  • Status: Solved
  • Priority: Medium
  • Security: Public
Windows Server 2008 R2 Distributed File System issues

OK, I will make this short and provide details as requested, and it may just be a silly question.

I have two Server 2K8 R2 SP1 servers running DFS replication.  I have verified that this works as expected.  But, when I try to use the 'Diagnostic Reports' in the DFS management MMC, it fails every time with a DCOM issue:

Cannot connect to reporting DCOM server.  
  Description: The RPC server is unavailable.  
  Last occurred: Tuesday, April 26, 2011 at 2:18:43 PM (GMT-6:00)
  Suggested action: Verify that the DFS Replication Service is installed on the server and that RPC traffic is not blocked by firewalls or port filtering. For information about troubleshooting RPC issues see RPC KB 839880.  

The firewall is not blocking this traffic, so I am at a loss why the actual replication works but not the test?

David Griswold

Asked by: david_griswold

1 Solution
Justin Owens (ITIL Problem Manager) commented:
Do you also get DCOM errors when using command line management (DFSCMD)?  When this failure occurs, does anything show up in the Event Logs?

DrUltima
david_griswold (Author) commented:
The "DFSCMD /view <share> /full" command returns what is expected without errors.

Here is the event error when running the report:

Log Name:      System
Source:        Microsoft-Windows-DistributedCOM
Date:          4/27/2011 10:56:56 AM
Event ID:      10009
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      OW-FS03.domain.local
Description:
DCOM was unable to communicate with the computer ow-fs01.domain.local using any of the configured protocols.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
    <EventID Qualifiers="49152">10009</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-04-27T15:56:56.000000000Z" />
    <EventRecordID>1913</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>OW-FS03.domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">ow-fs01.domain.local</Data>
    <Binary>[binary data not preserved on this page]</Binary>
  </EventData>
</Event>
Justin Owens (ITIL Problem Manager) commented:
10009 is a pretty generic error and can be caused by a host of different things, from drivers to peripheral hardware to viruses to misconfiguration in the system.  Can you give us a little more info on what is on that server, what it does other than DFS, etc.?

DrUltima
david_griswold (Author) commented:
I think I have discovered the issue.  It is a firewall issue, but not blocking - NATting.  I will have to wait until tonight to push out the updated policy.

David
Justin Owens (ITIL Problem Manager) commented:
That would definitely be problematic. I will continue to monitor and wait for your update.

DrUltima
david_griswold (Author) commented:
OK, so the NATting issue was a non-issue.  Traffic is going through - there is no blocking of ports 135 or 445 or any other ports.  I have TCPDUMPs from my firewall that show the traffic.  I am at a loss now.  Let me know if you would like to see that TCPDUMP file.

David
david_griswold (Author) commented:
Well, I think I found the solution and it is the firewall if this is correct.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk33371

I will push policy tonight and test and update the question tomorrow.

David
Justin Owens (ITIL Problem Manager) commented:
Thanks for the update!  I will continue to monitor...

DrUltima
david_griswold (Author) commented:
So, it was a combination of things that needed to be changed to allow the DCOM traffic.

1) The 'Any' entry in Services does not include all of the services needed for DCE-RPC to work correctly, so instead you have to either create an explicit group of services that includes all the services you want to allow plus a service called 'ALL_DCE_RPC', or create a new security rule for just 'ALL_DCE_RPC'.
2) Smart Defense by default may block some of the DCE-RPC traffic that is required, so you have to disable those rules if you are on the version of Checkpoint that we are on (R65).  It is supposed to be fixed in a later version.
3) I had to configure the Windows servers that needed to communicate with each other via DCOM to use a smaller, lower set of ports (5000-5100) for the dynamic ports they use to communicate on.  This has to be done either via the registry or in the 'Component Services' admin tool.
4) Then I had to create a new Checkpoint service definition for the dynamic port range and include that in the security rules for communication between the servers in question.

http://support.microsoft.com/kb/154596

Maybe I should start answering other people's questions!

David
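Step 3 of David's fix, as an added PowerShell example that is not part of the original thread: it writes the RPC dynamic-range values documented in Microsoft KB 154596 under HKLM\SOFTWARE\Microsoft\Rpc\Internet for the 5000-5100 range and reads them back so the result can be matched against the firewall service definition. The 100-port minimum check follows that KB's guidance; the range itself is the one chosen in the thread and is an assumption for your environment.

```powershell
# Added example (not from the original thread): pin the RPC/DCOM dynamic
# port range on a Windows Server 2008 R2 host to 5000-5100 via the registry
# keys from Microsoft KB 154596, then read the values back to verify them.
# Run from an elevated PowerShell session; the change takes effect after a reboot.

$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$range  = '5000-5100'   # assumed: the range used in the thread; match your firewall rule

# Sanity check: KB 154596 recommends a range of at least 100 ports.
$lo, $hi = $range -split '-' | ForEach-Object { [int]$_ }
if (($hi - $lo + 1) -lt 100) {
    Write-Warning "Range $range has fewer than 100 ports; RPC endpoint allocation may fail."
}

# The Internet subkey does not exist by default; create it when missing.
if (-not (Test-Path $rpcKey)) {
    New-Item -Path $rpcKey -Force | Out-Null
}

# Ports is REG_MULTI_SZ (one range per entry); the two flags are REG_SZ 'Y'.
New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString `
    -Value @($range) -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# Read back what was written (PowerShell 2.0 compatible object construction).
$cfg = Get-ItemProperty -Path $rpcKey
New-Object PSObject -Property @{
    Ports                  = ($cfg.Ports -join ',')
    PortsInternetAvailable = $cfg.PortsInternetAvailable
    UseInternetPorts       = $cfg.UseInternetPorts
} | Format-List
```

Apply the same range on every host that must talk over DCOM, then allow TCP 135 plus this range between them in the firewall policy; the Component Services MMC (Default Protocols tab) edits the same values.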
david_griswold (Author) commented:
I was able to find an answer to my own issues.  In hindsight, this was as much a Checkpoint firewall issue as it was a MS Server issue, so I should have put it in that category as well.