Solved

DFS replication across different subnets not working

Posted on 2014-10-28
455 Views
Last Modified: 2014-11-09
Hello All,

I have set up DFS before on client machines across a VPN link without a problem, but this round it's not working.

In our shop I have 2 subnets (we are adding a location so I am staging this beforehand):

#1 - 192.168.1.0/24 - main office
#2 - 192.168.100.0/24 - new office

I have 1 DC's (1 on each subnet). They have no problems replicating between each other.

They are both connected via a managed switch; traffic is not being routed over the internet.

Setup:
DFS installed on both DCs with a test folder to replicate

Errors
- In the DFS console the "TEST" never shows up.

Things I have tried
- Setting up the TEST on the same subnet -> Works
- Setting up a brand new 2008 R2 machine and trying to replicate across -> Failed
- Can ping each server: YES
- Access shares: Yes
- Replicate AD / DNS: yes

Errors in the event log:
- The DFS Replication service encountered an error communicating with partner
- Error: 1753 (There are no more endpoints available from the endpoint mapper.)
- Error: 9026 (The connection is invalid)

I have googled the crap out of these events and have tried everything.

Google / Experts Exchange recommendations I have tried
- checking "READ" permissions in ADSI for DFSR-GlobalSettings
- removing DFS and re-installing (both sides)
- Installing WINS
Question by: P spademan

25 Comments
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409305
Please log on as an administrator and open an elevated CMD prompt.

In cmd (run each command on a separate line and press Enter):

CD to %systemroot%\system32\wbem
MOFCOMP.EXE dfsrprov.mof
MOFCOMP.EXE dfsrprov.mfl
net stop winmgmt
net start winmgmt
net start iphlpsvc
net stop dfsr
net start dfsr

If that doesn't help, run these before you run the steps above (after restart):

netsh int ip reset c:\Reset.txt
netsh winsock reset

(restart the computer and then run the top commands)

Author Comment

by:P spademan
ID: 40409338
Hi Jan,

Already tried that, sorry; so many things we have done today, it's hard to make a list.

Some more information.

- Provisioned brand new 2008 R2 servers on both sides = failed
- Replication between servers on the SAME subnet = works!

Replication INSIDE each subnet works just fine; it's just across the subnets that it is failing.

Other things we have tried
- remove AV
- firewalls are OFF
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409442
If it is not WMI it will be DNS.

Try that:

1. Edit the hosts files on both servers to point to each other

http://www.howtogeek.com/howto/27350/beginner-geek-how-to-edit-your-hosts-file/

So, assuming

192.168.100.1 is the IP of the new office DFS server
and
192.168.1.1 is the IP of the main office DFS server

in the main office server hosts file you will have this:

192.168.100.1 newofficeserver.domainname.local

in the new office server hosts file you will have:

192.168.1.1  mainofficeserverdfs.domainname.local

Or a better solution would be to do this:

If you have spare network ports on both servers you could try to add IPs only for these servers (to have network adapters specific only for DFS replication between them) (on the same subnet).

So it would look like this.

In the main office server hosts file you will have this:

192.168.1.254 newofficeserver.domainname.local (static IP on second adapter)

In the new office server hosts file you will have:

192.168.1.1  mainofficeserverdfs.domainname.local

This allows clients to see newofficeserver.domainname.local as 192.168.100.1 and the DFSR servers to see it as 192.168.1.254 - same subnet - it would also allow you to use a dedicated NIC for DFSR traffic :)

Author Comment

by:P spademan
ID: 40409471
Hi Jan,

It's not a DNS issue. I have already ensured that both servers are resolving to the correct IP addresses.

In fact the event log has the correct IP:

Capture.PNG
20141028 16:58:56.860 3652 DOWN  3290 DownstreamTransport::SetupBinding Setting authentication information for partner: OFFICE\FILESERVER$
20141028 16:58:56.860 3652 DOWN  3472 DownstreamTransport::SetupBinding Setup connId:{E3A5445F-05D3-4DCE-B7BC-8BB90ADA4EF7} remoteAddress:FILESERVER.XXXXXXXXXX  stringBinding:[5bc1ed07-f5f5-485f-9dfd-6fd0acf9a23c@ncacn_ip_tcp:FILESERVER]
20141028 16:58:56.876 3652 DOWN  4083 [ERROR] DownstreamTransport::EstablishConnection EstablishConnection failed. Check that the connection partner is valid. If not then recreate the connection with valid partner. connId:{E3A5445F-05D3-4DCE-B7BC-8BB90ADA4EF7} rgName:TEST partnerName:FILESERVER partnerDns:FILESERVER.XXXXXXXXX Error:
+	[Error:9027(0x2343) DownstreamTransport::EstablishConnection downstreamtransport.cpp:4045 3652 C A failure was reported by the remote partner]
+	[Error:9026(0x2342) DownstreamTransport::EstablishConnection downstreamtransport.cpp:4045 3652 C The connection is invalid]
20141028 16:58:56.876 3652 DOWN  7139 BandwidthThrottler::PrepareForShutdown Preparing for Shutdown. rgId:79643009-3DFB-42F6-8413-A08A193D9F53 rgName:TEST connId:E3A5445F-05D3-4DCE-B7BC-8BB90ADA4EF7 ptr:0000000012F434F0
20141028 16:58:56.876 3652 INCO  5777 InConnection::ConnectNetwork New connection connId:{E3A5445F-05D3-4DCE-B7BC-8BB90ADA4EF7} transport:0000000000000000 unghostTransport:0000000000000000
20141028 16:58:56.876 3652 INCO  5780 InConnection::ConnectNetwork connId:{E3A5445F-05D3-4DCE-B7BC-8BB90ADA4EF7} fatalRemoteError:0
20141028 16:58:56.876 3652 INCO  6837 [WARN] InConnection::ReConnectAsync Failed to connect, (attempts: 25) connId:{E3A5445F-05D3-4DCE-B7BC-8BB90ADA4EF7} Error:
+	[Error:9027(0x2343) InConnection::ConnectNetwork inconnection.cpp:5783 3652 C A failure was reported by the remote partner]
+	[Error:9027(0x2343) DownstreamTransport::EstablishConnection downstreamtransport.cpp:4123 3652 C A failure was reported by the remote partner]
+	[Error:9027(0x2343) DownstreamTransport::EstablishConnection downstreamtransport.cpp:4045 3652 C A failure was reported by the remote partner]
+	[Error:9026(0x2342) DownstreamTransport::EstablishConnection downstreamtransport.cpp:4045 3652 C The connection is invalid]
20141028 16:58:56.876 3652 EVNT  1185 EventLog::Report Logging eventId:5012 parameterCount:9
20141028 16:58:56.876 3652 EVNT  1205 EventLog::Report         eventId:5012 parameter1:E3A5445F-05D3-4DCE-B7BC-8BB90ADA4EF7
20141028 16:58:56.876 3652 EVNT  1205 EventLog::Report         eventId:5012 parameter2:FILESERVER
20141028 16:58:56.876 3652 EVNT  1205 EventLog::Report         eventId:5012 parameter3:TEST
20141028 16:58:56.876 3652 EVNT  1205 EventLog::Report         eventId:5012 parameter4:FILESERVER.XXXXXXX
20141028 16:58:56.876 3652 EVNT  1205 EventLog::Report         eventId:5012 parameter5:FILESERVER
20141028 16:58:56.876 3652 EVNT  1205 EventLog::Report         eventId:5012 parameter6:192.168.100.21
20141028 16:58:56.876 3652 EVNT  1205 EventLog::Report         eventId:5012 parameter7:9026
20141028 16:58:56.876 3652 EVNT  1205 EventLog::Report         eventId:5012 parameter8:The connection is invalid
20141028 16:58:56.876 3652 EVNT  1205 EventLog::Report         eventId:5012 parameter9:79643009-3DFB-42F6-8413-A08A193D9F53

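A small triage helper for debug-log excerpts like the one quoted above, added here as an example; it is not code from the thread or from any Microsoft tool. It assumes the Dfsr*.log line shape visible in the post (a timestamped entry followed by "+ [Error:...]" continuation lines) and PowerShell 3.0 or later; the sample lines are constructed from the post's excerpt with a made-up partner domain, and the function names are my own.

```powershell
# Added example (not from the thread). Parses DFSR debug-log text of the shape shown in the
# post and reduces each failed connection attempt to the facts a troubleshooter needs:
# which replication group, which partner, how many retries, and the innermost error.
# Assumes PowerShell 3.0+ and the %SystemRoot%\debug\Dfsr*.log line format.

function ConvertFrom-DfsrDebugLog {
    param([Parameter(Mandatory)][string[]]$Lines)

    # "20141028 16:58:56.876 3652 DOWN  4083 [ERROR] Class::Method free text"
    $entryRx = '^(?<date>\d{8}) (?<time>\d{2}:\d{2}:\d{2}\.\d{3}) (?<tid>\d+) (?<mod>\w+)\s+(?<src>\d+) (?:(?<level>\[\w+\]) )?(?<text>.*)$'
    # "+   [Error:9026(0x2342) Class::Method file.cpp:4045 3652 C The connection is invalid]"
    $errorRx = '^\+\s*\[Error:(?<code>\d+)\(0x[0-9A-Fa-f]+\) (?<func>\S+) \S+ \d+ \w (?<msg>[^\]]+)\]\s*$'

    $entries = New-Object 'System.Collections.Generic.List[object]'
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match $entryRx) {
            $current = [pscustomobject]@{
                Timestamp  = [datetime]::ParseExact("$($Matches['date']) $($Matches['time'])", 'yyyyMMdd HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
                Module     = $Matches['mod']
                Level      = if ($Matches['level']) { $Matches['level'] -replace '[\[\]]', '' } else { 'INFO' }
                Text       = $Matches['text']
                ErrorChain = New-Object 'System.Collections.Generic.List[object]'   # outermost error first
            }
            $entries.Add($current)
        }
        elseif ($current -and $line -match $errorRx) {
            $current.ErrorChain.Add([pscustomobject]@{
                Code = [int]$Matches['code']; Function = $Matches['func']; Message = $Matches['msg']
            })
        }
    }
    return $entries
}

function Get-DfsrConnectionFailure {
    param([Parameter(Mandatory)][object[]]$Entries)
    foreach ($e in $Entries) {
        if ($e.ErrorChain.Count -eq 0) { continue }
        if ($e.Text -match 'connId:\{?(?<conn>[0-9A-Fa-f-]{36})\}?') { $conn = $Matches['conn'] } else { continue }
        $group    = if ($e.Text -match 'rgName:(\S+)')     { $Matches[1] } else { $null }
        $partner  = if ($e.Text -match 'partnerDns:(\S+)') { $Matches[1] } else { $null }
        $attempts = if ($e.Text -match 'attempts: (\d+)')  { [int]$Matches[1] } else { $null }
        $root = $e.ErrorChain[$e.ErrorChain.Count - 1]   # innermost error: the real reason
        [pscustomobject]@{
            Timestamp       = $e.Timestamp
            ConnId          = $conn
            Group           = $group
            Partner         = $partner
            Attempts        = $attempts
            # 9027 means the remote partner itself rejected the attempt (it does not know this
            # connection yet), as opposed to the host being unreachable: a configuration-
            # propagation symptom, which is what the thread eventually found.
            PartnerRejected = [bool]($e.ErrorChain | Where-Object { $_.Code -eq 9027 })
            RootCode        = $root.Code
            RootMessage     = $root.Message
        }
    }
}

# Constructed sample, modelled on the post's excerpt (partner domain made up)
$sampleLog = @'
20141028 16:58:56.860 3652 DOWN  3290 DownstreamTransport::SetupBinding Setting authentication information for partner: OFFICE\FILESERVER$
20141028 16:58:56.876 3652 DOWN  4083 [ERROR] DownstreamTransport::EstablishConnection EstablishConnection failed. Check that the connection partner is valid. connId:{E3A5445F-05D3-4DCE-B7BC-8BB90ADA4EF7} rgName:TEST partnerName:FILESERVER partnerDns:FILESERVER.example.local Error:
+   [Error:9027(0x2343) DownstreamTransport::EstablishConnection downstreamtransport.cpp:4045 3652 C A failure was reported by the remote partner]
+   [Error:9026(0x2342) DownstreamTransport::EstablishConnection downstreamtransport.cpp:4045 3652 C The connection is invalid]
20141028 16:58:56.876 3652 INCO  6837 [WARN] InConnection::ReConnectAsync Failed to connect, (attempts: 25) connId:{E3A5445F-05D3-4DCE-B7BC-8BB90ADA4EF7} Error:
+   [Error:9027(0x2343) InConnection::ConnectNetwork inconnection.cpp:5783 3652 C A failure was reported by the remote partner]
+   [Error:9026(0x2342) DownstreamTransport::EstablishConnection downstreamtransport.cpp:4045 3652 C The connection is invalid]
'@
$sampleLines = $sampleLog -split "`r?`n"

# Against a live member, feed Get-Content "$env:SystemRoot\debug\Dfsr00001.log" instead of $sampleLines
Get-DfsrConnectionFailure -Entries (ConvertFrom-DfsrDebugLog -Lines $sampleLines) |
    Format-Table Timestamp, Group, Partner, Attempts, PartnerRejected, RootCode, RootMessage -AutoSize
```

On the sample this yields two rows for the same connection, both with PartnerRejected set and root error 9026, the second showing 25 retries; the SetupBinding entry carries no error chain and is skipped. Reading the log this way is what lets you separate "the partner answered and said no" from "nothing answered", which is the distinction the DNS and VLAN suggestions in this thread were chasing.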
 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409552
spademan, can you amuse me and try putting a second network interface (on the new subnet server) onto the same subnet IP as the main office one

and then modify the hosts file on both servers to point to each other

or try adding a secondary IP to the respective network card of the new server - so it is in the old subnet (and modify the hosts file on the old server)

http://superuser.com/questions/571575/connect-to-two-lan-networks-with-a-single-card

Do you have any routing between the subnets? Or is it all working on level 2?

Author Comment

by:P spademan
ID: 40409623
Hi Jan,

I have already tried that route. If I have 2 servers on the same subnet, they will replicate. If they are on different subnets they fail.

The routing is done via the router (1921):

interface GigabitEthernet0/1.1
 description -- VLAN1 --
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in

interface GigabitEthernet0/1.100
 description -- VLAN100 -- NEW_OFFICE
 encapsulation dot1Q 100
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 no cdp enable

Switch is managed (SG300)
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409683
Where is your inter-VLAN routing?

ip route 0.0.0.0 0.0.0.0   102.168.1.1  (your gateway ip)
ip route 192.168.100.0 255.255.255.0 GigabitEthernet0/1.100
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/1.1

And the trunk port?

interface GigabitEthernet0/0
 description TRUNK
 no ip address
 duplex full
 speed 1000
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409689
And on your switch(es) (assuming you have VLANs configured on it) you will have to configure the ports connecting to the router as trunk - so traffic from the other VLAN can flow:

configure terminal
int GigabitEthernet 0/1
switchport mode trunk

Author Comment

by:P spademan
ID: 40409691
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/1.1
L        192.168.1.1/32 is directly connected, GigabitEthernet0/1.1
      192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.100.0/24 is directly connected, GigabitEthernet0/1.100
L        192.168.100.1/32 is directly connected, GigabitEthernet0/1.100

interface GigabitEthernet0/1
 description --- INSIDE INTERFACE ----
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly in
 duplex auto
 speed auto
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409698
Is the port on your switch configured as trunk, with switchport mode trunk?

Author Comment

by:P spademan
ID: 40409699
Hi Jan,

Everything else works; the VLAN routing is working, I can ping, share files, and access IIS between the 2 VLANs.

Replication is working (this command was run on domainserver2):

==== INBOUND NEIGHBORS ======================================

DC=office,DC=XXX,DC=ca
    X\DOMAINSERVER via RPC
        DSA object GUID: 3a4593a2-8b31-4d6e-a4cc-ba59abe6134b
        Last attempt @ 2014-10-28 17:13:12 was successful.

CN=Configuration,DC=office,DC=XXX,DC=ca
    X\DOMAINSERVER via RPC
        DSA object GUID: 3a4593a2-8b31-4d6e-a4cc-ba59abe6134b
        Last attempt @ 2014-10-28 17:13:12 was successful.

CN=Schema,CN=Configuration,DC=office,DC=XXX,DC=ca
    X\DOMAINSERVER via RPC
        DSA object GUID: 3a4593a2-8b31-4d6e-a4cc-ba59abe6134b
        Last attempt @ 2014-10-28 17:13:12 was successful.

DC=DomainDnsZones,DC=office,DC=XXX,DC=ca
    X\DOMAINSERVER via RPC
        DSA object GUID: 3a4593a2-8b31-4d6e-a4cc-ba59abe6134b
        Last attempt @ 2014-10-28 17:13:12 was successful.

DC=ForestDnsZones,DC=office,DC=XXX,DC=ca
    X\DOMAINSERVER via RPC
        DSA object GUID: 3a4593a2-8b31-4d6e-a4cc-ba59abe6134b
        Last attempt @ 2014-10-28 17:13:12 was successful.
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409701
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409704
Can you see ip route commands in your router configuration?

ip route 0.0.0.0 0.0.0.0   102.168.1.1  (your gateway ip)
ip route 192.168.100.0 255.255.255.0 GigabitEthernet0/1.100
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/1.1

And just to exclude VLAN problems do this:

Try adding a secondary IP to the respective network card of the new server - so it is in the old subnet (and modify the hosts file on the old server) (make sure it is in the same VLAN "port range" on the switch).

Author Comment

by:P spademan
ID: 40409705
Hi Jan,

Not too familiar with that but I assume no:

#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 20
Number of existing VLANs        : 5
VTP Operating Mode              : Transparent
VTP Domain Name                 : MAU
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x30 0x0D 0xD5 0x20 0x4A 0x45 0xF7 0xC6
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409708
Yup, that's fine.

The port going from the switch to the router - is that a trunk port?


###################
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swvtp.html#wp1205076


VTP Mode / Description

VTP server

In VTP server mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as the VTP version) for the entire VTP domain. VTP servers advertise their VLAN configurations to other switches in the same VTP domain and synchronize their VLAN configurations with other switches based on advertisements received over trunk links.

VTP server is the default mode.

Note In VTP server mode, VLAN configurations are saved in NVRAM. If the switch detects a failure while writing a configuration to NVRAM, VTP mode automatically changes from server mode to client mode. If this happens, the switch cannot be returned to VTP server mode until the NVRAM is functioning.

VTP client

A VTP client behaves like a VTP server and transmits and receives VTP updates on its trunks, but you cannot create, change, or delete VLANs on a VTP client. VLANs are configured on another switch in the domain that is in server mode.

In VTP versions 1 and 2, in VTP client mode, VLAN configurations are not saved in NVRAM. In VTP version 3, VLAN configurations are saved in NVRAM in client mode.

VTP transparent

VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. However, in VTP version 2 or version 3, transparent switches do forward VTP advertisements that they receive from other switches through their trunk interfaces. You can create, modify, and delete VLANs on a switch in VTP transparent mode.

In VTP versions 1 and 2, the switch must be in VTP transparent mode when you create extended-range VLANs. VTP version 3 also supports creating extended-range VLANs in client or server mode. See the "Configuring Extended-Range VLANs" section on page 13-10.

In VTP versions 1 and 2, the switch must be in VTP transparent mode when you create private VLANs and when they are configured, you should not change the VTP mode from transparent to client or server mode. VTP version 3 also supports private VLANs in client and server modes. See Chapter 16, "Configuring Private VLANs."

When the switch is in VTP transparent mode, the VTP and VLAN configurations are saved in NVRAM, but they are not advertised to other switches. In this mode, VTP mode and domain name are saved in the switch running configuration, and you can save this information in the switch startup configuration file by using the copy running-config startup-config privileged EXEC command.

VTP off

A switch in VTP off mode functions in the same manner as a VTP transparent switch, except that it does not forward VTP advertisements on trunks.

##################

Author Comment

by:P spademan
ID: 40409710
I added the following statements:

ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/1.1
ip route 192.168.100.0 255.255.255.0 GigabitEthernet0/1.100

Still no change.
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409714
Is the port going from the switch to the router a trunk port?

Author Comment

by:P spademan
ID: 40409715
Router Setup:

Ge 0/0 -> Wan
Ge 0/1-> LAN (trunked with VLAN 1/100) -> Switch (SG300)

Is that what you are asking?
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409716
Check if your config is similar to the attached one:
Router-on-a-Stick.pdf
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409718
Yes.
It should also be trunked with VLAN 100.

Author Comment

by:P spademan
ID: 40409729
Hi Jan,

The config is similar. The router is a 1921, not a 36xx.

As it stands right now, I have a DC on 1 subnet and a DC on the other. They are replicating AD data to each other, no problems.

DFSR just will not take.

Additional information from the DFSR report:

DFS Replication cannot replicate with partner DOMAINSERVER2 for replication group TEST5. The partner did not recognize the connection or the replication group configuration. The DFS Replication service used partner DNS name DomainServer2.XXX.ca, IP address 192.168.100.200, and WINS address DomainServer2 but failed with error ID: 9026 (The connection is invalid). Event ID: 5012
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409733
Try adding a secondary IP to the respective network card of the new server - so it is in the old subnet (and modify the hosts file on the old server) - so it doesn't rely on WINS or DNS (the hosts file takes precedence) (make sure it is in the same VLAN "port range" on the switch).
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40417517
Any update?

Accepted Solution

by:
P spademan earned 0 total points
ID: 40422674
Hi Jan,

Yes.

The solution is: to be more patient. When I returned in the morning the replication was working.

Here is what was happening.

1) AD is on different subnets and set up that way in Sites and Services, so it only replicates every so often.
2) When testing on the SAME subnet the local AD server was up to date, so it started almost instantly.

Over the last couple of days I have been able to force it to start right away using this guide:

http://faultbucket.ca/2012/08/fixing-a-dfsr-connection-problem/

The command:

repadmin /syncall /e /A /P

run on both servers forces it to show up and start right away. I was trying this before but only on 1 server, not both.

Thanks again for all your help with this issue, but I guess the lesson here is to take time out from problems and re-visit them when your head is clear.

Thanks,
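The fix the author arrived at, as an added PowerShell example rather than anything posted in the thread: it runs the same repadmin /syncall /e /A /P on every member (the step that only worked once it was done on both), asks each member's DFSR service to re-read its configuration with dfsrdiag pollad, and then watches the DFS Replication event log until the connection is established instead of refreshing the console. It assumes PowerShell 3.0 or later, PowerShell remoting enabled on the members, and an account allowed to run repadmin on them; the function names are mine and the member and group names are placeholders taken from the thread.

```powershell
# Added example (not from the thread): apply the accepted fix to every member and wait for
# DFSR to confirm the connection. Assumes PowerShell 3.0+, WinRM enabled on the members,
# and an account allowed to run repadmin there. Member and group names are placeholders.

function Sync-DfsrMemberConfig {
    param([Parameter(Mandatory)][string[]]$Members)
    foreach ($member in $Members) {
        Invoke-Command -ComputerName $member -ScriptBlock {
            # /syncall: sync with every partner; /A all naming contexts; /e across all sites;
            # /P push from this DC. Done on EACH member because each member's DFSR service
            # reads the replication-group objects from the DC it polls, and an inter-site
            # copy can lag behind by a full site-link interval.
            repadmin /syncall /e /A /P | Out-Null
            $repadminExit = $LASTEXITCODE
            # Make DFSR re-read its AD configuration now rather than at its next scheduled poll.
            dfsrdiag pollad "/member:$env:COMPUTERNAME" | Out-Null
            [pscustomobject]@{
                Member       = $env:COMPUTERNAME
                RepadminExit = $repadminExit
                PollAdExit   = $LASTEXITCODE
            }
        }
    }
}

function Wait-DfsrConnection {
    param(
        [Parameter(Mandatory)][string]$Member,
        [Parameter(Mandatory)][string]$ReplicationGroup,
        [int]$TimeoutMinutes = 15,
        [int]$PollSeconds = 30
    )
    $since    = Get-Date
    $deadline = $since.AddMinutes($TimeoutMinutes)
    $lastSeen = $null
    do {
        # DFS Replication log: 5004 = inbound connection established, 5012 = connection failed
        # (the 9026 event quoted in the thread). Keep only events for the group we care about.
        $events = Get-WinEvent -ComputerName $Member -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'DFS Replication'; Id = 5004, 5012; StartTime = $since
        } | Where-Object { $_.Message -match [regex]::Escape($ReplicationGroup) }
        if ($events) { $lastSeen = $events | Sort-Object TimeCreated | Select-Object -Last 1 }
        if ($lastSeen -and $lastSeen.Id -eq 5004) {
            return [pscustomobject]@{ Member = $Member; Group = $ReplicationGroup; Established = $true; LastEvent = $lastSeen.Id }
        }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    $lastId = if ($lastSeen) { $lastSeen.Id } else { $null }
    [pscustomobject]@{ Member = $Member; Group = $ReplicationGroup; Established = $false; LastEvent = $lastId }
}

# Usage with placeholder names: sync both members, then watch the new-office member's log.
# Sync-DfsrMemberConfig -Members 'DOMAINSERVER', 'DOMAINSERVER2'
# Wait-DfsrConnection -Member 'DOMAINSERVER2' -ReplicationGroup 'TEST'
```

Inter-site AD replication follows the site-link schedule in Sites and Services (180 minutes by default), which is the lag the author ran into: the far-side member cannot accept a connection it has not yet read from its own DC, hence the 9027 "failure was reported by the remote partner" wrapped around 9026 in the debug log. Since the firewall-off and AV-removal steps earlier in the thread turned out not to be part of the fix, those controls can go back on before re-testing.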
 

Author Closing Comment

by:P spademan
ID: 40431042
See my comments