DCDIAG failure

  • Question

  • We are upgrading our Forest and Domains from Server 2003 to 2012. We have 1 2003 DNS server and 2 2012 DNS servers (all AD Integrated and all domain controllers) in our root domain. When I run a Dcdiag /test:DNS /v /e /f:dns.txt from the 2003 DNS against the 2012 DNS server I get the following error:

    TEST: Authentication (Auth)
                      Error: Authentication failed with specified credentials
                      [Error details: 1203 (Type: Win32 - Description: No network provider accepted the given network path.) - Add connection failed]
                     
                   TEST: Basic (Basc)
                       Microsoft Windows Server 2012 Standard (Service Pack level: 0.0) is supported
                      Error: Open Service Control Manager failed
                      [Error details: 1722 (Type: Win32 - Description: The RPC server is unavailable.) - Could not open Service Control Manager]

    I have looked around quite a bit and could not find much helpful info regarding the same errors so we did a packet capture and found the following:

    The request is going out as follows:

    CN=DNS,Settings,CN=BGOGODC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=winco,DC=local

    The response is coming in as follows:

    CN=BGOGODC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=winco,DC=local......0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:

    .'CN=BGOGODC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=winco,DC=local'

    I know this is an LDAP error but I am unsure of how to go about resolving what the issue is. Any help would be greatly appreciated.

    I can post a full dcdiag if needed.


    Russ

    • Moved by TorstenMMVP Wednesday, June 5, 2013 6:24 AM moved to Server forum
    Tuesday, June 4, 2013 4:36 PM

Answers

  • Sorry it took so long to reply but after extensive testing and research, here is what I found:

    We are indeed experiencing the issue where Windows Server 2008 R2 DNS Servers (or later) can only be managed by computers running Windows Server 2008 or later. See this article:

    http://support.microsoft.com/kb/2027440

    It also seems like it affects running DCDIAG between 2003 and 2012 server versions.

    To test this I performed the following steps:

    1) I ran the following commands on my 2012 DNS Servers and noted the results:

    C:\>Dnscmd.exe /info /RpcAuthLevel

    C:\>Dnscmd.exe /info /RpcProtocol

    the results for both were:

    Dword:  5 (00000005)

    2) I then Changed the above values by running the commands as follows:

    C:\>Dnscmd.exe /config /RpcAuthLevel 0

    C:\>Dnscmd.exe /config /RpcProtocol 7

    3) Restarted the DNS service on my 2012 DNS Servers and then ran DCDIAG again from my 2003 server and it still failed with an RPC error.

    4) I then started the Remote Procedure Call (RPC) Locator Service (Startup Type was manual) on my 2012 DNS Server and re-ran DCDIAG from my 2003 server and it passed with no issues.

    5) After I confirmed this was the issue I re-ran the above commands with the following parameters to reset the values:

    C:\>Dnscmd.exe /config /RpcAuthLevel 5

    C:\>Dnscmd.exe /config /RpcProtocol 5

    6) I ran the following commands to verify the old values:

    C:\>Dnscmd.exe /info /RpcAuthLevel

    C:\>Dnscmd.exe /info /RpcProtocol

    7) Restart DNS service and stop the Remote Procedure Call (RPC) Locator Service

    Knowing this issue exists, I believe I can safely ignore the DCDIAG errors since I will be retiring my 2003 DNS servers in the coming months.

    I searched my AD with adsiedit and could not find the following value:

     CN=DNS,Settings,CN=BGOGODC01,CN=Servers,CN=Default-First-Site-name,CN=Sites,CN=Configuration,DC=winco,DC=local

    We believe it to be an issue with our packet capture tool.


    Russ

    Tuesday, June 11, 2013 8:35 PM

All replies

  • Hi Russ,

    You're in the Configuration Manager forum, you're most likely going to get better help in the Server forums:

    http://social.technet.microsoft.com/Forums/en-US/category/windowsserver

    Good luck.

    Tuesday, June 4, 2013 6:30 PM
  • I will repost in the correct forum. Thanks.

    Russ

    Tuesday, June 4, 2013 7:26 PM
  • As an addition, I have noticed this error only appears in the DCDIAG log on the 1 2003 server in the root domain. If I run DCDIAG from all other servers, even from our child domains, the dcdiag log is clean. In 2 of our child domains we are currently running 2003 and 2012 DNS servers side by side with no issues. The issue is only in our root domain. I have looked through ADSI Edit and can find no reference to the "CN=DNS,Settings" as shown below.

    CN=DNS,Settings,CN=BGOGODC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local.

    Before we upgraded our Forest and Domain we ran dcdiag and the reports were clean. After the Schema upgrade and install of the 2012 DC's we started to receive this error.

    I have looked in ADSIEDIT and cannot find any reference to the CN=DNS,Settings

    Any ideas on how to correct this would be appreciated.


    Russ

    Wednesday, June 5, 2013 2:14 PM
  • If BGOGODC01 is removed from the network, try running the metadata cleanup command and check if the references are present or not. Check the DNS console as well, and AD Sites and Services.

    http://www.petri.co.il/delete_failed_dcs_from_ad.htm

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Wednesday, June 5, 2013 3:24 PM
  • BGOGODC01 is one of our new 2012 DNS servers.

    The request (from the packet capture) looks like it is trying to go to:

    CN=DNS,Settings,CN=BGOGODC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local.

    The response basically says I can't find the path above. We see this error in the DCDIAG to all 2012 DNS servers but not to our 2003 DNS servers. From what I could find so far I just know it is an LDAP error but I am not sure if it is a compatibility issue between 2003 and 2012 DNS servers or if something in my Schema from the 2012 upgrade went awry.

    I really do appreciate any insight on what is happening here.


    Russ

    Wednesday, June 5, 2013 7:57 PM
  • There should not be such an entry as CN=DNS,Settings under the server; the correct entry should be CN=NTDS Settings,CN=BGOGODC01,....

    About the errors you got, both error codes 1203 and 1722 point to a network-related problem. Please make sure no network connectivity issue occurs between the 2003 DNS server and the 2012 DNS server, and check that the necessary ports are open between them.

    http://support.microsoft.com/kb/179442/en-us

    Regards,

    Diana


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, June 6, 2013 1:56 PM
  • Thank you for the reply. We have no firewall or blocks between the servers.

    Where can I look to see the cn=DNS,settings setting? I am assuming adsiedit, but in looking around, I could not find it.


    Russ

    Thursday, June 6, 2013 6:49 PM
  • Is it possible we are experiencing the issue where Windows Server 2008 R2 DNS Servers can only be managed by computers running Windows Server 2008 or later? If I run the DNSCMD as referred to in the article, I get the exact same errors.

    http://support.microsoft.com/kb/2027440

    I do know that I can also run the following commands to disable RPC integrity.

    dnscmd /config /RpcAuthLevel 0

    dnscmd /config /RpcProtocol 7

    I would like to run these commands on the 2012 server experiencing the issue just to test and see if it resolves the issue. If so, I would like to return these options back to what they were originally and just let the error ride till we decommission the 2003 servers in the upcoming months. Where can I locate the default values before I test the changes on them? 


    Russ

    Thursday, June 6, 2013 10:11 PM
  • 
    I checked my 2012 domain controller; there is no CN=DNS,Settings there either. As I said before, it should be:

    CN=NTDS Settings,CN=BGOGODC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=winco,DC=local

    You can see it in adsiedit, right-click ADSI Edit, click Connect to, then select Configuration under Naming Context dropdown box, expand step by step.



    Tuesday, June 11, 2013 7:40 AM
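    The check Diana describes (open ADSI Edit, connect to the Configuration naming context, expand down to the server object) can be done without the GUI. The following PowerShell is an added example, not code from the thread: it uses the [ADSI] accelerator (System.DirectoryServices) to enumerate the children of a DC's server object and reports whether a CN=NTDS Settings object exists and whether any "CN=DNS..." child exists. The DC name and site name default to the values in the thread and are assumed; the script must run on a domain-joined machine with read access to the Configuration partition, which it locates through RootDSE rather than hard-coding the DC=... suffix.

```powershell
# Added example (not from the thread): enumerate a DC's server object in the
# Configuration NC and confirm the NTDS Settings child is present.
function Get-DcServerObjectChildren {
    param(
        [string]$DcName   = 'BGOGODC01',               # assumed; value from the thread
        [string]$SiteName = 'Default-First-Site-Name'  # assumed; value from the thread
    )
    # RootDSE supplies the forest's Configuration naming context.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
    $serverDn = "CN=$DcName,CN=Servers,CN=$SiteName,CN=Sites,$configNc"

    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$serverDn")) {
        throw "Server object not found: $serverDn"
    }

    $server = [ADSI]"LDAP://$serverDn"
    foreach ($child in $server.Children) {
        # objectClass is multi-valued (top, nTDSDSA, ...); the most specific class is last.
        $classes = @($child.Properties['objectClass'])
        [pscustomobject]@{
            Name              = [string]$child.Name                 # e.g. "CN=NTDS Settings"
            ObjectClass       = [string]$classes[-1]
            DistinguishedName = [string]$child.Properties['distinguishedName'].Value
        }
    }
}

function Test-NtdsSettingsPresent {
    param(
        [string]$DcName   = 'BGOGODC01',
        [string]$SiteName = 'Default-First-Site-Name'
    )
    $children = @(Get-DcServerObjectChildren -DcName $DcName -SiteName $SiteName)
    $ntds     = @($children | Where-Object { $_.Name -eq 'CN=NTDS Settings' })
    $dnsLike  = @($children | Where-Object { $_.Name -like 'CN=DNS*' })

    [pscustomobject]@{
        Server            = $DcName
        NtdsSettingsFound = ($ntds.Count -gt 0)     # expected True on a healthy DC
        DnsSettingsFound  = ($dnsLike.Count -gt 0)  # expected False: the DN in the capture does not exist
        Children          = ($children | ForEach-Object { $_.Name }) -join '; '
    }
}

Test-NtdsSettingsPresent | Format-List
```

    A DC whose server object lacks CN=NTDS Settings is a genuine problem (it is where the DC's replication connections live); a "CN=DNS,Settings" object is not expected anywhere, so a False in DnsSettingsFound is the healthy result and the DN seen in the capture should be treated as a capture or decoding artifact, as the thread concludes.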
  • 

    I did not find the default values. According to my testing, these two commands write the registry entries rpcauthlevel and rpcprotocol under HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters and set their value data to 0 and 7, respectively; I think you can delete the registry entries to revert to the default state.

    Regards,

    Diana



    Tuesday, June 11, 2013 7:59 AM
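    The accepted answer lowers RpcAuthLevel to 0, widens RpcProtocol to 7 and starts the RPC Locator service to get the 2003-to-2012 dcdiag run working, then puts everything back. A change like that is easy to leave behind, so a defender wants a repeatable check on each 2012 DNS server. The following PowerShell is an added example, not code from the thread: it reads the two registry entries Diana identifies under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters (a missing entry is treated as the built-in default, per her note), compares them with the values dnscmd /info reported on the thread's 2012 servers (5 and 5, assumed here to be the expected baseline), flags the KB 2027440 test values 0 and 7 explicitly, and reports the state of the RPC Locator service. The service name RpcLocator for "Remote Procedure Call (RPC) Locator" is assumed.

```powershell
# Added example (not from the thread): audit the DNS server RPC settings and the
# RPC Locator service that the accepted answer changed temporarily.
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
# Assumed baseline: the values "dnscmd /info" returned on the thread's 2012 servers.
$Baseline  = @{ RpcAuthLevel = 5; RpcProtocol = 5 }

function Get-DnsRpcSetting {
    param([Parameter(Mandatory = $true)][string]$Name)
    # Returns $null when the entry (or the whole key) is absent, i.e. built-in default.
    $item = Get-ItemProperty -Path $ParamsKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-DnsRpcHardening {
    $findings = @()

    foreach ($name in @($Baseline.Keys)) {
        $value = Get-DnsRpcSetting -Name $name
        if ($null -eq $value) {
            $findings += [pscustomobject]@{ Setting = $name; Value = '(absent = built-in default)'; Status = 'OK' }
            continue
        }
        $status = if ($value -eq $Baseline[$name]) { 'OK' } else { 'REVIEW' }
        # 0 and 7 are the temporary KB 2027440 values; call them out so they do not linger
        # after the 2003 servers are decommissioned.
        if ($name -eq 'RpcAuthLevel' -and $value -eq 0) { $status = 'WEAKENED' }
        if ($name -eq 'RpcProtocol'  -and $value -eq 7) { $status = 'WIDENED' }
        $findings += [pscustomobject]@{ Setting = $name; Value = $value; Status = $status }
    }

    # The answer only needed RPC Locator running for the one-off dcdiag run from 2003;
    # the expected steady state (per step 7 of the answer) is Manual start and Stopped.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RpcLocator'"
    if ($null -eq $svc) {
        $svcValue  = '(service not found)'
        $svcStatus = 'REVIEW'
    } else {
        $svcValue  = "$($svc.StartMode)/$($svc.State)"
        $svcStatus = if ($svc.StartMode -eq 'Manual' -and $svc.State -eq 'Stopped') { 'OK' } else { 'REVIEW' }
    }
    $findings += [pscustomobject]@{ Setting = 'RpcLocator service'; Value = $svcValue; Status = $svcStatus }

    return $findings
}

Test-DnsRpcHardening | Format-Table -AutoSize
```

    Run it on each 2012 DNS server after the test window closes; any WEAKENED, WIDENED or REVIEW line means the temporary settings from the answer are still in place. Because the thread's own evidence is limited to values 5/5 being what dnscmd reported before the change, treat the baseline as something to confirm against your own pre-change output rather than as a documented default.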
  • Yes, no CN=DNS Settings entry exists; each domain controller has CN=NTDS Settings under its server name, and this DC's replication connections are created under the NTDS Settings container. It can also be viewed in the Active Directory Sites and Services console.

    Usually, we use Network Monitor or Wireshark to capture network packets.

    Regards,

    Diana



    Friday, June 14, 2013 1:50 AM