Solved

Windows 2008 R2 DC RPC, LDAP Bind Failures

Posted on 2013-02-01
11
293 Views
Last Modified: 2013-09-09
Just recently one of our DC's at a remote site is no longer replicating to our primary data-center/site.

From the affected DC and local clients at site B:

1. Unable to browse \\SiteA-DC\netlogon
2. Unable to connect to network shares on SiteA-DC
3. I am able to browse by IP\share of SiteA-DC
4. Domain clients at Site B are unable to auth to domain shares at site A

See attached DCDiag output
mf1tam-dcdiag.txt
0
Comment
Question by:Lee Seeman
  • 6
  • 2
  • 2
  • +1
11 Comments
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38843761
0
 

Author Comment

by:Lee Seeman
ID: 38843786
trgrassijr55,

We have not firewall blocking traffic between the two sites. I have disabled IPv6. But problem still persists...

Any other thoughts?
0
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38843850
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 

Author Comment

by:Lee Seeman
ID: 38844406
trgrassijr55,

I have seen that article and went through it, it doesn't exactly apply.
0
 

Author Comment

by:Lee Seeman
ID: 38844418
Again, it is very strange....the DC that's reporting these problems can browse via \\IPaddress\netlogon but not by name or fqdn, this also applies to the domain clients that are at this site.
0
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38845085
Try below steps on culprit DC (STITCH)

Secure channel between the DC’s broken:
 
Follow these steps to reset KDC password taken from
http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/
 
1. Stop the Key Distribution Center (KDC) service on Server2. To do so, open
 a Command Prompt, type net stop KDC, and press Enter.
 
2. Load Kerbtray.exe. You can do so by clicking Start, clicking Run, and
 then typing c:\program files\resource kit\kerbtray.exe and pressing Enter.
 You should see a little green ticket icon in your system tray in the lower
 right corner of your desktop.
 
3. Purge the ticket cache on Server2, right-click the green ticket icon in
 your system tray, and then click Purge Tickets. You should receive a
 confirmation that your ticket cache was purged. Click OK.
 
4. Reset the Server domain controller account password on Server1 (the PDC
 emulator).
 
To do so, open a command prompt and type: netdom /resetpwd /server:server2
 /userd:domain.com\administrator /passwordd:password, and then press Enter.
 
5. Synchronize the domain. To do so, open a command prompt, type repadmin
 /syncall, and then press Enter.
 
6. Start the KDC service on Server2. To do so, open a command prompt, type
 net start KDC, and press Enter. This completes the process, and the domain
 controllers should be replicating success-fully now
0
 

Author Comment

by:Lee Seeman
ID: 38845119
Removing the GC role and taking the problematic DC offline allowed clients to use a different logonserver and successfully access shares other DC's. I will force demotion on this tombstoned DC and re-introduce it to domain.
0
 

Author Comment

by:Lee Seeman
ID: 38845127
sarang_tinguria,

I didn't want to follow these steps as it would have impacted other DC's in the forest that are replicating and functioning fine.
0
 

Author Comment

by:Lee Seeman
ID: 38845134
I may have other DC's showing signs of replication issues....I will report back soon.
0
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38845231
Ok Can you post repadmin /replsum
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 38845598
To get the clear view of the issue.Can you post the dcdiag /q,repadmin /replsum,net share and ipconfig /all details of DC.

Also ensure that you have set dns correctly as this http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Required port are open for AD replication:http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

 Disable the firewall:http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

Note:It could be due to AV(McAfee,Symantec, Trend, etc) or 3rd party security application which act as firewall and block AD communuctaion.AV like Symantec,trend,etc have new features to "protect network traffic".Please check AV setting and disable the same if defined.

Hope this helps
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question