ports open

    Question

  • Hi all,

    We have one domain controller behind a firewall.  We have several different sites which have
    domain controllers.  Do I need to configure the firewall to let every other DC at the different
    sites connect to this DC?

    Thank you.

    Wednesday, November 13, 2013 5:14 PM

All replies

  • Well, it will need to communicate with at least one DC for replication purposes.
    http://blogs.dirteam.com/blogs/paulbergson/archive/2012/05/15/windows-2000-2003-replication-through-a-firewall.aspx

    My link is still ok.  RPC ports have slightly changed, but if you lock down the ports it is still correct.  I also have links to help.


    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, November 13, 2013 5:32 PM
    Moderator
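    An added example (not from the thread or from Paul's linked article): a quick TCP reachability check, run from the DC behind the firewall, against the fixed ports a replication partner needs. The partner name is the one used later in this thread, and Test-NetConnection requires Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example: TCP reachability from the DC behind the firewall toward one
# replication partner. The port list is the standard DC-to-DC set; the
# partner name is the one used in this thread (assumed, adjust as needed).
param(
    [string]$Partner = 'DC5.mycompany.local'
)

# Fixed ports only. Replication itself is RPC: TCP 135 (endpoint mapper) plus
# a dynamic port that a plain connect test cannot prove, so use the PortQry
# "Domains and Trusts" query for that part. Kerberos, DNS and LDAP also use
# UDP, which Test-NetConnection does not exercise.
$RequiredPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL share)'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

function Test-DcPorts {
    param([string]$Target, [hashtable]$Ports)
    foreach ($port in $Ports.Keys) {
        # TcpTestSucceeded is $false for both "filtered" and "closed";
        # the firewall log on the path tells the two apart.
        $r = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = $port
            Service = $Ports[$port]
            TcpOpen = $r.TcpTestSucceeded
        }
    }
}

$results = Test-DcPorts -Target $Partner -Ports $RequiredPorts | Sort-Object Port
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.TcpOpen }
if ($blocked) {
    Write-Warning ("Filtered or closed toward {0}: {1}" -f $Partner, ($blocked.Port -join ', '))
} else {
    Write-Output "All fixed TCP ports reachable on $Partner; verify the dynamic RPC range with PortQry."
}
```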
  • Thanks Paul.

    We did open ports for all DCs except one DC (DC5) at one site.  DC name behind FW: DC1

    But, recently, we got 13508 on DC1's File Replication Service log, which claims that DC5 is having trouble replicating to DC1.  I checked repadmin /showrepl: no error, and DC5 is not configured to replicate to DC1 in AD Sites and Services.

    Can anyone help me understand why 13508 shows in DC1's replication service log even though DC5 is not configured to replicate to DC1 in AD Sites and Services?

    Thank you.

    ------------

    log:

    The File Replication Service is having trouble enabling replication from DC5 to DC1 for c:\windows\sysvol\domain using the DNS name \\DC5.local. FRS will keep retrying.

    Following are some of the reasons you would see this warning.

    Wednesday, November 13, 2013 6:31 PM
  • Is DC1 RID and/or PDC?  If so it would need to be able to talk to DC1.

    Wednesday, November 13, 2013 10:37 PM
  • No.  Here are the details:

    ------------------------------------

    one forest and domain (different sites)
    DC5 (not behind FW);  DC name behind FW: DC1
    Neither DC5 nor DC1 is a FSMO holder.  This event (ID 13508)
    only shows in the FRS event log of DC1 (behind FW).

    Any ideas? Thank you!

    ---------------------

    Event Type: Warning
    Event Source: NtFrs
    Event Category: None
    Event ID: 13508
    Date:  11/14/2013
    Time:  2:40:11 AM
    User:  N/A
    Computer: DC1 (behind FW)
    Description:
    The File Replication Service is having trouble enabling replication from \\D5.mycompany.local to DC1 for c:\windows\sysvol\domain using the DNS name \\D5.mycompany.local FRS will keep retrying.
    Following are some of the reasons you would see this warning.

    [1] FRS can not correctly resolve the DNS name \\D5.mycompany.local from this computer.
    [2] FRS is not running on \\D5.mycompany.local.
    [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

    This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00               ....   

    ----------------------------------

    Thursday, November 14, 2013 4:30 PM
  • I know you said you've checked sites and services but when you go there and expand the site, expand the servers container, expand the server, and right-click and go to properties on both servers (in question) NTDS Settings - in the NTDS Settings Properties window on the Connections tab, you don't see the other server listed?  I know you said you checked repadmin /showrepl but the other day we had an issue where connections were showing up in the GUI and not showing in other places and vice versa.
    Thursday, November 14, 2013 5:29 PM
  • Hi Kelly,

    I checked again, double-clicked each server and expanded NTDS Settings; I also checked the Connections tab, which includes Replicate From and Replicate To:

    >NTDS Settings - in the NTDS Settings Properties window on the Connections tab, you don't see the other server listed?

    Right. I do not see D5 listed in D1's connections at all.

    I do not know why 13508 was generated on DC1 (only 13508; no 13509).

    Thank you.

    Thursday, November 14, 2013 6:37 PM
  • Ok take a look in ADSI Edit.  Open ADSI Edit right click and click Connect to.  In the "Select a well known Naming Context" select configuration and then click OK. Expand it out and drill down to Sites and expand that.  Find the site that DC1 is in and expand it, expand Servers, expand DC1, and then click on CN=NTDS Settings.  In there you see the ADSI Edit version of the GUI.  See if you can find DC5 in there.  You can double click and open the nTDSConnections and the fromServer attribute is the one you are looking for.
    Thursday, November 14, 2013 9:13 PM
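    An added example (not part of Kelly's post): the same walk through the Configuration partition done with the ActiveDirectory module, listing the nTDSConnection objects under a DC's NTDS Settings and their fromServer, then reporting whether a given partner is among them. The names DC1 and DC5 are the ones used in this thread.

```powershell
# Added example: enumerate inbound replication connection objects for a DC
# from the Configuration NC (the objects ADSI Edit shows under NTDS Settings).
# Assumes the ActiveDirectory module; server names are the thread's DC1/DC5.
Import-Module ActiveDirectory

function Get-InboundConnections {
    param([string]$ServerName)

    # Locate the DC's server object under CN=Sites in the Configuration NC.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $server = Get-ADObject -SearchBase "CN=Sites,$configNc" `
        -LDAPFilter "(&(objectClass=server)(cn=$ServerName))"
    if (-not $server) { throw "Server object for $ServerName not found in $configNc" }

    # nTDSConnection objects are children of the server's NTDS Settings.
    Get-ADObject -SearchBase "CN=NTDS Settings,$($server.DistinguishedName)" `
        -LDAPFilter '(objectClass=nTDSConnection)' `
        -Properties fromServer, options, whenChanged |
    ForEach-Object {
        # fromServer is the DN of the partner's NTDS Settings object; the
        # partner's server name is the CN one level above it.
        $partner = ($_.fromServer -split ',')[1] -replace '^CN=', ''
        [pscustomobject]@{
            Connection   = $_.Name
            FromServer   = $partner
            # options bit 0 set = connection generated by the KCC, not by an admin
            KccGenerated = (([int]$_.options) -band 1) -eq 1
            WhenChanged  = $_.whenChanged
        }
    }
}

$inbound = Get-InboundConnections -ServerName 'DC1'
$inbound | Format-Table -AutoSize

if ($inbound.FromServer -contains 'DC5') {
    Write-Output 'DC5 is a configured inbound partner of DC1.'
} else {
    Write-Output 'DC5 is not a configured inbound partner of DC1 (no nTDSConnection with fromServer = DC5).'
}
```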
  • Hi Kelly,

    Thanks for your continuing support.

    I checked adsiedit as you instructed.

    >Find the site that DC1 is in and expand it, expand Servers, expand DC1, and then click on CN=NTDS Settings.  In there you see the ADSI Edit version of the GUI.  See if you can find DC5 in there.  You can double click and open the nTDSConnections and the fromServer attribute is the one you are looking for.

    DC5 is not in the fromServer attribute.

    Any other ideas?

    Thank you.


    • Edited by SGryzbowski Friday, November 15, 2013 5:32 PM
    Friday, November 15, 2013 2:40 PM
  • I know you said in your third post "one forest and domain (different sites)" but I want to confirm that all the DCs are in different sites?

    Also, in sites and services expand out inter-site transports and click on IP (or smtp but I'm assuming it's all over IP) and look to see if there is a site connection to the site of DC5

    Monday, November 18, 2013 6:16 PM
  • Run PortQryUI from both sides of the DCs that are experiencing replication issues.
    http://www.microsoft.com/en-us/download/details.aspx?id=24009

    Run the Domains and Trusts predefined query, my guess is that you will find filtered ports.


    --
    Paul Bergson

    Tuesday, November 19, 2013 1:05 PM
    Moderator
  • Respectfully, that's not an answer and I'm not sure why it's marked as such.  I'm not even sure if the user is still having issues as they haven't replied. We know the ports are blocked so running portqry isn't going to help the user based on what has been talked about.
    Friday, November 22, 2013 1:22 AM
  • Yes.  Some sites have two DCs; some sites have one DC, etc.

    >Also, in sites and services expand out inter-site transports and click on IP (or smtp but I'm assuming it's all over IP) and look to see if there is a site connection to the site of DC5

    Yes. It's a different site from DC1.

    Friday, November 22, 2013 1:24 AM
  • Hi Kelly,

    Apologies for proposing an improper answer, and thanks very much for your reminder and efforts on the forum.

    I will pay more attention to this and hope that it won't affect the discussion here.

    Best regards

    Michael


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Friday, November 22, 2013 4:56 AM
    Moderator
  • Hi Kelly,

    Thank you.

    BTW, here are the details of my issue.

    ---------------------------------------------------

    one forest and domain (several different sites)
    DC5 (not behind FW) at site1;  DC name behind FW: DC1 at site3

    In AD Sites and Services, DC1 replicates from DC6 at site1 and DC7 at site2.

    Neither DC5 nor DC1 is a FSMO holder.  This event (ID 13508)
    only shows in the FRS event log of DC1 (behind FW).

    I do not know why event ID 13508 was generated (and no event ID 13509), asking for replication from
    DC5 at site1, even though DC5 is not shown as a connection object in AD Sites and Services.

    ---------------------

    Event Type: Warning
    Event Source: NtFrs
    Event Category: None
    Event ID: 13508
    Date:  11/14/2013
    Time:  2:40:11 AM
    User:  N/A
    Computer: DC1 (behind FW)
    Description:
    The File Replication Service is having trouble enabling replication from \\D5.mycompany.local to DC1 for c:\windows\sysvol\domain using the DNS name \\D5.mycompany.local FRS will keep retrying.
    Following are some of the reasons you would see this warning.

    [1] FRS can not correctly resolve the DNS name \\D5.mycompany.local from this computer.
    [2] FRS is not running on \\D5.mycompany.local.
    [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

    This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00               ....

    ----------------------------------


    • Edited by SGryzbowski Friday, November 29, 2013 3:19 PM
    Monday, November 25, 2013 9:24 PM
  • Hi,

    Apologies for the delay.

    Regarding Event ID 13508, have you read this article?

    Troubleshooting File Replication Service

    http://technet.microsoft.com/en-us/library/bb727056.aspx

    Please check whether event ID 13509 is logged. A single FRS event ID 13508 does not mean anything is broken or not working, as long as it is followed by FRS event ID 13509, which indicates that the problem was resolved. Based on the time between FRS event IDs 13508 and 13509, you can determine whether a real problem needs to be addressed. For more information, please check the link provided above.

    In addition, please run DCDiag on both DC1 and DC5 to see if the DCs are in good condition.

    Hope this helps,

    Best regards

    Michael



    Friday, November 29, 2013 5:46 AM
    Moderator
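    An added example (not part of Michael's post) of the 13508/13509 pairing he describes: it walks the FRS events in time order, matches each 13509 to the partner named in an earlier 13508, and reports partners still waiting. It runs offline on a constructed sample modelled on this thread; on a DC the commented Get-WinEvent line feeds it the real log.

```powershell
# Added example: pair FRS 13508 warnings with the 13509 that should follow
# and list partners whose 13508 is still unanswered. Event objects are plain
# so the constructed sample below runs anywhere.
function Get-UnresolvedFrsPartners {
    param([object[]]$Events)

    $open = @{}   # partner name -> time of its oldest unanswered 13508
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        # 13508 ("having trouble enabling replication from \\X to Y") and
        # 13509 ("has enabled replication from \\X to Y") both name the partner.
        if ($e.Message -match 'replication from (\\\\)?(\S+) to ') {
            $partner = $Matches[2].ToLower()
            switch ($e.Id) {
                13508 { if (-not $open.ContainsKey($partner)) { $open[$partner] = $e.TimeCreated } }
                13509 { $open.Remove($partner) }
            }
        }
    }
    foreach ($p in $open.Keys) {
        [pscustomobject]@{ Partner = $p; WaitingSince = $open[$p] }
    }
}

# Constructed sample modelled on this thread: DC5's 13508 never gets a 13509,
# DC6's does (DC6 is a configured partner of DC1 per the thread).
$sample = @(
    [pscustomobject]@{ Id = 13508; TimeCreated = [datetime]'2013-11-14 02:40:11'
        Message = 'The File Replication Service is having trouble enabling replication from \\D5.mycompany.local to DC1 for c:\windows\sysvol\domain using the DNS name \\D5.mycompany.local FRS will keep retrying.' }
    [pscustomobject]@{ Id = 13508; TimeCreated = [datetime]'2013-11-14 02:41:00'
        Message = 'The File Replication Service is having trouble enabling replication from \\DC6.mycompany.local to DC1 for c:\windows\sysvol\domain using the DNS name \\DC6.mycompany.local FRS will keep retrying.' }
    [pscustomobject]@{ Id = 13509; TimeCreated = [datetime]'2013-11-14 02:55:30'
        Message = 'The File Replication Service has enabled replication from \\DC6.mycompany.local to DC1 for c:\windows\sysvol\domain after repeated retries.' }
)

# On a DC, read the real FRS log instead of the sample:
# $sample = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13508, 13509 }

Get-UnresolvedFrsPartners -Events $sample | Format-Table -AutoSize
```

    A partner that stays in this list for longer than the normal retry interval is the one worth chasing with DCDiag and name resolution checks; a partner that appears and then drops off was a transient 13508 of the kind the linked article describes.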
  • Check out this link:

    http://support.microsoft.com/kb/224196


    Every second counts..make use of it. Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Friday, November 29, 2013 9:25 AM