Solved

FRSdiag issues on Server 2008 R2

Posted on 2011-03-04
Last Modified: 2012-05-11
We have:

1 Server 2003R2 domain controller, "Thor", with FRSDiag installed
1 Server 2008R2 domain controller, "Helix", with a fresh install of FRSDiag
1 Server 2008R2 domain controller, "Zenith"

I have been running FRSDiag at least weekly on Thor with all three servers selected.  Run this morning, it completed promptly with no errors.

Thor will be retired eventually so I want to run it on Helix.  I looked for a new version or a replacement program but did not find one.  Is there a version newer than 1.7 or a different program with the same functionality?  

When I ran it from Helix with all three servers selected:

1.  Completed very quickly with no errors for Helix.
2.  On Zenith, it stalled on the first line and finally came back with: "Detecting this machine's domain role ... Could not check DomainRole, will just treat it like a Domain Controller. The exception message was: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)"  Checking the event viewer I see one Security-Kerberos Event 4 (pasted below) and 2 DistributedCOM events (pasted below).  The second time I ran it, I got the same DCOM errors but no Kerberos error.  I don't understand how to fix this issue or if it can be fixed.  I don't get this problem when FRSDiag is run from the Server 2003R2 box.  The rest of the processing goes promptly without errors until the last step (see question 4).

3.  Processing Thor, it stalls on the first line, but eventually comes back normally: "Detecting this machine's domain role ... Domain Controller".  However the rest of the processing takes 5-6 times as long as on Zenith.  We used to have another 2003 domain controller and that processing was much faster.  Any idea why it takes so long?  Eventually it did complete with no errors.

4.  Processing all three servers, it stalls on the Generating CAB last step for a while, and although a CAB folder is created, no CAB file is created for any of the three servers.  MakeCAB.exe does exist in System32.

Any suggestions on how to fix the RPC error on Zenith, why it runs so slow on Thor, or how to make it generate CABs?  Alternatively, is there another program or best practice for periodically checking the status of the domain?

Thanks very much.

Ravi

------------------------------



Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          3/4/2011 9:51:25 AM
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      HELIX.hungermountain.com
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server zenith$. The target name used was RPCSS/zenith.hungermountain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (HUNGERMOUNTAIN.COM) is different from the client domain (HUNGERMOUNTAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
    <EventID Qualifiers="16384">4</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-03-04T14:51:25.000000000Z" />
    <EventRecordID>16323</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>HELIX.hungermountain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="Server">zenith$</Data>
    <Data Name="TargetRealm">HUNGERMOUNTAIN.COM</Data>
    <Data Name="Targetname">RPCSS/zenith.hungermountain.com</Data>
    <Data Name="ClientRealm">HUNGERMOUNTAIN.COM</Data>
    <Binary>
    </Binary>
  </EventData>
</Event>

--------------------

Log Name:      System
Source:        Microsoft-Windows-DistributedCOM
Date:          3/4/2011 9:51:25 AM
Event ID:      10009
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      HELIX.hungermountain.com
Description:
DCOM was unable to communicate with the computer zenith using any of the configured protocols.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
    <EventID Qualifiers="49152">10009</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-03-04T14:51:25.000000000Z" />
    <EventRecordID>16324</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>HELIX.hungermountain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">zenith</Data>
    <Binary>
    </Binary>
  </EventData>
</Event>
Question by:HungerMountain
10 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35037654
Post dcdiag
0
 

Author Comment

by:HungerMountain
ID: 35038065
 Attached is the output of dcdiag run on all three servers.  

Thor failed System Log, but I don't think it is related.  We commonly get these errors for users and computers and have concluded they can be ignored.  Here is an example of one of the events for a user "bibiu":

Event Type:      Error
Event Source:      KDC
Event Category:      None
Event ID:      27
Date:            3/4/2011
Time:            11:27:33 AM
User:            N/A
Computer:      THOR
Description:
While processing a TGS request for the target server krbtgt/HUNGERMOUNTAIN.COM, the account bibiu@HUNGERMOUNTAIN.COM did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  1.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

20110304-Zenith-DCDiag.txt
20110304-Thor-DCDIAG.txt
20110304-HELIX-DCDIAG.TXT
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35038148
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35038165
0
 

Author Comment

by:HungerMountain
ID: 35038594
Hi dariusq,

Thanks for the links.  However they seem to relate to the Event 27 in Thor's system log, not my original questions on FRSdiag.  I have seen the first two before when we were obsessing on the Event 27 error and trying to remove it quite a while ago.  In particular, I noted the response below that said it could be ignored:

Resolution

The Event ID 27 error that is being logged on the Windows Server 2003 domain controller can safely be ignored as it is by design. The domain controller is just informing the client what encryption types it supports. The Windows Server 2008 servers are then falling back to one of the supported encryption types. It is possible to modify the default encryption type that Windows Server 2008 uses. This will prevent the error from being logged on the Windows Server 2003 domain controller. You will have to add the following registry value to the Windows Server 2008 servers.

HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Parameters
Value Name: DefaultEncryptionType
Value Type: Reg_DWORD
Value Data: 0x17(23)

We DID add the above key to both of the Server 2008R2 domain controllers (Zenith and Helix) long ago, but contrary to the advice given, it did NOT prevent the event from being logged on the 2003 server Thor.  So we decided to heed the first part of the advice and simply ignore them since there is no functional problem and we will retire Thor as a domain controller in a year or less.

But I don't understand how the Event 27 on Thor could have any bearing on the RPC Server unavailable error issued when FRSdiag on Helix tried to query Zenith for its DomainRole.  I suppose the slow processing on Thor could perhaps be related, but Helix did not record any events with regard to Thor.

So I am back to my base question regarding whether FRSdiag 1.7 works normally in a 64-bit environment of Server 2008R2.  It DOES work; just slowly on Thor and with that initial complaint re Zenith RPC.  I can continue running it from Thor until it is retired since it works faster there, and it does process Zenith after complaining, so none of these issues are critical problems.  I just wonder if I'm the only one experiencing these issues and what the best practice for quickly checking the health of a domain is where Server 2008R2 domain controllers are installed.  It's much easier to run FRSdiag pointed to all three servers than to log into each one and run dcdiag and repadmin /showreps.  Plus you get a snapshot of the current health status in case you want to go back and see when a problem might have begun.

Regards,

Ravi

P.S.  The third link you sent is broken for me:   http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/ecf15eb9-26cf-483b-b1e3-1b1c7e4901e80
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35038627
I don't like FRSDIAG in a Windows 2008 server running within a domain.

Repadmin is a better solution. You should be running your tests from each DC; that gives you a better look at these systems.

Dcdiag is a good tool as well.

But you are not having FRS issues; you would see this in the dcdiag.
0
 

Author Comment

by:HungerMountain
ID: 35039018
Thanks.  Given the issues I'm experiencing I understand your perspective.  I'm not thrilled about using a program written in 2003 on a 64-bit 2008 OS either.

Perhaps someone else can suggest an updated solution.  FRSdiag does run repadmin on each selected server, but it doesn't display the full results like you get if you log in and run it.  I think you are right that you don't get the same information as running dcdiag.  I do run it occasionally, but lately I'd begun to rely on frsdiag.  Maybe that wasn't such a great idea.  Those event 27 errors that pop up in dcdiag are aggravating even if they can be safely ignored.  Perhaps that's why I quit running it so often. :)

Regards,

Ravi
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35039250
FRSDiag shouldn't be run on a Windows 2008 Server.
0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 35040119
Sorry, meant to say FRSDiag is currently not supported under Windows 2008 Server as well.
0
 

Author Closing Comment

by:HungerMountain
ID: 35056890
Still wish someone would write a functionally equivalent replacement that is supported under 2008R2.

Oh well...
0
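The dcdiag and repadmin checks recommended in the thread, plus the SPN lookup that the Kerberos Event 4 text asks for, can be collected for every DC from one machine into a dated snapshot folder. The script below is an added example, not part of the original thread and not a Microsoft tool; the output folder and file names are assumptions, and the server and domain names are the ones from the question.

```powershell
# Added example: one dated snapshot of dcdiag, repadmin and SPN lookups per DC.
# Assumptions: run elevated on a 2008 R2 DC (or a host with the AD DS tools);
# $OutRoot is a hypothetical folder; DC names and domain come from the question.
$DomainControllers = 'thor', 'helix', 'zenith'
$DnsSuffix = 'hungermountain.com'
$OutRoot   = 'C:\DCHealth'
$OutDir    = Join-Path $OutRoot (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$summary = foreach ($dc in $DomainControllers) {
    $fqdn = "$dc.$DnsSuffix"

    # dcdiag /s:<server> runs the test suite against a remote DC.
    $dcdiag = & dcdiag.exe "/s:$fqdn" 2>&1
    $dcdiag | Out-File (Join-Path $OutDir "$dc-dcdiag.txt")

    # Full inbound replication status, as seen when run on the DC itself.
    $repl = & repadmin.exe /showrepl $fqdn 2>&1
    $repl | Out-File (Join-Path $OutDir "$dc-showrepl.txt")

    # RPCSS/<host> is an alias of the HOST/<host> SPN, so query HOST to see
    # which account(s) hold it; more than one holder is a duplicate SPN.
    $spn = & setspn.exe -Q "HOST/$fqdn" 2>&1
    $spn | Out-File (Join-Path $OutDir "$dc-spn.txt")

    # Counts rely on the tools' usual English output text (an assumption).
    New-Object PSObject -Property @{
        DC           = $dc
        FailedTests  = @($dcdiag | Select-String 'failed test').Count
        ReplFailures = @($repl   | Select-String 'Last attempt .* failed').Count
        SpnHolders   = @($spn    | Select-String '^CN=').Count
    }
}

# Domain-wide replication summary for the same snapshot.
& repadmin.exe /replsummary 2>&1 | Out-File (Join-Path $OutDir 'replsummary.txt')

$summary | Format-Table DC, FailedTests, ReplFailures, SpnHolders -AutoSize
"Snapshot written to $OutDir"
```

An SpnHolders value other than 1 for a DC corresponds to the missing or duplicated SPN condition that the Kerberos Event 4 description warns about.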
