Servers unable to communicate

David Fusfeld

Ok, I have a bit of a weird issue. I've inherited a Win2000 AD network from
an old SysAdmin. We have two domains, OFFICE.COM and DEVELOPMENT.COM, both
in house on the same physical LAN. The previous admin set up a two-way trust
between the domains. However, the DCs in the two domains are not talking.
They cannot ping each other, and there appears to be no communication
between them. What's odd is they are on the same subnet (10.10.10.x) and both
can ping the rest of the devices on the network, just not each other.

Is there a setting or policy that jumps out as needing to be looked at? Any
direction is appreciated, I'm scratching my head a bit.

David Fusfeld
 
Phillip Windell

Personal Firewalls (Windows Firewall) can/will cause communication problems.
My recommendation is to never run them,...I don't trust them as far as I can
throw them,..but that is just me.

Did you make changes to either DNS in either Domain? The DNS in each domain
needs to be "aware" of the other one.

The best solution is to not have only *one* domain,...or have two Child
Domains under the main one. I also recommend not using ".com" but use
".loc" or ".local" (".loc" is best).

With one domain = "company.loc"
With Childs = "office.company.loc" and "development.company.loc"

I personally favor just one simple domain. You don't need multiple domains
to create a good security environment,...that is just a misconception
created by those who still confuse the old "NT way" of doing this vs. using an
Active Directory domain. Even Child Domains only have a real purpose in very
large, very complex organizations and most of the time are not needed
either.
 
Doug Sherman [MVP]

Presumably these are two separate forests, otherwise there would be no need
for trusts. If the DCs cannot ping each other by IP address, probably the
IPs or subnet masks are misconfigured, or they have a firewall blocking ICMP
echo. If you can ping by IP but not by name, check the DNS configuration.
If OFFICE.COM machines point to the OFFICE.COM DC for DNS and
DEVELOPMENT.COM machines point to the DEVELOPMENT.COM DC, try configuring a
standard secondary zone for the other domain on each DNS server.

Doug Sherman
MCSE, MCSA, MCP+I, MVP
 
Phillip Windell

> If OFFICE.COM machines point to the OFFICE.COM DC for DNS and
> DEVELOPMENT.COM machines point to the DEVELOPMENT.COM DC, try
> configuring a standard secondary zone for the other domain on each DNS
> server.

I know that would need to be done, but I have never actually been in a
situation to have to do that. When it is done, how does the new Zone in
each get populated? So if a new machine is added to one of the domains and
is automatically added in DNS, how does the additional Zone in the other DNS
in the other Domain know that it happened and be able to add it in those
records too?
 
David Fusfeld

Just to clarify, there is no personal firewall blocking. More comments
inline below:

> I personally favor just one simple domain. You don't need multiple domains
> to create a good security environments,...that is just a misconception
> created by those who still confuse the old "NT way" of doing this vs use an
> Active Directory domain. Even Child Domains only have a real purpose in very
> large, very complex organizations and most of the time are not needed
> either.

Agreed, but because I've inherited this structure, I'm left to deal with
what I've got for the time being.

> Presumably these are two separate forests, otherwise there would be no need
> for trusts. If the DCs cannot ping eachother by IP address, probably the
> IPs or subnet masks are misconfigured, or they have a firewall blocking ICMP
> echo. If you can ping by IP but not by name, check the DNS configuration.
> If OFFICE.COM machines point to the OFFICE.COM DC for DNS and
> DEVELOPMENT.COM machines point to the DEVELOPMENT.COM DC, try configuring a
> standard secondary zone for the other domain on each DNS server.

They are separate forests. I cannot ping by IP, so it's at a lower level
than name resolution.

The previous SysAdmin had "played" with domain security policy settings, so
I'm almost wondering if there is something buried in there that he enabled
that I have to find now.

David
 
Doug Sherman [MVP]

When you create a standard secondary zone, the wizard will ask you to
specify the IP of the primary server you want to receive the records from.
In the DNS console for the primary server/zone (this can be an AD integrated
zone) you select properties and click on the Zone Transfers tab. You can
configure the zone to allow transfers to the IP of the secondary server.
You can also add the secondary server to the Notify (button) list. The
secondary zone should populate immediately. Thereafter I think the default
update period is 15 minutes. If the secondary server is on the notify list,
changes should update immediately.

Doug Sherman
MCSE, MCSA, MCP+I, MVP
 
Phillip Windell

David Fusfeld said:
> Just to clarify, there is no personal firewall blocking. More comments
> inline below:

Ok.

> Agreed, but because I've inherited this structure, i'm left to deal with
> what i've got for the time being.

I understand. The one I have here right now was only 75% finished when I
took over. It was originally three Domains,...only one of the three exists
anymore.

> They are seperate forests. I cannot ping by IP , so its at a lower level
> than name resolution.

Experiment. There are two kinds of Names that depend on different things.
Compare pinging by IP# (you said that worked), then by internal AD/FQDN
(ping "machine.company.loc"), and ping by Netbios Name ("ping machinename").
What works and what doesn't may tell us something.

If the AD/FQDN works but netbios naming doesn't ping,..... then we know DNS
is OK but Netbios over TCP/IP, or WINS, or the Computer Browser Service may
have issues.

If Netbios Naming pings OK but not AD/FQDNs then maybe there are DNS issues.

*Note:* even if the Ping itself fails, it may still show the IP# it resolved
to on the screen, and that will tell you something.

> The previous SysAdmin had "played" with domain security policy settings, so
> i'm almost wondering if there is something buried in there that he enabled
> that I have to find now.

Maybe,..but I can't think of what that might be right now.
But if you want, you could compare the policy to one that hasn't been
altered. To do that, find an old machine you can load the Server OS on. Make
it a DC of a "test" domain. It should be totally alone,...no trusts or any
kind of relationship at all with the existing domains. Leave everything at the
*Defaults*. Now you can use it to compare with, so that you will know what
the original GPO Defaults would have been before they were messed with. I
always keep a few Images of OS installs in Virtual PC just for this type of
stuff.
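The three-rung experiment described above (ping by IP, by AD/FQDN, by NetBIOS name), scripted as an added example that is not part of the thread. It checks name resolution separately from ICMP reachability, because a ping can fail even though the name resolved to an address. The target address and names are constructed placeholders for the other forest's DC.

```powershell
# Added example: automate the IP / FQDN / NetBIOS ping ladder from one DC
# toward the DC in the other forest. Values below are assumed placeholders.
$Target = @{
    Ip      = '10.10.10.20'            # assumed DEVELOPMENT.COM DC address
    Fqdn    = 'dc1.development.com'    # assumed AD/FQDN name of that DC
    NetBios = 'DC1'                    # assumed flat NetBIOS name of that DC
}

function Test-NameLayer {
    param([string]$Name)
    # Step 1: resolve (IP literals return as-is; names go through the Windows
    # resolver: DNS with suffix search, then NetBIOS/WINS for flat names).
    $resolved = $null
    try {
        $resolved = ([System.Net.Dns]::GetHostAddresses($Name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            Select-Object -First 1).IPAddressToString
    } catch { }
    # Step 2: only if resolution worked, test ICMP echo to the resolved address.
    $reachable = $false
    if ($resolved) {
        $reachable = Test-Connection -ComputerName $resolved -Count 2 -Quiet
    }
    [pscustomobject]@{ Name = $Name; ResolvedTo = $resolved; Reachable = $reachable }
}

$byIp   = Test-NameLayer -Name $Target.Ip
$byFqdn = Test-NameLayer -Name $Target.Fqdn
$byNb   = Test-NameLayer -Name $Target.NetBios
$byIp, $byFqdn, $byNb | Format-Table -AutoSize

# Interpret the ladder the way the thread does: report the lowest failing rung.
if (-not $byIp.Reachable) {
    'Raw IP does not answer: problem is below name resolution (IP/mask, host firewall, IPsec policy from GPO, cabling).'
} elseif (-not $byFqdn.ResolvedTo) {
    'IP pings but the AD/FQDN does not resolve: DNS has no zone or forwarder for the other domain.'
} elseif (-not $byNb.ResolvedTo) {
    'DNS works but the flat NetBIOS name does not resolve: check NetBIOS over TCP/IP, WINS, Computer Browser.'
} elseif (-not ($byFqdn.Reachable -and $byNb.Reachable)) {
    'A name resolves to an address that does not answer: compare ResolvedTo with the expected DC address.'
} else {
    'All three rungs succeed from this host; repeat the test from the other DC.'
}
```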
 
Doug Sherman [MVP]

I haven't used secondary zones in a while - it's mostly useful in trust
situations and works quite well. With Windows Server 2003 you would
probably use conditional forwarders instead.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

Phillip Windell said:
> Ok,...sounds good.
> Thanks, Doug,..
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
> Doug Sherman said:
> > When you create a standard secondary zone, the wizard will ask you to
> > specify the IP of the primary server you want to receive the records from.
> > In the DNS console for the primary server/zone (this can be an AD integrated
> > zone) you select properties and click on the Zone Transfers tab. You can
> > configure the zone to allow transfers to the IP of the secondary server.
> > You can also add the secondary server to the Notify (button) list. The
> > secondary zone should populate immediately. Thereafter I think the default
> > update period is 15 minutes. If the secondary server is on the notify list,
> > changes should update immediately.
> >
> > Doug Sherman
> > MCSE, MCSA, MCP+I, MVP
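The secondary-zone setup Doug describes (restrict transfers to the secondary's IP, add it to the Notify list, then pull the zone) together with the conditional-forwarder alternative he mentions for Server 2003, as an added example that is not the thread's own material. It uses the DnsServer module cmdlets of Windows Server 2012 and later, which do not exist on the Windows 2000 DCs in the thread, where the same settings live on the Zone Transfers tab of the DNS console; the two DC addresses are constructed placeholders.

```powershell
# Added example. Assumes: OFFICE.COM DC at 10.10.10.10 hosts the office.com
# primary (AD-integrated or standard); DEVELOPMENT.COM DC at 10.10.10.20 will
# hold a standard secondary copy of it. Both addresses are placeholders.
$OfficeDc      = '10.10.10.10'
$DevelopmentDc = '10.10.10.20'

# ---- Run on the OFFICE.COM DC -------------------------------------------
# Weak setting (shown commented out, for contrast): any host that asks may pull
# the whole zone, which hands an outsider a list of every server and DC.
# Set-DnsServerPrimaryZone -Name 'office.com' -SecureSecondaries TransferAnyServer

# Restricted setting: transfer only to the named secondary, and notify it on
# change so the copy updates at once instead of waiting for the refresh timer.
Set-DnsServerPrimaryZone -Name 'office.com' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $DevelopmentDc `
    -Notify NotifyServers -NotifyServers $DevelopmentDc

# ---- Run on the DEVELOPMENT.COM DC --------------------------------------
# Create the standard secondary zone for the other forest's domain and force
# an initial full transfer rather than waiting for the SOA refresh.
Add-DnsServerSecondaryZone -Name 'office.com' -ZoneFile 'office.com.dns' `
    -MasterServers $OfficeDc
Start-DnsServerZoneTransfer -Name 'office.com' -FullTransfer

# Verify: the zone should be Secondary with the expected master, and the
# other forest's LDAP SRV records (needed by the trust) should be present.
Get-DnsServerZone -Name 'office.com' |
    Format-List ZoneName, ZoneType, MasterServers
Get-DnsServerResourceRecord -ZoneName 'office.com' -RRType Srv |
    Where-Object { $_.HostName -like '_ldap._tcp*' }

# Alternative (Windows Server 2003 and newer): a conditional forwarder sends
# queries for office.com to its DC instead of holding a copy, so no zone
# transfer has to be permitted at all.
# Add-DnsServerConditionalForwarderZone -Name 'office.com' -MasterServers $OfficeDc

# Repeat with the roles swapped so OFFICE.COM can resolve development.com.
```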

David Fusfeld

> Experiment. There are two kinds of Names that depend on different things.
> Compare pinging by IP# (you said that worked), then by internal AD/FQDN
> (ping "machine.company.loc"), and ping by Netbios Name ("ping machinename").
> What works and what doesn't may tell us something.


I cannot ping by IP.

Thanks,
David Fusfeld
MCSE, MCP+I
 
Phillip Windell

Disable the host-based firewall (aka ICF, aka Windows Firewall) on all the
LAN machines. Nothing wrecks a network faster than that thing.

If it still won't ping anywhere then you are going to have to start at the
bottom and work upwards, starting with the cabling. I cannot physically see
your network, I am "blind" here and there is only so much I can do with
Emails.
 
