Arrow_Runner Posted October 12, 2007 (edited)

Symptoms:
* Time not sync'd sometimes
* Event Viewer errors
* No Domain Controller Available
* No Time Server Available
* Group policy not updating
* Windows XP Firewall was originally broken on clients
* A logon script band-aid fixed this problem
* Errors when adding PCs to the domain, but it still works
* Profiles will not load occasionally

These errors are rather random and don't seem to have any pattern. Most of the time things work, but sometimes they don't. The server itself is hardly under any load, and I'm pretty sure there's no network congestion. It's a DC, file server, Exchange server, DNS, and has IIS for something... Any ideas? I can post Event Viewer messages if that would help.

I'm also looking to see if I can script something like nmap to continuously check ports/services on the DC, to see if there's some sort of pattern or a certain service that's dropping.

Edited October 12, 2007 by Arrow_Runner
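The continuous port/service check the poster is after can be done without nmap. The script below is an added example written for this thread, not code from any poster: it sweeps the TCP ports a domain controller must serve, logs each sweep, and reports which services answered in some sweeps but not others, which is exactly the intermittent pattern being hunted. The DC host name, the port list and the log file name are assumptions; NTP (UDP 123) is deliberately left out because a TCP connect cannot probe it.

```python
"""Periodic reachability sweep of the ports a domain controller must serve.

Added example written for this thread, not code from any poster. It is a
lightweight stand-in for scripting nmap against the DC: it records which
services answer on each sweep so an intermittently failing service shows
up as a pattern. The host name, the port list and the log file name are
assumptions; change them to match your DC.
"""
import socket
import time
import logging
from collections import Counter

# Services an AD domain controller that also runs DNS normally exposes over
# TCP (assumption: the thread says this single box is DC, DNS, Exchange and
# IIS). NTP (UDP 123) is not listed because a TCP connect cannot probe it.
DC_SERVICES = {
    "dns-tcp": 53,
    "kerberos": 88,
    "rpc-endpoint-mapper": 135,
    "ldap": 389,
    "smb": 445,
    "global-catalog": 3268,
}


def tcp_connect_ok(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sweep(host, services=DC_SERVICES, probe=tcp_connect_ok):
    """One pass over all services; returns {name: reachable}. `probe` is
    injectable so the bookkeeping can be tested without a network."""
    return {name: probe(host, port) for name, port in services.items()}


def run_sweeps(host, count, interval=60, services=DC_SERVICES,
               probe=tcp_connect_ok, sleep=time.sleep):
    """Collect `count` sweeps, `interval` seconds apart, logging each one."""
    history = []
    for i in range(count):
        result = sweep(host, services, probe)
        history.append(result)
        failed = [name for name, ok in result.items() if not ok]
        logging.info("sweep %d on %s: %s", i + 1, host,
                     "all up" if not failed else "DOWN: " + ", ".join(failed))
        if i + 1 < count:
            sleep(interval)
    return history


def failure_counts(history):
    """Per-service count of sweeps in which the service did not answer."""
    counts = Counter()
    for result in history:
        counts.update(name for name, ok in result.items() if not ok)
    return dict(counts)


def flapping_services(history):
    """Services that were up in some sweeps and down in others: the
    intermittent pattern the original poster wants to catch."""
    counts = failure_counts(history)
    return sorted(name for name, n in counts.items() if 0 < n < len(history))


if __name__ == "__main__":
    logging.basicConfig(filename="dc-sweep.log", level=logging.INFO,
                        format="%(asctime)s %(message)s")
    hist = run_sweeps("dc.domain.local", count=10, interval=60)
    print("failures per service:", failure_counts(hist))
    print("flapping:", flapping_services(hist))
```

Run it from a client on each subnet, not only from the DC itself, since a service that is up on the box but unreachable from one site points at the network rather than the service.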
nmX.Memnoch Posted October 12, 2007 (edited)

Start with the time sync'ing errors. Time sync'ing problems can wreak havoc on a domain.

How to configure an authoritative time server in Windows Server 2003

And also this:

> 15. Check the Default Domain Controllers group policy and the Default Domain group policy and any others that could affect the PDCe or other DCs. Check the following areas:
> Computer Configuration/Administrative Templates/System/Windows Time Service/Time Providers
> Ensure that all three settings listed are set to "Not Configured".

Edited October 12, 2007 by nmX.Memnoch
cluberti Posted October 12, 2007

Also note that the vast majority of AD problems come down to DNS problems, so making sure your DNS is pristine (and you aren't using ANY public DNS servers on ANY of your boxes) is a good start as well.
Stoic Joker Posted October 15, 2007

One thing that Windows Time article doesn't mention is that the time service generally starts before the DNS service. So if you are running with a single server (and it appears you are) the time service tends to fail on its first try if you use the time server's DNS domain name. To avoid this, simply use the IP address of whichever stratum 1 (or 2) external time server you pick.

On the other hand, I'm with Cluberti... It sounds like a DNS issue.
Arrow_Runner Posted October 22, 2007

I'm pretty sure DNS is working fine; this is how it's set up:

We have 4 subnets for PCs.

The DNS server is set to point at itself for DNS, with our ISP's 2 DNS servers as Forwarders.

The Forward Lookup Zone has 3 entries for the DNS/DC IP: one for mail.domain.local, one for dc.domain.local, and one that says (same as parent folder).

There is only 1 reverse lookup zone; there should be 4, I think. Nslookup for IPs on the other 3 subnets fails, but works fine on the reverse zone subnet.

The DNS/DC is listed in the Reverse Lookup Zone twice, once with a PTR record and once as a Name Server.

The DNS server passes simple self-tests and works with Nslookups.

I've found that some PCs are more prone to errors than others. Some only have 1 netlogon or time error in Event Viewer while others always fail updating time....
Stoic Joker Posted October 23, 2007

Are all of the client machines pointing at the DC for DNS, and only at the DC for DNS?

It doesn't sound like the clients are registering themselves with the DNS server. Are you statically assigning IPs?
Arrow_Runner Posted October 23, 2007

> Are all of the client machines pointing at the DC for DNS, and only at the DC for DNS?

Yes

> It doesn't sound like the clients are registering themselves with the DNS server, are you statically assigning IPs?

Yes, we're not running DHCP. For a client to work correctly, does it need more on the DNS server other than a HOST record in the FWD Lookup Zone? Most, if not all, of the first subnet PCs have a Pointer record in the Reverse Lookup Zone as well, and even those ones have intermittent problems.
deda Posted October 23, 2007

You can use these simple commands to configure time sync, without making changes to the registry. On server and clients:

Server:
w32tm /config /syncfromflags:manual /manualpeerlist:time-a.nist.gov [or another time server]
w32tm /config /update

Client:
w32tm /config /syncfromflags:manual /manualpeerlist:[server name or IP address]
w32tm /config /update
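Before pointing w32tm at an external server by IP address (Stoic Joker's advice above) it is worth confirming from the DC that the chosen address actually answers and is synchronised. The following is an added example written for this thread, not code from any poster and not part of w32tm: a minimal SNTP (RFC 4330) client that sends one request to port 123, validates the reply (mode, leap indicator, stratum) and computes the local clock offset and round trip. The placeholder address 192.0.2.1 is an assumption; pass the real server IP on the command line.

```python
"""Query an external time server by IP address and report stratum and
clock offset.

Added example written for this thread; not code from any poster and not
Microsoft's w32tm. Implements a minimal SNTP (RFC 4330) client. The server
address in __main__ is a placeholder; substitute the IP of the stratum 1
or 2 server you picked.
"""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
SNTP_FORMAT = "!BBBb11I"       # 4 header bytes + 11 32-bit fields = 48 bytes


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32.32 fixed point) to Unix seconds."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32


def unix_to_ntp(unix):
    """Inverse of ntp_to_unix; returns (seconds, fraction)."""
    secs = int(unix) + NTP_EPOCH_OFFSET
    frac = int((unix - int(unix)) * 2 ** 32)
    return secs, frac


def build_request():
    """Client request: LI=0, VN=4, Mode=3; every other field zero."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | 3
    return bytes(pkt)


def parse_response(data):
    """Validate a server reply and return stratum plus the server receive
    (t2) and transmit (t3) times in Unix seconds."""
    if len(data) < 48:
        raise ValueError("short SNTP packet (%d bytes)" % len(data))
    (li_vn_mode, stratum, _poll, _precision,
     _root_delay, _root_disp, _ref_id,
     _ref_s, _ref_f, _orig_s, _orig_f,
     recv_s, recv_f, tx_s, tx_f) = struct.unpack(SNTP_FORMAT, data[:48])
    leap = li_vn_mode >> 6
    mode = li_vn_mode & 0x07
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if leap == 3 or stratum == 0:
        # LI=3: the server's own clock is unsynchronised. Stratum 0: a
        # kiss-o'-death packet. Neither is fit to set a clock from.
        raise ValueError("server unsynchronised or kiss-o'-death (stratum 0)")
    return {"stratum": stratum,
            "t2": ntp_to_unix(recv_s, recv_f),
            "t3": ntp_to_unix(tx_s, tx_f)}


def clock_offset(t1, t2, t3, t4):
    """Local clock offset per RFC 4330: t1/t4 are local send/receive times,
    t2/t3 the server's receive/transmit times."""
    return ((t2 - t1) + (t3 - t4)) / 2.0


def round_trip(t1, t2, t3, t4):
    """Network round-trip delay, excluding the server's processing time."""
    return (t4 - t1) - (t3 - t2)


def query(server_ip, timeout=3.0):
    """Send one SNTP request to server_ip:123; return stratum, offset, rtt."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(), (server_ip, 123))
        data, _ = s.recvfrom(512)
        t4 = time.time()
    r = parse_response(data)
    return {"stratum": r["stratum"],
            "offset_s": clock_offset(t1, r["t2"], r["t3"], t4),
            "rtt_s": round_trip(t1, r["t2"], r["t3"], t4)}


def make_server_reply(recv_unix, tx_unix, stratum=2, leap=0):
    """Constructed reply packet, used only to exercise the parser offline."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4
    recv_s, recv_f = unix_to_ntp(recv_unix)
    tx_s, tx_f = unix_to_ntp(tx_unix)
    return struct.pack(SNTP_FORMAT, li_vn_mode, stratum, 6, -20,
                       0, 0, 0, 0, 0, 0, 0, recv_s, recv_f, tx_s, tx_f)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder
    print(query(target))
```

A reply with a stratum of 1 or 2 and an offset of a few seconds or less means the server is a sensible peer; a large offset on a box that has been running for a while is itself a symptom worth logging alongside the Event Viewer errors.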
Arrow_Runner Posted October 23, 2007

Thanks for the info on the time related stuff, but I'm more concerned about the netlogon errors and group policy not updating on PCs. I think the time issue will clear up when I find the solution to those problems.

If I haven't mentioned, Group Policy will load on PCs about 7 out of 10 times. Sometimes just logging on and off and on and off, I'll find a few times where none of the policies I set for the Firewall Ports have loaded, although the Firewall Service is forced on per GP.
Stoic Joker Posted October 23, 2007

The Host A records are required and the PTR records are good to have, but not mandatory. If you have enough machines to require 4 subnets, you really should consider using DHCP to cut down on the administrative overhead.

Why are you forcing the client firewalls on inside the domain? The only firewall should be at the internal/external network border; internally they're really more of a nuisance.
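With static addressing and only one reverse zone, the practical check is to walk the static-IP list and compare it with what DNS answers: every host needs its A record (required, per the reply above), and a subnet where no host has a PTR is one whose reverse zone is missing (the situation described earlier in the thread, where nslookup by IP fails on three of the four subnets). The script below is an added example written for this thread, not code from any poster. It resolves through the machine's configured resolver, which on a domain member should be the DC; the host names and addresses in the sample inventory are constructed assumptions.

```python
"""Audit forward (A) and reverse (PTR) records against a static-IP list.

Added example written for this thread, not code from any poster. Lookups
go through the machine's configured resolver, which on a domain member
should be the DC. The sample inventory is constructed; replace it with the
real static-IP sheet.
"""
import socket
import ipaddress


def forward_lookup(name):
    """All IPv4 addresses the resolver returns for name (empty set if none)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def reverse_lookup(ip):
    """PTR name for ip, or None when the reverse zone gives no answer."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def check_host(name, expected_ip, fwd=forward_lookup, rev=reverse_lookup):
    """Compare what DNS says about one host with its assigned static IP.
    fwd/rev are injectable so the logic can run without a real DNS server."""
    problems = []
    ips = fwd(name)
    a_ok = expected_ip in ips
    if not ips:
        problems.append("no A record: the DC and other clients cannot find this host by name")
    elif not a_ok:
        problems.append("A record points at %s, not %s (stale registration?)"
                        % (sorted(ips), expected_ip))
    ptr = rev(expected_ip)
    ptr_ok = ptr is not None and ptr.lower().rstrip(".") == name.lower().rstrip(".")
    if ptr is None:
        problems.append("no PTR record (optional, but nslookup by IP will fail)")
    elif not ptr_ok:
        problems.append("PTR names %s instead of %s" % (ptr, name))
    return {"host": name, "ip": expected_ip, "a_ok": a_ok,
            "ptr_name": ptr, "ptr_ok": ptr_ok, "problems": problems}


def audit(inventory, fwd=forward_lookup, rev=reverse_lookup):
    """inventory: {hostname: static_ip}. Returns per-host results and the
    /24 subnets in which no host has any PTR, i.e. likely missing reverse
    zones (assumption: one /24 per subnet)."""
    results = [check_host(n, ip, fwd, rev) for n, ip in sorted(inventory.items())]
    ptr_seen = {}
    for r in results:
        net = ipaddress.ip_network(r["ip"] + "/24", strict=False)
        ptr_seen[net] = ptr_seen.get(net, False) or r["ptr_name"] is not None
    missing_reverse = sorted(str(n) for n, seen in ptr_seen.items() if not seen)
    return results, missing_reverse


# Constructed sample inventory (assumption: four /24 subnets, one per site).
SAMPLE_INVENTORY = {
    "pc01.domain.local": "192.168.1.10",
    "pc02.domain.local": "192.168.2.10",
    "pc03.domain.local": "192.168.3.10",
    "pc04.domain.local": "192.168.4.10",
}

if __name__ == "__main__":
    results, missing = audit(SAMPLE_INVENTORY)
    for r in results:
        print(r["host"], "OK" if not r["problems"] else "; ".join(r["problems"]))
    print("subnets with no PTR records at all:", missing)
```

Hosts that show up with no A record are the first suspects for the netlogon and Group Policy failures, since both depend on name resolution; the missing-reverse list tells you which reverse zones still have to be created.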
Arrow_Runner Posted October 23, 2007

As far as the subnets go, the #1 reason why we aren't running DHCP is because we run a special application that requires PCs to have a static IP.

As far as the Firewalls go, I see your point where they could just as easily be turned off, but due to the type of industry my company is in, security should be as high as possible.
deda Posted October 24, 2007

You're welcome! Excuse me, but I have two questions:
1. How many network cards are installed on your server?
2. Is there a mandatory need for all these subnets?

Hugs...
Stoic Joker Posted October 24, 2007

> As far as the subnets go, the #1 reason why we aren't running DHCP is because we run a special application that requires PCs to have a static IP.

All of them?

> As far as the Firewalls go, I see your point where they could just as easily be turned off, but due to the type of industry my company is in, security should be as high as possible.

Okay... But security should be layered and carefully monitored, not shoveled on and assumed. There is no point in blocking (firewalling) ports that aren't open in the first place. Unnecessary services should be turned off to make them un-exploitable. Proper passwords (and policy), NTFS permissions, Share permissions, and running internal IPSec tunnels will make things secure, while also being accessible as/when/if needed (by the "right people").

The software firewall is just queering the deal by being put in a situation where it's trying to decide if it should load or not while other services are trying to get started.

Note: Software firewalls fail open under attack, so they're rather pointless IMO.
Arrow_Runner Posted October 24, 2007

> You're welcome! Excuse me, but I have two questions:
> 1. How many network cards are installed on your server?
> 2. Is there a mandatory need for all these subnets?
> Hugs...

There is just one NIC in the server.

And I got here after everything was set up, but there are 4 physical locations, so it does make some sense. I still would have done it a little differently though.
Arrow_Runner Posted October 24, 2007 (edited)

> All of them?

Yup. There's only 50ish PCs total, so it's not a huge hassle though.

> Okay... But security should be layered and carefully monitored, not shoveled on and assumed. There is no point in blocking (firewalling) ports that aren't open in the first place. Unnecessary services should be turned off to make them un-exploitable. Proper passwords (and policy), NTFS permissions, Share permissions, and running internal IPSec tunnels will make things secure, while also being accessible as/when/if needed (by the "right people").
> The software firewall is just queering the deal by being put in a situation where it's trying to decide if it should load or not while other services are trying to get started.
> Note: Software firewalls fail open under attack, so they're rather pointless IMO.

I completely understand what you mean by layered and not shoveled. I'm semi-in-the-process of researching for a full IT audit here to get things right. One of the things I'm going to try and push is a white-list software restriction policy.

The real issue here is not how I set up the firewall; it's that I set up the firewall and Group Policy should be making it happen, but it doesn't always. How can I use software restriction policies if they're only going to work MOST of the time?

I should have also mentioned that the XP firewall stops functioning correctly as soon as I reboot after adding the PC to the domain. The firewall would be off but the PC would not accept incoming connections (e.g. for remote admin). I've had to script a fix in the logon script which has helped a lot, but it's only a band-aid since the problem is still intermittent.

I think what I'm going to do now is block inheritance on a GPO so I can add a new PC without any policies or logon scripts affecting it. I THINK there may be a conflicting policy of some sort.

Edited October 24, 2007 by Arrow_Runner