Unable to connect to AD related mmc from WIN 10 machine when there is no local DC on site

nidhin_ck posted this 2 weeks ago

Hi Experts,

We have a strange situation in our organization. We are unable to connect to ADUC/AD Sites & Services or any other AD-related MMC from Windows 10 machines if there is no domain controller locally (i.e. over the WAN we have this issue). Up to Win 8.1 we don't have any issues.

This is the error message we are receiving.

We are also unable to connect to \\domain.com on the first try; if we try one or two times it gets connected. But if we try to access SYSVOL or NETLOGON directly (\\domain.com\SYSVOL) we are not facing any issues.

We have been working with MS for months on the \\domain.com issue, but we are nowhere.

Regards,

Nidhin.CK

PhilipElder posted this 2 weeks ago

NETBIOS traversal allowed at the edge providing the site-to-site VPN?

Make sure there are no rules in the edge that are blocking and/or filtering the packets.

Philip Elder MCTS
Microsoft High Availability MVP
E-mail: PhilipElder@xxxxxxxxxxxxxxxx
Phone: +1 (780) 458-2028
Web: www.mpecsinc.com
Cloud: www.CanadianCloudWorx.com
Blog: blog.mpecsinc.ca
Twitter: Twitter.com/MPECSInc
Skype: MPECSInc.

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.

aakash posted this 2 weeks ago

Do you limit what ports the clients are able to access? One of our environments had firewall rules set up such that only the first 100 dynamic RPC ports were allowed to the DCs, and this used to mostly work before Win10. However, with Windows 10 it uses the entire RPC port range, so if this is something that is being restricted, try opening it up.

An alternative to allowing NetBIOS traversal is to try disabling NetBIOS altogether and just rely on the DNS suffixes to see if that works (we've started to disable NetBIOS on Win10).

-Aakash Shah

nidhin_ck posted this 2 weeks ago

Hi Philip & Aakash,

I have disabled NETBIOS on the Win10 client machine and it didn't resolve this issue. So do I still need to worry about NETBIOS traversal?

I will check the RPC ports and packet filtering with our network team.

Regards,

Nidhin.CK

idarryl posted this 2 weeks ago

Download Port Query GUI: http://www.microsoft.com/en-gb/download/details.aspx?id=24009
Choose Domains and Trusts, point it towards a couple of close DCs in the domain. If you have problems reading the output, paste it here.
~Darryl

PhilipElder posted this 2 weeks ago

Nidhin,

I suspect the edge providing DHCP services does not supply the mentioned setting above.

The only place we disable NetBIOS is in relation to cluster network objects. Otherwise, we don't disable it, plus we make sure NetBIOS traverse is enabled for remote sites with no server.

What is the reason for disabling it?

Philip Elder MCTS
Microsoft High Availability MVP
E-mail: PhilipElder@xxxxxxxxxxxxxxxx
Phone: (780) 458-2028
www.CommodityClusters.Com
Blog Site
Twitter: MPECSInc
Skype: MPECS Inc.
Cloud: Canadian Cloud Worx

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.

nidhin_ck posted this 2 weeks ago

Hi Philip,

I've disabled NETBIOS on the client machine to test, as suggested by Aakash. I have reverted the settings.

Hi Darryl,

Please find the PortQuery results below.

=============================================
Starting portqry.exe -n DC1.DOMAIN.COM -e 135 -p TCP ...
TCP port 135 (epmap service): LISTENING
portqry.exe -n DC1.DOMAIN.COM -e 135 -p TCP exits with return code 0x00000000.
=============================================
Starting portqry.exe -n DC1.DOMAIN.COM -e 389 -p BOTH ...
TCP port 389 (ldap service): LISTENING
UDP port 389 (unknown service): LISTENING or FILTERED
Using ephemeral source port
Sending LDAP query to UDP port 389...
LDAP query to port 389 failed
Server did not respond to LDAP query
portqry.exe -n DC1.DOMAIN.COM -e 389 -p BOTH exits with return code 0x00000001.
=============================================
Starting portqry.exe -n DC1.DOMAIN.COM -e 636 -p TCP ...
TCP port 636 (ldaps service): LISTENING
portqry.exe -n DC1.DOMAIN.COM -e 636 -p TCP exits with return code 0x00000000.
=============================================
Starting portqry.exe -n DC1.DOMAIN.COM -e 3268 -p TCP ...
TCP port 3268 (msft-gc service): LISTENING
portqry.exe -n DC1.DOMAIN.COM -e 3268 -p TCP exits with return code 0x00000000.
=============================================
Starting portqry.exe -n DC1.DOMAIN.COM -e 3269 -p TCP ...
TCP port 3269 (msft-gc-ssl service): LISTENING
portqry.exe -n DC1.DOMAIN.COM -e 3269 -p TCP exits with return code 0x00000000.
=============================================
Starting portqry.exe -n DC1.DOMAIN.COM -e 53 -p BOTH ...
TCP port 53 (domain service): LISTENING
UDP port 53 (domain service): LISTENING
portqry.exe -n DC1.DOMAIN.COM -e 53 -p BOTH exits with return code 0x00000000.
=============================================
Starting portqry.exe -n DC1.DOMAIN.COM -e 88 -p BOTH ...
TCP port 88 (kerberos service): LISTENING
UDP port 88 (kerberos service): LISTENING or FILTERED
portqry.exe -n DC1.DOMAIN.COM -e 88 -p BOTH exits with return code 0x00000002.
=============================================
Starting portqry.exe -n DC1.DOMAIN.COM -e 445 -p TCP ...
TCP port 445 (microsoft-ds service): LISTENING
portqry.exe -n DC1.DOMAIN.COM -e 445 -p TCP exits with return code 0x00000000.
=============================================
Starting portqry.exe -n DC1.DOMAIN.COM -e 137 -p UDP ...
portqry.exe -n DC1.DOMAIN.COM -e 137 -p UDP exits with return code 0x80000003.
=============================================
Starting portqry.exe -n DC1.DOMAIN.COM -e 138 -p UDP ...
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
portqry.exe -n DC1.DOMAIN.COM -e 138 -p UDP exits with return code 0x00000002.
=============================================
Starting portqry.exe -n DC1.DOMAIN.COM -e 139 -p TCP ...
TCP port 139 (netbios-ssn service): LISTENING
portqry.exe -n DC1.DOMAIN.COM -e 139 -p TCP exits with return code 0x00000000.
=============================================
Starting portqry.exe -n DC1.DOMAIN.COM -e 42 -p TCP ...
TCP port 42 (nameserver service): NOT LISTENING
portqry.exe -n DC1.DOMAIN.COM -e 42 -p TCP exits with return code 0x00000001.

Regards,

Nidhin.CK




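The portqry run above only covers the well-known DC ports, and its UDP verdict "LISTENING or FILTERED" cannot tell a firewall drop from a service that simply did not answer. Aakash's point about Windows 10 using the whole dynamic RPC range is the one the static list does not test: the ADUC and AD Sites and Services snap-ins connect to whichever high port the DC's endpoint mapper hands back. The PowerShell below is an added example, not code from the thread or from any of the posters: it probes the static ports over TCP, where a returned RST ("closed") proves the path is open and a timeout ("filtered") points at a device dropping the SYN, and then asks the endpoint mapper for the DC's actual high ports and probes those too. It assumes the placeholder host name DC1.DOMAIN.COM from the thread and that portqry.exe (the tool Darryl pointed at) is on the PATH.

```powershell
# Added example (not from the thread). Probe DC ports over TCP and distinguish
# "filtered" (no reply within the timeout) from "closed" (RST received).
$Dc = 'DC1.DOMAIN.COM'   # assumption: placeholder DC name from the thread

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        if (-not $task.Wait($TimeoutMs)) { return 'FILTERED (no reply within timeout)' }
        return 'open'
    } catch {
        # Unwrap PowerShell's MethodInvocationException and the AggregateException from Task.Wait
        $e = $_.Exception
        while ($e.InnerException) { $e = $e.InnerException }
        if ($e -is [System.Net.Sockets.SocketException] -and $e.SocketErrorCode -eq 'ConnectionRefused') {
            return 'closed (RST received: host reachable, nothing listening)'
        }
        return "error: $($e.Message)"
    } finally {
        $client.Dispose()
    }
}

# Static DC ports the portqry run above covered, TCP only.
$StaticPorts = [ordered]@{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 139 = 'NetBIOS session'
    389 = 'LDAP'; 445 = 'SMB'; 636 = 'LDAPS'; 3268 = 'Global Catalog'; 3269 = 'Global Catalog SSL'
}
foreach ($p in $StaticPorts.Keys) {
    '{0,5}  {1,-22} {2}' -f $p, $StaticPorts[$p], (Test-TcpPort -ComputerName $Dc -Port $p)
}

# Dynamic RPC range configured on this client (Windows Vista and later default to 49152-65535).
netsh interface ipv4 show dynamicport tcp

# Ask the DC's endpoint mapper which high ports its RPC services are bound to and probe each.
# A WAN firewall that passes only part of the range breaks the snap-ins depending on which
# port a service happened to bind at DC boot, which looks like an intermittent failure.
if (Get-Command portqry.exe -ErrorAction SilentlyContinue) {
    $epm = & portqry.exe -n $Dc -e 135 -p TCP 2>$null
    $highPorts = $epm | ForEach-Object {
        # Endpoint lines look like: ncacn_ip_tcp:DC1.DOMAIN.COM[49155]
        if ($_ -match 'ncacn_ip_tcp:[^\[]+\[(\d+)\]') { [int]$Matches[1] }
    } | Sort-Object -Unique
    foreach ($p in $highPorts) {
        '{0,5}  {1,-22} {2}' -f $p, 'RPC endpoint', (Test-TcpPort -ComputerName $Dc -Port $p)
    }
} else {
    'portqry.exe not found; skipping endpoint-mapper enumeration'
}
```

Run it from the remote site against a DC on the other side of the WAN; a mix of "open" on the static ports and "FILTERED" on some of the endpoint-mapper ports is the pattern Aakash describes.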

kurtbuff posted this 2 weeks ago

Both NetBIOS over TCP/IP and LLMNR need to be disabled (I was going to
say "die in a fire", but wanted to be more polite than that):
https://isc.sans.edu/diary/Is+it+time+to+get+rid+of+NetBIOS%3F/12454
<note the date>
https://www.blackhillsinfosec.com/how-to-disable-llmnr-why-you-want-to/

Kurt

On Fri, Nov 30, 2018 at 6:31 AM Philip Elder wrote:
>
> Nidhin,
>
> I suspect the edge providing DHCP services does not supply the mentioned setting above.
>
> The only place we disable NetBIOS is in relation to cluster network objects. Otherwise, we don't disable it plus we make sure NetBIOS traverse is enabled for remote sites with no server.
>
> What is the reason for disabling it?
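Kurt's recommendation and Aakash's earlier test (disable NetBIOS and rely on DNS suffixes) both come down to the same client-side change, and Nidhin noted he reverted his test afterwards. The script below is an added example, not code from the thread or from either poster: it records the current NetBIOS setting per adapter, disables NetBIOS over TCP/IP on every IP-enabled adapter and LLMNR through the same policy value the "Turn off multicast name resolution" GPO writes, provides a revert path, and then checks that DC discovery still works on DNS alone via the SRV records. It assumes an elevated session and the placeholder domain name domain.com from the thread.

```powershell
# Added example (not from the thread). Disable NetBIOS over TCP/IP and LLMNR on a
# Windows 10 client, with a revert option, and confirm DNS-only DC discovery still works.
$Domain   = 'domain.com'   # assumption: placeholder domain from the thread
$LlmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-NetbiosState {
    # TcpipNetbiosOptions: 0 = take setting from DHCP (default), 1 = enabled, 2 = disabled
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, TcpipNetbiosOptions
}

function Set-NetbiosOverTcpip {
    param([ValidateSet('Disable', 'Revert')][string]$Action = 'Disable')
    $value = if ($Action -eq 'Revert') { 0 } else { 2 }
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                              -Arguments @{ TcpipNetbiosOptions = $value }
        # ReturnValue 0 = applied, 1 = applied but a reboot is required
        [pscustomobject]@{ Adapter = $_.Description; NetbiosOption = $value; ReturnValue = $r.ReturnValue }
    }
}

function Set-Llmnr {
    param([ValidateSet('Disable', 'Revert')][string]$Action = 'Disable')
    if ($Action -eq 'Revert') {
        Remove-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
        return
    }
    if (-not (Test-Path $LlmnrKey)) { New-Item -Path $LlmnrKey -Force | Out-Null }
    # EnableMulticast = 0 is what the "Turn off multicast name resolution" policy sets
    New-ItemProperty -Path $LlmnrKey -Name EnableMulticast -PropertyType DWord -Value 0 -Force | Out-Null
}

# Without NetBIOS, single-label names depend on the DNS suffix search list and DC discovery
# depends on the _ldap._tcp.dc._msdcs SRV records; check both before and after the change.
function Test-DnsOnlyLocator {
    param([string]$DomainName)
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'SRV' | ForEach-Object NameTarget
    [pscustomobject]@{
        SuffixSearchList = (Get-DnsClientGlobalSetting).SuffixSearchList -join ','
        DcSrvTargets     = $srv -join ','
    }
}

Get-NetbiosState
Set-NetbiosOverTcpip -Action Disable
Set-Llmnr -Action Disable
Test-DnsOnlyLocator -DomainName $Domain
# To put things back, as Nidhin did after his test:
#   Set-NetbiosOverTcpip -Action Revert ; Set-Llmnr -Action Revert
```

If DcSrvTargets comes back empty from the remote site, the problem is DNS-side and disabling NetBIOS will make things worse rather than better; fix the SRV resolution first.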

nidhin_ck posted this 6 days ago

We took a network capture while connecting to the AD MMC and found that the SMB connection is getting closed. The same happens when we try to connect to \\domain.com.

In our environment, we do have Cisco WAAS configured with the SMB accelerator feature enabled. Looks like this is causing this issue.

Has anyone on this list configured WAAS with the SMB accelerator feature in your environment?

Regards,

Nidhin.CK
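The capture shows the SMB session being torn down, and the thread has two observations worth lining up against it: opening \\domain.com fails on the first attempt but works on retry, while \\domain.com\SYSVOL works every time. Those are different SMB operations. Reaching a share is a plain tree connect, whereas opening \\domain.com itself enumerates shares through the srvsvc named pipe, that is RPC carried inside SMB; the AD snap-ins likewise carry RPC over SMB named pipes for part of their traffic. Domain controllers require SMB signing on their server side, so any device that proxies or splices SMB sessions to a DC has to pass signed sessions through intact. The PowerShell below is an added example, not code from the thread or from Nidhin: it reproduces both operations from the client, records per-attempt success and latency for the root enumeration, and dumps what the SMB client negotiated (dialect, signing, encryption) so it can be compared with the capture. It assumes the placeholder names domain.com and DC1.DOMAIN.COM from the thread, and that the Windows 10 build exposes the Signed and Encrypted columns on Get-SmbConnection.

```powershell
# Added example (not from the thread). Compare the failing root enumeration with the
# working share access and record the negotiated SMB session properties.
$Domain = 'domain.com'       # assumption: placeholder domain from the thread
$Dc     = 'DC1.DOMAIN.COM'   # assumption: placeholder DC name from the thread

# Client-side signing posture. DCs require signing on the server side, so a middlebox that
# rewrites SMB must preserve signed sessions or the DC drops them.
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature

function Test-DomainRootShareEnum {
    # "net view \\domain.com" is the share enumeration Explorer performs when you open
    # \\domain.com: NetShareEnum over the srvsvc named pipe (RPC inside SMB). The thread reports
    # it failing on the first try only, so retry and time each attempt.
    param([string]$Target, [int]$Attempts = 3)
    1..$Attempts | ForEach-Object {
        $sw  = [System.Diagnostics.Stopwatch]::StartNew()
        $out = & net.exe view "\\$Target" 2>&1
        $sw.Stop()
        [pscustomobject]@{
            Attempt  = $_
            Success  = ($LASTEXITCODE -eq 0)
            Millis   = $sw.ElapsedMilliseconds
            LastLine = ($out | Select-Object -Last 1)
        }
    }
}

Test-DomainRootShareEnum -Target $Domain

# Direct tree connect to the share the thread says always works.
Get-ChildItem "\\$Domain\SYSVOL" -ErrorAction SilentlyContinue | Select-Object -First 3 Name

# What the client negotiated for each open session. If the root enumeration session shows a
# different dialect or an unsigned state compared with the SYSVOL session, that is the point
# to look for in the capture (the Signed/Encrypted columns are blank on builds that lack them).
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Signed, Encrypted, NumOpens

# Which DC the locator chose for this site, and whether clock skew could be breaking Kerberos.
nltest /dsgetdc:$Domain /force
w32tm /stripchart /computer:$Dc /samples:3 /dataonly
```

Run it twice, once with the client on the WAAS-optimised path and once bypassed (or with the SMB accelerator disabled for that client), and diff the two outputs; the negotiated dialect and signing state are the first things a WAN optimiser changes when it interposes itself in an SMB session.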