Server 2008 R2 - DCDIAG problem - no output??

  • Question

  • I am trying to run dcdiag in a 2008 R2 domain.  Single domain in the forest.  7 domain controllers in the domain.  On ALL domain controllers, the only output given is:

     

    C:\>dcdiag

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = <local server name>
       * Identified AD Forest.


    NO output is given after that, no matter what I try.  Has anyone ever seen this?  I have not been able to find the correct combination of search terms to yield any relevant results.

     

    Thanks!

    Friday, January 27, 2012 8:06 PM


All replies

  • Hello,

    Do you run dcdiag from an elevated command prompt?

    Do you use it directly on the DC only, or have you also tried it from a member machine, with Windows 7 for example?

    Are the machines created from an image that was not sysprepped?


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Friday, January 27, 2012 8:42 PM
  • I would recommend rebooting the server once if it has not been rebooted for many days.

    Open Cmd with Run as administrator and execute dcdiag.

    If the issue still persists, you can download the resource kit tool and open the cmd from Start --> All Programs --> Resource Kit --> Command (Run as admin).

    Resource kit tool download:
    http://www.microsoft.com/download/en/details.aspx?id=17657

    Also, let us know: is this a newly installed server?

    Are you logged in with admin privileges?

    Also ensure correct DNS settings on the DC.

    Hope this helps

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Saturday, January 28, 2012 2:37 AM
  • I would check the dcdiag version and also check if DNS is working properly. In 2008 R2 you can also run BPA to verify whether there is any issue with AD.

    I would confirm the DNS settings and that the DC points to the local DNS server only.

    http://technet.microsoft.com/en-us/library/dd392255%28WS.10%29.aspx

     

    Regards


    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com/


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Saturday, January 28, 2012 8:42 AM
  • Yes, I ran it from an elevated command prompt.  The account I am using is a Domain Admin.  No, I don't have access to a Win7 machine.  I've run it from each of the servers, and even tried to run it from one server against another.  Same results.

     

    DNS logs are clean, and DNS is properly configured.  Some of these DCs were promoted ~45 days ago, some of them have been around for 2 years.  netdom query fsmo returns the proper output on each of the DCs.  The Directory Services logs are clean also (aside from the regular stuff).

     

     


    • Edited by exx1976 Saturday, January 28, 2012 3:14 PM
    Saturday, January 28, 2012 3:14 PM
  • Hi,

    If DNS events are clean, check the DS, FRS and application event logs for any errors.

    For the DCDIAG tool, as Sandesh suggested before, did you try to download the resource kit tool and run the DCDIAG command from there?

    Meanwhile, in Windows Server 2008 R2, instead of DCDIAG you may consider using the Best Practices Analyzer for Active Directory Domain Services.

    Best Practices Analyzer for Active Directory Domain Services: http://technet.microsoft.com/en-us/library/dd391875(WS.10).aspx

    Regards,


    Abhijit Waikar - MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA
    Saturday, January 28, 2012 4:15 PM
  • The application logs are also clean as they relate to DS.  A couple of the machines have known FRS issues, but I would expect that dcdiag would still run, if not on them, then definitely on one of the ones without FRS trouble.

     

    A little background - I'm a senior consulting engineer with a lot of background in AD.  My MCSE design core was AD design.  I'm performing a health check for a customer, and this is the first time that either I or our senior AD guy (a Microsoft Certified Master) have ever seen this.  Another odd tidbit - the ADTD doesn't show the Schema FSMO role holder, or give any information about the Schema in the domain's VSD.  That is odd.  Again, so far, everything that I've seen tells me that the directory is in decent shape overall (a few FRS problems, and some certificate issues), nothing that would make me think there are serious issues that can't be resolved fairly quickly.

    There is no resource kit for Server 2008 that I'm aware of; all the resource kit tools are already included with the OS..  ??

    Thanks!


    • Edited by exx1976 Saturday, January 28, 2012 4:44 PM
    Saturday, January 28, 2012 4:40 PM
  • Dcdiag is built into Windows Server 2008 R2 and Windows Server 2008. For 2003, the support tools are available.

    So all your Domain Controllers are Windows 2008 R2?

    Ensure that each DC points to its own private IP as primary DNS and another remote DNS server's IP as alternate DNS.

    Regards,


    Abhijit Waikar - MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA
    Saturday, January 28, 2012 7:46 PM
  • Have you downloaded the resource kit tool and executed dcdiag, and what was the output?

    Can you run chkdsk in read-only mode on the C volume (assuming the NTDS, SYSVOL and log files are on the C volume)? Can you check the same and update.

    Also exclude the SYSVOL and NTDS folders from AV scanning, reboot the server and check.

    If you run dcdiag on another server, are you facing the same issue?

    What does netdom query fsmo return? Are all the roles available?


    Hope this helps

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

     

     

    Sunday, January 29, 2012 1:27 AM
  • Hello,

    "There is no resource kit for server 2008 that I'm aware of, all the resource kit tool are already included with the OS.. ?? "

    Correct, all supported tools are included in Windows Server 2008 or higher.

    In your case, as everything seems ok except for the dcdiag output, I suggest that you open a support case at Microsoft so the technicians can have a deeper look into the systems. Even if that is not free of cost, they will work until everything is running again without changing the support costs.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Sunday, January 29, 2012 10:05 AM
  • Is there an AV running? Many of the new AVs have a network traffic protection feature that can cause AD communications issues. Just a thought to disable any AV on the DC before running the dcdiag.

    Also, try running it while outputting the data to a text file: dcdiag /v > c:\dcdiag.txt. See if the text file is giving you the same output as in the CMD prompt.

    One more thing, if dcdiag.exe is corrupted, you can run an sfc /verifyfile c:\windows\system32\dcdiag.exe to scan the integrity of the file, and if corrupted, run sfc /scanfile c:\windows\system32\dcdiag.exe to repair it.

    Curious, does a repadmin work, such as running repadmin /showreps?

    Ace

     


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Sunday, January 29, 2012 7:11 PM
  • Meinolf - yes, everything appears functional, just the odd issue with dcdiag and the ADTD not showing me schema info.  I agree that I could probably drop the issue and refer the customer to PSS, but I'd rather try to solve it and look like superman myself.  :)

     

    Whoever asked - netdom query fsmo shows correct output on all 7 servers, they all know who one another are and are in agreement.

     

    Ace - finally, some info worth chasing!  There is AV on the boxes, Trend Corporate edition.  I've never had issues with Trend in the past, but I will try to disable it and see what happens.  I'm not counting on anything.  I do have dcdiag output from MPSreports, and the output there, while more than I get by running it manually, is still abbreviated.  It goes through the normal "lookup" parts, shows DNs, etc, but -- it doesn't even output any of the testing information.  This, too, is consistent across all 7 DCs.  Repadmin works.  I've done repadmin /showrepl, repadmin /showutdvec, and the whole 9.  All of that is fine.  DNSlint also works fine.

    One thing that *I* am suspicious of, even though I'm being told by the senior coworker that it's not an issue - IPv6 is enabled on all these DCs.  However, they are set to autoconfigure, and they are set to use ::1 for DNS.  IPconfig /all shows that the ::1 DNS server is the first entry.  There are no IPv6 scopes configured in any of the DHCP servers, and there are no AAAA records in any of the DNS servers.  On one server, I tried disabling IPv6, no change.  I removed the ::1 entry as the first DNS server - no change.  My thought is that since IPv6 takes precedence over IPv4, and nothing else in the network is configured to use IPv6, they aren't routing the traffic, and the DCs can't communicate with one another using it.  But, I don't think that would affect a dcdiag, would it?  At this point I'm open to anything that sounds logical, as long as it does not require installing software or making lots of changes to the environment.  Long-term, I will need to fix it, but I need to find the cause first.

    One other thing to note:  In forestdnszones and domaindnszones, there is an additional A record that points to a network address (x.x.x.0).  These A records do not exist anywhere else except under the root of those two zones.  They don't appear to be advertising ldap or kerberos or gc or anything else.  Not sure if that is relevant.

     

    Thanks!

    Sunday, January 29, 2012 10:00 PM
  • Ace - one last thing to note - I don't think it's file corruption since the dcdiag output is the same on all 7 DCs.

    Sunday, January 29, 2012 10:06 PM
  • Hello,

     

    Please run IPCONFIG /ALL on DCs and post here unedited result.

     

    Regards

    Sunday, January 29, 2012 10:27 PM
  • Umm, no.  But if you tell me what you're looking for, I'll be more than happy to provide the answer.  I'm not posting unedited configs of a customer's environment.
    Sunday, January 29, 2012 10:46 PM
  • "Umm, no.  But if you tell me what you're looking for, I'll be more than happy to provide the answer.  I'm not posting unedited configs of a customer's environment."

    Hello,

    Sorry, but I have to say something:
    1 - Here are the best AD people (MVPs, MSFTs, MCCs and others), and they help people for free.
    2 - You're not the only one that has taken 70-297.
    3 - You're not the only one that has posted an unedited IPCONFIG /ALL result here.
    4 - You do not give information and need a solution!!
    5 - If you have no trust, then call the MS support team.

    I think you should read this post and see how the problem was solved (this is just one example; you can find more).

    Issue with windows server 2008 R2 active directory access

     

    Thanks for your understanding

    Regards


    • Edited by Patris_70 Monday, January 30, 2012 1:16 AM
    Monday, January 30, 2012 1:15 AM
  • "Ace - one last thing to note - I don't think it's file corruption since the dcdiag output is the same on all 7 DCs."


    It was a thought. This is actually the first I've heard of a dcdiag providing truncated results. Also, I'd just like to point out, the info Patris requested is actually a normal request on our part that many do provide, but it's ok if you can't provide it, based on your company's security policies. No problem. But I wouldn't have thought it would warrant Patris' post to be viewed as "abuse."

    Anyway, just to see if we can help, the reason why we ask for this data is it provides a few things for us to evaluate and to help diagnose with at least eliminating any possible basic problems or misconfigs, such as:

    • Ensuring that the DCs are only using themselves or other internal DC for DNS and no outside DNS or the router as a DNS address.
    • Ensuring that an AD single label DNS domain name doesn't exist.
    • Ensuring that no DCs are multihomed (RRAS, multiple NICs, multiple IPs, iSCSI or clustering doesn't exist - which are all extremely problematic on a DC).
    • IP routing is not enabled.
    • WINS proxy is not enabled.
    • Primary DNS suffix exists and matches the AD DNS domain name (which is not single label). If missing, this is called a disjointed namespace.

    Anyway, these are things we would be looking for.

    So far you've eliminated file corruption. Ok, good. IPv6 wouldn't have anything to do with this, and I would honestly recommend re-enabling it. Microsoft recommends not disabling it, since it's now tied into the operating system. Here are a couple of links to review regarding IPv6:

    Should I disable IPv6? No. Microsoft no longer recommends disabling IPv6.
    This article also contains information on how to Disable RSS TCP Chimney Feature and removing IPv6.
    How to remove "::1" IPv6 DNS address that shows up in an ipconfig /all
    Published by Ace Fekay, MCT, MVP DS on May 27, 2010 at 10:43 AM
    http://msmvps.com/blogs/acefekay/archive/2010/05/27/how-to-disable-rss-tcp-chimney-feature-and-ipv6.aspx

    The Cable Guy - Support for IPv6 in Windows Server 2008 R2 and Windows 7, by Joseph Davies, Microsoft, Inc.
    "IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function."
    http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

    Curious, are there any restrictions created with the domain admin account, or rights on the machine or any DCs in a GPO possibly linked at the domain level or the DC OU?

    What do the event logs show? Any errors in any of the logs, especially the DS logs?

    And keep in mind, we're just trying to help!

    Ace

     


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, January 30, 2012 5:24 AM
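The checklist Ace gives above can be evaluated mechanically against a saved ipconfig /all dump. This is an added Python example, not code from the thread or from any of its participants; the sample dump, the AD domain name and the set of internal DC addresses are constructed.

```python
"""Run the basic DC network checks from the thread against a captured
``ipconfig /all`` dump: internal DNS only (no router/outside DNS), not
multihomed, IP routing off, WINS proxy off, primary DNS suffix present
and matching a non-single-label AD domain name. All sample data is constructed."""
import re

AD_DOMAIN = "corp.example.com"                                # constructed
INTERNAL_DNS = {"127.0.0.1", "192.168.10.5", "192.168.10.6"}  # constructed: this DC + partner DC

# Constructed single-NIC DC whose alternate DNS server is the router (a misconfig).
SAMPLE_IPCONFIG = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC01
   Primary Dns Suffix  . . . . . . . : corp.example.com
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.10.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 127.0.0.1
                                       192.168.10.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def _clean(value):
    """Strip the '(Preferred)'-style annotation ipconfig appends to addresses."""
    return re.sub(r"\(.*?\)$", "", value.strip())

def parse_ipconfig(text):
    """Return (global_section, [(adapter_name, section)]); each section maps
    a label to the list of its values (continuation lines add extra values)."""
    globals_, adapters = {}, []
    current, last_key = None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:                                  # section header line
            if raw.startswith("Windows IP Configuration"):
                current = globals_
            else:
                current = {}
                adapters.append((raw.rstrip(":"), current))
            last_key = None
        elif indent == 3 and current is not None:        # "Label . . . : value"
            label, _, value = raw.strip().partition(":")  # first ':' ends the dotted label
            last_key = label.rstrip(" .")
            current.setdefault(last_key, [])
            if value.strip():
                current[last_key].append(_clean(value))
        elif last_key is not None:                       # deeper indent: continuation value
            current[last_key].append(_clean(raw))
    return globals_, adapters

def _first(section, key, default=""):
    values = section.get(key) or []
    return values[0] if values else default

def check_dc_ipconfig(text, ad_domain, internal_dns):
    """Return a list of findings; an empty list means every listed check passed."""
    g, adapters = parse_ipconfig(text)
    findings = []
    if "." not in ad_domain:
        findings.append(f"AD domain {ad_domain!r} is a single-label name")
    suffix = _first(g, "Primary Dns Suffix")
    if not suffix:
        findings.append("primary DNS suffix missing (disjointed namespace)")
    elif suffix.lower() != ad_domain.lower():
        findings.append(f"primary DNS suffix {suffix!r} does not match {ad_domain!r}")
    if _first(g, "IP Routing Enabled", "No") != "No":
        findings.append("IP routing is enabled")
    if _first(g, "WINS Proxy Enabled", "No") != "No":
        findings.append("WINS proxy is enabled")
    active = [(name, a) for name, a in adapters if a.get("IPv4 Address")]
    if len(active) > 1:
        findings.append(f"multihomed: {len(active)} adapters carry IPv4 addresses")
    for name, a in active:
        if len(a["IPv4 Address"]) > 1:
            findings.append(f"{name}: multiple IPv4 addresses on one adapter")
        gateways = set(a.get("Default Gateway", []))
        for srv in a.get("DNS Servers", []):
            if srv not in internal_dns:
                why = "the default gateway" if srv in gateways else "not an internal DC"
                findings.append(f"{name}: DNS server {srv} is {why}")
    return findings
```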
  • Wow, this is going off the rails quick..  I hate being viewed as a "n00b"..  Honestly, I know why he asked for that.  I think his response was slightly less than professional, and was rather presumptive, but it was not I that marked it as abusive..  Perhaps someone else felt similar?  I was just going to be a good sport and ignore it.  There was one thing I did want to address about it though..

     

    "If you have no trust, then call MS support team."

     

    Perhaps it is not you that I do not trust.  You DO realize this is the internet, and these pages are freely viewable by anyone and everyone, right?

     

     

    Anyhow..  The list of things you'd be looking for in ipconfig have already been ruled out.  Those are usually the first things I look for.

     

    The DS logs are mostly clean, with the exception of ONE of the DC's reporting a single 2108 approximately 2 months ago.  The only things I noted in any of them were lots of complaints about LDAPs not being enabled, and you should enable it, etc etc.  Site layout is good, KCC is functioning as normal.  As for the other logs, standard stuff:  some subnets not added to sites/services, stuff like that.  Nothing that gives me any cause for concern.  I'm honestly about to report that the environment is, overall, in good condition (needs minor attention), but I'm just not comfortable doing so until I can point the finger at this dcdiag issue.

     

    I haven't thought to look at GPOs, I will do so tomorrow.  I would have to think that even if you wanted to, you couldn't configure a GPO to produce this type of strange output, but it's worth a look.

     

    I know you're trying to help, and to you, a great big huge THANK YOU!  :)

    Monday, January 30, 2012 6:25 AM
  • exx1976, my understanding of dcdiag is that the first thing that it does is to try and contact all domain controllers in the forest (no matter what switches you use), and this is the point where it appears to be hanging in your case.

    The odd A records in forestdnszones and domaindnszones might be indicative of domain controller(s) that may have previously existed (but don't now) and there are still pointers to them ... almost as if they were not demoted properly ... not too sure about that, but worth looking into further.

    What I might try is to run dcdiag from one command prompt, and then from another command prompt on the same server run something like:

        netstat -na | find "SYN_SENT"

    several times to see if there is a connection being attempted to a particular IP address(es) that are not responding & if so, trace them from there.

    It can be a little tricky trying to analyse this sort of stuff just with netstat, so if they have netmon installed, or allow it to be installed on one Domain Controller, you would be able to monitor the connections being made by dcdiag with greater detail & ease.


    <edit> I don't know exactly what this hotfix does, but it describes a problem similar to what you are experiencing - http://support.microsoft.com/kb/979294 </edit>
    • Edited by RobH_AU Monday, January 30, 2012 7:39 AM add info
    Monday, January 30, 2012 7:37 AM
  • I'm aware of how DCs leave stuff behind, and you might have to use metadata cleanup and such, but those A records aren't left over from a DC.  The IP in the A record is literally a network address - meaning, it's on a network boundary and couldn't possibly be a host IP.  ie - your workstation is 192.168.1.2, and the subnet mask is 255.255.255.0.  That means that 192.168.1.255 is the broadcast address, and 192.168.1.0 is the network address.  The 192.168.1.0 address is what's in DNS..

     

    I have to head to another client site in a minute, but I'll be remoting into this customer later this evening to take a look again.  I will add the netstat to the list of things to check.

     

    Thank you all, I'll post more info when I get back.

    Monday, January 30, 2012 2:18 PM
  • I'm not sure what you mean by an existing "A" record in DNS that shows up as a Subnet ID (192.168.1.0)? That's not an IP, as you stated, rather a subnet ID, so that can't exist as a DNS A or any other type of DNS record, unless it's some sort of custom SRV (non-AD) type record.

    Just an FYI, and not sure if you knew this or not, the LdapIpAddress "A" records, the ones that show up as "same as parent" (which is actually a blank hostname record), are registered by each DC's netlogon service. These are one of the SRV (yes, this is actually an SRV record - service location record) that a DC's netlogon service registers into DNS. They must not be altered, and if they were for a specific DC, the DC's netlogon service re-registers these records every 60 minutes. These records are used by clients, servers, and DCs to apply GPOs, enumerate DFS locations and other DC to DC communications. However, if any additional blank host name (same as parent) records were added, as in some cases for example, some admins may try adding one for their internal website, then it will cause problems. Further, if there is an A record that shows up as a subnet ID (which I have not seen yet to this day working with AD since 1999), I'm not sure how the DCs or other machines would react, but presumably with some issues. If this is the case, what Rob mentioned about dcdiag may be what the end result is.

    If you feel some things have been left behind after a proper DC demotion, and yes, there are some things that need to be cleaned up, such as manually deleting non-existing DC LdapIpAddress, GcIpAddress, zone NS records (check zone properties, Nameservers tab), Sites, etc, you may want to take a look at the following blog for what to look for:

    Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, and more)
    http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

     

    Or it may be something as simple as the hotfix Rob posted. That would make it really easy. :-)

    Ace

     

     

     


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, January 30, 2012 6:24 PM
  • No, I know what you're saying about the network address..  I've been doing AD since 2000 was in beta, and up until 2 weeks ago, I had never seen this before, either.  But, in the last two weeks, I've seen it in two customer environments (this one, and one other).  It's a (same as parent) A record, and it's a network address.  I have NO idea how it got there, or what its purpose is.  The other environment that I saw it in I did not run a dcdiag in (I wasn't doing an AD health check, I was there on some Citrix work and just happened to notice it).

     

    I just got home from that other client site, I'm going to go check some of this stuff now via VPN and I'll let you know later what I find.  I'm well familiar with orphaned DCs, ntdsutil, the configuration container, DNS, all that stuff.  I've had more than one DC come apart on me in my years, unfortunately..

     

    Thanks again!

    Monday, January 30, 2012 9:09 PM
  • 192.168.1.0 would be a valid IP address if you made a supernet like 192.168.0.0/23 ... would it not?

    Unusual, yes. But to me it appears possible.

    Tuesday, January 31, 2012 3:30 AM
  • "192.168.1.0 would be a valid IP address if you made a supernet like 192.168.0.0/23 ... would it not?

    Unusual, yes. But to me it appears possible."


    Technically, it's valid for a subnet larger than a /24. In any large network over a /24, we try to shy away when designing it from using any of the "0" IPs to reduce confusion. After all, you have a larger IP base to play with. :-)

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, January 31, 2012 3:40 AM
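To make the /24-versus-/23 point above concrete, this added Python example (not code from the thread or its participants) classifies the blank-hostname A records found at a zone root against the site subnets: it flags a network or broadcast address and any record that belongs to no known DC, while accepting a .0 address that is a real host inside a /23. Subnets, records and DC addresses are constructed.

```python
"""Audit the blank-hostname ('same as parent') A records at an AD zone root
against the site subnets, catching the network-address entry described in
the thread while allowing a host such as 10.20.1.0 that is valid inside a /23.
Subnets, records and DC addresses below are constructed."""
import ipaddress

SITE_SUBNETS = ["10.10.0.0/24", "10.20.0.0/23", "172.16.5.0/24"]   # constructed
DC_ADDRESSES = {"10.10.0.5", "10.10.0.6", "10.20.1.0"}              # constructed
ZONE_ROOT_A = ["10.10.0.5", "10.10.0.6", "10.10.0.0", "10.20.1.0",
               "10.10.0.77", "172.16.5.255", "192.0.2.7"]          # constructed

def classify_record(addr, networks, dc_addresses):
    """Return one of: ok, network-address, broadcast-address, not-a-dc, unknown-subnet."""
    ip = ipaddress.ip_address(addr)
    # most specific (longest prefix) site subnet containing the address
    matches = sorted((n for n in networks if ip in n),
                     key=lambda n: n.prefixlen, reverse=True)
    if not matches:
        return "unknown-subnet"
    net = matches[0]
    if net.num_addresses > 2 and ip == net.network_address:
        return "network-address"      # e.g. x.x.x.0 in a /24: cannot be a host
    if net.num_addresses > 2 and ip == net.broadcast_address:
        return "broadcast-address"
    if addr not in dc_addresses:
        return "not-a-dc"             # extra blank-hostname record not registered by a DC's netlogon
    return "ok"                       # includes a .0 address that is a genuine host in a /23

def audit_zone_root(records, subnets, dc_addresses):
    """Map every zone-root A record to its classification."""
    networks = [ipaddress.ip_network(s, strict=True) for s in subnets]
    return {r: classify_record(r, networks, dc_addresses) for r in records}

def suspicious(records, subnets, dc_addresses):
    """Only the records that should be investigated or removed, with the reason."""
    return {r: s for r, s in audit_zone_root(records, subnets, dc_addresses).items()
            if s != "ok"}

if __name__ == "__main__":
    for rec, status in audit_zone_root(ZONE_ROOT_A, SITE_SUBNETS, DC_ADDRESSES).items():
        print(f"{rec:16} {status}")
```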
  • "No, I know what you're saying about the network address..  I've been doing AD since 2000 was in beta, and up until 2 weeks ago, I had never seen this before, either.  But, in the last two weeks, I've seen it in two customer environments (this one, and one other).  It's a (same as parent) A record, and it's a network address.  I have NO idea how it got there, or what its purpose is.  The other environment that I saw it in I did not run a dcdiag in (I wasn't doing an AD health check, I was there on some Citrix work and just happened to notice it).

    I just got home from that other client site, I'm going to go check some of this stuff now via VPN and I'll let you know later what I find.  I'm well familiar with orphaned DCs, ntdsutil, the configuration container, DNS, all that stuff.  I've had more than one DC come apart on me in my years, unfortunately..

    Thanks again!"


    I hear you. And I've been teaching it since the beta, pre-RTM 1999 days. I would honestly delete it, unless of course as Rob pointed out, that the subnet is larger than /24 and there really is a DC with that IP.

    Ace

     


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, January 31, 2012 3:41 AM
  • Further reference material on DCDIAG: http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx

    The "Initial Required Tests" section may be of particular interest - including the statement "Blocking ICMP will prevent DCDIAG from working."

    Network firewall... Windows firewall... may also be worth checking.

    Wednesday, February 1, 2012 4:41 AM
  • Rob,

    Good article, and I've seen it before, but forgot about it.

    As for EXX, I thought he said earlier that he disabled the AV, and this is assuming no Windows firewall is enabled, or at least if it's a DC, this sort of traffic will be allowed anyway under the Domain Profile.

    During the ICMP check, it's using an ICMP ping (some may argue it's an LDAP ping), but I'm curious if it's using the LdapIpAddress record for the DSA check or the LDAP Bind.

    If the LdapIpAddress is part of what it's looking for, then it comes back to the subnet ID as one of the records, assuming of course it's a /24. :-)

    Ace

     


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by Elytis Cheng Thursday, February 2, 2012 9:42 AM
    Wednesday, February 1, 2012 5:09 AM