DNS Dropouts
Hi All,
I've recently been handed control of a customer's network having issues...
They are getting random DNS failures...their setup is:
1x Forefront TMG 2010 box providing Firewalling and Proxy
1x Server 2008 DC
1x Server 2003 R2 DC
What is happening, every 3-5 days (more often towards the end of the week) no clients will be able to resolve the DNS name of the Proxy Server and therefore cannot get out. There are also some servers (XenApp, CRM etc) that are affected as well. Until now, they've been flushing and then registering the DNS cache on each PC/Server having issues to get it back...this is not ideal :)
Running DCDIAG /DnsAll /Q gives me the following errors:
Has anyone else come across this error before or have any tips on troubleshooting this issue?
David Robertson MCP, VCP4, AST
July 29th, 2012 8:55pm
Hi,
Please refer to the following:
Troubleshooting AD Replication error 1722: The RPC server is unavailable
http://support.microsoft.com/kb/2102154
Troubleshooting RPC Endpoint Mapper errors using the Windows Server 2003 Support Tools from the product CD
http://support.microsoft.com/kb/839880
You might need to re-validate network firewall and TMG settings and ports which are opened/blocked.
Make sure the firewall is configured to allow the ports which are necessary to run AD and AD DS Services
Active Directory and Active Directory Domain Services Port Requirements
http://technet.microsoft.com/en-us/library/dd772723(ws.10).aspx
Event viewer on DCs might as well reveal some more information.
I do not represent the organisation I work for, all the opinions expressed here are my own.
This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
- .... .- -. -.- ... --..-- ... .- -. - --- ... ....
July 29th, 2012 9:00pm
July 29th, 2012 9:06pm
Ahh thank you very much...it appears the 2008 DC is missing 'ncacn_np' and 'ncacn_ip_udp' and the 2003 DC is missing 'ncacn_ip_udp' as well (From Step 2).
It mentions importing from a good Server to add the entries...can I safely import 'ncacn_np' from 2003 -> 2008 DC? And how do I rectify 'ncacn_ip_udp' that is missing from both Servers?...I have in fact looked at the functioning DCs in other sites on their WAN and found none have 'ncan_ip_udp' they all have another file, 'ncadg_ip_udp' instead....
David Robertson MCP, VCP4, AST
July 29th, 2012 9:39pm
It mentions importing from a good Server to add the entries...can I safely import 'ncacn_np' from 2003 -> 2008 DC? And how do I rectify 'ncacn_ip_udp' that is missing from both Servers?
Instead of importing the reg keys, try creating missing keys manually. Take system state backup before doing any changes on DCs.
I have in fact looked at the functioning DC's in other sites on their WAN and found none have 'ncan_ip_udp' they all have another file, 'ncadg_ip_udp' instead....
Sorry, not really sure what to suggest on this. If they are functioning without any issues, you might want them to leave as it is :-)
I do not represent the organisation I work for, all the opinions expressed here are my own.
This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
- .... .- -. -.- ... --..-- ... .- -. - --- ... ....
July 29th, 2012 9:55pm
Hi,
The error message "DsBindWithSpnEx() failed with error 1722" indicates an "RPC server is unavailable" error.
It shows that the computer on which you run dcdiag /dnsall /q has an RPC connection issue with your DC and DNS server.
You mentioned you have Forefront TMG 2010 as Firewall and proxy server, I think you mean internet firewall, but what's your intranet firewall? Do you use Forefront client or the Windows built-in firewall program?
Please refer to these articles to check Domain services needed port over firewall.
Configuring an Intranet Firewall
http://technet.microsoft.com/en-us/library/bb125069.aspx
Active Directory Replication Over Firewalls
http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls-en-us.aspx
For more information please refer to following MS articles:
DCDiag and DsBindWithSpnEx() Error
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/d2804f30-626b-419d-a85a-eeda0a9b7d1d
Active directory replication issue
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/330dddf3-7492-42cb-885d-e8049cc5fcd8/
Hope this helps!
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Lawrence
TechNet Community Support
July 31st, 2012 1:15am
July 31st, 2012 1:17am
Hi, TMG is the Internet Firewall and Proxy...no Intranet Firewall.
I am working through some of the links provided by Santosh, but not getting very far.
David Robertson MCP, VCP4, AST
July 31st, 2012 4:31pm
Hi,
Since you get an error with ID 1722 when connecting to the DNS server, that indicates the RPC server is unavailable. So it seems you can't even connect to the DNS server, not to mention DNS resolution.
I think we should focus on troubleshooting the "RPC server is unavailable" issue.
The process of an RPC client connection to an RPC server can be broken down into four phases.
Phase 1: Name Resolution: Name resolution is the act of resolving a name to an IP address. This normally takes two forms: NetBIOS Name Resolution or the more common DNS Name Resolution.
Phase 2: TCP session establishment: TCP session establishment is the act of establishing a TCP connection between the RPC client and the RPC server. TCP sessions will be initiated by the RPC client via a TCP 3-way handshake with the RPC server.
Phase 3: RPC Discovery: When a client wants to connect to the RPC server supplied by the application it will contact the computer that hosts the RPC Server and discover how to connect to the RPC Server.
Phase 4: RPC Communication: RPC Communication is the act of making RPC requests to the application endpoint and receiving RPC responses from this application.
Data needed to troubleshoot the issue:
Identify the client and server computers reporting the RPC error. Identify the DNS and WINS servers used by these computers. To do this:
On each machine, open a command prompt and run ipconfig /all. Determine the IP address of both machines. If the server is part of a cluster get the cluster resource IP address as well. Identify the DNS servers and WINS servers that the RPC client is configured to use.
Note: You can also obtain this information by opening Control Panel\Network and Sharing Center, clicking Local Area Connection and selecting Properties.
Identify the application(s) reporting RPC Server Unavailable.
Simultaneous network traces (using Wireshark, Netmon, or a comparable network sniffer) from the machines hosting the RPC client and RPC Server while reproducing the task that results in a RPC Server Unavailable error:
The network captures on both hosts should be started first.
From a command prompt on the client run ipconfig /flushdns and nbtstat -R to clear the name resolution caches.
Reproduce the error.
Stop the traces and save them.
For more information please refer to following MS articles:
Troubleshooting "The RPC server is unavailable"
http://social.technet.microsoft.com/wiki/contents/articles/4494.troubleshooting-the-rpc-server-is-unavailable.aspx
Replication error 1722 The RPC server is unavailable
http://technet.microsoft.com/en-us/library/replication-error-1722-the-rpc-server-is-unavailable(v=ws.10).aspx
How IT Works: Troubleshooting RPC Errors
http://technet.microsoft.com/en-us/magazine/2007.07.howitworks.aspx
Hope this helps!
Lawrence
TechNet Community Support
July 31st, 2012 11:05pm
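The first three phases described in the post above, and the port checks suggested earlier in the thread, can be exercised from the machine reporting error 1722 with a short script. This is an added example, not part of the original thread; the function names are hypothetical and it assumes the endpoint mapper listens on TCP 135. It stops after phase 3 and does not query a specific application endpoint.

```python
import socket, struct, uuid

# Well-known DCE/RPC identifiers; TCP 135 as the endpoint mapper port is assumed.
EPM_UUID = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")  # endpoint mapper, v3.0
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax, v2
BIND, BIND_ACK = 11, 12                                       # DCE/RPC PDU types

def epm_bind_pdu():
    """Build a 72-byte DCE/RPC bind request for the endpoint mapper interface."""
    ctx = (struct.pack("<B3xHBx", 1, 0, 1)            # 1 context, id 0, 1 transfer syntax
           + EPM_UUID.bytes_le + struct.pack("<HH", 3, 0)
           + NDR_UUID.bytes_le + struct.pack("<I", 2))
    body = struct.pack("<HHI", 5840, 5840, 0) + ctx   # max xmit/recv frag, assoc group
    hdr = struct.pack("<BBBB4sHHI", 5, 0, BIND, 0x03,
                      b"\x10\x00\x00\x00", 16 + len(body), 0, 1)
    return hdr + body

def check_rpc_phases(host, port=135, timeout=3.0):
    """Return (failed_phase, detail); failed_phase is 0 when phases 1-3 succeed."""
    try:                                   # Phase 1: name resolution
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]
    except socket.gaierror as e:
        return 1, f"cannot resolve {host}: {e}"
    try:                                   # Phase 2: TCP session establishment
        s = socket.create_connection(addr[:2], timeout=timeout)
    except socket.timeout:
        return 2, "no reply to the connection attempt (packets dropped or host down)"
    except OSError as e:                   # e.g. refused: host up, nothing listening
        return 2, f"connection failed: {e}"
    with s:                                # Phase 3: does an endpoint mapper answer?
        try:
            s.sendall(epm_bind_pdu())
            reply = s.recv(64)
        except OSError as e:
            return 3, f"no RPC reply: {e}"
    if len(reply) < 3 or reply[2] != BIND_ACK:
        return 3, "port open but no bind_ack from the endpoint mapper"
    return 0, f"endpoint mapper answered at {addr[0]}:{port}"

if __name__ == "__main__":
    # "dc01.example.local" is a placeholder host name, not one from the thread.
    print(check_rpc_phases("dc01.example.local"))
```

A result of 2 with a timeout means nothing replied to the connection attempt, while a result of 3 means something accepted the connection on that port but did not answer as an RPC endpoint mapper.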
July 31st, 2012 11:07pm
Hi,
I would like to confirm what is the current situation? Have you resolved the problem?
If there is anything that we can do for you, please do not hesitate to let us know, and we will be happy to help.
Lawrence
TechNet Community Support
August 2nd, 2012 10:07pm
Hi Lawrence, I've gotten snowed under the last day or so...will hopefully get back onto this on Monday...interestingly enough, they haven't had any dropouts since I started this thread...
David Robertson MCP, VCP4, AST
August 2nd, 2012 11:38pm
Okay, please try the above solutions and give feedback if you have any progress.
If you have any questions or confusion, please feel free to let me know.
Lawrence
TechNet Community Support
August 3rd, 2012 1:44am
Hi,
I would like to confirm what is the current situation? Have you resolved the problem?
If there is anything that we can do for you, please do not hesitate to let us know, and we will be happy to help.
Lawrence
TechNet Community Support
August 7th, 2012 10:15pm
Quick thought, would it be easier to Demote the 2003 DC as they need to move to full 2008 AD eventually anyway...this would fix the issues?
David Robertson MCP, VCP4, AST
August 13th, 2012 6:09pm
Quick thought, would it be easier to Demote the 2003 DC as they need to move to full 2008 AD eventually anyway...this would fix the issues?
David Robertson MCP, VCP4, AST
Hello again,
Migrating DCs to 2008/R2 would be a good idea; however, please do ensure that necessary ports are allowed to communicate between DCs and TMG is not blocking the ports.
I do not represent the organisation I work for, all the opinions expressed here are my own.
This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
- .... .- -. -.- ... --..-- ... .- -. - --- ... ....
August 13th, 2012 7:38pm