
Sometime last week (while I was on leave) something changed in my network/domain which I cannot pinpoint and we have the below behavior.

My 2 DCs are 2008 R2 and are on a 10.2.128.0/24 subnet (as well as other servers). My clients reside on a 10.2.132.0/22 network.

When a client is on a 10.2.132.x address it works OK; when the IP from DHCP (or manually set) is on 10.2.133.x, 134.x or 135.x it says that it cannot find the domain controller or asks for username and pass. When trying to join the domain from these IPs I get: DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain culture.gr: The query was for the SRV record for _ldap._tcp.dc._msdcs.xxx.xxx

Nslookup works, ping works, telnet on 53 works, dcdiag shows no errors, replication is ok, DNS no errors, DHCP no errors...

    nslookup _ldap._tcp.dc._msdcs.xxx.xxx
    Server:  dc2.xxx.xxx
    Address: 10.2.128.22

    Name:    _ldap._tcp.dc._msdcs.xxx.xxx

If I manually move the client to 10.2.132.xx range it works...

Any suggestions are welcome.

tfonias74
  • You have two different net masks there, are those correct? – Davidw Dec 03 '19 at 06:27
  • Yes, they connect through a core switch that does the routing of the VLANs. It has been working like that for years with no issues. I cannot find out what has changed during the last week. – tfonias74 Dec 03 '19 at 06:29
  • The DNS servers are integrated with Active Directory, correct? – Davidw Dec 03 '19 at 06:57
  • By the way, you should really upgrade your DCs to at least 2016. It's not really that difficult unless your client OSes are old as well. – LeeM Dec 03 '19 at 07:22
  • We are planning to upgrade next year (after upgrading a large part of the infrastructure). – tfonias74 Dec 03 '19 at 08:53

2 Answers


Is the 10.2.132.0/22 subnet defined in AD Sites and Services and assigned to a site?

Maybe someone typoed /24 instead or intended to break it down to class-C subnets and didn't add the additional subnets to the site definitions.

Are the clients registering themselves in DNS on the DCs? (If DHCP is doing it, the clients don't need to be on the domain.)

If there's a firewall between these subnets, are all the required AD ports open bidirectionally between the problem subnets and all the DCs? DNS, Kerberos, LDAP, SMB, RPC, etc.

To check the SRV records from a client, the proper syntax for the nslookup is:

nslookup -type=SRV _ldap._tcp.dc._msdcs.example.com

You should see a list that includes all the DCs in the domain. Try it on a client in the working subnet first for comparison.

Also check that an appropriate DC can be resolved for the AD site the problem client would be in:

nslookup -type=SRV _ldap._tcp.[SiteName]._sites.dc._msdcs.example.com
LeeM
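The two SRV checks above, plus the firewall-port question, combined into one diagnostic to run from a client in the problem subnet and then in the working subnet for comparison. This is an added example, not code from the question or the answer; it assumes Windows 8 / Server 2012 or later (Resolve-DnsName and Test-NetConnection), and the domain and site names are placeholders.

```powershell
# Added diagnostic (not from the original post). Assumes Windows 8 / 2012 or later.
param(
    [string]$Domain   = 'example.com',              # placeholder: your AD DNS domain
    [string]$SiteName = 'Default-First-Site-Name'   # placeholder: site the problem subnet should map to
)

# TCP ports a domain member needs on every DC: DNS, Kerberos, RPC endpoint mapper,
# LDAP, SMB, Kerberos password change, LDAPS, global catalog.
# RPC dynamic ports (49152-65535 on 2008 R2) are not probed here.
$RequiredPorts = 53, 88, 135, 389, 445, 464, 636, 3268

function Get-DcSrvTargets {
    param([string]$Record)
    # One object per SRV record; NameTarget is the DC FQDN, Port is normally 389.
    $answers = Resolve-DnsName -Name $Record -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $answers) { throw "No SRV answers for $Record" }
    $answers | Select-Object NameTarget, Port, Priority, Weight
}

# 1. Domain-wide locator record: should list every DC in the domain.
$domainWide = Get-DcSrvTargets "_ldap._tcp.dc._msdcs.$Domain"
Write-Host "DCs advertised for the domain:" -ForegroundColor Cyan
$domainWide | Format-Table -AutoSize

# 2. Site-specific record: a failure here usually means the client's subnet is not
#    mapped to a site in AD Sites and Services, or the site has no DC assigned.
try {
    $siteDcs = Get-DcSrvTargets "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain"
    Write-Host "DCs advertised for site ${SiteName}:" -ForegroundColor Cyan
    $siteDcs | Format-Table -AutoSize
} catch {
    Write-Warning "Site lookup failed: $_ (check the subnet-to-site mapping)"
}

# 3. TCP reachability to each advertised DC. A port that is BLOCKED from the problem
#    subnet but open from the working subnet points at a firewall/ACL between the
#    segments rather than at DNS.
foreach ($dc in ($domainWide.NameTarget | Sort-Object -Unique)) {
    foreach ($port in $RequiredPorts) {
        $ok = Test-NetConnection -ComputerName $dc -Port $port `
              -InformationLevel Quiet -WarningAction SilentlyContinue
        '{0,-30} {1,5}  {2}' -f $dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}
```

Run it once from each subnet and diff the output; DNS answers that match but ports that differ confirm the problem is in the path between the segments, not in AD or DNS.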

Well, the problem was somehow caused by the Cisco ASA that handles the traffic among the various LAN segments, even though no one claims to have changed anything.

Thanks Trix for the info especially the FW ports, we had to manually add those plus some more. After adding the rule the operation is back to normal.

tfonias74