Global Catalog inconsistencies

Dave Mulvey

Got a bit of a strange problem which I think is caused by a problem
with the GC, but after a week of scratching my head I'm not sure about
anything now!

I run the domain controllers for a sub-domain of the root domain...
let's call them DC1.division.company.com and DC2.division.company.com.

The Setup......
DC1 holds amongst others the Infrastructure Master role, and DC2 holds
the Global Catalog. DC1 and DC2 both have DNS servers running in
AD-integrated mode, with DC1 the primary and DC2 the secondary of DC1.
They use the DC's of the root domain for forward lookups.

Both DC1 and DC2's DNS client is looking at DC1 as primary and DC2 as
secondary. All other clients and member servers on the network use
DC1 and DC2 for primary and secondary DNS, and all are within the
division.company.com domain.

The Problem....
If I try to access the GC on either one of the domain controllers -
for example searching for printers or people - it works fine. This
goes for resources in the division.company.com domain, the company.com
domain, and any other child of the company.com domain.

However if I try to do the same thing on a member server or client
machine, I can only list resources in the division.company.com domain.
If I try to list resources in the company.com domain or 'all of the
directory' it just times out, sometimes saying that it cannot contact
the global catalog.

I've gone through all the checklists and everything seems fine.... DC2
is advertising as a GC, the GC DNS records are there, and there aren't
any event errors being logged in any of the views.

Does anyone have any ideas what could be causing the problem? Could
there be anything wrong with the DC's in the company.com domain?

Thanks in advance.
 
Matjaz Ladava

It depends on which global catalog server it is trying to contact. Check all
your _gc records in your DNS server and see if those servers are available.
I would use the LDP tool to connect to the global catalog server (port 3268) and do
some testing.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000)
(e-mail address removed)
http://ladava.com
 
Dave Mulvey

Thanks for your response, Matjaz. I've already done some initial
testing with the LDP tool and everything appears to be OK.

Regarding the _gc records in DNS, there is a record listed in _tcp for
DC2 in the company.com zone (amongst all of the other GC's in the
tree), but there are no _gc records in the division.company.com zone.
Is this normal?
 
Matjaz Ladava

The right records that should be registered in your DNS can be found in
%systemroot%\system32\config in netlogon.dns.
Do you mean that in your child domain DNS there are no entries for
GC's? Are there any GC's in your child domain (division.company.com)? If
they are there, then you should have _gc records (under _tcp,
_tcp.sitename._sites....)
In your division.company.zone, there should be _msdc, _sites, _tcp, _udp
sub-entries.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000)
(e-mail address removed)
http://ladava.com
 
Dave Mulvey

The DNS servers on the two domain controllers contain the
configuration for both the company.com and the division.company.com
domains, and both have similar structure (containing _tcp, _msdc,
etc.). The only real difference that might be relevant is that under
_tcp in the company.com domain there's listed all of the GC's in the
whole organisation with _gc records (including my one - DC2).

However in the division.company.com configuration, under _tcp there's
no mention of any GC's. The only service types listed are _kerberos,
_kpasswd and _ldap.

My GC - DC2 - is registered in the child domain (i.e. - its FQDN is
DC2.division.company.com).

Thanks,
Dave
 
Matjaz Ladava

What you are seeing in your DNS is quite right. GC's are registered under
_tcp in the forest name, like:
_gc._tcp.ForestName and _gc._tcp.SiteName._sites.forestname
It is strange that your clients don't locate the GC, but you can connect to the GC
(to port 3268, not 389) using the LDP tool from the client.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000)
(e-mail address removed)
http://ladava.com
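
The check suggested in this thread (list the _gc SRV records, then see whether each target answers on port 3268), as an added example that is not part of the original posts. The record text is a constructed sample in the zone-file format of netlogon.dns; the site name Default-First-Site-Name and all function names are assumptions.

```python
import socket

# Constructed sample in netlogon.dns zone-file format; host names follow the thread.
SAMPLE_NETLOGON_DNS = """\
_ldap._tcp.division.company.com. 600 IN SRV 0 100 389 dc1.division.company.com.
_ldap._tcp.division.company.com. 600 IN SRV 0 100 389 dc2.division.company.com.
_gc._tcp.company.com. 600 IN SRV 0 100 3268 dc2.division.company.com.
_gc._tcp.Default-First-Site-Name._sites.company.com. 600 IN SRV 0 100 3268 dc2.division.company.com.
"""

def expected_gc_names(forest, site=None):
    """Owner names used to locate a GC: always under the forest root, never the child domain."""
    names = [f"_gc._tcp.{forest}."]
    if site:
        names.insert(0, f"_gc._tcp.{site}._sites.{forest}.")
    return [n.lower() for n in names]

def gc_targets(zone_text, forest, site=None):
    """Return {owner_name: [(host, port), ...]} for the _gc SRV records present."""
    found = {name: [] for name in expected_gc_names(forest, site)}
    for line in zone_text.splitlines():
        fields = line.split()
        # Layout: owner ttl IN SRV priority weight port target
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            continue
        owner = fields[0].lower()
        if owner in found:
            found[owner].append((fields[7].rstrip("."), int(fields[6])))
    return found

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_gcs(zone_text, forest, site=None, probe=tcp_reachable):
    """Map each _gc owner name to (host, port, reachable); an empty list means no record."""
    report = {}
    for owner, targets in gc_targets(zone_text, forest, site).items():
        report[owner] = [(h, p, probe(h, p)) for h, p in targets]
    return report

if __name__ == "__main__":
    result = check_gcs(SAMPLE_NETLOGON_DNS, "company.com", "Default-First-Site-Name")
    for owner, rows in result.items():
        print(owner, rows or "NO RECORD")
```

Run from a member server or client rather than a DC, since the thread's failure only shows up there; `False` for a listed target points at that GC being unreachable from the client.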
 
