Global Catalog / Domain Controller loses connection to Exchange

Discussion in 'Server Networking' started by Chris Baldassano, May 1, 2006.

  1. I have a server called File2k3. It's a Win2k3 server standard. Global
    Catalog and Domain Controller.

    My exchange server is called Mail2k3.

    When the systems come up, they see each other just fine... after about an
    hour, the Mail2k3 box cannot ping the file2k3 box, and Outlook/Exchange gets
    awfully slow. I ran a netstat and see a TON of ports to file2k3 in a
    CLOSE_WAIT state. If I reboot file2k3 (which is also our DNS server), when
    it comes up it's fine again.

    File2k3 can ping mail2k3 PERFECTLY every time (even when Mail2k3 can't ping
    it).

    Both are up to latest service packs and hotfixes...

    Has anyone seen this before? I am forced to reboot the server 20x a day!
     
    Chris Baldassano, May 1, 2006
    #1

  2. Hi,

    When you try to ping the File2k3 server do you use name or IP address? Does
    it work if you use IP address?

    Can you check the event logs on both servers (especially the Application and
    System event logs) and see if there are any errors. Post back with these
    errors...

    Can you also post here the results of the command

    ipconfig /all

    from both servers?
     
    Miha Pihler [MVP], May 1, 2006
    #2

  3. I cannot ping by IP or by name from mail2k3 to File2k3... But the other way
    around it works perfectly fine (IP or name)...

    Now both machines have dual Gigabit NICs (onboard and a 3Com) and the
    secondary one is just not connected... I am going to hook them up today to
    see if it is a NIC issue.. (I doubt it, there would be other factors)...

    Little more background:

    -File2k3 is our DNS server with the proper ISP DNSs forwarded...
    -File2k3 is our Global Catalog and Domain Controller

    -Mail2k3 WAS a domain controller, that was taken down by 2 Microsoft techs
    about 5 days ago on a $245 support call.. They did all the proper steps to
    make it just an Exchange server and not anything else.

    Here is the IP config for each machine..

    FILE2K3:

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : file2k3
    Primary Dns Suffix . . . . . . . : pastongroup.com
    Node Type . . . . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : Yes
    DNS Suffix Search List. . . . . . : pastongroup.com

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . : pastongroup.com
    Description . . . . . . . . . . . : 3Com Gigabit NIC
    Physical Address. . . . . . . . . : 00-0A-5E-1A-01-41
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.1.3
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    DNS Servers . . . . . . . . . . . : 192.168.1.3

    MAIL2K3:

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : mail2k3
    Primary Dns Suffix . . . . . . . : pastongroup.com
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : Yes
    DNS Suffix Search List. . . . . . : pastongroup.com

    PPP adapter RAS Server (Dial In) Interface:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
    Physical Address. . . . . . . . . : 00-53-45-00-00-00
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.1.114
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : 3Com Gigabit NIC
    Physical Address. . . . . . . . . : 00-0A-5E-1A-02-C3
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.1.30
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    DNS Servers . . . . . . . . . . . : 192.168.1.3

    ***

    Here is the ping from Mail2k3 to File2k3:

    Pinging file2k3.pastongroup.com [192.168.1.3] with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Ping statistics for 192.168.1.3:

    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    And here is From FILE2k3 to MAIL2k3:

    Pinging mail2k3.pastongroup.com [192.168.1.30] with 32 bytes of data:

    Reply from 192.168.1.30: bytes=32 time<1ms TTL=128
    Reply from 192.168.1.30: bytes=32 time<1ms TTL=128
    Reply from 192.168.1.30: bytes=32 time<1ms TTL=128
    Reply from 192.168.1.30: bytes=32 time<1ms TTL=128

    Ping statistics for 192.168.1.30:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    ***

    Now here is what I notice when I do a NETSTAT -A on mail2k3... there are a
    ton of ports in a CLOSE_WAIT state, which has to be why the pings aren't
    getting through and the LDAP etc. is failing...

    FROM MAIL2K3 (netstat -a) dumped to a txt file.

    Active Connections

    Proto Local Address Foreign Address State
    TCP mail2k3:smtp mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:http mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:epmap mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:https mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:microsoft-ds mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:593 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:691 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:1029 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:1033 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:1037 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:1149 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:1160 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:1166 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:pptp mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:3389 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:6001 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:6002 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:6004 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:7930 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:12174 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:34571 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:34572 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:34573 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:38292 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:48974 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:48975 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:48976 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:48977 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:48981 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:48998 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:1031 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:1179 mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:http ten11.bwc.na.blackberry.net:34159 TIME_WAIT
    TCP mail2k3:netbios-ssn mail2k3.pastongroup.com:0 LISTENING
    TCP mail2k3:netbios-ssn ext211.pastongroup.com:1667 ESTABLISHED
    TCP mail2k3:microsoft-ds ext286.pastongroup.com:2879 ESTABLISHED
    TCP mail2k3:microsoft-ds ext263.pastongroup.com:1702 ESTABLISHED
    TCP mail2k3:microsoft-ds ext290.pastongroup.com:1115 ESTABLISHED
    TCP mail2k3:microsoft-ds ext292.pastongroup.com:2457 ESTABLISHED
    TCP mail2k3:microsoft-ds ext206.pastongroup.com:3725 ESTABLISHED
    TCP mail2k3:microsoft-ds ext273.pastongroup.com:4323 ESTABLISHED
    TCP mail2k3:691 mail2k3.pastongroup.com:48987 ESTABLISHED
    TCP mail2k3:691 mail2k3.pastongroup.com:48997 ESTABLISHED
    TCP mail2k3:691 mail2k3.pastongroup.com:49052 ESTABLISHED
    TCP mail2k3:691 mail2k3.pastongroup.com:49055 ESTABLISHED
    TCP mail2k3:1079 web2k3.pastongroup.com:ldap CLOSE_WAIT
    TCP mail2k3:1080 web2k3.pastongroup.com:ldap CLOSE_WAIT
    TCP mail2k3:kpop file2k3.pastongroup.com:ldap CLOSE_WAIT
    TCP mail2k3:1150 web2k3.pastongroup.com:ldap CLOSE_WAIT
    TCP mail2k3:1288 file2k3.pastongroup.com:ldap CLOSE_WAIT
    TCP mail2k3:pptp ool-457251fd.dyn.optonline.net:1151 ESTABLISHED
    TCP mail2k3:pptp ool-457b9bc5.dyn.optonline.net:2912 ESTABLISHED
    TCP mail2k3:1788 web2k3.pastongroup.com:ldap CLOSE_WAIT
    TCP mail2k3:2638 web2k3.pastongroup.com:ldap CLOSE_WAIT
    TCP mail2k3:2740 file2k3.pastongroup.com:ldap CLOSE_WAIT
    TCP mail2k3:3389 ext288.pastongroup.com:3032 ESTABLISHED
    TCP mail2k3:3908 web2k3.pastongroup.com:ldap CLOSE_WAIT
    TCP mail2k3:3916 file2k3.pastongroup.com:3268 ESTABLISHED
    TCP mail2k3:3918 file2k3.pastongroup.com:3268 ESTABLISHED
    TCP mail2k3:3919 web2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:3920 web2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:3921 web2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:3922 web2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:3923 web2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:3924 web2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:3925 web2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:3926 web2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:3927 web2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:3929 file2k3.pastongroup.com:3268 ESTABLISHED
    TCP mail2k3:3930 file2k3.pastongroup.com:3268 ESTABLISHED
    TCP mail2k3:3935 file2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:3936 file2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:3937 file2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:3938 file2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:3939 file2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:3940 file2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:3942 file2k3.pastongroup.com:3268 ESTABLISHED
    TCP mail2k3:3946 web2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:3991 web2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:3998 web2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:4459 file2k3.pastongroup.com:3268 ESTABLISHED
    TCP mail2k3:4908 file2k3.pastongroup.com:3268 ESTABLISHED
    TCP mail2k3:5217 web2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:5325 file2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:5377 web2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:5426 file2k3.pastongroup.com:ldap CLOSE_WAIT
    TCP mail2k3:5515 web2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:5535 web2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:5741 web2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:5769 web2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:5771 file2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:5778 web2k3.pastongroup.com:ldap ESTABLISHED
    TCP mail2k3:5800 file2k3.pastongroup.com:netbios-ssn ESTABLISHED
    TCP mail2k3:5888 ext240.pastongroup.com:netbios-ssn TIME_WAIT
    TCP mail2k3:5901 file2k3.pastongroup.com:epmap TIME_WAIT
    TCP mail2k3:5908 ext286.pastongroup.com:microsoft-ds ESTABLISHED
    TCP mail2k3:5915 192.168.1.200:9100 TIME_WAIT
    TCP mail2k3:5917 ext292.pastongroup.com:microsoft-ds ESTABLISHED
    TCP mail2k3:5923 ext263.pastongroup.com:microsoft-ds ESTABLISHED
    TCP mail2k3:5928 file2k3.pastongroup.com:epmap TIME_WAIT
    TCP mail2k3:5930 web2k3.pastongroup.com:ldap TIME_WAIT
    TCP mail2k3:5931 file2k3.pastongroup.com:ldap TIME_WAIT
    TCP mail2k3:5932 file2k3.pastongroup.com:3268 TIME_WAIT
    TCP mail2k3:5933 web2k3.pastongroup.com:ldap TIME_WAIT
    TCP mail2k3:5934 file2k3.pastongroup.com:domain TIME_WAIT
    TCP mail2k3:5935 file2k3.pastongroup.com:domain TIME_WAIT
    TCP mail2k3:5937 file2k3.pastongroup.com:microsoft-ds ESTABLISHED
    TCP mail2k3:5940 web2k3.pastongroup.com:ldap TIME_WAIT
    TCP mail2k3:5941 web2k3.pastongroup.com:microsoft-ds ESTABLISHED
    TCP mail2k3:47666 file2k3.pastongroup.com:3268 CLOSE_WAIT
    TCP mail2k3:48987 mail2k3.pastongroup.com:691 ESTABLISHED
    TCP mail2k3:48997 mail2k3.pastongroup.com:691 ESTABLISHED
    TCP mail2k3:48998 ext286.pastongroup.com:2130 ESTABLISHED
    TCP mail2k3:48998 ext228.pastongroup.com:4869 ESTABLISHED
    TCP mail2k3:48998 ext263.pastongroup.com:1148 ESTABLISHED
    TCP mail2k3:48998 EXT285:2018 ESTABLISHED
    TCP mail2k3:48998 ext270.pastongroup.com:1190 ESTABLISHED
    TCP mail2k3:48998 ext256.pastongroup.com:2208 ESTABLISHED
    TCP mail2k3:48998 ext290.pastongroup.com:1141 ESTABLISHED
    TCP mail2k3:48998 ext240.pastongroup.com:1275 ESTABLISHED
    TCP mail2k3:48998 ext292.pastongroup.com:3766 ESTABLISHED
    TCP mail2k3:48998 ext227.pastongroup.com:3811 ESTABLISHED
    TCP mail2k3:48998 ext275.pastongroup.com:1119 ESTABLISHED
    TCP mail2k3:48998 ext297.pastongroup.com:2418 ESTABLISHED
    TCP mail2k3:48998 ext200.pastongroup.com:1251 ESTABLISHED
    TCP mail2k3:48998 ext209.pastongroup.com:1096 ESTABLISHED
    TCP mail2k3:48998 ext299.pastongroup.com:1653 ESTABLISHED
    TCP mail2k3:48998 ext206.pastongroup.com:3831 ESTABLISHED
    TCP mail2k3:48998 ext273.pastongroup.com:3103 ESTABLISHED
    TCP mail2k3:48998 ext236.pastongroup.com:1127 ESTABLISHED
    TCP mail2k3:48998 ext211.pastongroup.com:1266 ESTABLISHED
    TCP mail2k3:48998 ext269.pastongroup.com:1154 ESTABLISHED
    TCP mail2k3:48998 ext217.pastongroup.com:3694 ESTABLISHED
    TCP mail2k3:48998 ext233.pastongroup.com:2778 ESTABLISHED
    TCP mail2k3:48998 ext293.pastongroup.com:2177 ESTABLISHED
    TCP mail2k3:48998 ext276.pastongroup.com:1755 ESTABLISHED
    TCP mail2k3:48998 192.168.1.105:1629 ESTABLISHED
    TCP mail2k3:48998 ext269.pastongroup.com:3829 ESTABLISHED
    TCP mail2k3:48998 ext282.pastongroup.com:2949 ESTABLISHED
    TCP mail2k3:48998 ext282.pastongroup.com:2952 ESTABLISHED
    TCP mail2k3:48998 ira.pastongroup.com:1638 ESTABLISHED
    TCP mail2k3:48998 EXT272:1103 ESTABLISHED
    TCP mail2k3:48998 ext279.pastongroup.com:4178 ESTABLISHED
    TCP mail2k3:48998 ext277.pastongroup.com:4431 ESTABLISHED
    TCP mail2k3:48998 ext248.pastongroup.com:1114 ESTABLISHED
    TCP mail2k3:48998 ext234.pastongroup.com:4836 ESTABLISHED
    TCP mail2k3:48998 ext288.pastongroup.com:2854 ESTABLISHED
    TCP mail2k3:48998 scottxp.pastongroup.com:3144 ESTABLISHED
    TCP mail2k3:49052 mail2k3.pastongroup.com:691 ESTABLISHED
    TCP mail2k3:49055 mail2k3.pastongroup.com:691 ESTABLISHED
    TCP mail2k3:50087 file2k3.pastongroup.com:1025 ESTABLISHED
    TCP mail2k3:50094 file2k3.pastongroup.com:ldap CLOSE_WAIT
    TCP mail2k3:50095 file2k3.pastongroup.com:ldap CLOSE_WAIT
    TCP mail2k3:50098 file2k3.pastongroup.com:3268 CLOSE_WAIT
    TCP mail2k3:50099 file2k3.pastongroup.com:3268 CLOSE_WAIT
    TCP mail2k3:53777 file2k3.pastongroup.com:1025 ESTABLISHED
    TCP mail2k3:netbios-ssn mail2k3.pastongroup.com:0 LISTENING
    UDP mail2k3:epmap *:*
    UDP mail2k3:microsoft-ds *:*
    UDP mail2k3:isakmp *:*
    UDP mail2k3:1025 *:*
    UDP mail2k3:1026 *:*
    UDP mail2k3:1027 *:*
    UDP mail2k3:1028 *:*
    UDP mail2k3:1030 *:*
    UDP mail2k3:1032 *:*
    UDP mail2k3:1034 *:*
    UDP mail2k3:1035 *:*
    UDP mail2k3:phone *:*
    UDP mail2k3:1184 *:*
    UDP mail2k3:1241 *:*
    UDP mail2k3:1242 *:*
    UDP mail2k3:l2tp *:*
    UDP mail2k3:3456 *:*
    UDP mail2k3:3457 *:*
    UDP mail2k3:4500 *:*
    UDP mail2k3:38037 *:*
    UDP mail2k3:38293 *:*
    UDP mail2k3:48982 *:*
    UDP mail2k3:49001 *:*
    UDP mail2k3:ntp *:*
    UDP mail2k3:1047 *:*
    UDP mail2k3:1057 *:*
    UDP mail2k3:1069 *:*
    UDP mail2k3:1078 *:*
    UDP mail2k3:1100 *:*
    UDP mail2k3:1161 *:*
    UDP mail2k3:1173 *:*
    UDP mail2k3:1182 *:*
    UDP mail2k3:1183 *:*
    UDP mail2k3:1219 *:*
    UDP mail2k3:1631 *:*
    UDP mail2k3:1670 *:*
    UDP mail2k3:3456 *:*
    UDP mail2k3:3457 *:*
    UDP mail2k3:5297 *:*
    UDP mail2k3:48984 *:*
    UDP mail2k3:48991 *:*
    UDP mail2k3:49036 *:*
    UDP mail2k3:49039 *:*
    UDP mail2k3:bootps *:*
    UDP mail2k3:bootpc *:*
    UDP mail2k3:ntp *:*
    UDP mail2k3:netbios-ns *:*
    UDP mail2k3:netbios-dgm *:*
    UDP mail2k3:2535 *:*
    UDP mail2k3:bootps *:*
    UDP mail2k3:ntp *:*
    UDP mail2k3:netbios-ns *:*
    UDP mail2k3:netbios-dgm *:*

    --
    Network Administrator
    Simon Paston & Sons Agency

    Chris Baldassano, May 1, 2006
    #3
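The netstat listing above is long enough that a summary helps. The Python script below is an added example, not code from the thread or any poster's tooling: it parses Windows `netstat -a` text token by token (so records that a newsreader wrapped onto two or three lines, as some above were, are reassembled), counts TCP sockets per foreign host and state, and lists peers with a pile-up of CLOSE_WAIT sockets. The sample input embedded in it is constructed for the example, modelled on the posted output. One point worth keeping in mind when reading such a listing: CLOSE_WAIT means the remote side has already closed its end and the local application has not yet closed its socket, so those sockets are held open by a process on the machine where netstat was run.

```python
"""Summarise Windows `netstat -a` output by foreign host and TCP state.

Added example, not code from the thread. Parses the listing format shown
in the post (Proto / Local Address / Foreign Address / State) and reports
which peers have sockets piling up in CLOSE_WAIT.
"""
from collections import Counter

# TCP states as printed by Windows netstat.
TCP_STATES = {
    "LISTENING", "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED", "FIN_WAIT_1",
    "FIN_WAIT_2", "CLOSE_WAIT", "CLOSING", "LAST_ACK", "TIME_WAIT",
}

# Constructed sample modelled on the posted listing; the pptp record is
# deliberately wrapped across three lines the way a newsreader wraps it.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address      Foreign Address                   State
  TCP    mail2k3:smtp       mail2k3.pastongroup.com:0         LISTENING
  TCP    mail2k3:1079       web2k3.pastongroup.com:ldap       CLOSE_WAIT
  TCP    mail2k3:kpop       file2k3.pastongroup.com:ldap      CLOSE_WAIT
  TCP    mail2k3:1288       file2k3.pastongroup.com:ldap      CLOSE_WAIT
  TCP    mail2k3:3916       file2k3.pastongroup.com:3268      ESTABLISHED
  TCP    mail2k3:47666      file2k3.pastongroup.com:3268      CLOSE_WAIT
  TCP    mail2k3:5931       file2k3.pastongroup.com:ldap      TIME_WAIT
  TCP    mail2k3:pptp
  ool-457251fd.dyn.optonline.net:1151
  ESTABLISHED
  UDP    mail2k3:ntp        *:*
"""


def parse_netstat(text):
    """Return a list of (proto, local, foreign, state) tuples.

    Works on whitespace-separated tokens rather than lines, so a record
    that was wrapped onto two or three lines is still read as one record.
    UDP entries have no state column and get state None.
    """
    tokens = text.split()
    # Skip the banner and column header; "State" is the last header word.
    start = tokens.index("State") + 1 if "State" in tokens else 0
    records = []
    i = start
    while i < len(tokens):
        if tokens[i] == "TCP" and i + 3 < len(tokens) and tokens[i + 3] in TCP_STATES:
            records.append(("TCP", tokens[i + 1], tokens[i + 2], tokens[i + 3]))
            i += 4
        elif tokens[i] == "UDP" and i + 2 < len(tokens):
            records.append(("UDP", tokens[i + 1], tokens[i + 2], None))
            i += 3
        else:
            i += 1  # stray token (signature, footer); skip it
    return records


def foreign_host(address):
    """'host:port' -> 'host' (Windows netstat prints the port after the last colon)."""
    return address.rpartition(":")[0]


def summarize(records):
    """Count TCP sockets per (foreign host, state)."""
    counts = Counter()
    for proto, _local, foreign, state in records:
        if proto == "TCP":
            counts[(foreign_host(foreign), state)] += 1
    return counts


def close_wait_hotspots(records, threshold=3):
    """Foreign hosts with at least `threshold` sockets stuck in CLOSE_WAIT.

    CLOSE_WAIT: the peer sent FIN and this side's application has not
    closed the socket yet, so the leak is in a local process.
    """
    counts = summarize(records)
    return sorted(host for (host, state), n in counts.items()
                  if state == "CLOSE_WAIT" and n >= threshold)


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    for (host, state), n in sorted(summarize(recs).items()):
        print(f"{host:35} {state:12} {n}")
    print("CLOSE_WAIT hotspots:", close_wait_hotspots(recs))
```

Run against a saved `netstat -a` text file instead of the constructed sample by reading the file into `parse_netstat`; the threshold is deliberately a parameter, since what counts as a pile-up depends on how busy the server normally is.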
  4. Why do you have IP Routing enabled on both your servers? This is not the
    default nor usual setting.

    After you try and ping the server and it fails -- can you run the following
    command

    arp -a

    What is the output of the arp command?

    --
    Mike
    Microsoft MVP - Windows Security


     
    Miha Pihler [MVP], May 1, 2006
    #4
  5. An additional note:

    I enabled the secondary NICs (File2k3 @ 192.168.1.20, MAIL2k3 @
    192.168.1.21) and added the DNS records in the DNS lookup zones...

    Mail can now ping File perfectly at 192.168.1.20, but it still times out on
    192.168.1.3...

    This is not acceptable because the .20 address is also going through a 100
    meg switch and not the gigabit router.. just an FYI.

    I did an ipconfig /flushdns on the mail2k3 server so it would see the DNS
    change.

    This is VERY strange.
    --
    Network Administrator
    Simon Paston & Sons Agency


     
    Chris Baldassano, May 1, 2006
    #5
  6. I don't know why IP routing is on.. I did not set up these servers, an
    outsourcing company did.. Should I turn that off? We have a simple network
    here with no need for specific routes.. We have 1 gateway for our Internet
    and 3 servers, 50 workstations. No remote offices etc...

    Here is the command output from both machines:

    FILE2K3

    Interface: 192.168.1.30 --- 0x10003
    Internet Address Physical Address Type
    192.168.1.1 00-0f-b5-8c-85-7b dynamic
    192.168.1.3 00-0a-5e-1a-01-41 dynamic
    192.168.1.7 00-0a-5e-1a-02-f1 dynamic
    192.168.1.8 00-14-22-0a-19-9a dynamic
    192.168.1.31 00-0a-5e-1a-b9-9b dynamic
    192.168.1.43 00-0c-f1-92-cd-46 dynamic
    192.168.1.44 00-0c-f1-92-c6-90 dynamic
    192.168.1.46 00-0c-f1-92-cc-f0 dynamic
    192.168.1.48 00-0c-f1-92-cd-5d dynamic
    192.168.1.49 00-0c-f1-92-51-50 dynamic
    192.168.1.53 00-0c-f1-92-f7-c8 dynamic
    192.168.1.55 00-0c-f1-92-de-fe dynamic
    192.168.1.58 00-0c-f1-92-f8-1c dynamic
    192.168.1.60 00-0c-f1-92-cd-76 dynamic
    192.168.1.63 00-0c-f1-92-df-dd dynamic
    192.168.1.64 00-0c-f1-92-f7-ff dynamic
    192.168.1.65 00-0c-f1-92-df-30 dynamic
    192.168.1.66 00-0c-f1-92-f6-e7 dynamic
    192.168.1.67 00-0c-f1-92-c3-07 dynamic
    192.168.1.68 00-0c-f1-92-f7-88 dynamic
    192.168.1.69 00-0c-f1-92-df-14 dynamic
    192.168.1.70 00-0c-f1-92-c7-c3 dynamic
    192.168.1.71 00-0c-f1-92-cb-d6 dynamic
    192.168.1.72 00-0c-f1-92-cc-fb dynamic
    192.168.1.73 00-0c-f1-92-de-1c dynamic
    192.168.1.74 00-0c-f1-92-f8-65 dynamic
    192.168.1.104 00-10-83-59-d0-f6 dynamic
    192.168.1.107 00-60-b0-41-f6-1a dynamic
    192.168.1.109 00-01-e6-3b-b4-0b dynamic
    192.168.1.125 00-0c-f1-92-ef-0c dynamic
    192.168.1.127 00-0c-f1-92-f7-bd dynamic
    192.168.1.130 00-0c-f1-92-df-42 dynamic
    192.168.1.131 00-0c-f1-92-cc-ae dynamic
    192.168.1.146 00-0c-f1-92-f3-a9 dynamic
    192.168.1.155 08-00-09-bd-f6-54 dynamic
    192.168.1.156 00-0c-f1-92-c6-9a dynamic
    192.168.1.159 00-0c-f1-92-de-65 dynamic
    192.168.1.191 00-08-0d-90-3c-2a dynamic
    192.168.1.200 08-00-09-bd-16-43 dynamic
    192.168.1.202 00-01-e6-7e-c3-6b dynamic
    192.168.1.223 00-0c-f1-92-f8-26 dynamic
    192.168.1.227 00-0c-f1-92-51-93 dynamic
    192.168.1.252 00-11-85-fb-26-7b dynamic

    Interface: 192.168.1.3 --- 0x10003
    Internet Address Physical Address Type
    192.168.1.1 00-0f-b5-8c-85-7b dynamic
    192.168.1.7 00-0a-5e-1a-02-f1 dynamic
    192.168.1.8 00-14-22-0a-19-9a dynamic
    192.168.1.30 00-0a-5e-1a-02-c3 dynamic
    192.168.1.31 00-0a-5e-1a-b9-9b dynamic
    192.168.1.40 00-0c-f1-92-e5-de dynamic
    192.168.1.42 00-0c-f1-92-46-d1 dynamic
    192.168.1.43 00-0c-f1-92-cd-46 dynamic
    192.168.1.44 00-0c-f1-92-c6-90 dynamic
    192.168.1.45 00-0c-f1-92-e5-a4 dynamic
    192.168.1.46 00-0c-f1-92-cc-f0 dynamic
    192.168.1.48 00-0c-f1-92-cd-5d dynamic
    192.168.1.49 00-0c-f1-92-51-50 dynamic
    192.168.1.53 00-0c-f1-92-f7-c8 dynamic
    192.168.1.55 00-0c-f1-92-de-fe dynamic
    192.168.1.56 00-0c-f1-92-cd-3b dynamic
    192.168.1.58 00-0c-f1-92-f8-1c dynamic
    192.168.1.59 00-0c-f1-92-dc-ae dynamic
    192.168.1.63 00-0c-f1-92-df-dd dynamic
    192.168.1.64 00-0c-f1-92-f7-ff dynamic
    192.168.1.65 00-0c-f1-92-df-30 dynamic
    192.168.1.66 00-0c-f1-92-f6-e7 dynamic
    192.168.1.67 00-0c-f1-92-c3-07 dynamic
    192.168.1.68 00-0c-f1-92-f7-88 dynamic
    192.168.1.69 00-0c-f1-92-df-14 dynamic
    192.168.1.70 00-0c-f1-92-c7-c3 dynamic
    192.168.1.71 00-0c-f1-92-cb-d6 dynamic
    192.168.1.72 00-0c-f1-92-cc-fb dynamic
    192.168.1.73 00-0c-f1-92-de-1c dynamic
    192.168.1.74 00-0c-f1-92-f8-65 dynamic
    192.168.1.88 00-0c-f1-92-f7-ea dynamic
    192.168.1.114 00-0a-5e-1a-02-c3 dynamic
    192.168.1.125 00-0c-f1-92-ef-0c dynamic
    192.168.1.127 00-0c-f1-92-f7-bd dynamic
    192.168.1.130 00-0c-f1-92-df-42 dynamic
    192.168.1.131 00-0c-f1-92-cc-ae dynamic
    192.168.1.146 00-0c-f1-92-f3-a9 dynamic
    192.168.1.156 00-0c-f1-92-c6-9a dynamic
    192.168.1.159 00-0c-f1-92-de-65 dynamic
    192.168.1.164 00-0c-f1-92-f8-6d dynamic
    192.168.1.223 00-0c-f1-92-f8-26 dynamic

    MAIL2K3:

    --
    Network Administrator
    Simon Paston & Sons Agency

     
    Chris Baldassano, May 1, 2006
    #6
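One detail in the arp tables above is easy to miss by eye: under the 192.168.1.3 interface, both 192.168.1.30 and 192.168.1.114 resolve to 00-0a-5e-1a-02-c3, the hardware address the earlier ipconfig output lists for mail2k3's LAN NIC, so mail2k3 is answering ARP for its RAS dial-in address on that NIC. The Python script below is an added example, not from the thread: it parses `arp -a` text into per-interface tables, reports MACs that answer for more than one IP, and looks up a given peer. The sample table is constructed for the example from a few entries in the posted output.

```python
"""Parse Windows `arp -a` output and flag MACs that answer for several IPs.

Added example, not code from the thread. The sample table is constructed
from a handful of entries in the posted output.
"""
import re
from collections import defaultdict

IFACE_RE = re.compile(r"^\s*Interface:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+---\s+(\S+)")
ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"          # internet address
    r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+"       # physical address
    r"(dynamic|static)\s*$", re.IGNORECASE)

# Constructed sample built from entries in the posted tables.
SAMPLE_ARP = """\
Interface: 192.168.1.3 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.1.1           00-0f-b5-8c-85-7b     dynamic
  192.168.1.30          00-0a-5e-1a-02-c3     dynamic
  192.168.1.114         00-0a-5e-1a-02-c3     dynamic
  192.168.1.200         08-00-09-bd-16-43     dynamic

Interface: 192.168.1.30 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.1.1           00-0f-b5-8c-85-7b     dynamic
  192.168.1.3           00-0a-5e-1a-01-41     dynamic
"""


def parse_arp(text):
    """Return {interface_ip: [(ip, mac, type), ...]} for each Interface block."""
    tables = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            tables[current].append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return dict(tables)


def shared_macs(table):
    """MACs listed under more than one IP in one interface's table."""
    by_mac = defaultdict(list)
    for ip, mac, _type in table:
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def lookup(table, ip):
    """MAC cached for `ip`, or None if that host never answered ARP."""
    for entry_ip, mac, _type in table:
        if entry_ip == ip:
            return mac
    return None


if __name__ == "__main__":
    for iface, table in parse_arp(SAMPLE_ARP).items():
        print(f"Interface {iface}: {len(table)} entries")
        for mac, ips in shared_macs(table).items():
            print(f"  {mac} answers for {', '.join(ips)}")
```

On a host with a single NIC and no RRAS, a MAC answering for two IPs is worth a second look; here it is explained by the dial-in interface on mail2k3, but the same check is a cheap way to notice a machine answering ARP for addresses it should not own. A `lookup` that returns None for the peer you cannot ping tells you the failure is already at the ARP layer rather than in IP routing or DNS.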
  7. I think the IP routing was enabled because of the dual NICs in the system...
    When I went into RRAS it shows:

    LOOPBACK 127.0.0.1
    LOCAL AREA CONNECTION 192.168.1.30
    INTERNAL 192.168.1.114

    Note that Mail2k3 is also our VPN EndPoint / DHCP Server.
    --
    Network Administrator
    Simon Paston & Sons Agency


     
    Chris Baldassano, May 1, 2006
    #7
  8. Hi,

    In general, an Active Directory server should not be multihomed (multiple
    NICs); it is not a recommended configuration. There are quite a few problems
    when a domain controller is multihomed... Here are a few of them...

    Troubleshooting browser Event ID 8021 and 8032 on master browsers
    http://support.microsoft.com/?id=135404

    Clients cannot log on to domain controllers that are Windows Server
    2003-based DNS servers, and network interfaces that are not registered in
    DNS can still perform dynamic updates
    http://support.microsoft.com/default.aspx?scid=kb;en-us;832478

    --
    Mike
    Microsoft MVP - Windows Security

     
    Miha Pihler [MVP], May 1, 2006
    #8
  9. If I understand you correctly -- Mail2K3 server does not have anything in
    the arp cache?

    --
    Mike
    Microsoft MVP - Windows Security

     
    Miha Pihler [MVP], May 1, 2006
    #9
  10. Well the secondary NICs have always been disabled... I just enabled them for
    this test.. Originally I believe they were put in there for redundancy just
    in case...

    Should I delete the IP routing? Will that have adverse effects? I have
    full backups just in case. There should be no set routes for anything on my
    network.. It should flow free so to speak.
    --
    Network Administrator
    Simon Paston & Sons Agency


     
    Chris Baldassano, May 1, 2006
    #10
  11. Mike is referring to the fact that DCs in general should not be multihomed.
    A home can also be a dialup interface, PPP interface, etc. It's also evident
    that RRAS can be a nasty issue as well with DCs. If you want to run RRAS on a
    machine, it's highly suggested and recommended to utilize a member server for
    this purpose, and not an Exchange box. There are multiple steps you can take
    to clean this up, and I can post them if you like, but they include reg
    entries that need to be made to modify a DC's default behavior.

    Honestly I would disable RRAS, make sure the extra NICs are disabled, delete
    any dialup or PPP interfaces, delete those entries in DNS, and you should
    get a good night's sleep. The way you have it set up, you are losing valuable
    personal time and creating yourself too much stress.

    If you want me to post those steps, I will be glad to do so...

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Having difficulty reading or finding responses to your post?
    Instead of the website you're using, I suggest to use OEx (Outlook Express
    or any other newsreader), and configure a news account, pointing to
    news.microsoft.com. This is a direct link to the Microsoft Public
    Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
    to easily find, track threads, cross-post, sort by date, poster's name,
    watched threads or subject.

    It's easy:
    How to Configure OEx for Internet News
    http://support.microsoft.com/?id=171164

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    Infinite Diversities in Infinite Combinations
    Assimilation Imminent. Resistance is Futile
    "Very funny Scotty. Now, beam down my clothes."

    The only thing in life is change. Anything more is a blackhole consuming
    unnecessary energy. - [Me]
     
    Ace Fekay [MVP], May 2, 2006
    #11
  12. Yes please post the steps.

    All I want to obtain is getting the Global Catalog server to stop this WEIRD
    behavior.

    Why would one interface stop being able to accept incoming connections via
    ping, when access to file shares and all still works...

    I can take the VPN endpoint off the mail server, because I have a hardware
    endpoint I want to use instead.

    Is the scenario you talk about easy?
    --
    Network Administrator
    Simon Paston & Sons Agency


     
    Chris Baldassano, May 2, 2006
    #12
  13. Scenario as in altering a DC's default behavior? No it IS NOT and is NOT
    recommended. I would really rather see you use a hardware solution for VPN
    access. Pix boxes are cool and relatively inexpensive for the features and
    security they offer. If you insist on using a Windows machine for such, here
    are the steps... Get a bottle of Crown and a case of beer to celebrate once
    you're done...

    Here are the steps... Good luck.

    ================================
    (Use this one):
    ********************************
    Multihomed DCs, DNS, RRAS servers.
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Below are the manual steps in more detail, which I had outlined in the above
    paragraph:

    Honestly, multi-homed DCs are not recommended because of the associated
    issues that can occur, as you've encountered. We usually recommend
    purchasing an inexpensive Linksys, DLink, etc. Cable/DSL router to perform
    NAT for you, take the extra NIC out of the DC, but still let the DC handle
    DHCP (and not the router).

    Little background on AD and DNS:
    First, just to get this out of the way, if you have your ISP's DNS addresses
    in your IP configuration (DCs and clients), they need to be REMOVED.

    If the ISP's DNS is in there, this will cause additional problems.

    Also, AD registers certain records in DNS in the form of SRV records that
    signify AD's resource and service locations. When there are multiple NICs,
    each NIC registers. If a client, or another DC, queries DNS for this DC, it
    may get the wrong record. One factor controlling this is Round Robin. If a
    DC or client on another subnet that the DC is not configured on queries for
    it, Round Robin will kick in offering one or the other. If the wrong one
    gets offered, it may not have a route to it. On the other hand, Subnet Mask
    Prioritization will ensure a querying client will get an IP that corresponds
    to the subnet it's on, which will work. To ensure everything works, stick
    with one NIC.

    Since this DC is multi-homed, it requires additional configuration to
    prevent the public interface addresses from being registered in DNS. This
    creates a problem for internal clients locating AD to authenticate and find
    other services and resources such as the Global Catalog, file sharing and
    the SYSVOL DFS share and can cause GPO errors with Userenv 1000 events to be
    logged, authenticating to shares and printers, logging on takes forever,
    among numerous other issues.

    But if you like, there are some registry changes to eliminate the
    registration of the external NIC. Here's the whole list of manual steps to
    follow.

    But believe me, it's much easier to just get a separate NAT device or
    multihome a non-DC than having to alter the DC. - Good luck!

    1. Ensure that all the NICs point to your internal DNS server(s) only
    and none others, such as your ISP's DNS servers' IP addresses.

    2. In Network & Dialup properties, Advanced Menu item, Advanced Settings,
    move the internal NIC (the network that AD is on) to the top of the binding
    order (top of the list).

    3. Disable the ability for the outer NIC to register. The procedure, as
    mentioned, involves identifying the outer NIC's GUID number. This link will
    show you how:
    246804 - How to Enable-Disable Windows 2000 Dynamic DNS Registrations (per
    NIC too):
    http://support.microsoft.com/?id=246804

    4. Disable NetBIOS on the outside NIC. That is performed by choosing to
    disable NetBIOS in IP Properties, Advanced, and you will find that under the
    "WINS" tab. You may want to look at step #3 in the article to show you how
    to disable NetBIOS on the RRAS interfaces if this is a RRAS server.
    296379 - How to Disable NetBIOS on an Incoming Remote Access Interface
    [Registry Entry]:
    http://support.microsoft.com/?id=296379

    Note: A standard Windows service, called the "Browser service", provides the
    list of machines, workgroup and domain names that you see in "My Network
    Places" (or the legacy term "Network Neighborhood"). The Browser service
    relies on the NetBIOS service. One major requirement of NetBIOS service is a
    machine can only have one name to one IP address. It's sort of a
    fingerprint. You can't have two brothers named Darrell. A multihomed machine
    will cause duplicate name errors on itself because Windows sees itself with
    the same name in the Browse List (My Network Places), but with different
    IPs. You can only have one, hence the error generated.

    5. Disable the "File and Print Service" and disable the "MS Client Service"
    on the outer NIC. That is done in NIC properties by unchecking the
    respective service under the general properties page. If you need these
    services on the outside NIC (which is unlikely), which allow other machines
    to connect to your machine for accessing resource on your machine (shared
    folders, printers, etc.), then you will probably need to keep them enabled.

    6. Uncheck "Register this connection" under IP properties, Advanced
    settings, "DNS" tab.

    7. Delete the outer NIC IP address, disable Netlogon registration, and
    manually create the required records

    a. In DNS under the zone name, (your DNS domain name), delete the outer NIC's
    IP references for the "LdapIpAddress". If this is a GC, you will need to
    delete the GC IP record as well (the "GcIpAddress"). To do that, in the DNS
    console, under the zone name, you will see the _msdcs folder. Under that,
    you will see the _gc folder. To the right, you will see the IP address
    referencing the GC address. That is called the GcIpAddress. Delete the IP
    addresses referencing the outer NIC.

    i. To stop these two records from registering that information, use the
    steps provided in the links below:
    Private Network Interfaces on a Domain Controller Are Registered in DNS:
    http://support.microsoft.com/?id=295328

    ii. The one section of the article that disables these records is done with
    this registry entry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
    (Create this Multi-String Value under it):
    Registry value: DnsAvoidRegisterRecords
    Data type: REG_MULTI_SZ
    Values: LdapIpAddress
    GcIpAddress

    iii. Here is more information on these and other Netlogon Service records:
    Restrict the DNS SRV resource records updated by the Netlogon service
    [including GC]:
    http://www.microsoft.com/technet/tr...proddocs/standard/sag_dns_pro_no_rr_in_ad.asp

    b. Then you will need to manually create these two records in DNS with the
    IP addresses that you need for the DC. To create the LdapIpAddress, create a
    new host under the domain, but leave the "hostname" field blank, and provide
    the internal IP of the DC, which results in a record that looks like:
    (same as parent) A 192.168.5.200 (192.168.5.200 is used for illustrative
    purposes)

    i. You need to also manually create the GcIpAddress as well, if this is a
    GC. That would be under the _msdcs._gc SRV record under the zone. It is
    created in the same fashion as the LdapIpAddress mentioned above.

    8. In the DNS console, right click the server name, choose properties, then
    under the "Interfaces" tab, force it only to listen to the internal NIC's IP
    address, and not the IP address of the outer NIC.

    9. Since this is also a DNS server, the IPs from all NICs will register,
    even if you tell it not to in the NIC properties. See this to show you how
    to stop that behavior (this procedure is for Windows 2000, but will also
    work for Windows 2003):
    275554 - The Host's A Record Is Registered in DNS After You Choose Not to
    Register the Connection's Address:
    http://support.microsoft.com/?id=275554

    10. If you haven't done so, configure a forwarder. You can use 4.2.2.2 if
    not sure which DNS to forward to until you've got the DNS address of your
    ISP. How to set a forwarder?
    Depending on your operating system, choose one of the following articles:

    300202 - HOW TO: Configure DNS for Internet Access in Windows 2000
    http://support.microsoft.com/?id=300202&FR=1

    323380 - HOW TO: Configure DNS for Internet Access in Windows Server 2003
    (How to configure a forwarder):
    http://support.microsoft.com/d/id?=323380


    <==*** Some additional reading ***==>
    More links to read up and understand what is going on:

    292822 - Name Resolution and Connectivity Issues on Windows 2000 Domain
    Controller with Routing and Remote Access and DNS Insta [DNS and RRAS and
    unwanted IPs registering]:
    http://support.microsoft.com/?id=292822

    246804 - How to enable or disable DNS updates in Windows 2000 and in Windows
    Server 2003
    http://support.microsoft.com/?id=246804

    295328 - Private Network Interfaces on a Domain Controller Are Registered in
    DNS
    [also shows DnsAvoidRegisterRecords LdapIpAddress to avoid reg sameasparent
    private IP]:
    http://support.microsoft.com/?id=295328

    306602 - How to Optimize the Location of a DC or GC That Resides Outside of
    a Client's
    Site [Includes info LdapIpAddress and GcIpAddress information and the SRV
    mnemonic values]:
    http://support.microsoft.com/?id=306602

    825036 - Best practices for DNS client settings in Windows 2000 Server and
    in Windows Server 2003 (including how-to configure a forwarder):
    http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

    291382 - Frequently asked questions about Windows 2000 DNS and Windows
    Server 2003 DNS
    http://support.microsoft.com/default.aspx?scid=kb;en-us;291382

    296379 - How to Disable NetBIOS on an Incoming Remote Access Interface
    [Registry Entry]:
    http://support.microsoft.com/?id=296379

    _________________________
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++


    Ace
     
    Ace Fekay [MVP], May 2, 2006
    #13
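One way to apply steps 7, 8 and 10 of the post above with built-in tools, as an added example that is not Ace's or Microsoft's own text. The zone name and the inner and outer NIC addresses are placeholders; the DNS-server-side host registration in step 9 (KB 275554) is not covered here.

```powershell
# Added example (not from the thread). Applies the DnsAvoidRegisterRecords step,
# fixes the LdapIpAddress / GcIpAddress A records, sets the listen address and
# forwarder, then checks the outer NIC's IP no longer appears in those records.
# Run in an elevated PowerShell on the DC/DNS server; dnscmd.exe is built in.
$ZoneName   = 'example.local'     # the AD DNS zone (hypothetical)
$InternalIp = '192.168.1.3'       # inner NIC address (hypothetical, from the thread)
$OuterIp    = '203.0.113.10'      # outer/RRAS NIC address (hypothetical, documentation range)
$Forwarder  = '4.2.2.2'           # the forwarder suggested in the thread
# _msdcs is a folder under the domain zone on upgraded domains; on domains created
# with Windows Server 2003 it is usually its own zone (_msdcs.<forest root>), in
# which case set $GcZone to that zone and $GcNode to 'gc'.
$GcZone     = $ZoneName
$GcNode     = 'gc._msdcs'

# Step 7.a.ii: stop Netlogon registering the LdapIpAddress and GcIpAddress records
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
New-ItemProperty -Path $NetlogonKey -Name 'DnsAvoidRegisterRecords' `
    -PropertyType MultiString -Value @('LdapIpAddress', 'GcIpAddress') -Force | Out-Null
Restart-Service Netlogon   # Netlogon reads the value at start-up

# Steps 7.a / 7.b: drop the outer IP from both records and make sure the inner
# IP is present (RecordAdd is harmless if the record already exists)
dnscmd /RecordDelete $ZoneName '@' A $OuterIp /f
dnscmd /RecordAdd    $ZoneName '@' A $InternalIp
dnscmd /RecordDelete $GcZone $GcNode A $OuterIp /f
dnscmd /RecordAdd    $GcZone $GcNode A $InternalIp

# Step 8: listen only on the inner NIC; step 10: forward unresolved queries
dnscmd /ResetListenAddresses $InternalIp
dnscmd /ResetForwarders $Forwarder

# Check: neither the zone root nor gc._msdcs should still carry the outer IP
$leaks = @()
foreach ($pair in @(@($ZoneName, '@'), @($GcZone, $GcNode))) {
    $out = dnscmd /EnumRecords $pair[0] $pair[1] /Type A 2>&1
    if ($out | Select-String -SimpleMatch $OuterIp) { $leaks += "$($pair[1]) in $($pair[0])" }
}
if ($leaks.Count) { Write-Warning "Outer IP still registered: $($leaks -join ', ')" }
else { Write-Host "No A records at the zone root or $GcNode carry $OuterIp" }
```

Re-run the final check a few hours later as well, since the thread's problem only appears after the server has been up for a while.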
  14. Whoa, holy mackerel... Let me add a few things because I'm not doing all that yet...

    The secondary NICs in the servers are ALWAYS disabled. No wires plugged in
    and disabled in Control Panel. No IPs associated to them. I only turned it
    on to see if it would ping, which it did.

    Now I have a Netgear firewall that has a built-in VPN endpoint, so I'm OK with
    turning that off.

    Every PC in the company only has the 192.168.1.3 ip in the DNS config, which
    points to our DNS Server (file2k3)

    I would imagine the IP routing is on because of the VPN portion of the
    server. I am not so familiar with RRAS, and turning it all off means I have
    to fix the people's VPN connections from their homes.

    Aside from hardware failure... the thing I am trying to resolve, because I
    think it has gotten lost in translation here..

    Mail2k3 stops pinging File2k3. File2k3 can still ping Mail2k3. Outlook
    slows to a crawl with the popup "Outlook is waiting for the server yadda
    yadda" because mail2k3 can't see file2k3, I guess... File shares on mail2k3 to
    file2k3 work perfectly.

    File2k3 is our primary DC and GC. Web2k3 is the other DC. They sync
    perfectly.

    If I reboot File2k3, then mail2k3 can ping it again just fine for a few
    hours or 30 mins, then it stops again...

    I see a bunch of connections in a TIME_WAIT, or whatever state it was I
    posted.. It seems like file2k3 is not ending the proper transmissions and
    reopening the port. Both up to the latest service packs etc....

    Now tomorrow I will post some event logs, maybe it will help.
    --
    Chris Baldassano
    --------------------
    Network Administrator
    Simon Paston & Sons Agency
    Lynbrook, NY


     
    Chris Baldassano, May 4, 2006
    #14
  15. The event logs will help.

    Since this is a DC, RRAS causes issues. The articles I provided as part of
    that info show that. Why not use the Netgear firewall, if it has VPN
    support, as the VPN server for your folks?

    Ace
     
    Ace Fekay [MVP], May 5, 2006
    #15