Re: Big trouble with DC in China
- From: "Andrei Ungureanu" <AndreiUngureanu@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 11 Nov 2005 02:11:03 -0800
Also, I have 2 comments:
1. Please check if RPC traffic is allowed on your VPN links.
2. If you are using ISA2004 please install ISA SP1.
Andrei Ungureanu
www.eventid.net
"Ace Fekay [MVP]" wrote:
> In news:44B256F5-4FE3-4F36-8AEF-81B9237479B8@xxxxxxxxxxxxx,
> max98037 <max98037@xxxxxxxxxxxxxxxxxxxxxxxxx> made this post, which I then
> commented about below:
> > Please help! Great wisdom is in need
> >
> > We have a branch office in China - which is connected by a
> > firewall-to-firewall IPSec VPN. Our connection is not at all without
> > packet loss, by the way.
> >
> > We have 2 other DCs in the states that support our main offices.
> >
> > I just added a new DC/DNS/WINS server to support our branch office in
> > China. I have added a site with the subnet and configured links.
> > Since then, this server has so many errors in the event logs (KCC,
> > DNS, FRS) that I wouldn't know where to start. But I'll list a few
> > anyway:
> >
> > --------------------------------------------------------------------------------------
> > Event Type: Warning
> > Event Source: NTDS KCC
> > Event Category: Knowledge Consistency Checker
> > Event ID: 1925
> > Date: 11/10/2005
> > Time: 4:20:17 PM
> > User: NT AUTHORITY\ANONYMOUS LOGON
> > Computer: PORTLAND
> > Description:
> > The attempt to establish a replication link for the following writable
> > directory partition failed.
> >
> > Directory partition:
> > CN=Configuration,DC=company,DC=com
> > Source domain controller:
> > CN=NTDS
> > Settings,CN=CHINA,CN=Servers,CN=China,CN=Sites,CN=Configuration,DC=company,DC=com
> > Source domain controller address:
> > 22da5d1e-8271-4fcf-acb3-04d870397976._msdcs.dolan.corp
> > Intersite transport (if any):
> > CN=IP,CN=Inter-Site
> > Transports,CN=Sites,CN=Configuration,DC=company,DC=com
> >
> > This domain controller will be unable to replicate with the source
> > domain controller until this problem is corrected.
> >
> > User Action
> > Verify if the source domain controller is accessible or network
> > connectivity is available.
> >
> > Additional Data
> > Error value:
> > 1727 The remote procedure call failed and did not execute.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> >
> > ---------------------------------------------------------------------------
> > Event Type: Warning
> > Event Source: NTDS KCC
> > Event Category: Knowledge Consistency Checker
> > Event ID: 1925
> > Date: 11/10/2005
> > Time: 4:13:56 PM
> > User: NT AUTHORITY\ANONYMOUS LOGON
> > Computer: PORTLAND
> > Description:
> > The attempt to establish a replication link for the following writable
> > directory partition failed.
> >
> > Directory partition:
> > CN=Schema,CN=Configuration,DC=company,DC=com
> > Source domain controller:
> > CN=NTDS
> > Settings,CN=CHINA,CN=Servers,CN=China,CN=Sites,CN=Configuration,DC=company,DC=com
> > Source domain controller address:
> > 22da5d1e-8271-4fcf-acb3-04d870397976._msdcs.dolan.corp
> > Intersite transport (if any):
> > CN=IP,CN=Inter-Site
> > Transports,CN=Sites,CN=Configuration,DC=company,DC=com
> >
> > This domain controller will be unable to replicate with the source
> > domain controller until this problem is corrected.
> >
> > User Action
> > Verify if the source domain controller is accessible or network
> > connectivity is available.
> >
> > Additional Data
> > Error value:
> > 1727 The remote procedure call failed and did not execute.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> > -------------------------------------------------------------------------------------
> > Event Type: Warning
> > Event Source: DNS
> > Event Category: None
> > Event ID: 4510
> > Date: 11/9/2005
> > Time: 9:35:13 PM
> > User: N/A
> > Computer: CHINA
> > Description:
> > The DNS server was unable to connect to the domain naming FSMO
> > PORTLAND.company.com. No modifications to Directory Partitions are
> > possible until the FSMO server is available for LDAP connections. The
> > event data contains the error code.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> > Data:
> > 0000: af 20 00 00 ¯ ..
> > Event Type: Warning
> > Event Source: DNS
> > Event Category: None
> > Event ID: 4510
> > Date: 11/9/2005
> > Time: 9:35:13 PM
> > User: N/A
> > Computer: CHINA
> > Description:
> > The DNS server was unable to connect to the domain naming FSMO
> > PORTLAND.company.com. No modifications to Directory Partitions are
> > possible until the FSMO server is available for LDAP connections. The
> > event data contains the error code.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> > Data:
> > 0000: af 20 00 00 ¯ ..
> > ----------------------------------------------------------------------
> > Event Type: Error
> > Event Source: DNS
> > Event Category: None
> > Event ID: 4016
> > Date: 11/9/2005
> > Time: 9:35:13 PM
> > User: N/A
> > Computer: CHINA
> > Description:
> > The DNS server timed out attempting an Active Directory service
> > operation on ---. Check Active Directory to see that it is
> > functioning properly. The event data contains the error.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> > Data:
> > 0000: 55 00 00 00 U...
> > --------------------------------------------------------------------------------------
> >
> > These errors look so grim that I am afraid to join our workstations
> > over there to the domain. Could this be due to our unreliable link
> > and if so is there nothing we can do to make this work? Please tell
> > me it is possible I could have misconfigured something along the way.
> > This is my first time preparing a DC overseas.
>
> To add to smpclient@xxxxxxxxx's questions, the possibilities as to why this
> is occurring are numerous, from hardware, configuration info, DNS IP
> properties misconfig (not using ONLY your internal DNS servers meaning if
> you are using an ISP's DNS server, this can cause MAJOR issues across the
> board).
>
> Are you aware of any MTU alterations in the VPN devices? MTUs lower than
> 1500 can cause these errors. Are there firewalls between the sites? ADSL
> line?
>
> How is your DNS infrastructure configured? Are the zones AD Integrated or
> are they Primary/Secondaries?
>
> Check out this site:
> http://www.eventid.net/display.asp?eventid=1925&eventno=2447&source=NTDS%20KCC&phase=1
>
> Also, do the SRV records exist? Does the _msdcs record for the forest root,
> and any other domains exist? Does this record exist?
> 22da5d1e-8271-4fcf-acb3-04d870397976._msdcs.dolan.corp
> If so, is the IP pingable?
>
> If pingable, try a dsquery test against the other server, or all servers
> (using *):
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/46ba1426-43fd-4985-b429-cd53d3046f01.mspx
>
> Lastly, what was changed, if anything, prior to this occurring? Changes could
> be anything from a service pack, hotfix, router firmware or software
> upgrade, etc.
>
> There was one hotfix update a few weeks ago that caused problems on machines
> that admins had altered the default C:\ drive permissions.
>
> Systems that have changed the default Access Control List permissions on the
> %windir%\registration directory may experience various problems after you
> install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC
> http://support.microsoft.com/kb/909444
>
> Run a dcdiag /v /fix on your servers and post the results please. Try not to
> edit the domain names and server names please, otherwise it makes it a
> little more difficult to read and translate. Can you also post an ipconfig
> /all from your servers please? Same thing goes with the editing please.
>
> I had a client about a year ago with major issues with replication. After 2
> days meddling with it and not getting it to work, he finally mentioned that
> a firmware upgrade was made on his Sonic Wall. I looked at the Sonic Wall
> config, and the MTU was dropped to 1492 and wouldn't let me set it to 1500.
> I asked him to put the original firmware back on it, and replication all of
> a sudden took off. I suggested for him to keep the old firmware until he
> finds out why the restrictions on the MTU settings from Sonic Wall.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> If this post is viewed at a non-Microsoft community website, and you were to
> respond to it through that community's website, I may not see your reply
> unless that website posts replies back to the original Microsoft forum.
> Therefore, please direct all replies ONLY to the Microsoft public newsgroup
> this thread originated in so all can benefit or ensure the web community
> posts it back to the original forum.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft MVP - Windows Server Directory Services
> Microsoft Certified Trainer
> Infinite Diversities in Infinite Combinations.
> =================================
>
>
>
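The checks suggested in this thread (RPC allowed over the VPN, the `_msdcs` records resolving, an MTU below 1500) combined into one script, as an added example that is not part of either post. It assumes a current Windows host where `Resolve-DnsName` and `Test-NetConnection` are available (both postdate the thread); the host and record names are the ones quoted in the events, and the SRV name is the standard DC locator record for that domain.

```powershell
# Added example, not from the thread. Names are copied from the quoted events.
$Partner  = 'PORTLAND.company.com'
$DsaCname = '22da5d1e-8271-4fcf-acb3-04d870397976._msdcs.dolan.corp'
$SrvName  = '_ldap._tcp.dc._msdcs.dolan.corp'   # standard DC locator SRV name

# 1. DNS: the DSA GUID alias and the DC locator SRV records must resolve
#    from the internal DNS servers this DC is configured to use.
foreach ($q in @(@{Name = $DsaCname; Type = 'CNAME'}, @{Name = $SrvName; Type = 'SRV'})) {
    $r = Resolve-DnsName -Name $q.Name -Type $q.Type -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq $q.Type }      # ignore SOA-only (no data) answers
    '{0,-5} {1} : {2}' -f $q.Type, $q.Name, $(if ($r) { 'resolves' } else { 'MISSING' })
}

# 2. TCP reachability across the VPN. 135 is only the RPC endpoint mapper;
#    replication then moves to a dynamic RPC port the firewalls must also pass.
foreach ($port in 53, 88, 135, 389, 445) {
    $t = Test-NetConnection -ComputerName $Partner -Port $port -WarningAction SilentlyContinue
    'tcp/{0,-4} : {1}' -f $port, $(if ($t.TcpTestSucceeded) { 'open' } else { 'no connection' })
}

# 3. Path MTU: binary-search the largest ICMP payload that passes with the
#    Don't Fragment bit set. Each size gets 3 probes because the link is lossy.
function Find-PathMtu {
    param([string]$Target, [int]$Low = 1200, [int]$High = 1472)
    $best = 0
    while ($Low -le $High) {
        $mid = [int][math]::Floor(($Low + $High) / 2)
        $out = ping.exe -n 3 -w 2000 -f -l $mid $Target
        if ($out -match 'TTL=') { $best = $mid; $Low = $mid + 1 }   # at least one reply
        else                    { $High = $mid - 1 }
    }
    if ($best -eq 0) { return 0 }
    return $best + 28    # 20-byte IP header + 8-byte ICMP header
}

$mtu = Find-PathMtu -Target $Partner
if ($mtu -eq 0) {
    'path MTU : no DF ping got through (ICMP filtered, or MTU below 1228)'
} elseif ($mtu -lt 1500) {
    "path MTU : $mtu (below 1500; large RPC/Kerberos packets may be dropped)"
} else {
    "path MTU : $mtu"
}
```

Run it on each domain controller against its replication partner, since a VPN or firewall rule can pass traffic in one direction only.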