Unable to connect to domain controller... several error messages

    Question

  • I have noticed lately that I get a Configuration Storage Access Blocked; Configuration changes cannot be loaded by Forefront TMG services; Upstream chaining credentials; and Denied Connections per Minute from One IP Address Limit Exceeded.

    Apparently the TMG server can no longer communicate with the domain controller. DNS on the internal NIC points directly to the DNS server, which is the domain controller. All the other computers can ping the TMG server by FQDN and IP, but the TMG server can only ping internal computers by IP address. If you try to ping using a FQDN it resolves it to the external IP address.

    Apparently it also cannot establish an SSL connection with the Exchange server by its IP address, and the VoIP server has exceeded its connections-per-minute limit.

    I cannot get any changes I make on the TMG server to apply because it cannot communicate with a domain controller.  How do I fix all this? I have attempted to google on the web but it hasn't helped.

    Sunday, April 18, 2010 2:59 AM

Answers

  • On TMG, at a command prompt, run 'nslookup'.  This will return the IP address of TMG's default DNS server.  If it shows the external ISP's DNS server, you can change the adapter binding order so that the Internal NIC is bound first.  After making this change, verify with 'nslookup' that the default DNS server is the internal DNS server.

    Regards,

    Richard Barker (MSFT)

    Tuesday, May 25, 2010 1:49 PM

All replies

  • Hi,

    Are you using the same DNS namespace for internal and external? Then you have to use a split DNS configuration. Please also check that you don't have a DNS server entry on the external NIC on TMG.

    Try some NSLOOKUP / DNSLINT checks to find the problem.

    Please also check if TMG allows DNS name resolution from LOCALHOST to your internal DNS server. There is a system policy rule which allows this request.

    regards Marc - www.nt-faq.de - www.it-training-grote.de - www.forefront-tmg.de
    Sunday, April 18, 2010 5:31 AM
  • I'm a total newbie when it comes to DNS... What do you mean by split DNS? I have the DNS server on the DC and all the clients point to it, and then it has forwarders that point to OpenDNS DNS servers to resolve external names. The TMG internal NIC DNS points to the DC and the external NIC is DHCP, so it gets DNS IP information from the ISP.

    Did I do something wrong here?

    I will check TMG to see if DNS from localhost is allowed, but I can't get it to apply if I have to change it, because Configuration Storage Access is still blocked because it can't find a domain controller. How do I get around this?
    Monday, April 19, 2010 1:00 AM
  • OK, so what is the easiest way to set up a split-level DNS, or can someone point me to instructions? DNS is something I do not mess with every day. I just go with what Active Directory sets up and that's it. TMG does things so differently and I'm learning as I go with it, so setting up the split-level DNS is going to be a first for me since I've never had to.

    Right now our current network is...

    Internet - Cable Modem
    (Suddenlink ISP / DHCP IP address)

    Forefront TMG Server
    AMD Athlon 64 2200, 4 gb ram, Windows Server 2008 R2 Enterprise
    2 nic (1 external hooked to cable modem / 1 internal 10.10.1.0/255.255.255.0.)

    Domain Controller
    Dell poweredge 2850 dual intel xeon 3.2 ghz x64, 8gb ram, dual nic, Windows Server 2008 R2 Enterprise
    DC, DNS, DHCP (DHCP Addressing done from 2nd nic)
    AD is setup for 2008 R2 domain controllers only

    Exchange Server
    Dell poweredge 2850 dual intel xeon 3.2ghz x64 16gb ram, dual nic (only using 1), Windows Server 2008 R2 Enterprise

    Elastix VoIP PBX Server
    Dell optiplex computer p4 2.4ghz 1 nic


    Is setting up a split-level DNS easy, or is it going to require another internal server, or can I still just have the one domain controller for the moment?

    Tuesday, April 20, 2010 2:33 AM
  • If you suspect problems communicating with the DC, run the following command (from a command prompt) on TMG:

    nltest /dsgetdc: /force

    What are the results?


    Regards,

    Richard Barker (MSFT)

    Tuesday, April 20, 2010 10:05 PM
  • Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>nltest /dsgetdc: /force
               DC: \\DC1.domain.net
          Address: \\10.10.1.100
         Dom Guid: e908c4c9-a60c-45c9-a05e-87dd089af839
         Dom Name: domain.net
      Forest Name: domain.net
     Dc Site Name: Default-First-Site-Name
    Our Site Name: Default-First-Site-Name
            Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS
    The command completed successfully

    C:\Windows\system32>

    It can apparently see the DC, so why can it not access the configuration storage? It still tells me Configuration Storage Access Blocked and that it can't communicate with a domain controller.

    Wednesday, April 21, 2010 1:24 AM
  • Hi,


     The TMG internal nic DNS points to the DC and the external nic is DHCP so it gets DNS IP information from the ISP.

    The problem here is that ISA doesn’t know what is internal or external when trying to resolve names. This means ISA can end up trying to resolve internal names to the external ISP.  Once it receives “name not found”, the ISA Server computer won’t look for the internal name again and you will fail to participate in the domain.


    Regards,


    Nick Gu - MSFT
    Thursday, April 22, 2010 8:57 AM
    Moderator
  • Well, I can understand that, but how do I fix this?  Changing from a dynamic public IP to a static public IP costs too much a month, so it's going to have to stay as a dynamic public IP.  I never had any problems with pfSense, but then again TMG is a completely different firewall.

    So is there a way to work around this while still using a dynamic external IP and have it look at internal DNS first? Can I stick a router like a Netgear FVS114 in front of the TMG server and let it handle the external dynamic public IP, so that it would give the TMG server a static IP for its external NIC?

    Friday, April 23, 2010 12:45 AM
  • Can I do it like that? Put a router in front of the TMG server so the TMG server has static IPs, and the router in front is the one handling the dynamic IP address from our ISP?

    Sunday, April 25, 2010 2:03 AM
  • Nick has explained it well and yes, a router in front should do the trick, as this will allow the ISA's external NIC to have a blank DNS entry, thereby always looking at the only DNS IP address it knows about: the internal NIC entry pointing to your DC DNS.

    Keith


    Keith Alabaster - MVP/Forum Moderator
    Sunday, May 23, 2010 8:32 AM
    Moderator
  • You can make sure that the Internal NIC is first in the binding order. That may help. In general, it is best practice to have DNS defined only on your Internal NIC, no DNS defined on External, and the DNS that is defined should be DNS servers under your control (internal to the organization).
    Tuesday, May 25, 2010 7:36 PM
    Answerer
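A script that runs the checks the replies describe (DNS only on the internal NIC, internal NIC bound first, the DC's FQDN resolving to an internal address, and nltest /dsgetdc:), as an added example that is not part of this thread. The internal prefix 10.10.1. and the DC name DC1.domain.net are taken from the poster's description and are assumptions to adjust for another network.

```powershell
# Added example, not from the thread: audit the TMG box's resolver setup.
$InternalPrefix = '10.10.1.'        # internal subnet from the thread; adjust
$DcFqdn         = 'DC1.domain.net'  # DC from the poster's nltest output; adjust
$problems = @()

# 1. Per-adapter IP/DNS settings (WMI works on Server 2008 R2 / PowerShell 2.0)
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
$internal = @()
foreach ($a in $adapters) {
    $ips = @($a.IPAddress | Where-Object { $_ -and $_ -notmatch ':' })   # IPv4 only
    $dns = @($a.DNSServerSearchOrder | Where-Object { $_ })
    "{0}: IP={1} DNS={2}" -f $a.Description, ($ips -join ','), ($dns -join ',')
    if (@($ips | Where-Object { $_.StartsWith($InternalPrefix) }).Count -gt 0) {
        $internal += $a
        # internal NIC: every DNS server must be one you control (the DC)
        foreach ($d in $dns) {
            if (-not $d.StartsWith($InternalPrefix)) { $problems += "internal NIC points at $d" }
        }
    } elseif ($dns.Count -gt 0) {
        # external NIC: no DNS servers at all, whether static or handed out by ISP DHCP
        $problems += "external NIC '$($a.Description)' has DNS servers $($dns -join ',')"
    }
}

# 2. Binding order: the first GUID in Tcpip\Linkage\Bind is the adapter whose DNS
#    servers nslookup and the DNS client try first, so it must be the internal NIC
$bind  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').Bind
$first = $adapters | Where-Object { $bind[0] -match [regex]::Escape($_.SettingID) }
if ($first -and -not ($internal | Where-Object { $_.SettingID -eq $first.SettingID })) {
    $problems += "external NIC '$($first.Description)' is bound first"
}

# 3. The DC's FQDN must resolve to an internal address, not the public one
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($DcFqdn) | ForEach-Object { $_.IPAddressToString }
    if (-not ($addrs | Where-Object { $_.StartsWith($InternalPrefix) })) {
        $problems += "$DcFqdn resolves to $($addrs -join ',')"
    }
} catch { $problems += "$DcFqdn does not resolve: $($_.Exception.Message)" }

# 4. DC locator check from the thread; nltest reports failure in its output text
$nl = & nltest /dsgetdc: /force 2>&1 | Out-String
if ($nl -notmatch 'completed successfully') { $problems += "nltest: $nl" }

if ($problems.Count -eq 0) { 'Resolver configuration looks correct' }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

Run it in an elevated PowerShell on the TMG server; each PROBLEM line maps to one of the fixes in the thread (clear DNS on the external NIC, move the internal NIC up in the binding order, or correct the DC's record on the internal DNS server).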
  • Hi,

    I have read through this thread and found the information very helpful, as I am experiencing the exact same problem.

    I am rather new to TMG. Following some of the posts here this is what I have.

    As soon as I try to publish a new Non-Web Server protocol and apply, TMG reverts back to previous settings because it cannot connect to the Domain Controller.  I also get the messages "Configuration Storage Access Blocked; Configuration changes cannot be loaded by Forefront TMG services".

    When doing nslookup from a command prompt as described above on the TMG server, it returns the ISP's DNS server. I have checked the binding order and my internal network card is first.

    Some other information:

    Using Hyper-V and the TMG server is a VM on Hyper-V.  Also the DHCP server.

    Domain controller is Hyper-V host as well.

    Any help will be greatly appreciated.

    Tuesday, June 15, 2010 5:47 AM