
Can't logon to domain on remote member server 1


Trackhappy

IS-IT--Management
Oct 1, 2002
81
US
OK. We have an AD domain with various sites and DC's all running ok. We have one link to a remote site via VPN on Pix units. A W2K server at remote end built fresh. Able to RDP or TS to it and control as local Admin. WINS is running on it, and able to replicate from master WINS. Able to resolve hosts ok, and add it to our domain. What we can't do is logon to the domain on it (get Please wait while Domain list is created, then RPC Server is unavailable). Message RPC Server is unavailable. Tried net time, note it is in a different TZ from us. Also, even though WINS replicates, we cannot manage the remote WINS from the local console, or vice-versa. Pix guys reckon there are no port restrictions. A little monitor utility shows traffic flowing on ports 137, 445 among others. Netlogon errors in log, once again pointing to RPC unavailable. Me and the rest here are kinda stumped. Any ideas?
 
You mention WINS is running ok, but what about DNS.

AD is all about DNS not WINS

Jamie Gillespie
Senior IT Technician
South Cheshire College
j-gillespie@s-cheshire.ac.uk
 
DNS is fine. As I said, the rest of the network/AD is running well. DNS is set to the same DNS as all the other machines. This machine is not a DC yet, so just a member server pointing at DNS on our network. Hosts resolve fine. We had DNS running on this server before we rebuilt it, zone transfers fine. The error has not changed after the rebuild, except we have lost the cached accounts so can only logon as local Admin. Seems like it can't contact the PDC (Emulator). Back on our main network (local) I can add a server just fine, using the same DNS/WINS settings. Also at other sites, the difference being they are linked by Frame Relay, no PIX/VPN involved. My current theory is port restrictions, but which ports? Net view works to a remote host. 445 maybe? But I could see traffic on 445, although no monitoring has been done for low level errors yet.
?????
 
need local "site" (is it defined as a site? nudge, nudge, wink, wink) to include at least 1 DC/GC... maybe even separate domain, depending on link bandwidth and reliability... look up W2K deployment guidelines again...



JTB
Have Certs, Will Travel
"A knight without armour in a [cyber] land."

 
You are quite correct, and when we are able to logon to the box it will become a DC/DNS for that site. It was working before Firewall changes were made. It previously went via a Cisco router-based VPN passed through the firewalls, whereas it now goes via a VPN between two PIX boxes. There is a site defined in AD already. Hey maybe that is the problem. I'll remove that site until it is a DC again.
Get back to you all soon.
 
That would have been too easy. Firewall guys at the South Africa end are having a look at the rules. Ran the MS diagnostic tools and found nothing exceptional except once again the old RPC Server is unavailable. Seems to be able to list DC's ok, which I felt sure was what it couldn't do. What I don't understand is what process allowed me to authenticate to add the box to the domain, but won't allow me to authenticate to logon to the domain on the box itself. It must be the machine account, but then it is in the domain. What am I missing? Any other ideas most appreciated.
 
From the sound of it, although you say that RPC traffic is flowing, it still sounds like the RPC traffic is being blocked. Make sure that all of the following: UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445, 593, have not been blocked by the firewall.
 
According to the Firewall guys, they can see traffic arrive at both of our DC's with acks and fins on 445 from this host. Now, I have to ask, what is required for a logon to our domain on this (member server) machine, that is obviously not required to join it to our domain in the first place using a domain admin logon? You would think that the procedure for adding a machine to the domain would be far more demanding than a (simple?) logon to the domain.
Am I missing something fundamental here? Should I be able to logon to a machine the other side of a fixed VPN without a DC there as yet? Guess I gotta log a call with the mighty M$ and see what they have to say. Don't be shy chaps (and she-chaps), give me all you got. Using some tools the M$ guys gave me last time I logged a call, the machine can enumerate (love that word!) a list of DC's. Heeeelp!
 
object-group service logon_udp udp
port-object eq domain
port-object eq 389
port-object eq ntp
port-object eq 88
port-object eq netbios-ns
port-object eq netbios-dgm
object-group service logon_tcp tcp
port-object eq 1026
port-object eq 135
port-object eq ldap
port-object eq netbios-ssn
port-object eq 445
port-object eq 88
port-object eq domain


This is from my Cisco PIX; these are the ports that I had to open just to get logons to work with no deny messages popping up in the firewall.

Definitely much more than what MS mentions.

BuckWeet
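As an added example (not code from any poster in this thread), a small Python helper that parses BuckWeet's object-group lines into port numbers and then TCP-connects to each TCP port on a DC, so the remote-site admin can see which rules are still being dropped without waiting on the firewall team. The keyword-to-port table is assumed to be the standard PIX one, and the sample input is the config quoted above.

```python
import socket

# Standard Cisco PIX service keywords (assumed mapping) used in the posted groups.
PIX_SERVICE_NAMES = {"domain": 53, "ntp": 123, "netbios-ns": 137,
                     "netbios-dgm": 138, "netbios-ssn": 139, "ldap": 389}

# Sample input: the two object-groups quoted in the thread above.
PIX_CONFIG = """\
object-group service logon_udp udp
port-object eq domain
port-object eq 389
port-object eq ntp
port-object eq 88
port-object eq netbios-ns
port-object eq netbios-dgm
object-group service logon_tcp tcp
port-object eq 1026
port-object eq 135
port-object eq ldap
port-object eq netbios-ssn
port-object eq 445
port-object eq 88
port-object eq domain
"""

def to_port(token):
    return int(token) if token.isdigit() else PIX_SERVICE_NAMES[token]

def parse_port_objects(config):
    """Return {group_name: [(proto, port), ...]} for each object-group service."""
    groups, current, proto = {}, None, None
    for parts in (line.split() for line in config.splitlines()):
        if parts[:2] == ["object-group", "service"]:
            current, proto = parts[2], parts[3]
            groups[current] = []
        elif parts[:2] == ["port-object", "eq"] and current:
            groups[current].append((proto, to_port(parts[2])))
    return groups

def check_tcp(host, ports, timeout=2.0):
    """TCP-connect to each port; True means the DC answered through the VPN.
    UDP is not probed: a silent drop and an open UDP port look the same to a
    probe, so those rules are confirmed in the PIX deny log instead."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results
```

Call `check_tcp("<dc-ip>", [p for proto, p in parse_port_objects(PIX_CONFIG)["logon_tcp"]])` from the member server; any False against a DC that answers on the LAN points at a rule still missing on the PIX.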
 
Thanks BuckWeet, that is absolutely fantastic. I'll get South Africa to put that in as soon as they can and see what happens. I have access to the Australian end, but not the SA end. Makes it difficult for this exercise, but with your help we'll get there.
 
And the Oscar goes to......

Port 135.
Thanks to you all. It took some serious arm twisting but I finally got through to the requisite techie who found the rule in the PIX.
Works a treat now.
 