Windows 2008 R2 DC RPC, LDAP Bind Failures

Posted on 2013-02-01
Last Modified: 2013-09-09
Just recently one of our DCs at a remote site is no longer replicating to our primary data center/site.

From the affected DC and local clients at site B:

1. Unable to browse \\SiteA-DC\netlogon
2. Unable to connect to network shares on SiteA-DC
3. I am able to browse by IP\share of SiteA-DC
4. Domain clients at Site B are unable to auth to domain shares at site A

See attached DCDiag output
mf1tam-dcdiag.txt
Question by:Freda Driscoll-Sbar
11 Comments
 

Expert Comment

by:Thomas Grassi
ID: 38843761
 

Author Comment

by:Freda Driscoll-Sbar
ID: 38843786
trgrassijr55,

We have no firewall blocking traffic between the two sites. I have disabled IPv6, but the problem still persists...

Any other thoughts?
 

Expert Comment

by:Thomas Grassi
ID: 38843850
 

Author Comment

by:Freda Driscoll-Sbar
ID: 38844406
trgrassijr55,

I have seen that article and went through it, it doesn't exactly apply.
 

Author Comment

by:Freda Driscoll-Sbar
ID: 38844418
Again, it is very strange: the DC that's reporting these problems can browse via \\IPaddress\netlogon but not by name or FQDN. This also applies to the domain clients that are at this site.
 

Expert Comment

by:Sarang Tinguria
ID: 38845085
Try the steps below on the culprit DC (STITCH).

Secure channel between the DCs broken:

Follow these steps to reset the KDC password, taken from
http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/

1. Stop the Key Distribution Center (KDC) service on Server2. To do so, open a Command Prompt, type net stop KDC, and press Enter.

2. Load Kerbtray.exe. You can do so by clicking Start, clicking Run, and then typing c:\program files\resource kit\kerbtray.exe and pressing Enter. You should see a little green ticket icon in your system tray in the lower right corner of your desktop.

3. Purge the ticket cache on Server2: right-click the green ticket icon in your system tray, and then click Purge Tickets. You should receive a confirmation that your ticket cache was purged. Click OK.

4. Reset the Server domain controller account password on Server1 (the PDC emulator). To do so, open a command prompt and type: netdom /resetpwd /server:server2 /userd:domain.com\administrator /passwordd:password, and then press Enter.

5. Synchronize the domain. To do so, open a command prompt, type repadmin /syncall, and then press Enter.

6. Start the KDC service on Server2. To do so, open a command prompt, type net start KDC, and press Enter. This completes the process, and the domain controllers should be replicating successfully now.
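The six steps above, gathered into one PowerShell script as an added example; this is not code from the comment or from the linked blog post. The symptom reported earlier in the thread (shares reachable by \\IP\share but not by name) is consistent with a Kerberos failure rather than a network one, because Windows negotiates NTLM for an IP-address UNC path and Kerberos for a name, so the script starts by showing the machine's Kerberos tickets and per-partner replication failures before it changes anything. It only runs the reset sequence when invoked with -Reset, which speaks to the author's reluctance to run the procedure against a DC that may be fine. klist (built into Windows 7 / Server 2008 R2) replaces Kerbtray, and netdom is used with its actual semantics: `netdom resetpwd` runs on the DC whose computer-account password is being reset, and /server: names the DC that receives the new password (the PDC emulator). The names domain.com and SERVER1 are placeholders.

```powershell
# Added example, not from the thread or the linked blog: check a DC's Kerberos and
# replication state first, then run the KB 325850 reset sequence only when -Reset is
# given. Run elevated ON the DC whose computer-account password is suspect
# ("Server2" in the steps above). Placeholder names: change $Domain and $PdcEmulator.
param(
    [string]$Domain      = 'domain.com',   # assumption: the poster's placeholder domain
    [string]$PdcEmulator = 'SERVER1',      # assumption: DC that will store the new password
    [switch]$Reset
)

function Get-ReplicationFailures {
    # repadmin /showrepl /csv lists each inbound partner with its failure count and last status.
    # "Access is denied" or "target principal name is incorrect" here is the classic sign of a
    # DC machine-account password that no longer matches what its partners hold.
    repadmin /showrepl /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status'
}

Write-Host "== Netlogon secure channel to $Domain =="
nltest /sc_verify:$Domain

Write-Host '== Kerberos tickets of the SYSTEM logon session (LUID 0x3e7), used by the secure channel =='
klist -li 0x3e7 tickets

Write-Host '== Inbound replication partners with failures =='
$failures = @(Get-ReplicationFailures)
if ($failures.Count -eq 0) { Write-Host '  none' } else { $failures | Format-Table -AutoSize }

if (-not $Reset) {
    if ($failures.Count -gt 0) { Write-Host 'Replication failing; re-run with -Reset to perform the password reset.' }
    return
}

# ---- Reset sequence, in the KB 325850 order ---------------------------------------
Write-Host 'Stopping KDC so this DC stops issuing tickets while its key changes...'
Stop-Service -Name Kdc -Force

Write-Host 'Purging the SYSTEM session ticket cache (replaces the Kerbtray step)...'
klist -li 0x3e7 purge

Write-Host "Resetting this DC's computer-account password; new value written to $PdcEmulator..."
# netdom resetpwd acts on the local computer account; /server: is the DC that receives the
# new password. /passwordd:* prompts so the admin password never lands in command history.
netdom resetpwd /server:$PdcEmulator /userd:"$Domain\administrator" /passwordd:*
if ($LASTEXITCODE -ne 0) {
    Write-Warning "netdom failed (exit $LASTEXITCODE); restarting KDC and stopping."
    Start-Service -Name Kdc
    return
}

Write-Host 'Forcing replication of all partitions with all partners (push, cross-site)...'
repadmin /syncall /AdeP

Write-Host 'Restarting KDC...'
Start-Service -Name Kdc

Write-Host '== Post-reset: partners still failing =='
$after = @(Get-ReplicationFailures)
if ($after.Count -eq 0) { Write-Host '  none' } else { $after | Format-Table -AutoSize }
```

Run it once without -Reset and read the replication table: if no partner reports failures, the machine-account password is not the problem and the reset should not be run. The KDC is stopped only for the window between the purge and the resync, and it is restarted on the failure path as well so the DC is never left without a ticket-granting service.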
 

Author Comment

by:Freda Driscoll-Sbar
ID: 38845119
Removing the GC role and taking the problematic DC offline allowed clients to use a different logon server and successfully access shares on other DCs. I will force demotion on this tombstoned DC and re-introduce it to the domain.
 

Author Comment

by:Freda Driscoll-Sbar
ID: 38845127
sarang_tinguria,

I didn't want to follow these steps as it would have impacted other DCs in the forest that are replicating and functioning fine.
 

Author Comment

by:Freda Driscoll-Sbar
ID: 38845134
I may have other DCs showing signs of replication issues... I will report back soon.
 

Expert Comment

by:Sarang Tinguria
ID: 38845231
OK. Can you post repadmin /replsum?
 

Accepted Solution

by: Sandeshdubey (earned 1500 total points)
ID: 38845598
To get a clear view of the issue, can you post the dcdiag /q, repadmin /replsum, net share and ipconfig /all output of the DC?

Also ensure that you have set DNS correctly, as described here: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Ensure the required ports are open for AD replication: http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

Disable the firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

Note: it could be due to AV (McAfee, Symantec, Trend, etc.) or a 3rd-party security application which acts as a firewall and blocks AD communication. AV like Symantec, Trend, etc. have new features to "protect network traffic". Please check the AV settings and disable the same if defined.

Hope this helps
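The data collection and the two checks the accepted answer asks for, as an added example that is not part of the answer or of the linked articles. It is written for PowerShell 2.0 on Windows Server 2008 R2, so it uses WMI and a .NET socket instead of Get-DnsClientServerAddress and Test-NetConnection, which only exist from Windows Server 2012 onward. SiteA-DC is taken from the question's UNC paths as the partner to probe and is an assumption; the port list is the standard set a DC needs to reach on its replication partner (the same ports the linked msmvps article walks through). Only TCP is probed: UDP 53/88/123 and the dynamic RPC range (49152-65535 on 2008 and later) cannot be confirmed with a single connect, so those are left to dcdiag, which exercises the endpoint mapper. The DNS rule checked is the one the linked best-practice article gives: another DC as the primary DNS server, and this DC's own address or 127.0.0.1 only as the last entry, never as the only one.

```powershell
# Added example, not from the thread: save the four outputs the accepted answer asks for,
# then check partner-DC port reachability and this DC's DNS client settings.
# PowerShell 2.0 / Server 2008 R2 compatible. $PartnerDc is an assumed name.
param(
    [string]$PartnerDc = 'SiteA-DC',   # assumption: taken from the question's \\SiteA-DC\... paths
    [string]$OutDir    = "$env:TEMP\ad-diag-$(Get-Date -Format yyyyMMdd-HHmmss)"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. The diagnostics the answer asks to see, one file each (dcdiag /q prints only failures).
dcdiag /q         | Out-File "$OutDir\dcdiag.txt"
repadmin /replsum | Out-File "$OutDir\replsum.txt"
net share         | Out-File "$OutDir\netshare.txt"
ipconfig /all     | Out-File "$OutDir\ipconfig.txt"

# 2. TCP ports a DC must reach on a replication partner. Dynamic RPC (49152-65535 on
#    2008+) and the UDP side of DNS/Kerberos/NTP are not probed here; dcdiag covers RPC.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Bounded wait so a silently dropping firewall does not hang the script per port.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

$adPorts = @{ 53='DNS'; 88='Kerberos'; 135='RPC endpoint mapper'; 389='LDAP'; 445='SMB / Netlogon';
              464='Kerberos kpasswd'; 636='LDAPS'; 3268='Global Catalog'; 3269='GC over SSL' }
$portResults = foreach ($p in ($adPorts.Keys | Sort-Object)) {
    New-Object PSObject -Property @{
        Port = $p; Service = $adPorts[$p]; Open = (Test-TcpPort -ComputerName $PartnerDc -Port $p)
    }
}
Write-Host "== TCP reachability of $PartnerDc =="
$portResults | Format-Table Port, Service, Open -AutoSize | Out-String |
    Tee-Object -FilePath "$OutDir\ports.txt"

# 3. DNS client settings on this DC: another DC first, own address / loopback only last.
#    Pointing only at itself makes the DC depend on its own DNS service being up before
#    it can locate partners, which is why the linked guidance puts another DC first.
$ownIps = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
          ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
Write-Host '== DNS client settings =='
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' | ForEach-Object {
    $dns = @($_.DNSServerSearchOrder)
    Write-Host "Adapter $($_.Description): DNS = $($dns -join ', ')"
    if ($dns.Count -eq 0) { Write-Warning '  no DNS servers configured'; return }
    if ($dns[0] -eq '127.0.0.1' -or $ownIps -contains $dns[0]) {
        Write-Warning '  primary DNS points at this DC itself; put another DC first'
    }
    if (-not ($dns[-1] -eq '127.0.0.1' -or $ownIps -contains $dns[-1])) {
        Write-Warning '  this DC''s own address or loopback is not the last entry'
    }
}
Write-Host "Outputs saved under $OutDir"
```

A port that shows Open = False here while the same port is open from a host at the partner's site is the pattern to look for when a third-party AV or host firewall, rather than the network, is doing the blocking, which is the case the answer's note raises. Run the script on both the failing DC and a healthy one and compare the two ports.txt files.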
