Port-xen archive


RE: XEN preventing W2K3 Server from joining AD domain?



> > I've considered changing from a bridge to a router but I wanted to be
> > sure I've covered all possibilities using the bridge before looking into
> > the router mode. I also have a few Windows 2003 servers that have
> > successfully joined the AD domain as member servers.
> 
> There are a few things that could come into effect. The best way to know
> what is happening (at a connection level) is to quickly tcpdump
> traffic from your AD to your virtualized Windows server, and see if it
> goes through when authenticating to domain.
> 
> # tcpdump -ni <egress-interface> ether host 00:16:3e:00:00:13
> 
> If yes, check the date in the windows server. In virtualized
> environments, clock skew can be important, and as AD has some
> Kerberos thrown in (although I am not familiar with the implementation),
> too much drift is likely to make the join fail.

I'm no tcpdump expert but I went ahead and tried. Results as follows:

xen# tcpdump -ni wm0 src or dst 192.168.101.4 and ether host 00:16:3e:00:00:13
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wm0, link-type EN10MB (Ethernet), capture size 96 bytes
14:22:05.674037 IP 192.168.101.43.57510 > 192.168.101.4.53: 4464+ SRV? _ldap._tcp.dc._msdcs.dawnsign.com. (51)
14:22:05.674670 IP 192.168.101.4.53 > 192.168.101.43.57510: 4464* 2/0/2[|domain]
14:22:05.675127 IP 192.168.101.43.1153 > 192.168.101.4.389: UDP, length 129
14:22:05.675819 IP 192.168.101.4.389 > 192.168.101.43.1153: UDP, length 167
14:22:40.700988 IP 192.168.101.43.57288 > 192.168.101.4.53: 23608+ SRV? _ldap._tcp.dc._msdcs.dawnsign.com. (51)
14:22:40.702221 IP 192.168.101.4.53 > 192.168.101.43.57288: 23608* 2/0/2[|domain]
14:22:41.324153 IP 192.168.101.43.1157 > 192.168.101.4.389: UDP, length 172
14:22:41.325440 IP 192.168.101.4.389 > 192.168.101.43.1157: UDP, length 180
14:22:41.730786 IP 192.168.101.43.137 > 192.168.101.4.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
14:22:41.731324 IP 192.168.101.4.137 > 192.168.101.43.137: NBT UDP PACKET(137): QUERY; NEGATIVE; RESPONSE; UNICAST
14:22:44.545191 IP 192.168.101.43.59809 > 192.168.101.4.53: 37060+ SRV? _ldap._tcp.dc._msdcs.dawnsign.com. (51)
14:22:44.545613 IP 192.168.101.4.53 > 192.168.101.43.59809: 37060* 2/0/2[|domain]
14:22:44.553309 IP 192.168.101.43.1163 > 192.168.101.4.389: UDP, length 129
14:22:44.554065 IP 192.168.101.4.389 > 192.168.101.43.1163: UDP, length 167
14:22:44.658225 IP 192.168.101.43.1164 > 192.168.101.4.389: UDP, length 172
14:22:44.658892 IP 192.168.101.4.389 > 192.168.101.43.1164: UDP, length 180
14:22:44.762538 IP 192.168.101.43.1165 > 192.168.101.4.389: UDP, length 172
14:22:44.762956 IP 192.168.101.4.389 > 192.168.101.43.1165: UDP, length 180
14:22:45.574901 IP 192.168.101.43.137 > 192.168.101.4.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
14:22:45.575488 IP 192.168.101.4.137 > 192.168.101.43.137: NBT UDP PACKET(137): QUERY; NEGATIVE; RESPONSE; UNICAST
14:22:47.857110 IP 192.168.101.43 > 192.168.101.4: ICMP echo request, id 512, seq 7424, length 40
14:22:47.857567 IP 192.168.101.4 > 192.168.101.43: ICMP echo reply, id 512, seq 7424, length 40
14:22:47.857786 IP 192.168.101.43.1167 > 192.168.101.4.445: S 2679016794:2679016794(0) win 65535 <mss 1460,nop,nop,sackOK>
14:22:47.858006 IP 192.168.101.43 > 192.168.101.4: ICMP echo request, id 512, seq 7680, length 40
14:22:47.858332 IP 192.168.101.4.445 > 192.168.101.43.1167: S 3575348173:3575348173(0) ack 2679016795 win 16384 <mss 1460,nop,nop,sackOK>
14:22:47.858334 IP 192.168.101.4 > 192.168.101.43: ICMP echo reply, id 512, seq 7680, length 40
14:22:47.858587 IP 192.168.101.43.1167 > 192.168.101.4.445: . ack 1 win 65535
14:22:47.858662 IP 192.168.101.43.1167 > 192.168.101.4.445: P 1:138(137) ack 1 win 65535
14:22:47.859100 IP 192.168.101.4.445 > 192.168.101.43.1167: P 1:182(181) ack 138 win 65398
14:22:47.866714 IP 192.168.101.43.1167 > 192.168.101.4.445: F 138:138(0) ack 182 win 65354
14:22:47.867161 IP 192.168.101.4.445 > 192.168.101.43.1167: F 182:182(0) ack 139 win 65398
14:22:47.867395 IP 192.168.101.43.1167 > 192.168.101.4.445: . ack 183 win 65354


I am not sure how to interpret this. This is the tcpdump dump of my
attempt to join the domU Win server to the AD domain. 192.168.101.4 is
the AD server and 192.168.101.43 is the domU Win guest.

On a separate issue, I noticed that after the initial bootup of the domU
Win guest, time synchronization no longer works. The time is within 5
minutes of the AD server's time so it shouldn't be a factor. But I am at
this point suspecting the virtual network interface as being the
culprit. But, again, I am unsure as to how to go about diagnosing it.

Are there other vif types besides ioemu that I could look into? I see
that Windows detected and installed the Realtek RTL8139 driver for the
virtual interface. Is this the correct driver to use? I googled for
various vif types but couldn't locate any.

Any additional assistance you could provide would be greatly
appreciated.

~Doug
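To read a capture like the one in this message, here is an added Python script (written for this archive page, not code from the thread or from Xen/NetBSD) that groups the tcpdump lines by the service on the DC side and pulls out the facts that decide a join: whether the SRV lookup returned DCs, whether CLDAP answered, how the SMB session ended, and which expected services (Kerberos, RPC, NTP) never appear at all. The sample lines are copied from the capture above, re-joined one packet per line; the service-to-port map is a general assumption about what a Windows domain join touches.

```python
import re
from collections import Counter

# DC-side ports a join is expected to touch; the post's capture shows only
# the first four, so the others are reported back as "not seen".
DC_SERVICES = {53: "dns", 389: "ldap/cldap", 137: "netbios-ns", 445: "smb",
               88: "kerberos", 135: "rpc-epm", 123: "ntp"}
LINE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})(?:\.(\d+))? > "
                  r"(\d+(?:\.\d+){3})(?:\.(\d+))?: (.*)$")

# Sample input: lines copied from the capture in the post, one packet per line.
SAMPLE = """\
14:22:05.674037 IP 192.168.101.43.57510 > 192.168.101.4.53: 4464+ SRV? _ldap._tcp.dc._msdcs.dawnsign.com. (51)
14:22:05.674670 IP 192.168.101.4.53 > 192.168.101.43.57510: 4464* 2/0/2[|domain]
14:22:05.675127 IP 192.168.101.43.1153 > 192.168.101.4.389: UDP, length 129
14:22:05.675819 IP 192.168.101.4.389 > 192.168.101.43.1153: UDP, length 167
14:22:41.730786 IP 192.168.101.43.137 > 192.168.101.4.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
14:22:41.731324 IP 192.168.101.4.137 > 192.168.101.43.137: NBT UDP PACKET(137): QUERY; NEGATIVE; RESPONSE; UNICAST
14:22:47.857786 IP 192.168.101.43.1167 > 192.168.101.4.445: S 2679016794:2679016794(0) win 65535 <mss 1460,nop,nop,sackOK>
14:22:47.858332 IP 192.168.101.4.445 > 192.168.101.43.1167: S 3575348173:3575348173(0) ack 2679016795 win 16384 <mss 1460,nop,nop,sackOK>
14:22:47.866714 IP 192.168.101.43.1167 > 192.168.101.4.445: F 138:138(0) ack 182 win 65354
"""

def parse(text):
    """Yield (src, sport, dst, dport, info) per tcpdump line; skip the rest."""
    for m in filter(None, map(LINE.match, text.splitlines())):
        src, sp, dst, dp, info = m.groups()
        yield src, int(sp) if sp else None, dst, int(dp) if dp else None, info

def summarize(text, dc_ip):
    """Count packets per DC-side service and extract the join-relevant facts."""
    seen = Counter()
    facts = {"srv_answers": 0, "cldap_replies": 0, "nbt_negative": False,
             "smb_syn_ack": False, "smb_client_fin": False}
    for src, sp, dst, dp, info in parse(text):
        port = dp if dst == dc_ip else sp            # the port on the DC side
        svc = DC_SERVICES.get(port, f"port-{port}")
        seen[svc] += 1
        if src == dc_ip:                             # replies from the DC
            if port == 53 and (m := re.search(r" (\d+)/\d+/\d+", info)):
                facts["srv_answers"] += int(m.group(1))   # answer RRs in reply
            elif port == 389:
                facts["cldap_replies"] += 1
            elif port == 137 and "NEGATIVE" in info:
                facts["nbt_negative"] = True
            elif port == 445 and info.startswith("S ") and " ack " in info:
                facts["smb_syn_ack"] = True
        elif port == 445 and info.startswith("F "):  # guest closed the SMB session
            facts["smb_client_fin"] = True
    facts["not_seen"] = sorted(s for s in DC_SERVICES.values() if s not in seen)
    return seen, facts
```

Run against the full capture, the "not_seen" list tells you at which step the join stopped: DC discovery (DNS/CLDAP) completed and an SMB session was opened, but no Kerberos, RPC or NTP traffic to the DC ever followed.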
