- Remove From My Forums
-
Question
-
Dear all,
Im exeprence replication errors bettwen site to site replication.
Error:
Repadmin can’t connect to a «home server», because of the following error. Try
specifying a different
home server with /homeserver:[dns name]
Error: An LDAP lookup operation failed with the following error:LDAP Error 81(0x51): Server Down
Server Win32 Error 0(0x0):
Extended Information:This error occurs if I’m connected by the main WAN line (satilite), but if I change to backup line wokrs fine.
I was in the way to troubleshooting this issue with Netowrk TEAM, and they ask me wich ports are use when replication occurs so they can troubleshoot it.
I will kindly ask your help and add on this issue and also if you could provide details about all ports and flow of the replication.
Thanks in advance
Answers
-
Hi,
You need to check couple of the options to fix this issue.
1. Check DNS settings on NIC (preferred should be itself if it holds DNS role)
2. Repadmin /replsum at elivated command prompt. If you notice any errors work on that.
3. Add Antivirus exceptions for SYSVOL, NTDS folders
4. Restart Netlogon, DNS and ipconfig /flushdns & ipconfig /registerdns
5. If none of the above options doesn’t work, provide us ipconfig /all and DCDiag /v logs for better understanding about the issue.
-
Edited by
Saturday, December 1, 2012 3:06 PM
-
Marked as answer by
Yan Li_
Thursday, December 6, 2012 2:23 AM
-
Edited by
-
-
Marked as answer by
Yan Li_
Thursday, December 6, 2012 2:23 AM
-
Marked as answer by
-
-
Marked as answer by
Yan Li_
Thursday, December 6, 2012 2:23 AM
-
Marked as answer by
-
You have to start that the traffic on your main WAN connection is not filtered. Active Directory ports used for AD replication should be opened in both directions:
http://technet.microsoft.com/en-us/library/bb727063.aspxYou can use PortQryUI to check the filtering.
Of course, you should also check that the routing is correctly set for this connection. This can be checked using ping requests / responses (I suppose that ICMP traffic is not blocked).
Note also that AD replication behind a NAT device is not supported. That is why you will need to check if one of the routers used or the main WAN connection is using NAT. If it is the case, you will need to disable it (In your case, with a dedicated site
to site connection, NAT should not be required).Of course, dcdiag and repadmin commands should provide you with more details about the issue.
This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.
-
Edited by
Mr XMVP
Sunday, December 2, 2012 3:19 PM -
Marked as answer by
Yan Li_
Thursday, December 6, 2012 2:23 AM
-
Edited by
-
-
Marked as answer by
Yan Li_
Thursday, December 6, 2012 2:23 AM
-
Marked as answer by
-
-
Marked as answer by
Yan Li_
Thursday, December 6, 2012 2:24 AM
-
Marked as answer by
При неудачном подключении к LDAPs определить причину проблемы со стороны клиента крайне затруднительно по причине «информативности» вывода:
ld = ldap_sslinit("DC.domain", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to DC.domain.
Имея доступ к журналу событий System (Event viewer) на контроллере домена можно определить причину (коих может быть великое множество).
В данной заметке раскажу про часто встречающуюся проблему после конфигурации LDAPS, а именно ошибку аутентификации в Secure Channel (Schannel)
Log Name: System Source: Schannel Date: 21.01.2016 12:28:12 Event ID: 36874 Task Category: None Level: Error Keywords: User: SYSTEM Computer: DC.domain Description: An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
Проблема заключается в том, что по умолчанию TLS 1.2 отключен на стороне сервера.
Конкретно в Вашем случае отключено может быть что угодно (SSL…,TLS….).
Соединение не удается и следом за Event ID: 36874 следует:
Log Name: System Source: Schannel Date: 21.01.2016 12:28:12 Event ID: 36888 Task Category: None Level: Error Keywords: User: SYSTEM Computer: DC.domain Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.
Решение
Решением является включение TLS 1.2.
Оперативно это можно выполнить через правку реестра путем создания ключа TLS 1.2ClientDisabledByDefault в ветке реестра HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2ClientDisabledByDefault
Значение ключа DisabledByDefault должно быть выключено (1). 
В случае проблем не с TLS 1.2 действия аналогичны. Более подробно параметры реестра для SCHANNEL можно посмотреть здесь.
- Remove From My Forums
-
Question
-
Dear all,
Im exeprence replication errors bettwen site to site replication.
Error:
Repadmin can’t connect to a «home server», because of the following error. Try
specifying a different
home server with /homeserver:[dns name]
Error: An LDAP lookup operation failed with the following error:LDAP Error 81(0x51): Server Down
Server Win32 Error 0(0x0):
Extended Information:This error occurs if I’m connected by the main WAN line (satilite), but if I change to backup line wokrs fine.
I was in the way to troubleshooting this issue with Netowrk TEAM, and they ask me wich ports are use when replication occurs so they can troubleshoot it.
I will kindly ask your help and add on this issue and also if you could provide details about all ports and flow of the replication.
Thanks in advance
Answers
-
Hi,
You need to check couple of the options to fix this issue.
1. Check DNS settings on NIC (preferred should be itself if it holds DNS role)
2. Repadmin /replsum at elivated command prompt. If you notice any errors work on that.
3. Add Antivirus exceptions for SYSVOL, NTDS folders
4. Restart Netlogon, DNS and ipconfig /flushdns & ipconfig /registerdns
5. If none of the above options doesn’t work, provide us ipconfig /all and DCDiag /v logs for better understanding about the issue.
-
Edited by
Saturday, December 1, 2012 3:06 PM
-
Marked as answer by
Yan Li_
Thursday, December 6, 2012 2:23 AM
-
Edited by
-
-
Marked as answer by
Yan Li_
Thursday, December 6, 2012 2:23 AM
-
Marked as answer by
-
-
Marked as answer by
Yan Li_
Thursday, December 6, 2012 2:23 AM
-
Marked as answer by
-
You have to start that the traffic on your main WAN connection is not filtered. Active Directory ports used for AD replication should be opened in both directions:
http://technet.microsoft.com/en-us/library/bb727063.aspxYou can use PortQryUI to check the filtering.
Of course, you should also check that the routing is correctly set for this connection. This can be checked using ping requests / responses (I suppose that ICMP traffic is not blocked).
Note also that AD replication behind a NAT device is not supported. That is why you will need to check if one of the routers used or the main WAN connection is using NAT. If it is the case, you will need to disable it (In your case, with a dedicated site
to site connection, NAT should not be required).Of course, dcdiag and repadmin commands should provide you with more details about the issue.
This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.
-
Edited by
Mr XMVP
Sunday, December 2, 2012 3:19 PM -
Marked as answer by
Yan Li_
Thursday, December 6, 2012 2:23 AM
-
Edited by
-
-
Marked as answer by
Yan Li_
Thursday, December 6, 2012 2:23 AM
-
Marked as answer by
-
-
Marked as answer by
Yan Li_
Thursday, December 6, 2012 2:24 AM
-
Marked as answer by
Recently I run into the problem where Exchange return with the error:
“An Active Directory error 0x51 occured when trying to check the suitability of Server…”
Weird thing this happened not for all commands. It was somehow randomly, but this caused several issues:
- prompt for credential (which was the most ugly side effect!)
- errors in scripts
- CmdLets didn’t return all values
- …..
When I first saw this error I had a déjà-vu. Last year I had a very long running case with Microsoft, where I had the very similar errors. But back in time Exchange 2010 on Windows Server 2008 R2 was affected. After several Gigabyte of network and LDAP traces it turned out to be an ICMP issue on the OS level:
The LDAP check is using ICMP to evaluate whether the server is up or down. And there was a bug in the ICMP stack, which result in an 0x51 LDAP error even the server was up and healthy. Read this KB for more information.
But now I started seeing this for Exchange 2013 CU10 on Windows Server 2012 R2.
How bad is it?
First I needed to know if this happens on a few server or on all. Therefore I needed to crawl the event logs across all Exchange servers for the EventID 2070. To speed things up I wrote the following function:
function Collect-Events (){
param(
[Parameter(ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$true,Position=0)]
[Alias('fqdn')]
[string] $computername = $env:computername,
[parameter( Mandatory=$false, ValueFromPipelineByPropertyName=$false,Position=1)]
[string]$EventID = '2070',
[parameter( Mandatory=$false, ValueFromPipelineByPropertyName=$false,Position=2)]
[string]$Eventlog = 'Application',
[parameter( Mandatory = $false, ValueFromPipelineByPropertyName=$false,Position=3)]
[DateTime]$StartTime = $((Get-Date).AddHours(-12)),
[parameter( Mandatory=$false, ValueFromPipelineByPropertyName=$false,Position=4)]
[ValidateSet("Critical","Error","Warning","Information","Verbose")]
[string]$Severity
)
process
{
Write-Host "Processing $Computername....."
If ($Severity) {
switch ($Severity) {
"Critical" {$level = 1}
"Error" {$level = 2}
"Warning" {$level = 3}
"Information" {$level = 4}
"Verbose" {$level = 5}
}
Get-WinEvent -ComputerName $Computername -FilterHashtable @{logname=$Eventlog;id=$EventID;StartTime=$StartTime;Level=$level} -ErrorAction SilentlyContinue
}
Else {
Get-WinEvent -ComputerName $Computername -FilterHashtable @{logname=$Eventlog;id=$EventID;StartTime=$StartTime} -ErrorAction SilentlyContinue
}
}
}
This function has already the correct Event Log(Application) and EventID(2070) predefined. Now you can easily search across your Exchange servers. The following example search for EventID 2070 within the last 2 hours:
$2070 = Get-ExchangeServer | Collect-Events -StartTime (Get-Date).addhours(-2)
It turned out to be a general issue and not only on a few servers. Feel free to use this function to search for different events.
Root cause
After turning on logging for MSExchange ADAccess I could see the servers were heavily using Out-of-Site DC’s and GC’s. Shortly I’ve found the following KB, which explained a lot:
https://support.microsoft.com/kb/3088777
Before you start panic: This is only an issue in larger environments with multiple AD sites! Smaller ones shouldn’t be affected. Just to get an idea: In my case we have over 280 AD sites across the globe and not always the needed network bandwidth and latency, which is in general okay as in our scenario Exchange shouldn’t contact the most of them.
How to fix?
To fix this issue and change the behavior you just have to follow the KB article and edit the file Microsoft.Exchange.Directory.TopologyService.exe.config, and restart the service MSExchangeADTopology.
I have to admin just to restart this service sounds easy, but in the end you have to reboot the server. Not always all depending services could be gracefully restarted with MSExchangeADTopology service.
Conclusion
This change was made in CU6. From Microsoft perspective I understand why the change was made. Cloudwise it makes sense, but for larger on-premise installations this could really cause issue.
I hope this helps someone!