DCDIAG & WFW - failed test Connectivity

  • Question

  • We have a problem with our domain controllers running Windows 2008 (server HOMER) and Windows 2008 R2 (server CARL).

    If we enable Windows Firewall (WFW) on Windows 2008, I get this 'dcdiag /s:homer' command result on Windows 2008 R2 (notice the errors):

    *****
    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = CARL
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests
      
       Testing server: Default-First-Site-Name\HOMER
          Starting test: Connectivity
             ......................... HOMER passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\HOMER
          Starting test: Advertising
             ......................... HOMER passed test Advertising
          Starting test: FrsEvent
             The event log File Replication Service on server HOMER.faf.cuni.cz
             could not be queried, error 0x6ba "The RPC server is unavailable."
             ......................... HOMER failed test FrsEvent
          Starting test: DFSREvent
             ......................... HOMER passed test DFSREvent
          Starting test: SysVolCheck
             ......................... HOMER passed test SysVolCheck
          Starting test: KccEvent
             The event log Directory Service on server HOMER.faf.cuni.cz could not
             be queried, error 0x6ba "The RPC server is unavailable."
             ......................... HOMER failed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... HOMER passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... HOMER passed test MachineAccount
          Starting test: NCSecDesc
             ......................... HOMER passed test NCSecDesc
          Starting test: NetLogons
             ......................... HOMER passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... HOMER passed test ObjectsReplicated
          Starting test: Replications
             ......................... HOMER passed test Replications
          Starting test: RidManager
             ......................... HOMER passed test RidManager
          Starting test: Services
             ......................... HOMER passed test Services
          Starting test: SystemLog
             The event log System on server HOMER.faf.cuni.cz could not be queried,
             error 0x6ba "The RPC server is unavailable."
             ......................... HOMER failed test SystemLog
          Starting test: VerifyReferences
             ......................... HOMER passed test VerifyReferences
      
    *****


    When we disable the WFW, all tests are OK. The WFW settings are default, the only change is the non-default RDP port and corresponding WFW rule - no other change. The default rules (e.g. "Active Directory Domain Controller - *", "File and Printer Sharing *", RPC or WMI) are enabled.

    Moreover, if we run 'dcdiag /e' on Windows 2008 with or without WFW enabled, we always get this result (notice the errors):

    *****

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = HOMER
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests
      
       Testing server: Default-First-Site-Name\CARL
          Starting test: Connectivity
             Message 0x621 not found.
             Got error while checking LDAP and RPC connectivity. Please check your
             firewall settings.
             ......................... CARL failed test Connectivity
      
       Testing server: Default-First-Site-Name\HOMER
          Starting test: Connectivity
             Message 0x621 not found.
             Got error while checking LDAP and RPC connectivity. Please check your
             firewall settings.
             ......................... HOMER failed test Connectivity

    Doing primary tests
      
       Testing server: Default-First-Site-Name\CARL
          Skipping all tests, because server CARL is not responding to directory
          service requests.
      
       Testing server: Default-First-Site-Name\HOMER
          Skipping all tests, because server HOMER is not responding to directory
          service requests.
      
      
      
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
      
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
      
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
      
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
      
       Running partition tests on : faf
          Starting test: CheckSDRefDom
             ......................... faf passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... faf passed test CrossRefValidation
      
       Running enterprise tests on : faf.cuni.cz
          Starting test: LocatorCheck
             ......................... faf.cuni.cz passed test LocatorCheck
          Starting test: Intersite
             ......................... faf.cuni.cz passed test Intersite
    *****


    Can anybody help us with this strange problem?

    Thanks!
    R.*
    Thursday, October 15, 2009 7:07 AM
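
For triaging output like the two runs quoted in the question, here is a small parser, added as an example and not part of the original thread. It groups failed dcdiag tests by the hex code in their detail text; the sample input is constructed by abridging the quoted output, and the function names are hypothetical.

```python
import re
# Constructed sample: lines abridged from the two dcdiag runs quoted in the question.
SAMPLE = r"""
   Testing server: Default-First-Site-Name\HOMER
      Starting test: FrsEvent
         The event log File Replication Service on server HOMER.faf.cuni.cz
         could not be queried, error 0x6ba "The RPC server is unavailable."
         ......................... HOMER failed test FrsEvent
      Starting test: SystemLog
         The event log System on server HOMER.faf.cuni.cz could not be queried,
         error 0x6ba "The RPC server is unavailable."
         ......................... HOMER failed test SystemLog
   Testing server: Default-First-Site-Name\CARL
      Starting test: Connectivity
         Message 0x621 not found.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... CARL failed test Connectivity
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
"""
START = re.compile(r"^\s*Starting test:\s*(\S+)")
RESULT = re.compile(r"^\s*\.{5,}\s+(\S+) (passed|failed) test\s*(\S*)")
CODE = re.compile(r"\b0x[0-9a-fA-F]+\b")

def parse_dcdiag(text):
    """Return one dict per test result: target, status, test, codes, detail."""
    results, current, detail = [], None, []
    for line in text.splitlines():
        if (m := START.match(line)):
            current, detail = m.group(1), []
        elif (m := RESULT.match(line)):
            target, status, name = m.groups()
            joined = " ".join(detail)  # error text wraps across several lines
            results.append(dict(target=target, status=status, test=name or current,
                                codes=CODE.findall(joined), detail=joined))
            current, detail = None, []  # a wrapped test name on the next line is skipped
        elif current and line.strip():
            detail.append(line.strip())
    return results

def failures_by_code(results):
    """Group failed tests as {code: [(target, test), ...]} to expose a shared cause."""
    grouped = {}
    for r in (r for r in results if r["status"] == "failed"):
        for code in r["codes"] or ["(no code)"]:
            grouped.setdefault(code, []).append((r["target"], r["test"]))
    return grouped
```

On the sample, the event-log tests cluster under 0x6ba while the Connectivity failure stands apart under 0x621, which matches how the two symptoms were resolved separately later in the thread.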

All replies

  • Thursday, October 15, 2009 7:15 AM
  • Hello Mainolf,

    thanks for the links, I'll check them. However, the AD replication seems to be ok (no errors can be found in the Event log).
    R.*
    Thursday, October 15, 2009 7:25 AM
  • Hi

    I think you need to configure the firewall to open the dynamic ports used by Windows Server 2008

    Please refer to this link

    http://support.microsoft.com/default.aspx/kb/929851

    Thanks

    Thursday, October 15, 2009 8:02 AM
  • Hello sameh,

    thanks for the link. I'll try to compare the WFW rules on Windows 2008 and Windows 2008 R2. Do you know of any differences in RPC-related traffic processing between WFW 2008 and WFW 2008 R2?

    Thanks!
    R.*
    Thursday, October 15, 2009 9:39 AM
  • You're welcome, ravo

    Please see this link, it may help

    http://technet.microsoft.com/en-us/library/cc732839(WS.10).aspx


    Thanks

    Thursday, October 15, 2009 9:50 AM
  • Hello sameh,

    I've set the WFW according to your last link and the RPC-related errors have disappeared on both DCs (both are W2k8 R2, I was wrong, mea culpa!). However, the 'failed test Connectivity' errors on the 'HOMER' server remain (no difference between WFW turned on or turned off):

    **********

    Doing initial required tests

       Testing server: Default-First-Site-Name\CARL
          Starting test: Connectivity
             Message 0x621 not found.
             Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
             ......................... CARL failed test Connectivity

       Testing server: Default-First-Site-Name\HOMER
          Starting test: Connectivity
             Message 0x621 not found.
             Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
             ......................... HOMER failed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\CARL
          Skipping all tests, because server CARL is not responding to directory service requests.

       Testing server: Default-First-Site-Name\HOMER
          Skipping all tests, because server HOMER is not responding to directory service requests.

    **********

    I can fully manage the CARL server from the HOMER server (Computer management, ADUC connected to CARL, telnet to LDAP(S) GC(S) ports working), no errors in the Event logs, 'repadmin /showrepl' shows all is ok...

    Strange...

    R.*
    Tuesday, October 20, 2009 7:40 AM
  • Hello Ravo

    Do you have any connection devices between those DCs, or are they connected to the same switch? If you have any devices between them, like a WAN optimizer, please check this device, and if you haven't, please try the steps below

    1.       Nslookup to ensure a correct NS record for both servers

    2.       Please check the DNS database and ensure that the two servers haven't an APIA IP registered with their names

    Please update me

    Thanks

    Tuesday, October 20, 2009 7:51 AM
  • Hello sameh,

    there is no 'special' device between the DCs (but a switch, indeed; AFAIK both servers are connected to the same switch, however I'm not sure :)

    ad 1) all NS/A records seem to be ok
    ad 2) please, what is 'APIA IP'?

    Thanks,
    R.*
    Tuesday, October 20, 2009 8:00 AM
  • Sorry ravo, I mean an APIPA IP, like one beginning with 169
    Tuesday, October 20, 2009 8:06 AM
  • I see,

    no, there isn't any APIPA IP in the DNS. I've checked the reverse DNS zone and all is ok there also.
    R.*
    Tuesday, October 20, 2009 8:09 AM
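
The manual checks from the last few posts (telnet to the LDAP and GC ports, looking for APIPA addresses registered in DNS) can be run in one pass, independently of dcdiag. This is an added example, not code from the thread; the port list and function names are assumptions chosen here, and each address registered for the DC name is probed separately.

```python
import ipaddress
import socket

# Assumed port set: the LDAP(S)/GC(S) ports probed with telnet above,
# plus the RPC endpoint mapper that dcdiag's "LDAP and RPC" check relies on.
DC_PORTS = {135: "RPC endpoint mapper", 389: "LDAP", 636: "LDAPS",
            3268: "GC", 3269: "GC over SSL"}
APIPA = ipaddress.ip_network("169.254.0.0/16")

def apipa_addresses(addresses):
    """Return the addresses that fall in the APIPA (link-local) range."""
    return [a for a in addresses if ipaddress.ip_address(a) in APIPA]

def resolve(host):
    """Return every IPv4 address the resolver gives for the name, sorted."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe(address, ports, timeout=2.0):
    """Attempt a TCP connect to each port; return {port: 'open' | 'unreachable (...)'}."""
    status = {}
    for port in ports:
        try:
            with socket.create_connection((address, port), timeout=timeout):
                status[port] = "open"
        except OSError as exc:  # refused, timed out, no route
            status[port] = f"unreachable ({exc.__class__.__name__})"
    return status

def check_dc(host, ports=DC_PORTS):
    """Resolve a DC name, flag APIPA records, and probe every registered address."""
    addresses = resolve(host)
    return {"host": host,
            "addresses": addresses,
            "apipa": apipa_addresses(addresses),
            "ports": {a: probe(a, ports) for a in addresses}}

if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:  # e.g. the DC host names
        print(check_dc(name))
```

If every port reports open on every registered address while dcdiag still fails the Connectivity test, the failure lies in how dcdiag performs its check rather than in plain TCP reachability.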
  • Ravo, the error mainly points to a connectivity failure between the 2 DCs. You checked the firewall and opened all dynamic ports used for replication; you also turned the firewall off and the result was the same. So the only way you have, and it's my personal suggestion, is to check connectivity at the lower level

    Please check

    -          Network cables (change them one by one if you can, to know if that was the reason)

    -          Network cards

    -          Switch (try to use another one if you have one)

    But please do these tests one by one; don't change all those devices at the same time, so you are able to know the reason

    Thanks

    Tuesday, October 20, 2009 8:19 AM
  • Sameh,

    thanks for the suggestions! I'll check the L1/L2 infrastructure; however, I wonder why one way is working ok (dcdiag on CARL does not report any errors) and the opposite way is not working at all (dcdiag on HOMER reports a connectivity issue on BOTH servers)...

    There is some kind of "goblin" (as we say :))

    Thanks
    R.*
    Wednesday, October 21, 2009 5:29 PM
  • Hi Ravo,

    Please be aware that I faced an issue like this before and it was like a nightmare, but after a lot of investigation I found the problem was in the switch, because it was dropping some kinds of packets, not all packets and not all the time, so it was a very troublesome issue. That's why I am asking you to check your infrastructure.

    And if you find your devices are well, please use replmon on the 2 DCs and generate reports, then post them here and we will try to help as much as we can

    Thanks Ravo

    • Marked as answer by Mervyn Zhang Tuesday, October 27, 2009 1:49 AM
    Thursday, October 22, 2009 6:41 AM
  • Hello Sameh,

    you wouldn't believe it - on the HOMER server there was NIC teaming defined. After disabling the NIC teaming the dcdiag works fine! One can say only "Wow!"

    However, thanks for the hint!
    R.*
    • Marked as answer by Mervyn Zhang Tuesday, October 27, 2009 1:49 AM
    Monday, October 26, 2009 8:57 PM
  • Thanks very much for your feedback, ravo. I hope we work together again and again

    Tuesday, October 27, 2009 6:51 AM
  • Hello Sameh,

    you wouldn't believe it - on the HOMER server there was NIC teaming defined. After disabling the NIC teaming the dcdiag works fine! One can say only "Wow!"

    However, thanks for the hint!
    R.*

    Hello All,

    Same thing here, I had an NLB network team using the HP NCU; when I disabled it... the errors went away! I disabled the firewall prior to this action but the error kept hitting me!

    Thank you all for this thread!


    JQ
    Tuesday, January 12, 2010 3:47 PM
  • I had exactly the same problem at a client's site today. Team of network adapters caused the DC to not function properly. This was fine as a 2003 DC, but not as a 2008 DC. We removed the team, and everything was fine.

    So the question is, how am I supposed to add network load balancing and redundancy to this server and yet still have it as a working DC?
    Tuesday, January 26, 2010 5:28 PM
  • Hi,

    I had the same problem on a new secondary Windows Server 2008 R2 DC on an HP server with NIC teaming, and the firewall is off.

    Everything seems to be OK.

    I don't see any warning or error in the Event Viewer and replication works, but if I use dcdiag I get the same error:

    Got error while checking LDAP and RPC connectivity. Please check your
             firewall settings.
             ......................... Server failed test Connectivity


    I can't dismount my network team for the moment.


    Any update about this problem?

    Thanks!

    Jim

    Friday, February 5, 2010 7:41 PM
  • Jim,

    It's a Microsoft issue with DCDiag. Get this hotfix

    http://support.microsoft.com/kb/978387

    I've tested it and it's resolved my issue.

    James
    Fieldzy
    • Proposed as answer by O. Brazhko Wednesday, June 30, 2010 12:25 PM
    Thursday, February 18, 2010 4:14 AM
  • Hi Fieldzy,

    Thank you for your answer.

    If I understand correctly, this is only an issue with the DCDiag command and it doesn't affect anything else?

    If that's the case, I will wait for an update instead of applying this hotfix.

    Thanks!

    Jim
    Monday, February 22, 2010 3:49 PM
  • Hi Fieldzy,

    ThanX for the info. It solved my issue.

    DJ.

    Monday, June 28, 2010 7:49 AM
  • Thanks. It worked for me.
    Wednesday, June 30, 2010 12:26 PM
  • Thanks again.

    The HP servers with NIC teaming issue is solved.

    Thursday, December 9, 2010 10:39 PM
  • Fieldzy,

    your hotfix did it. Thanks a lot!

    Stijn

    Tuesday, March 22, 2011 12:50 PM