Solved

Cannot create DC at new site 'RPC Server Not Found'

Posted on 2008-06-19
2,649 Views
Last Modified: 2012-06-21
I've been struggling all day to promote a new DC in a branch site.

The main office is on 192.168.44.0/24 with a branch on x.x.45.0/24.

The PDC is located at .44.2 and the remote DC will be located at .45.2

Most of the process completes. Both systems are in the Domain Controllers OU and are members of the Domain Controllers security group. DNS is resolving by name to all systems across a VPN line joining a pair of Hotbrick firewall/router boxes.

Two sites have been created by Subnet. I have tried promoting the DC with and without DNS (normally I prefer to wait on DNS until I have the DC raised and functional since I am running ADI).

The domain and forest are functional level 2008.

I know, this feels like I should be asking about Fabrikam and Contoso doesn't it?

Sorry it's not a multiple choice... I need to find the permissions error/omission.
The operation failed because:

Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller CN=NTDS Settings,CN=DC2,CN=Servers,CN=Vistazo,CN=Sites,CN=Configuration,DC=rmstrnglaw,DC=local on the remote AD DC DC1.rmstrnglaw.local. Ensure the provided network credentials have sufficient permissions.

"The RPC server is unavailable."

Question by:rmstrnglaw
13 Comments
 
Expert Comment by LauraEHunterMVP (LVL 30)

RPC errors between sites, particularly with VPNs in the mix, are typically indicative of DNS issues or ports being blocked.  Stick Wireshark on the line and/or check your router/VPN logs to see if anything is getting blocked.

Author Comment by rmstrnglaw (LVL 1)

It shouldn't be DNS related since everything resolves by name and IP without a hitch.

It'll have to be a wireshark... since AD would require every port over 1043 to be opened and defeat the purpose of a firewall altogether. Thanks for the suggestion.

I'll get back to you in a couple of hours, heading to the main office now to handle a few things anyhow.

Author Comment by rmstrnglaw (LVL 1)

Okay the only thing I'm finding with Wireshark is a bad checksum on DNS query requests to port 53. Nothing that would make the RPC server unavailable.

Besides, the hardware units are using an IPSec tunnel so the hardware should be pushing everything right through. There is a global rule on the servers to allow all domain-authenticated traffic unrestricted access from all branch-office subnets.

What are you kidding me? .pcap is restricted even when inside of a .zip archive? Come on EE... this does not make my life any easier here. I've attached the CSV instead.

DC2 is 192.168.45.2
DC1 is using 192.168.44.2 (internal) and 192.168.44.3 (internet)

.3 should not be registering itself in DNS but it's a sneaky bastard and likes to show up in there anyway.

Again, I have a site-to-site VPN setup between a pair of Hotbrick firewall/routers. The networks are effectively joined. Filters are set up by GPO to allow all subnets full access.



Attachment: Wireshark.zip

Expert Comment by Henrik Johansson (LVL 31)

The default behaviour is that the NIC shall register itself in DNS. Uncheck the checkbox in TCP/IP-settings->advanced->DNS
To get the DC-communication working over firewall, see http://support.microsoft.com/kb/555381

Author Comment by rmstrnglaw (LVL 1)

Already did that, it's still registering.

The real question... is that relevant to my problem?

Author Comment by rmstrnglaw (LVL 1)

Okay I'm going to try forcing replication through a specific range of upper end ports via GPO.

http://technet.microsoft.com/en-us/library/bb727063.aspx

Most of those ports are already open. The details on forcing replication through ports via registry key are also listed in this article. If this works, I'm going to wish (once again) that I could assign points to myself. If it doesn't, I really hope I've provided enough information to get some good suggestions.

More when I've had a bit of time to tweak my hardware.

Author Comment by rmstrnglaw (LVL 1)

No dice. Please note again I am connected through a site-to-site VPN and Windows Firewall is turned off.

I do have an alternate error message though.

----------
The operation failed because:

Active Directory Domain Services could not setup replication notifications for the directory partition DC=rmstrnglaw,DC=local on the remote Active Directory Domain Controller DC1.rmstrnglaw.local.

"The RPC server is unavailable."
----------

All FSMO roles are functioning, so far as I can tell. ipconfig looks good. I have name resolution. DC2 is pointing at DC1 for DNS and clearly resolving the domain. This is a replication failure.

Hell I've even forced the ports.

What diagnostics can I put up that may help determine the problem? I have even attempted to clean out old metadata but get errors that the OS was never a server so that isn't the issue.

Expert Comment by Henrik Johansson (LVL 31)

Just to confirm, did you do the registry editing for changing the ports on *all* DCs and also restarted them?

Are the DCs correctly registered in DNS (SRV records)?
Any errors in netdiag or dcdiag?
Anything in the eventlog?
Bad/outdated driver for the NIC?
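Henrik's two questions (were the port values set on every DC, and was each DC rebooted afterwards) are easy to make mechanical. The block below is an added example, not code from the thread or from the linked TechNet article: it pins the NTDS replication and Netlogon RPC ports on each DC through the two registry values that article describes, reads them back so a DC that was missed shows up immediately, and then probes TCP 135 plus the pinned ports across the VPN. The DC list, the port numbers 50000 and 50001, and the use of WinRM/Invoke-Command are assumptions (pick ports outside the dynamic range your firewalls already pass; on a DC without remoting, the commented reg add lines do the same thing locally). The change takes effect only after a reboot, and it covers NTDS and Netlogon only; SYSVOL replication (FRS or DFSR) negotiates its own port and must be pinned separately if the firewall is to stay closed.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell with
# Domain Admin rights. Everything marked "assumption" is not in the original post.
$dcs      = 'DC1', 'DC2'   # assumption: the two DCs named in the thread
$ntdsPort = 50000          # assumption: AD replication (NTDS) RPC port
$nlPort   = 50001          # assumption: Netlogon RPC port

$pin = {
    param($ntds, $nl)
    # Same effect as:
    #   reg add "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"     /v "TCP/IP Port" /t REG_DWORD /d 50000 /f
    #   reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v "DCTcpipPort" /t REG_DWORD /d 50001 /f
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $nlKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    New-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -PropertyType DWord -Value $ntds -Force | Out-Null
    New-ItemProperty -Path $nlKey   -Name 'DCTcpipPort' -PropertyType DWord -Value $nl   -Force | Out-Null

    # Read the values back; a DC that still shows $null was not pinned.
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        NtdsPort     = (Get-ItemProperty -Path $ntdsKey).'TCP/IP Port'
        NetlogonPort = (Get-ItemProperty -Path $nlKey).DCTcpipPort
        RebootNeeded = $true   # the services read these keys only at start-up
    }
}

# Apply on every DC in one pass so the two sites cannot drift apart.
Invoke-Command -ComputerName $dcs -ScriptBlock $pin -ArgumentList $ntdsPort, $nlPort |
    Format-Table Computer, NtdsPort, NetlogonPort, RebootNeeded -AutoSize

# Restart-Computer -ComputerName $dcs -Force   # uncomment inside a maintenance window

# After the reboots, from the branch DC: the endpoint mapper (135) must answer
# and so must both pinned ports. Anything reported BLOCKED is a VPN/firewall
# rule, not an AD permission problem.
foreach ($port in 135, $ntdsPort, $nlPort) {
    $open = Test-NetConnection -ComputerName 'dc1.rmstrnglaw.local' -Port $port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    '{0,-6} {1}' -f $port, $(if ($open) { 'open' } else { 'BLOCKED' })
}
```

Test-NetConnection is a Windows 8.1 / Server 2012 R2 cmdlet; on the 2008 boxes in the thread, PortQry (portqry -n dc1 -e 135 also lists the endpoints the mapper hands out, which is the quickest way to confirm the pinned port is actually being advertised) or telnet to the port serves the same purpose.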

Author Comment by rmstrnglaw (LVL 1)

_gc
_kerberos
_kpasswd
_ldap

All properly registered to dc1.rmstrnglaw.local.

DCDiag Results are in the code box

I am not finding any new NIC drivers and have not seen anything in the event log but will look again.

I will have to install a 2008 compatible version of netdiag on the box.

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\ian>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Embarcadero\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

Doing primary tests

   Testing server: Embarcadero\DC1
      Starting test: Advertising
         ......................... DC1 passed test Advertising
      Starting test: FrsEvent
         ......................... DC1 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC1 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC1 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC1 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC1 passed test NCSecDesc
      Starting test: NetLogons
         [DC1] User credentials does not have permission to perform this
         operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... DC1 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC1 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,DC1] DsReplicaGetInfo(PENDING_OPS, NULL) failed,
         error 0x2105 "Replication access was denied."
         ......................... DC1 failed test Replications
      Starting test: RidManager
         ......................... DC1 passed test RidManager
      Starting test: Services
            Could not open NTDS Service on DC1, error 0x5 "Access is denied."
         ......................... DC1 failed test Services
      Starting test: SystemLog
         ......................... DC1 passed test SystemLog
      Starting test: VerifyReferences
         ......................... DC1 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : rmstrnglaw
      Starting test: CheckSDRefDom
         ......................... rmstrnglaw passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... rmstrnglaw passed test CrossRefValidation

   Running enterprise tests on : rmstrnglaw.local
      Starting test: LocatorCheck
         ......................... rmstrnglaw.local passed test LocatorCheck
      Starting test: Intersite
         ......................... rmstrnglaw.local passed test Intersite

C:\Users\ian>
 
Accepted Solution by Henrik Johansson (LVL 31), earned 500 total points

Re-read earlier posts, and remembered that multihomed servers have given headache before.
The extra NIC's self-registering record in DNS may be the reason for the problem when resulting in round-robin for the hostname and the replication tries to use the unreachable IP.
Weird that the NIC keeps registering itself if you have disabled the "register this connection's addresses in DNS".
Is the extra NIC necessary?
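The check Henrik's answer implies, as an added example that is not code from the thread: from the branch DC, list every A record the hub DC's name resolves to, flag any address the branch cannot reach through the VPN, and probe the ports promotion and replication need against each address individually rather than against the name (which is what round-robin hides). Hostnames, addresses and subnets are the thread's; the assumption that only 192.168.44.0/24 and 192.168.45.0/24 are reachable across the tunnel, the adapter alias 'Internet', and the remediation at the end are mine. Run it, like dcdiag, from an elevated prompt (the NetLogons, Replications and Services access-denied lines in the dcdiag output above are what an unelevated session on Server 2008 typically reports, independent of the link). The cmdlets are Server 2012 R2 / PowerShell 4 era; on the 2008 boxes in the thread, nslookup, portqry, netsh interface ip and dnscmd do the same work.

```powershell
# Added example (not from the thread). Run on the branch DC (DC2) from an
# elevated PowerShell. Anything marked "assumption" is not in the original post.
$hubDc        = 'dc1.rmstrnglaw.local'
$reachableNet = @('192.168.44.0/24', '192.168.45.0/24')   # assumption: what the VPN carries
$adPorts      = 53, 88, 135, 389, 445, 636, 3268           # DNS, Kerberos, RPC EPM, LDAP, SMB, LDAPS, GC

function ConvertTo-IPv4UInt32 {
    # Dotted quad -> unsigned 32-bit integer in host order.
    param([string]$Ip)
    $bytes = ([IPAddress]$Ip).GetAddressBytes()   # network byte order
    [Array]::Reverse($bytes)                       # BitConverter wants little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InSubnet {
    # True when $Address lies inside the IPv4 CIDR block $Cidr (e.g. 192.168.44.0/24).
    param([string]$Address, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    return ((ConvertTo-IPv4UInt32 $Address) -band $mask) -eq ((ConvertTo-IPv4UInt32 $net) -band $mask)
}

# 1. Every address the name resolves to. One DC name, two A records = a
#    multihomed DC whose second NIC registered itself; clients get them round-robin.
$answers = Resolve-DnsName -Name $hubDc -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
if (@($answers).Count -gt 1) {
    Write-Warning "$hubDc has $(@($answers).Count) A records: $(($answers.IPAddress) -join ', ')"
}

# 2. Per address: is it on a network the branch can actually reach, and do the
#    AD ports answer on it? RPC binds to whichever address DNS handed out, so an
#    unreachable one fails intermittently with "The RPC server is unavailable".
foreach ($a in $answers) {
    $ip = $a.IPAddress
    $onVpn = @($reachableNet | Where-Object { Test-InSubnet -Address $ip -Cidr $_ }).Count -gt 0
    if (-not $onVpn) {
        Write-Warning "$ip is outside $($reachableNet -join ', '); promotion fails whenever DNS returns it first"
    }
    foreach ($port in $adPorts) {
        $open = Test-NetConnection -ComputerName $ip -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        '{0,-15} {1,-5} {2}' -f $ip, $port, $(if ($open) { 'open' } else { 'BLOCKED or unreachable' })
    }
}

# 3. Remediation, run on the hub DC (DC1) instead of disabling the NIC: stop the
#    internet-facing adapter registering, delete the stray record, re-register
#    the LAN address. 'Internet' is an assumed adapter alias (see Get-NetAdapter).
# Set-DnsClient -InterfaceAlias 'Internet' -RegisterThisConnectionsAddress $false
# Remove-DnsServerResourceRecord -ZoneName 'rmstrnglaw.local' -Name 'dc1' -RRType 'A' `
#     -RecordData '192.168.44.3' -Force
# ipconfig /registerdns
```

If the stray record comes back after the adapter is set not to register (the author reports exactly that), look at the DNS Server service's own interface list (DNS Manager, server properties, Interfaces tab) and restrict it to the internal address; a DNS server listening on the external NIC will keep putting that address into the zone's glue for its own name. Disabling the second NIC, as the thread did, removes the registration too, but only because it removes the address.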

Author Comment by rmstrnglaw (LVL 1)

I just prefer to separate the gigabit switch traffic from internet traffic on my servers. It's not strictly necessary though.

I'll try shutting one off but would consider that more of a workaround than a solution if it changes things. I'm not a very good MCSE if I can't figure out how to run a server without turning off 3/4 NICs.

Author Comment by rmstrnglaw (LVL 1)

I'll be damned, that fixed it. Have your points - you solved the issue.

Now it's up to me to figure out how to make things load balance properly with multiple NICs.

Author Closing Comment by rmstrnglaw (LVL 1)

How to make multiple NICs work was beyond the scope of my original question. Take your points, don't spend them all in one place ;)