Re: 2008 DC Stops responding to local logins
- From: Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
- Date: Thu, 22 Jan 2009 07:26:21 +0000 (UTC)
Hello forrestsjs,
Was the server installed from an image? I assume it is listed correctly in the DCs OU in ADUC on all DCs in the domain?
Have a look at these articles; it seems that the promotion did not work correctly, which causes the replication problem. https://technet.microsoft.com/en-us/library/cc756638.aspx
http://www.eventid.net/display.asp?eventid=1232&eventno=3527&source=NTDS%20Replication&phase=1
Try resetting the secure channel (nltest is included in 2008):
nltest /sc_change_pwd:yourdomain.com
Then restart the server.
Download PortQryUI and run the tool to make sure the firewall has all ports open.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
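The port check suggested above can also be scripted. The following PowerShell is an added example, not code from this thread, from Meinolf, or from the PortQry tool: it probes the TCP ports a domain controller is expected to answer on and can watch Kerberos/88 so a hang and its recovery are both recorded with a timestamp. The port list is the common DC set, the host name is the problem DC named in this thread, and the timeout and polling interval are assumptions for illustration.

```powershell
# Added example, not from the thread or from PortQry. Host name, port list,
# timeout and interval are assumptions for illustration.

function Test-DcPort {
    # Returns UNRESOLVED (name lookup failed), LISTENING, NOT LISTENING
    # (connection actively refused) or FILTERED/TIMEOUT (no answer within the
    # timeout, typical of a firewall drop or a hung service).
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMs = 2000
    )
    try {
        [void][System.Net.Dns]::GetHostAddresses($ComputerName)
    }
    catch {
        return 'UNRESOLVED'
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'FILTERED/TIMEOUT'
        }
        $client.EndConnect($async)   # throws if the port refused the connection
        return 'LISTENING'
    }
    catch {
        return 'NOT LISTENING'
    }
    finally {
        $client.Close()
    }
}

function Test-DcPorts {
    # TCP ports a DC exposes to clients and replication partners. DNS,
    # Kerberos and LDAP also answer on UDP, which a TCP probe does not cover.
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    $services = @{
        53   = 'DNS'
        88   = 'Kerberos'
        135  = 'RPC endpoint mapper'
        389  = 'LDAP'
        445  = 'SMB (SYSVOL, NETLOGON)'
        464  = 'Kerberos password change'
        636  = 'LDAP over SSL'
        3268 = 'Global Catalog'
        3269 = 'Global Catalog over SSL'
    }
    foreach ($port in ($services.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Port    = $port
            Service = $services[$port]
            State   = Test-DcPort -ComputerName $ComputerName -Port $port
        } | Select-Object Port, Service, State
    }
}

function Watch-DcKerberos {
    # Poll Kerberos/88 and print a timestamped line only when the state
    # changes, so both the start of a hang and the recovery leave a record.
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [int]$IntervalSeconds = 30
    )
    $last = $null
    while ($true) {
        $state = Test-DcPort -ComputerName $ComputerName -Port 88
        if ($state -ne $last) {
            '{0:yyyy-MM-dd HH:mm:ss} {1} kerberos/88 {2}' -f (Get-Date), $ComputerName, $state
            $last = $state
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# One-shot check of the problem DC from the thread, then (optionally) a
# continuous watch on the Kerberos port.
Test-DcPorts -ComputerName 'dcontroller05' | Format-Table -AutoSize
# Watch-DcKerberos -ComputerName 'dcontroller05'
```

Run it from a member server in the same segment as the clients that lose logins, since a firewall between the two is what the port check is meant to expose. FILTERED/TIMEOUT on 88 while 389 and 445 still answer matches the symptom in this thread (Kerberos stops, NTLM keeps working). After the secure channel reset suggested above, nltest /sc_verify:yourdomain.com confirms the channel is healthy. A TCP probe does not exercise NetBIOS; note that in the two ipconfig listings quoted in this thread, NetBIOS over Tcpip is disabled on the hanging DC and enabled on the working one, a difference worth reconciling when comparing them.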
Hi Meinolf,
Yes, this is the only DC of 10 total that has the issue. Yes, it has DNS connectivity; however, the mechanism that allows it to UPDATE DDNS is intermittent, causing occasional errors in the logs, but the SRV records do always exist and can be reached. Our DCs just fail maybe 2 of 3 times that they might try to update their SRV records, which never generally need updating anyway. Yes, our firewall rules allow it to connect, and another DC is working fine in the same network location as part of the empty root domain.
The server seems to be working fine, then perhaps during heavy
utilization stops listening on port 88 at least and stops allowing
local logins. It does however seem to be authenticating users perhaps
via NTLMv2 during these "hangs."
I'm posting some IPConfig below, but it doesn't really show much...the
"working one below" is not the other root domain in this same
location, but really all of our dcs have the same basic setup.
repadmin /showrepl is all clean across domains/DCs except for an error at the end of the output:
DsReplicaGetInfo() failed with status 8453 (0x2105):
Replication access was denied.
DsReplicaGetInfo() failed with status 8453 (0x2105):
Replication access was denied.
Thanks,
Forrest
THIS ONE HANGS
Windows IP Configuration
Host Name . . . . . . . . . . . . : dcontroller05
Primary Dns Suffix . . . . . . . : campus.university.edu
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : campus.university.edu
university.edu
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : campus.university.edu
Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
Physical Address. . . . . . . . . : 00-1E-C9-50-3C-52
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.215.234(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 192.168.215.225
DNS Servers . . . . . . . . . . . : 192.168.136.9
192.168.206.12
192.168.136.12
192.168.206.9
NetBIOS over Tcpip. . . . . . . . : Disabled
THIS ONE IS WORKING FINE
**********************************************************************
******************************
Windows IP Configuration
Host Name . . . . . . . . . . . . : dcontroller07
Primary Dns Suffix . . . . . . . : campus.university.edu
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : campus.university.edu
university.edu
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : campus.university.edu
Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
Physical Address. . . . . . . . . : 00-1E-C9-50-3C-42
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.70.195(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.70.1
DNS Servers . . . . . . . . . . . : 192.168.136.9
192.168.206.9
192.168.136.12
192.168.206.12
NetBIOS over Tcpip. . . . . . . . : Enabled
"Meinolf Weber [MVP-DS]" wrote:
Hello forrestsjs,
Is that the only DC with problems? AD relies on DNS and it must always have a DNS server reachable; you state that is not the case? Is the firewall disabled or at least opened for all ports a DC has to have open?
http://support.microsoft.com/kb/555381
Please post an unedited ipconfig /all from the problem DC and one
correct running DC.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
We have a 2008 DC that seems to lose most network connectivity, but not all, every few days. We are a total 2008 environment, still in 2003 functional mode. We have an empty root domain and two child domains. This DC is in the main resource child domain.
When the problem occurs, our monitoring system immediately notices that it is no longer responding on kerberos:88. We then cannot reach it via RDP, and it will not accept Ctrl-Alt-Del at the console. I can still ping it. At a rough estimate so far, it seems it may coincide with the heavy traffic periods (the 8:30am login blitz). It is a GC and normally shows significant connections from an Exchange server under normal conditions.
Our campus environment is forced to use a BIND DNS implementation for the SRV records. Although I get numerous errors logged from this, it essentially works most of the time, and the SRV records are always there. It does, however, muddy up the error logs, making problem resolution more difficult. I'm pasting verbose output of dcdiag below. I've seen errors 1188 (DS RPC) and 1232 around the time of the problem on at least one occasion. The DNS errors in the dcdiag output can be ignored. Our DCs cannot always reach the DNS server, so routine updates sometimes fail, but they work often enough that the records are always there.
This section of the dcdiag errors is what puzzles me:
Starting test: Replications
* Replications Check
[Replications Check,dcontroller05]
DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105 "Replication access was denied."
......................... dcontroller05 failed test Replications
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
Could not open NTDS Service on dcontroller05, error 0x5 "Access is denied."
Full OUTPUT
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine dcontroller05, is a Directory Server.
Home Server = dcontroller05
snip
...
* Found 13 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: universityCampus\dcontroller05
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... dcontroller05 passed test Connectivity
Doing primary tests
Testing server: universityCampus\dcontroller05
Starting test: Advertising
The DC dcontroller05 is advertising itself as a DC and having a DS.
The DC dcontroller05 is advertising as an LDAP server
The DC dcontroller05 is advertising as having a writeable directory
The DC dcontroller05 is advertising as a Key Distribution Center
The DC dcontroller05 is advertising as a time server
The DS dcontroller05 is advertising as a GC.
......................... dcontroller05 passed test Advertising
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC dcontroller05 for domain campus.university.edu in site universityCampus
Checking machine account for DC dcontroller05 on DC dcontroller05.
* SPN found :LDAP/dcontroller05.campus.university.edu/campus.university.edu
* SPN found :LDAP/dcontroller05.campus.university.edu
* SPN found :LDAP/dcontroller05
* SPN found :LDAP/dcontroller05.campus.university.edu/CAMPUS
* SPN found :LDAP/3cca744e-246b-476c-a1c1-b4d3893981d1._msdcs.ad.university.edu
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/3cca744e-246b-476c-a1c1-b4d3893981d1/campus.university.edu
* SPN found :HOST/dcontroller05.campus.university.edu/campus.university.edu
* SPN found :HOST/dcontroller05.campus.university.edu
* SPN found :HOST/dcontroller05
* SPN found :HOST/dcontroller05.campus.university.edu/CAMPUS
* SPN found :GC/dcontroller05.campus.university.edu/ad.university.edu
[dcontroller05] DsReplicaGetInfo(KCC_DS_CONNECT_FAILURES) failed with error 8453, Replication access was denied..
[dcontroller05] Unable to query the list of KCC connection failures.
Continuing...
[dcontroller05] No security related replication errors were found on this DC! To target the connection to a specific source DC use /ReplSource:<DC>.
......................... dcontroller05 passed test CheckSecurityError
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for
DC=campus,DC=university,DC=edu.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Schema,CN=Configuration,dc=ad,DC=university,DC=edu.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Configuration,dc=ad,DC=university,DC=edu.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=Biology,dc=ad,DC=university,DC=edu.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
dc=ad,DC=university,DC=edu.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... dcontroller05 passed test CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
An Warning Event occurred. EventID: 0x800034C8
Time Generated: 01/20/2009 09:39:50
Event String:
......................... dcontroller05 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
......................... dcontroller05 passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... dcontroller05 passed test SysVolCheck
Starting test: FrsSysVol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... dcontroller05 passed test FrsSysVol
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... dcontroller05 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=dcontroller01,CN=Servers,CN=universityCampus,CN=Sites,CN=Configuration,dc=ad,DC=university,DC=edu
Role Domain Owner = CN=NTDS Settings,CN=dcontroller01,CN=Servers,CN=universityCampus,CN=Sites,CN=Configuration,dc=ad,DC=university,DC=edu
Role PDC Owner = CN=NTDS Settings,CN=dcontroller04,CN=Servers,CN=universityCampus,CN=Sites,CN=Configuration,dc=ad,DC=university,DC=edu
Role Rid Owner = CN=NTDS Settings,CN=dcontroller04,CN=Servers,CN=universityCampus,CN=Sites,CN=Configuration,dc=ad,DC=university,DC=edu
Role Infrastructure Update Owner = CN=NTDS Settings,CN=dcontroller03,CN=Servers,CN=universityCampus,CN=Sites,CN=Configuration,dc=ad,DC=university,DC=edu
......................... dcontroller05 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC dcontroller05 on DC dcontroller05.
* SPN found :LDAP/dcontroller05.campus.university.edu/campus.university.edu
* SPN found :LDAP/dcontroller05.campus.university.edu
* SPN found :LDAP/dcontroller05
* SPN found :LDAP/dcontroller05.campus.university.edu/CAMPUS
* SPN found :LDAP/3cca744e-246b-476c-a1c1-b4d3893981d1._msdcs.ad.university.edu
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/3cca744e-246b-476c-a1c1-b4d3893981d1/campus.university.edu
* SPN found :HOST/dcontroller05.campus.university.edu/campus.university.edu
* SPN found :HOST/dcontroller05.campus.university.edu
* SPN found :HOST/dcontroller05
* SPN found :HOST/dcontroller05.campus.university.edu/CAMPUS
* SPN found :GC/dcontroller05.campus.university.edu/ad.university.edu
......................... dcontroller05 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC
dcontroller05.
* Security Permissions Check for
DC=campus,DC=university,DC=edu
(Domain,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,dc=ad,DC=university,DC=edu
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,dc=ad,DC=university,DC=edu
(Configuration,Version 3)
* Security Permissions Check for
DC=Biology,dc=ad,DC=university,DC=edu
(Domain,Version 3)
* Security Permissions Check for
dc=ad,DC=university,DC=edu
(Domain,Version 3)
......................... dcontroller05 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\dcontroller05\netlogon
Verified share \\dcontroller05\sysvol
[dcontroller05] User credentials does not have permission to perform this operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... dcontroller05 failed test NetLogons
Starting test: ObjectsReplicated
dcontroller05 is in domain DC=campus,DC=university,DC=edu
Checking for CN=dcontroller05,OU=Domain Controllers,DC=campus,DC=university,DC=edu in domain
.