| Author |
Message |
max98037
Guest
|
 Posted:
Fri Nov 11, 2005 1:50 am Post subject:
Big trouble with DC in China |
|
|
Please help! Great wisdom is in need
We have a branch office in China - which is connected by a
firewall-to-firewall IPSec VPN. Our conection is not at all without packet
loss, by the way.
We have 2 other DCs in the states that support our main offices.
I just added a new DC/DNS/WINS server to support our branch office in China.
I have added a site with the subnet and configured links. Since then, this
server has so may errors in the event logs (KCC, DNS, FRS) that I wouldnt
know where to start. But Ill list a few anyway:
--------------------------------------------------------------------------------------
Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1925
Date: 11/10/2005
Time: 4:20:17 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: PORTLAND
Description:
The attempt to establish a replication link for the following writable
directory partition failed.
Directory partition:
CN=Configuration,DC=company,DC=com
Source domain controller:
CN=NTDS
Settings,CN=CHINA,CN=Servers,CN=China,CN=Sites,CN=Configuration,DC=company,DC=com
Source domain controller address:
22da5d1e-8271-4fcf-acb3-04d870397976._msdcs.dolan.corp
Intersite transport (if any):
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=company,DC=com
This domain controller will be unable to replicate with the source domain
controller until this problem is corrected.
User Action
Verify if the source domain controller is accessible or network connectivity
is available.
Additional Data
Error value:
1727 The remote procedure call failed and did not execute.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
---------------------------------------------------------------------------
Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1925
Date: 11/10/2005
Time: 4:13:56 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: PORTLAND
Description:
The attempt to establish a replication link for the following writable
directory partition failed.
Directory partition:
CN=Schema,CN=Configuration,DC=company,DC=com
Source domain controller:
CN=NTDS
Settings,CN=CHINA,CN=Servers,CN=China,CN=Sites,CN=Configuration,DC=company,DC=com
Source domain controller address:
22da5d1e-8271-4fcf-acb3-04d870397976._msdcs.dolan.corp
Intersite transport (if any):
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=company,DC=com
This domain controller will be unable to replicate with the source domain
controller until this problem is corrected.
User Action
Verify if the source domain controller is accessible or network connectivity
is available.
Additional Data
Error value:
1727 The remote procedure call failed and did not execute.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------------------------------------------
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4510
Date: 11/9/2005
Time: 9:35:13 PM
User: N/A
Computer: CHINA
Description:
The DNS server was unable to connect to the domain naming FSMO
PORTLAND.company.com. No modifications to Directory Partitions are possible
until the FSMO server is available for LDAP connections. The event data
contains the error code.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: af 20 00 00 ¯ ..
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4510
Date: 11/9/2005
Time: 9:35:13 PM
User: N/A
Computer: CHINA
Description:
The DNS server was unable to connect to the domain naming FSMO
PORTLAND.company.com. No modifications to Directory Partitions are possible
until the FSMO server is available for LDAP connections. The event data
contains the error code.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: af 20 00 00 ¯ ..
----------------------------------------------------------------------
Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4016
Date: 11/9/2005
Time: 9:35:13 PM
User: N/A
Computer: CHINA
Description:
The DNS server timed out attempting an Active Directory service operation on
---. Check Active Directory to see that it is functioning properly. The
event data contains the error.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 55 00 00 00 U...
--------------------------------------------------------------------------------------
These errrors look so grimm that I am afraid to join our workstations over
there to the domain. Could this be due to our unreliable link and if so is
there nothing we can do to make this work? Please tell me it is possible I
could have misconfigured something along the way. This is my first time
preparing a DC overseas. |
|
| Back to top |
|
 |
Guest
|
| Posted:
Fri Nov 11, 2005 8:57 am Post subject:
Re: Big trouble with DC in China |
|
|
What replication links. were autogenerated and what replication links
did you configure. Here are the important things we need to help...
1.) Where are your master roles (assuming all 5 are on one box)
2.) If there are 3 sites, tell us what replication links exist between
what sites/servers |
|
| Back to top |
|
|
Ace Fekay [MVP]
Guest
|
| Posted:
Fri Nov 11, 2005 9:50 am Post subject:
Re: Big trouble with DC in China |
|
|
To add to smpclient@gmail.com's questions, the possibilities as to why this
is occuring are numerous, from hardware, configuration info, DNS IP
properties misconfig (not using ONLY your internal DNS servers meaning if
you are using an ISP's DNS server, this can cause MAJOR issues across the
board).
Are you aware of any MTU alterations in the VPN devices? MTUs lower than
1500 can cause these errors. Are there firewalls between the sites? ADSL
line?
How is your DNS infrastructure configured? Are the zones AD Integrated or
are they Primary/Secondaries?
Check out this site:
http://www.eventid.net/display.asp?eventid=1925&eventno=2447&source=NTDS%20KCC&phase=1
Also, do the SRV records exit? Does the _msdcs record for the forest root,
and any other domains exist? Does this record exist?
22da5d1e-8271-4fcf-acb3-04d870397976._msdcs.dolan.corp
If so, is the IP pingable?
If pingable, try a dsquery test against the other server, or all servers
(using *):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/46ba1426-43fd-4985-b429-cd53d3046f01.mspx
Lastly, what was changed, if anything, prior to this occuring? Changes could
be anything from a service pack, hotfix, router firmware or software
upgrade, etc.
There was one hotfix update a few weeks ago that caused problems on machines
that admins had altered the default C:\ drive permissions.
Systems that have changed the default Access Control List permissions on the
%windir%\registration directory may experience various problems after you
install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC
http://support.microsoft.com/kb/909444
Run a dcdiag /v /fix on your servers and post the results please. Try not to
edit the domain names and server names please, otherwise it makes it a
little more difficult to read and translate. Can you also post an ipconfig
/all from your servers please? Same thing goes with the editing please.
I had a client about a year ago with major issues with replication. After 2
days meddling with it and not getting it to work, he finally mentioned that
a firmware upgrade was made on his Sonic Wall. I looked at the Sonic Wall
config, and the MTU was dropped to 1492 and wouldn't let me set it to 1500.
I asked him to put the original firmware back on it, and replication all of
a sudden took off. I suggested for him to keep the old firmware until he
finds out why the restrictions on the MTU settings from Sonic Wall.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
================================= |
|
| Back to top |
|
|
Andrei Ungureanu
Guest
|
| Posted:
Fri Nov 11, 2005 1:50 pm Post subject:
Re: Big trouble with DC in China |
|
|
also I have 2 comments:
1.Please check if RPC traffic is allowed on your VPN links.
2.If you are using ISA2004 please install ISA SP1.
Andrei Ungureanu
www.eventid.net |
|
| Back to top |
|
|
SIME U via WinServerKB.co
Guest
|
| Posted:
Fri Nov 11, 2005 5:50 pm Post subject:
Re: Big trouble with DC in China |
|
|
Hi
Just a little note I heard that using smtp rather than ip for replication is
much better over suspect WAN links - maybe worth looking into this?
Simon |
|
| Back to top |
|
|
Ace Fekay [MVP]
Guest
|
| Posted:
Sat Nov 12, 2005 1:50 am Post subject:
Re: Big trouble with DC in China |
|
|
Not if the DCs are part of the same domain. SMTP Site connectors are for
async lines and DO NOT SUPPORT replication of the Domain NC, NTFRS or Sysvol
folders between DCs of the same domain. They are designed for replicating
forest traffic, which means a separate domain altogether at that site, and
not domain specific traffic.
Ace |
|
| Back to top |
|
|
max98037
Guest
|
| Posted:
Sat Nov 12, 2005 1:50 am Post subject:
Re: Big trouble with DC in China |
|
|
Thank you all for your help!
To answer your questions:
3 DCs- Seattle, Portland, and China- each in its own site and each is an AD
integrated DNS server
All of our FSMO roles are held on the Portland DC
Site and server links between Portland-China, Seattle-Portland
Yes the DNS records exist. Yes the DCs are using internal DNS servers.
RPC is allowed on the VPN, as are all other service between the 2 networks.
We use Watchguard Firebox to a Watchguard SOHO and its MTU is 1500.
The errors occurred on the China DC immediately after promoting it to DC
And I understood that you cannot use SMTP replication to replicate between
domain controllers in the same domain—only inter-domain replication. |
|
| Back to top |
|
|
Ace Fekay [MVP]
Guest
|
| Posted:
Sat Nov 12, 2005 1:50 am Post subject:
Re: Big trouble with DC in China |
|
|
Then everything seems ok, except the China DC. So that says something's up
with that link over there or m aybe the firewall service is turned on on
that DC. Obviously something is blocking it. Does the zone exist on that DC
and the necessary records.
Ace |
|
| Back to top |
|
|
Spin
Guest
|
| Posted:
Sat Nov 12, 2005 9:50 am Post subject:
Re: Big trouble with DC in China |
|
|
Ace, PLEASE trim your posts. Otherwise we have to scroll a mile long to
find your answer. Which is usually pretty good, btw.
--
Spin |
|
| Back to top |
|
|
max98037
Guest
|
| Posted:
Mon Nov 14, 2005 9:50 am Post subject:
Re: Big trouble with DC in China |
|
|
Thanks for the suggestions.
The firewall service is off and the zone does exist on the China DC.
As I had noted in my original post, we get some packet loss when pinging
this network. My greatest fear in this is that our link is not stable enough,
which wouldnt leave me with much to work with.
Would you suggest these problems are most likely caused by packet loss or is
there anything else you think we could try? |
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in