Solved

Event IDs 1645, 1655, and 1126 on 2008 R2 DC

Posted on 2011-03-15
Last Modified: 2013-01-24
I have 3 DCs in a domain (see related question for more info). On my DC that holds 4 of the 5 FSMO roles, I am getting the 3 errors below in the order listed. We had an old DC that has been removed from the domain but I have verified its removal in all aspects of DNS and AD.

Event ID 1645:
Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
 
Destination directory server:
\\Fileserv3.naaccr.local
SPN:
GC/Fileserv3.naaccr.local/naaccr.local@naaccr.local
 
User Action
Verify that the names of the destination directory server and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination directory server has been recently promoted, it will be necessary for the local directory server's account data to replicate to the KDC before this directory server can be authenticated.

Event ID 1655:
Active Directory Domain Services attempted to communicate with the following global catalog and the attempts were unsuccessful.
 
Global catalog:
\\Fileserv3.naaccr.local
 
The operation in progress might be unable to continue. Active Directory Domain Services will use the domain controller locator to try to find an available global catalog server.
 
Additional Data
Error value:
1396 Logon Failure: The target account name is incorrect.

Event ID 1126:
Active Directory Domain Services was unable to establish a connection with the global catalog.
 
Additional Data
Error value:
8430 The directory service encountered an internal failure.
Internal ID:
3200db0
 
User Action:
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.

The error messages above appear once per hour starting 15 minutes after AD DS is restarted. When I force replication using the Sites & Services snap-in, everything looks fine and I get no error messages. repadmin shows all replication completed successfully. dcdiag shows everything is OK except for the errors listed above and Event ID 1055 saying that the processing of group policy failed and Event ID 40961 saying that the Security System could not establish a secured connection with the server <name of local server>. No authentication protocol was available. The only odd thing I've encountered is that when I ping the server from itself, it returns the IPv6 address instead of the IPv4 address. I tried forcing it to return IPv4 by using the hosts file but I received the same errors after restarting AD DS.
0
Question by:Maximus5684
7 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
Go to Network Connections and change the binding order so IPv4 is listed first.

http://thebackroomtech.com/2009/01/15/howto-edit-network-card-bindings-in-windows-server-2008/
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Check over these as well.

http://technet.microsoft.com/en-us/library/cc756429(WS.10).aspx

http://support.microsoft.com/kb/305837

Make sure time is synced properly.

Is the server the event is stating it is having issues with working properly?
0
 
LVL 10

Expert Comment

by:Muzafar Momin
Please share the result of dcdiag.
0
 
LVL 3

Author Comment

by:Maximus5684
The binding order is correct (IPv4 first on both protocols). The SPNs are correct and replication is happening properly. Time sync also seems to be happening properly, but I'm really not sure on this one because I don't know how to properly check it.

Yes, these events are happening on the server that is having the problem. Other clients are also having trouble getting group policy from the server. I'm getting RSoP errors on my local machine and a few others. I'm also getting this error on my local machine: The Security System could not establish a secured connection with the server LDAP/mailserv2.naaccr.local/naaccr.local@NAACCR.LOCAL (different server than the one with the errors). No authentication protocol was available.

Here are the results of DCDiag:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Fileserv3
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\FILESERV3
      Starting test: Connectivity
         ......................... FILESERV3 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\FILESERV3
      Starting test: Advertising
         ......................... FILESERV3 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... FILESERV3 passed test FrsEvent
      Starting test: DFSREvent
         ......................... FILESERV3 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... FILESERV3 passed test SysVolCheck
      Starting test: KccEvent
         ......................... FILESERV3 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... FILESERV3 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... FILESERV3 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... FILESERV3 passed test NCSecDesc
      Starting test: NetLogons
         ......................... FILESERV3 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... FILESERV3 passed test ObjectsReplicated
      Starting test: Replications
         ......................... FILESERV3 passed test Replications
      Starting test: RidManager
         ......................... FILESERV3 passed test RidManager
      Starting test: Services
         ......................... FILESERV3 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 03/16/2011   08:19:39
            Event String:
            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 03/16/2011   08:24:40
            Event String:
            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 03/16/2011   08:29:41
            Event String:
            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 03/16/2011   08:34:42
            Event String:
            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 03/16/2011   08:39:43
            Event String:
            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 03/16/2011   08:44:44
            Event String:
            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
         A warning event occurred.  EventID: 0x0000A001
            Time Generated: 03/16/2011   08:49:14
            Event String:
            The Security System could not establish a secured connection with the server LDAP/Fileserv3.naaccr.local/naaccr.local@NAACCR.LOCAL. No authentication protocol was available.
         A warning event occurred.  EventID: 0x0000A001
            Time Generated: 03/16/2011   08:49:44
            Event String:
            The Security System could not establish a secured connection with the server ldap/Fileserv3.naaccr.local/naaccr.local@NAACCR.LOCAL. No authentication protocol was available.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 03/16/2011   08:49:45
            Event String:
            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 03/16/2011   08:54:46
            Event String:
            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 03/16/2011   08:59:47
            Event String:
            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 03/16/2011   09:04:48
            Event String:
            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
         An error event occurred.  EventID: 0x000003EE
            Time Generated: 03/16/2011   09:09:49
            Event String:
            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
         ......................... FILESERV3 failed test SystemLog
      Starting test: VerifyReferences
         ......................... FILESERV3 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : naaccr
      Starting test: CheckSDRefDom
         ......................... naaccr passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... naaccr passed test CrossRefValidation

   Running enterprise tests on : naaccr.local
      Starting test: LocatorCheck
         ......................... naaccr.local passed test LocatorCheck
      Starting test: Intersite
         ......................... naaccr.local passed test Intersite
0
 
LVL 3

Accepted Solution

by:Maximus5684
I think I'm seeing something that might be causing all of this. I have one domain controller that is also my Certification Authority for the domain (Mailserv2). From looking at the issued and revoked certificates in the Certification Authority snap-in on that machine, it looks like I might have accidentally revoked the wrong certificate when I took my old DC out of service. My other two DCs look to have valid, unexpired certificates but the root CA does not and there is a revoked certificate with that DC/CA's name on it with the reason of "Cease of Operation" (which is what I would have chosen when revoking the old DC's certificate [the old DC was a secondary CA]). Perhaps I chose the wrong DC when revoking the certificate and now the whole chain no longer trusts the root CA because it doesn't (and can't because of the revocation) have a valid certificate assigned to it. That seems like it would make sense with all the KDC and authentication errors. Please let me know if this sounds correct, and if so, how to fix it.

Thanks.
0
 
LVL 3

Author Closing Comment

by:Maximus5684
No one seemed to come to this conclusion and no one offered a solution after I made this comment. I uninstalled certificate services on our CA after revoking all certificates, then installed it on a new server and re-issued all certificates. This solved the problem.
0
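
The checks raised in this thread (SPN registration from Event 1645, time sync, global catalog location via nltest, and the validity of the DC's certificates), gathered into one read-only PowerShell pass. This is an added example, not something posted by the thread's participants; it assumes an elevated session on the affected DC and reuses the host, domain and SPN names quoted in the events above.

```powershell
# Added example: read-only diagnostics, nothing here changes AD or the CA.
# Names below are the ones quoted in the events on this page.
$Domain = 'naaccr.local'
$Dc     = 'Fileserv3.naaccr.local'
$Spns   = "GC/$Dc/$Domain", "ldap/$Dc/$Domain"

# 1. Event 1645: each SPN should resolve to exactly one account.
#    Zero means "not registered"; more than one means a duplicate SPN,
#    which also breaks Kerberos ticket requests for that service.
foreach ($spn in $Spns) {
    $out  = setspn -Q $spn
    $hits = @($out | Where-Object { $_ -match '^CN=' })
    '{0,-55} found on {1} account(s)' -f $spn, $hits.Count
    $hits
}

# 2. Time sync: Kerberos allows 5 minutes of clock skew by default.
#    /query shows this DC's source and last sync; /monitor compares all DCs.
w32tm /query /status
w32tm /monitor "/domain:$Domain"

# 3. Event 1126: ask the DC locator for a global catalog.
nltest "/dsgetdc:$Domain" /gc

# 4. Certificates in the computer store: build each chain with online
#    revocation checking so a revoked or expired certificate is reported.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $valid = $chain.Build($_)
    New-Object PSObject -Property @{
        Subject  = $_.Subject
        Issuer   = $_.Issuer
        NotAfter = $_.NotAfter
        Valid    = $valid
        Status   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
} | Format-List Subject, Issuer, NotAfter, Valid, Status
```

A `Status` of `Revoked`, or `RevocationStatusUnknown` when the CRL cannot be fetched, points at the certificate side of the problem rather than at SPNs or time.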
 

Expert Comment

by:hugonieto
Hi guys!! I have a similar issue with Event ID 1126!! One of my servers can't communicate with the GC and can't replicate... Here is the link to my post! Do you think you can give me a hand?


http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28007396.html#a38815319




Thanks!
0
