Site and services AD

    Question

  • Hello everyone,
    I have a problem with the replication of two DCs. Basically, when I try to force replication via AD Sites and Services I get this error:
    "The following error occurred during the attempt to synchronize naming context prova.com from Context A domain controller to domain controller B.
    The RPC is unavailable. The operation will not continue.
    This condition may be caused by a DNS lookup problem."

    Also, when I run repadmin /showreps I get this error: Last error: 1256 (0x4e8): The remote system is not available.

    The two DCs are in different datacenters, but between them an any-any firewall rule has been created, so I exclude that it is a problem of that type.

    The strange thing is that the problem occurs only in one direction, i.e. from DC B to DC A. In my configuration, A is the primary DC.

    Another strange thing: if I restart DC B (the secondary) and try again to force replication from AD Sites and Services, everything works properly.

    I tried forcing name resolution through the hosts file, but the error remains.

    Can someone help me?

    Thank you,
    Luca

    16 March 2012 09:28

Answers

  • First of all thank you all for the answers and for help.

    After following your suggestions I have indeed verified that the DNS configuration was wrong.

    After making the change, this morning I did a check and now replication seems to work on both the primary and the secondary DC.

    In fact, running the command repadmin /showreps displays no errors.

    But now I wanted to ask one last question:

    All of you asked me why I was using the public IP instead of the private one:

    Banally, there are two good reasons:
    the two DCs are in geographically separated datacenters, and in a datacenter one also does not have the option of using a private IP.


    What would you suggest in this case?

    Thanks again,

    Luca



    17 March 2012 09:21
  • Hi,

    I would not use public IP addresses or multiple NICs (for RRAS or ISA) on a domain controller, whether they are in a datacenter or at a regular location, for security reasons.

    Multihomed DCs or a public IP configuration on a DC WILL cause numerous issues. It's highly recommended to single-home all DCs and use a non-DC for multihoming purposes. If it is the internet gateway, it is recommended to purchase an inexpensive cable/DSL router, or even better, a Cisco or similar firewall, to perform the task, which, if it is compromised remotely by an internet attacker, can further compromise the rest of the internal network.

    Read this thread: http://forums.techarena.in/active-directory/1206965.htm


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    17 March 2012 09:40

All messages

  • Run Dcdiag /q and Repadmin /replsum on your domain controller B and post the result here.

    Also make sure all the necessary firewall ports are open.

    http://social.technet.microsoft.com/wiki/contents/articles/active-directory-replication-over-firewalls.aspx

    http://blogs.technet.com/b/janelewis/archive/2006/11/13/ports-used-in-active-directory-replication.aspx

    Additionally, you can use the PortQry tool to check the firewall ports. You can download it from the link below.

    http://www.microsoft.com/download/en/details.aspx?id=17148

    Using PortQry for Troubleshooting.

    http://blogs.technet.com/b/askds/archive/2009/01/22/using-portqry-for-troubleshooting.aspx

    Test your DNS configuration.

    http://support.microsoft.com/kb/321046

    Hope this helps.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    16 March 2012 09:33
  • Hi,

    The "RPC server unavailable" error can occur for the following reasons: DNS problems, time synchronization problems, network connectivity problems.

    Troubleshooting:

    Additionally, Active Directory Replication Over Firewalls
    http://social.technet.microsoft.com/wiki/contents/articles/active-directory-replication-over-firewalls.aspx

    Port requirements for AD.
    http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    16 March 2012 09:57
  • Hi,

    There are no more primary and secondary DCs. Can you please post your ipconfig /all and repadmin /replsum from both of your DCs.


    Regards, Mohan R Sr. Administrator - Server Support

    16 March 2012 09:59
  • The error "The RPC is unavailable" can be due to connectivity issues like fluctuation in the network, high latency, an outdated NIC card, or blocked ports on the firewall. I would start by first verifying the connectivity between the two sites, then name resolution, and then the firewall ports.

    Even though all the ports are open, I would confirm by running the PortQry tool and seeing what it tells in its results.

    http://blogs.technet.com/b/abizerh/archive/2009/06/11/troubleshooting-rpc-server-is-unavailable-error-reported-in-failing-ad-replication-scenario.aspx

    Also, I guess antivirus can sometimes be responsible for blocking the communication. It's strange that restarting the DC resolves the issue. Can you also check that there are no memory leak issues? When there is a memory leak issue the server hangs because memory assigned to earlier resources is not freed; when you restart, it will work again for some time, until its memory is used up again and not freed when a process has completed execution. You can use poolmon to monitor memory leak issues.

    Can you make sure the server is updated with the latest SP, patches, NIC and its drivers, to rule out any issues with the server itself.


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    16 March 2012 10:00
    Moderator
  • Can you post unedited ipconfig /all >c:\ipconfig.txt from both DCs.

    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    16 March 2012 10:56
    Moderator
  • I am still able to see RPC unavailable.

    Error 1722 is an RPC error. Did you try running the PortQry tool and checking that the necessary ports are open? (I know you have defined some rule on the firewall, but I still suggest you run PortQry and post the result here.)

    Refer to the links below to understand this better.

    Troubleshooting Error 1722

    http://support.microsoft.com/kb/2102154

    Troubleshooting RPC server Unavailable problem

    http://social.technet.microsoft.com/wiki/contents/articles/4494.troubleshooting-the-rpc-server-is-unavailable.aspx

    Error 1256,

    http://support.microsoft.com/kb/2200187

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    16 March 2012 11:05
  • The primary DC's DNS server IP address is pointing to 127.0.0.1. Can you please change this to the appropriate IP address.

    E.g. if your DNS server IP address is 77.95.227.1, then place this in the primary DNS server.

    I believe the DNS service is installed on both DCs. If yes, then:

    On the primary DC the DNS server IP should be 174.36.247.196

    On the secondary DC the DNS server IP should be 77.95.227.1

    Try this and let us know the result.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    16 March 2012 11:13
  • Your DC Rutan is multihomed and you are also using the wrong DNS IP in the preferred DNS server. Multihoming the DC is not recommended. Point the Rutan DC to either another DC with DNS or itself for the preferred DNS server, and in the alternate DNS server to either itself or the secondary DNS. Also, for IPv6, use a dynamic IP, meaning select automatic.

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/a1583d7f-fa59-4497-89de-666d683e53a0/

    Do the same thing on the other DC too. Disable all the NICs on both DCs except the one used for production.

    http://awinish.wordpress.com/2011/03/08/dns-recommendations-from-microsoft/

    Any reason for using a public IP for the DC? It can invite security risks to the DCs; instead, use a private IP.


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    16 March 2012 11:15
    Moderator
  • Hi,

    The DNS configuration is not proper on the DC; also, you are using a public IP address and multiple NICs (multihomed) on the domain controller.

    A MULTIHOMED domain controller and a public IP address are not recommended; it always results in multiple problems.

    Configure DNS as per the best practices for DNS client settings on a domain controller.
    http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    16 March 2012 11:23
  • The error "The RPC server is unavailable" you are getting relates to a port being blocked, a network connectivity issue, or a DNS misconfiguration. I would suggest contacting the network/security team to verify that all the related AD ports are configured and allowed on the firewall for communication. PortQry is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are open or not.

    Also, disable the local Windows firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
    Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

    It can also be caused by antivirus software, with many of them sporting a new feature called "network traffic protection," which can effectively block necessary AD traffic.

    Active Directory and Active Directory Domain Services Port Requirements
    http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

    Troubleshooting “RPC server is unavailable” error, reported in failing AD replication scenario.
    http://blogs.technet.com/b/abizerh/archive/2009/06/11/troubleshooting-rpc-server-is-unavailable-error-reported-in-failing-ad-replication-scenario.aspx

    Ensure the following DNS settings on the DC.
    1. Each DC / DNS server points to its private IP address as the primary DNS server and to other remote/local DNS servers as secondary in the TCP/IP properties.
    2. Each DC has just one IP address and a single network adapter is enabled.
    3. Contact your ISP, get valid DNS IPs from them and add them to the forwarders. Do not set a public DNS server in the TCP/IP settings of the DC.
    4. Once you are done, run "ipconfig /flushdns & ipconfig /registerdns", then restart the DNS and NETLOGON services on each DC.
    Do not put private DNS IP addresses in the forwarder list.
    5. Assign a static IP address to the DC if its IP address is assigned by a DHCP server; that is strongly not recommended.

    -->> MULTIHOMING domain controllers is not recommended; it always results in multiple problems.
    ------------------------------------
    1. Domain controllers should not be multi-homed.
    2. Being a VPN server, and even simply running RRAS, makes it multi-homed.
    3. DNS, even just all by itself, is better on a single-homed machine.
    4. Domain controllers with the PDC role are automatically the Domain Master Browser. Master Browsers should not be multi-homed.

    272294 - Active Directory Communication Fails on Multihomed Domain Controllers http://support.microsoft.com/default.aspx?scid=kb;en-us;272294

    191611 - Symptoms of Multihomed Browsers
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    17 March 2012 00:46
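The DNS-client checklist above (own private IP as primary DNS, no loopback or public resolver, a single NIC, no stray APIPA adapter) turned into an automated review of the ipconfig /all output the thread keeps asking for. This is an added example, not code from the thread or from Microsoft; the sample dump is constructed, and the adapter names, addresses and the exact wording of the checks are assumptions.

```python
import ipaddress
import re

# Constructed sample shaped like "ipconfig /all" output; not the poster's real dump.
SAMPLE_IPCONFIG = """\
Ethernet adapter Production:
   IPv4 Address. . . . . . . . . . . : 10.1.0.5(Preferred)
   DNS Servers . . . . . . . . . . . : 127.0.0.1
                                       8.8.8.8
Ethernet adapter Backup:
   Autoconfiguration IPv4 Address. . : 169.254.12.7(Preferred)
   DNS Servers . . . . . . . . . . . : 10.1.0.5
"""

def parse_ipconfig(text):
    """Return {adapter name: {"ipv4": [addresses], "dns": [servers]}} from ipconfig /all text."""
    adapters, cur, key = {}, None, None
    for line in text.splitlines():
        if re.match(r"^\S.* adapter .+:$", line):  # e.g. "Ethernet adapter Production:"
            name = line.split(" adapter ", 1)[1].rstrip(":")
            cur, key = adapters.setdefault(name, {"ipv4": [], "dns": []}), None
        elif cur is not None:
            kv = re.match(r"^\s+([A-Za-z][^.:]*?)[ .]*: (.*)$", line)
            if not kv and not (key == "DNS Servers" and line.strip()):
                continue  # neither a "Key . . : value" line nor a wrapped extra DNS server
            key, value = (kv.group(1).strip(), kv.group(2).strip()) if kv else (key, line.strip())
            if key.endswith("IPv4 Address"):
                cur["ipv4"].append(value.split("(")[0])  # drop the "(Preferred)" suffix
            elif key == "DNS Servers":
                cur["dns"].append(value)
    return adapters

def audit_dns_client(adapters):
    """Apply the thread's checklist: one NIC, own private IP as primary DNS, no loopback or public resolver."""
    findings, host_ips = [], {ipaddress.ip_address(ip) for a in adapters.values() for ip in a["ipv4"]}
    if sum(1 for a in adapters.values() if a["ipv4"]) > 1:
        findings.append("host is multihomed; disable every NIC except the production one")
    for name, a in adapters.items():
        for ip in map(ipaddress.ip_address, a["ipv4"]):
            if ip.is_link_local:
                findings.append(f"{name}: APIPA address {ip}; an unused NIC that should be disabled")
        for pos, dns in enumerate(map(ipaddress.ip_address, a["dns"])):
            if dns.is_loopback:
                findings.append(f"{name}: DNS {dns} is loopback; use the DC's own private IP instead")
            elif dns.is_global:
                findings.append(f"{name}: DNS {dns} is a public resolver; move it to the forwarders list")
            elif pos == 0 and dns not in host_ips:
                findings.append(f"{name}: primary DNS {dns} is not this DC; point it to itself first")
    return findings
```

Run it against a saved `ipconfig /all > c:\ipconfig.txt` from each DC; on the constructed sample it reports the multihomed host, the loopback and public DNS entries on the production NIC, and the APIPA address on the unused NIC.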
  • Glad to hear that your problem got resolved.

    About your datacenter question, refer to the articles below, which will help you understand this better.

    http://www.webhostingtalk.com/showthread.php?t=1010776

    http://research.microsoft.com/en-us/people/chguo/comm152-chen.pdf

    Management of static IP addresses in the datacenter.

    http://serverfault.com/questions/39953/management-of-static-ip-addresses-in-the-data-center

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    17 March 2012 09:42
  • I would also not recommend configuring a public IP address on the DC or configuring multiple NICs, as you are now aware of the impact of multihomed domain controllers. You also have to DISABLE the unused NIC in the Networking section. Otherwise, it will still try to register even with the 169.254.x.x address. If disabled, Windows ignores it.

    You can configure the RRAS/VPN role on another server, or a router, firewall etc., to perform NAT for you.

    However, if you have a budget issue, configure the second NIC on the DC with the public IP address and remove the DNS registration from the NIC settings.

    Go to the properties of the NIC, select TCP/IP, Properties, Advanced, select the DNS tab, and make sure that the last 2 options are not selected: "Register this connection's addresses in DNS" and "Use this connection's DNS suffix in DNS registration".

    Then open the DNS MMC console, right-click the server icon and choose Properties: make sure that the server is configured to respond only on the correct address (make sure that the option "Respond to all addresses" is not selected).

    Also check the NIC binding: the NIC which has the private IP address should be first in order. Refer to the link below on NIC binding.
    http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/

    However, I would recommend avoiding configuring a public IP address on the DC, as it is not recommended.

    Hope this helps...


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    17 March 2012 21:07