Lanee Kirby

Errors, DCs no longer replicating

My domain controllers have stopped replicating.  When I try to force replication I either get the error "There are no more endpoints available from the endpoint mapper" or "the target principal name is incorrect."

Some of my users are beginning to have authentication issues of course.  I do not know what caused this and I don't seem to be able to fix it.  Can anyone provide guidance?

I have already confirmed time sync is working and correct.

Thanks
ASKER CERTIFIED SOLUTION
Sajid Shaik M

Error: There are no more endpoints available from the endpoint mapper.

Try this:

https://www.netwrix.com/kb/2085

ASKER

Saad,

This link references the setting in the RPC protocol in the registry.  I followed directions and there is no RPC protocol listed in the area indicated in the registry.

Lanee

Sajid,

I tried the steps in the link you gave.  All issues indicated are true in my case but it did not resolve them.  Still saying Target name incorrect or no endpoints available.

What version of Windows Server is your DNS server running?

DNS is installed on my main DC that has all of my roles on it.  It is running Win Server 2012 R2.  Yesterday I restarted the RPC service and the RPC locator service and I was able to replicate all of my other AD servers except this one.  I still had this one failing but then this morning, I am back to square one and none of them will replicate, and it is causing authentication issues.

Confused.

Lanee

Change the DNS to be only pointing at the original DC. Then at the command line do a repadmin /kcc, then repadmin /syncall, then a repadmin /syncall /P, then try to replicate now.

Very odd thing happened.  Same as yesterday afternoon.  All of a sudden I was able to replicate all of my servers in Sites and Services and the couple of users that were having authentication problems got authenticated.  I thought all was well but not 10 minutes later, I have done nothing else and another user cannot authenticate and servers will not replicate again.  Target name is incorrect or no endpoint available.  It's crazy.

To resolve this issue, first determine which domain controller is the current primary domain controller (PDC) Emulator operations master role holder. To do this, use either of the following methods:

Install the Netdom.exe utility, and then run the following command:

netdom query fsmo

Start the Active Directory Users and Computers snap-in, right-click the domain, and then click Operations Masters. Click the PDC tab; the current role holder is displayed in the Operations Master window. On this tab, you can change the operations master role to the current computer in the second window (if this computer is not the current holder).
Use the Ntdsutil.exe utility (that is included in Windows 2000), and the Resource Kit command-line utility. However, these interfaces are recommended for more advanced users.

On domain controllers that are experiencing this issue, disable the Kerberos Key Distribution Center service (KDC). To do so:
Click Start, point to Programs, click Administrative Tools, and then click Services.
Double-click KDC, set the startup type to Disabled, and then restart the computer.

After the computer restarts, use the Netdom utility to reset the secure channels between these domain controllers and the PDC Emulator operations master role holder. To do so, run the following command from the domain controllers other than the PDC Emulator operations master role holder:

netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password
Where server_name is the name of the server that is the PDC Emulator operations master role holder.

After you reset the secure channel, restart the domain controllers. Even if you attempt to reset the secure channel using the Netdom utility, and the command does not complete successfully, proceed with the restart process.

If only the PDC Emulator operations master role holder is running, the KDC forces the other domain controllers to resynchronize with this computer, instead of issuing themselves a new Kerberos ticket.

After the computers have finished restarting, start the Services program, restart the KDC service, and then attempt replication again.

This article was referenced above in the first answer posted to your question:

https://support.microsoft.com/en-us/help/2089874/troubleshooting-ad-replication-error-1753-there-are-no-more-endpoints

I'm unclear whether you followed it.  It's a quite thorough article on how to troubleshoot this error. Have you followed all these steps and still have no resolution to your question?

Deactivate the service “Key Distribution Center”
Restart Domain Controller
Start a command-box as administrator and enter the following command:
netdom resetpwd /Server:dc-mit-pdc-Emulator-Rolle /userd:Domain\Administrator /passwordd:password
Restart Domain Controller
Reset the service “Key Distribution Center” to automatic start and start it

Thanks everyone for the assistance.  It turns out that my DNS servers had been changed and they did not know where to pull their information from exactly.

Lanee
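
A check for the root cause the asker reports above (DCs pointed at the wrong DNS servers), as an added PowerShell example that is not part of the thread. It lists the DNS resolvers each domain controller is using and verifies that the DC's replication CNAME and the domain's DC locator SRV records resolve. It assumes the RSAT ActiveDirectory module, CIM/WinRM access to every DC, and AD-integrated DNS hosted on the DCs themselves.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module,
# CIM/WinRM access to every DC, and AD-integrated DNS hosted on the DCs themselves.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$forest = (Get-ADForest).RootDomain
$dcs    = @(Get-ADDomainController -Filter *)
$dcIPs  = $dcs.IPv4Address          # the only resolvers a DC should use (assumption)

$report = foreach ($dc in $dcs) {
    # 1. DNS servers configured on the DC's network adapters
    $resolvers = @()
    try {
        $cim = New-CimSession -ComputerName $dc.HostName -ErrorAction Stop
        $resolvers = @(Get-DnsClientServerAddress -CimSession $cim -AddressFamily IPv4 |
            Select-Object -ExpandProperty ServerAddresses | Sort-Object -Unique)
        Remove-CimSession $cim
    } catch {
        Write-Warning "Cannot query $($dc.HostName): $($_.Exception.Message)"
    }
    $foreign = @($resolvers | Where-Object { $_ -notin $dcIPs -and $_ -ne '127.0.0.1' })

    # 2. Replication partners find this DC through <DSA GUID>._msdcs.<forest root>;
    #    the CNAME must exist and point back at this DC's host name.
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
    $cname = Resolve-DnsName -Name "$($dsaGuid)._msdcs.$forest" -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' }

    [pscustomobject]@{
        DC              = $dc.HostName
        Resolvers       = $resolvers -join ', '
        NonDcResolvers  = $foreign -join ', '
        GuidCnameTarget = $cname.NameHost
        CnameMatchesDC  = ($cname.NameHost -eq $dc.HostName)
    }
}
$report | Format-Table -AutoSize

# 3. DC locator SRV records for the domain, then the replication summary itself
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } | Select-Object NameTarget, Port
repadmin /replsummary
```

Rows with a non-empty NonDcResolvers column or CnameMatchesDC set to False are the DCs whose DNS settings or records need correcting before replication is retried.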