Solved

Windows 2008 R2 DC RPC, LDAP Bind Failures

Posted on 2013-02-01
Last Modified: 2013-09-09
Just recently one of our DCs at a remote site is no longer replicating to our primary data center/site.

From the affected DC and local clients at site B:

1. Unable to browse \\SiteA-DC\netlogon
2. Unable to connect to network shares on SiteA-DC
3. I am able to browse by IP\share of SiteA-DC
4. Domain clients at Site B are unable to auth to domain shares at site A

See attached DCDiag output
mf1tam-dcdiag.txt
Question by: Lee Seeman
11 Comments
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38843761

Author Comment

by:Lee Seeman
ID: 38843786
trgrassijr55,

We have no firewall blocking traffic between the two sites. I have disabled IPv6, but the problem still persists...

Any other thoughts?
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38843850
Author Comment

by:Lee Seeman
ID: 38844406
trgrassijr55,

I have seen that article and went through it; it doesn't exactly apply.

Author Comment

by:Lee Seeman
ID: 38844418
Again, it is very strange.... the DC that's reporting these problems can browse via \\IPaddress\netlogon but not by name or FQDN. This also applies to the domain clients that are at this site.
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38845085
Try the steps below on the culprit DC (STITCH).

Secure channel between the DCs broken:

Follow these steps to reset the KDC password, taken from
http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/

1. Stop the Key Distribution Center (KDC) service on Server2. To do so, open a Command Prompt, type net stop KDC, and press Enter.

2. Load Kerbtray.exe. You can do so by clicking Start, clicking Run, and then typing c:\program files\resource kit\kerbtray.exe and pressing Enter. You should see a little green ticket icon in your system tray in the lower right corner of your desktop.

3. Purge the ticket cache on Server2: right-click the green ticket icon in your system tray, and then click Purge Tickets. You should receive a confirmation that your ticket cache was purged. Click OK.

4. Reset the Server domain controller account password on Server1 (the PDC emulator). To do so, open a command prompt and type: netdom /resetpwd /server:server2 /userd:domain.com\administrator /passwordd:password, and then press Enter.

5. Synchronize the domain. To do so, open a command prompt, type repadmin /syncall, and then press Enter.

6. Start the KDC service on Server2. To do so, open a command prompt, type net start KDC, and press Enter. This completes the process, and the domain controllers should be replicating successfully now.
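The six manual steps above as one PowerShell script, run elevated on the broken DC (Server2 in the steps). This is an added example, not code from the thread or from the linked article; $HealthyDc and $AdminUser are placeholders, the built-in klist.exe stands in for Kerbtray, and the command is spelled `netdom resetpwd` (the comment writes `netdom /resetpwd`).

```powershell
# Added example (not from the thread): the six manual steps above as one
# script, run elevated ON the broken DC (Server2). $HealthyDc and $AdminUser
# are placeholders. The built-in klist.exe replaces Kerbtray, and the real
# command is "netdom resetpwd" (the comment writes it as "netdom /resetpwd").
param(
    [Parameter(Mandatory)][string]$HealthyDc,   # e.g. the PDC emulator, Server1
    [Parameter(Mandatory)][string]$AdminUser    # e.g. 'domain.com\administrator'
)
$ErrorActionPreference = 'Stop'

# Step 1: stop the KDC so this DC issues no tickets while its password changes.
Stop-Service -Name Kdc
try {
    # Steps 2-3: purge the ticket cache. Logon id 0x3e7 is the LocalSystem
    # session, which holds the machine account's tickets; a plain purge clears
    # the tickets of the admin session running this script.
    & klist.exe -li 0x3e7 purge | Out-Null
    & klist.exe purge | Out-Null

    # Step 4: reset this DC's machine account password against a healthy DC.
    # /passwordd:* prompts for the password instead of leaving it in history.
    & netdom.exe resetpwd /server:$HealthyDc /userd:$AdminUser /passwordd:*
    if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed (exit $LASTEXITCODE)" }

    # Step 5: push all naming contexts to all partners, across sites.
    & repadmin.exe /syncall /A /e /P
}
finally {
    # Step 6: bring the KDC back even if a step above failed.
    Start-Service -Name Kdc
}
& repadmin.exe /replsum   # confirm the partners now report success
```

As the asker notes further down, this touches only the one DC it is run on; a DC already past tombstone lifetime is demoted and re-promoted instead.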

Author Comment

by:Lee Seeman
ID: 38845119
Removing the GC role and taking the problematic DC offline allowed clients to use a different logon server and successfully access shares on other DCs. I will force demotion on this tombstoned DC and re-introduce it to the domain.

Author Comment

by:Lee Seeman
ID: 38845127
sarang_tinguria,

I didn't want to follow these steps as it would have impacted other DCs in the forest that are replicating and functioning fine.

Author Comment

by:Lee Seeman
ID: 38845134
I may have other DCs showing signs of replication issues.... I will report back soon.
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38845231
Ok. Can you post repadmin /replsum?
LVL 24

Accepted Solution

by: Sandeshdubey (earned 1500 total points)
ID: 38845598
To get a clear view of the issue, can you post the dcdiag /q, repadmin /replsum, net share and ipconfig /all details of the DC.

Also ensure that you have set DNS correctly as in this: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Required ports are open for AD replication: http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

Disable the firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

Note: It could be due to AV (McAfee, Symantec, Trend, etc.) or a 3rd-party security application which acts as a firewall and blocks AD communication. AV like Symantec, Trend, etc. have new features to "protect network traffic". Please check the AV settings and disable the same if defined.

Hope this helps
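The collection the accepted answer asks for, plus the DNS-client and port checks it links to, as one PowerShell script to run on the affected DC; it also covers the symptom in the original question (access by IP works, by name does not). This is an added example, not code from the thread; $PartnerDc and the output path are placeholders, and the port list is the usual AD set rather than one taken from the linked article.

```powershell
# Added example (not from the thread): gather what the accepted answer asks for
# and test the two things it points at (DNS client settings, AD ports) from the
# affected DC. $PartnerDc is a placeholder for the replication partner at Site A.
param(
    [Parameter(Mandatory)][string]$PartnerDc,
    [string]$OutFile = "$env:TEMP\ad-diag-$env:COMPUTERNAME.txt"
)

# 1. Name resolution: the thread's symptom is that \\IP\netlogon works but
#    \\name\netlogon does not, so record what DNS returns for the partner.
function Test-PartnerName([string]$Name) {
    try   { [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object IPAddressToString }
    catch { "UNRESOLVED: $($_.Exception.Message)" }
}

# 2. TCP ports AD replication and logon need; TcpClient works on 2008 R2, where
#    Test-NetConnection does not exist. UDP (Kerberos/DNS) is not tested here.
function Test-AdPorts([string]$Target) {
    $ports = @{ 53='DNS'; 88='Kerberos'; 135='RPC endpoint mapper'; 389='LDAP';
                445='SMB'; 464='Kerberos kpasswd'; 636='LDAPS'; 3268='Global Catalog' }
    foreach ($p in ($ports.Keys | Sort-Object)) {
        $c  = New-Object System.Net.Sockets.TcpClient
        $ar = $c.BeginConnect($Target, [int]$p, $null, $null)
        $ok = $ar.AsyncWaitHandle.WaitOne(2000) -and $c.Connected
        $c.Close()
        '{0,-6} {1,-22} {2}' -f $p, $ports[$p], $(if ($ok) { 'open' } else { 'BLOCKED/filtered' })
    }
}

# 3. DNS client check from the best-practices link: a DC should list another
#    DC (or itself) as resolver, never an ISP or router address.
function Get-DnsClientServers {
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object { '{0}: {1}' -f $_.Description, ($_.DNSServerSearchOrder -join ', ') }
}

@(
    "=== Partner '$PartnerDc' resolves to ==="; Test-PartnerName $PartnerDc
    "=== TCP ports to $PartnerDc ===";          Test-AdPorts $PartnerDc
    "=== DNS client servers ===";               Get-DnsClientServers
    "=== dcdiag /q ===";                        & dcdiag.exe /q
    "=== repadmin /replsum ===";                & repadmin.exe /replsum
    "=== net share ===";                        & net.exe share
    "=== ipconfig /all ===";                    & ipconfig.exe /all
) | Out-File -FilePath $OutFile -Encoding ASCII
Write-Host "Diagnostics written to $OutFile"
```

A partner that resolves to the wrong address or a BLOCKED line for 135, 389 or 445 points at the DNS or firewall/AV causes the answer lists; a clean port list with failing name access points back at Kerberos, which the earlier secure-channel steps address.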