Global Catalog / Domain Controller loses connection to Exchange

I have a server called File2k3. It's a Win2k3 server standard. Global
Catalog and Domain Controller.

My exchange server is called Mail2k3.

When the systems come up, they see eachother just fine... after about an
hour, the Mail2k3 box can not ping the file2k3 box, and Outlook/exchange gets
awfully slow. I ran a netstat and see a TON of ports to file2k3 in a
CLOSE_WAIT state. If i reboot file2k3 (which is also our DNS Server), when
it comes up its fine again.

File2k3, can ping mail2k3 PERFECTLY everytime (even when Mail2k3 cant ping
it)..

Both are up to latest service packs and hotfixes...

Has anyone seen this before? I am forced to reboot the server 20x a day!

 

Hi,

When you try to ping the File2k3 server do you use name or IP address? Does
it work if you use IP address?

Can you check the event logs on both servers (specially Application and
System Event logs) and see if there are any errors. Post back with these
errors...

Can you also post here the results of command

ipconifg /all

from both servers?

 

I can not ping by IP, Or by Name from mail2k3 to File2k3... But the other way
around it works perfectally fine (ip or name)...

Now both machines have Dual Gigabit NIC's (Onboard and a 3com) and the
secondary one is just not connected... I am gonna hook them up today to see
if it is a NIC issue.. (I doubt it, there would be other factors)...

Little more background:

-File2k3 is our DNS server with the proper ISP DNS's forwarded...
-File2k3 is our Global Catalog, and Domain Controller

-Mail2k3 WAS a domain controller, that was taken down by 2 microsoft tech's
about 5 days ago on a $245 Support Call.. They did all the proper steps to
make it Just an exchange server and not anything else.



Here is the IP config for each machine..

FILE2K3:

Windows IP Configuration

Host Name . . . . . . . . . . . . : file2k3
Primary Dns Suffix . . . . . . . : pastongroup.com
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : pastongroup.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : pastongroup.com
Description . . . . . . . . . . . : 3Com Gigabit NIC
Physical Address. . . . . . . . . : 00-0A-5E-1A-01-41
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.3

MAIL2K3:



Windows IP Configuration



Host Name . . . . . . . . . . . . : mail2k3
Primary Dns Suffix . . . . . . . : pastongroup.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : pastongroup.com



PPP adapter RAS Server (Dial In) Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.114
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com Gigabit NIC
Physical Address. . . . . . . . . : 00-0A-5E-1A-02-C3
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.30
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.3

***

Here is the ping from Mail2k3 to File2k3:

Pinging file2k3.pastongroup.com [192.168.1.3] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.1.3:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

And here is From FILE2k3 to MAIL2k3:

Pinging mail2k3.pastongroup.com [192.168.1.30] with 32 bytes of data:

Reply from 192.168.1.30: bytes=32 time<1ms TTL=128
Reply from 192.168.1.30: bytes=32 time<1ms TTL=128
Reply from 192.168.1.30: bytes=32 time<1ms TTL=128
Reply from 192.168.1.30: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.30:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

***

Now here is what I notice when I do a NETSTAT -A on mail2k3... there are a
ton of ports in a CLOSE_WAIT state, which has to be why the pings arent
getting thru and the LDAP etc is failing...

FROM MAIL2K3 (Netstat -a) spit to a txt file.

Active Connections

Proto Local Address Foreign Address State
TCP mail2k3:smtp mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:http mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:epmap mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:https mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:microsoft-ds mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:593 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:691 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:1029 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:1033 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:1037 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:1149 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:1160 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:1166 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3ptp mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:3389 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:6001 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:6002 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:6004 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:7930 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:12174 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:34571 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:34572 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:34573 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:38292 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:48974 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:48975 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:48976 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:48977 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:48981 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:48998 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:1031 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:1179 mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:http ten11.bwc.na.blackberry.net:34159 TIME_WAIT
TCP mail2k3:netbios-ssn mail2k3.pastongroup.com:0 LISTENING
TCP mail2k3:netbios-ssn ext211.pastongroup.com:1667 ESTABLISHED
TCP mail2k3:microsoft-ds ext286.pastongroup.com:2879 ESTABLISHED
TCP mail2k3:microsoft-ds ext263.pastongroup.com:1702 ESTABLISHED
TCP mail2k3:microsoft-ds ext290.pastongroup.com:1115 ESTABLISHED
TCP mail2k3:microsoft-ds ext292.pastongroup.com:2457 ESTABLISHED
TCP mail2k3:microsoft-ds ext206.pastongroup.com:3725 ESTABLISHED
TCP mail2k3:microsoft-ds ext273.pastongroup.com:4323 ESTABLISHED
TCP mail2k3:691 mail2k3.pastongroup.com:48987 ESTABLISHED
TCP mail2k3:691 mail2k3.pastongroup.com:48997 ESTABLISHED
TCP mail2k3:691 mail2k3.pastongroup.com:49052 ESTABLISHED
TCP mail2k3:691 mail2k3.pastongroup.com:49055 ESTABLISHED
TCP mail2k3:1079 web2k3.pastongroup.com:ldap CLOSE_WAIT
TCP mail2k3:1080 web2k3.pastongroup.com:ldap CLOSE_WAIT
TCP mail2k3:kpop file2k3.pastongroup.com:ldap CLOSE_WAIT
TCP mail2k3:1150 web2k3.pastongroup.com:ldap CLOSE_WAIT
TCP mail2k3:1288 file2k3.pastongroup.com:ldap CLOSE_WAIT
TCP mail2k3ptp ool-457251fd.dyn.optonline.net:1151
ESTABLISHED
TCP mail2k3ptp ool-457b9bc5.dyn.optonline.net:2912
ESTABLISHED
TCP mail2k3:1788 web2k3.pastongroup.com:ldap CLOSE_WAIT
TCP mail2k3:2638 web2k3.pastongroup.com:ldap CLOSE_WAIT
TCP mail2k3:2740 file2k3.pastongroup.com:ldap CLOSE_WAIT
TCP mail2k3:3389 ext288.pastongroup.com:3032 ESTABLISHED
TCP mail2k3:3908 web2k3.pastongroup.com:ldap CLOSE_WAIT
TCP mail2k3:3916 file2k3.pastongroup.com:3268 ESTABLISHED
TCP mail2k3:3918 file2k3.pastongroup.com:3268 ESTABLISHED
TCP mail2k3:3919 web2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:3920 web2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:3921 web2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:3922 web2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:3923 web2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:3924 web2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:3925 web2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:3926 web2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:3927 web2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:3929 file2k3.pastongroup.com:3268 ESTABLISHED
TCP mail2k3:3930 file2k3.pastongroup.com:3268 ESTABLISHED
TCP mail2k3:3935 file2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:3936 file2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:3937 file2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:3938 file2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:3939 file2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:3940 file2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:3942 file2k3.pastongroup.com:3268 ESTABLISHED
TCP mail2k3:3946 web2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:3991 web2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:3998 web2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:4459 file2k3.pastongroup.com:3268 ESTABLISHED
TCP mail2k3:4908 file2k3.pastongroup.com:3268 ESTABLISHED
TCP mail2k3:5217 web2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:5325 file2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:5377 web2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:5426 file2k3.pastongroup.com:ldap CLOSE_WAIT
TCP mail2k3:5515 web2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:5535 web2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:5741 web2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:5769 web2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:5771 file2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:5778 web2k3.pastongroup.com:ldap ESTABLISHED
TCP mail2k3:5800 file2k3.pastongroup.com:netbios-ssn
ESTABLISHED
TCP mail2k3:5888 ext240.pastongroup.com:netbios-ssn TIME_WAIT
TCP mail2k3:5901 file2k3.pastongroup.com:epmap TIME_WAIT
TCP mail2k3:5908 ext286.pastongroup.com:microsoft-ds
ESTABLISHED
TCP mail2k3:5915 192.168.1.200:9100 TIME_WAIT
TCP mail2k3:5917 ext292.pastongroup.com:microsoft-ds
ESTABLISHED
TCP mail2k3:5923 ext263.pastongroup.com:microsoft-ds
ESTABLISHED
TCP mail2k3:5928 file2k3.pastongroup.com:epmap TIME_WAIT
TCP mail2k3:5930 web2k3.pastongroup.com:ldap TIME_WAIT
TCP mail2k3:5931 file2k3.pastongroup.com:ldap TIME_WAIT
TCP mail2k3:5932 file2k3.pastongroup.com:3268 TIME_WAIT
TCP mail2k3:5933 web2k3.pastongroup.com:ldap TIME_WAIT
TCP mail2k3:5934 file2k3.pastongroup.com:domain TIME_WAIT
TCP mail2k3:5935 file2k3.pastongroup.com:domain TIME_WAIT
TCP mail2k3:5937 file2k3.pastongroup.com:microsoft-ds
ESTABLISHED
TCP mail2k3:5940 web2k3.pastongroup.com:ldap TIME_WAIT
TCP mail2k3:5941 web2k3.pastongroup.com:microsoft-ds
ESTABLISHED
TCP mail2k3:47666 file2k3.pastongroup.com:3268 CLOSE_WAIT
TCP mail2k3:48987 mail2k3.pastongroup.com:691 ESTABLISHED
TCP mail2k3:48997 mail2k3.pastongroup.com:691 ESTABLISHED
TCP mail2k3:48998 ext286.pastongroup.com:2130 ESTABLISHED
TCP mail2k3:48998 ext228.pastongroup.com:4869 ESTABLISHED
TCP mail2k3:48998 ext263.pastongroup.com:1148 ESTABLISHED
TCP mail2k3:48998 EXT285:2018 ESTABLISHED
TCP mail2k3:48998 ext270.pastongroup.com:1190 ESTABLISHED
TCP mail2k3:48998 ext256.pastongroup.com:2208 ESTABLISHED
TCP mail2k3:48998 ext290.pastongroup.com:1141 ESTABLISHED
TCP mail2k3:48998 ext240.pastongroup.com:1275 ESTABLISHED
TCP mail2k3:48998 ext292.pastongroup.com:3766 ESTABLISHED
TCP mail2k3:48998 ext227.pastongroup.com:3811 ESTABLISHED
TCP mail2k3:48998 ext275.pastongroup.com:1119 ESTABLISHED
TCP mail2k3:48998 ext297.pastongroup.com:2418 ESTABLISHED
TCP mail2k3:48998 ext200.pastongroup.com:1251 ESTABLISHED
TCP mail2k3:48998 ext209.pastongroup.com:1096 ESTABLISHED
TCP mail2k3:48998 ext299.pastongroup.com:1653 ESTABLISHED
TCP mail2k3:48998 ext206.pastongroup.com:3831 ESTABLISHED
TCP mail2k3:48998 ext273.pastongroup.com:3103 ESTABLISHED
TCP mail2k3:48998 ext236.pastongroup.com:1127 ESTABLISHED
TCP mail2k3:48998 ext211.pastongroup.com:1266 ESTABLISHED
TCP mail2k3:48998 ext269.pastongroup.com:1154 ESTABLISHED
TCP mail2k3:48998 ext217.pastongroup.com:3694 ESTABLISHED
TCP mail2k3:48998 ext233.pastongroup.com:2778 ESTABLISHED
TCP mail2k3:48998 ext293.pastongroup.com:2177 ESTABLISHED
TCP mail2k3:48998 ext276.pastongroup.com:1755 ESTABLISHED
TCP mail2k3:48998 192.168.1.105:1629 ESTABLISHED
TCP mail2k3:48998 ext269.pastongroup.com:3829 ESTABLISHED
TCP mail2k3:48998 ext282.pastongroup.com:2949 ESTABLISHED
TCP mail2k3:48998 ext282.pastongroup.com:2952 ESTABLISHED
TCP mail2k3:48998 ira.pastongroup.com:1638 ESTABLISHED
TCP mail2k3:48998 EXT272:1103 ESTABLISHED
TCP mail2k3:48998 ext279.pastongroup.com:4178 ESTABLISHED
TCP mail2k3:48998 ext277.pastongroup.com:4431 ESTABLISHED
TCP mail2k3:48998 ext248.pastongroup.com:1114 ESTABLISHED
TCP mail2k3:48998 ext234.pastongroup.com:4836 ESTABLISHED
TCP mail2k3:48998 ext288.pastongroup.com:2854 ESTABLISHED
TCP mail2k3:48998 scottxp.pastongroup.com:3144 ESTABLISHED
TCP mail2k3:49052 mail2k3.pastongroup.com:691 ESTABLISHED
TCP mail2k3:49055 mail2k3.pastongroup.com:691 ESTABLISHED
TCP mail2k3:50087 file2k3.pastongroup.com:1025 ESTABLISHED
TCP mail2k3:50094 file2k3.pastongroup.com:ldap CLOSE_WAIT
TCP mail2k3:50095 file2k3.pastongroup.com:ldap CLOSE_WAIT
TCP mail2k3:50098 file2k3.pastongroup.com:3268 CLOSE_WAIT
TCP mail2k3:50099 file2k3.pastongroup.com:3268 CLOSE_WAIT
TCP mail2k3:53777 file2k3.pastongroup.com:1025 ESTABLISHED
TCP mail2k3:netbios-ssn mail2k3.pastongroup.com:0 LISTENING
UDP mail2k3:epmap *:*
UDP mail2k3:microsoft-ds *:*
UDP mail2k3:isakmp *:*
UDP mail2k3:1025 *:*
UDP mail2k3:1026 *:*
UDP mail2k3:1027 *:*
UDP mail2k3:1028 *:*
UDP mail2k3:1030 *:*
UDP mail2k3:1032 *:*
UDP mail2k3:1034 *:*
UDP mail2k3:1035 *:*
UDP mail2k3hone *:*
UDP mail2k3:1184 *:*
UDP mail2k3:1241 *:*
UDP mail2k3:1242 *:*
UDP mail2k3:l2tp *:*
UDP mail2k3:3456 *:*
UDP mail2k3:3457 *:*
UDP mail2k3:4500 *:*
UDP mail2k3:38037 *:*
UDP mail2k3:38293 *:*
UDP mail2k3:48982 *:*
UDP mail2k3:49001 *:*
UDP mail2k3:ntp *:*
UDP mail2k3:1047 *:*
UDP mail2k3:1057 *:*
UDP mail2k3:1069 *:*
UDP mail2k3:1078 *:*
UDP mail2k3:1100 *:*
UDP mail2k3:1161 *:*
UDP mail2k3:1173 *:*
UDP mail2k3:1182 *:*
UDP mail2k3:1183 *:*
UDP mail2k3:1219 *:*
UDP mail2k3:1631 *:*
UDP mail2k3:1670 *:*
UDP mail2k3:3456 *:*
UDP mail2k3:3457 *:*
UDP mail2k3:5297 *:*
UDP mail2k3:48984 *:*
UDP mail2k3:48991 *:*
UDP mail2k3:49036 *:*
UDP mail2k3:49039 *:*
UDP mail2k3:bootps *:*
UDP mail2k3:bootpc *:*
UDP mail2k3:ntp *:*
UDP mail2k3:netbios-ns *:*
UDP mail2k3:netbios-dgm *:*
UDP mail2k3:2535 *:*
UDP mail2k3:bootps *:*
UDP mail2k3:ntp *:*
UDP mail2k3:netbios-ns *:*
UDP mail2k3:netbios-dgm *:*




--
Network Administrator
Simon Paston & Sons Agency

 

Why do you have IP Routing enabled on both your servers? This is not the
default nor usual setting.

After you try and ping the server and it fails -- can you run the following
command

arp -a

What is the output of the arp command?

--
Mike
Microsoft MVP - Windows Security

 

An Additional note:

I enabled the secondary NIC's (File2k3 @ 192.168.1.20, MAIL2k3 @
192.168.1.21) and Added the DNS Record in the DNS Lookup Zones...

Mail can now ping File Perfectly to 192.168.1.20, but it still times out on
192.168.1.3...

This is not acceptable because the /20 address is also going thru a 100 meg
switch and not the gigabit router.. just an FYI.

I did a ipconfig /flushdns on the mail2k3 server so it would see the DNS
change.

This is VERY Strange.
--
Network Administrator
Simon Paston & Sons Agency

 

I dont know why IP routing is on.. I did not setup these servers, an
outsource company did.. Should I turn that off? We have a simple network
here with no need for specific routes.. We have 1 gateway for our internet
and 3 servers, 50 workstations. No remote offices etc...

Here is the command from both machines:


FILE2K3

Interface: 192.168.1.30 --- 0x10003
Internet Address Physical Address Type
192.168.1.1 00-0f-b5-8c-85-7b dynamic
192.168.1.3 00-0a-5e-1a-01-41 dynamic
192.168.1.7 00-0a-5e-1a-02-f1 dynamic
192.168.1.8 00-14-22-0a-19-9a dynamic
192.168.1.31 00-0a-5e-1a-b9-9b dynamic
192.168.1.43 00-0c-f1-92-cd-46 dynamic
192.168.1.44 00-0c-f1-92-c6-90 dynamic
192.168.1.46 00-0c-f1-92-cc-f0 dynamic
192.168.1.48 00-0c-f1-92-cd-5d dynamic
192.168.1.49 00-0c-f1-92-51-50 dynamic
192.168.1.53 00-0c-f1-92-f7-c8 dynamic
192.168.1.55 00-0c-f1-92-de-fe dynamic
192.168.1.58 00-0c-f1-92-f8-1c dynamic
192.168.1.60 00-0c-f1-92-cd-76 dynamic
192.168.1.63 00-0c-f1-92-df-dd dynamic
192.168.1.64 00-0c-f1-92-f7-ff dynamic
192.168.1.65 00-0c-f1-92-df-30 dynamic
192.168.1.66 00-0c-f1-92-f6-e7 dynamic
192.168.1.67 00-0c-f1-92-c3-07 dynamic
192.168.1.68 00-0c-f1-92-f7-88 dynamic
192.168.1.69 00-0c-f1-92-df-14 dynamic
192.168.1.70 00-0c-f1-92-c7-c3 dynamic
192.168.1.71 00-0c-f1-92-cb-d6 dynamic
192.168.1.72 00-0c-f1-92-cc-fb dynamic
192.168.1.73 00-0c-f1-92-de-1c dynamic
192.168.1.74 00-0c-f1-92-f8-65 dynamic
192.168.1.104 00-10-83-59-d0-f6 dynamic
192.168.1.107 00-60-b0-41-f6-1a dynamic
192.168.1.109 00-01-e6-3b-b4-0b dynamic
192.168.1.125 00-0c-f1-92-ef-0c dynamic
192.168.1.127 00-0c-f1-92-f7-bd dynamic
192.168.1.130 00-0c-f1-92-df-42 dynamic
192.168.1.131 00-0c-f1-92-cc-ae dynamic
192.168.1.146 00-0c-f1-92-f3-a9 dynamic
192.168.1.155 08-00-09-bd-f6-54 dynamic
192.168.1.156 00-0c-f1-92-c6-9a dynamic
192.168.1.159 00-0c-f1-92-de-65 dynamic
192.168.1.191 00-08-0d-90-3c-2a dynamic
192.168.1.200 08-00-09-bd-16-43 dynamic
192.168.1.202 00-01-e6-7e-c3-6b dynamic
192.168.1.223 00-0c-f1-92-f8-26 dynamic
192.168.1.227 00-0c-f1-92-51-93 dynamic
192.168.1.252 00-11-85-fb-26-7b dynamic


Interface: 192.168.1.3 --- 0x10003
Internet Address Physical Address Type
192.168.1.1 00-0f-b5-8c-85-7b dynamic
192.168.1.7 00-0a-5e-1a-02-f1 dynamic
192.168.1.8 00-14-22-0a-19-9a dynamic
192.168.1.30 00-0a-5e-1a-02-c3 dynamic
192.168.1.31 00-0a-5e-1a-b9-9b dynamic
192.168.1.40 00-0c-f1-92-e5-de dynamic
192.168.1.42 00-0c-f1-92-46-d1 dynamic
192.168.1.43 00-0c-f1-92-cd-46 dynamic
192.168.1.44 00-0c-f1-92-c6-90 dynamic
192.168.1.45 00-0c-f1-92-e5-a4 dynamic
192.168.1.46 00-0c-f1-92-cc-f0 dynamic
192.168.1.48 00-0c-f1-92-cd-5d dynamic
192.168.1.49 00-0c-f1-92-51-50 dynamic
192.168.1.53 00-0c-f1-92-f7-c8 dynamic
192.168.1.55 00-0c-f1-92-de-fe dynamic
192.168.1.56 00-0c-f1-92-cd-3b dynamic
192.168.1.58 00-0c-f1-92-f8-1c dynamic
192.168.1.59 00-0c-f1-92-dc-ae dynamic
192.168.1.63 00-0c-f1-92-df-dd dynamic
192.168.1.64 00-0c-f1-92-f7-ff dynamic
192.168.1.65 00-0c-f1-92-df-30 dynamic
192.168.1.66 00-0c-f1-92-f6-e7 dynamic
192.168.1.67 00-0c-f1-92-c3-07 dynamic
192.168.1.68 00-0c-f1-92-f7-88 dynamic
192.168.1.69 00-0c-f1-92-df-14 dynamic
192.168.1.70 00-0c-f1-92-c7-c3 dynamic
192.168.1.71 00-0c-f1-92-cb-d6 dynamic
192.168.1.72 00-0c-f1-92-cc-fb dynamic
192.168.1.73 00-0c-f1-92-de-1c dynamic
192.168.1.74 00-0c-f1-92-f8-65 dynamic
192.168.1.88 00-0c-f1-92-f7-ea dynamic
192.168.1.114 00-0a-5e-1a-02-c3 dynamic
192.168.1.125 00-0c-f1-92-ef-0c dynamic
192.168.1.127 00-0c-f1-92-f7-bd dynamic
192.168.1.130 00-0c-f1-92-df-42 dynamic
192.168.1.131 00-0c-f1-92-cc-ae dynamic
192.168.1.146 00-0c-f1-92-f3-a9 dynamic
192.168.1.156 00-0c-f1-92-c6-9a dynamic
192.168.1.159 00-0c-f1-92-de-65 dynamic
192.168.1.164 00-0c-f1-92-f8-6d dynamic
192.168.1.223 00-0c-f1-92-f8-26 dynamic


MAIL2K3:



--
Network Administrator
Simon Paston & Sons Agency

 

I think the IP routing was enabled because of the dual NIC's in the system...
When i went into RRAS it shows:

LOOPBACK 127.0.0.1
LOCAL AREA CONNECTION 192.168.1.30
INTERNAL 192.168.1.114

Note that Mail2k3 is also our VPN EndPoint / DHCP Server.
--
Network Administrator
Simon Paston & Sons Agency

 

Hi,

In general Active Directory server should not be multihomed (multiple
NIC) -- (not a recommended configuration). There are quite a few problems
when domain controller is multihomed... Here are few of them...

Troubleshooting browser Event ID 8021 and 8032 on master browsers
http://support.microsoft.com/?id=135404

Clients cannot log on to domain controllers that are Windows Server
2003-based DNS servers, and network interfaces that are not registered in
DNS can still perform dynamic updates
http://support.microsoft.com/default.aspx?scid=kb;en-us;832478

--
Mike
Microsoft MVP - Windows Security

 

If I understand you correctly -- Mail2K3 server does not have anything in
the arp cache?

--
Mike
Microsoft MVP - Windows Security

 

Well the secondary NIC's have anways been disabled... I just enabled them for
this test.. Originally i believe they were putin there for redundancy just
incase...

Should i delete the IP routing? Will that have adverse affects? I have
full backups just incase. There should be no set routes for anything on my
network.. It should flow free so to speak.
--
Network Administrator
Simon Paston & Sons Agency

 

In

Mike's referring to DCs in general should not be multihomed. A home can also
be a dialup interface, PPP interface, etc. Also evident that RRAS can be a
nasty issue as well with DCs. If you want to run RRAS on a machine, it's
highly suggested and recommended to utilize a member server for this
purpose, and not an Exchange box. There are multiple steps you can take to
clean this up, and I can post them if youlike, but they include reg entries
that need to be made to modify a DC's default behavior.

Honestly I would disable RRAS, make sure the extra NICs are disabled, delete
any dialup or PPP interfaces, delete those entries in DNS, and you should
get a good night sleep. The way you have it setup, you are loosing valuable
personal time and creating yourself too much stress.

If you want me to post those steps, I will be glad to do so...

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.

It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy. - [Me]

 

Yes please post the steps.

All i want to obtain is getting the Global Catalog server to stop this WEIRD
behavior.

Why would one interface stop being able to accept incoming connections via
ping, when access to fileshares and all still work...

I can take the VPN endpoint off the mail server, because i have a hardware
endpoint i want to use instead.

Is the scenario you talk about easy?
--
Network Administrator
Simon Paston & Sons Agency

 

In

Scenario as in altering a DC's default behavior? No it IS NOT and NOT
recommended. I really rather see you use a hardware solution for VPN access.
Pix boxes are cool and relatively inexpensive for the features and security
they offer. If you insist on using a WIndows machine for such, here are the
steps... Get a bottle of Crown and case of beer to celebrate once you're
done...

Here are the steps... Good luck.

================================
(USe this one):
********************************
Multihomed DCs, DNS, RRAS servers.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Below are the manual steps in more detail, which I had outlined in the above
paragraph:

Honestly, multi-homed DCs are not recommended because of the associated
issues that can occur, as you've encountered. We usually recommend
purchasing an inexpensive Linksys, DLink, etc, Cable/DSL router to perform
NAT for you, take out the extra NIC off the DC, but still let the DC handle
DHCP (and not the router).

Little background on AD and DNS:
First, just to get this out of the way, if you have your ISP's DNS addresses
in your IP configuration (DCs and clients), they need to be REMOVED.

If the ISP's DNS is in there, this will cause additional problems.

Also, AD registers certain records in DNS in the form of SRV records that
signify AD's resource and service locations. When there are multiple NICs,
each NIC registers. IF a client, or another DC queries DNS for this DC, it
may get the wrong record. One factor controlling this is Round Robin. If a
DC or client on another subnet that the DC is not configured on queries for
it, Round Robin will kick in offering one or the other. If the wrong one
gets offered, it may not have a route to it. On the other hand, Subnetmask
Priortization will ensure a querying client will get an IP that corresponds
to the subnet it's on, which will work. To insure everything works, stick
with one NIC.

Since this DC is multi-homed, it requires additional configuration to
prevent the public interface addresses from being registered in DNS. This
creates a problem for internal clients locating AD to authenticate and find
other services and resources such as the Global Catalog, file sharing and
the SYSVOL DFS share and can cause GPO errors with Userenv 1000 events to be
logged, authenticating to shares and printers, logging on takes forever,
among numerous other issues.

But if you like, there are some registry changes to eliminate the
registration of the external NIC. Here's the whole list of manual steps to
follow.

But believe me, it's much easier to just get a separate NAT device or
multihome a non-DC then having to alter the DC. - Good luck!

1. Insure that all the NICS only point to your internal DNS server(s) only
and none others, such as your ISP's DNS servers' IP addresses.

2. In Network & Dialup properties, Advanced Menu item, Advanced Settings,
move the internal NIC (the network that AD is on) to the top of the binding
order (top of the list).

3. Disable the ability for the outer NIC to register. The procedure, as
mentioned, involves identifying the outer NIC's GUID number. This link will
show you how:
246804 - How to Enable-Disable Windows 2000 Dynamic DNS Registrations (per
NIC too):
http://support.microsoft.com/?id=246804

4. Disable NetBIOS on the outside NIC. That is performed by choosing to
disable NetBIOS in IP Properties, Advanced, and you will find that under the
"WINS" tab. You may want to look at step #3 in the article to show you how
to disable NetBIOS on the RRAS interfaces if this is a RRAS server.
296379 - How to Disable NetBIOS on an Incoming Remote Access Interface
[Registry Entry]:
http://support.microsoft.com/?id=296379

Note: A standard Windows service, called the "Browser service", provides the
list of machines, workgroup and domain names that you see in "My Network
Places" (or the legacy term "Network Neighborhood"). The Browser service
relies on the NetBIOS service. One major requirement of NetBIOS service is a
machine can only have one name to one IP address. It's sort of a
fingerprint. You can't have two brothers named Darrell. A multihomed machine
will cause duplicate name errors on itself because Windows sees itself with
the same name in the Browse List (My Network Places), but with different
IPs. You can only have one, hence the error generated.

5. Disable the "File and Print Service" and disable the "MS Client Service"
on the outer NIC. That is done in NIC properties by unchecking the
respective service under the general properties page. If you need these
services on the outside NIC (which is unlikely), which allow other machines
to connect to your machine for accessing resource on your machine (shared
folders, printers, etc.), then you will probably need to keep them enabled.

6. Uncheck "Register this connection" under IP properties, Advanced
settings, "DNS" tab.

7. Delete the outer NIC IP address, disable Netlogon registration, and
manually create the required records

a. In DNS under the zone name, (your DNS domain name), delete the outer NIC's
IP references for the "LdapIpAddress". If this is a GC, you will need to
delete the GC IP record as well (the "GcIpAddress"). To do that, in the DNS
console, under the zone name, you will see the _msdcs folder. Under that,
you will see the _gc folder. To the right, you will see the IP address
referencing the GC address. That is called the GcIpAddress. Delete the IP
addresses referencing the outer NIC.

i. To stop these two records from registering that information, use the
steps provided in the links below:
Private Network Interfaces on a Domain Controller Are Registered in
DNShttp://support.microsoft.com/?id=295328

ii. The one section of the article that disables these records is done with
this registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
(Create this Multi-String Value under it):
Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ
Values: LdapIpAddress
GcIpAddress

iii. Here is more information on these and other Netlogon Service records:
Restrict the DNS SRV resource records updated by the Netlogon service
[including GC]:
http://www.microsoft.com/technet/tr...proddocs/standard/sag_dns_pro_no_rr_in_ad.asp

b. Then you will need to manually create these two records in DNS with the
IP addresses that you need for the DC. To create the

LdapIpAddress, create a new host under the domain, but leave the "hostname"
field blank, and provide the internal IP of the DC, which results in a

record that looks like:
(same as parent) A 192.168.5.200 (192.168.5.200 is used for illustrative
purposes)

i. You need to also manually create the GcIpAddress as well, if this is a
GC. That would be under the _msdcs._gc SRV record under the zone. It is
created in the same fashion as the LdapIpAddress mentioned above.

8. In the DNS console, right click the server name, choose properties, then
under the "Interfaces" tab, force it only to listen to the internal NIC's IP
address, and not the IP address of the outer NIC.

9. Since this is also a DNS server, the IPs from all NICs will register,
even if you tell it not to in the NIC properties. See this to show you how
to stop that behavior (this procedure is for Windows 2000, but will also
work for Windows 2003):
275554 - The Host's A Record Is Registered in DNS After You Choose Not to
Register the Connection's Address:
http://support.microsoft.com/?id=275554

10. If you haven't done so, configure a forwarder. You can use 4.2.2.2 if
not sure which DNS to forward to until you've got the DNS address of your
ISP. How to set a forwarder?
Depending on your operating system,choose one of the following articles:

300202 - HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/?id=300202&FR=1

323380 - HOW TO: Configure DNS for Internet Access in Windows Server 2003
(How to configure a forwarder):
http://support.microsoft.com/d/id?=323380


<==*** Some additional reading ***==>
More links to read up and understand what is going on:

292822 - Name Resolution and Connectivity Issues on Windows 2000 Domain
Controller with Routing and Remote Access and DNS Insta {DNS and RRAS and
unwanted IPs registering]:
http://support.microsoft.com/?id=292822

246804 - How to enable or disable DNS updates in Windows 2000 and in Windows
Server 2003
http://support.microsoft.com/?id=246804

295328 - Private Network Interfaces on a Domain Controller Are Registered in
DNS
[also shows DnsAvoidRegisterRecords LdapIpAddress to avoid reg sameasparent
private IP]:
http://support.microsoft.com/?id=295328

306602 - How to Optimize the Location of a DC or GC That Resides Outside of
a Client's
Site [Includes info LdapIpAddress and GcIpAddress information and the SRV
mnemonic values]:
http://support.microsoft.com/?id=306602

825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003 (including how-to configure a forwarder):
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

291382 - Frequently asked questions about Windows 2000 DNS and Windows
Server 2003 DNS
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382

296379 - How to Disable NetBIOS on an Incoming Remote Access Interface
[Registry Entry]:
http://support.microsoft.com/?id=296379

_________________________
+++++++++++++++++++++++++++++++++++++++++++++++++++++++


Ace

 

Woah, holy macarol... Let me add a few things cause im not doin all that yet...

The secondary NIC's in the servers are ALWAYS Disabled. No wires plugged in
and Disabled in control panel. No IP's associated to them. I only turned it
on to see if it would ping , which it did.

Now i have a netgear firewall that has built in VPN Endpoint, so im ok with
turning that off.

Every PC in the company only has the 192.168.1.3 ip in the DNS config, which
points to our DNS Server (file2k3)

I would imagine the IP Routing is on because of the VPN portion of the
server. I am not so familiar with the RRAS and turning it all off then i have
to fix the peoples VPN COnnection from their homes.

Aside from hardware failure... the thing i am trying to resolve.. cause i
think it has gotten lost in translation here..

Mail2k3 stops pinging File2k3. File2k3 can still ping Mail2k3. Outlook
slows to a crawl with the popup "Outlook is waiting for the server yadda
yadda" because mail2k3 cant see file2k3 i guess... File shares on mail2k3 to
file2k3 Work perfectly.

File 2k3 is our Primary DC and GC. Web2k3 is the other DC. They sync
perfectly.

If i reboot File2k3, then mail2k3 can ping it again just fine for a few
hours ot 30 mins, then it stops again...

I see a bunch of connections in a Time_wait, or whatever state it was i
posted.. It seems like file2k3 is not ending the proper transmissions and
reopening the port. Bothup to the latest service packs etc....

Now tommorow I will post some event log, maybe it will help.
--
Chris Baldassano
--------------------
Network Administrator
Simon Paston & Sons Agency
Lynbrook, NY

 

In

The event logs will help.

SInce this is a DC, RRAS causes issues. THe articles I provided as part of
that info show that. Why not use the Netgear firewall, if it has VPN
support, as the VPN server for your folks?

Ace