Problems with Domain Controller - 2003 Server


Recommended Posts

Symptoms

* Time not sync'd sometimes

* Eventviewer errors

* No Domain Controller Available

* No Time Server Available

* Group policy not updating

* Windows XP Firewall was originally broken on clients

* A logon script band-aid fixed this problem

* Errors when adding PCs to the domain - but it still works

* Profiles will not load occasionally

These errors are rather random and don't seem to have any pattern. Most of the time things work, but sometimes they don't.

The server itself isn't under much load, and I'm pretty sure there's no network congestion.

It's a DC, file server, exchange server, DNS, and has IIS for something...

Any ideas? I can post eventvwr messages if that would help.

I'm also looking to see if I can script something like nmap to continuously check ports/services on the DC, to see if there's some sort of pattern or certain service that's dropping.

:blink:

Edited by Arrow_Runner
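The "script something like nmap to continuously check ports/services on the DC" idea from the post above, as an added example that is not from the original thread: a small Python poller that sweeps the TCP ports a client needs on a DC (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB/SYSVOL), timestamps every sweep, and tallies which service drops most often so an intermittent pattern shows up. The DC address 192.0.2.10 is a documentation placeholder, and the probe function is injectable so the logic can be exercised offline.

```python
"""Poll a DC's core TCP service ports on a schedule and tally failures (added example)."""
import socket
import time
from collections import Counter
from datetime import datetime

# Ports a domain member needs to reach on a DC for logon, GPO and DNS.
# UDP 123 (NTP) is omitted: a UDP probe has no handshake to confirm reachability.
DC_TCP_SERVICES = {53: "dns", 88: "kerberos", 135: "rpc-epm", 389: "ldap", 445: "smb/sysvol"}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_dc(host, services=DC_TCP_SERVICES, connect=tcp_open):
    """One sweep: return {service_name: reachable}. `connect` is injectable for offline tests."""
    return {name: connect(host, port) for port, name in services.items()}


def failure_pattern(history):
    """history: list of (timestamp, results). Return [(service, failure_count)], most failed first."""
    counts = Counter()
    for _, results in history:
        counts.update(name for name, ok in results.items() if not ok)
    return counts.most_common()


def monitor(host, sweeps, interval_s, connect=tcp_open, clock=time.time):
    """Run `sweeps` probes `interval_s` apart, print each outage as it happens, return the history."""
    history = []
    for _ in range(sweeps):
        results = probe_dc(host, connect=connect)
        stamp = datetime.fromtimestamp(clock()).isoformat(timespec="seconds")
        history.append((stamp, results))
        down = [name for name, ok in results.items() if not ok]
        if down:
            print(f"{stamp} {host} unreachable: {', '.join(down)}")
        if interval_s:
            time.sleep(interval_s)
    return history


if __name__ == "__main__":
    # 192.0.2.10 is a placeholder; replace it with the DC's real address and raise `sweeps`.
    print(failure_pattern(monitor("192.0.2.10", sweeps=3, interval_s=60)))
```

Leave it running for a day on a workstation that has the problem, then compare the timestamps of the printed outages with the netlogon and time errors in eventvwr on the same machine.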


Start with the Time sync'ing errors. Time sync'ing problems can wreak havoc on a domain.

How to configure an authoritative time server in Windows Server 2003

And also this:

15. Check the Default Domain Controllers group policy and the Default Domain group policy and any others that could affect the PDCe or other DCs. Check the following areas:

Computer configuration/Administrative Templates /System/Windows Time service/Time Providers

Ensure that all three settings listed are set to "not configured".

Edited by nmX.Memnoch

Also note that the vast majority of AD problems come down to DNS problems, so making sure your DNS is pristine (and you aren't using ANY public DNS servers on ANY of your boxes) is a good start as well.


One thing that Windows Time article doesn't mention is that the time service generally starts before the DNS service. So if you are running with a single server (and it appears you are) the time service tends to fail on its first try if you use the time server's DNS domain name. To avoid this simply use the IP address of whichever stratum 1 (or 2) external time server you pick.

On the other hand, I'm with Cluberti ... It sounds like a DNS issue.


I'm pretty sure DNS is working fine, this is how it's set up

We have 4 subnets for PCs.

The DNS server is set to point at itself for DNS with our ISPs 2 DNS servers as Forwarders.

The Forward Lookup Zone has 3 entries for the DNS/DC IP: one for mail.domain.local, one for dc.domain.local, and one that says (same as parent folder).

There is only 1 reverse lookup zone, there should be 4 I think. Nslookup for IPs on the other 3 subnets fails, but works fine on the reverse zone subnet.

The DNS/DC is listed in the Reverse Lookup Zone twice, once with a PTR record and once as a Name Server.

The DNS server passes simple self-tests and works with Nslookups.

I've found that some PCs are more prone to errors than others. Some only have 1 netlogon or time error in eventvwr while others always fail updating time....


Are all of the client machines pointing at the DC for DNS, and only at the DC for DNS?

Yes

It doesn't sound like the clients are registering themselves with the DNS server, are you statically assigning IPs?

Yes, we're not running DHCP. For a client to work correctly, does it need more on the DNS server than a HOST record in the FWD Lookup Zone? Most, if not all, of the first-subnet PCs have a Pointer record in the Reverse Lookup Zone as well, and even those ones have intermittent problems.


You can use these simple commands to configure time sync, without making changes to the registry. On the server and clients:

Server:

w32tm /config /syncfromflags:manual /manualpeerlist:time-a.nist.gov [or another time server]

w32tm /config /update

Client:

w32tm /config /syncfromflags:manual /manualpeerlist:<server name or IP address>

w32tm /config /update


Thanks for the info on the time related stuff, but I'm more concerned on the netlogon errors and group policy not updating on PCs. I think the time issue will clear up when I find the solution to those problems.

If I haven't mentioned, Group Policy will load on PCs about 7 out of 10 times. Sometimes just logging on and off and on and off, I'll find a few times where none of the policies I set for the Firewall Ports have loaded, although the Firewall Service is forced on per GP.


The Host A records are required and the PTR records are good to have, but not mandatory. If you have enough machines to require 4 subnets, you really should consider using DHCP to cut down on the administrative overhead.

Why are you forcing the client firewalls on inside the domain? The only firewall should be at the internal/external network border, internally they're really more of a nuisance.


As far as the subnets go, the #1 reason why we aren't running DHCP is because we run a special application that requires PCs to have a static IP.

As far as the Firewalls go, I see your point where they could just as easily be turned off, but due to the type of industry my company is in, security should be as high as possible.


As far as the subnets go, the #1 reason why we aren't running DHCP is because we run a special application that requires PCs to have a static IP.

All of them?

As far as the Firewalls go, I see your point where they could just as easily be turned off, but due to the type of industry my company is in, security should be as high as possible.

Okay... But security should be layered and carefully monitored. Not shoveled on and assumed. There is no point in blocking (firewalling) ports that aren't open in the first place. Unnecessary services should be turned off to make them un-exploitable. Proper passwords (and policy), NTFS permissions, Share permissions, and running internal IPSec tunnels will make things secure, while also being accessible as/when/if needed (by the "right people").

The software firewall is just queering the deal by being put in a situation where it's trying to decide if it should load or not while other services are trying to get started.

Note: Software firewalls fail open under attack, so they're rather pointless IMO.


You're welcome! :)

Excuse me, but I have two questions:

1. How many network cards are installed on your server?

2. Is there a mandatory need for all these subnets?

Hugs...

There is just one NIC in the server.

And I got here after everything was set up, but there are 4 physical locations, so it does make some sense. I still would have done it a little differently though.


All of them?

Yup. There's only 50ish PCs total, so it's not a huge hassle though.

Okay... But security should be layered and carefully monitored. Not shoveled on and assumed. There is no point in blocking (firewalling) ports that aren't open in the first place. Unnecessary services should be turned off to make them un-exploitable. Proper passwords (and policy), NTFS permissions, Share permissions, and running internal IPSec tunnels will make things secure, while also being accessible as/when/if needed (by the "right people").

The software firewall is just queering the deal by being put in a situation where it's trying to decide if it should load or not while other services are trying to get started.

Note: Software firewalls fail open under attack, so they're rather pointless IMO.

I completely understand what you mean by layered and not shoveled. I'm semi-in-the-process of researching for a full IT audit here to get things right. One of the things I'm going to try and push is a white-list software restriction policy.

The real issue here is not how I set up the firewall, it's that I set up the firewall and Group Policy should be making it happen, but it doesn't always. How can I use soft-restriction policies if they're only going to work MOST of the time?

I should have also mentioned that the XP firewall stops functioning correctly as soon as I reboot after adding the PC to the domain. The firewall would be off but the PC would not accept incoming connections (e.g. for remote admin). I've had to script a fix in the logon script which has helped a lot, but it's only a band-aid since the problem is still intermittent.

I think what I'm going to do now is block inheritance on a GPO so I can add a new PC without any policies or logon scripts affecting it. I THINK there may be a conflicting policy of some sort.

Edited by Arrow_Runner