Thursday, December 4, 2008

Troubleshooting 'There are no more endpoints available from the endpoint mapper' errors

1. Run the Directory Services MPSReports on the problem domain controllers to gather data.

2. Collect information on network hardware (routers, switches, firewalls) that separate partner domain controllers.

3. Verify the following ports are open on any network hardware separating the domain controllers:

389 TCP (LDAP) or TCP 686 if using Secure Sockets Layer (SSL).
389 UDP (LDAP ping).
88 TCP/UDP (Kerberos).
53 TCP/UDP (DNS).
445 TCP/UDP (SMB over IP traffic).

  • Verify the RPC ports; for more information see KB articles 224196, 154596, and 319553.
  • Portqry can be used to test whether these ports are open; for more information see KB article 310456.

4. Follow the steps listed in KB article 159211 to test for black hole router issues. When a network router receives a packet larger than the Maximum Transfer Unit (MTU) of the next network segment and that packet's IP layer "don't fragment" bit is set, the router should send an Internet Control Message Protocol (ICMP) destination unreachable message back to the sending host. When this does not happen, packets are silently dropped, causing a variety of errors that vary with the application communicating over the failed link.

5. Check for Kerberos fragmentation. To do this, type ping <destination computer> -f -l 1500. Start with 1500 and work up to 2000. If it fails before 2000, packets are probably being fragmented. For more information see KB article 244474.