Windows Server Summit 2024
Mar 26 2024 08:00 AM - Mar 28 2024 04:30 PM (PDT)
Microsoft Tech Community
LIVE
SOLVED

Server 2012R2 AD access and replication problems

Copper Contributor

I have a Server 2012R2 which has several symptoms related to AD access and replication.  Here are some examples and some related event log descriptions:

GPMC cannot connect to the AD.

DFRS replication fails - Error: 1726 (The remote procedure call failed.)

SMB outbound connections sometimes fail - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the target server.

Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology.

DNS - The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly.

 

The server is a 2012R2 Hyper-V guest, it was hosted on a Fujitsu server 2012R2.  It has been moved (VHD only) to a Dell server 2016 host, with a new vNIC and Hyper-V switch.  The problems described show no change both before and after the move.  The SYSVOL share seems to be normal.  The Windows firewall has been disabled.  SFC /SCANNOW and DISM healthchecks and restores have been completed.

 

Some help would be appreciated!

 

 

11 Replies

You can run;

Dcdiag /v /c /d /e /s:DCName >c:\dcdiag.log

(please replace DCName with your domain controller's netbios name)

ipconfig /all > C:\dc1.txt

then put files up on OneDrive and share a link.

 

 

 

The most immediate problem appears to be connectivity with LGNAD2 If this domain controller has been forcefully removed or no longer available then you can seize roles (if needed)

https://support.microsoft.com/en-us/help/255504/using-ntdsutil-exe-to-transfer-or-seize-fsmo-roles-t...

and perform cleanup.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc...

 

 

I agree that the most immediate problem appears to be connectivity with LGNAD2, however LGNAD2 is in a AD site with no local issues, LGNAD4 was added to the same site very recently with no problems.  I am unable to add another DC to the problem site alongside LGNAD1.

 

For comparison I have added dcdiag2.txt and dc2.txt to the same OneDrive share.

 

Thanks again,

Bob

There may be routing issues between the two networks.

192.168.1.254
192.168.100.254
 
 
 

Dave, your diagnosis has been similar to mine and I have also suspected a routing problem between the sites but extended pings look good, SMB file transfers are normal for the cross site shares which are available, and we are keeping routing as a potential cause.

However I do not understand how a site connection issue would affect AD operation within the one LGNAD1 site, GPMC will not load since it cannot connect and I cannot add a second DC.

best response confirmed by VI_Migration (Silver Contributor)
Solution

The dcdiag you ran from LGNAD1 is totally unaware of the new DC (LGNAD4) you added in other network plus it cannot connect to LGNAD2. I don't know how long ago this might have happened. Seems there is some blocking going on. One method would be to use PortQryUI tool to check domains and trusts ports.

https://www.microsoft.com/en-us/download/details.aspx?id=24009

tool does not install anything, just extract and run it. I'd try between two on the 192.168.100.xxx network so you know what to expect, then run from LGNAD1 --> LGNAD2 and LGNAD2-->LGNAD1

 

 

 

Thanks, The portqryui tool is new to me and the results are in the OneDrive already shared.

 

Running the tool at the AD1 site locally gave what looked like good results to LDAP queries, TCP port 389, UDP port 389, TCP port 636, and TCP port 3268; NETBIOS UDP port 137 but no others.  The inter site tests looked to be completely failing.

The inter site tests looked to be completely failing.

I'd agree. I'd get in touch with your inter-site network support group.

 

 

 

Dave, an MTU adjustment was required on the VPN appliances and replication is looking much better.

 

Thanks for your help!

Bob

 

Glad to hear.

 

 

1 best response

Accepted Solutions
best response confirmed by VI_Migration (Silver Contributor)
Solution

The dcdiag you ran from LGNAD1 is totally unaware of the new DC (LGNAD4) you added in other network plus it cannot connect to LGNAD2. I don't know how long ago this might have happened. Seems there is some blocking going on. One method would be to use PortQryUI tool to check domains and trusts ports.

https://www.microsoft.com/en-us/download/details.aspx?id=24009

tool does not install anything, just extract and run it. I'd try between two on the 192.168.100.xxx network so you know what to expect, then run from LGNAD1 --> LGNAD2 and LGNAD2-->LGNAD1

 

 

 

View solution in original post