"The Directory Service failed to create the server object..." "The RPC server is unavailable" adding 2000server to a domain with 2003server as 1st domain controller in 1st forest

I have a brand new Windows 2003 server up and running with Active Directory and DNS, with a new domain/forest/etc. (the only one in our organization) called 'umapinc.com'.  In a testing environment (i.e. this server and an identical one sitting right next to it on the same LAN/subnet) I was able to add a second Windows 2003 server, no problem.  Unfortunately, neither of these servers will reside in this LAN/subnet location; both are slated to be installed in other offices.  I tried adding the 2000 server that does belong in this office to the domain with both 2003 servers still next to me on the local LAN, but it had multiple problems (some of which looked like it was pointing to 2003 server #2 as the primary server, though I could be mistaken, but which of course would have been wrong, even though DNS was set correctly to point to 2003 server #1 as primary, and itself as secondary).

So, I tried removing the 2000 server from A.D., which repeatedly failed, saying something like it couldn't contact the primary server to remove itself, etc.  I then had the same problem with 2003 server #2 when I tried to remove it.  I wound up removing 2003 server #2 using 'dcpromo /forceremoval', formatted and reinstalled the 2000 server, since it isn't really a production server yet, and removed Active Directory altogether from 2003 server #1 (the 1st).  I then removed DNS from #1 and reinstalled Active Directory, letting it configure DNS along the way, again for the domain 'umapinc.com'.  I now had to ship server #2 across the country to the office where I will install it, so I can't do anything with it.  However, after finishing all configuration on #1, and recreating the A.D. environment of users, sites, OUs, etc., I went to configure DNS on the 2000 server, which it did successfully (or so it looked), but now when I run dcpromo on the 2000 server to try to add it as an additional D.C. for the existing domain 'umapinc.com', it comes up with the correct name for the 1st/primary controller (#1) in its first steps, but when it gets to the 'creating the server object' step, it fails every time I try, stating 'The directory service failed to create the server object for (....this server....umapinc.com....on server #1).  Please ensure the network credentials provided have sufficient access to add a replica.  "The RPC server is unavailable".'   Over.....and over.....and over....no matter what I try *augh*!

I've made sure the user ID and password I give it to use in dcpromo is a member of Domain Admins, Schema Admins, and Enterprise Admins, and tried turning on the 'trust for account delegation' checkbox on the user ID.  I can ping #1.umapinc.com (the real name is umegis1.umapinc.com, but #1 makes this easier to follow), and nslookup returns the proper IP address for the server and name.  Furthermore, the rpcss service is running on both #1 and the 2000 server.  I've googled this to death and looked in Experts-Exchange at identical or nearly identical problems and tried their suggestions, which include the above tests.  Still I can't get this going.  I wonder in the back of my mind if #2 will have the same problem when I go to dcpromo it in a week when I'm travelling to our remote office to install it, but I have no idea at this point, because I don't know what the problem is.  All I can see that is different from the initial successful test of A.D. is this:
1) Initially, I was working with 2 identical 2003 servers, #1 and #2
2) Initially, I was using the 2 servers on the same LAN/subnet.  Replication and everything was going smoothly.

Now, however, I'm trying to get the 2000 server attached as a new D.C., not just an identical 2003 server.  Also, now #1 is in another office, connected to this office over VPN through Cisco routers and a Cisco PIX, which otherwise has worked just fine for the past 6 years.  I noticed in another post on this issue that the guy said something about the 2 servers being in 2 different offices and having problems, and then later he took the one server to the same office as the other, and something started happening, although it didn't fix everything.  The things that make me dismiss the idea that the separate WAN locations are the problem are: a) I k.n.o.w. Active Directory is supposed to work across WAN VPN links, is it not? and b) the 2000 server had problems from the get-go, even though #1, #2, and the 2000 server were initially right next to each other, physically, and on the same LAN.

Now, I have the next week to get this working smoothly with #1 and 2000server, while #2 is en route to our remote office.  But come a week from Monday (5/23), I need this working smoothly so I can fire up #2 and add it as another d.c. to our umapinc.com domain.  So, for now...HELP!! :-)
(and b.t.w. #1 and #2 are W2003 SP1, and 2000server is running SP4 and all are completely up to date with Windows Update)
vico1CIOCommented:
There is one thing that you forgot to do: adprep /forestprep. You must run this tool before you join the servers. Did you do that?

Now for your VPN connection: your problems seem to be from NAT and LAT. Take a good look (on both servers) to see if they are set up properly. Or bypass the Cisco altogether and connect the two servers via VPN and see if you still have the problem. Start simple first; there are too many other factors that can cause your problem.


Vico1
atyarAuthor Commented:
Well, I had not specifically tried to run the adprep utility as you suggested, but when I did so after reading your post, it returned a message saying that it had already been run, therefore it will not run again.  Still, I tried joining 2000server to the domain and it fails at the very same step.

As for the Cisco idea, I really can't bypass Cisco - the vpn link is the only link between our two offices between the Cisco equipment.  Perhaps you have something in mind by what you mean with 'Connect the two servers VIA VPN and see if you still have the problem." that I'm not understanding.  Could you elaborate on what you're suggesting with this?
vico1CIOCommented:
When I say bypass, I mean instead of connecting the servers through a network, do an end-to-end VPN.
Windows 2000 and 2003 come with a built-in VPN.

The thing is, you don't know for sure that your problem is coming from the servers, or whether something is causing it along the way.
By doing a VPN between the two servers you are bypassing everything between them.
From your post, you said: "2) Initially, I was using the 2 servers on the same LAN/subnet.  Replication and everything was going smoothly."
Install RAS on the servers.
Then use VPN to connect them directly.

I hope that helped.
vico1


atyarAuthor Commented:
Well, my point #2, unfortunately, involved 2003 servers on both......when I tried adding 2000server to the domain while the main d.c. was on the same subnet, it had problems - somehow it was relating to the #2 as a primary server, rather than #1, even though dns pointed to #1, and multiple other errors were coming up in the event viewer.  Also, this was a server that used to be a domain server on another network in another office years ago, and I thought maybe I should just reinstall it from scratch and do a 'clean' installation onto the domain.  So, I killed a.d. on #2 before I shipped it out to the remote office.  I also killed a.d. on #1, so the domain no longer existed.  Then, I re-created the domain on #1 and got everything running error free on #1, which was then in its true office location (across the street from the office in which I and 2000server operate, joined to our office with Cisco vpn).  Now, I'm trying to do the clean add of freshly-installed 2000server onto the domain, and am getting the errors I describe.

A couple of thoughts on your suggestion - one is - it occurred to me that the Cisco configuration could be a culprit, much as you're getting at in your suggestion.  I need this to work over the vpn, however, for security and other considerations, so I think on Monday I'll get a Cisco TAC case started to examine my firewall configurations on both sides and see if I need to add anything for A.D. - I quite possibly might need to.  If Cisco comes up dry with an explanation for my problems, I'll post the results back to this thread.  If Cisco is the problem, you'll get the points, as you started me along that line of thinking.  If Cisco isn't it, we still have some work to do first :-)
vico1CIOCommented:
OK, let's see what'll happen.

Good luck!

Vico1
atyarAuthor Commented:
So far, not much help from Cisco - appears I've drawn a cisco tech who is inexperienced with a.d. - *sigh*.
He's trying to help with troubleshooting the idea that the vpn link is not passing the rpc traffic, but in a slow manner.  In the meantime, I found another post on E.E. with the same problem (unfortunately no resolution shown), but I invited someone who commented on that issue to view this thread and offer any advice, which the profile said they're open to.  I tried installing a vpn client on the 2000server to connect to the remote office network before running dcpromo, in case that might 'bypass a problem', but then dns lookups to find the domain didn't even work, so had to scratch that idea :(
atyarAuthor Commented:
b.t.w. I just tried your idea of setting up r.a.s. on both servers, and then connecting over a vpn link between the two, and the same error occurred. I paid attention to the connection icons for both the lan and newly-created vpn link on 2000server, and I saw it funneling traffic through (i.e. lights were blinking back and forth) the vpn, but no luck.
vico1CIOCommented:
Do you have any firewall running on either servers or port filtering enable on any of them?
atyarAuthor Commented:
Unfortunately not - as a matter of fact, Windows Firewall doesn't even seem to run when RRAS is configured, and I found documentation to that effect on the web.
'For my next trick'.........I'm installing Windows 2000 Server on a laptop, which I 'hope' will do the same thing when I try to add it as a second domain controller.  Then, I'm going to take it over to the other office so it's on the same LAN as #1, and then try to add it.  That should tell us for sure whether it's a VPN-link/WAN issue between the two offices or not. (I think :)
atyarAuthor Commented:
Ok, so far so good.....or is it bad....anyway
Dcpromo on the laptop failed at the same step and same error message as 2000server has been.  So, next I'll take it over to the other office and try it there.....
Debsyl99Commented:
Hi

You asked me to have a look - so here I am! Can I just check as I'm a bit short of time today and so have just scanned your posts through. Have you managed to add a 2000 DC yet successfully? If not - could you check on the domain functional level and let me know what it is? Just a thought,

Deb :))

Useful Site
What are the domain and forest function levels in a Windows Server 2003-based Active Directory?
http://www.petri.co.il/understanding_function_levels_in_windows_2003_ad.htm
vico1CIOCommented:
Then the problem is on the primary DC.

I would like you to take a look at the following link:
http://support.microsoft.com/default.aspx?scid=kb;en-us;838179

Vico1
atyarAuthor Commented:
Well, my test with the laptop running 2000server was successful.  I tried adding it to the domain as a 2nd d.c. across the vpn wan link, and it failed with the 'rpc server' message, as stated above.  Then, I took it across the street and connected it on the same lan as #1, the primary and only d.c. on the domain, and it added to the domain gracefully without error, replicated all a.d. objects, etc., and then was able to gracefully demote back down to a member server on the domain without error.

I'd say the blame rests squarely on the vpn/wan configuration not passing the necessary traffic through, don't you agree?  That's where I was hoping Deb might have some insight to share, as she had posted on another post with this problem about the type of traffic needed to pass for a.d.

Thanks for the other ideas.  As a matter of fact, yesterday I checked that domain functional level and changed it from Win2K mixed to Win2K native, hoping that might have some effect, but it didn't do anything for this particular problem.

Might either of you have any further suggestions?  I'm going to take the results of this test back and bug the Cisco tech to step it up a bit, given what I at least interpret as a pretty convincing implication of the Cisco config being the problem....

Thanks again! -Al
atyarAuthor Commented:
By the way, Vico, I'm still wondering if the ras connection might be a workaround.  The way I set it up though, was internal address to internal address, which means it is still going through the Cisco vpn tunnel, and still prone to the same problem.  Did you have some other way in mind to create that ras link, that would somehow avoid the vpn tunnel?
vico1CIOCommented:
I was hoping that the tunnel would shield the traffic protecting it along the path that seems to be the problem.

So don't even waste your time on that previous link since the problem seems to converge on the link between the Servers.
As far as Cisco they are very good when it comes to customer service.
Maybe you should direct them to this link for them to see the steps that you have already taken. that will probably give them a head start on this issue.

I have a client where the two servers are connected with VPN and it is working fine. That was not by choice, but I had to work with the limited resources that I had.

The only problem was that sometimes the VPN would drop out of the blue. To work around that I created a small script on both servers to check each other and to initiate the VPN if they do not see each other. If your issue comes to that I will be glad to send you the script.

Vico1
Debsyl99Commented:
Hi

Yes I would agree - just wanted to check that out first. Have you configured active directory sites and services - the new dc will need to be in a different site within AD - you'll also need to configure the site link to pass the necessary traffic - use IP. Make sure the new DC is also on a separate subnet - and then define the subnets in the Sites and Services snap-in.

Also have you attempted to open up traffic between the sites via the wan link? And how?
Step-by-Step Guide to Active Directory Sites and Services
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/adsrv.mspx

In relation to the PIX - you'll need to make sure you've established a secure tunnel first, configure the relevant interfaces, then permit traffic over the tunnel between the two servers on the relevant ports required for AD. We use IPsec - 3DES-SHA encryption. What's the PIX you're using?

Can you confirm how far you've got with this? My previous post had included a link to AD ports for replication over firewalls - am assuming you already checked this and implemented it, but let me know.

I set up a successful site to site vpn - site servers on 3 sites - using pix 501/506 and all is well with replication, so let me know. I did have to get the secure tunnel working first - although I did configure the second dc to be in a separate site within AD prior to relocating it to another office.

atyarAuthor Commented:
Well, I was testing some with Cisco, and got it to successfully add to the domain and replicate by completely removing my access lists from the interfaces on the router in the office with the PDC.  From there, we removed statements that were blocking TCP port 593 from the access lists, as that is specifically listed as an RPC-utilized port.  However, I continue to get some errors when re-applying the access lists, so I'm looking at those now to see if I need to eliminate some more of what they're blocking.  Here are the access lists as they stand now - these were enacted a few years ago during the Blaster worm fiasco, so some of what they're doing is obsolete, I'm sure.
Access-list 125 is on our Ethernet0 interface, while 115 is on the FastEthernet0 interface:
access-list 115 permit ip 172.20.56.0 0.0.3.255 172.20.40.0 0.0.3.255
access-list 115 permit ip 172.20.56.0 0.0.3.255 172.20.48.0 0.0.3.255
access-list 115 permit ip 172.20.56.0 0.0.3.255 192.168.1.0 0.0.0.255
access-list 115 permit ip host 172.20.56.98 10.0.0.0 0.0.0.255
access-list 115 permit ip host 172.20.56.2 11.0.0.0 0.0.0.255
access-list 115 permit ip 172.20.56.0 0.0.3.255 172.20.44.0 0.0.3.255
access-list 115 deny   udp any any eq tftp
access-list 115 deny   tcp any any eq 135
access-list 115 deny   udp any any eq 135
access-list 115 deny   udp any any eq netbios-ns
access-list 115 deny   udp any any eq netbios-dgm
access-list 115 deny   tcp any any eq 139
access-list 115 deny   udp any any eq netbios-ss
access-list 115 deny   tcp any any eq 445
access-list 115 deny   tcp any any eq 4444
access-list 115 permit ip any any
access-list 125 deny   53 any any
access-list 125 deny   55 any any
access-list 125 deny   77 any any
access-list 125 deny   pim any any
access-list 125 deny   udp any any eq tftp
access-list 125 deny   tcp any any eq 135
access-list 125 deny   udp any any eq 135
access-list 125 deny   tcp any any eq 445
access-list 125 deny   tcp any any eq 4444
access-list 125 deny   icmp any any redirect
access-list 125 deny   udp any any eq snmp
access-list 125 permit esp any any
access-list 125 permit udp any eq isakmp any eq isakmp
access-list 125 permit ip 172.20.40.0 0.0.3.255 172.20.56.0 0.0.3.255
access-list 125 permit ip 172.20.48.0 0.0.3.255 172.20.56.0 0.0.3.255
access-list 125 permit ip 192.168.1.0 0.0.0.255 172.20.56.0 0.0.3.255
access-list 125 permit ip 10.0.0.0 0.0.0.255 host 172.20.56.98
access-list 125 permit ip 11.0.0.0 0.0.0.255 host 172.20.56.2
access-list 125 permit ip 172.20.44.0 0.0.3.255 172.20.56.0 0.0.3.255
access-list 125 deny   ip 0.0.0.0 0.255.255.255 any
access-list 125 deny   ip 10.0.0.0 0.255.255.255 any
access-list 125 deny   ip 127.0.0.0 0.255.255.255 any
access-list 125 deny   ip 169.254.0.0 0.0.255.255 any
access-list 125 deny   ip 172.16.0.0 0.15.255.255 any
access-list 125 deny   ip 192.168.0.0 0.0.255.255 any
access-list 125 deny   ip 224.0.0.0 15.255.255.255 any
access-list 125 deny   ip 240.0.0.0 7.255.255.255 any
access-list 125 deny   ip 248.0.0.0 7.255.255.255 any
access-list 125 deny   ip host 255.255.255.255 any
access-list 125 permit icmp any any echo
access-list 125 permit icmp any any echo-reply
access-list 125 permit icmp any any unreachable
access-list 125 permit icmp any any packet-too-big
access-list 125 permit icmp any any time-exceeded

And the PIX is a 515E, running 6.3(4), which I only upgraded yesterday from 6.0, at Cisco's recommendation.
I'm going to keep the access lists unapplied and run through a cycle of promoting, rebooting, and seeing how it does.  What it was doing after we got past the initial dcpromo problem: when it rebooted, it would hang on the 'loading personal settings' step, and I'd see in the event viewer that it was having trouble contacting, 'RPC server not available' again, etc.
atyarAuthor Commented:
In looking over my access lists, I see access-list 115 is already permitting all traffic between our subnets at the top of its list, so I doubt that is a culprit in my problem.  Access-list 125, however, denies certain ports before it gets to the statement about allowing all traffic between our subnets.  Since access-lists are evaluated top to bottom until it finds a match, I added statements to the top of list 125 allowing all traffic between the specific ip's of the 2ndary servers and the ip of the pdc behind this router.  If my understanding of access lists serves me, I think that will nullify any problems with the access lists going forward.  Do you agree?
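The ordering question in the post above, together with Deb's earlier point about which ports AD needs through the firewall, can be checked mechanically rather than by reading the list by eye. What follows is an added example, not code from the thread or from Cisco: a small first-match evaluator for the IOS numbered extended ACL syntax the posted lists use (`any`, `host`, address plus contiguous wildcard mask, `eq`, and additionally `range`), run over an excerpt of the posted access-list 125. The replica and DC addresses 172.20.40.10 and 172.20.56.10 are assumed for illustration (they only need to fall inside the posted subnets), and the table of DC TCP ports is the well-known set for Windows 2000/2003 domain controllers, not something taken from the thread. The evaluator shows why dcpromo kept reporting "The RPC server is unavailable": the Blaster-era `deny tcp any any eq 135` and `deny tcp any any eq 445` entries sit above the subnet permit, so the RPC endpoint mapper and SMB are refused for every source, the new DC included, while LDAP, Kerberos and DNS on the same list get through. It also contrasts the thread's fix (a `permit ip host ... host ...` entry at the top, which opens every protocol between the two hosts) with a narrower per-port variant; the narrow variant must include the dynamic RPC range as well, because the endpoint mapper on 135 answers with a high port (1025-5000 by default on Windows 2000/2003 unless restricted in the registry).

```python
# Added example, not code from the thread: a first-match evaluator for Cisco IOS
# numbered extended ACLs, run over an excerpt of the posted access-list 125 to show
# which AD ports its "deny tcp any any eq 135/445" entries cut off before the
# subnet permit further down is ever reached.
import ipaddress
from collections import namedtuple

PORT_NAMES = {"tftp": 69, "snmp": 161, "isakmp": 500}   # IOS port keywords in the posted list 125
# TCP ports a new replica must reach on a Windows 2000/2003 DC (well-known values);
# the endpoint mapper on 135 then hands back a dynamic high port that must be open too.
AD_TCP_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
                445: "SMB/SYSVOL", 464: "kpasswd", 636: "LDAPS", 3268: "Global Catalog"}

Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(None, None, None))
# sport/dport are inclusive (lo, hi) tuples, or None for "any port".
Ace = namedtuple("Ace", "text action proto src dst sport dport icmp_type")

def _in(rng, port):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def matches(ace, p):
    return (ace.proto in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in ace.src
            and ipaddress.ip_address(p.dst) in ace.dst
            and _in(ace.sport, p.sport) and _in(ace.dport, p.dport)
            and ace.icmp_type in (None, p.icmp_type))

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _wildcard_net(addr, wildcard):
    """IOS wildcard (inverse) mask -> network; only contiguous masks are supported."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    base = int(ipaddress.IPv4Address(addr)) & ~w & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, 32 - w.bit_length()))

def _take_addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at t[i]; return (net, next i)."""
    if t[i] == "any":
        return _wildcard_net("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return _wildcard_net(t[i + 1], "0.0.0.0"), i + 2
    return _wildcard_net(t[i], t[i + 1]), i + 2

def _take_ports(t, i):
    """Consume an optional 'eq P' or 'range LO HI' operator at t[i]."""
    if i < len(t) and t[i] == "eq":
        return (_port(t[i + 1]),) * 2, i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i

def parse_acl(lines, number):
    """ACEs of access-list <number> in written order; lines of other lists are skipped."""
    aces = []
    for raw in lines:
        t = raw.split()
        if len(t) < 6 or t[:2] != ["access-list", str(number)]:
            continue
        src, i = _take_addr(t, 4)
        sport, i = _take_ports(t, i)
        dst, i = _take_addr(t, i)
        dport, i = _take_ports(t, i)
        icmp_type = t[i] if t[3] == "icmp" and i < len(t) else None
        aces.append(Ace(" ".join(t), t[2], t[3], src, dst, sport, dport, icmp_type))
    return aces

def evaluate(aces, pkt):
    """Top to bottom, first match wins; no match is IOS's implicit deny."""
    for ace in aces:
        if matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny ip any any"

def blocked_ad_ports(aces, replica, dc):
    """AD TCP ports the replica cannot reach on the DC -> (service, blocking ACE)."""
    out = {}
    for port, name in AD_TCP_PORTS.items():
        action, hit = evaluate(aces, Packet("tcp", replica, dc, 1025, port))
        if action != "permit":
            out[port] = (name, hit)
    return out

# Excerpt of the posted list 125, in posted order: the entries replica->DC traffic
# meets before it matches (the later bogon and ICMP entries are never reached by it).
POSTED_125 = """
access-list 125 deny   tcp any any eq 135
access-list 125 deny   udp any any eq 135
access-list 125 deny   tcp any any eq 445
access-list 125 permit udp any eq isakmp any eq isakmp
access-list 125 permit ip 172.20.40.0 0.0.3.255 172.20.56.0 0.0.3.255
""".split("\n")
REPLICA, DC = "172.20.40.10", "172.20.56.10"   # assumed hosts inside the posted subnets
# The thread's fix, prepended: all traffic between the two hosts (wider than needed).
BROAD_FIX = [f"access-list 125 permit ip host {REPLICA} host {DC}"]
# Tighter alternative: only the DC ports, plus Windows 2000/2003's default dynamic
# RPC range 1025-5000 that the endpoint mapper's answer will point into.
NARROW_FIX = [f"access-list 125 permit tcp host {REPLICA} host {DC} eq {p}" for p in AD_TCP_PORTS]
NARROW_FIX.append(f"access-list 125 permit tcp host {REPLICA} host {DC} range 1025 5000")
```

`blocked_ad_ports(parse_acl(POSTED_125, 125), REPLICA, DC)` returns entries for 135 and 445 only, each naming the `deny ... eq` line that stopped the packet; with either `BROAD_FIX` or `NARROW_FIX` prepended to the list it returns an empty dict. The evaluator deliberately raises on non-contiguous wildcard masks and knows only the port keywords present in the posted list 125, so extend `PORT_NAMES` with the `netbios-*` keywords before feeding it list 115.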
atyarAuthor Commented:
Ok......like Drew Carey says on 'Whose Line is it Anyway'.....
1000 points for everybody!

After adding the access-list statements to allow all traffic between d.c's, I was down to a user profile setting error in event viewer and slow logon.  I found a utility on Microsoft's site called 'uhpci something or other', a user hive cleanup utility that streamlines the personal settings stage in startup.  After installing this and rebooting, 2000server boots quickly and error-free, properly replicating the domain.

Woot!
Debsyl99Commented:
Yay! - glad to hear it

Deb :))
vico1CIOCommented:
Cool! :)