
Front-end server setup problem 1

Status
Not open for further replies.

jheaton

IS-IT--Management
Jun 6, 2003
I am attempting to set up a Front-end Exchange server in our DMZ per Microsoft recommendations. Our internal network is 192.168.1.0/24 and our DMZ network is 192.168.2.0/24. I have been trying to follow the MS Technet article on the subject, but I have apparently missed something. This is what I’ve done so far. I created a member server on our internal LAN. I then moved it to our DMZ and gave it a new static IP to correspond with the DMZ network (192.168.2.6). Following the Technet article & MS KB article 224196 (configuring RPC to use a single alt. port), I configured our intranet firewall as follows. I also added a static route to point back to our internal network on our front-end server. So, the default route goes to the internet firewall unless the IP address is 192.168.1.0. If it is in the 192.168.1.0 range, traffic should route to the intranet firewall.

Port    Source IP     Destination IP   Protocol
-----   -----------   --------------   --------
80      192.168.2.6   192.168.1.7      TCP
25      192.168.2.6   192.168.1.7      TCP
443     192.168.2.6   192.168.1.7      TCP
691     192.168.2.6   192.168.1.7      TCP
389     192.168.2.6   192.168.1.15     TCP
389     192.168.2.6   192.168.1.15     UDP
3268    192.168.2.6   192.168.1.15     TCP
88      192.168.2.6   192.168.1.15     TCP
88      192.168.2.6   192.168.1.15     UDP
53      192.168.2.6   192.168.1.15     TCP
53      192.168.2.6   192.168.1.15     UDP
135     192.168.2.6   192.168.1.15     TCP
7778*   192.168.2.6   192.168.1.15     TCP


* = Alt. Port for AD replication
192.168.2.6 = Front-end Exchange server
192.168.1.7 = Back-end Exchange server
192.168.1.15 = A DC / DNS server on the internal network


Most things seem to work correctly, in that I’m not seeing much in the way of errors in the event log. I am having the following three issues. I’m not sure if they are related.

#1
In the event log, I see the following error:

Event ID: 1054
Source: Userenv
Description: Windows cannot obtain the domain controller name for your computer network. (an unexplained network error occurred) Group Policy Processing Aborted.

#2
When I try to login remotely using Terminal Services, I get the following error message.
The system cannot log you on due to the following error:
The RPC server is unavailable.

#3
Netdiag fails the following tests

Redir and Browser test . . . . . . : Failed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{72E6D2B3-9EF9-4401-A0D4-B5B330A90FA5}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{72E6D2B3-9EF9-4401-A0D4-B5B330A90FA5}
The browser is bound to 1 NetBt transport.
[FATAL] Cannot send mailslot message to '\\VICTORY*\MAILSLOT\NET\NETLOGON' via redir. [ERROR_BAD_NETPATH]


DC list test . . . . . . . . . . . : Failed
'VICTORY': No DCs are up.


Trust relationship test. . . . . . : Failed
'VICTORY': No DCs are up (Cannot run test).
Secure channel for domain 'VICTORY' is to '\\svrdc2.Victory'.

* Note: Victory is our internal domain name (yes, it's a single level domain, but it is a Windows 2003 R2 domain)

* svrdc2 is the same server referenced as 192.168.1.15

I have not attempted to install Exchange 2003 yet, because I’m afraid the results of the netdiag test indicate a problem. Any ideas or solutions that anyone has on these issues would be much appreciated. Thanks!



 
What if you do a hosts file for the name of your domain controllers and also your backend Exchange box and reboot?
 
Thanks for the suggestion, but after adding the hosts file, I am still seeing the same results. The message in the Application Event log & Net Diag are identical to what they were before. I am relatively sure that DNS resolution is working to some degree because I can ping external addresses from the Front-end server with it configured to use 192.168.1.15 as its only DNS server. I do appreciate your thoughts, though. If you can think of anything else, please let me know.
 
You cannot use hosts files as you must have the appropriate service info for servers such as global catalog and LDAP.

You can configure the front-end server to not use RPCs to locate domain controller services within the intranet. You can edit the "Directory Access" tab in the server's properties in Exchange System Manager to specify the name of the domain controller and global catalog that the front-end server will use.
 
Warning - FYI: if RPC is not enabled, you would need to configure the virtual server to allow anonymous access, which is not recommended.

Are you using IPSec between the front-end and the back-end servers? If so, you will need to enable IP packet filtering instead of port filtering to limit traffic.

Also, looks like you did this but just to verify...
When assigning static port 7778, you did this on all global catalog servers via the registry, correct?
 
WhoKilledKenny,
Where do I configure the front-end server to not use RPCs to locate a domain controller? Is this a local security policy setting?

Yes, I configured port 7778 using the registry per MS's KB article.
 
Open Exchange System Manager (from any Exchange server) and drill down the tree to your front end server(s). Right-click on the server -> Properties -> Directory Access tab.
 
Our front-end server doesn't have Exchange on it yet. I haven't installed Exchange on it because I was afraid of the above error messages being an indication that it couldn't fully talk to the domain. Should I attempt to install Exchange anyway?
 
The server(s) (front end) you have installed in the DMZ, has it been made a member of your domain or is the error keeping it from becoming one?
 
It's a member of the domain. It was physically installed on the local network. I then moved it over to the DMZ and gave it a new static IP.
 
Are you having any issues logging on the domain from the new server?

You said you were going to attempt to install Exchange (front end) into your org. What happens when you attempt this?
 
Exchange refuses to install on the front-end server. The following error message appears when I try to select components to install:

- Setup encountered an error when trying to contact Windows Active Directory. The error was:
- Failed to contact the Schema Master for this AD Forest

-----------------------------------------------------
? - I'm relatively sure this means that there is something incomplete with the ports that are open on my firewall. I'm just not sure what.

If it makes a difference, we have two DC's on our network. In addition to being DC's they are both internal DNS servers for our network.

SVRDC (192.168.1.14) holds the following FSMO roles.
- Schema Master
- Domain Master
- Infrastructure

SVRDC2 (192.168.1.15) holds the following FSMO roles.
- PDC
- RID

SVRDC2 is also the Global Catalog Server

 
From your post it looks like everything is set up ok. The error does state a DNS issue, have you tried to do an nslookup on your domain to see if your DNS responds? From the Front-End server 'c:\nslookup domainname.com'

If feasible, can you temporarily open all ports between the FE and your DC? If the issue goes away, then you can focus on it being a firewall configuration issue.

Here is a good link (you might have read it already).

FYI: just on another note (aside from this issue) - if you have only two DCs, make them both GCs.
 
It's definitely a firewall issue. I am unable to unblock all the ports leading from the DMZ to the internal network, but I got around this by connecting the front-end server to the internal network via our VPN. Not only did the netdiag error message go away, but Exchange no longer complained about not being able to contact the schema master when I started the install. I discontinued the actual install there because I'm not sure of the ramifications of installing Exchange and then disconnecting the VPN connection. Will I go back to having trouble if I do this? What other ports need to be opened that I'm missing?
 
I don't see that you are missing any ports. And it looks like the FE ports to the BE ports and the FE ports to the DC ports are correct. Unless there is a direction issue (inbound vs. outbound).

Another suggestion I saw on Microsoft's site was to install the DNS Server service on the FE servers, configured as a stand-alone zone (no zone transfers back and forth with your AD zones) in which you would have to statically enter the entries and service records for your domain controller. This is the equivalent of a hosts file on steroids.

I would only look at the above in last case scenario... I would keep digging into the firewall until it's resolved.
 
OK, so I finally broke down and looked at a packet sniffer to see which ports my FE server is trying to connect to. It turns out the culprit is SMB! Once I open up either port 445 or 139, everything seems to work correctly. I can login using RDP and Exchange installs without complaints. Of course, there are now over a dozen ports opened up between my FE server and my domain controller. I can't help but wonder how much more secure it is to have the FE server in my DMZ. :-(

Thank you WhoKilledKenny for all your continuing help on this issue. I really appreciate it!
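The thread ends with the original rule table from the first post plus one discovery: SMB (445 or 139) to the domain controller was the missing rule. The following is an added example, not code from the thread or from Microsoft, that turns that finding into a repeatable check: it parses a rule table in the same layout as the one posted above (the copy embedded here is constructed from that post), compares it against a required-services list per destination, and reports what is missing. The required list is assumed, built only from the ports the thread names; the SMB entry is modelled as "either 445/TCP or 139/TCP" because that is what the poster observed. All function and constant names are this example's own.

```python
"""Audit a DMZ -> internal firewall rule table for an Exchange 2003
front-end server against the ports this thread found it needs.

Added example. RULE_TABLE is a constructed copy of the table in the
original post; REQUIRED is assembled from the ports named in the thread
(including the SMB port found missing later) and is an assumption, not
an official Microsoft list.
"""
from dataclasses import dataclass

# Constructed copy of the poster's rule table (same column layout).
RULE_TABLE = """\
Port    Source IP     Destination IP   Protocol
-----   -----------   --------------   --------
80      192.168.2.6   192.168.1.7      TCP
25      192.168.2.6   192.168.1.7      TCP
443     192.168.2.6   192.168.1.7      TCP
691     192.168.2.6   192.168.1.7      TCP
389     192.168.2.6   192.168.1.15     TCP
389     192.168.2.6   192.168.1.15     UDP
3268    192.168.2.6   192.168.1.15     TCP
88      192.168.2.6   192.168.1.15     TCP
88      192.168.2.6   192.168.1.15     UDP
53      192.168.2.6   192.168.1.15     TCP
53      192.168.2.6   192.168.1.15     UDP
135     192.168.2.6   192.168.1.15     TCP
7778*   192.168.2.6   192.168.1.15     TCP
"""

FRONT_END = "192.168.2.6"  # source address of every rule we care about

# Per destination, a list of requirements; each requirement is a set of
# (port, proto) alternatives, any one of which satisfies it.
REQUIRED = {
    "192.168.1.7": [  # back-end Exchange server
        {(80, "TCP")}, {(25, "TCP")}, {(443, "TCP")}, {(691, "TCP")},
    ],
    "192.168.1.15": [  # DC / GC / DNS server
        {(389, "TCP")}, {(389, "UDP")}, {(3268, "TCP")},
        {(88, "TCP")}, {(88, "UDP")}, {(53, "TCP")}, {(53, "UDP")},
        {(135, "TCP")}, {(7778, "TCP")},   # RPC endpoint mapper + fixed AD port
        {(445, "TCP"), (139, "TCP")},      # SMB: either port, per the thread
    ],
}


@dataclass(frozen=True)
class Rule:
    port: int
    src: str
    dst: str
    proto: str


def parse_rules(text):
    """Parse 'port src dst proto' lines; header, separator and blank
    lines are skipped. A trailing '*' on the port (the poster's marker
    for the alternate RPC port) is accepted and stripped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].rstrip("*").isdigit():
            continue
        port = int(parts[0].rstrip("*"))
        rules.append(Rule(port, parts[1], parts[2], parts[3].upper()))
    return rules


def missing_rules(rules, required, src):
    """Return [(dst, [alternatives...])] for each requirement that no
    rule from `src` satisfies. Order follows `required`."""
    allowed = {(r.dst, r.port, r.proto) for r in rules if r.src == src}
    gaps = []
    for dst, needs in required.items():
        for alternatives in needs:
            if not any((dst, p, pr) in allowed for p, pr in alternatives):
                gaps.append((dst, sorted(alternatives)))
    return gaps


if __name__ == "__main__":
    rules = parse_rules(RULE_TABLE)
    print(f"parsed {len(rules)} rules from {FRONT_END}")
    for dst, alts in missing_rules(rules, REQUIRED, FRONT_END):
        wanted = " or ".join(f"{p}/{pr}" for p, pr in alts)
        print(f"missing: {FRONT_END} -> {dst} needs {wanted}")
```

Run against the posted table the only gap reported is SMB to 192.168.1.15, which matches what the packet capture eventually showed; adding a single 445/TCP (or 139/TCP) row makes the report empty. Because the check is driven by the same table you hand to the firewall team, it is also a cheap way to review the rule set afterwards and confirm nothing beyond that list was opened.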
 