First, let me say I'm experienced with VMware but relatively new to Xenserver.
There are 3 Xenservers at this site. Two of them are running Xenserver 6.1 and are in a pool. The third is a separate single server which I recently upgraded from Xenserver 6.1 to Xenserver 7.0 so that I could install a Windows 2016 VM. There are 2 DCs in this small network, DC2 on one of the servers in the pool and DC3 on the Xenserver that was just upgraded.
I'm currently having a strange problem with active directory. When I run dcdiag on DC2 I get the following error for DC3:
Role Domain Owner = CN=NTDS Settings,CN=DC3,CN=Servers
Ldap search capability attribute search failed on server DC3,
return value = 81
Warning: DC3 is the Domain Owner, but is not responding to LDAP
......................... GPSP-DC2 failed test KnowsOfRoleHolders
If I run dcdiag on DC3, it passes all tests. I even ran a specific test on DC3 for advertising, and that also showed no errors. Also, replication is working fine between the two DCs.
In researching this issue, the most common cause of a failure like this is a firewall. The Windows firewall on both machines is DISABLED by group policy, so it's not a Windows firewall issue. There is no other software or hardware firewall on the network.
I've done some research. If I try turning off the firewall on the upgraded server by issuing "disable firewall" or "disable firewalld" I get a "command not found" response, so neither of these firewalls is running. I then ran an iptables list, but I'm not sure I understand what the contents of this table mean. Here is a screen capture of that output.
Do I need to open some ports for AD to function properly? Is there something else I'm missing?
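An added example, not part of the original question and not the poster's own commands: a PowerShell check run on DC2 that tests the TCP ports one domain controller needs to reach another and then attempts an LDAP bind against DC3, which separates a network-level filter from an LDAP service fault. The host name DC3 is taken from the dcdiag output above; everything else is assumed.

```powershell
# Added example (not from the original post). Run from DC2 as a domain admin.
$Target = 'DC3'   # assumption: the DC named in the dcdiag output

# TCP ports AD uses between domain controllers: Kerberos 88, RPC endpoint mapper 135,
# LDAP 389, SMB 445, Kerberos password change 464, LDAPS 636, Global Catalog 3268/3269.
$Ports = @{ Kerberos=88; RpcEpm=135; LDAP=389; SMB=445; Kpasswd=464; LDAPS=636; GC=3268; GCSSL=3269 }

$results = foreach ($name in ($Ports.Keys | Sort-Object)) {
    $port = $Ports[$name]
    $tcp  = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Service = $name; Port = $port; Open = $tcp.TcpTestSucceeded }
}
$results | Format-Table -AutoSize   # any 'Open = False' row points at a filter in the path

# LDAP return value 81 is LDAP_SERVER_DOWN: the client could not complete an LDAP
# exchange with the server at all. If port 389 is reachable but this bind still fails,
# the problem is in the LDAP service on DC3 rather than the network.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Target, 389)
$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$ldap.Timeout  = [TimeSpan]::FromSeconds(10)
$ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
try {
    $ldap.Bind()   # binds with the current domain credentials
    # Read rootDSE, which every DC exposes; isSynchronized shows the DC has finished initial sync
    $req   = New-Object System.DirectoryServices.Protocols.SearchRequest(
                 '', '(objectClass=*)', 'Base', @('dnsHostName', 'isSynchronized'))
    $resp  = $ldap.SendRequest($req)
    $entry = $resp.Entries[0]
    'LDAP bind OK: dnsHostName={0} isSynchronized={1}' -f `
        $entry.Attributes['dnsHostName'][0], $entry.Attributes['isSynchronized'][0]
} catch {
    "LDAP bind to $Target failed: $($_.Exception.Message)"
} finally {
    $ldap.Dispose()
}
```

If every port reports open and the bind succeeds from DC2, the LDAP path itself is fine and the dcdiag failure is more likely a name-resolution or time issue than a firewall.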