Discussion:
dcdiag - Starting test: KnowsOfRoleHolders - DsBindWithSpnEx() failed with error 1722
Felix
2006-02-05 01:29:36 UTC
Ran DCDIAG on my domain controller which resides in another site (this is
just an additional domain controller) and I receive the following error on
it.
SRV2 is the Schema Owner and Domain Role Owner. I appreciate any kind of
info and how to fix these replication problems. I did run a portqry and I had
problems with 3 out of 4 ports not listening. I am not sure whether that
might be the reason, but just a thought. But, I will leave it to the experts
to get back. I have also posted in my previous posting in the networking group
about the portqry, what I did and the results of it.

Starting test: KnowsOfRoleHolders
[SRV2] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
Warning: WRROOT2 is the Schema Owner, but is not responding to DS RPC Bind.
[SRV2] LDAP search failed with error 58,
The specified server cannot perform the requested operation..
Warning: SRV2 is the Schema Owner, but is not responding to LDAP Bind.
Warning: SRV2 is the Domain Owner, but is not responding to DS RPC Bind.
Warning: SRV2 is the Domain Owner, but is not responding to LDAP Bind.
Paul Williams [MVP]
2006-02-05 10:11:53 UTC
Are the firewalls or switches that separate the sites blocking any ports?

Are you able to resolve the remote DCs? To test, run the following command:

nslookup -type=srv _ldap._tcp.sitename._sites.dc._msdcs.domain-name.com


Are you able to use PORTQRY against the Schema master? To do so, query TCP
135 and then query one of the high ports listed in the RPC endpoint mapper
output.

Download PORTQRY from Microsoft if it isn't installed as part of your
support tools.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
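
The checks from the post above (SRV lookup, then TCP 135 and the other fixed DC ports), as an added PowerShell example that is not part of the original thread. It assumes a current Windows host where Resolve-DnsName is available; the domain and site names are the thread's placeholders and the port list is an assumption. It reports a name that will not resolve separately from a port result, and labels ports with the three states PORTQRY uses.

```powershell
# Added example, not from the thread. $Domain and $Site are placeholders.
param(
    [string]$Domain = 'domain-name.com',
    [string]$Site = 'sitename',
    # Fixed DC ports (assumed list); the dynamic RPC ports come from the TCP 135 query.
    [int[]]$Ports = @(53, 88, 135, 389, 445, 3268),
    [int]$TimeoutMs = 3000
)

function Test-TcpPort {
    param([System.Net.IPAddress]$Address, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient($Address.AddressFamily)
    try {
        $pending = $client.BeginConnect($Address, $Port, $null, $null)
        # No answer at all within the timeout: packets are being dropped on the path.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'FILTERED' }
        $client.EndConnect($pending)   # throws if the connection was actively refused
        return 'LISTENING'
    } catch {
        return 'NOT LISTENING'
    } finally {
        $client.Close()
    }
}

# Step 1: the SRV lookup from the post, done with Resolve-DnsName instead of nslookup.
$srvName = "_ldap._tcp.${Site}._sites.dc._msdcs.${Domain}"
try {
    $targets = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique
} catch {
    Write-Warning "SRV lookup failed for ${srvName}: fix DNS before testing ports."
    return
}

foreach ($dc in $targets) {
    # Step 2: a host name that does not resolve is a DNS problem, not a port problem.
    try { $ip = [System.Net.Dns]::GetHostAddresses($dc)[0] }
    catch {
        [pscustomobject]@{ Server = $dc; Port = '-'; Result = 'NAME NOT RESOLVED' }
        continue
    }
    # Step 3: one connect test per fixed port.
    foreach ($port in $Ports) {
        [pscustomobject]@{ Server = $dc; Port = $port; Result = Test-TcpPort $ip $port $TimeoutMs }
    }
}
```

Run it from the DC that reports error 1722 and again from a working DC in the main site; a difference between the two runs points at the path between the sites rather than at the target server.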
Paul Bergson
2006-02-06 01:54:05 UTC
I would suggest PortQryUI and select the "Domains and Trusts" option.

Also, if the DC is between a firewall, which ports are open? Check the link
below for the details of open ports; it details which ports need to be open
for DC-to-DC replication (it is a trust link, but it is correct on port
openings).


Click on the NT4 -v- Active Directory Trust (Look for the "Configure 2003
Firewall Ports...")

http://pbbergs.dynu.com/windows/articles.htm
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
Felix
2006-02-06 13:37:39 UTC
Hi Guys!

Sorry, I had posted this in Networking, but will post here. I did a portqry
from our main DC on the main site to the remote DC and this is what I got.
In some cases I got all the ports as NOT LISTENING.

I did a portqry and found out that the following ports are showing up as NOT
LISTENING. Could this be on the router side that it could be turned off and
needed to be enabled? I did this from a working domain controller to the
server that is having problems with AD replication, FRS etc...and this is
the result I got. In one of the servers all the ports are NOT LISTENING which
includes port 1025. Thanks and I appreciate your response.

TCP port 1094 (unknown service): NOT LISTENING
TCP port 1025 (unknown service): LISTENING
TCP port 1029 (unknown service): NOT LISTENING
TCP port 6004 (unknown service): NOT LISTENING
Paul Williams [MVP]
2006-02-06 15:38:07 UTC
You should query TCP135 and then look at the ports provided as the response.
Check the DS ones via additional PORTQRYs.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Felix
2006-02-06 18:03:39 UTC
1. I was able to resolve the remote DCs with the nslookup command
(nslookup -type=srv _ldap._tcp.sitename._sites.dc._msdcs.domain-name.com).

2. I did a portqry from the domain controller which is having a problem to
our main root DNS server and this is the error I get

Starting portqry.exe -n wrroot2.domain.com -e 135 -p TCP ...

Querying target system called:

wrroot2.domain.com

Attempting to resolve name to IP address...

Failed to resolve name to IP address
portqry.exe -n wrroot2.domain.com -e 135 -p TCP exits with return code
0x00000063.

3. Finally, from one DC in the main site I ran the PortQryUI tool and tried to
query 1094, 1025, 1029, 6004 and I got the following:

TCP port 1094 (unknown service): NOT LISTENING
TCP port 1025 (unknown service): LISTENING
TCP port 1029 (unknown service): NOT LISTENING
TCP port 6004 (unknown service): NOT LISTENING

So, this is my diagnosis from whatever you requested of me.