Solved

Windows 2008 R2 DC RPC, LDAP Bind Failures

Posted on 2013-02-01
Last Modified: 2013-09-09
Just recently one of our DCs at a remote site is no longer replicating to our primary data center/site.

From the affected DC and local clients at site B:

1. Unable to browse \\SiteA-DC\netlogon
2. Unable to connect to network shares on SiteA-DC
3. I am able to browse by IP\share of SiteA-DC
4. Domain clients at Site B are unable to auth to domain shares at site A

See attached DCDiag output
mf1tam-dcdiag.txt
Question by:Lee Seeman
11 Comments
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38843761
 

Author Comment

by:Lee Seeman
ID: 38843786
trgrassijr55,

We have no firewall blocking traffic between the two sites. I have disabled IPv6, but the problem still persists...

Any other thoughts?
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38843850
 

Author Comment

by:Lee Seeman
ID: 38844406
trgrassijr55,

I have seen that article and went through it; it doesn't exactly apply.
 

Author Comment

by:Lee Seeman
ID: 38844418
Again, it is very strange... the DC that's reporting these problems can browse via \\IPaddress\netlogon but not by name or FQDN. This also applies to the domain clients that are at this site.
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38845085
Try the steps below on the culprit DC (STITCH).

Secure channel between the DCs broken:

Follow these steps to reset the KDC password, taken from
http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/

1. Stop the Key Distribution Center (KDC) service on Server2. To do so, open a Command Prompt, type net stop KDC, and press Enter.

2. Load Kerbtray.exe. You can do so by clicking Start, clicking Run, and then typing c:\program files\resource kit\kerbtray.exe and pressing Enter. You should see a little green ticket icon in your system tray in the lower right corner of your desktop.

3. Purge the ticket cache on Server2: right-click the green ticket icon in your system tray, and then click Purge Tickets. You should receive a confirmation that your ticket cache was purged. Click OK.

4. Reset the Server domain controller account password on Server1 (the PDC emulator). To do so, open a command prompt and type: netdom /resetpwd /server:server2 /userd:domain.com\administrator /passwordd:password, and then press Enter.

5. Synchronize the domain. To do so, open a command prompt, type repadmin /syncall, and then press Enter.

6. Start the KDC service on Server2. To do so, open a command prompt, type net start KDC, and press Enter. This completes the process, and the domain controllers should be replicating successfully now.
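As an added example (not code from this thread or from the linked blog), here is the same reset sequence in PowerShell, with a diagnostics-only mode that checks the DC's secure channel and replication summary first. The check is worth running because a UNC path by IP address is authenticated with NTLM while a path by name uses Kerberos, so "IP works, name does not" points at the Kerberos side that these steps reset. The script assumes it runs elevated on the affected DC (Server2 in the steps above) under PowerShell 2.0 as shipped with 2008 R2, that the built-in klist stands in for Kerbtray (logon session 0x3e7 is the SYSTEM session holding the DC's own machine-account tickets), that netdom resetpwd resets the machine-account password of the DC it runs on against the DC named in /server, and that $Domain, $HealthyDc and $AdminUser are placeholders for your environment. Nothing is changed unless -Reset is given and the channel is actually reported broken.

```powershell
# Added example, not code from the thread: check the affected DC's secure channel
# and replication state, and perform the reset sequence only on explicit request.
# Assumptions: runs elevated on the affected DC under PowerShell 2.0 (2008 R2).
# $Domain, $HealthyDc and $AdminUser are placeholders for your environment.
param(
    [switch]$Reset,                              # omit to run diagnostics only
    [string]$Domain    = 'domain.com',
    [string]$HealthyDc = 'SiteA-DC',             # healthy partner holding the PDC emulator role
    [string]$AdminUser = "$Domain\administrator"
)

function Get-SecureChannelStatus {
    # nltest reports which DC this machine's secure channel points at and whether
    # it is usable; a non-zero exit code means the channel is broken.
    $out = & nltest "/sc_query:$Domain" 2>&1
    New-Object PSObject -Property @{
        Healthy = ($LASTEXITCODE -eq 0)
        Detail  = ($out -join [Environment]::NewLine)
    }
}

function Get-ReplicationSummary {
    # repadmin /replsum is what the experts asked for: one line per partner with
    # the time of the last successful replication and the last error, if any.
    & repadmin /replsum 2>&1 | Out-String
}

function Reset-DcSecureChannel {
    # Same order as the steps above: stop KDC, purge tickets, reset the
    # machine-account password, force replication, start KDC again.
    Stop-Service -Name kdc -Force
    # Purge the SYSTEM logon session (0x3e7), where the DC's own tickets live;
    # this is the built-in equivalent of Kerbtray's "Purge Tickets".
    & klist -li 0x3e7 purge
    # /passwordd:* prompts for the password instead of putting it on the command line.
    & netdom resetpwd "/server:$HealthyDc" "/userd:$AdminUser" '/passwordd:*'
    if ($LASTEXITCODE -ne 0) {
        Start-Service -Name kdc
        throw "netdom resetpwd failed with exit code $LASTEXITCODE; KDC restarted, no sync attempted"
    }
    & repadmin /syncall /APed
    Start-Service -Name kdc
}

$status = Get-SecureChannelStatus
Write-Host ("Secure channel healthy: {0}" -f $status.Healthy)
Write-Host $status.Detail
Write-Host (Get-ReplicationSummary)

if ($Reset -and -not $status.Healthy) {
    Reset-DcSecureChannel
    Write-Host 'After reset:'
    Write-Host (Get-SecureChannelStatus).Detail
} elseif ($Reset) {
    Write-Host 'Secure channel already healthy; no reset performed.'
}
```

Run it once without -Reset and keep the output; if nltest already reports a working channel, the password reset is not the fix and the author's concern about touching DCs that replicate fine applies.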
 

Author Comment

by:Lee Seeman
ID: 38845119
Removing the GC role and taking the problematic DC offline allowed clients to use a different logon server and successfully access shares on other DCs. I will force demotion on this tombstoned DC and re-introduce it to the domain.
 

Author Comment

by:Lee Seeman
ID: 38845127
sarang_tinguria,

I didn't want to follow these steps as it would have impacted other DC's in the forest that are replicating and functioning fine.
 

Author Comment

by:Lee Seeman
ID: 38845134
I may have other DCs showing signs of replication issues... I will report back soon.
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38845231
OK, can you post repadmin /replsum?
 
LVL 24

Accepted Solution

by:Sandeshdubey (earned 500 total points)
ID: 38845598
To get a clear view of the issue, can you post the dcdiag /q, repadmin /replsum, net share and ipconfig /all details of the DC?

Also ensure that you have set DNS correctly as in this: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Ensure the required ports are open for AD replication: http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

Disable the firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

Note: It could be due to AV (McAfee, Symantec, Trend, etc.) or a 3rd-party security application which acts as a firewall and blocks AD communication. AV like Symantec, Trend, etc. have new features to "protect network traffic". Please check the AV settings and disable the same if defined.

Hope this helps
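An added example, not code from the accepted answer or from the articles it links: a PowerShell script for the affected DC that saves the four outputs asked for above, checks each adapter's DNS client list against the linked best practice (a partner DC first, the DC itself or 127.0.0.1 last, no other resolvers) and probes the standard AD ports toward the partner with a plain TCP connect, since Test-NetConnection does not exist on 2008 R2. Assumptions: it runs elevated under PowerShell 2.0; $Partner is a placeholder for the Site A DC and can be given as an IP address when name resolution is the failing piece (the author reports that IP works); the port list is the usual AD set and is not taken from the thread. A closed port in the last table is consistent with the firewall or AV "network protection" cause the answer names.

```powershell
# Added example, not from the thread: collect the requested diagnostics, check the
# DC's DNS client settings, and probe AD ports toward the replication partner.
# Assumptions: elevated PowerShell 2.0 on the affected DC; $Partner is a placeholder
# (name or IP) for the Site A DC; the port list is the standard AD set.
param(
    [string]$Partner = 'SiteA-DC',
    [string]$OutDir  = "$env:TEMP\dc-diag-$(Get-Date -Format yyyyMMdd-HHmm)"
)

# 1. Raw output the answer asks for, one file per tool, so it can be posted as-is.
function Save-DcDiagnostics {
    param([string]$Dir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $commands = @{
        'dcdiag.txt'   = { dcdiag /q }
        'replsum.txt'  = { repadmin /replsum }
        'netshare.txt' = { net share }
        'ipconfig.txt' = { ipconfig /all }
    }
    foreach ($name in $commands.Keys) {
        & $commands[$name] 2>&1 | Out-File -FilePath (Join-Path $Dir $name) -Encoding ascii
    }
    Get-ChildItem $Dir
}

# 2. DNS client settings per the linked best practice: a DC lists a partner DC
#    first and itself (its own IP or 127.0.0.1) last, with no outside resolvers.
function Test-DcDnsClientSettings {
    param([string[]]$ExpectedPartnerIps)
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        $servers  = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        $self     = @($nic.IPAddress) + '127.0.0.1'
        $problems = @()
        if ($servers.Count -eq 0) { $problems += 'no DNS servers configured' }
        else {
            if ($self -contains $servers[0])     { $problems += 'DC lists itself first' }
            if ($self -notcontains $servers[-1]) { $problems += 'DC does not list itself last' }
            foreach ($s in $servers) {
                if (($self -notcontains $s) -and ($ExpectedPartnerIps -notcontains $s)) {
                    $problems += "unexpected resolver $s"
                }
            }
        }
        New-Object PSObject -Property @{
            Adapter    = $nic.Description
            DnsServers = ($servers -join ', ')
            Problems   = ($problems -join '; ')
        }
    }
}

# 3. Well-known AD ports toward the partner. The dynamic RPC range (49152-65535
#    on 2008 R2) is reached through the endpoint mapper on 135 and is not listed.
$AdPorts = @{
    53='DNS'; 88='Kerberos'; 135='RPC endpoint mapper'; 139='NetBIOS session'
    389='LDAP'; 445='SMB'; 464='Kerberos password change'; 636='LDAPS'
    3268='Global Catalog'; 3269='Global Catalog SSL'
}
function Test-AdPorts {
    param([string]$Target, [hashtable]$Ports = $AdPorts, [int]$TimeoutMs = 2000)
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        # Plain TCP connect with a timeout; works without any module on 2008 R2.
        $client = New-Object System.Net.Sockets.TcpClient
        $ar     = $client.BeginConnect($Target, $port, $null, $null)
        $open   = $ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        $client.Close()
        New-Object PSObject -Property @{ Port = $port; Service = $Ports[$port]; Open = $open }
    }
}

Save-DcDiagnostics -Dir $OutDir | Format-Table Name, Length -AutoSize
try {
    $partnerIps = [System.Net.Dns]::GetHostAddresses($Partner) | ForEach-Object { $_.IPAddressToString }
} catch {
    Write-Host "Could not resolve $Partner ($($_.Exception.Message)); pass its IP address instead."
    $partnerIps = @()
}
Test-DcDnsClientSettings -ExpectedPartnerIps $partnerIps | Format-Table Adapter, DnsServers, Problems -AutoSize
Test-AdPorts -Target $Partner | Format-Table Port, Service, Open -AutoSize
```

If every port shows Open but the DNS table lists a problem, the DNS client settings are the place to start; if the ports are closed while the Windows firewall is off, look at the AV or third-party network protection feature the answer mentions before touching the DC's secure channel.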
