"Cannot obtain domain controller name..."

Brion Keagle

We have a firewall environment with resource servers talking to DC/DNS
servers through the firewall. The servers all have the error message
"Windows cannot obtain the domain controller name for your network." The
servers are still functioning OK, but logons are slow, and this error
message seems to be generated every time someone logs on.

Everything I can find on the web indicates that this error is caused because
the resource servers cannot find the domain controller resource record in
DNS. Yet DNS is not broken... I can surf the web and run nslookup on any of
the resource servers with no problem.

Question: Does the DNS request for a DC Resource Record use a different port
than a normal DNS request?

What else could be going on?

Thanks!
 
Yor Suiris

You are confusing Internet DNS with Windows DNS. For the Internet, DNS
means "Domain Name Servers"; for MS, DNS means "Domain Name Services". The
two are not the same. For your Win2K domain to work you need a Win2K DNS
server on YOUR network. Your ISP's DNS will not handle Win2K DNS. Just install
DNS on one of your DCs, set it to forward requests to your ISP's DNS and point
all your WSs to your local DNS.
 
Brion Keagle

Thanks, but the problem is not with replication - it is with client
connections (in this case, when I say "client" I mean other servers such as
web servers.)

I guess I should clarify our environment a little. We have two DMZs - our
"regular" DMZ allows very limited access from the internet in to our web
servers, etc. We also have another DMZ, or SubDMZ, which is another
screened subnet. No traffic from the internet is allowed whatsoever to this
DMZ. Only limited access is allowed from the web servers in the DMZ to
resource servers in the SubDMZ.

The DCs are located in the SubDMZ. The DCs are also DNS servers. I have
created an AD site which encompasses both the DMZ and SubDMZ. They are
replicating just fine with DNS/DCs back on the LAN. That's not the problem.

The problem is with communication between the webservers in the DMZ and the
DNS/DCs in the SubDMZ. I am seeing the error message on the webservers.
Yet, when I run nslookup at any of the webservers, they can all resolve
hosts (such as www.microsoft.com or any computer in our organization) just
fine. So DNS is working. No doubt about it. Yet from what I can see, the
webservers are generating the error message because they are not getting a
DC resource record from DNS. I have verified the resource records are
created correctly on the DNS servers. That's not the problem either. The
web servers just can't seem to get DC resource records from the DNS/DCs...

Something must be blocked at the firewall, but what?

Thanks!
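The lookup path the question asks about, as an added Python example that is not part of the thread: the DC locator uses the same DNS port as nslookup (53) to fetch the SRV record under _msdcs, and only then contacts the returned DCs over LDAP, Kerberos and SMB, so a firewall that passes DNS but not those flows gives exactly the symptom described. The zone names, rule table, domain and host names below are constructed.

```python
# Constructed firewall policy for the thread's topology: DMZ web servers -> SubDMZ DCs.
# Only DNS is permitted, which is enough for nslookup but not for the DC locator.
FIREWALL_ALLOW = {
    ("dmz_web", "subdmz_dc", "udp", 53),
    ("dmz_web", "subdmz_dc", "tcp", 53),
}

# Flows the DC locator and the logon after it need. Assumption (standard Windows
# behaviour, not stated in the thread): after the SRV lookup the client sends an
# LDAP ping to UDP 389 on each candidate DC, then uses Kerberos and SMB to log on.
# RPC endpoint mapper and dynamic RPC ports are left out to keep the list short.
REQUIRED = [
    ("udp", 53, "DNS SRV lookup for the DC record"),
    ("tcp", 53, "DNS over TCP for large replies"),
    ("udp", 389, "LDAP ping used by the DC locator"),
    ("tcp", 389, "LDAP"),
    ("tcp", 88, "Kerberos"),
    ("udp", 88, "Kerberos"),
    ("tcp", 445, "SMB (Netlogon, SYSVOL)"),
]

# Constructed SRV answers as the SubDMZ DNS would return them: (priority, weight, port, target).
SRV_ANSWERS = {
    "_ldap._tcp.DMZ._sites.dc._msdcs.corp.example": [(0, 100, 389, "dc1.corp.example")],
    "_ldap._tcp.dc._msdcs.corp.example": [
        (0, 100, 389, "dc1.corp.example"),
        (0, 100, 389, "dc2.corp.example"),
    ],
}


def dc_locator_srv_names(domain, site=None):
    """SRV names the locator queries: the site-specific record first, then the domain-wide one."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def blocked_flows(allow, src_zone, dst_zone):
    """Required flows the allow set does not permit; these are what to look for on the firewall."""
    return [(proto, port, why) for proto, port, why in REQUIRED
            if (src_zone, dst_zone, proto, port) not in allow]


def locate_dc(domain, answers, allow, src_zone, dst_zone, site=None):
    """Mimic the locator: resolve the SRV record, then require the LDAP ping path to a returned DC."""
    for name in dc_locator_srv_names(domain, site):
        for _prio, _weight, port, target in sorted(answers.get(name, [])):
            if (src_zone, dst_zone, "udp", port) in allow:
                return target
    return None  # SRV lookup succeeded but no DC could be pinged: the thread's symptom
```

Running blocked_flows against the real rule base (rather than the constructed one) lists the flows to open; locate_dc returning None with a populated SRV answer is the "DNS works, DC locator fails" case.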
 