  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3191

DCDIAG returns Directory Binding Error 1726 - DNS Issue?

Hi everyone, I am running Win2K3 SP2 with 2 DCs on one subnet and the PDC running Exchange 2003, ISA 2004 and IIS 6, and am getting persistent errors on the PDC that seem to be DNS related. Black box to me.

DCDIAG returns the following issues:

Connecting to AD - Directory Binding Error 1726:  The remote procedure call failed.

RPC Services Check - DsBindWithSpnEx() failed with error 1726, The remote procedure call failed.. also error -1073606647.

FsmoCheck - Warning: Couldn't verify this server as a PDC using DsListRoles()

Here is the ipconfig/all config:
Windows IP Configuration
   Host Name . . . . . . . . . . . . : aguirre
   Primary Dns Suffix  . . . . . . . : amazonia.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : amazonia.com

Ethernet adapter External NIC:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
 VBD Client)
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 70.91.104.193
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Default Gateway . . . . . . . . . : 70.91.104.194
   DNS Servers . . . . . . . . . . . : 68.87.68.162
                                       68.87.74.162
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Internal NIC:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
 VBD Client) #2
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.254.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.254.11
   Primary WINS Server . . . . . . . : 192.168.254.11

Any pointers would be greatly appreciated. TIA
0
Asked: Martinator2000
1 Solution
 
dfxdeimosCommented:
1) There is no such thing as a PDC in Active Directory. All DCs exist in a multi-master state. There is something called the "PDC Emulator" role that functions as the central time source and allows for backwards compatibility with really old desktop OSes.

2) It is not recommended that your domain controllers be "multihomed" or have NICs in different subnets. A dedicated ISA server would be the best idea.

3) Post the output of a "NETDOM /QUERY FSMO" from the command line.

4) Open the DNS management console on the DC that is also the ISA server, right click on the server name, choose "Properties", click on the "Interfaces" tab, uncheck the box next to the address that is on the internet facing NIC (the "External" network in ISA), click OK.

5) Open a command prompt and type "IPCONFIG /REGISTERDNS". Then wait 10 minutes and re-run the DCDIAG and post the results here.
0
 
Martinator2000Author Commented:
Thank you for your reply.
NETDOM failed with "the remote procedure call failed".
DNS Admin shows that I only have the Internal NIC under interfaces and there are no checkboxes on that tab.
I ran IPCONFIG /REGISTERDNS and after 10 minutes, I still get the exact same errors in DCDIAG.
0
 
dfxdeimosCommented:
Can you post the output of an "IPCONFIG /ALL" command from ALL of your Domain Controllers?
0
 
Martinator2000Author Commented:
The ipconfig for the problem server is the same as listed above.
Here is the other one:

Windows IP Configuration
   Host Name . . . . . . . . . . . . : artemis
   Primary Dns Suffix  . . . . . . . : amazonia.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : amazonia.com

Ethernet adapter Broadcom NetXtreme Dual Port Gigabit Ethernet Adapter - Onboard
 - Link A:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.254.14
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.254.11
   DNS Servers . . . . . . . . . . . : 192.168.254.11
   Primary WINS Server . . . . . . . : 192.168.254.11

C:\Documents and Settings\administrator.AMAZONIA>
0
 
dfxdeimosCommented:
(1) On the first server, "External NIC":

    (A) Remove the DNS information

(2) On the first server, "Internal NIC":

    (A) Set the Primary DNS & WINS server to "127.0.0.1"
    (B) Make sure the forwarders in the DNS console are set to forward unserviceable requests to "68.87.68.162" & "68.87.74.162", in that order

(3) On the second server's NIC:

    (A) Set the Primary DNS & WINS server to "127.0.0.1"
    (B) Set the Secondary DNS server to "192.168.254.11"
    (C) Make sure the forwarders in the DNS console are set to forward unserviceable requests to "192.168.254.11"

(4) On the second server run an "IPCONFIG /REGISTERDNS"

(5) On the first server run an "IPCONFIG /REGISTERDNS"

(6) After 10 minutes post the output of both a DCDIAG and NETDIAG here.
0
 
dfxdeimosCommented:
Also, please post the output of a "NETDOM /QUERY FSMO" from the command line.
0
 
Martinator2000Author Commented:
Thanks for your reply. I made all of the suggested changes, registered dns and waited a while. I am still getting the binding error 1726 in dcdiag and a few others.

Here are the results for the Main Domain Controller: AGUIRRE:
-------------------------------------------------------------------------------------------
C:\Documents and Settings\Administrator>ipconfig /all
Windows IP Configuration
   Host Name . . . . . . . . . . . . : aguirre
   Primary Dns Suffix  . . . . . . . : amazonia.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : amazonia.com

Ethernet adapter External NIC:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
 VBD Client)
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 70.91.104.193
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Default Gateway . . . . . . . . . : 70.91.104.194
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Internal NIC:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
 VBD Client) #2
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.254.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 127.0.0.1
                                       68.87.68.168
                                       68.87.74.168
   Primary WINS Server . . . . . . . : 127.0.0.1
-------------------------------------------------------------------------------------------
C:\Documents and Settings\Administrator>dcdiag
Domain Controller Diagnosis

Performing initial setup:
   [aguirre] Directory Binding Error 1726:
   The remote procedure call failed.
   This may limit some of the tests that can be performed.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\AGUIRRE
      Starting test: Connectivity
         [AGUIRRE] DsBindWithSpnEx() failed with error 1726,
         The remote procedure call failed..
         ......................... AGUIRRE failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\AGUIRRE
      Skipping all tests, because server AGUIRRE is
      not responding to directory service requests

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : amazonia
      Starting test: CrossRefValidation
         ......................... amazonia passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... amazonia passed test CheckSDRefDom

   Running enterprise tests on : amazonia.com
      Starting test: Intersite
         ......................... amazonia.com passed test Intersite
      Starting test: FsmoCheck
         ......................... amazonia.com passed test FsmoCheck
-------------------------------------------------------------------------------------------
C:\Documents and Settings\Administrator>netdiag
........................................
    Computer Name: AGUIRRE
    DNS Host Name: aguirre.amazonia.com
    System info : Microsoft Windows Server 2003 R2 (Build 3790)
    Processor : x86 Family 6 Model 15 Stepping 11, GenuineIntel
    List of installed hotfixes :
Netcard queries test . . . . . . . : Passed

Per interface results:
    Adapter : Internal NIC
        Netcard queries test . . . : Passed
        Host Name. . . . . . . . . : aguirre
        IP Address . . . . . . . . : 192.168.254.11
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . :
        Primary WINS Server. . . . : 127.0.0.1
        Dns Servers. . . . . . . . : 127.0.0.1
                                     68.87.68.168
                                     68.87.74.168


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Skipped
            [WARNING] No gateways defined for this adapter.

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.
            No remote names have been found.

        WINS service test. . . . . : Failed
            The test failed.  We were unable to query the WINS servers.

    Adapter : External NIC
        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : aguirre
        IP Address . . . . . . . . : 70.91.104.193
        Subnet Mask. . . . . . . . : 255.255.255.252
        Default Gateway. . . . . . : 70.91.104.194
        NetBIOS over Tcpip . . . . : Disabled
        Dns Servers. . . . . . . . :

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Skipped
            NetBT is disabled on this interface. [Test skipped]

        WINS service test. . . . . : Skipped
            NetBT is disable on this interface. [Test skipped].

Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{49707130-26C5-4454-99F0-852625B88F21}
    1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '127.0.0.1' a
nd other DCs also have some of the names registered.
       [WARNING] The DNS entries for this DC cannot be verified right now on DNS
 server 68.87.68.168, ERROR_TIMEOUT.
       [WARNING] The DNS entries for this DC cannot be verified right now on DNS
 server 68.87.74.168, ERROR_TIMEOUT.

Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{49707130-26C5-4454-99F0-852625B88F21}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{49707130-26C5-4454-99F0-852625B88F21}
    The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Failed
    [WARNING] Cannot call DsBind to aguirre.amazonia.com (192.168.254.11). [RPC_
S_CALL_FAILED]

Trust relationship test. . . . . . : Skipped

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] Failed to query SPN registration on DC 'aguirre.amazonia.com'.

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
    No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information

The command completed successfully
-------------------------------------------------------------------------------------------
C:\Documents and Settings\Administrator>netdom /query fsmo
The remote procedure call failed.

The command failed to complete successfully.


C:\Documents and Settings\Administrator>
0
 
dfxdeimosCommented:
Can you check the RPC Service and confirm that it is in the "running" state?

Are you running any sort of firewall on either of these machines?
0
 
Martinator2000Author Commented:
Yes, the RPC service is running and on right click none of the start/stop/restart options are enabled. Not sure if that means anything.

We are running ISA 2004 and MS Firewall. I did stop ISA to fix another issue in Exchange earlier and tested dcdiag when ISA was down and still got the same error.

I will try that again and if I get a different result will post it in a minute.
0
 
dfxdeimosCommented:
Take a look in the System Event logs of both domain controllers and post any Error or Warning entries that you find that seem to be related to the issue you are seeing.
0
 
Martinator2000Author Commented:
Oops, I take it back.

The dcdiag runs cleanly when I shut down ISA 2004 and MS Firewall. Same for the Exchange System Attendant, which was also failing to start.

Then I restarted ISA 2004 and everything was still good but I lost my internet access, so I restarted the firewall service to be able to post this.

Somehow MS Firewall is blocking things on the server.

Do I really need that when I am running ISA 2004?
Why did internet access fail after disabling the firewall?
0
 
dfxdeimosCommented:
The ISA server should automatically disable the Windows Firewall when it is installed.

I am not sure why you are losing connectivity when you disable the Windows Firewall...
0
 
Martinator2000Author Commented:
This is totally bizarre. All of my previous problems go away when I shut down the MS Firewall Service.

But now I get a whole new set of problems.

1. No internet access from the server or anywhere else in the network.
2. I can't ping the server from anywhere in the network; other servers are still there.
3. I can't run an ISA monitoring query on that server, it says the server is not responding when I hit Start Query.

There are probably more issues.

Any ideas???
0
 
dfxdeimosCommented:
Can you do a configuration dump of your firewall rules so I can take a look?
0
 
Martinator2000Author Commented:
Here are the system and firewall policies.


2009-Apr-15-system-policy.txt
2009-Apr-15-firewall-policy.txt
0
 
dfxdeimosCommented:
Is this ISA 2004 or 2006? I don't have an instance here (at home) to import those rules into, can you send me a screen shot of the firewall rules?
0
 
Martinator2000Author Commented:
0
 
dfxdeimosCommented:
Hmm...

Your internet access rule should be the second to the last rule in your firewall policy.

Can you RDP from an internal computer to the ISA server when you have the Windows Firewall disabled?

Can you run the ISA Server Best Practices Analyzer?

Can you post any relevant event log entries?
0
 
Martinator2000Author Commented:
I have moved the rule down.

We don't use Terminal Server, but since I can't even ping the server when the firewall is disabled, I would think not.

I ran the ISA BPA and it reported that the Exchange RPC rule was blocking all other RPC requests. So I reconfigured that and now I get the following ISA BPA issues:

All Issues:
  • The /3GB startup switch is set on the local computer
  • The server specified in a Web publishing rule cannot find the certificate or the private key for the certificate
  • The server specified in a Web publishing rule cannot find the certificate or the private key for the certificate
  • One or more certificates in the local computer store do not have a private key
  • The HTTP redirection port specified in a Web publishing rule is not port 80
  • The HTTP redirection port specified in a Web publishing rule is not port 80
  • The HTTP redirection port specified in an Outlook Web Access publishing rule is not port 80
  • The SSL redirection port specified in a Web publishing rule is not port 443
  • The SSL redirection port specified in a Web publishing rule is not port 443
  • DNS search order is blank
  • This computer has more than 4 GB of memory
  • An Outlook Web Access publishing rule listens on an HTTP port
  • Path maximum transmission unit (MTU) discovery is disabled

Also the DCDIAG errors have now changed to

Performing initial setup:
   [aguirre] Directory Binding Error 1727:
   The remote procedure call failed and did not execute.

      Starting test: Connectivity
         [AGUIRRE] DsBindWithSpnEx() failed with error 1727,
         The remote procedure call failed and did not execute..
0
 
dfxdeimosCommented:
Just to be honest, ideally you would not have the DC and Exchange server running on the ISA server. If it were me I would have a separate ISA server, a DC running DNS and DHCP, and then a separate Exchange server. I know that you probably won't be able to reconfigure it in this way as it is a production network, but in the future it may be something for you to think about... just my $.02.

Just to confirm though...

(1) All IP addresses are assigned statically.
(2) The external NIC of the ISA server has no DNS information
(3) The internal NIC of the ISA server points towards itself for DNS (127.0.0.1), clear other DNS entries.
(4) The NIC in the second DC points towards itself for DNS (127.0.0.1), clear other DNS entries.
(5) In the DNS properties on the second DC, forwarders are set to first forward to DC #1, then to the IPs of your ISP's DNS servers.
(6) In the DNS properties on the first DC, forwarders are set to forward to the IPs of your ISP's DNS servers.

I know we have gone through this, but I would like you to do the following again:

(1) On the first DC, run an IPCONFIG /REGISTERDNS. After 5 minutes, restart the DC. Wait for it to come back up.
(2) On the second DC, run an IPCONFIG /REGISTERDNS. After 5 minutes, restart the DC. Wait for it to come back up.
(3) Run a NETDIAG /FIX on the first DC. Post the results.
(4) Run a DCDIAG on the first DC. Post the results.

Sorry we haven't come to a resolution yet, but I will continue to work with you.
0
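As an added example (not code from the thread), a Python check of a DC's `ipconfig /all` output against the layout dfxdeimos describes in the confirmation list above and in the earlier (1)-(6) procedure: no DNS servers on the external NIC, 127.0.0.1 first on every other NIC, and nothing but domain controllers in the list, with ISP resolvers kept in the DNS console's forwarders. The two samples are constructed in the same layout as the output posted in the thread, and `DC_ADDRESSES` is an assumption taken from the two DC addresses that appear in it.

```python
"""Check a DC's `ipconfig /all` output against the DNS layout recommended in
the thread: the internet-facing NIC carries no DNS servers, every other NIC
lists the DC itself (127.0.0.1) first, and only domain controllers appear as
DNS servers (ISP resolvers belong in the DNS console's forwarders)."""
import re

# Constructed sample in the layout of the ipconfig /all output posted above:
# AGUIRRE after the first round of changes, ISP resolvers still on both NICs.
AGUIRRE = """\
Windows IP Configuration
   Host Name . . . . . . . . . . . . : aguirre

Ethernet adapter External NIC:
   IP Address. . . . . . . . . . . . : 70.91.104.193
   Default Gateway . . . . . . . . . : 70.91.104.194
   DNS Servers . . . . . . . . . . . : 68.87.68.162
                                       68.87.74.162

Ethernet adapter Internal NIC:
   IP Address. . . . . . . . . . . . : 192.168.254.11
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 127.0.0.1
                                       68.87.68.168
"""
# Constructed sample for the second DC (ARTEMIS) in the recommended end state.
ARTEMIS = """\
Ethernet adapter Link A:
   IP Address. . . . . . . . . . . . : 192.168.254.14
   Default Gateway . . . . . . . . . : 192.168.254.11
   DNS Servers . . . . . . . . . . . : 127.0.0.1
                                       192.168.254.11
"""
DC_ADDRESSES = {"192.168.254.11", "192.168.254.14"}  # assumed: the thread's two DCs

ADAPTER_RE = re.compile(r"^Ethernet adapter (.+):$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*: ?(.*)$")
CONT_RE = re.compile(r"^\s{20,}(\S+)$")  # wrapped extra value of the last field

def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}; multi-line fields become lists."""
    adapters, fields, last = {}, None, None
    for line in text.splitlines():
        if m := ADAPTER_RE.match(line):
            fields = adapters.setdefault(m.group(1), {})
            last = None
        elif fields is None:
            continue  # header lines before the first adapter
        elif m := FIELD_RE.match(line):
            last = m.group(1).strip()
            fields[last] = [m.group(2).strip()] if m.group(2).strip() else []
        elif (m := CONT_RE.match(line)) and last:
            fields[last].append(m.group(1))
    return adapters

def check_dc_dns(adapters, external_nic=None, dc_addresses=DC_ADDRESSES):
    """Return findings; an empty list means the layout matches the advice."""
    findings = []
    for name, fields in adapters.items():
        dns = fields.get("DNS Servers", [])
        if name == external_nic:
            if dns:  # rule (2) of the confirmation list: no DNS on the external NIC
                findings.append(f"{name}: external NIC carries DNS servers {dns}")
            continue
        if dns[:1] != ["127.0.0.1"]:  # rules (3)/(4): point at itself first
            findings.append(f"{name}: first DNS server is {dns[:1]}, not 127.0.0.1")
        for server in dns:  # anything else must be a DC; ISP resolvers go in forwarders
            if server != "127.0.0.1" and server not in dc_addresses:
                findings.append(f"{name}: {server} is not a DC; move it to forwarders")
    return findings
```

Running `check_dc_dns(parse_ipconfig(AGUIRRE), external_nic="External NIC")` flags the ISP resolvers on both NICs, while the ARTEMIS sample comes back clean.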
 
Martinator2000Author Commented:
Thank you Richard, I really appreciate your help.

After your procedure, both netdiag and dcdiag ran cleanly and there were only a couple of errors in the event log unlike the dozens I used to get.

Cheers!!!!
0
 
dfxdeimosCommented:
Awesome, glad you got that resolved!
0
