Re: Big trouble with DC in China
- From: "Spin" <Spin@xxxxxxxx>
- Date: Sat, 12 Nov 2005 01:25:07 -0500
Ace, PLEASE trim your posts. Otherwise we have to scroll a mile long to
find your answer. Which is usually pretty good, btw.
--
Spin
"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@xxxxxxxxxxx> wrote in
message news:%23CUvodn5FHA.1148@xxxxxxxxxxxxxxxxxxxxxxx
> In news:44B256F5-4FE3-4F36-8AEF-81B9237479B8@xxxxxxxxxxxxx,
> max98037 <max98037@xxxxxxxxxxxxxxxxxxxxxxxxx> made this post, which I then
> commented about below:
>> Please help! Great wisdom is in need
>>
>> We have a branch office in China - which is connected by a
>> firewall-to-firewall IPSec VPN. Our connection is not at all without
>> packet loss, by the way.
>>
>> We have 2 other DCs in the states that support our main offices.
>>
>> I just added a new DC/DNS/WINS server to support our branch office in
>> China. I have added a site with the subnet and configured links.
>> Since then, this server has so many errors in the event logs (KCC,
>> DNS, FRS) that I wouldn't know where to start. But I'll list a few
>> anyway:
>>
>> --------------------------------------------------------------------------------------
>> Event Type: Warning
>> Event Source: NTDS KCC
>> Event Category: Knowledge Consistency Checker
>> Event ID: 1925
>> Date: 11/10/2005
>> Time: 4:20:17 PM
>> User: NT AUTHORITY\ANONYMOUS LOGON
>> Computer: PORTLAND
>> Description:
>> The attempt to establish a replication link for the following writable
>> directory partition failed.
>>
>> Directory partition:
>> CN=Configuration,DC=company,DC=com
>> Source domain controller:
>> CN=NTDS
>> Settings,CN=CHINA,CN=Servers,CN=China,CN=Sites,CN=Configuration,DC=company,DC=com
>> Source domain controller address:
>> 22da5d1e-8271-4fcf-acb3-04d870397976._msdcs.dolan.corp
>> Intersite transport (if any):
>> CN=IP,CN=Inter-Site
>> Transports,CN=Sites,CN=Configuration,DC=company,DC=com
>>
>> This domain controller will be unable to replicate with the source
>> domain controller until this problem is corrected.
>>
>> User Action
>> Verify if the source domain controller is accessible or network
>> connectivity is available.
>>
>> Additional Data
>> Error value:
>> 1727 The remote procedure call failed and did not execute.
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>>
>> ---------------------------------------------------------------------------
>> Event Type: Warning
>> Event Source: NTDS KCC
>> Event Category: Knowledge Consistency Checker
>> Event ID: 1925
>> Date: 11/10/2005
>> Time: 4:13:56 PM
>> User: NT AUTHORITY\ANONYMOUS LOGON
>> Computer: PORTLAND
>> Description:
>> The attempt to establish a replication link for the following writable
>> directory partition failed.
>>
>> Directory partition:
>> CN=Schema,CN=Configuration,DC=company,DC=com
>> Source domain controller:
>> CN=NTDS
>> Settings,CN=CHINA,CN=Servers,CN=China,CN=Sites,CN=Configuration,DC=company,DC=com
>> Source domain controller address:
>> 22da5d1e-8271-4fcf-acb3-04d870397976._msdcs.dolan.corp
>> Intersite transport (if any):
>> CN=IP,CN=Inter-Site
>> Transports,CN=Sites,CN=Configuration,DC=company,DC=com
>>
>> This domain controller will be unable to replicate with the source
>> domain controller until this problem is corrected.
>>
>> User Action
>> Verify if the source domain controller is accessible or network
>> connectivity is available.
>>
>> Additional Data
>> Error value:
>> 1727 The remote procedure call failed and did not execute.
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>> -------------------------------------------------------------------------------------
>> Event Type: Warning
>> Event Source: DNS
>> Event Category: None
>> Event ID: 4510
>> Date: 11/9/2005
>> Time: 9:35:13 PM
>> User: N/A
>> Computer: CHINA
>> Description:
>> The DNS server was unable to connect to the domain naming FSMO
>> PORTLAND.company.com. No modifications to Directory Partitions are
>> possible until the FSMO server is available for LDAP connections. The
>> event data contains the error code.
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>> Data:
>> 0000: af 20 00 00 ¯ ..
>> ----------------------------------------------------------------------
>> Event Type: Error
>> Event Source: DNS
>> Event Category: None
>> Event ID: 4016
>> Date: 11/9/2005
>> Time: 9:35:13 PM
>> User: N/A
>> Computer: CHINA
>> Description:
>> The DNS server timed out attempting an Active Directory service
>> operation on ---. Check Active Directory to see that it is
>> functioning properly. The event data contains the error.
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>> Data:
>> 0000: 55 00 00 00 U...
>> --------------------------------------------------------------------------------------
>>
>> These errors look so grim that I am afraid to join our workstations
>> over there to the domain. Could this be due to our unreliable link
>> and if so is there nothing we can do to make this work? Please tell
>> me it is possible I could have misconfigured something along the way.
>> This is my first time preparing a DC overseas.
>
> To add to smpclient@xxxxxxxxx's questions, the possibilities as to why
> this is occurring are numerous, from hardware, configuration info, DNS IP
> properties misconfig (not using ONLY your internal DNS servers meaning if
> you are using an ISP's DNS server, this can cause MAJOR issues across the
> board).
>
> Are you aware of any MTU alterations in the VPN devices? MTUs lower than
> 1500 can cause these errors. Are there firewalls between the sites? ADSL
> line?
>
> How is your DNS infrastructure configured? Are the zones AD Integrated or
> are they Primary/Secondaries?
>
> Check out this site:
> http://www.eventid.net/display.asp?eventid=1925&eventno=2447&source=NTDS%20KCC&phase=1
>
> Also, do the SRV records exist? Does the _msdcs record for the forest root,
> and any other domains exist? Does this record exist?
> 22da5d1e-8271-4fcf-acb3-04d870397976._msdcs.dolan.corp
> If so, is the IP pingable?
>
> If pingable, try a dsquery test against the other server, or all servers
> (using *):
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/46ba1426-43fd-4985-b429-cd53d3046f01.mspx
>
> Lastly, what was changed, if anything, prior to this occurring? Changes
> could be anything from a service pack, hotfix, router firmware or software
> upgrade, etc.
>
> There was one hotfix update a few weeks ago that caused problems on
> machines that admins had altered the default C:\ drive permissions.
>
> Systems that have changed the default Access Control List permissions on
> the
> %windir%\registration directory may experience various problems after you
> install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC
> http://support.microsoft.com/kb/909444
>
> Run a dcdiag /v /fix on your servers and post the results please. Try not
> to edit the domain names and server names please, otherwise it makes it a
> little more difficult to read and translate. Can you also post an ipconfig
> /all from your servers please? Same thing goes with the editing please.
>
> I had a client about a year ago with major issues with replication. After
> 2 days meddling with it and not getting it to work, he finally mentioned
> that a firmware upgrade was made on his Sonic Wall. I looked at the Sonic
> Wall config, and the MTU was dropped to 1492 and wouldn't let me set it to
> 1500. I asked him to put the original firmware back on it, and replication
> all of a sudden took off. I suggested for him to keep the old firmware
> until he finds out why the restrictions on the MTU settings from Sonic
> Wall.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> If this post is viewed at a non-Microsoft community website, and you were
> to respond to it through that community's website, I may not see your
> reply unless that website posts replies back to the original Microsoft
> forum. Therefore, please direct all replies ONLY to the Microsoft public
> newsgroup this thread originated in so all can benefit or ensure the web
> community posts it back to the original forum.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft MVP - Windows Server Directory Services
> Microsoft Certified Trainer
> Infinite Diversities in Infinite Combinations.
> =================================
>
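
The MTU question raised in the quoted reply can be checked from either DC. The following is an added example, not part of any post in this thread: it binary-searches the largest ICMP payload that crosses the VPN with Don't Fragment set, retrying each size because the link is lossy. The function names and the simulated link are constructed for illustration; the live probe assumes the Windows ping flags -f, -l, -n and -w.

```python
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def windows_df_ping(host, payload, attempts=3, timeout_ms=2000):
    """True if any DF-flagged echo of `payload` bytes is answered.

    Several attempts per size, so a packet dropped by a lossy link is
    not mistaken for a size that needs fragmenting.
    """
    cmd = ["ping", "-f", "-l", str(payload), "-n", "1",
           "-w", str(timeout_ms), host]
    for _ in range(attempts):
        out = subprocess.run(cmd, capture_output=True, text=True,
                             errors="replace").stdout
        if "TTL=" in out:  # only a real echo reply carries a TTL field
            return True
    return False


def largest_unfragmented_payload(probe, low=548, high=1472):
    """Largest payload in [low, high] for which probe(payload) is True."""
    if not probe(low):
        return None  # peer unreachable, or ICMP filtered on the path
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def path_mtu(probe):
    payload = largest_unfragmented_payload(probe)
    return None if payload is None else payload + IP_ICMP_OVERHEAD


def simulated_link(mtu):
    """Constructed stand-in for a path: passes packets up to `mtu` bytes."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= mtu


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live run: pass the remote DC's name or IP
        host = sys.argv[1]
        print(host, "path MTU:", path_mtu(lambda p: windows_df_ping(host, p)))
    else:  # offline demo using the 1492 figure from the anecdote above
        print("simulated path MTU:", path_mtu(simulated_link(1492)))
```

A result below 1500 between the two sites points at the VPN devices rather than at Active Directory itself.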