Windows XP LDAP Domain Issues

Hello,

I hope someone can help me out because I have had this problem for a while and never quite figured out how to fix it. Now, however, we are switching to XP and this makes the problem a bit larger, because XP systems cannot join the domain.

Having had this problem for a while I think I have narrowed it down to the LDAP service not running on the TCP port 389, as can be seen in the portqry result of the tcp port for LDAP below:
Code:
============================================= 
Starting portqry.exe -n server.domain.com -e 389 -p TCP ...
 
Querying target system called: 
server.domain.com
 
Attempting to resolve name to IP address...
Name resolved to 192.168.0.1
 
querying...
TCP port 389 (ldap service): LISTENING
 
Using ephemeral source port
Sending LDAP query to TCP port 389...
 
LDAP query to port 389 failed
Server did not respond to LDAP query
 
portqry.exe -n server.domain.com -e 389 -p TCP exits with return code 0x00000000.

The LDAP Service is running on UDP port 389 just not on TCP, so it's probably not the LDAP service itself. ( portqry does get a reply on the UDP port )

I have tested:
  • DNS ( Which I am almost sure is correct )
  • Firewalls ( All disabled )
  • Connectivity ( Routing, all systems can be reached from everywhere in the network )
  • SYSVOL and NETLOGON both shared and accessible from the network.
I just do not know what the problem is anymore.

The domain server is multihomed ( two network cards in same pc ) but I believe it is set up correctly since I have complete routing, dns and dhcp functionality.

Some additional information and symptoms of the problem:
  • Windows 2000 systems can join the domain but cannot contact the GPO ( Group Policy Objects )
  • Windows XP systems cannot join domain at all. Just returns an error saying the server is not operational. ( probably meaning, can not contact the LDAP service )
  • Administrative tools on clients cannot connect to the Users and Computers tool, the Domains and trusts tool or the sites and services tool. They can connect to DNS DHCP and so on.
  • Clients cannot access domain User and Computer in the Sharing and security tabs for folders.
All these symptoms do not occur on the server itself, there it is possible to access Users and Computer tools and such.

Additionally:
  • On the server dcdiag returns with all passed
  • On the server netdiag returns with most passed except for 3 warnings about some WINS entries that are missing
    Code:
    [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
  • On the Clients Users can log in and access User based secured shared folders on the network. So Domain security does work.
  • Domain users can only be added to shared folders by typing them in manually when creating a share, no lists are given.
All in all this always has been a major problem that never got solved. I have workarounds for almost everything mentioned here except for the new XP systems that cannot join the Domain.

Aaarrrggg... This problem has cost me a lot of time and effort and it is still not resolved. I really hope someone here can point me in the right direction, and help me solve this persistent issue.

If you want any more information please ask... :)

Thanks In Advance,
Mantheren
 

muckshifter

I'm not weird, I'm a limited edition.
Moderator
Sorry to admit but it ain't up my street ... Tom is one who may be able to shed some light. But he err, only pops in on the odd occasion.

:(
 
Hello again,

Well it's been about a year since I first posted this problem, and I have been working on this issue every now and again, but it's always been haunting me.
Yesterday I finally found a solution to this issue...

The Problem:
I could not add XP systems to my Windows 2000 domain. Each time I tried to add one, I received a message saying:
"The specified server cannot perform the requested operation"

The Resolution:
Removed the H323 Gateway using netsh as follows, "netsh routing ip nat delete h323"


Basically what that did is turn off the LDAP proxy from the NAT router (this action also turns off the H.323 proxy support).

For ICS users, you must implement RRAS in place of ICS because it is not possible to disable the LDAP proxy in ICS.
If you need to turn the H.323 proxy back on, type the following command at a command prompt:
"netsh routing ip nat add h323"

Btw here is a link to the Microsoft kb explaining how to disable/enable the proxy:
http://support.microsoft.com/kb/838834

Ok... So that is how it was solved...
Basically all the other 'domain related' issues also disappeared as soon as I deleted the H.323 proxy.

Well I just thought I would post the resolution here, just in case anybody happens to stumble upon this thread, and has the same problem...

Mantheren
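
An added example, not part of the thread: a Python probe that repeats the check portqry made in the first post (TCP connect to 389, then an anonymous rootDSE search) and separates "port answers but nothing speaks LDAP" from a working directory service, so the result can be compared before and after the netsh change. The function names and result labels are chosen here for illustration; the host name passed to `probe` is whatever server is being tested.

```python
import socket

def rootdse_search_request(msg_id=1):
    """BER-encode an LDAPv3 SearchRequest for the rootDSE (anonymous, base scope)."""
    body = (
        b"\x04\x00"             # baseObject "" = rootDSE
        b"\x0a\x01\x00"         # scope: baseObject
        b"\x0a\x01\x00"         # derefAliases: never
        b"\x02\x01\x00"         # sizeLimit: 0
        b"\x02\x01\x00"         # timeLimit: 0
        b"\x01\x01\x00"         # typesOnly: FALSE
        b"\x87\x0bobjectClass"  # filter: (objectClass=*)
        b"\x30\x00"             # attributes: none requested
    )
    msg = b"\x02\x01" + bytes([msg_id]) + b"\x63" + bytes([len(body)]) + body
    return b"\x30" + bytes([len(msg)]) + msg

def _after_length(data, i):
    """Index just past the BER length field that starts at data[i]."""
    return i + 1 + (data[i] & 0x7F if data[i] & 0x80 else 0)

def classify_reply(data):
    """Classify the first bytes read back after the search request was sent."""
    if not data:
        return "no-ldap-reply"          # the state portqry reported in this thread
    try:
        if data[0] != 0x30:             # an LDAPMessage is always a SEQUENCE
            return "not-ldap"
        i = _after_length(data, 1)
        if data[i] != 0x02:             # messageID must be an INTEGER
            return "not-ldap"
        op = data[i + 2 + data[i + 1]]  # protocolOp tag follows the messageID
    except IndexError:
        return "not-ldap"
    # 0x64 = SearchResultEntry, 0x65 = SearchResultDone
    return "ldap-ok" if op in (0x64, 0x65) else "ldap-unexpected"

def probe(host, port=389, timeout=5.0):
    """TCP connect, send the rootDSE search, classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(rootdse_search_request())
            try:
                data = s.recv(4096)
            except (socket.timeout, ConnectionError):
                data = b""
    except OSError:
        return "tcp-unreachable"
    return classify_reply(data)
```

Running `probe("server.domain.com")` from a client on each network segment shows whether only the clients behind the NAT interface get `no-ldap-reply`.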
 
Mantheren said:
No one has any ideas? That's a darn shame...

I Googled LDAP Domain Issues and got 998,000 hits!

Someone, somewhere knows about your problem. You have to keep digging!
 
MalcolmW said:
I Googled LDAP Domain Issues and got 998,000 hits!

Someone, somewhere knows about your problem. You have to keep digging!
Um... that was a year ago,
My problem is fixed, all I just did was post how I fixed it :) (read the last post again)
 

Ian

Administrator
Mantheren said:
Well I just thought I would post the resolution here, just in case anybody happens to stumble upon this thread, and has the same problem...

Very considerate indeed Mantheren :thumb: Thanks for taking the time to post back here for other readers :bow:
 
Mantheren said:
No one has any ideas? That's a darn shame... :(

Mantheren

It was to the above message that I responded in good faith. I readily admit to not reading the whole thread to which m'lud I plead guilty without any plea of mitigation.

I am glad to note that you fixed the problem.
 
