Solved

Windows 2008 R2 DC RPC, LDAP Bind Failures

Posted on 2013-02-01
Last Modified: 2013-09-09
Just recently one of our DCs at a remote site is no longer replicating to our primary data-center/site.

From the affected DC and local clients at site B:

1. Unable to browse \\SiteA-DC\netlogon
2. Unable to connect to network shares on SiteA-DC
3. I am able to browse by IP\share of SiteA-DC
4. Domain clients at Site B are unable to auth to domain shares at site A

See attached DCDiag output
mf1tam-dcdiag.txt
Question by:Lee Seeman
11 Comments
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38843761
0
 

Author Comment

by:Lee Seeman
ID: 38843786
trgrassijr55,

We have no firewall blocking traffic between the two sites. I have disabled IPv6. But the problem still persists...

Any other thoughts?
0
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38843850
0

 

Author Comment

by:Lee Seeman
ID: 38844406
trgrassijr55,

I have seen that article and went through it; it doesn't exactly apply.
0
 

Author Comment

by:Lee Seeman
ID: 38844418
Again, it is very strange... the DC that's reporting these problems can browse via \\IPaddress\netlogon but not by name or FQDN; this also applies to the domain clients that are at this site.
0
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38845085
Try below steps on culprit DC (STITCH)

Secure channel between the DC’s broken:
 
Follow these steps to reset KDC password taken from
http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/
 
1. Stop the Key Distribution Center (KDC) service on Server2. To do so, open a Command Prompt, type net stop KDC, and press Enter.

2. Load Kerbtray.exe. You can do so by clicking Start, clicking Run, and then typing c:\program files\resource kit\kerbtray.exe and pressing Enter. You should see a little green ticket icon in your system tray in the lower right corner of your desktop.

3. Purge the ticket cache on Server2, right-click the green ticket icon in your system tray, and then click Purge Tickets. You should receive a confirmation that your ticket cache was purged. Click OK.

4. Reset the Server domain controller account password on Server1 (the PDC emulator). To do so, open a command prompt and type: netdom /resetpwd /server:server2 /userd:domain.com\administrator /passwordd:password, and then press Enter.

5. Synchronize the domain. To do so, open a command prompt, type repadmin /syncall, and then press Enter.

6. Start the KDC service on Server2. To do so, open a command prompt, type net start KDC, and press Enter. This completes the process, and the domain controllers should be replicating successfully now.
0
 

Author Comment

by:Lee Seeman
ID: 38845119
Removing the GC role and taking the problematic DC offline allowed clients to use a different logonserver and successfully access shares on other DCs. I will force demotion on this tombstoned DC and re-introduce it to the domain.
0
 

Author Comment

by:Lee Seeman
ID: 38845127
sarang_tinguria,

I didn't want to follow these steps as it would have impacted other DCs in the forest that are replicating and functioning fine.
0
 

Author Comment

by:Lee Seeman
ID: 38845134
I may have other DCs showing signs of replication issues... I will report back soon.
0
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38845231
OK, can you post repadmin /replsum?
0
 
LVL 24

Accepted Solution

by:Sandeshdubey
ID: 38845598
To get a clear view of the issue, can you post the dcdiag /q, repadmin /replsum, net share and ipconfig /all details of the DC?

Also ensure that you have set DNS correctly, as in this: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Required ports are open for AD replication: http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

Disable the firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

Note: It could be due to AV (McAfee, Symantec, Trend, etc.) or a 3rd-party security application which acts as a firewall and blocks AD communication. AV like Symantec, Trend, etc. have new features to "protect network traffic". Please check the AV settings and disable the same if defined.

Hope this helps
0
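The DNS and port checks suggested in the accepted answer can be run from the affected DC with a short script. This is an added example, not part of the original thread: it assumes the partner DC name SiteA-DC from the question, uses only .NET classes available to PowerShell 2.0 on Windows Server 2008 R2, and probes a list of well-known AD TCP ports that is supplied here rather than taken from the thread.

```powershell
# Added example: compare name resolution and TCP reachability toward a partner DC.
# 'SiteA-DC' is the placeholder name from the question; pass the real partner DC name.
param([string]$PartnerDc = 'SiteA-DC')

# Well-known AD DS TCP ports (assumption of this example; the dynamic RPC
# range 49152-65535 used after the endpoint mapper is not probed here).
$ports = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (NETLOGON/SYSVOL)'
    464  = 'Kerberos password change'
    3268 = 'Global catalog'
}

function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs = 3000) {
    # TcpClient works on PowerShell 2.0, where Test-NetConnection does not exist.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Resolve the name with the DC's own DNS client settings (IPv4 only).
try {
    $addresses = @([System.Net.Dns]::GetHostAddresses($PartnerDc) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' })
} catch {
    $addresses = @()
    Write-Warning "Name resolution failed for ${PartnerDc}: $($_.Exception.Message)"
}
Write-Output "Resolved $PartnerDc to: $($addresses -join ', ')"

# Probe each port once by name and once by the first resolved address.
$results = foreach ($port in ($ports.Keys | Sort-Object)) {
    $byName = Test-TcpPort $PartnerDc $port
    $byIp = if ($addresses.Count -gt 0) { Test-TcpPort $addresses[0].ToString() $port } else { $false }
    New-Object PSObject -Property @{ Port = $port; Service = $ports[$port]; ByName = $byName; ByIP = $byIp }
}
$results | Select-Object Port, Service, ByName, ByIP | Format-Table -AutoSize
```

Compare the resolved address with the IP that does work for \\IPaddress\netlogon: a mismatch points at the DNS client settings, while a port that is closed in both columns points at a firewall or security product in the path.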
