One of DCs problem

[Mykhaylo Khodorev]

Hi,
I'm experiencing continious problems with one of DCs. Today I tried to
connect to this server by LDAP and got the answer:
ld = ldap_open("primeserver.interbank.com", 389);
Established connection to primeserver.interbank.com.
Retrieving base DSA information...
Error<94>: ldap_parse_result failed: There is no result in the message
Getting 0 entries:

Another DC gives such answer:
ld = ldap_open("primestation.interbank.com", 389);
Established connection to primestation.interbank.com.
Retrieving base DSA information...
Result <0>: (null)
Matched DNs:
Getting 1 entries:1> currentTime: 3/11/2004 19:35:29 ;
1> subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=interbank,DC=com;
1> dsServiceName: CN=NTDS
Settings,CN=PRIMESTATION,CN=Servers,CN=KIEV,CN=Sites,CN=Configuration,DC=int
erbank,DC=com;
3> namingContexts: CN=Schema,CN=Configuration,DC=interbank,DC=com;
CN=Configuration,DC=interbank,DC=com; DC=interbank,DC=com;
1> defaultNamingContext: DC=interbank,DC=com;
1> schemaNamingContext: CN=Schema,CN=Configuration,DC=interbank,DC=com;
1> configurationNamingContext: CN=Configuration,DC=interbank,DC=com;
1> rootDomainNamingContext: DC=interbank,DC=com;
16> supportedControl: 1.2.840.113556.1.4.319; 1.2.840.113556.1.4.801;
1.2.840.113556.1.4.473; 1.2.840.113556.1.4.528; 1.2.840.113556.1.4.417;
1.2.840.113556.1.4.619; 1.2.840.113556.1.4.841; 1.2.840.113556.1.4.529;
1.2.840.113556.1.4.805; 1.2.840.113556.1.4.521; 1.2.840.113556.1.4.970;
1.2.840.113556.1.4.1338; 1.2.840.113556.1.4.474; 1.2.840.113556.1.4.1339;
1.2.840.113556.1.4.1340; 1.2.840.113556.1.4.1413;
2> supportedLDAPVersion: 3; 2;
12> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv;
MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime;
MaxActiveQueries; MaxPageSize; MaxQueryDuration; MaxTempTableSize;
MaxResultSetSize; MaxNotificationPerConn;
1> highestCommittedUSN: 1274477;
2> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO;
1> dnsHostName: PRIMESTATION.interbank.com;
1> ldapServiceName: interbank.com[email protected];
1> serverName:
CN=PRIMESTATION,CN=Servers,CN=KIEV,CN=Sites,CN=Configuration,DC=interbank,DC
=com;
2> supportedCapabilities: 1.2.840.113556.1.4.800; 1.2.840.113556.1.4.1791;
1> isSynchronized: TRUE;
1> isGlobalCatalogReady: FALSE;

 

[Mykhaylo Khodorev]

Right now I've found out this server answers on port 3268 and another DC
doesn't. Why their behavior is different? Could it be a problem?

 

[Joe Richards [MVP]]

Port 3268 is the global catalog port. It is only available on machines that are
defined as global catalogs.

joe



www.joeware.net

 

[Mykhaylo Khodorev]

Ok, but should GC server answer on port 389?

Port 3268 is the global catalog port. It is only available on machines that are
defined as global catalogs.

joe



www.joeware.net

 

[Joe Richards [MVP]]

No, the GC only responds on port 389.

Ok, but should GC server answer on port 389?

 

[Joe Richards [MVP]]

Well hold on... A GC will respond on 389 for queries for the domain the DC is a
domain controller for. On port 3268 it will respond to GC queries, i.e. anything
in the PAS for the entire forest.

joe

 

[Mykhaylo Khodorev]

So, my DC which is GC as well responds on port 3268 only. Actually it allows
to establish connections on port 389, but don't respond any LDAP requests on
port 389. On port 3268 server responds all LDAP requests. Is it right?

 

[Joe Richards [MVP]]

On port 389 it should only process requests for writaeable NCs on that DC,
everything else should generate referrals. The 3268 GC port will respond to
requests for all NC's, read or writeable.

A quick test to see if it is responding to queries on your LDAP port is to
download adfind from www.joeware.net on the free win32 tools page and doing the
following query

adfind -h servername -b -s base

That will query the root DSE on the LDAP port to see if it is live.

You can do the same against the GC port by

adfind -h servername -b -s base -gc

joe

 

[Mykhaylo Khodorev]

Here is a result

G:\Tools>adfind -h gatein1 -b -s base

AdFind V01.12.00cpp Joe Richards ([email protected]) May 2003

LDAP_BIND: [gatein1] Error 0x51 (81) - Server Down
Terminating program.

But when I connect by telnet to port 389 it connects. What could it be?

 

[Mykhaylo Khodorev]

Same problem occurs with all GC servers. Is it normal that GS server don't
work as LDAP servers?

 

[Mykhaylo Khodorev]

adfind -h servername -b -s base -gc gave same result for all DCs, while
clause without "-gc" could give some respond from non-GC servers.

 

[Joe Richards [MVP]]

If that is a Windows 2000/3 domain controller it is a huge problem, are you
getting tons of errors in the event logs? How is your replication?

Here is a result

G:\Tools>adfind -h gatein1 -b -s base

AdFind V01.12.00cpp Joe Richards ([email protected]) May 2003

LDAP_BIND: [gatein1] Error 0x51 (81) - Server Down
Terminating program.

But when I connect by telnet to port 389 it connects. What could it be?

On port 389 it should only process requests for writaeable NCs on that DC,
everything else should generate referrals. The 3268 GC port will respond to
requests for all NC's, read or writeable.

A quick test to see if it is responding to queries on your LDAP port is to
download adfind from www.joeware.net on the free win32 tools page and doing the
following query

adfind -h servername -b -s base

That will query the root DSE on the LDAP port to see if it is live.

You can do the same against the GC port by

adfind -h servername -b -s base -gc

joe

 

[Joe Richards [MVP]]

No GCs ARE LDAP servers. They listen on both 389 and 3268 assuming the server is
running correctly.

 

[Mykhaylo Khodorev]

I almost have no problems with replication. Just sometimes one of DCs in
another site can't replicate because of connectivity problems.
Only error (even warning) message I'm getting continuesly is:
Event Type: Warning
Event Source: NETLOGON
Event Category: None
Event ID: 5781
Date: 12.03.2004
Time: 12:58:29
User: N/A
Computer: PRIMESERVER
Description:
Dynamic registration or deregistration of one or more DNS records failed
because no DNS servers are available.
Data:
0000: 2a 23 00 00 *#..

althrough I checked all reasons noted in KB and didn't find any of them....

If that is a Windows 2000/3 domain controller it is a huge problem, are you
getting tons of errors in the event logs? How is your replication?

Here is a result

G:\Tools>adfind -h gatein1 -b -s base

AdFind V01.12.00cpp Joe Richards ([email protected]) May 2003

LDAP_BIND: [gatein1] Error 0x51 (81) - Server Down
Terminating program.

But when I connect by telnet to port 389 it connects. What could it be?

"Joe Richards [MVP]" <[email protected]> ???????/???????? ? ????????
?????????: news:[email protected]...

On port 389 it should only process requests for writaeable NCs on that DC,
everything else should generate referrals. The 3268 GC port will

respond
to

requests for all NC's, read or writeable.

A quick test to see if it is responding to queries on your LDAP port is to
download adfind from www.joeware.net on the free win32 tools page and doing the
following query

adfind -h servername -b -s base

That will query the root DSE on the LDAP port to see if it is live.

You can do the same against the GC port by

adfind -h servername -b -s base -gc

joe




On Tue, 16 Mar 2004 09:23:21 +0200, "Mykhaylo Khodorev"

So, my DC which is GC as well responds on port 3268 only. Actually it allows
to establish connections on port 389, but don't respond any LDAP

requests
on

port 389. On port 3268 server responds all LDAP requests. Is it right?

"Joe Richards [MVP]" <[email protected]> ???????/???????? ? ????????
?????????: Well hold on... A GC will respond on 389 for queries for the domain

the
DC

is a
domain controller for. On port 3268 it will respond to GC queries, i.e.
anything
in the PAS for the entire forest.

joe


On Mon, 15 Mar 2004 09:34:32 +0200, "Mykhaylo Khodorev"

Ok, but should GC server answer on port 389?

"Joe Richards [MVP]" <[email protected]> ???????/???????? ?
????????
?????????: Port 3268 is the global catalog port. It is only available on machines
that are
defined as global catalogs.

joe



www.joeware.net


On Thu, 11 Mar 2004 20:48:07 +0200, "Mykhaylo Khodorev"

Right now I've found out this server answers on port 3268 and another
DC
doesn't. Why their behavior is different? Could it be a problem?

"Mykhaylo Khodorev" <[email protected]>

ÓÏÏÂÝÉÌ/ÓÏÏÂÝÉÌÁ
×

ÎÏ×ÏÓÔÑÈ ÓÌÅÄÕÀÝÅÅ: Hi,
I'm experiencing continious problems with one of DCs. Today I
tried
to
connect to this server by LDAP and got the answer:
ld = ldap_open("primeserver.interbank.com", 389);
Established connection to primeserver.interbank.com.
Retrieving base DSA information...
Error<94>: ldap_parse_result failed: There is no result in the
message
Getting 0 entries:

Another DC gives such answer:
ld = ldap_open("primestation.interbank.com", 389);
Established connection to primestation.interbank.com.
Retrieving base DSA information...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
Dn:
1> currentTime: 3/11/2004 19:35:29 ;
1> subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=interbank,DC=com;
1> dsServiceName: CN=NTDS




Settings,CN=PRIMESTATION,CN=Servers,CN=KIEV,CN=Sites,CN=Configuration,DC

=
i

n
t
erbank,DC=com;
3> namingContexts: CN=Schema,CN=Configuration,DC=interbank,DC=com;
CN=Configuration,DC=interbank,DC=com; DC=interbank,DC=com;
1> defaultNamingContext: DC=interbank,DC=com;
1> schemaNamingContext:
CN=Schema,CN=Configuration,DC=interbank,DC=com;
1> configurationNamingContext:
CN=Configuration,DC=interbank,DC=com;
1> rootDomainNamingContext: DC=interbank,DC=com;
16> supportedControl: 1.2.840.113556.1.4.319;
1.2.840.113556.1.4.801;
1.2.840.113556.1.4.473; 1.2.840.113556.1.4.528;
1.2.840.113556.1.4.417;
1.2.840.113556.1.4.619; 1.2.840.113556.1.4.841;
1.2.840.113556.1.4.529;
1.2.840.113556.1.4.805; 1.2.840.113556.1.4.521;
1.2.840.113556.1.4.970;
1.2.840.113556.1.4.1338; 1.2.840.113556.1.4.474;
1.2.840.113556.1.4.1339;
1.2.840.113556.1.4.1340; 1.2.840.113556.1.4.1413;
2> supportedLDAPVersion: 3; 2;
12> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv;
MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime;
MaxActiveQueries; MaxPageSize; MaxQueryDuration; MaxTempTableSize;
MaxResultSetSize; MaxNotificationPerConn;
1> highestCommittedUSN: 1274477;
2> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO;
1> dnsHostName: PRIMESTATION.interbank.com;
1> ldapServiceName: interbank.com[email protected];
1> serverName:




CN=PRIMESTATION,CN=Servers,CN=KIEV,CN=Sites,CN=Configuration,DC=interban

k
,

D
C
=com;
2> supportedCapabilities: 1.2.840.113556.1.4.800;
1.2.840.113556.1.4.1791;
1> isSynchronized: TRUE;
1> isGlobalCatalogReady: FALSE;

happen
to

first
one?
Thanks.

 

[Mykhaylo Khodorev]

GC servers do listen port 389. But when I use Ldp tool they don't give any
information. This looks like:
ld = ldap_open("primeserver", 389);
Established connection to primeserver.
Retrieving base DSA information...
Error<94>: ldap_parse_result failed: There is no result in message
Getting 0 entries:
-----------

No GCs ARE LDAP servers. They listen on both 389 and 3268 assuming the server is
running correctly.

 

[Mykhaylo Khodorev]

Right now I've found out such problem occurs when I try to connect to the
server from LAN. If I connect to localhost on this server everything works.
Where can I fix it?

GC servers do listen port 389. But when I use Ldp tool they don't give any
information. This looks like:
ld = ldap_open("primeserver", 389);
Established connection to primeserver.
Retrieving base DSA information...
Error<94>: ldap_parse_result failed: There is no result in message
Getting 0 entries:
-----------
"Joe Richards [MVP]" <[email protected]> ???????/???????? ? ????????
?????????: news:[email protected]...

No GCs ARE LDAP servers. They listen on both 389 and 3268 assuming the server is
running correctly.

that

DC,

is

to

domain

 

[Mykhaylo Khodorev]

One more thing. I've found out LDAP service on this server correctly work
during 2-3 minutes after restart server. I guess some service prevent LDAP
server to work properly, but how to find which one? Is there some log of
services' starting?

GC servers do listen port 389. But when I use Ldp tool they don't give any
information. This looks like:
ld = ldap_open("primeserver", 389);
Established connection to primeserver.
Retrieving base DSA information...
Error<94>: ldap_parse_result failed: There is no result in message
Getting 0 entries:
-----------
"Joe Richards [MVP]" <[email protected]> ???????/???????? ? ????????
?????????: news:[email protected]...

No GCs ARE LDAP servers. They listen on both 389 and 3268 assuming the server is
running correctly.

that

DC,

is

to

domain