2003R2 DC cannot be accessed by 2008 servers not on its Domain
I have 3 domains, DomainA, DomainB, and DomainC. I have a Windows 2003 R2 server that is a domain controller for DomainA. I can ping this server from all other servers in DomainA, B and C. From any other Windows 2000/2003 servers I can connect to admin shares, RDP, or use any other service on the 2003 R2 DC just fine from DomainA, B, and C. From a Windows 2008 SP2 DC on DomainA I can connect to the admin shares on the Windows 2003 R2 DC just fine. The problem I am running into is that for 2008 machines not on DomainA (verified with both R2 and standard) I am unable to connect to any port on the Windows 2003 R2 domain controller. I can ping it, but I cannot telnet to port 3389 and establish a 3-way handshake (but I can from any other machine so long as it is not a W2k8 server on DomainB or DomainC), nor can I browse any admin shares or connect to any other service/port listening. The issue seems to be specific to non-DomainA Windows 2008 servers connecting to a DomainA Windows 2003 DC. The non-DomainA W2k8 servers can connect to other DomainA W2k3 servers as long as they aren't in the DC role. I can connect to DomainA W2k3 servers from a non-DomainA W2k8 server so long as that W2k3 server isn't a DC. This seems to be something specific to the local DomainA DC policy that is blocking connections, but only from non-DomainA 2008 servers, and I don't know where it is. For grins I attempted to add one of the machines I was trying to access this server from into the "Access this computer from the network" user rights assignment in the Default Domain Controllers Policy, but that had no impact. Any ideas?
June 8th, 2012 11:21am

Hi brianw76, thanks for posting here. Is there any other security software also installed on this Windows Server 2003 domain controller of domain A, like a firewall, IDS, etc.? We can also check the local group policy on this domain controller to ensure there is no rule (especially an IPsec policy) that could affect the incoming connection. Do we have another Windows Server 2003 domain controller of Domain A that has had the same policies and settings applied? Of course we'd suggest first checking the connectivity on this problematic domain controller by using the Portqry utility, and capturing the traffic from the Windows Server 2008 non-domain-joined host with Network Monitor and analyzing the result to troubleshoot:
How to Use Portqry to Troubleshoot Active Directory Connectivity Issues http://support.microsoft.com/kb/310456/
How to configure a firewall for domains and trusts http://support.microsoft.com/kb/179442/
Microsoft Network Monitor 3.4 http://www.microsoft.com/en-us/download/details.aspx?id=4865
Meanwhile, could we also temporarily disable the Windows built-in firewall on these non-domain-joined Windows Server 2008 hosts by following the steps in the KB article below?
I Need to Disable Windows Firewall http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx
Regards, Tiger Li TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tnmff@microsoft.com. Tiger Li TechNet Community Support
June 10th, 2012 11:08pm

Thank you for the reply Tiger Li. There is no other security software installed, and the firewall is disabled. Again, I can telnet to port 3389 from any other machine either on or off the domain just fine, but a 3-way handshake will not even complete if I attempt to do so from the 2008 server that is not on the same domain as the 2003 DC. Both domain controllers on the domain experience the same behavior, which originally led me to believe it was the default domain controller security settings at fault (since this is only on DCs and not any other machine on the domain), but I didn't see any settings that appeared to affect this. If you know of specific settings I can look at I will do so and confirm what we have. The IPsec policies all show that the policies are unassigned for Server, Client, and Secure Server. NetMon shows the SYN packet leaving the 2008 server and never getting a SYN-ACK reply back on any of the ports that are open and listening. The ports are obviously working properly since I can telnet to them just fine from anything other than a W2k8 server outside of this domain. It looks like the traffic is being dropped at the packet level on the W2k3 domain controllers for all traffic coming from non-domain W2k8 boxes. Even with the IPsec Services service stopped I get the same results. What is specific about W2k3 to W2k8 communication when only one of the boxes is a member of the domain?
June 11th, 2012 9:11am

Hi, DCs have more security policies applied than member servers, so this issue may be caused by security policy settings. Anyway, please help to collect the following information for further research. 1. Did you face any error when trying to connect to the 2K3 DC in domain A from the non-domain 2K8? If so, please tell me the error message. 2. Please run the following command to dump the group policy settings on the 2K3 DC and paste the output:
gpresult /v
Best regards, Jason Mei. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 12th, 2012 5:31am

Hi, please help confirm the following points. 1. Do you mean that non-domain W2k3 servers can connect to the 2K3 DC in domain A? 2. If we try to access the shared folder on the 2K3 DC in domain A from non-domain W2k8 servers, do you see any error? 3. As you mentioned, the non-domain W2k8 server can connect to a member W2k3 server in domain A, but cannot connect to the W2k3 DC in domain A, so I'm afraid this issue may be caused by security settings on the DC side. Anyway, if you feel comfortable pasting gpresult from the non-domain W2k8 server, please paste it. Best regards, Jason Mei. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 13th, 2012 6:40am

Yes, non-domain W2k3 servers can connect to the W2k3 DC in domain A just fine. Additionally, domain A W2k8 servers can connect to the W2k3 DC in domain A just fine. The only thing that doesn't work is non-domain W2k8 servers connecting to the W2k3 DC in domain A. I can't access shares, or any ports that are listening (verified with a netstat -an on the W2k3 DC), from the non-domain W2k8 servers. However, from another non-domain W2k3 server on the same subnet as the W2k8 server I can connect to all shares/ports just fine (confirming this isn't a routing issue or a firewall blocking anything). To eliminate needless troubleshooting my focus is not on connecting to a share, but simply on establishing a 3-way handshake on any active listening TCP port on the W2k3 DC. The fact that I can't establish a 3-way handshake (no SYN-ACK from the W2k3 DC) is the most basic level of communication that needs to occur before troubleshooting anything higher up in the stack. It is likely there is some security setting being applied that is blocking this; I'm just looking for which one it could be. gpresult /v doesn't show any GPO being applied to this server that isn't being applied to the rest of our servers (with which we can communicate just fine). I am just looking for what could be stopping communication only from W2k8 servers connecting to a W2k3 DC, and assumed this was a fairly basic question for which a specific control was responsible.
June 13th, 2012 9:50am

Additionally, I just verified I can connect from a non-domain W2k8 server to a domain A W2k8 DC without an issue. So this isn't specific to being able to connect to all domain controllers, just to the W2k3 domain controllers from a non-domain W2k8 server.
June 13th, 2012 10:14am

There is no error message. I can ping the server just fine, but I cannot negotiate a 3-way handshake for any TCP/IP port that is open. Like I said earlier, the only commonality is that non-domain W2k8 servers are unable to connect, but any other server either on or off the domain can connect without issue. To simplify, port 3389 is published and I can remote desktop to the server just fine from all machines on or off the domain except for the W2k8 boxes. From the W2k8 servers I cannot even telnet to port 3389, so the packets get dropped before any authentication has a chance to occur. 3389 is just an example, but there are many other ports that are actively listening that experience the exact same results, so I don't want to get bogged down in troubleshooting remote desktop since I know this isn't application specific. I agree that this has something to do with the hardened security of a domain controller; I just can't pinpoint which setting it is in order to resolve it. I don't know if there is a setting on the DC or on the non-domain W2k8 servers that may need to be "downgraded" in order to facilitate communication between these groups of servers. I can't paste the gpresult in a public forum due to security concerns; however, there are no policies being applied that are not being applied to all other machines in the domain that are working properly. The only thing being applied specifically to the W2k3 DCs that isn't applied elsewhere would be the Default Domain Controllers Policy.
June 13th, 2012 1:02pm

Hi, please disable the RSS, TCP Offload and Auto-tuning features on both computers in question for a test. You can follow the steps below to do so:
a. Open the Command Prompt with Administrator permission.
b. At the command prompt, type the following commands, and then press ENTER after each:
netsh int tcp set global chimney=disabled
netsh int tcp set global rss=disabled
netsh interface tcp set global autotuninglevel=disabled
c. Disable the RSS and TCP Offload features in the NIC settings (NIC settings -> Configure -> Advanced).
d. Then please restart the system.
If it is not working, we may need to collect more logs for the troubleshooting. Best regards, Jason Mei. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 14th, 2012 6:10am
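The thread narrows the problem to whether a TCP 3-way handshake completes from the non-domain W2k8 server to the W2k3 DC, and the last reply asks to disable TCP Chimney offload, RSS and auto-tuning. The PowerShell 2.0 script below is an added diagnostic, not code from anyone in the thread: run on the non-domain W2k8 server, it reports ICMP reachability, then attempts a TCP connect to each listening port (a timeout with no SYN-ACK reproduces the symptom described, while a reset means the port answered but is closed), and finally prints the current netsh TCP global settings so their state is recorded before they are changed. The DC name and port list are placeholders/constructed samples; substitute the real DC and the ports seen LISTENING in netstat -an.

```powershell
# Added diagnostic for this thread (not from the original posts).
# Run in PowerShell 2.0 on the non-domain Windows Server 2008 host.
# Assumptions: $DcName is a placeholder for the DomainA W2k3 DC; $Ports is a
# constructed sample of ports that netstat -an on the DC showed as LISTENING.
param(
    [string]$DcName  = 'DC-PLACEHOLDER.domaina.example',
    [int[]] $Ports   = @(3389, 445, 135, 389, 88),
    [int]   $TimeoutMs = 3000
)

function Test-TcpHandshake {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    # TcpClient.Connect only returns once SYN / SYN-ACK / ACK has completed.
    # A timeout therefore matches the NetMon observation in the thread: the SYN
    # leaves this host and no SYN-ACK ever comes back. A socket error (e.g. a
    # RST) means the DC's stack did answer, just not on that port.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'TIMEOUT (SYN sent, no SYN-ACK)'
        }
        $client.EndConnect($ar)
        return 'OPEN (handshake completed)'
    } catch {
        # PowerShell wraps .NET exceptions; the SocketException is the inner one.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        return "ERROR ($($ex.Message))"
    } finally {
        $client.Close()
    }
}

# ICMP working while every TCP port times out is exactly the pattern in the
# thread, so record both results side by side.
$ping = New-Object System.Net.NetworkInformation.Ping
"ICMP to ${DcName}: " + $ping.Send($DcName, $TimeoutMs).Status

foreach ($p in $Ports) {
    "TCP  {0}:{1,-5} {2}" -f $DcName, $p, (Test-TcpHandshake $DcName $p $TimeoutMs)
}

# State of the offload-related settings the last reply asks to disable
# (chimney, rss, autotuninglevel), captured before any change is made.
netsh int tcp show global
```

Running the same script from a non-domain W2k3 host on the same subnet, where the thread reports the handshake succeeds, gives the control result to compare against.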
