Windows Server

Justin · Guest

I have a forrest setup with currenlty only 1 domain. I have 4 sites. There
are 2 DC's in Site A with one DC each in the other 3 sites. I have only just
noticed a problem with some W2K3 servers just installed into Site A. We have
windows 2003 servers in this site already but they don't have the same
problem. The problem appears to be releated to the subnet they are in or
just have not seen the problem by chance. The W2K3 servers in our
172.16.xxx.xxx subnet have no problems the servers in the 172.23.xxx.xxx have
the problem. The problem is event id 1058 in the event log which basicaly
says it was unable to connect to \\domain.com.au\sysvol so group policy was
aborted. A quick check of the firewalls showed the server trying to connect
to a DC in another site for which netbios is not allowed hence the attemp to
map failed. Both the subnets are defined as being in site A so my logic was
that it should not have attempted to connect to the sysvol on that DC in the
first place. Ran a dfsutil.exe /spcinfo and it did show all the DC's listed
under domain.com.au with a plus next to a DC in it's site but when trying to
map to \\domain.com.au\sysvol still tried to access DC in another site.

There are 5 hosta records in DNS for domain.com.au pointing to all 5 DC's
(obviously auto created when a server is told to be a dc) and when you do a
ping from the servers on the domain you can see it round robin to the other
DC's (ping the domain ipconfig /flushdns ping the domain again). DNS is all
done from site A. ICMP is not allowed between clients and DC's in other
sites but ICMP is allowed between DC's from Site to site.

I also have NTFRS and NTDS configured with a static RCP port and allowed
through firewall so I have no replication issues with either AD or FRS shares
(only have the netlogin and sysvol anyway).

Did some testing and allowed the netbios through the firewall to the other
DC's in the other sites so it could connect to the share. Rebooted the
machine several times and checked out which DC the dfs was using for the
sysvol by mapping to \\domain.com.au and then doing a properties on the
sysvol share and looking at the dfs tab. I found that randomly it will
select a sysvol share from any of the sites while a dfsutil.exe /spcinfo
still showed a + symbol next to the DC in it's site under domain.com.au. I
have repeated the test on a server in the other subnet and have not seen it
once connect the dfs share to a dc outside it's site.

Any help in figuring why it is not using a sysvol share from the correct
site would be great.

Paul Williams [MVP] · Guest

Firstly, are you prepared to open 445 (SMB/TCP)? Win NT 5.x tries both the
NetBT 3 and 445 simultaneously.

Anyway, the referral should first access the closest root and then the
closest link. If either are unavailable (possibly not necessarily offline
or broken) the referral will be random.

The first place to start troubleshooting this kind of issue is to
double-check the sites and subnet associations in DSSITE.MSC. After that
you need to check the DNS registrations and the locations of the server
object (the NTDS Settings object's parent) of the root holder and any
replica's in DSSITE.MSC; that is, is the server object for that server in
the correct site?

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Justin · Guest

The problems was partly resolved by rebooting all my DC's. All my win2k
servers now have the DFS server listing with the servers in their site listed
first and the other servers from other sites in random order.

All my subnets are correct all my servers are objects whithin sites.

I guess now is why did it still fail to connect to a sysvols share
considering it should have kept trying the servers in the list till one
worked. Even if the ports are not open it should have kept trying the
servers in the list till it hit a server in it's site.

"Paul Williams [MVP]" wrote:

	Windows Server Forum Index -> DFS and FRS	All times are GMT
Page 1 of 1