Windows Server - Domain Controllers Can't reach Default Gateway...

Asked By Dave Onex

09-Nov-09 03:41 PM

Hi Folks;

Neither of my domain controllers can reach the default gateway even though
it is properly defined and there are valid forward and reverse records in
DNS. Pinging the DG results in...nothing. !

Every other machine on the network can ping the DG. All machines are on one
LAN segment with one default gateway.

Everything here is Windows 2000 Advanced Server and ISA 2004.

Background....

I made some network changes by promoting a different machine to become the
DC for the domain. Everything went well and the original machine was demoted
back to standard server. No issues - all is well. Event logs are spotless. A
perfect DCPROMO if ever there was one.

I then promoted a different machine to become a supplemental DC and
everything went well with one issue - FRS reports it is having problems
connecting to the existing DC and reports that it is likely a DNS issue.

I check the DNS network wide and find that there are proper forward and
reverse entries for the server in question. I triple check by looking them
up from a dos prompt - all OK.

So why does FRS fail? Unknown.

I then run netdiag /fix and it reports that the only issue is that it cannot
connect to the default gateway. I check the default gateway and it is
correct! I then ping the default gateway and what do I find? No response.
How can that be?

After checking all machines I find that the only two that cannot ping the
default gateway are the Domain Controllers. The DG is properly defined in
each case and there are valid forward and reverse entries in the DNS for the
DG.

I have no clue what is wrong. The key might be that only the domain
controllers cannot reach the DG. Can anyone help?

Thanks!
Dave

09-Nov-09 04:40 PM

I seem to have fixed it. It appears to have been a firewall issue where the
firewall was denying ICMP traffic from those two servers :-)

Best;
Dave

10-Nov-09 08:23 PM

I was going to say it was probably an ISA issue. If ISA is on a DC, it can
be extremely problematic for a number of reasons. First, it is a DC. If a DC
has more than one NIC, IP address or RRAS on it, it causes a complexity that
causes DNS registration issues. On top of that, if you install ISA, the
complications logirithmically increase.

Glad you figured it out.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

12-Nov-09 04:36 PM

Hi Ace;

In my case the ISA is just a member of the domain - not a domain controller.
Making the ISA a domain controller would be, in my mind, a recipe for
disaster especially from a security standpoint.

I did find one other thing though and it was important. On one of the domain
controllers the active directory DNS zone for my domain was missing an
important entry. In the _msdcs area of  DNS it was missing the CNAME entry
with the GUID for the other domain controller. That's why it could not
replicate with the other domain controller.

When I was testing the DNS I was just  using the other domain controllers
machine name. I did not realize that that record in that area of the DNS had
to be there. In fact, I'd never ventured into the active directory entries
in DNS :-)

Anyway, got it cased and just wanted to update this thread for archival
purposes.

Best;
Dave

12-Nov-09 11:21 PM

I am glad you got to the bottom of it. The CNAME GUID, among other SRV
records, are all important records. What was the cause of the missing
records? Normally restarting the Netlogon service on a DC will create the
SRV records. If all things are configured properly, one thing you can do is
delete the system32\config\netlogon.dns and netlogon.bak files, then run
ipconfig /registerdns, then restart Netlogon. If they are still not being
created, then I suspect a misconfiguration somewhere.

As long as you are only using the internal DNS servers, the zone name allows
updates, the Primary DNS Suffix (look at an ipconfig /all) matches the zone
name in DNS, and the domain is not a single label name, you should be good
to go. You can use this list as things to look for when troubleshooting
Dynamic DNS registration problems.

Ace

13-Nov-09 09:20 PM

Excellent tips Ace - they certainly would have cased it for me. I do not know
why the second Domain controller did not have an entry for the first. Once I
figured that out I just copied the entry from the first to the second and
everything worked perfectly :-)

it is possible that there was a DNS issue - the network has 4 DNS servers and
they are pretty complex. I set them up years ago and, generally, I have never
looked at them since. So every time I have to make changes I have to revisit
DNS and get a handle on it all over again. The neat thing is, there is
nothing like a network with perfect DNS. Resolution is instant and
everything is snappy :-)

Thanks again, those were/are really good tips.

Best;
Dave

14-Nov-09 12:57 PM

Ok, you got me confused now. You have 4 DNS servers, but you have two DCs,
correct? Or have I misread this?

The best solution for AD is to use Windows DNS on the DCs themselves. Using
BIND or a non-DC for DNS will introduce complications that if not properly
designed, will cause AD issues.

The best recommendation as I mentioned, is to use Windows DNS. If you have
say two DCs, in DC1, point to itself as the first DNS entry, and the partner
DC2 as the second entry. In DC2, point to itself as first and DC1 as the
second entry. This is assuming that the zone is AD integrated.

If you have four DCs, all DCs should point to themselves as the first entry,
and choose one of the others as the second entry.

If a BIND server is being used, the design would be based on what capacity
the BIND servers are providing the network. If you are using them as a proxy
resolver, eg as the forwarders for your WIndows DNS servers, and the clients
are not using them, then there will be no problem. If you are using them for
AD, BIND does not support Kerberos security nor AD integration. AD
integration means the zone info is store in the actual AD database which is
replicated to all DCs. A BIND or non-DC as a DNS server does not support this
feature.

Ace

14-Nov-09 02:39 PM

No confusion needed - you got it!

I have two DC's with AD integrated DNS and one other MS DNS server
configured as a secondary to DC1.
I then have one more DNS server sitting at the edge on ISA 2004 that
resolves external requests from external users.

26-Nov-09 03:02 AM

Ace, are you still monitoring this thread? I got myself in a little bit of
trouble.... :-(

26-Nov-09 01:08 PM

What did you do?

26-Nov-09 02:03 PM

I tried to make my network faster :-0
You found it (the new post). :-)