3268, 3269 – GC
• TCP and UDP 445 – SMB
• TCP and UDP 88, 464 – Kerberos
• TCP and UDP 389, 636 – LDAP
• TCP and UDP 42 – WINS (optional)
• TCP and UDP 135 – RPC
• TCP 5722 – DFSR
• UDP 123 – Windows Time
• Ping protocol (optional)
• TCP and UDP 1024-5000 in the case of Windows 2003, and 49152-65535 in the case of 2008 and above – high RPC ports

The above port ranges need to be opened between DCs bidirectionally (two-way) and from client to DC one way.

I have seen that most of the time, even if you restrict AD traffic to specific static ports, it still requires a minimum of 255 high TCP ports to communicate properly.

If you have a DR site and DR DCs, then you need to open ports from your clients to the DR DCs as well, in case DR is invoked.

http://support.microsoft.com/kb/832017 - AD port requirements
http://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
http://support.microsoft.com/kb/929851 - dynamic port range change with Vista and above

Mahesh
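As an added example (not code from this thread or from any of its participants), the following PowerShell script probes the static TCP ports from the accepted answer's list from a member server to each DC and reports which are blocked, so a firewall rule can be checked against the list rather than by falling back to "permit all" as the question did. The DC names are placeholders. It uses System.Net.Sockets.TcpClient rather than Test-NetConnection so that it also runs on 2008-era hosts. The UDP entries in the answer (53, 88, 123, 137/138, 389, 464) cannot be confirmed with a TCP connect and have to be verified on the firewall itself.

```powershell
# Added example, not code from the thread. Probes the static TCP ports from the
# accepted answer's list from a member server to each DC and reports what is blocked.
# DC names are placeholders; replace them with the DCs serving your site.
$DomainControllers = @('dc01.corp.example', 'dc02.corp.example')

# TCP ports from the accepted answer (DFSR 5722 is DC-to-DC only; it is kept so
# the same script can be run from a DC to check the DC-to-DC rule).
$StaticPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 139;  Service = 'NetBIOS session' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAPS' },
    @{ Port = 3268; Service = 'Global Catalog' },
    @{ Port = 3269; Service = 'Global Catalog (SSL)' },
    @{ Port = 5722; Service = 'DFSR (DC to DC)' }
)

# TcpClient with a timeout instead of Test-NetConnection (absent on 2008-era hosts).
# A firewall DROP shows up as a timeout, a REJECT as a fast failure; both return $false.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# One result object per DC/port pair.
function Test-DcPorts {
    param([string[]]$Dcs, [hashtable[]]$Ports)
    foreach ($dc in $Dcs) {
        foreach ($p in $Ports) {
            New-Object PSObject -Property @{
                DC      = $dc
                Port    = $p.Port
                Service = $p.Service
                Open    = Test-TcpPort -Target $dc -Port $p.Port
            }
        }
    }
}

$results = Test-DcPorts -Dcs $DomainControllers -Ports $StaticPorts
$results | Format-Table DC, Port, Service, Open -AutoSize
$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} port(s) blocked: {1}" -f $blocked.Count,
        (($blocked | ForEach-Object { "$($_.DC):$($_.Port)" }) -join ', '))
}
```

The dynamic RPC range cannot be probed port by port: a service listens only on the port it was assigned at start-up, which is why the question saw traffic on 49155 at one boot and a different port would show up after the next. Confirm the range the DC actually uses on the DC with `netsh int ipv4 show dynamicport tcp` (the command documented in the KB 929851 link above; the default on 2008 and later is 49152-65535) and make sure the client-to-DC rule covers that whole range toward the DC addresses only, which keeps the rule far narrower than the permit-all the question fell back to.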

Author Comment by: ncomper (LVL 5)
Thanks for the responses

Sushil - Correct, I would expect the DC acting as the bridgehead for that site to replicate with DCs in other sites; however, I would not expect workstations/member servers to try and authenticate with remote DCs when the subnet they are in is specified on their AD site, which was what we were seeing.

Mahesh - I will take a look at those links. Thanks.
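On the site question raised in the original post and in this exchange, one point worth knowing when reading the port 389 connections: the DC locator's first discovery after a join uses the domain-wide `_ldap._tcp.dc._msdcs` SRV record, which returns DCs from every site, and sends LDAP pings (UDP 389) to several of them; the first DC to answer tells the client which site it belongs to, and only then does the client switch to the site-specific record and cache the site name. So a fresh box touching New York, London and Singapore on 389 once is expected; if it keeps doing so after the site has been cached, the subnet-to-site mapping is the thing to check. As an added example (not code from this thread or its participants), the script below verifies from a member server whether the machine resolves to a site at all and whether the locator then picks a DC in that site; the domain name is a placeholder.

```powershell
# Added example, not code from the thread. Checks from a member server whether
# the DC locator knows this machine's site and picks a DC in that site.
# The domain name is a placeholder.
$Domain = 'corp.example'

# Pull "Label: value" out of nltest's output; returns $null if the label is absent.
function Get-NltestField {
    param([string[]]$Lines, [string]$Label)
    $pattern = "^\s*$([regex]::Escape($Label)):"
    $m = $Lines | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if ($m) { return ($m -split ':', 2)[1].Trim() }
    return $null
}

function Get-SiteAffinity {
    param([string]$DomainName)

    # Site the client computes for itself from the site/subnet table in AD.
    # This throws when no subnet object covers the machine's IP, which is
    # exactly the misconfiguration to look for.
    $computerSite = $null
    try {
        $computerSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    } catch {
        Write-Warning "No AD site covers this machine's address: $($_.Exception.Message)"
    }

    # /force discards the cached DC and re-runs discovery. The output carries
    # 'Dc Site Name', 'Our Site Name' and a Flags line that includes CLOSE_SITE
    # when the returned DC is in the client's site (or the nearest covering site).
    $out = & nltest "/dsgetdc:$DomainName" /force 2>&1 | ForEach-Object { "$_" }
    $flags = Get-NltestField -Lines $out -Label 'Flags'

    New-Object PSObject -Property @{
        ComputerSite = $computerSite
        LocatedDC    = Get-NltestField -Lines $out -Label 'DC'
        DcSite       = Get-NltestField -Lines $out -Label 'Dc Site Name'
        OurSite      = Get-NltestField -Lines $out -Label 'Our Site Name'
        CloseSite    = ($null -ne $flags -and $flags -match '\bCLOSE_SITE\b')
    }
}

Get-SiteAffinity -DomainName $Domain | Format-List ComputerSite, LocatedDC, DcSite, OurSite, CloseSite
```

A healthy result has ComputerSite, DcSite and OurSite all equal to the site the subnet was mapped to (HongKong in the question) and CloseSite set to True. A warning from GetComputerSite() with an empty OurSite means the subnet object does not actually cover the server's address (a wrong mask is the usual cause), and in that state the locator is free to return a DC from any site, which is the behaviour described in the question.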

Author Closing Comment by: ncomper (LVL 5)
Thanks