Solved

Active Directory not functioning properly

Posted on 2004-09-26
Last Modified: 2010-02-20
I am running Windows Server 2003 and am getting error messages in event viewer.  

Error 1:
Event ID 4001 DNS
The DNS server was unable to open zone 1.168.192.in-addr.arpa in the Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
(Also got that for my WAN NIC as well)

Error 2:
Event ID 1655 Global catalog
Active Directory attempted to communicate with the following global catalog and the attempts were unsuccessful.
Global catalog:
\\NS1.mydomain.com
The operation in progress might be unable to continue. Active Directory will use the domain controller locator to try to find an available global catalog server.
 
Error 3:
Event ID 1126 Global catalog
Active Directory was unable to establish a connection with the global catalog.
Additional Data
Error value:
8430 The directory service encountered an internal failure.
Internal ID:
3200c45
User Action:
Make sure a global catalog is available in the forest, and is reachable from this domain controller.  You may use the nltest utility to diagnose this problem.

Here's what I get with DCDiag:
Domain Controller Diagnosis

Performing initial setup:
   [ns1] Directory Binding Error 1727:
   The remote procedure call failed and did not execute.
   This may limit some of the tests that can be performed.
   Done gathering initial info.

Doing initial required tests

   Testing server: Mydomain\NS1
      Starting test: Connectivity
         [NS1] DsBindWithSpnEx() failed with error 1727,
         The remote procedure call failed and did not execute..
         ......................... NS1 failed test Connectivity

Doing primary tests

   Testing server: Mydomain\NS1
      Skipping all tests, because server NS1 is
      not responding to directory service requests

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
       ......................... ForestDnsZones passed test CrossRefValidation
**************
Everything else (including the above entry) passed successfully.

I tried running NTDSUTIL and Esentutl in DS restore mode to no avail.
Since most everything's dependent on AD and because it's a Global Catalog server as well, I keep getting the 'Remote procedure call failed and did not execute' errors everywhere.  Why it's happening is beyond me.  Anyone have any ideas?  Thanks.

Question by:bleujaegel
 
LVL 6

Expert Comment

by:Casca1
ID: 12155521
Let's look at the output of an ipconfig /all. Since this appears to be a DNS issue, we need to start from scratch, and verify all settings.
In particular, the DNS error message points at a reverse zone. This shouldn't cause AD to fail; but with all the other errors indicating AD didn't load properly, and it appears to be related to communications, and AD relies on DNS for communication, then we have to conclude DNS is the issue.
Is your network using the reserved network of 192.168.1.0? The reverse lookup says it thinks you are. All that is for reverse lookups, though, and shouldn't be in the way. Go to the DNS console, right-click the server, go to Properties, Monitoring, and test your DNS. Let's see what it returns.
Good Luck!
0
 
LVL 2

Author Comment

by:bleujaegel
ID: 12155603
I tested the DNS and it passed both tests.  Interestingly enough the DHCP service fails to start as well.   I get the same error 'Remote procedure call failed and did not execute'.  The problem does seem to point to DNS, but I can't find anything wrong with it yet...

Here is the IPCONFIG:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : ns1
   Primary Dns Suffix  . . . . . . . : mydomain.net
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : mydomain.net

Ethernet adapter LAN:

   Connection-specific DNS Suffix  . : mydomain.net
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter
   Physical Address. . . . . . . . . : 00-07-E9-13-EF-92
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   Primary WINS Server . . . . . . . : 192.168.1.1

Ethernet adapter WAN:

   Connection-specific DNS Suffix  . : mydomain.net
   Description . . . . . . . . . . . : NVIDIA nForce MCP Networking Controller
   Physical Address. . . . . . . . . : 00-0C-76-E4-37-28
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : My IP
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : ISP Gateway
   DNS Servers . . . . . . . . . . . : ISP DNS 1
                                       ISP DNS 2
0
 
LVL 6

Expert Comment

by:Casca1
ID: 12155637
Hmmm, I was hoping you had the internal DNS set to 127.0.0.1... 8-)
How is network communication working? Can you ping everything internally? From client to server and server to client by IP and by name?
What about LMhosts; Do you have one in use?
Check the status of the RPC services...
My services are set to start RPC automatically, and RPC locator is set to manual. The RPC service is started, but the locator is not.
Check your settings. You might even try a restart of the RPC.
Then we'll start digging in a little deeper into the services, next. Let's see what the status is on these and move forward.
0
 
LVL 2

Author Comment

by:bleujaegel
ID: 12155741
Thanks for the fast response!

On the Server, I pinged Yahoo by name and IP, so reverse lookup is working.  I pinged both NIC's and localhost.  From client, I pinged everything on server and the internet in forward and reverse.  No hitches there.  RPC services are running...even restarted them.  Isn't there a tool for viewing AD?  ADSI or something.  Would like to run Insight for Active Directory or Netpro but don't have that kind of cash.  If you know of any good tools, please let me know.  Thanks again.
0
 
LVL 2

Author Comment

by:bleujaegel
ID: 12155853
Also, I ran netdiag and everything passed except one item:

DC list test . . . . . . . . . . . : Failed
    [WARNING] Cannot call DsBind to mydomain.net (My Wan IP). [RPC_S_CALL_FAILED_DNE]
0

 
LVL 6

Expert Comment

by:Casca1
ID: 12156019
Well, that wasn't quite what I meant, but DNS seems to respond as expected, so I have to change tact here a little.
How do the entries to your DNS server look? Do you have the little subdomains, like
_msdcs
_sites
_tcp
Etc? Is the zone complete? Pinging by IP tests the hardware, pinging by hostname is the test for record entries. Your problem is not the records. It's in resource location, or in configuration.
Tell me about your setup. How many DC's, how many of those are GC's, how is your site(s) configured?
If DHCP isn't working, how are clients getting their address?
0
 
LVL 2

Author Comment

by:bleujaegel
ID: 12157818
DNS does have the above mentioned subdomains.  I only have 1 DC.  It is multihomed.  I have RRAS, Exchange, IIS, TS, RIS, DHCP, and Wins installed.  Only 1 laptop uses DHCP (occasionally), the rest were static.

I tried unchecking 'Global Catalog' and restarting, then re-checking to see if that would fix the problem.  I also reinstalled DNS then AD, but it only seemed to make things worse.  No matter what I do I keep getting the 'The remote procedure call failed..' error for everything (Exchange, DHCP, AD sites and subnets, etc.).

Here is my DCDIAG after the reinstall:

Domain Controller Diagnosis

Performing initial setup:
   [ns1] Directory Binding Error 1727:
   The remote procedure call failed and did not execute.
   This may limit some of the tests that can be performed.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\NS1
      Starting test: Connectivity
         [NS1] DsBindWithSpnEx() failed with error 1726,
         The remote procedure call failed..
         ......................... NS1 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\NS1
      Skipping all tests, because server NS1 is
      not responding to directory service requests

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : (MyDomain)
      Starting test: CrossRefValidation
         ......................... MyDomain passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... MyDomain passed test CheckSDRefDom

   Running enterprise tests on : MyDomain.net
      Starting test: Intersite
         ......................... MyDomain.net passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... MyDomain.net failed test FsmoCheck

This one is pretty nasty.  Thanks for the help!
0
 
LVL 6

Accepted Solution

by:
Casca1 earned 250 total points
ID: 12166123
When's the last restore?
What you need to do is rebuild the server from scratch, from what I can tell. Something's busted, and busted bad.
While RPC SAYS it's running, it most obviously isn't responding to queries.
Ordinarily, I would start looking at hardware, or another system not communicating, but that's not it. Not using ISA, so it isn't getting in the way. Tell me, did you recently enable RRAS and set some default routes? Or attempt to configure like NAT or something? Possibly try to setup a VPN connection?
Something is blocking communication. While it might be possible to troubleshoot and resolve, in a production environment, you need an answer that fixes your problem. While it's a little drastic, a complete re-install and then restore from a recent backup, preferably from before the last major change, should fix you back up.
Jeez, I've done something similar, a couple times, and it sure got me in some hot water. But, I'm also being allowed to build my test network.
8-)
Good Luck!
0
 
LVL 2

Author Comment

by:bleujaegel
ID: 12331435
I forgot to mention that I had ISA installed, so you were partially right.  Uninstalling ISA got rid of the 'Remote Procedure Call' error.  In the end, I'm not sure what else went wrong, but I just decided to reinstall.  Thanks for the help.
0
 
LVL 11

Expert Comment

by:marek1712
ID: 23219455
I had a similar problem - just solved it a moment ago.
"[serwerAD] Directory Binding Error 1727:
   Win32 Error 1727"
In my case it was Kaspersky Internet Security with two stupid rules:
"Block local TCP/UDP services".
C:\Users\Administrator>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = serwerAD
   [serwerAD] Directory Binding Error 1727:
   Win32 Error 1727
   This may limit some of the tests that can be performed.
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERWERAD
      Starting test: Connectivity
         [SERWERAD] DsBindWithSpnEx() failed with error 1722,
         Win32 Error 1722.
         ......................... SERWERAD failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERWERAD
      Skipping all tests, because server SERWERAD is not responding to
      directory service requests.

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : przyklad
      Starting test: CheckSDRefDom
         ......................... przyklad passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... przyklad passed test CrossRefValidation

   Running enterprise tests on : przyklad.pl
      Starting test: LocatorCheck
         ......................... przyklad.pl passed test LocatorCheck
      Starting test: Intersite
         ......................... przyklad.pl passed test Intersite
0
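
An added example, not part of the thread: a small triage of dcdiag text output that separates RPC bind failures (the 1722/1726/1727 codes quoted above) from other failures, the pattern that in this thread was traced to ISA and to a host firewall rule. The sample report, its host and domain names, and the verdict labels are constructed for illustration.

```python
import re

# Win32 codes that appear in the diagnostics quoted in this thread.
RPC_CODES = {1722: "RPC_S_SERVER_UNAVAILABLE",
             1726: "RPC_S_CALL_FAILED",
             1727: "RPC_S_CALL_FAILED_DNE"}
LOCATOR_CODES = {1355: "ERROR_NO_SUCH_DOMAIN"}

CODE_RE = re.compile(r"(?:Binding Error|failed with error|call failed, error) (\d+)")
RESULT_RE = re.compile(r"\.{5,} (\S+) (passed|failed) test (\S+)")

def triage(report):
    """Classify a dcdiag text report by failed tests and Win32 error codes."""
    text = " ".join(report.split())  # undo console wrapping and blank lines
    codes = sorted({int(c) for c in CODE_RE.findall(text)})
    results = RESULT_RE.findall(text)
    failed = [(who, test) for who, verdict, test in results if verdict == "failed"]
    passed = [(who, test) for who, verdict, test in results if verdict == "passed"]
    rpc = [RPC_CODES[c] for c in codes if c in RPC_CODES]
    connectivity_failed = any(test == "Connectivity" for _, test in failed)
    if connectivity_failed and rpc and passed:
        # RPC bind fails while other tests pass: check host firewall/filtering first.
        verdict = "rpc-bind-failing"
    elif failed:
        verdict = "other-failure"
    else:
        verdict = "clean"
    return {"verdict": verdict, "rpc_errors": rpc,
            "locator_errors": [LOCATOR_CODES[c] for c in codes if c in LOCATOR_CODES],
            "failed": failed, "passed_count": len(passed)}

# Constructed sample modelled on the output in this thread (names are made up).
SAMPLE = """
Performing initial setup:
   [DC1] Directory Binding Error 1727:
   The remote procedure call failed and did not execute.
   Testing server: Default-First-Site-Name\\DC1
      Starting test: Connectivity
         [DC1] DsBindWithSpnEx() failed with error 1726,
         ......................... DC1 failed test Connectivity
   Running partition tests on : ForestDnsZones
         ......................... ForestDnsZones passed test

         CrossRefValidation
   Running enterprise tests on : example.test
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         ......................... example.test failed test FsmoCheck
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```
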
