Dcdiag error 0x6ba: the RPC server is unavailable

  • But I am getting this error in very large amount and very frequently.


    Subs

  • Hi,

    It seems the secure channel is broken. You can test by removing the computer from the domain, delete the computer account, then add the computer back to the domain and let the computer account be recreated.

    For domain controller, use below to reset secure channel:
    http://support.microsoft.com/kb/325850

    Regards,


    Abhijit Waikar — MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA

  • Hello,

    are the machines installed from an image that is NOT prepared with sysprep?


    Best regards Meinolf Weber Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

  • This is because the secure channel between the machine has been broken. Are all these errors coming from a single machine? You would need to reset the computer account and probably remove and add the machine back to the domain.


    Regards Rahul A

  • I agree with Meinolf. Did you prepare the system with an image/clone? If yes, has sysprep/a new SID tool been executed to assign a unique SID to them? Second question: are all your machines updated with the latest SP and patches, and do you have a consistent network connection across client and DC? Another reason for a broken secure channel can be existing duplicate computer objects or host records in AD/DNS.

    http://awinish.wordpress.com/2010/12/24/when-secure-channel-is-broken/

    Regards

    Awinish Vishwakarma

    MY BLOG: awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • Thanks Meinolf,

    Please explain this a bit more, I am not getting your point.


    Subs

  • Thanks Awinish,

    No I have not installed these from any clone CD

    These errors are coming from different machines randomly.

    When I am searching a faulty computer name in AD it is showing only a single computer name, then how can I identify that there are duplicate computer names existing in AD.

    For DNS I have configured the Scavenging, the period is 7 days, should I reduce this.


    Subs

  • Please explain this a bit more, I am not getting your point.


    Subs

    SYSPREP: It is an image based installation, you can create image on one reference computer, and duplicate it to computers with the same hardware abstraction layer, meaning these computers will use the same hardware platform (CPU) and will use the same hal.dll file as an interface between the operating system and the hardware. When deploying computers using images, you copy the entire computer configuration including the computer name and SID (security identifier).

    You can use the SYSPREP tool to solve duplicate computer names and duplicate SIDs (security identifier) problem, caused by this method of deployment.

    Read more on SYSPREP:
    http://technet.microsoft.com/en-us/library/cc783215(WS.10).aspx

    http://www.petri.co.il/using_sysprep_in_an_image_based_installation.htm

    How many machines are affected with this error messages? Are some of them Domain Controllers?

    If you have not prepared the system with image/clone then you need to think about secure channel, information and links about secure channel are provided in my earlier post.

    Regards,


    Abhijit Waikar — MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA

  • It seems to be dns name resolution issue. The error message indicates that secure channel between the client server and DC is broken; rejoining the PC to domain will fix the issue.

    However since it is coming frequently check the below.

    (1)Check the DNS & WINS entries on client PC?

    —>> IP configuration on clients and member servers:
    ————————————
    1. Each workstation/member server should point to local DNS server as primary DNS and other remote DNS servers as secondary.

    2. Do not set public DNS server in TCP/IP setting of client/member server.

    (2)Check whether the Firewall service is ON or OFF?
    Refer to this link to disable the firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

    (3)Are there any sort of AV or 3rd party security app? Lately, many AVs (McAfee, Symantec, Trend, etc), seem to have a *trend,* so to speak, of causing AD and other communications problems with their new «protect network traffic» (or similar) feature that acts like a firewall.

    (4)Is the client PC connected to a wireless n/w? How is the IP assigned to the client, static or dynamic? Sometimes a wireless n/w causes the issue. Connect the PC to a wired n/w and check the status.

    (5)Check the status of the machine's account in the AD? (It may be disabled)
    If the machine account is disabled, enable the same.

    (6)Also check the DNS console for duplicate record for the host machine and remove the same.

    I would also recommend to check the health of DC as well: run dcdiag /q and repadmin /replsum and post the error if any.

    Regarding the DNS Scavenging setting you have configured to 7 days that is OK.

    To find out duplicate SID refer below link.
    http://support.microsoft.com/kb/816099

    Hope this helps

    Regards,
    Sandesh Dubey.
    ——————————-
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

  • Thanks Meinolf,

    Please explain this a bit more, I am not getting your point.


    Subs

    Hello,

    if you use images/clones and this is not prepared with sysprep(the ONLY Microsoft supported way) all machines have the same SID and this can run into multiple problems, machines are having problems with secure channels, GPO applying and still some more.

    More details about cloning and sysprep:
    http://support.microsoft.com/kb/314828 http://technet.microsoft.com/en-us/library/cc766514(WS.10).aspx

    «No I have not installed these from any clone CD»

    This is not about the CD, it is about using a preinstalled machine and built a clone/image from that one.


    Best regards Meinolf Weber Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

    • Edited by

      Friday, January 13, 2012 7:15 AM

  • Thanks for this comprehensive answer.

    1. DNS setting is correct.

    2. No public DNS in client DNS setting.

    3. Firewall setting is on, but the Windows firewall is off from control panel.

    4. We are using McAfee AV

    5. Client PCs are not connected with the wireless network

    6. We have assigned the IPs dynamically using Router as DHCP.

    7. Machine account are enabled.

    8. Dcdiag result is posted and no error in replication check.

     DCDIAG,

    https://skydrive.live.com/redir.aspx?cid=85e7b22b0c07394f&resid=85E7B22B0C07394F!116&parid=85E7B22B0C07394F!108&authkey=!AIXJp3Jinhz2vdU

    One more thing, the lease period for IPs in DHCP (Router) is 24 hours, I think I should increase this to 7 days as per my scavenging setting in DNS or reduce the scavenging setting to 24 hours, which one is best ?


    Subs

  • Hello,

    as this is not really going on that way please upload the following files:

    ipconfig /all >c:\ipconfig.txt [from each DC/DNS Server]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
    netdiag /v >c:\netdiag.txt [from each DC, netdiag may work but isn’t supported with Windows server 2008 and don’t run on Windows server 2008 R2]

    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt  [«dc*» is a place holder for the starting name of the DCs if they all begin the same (if more then one DC exists)]
    dnslint /ad /s «DCipaddress» (http://support.microsoft.com/kb/321045)

    As the output will become large, DON’T post them into the thread, please use Windows Sky Drive (skydrive.live.com) [with open access!] and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.

    **Note: Using the /E switch in dcdiag will run diagnostics against ALL dc’s in the forest. If you have significant numbers of DC’s this test could generate significant detail and take a long time. You also want to take into account slow links to dc’s will also add to the testing time.


    Best regards Meinolf Weber Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

  • Since the IP address is assigned by DHCP, assign a static IP address and check the same.

    Also ensure that Register this connection’s address in DNS is checked in the TCPIP setting of DNS tab.

    Disable unrequired NIC if multiple NIC is present on the Client PC.

    Also is this only the PC facing issue or its multiple PC.

    If multiple PC are facing the issue check the health of DC. Run dcdiag /q and repadmin /replsum to check for any errors or warning and post the logs.

    Hope this helps

    Regards,
    Sandesh Dubey.
    ——————————-
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

  • Since the IP address is assigned by DHCP, assign a static IP address and check the same.

    Also ensure that Register this connection’s address in DNS is checked in the TCPIP setting of DNS tab.

    Disable unrequired NIC if multiple NIC is present on the Client PC.

    Also is this only the PC facing issue or its multiple PC.

    If multiple PC are facing the issue check the health of DC. Run dcdiag /q and repadmin /replsum to check for any errors or warning and post the logs.

    Hope this helps

    Regards,
    Sandesh Dubey.
    ——————————-
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Hi,

    I already provided this in my previous post.


    Subs

  • Hello,

    as this is not really going on that way please upload the following files:

    ipconfig /all >c:\ipconfig.txt [from each DC/DNS Server]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
    netdiag /v >c:\netdiag.txt [from each DC, netdiag may work but isn’t supported with Windows server 2008 and don’t run on Windows server 2008 R2]

    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt  [«dc*» is a place holder for the starting name of the DCs if they all begin the same (if more then one DC exists)]
    dnslint /ad /s «DCipaddress» (http://support.microsoft.com/kb/321045)

    As the output will become large, DON’T post them into the thread, please use Windows Sky Drive (skydrive.live.com) [with open access!] and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.

    **Note: Using the /E switch in dcdiag will run diagnostics against ALL dc’s in the forest. If you have significant numbers of DC’s this test could generate significant detail and take a long time. You also want to take into account slow links to dc’s will also add to the testing time.


    Best regards Meinolf Weber Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

    Hi Meinolf,

    Thanks for your reply,

    I am getting this error for many of the computer account and very frequently.

    As you told, the Output is below

    https://skydrive.live.com/redir.aspx?cid=85e7b22b0c07394f&resid=85E7B22B0C07394F!108&parid=85E7B22B0C07394F!106&authkey=!AHCCa5ftZs4njJ4 

    The lease time set on my DHCP (router) is 24 Hours, and my scavenging time is 7 Days.

    Now,

    Should I increase my lease period for my IPs to 7 Days?

    What will be the refresh interval in DNS scavenging ?

    What will be the no refresh interval ?

    Similarly, I am getting NETLOGON 5807 which is indicating that there are some client machines whose IP addresses don’t map to any of the existing sites,

    But when I am checking logs (‘%SystemRoot%\debug\netlogon.log’) all the IP segment already added in AD site and services.


    Subs

  • Subs,

    Earlier you said DNS settings are correct and not using external DNS. Is the router being used as a DNS server?

    I noticed this in the dcdiag:

             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 01/16/2012   09:38:58
                Event String:
                Name resolution for the name www.microsoft.com timed out after none of the configured DNS servers responded.

    That’s indicative of DNS issues.

    I also noticed the following, which are indicative of replication failure, and more than likely directly related to DNS problems as by the indicated RPC errors below, which is 99% of the time caused by DNS issues.

          Starting test: DFSREvent
             The DFS Replication Event Log.

             The event log DFS Replication on server
             DR-DC2.My_DOMAIN.com could not be queried, error 0x6ba
             «The RPC server is unavailable.»
             ……………………. DR-DC2 failed test DFSREvent

          Starting test: KccEvent
             * The KCC Event log test
             The event log Directory Service on server
             DR-DC2.My_DOMAIN.com could not be queried, error 0x6ba
            «The RPC server is unavailable.»
             ……………………. DR-DC2 failed test KccEvent

    I also noticed hardware errors, below.

             A warning event occurred.  EventID: 0x00000011
                Time Generated: 01/16/2012   08:51:55
                Event String:
                A corrected hardware error has occurred.           

                Component: PCI Express Root Port
                Error Source: Advanced Error Reporting (PCI Express)    

                Bus:Device:Function: 0x0:0x0:0x0
                Vendor ID:Device ID: 0x8086:0x3406
                Class Code: 0x30000

    Is this your NIC? If so, that could be the cause of everything, that is as long as it’s not something else.

    What type of server is it? If a Dell, HP, Lenovo, etc, you can check with the supplied diagnostics the manufacturers provide. If a third party server, or self built, try to find out what this hardware is.

    Is there a firewall on it? Antivirus software? AV is known to block AD communications.

    Also, I think you may still be unsure what Sysprep is? Previously Meinolf and others asked if you had cloned an image. You responded that you did not use a cloned CD. As Meinolf said, it’s not about what CD you used and was not the answer we were looking for.

    If you had imaged one machine using something like Ghost or Altiris, or other imaging tools, and you made multiple machines from that one image, then you will have multiple machines with identical SIDs. AD uses the SIDs to identify machines. If there are multiples, then there will be problems that arise from it.

    To circumvent this when cloning, we use Sysprep on the original machine before we copy the image. This tool simply forces the machine at initial boot to generate a new, unique SID, so subsequent machines you make off it are now all unique.

    I would also suggest to change DHCP from the router/firewall to a Windows DHCP. The Windows DHCP APIs work hand in hand with the Windows DNS APIs for Secure Updates to work using Kerberos. You can also configure Windows DHCP to own all records so it can keep all records it registers updated, otherwise you may see duplicates. I can offer more on this, but let’s not distract too far from the current issue.

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP — Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


  • Thanks Ace, for pointing out these errors,

    The name resolution error is for External DNS only, as I have configured the DNS to resolve the internal name only, this is as per requirement.

     No, I am not using router as DNS, the DCs DNS is pointing to their local ip and ADC IP.

     If there are the pure DNS errors, then please suggest me to resolve this.

    We don’t have any clone or image, we have installed these computer individually from license MS OS or some has inbuilt OS, so this is not the case here.

    For the HW error, I have SUN HW

    About your last question,

    I cannot change my DHCP to windows, as this is management decision, may you please answer the questions about DHCP which I have asked in my pre. post.


    Subs

    • Edited by
      VLCC
      Monday, January 16, 2012 6:22 AM
  • In the dcdiag /q you are getting the error «The RPC server is unavailable», which relates to a port being blocked, a network connectivity issue or a DNS misconfig. I would suggest contacting the network/security team to verify whether all the related AD ports are configured and allowed on the firewall for communication. Portquery is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are opened or not.

    Also, disable local windows firewall service, by default it is enabled in vista/windows 2008 and above. Check the network connectivity and latency.
    Disable Windows Firewall:http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

    It can also be caused by antivirus software with many of them sporting a new feature called «network traffic protection,» which can effectively block necessary AD traffic

    Active Directory and Active Directory Domain Services Port Requirements
    http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

    Troubleshooting “RPC server is unavailable” error, reported in failing AD replication scenario.
    http://blogs.technet.com/b/abizerh/archive/2009/06/11/troubleshooting-rpc-server-is-unavailable-error-reported-in-failing-ad-replication-scenario.aspx

    Ensure the following dns setting on DC:
    1. Each DC / DNS server points to its private IP address as primary DNS server and other remote/local DNS servers as secondary in TCP/IP properties.
    2. Each DC has just one IP address and single network adapter is enabled.
    3. Contact your ISP and get valid DNS IPs from them and add it in to the forwarders, Do not set public DNS server in TCP/IP setting of DC.
    4. Once you are done, run «ipconfig /flushdns & ipconfig /registerdns», restart DNS and NETLOGON service each DC.
    Do not put private DNS IP addresses in forwarder list.
    5.Assigning static IP address to DC if IP address is assigned by DHCP server to DC.It is strongly not recommended.

    Hope this helps

    Regards,
    Sandesh Dubey.
    ——————————-
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

  • Thanks sandesh for suggesting this excellent tool.

    The windows firewall is off on all the DCs.

    I am getting error 0x00000002. And 0x00000001 for my DR site AD servers, please suggest me how to explore this more or the ports are not open from Firewall end.

    Also, please go through my earlier post and answer the question which I have asked about the DNS configuration.

    1. Each DC / DNS server points to its private IP address as primary DNS server and other remote/local DNS servers as secondary in TCP/IP properties.

    Already done.
    2. Each DC has just one IP address and single network adapter is enabled.

    Already done.
    3. Contact your ISP and get valid DNS IPs from them and add it in to the forwarders, Do not set public DNS server in TCP/IP setting of DC.

    No IP in forwarder.

    4. Once you are done, run «ipconfig /flushdns & ipconfig /registerdns», restart DNS and NETLOGON service each DC.
    Do not put private DNS IP addresses in forwarder list.
    5.Assigning static IP address to DC if IP address is assigned by DHCP server to DC.It is strongly not recommended.

    Already done.


    Subs

    • Edited by
      VLCC
      Monday, January 16, 2012 7:28 AM
  • Below is the detail error.

    I query the same for local host, but it is throwing the same error, if the error is same for the localhost also then the firewall is not the culprit.

    detail error is below

    Attempting to resolve IP address to a name…

    IP address resolved to Dc1

    querying…

    TCP port 53 (domain service): LISTENING

    UDP port 53 (domain service): LISTENING or FILTERED

    Sending DNS query to UDP port 53…

    DNS query timed out
    portqry.exe -n 10.10.10.12 -e 53 -p BOTH exits with return code 0x00000002.

    ———————

    TCP port 88 (kerberos service): LISTENING

    UDP port 88 (kerberos service): LISTENING or FILTERED
    portqry.exe -n 10.10.10.12 -e 88 -p BOTH exits with return code 0x00000002.

    ————————

    UDP port 138 (netbios-dgm service): LISTENING or FILTERED
    portqry.exe -n 10.10.10.12 -e 138 -p UDP exits with return code 0x00000002.

    ———————

    querying…

    TCP port 42 (nameserver service): NOT LISTENING
    portqry.exe -n 10.10.10.12 -e 42 -p TCP exits with return code 0x00000001.


    Subs

    • Edited by
      VLCC
      Monday, January 16, 2012 11:49 AM
    • Question

    • Hello.

      I need to remove the leftover data of a child domain whose demotion failed. As I understand it, this happened because some replication did not go through correctly. In short, the server's hard disk was simply formatted.

      At the moment another child domain has been brought up in its place, with the subdomain name changed slightly.

      I am following the article "Removing data from Active Directory after an unsuccessful domain controller demotion".

      All servers are 2008 (not R2).

      For example, that article has a step, "Method one": on which server should the ntdsutil commands be run? In the root AD?

      • Moved

        April 22, 2012 4:27 PM
        move (From:Windows Server 2008)

    Answers

    • You made a mistake in the syntax:

      C:\Windows\system32>ntdsutil
      ntdsutil: metadata cleanup
      metadata cleanup: connections
      server connections: connect to server srv003
      Binding to srv003 …
      Connected to srv003 using credentials of locally logged on user.
      server connections: quit
      metadata cleanup: select operation target
      select operation target: list domains

      and so on...

      After you finish the cleanup in NTDSUTIL, wait for replication. If necessary, clean the leftovers out of DNS as well, and check in the snap-ins whether everything was removed. As an option, you can then use the ADSIEdit utility and clean out everything unneeded by hand. (In my case, data about the DHCP and DNS servers on that Domain Controller sometimes remained.)


      If the post was informative, mark it as the correct answer. That way the answer to the question is visible right away :-)

      • Marked as answer by
        deadmaus
        March 23, 2010 11:02 AM

    • Question

    • Hi all, I have two AD Sites. All except one Servers are Windows Server 2008 R2.

      Everything worked fine, but I have two weeks to replication errors between the two Sites. Users created at one of the sites is not replicated to the other.

      I see the following events in the DCs:

      Event id 1864 Microsoft-Windows-ActiveDirectory_DomainService
      Event id 2093 Microsoft-Windows-ActiveDirectory_DomainService
      Event id 1925 ActiveDirectory_DomainService

      When I run repadmin / showpl

      Active Directory Replication with state DsBindWithCred Error.Error of 1722 (0x6ba): The RPC server is unavailable.

      I tried communicating with PortQuery tool, and everything seems to be correct.

      The DCs that are in the same Site, are replicated correctly.

      I CAN NOT BE HAPPENING, Can you help?

      thank you very much


      Microsoft Certified IT Professional Server Administrator

    Answers

    • Hi all, after opening dynamic ports, replication works correctly.

      Thank you very much to all for your support.


      Microsoft Certified IT Professional Server Administrator

      • Marked as answer by

        Tuesday, July 30, 2013 6:43 AM

    Applies to: Exchange Server 2010 Service Pack 3, Exchange Server 2010 Enterprise, Exchange Server 2010 Standard

    Symptoms

    Consider the following scenario:

    • You use a MAPI or Collaborative Data Objects (CDO)-based application to log on to a mailbox in a Microsoft Exchange Server 2010 environment.

    • Your user account is the last logon object on the remote procedure call (RPC) connection.

    • The application does not send a remote operation (ROP) request for more than 2 minutes.

    • The application tries to log you off from the mailbox.

    In this scenario, the Microsoft Exchange RPC Client Access service throws a ServerUnavailableException exception. Additionally, the RPC_S_SERVER_UNAVAILABLE (0x6BA) error code is returned in the application.

    Resolution

    To resolve this issue, install the following update rollup:

    2803727 Description of Update Rollup 1 for Exchange Server 2010 Service Pack 3

    Status

    Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the «Applies to» section.


    Updated 04.01.2023

    Error 1722. The RPC server is unavailable

    Good day, dear readers and subscribers. Last time we fixed a problem in Active Directory, namely error 14550 DfsSvc and netlogon 5781 on a domain controller. Today the saga continues: we got rid of those errors, but new ones arrived: "Error 1722. The RPC server is unavailable" and "There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems." Let's work out what is going on.

    Fixing error 1722: the RPC server is unavailable

    For network problems with replication and their solutions, see the link above about error 14550. As a reminder, I have two domains, a parent and a child. The child domain has 3 Active Directory domain controllers. After one domain controller was moved out of one site, errors began to appear towards all the others: "1722. The RPC server is unavailable" and the warning about events within the last 24 hours after the SYSVOL was shared.

    I found them while diagnosing replication between the domain controllers, using the command:

    This command shows all replication errors in the enterprise. Here is what the error looks like:

    There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.

    First of all, to check that replication is healthy, make sure that the SYSVOL and NETLOGON folders are readable over the UNC path \\<your domain>.

    If they are not accessible, check the permissions on the folders and check that the RPC service ports TCP/UDP 135 are reachable. They may be closed on the firewall; for the duration of testing it is best to turn it off altogether.

    PS C:\Users> Test-NetConnection dc07 -Port 135

    ComputerName : dc07
    RemoteAddress : 10.91.101.17
    RemotePort : 135
    InterfaceAlias : Ethernet0
    SourceAddress : 10.91.101.7
    TcpTestSucceeded : True

    If everything is fine, move on. Now let's check when the domain controllers last replicated; this is done with the command:

    As a result I found that dc7 and dc13 had error 1722, the RPC server is unavailable. I checked ports 135 and they were listening. For anyone who does not know how to check, the telnet command will help.

    Next, look in the Windows logs 📃 at the "Active Directory Web Services", "ActiveDirectory_DomainService" and "DFS Replication" journals; you may find additional details there. For example, I had this error:

    ID 5008: The DFS Replication service failed to communicate with partner DC1 for replication group Domain System Volume. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.

    Partner DNS Address: DC1.pyatilistnik.org

    Optional data if available:
    Partner WINS Address: DC1
    Partner IP Address: 192.168.1.26

    The service will retry the connection periodically.

    Additional Information:
    Error: 1722 (The RPC server is unavailable.)
    Connection ID: 9BBE21A2-46E3-4444-9D40-2967F4BA3400
    Replication Group ID: E9198376-3944-4218-89BE-D4EC89CA73E8

    As a result, this controller was being resolved to its old IP address. To fix this, clear the local cache on the controller where the error appeared.

    Once name resolution is working properly, you will see the event:

    ID 5004: The DFS Replication service successfully established an inbound connection with partner DC1 for replication group Domain System Volume.

    Additional Information:
    Connection Address Used: DC1
    Connection ID: 9BBE21A2-46E3-4C74-4444-2967F4BA3400
    Replication Group ID: E9198376-39FD-4444-89BE-D4EC89CA73E8

    The next step is 🛠 checking the DNS servers in the TCP/IP stack settings. If you have more than one domain controller, the first DNS server in the network interface settings should be the DNS of another domain controller, then either the current server's own address or the loopback IP, and only then any others you need.

    So the correct order of DNS servers accounts for 90 percent of cases.

    Now, running repadmin /replsummary again, I saw that all replication had completed successfully. I also advise starting AD replication manually and checking for errors, and making sure that dcdiag /a /q reports no errors. If you have an extensive AD site topology, also wait out the replication interval between the sites.

    Sometimes another error is layered on top of event 1722:

    Update 07.08.2022

    I also noticed something interesting: if the errors have stopped appearing in the logs but repadmin still shows the error, look at the number of failed attempts. If everything is fine, the counter will start to decrease, though still shown together with the error. Once the number of errors drops below two, the error goes away.

    Checking DNS in a forest with multiple domains

    Another thing to pay attention to: if, like mine, your forest consists of a main root domain and several child domains, be sure to verify that everything is registered correctly in DNS. As an example, when trying to run the forced replication command:

    I periodically got the error:

    SyncAll reported the following errors:
    Error contacting server CN=NTDS Settings,CN=DC1,CN=Servers,CN=Holding,CN=Sites,CN=Configuration,DC=Pyatilistnik,DC=org (network error): 1722 (0x6ba):
    The RPC server is unavailable.

    Replication itself was flowing without problems, judging by repadmin /replsummary, but dcdiag /a /q showed errors: this domain controller was being identified by its old IP address, which I had changed when migrating the virtual machine to a new address space.

    ……………………. DC1 failed test Connectivity
    Although the Guid DNS name
    (d06896a3-be4b-4b8a-b75f-e52e07526a0f._msdcs.Pyatilistnik.org) resolved to
    the IP address (192.168.11.1), which could not be pinged, the server
    name (DC2.Pyatilistnik.org) resolved to the IP address
    (10.97.11.10) and could be pinged. Check that the IP address is
    registered correctly with the DNS server.
    Got error while checking LDAP and RPC connectivity. Please check your
    firewall settings.

    Be sure to use nslookup to check that your domain controllers resolve to the correct IP and that the IP resolves to the correct DNS name. Then open the "DNS Manager" snap-in and find the primary zone. Expand it to show all containers. In a multi-domain environment you will see that the root primary zone also contains containers for the child domains, in which you will see the list of your DNS servers and domain controllers. Here you may find:

    • ⛔️ An incomplete list of the current DNS servers
    • ⛔️ A list of DNS servers whose names resolve to the wrong IP addresses

    In my case dc6 definitely no longer existed, so it had to be deleted.

    Next, click any DNS server in the list. A properties window opens showing which IP addresses the names resolve to; in mine, dc1 and dc2 appeared with old names. That is why the "(network error): 1722 (0x6ba)" error was intermittent. When the request to resolve the controller's IP address went to the correct server with a valid IP, everything was fine, but as soon as it reached the wrong record, the error occurred.

    Now go on to edit the incorrect record and try to resolve it. If that works, you will get the current IP address; if it does not, look at the reverse zone or set the value manually.

    And that already takes more effort. That is how simply error 1722, the RPC server is unavailable, is solved on a domain controller running Windows Server 2012 R2. If you have anything to add to the article, please write it in the comments.
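
    The check described in this section (every DNS server must hand out the same, current address for each domain controller, both for its host name and for its GUID-based name under _msdcs) can be scripted. The following is an added example, not code from the original article: the function names Resolve-Ipv4 and Get-DcDnsConsistency are hypothetical, the DNS server addresses in the usage comment are placeholders, and it assumes the ActiveDirectory (RSAT) and DnsClient modules are installed.

```powershell
#Requires -Modules ActiveDirectory, DnsClient
# Added example, not from the original article. Function names are hypothetical.

function Resolve-Ipv4 {
    param([string]$Name, [string]$Server)
    # Ask the named DNS server directly and skip the hosts file, LLMNR and NetBIOS,
    # so the answer reflects what is stored in the zone on that server.
    $answer = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue
    @($answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress } | Sort-Object -Unique)
}

function Get-DcDnsConsistency {
    [CmdletBinding()]
    param(
        # DNS servers to interrogate one by one (every server that hosts the AD zones).
        [Parameter(Mandatory)][string[]]$DnsServer
    )

    $forest = Get-ADForest
    # All domain controllers of the root domain and of every child domain.
    $dcs = foreach ($domain in $forest.Domains) { Get-ADDomainController -Filter * -Server $domain }

    $rpcCache = @{}   # IP address -> result of the TCP 135 probe, so each address is probed once
    $rows = foreach ($dc in $dcs) {
        # Replication partners find a DC through <NTDS Settings objectGUID>._msdcs.<forest root>,
        # the "Guid DNS name" that dcdiag prints in its Connectivity test.
        $dsaGuid  = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
        $guidName = '{0}._msdcs.{1}' -f $dsaGuid, $forest.RootDomain

        foreach ($server in $DnsServer) {
            $hostIps = @(Resolve-Ipv4 -Name $dc.HostName -Server $server)
            $guidIps = @(Resolve-Ipv4 -Name $guidName -Server $server)

            $status = if ($hostIps.Count -eq 0 -or $guidIps.Count -eq 0) { 'MissingRecord' } elseif (Compare-Object $hostIps $guidIps) { 'Mismatch' } else { 'Consistent' }

            # Probe the RPC endpoint mapper on every address DNS handed out, stale ones included.
            $rpc = foreach ($ip in ($hostIps + $guidIps | Sort-Object -Unique)) {
                if (-not $rpcCache.ContainsKey($ip)) {
                    $rpcCache[$ip] = Test-NetConnection -ComputerName $ip -Port 135 -InformationLevel Quiet -WarningAction SilentlyContinue
                }
                '{0}={1}' -f $ip, $rpcCache[$ip]
            }

            [pscustomobject]@{
                DomainController = $dc.HostName
                DnsServer        = $server
                HostRecord       = $hostIps -join ','
                GuidRecord       = $guidIps -join ','
                Status           = $status
                Rpc135           = $rpc -join ' '
            }
        }
    }

    # A DC that gets different answers from different DNS servers is what makes 1722 intermittent:
    # the error only shows up when the lookup lands on the server holding the stale record.
    foreach ($group in ($rows | Group-Object DomainController)) {
        $answers = @($group.Group | ForEach-Object { "$($_.HostRecord)|$($_.GuidRecord)" } | Sort-Object -Unique)
        $group.Group | Add-Member -NotePropertyName ServersAgree -NotePropertyValue ($answers.Count -eq 1) -PassThru
    }
}

# Usage (192.0.2.10 and 192.0.2.11 are placeholder DNS server addresses):
# Get-DcDnsConsistency -DnsServer 192.0.2.10, 192.0.2.11 |
#     Where-Object { $_.Status -ne 'Consistent' -or -not $_.ServersAgree } |
#     Format-Table -AutoSize
```

    Rows with Status other than Consistent, or with ServersAgree set to False, point at the records to correct in the DNS console.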
