DCDIAG /Test:Connectivity reveals DCs can't connect to the PDC DC?

  • Question

  • Hello,

    A DCDIAG /Test:Connectivity test reveals a DC in our Forest cannot contact/connect with the PDC DC.  In our topology, this DC, DC3, is in a Site Link with DC2, and DC2 has contact/connectivity with the PDC DC, so is it essential that DC3 has the ability to directly connect to the PDC DC if an upstream DC, DC2, has direct connectivity to the PDC DC?  Can you please explain the reasons for your answer?  Thanks in advance.


    Tuesday, June 28, 2011 11:36 AM


All replies

  • There is a bridgehead server for each partition of the domain and forest.  If the DC needs to update its RIDs or has a password management issue, then yes, it needs to contact the PDCe.

    Could you please provide the error details? What you have given so far isn't enough to provide much help.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights. 

    • Marked as answer by SdeDot Friday, July 8, 2011 2:10 AM
    Tuesday, June 28, 2011 11:46 AM
    Moderator
  • The test I run is "dcdiag.exe /v /d /e /s:pdcdc /test:connectivity"

    A snapshot of the results I get is:

    Testing server: AN\ANACHP001
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             Server ANACHP001 resolved to these IP addresses: 10.20.28.20, but
             none of the addresses could be reached (pinged). Please check the
             network.
             Error: 0x2b02 "Error due to lack of resources."
             This error more often means that the targeted server is shutdown or
             disconnected from the network.
             Got error while checking LDAP and RPC connectivity. Please check your
             firewall settings.
             ......................... ANACHP001 failed test Connectivity

    When I run PortQueries from the PDC to this DC, I see all ports are 'filtered' or closed to this DC.


    Tuesday, June 28, 2011 11:53 AM
  • Is the local Windows Firewall service disabled? If not, disable it. If the PortQry tool reports that the port is blocked, then the port is blocked, and you are required to involve your network/security team.

    The above error indicates it is not able to communicate with the other DCs.

    How to use Portqry to troubleshoot Active Directory connectivity issues

    http://support.microsoft.com/kb/816103


    Regards


    Awinish Vishwakarma

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, June 28, 2011 12:20 PM
    Moderator
  • Hello,

    required ports for AD replication: http://technet.microsoft.com/en-us/library/bb727063.aspx

    Use PortQry v2 to check.

    Needed ports should be opened in both directions.


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator

    Tuesday, June 28, 2011 3:19 PM
  • I'm still looking for any comments/feedback on my original question. In our topology, DC3 is in a separate site and in a Site Link with DC2, and DC2, being in a separate site, has contact/connectivity with the PDC DC (or the DC which has all the FSMO roles), which is in a separate site. So is it essential that DC3 has the ability to directly connect to the PDC DC if an upstream DC, DC2, has direct connectivity to the PDC DC? If so, for what specific reasons does a DC need to directly contact the PDC DC?
    Thursday, June 30, 2011 12:27 PM
  • So I would think we need direct connection from DC3 to DC1, which holds all of the FSMO roles due to the following.  Comments?

    RID Master FSMO Role: The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

    When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.

    Each Windows 2003 DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. There is one RID master per domain in a directory. 


    PDC Emulator FSMO Role: The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000 and Windows 2003 include the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops, to ensure appropriate common time usage.

    The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.


    In a Windows domain, the PDC emulator role holder retains the following functions: Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator. Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user. Account lockout is processed on the PDC emulator. The PDC emulator performs all of the functionality that a Microsoft Windows 2003 Server-based PDC or earlier PDC performs for Windows 2003 based or earlier clients.

    In the normal scenario the password is updated first on the PDC and then replicated across all DCs in the domain. If the PDC is not contactable then the authenticating DC will update the password and it will be replicated over. In this scenario users may report that they are not able to log on or have issues accessing any object in AD, since the password is not synchronized on all DCs.

    Friday, July 1, 2011 11:24 PM
  • Hello,

    " If so, what specific reasons does a DC need to directly contact the PDC DC?"

    This was already answered by Paul Bergson.

    For your connectivity problems please make sure the firewalls are not blocking any traffic: http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

    Additionally, please upload the following files:

    ipconfig /all >c:\ipconfig.txt [from each DC/DNS Server]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt  ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)


    As the output will become large, DON'T post it into the thread; please use Windows SkyDrive (skydrive.live.com) [with open access!] and add the link from it here. Also, the /e in dcdiag scans the complete forest, so better run it on COB.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Sunday, July 3, 2011 9:19 AM
  • Thanks for the response Meinolf.

    Paul Bergson gave me some general ideas as to why there needs to be direct connectivity from DC3 to the FSMO role holder machine, DC1, so I would like to understand that in detail which is as follows:

    1. The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain, in this case DC1. Each Windows DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC, in this case DC3, issues a request for additional RIDs to the domain's RID master which in this case is DC1. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. There is one RID master per domain in a directory.  So if DC3 does not have direct connectivity to DC1, but DC3 connects to DC2 and DC2 has direct connection to DC1, will the RIDs be updated on DC3 through DC2?

    2. Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator. Authentication failures that occur at a given DC in a domain, in this case DC3, because of an incorrect password are forwarded to the PDC emulator, which in this case is DC1, before a bad password failure message is reported to the user. Account lockout is processed on the PDC emulator, or DC1. In the normal scenario the password is updated first on the PDC and then replicated across all DCs in the domain. If the PDC is not contactable then the authenticating DC will update the password and it will be replicated over. In this scenario users may report that they are not able to log on or have issues accessing any object in AD, since the password is not synchronized on all DCs.

    We know by design currently that the AD ports are not open through the firewall between DC1 and DC3, but they are open between DC3 and DC2 and between DC2 and DC1, so I don't think it's necessary to post the files.  The question again is "is it essential that DC3 has the ability to directly connect to the RID/PDC DC if an upstream DC, DC2, has direct connectivity to the RID/PDC DC?"  From the reasons I specified above, it seems direct connectivity between DC3 and DC1 is required.  Thanks in advance.

    Sunday, July 3, 2011 12:55 PM
  • Hello,

    if the firewall on the DC, or in your case a hardware firewall, is open for ALL required AD ports, DCs can communicate; they will not, as in your case, ask another DC to update the PDCEmulator.

    There is a difference on the network level between connectivity and the replication between the DCs themselves. So if you open port 389, for example, on a firewall, it MUST be open for all DCs and networks where a DC is located, so that all DCs have connectivity.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    • Marked as answer by SdeDot Friday, July 8, 2011 2:10 AM
    Sunday, July 3, 2011 1:32 PM
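    The two points above (the list of required AD ports that must be open in both directions, and the answer that port 389 and the rest MUST be reachable between every pair of DCs) can be checked from each DC with the following script. It is an added example, not code from the thread or from any of its posters; the DC names "DC1"/"DC2" are placeholders, it assumes PowerShell 2.0 or later, and the port table is the standard set of static AD TCP ports (the dynamic RPC range used by replication is not enumerated here and still has to be checked with PortQry or similar).

```powershell
# Added example: TCP reachability check for the static AD ports, run from one DC
# toward the others. Run it in BOTH directions (DC3 -> DC1 and DC1 -> DC3), since
# the thread's point is that every DC pair needs the ports open, not just the
# "upstream" DC. Usage: .\Test-AdPorts.ps1 -Targets DC1,DC2
param(
    [Parameter(Mandatory = $true)] [string[]] $Targets,   # placeholder names, e.g. DC1, DC2
    [int] $TimeoutMs = 3000
)

# Well-known static AD TCP ports (the dynamic RPC range is NOT covered here).
$AdPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper (replication, NETLOGON)'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL, NETLOGON share)'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog LDAP'
    3269 = 'Global Catalog LDAP over SSL'
}

function Test-AdPort {
    param([string] $Computer, [int] $Port, [int] $TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # BeginConnect plus a wait handle gives a real timeout. A plain Connect()
        # can hang for a long time on a silently filtered port, which is exactly
        # the "filtered" state PortQry reported in this thread.
        $ar = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'FILTERED/TIMEOUT'   # no SYN-ACK and no RST: typically a firewall drop
        }
        $client.EndConnect($ar)
        return 'OPEN'
    } catch {
        return 'CLOSED'                 # active refusal or name resolution failure
    } finally {
        $client.Close()
    }
}

foreach ($t in $Targets) {
    foreach ($p in ($AdPorts.Keys | Sort-Object)) {
        $state = Test-AdPort -Computer $t -Port $p -TimeoutMs $TimeoutMs
        '{0,-14} {1,5}/tcp  {2,-17} {3}' -f $t, $p, $state, $AdPorts[$p]
    }
}
```

    A row showing FILTERED/TIMEOUT on 135, 389 or 445 from DC3 toward DC1 is the same condition the dcdiag Connectivity test and PortQry reported above, and it has to be fixed at the firewall; no other DC will relay that traffic.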
  • Thanks Meinolf.

    If I can clarify what you are saying, if a hardware firewall prevents direct connectivity from DC3 to DC1, there is no mechanism which forwards a request to update the PDCEmulator from DC3 to DC2, then DC2 to DC1, correct?  This would be my understanding as well.

    I'm not sure I understand your second point; could you please clarify?

    Sunday, July 3, 2011 6:18 PM
  • Hello,

    not only a hardware firewall; every firewall must allow all ports that AD requires for replication/connectivity, otherwise AD will not work correctly. And another DC is not able to forward information to the PDCEmulator the way you describe it.

    If a DC has to update/forward to the PDCEmulator, it waits until this is available again.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Sunday, July 3, 2011 7:17 PM