replication errors across sites

I recently added a DC to an existing domain that had two existing DCs. I created a second site in AD Sites and Services, added the new server to the new site and shipped the server to the 2nd location. The sites are connected by VPN. I can ping servers by IP address across the VPN but not by name. DCDIAG /test:DNS passes at both sites. repadmin /replsum fails with error 1722 "The RPC server is unavailable" when replicating across the VPN. Local replication between the two original DCs has 0 errors. repadmin /syncall runs with no errors.
rettif9ManagerAsked:
 
Michael PfisterCommented:
So DNS seems to be ok. Any chance the VPN solution or a firewall in between is blocking some TCP ports/port ranges?

I'd follow the Microsoft guide here https://support.microsoft.com/en-us/help/2102154/troubleshooting-ad-replication-error-1722-the-rpc-server-is-unavailabl
Part "4. Verify network ports" describes a utility named PortQryUI. I'd test the required connection ports from Birm to GC and vice versa.

If that's ok, run on DC in GC:

dcdiag /TEST:DNS /V /E /F:dcdiag_dns.log
dcdiag /V /E /F:dcdiag.log

and attach both log files here
0
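A scripted version of the port test suggested above, as an added example that is not part of the original thread: it checks the fixed TCP ports that AD replication and its supporting services rely on and separates "no answer" (typical of a firewall or VPN rule dropping traffic) from "refused". The target name is taken from later in the thread and the function name `Test-DcPort` is hypothetical; it uses only .NET sockets so it also runs on PowerShell 2.0.

```powershell
# Added example (not from the thread): TCP reachability of a remote DC's fixed AD ports.
function Test-DcPort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No SYN/ACK and no RST within the timeout: traffic is most likely being dropped
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'No answer (filtered?)'
        }
        $client.EndConnect($async)   # throws if the host refused or the name did not resolve
        return 'Open'
    }
    catch {
        return ('Failed: ' + $_.Exception.GetBaseException().Message)
    }
    finally {
        $client.Close()
    }
}

# Assumption: remote DC name as it appears later in the thread; change for your environment.
$target = 'mayco-dc2-gc.mayco.local'

# Fixed TCP ports used between domain controllers.
$ports = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 3268; Service = 'Global catalog' }
)

$results = foreach ($p in $ports) {
    New-Object PSObject -Property @{
        Target  = $target
        Port    = $p.Port
        Service = $p.Service
        Result  = (Test-DcPort -ComputerName $target -Port $p.Port)
    }
}

$results | Select-Object Target, Port, Service, Result | Format-Table -AutoSize

# Not covered here: after contacting port 135, replication continues on a dynamic
# RPC port (default range 49152-65535 on Server 2008 and later), which must also
# be allowed through the VPN and any firewall in both directions.
```

Run it from each site against the DC at the other site, since a rule can block one direction only.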
 
Michael PfisterCommented:
Post output of
ipconfig /all

for all 3 servers.
All servers have the DNS role and DNS is Active Directory integrated?
0
 
rettif9ManagerAuthor Commented:
Michael,

Some additional explanation is necessary. This is a new customer for me. Both sites have been in existence for many years. Both sites have the same domain name but they are not in the same forest. There is no AD connection between the two domains. The objective is to remedy that. That's why the new server was built and shipped to the site I'll call GC. The two sites are connected by a site-to-site VPN via 2 Merakis. Site 1, which I'll call Birm, is subnet 10.0.0.0/24. Site GC is subnet 192.168.0.0/24. Site GC has a 2008 DC server that has been there for several years. The new server is a 2012 DC. Obviously I can't have both servers at GC site on-line at the same time. I can only test the 2012 server during off hours by disconnecting the production environment from the Meraki and then connecting the new 2012 server to the Meraki. The 2012 server (GC-DC2) is disconnected right now but I know the ipconfig /all info for it.
IP address    192.168.0.8
SM                  255.255.255.0
Gateway        192.168.0.1

DNS 1             192.168.0.8
DNS 2              127.0.0.1

Ipconfig for Site Birm\mayco-dc (2008 DC)

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.MAYCO>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : MAYCO-DC
   Primary Dns Suffix  . . . . . . . : MAYCO.LOCAL
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : MAYCO.LOCAL

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : mayco.local
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-00-D7-08
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.0.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.5
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

The second DC in Birm is a 2003 server we plan to retire in the near future. I don't have remote access to it but I can provide the following;

IP address     10.0.0.4
SM                   255/255/255/0
Gateway         10.0.0.1
DNS1               10.0.0.4
DNS 2               127.0.0.1

These are the only Domain Controllers at the two sites. They all have the AD integrated DNS role. I won't be able to put GC-DC2 back on line until 5PM CST. Replication between the two Birm site DCs is successful.
0

 
rettif9ManagerAuthor Commented:
I just noticed a misconfiguration on Mayco-DC. The ipconfig:DNS setting is 10.0.0.5. That is the IP of Mayco-DBS, the 2003 DC. It doesn't seem to be affecting replication though. I'll correct the ipconfig info for mayco-dbs above. Edit of previous comment not permitted. IP of mayco-dbs is 10.0.0.5.
0
 
Michael PfisterCommented:
> I can ping servers by IP address across the VPN but not by name.
This is strange. As you said the new DC in GC was set up in Birm, so it should have replicated the DNS zones and therefore name resolution should be ok.
You didn't say which way the name resolution doesn't work. If it's from the DC in GC to Birm, change the primary DNS server in GC to point to the DC in Birm:
IP address    192.168.0.8
SM                  255.255.255.0
Gateway        192.168.0.1

DNS 1             10.0.0.5
DNS 2             192.168.0.8


Then check if name resolution is working now
0
 
rettif9ManagerAuthor Commented:
I only tested from GC to Birm. I'll try that tonight thanks. DNS in GC-DC2 lists A records for PC's and servers in Birm so I assume replication was successful before it was shipped. AD Sites and services lists subnets, sites, and servers on both GC-DC2 and in Mayco-dc (this was manually configured). I'm expecting to find a configuration error somewhere. At least that's what I'm looking for.
0
 
Michael PfisterCommented:
> DNS in GC-DC2 lists A records for PC's and servers in Birm
That's why I don't understand why you can't get a name resolution from GC for systems in Birm.
When testing in GC, before changing the DNS, try:

ipconfig /flushdns
ping mayco-dc
ipconfig /flushdns
ping mayco-dc.mayco.local

nslookup mayco-dc
nslookup mayco-dc.mayco.local

Then switch DNS 1 to point to MAYCO-DC, then re-test.
0
 
rettif9ManagerAuthor Commented:
After ipconfig /flushdns on mayco-dc and on maycodc2-gc I ran these commands from mayco-dc. I can also map drives to shared folders on mayco-dc from mayco-dc2-gc and view shared folders in Windows Explorer. Still seeing errors in repadmin.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.MAYCO>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : MAYCO-DC
   Primary Dns Suffix  . . . . . . . : MAYCO.LOCAL
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : MAYCO.LOCAL

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : mayco.local
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-00-D7-08
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.0.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.5
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.mayco.local:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : mayco.local
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\Administrator.MAYCO>ping mayco-dc2-gc

Pinging mayco-dc2-gc.mayco.local [192.168.0.8] with 32 bytes of data:
Reply from 192.168.0.8: bytes=32 time=32ms TTL=127
Reply from 192.168.0.8: bytes=32 time=31ms TTL=127
Reply from 192.168.0.8: bytes=32 time=31ms TTL=127
Reply from 192.168.0.8: bytes=32 time=35ms TTL=127

Ping statistics for 192.168.0.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 31ms, Maximum = 35ms, Average = 32ms

C:\Users\Administrator.MAYCO>nslookup mayco-dc2-gc
5.0.0.10.in-addr.arpa
        primary name server = localhost
        responsible mail addr = nobody.invalid
        serial  = 1
        refresh = 600 (10 mins)
        retry   = 1200 (20 mins)
        expire  = 604800 (7 days)
        default TTL = 10800 (3 hours)
Server:  UnKnown
Address:  10.0.0.5

Name:    mayco-dc2-gc.MAYCO.LOCAL
Address:  192.168.0.8


C:\Users\Administrator.MAYCO>repadmin /replsum
Replication Summary Start Time: 2018-01-09 19:24:53

Beginning data collection for replication summary, this may take awhile:
  ......


Source DSA          largest delta    fails/total %%   error
 MAYCO-DBS                 33m:46s    0 /   5    0
 MAYCO-DC                  24m:42s    0 /  10    0
 MAYCO-DC2-GC      26d.09h:09m:05s   10 /  10  100  (1722) The RPC server is unavailable.





C:\Users\Administrator.MAYCO>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\MAYCO-DC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 1cf2d762-91fb-49e1-b1af-4522dc506c5f
DSA invocationID: 8caea906-7780-4de1-9597-a79a1fe7705c

==== INBOUND NEIGHBORS ======================================

DC=MAYCO,DC=LOCAL
    GraniteCity\MAYCO-DC2-GC via RPC
        DSA object GUID: 15df6e3a-8d66-47c1-9668-a7c5d5a9626a
        Last attempt @ 2018-01-09 04:51:26 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        206 consecutive failure(s).
        Last success @ 2017-12-14 10:42:50.
    Default-First-Site-Name\MAYCO-DBS via RPC
        DSA object GUID: 2fd8f4fa-e9ce-4cad-bcec-8a868b222092
        Last attempt @ 2018-01-09 19:21:25 was successful.

CN=Configuration,DC=MAYCO,DC=LOCAL
    GraniteCity\MAYCO-DC2-GC via RPC
        DSA object GUID: 15df6e3a-8d66-47c1-9668-a7c5d5a9626a
        Last attempt @ 2018-01-09 04:53:04 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        206 consecutive failure(s).
        Last success @ 2017-12-14 10:43:57.
    Default-First-Site-Name\MAYCO-DBS via RPC
        DSA object GUID: 2fd8f4fa-e9ce-4cad-bcec-8a868b222092
        Last attempt @ 2018-01-09 18:51:07 was successful.

CN=Schema,CN=Configuration,DC=MAYCO,DC=LOCAL
    GraniteCity\MAYCO-DC2-GC via RPC
        DSA object GUID: 15df6e3a-8d66-47c1-9668-a7c5d5a9626a
        Last attempt @ 2018-01-09 04:53:25 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        206 consecutive failure(s).
        Last success @ 2017-12-14 10:15:48.
    Default-First-Site-Name\MAYCO-DBS via RPC
        DSA object GUID: 2fd8f4fa-e9ce-4cad-bcec-8a868b222092
        Last attempt @ 2018-01-09 18:51:07 was successful.

DC=ForestDnsZones,DC=MAYCO,DC=LOCAL
    GraniteCity\MAYCO-DC2-GC via RPC
        DSA object GUID: 15df6e3a-8d66-47c1-9668-a7c5d5a9626a
        Last attempt @ 2018-01-09 04:51:26 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        206 consecutive failure(s).
        Last success @ 2017-12-14 10:39:14.
    Default-First-Site-Name\MAYCO-DBS via RPC
        DSA object GUID: 2fd8f4fa-e9ce-4cad-bcec-8a868b222092
        Last attempt @ 2018-01-09 18:51:07 was successful.

DC=DomainDnsZones,DC=MAYCO,DC=LOCAL
    GraniteCity\MAYCO-DC2-GC via RPC
        DSA object GUID: 15df6e3a-8d66-47c1-9668-a7c5d5a9626a
        Last attempt @ 2018-01-09 04:51:26 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        206 consecutive failure(s).
        Last success @ 2017-12-14 10:39:11.
    Default-First-Site-Name\MAYCO-DBS via RPC
        DSA object GUID: 2fd8f4fa-e9ce-4cad-bcec-8a868b222092
        Last attempt @ 2018-01-09 19:20:02 was successful.

Source: GraniteCity\MAYCO-DC2-GC
******* 206 CONSECUTIVE FAILURES since 2017-12-14 10:43:57
Last error: 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.


C:\Users\Administrator.MAYCO>

Same Commands run on mayco-dc2-gc


C:\Users\Administrator.MAYCO.000>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : MAYCO-DC2-GC
   Primary Dns Suffix  . . . . . . . : MAYCO.LOCAL
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : MAYCO.LOCAL

Ethernet adapter NIC2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
   Physical Address. . . . . . . . . : 54-9F-35-10-94-94
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter NIC1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 54-9F-35-10-94-92
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.8(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.8
                                       127.0.0.1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{20A494FB-32D3-4627-948A-BCFDAE9C9E72}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{71458712-925A-4D9F-93F0-24C8ECFC33F6}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\Administrator.MAYCO.000>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Users\Administrator.MAYCO.000>nslookup mayco-dc
8.0.168.192.in-addr.arpa
        primary name server = localhost
        responsible mail addr = nobody.invalid
        serial  = 1
        refresh = 600 (10 mins)
        retry   = 1200 (20 mins)
        expire  = 604800 (7 days)
        default TTL = 10800 (3 hours)
Server:  UnKnown
Address:  192.168.0.8

Name:    mayco-dc.MAYCO.LOCAL
Address:  10.0.0.4


C:\Users\Administrator.MAYCO.000>repadmin /replsum
Replication Summary Start Time: 2018-01-09 19:31:44

Beginning data collection for replication summary, this may take awhile:
  ......


Source DSA          largest delta    fails/total %%   error
 MAYCO-DBS                 40m:37s    0 /   5    0
 MAYCO-DC                  31m:33s    0 /  10    0
 MAYCO-DC2-GC      26d.09h:15m:56s   10 /  10  100  (1722) The RPC server is unavailable.





C:\Users\Administrator.MAYCO.000>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
GraniteCity\MAYCO-DC2-GC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 15df6e3a-8d66-47c1-9668-a7c5d5a9626a
DSA invocationID: e3783ddb-8a8b-450a-a839-f8155e80214e

==== INBOUND NEIGHBORS ======================================

DC=MAYCO,DC=LOCAL
    Default-First-Site-Name\MAYCO-DC via RPC
        DSA object GUID: 1cf2d762-91fb-49e1-b1af-4522dc506c5f
        Last attempt @ 2018-01-09 19:02:25 was successful.

CN=Configuration,DC=MAYCO,DC=LOCAL
    Default-First-Site-Name\MAYCO-DC via RPC
        DSA object GUID: 1cf2d762-91fb-49e1-b1af-4522dc506c5f
        Last attempt @ 2018-01-09 19:02:25 was successful.

CN=Schema,CN=Configuration,DC=MAYCO,DC=LOCAL
    Default-First-Site-Name\MAYCO-DC via RPC
        DSA object GUID: 1cf2d762-91fb-49e1-b1af-4522dc506c5f
        Last attempt @ 2018-01-09 19:02:25 was successful.

DC=DomainDnsZones,DC=MAYCO,DC=LOCAL
    Default-First-Site-Name\MAYCO-DC via RPC
        DSA object GUID: 1cf2d762-91fb-49e1-b1af-4522dc506c5f
        Last attempt @ 2018-01-09 19:02:25 was successful.

DC=ForestDnsZones,DC=MAYCO,DC=LOCAL
    Default-First-Site-Name\MAYCO-DC via RPC
        DSA object GUID: 1cf2d762-91fb-49e1-b1af-4522dc506c5f
        Last attempt @ 2018-01-09 19:02:25 was successful.


C:\Users\Administrator.MAYCO.000>
0
 
Michael PfisterCommented:
Is the Windows firewall enabled on GC DC? If yes make sure the firewall starts with the domain profile. Seen this failing sometimes and Windows firewall comes up with Public profile which blocks most ports. Had to set the Network Location Awareness service to delayed start to solve this.
0
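One way to check the condition described in the comment above, as an added example that is not part of the original thread: it reports which network category each connected interface landed in, which Windows Firewall profile therefore applies, and whether the Network Location Awareness service is set to delayed start. The function name `Get-DcFirewallProfileState` is hypothetical, and the `Get-Net*` cmdlets require Server 2012 or later, which matches the new DC at GC.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on the DC.
function Get-DcFirewallProfileState {
    # Enabled state of the three Windows Firewall profiles (Domain, Private, Public)
    $fw = Get-NetFirewallProfile | Select-Object Name, Enabled

    # NLA start mode: Start = 2 (automatic) plus DelayedAutostart = 1 means delayed start
    $nlaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc'
    $nla     = Get-ItemProperty -Path $nlaKey
    $delayed = ($nla.Start -eq 2) -and ($nla.DelayedAutostart -eq 1)

    foreach ($c in (Get-NetConnectionProfile)) {
        # The network category decides which firewall profile is applied to the interface
        $profileName = switch ("$($c.NetworkCategory)") {
            'DomainAuthenticated' { 'Domain' }
            'Private'             { 'Private' }
            default               { 'Public' }
        }
        $active = $fw | Where-Object { $_.Name -eq $profileName }

        [pscustomobject]@{
            Interface       = $c.InterfaceAlias
            NetworkCategory = $c.NetworkCategory
            FirewallProfile = $profileName
            FirewallEnabled = $active.Enabled
            NlaDelayedStart = $delayed
            # On a domain controller anything other than the Domain profile is the
            # failure mode described in the comment above.
            NeedsAttention  = ($profileName -ne 'Domain')
        }
    }
}

Get-DcFirewallProfileState | Format-Table -AutoSize

# The remedy mentioned in the comment (NLA set to delayed start) can be applied with:
#   sc.exe config NlaSvc start= delayed-auto
```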
 
rettif9ManagerAuthor Commented:
Multiple ports were blocked. I opened the ports recommended in the link you provided;

run on Mayco-DC

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.MAYCO>repadmin /replsum
Replication Summary Start Time: 2018-01-10 21:19:13

Beginning data collection for replication summary, this may take awhile:
  ......


Source DSA          largest delta    fails/total %%   error
 MAYCO-DBS                 23m:37s    0 /   5    0
 MAYCO-DC              02h:14m:38s    0 /  10    0
 MAYCO-DC2-GC          01h:23m:03s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 MAYCO-DBS             01h:29m:47s    0 /  10    0
 MAYCO-DC                  23m:39s    0 /   5    0
 MAYCO-DC2-GC          02h:14m:40s    0 /   5    0

run on Mayco-DC2-GC

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\Administrator.MAYCO.000>repadmin /replsum
Replication Summary Start Time: 2018-01-10 21:22:59

Beginning data collection for replication summary, this may take awhile:
  ......


Source DSA          largest delta    fails/total %%   error
 MAYCO-DBS                 27m:23s    0 /   5    0
 MAYCO-DC              02h:18m:24s    0 /  10    0
 MAYCO-DC2-GC          01h:26m:49s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 MAYCO-DBS             01h:33m:33s    0 /  10    0
 MAYCO-DC                  27m:23s    0 /   5    0
 MAYCO-DC2-GC          02h:18m:26s    0 /   5    0

Do I need to do any additional tests?
dcdiag.log
dcdiag_dns.log
0
 
Michael PfisterCommented:
Much better now!

The time service on MAYCO-DBS isn't running and time is no longer in sync, please check:
  * Active Directory RPC Services Check
         The clock difference between the home server MAYCO-DC2-GC and target
         server MAYCO-DBS is greater than one minute. This may cause Kerberos
         authentication failures.

It also shows some Kerberos errors in the system event log which might be connected. Please check the system event log after fixing the time issue.

On MAYCO-DC2-GC the GPO "RMMinstaller " has problems.
           The assignment of application Agent from policy RMMinstaller failed.  The error was : %%1274

Could be connected to this: https://cs.mailstore.com/index.php?/Knowledgebase/Article/View/70/9/error-message-the-assignment-of-application-from-policy-failed-the-error-was--1274
0
 
rettif9ManagerAuthor Commented:
Mayco-DBS is scheduled to be retired soon. It is a 2003 server. I'll try to start the service and re-sync it, but I don't want to spend a lot of time on it. Looks like there might be several possible causes. We are planning to replace it with a re-purposed 2012 server.

Run on Mayco-DC

C:\Users\Administrator.MAYCO>netdom query fsmo
Schema master               MAYCO-DC.MAYCO.LOCAL
Domain naming master        MAYCO-DC.MAYCO.LOCAL
PDC                         MAYCO-DC.MAYCO.LOCAL
RID pool manager            MAYCO-DC.MAYCO.LOCAL
Infrastructure master       MAYCO-DC.MAYCO.LOCAL
The command completed successfully.


C:\Users\Administrator.MAYCO>W32tm /query /source
pool.ntp.org,0x1exit

mayco-DC is a Hyper-V VM. I'll check to make sure Integration is turned off on the host.

I knew I had a problem with the GPO; I just haven't had time to chase it down yet. Thanks for the link. The GPO was intended to install a management agent on client PCs. We encountered a number of problems and ended up manually installing the agent because there was a previous agent that was blocking deployment that had to be manually removed. I would like the GPO to install the agent on new PCs going forward so I'll chase this down.
0
 
rettif9ManagerAuthor Commented:
Checked Mayco-DC; the time is now correct. I did check the Host server; the time integration service is turned off. I think I can consider this question resolved.
0
 
rettif9ManagerAuthor Commented:
Thanks Michael, you did an excellent job and followed through till the question was completely resolved.
0
Question has a verified solution.
