AD problems after Xenserver upgrade

First, let me say I'm experienced with VMware but relatively new to Xenserver.

There are 3 Xenservers at this site. Two of them are running Xenserver 6.1 and are in a pool. The third is a separate single server which I recently upgraded from Xenserver 6.1 to Xenserver 7.0 so that I could install a Windows 2016 VM.  There are 2 DCs in this small network, DC2 on one of the servers in the pool and DC3 on the Xenserver that was just upgraded.

I'm currently having a strange problem with active directory.  When I run dcdiag on DC2 I get the following error for DC3:

         Role Domain Owner = CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
         Ldap search capability attribute search failed on server DC3,
         return value = 81
         Warning: DC3 is the Domain Owner, but is not responding to LDAP
         ......................... GPSP-DC2 failed test KnowsOfRoleHolders

If I run dcdiag on DC3, it passes all tests. I even ran a specific test on DC3 for advertising, and that also showed no errors. Also, replication is working fine between the two DCs.

In researching this issue, the most common cause of a failure like this is a firewall.  The Windows firewall on both machines is DISABLED by group policy, so it's not a Windows firewall issue.  There is no other software or hardware firewall on the network.

I've done some research. If I try turning off the firewall on the upgraded server by issuing "disable firewall" or "disable firewalld" I get a "command not found" response, so neither of these firewalls is running.  I then ran an iptables list, but I'm not sure I understand what the contents of this table mean.  Here is a screen capture of that output.


Do I need to open some ports for AD to function properly? Is there something else I'm missing?
Hypercat (Deb)Asked:

Download and install Active Directory Replication Status Tool, it will allow you see a better picture of who doesn't talk to who. Install it on each DC in the domain.
Hypercat (Deb)Author Commented:
As expected this tool shows pretty much the same thing as I described and as the dcdiag coupled with repadmin /showrepl.  On DC3, there were no errors either in Configuration/Scope section or the Replication Status section. Specifically on DC3 in the Replication Status section, it showed replication completing successfully in BOTH directions.  On DC2, there was an error in the Configuration/Scope showing a failure to get the replication status for DC3.  In the Replication Status section, it showed success for the replication from DC3 to DC2 but failure from DC2 to DC3.
There are links to articles on how to address and resolve the issue, in the tool.
Hypercat (Deb)Author Commented:
I didn't see any links but will look further.  I was running things remotely on a small screen so couldn't see all of the output.
Hypercat (Deb)Author Commented:
Still didn't see any links in the AD Replication Status tool.  However, I did look up the error I was seeing (microsoft.sirona.collection. collection exception) and again found only suggestions that there was a firewall issue or a problem with antivirus software, neither of which makes sense, since none of these settings or software had changed.

I started checking (again) DNS SRV records and such, and in this process also decided to check the NIC card settings on both DCs.  I noticed that one DC had IPv6 enabled and the other didn't.  I recalled that one of my colleagues had disabled IPv6 on DC2 because of some DHCP problems he was troubleshooting. On the theory that "you NEVER KNOW!" I decided to disable IPv6 also on DC3.  You NEVER KNOW worked once again, and miraculously now replication is working fine on both DCs in both directions.

Thanks for your suggestions even though in the end I managed to stumble across the real cause and fix the problem myself on this one!
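The thread ends with an IPv6 mismatch between the two DCs explaining a one-directional LDAP failure that dcdiag reported as return value 81 (LDAP_SERVER_DOWN). The script below is an added example, not code posted in the thread, that a defender can run from one DC to make that kind of mismatch visible before guessing at firewalls: for each DC it shows what the name resolves to (A versus AAAA), whether IPv6 is bound on the adapters, and whether the LDAP ports actually answer. The DC names DC2 and DC3 are taken from the question; the port list is the standard set of LDAP/Global Catalog ports and is an assumption rather than something the page states, and querying the remote adapter bindings assumes WinRM is enabled on the target.

```powershell
# Added example (not from the original thread): compare IPv6 state and
# LDAP reachability for two domain controllers. Run from DC2 as an
# administrator. DC2/DC3 come from the question; the port list is a
# standard set of LDAP/GC ports, assumed here rather than quoted from the page.
$Dcs       = @('DC2', 'DC3')
$LdapPorts = @(389, 636, 3268, 3269)

foreach ($dc in $Dcs) {
    Write-Host "=== $dc ==="

    # What the name resolves to. One DC answering with AAAA records while
    # the other has IPv6 disabled is the first hint of a dual-stack mismatch.
    $a    = Resolve-DnsName -Name $dc -Type A    -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' }
    $aaaa = Resolve-DnsName -Name $dc -Type AAAA -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'AAAA' }
    Write-Host ("  A    : " + (($a    | Select-Object -ExpandProperty IPAddress) -join ', '))
    Write-Host ("  AAAA : " + (($aaaa | Select-Object -ExpandProperty IPAddress) -join ', '))

    # Is IPv6 bound on the DC's adapters? Get-NetAdapterBinding can be run
    # against a remote machine through a CIM session (assumes WinRM is enabled).
    try {
        $session = New-CimSession -ComputerName $dc -ErrorAction Stop
        Get-NetAdapterBinding -CimSession $session -ComponentID 'ms_tcpip6' |
            ForEach-Object { Write-Host ("  IPv6 on {0}: {1}" -f $_.Name, $_.Enabled) }
        Remove-CimSession $session
    } catch {
        Write-Host "  IPv6 binding: could not query $dc ($($_.Exception.Message))"
    }

    # Can this machine reach the LDAP ports? This is the check behind the
    # "not responding to LDAP" / return value 81 message in dcdiag. The
    # RemoteAddress column shows which address family the test actually used.
    foreach ($port in $LdapPorts) {
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        Write-Host ("  TCP {0,-5}: {1}  (remote {2})" -f $port, $r.TcpTestSucceeded, $r.RemoteAddress)
    }
}
```

Run it from each DC in turn; if the LDAP tests succeed in one direction but not the other, or if the two hosts disagree on whether IPv6 is bound, that asymmetry is the thing to resolve before looking at hypervisor-side iptables rules, which on a XenServer host apply to dom0 itself and not to the VMs' traffic.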

Hypercat (Deb)Author Commented:
Although I followed Ronin's suggestion, it didn't provide any additional information that helped me solve the issue.