Multi Server AD Global Catalog Configuration

    Question

  • Hi,

    I have a 3 domain controller setup in the office.

    Domain and forest functional levels are Server 2003.

    PDC = Server 2008 R2 Std (holds all FSMO roles of the network incl GC, 20% DHCP Scope)
    BDC = Server 2003 R2 Std (mail server and GC)
    SDC = Server 2008 R2 Std (GC, 80% DHCP Scope)

    We are about to add another physical location (site 2) to our network, which will be linked together with the current one (site 1) as one network, blocking DHCP between sites to have separated halves of the DHCP scope.

    The PDC and BDC will be moving to site 2, leaving the SDC on its own at site 1 for at most a week before everything is set up and running at site 2.

    I have done a test by taking down the SDC for a few days as a trial for the PDC and BDC being on their own.

    However, I started experiencing an error bringing up management consoles for the domain saying that it can't contact a Global Catalog server, referencing the SDC. If I then manually specified the server to connect to, it worked without complaints; password changes from client machines worked as expected, adding and removing users worked as expected, and when bringing the SDC back online all changes replicated without issue.

    What I am a bit confused about is the error about a global catalog server being offline when the 2 online servers held the global catalog and one held all the FSMO roles.

    Anyone have any ideas on what could potentially cause this problem, and whether it is something that could be rectified or is it (for some reason) by design?

    Sunday, March 18, 2012 11:11 AM

Answers

All replies

  • Just to add,

    I dug an entry out of the directory services event log from the PDC:

    Active Directory Domain Services was unable to establish a connection with the global catalog. 
     
    Additional Data 
    Error value:
    1355 The specified domain either does not exist or could not be contacted. 
    Internal ID:
    3200e25 
     
    User Action: 
    Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.

    Sunday, March 18, 2012 11:49 AM
  • Hi,

    It seems to be a name resolution (DNS configuration) problem on the domain controller.

    Are all DCs DNS servers?

    Follow this and ensure everything is in place: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

    Also post the dcdiag /q and ipconfig /all output from all 3 DCs.


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Sunday, March 18, 2012 12:19 PM
  • Yes, all DCs are DNS servers.

    PDC

    dcdiag /q didn't produce any output

    ipconfig /all

    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : pdc
       Primary Dns Suffix  . . . . . . . : domain.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : domain.local
    
    Ethernet adapter Local Area Connection:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Local Area Connection - Virtual Network
       Physical Address. . . . . . . . . : 48-5B-39-ED-1B-87
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.7.2(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.7.3
       DNS Servers . . . . . . . . . . . : 192.168.7.2
                                           192.168.7.8
                                           192.168.7.4
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Ethernet adapter Physical 2:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Realtek RTL8169/8110 Family PCI Gigabit Ethernet NIC (NDIS 6.20)
       Physical Address. . . . . . . . . : 00-08-54-51-57-1A
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    
    Ethernet adapter Local Area Connection 1:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : LocalNetwork
       Physical Address. . . . . . . . . : 00-15-5D-07-02-0A
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Autoconfiguration IPv4 Address. . : 169.254.102.51(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Tunnel adapter isatap.{19897360-EDF7-4DE8-B706-8B336006941B}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter isatap.{1A141796-1983-4B0D-A46B-6FA31910D6FD}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter isatap.{B75F291C-4482-4357-A21D-6E6C68B12E18}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes


    BDC

    dcdiag /q didn't produce any output

    ipconfig /all

    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : bdc
       Primary Dns Suffix  . . . . . . . : domain.local
       Node Type . . . . . . . . . . . . : Unknown
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : domain.local
    
    Ethernet adapter Local Area Connection 2:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #3
       Physical Address. . . . . . . . . : 00-15-5D-07-02-00
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.7.4
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.7.3
       DNS Servers . . . . . . . . . . . : 192.168.7.4
                                           192.168.7.2
                                           192.168.7.8
    
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%5
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled
    
    Tunnel adapter Automatic Tunneling Pseudo-Interface:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : C0-A8-07-04
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : fe80::5efe:192.168.7.4%2
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Disabled

    SDC

    dcdiag /q didn't produce any output

    ipconfig /all

    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : sdc
       Primary Dns Suffix  . . . . . . . : domain.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : domain.local
    
    Ethernet adapter Local Area Connection:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Local Area Connection - Virtual Network
       Physical Address. . . . . . . . . : 54-04-A6-D4-2C-53
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.7.8(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.7.3
       DNS Servers . . . . . . . . . . . : 192.168.7.8
                                           192.168.7.2
                                           192.168.7.4
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Tunnel adapter isatap.{727E5961-8CDA-4B79-84CA-FC41AECB89AE}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Thanks


    Sunday, March 18, 2012 8:39 PM
  • Hello,

    Please disable all unused NIC cards. See Ace's article about multihomed DCs: http://blogs.dirteam.com/blogs/acefekay/archive/2009/08/03/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

    Please proceed like that:

    • Make all DCs point to 192.168.7.2 as primary DNS server
    • Delete all unused DNS records in your DNS system
    • Run ipconfig /registerdns and restart netlogon on all your DCs
    • Make sure that the ports needed for AD replication are not blocked: http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx

    Once done, run repadmin /syncall and check the output of dcdiag on all DCs you have.

    If the problem is solved then you can do that:

    • Make each DC point to its private IP address as primary DNS server
    • Make sure that each DC points to other DCs as secondary DNS servers


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Sunday, March 18, 2012 8:51 PM
  • Hello,

    I have disabled the adapter that was obtaining an APIPA address and the currently unused "Physical 2" NIC on the PDC.

    I am not 100% on why the servers are showing tunnel adapters; none of the servers have the RRAS role installed (the BDC did at one point in the past, but it was removed about 8 months ago).

    I have pointed all servers' primary DNS to the PDC and run ipconfig /registerdns, which returned no issues in the event logs on any of the servers.

    repadmin /syncall returned no errors.

    Running dcdiag on all servers passed all tests.


    Sunday, March 18, 2012 10:00 PM
  • Glad to hear that the problem has been resolved.

    Regarding tunnel adapters, this might be due to IPv6.

    Follow the links below, which explain what these tunnel adapters do:

    http://programming4.us/desktop/2762.aspx

    http://technet.microsoft.com/en-us/network/cc987595.aspx

    http://technet.microsoft.com/en-us/library/bb726952.aspx

    Hope this will clear some of your doubts.

    If you want, you can disable these adapters. Go through the links below, which explain how to achieve this.

    http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/19/disabling-ipv6-on-windows-2008.aspx

    http://social.technet.microsoft.com/Forums/en-US/itprovistanetworking/thread/32b0c129-fa2d-431a-a275-4288c729605a/

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, March 19, 2012 6:22 AM
  • Hi,

    I suggest we confirm the GC setting again on the PDC and BDC servers.

    Please open AD Sites and Servers and right click “NTDS settings” on your PDC/BDC to select Properties. Please then confirm that the checkbox of Global Catalog is checked.

    In the meantime, we should verify Global Catalog in DNS Registrations:

    http://technet.microsoft.com/en-us/library/cc739586(v=ws.10).aspx

    http://technet.microsoft.com/en-us/library/cc753187.aspx

    Regards

    Kevin

    Monday, March 19, 2012 6:23 AM
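An added example, not code from the thread or from any of the posters, that turns the two check-lists above into a script: the DNS-client and multihoming review from the March 18, 8:51 PM reply, and Kevin's request to verify the Global Catalog DNS registrations, plus the nltest check named in the event's User Action. It assumes the forest root domain.local and the host names pdc, bdc and sdc from this thread; everything else is standard Windows tooling available on Server 2008 R2.

```powershell
# Added example, not from the thread: checks for the DC DNS/GC problems discussed above.
# Assumes forest root domain.local and GCs pdc, bdc, sdc (this thread's names); adjust the
# parameters. Targets PowerShell 2.0 on Server 2008 R2, so it shells out to nslookup and nltest.
param(
    [string]$Domain = 'domain.local',
    [string[]]$ExpectedGCs = @('pdc', 'bdc', 'sdc')
)
# 1. Adapter review on this DC: an APIPA address or a second adapter registering in DNS
#    hands out an unreachable address for the DC; also report the DNS client order.
function Get-DcAdapterFindings {
    $findings = @()
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True')
    $registering = @($nics | Where-Object { $_.FullDNSRegistrationEnabled })
    if ($registering.Count -gt 1) {
        $findings += "multihomed: $($registering.Count) adapters register in DNS; disable unused NICs"
    }
    foreach ($nic in $nics) {
        foreach ($ip in @($nic.IPAddress)) {
            if ($ip -like '169.254.*') {
                $findings += "APIPA address $ip on '$($nic.Description)': disable it or set a static IP"
            }
        }
        if ($nic.DNSServerSearchOrder) {
            $primary = $nic.DNSServerSearchOrder[0]
            $self = @($nic.IPAddress) -contains $primary
            $others = @($nic.DNSServerSearchOrder | Select-Object -Skip 1) -join ', '
            $findings += "'$($nic.Description)': primary DNS $primary (self: $self), secondaries: $others"
        }
    }
    return $findings
}

# 2. GC SRV records: the locator finds a GC via _gc._tcp.<forest> (port 3268) and
#    _ldap._tcp.gc._msdcs.<forest>; every GC must appear in both.
function Get-GcSrvHosts([string]$Name) {
    $out = & nslookup -type=SRV $Name 2>&1 | Out-String
    $hosts = @()
    foreach ($m in [regex]::Matches($out, 'svr hostname\s*=\s*(\S+)')) {
        $hosts += $m.Groups[1].Value.TrimEnd('.').ToLower()
    }
    return $hosts
}
function Test-GcSrvRecords {
    $missing = @()
    foreach ($rec in @("_gc._tcp.$Domain", "_ldap._tcp.gc._msdcs.$Domain")) {
        $found = Get-GcSrvHosts $rec
        foreach ($gc in $ExpectedGCs) {
            if ($found -notcontains "$gc.$Domain".ToLower()) { $missing += "$gc missing from $rec" }
        }
    }
    return $missing
}

# 3. Ask the DC locator for a GC, as the event's User Action suggests; on failure nltest
#    prints the locator status, which is where the event's error value (1355) comes from.
function Test-GcLocator {
    $out = & nltest "/dsgetdc:$Domain" /GC /FORCE 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { return "nltest failed (exit $LASTEXITCODE): $($out.Trim())" }
    $dc = [regex]::Match($out, 'DC:\s*\\\\(\S+)').Groups[1].Value
    return "locator returned GC $dc"
}
'--- adapters ---';    Get-DcAdapterFindings
'--- SRV records ---'; $m = Test-GcSrvRecords; if ($m) { $m } else { 'all expected GCs registered' }
'--- locator ---';     Test-GcLocator
```

Run it on each DC before and after the DNS changes; the adapter section should show one registering adapter and no APIPA address, and the SRV section should list no missing GCs.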
  • Hi,

    Thanks for the additional links about the tunnel adapters; I have got a better idea of their purpose. Until now I had never thought much of them.

    In regards to the GC settings, the NTDS settings on all 3 DCs have Global Catalog checked and all servers show correctly in DNS.

    I will run another test over this coming weekend to confirm whether the changes done here have provided a solution to the original problem.

    Thanks

    Monday, March 19, 2012 7:41 AM
  • Is your BDC also an Exchange server? If yes, running Exchange on the DC is not a good idea from the security/performance and GC utilization point of view. If Exchange is running on the GC it will not use any other GC apart from the DC it is installed on.

    Several Exchange Server directory components, such as Directory Service Access (DSAccess), Directory Service Proxy (DSProxy), and the Message Categorizer will not fail over to any other domain controller or global catalog server.

    http://technet.microsoft.com/en-us/library/aa997060%28v=exchg.80%29.aspx


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, March 19, 2012 9:55 AM
    Moderator
  • Hi,

    No, we don't run Exchange; we run a system called SmarterMail for our mail server.

    Exchange is a bit "over-the-top" for our simple requirements :)

    Thanks

    Monday, March 19, 2012 10:38 AM
  • Oh that's ok, I have seen BDC = Server 2003 R2 Std (mail server and GC) in your post, so thought of confirming it.

    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, March 19, 2012 11:34 AM
    Moderator