Active Directory: Firewalled Domain Controller Issues
In implementing a new child domain recently I encountered some strange and typically unhelpful error messages which turned out to be firewall related. Moral of the story, ensure that all of your domain controllers can communicate with each other on all of the ports listed here: http://social.technet.microsoft.com/wiki/contents/articles/active-directory-replication-over-firewalls.aspx
Also, ensure that all of your clients can also communicate on these ports.
Symptoms
When trying to create a new account using dsa.msc:
Windows cannot verify that the user name is unique because the following error occurred while contacting the global catalog: a local error has occurred.
When trying to modify group membership via dsa.msc:
The following Active Directory Domain Services error occurred: The system detected a possible attempt to compromise security.
When browsing the GC using adsiedit.msc:
Operation failed: Error code: 0x80090350. The system detected a possible attempt to compromise security.
Confirm time is the same on all Domain Controllers in the forest, this is especially important if you domain is a child domain.
Test srv records for GC:
- nslookup
- set type=srv
- _ldap._tcp.<site name>._sites.gc._msdcs.<fully qualified domain name>
Confirm replication is working as expected: repadmin /showreps
GC is browsabel via ADSIedit connecting on port 3268