rmstrnglaw
asked on
Cannot create DC at new site 'RPC Server Not Found'
I've been struggling all day to promote a new DC in a branch site.
The main office is on 192.168.44.0/24 with a branch on x.x.45.0/24.
The PDC is located at .44.2 and the remote DC will be located at .45.2
Most of the process completes. Both systems are in the Domain Controllers OU and are members of the Domain Controllers security group. DNS is resolving by name to all systems across a VPN line joining a pair of Hotbrick firewall/router boxes.
Two sites have been created by Subnet. I have tried promoting the DC with and without DNS (normally I prefer to wait on DNS until I have the DC raised and functional since I am running ADI).
The domain and forest are functional level 2008.
I know, this feels like I should be asking about Fabrikam and Contoso doesn't it?
Sorry it's not a multiple choice... I need to find the permissions error/omission.
The operation failed because:
Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller CN=NTDS Settings,CN=DC2,CN=Servers,CN=Vistazo,CN=Sites,CN=Configuration,DC=rmstrnglaw,DC=local on the remote AD DC DC1.rmstrnglaw.local. Ensure the provided network credentials have sufficient permissions.
"The RPC server is unavailable."
RPC errors between sites, particularly with VPNs in the mix, are typically indicative of DNS issues or ports being blocked. Stick Wireshark on the line and/or check your router/VPN logs to see if anything is getting blocked.
ASKER
It shouldn't be DNS related since everything resolves by name and IP without a hitch.
It'll have to be a wireshark... since AD would require every port over 1043 to be opened and defeat the purpose of a firewall altogether. Thanks for the suggestion.
I'll get back to you in a couple of hours, heading to the main office now to handle a few things anyhow.
ASKER
Okay the only thing I'm finding with Wireshark is a bad checksum on DNS query requests to port 53. Nothing that would make the RPC server unavailable.
Besides, the hardware units are using an IPSec tunnel so the hardware should be pushing everything right through. There is a global rule on the servers to allow all domain-authenticated traffic unrestricted access from all branch-office subnets.
What are you kidding me? .pcap is restricted even when inside of a .zip archive? Come on EE... this does not make my life any easier here. I've attached the CSV instead.
DC2 is 192.168.45.2
DC1 is using 192.168.44.2 (internal) and 192.168.44.3 (internet)
.3 should not be registering itself in DNS but it's a sneaky bastard and likes to show up in there anyway.
Again, I have a site-to-site VPN set up between a pair of Hotbrick firewall/routers. The networks are effectively joined. Filters are set up by GPO to allow all subnets full access.
Wireshark.zip
The default behaviour is that the NIC shall register itself in DNS. Uncheck the checkbox in TCP/IP settings -> Advanced -> DNS.
To get the DC-communication working over firewall, see http://support.microsoft.com/kb/555381
ASKER
Already did that, it's still registering.
The real question... is that relevant to my problem?
ASKER
Okay I'm going to try forcing replication through a specific range of upper end ports via GPO.
http://technet.microsoft.com/en-us/library/bb727063.aspx
Most of those ports are already open. The details on forcing replication through ports via registry key are also listed in this article. If this works, I'm going to wish (once again) that I could assign points to myself. If it doesn't, I really hope I've provided enough information to get some good suggestions.
More when I've had a bit of time to tweak my hardware.
ASKER
No dice. Please note again I am connected through a site-to-site VPN and Windows Firewall is turned off.
I do have an alternate error message though.
----------
The operation failed because:
Active Directory Domain Services could not setup replication notifications for the directory partition DC=rmstrnglaw,DC=local on the remote Active Directory Domain Controller DC1.rmstrnglaw.local.
"The RPC server is unavailable."
----------
All FSMO roles are functioning, so far as I can tell. ipconfig looks good. I have name resolution. DC2 is pointing at DC1 for DNS and clearly resolving the domain. This is a replication failure.
Hell I've even forced the ports.
What diagnostics can I put up that may help determine the problem? I have even attempted to clean out old metadata but get errors that the OS was never a server so that isn't the issue.
Just to confirm, did you do the registry editing for changing the ports on *all* DCs and also restarted them?
Are the DCs correctly registered in DNS (SRV records)?
Any errors in netdiag or dcdiag?
Anything in the eventlog?
Bad/outdated driver for the NIC?
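The checklist above (SRV registration, RPC ports across the VPN, a multihomed DC registering every NIC) can be run as one script from the candidate DC before dcpromo. This is an added example, not code from the thread; it assumes the DnsClient module (Resolve-DnsName) is available, and the $StaticRpcPort parameter is only for the case where the NTDS RPC port has been pinned via the registry as the TechNet article describes.

```powershell
# Added example (not from the thread): pre-dcpromo DNS/RPC sanity check run from DC2.
# Assumes Resolve-DnsName (DnsClient module) is present on the box.
param(
    [string]$Domain   = 'rmstrnglaw.local',            # domain from the thread
    [string]$SourceDc = 'dc1.rmstrnglaw.local',        # existing DC that dcpromo talks to
    [int[]] $Ports    = @(135, 88, 389, 445, 636, 3268), # RPC EPM, Kerberos, LDAP, SMB, LDAPS, GC
    [int]   $StaticRpcPort = 0                         # set if NTDS "TCP/IP Port" was pinned by registry
)

function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs = 3000) {
    # Plain TCP connect with a timeout; no dependency on Test-NetConnection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async); return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. A multihomed DC that registers every NIC in DNS is a classic cause of
#    "The RPC server is unavailable": the client may pick an address the remote
#    site cannot reach. Flag more than one A record for the source DC.
$addresses = [System.Net.Dns]::GetHostAddresses($SourceDc) |
    Where-Object AddressFamily -eq 'InterNetwork' | ForEach-Object IPAddressToString
Write-Host "$SourceDc resolves to: $($addresses -join ', ')"
if ($addresses.Count -gt 1) {
    Write-Warning "Multiple A records for $SourceDc; disable DNS registration on NICs the remote site cannot reach."
}

# 2. The DC locator SRV records that dcpromo relies on.
foreach ($svc in '_ldap._tcp.dc._msdcs', '_kerberos._tcp', '_kpasswd._tcp', '_gc._tcp') {
    $srv = Resolve-DnsName -Name "$svc.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV'
    if ($srv) { Write-Host ("{0}.{1} -> {2}" -f $svc, $Domain, (($srv | ForEach-Object NameTarget) -join ', ')) }
    else      { Write-Warning "No SRV record for $svc.$Domain" }
}

# 3. Reachability of the fixed ports (plus the pinned RPC port, if any) against
#    every address the name resolves to, so a bad NIC/route shows up per address.
if ($StaticRpcPort -gt 0) { $Ports += $StaticRpcPort }
foreach ($addr in $addresses) {
    foreach ($p in $Ports) {
        $state = if (Test-TcpPort $addr $p) { 'open' } else { 'BLOCKED/unreachable' }
        Write-Host ("{0}:{1,-5} {2}" -f $addr, $p, $state)
    }
}
```

An address that resolves but shows every port blocked is the multihomed-NIC symptom the thread ends up fixing; a missing SRV record points back at DNS rather than the firewall.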
ASKER
_gc
_kerberos
_kpasswd
_ldap
All properly registered to dc1.rmstrnglaw.local.
DCDiag Results are in the code box
I am not finding any new NIC drivers and have not seen anything in the event log but will look again.
I will have to install a 2008 compatible version of netdiag on the box.
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\ian>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Embarcadero\DC1
Starting test: Connectivity
......................... DC1 passed test Connectivity
Doing primary tests
Testing server: Embarcadero\DC1
Starting test: Advertising
......................... DC1 passed test Advertising
Starting test: FrsEvent
......................... DC1 passed test FrsEvent
Starting test: DFSREvent
......................... DC1 passed test DFSREvent
Starting test: SysVolCheck
......................... DC1 passed test SysVolCheck
Starting test: KccEvent
......................... DC1 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC1 passed test MachineAccount
Starting test: NCSecDesc
......................... DC1 passed test NCSecDesc
Starting test: NetLogons
[DC1] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... DC1 failed test NetLogons
Starting test: ObjectsReplicated
......................... DC1 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,DC1] DsReplicaGetInfo(PENDING_OPS, NULL) failed,
error 0x2105 "Replication access was denied."
......................... DC1 failed test Replications
Starting test: RidManager
......................... DC1 passed test RidManager
Starting test: Services
Could not open NTDS Service on DC1, error 0x5 "Access is denied."
......................... DC1 failed test Services
Starting test: SystemLog
......................... DC1 passed test SystemLog
Starting test: VerifyReferences
......................... DC1 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : rmstrnglaw
Starting test: CheckSDRefDom
......................... rmstrnglaw passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... rmstrnglaw passed test CrossRefValidation
Running enterprise tests on : rmstrnglaw.local
Starting test: LocatorCheck
......................... rmstrnglaw.local passed test LocatorCheck
Starting test: Intersite
......................... rmstrnglaw.local passed test Intersite
C:\Users\ian>
ASKER CERTIFIED SOLUTION
ASKER
I just prefer to separate the gigabit switch traffic from internet traffic on my servers. It's not strictly necessary though.
I'll try shutting one off but would consider that more of a workaround than a solution if it changes things. I'm not a very good MCSE if I can't figure out how to run a server without turning off 3/4 NICs.
ASKER
I'll be damned, that fixed it. Have your points - you solved the issue.
Now it's up to me to figure out how to make things load balance properly with multiple NICs.
ASKER
How to make multiple NICs work was beyond the scope of my original question. Take your points, don't spend them all in one place ;)