Freda Driscoll-Sbar
asked on
Windows 2008 R2 DC RPC, LDAP Bind Failures
Just recently one of our DCs at a remote site is no longer replicating to our primary data-center/site.
From the affected DC and local clients at site B:
1. Unable to browse \\SiteA-DC\netlogon
2. Unable to connect to network shares on SiteA-DC
3. I am able to browse by IP\share of SiteA-DC
4. Domain clients at Site B are unable to auth to domain shares at site A
See attached DCDiag output
mf1tam-dcdiag.txt
ASKER
trgrassijr55,
We have no firewall blocking traffic between the two sites. I have disabled IPv6. But the problem still persists...
Any other thoughts?
Here is another one I found that might help
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/032aa074-86c4-4310-a1d2-74f4a4367f7b
ASKER
trgrassijr55,
I have seen that article and went through it, it doesn't exactly apply.
ASKER
Again, it is very strange... the DC that's reporting these problems can browse via \\IPaddress\netlogon but not by name or FQDN. This also applies to the domain clients that are at this site.
Try the steps below on the culprit DC (STITCH).
Secure channel between the DCs broken:
Follow these steps to reset the KDC password, taken from
http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/
1. Stop the Key Distribution Center (KDC) service on Server2. To do so, open a Command Prompt, type net stop KDC, and press Enter.
2. Load Kerbtray.exe. You can do so by clicking Start, clicking Run, and then typing c:\program files\resource kit\kerbtray.exe and pressing Enter. You should see a little green ticket icon in your system tray in the lower right corner of your desktop.
3. Purge the ticket cache on Server2: right-click the green ticket icon in your system tray, and then click Purge Tickets. You should receive a confirmation that your ticket cache was purged. Click OK.
4. Reset the Server domain controller account password on Server1 (the PDC emulator). To do so, open a command prompt and type: netdom /resetpwd /server:server2 /userd:domain.com\administrator /passwordd:password, and then press Enter.
5. Synchronize the domain. To do so, open a command prompt, type repadmin /syncall, and then press Enter.
6. Start the KDC service on Server2. To do so, open a command prompt, type net start KDC, and press Enter. This completes the process, and the domain controllers should be replicating successfully now.
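Added example, not from the thread or the linked blog post: the six steps above as one PowerShell script run on the affected DC, with repadmin /replsum captured before and after so you can see whether the reset changed anything. It assumes an elevated prompt on the affected DC, that -PdcEmulator names the DC the password is reset against, that -AdminUser / -AdminPassword are a Domain Admins account (netdom accepts only a plaintext password), and it uses the built-in klist.exe to purge the ticket cache in place of the Resource Kit Kerbtray.exe.

```powershell
# Added example (not the thread's or the blog's own script). Runs the secure-channel
# reset steps on the local (affected) DC. Parameters are placeholders you supply.
param(
    [Parameter(Mandatory = $true)] [string] $PdcEmulator,   # placeholder, e.g. SiteA-DC
    [Parameter(Mandatory = $true)] [string] $AdminUser,     # placeholder, e.g. domain.com\administrator
    [Parameter(Mandatory = $true)] [string] $AdminPassword  # netdom only accepts plaintext here
)

function Invoke-Checked([string] $Command, [string] $Display) {
    # Echoes a (redactable) form of the command, runs it through cmd.exe and aborts
    # on a non-zero exit code, so a failed password reset is not followed by a
    # blind repadmin /syncall.
    if (-not $Display) { $Display = $Command }
    Write-Host ">> $Display"
    cmd.exe /c $Command
    if ($LASTEXITCODE -ne 0) { throw "Step failed (exit $LASTEXITCODE): $Display" }
}

# Baseline replication summary before changing anything (a later reply asks for this).
Invoke-Checked "repadmin /replsum"

# Step 1: stop the KDC on this DC so it stops issuing tickets under the old key.
Stop-Service -Name Kdc
Write-Host "KDC service is now: $((Get-Service -Name Kdc).Status)"

# Steps 2-3: purge the Kerberos ticket cache of the current logon session
# (klist purge does what Kerbtray's "Purge Tickets" does; assumption: klist.exe present).
Invoke-Checked "klist purge"

# Step 4: reset this DC's machine-account password against the PDC emulator.
# The real command carries the password; the echoed copy masks it.
Invoke-Checked "netdom resetpwd /server:$PdcEmulator /userd:$AdminUser /passwordd:$AdminPassword" `
               "netdom resetpwd /server:$PdcEmulator /userd:$AdminUser /passwordd:********"

# Step 5: push the change to all replication partners.
Invoke-Checked "repadmin /syncall"

# Step 6: bring the KDC back and compare the replication summary with the baseline.
Start-Service -Name Kdc
Write-Host "KDC service is now: $((Get-Service -Name Kdc).Status)"
Invoke-Checked "repadmin /replsum"
```

Compare the two repadmin /replsum outputs: if the affected DC still shows failures against SiteA-DC after step 6, the reset did not take and the thread's later route (forced demotion and re-promotion) is what remains.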
ASKER
Removing the GC role and taking the problematic DC offline allowed clients to use a different logon server and successfully access shares on other DCs. I will force demotion on this tombstoned DC and re-introduce it to the domain.
ASKER
sarang_tinguria,
I didn't want to follow these steps as it would have impacted other DCs in the forest that are replicating and functioning fine.
ASKER
I may have other DCs showing signs of replication issues... I will report back soon.
Ok, can you post repadmin /replsum?
ASKER CERTIFIED SOLUTION
http://social.technet.microsoft.com/Forums/nl/winserverDS/thread/d2804f30-626b-419d-a85a-eeda0a9b7d1d