Re: Big trouble with DC in China
- From: "Ace Fekay [MVP]" <PleaseSubstituteMyActualFirstName&LastNameHere@xxxxxxxxxxx>
- Date: Thu, 10 Nov 2005 23:21:34 -0500
In news:44B256F5-4FE3-4F36-8AEF-81B9237479B8@xxxxxxxxxxxxx,
max98037 <max98037@xxxxxxxxxxxxxxxxxxxxxxxxx> made this post, which I then
commented about below:
> Please help! Great wisdom is in need
>
> We have a branch office in China - which is connected by a
> firewall-to-firewall IPSec VPN. Our connection is not at all without
> packet loss, by the way.
>
> We have 2 other DCs in the states that support our main offices.
>
> I just added a new DC/DNS/WINS server to support our branch office in
> China. I have added a site with the subnet and configured links.
> Since then, this server has so many errors in the event logs (KCC,
> DNS, FRS) that I wouldn't know where to start. But I'll list a few
> anyway:
>
> --------------------------------------------------------------------------------------
> Event Type: Warning
> Event Source: NTDS KCC
> Event Category: Knowledge Consistency Checker
> Event ID: 1925
> Date: 11/10/2005
> Time: 4:20:17 PM
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: PORTLAND
> Description:
> The attempt to establish a replication link for the following writable
> directory partition failed.
>
> Directory partition:
> CN=Configuration,DC=company,DC=com
> Source domain controller:
> CN=NTDS
> Settings,CN=CHINA,CN=Servers,CN=China,CN=Sites,CN=Configuration,DC=company,DC=com
> Source domain controller address:
> 22da5d1e-8271-4fcf-acb3-04d870397976._msdcs.dolan.corp
> Intersite transport (if any):
> CN=IP,CN=Inter-Site
> Transports,CN=Sites,CN=Configuration,DC=company,DC=com
>
> This domain controller will be unable to replicate with the source
> domain controller until this problem is corrected.
>
> User Action
> Verify if the source domain controller is accessible or network
> connectivity is available.
>
> Additional Data
> Error value:
> 1727 The remote procedure call failed and did not execute.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> ---------------------------------------------------------------------------
> Event Type: Warning
> Event Source: NTDS KCC
> Event Category: Knowledge Consistency Checker
> Event ID: 1925
> Date: 11/10/2005
> Time: 4:13:56 PM
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: PORTLAND
> Description:
> The attempt to establish a replication link for the following writable
> directory partition failed.
>
> Directory partition:
> CN=Schema,CN=Configuration,DC=company,DC=com
> Source domain controller:
> CN=NTDS
> Settings,CN=CHINA,CN=Servers,CN=China,CN=Sites,CN=Configuration,DC=company,DC=com
> Source domain controller address:
> 22da5d1e-8271-4fcf-acb3-04d870397976._msdcs.dolan.corp
> Intersite transport (if any):
> CN=IP,CN=Inter-Site
> Transports,CN=Sites,CN=Configuration,DC=company,DC=com
>
> This domain controller will be unable to replicate with the source
> domain controller until this problem is corrected.
>
> User Action
> Verify if the source domain controller is accessible or network
> connectivity is available.
>
> Additional Data
> Error value:
> 1727 The remote procedure call failed and did not execute.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> -------------------------------------------------------------------------------------
> Event Type: Warning
> Event Source: DNS
> Event Category: None
> Event ID: 4510
> Date: 11/9/2005
> Time: 9:35:13 PM
> User: N/A
> Computer: CHINA
> Description:
> The DNS server was unable to connect to the domain naming FSMO
> PORTLAND.company.com. No modifications to Directory Partitions are
> possible until the FSMO server is available for LDAP connections. The
> event data contains the error code.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: af 20 00 00 ¯ ..
> Event Type: Warning
> Event Source: DNS
> Event Category: None
> Event ID: 4510
> Date: 11/9/2005
> Time: 9:35:13 PM
> User: N/A
> Computer: CHINA
> Description:
> The DNS server was unable to connect to the domain naming FSMO
> PORTLAND.company.com. No modifications to Directory Partitions are
> possible until the FSMO server is available for LDAP connections. The
> event data contains the error code.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: af 20 00 00 ¯ ..
> ----------------------------------------------------------------------
> Event Type: Error
> Event Source: DNS
> Event Category: None
> Event ID: 4016
> Date: 11/9/2005
> Time: 9:35:13 PM
> User: N/A
> Computer: CHINA
> Description:
> The DNS server timed out attempting an Active Directory service
> operation on ---. Check Active Directory to see that it is
> functioning properly. The event data contains the error.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 55 00 00 00 U...
> --------------------------------------------------------------------------------------
>
> These errors look so grim that I am afraid to join our workstations
> over there to the domain. Could this be due to our unreliable link
> and if so is there nothing we can do to make this work? Please tell
> me it is possible I could have misconfigured something along the way.
> This is my first time preparing a DC overseas.
To add to smpclient@xxxxxxxxx's questions, the possibilities as to why this
is occurring are numerous, from hardware, configuration info, DNS IP
properties misconfig (not using ONLY your internal DNS servers meaning if
you are using an ISP's DNS server, this can cause MAJOR issues across the
board).
Are you aware of any MTU alterations in the VPN devices? MTUs lower than
1500 can cause these errors. Are there firewalls between the sites? ADSL
line?
How is your DNS infrastructure configured? Are the zones AD Integrated or
are they Primary/Secondaries?
Check out this site:
http://www.eventid.net/display.asp?eventid=1925&eventno=2447&source=NTDS%20KCC&phase=1
Also, do the SRV records exist? Does the _msdcs record for the forest root,
and any other domains exist? Does this record exist?
22da5d1e-8271-4fcf-acb3-04d870397976._msdcs.dolan.corp
If so, is the IP pingable?
If pingable, try a dsquery test against the other server, or all servers
(using *):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/46ba1426-43fd-4985-b429-cd53d3046f01.mspx
Lastly, what was changed, if anything, prior to this occurring? Changes could
be anything from a service pack, hotfix, router firmware or software
upgrade, etc.
There was one hotfix update a few weeks ago that caused problems on machines
that admins had altered the default C:\ drive permissions.
Systems that have changed the default Access Control List permissions on the
%windir%\registration directory may experience various problems after you
install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC
http://support.microsoft.com/kb/909444
Run a dcdiag /v /fix on your servers and post the results please. Try not to
edit the domain names and server names please, otherwise it makes it a
little more difficult to read and translate. Can you also post an ipconfig
/all from your servers please? Same thing goes with the editing please.
I had a client about a year ago with major issues with replication. After 2
days meddling with it and not getting it to work, he finally mentioned that
a firmware upgrade was made on his Sonic Wall. I looked at the Sonic Wall
config, and the MTU was dropped to 1492 and wouldn't let me set it to 1500.
I asked him to put the original firmware back on it, and replication all of
a sudden took off. I suggested for him to keep the old firmware until he
finds out why the restrictions on the MTU settings from Sonic Wall.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
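The record, ping and MTU checks suggested in the reply above, as an added PowerShell example that is not part of the original post or thread. It assumes a current Windows host with the DnsClient module (`Resolve-DnsName`) and that ICMP is permitted across the VPN; `Test-DfPing` is a hypothetical helper name.

```powershell
# Added example. Run on the DC that logs Event ID 1925 (PORTLAND in the post).
# $DsaName is the source DC address quoted in the event text.
$DsaName = '22da5d1e-8271-4fcf-acb3-04d870397976._msdcs.dolan.corp'

# Step 1: does the record exist, and which address does it lead to?
$answers = Resolve-DnsName -Name $DsaName -ErrorAction SilentlyContinue
$target  = $answers | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
if (-not $target) {
    Write-Warning "$DsaName did not resolve to an A record. Fix DNS first."
    return
}
$ip = $target.IPAddress
"Resolved $DsaName to $ip"

# Step 2: send an ICMP echo with Don't Fragment set. Each size is tried a few
# times so that ordinary packet loss is not mistaken for an MTU limit.
function Test-DfPing {   # hypothetical helper name
    param([string]$Address, [int]$PayloadSize, [int]$Tries = 3)
    $ping    = New-Object System.Net.NetworkInformation.Ping
    $options = New-Object System.Net.NetworkInformation.PingOptions(64, $true) # TTL 64, DF on
    $buffer  = New-Object byte[] $PayloadSize
    try {
        for ($i = 0; $i -lt $Tries; $i++) {
            try {
                $reply = $ping.Send($Address, 2000, $buffer, $options)
                if ($reply.Status -eq 'Success') { return $true }
            } catch { }   # a PingException counts as a failed try
        }
        return $false
    } finally { $ping.Dispose() }
}

if (-not (Test-DfPing $ip 32)) {
    Write-Warning "$ip does not answer a small ping; this is not (only) an MTU problem."
    return
}

# Step 3: binary search for the largest payload that passes unfragmented.
# 1472 bytes of payload + 20 (IPv4 header) + 8 (ICMP header) = 1500.
$low = 32; $high = 1472
while ($low -lt $high) {
    $mid = [int][math]::Ceiling(($low + $high) / 2)
    if (Test-DfPing $ip $mid) { $low = $mid } else { $high = $mid - 1 }
}
"Largest unfragmented ICMP payload: $low bytes (path MTU about $($low + 28))"
```

A result below 1472 means the tunnel path carries less than a 1500-byte MTU, which is the condition the reply associates with these replication errors.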