Solved

Cannot create DC at new site 'RPC Server Not Found'

Posted on 2008-06-19
13
2,669 Views
Last Modified: 2012-06-21
I've been struggling all day to promote a new DC in a branch site.

The main office is on 192.168.44.0/24 with a branch on x.x.45.0/24.

The PDC is located at .44.2 and the remote DC will be located at .45.2

Most of the process completes. Both systems are in the Domain Controllers OU and are members of the Domain Controllers security group. DNS is resolving by name to all systems across a VPN line joining a pair of Hotbrick firewall/router boxes.

Two sites have been created by Subnet. I have tried promoting the DC with and without DNS (normally I prefer to wait on DNS until I have the DC raised and functional since I am running ADI).

The domain and forest are functional level 2008.

I know, this feels like I should be asking about Fabrikam and Contoso doesn't it?

Sorry it's not a multiple choice... I need to find the permissions error/omission.
The operation failed because:
 
Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller CN=NTDS Settings,CN=DC2,CN=Servers,CN=Vistazo,CN=Sites,CN=Configuration,DC=rmstrnglaw,DC=local on the remote AD DC DC1.rmstrnglaw.local. Ensure the provided network credentials have sufficient permissions.
 
"The RPC server is unavailable."


0
Question by:rmstrnglaw
13 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 21828121
RPC errors between sites, particularly with VPNs in the mix, are typically indicative of DNS issues or ports being blocked.  Stick Wireshark on the line and/or check your router/VPN logs to see if anything is getting blocked.
0
 
LVL 1

Author Comment

by:rmstrnglaw
ID: 21832969
It shouldn't be DNS related since everything resolves by name and IP without a hitch.

It'll have to be a wireshark... since AD would require every port over 1043 to be opened and defeat the purpose of a firewall altogether. Thanks for the suggestion.

I'll get back to you in a couple of hours, heading to the main office now to handle a few things anyhow.
0
 
LVL 1

Author Comment

by:rmstrnglaw
ID: 21834663
Okay the only thing I'm finding with Wireshark is a bad checksum on DNS query requests to port 53. Nothing that would make the RPC server unavailable.

Besides, the hardware units are using an IPSec tunnel so the hardware should be pushing everything right through. There is a global rule on the servers to allow all domain-authenticated traffic unrestricted access from all branch-office subnets.

What are you kidding me? .pcap is restricted even when inside of a .zip archive? Come on EE... this does not make my life any easier here. I've attached the CSV instead.

DC2 is 192.168.45.2
DC1 is using 192.168.44.2 (internal) and 192.168.44.3 (internet)

.3 should not be registering itself in DNS but it's a sneaky bastard and likes to show up in there anyway.

Again, I have a site-to-site VPN setup between a pair of Hotbrick firewall/routers. The networks are effectively joined. Filters are set up by GPO to allow all subnets full access.



Wireshark.zip
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21835360
The default behaviour is that the NIC shall register itself in DNS. Uncheck the checkbox in TCP/IP-settings->advanced->DNS
To get the DC-communication working over firewall, see http://support.microsoft.com/kb/555381
0
 
LVL 1

Author Comment

by:rmstrnglaw
ID: 21838299
Already did that, it's still registering.

The real question... is that relevant to my problem?
0
 
LVL 1

Author Comment

by:rmstrnglaw
ID: 21848334
Okay I'm going to try forcing replication through a specific range of upper end ports via GPO.

http://technet.microsoft.com/en-us/library/bb727063.aspx

Most of those ports are already open. The details on forcing replication through ports via registry key are also listed in this article. If this works, I'm going to wish (once again) that I could assign points to myself. If it doesn't, I really hope I've provided enough information to get some good suggestions.

More when I've had a bit of time to tweak my hardware.
0
 
LVL 1

Author Comment

by:rmstrnglaw
ID: 21848840
No dice. Please note again I am connected through a site-to-site VPN and Windows Firewall is turned off.

I do have an alternate error message though.

----------
The operation failed because:

Active Directory Domain Services could not setup replication notifications for the directory partition DC=rmstrnglaw,DC=local on the remote Active Directory Domain Controller DC1.rmstrnglaw.local.

"The RPC server is unavailable."
----------

All FSMO roles are functioning, so far as I can tell. ipconfig looks good. I have name resolution. DC2 is pointing at DC1 for DNS and clearly resolving the domain. This is a replication failure.

Hell I've even forced the ports.

What diagnostics can I put up that may help determine the problem? I have even attempted to clean out old metadata but get errors that the OS was never a server so that isn't the issue.
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21848927
Just to confirm, did you do the registry editing for changing the ports on *all* DCs and also restarted them?

Are the DCs correctly registered in DNS (SRV-records)?
Any errors in netdiag or dcdiag?
Anything in the eventlog?
Bad/outdated driver for the NIC?
0
 
LVL 1

Author Comment

by:rmstrnglaw
ID: 21850608
_gc
_kerberos
_kpasswd
_ldap

All properly registered to dc1.rmstrnglaw.local.

DCDiag Results are in the code box

I am not finding any new NIC drivers and have not seen anything in the event log but will look again.

I will have to install a 2008 compatible version of netdiag on the box.

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.
 
C:\Users\ian>dcdiag
 
Directory Server Diagnosis
 
Performing initial setup:
   Trying to find home server...
   Home Server = DC1
   * Identified AD Forest.
   Done gathering initial info.
 
Doing initial required tests
 
   Testing server: Embarcadero\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity
 
Doing primary tests
 
   Testing server: Embarcadero\DC1
      Starting test: Advertising
         ......................... DC1 passed test Advertising
      Starting test: FrsEvent
         ......................... DC1 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC1 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC1 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC1 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC1 passed test NCSecDesc
      Starting test: NetLogons
         [DC1] User credentials does not have permission to perform this
         operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... DC1 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC1 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,DC1] DsReplicaGetInfo(PENDING_OPS, NULL) failed,
         error 0x2105 "Replication access was denied."
         ......................... DC1 failed test Replications
      Starting test: RidManager
         ......................... DC1 passed test RidManager
      Starting test: Services
            Could not open NTDS Service on DC1, error 0x5 "Access is denied."
         ......................... DC1 failed test Services
      Starting test: SystemLog
         ......................... DC1 passed test SystemLog
      Starting test: VerifyReferences
         ......................... DC1 passed test VerifyReferences
 
 
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
 
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
 
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
 
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
 
   Running partition tests on : rmstrnglaw
      Starting test: CheckSDRefDom
         ......................... rmstrnglaw passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... rmstrnglaw passed test CrossRefValidation
 
   Running enterprise tests on : rmstrnglaw.local
      Starting test: LocatorCheck
         ......................... rmstrnglaw.local passed test LocatorCheck
      Starting test: Intersite
         ......................... rmstrnglaw.local passed test Intersite
 
C:\Users\ian>


0
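Reading a long dcdiag transcript by eye is error-prone: the pass/fail line can wrap, and the detail lines that carry the actual error code sit above the verdict rather than on it. The script below is an added example (not code from the thread or from Microsoft) that parses dcdiag output into structured results, pairs each verdict with the detail lines that preceded it, and pulls out the hex error codes so failures such as 0x2105 or 0x5 can be triaged. The embedded sample is a trimmed excerpt of the dcdiag output posted above; the parser itself is general and works on any dcdiag run fed to `parse_dcdiag`.

```python
import re

# Excerpt of the dcdiag output posted in the thread, trimmed to the tests of interest.
SAMPLE_DCDIAG = """\
   Testing server: Embarcadero\\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity
      Starting test: NetLogons
         [DC1] User credentials does not have permission to perform this
         operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... DC1 failed test NetLogons
      Starting test: Replications
         [Replications Check,DC1] DsReplicaGetInfo(PENDING_OPS, NULL) failed,
         error 0x2105 "Replication access was denied."
         ......................... DC1 failed test Replications
      Starting test: Services
            Could not open NTDS Service on DC1, error 0x5 "Access is denied."
         ......................... DC1 failed test Services
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
"""

# "Starting test: <name>" opens a test; the dotted verdict line closes it.
START_RE = re.compile(r"^\s*Starting test:\s+(\S+)")
# The test name on the verdict line is optional because dcdiag wraps long lines.
RESULT_RE = re.compile(r"^\s*\.{5,}\s*(\S+)\s+(passed|failed)\s+test(?:\s+(\S+))?\s*$")
ERRCODE_RE = re.compile(r"\b0x[0-9A-Fa-f]+\b")


def parse_dcdiag(text):
    """Return one dict per test: target, test, status, detail lines, error codes."""
    results = []
    current = None  # (test name, accumulated detail lines) while a test is open
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            current = (m.group(1), [])
            continue
        m = RESULT_RE.match(line)
        if m and current is not None:
            target, status, name = m.group(1), m.group(2), m.group(3)
            details = current[1]
            results.append({
                "target": target,
                "test": name or current[0],  # wrapped verdict: name came from Starting test
                "status": status,
                "details": details,
                "error_codes": sorted({c.lower() for d in details for c in ERRCODE_RE.findall(d)}),
            })
            current = None
            continue
        # Anything else between Starting test and the verdict is diagnostic detail.
        if current is not None and line.strip():
            current[1].append(line.strip())
    return results


def failed_tests(results):
    """Only the tests that dcdiag marked as failed."""
    return [r for r in results if r["status"] == "failed"]


def summarize(results):
    """One line per failed test, with the error codes dcdiag printed for it."""
    lines = []
    for r in failed_tests(results):
        codes = ", ".join(r["error_codes"]) or "no error code printed"
        lines.append(f"{r['target']}: {r['test']} FAILED ({codes})")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_dcdiag(SAMPLE_DCDIAG)):
        print(line)
```

Note that in the transcript above dcdiag was run from an ordinary user prompt (`C:\Users\ian`), so the access-denied codes the parser surfaces describe the rights of the account running the tool; a run from an elevated Domain Admins session is the one to compare against the promotion error.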
 
LVL 31

Accepted Solution

by:
Henrik Johansson earned 500 total points
ID: 21864327
Re-read earlier posts, and remembered that multihomed servers have given headache before.
The extra NIC's self-registering record in DNS may be the reason for the problem when resulting in round-robin for the hostname and the replication tries to use the unreachable IP.
Weird that the NIC keeps registering itself if you have disabled the "register this connection's addresses in DNS".
Is the extra NIC necessary?
0
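The accepted answer's diagnosis, a multihomed DC whose second NIC registers an address the partner cannot reach, so DNS round robin intermittently hands out a dead address, can be checked rather than guessed. The script below is an added example (not code from the thread) that takes the A records a resolver returns for each DC, probes every address on the TCP ports a promoting or replicating DC needs on its partner, and reports any address that fails, together with the fraction of lookups that round robin would steer onto it. The host names, addresses and the `fake_probe` reachability map are constructed to mirror this thread (DC1 on .44.2 and .44.3, DC2 on .45.2); in a real run the record list would come from `nslookup` or `Resolve-DnsName` output and `tcp_reachable` would replace the simulated probe.

```python
import ipaddress
import socket

# TCP ports a DC needs on its replication partner (constructed subset of the full list).
REQUIRED_TCP_PORTS = {88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP", 445: "SMB"}


def tcp_reachable(ip, port, timeout=1.0):
    """Real probe: can we complete a TCP handshake to ip:port within the timeout?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_host_records(records, probe=tcp_reachable):
    """records: {hostname: [A-record IPs as the resolver returned them]}.
    probe(ip, port) -> bool is injectable so the audit can run offline.
    Returns {hostname: {"multihomed", "unreachable", "failure_ratio"}}."""
    report = {}
    for host, ips in records.items():
        ips = [str(ipaddress.ip_address(ip)) for ip in ips]  # validates each address
        unreachable = {}
        for ip in ips:
            closed = sorted(p for p in REQUIRED_TCP_PORTS if not probe(ip, p))
            if closed:
                unreachable[ip] = closed
        report[host] = {
            "multihomed": len(ips) > 1,
            "unreachable": unreachable,
            # Round robin rotates the answer order, so roughly this share of
            # connection attempts lands on an address that cannot be reached.
            "failure_ratio": len(unreachable) / len(ips) if ips else 0.0,
        }
    return report


def findings(report):
    """Human-readable lines for every dead address, flagging multihomed hosts."""
    out = []
    for host, r in report.items():
        for ip, ports in r["unreachable"].items():
            note = " (multihomed host: round robin will hand this address out)" if r["multihomed"] else ""
            out.append(f"{host}: record {ip} unreachable on TCP {ports}{note}")
    return out


# Constructed sample input mirroring the thread: DC1 has two A records, DC2 one.
SAMPLE_RECORDS = {
    "dc1.rmstrnglaw.local": ["192.168.44.2", "192.168.44.3"],
    "dc2.rmstrnglaw.local": ["192.168.45.2"],
}


def fake_probe(ip, port):
    """Simulated reachability: the .3 record is the internet NIC nobody over the VPN can reach."""
    return ip != "192.168.44.3"


if __name__ == "__main__":
    # Swap fake_probe for tcp_reachable to run this against live hosts.
    for line in findings(audit_host_records(SAMPLE_RECORDS, probe=fake_probe)):
        print(line)
```

A host with a non-zero `failure_ratio` is exactly the intermittent "RPC server is unavailable" pattern: the same name resolves fine every time, but some fraction of the connections go to an interface the branch cannot reach. The fix is either to stop that interface registering in DNS or, as the thread did, to take the extra NIC out of the picture.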
 
LVL 1

Author Comment

by:rmstrnglaw
ID: 21867888
I just prefer to separate the gigabit switch traffic from internet traffic on my servers. It's not strictly necessary though.

I'll try shutting one off but would consider that more of a workaround than a solution if it changes things. I'm not a very good MCSE if I can't figure out how to run a server without turning off 3/4 NICs.
0
 
LVL 1

Author Comment

by:rmstrnglaw
ID: 21868074
I'll be damned, that fixed it. Have your points - you solved the issue.

Now it's up to me to figure out how to make things load balance properly with multiple NICs.
0
 
LVL 1

Author Closing Comment

by:rmstrnglaw
ID: 31470676
How to make multiple NICs work was beyond the scope of my original question. Take your points, don't spend them all in one place ;)
0
