Getting a RPC error when running dcpromo in a Win2008R2 server to 2003 AD

Hi,

I have a 2003 Active Directory with 2003 domain and forest level. I am putting a W08R2 server on the domain and promoting it to DC.
The R2 is in a remote office which is connected to the main office (HQ) and DC by a firewall IPsec VPN that works fine.
On the 2003 DC I created the Sites and subnets.
I joined the R2 to the domain, making it a member server.
I ran adprep32 /forestprep, adprep32 /domainprep and adprep32 /domainprep /gpprep from the R2 files on the 2003 DC. All completed okay.
On R2 I added AD DS from Roles, then ran dcpromo. It was installing the DNS and GC roles and syncing and updating from the AD schema, then I get the error attached: "The RPC server is unavailable" and then it fails.
I am logged on and using the administrator account that is a member of the Domain/Enterprise/Schema Administrators groups.
The DNS1 on the R2 server is pointing to the DNS server in HQ and pinging okay.
On the R2 server in services.msc I can connect to another computer and select the DC in HQ no problem.
I added the below reg entry as a fix for my problem:
1. Start Registry Editor.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Note: If the Parameters key does not exist, create it now.
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type MaxPacketSize, and then press ENTER.
5. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
6. Quit Registry Editor.
7. Restart your computer.

This was to force Kerberos to use TCP instead of UDP in Windows but did not work, even with a QWORD entry as it's 64-bit.
This did not work, as the packets were still in UDP (checked sessions on my FortiGate firewall).

So I am stuck and need some expert help. I will be watching replies so will give a quick reply.

Thank You.

GNS


dcpromo-error.jpg
Asked by ggntt

Krzysztof Pytko (Active Directory Engineer) Commented:
Please ensure that you have all necessary ports allowed on your firewall or router ACLs. To verify which ports are required, see this MS article at
http://technet.microsoft.com/en-us/library/bb727063.aspx

Regards,
Krzysztof

Darius Ghassem Commented:
Looks like a firewall issue like iSiek stated.

Run dcdiag on primary as well and post

ggntt (Author) Commented:
Thanks for the reply.

My firewall rule allows all services through the VPN tunnel from the Remote Site where R2 is to HQ where the 2003 DC is.
See attached.

Thanks.

GNS
Firewall-rule.jpg

ggntt (Author) Commented:
Results of the dcdiag on 2003 DC

C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Timahoe\BRADYSRV1
      Starting test: Connectivity
         ......................... BRADYSRV1 passed test Connectivity

Doing primary tests

   Testing server: Timahoe\BRADYSRV1
      Starting test: Replications
         ......................... BRADYSRV1 passed test Replications
      Starting test: NCSecDesc
         ......................... BRADYSRV1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... BRADYSRV1 passed test NetLogons
      Starting test: Advertising
         ......................... BRADYSRV1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... BRADYSRV1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... BRADYSRV1 passed test RidManager
      Starting test: MachineAccount
         ......................... BRADYSRV1 passed test MachineAccount
      Starting test: Services
         ......................... BRADYSRV1 passed test Services
      Starting test: ObjectsReplicated
         ......................... BRADYSRV1 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... BRADYSRV1 passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... BRADYSRV1 failed test frsevent
      Starting test: kccevent
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 10/06/2011   14:57:45
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 10/06/2011   14:57:45
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 10/06/2011   15:02:46
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 10/06/2011   15:02:46
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 10/06/2011   15:07:47
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 10/06/2011   15:07:48
            (Event String could not be retrieved)
         ......................... BRADYSRV1 failed test kccevent
      Starting test: systemlog
         ......................... BRADYSRV1 passed test systemlog
      Starting test: VerifyReferences
         ......................... BRADYSRV1 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : Brady
      Starting test: CrossRefValidation
         ......................... Brady passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Brady passed test CheckSDRefDom

   Running enterprise tests on : Brady.ad
      Starting test: Intersite
         ......................... Brady.ad passed test Intersite
      Starting test: FsmoCheck
         ......................... Brady.ad passed test FsmoCheck

C:\Program Files\Support Tools>
ggntt (Author) Commented:
Hi,

I have now opened up all necessary ports on both firewalls, but it is still not working.

- GNS

Krzysztof Pytko (Active Directory Engineer) Commented:
Please recreate the Site link between these 2 sites (delete the old one and create a new one). After that, run on your DC in the command line

Repadmin /syncall

and wait until replication finishes. Rerun dcpromo and

Repadmin /showrepl /all /intersite /verbose

Krzysztof

ggntt (Author) Commented:
Hi,

I actually get a different RPC error this time. Getting closer. I can see changes on the 2003 AD, like the remote site now has the New Server added in.

-GNS
dcpromo-error--2.jpg

ggntt (Author) Commented:
Hi iSiek,

As the R2 is not yet a DC there is no site link, just the server name. See pic.

-Thanks

GNS
Sites-AD.jpg

ggntt (Author) Commented:
Ah, I know what you mean. I deleted the site and recreated it again, but it still fails on dcpromo.

Sandeshdubey Commented:
It seems your Windows 2003 DC FRS is in the Journal Wrap error state. Check the FRS event log.
If it is in the Journal Wrap error state, rebuild the SYSVOL by auth and non-auth restore. Take a backup of the SYSVOL folder of all DCs and then proceed with the same. If a single 2003 DC is present you need to do an auth restore (D4).
http://support.microsoft.com/kb/290762

Also check the below ports are open on the firewall.
Port Assignments for Active Directory Replication

Service Name     UDP     TCP
LDAP             389     389
LDAP                     636
GC                       3268
Kerberos         88      88
DNS              53      53
SMB over IP      445     445

Once done you can proceed with promotion of the DC.

ggntt (Author) Commented:
Hi Guys,

UPDATE:
I took the R2 server to the HQ last night and dcpromo worked. And replication ran okay. I only had it on the network for 35 mins before I powered down the new R2 DC. I am back in the remote office now and still need to resolve the RPC error, so it must be a connection, rules, traffic or ports issue.

The firewall VPN link between the two sites allows "any" service through. I still created all the customised services stated by Krzysztof in the MS link (BELOW) on both firewalls and amended the rule for the VPN link to allow any and the custom services, but still no luck.

RPC endpoint mapper: 135/tcp, 135/udp
Network basic input/output system (NetBIOS) name service: 137/tcp, 137/udp
NetBIOS datagram service: 138/udp
NetBIOS session service: 139/tcp
RPC dynamic assignment: 1024-65535/tcp
Server message block (SMB) over IP (Microsoft-DS): 445/tcp, 445/udp
Lightweight Directory Access Protocol (LDAP): 389/tcp
LDAP ping: 389/udp
LDAP over SSL: 636/tcp
Global catalog LDAP: 3268/tcp
Global catalog LDAP over SSL: 3269/tcp
Kerberos: 88/tcp, 88/udp
Domain Name Service (DNS): 53/tcp, 53/udp

Thanks

-GNS

Krzysztof Pytko (Active Directory Engineer) Commented:
Please try to run the portyqry command-line tool on your R2 in the remote location to check if all ports are really accessible. If not, then we will know which one is blocked.

In case that tool is not available on your server, please download it from MS
http://www.microsoft.com/download/en/details.aspx?id=17148

and a short description of that tool is also on the MS site at
http://support.microsoft.com/kb/832919

Krzysztof

Krzysztof Pytko (Active Directory Engineer) Commented:
*portqry not portyqry (typo) ;)

Krzysztof

ggntt (Author) Commented:
Hi,

I pinged the 2003 DC and got the IP of the server's 2nd NIC that is on a separate network. I logged on to the 03 server and in that NIC's properties I unticked "register in DNS". Then deleted the record for that IP in DNS. On R2 I ran flushdns and pinged again and got the proper IP. I ran the replicate now in Sites and watched the logs. Every time I reboot the R2 server the DNS service starts and then stops. Now in the logs there is no error in FRS or DS.

-GNS

Krzysztof Pytko (Active Directory Engineer) Commented:
It looks like you have a multihomed DC. So, for that please read this MS article and fix your DC with multiple NICs:
http://support.microsoft.com/kb/272294

Krzysztof

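Pulling together the portqry suggestion and the multihomed-DC point, the following is an added PowerShell 2.0 check written for this thread (not code from any of the participants): run from the remote R2 server, it resolves every IPv4 address the HQ DC name returns and attempts a TCP connect to each fixed AD port from the MS list quoted above, so a second NIC's address that the VPN cannot reach shows up as a row of blocked ports. The DC FQDN BRADYSRV1.Brady.ad is assumed from the dcdiag output and the 3-second timeout is an assumption.

```powershell
# Added example (not from the thread): from the remote R2 server, resolve the
# HQ DC name and TCP-connect to each fixed AD port from the MS list quoted above.
param(
    [string]$DcName    = 'BRADYSRV1.Brady.ad',   # assumed FQDN, built from the dcdiag output
    [int]   $TimeoutMs = 3000                    # assumed connect timeout in milliseconds
)

# Fixed TCP ports only. 135 is the endpoint mapper that hands out the dynamic
# RPC ports (1024-65535/tcp), which cannot be probed one by one; UDP has no
# handshake to observe, so the UDP services are left to portqry.
$tcpPorts = @{
    135  = 'RPC endpoint mapper'; 139 = 'NetBIOS session';  445  = 'SMB over IP'
    389  = 'LDAP';                636 = 'LDAP over SSL';    3268 = 'Global catalog'
    3269 = 'GC over SSL';         88  = 'Kerberos';         53   = 'DNS'
}

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, $Port, $null, $null)
        # No SYN/ACK within the timeout: filtered by the firewall or unroutable
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)   # throws on an active refusal (RST)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# A multihomed DC registers every NIC in DNS (KB272294). If one of the returned
# addresses is on a subnet the VPN does not carry, a client that picks it gets
# "The RPC server is unavailable" even with an allow-any firewall rule.
$addresses = @([System.Net.Dns]::GetHostAddresses($DcName) |
               Where-Object { $_.AddressFamily -eq 'InterNetwork' })
if ($addresses.Count -gt 1) {
    Write-Warning ('{0} resolves to {1} IPv4 addresses; check for a multihomed DC' -f $DcName, $addresses.Count)
}
foreach ($ip in $addresses) {
    $ipText = $ip.ToString()
    foreach ($port in ($tcpPorts.Keys | Sort-Object)) {
        $ok    = Test-TcpPort -Address $ipText -Port $port -TimeoutMs $TimeoutMs
        $state = if ($ok) { 'open' } else { 'BLOCKED or unreachable' }
        '{0,-15} {1,5}/tcp  {2,-20} {3}' -f $ipText, $port, $tcpPorts[$port], $state
    }
}
```

A row that is blocked for one address and open for another is the multihomed symptom; a port blocked for every address is the firewall or VPN policy.
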
ggntt (Author) Commented:
Thanks Krzysztof, I did that.

Krzysztof Pytko (Active Directory Engineer) Commented:
OK, is it possible to disable that additional NIC on your DC to check if that causes the replication problem? If so, please disable it and check once again.

Krzysztof

ggntt (Author) Commented:
Sorry, I meant I have just done that after your post, rather than I had done that before.

Krzysztof Pytko (Active Directory Engineer) Commented:
OK :) So, let's wait for results. If you have any progress with replication and DNS service, please let me know.

Krzysztof

ggntt (Author) Commented:
Hi

I have opened a web portal chat with Fortinet (firewall) support, as when I break the link between the two DCs I cannot open up AD Users & Computers nor Sites on R2 as it cannot contact the domain!!
Still some issues, as it should get that info from itself.

-GNS

ggntt (Author) Commented:
It works. The SYSVOL and NETLOGON folders appear as shares on the R2, and it's recognised as a DC.

Thanks all.

I have a lot of hours to catch up on, so I will post the solution(s) when finished.

Thanks,

-GNS