From: Dave Onex on 9 Nov 2009 15:41

Hi Folks;

Neither of my domain controllers can reach the default gateway even though it's properly defined and there are valid forward and reverse records in DNS. Pinging the DG results in...nothing!

Every other machine on the network can ping the DG. All machines are on one LAN segment with one default gateway.

Everything here is Windows 2000 Advanced Server and ISA 2004.

Background....

I made some network changes by promoting a different machine to become the DC for the domain. Everything went well and the original machine was demoted back to standard server. No issues - all is well. Event logs are spotless. A perfect DCPROMO if ever there was one.

I then promoted a different machine to become a supplemental DC and everything went well with one issue - FRS reports it's having problems connecting to the existing DC and reports that it's likely a DNS issue.

I check the DNS network wide and find that there are proper forward and reverse entries for the server in question. I triple check by looking them up from a DOS prompt - all OK.

So why does FRS fail? Unknown.

I then run netdiag /fix and it reports that the only issue is that it cannot connect to the default gateway. I check the default gateway and it's correct! I then ping the default gateway and what do I find? No response. How can that be?

After checking all machines I find that the only two that can't ping the default gateway are the Domain Controllers. The DG is properly defined in each case and there are valid forward and reverse entries in the DNS for the DG.

I have no clue what's wrong. The key might be that only the domain controllers can't reach the DG. Can anyone help?

Thanks!
Dave
From: Dave Onex on 9 Nov 2009 16:40

I seem to have fixed it. It appears to have been a firewall issue where the firewall was denying ICMP traffic from those two servers :-)

Best;
Dave

"Dave Onex" <dave(a)microsoft.com> wrote in message news:egNEM0XYKHA.3696(a)TK2MSFTNGP02.phx.gbl...
From: Ace Fekay [MCT] on 10 Nov 2009 20:23

"Dave Onex" <dave(a)microsoft.com> wrote in message news:eoyhKVYYKHA.4516(a)TK2MSFTNGP02.phx.gbl...

> I seem to have fixed it. It appears to have been a firewall issue where the firewall was denying ICMP traffic from those two servers :-)

I was going to say it was probably an ISA issue. If ISA is on a DC, it can be extremely problematic for a number of reasons. First, it's a DC. If a DC has more than one NIC, IP address or RRAS on it, it causes a complexity that causes DNS registration issues. On top of that, if you install ISA, the complications logarithmically increase.

Glad you figured it out.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
From: Dave Onex on 12 Nov 2009 16:36

Hi Ace;

In my case the ISA is just a member of the domain - not a domain controller. Making the ISA a domain controller would be, in my mind, a recipe for disaster especially from a security standpoint.

I did find one other thing though and it was important. On one of the domain controllers the active directory DNS zone for my domain was missing an important entry. In the _msdcs area of DNS it was missing the CNAME entry with the GUID for the other domain controller. That's why it couldn't replicate with the other domain controller.

When I was testing the DNS I was just using the other domain controller's machine name. I didn't realize that that record in that area of the DNS had to be there. In fact, I'd never ventured into the active directory entries in DNS :-)

Anyway, got it cased and just wanted to update this thread for archival purposes.

Best;
Dave

"Ace Fekay [MCT]" <aceman(a)mvps.RemoveThisPart.org> wrote in message news:O2yri2mYKHA.4932(a)TK2MSFTNGP02.phx.gbl...

> I was going to say it was probably an ISA issue. If ISA is on a DC, it can be extremely problematic for a number of reasons. First, it's a DC. If a DC has more than one NIC, IP address or RRAS on it, it causes a complexity that causes DNS registration issues. On top of that, if you install ISA, the complications logarithmically increase.
>
> Glad you figured it out.
From: Ace Fekay [MCT] on 12 Nov 2009 23:21
"Dave Onex" <dave(a)microsoft.com> wrote in message news:%23dFH0A%23YKHA.4148(a)TK2MSFTNGP04.phx.gbl...

> Hi Ace;
>
> In my case the ISA is just a member of the domain - not a domain controller. Making the ISA a domain controller would be, in my mind, a recipe for disaster especially from a security standpoint.
>
> I did find one other thing though and it was important. On one of the domain controllers the active directory DNS zone for my domain was missing an important entry. In the _msdcs area of DNS it was missing the CNAME entry with the GUID for the other domain controller. That's why it couldn't replicate with the other domain controller.
>
> When I was testing the DNS I was just using the other domain controller's machine name. I didn't realize that that record in that area of the DNS had to be there. In fact, I'd never ventured into the active directory entries in DNS :-)
>
> Anyway, got it cased and just wanted to update this thread for archival purposes.
>
> Best;
> Dave

I'm glad you got to the bottom of it. The CNAME GUID, among other SRV records, are all important records. What was the cause of the missing records? Normally restarting the Netlogon service on a DC will create the SRV records. If all things are configured properly, one thing you can do is delete the system32\config\netlogon.dns and netlogon.bak files, then run ipconfig /registerdns, then restart Netlogon. If they're still not being created, then I suspect a misconfiguration somewhere.

As long as you are only using the internal DNS servers, the zone name allows updates, the Primary DNS Suffix (look at an ipconfig /all) matches the zone name in DNS, and the domain is not a single label name, you should be good to go. You can use this list as things to look for when troubleshooting Dynamic DNS registration problems.

Ace
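As an added example (not from the thread or from either poster), the check Dave's and Ace's posts describe in script form: it compares the records a DC expects to register, as listed in its netlogon.dns file, against a snapshot of what the zone actually serves, and flags the missing <GUID>._msdcs CNAME. The file contents, zone snapshot, domain name and GUID are constructed placeholders.

```python
"""Diff the records a DC expects to register (netlogon.dns) against what the zone serves."""
import re
from typing import List, Set, Tuple

# Constructed sample of system32\config\netlogon.dns for a DC "dc2" in example.com (placeholder GUID).
NETLOGON_DNS = """\
example.com. 600 IN A 192.0.2.11
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc2.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc2.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.
11111111-2222-3333-4444-555555555555._msdcs.example.com. 600 IN CNAME dc2.example.com.
"""

# Constructed snapshot of the zone on the other DC: everything but the _msdcs GUID CNAME, as in the thread.
ZONE_SNAPSHOT = """\
example.com. 600 IN A 192.0.2.11
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc2.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc2.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.
"""

Record = Tuple[str, str, str]  # (owner name, record type, rdata), normalised to lower case
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|SRV|CNAME)\s+(.+?)\s*$", re.I)
GUID_CNAME = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\._msdcs\.", re.I)

def parse_records(text: str) -> Set[Record]:
    """Parse BIND-style resource record lines; the TTL is ignored for comparison."""
    out: Set[Record] = set()
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:  # blank lines, comments and record types we do not compare are skipped
            owner, _ttl, rtype, rdata = m.groups()
            out.add((owner.lower(), rtype.upper(), " ".join(rdata.lower().split())))
    return out

def missing_records(expected: str, published: str) -> List[Record]:
    """Records Netlogon would register that the zone does not currently hold."""
    return sorted(parse_records(expected) - parse_records(published))

def msdcs_cname_present(published: str, dc_fqdn: str) -> bool:
    """True if a <DSA-GUID>._msdcs.<domain> CNAME in the zone points at dc_fqdn."""
    target = dc_fqdn.lower().rstrip(".") + "."
    return any(rtype == "CNAME" and GUID_CNAME.match(owner) and rdata == target
               for owner, rtype, rdata in parse_records(published))

if __name__ == "__main__":
    for rec in missing_records(NETLOGON_DNS, ZONE_SNAPSHOT):
        print("MISSING:", *rec)
    print("dc2 _msdcs CNAME present:", msdcs_cname_present(ZONE_SNAPSHOT, "dc2.example.com"))
```

On a real DC, feed the script the actual netlogon.dns contents and a zone dump from the DNS server that FRS is failing against; a hit in the missing list is the record to chase before touching Netlogon.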