RE: [ActiveDir] Problem at remote site
Hi all:

I wanted to update the list on what actually fixed my problem. I ended up calling MS for support because I was at my breaking point :). Turns out that I needed to set my MTU manually to 1390! Doh! That did the trick. I knew it was some simple but I didn't know it was that simple :).

Thanks for all of your help.

Thank you for your time!
Jennifer

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Tuesday, August 09, 2005 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

I ended up sending another DC to the site so I could just re-add this server to the domain but AD will not start on that box. I keep getting an error - rpc server unavailable. We have approx 9 DCs (4 at HQ and one at each remote site). We have DCs at our other remote sites (diagram below):

Site1 Site2 Site3 (wan connection using private sprint network) -- HQ -- site6 (business cable modem with vpn tunnel to corporate (internet)) Site4 Site5

The new DC can ping but anything else gets an RPC server unavailable error. I thought AD could replicate over a modem connection? So, I am not sure where I need to go from here. Any thoughts?

Thank you for your time!
Jennifer

*
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
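Added example, not part of the original thread: the symptoms reported here (ping and telnet work, RPC and replication time out, fixed by an MTU of 1390) fit a path that drops full-size packets, and the sketch below finds the largest packet a path passes with Don't Fragment set. The function names and the 1390-byte simulated path are constructed for illustration; `ping_df` assumes the stock Windows or Linux ping.

```python
import platform
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host, payload, timeout_s=2):
    """Send one echo request carrying `payload` data bytes with Don't Fragment set.

    Returns True only when an echo reply comes back.
    """
    windows = platform.system() == "Windows"
    if windows:
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000),
               "-f", "-l", str(payload), host]
    else:  # Linux iputils ping
        cmd = ["ping", "-c", "1", "-W", str(timeout_s),
               "-M", "do", "-s", str(payload), host]
    out = subprocess.run(cmd, capture_output=True, text=True, errors="replace")
    if windows:
        # Windows ping can exit 0 on an ICMP error, so look for a real reply line.
        return "TTL=" in out.stdout
    return out.returncode == 0


def largest_unfragmented_payload(probe, low=0, high=1472):
    """Binary-search the largest payload for which probe(payload) is True.

    `probe` must be monotonic (every size up to the limit passes, every
    size above it fails). Returns None when even `low` fails.
    """
    if not probe(low):
        return None
    if probe(high):
        return high
    # Invariant: probe(low) is True and probe(high) is False.
    while high - low > 1:
        mid = (low + high) // 2
        if probe(mid):
            low = mid
        else:
            high = mid
    return low


def diagnose(probe, interface_mtu=1500):
    """Compare the measured path MTU with the MTU configured on the interface."""
    max_payload = largest_unfragmented_payload(
        probe, 0, interface_mtu - IP_ICMP_OVERHEAD)
    if max_payload is None:
        # No reply even to an empty echo: host down or ICMP filtered.
        return {"reachable": False, "max_payload": None,
                "path_mtu": None, "below_interface_mtu": None}
    path_mtu = max_payload + IP_ICMP_OVERHEAD
    return {"reachable": True, "max_payload": max_payload,
            "path_mtu": path_mtu,
            "below_interface_mtu": path_mtu < interface_mtu}


def simulated_path(path_mtu):
    """Constructed stand-in for a link: a DF packet passes only if it fits."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run: python pmtu.py <host>
        target = sys.argv[1]
        result = diagnose(lambda size: ping_df(target, size))
    else:
        # Offline run against a constructed 1390-byte path.
        result = diagnose(simulated_path(1390))
    print(result)
```

A result with `below_interface_mtu` set to True means small packets (ping, a telnet handshake) cross the path while full-size ones do not. If ICMP echo is filtered on the path, the probe reports the host as unreachable rather than giving an MTU.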
RE: [ActiveDir] Problem at remote site
Jennifer,

Thanks for the update and the resolution.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Thursday, August 18, 2005 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

Hi all:

I wanted to update the list on what actually fixed my problem. I ended up calling MS for support because I was at my breaking point :). Turns out that I needed to set my MTU manually to 1390! Doh! That did the trick. I knew it was some simple but I didn't know it was that simple :).

Thanks for all of your help.

Thank you for your time!
Jennifer
RE: [ActiveDir] Problem at remote site
I ended up sending another DC to the site so I could just re-add this server to the domain but AD will not start on that box. I keep getting an error - rpc server unavailable. We have approx 9 DCs (4 at HQ and one at each remote site). We have DCs at our other remote sites (diagram below):

Site1 Site2 Site3 (wan connection using private sprint network) -- HQ -- site6 (business cable modem with vpn tunnel to corporate (internet)) Site4 Site5

The new DC can ping but anything else gets an RPC server unavailable error. I thought AD could replicate over a modem connection? So, I am not sure where I need to go from here. Any thoughts?

Thank you for your time!
Jennifer

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Sunday, August 07, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

I can only browse our file server but the connection is very slow to come up. I cannot browse any other server. I can, however, telnet to all ports on the boxes I cannot browse to. All of my clients at the remote site can browse these servers without issue. I am seeing tons of 1311 errors:

Event Type: Error
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1311
Date: 8/7/2005
Time: 1:30:21 PM
User: N/A
Computer: DC
Description:
The Directory Service consistency checker has determined that either (a) there is not enough physical connectivity published via the Active Directory Sites and Services Manager to create a spanning tree connecting all the sites containing the Partition CN=Configuration,DC=domain,DC=net, or (b) replication cannot be performed with one or more critical servers in order for changes to propagate across all sites (most often due to the servers being unreachable).

For (a), please use the Active Directory Sites and Services Manager to do one of the following:
1. Publish sufficient site connectivity information such that the system can infer a route by which this Partition can reach this site. This option is preferred.
2. Add an ntdsConnection object to a Domain Controller that contains the Partition CN=Configuration,DC=domain,DC=net in this site from a Domain Controller that contains the same Partition in another site.

For (b), please see previous events logged by the NTDS KCC source that identify the servers that could not be contacted.

When I check the sites and services, I see a connector for all of the DCs in my site. I also noticed that the KCC configured it to be an IP not RPC connection. There aren't any ACLs, firewalls that are in the way of these servers.

Thank you for your time!
Jennifer
RE: [ActiveDir] Problem at remote site
What OS is the new DC running? Windows Server 2003 SP1? Do you have a firewall in-between the remote site and HQ?

Thanks,
-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Tuesday, August 09, 2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

I ended up sending another DC to the site so I could just re-add this server to the domain but AD will not start on that box. I keep getting an error - rpc server unavailable. We have approx 9 DCs (4 at HQ and one at each remote site). We have DCs at our other remote sites (diagram below):

Site1 Site2 Site3 (wan connection using private sprint network) -- HQ -- site6 (business cable modem with vpn tunnel to corporate (internet)) Site4 Site5

The new DC can ping but anything else gets an RPC server unavailable error. I thought AD could replicate over a modem connection? So, I am not sure where I need to go from here. Any thoughts?

Thank you for your time!
Jennifer
RE: [ActiveDir] Problem at remote site
Jennifer,

RPC Server is Unavailable screams Name Resolution problem to me. Have you done a NetDiag or DCDiag on either of these systems?

AD can replicate over a modem connection - I've done it connections with as little as 64k available to small sites (not my choice) as long as IP is available to / from. However, I really have to begin to suspect a DNS issue that you're fighting here now.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Tuesday, August 09, 2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

I ended up sending another DC to the site so I could just re-add this server to the domain but AD will not start on that box. I keep getting an error - rpc server unavailable. We have approx 9 DCs (4 at HQ and one at each remote site). We have DCs at our other remote sites (diagram below):

Site1 Site2 Site3 (wan connection using private sprint network) -- HQ -- site6 (business cable modem with vpn tunnel to corporate (internet)) Site4 Site5

The new DC can ping but anything else gets an RPC server unavailable error. I thought AD could replicate over a modem connection? So, I am not sure where I need to go from here. Any thoughts?

Thank you for your time!
Jennifer
RE: [ActiveDir] Problem at remote site
I finally got the dcpromo to work but now I am having replication issues. Here is what I see in my logs:

Event Type: Warning
Event Source: Winlogon
Event Category: None
Event ID: 1010
Date: 8/6/2005
Time: 9:57:28 PM
User: N/A
Computer: DC
Description:
Automatic enrollment against the certification authority Subordinate Enterprise CA - SRV for a certificate of type DomainController has failed. (0x8001011f) This operation returned because the timeout period expired. . Another certification authority will be tried.

Event Type: Error
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1311
Date: 8/6/2005
Time: 10:11:08 PM
User: N/A
Computer: DC
Description:
The Directory Service consistency checker has determined that either (a) there is not enough physical connectivity published via the Active Directory Sites and Services Manager to create a spanning tree connecting all the sites containing the Partition CN=Configuration,DC=rb,DC=net, or (b) replication cannot be performed with one or more critical servers in order for changes to propagate across all sites (most often due to the servers being unreachable).

For (a), please use the Active Directory Sites and Services Manager to do one of the following:
1. Publish sufficient site connectivity information such that the system can infer a route by which this Partition can reach this site. This option is preferred.
2. Add an ntdsConnection object to a Domain Controller that contains the Partition CN=Configuration,DC=rb,DC=net in this site from a Domain Controller that contains the same Partition in another site.

For (b), please see previous events logged by the NTDS KCC source that identify the servers that could not be contacted.

Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1566
Date: 8/6/2005
Time: 10:11:08 PM
User: N/A
Computer: DC
Description:
All servers in site CN=domain,CN=Sites,CN=Configuration,DC=domain,DC=net that can replicate partition CN=Configuration,DC=domain,DC=net over transport CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=net are currently unavailable.

I checked and this computer cannot browse to any of domain controllers (network is not available). I can browse the domain controllers from clients so it looks like this server is an issue. And the clients can browse this server. Any thoughts?

Thank you for your time!
Jennifer

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, August 05, 2005 6:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

Hi Jennifer,

I also had this happen to me at a remote site back in 2001 when I was implementing AD for Slamdunk Networks.. We found that the latency time was high... even though we had an IPSEC tunnel going through a full T1 at one site to a 10 MB pipe at Corporate. Try doing this on a weekend or late at night when the network is less utilized and see if that helps. What I ended up doing is building a DC at our HQ and shipping it to them. I am really glad that Microsoft came out with the new DCPromo / ADV switch for 2003.

Jose :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jennifer Fountain
Sent: Friday, August 05, 2005 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

Doh - we are still running 2000. Upgrading soon but not there yet. I don't understand why it keeps giving me a service hasn't started due to timeout error while it's creating the service account. I have done this before at our remote site in Sweden so I am baffled. :(

Thank you for your time!
Jennifer

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, August 05, 2005 5:56 PM
To: Medeiros, Jose; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

Oh.. one more thing, the DCPROMO /adv switch only works on a 2003 server.

Jose :-)

-----Original Message-----
From: Medeiros, Jose
Sent: Friday, August 05, 2005 2:10 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Problem at remote site

Hi.. Replace the Cisco 1760 with a Sonic Wall. ( Just Kidding ). How about doing a system state backup of your local DC, transfer the file to the remote server, then promote your DC using the switch that tells it to use the system state file? Just a thought.

Jose :-0

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jennifer Fountain
Sent: Friday, August 05, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem at remote site

Hi all: I am connected a new remote site using a vpn concentrator and cisco 1760 router
RE: [ActiveDir] Problem at remote site
Jennifer,

I haven't paid close attention to the thread or the issues that you've been having - other than you had a problem getting it promoted. I suspect that the cause is likely related.

First, Network Browse uses a completely different set of communication methods and the fact that you can or cannot see anything via browsing is really immaterial at this point. I'd suggest pings to the DCs on the other end of the connection and directed telnet over 389, 3268, 88, etc. to get a feel for the real communication abilities.

Look this over as well. For 1311 Errors, this is a perfect starting point to resolve or narrow down the problems.

http://support.microsoft.com/default.aspx?scid=kb;en-us;307593

Can you give us some detail (again... I know) on the remote and local connection methods - are there firewalls, ACLs on routers - anything that might be interfering with the wide variety of ports / protocols that AD Replication / AD Communication uses?

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Sunday, August 07, 2005 8:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

I finally got the dcpromo to work but now I am having replication issues. Here is what I see in my logs:

Event Type: Warning
Event Source: Winlogon
Event Category: None
Event ID: 1010
Date: 8/6/2005
Time: 9:57:28 PM
User: N/A
Computer: DC
Description:
Automatic enrollment against the certification authority Subordinate Enterprise CA - SRV for a certificate of type DomainController has failed. (0x8001011f) This operation returned because the timeout period expired. . Another certification authority will be tried.

Event Type: Error
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1311
Date: 8/6/2005
Time: 10:11:08 PM
User: N/A
Computer: DC
Description:
The Directory Service consistency checker has determined that either (a) there is not enough physical connectivity published via the Active Directory Sites and Services Manager to create a spanning tree connecting all the sites containing the Partition CN=Configuration,DC=rb,DC=net, or (b) replication cannot be performed with one or more critical servers in order for changes to propagate across all sites (most often due to the servers being unreachable).

For (a), please use the Active Directory Sites and Services Manager to do one of the following:
1. Publish sufficient site connectivity information such that the system can infer a route by which this Partition can reach this site. This option is preferred.
2. Add an ntdsConnection object to a Domain Controller that contains the Partition CN=Configuration,DC=rb,DC=net in this site from a Domain Controller that contains the same Partition in another site.

For (b), please see previous events logged by the NTDS KCC source that identify the servers that could not be contacted.

Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1566
Date: 8/6/2005
Time: 10:11:08 PM
User: N/A
Computer: DC
Description:
All servers in site CN=domain,CN=Sites,CN=Configuration,DC=domain,DC=net that can replicate partition CN=Configuration,DC=domain,DC=net over transport CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=net are currently unavailable.

I checked and this computer cannot browse to any of domain controllers (network is not available). I can browse the domain controllers from clients so it looks like this server is an issue. And the clients can browse this server. Any thoughts?

Thank you for your time!
Jennifer
RE: [ActiveDir] Problem at remote site
I can only browse our file server but the connection is very slow to come up. I cannot browse any other server. I can, however, telnet to all ports on the boxes I cannot browse to. All of my clients at the remote site can browse these servers without issue. I am seeing tons of 1311 errors:

Event Type: Error
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1311
Date: 8/7/2005
Time: 1:30:21 PM
User: N/A
Computer: DC
Description:
The Directory Service consistency checker has determined that either (a) there is not enough physical connectivity published via the Active Directory Sites and Services Manager to create a spanning tree connecting all the sites containing the Partition CN=Configuration,DC=domain,DC=net, or (b) replication cannot be performed with one or more critical servers in order for changes to propagate across all sites (most often due to the servers being unreachable).

For (a), please use the Active Directory Sites and Services Manager to do one of the following:
1. Publish sufficient site connectivity information such that the system can infer a route by which this Partition can reach this site. This option is preferred.
2. Add an ntdsConnection object to a Domain Controller that contains the Partition CN=Configuration,DC=domain,DC=net in this site from a Domain Controller that contains the same Partition in another site.

For (b), please see previous events logged by the NTDS KCC source that identify the servers that could not be contacted.

When I check the sites and services, I see a connector for all of the DCs in my site. I also noticed that the KCC configured it to be an IP not RPC connection. There aren't any ACLs, firewalls that are in the way of these servers.

Thank you for your time!
Jennifer

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, August 07, 2005 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

Jennifer,

I haven't paid close attention to the thread or the issues that you've been having - other than you had a problem getting it promoted. I suspect that the cause is likely related.

First, Network Browse uses a completely different set of communication methods and the fact that you can or cannot see anything via browsing is really immaterial at this point. I'd suggest pings to the DCs on the other end of the connection and directed telnet over 389, 3268, 88, etc. to get a feel for the real communication abilities.

Look this over as well. For 1311 Errors, this is a perfect starting point to resolve or narrow down the problems.

http://support.microsoft.com/default.aspx?scid=kb;en-us;307593

Can you give us some detail (again... I know) on the remote and local connection methods - are there firewalls, ACLs on routers - anything that might be interfering with the wide variety of ports / protocols that AD Replication / AD Communication uses?

Rick
RE: [ActiveDir] Problem at remote site
Hi..

Replace the Cisco 1760 with a Sonic Wall. ( Just Kidding ). How about doing a system state backup of your local DC and transfer the file to the remote server, then promote your DC using the switch that tells it to use the system state file? Just a thought.

Jose :-0

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jennifer Fountain
Sent: Friday, August 05, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem at remote site

Hi all:

I am connecting a new remote site using a vpn concentrator and cisco 1760 router. Works fine, I can get to servers, etc. While I get the DCs configured, I am trying to get my users to authenticate using a DC at corp site (trying to do all of this remotely - setup the DC, etc). I am faced with two issues - none of my clients are able to log into the domain from the remote and the DC that I am configuring there keeps timing out before it is done installing AD. I have a bucable modem (1m down 768 up). Does anyone have any pointers on what I need to do to make this happen? Thanks for any advice :(

Kind Regards,
Jennifer Fountain
Systems Administrator/Security
RB Distribution
3400 E Walnut Street
Colmar, PA 18915
RE: [ActiveDir] Problem at remote site
Oh.. one more thing, the DCPROMO /adv switch only works on a 2003 server.

Jose :-)
RE: [ActiveDir] Problem at remote site
Doh - we are still running 2000. Upgrading soon but not there yet. I don't understand why it keeps giving me a service hasn't started due to timeout error while it's creating the service account. I have done this before at our remote site in Sweden so I am baffled. :(

Thank you for your time!
Jennifer
RE: [ActiveDir] Problem at remote site
Hi Jennifer,

I also had this happen to me at a remote site back in 2001 when I was implementing AD for Slamdunk Networks.. We found that the latency time was high... even though we had an IPSEC tunnel going through a full T1 at one site to a 10 MB pipe at Corporate. Try doing this on a weekend or late at night when the network is less utilized and see if that helps. What I ended up doing is building a DC at our HQ and shipping it to them. I am really glad that Microsoft came out with the new DCPromo / ADV switch for 2003.

Jose :-)