AD Replication


Matt

Ok I got some major problems. After that Welchia virus
came through our servers I applied the rpc patch and the
dcom patch over the SP4 pack. After rebooting my two
domain controllers replication keeps failing. I have
researched every error message on the web, reinstalled
SP's, patches, everything short of destroying and
restarting over. Let me give you a brief overview of what
I have done. On DC1 (which holds all master roles) I have
tried to replicate AD connections and I keep getting this
error message. There are no more endpoints available from
the end point mapper. Error 1753.

I thought maybe it was a rpc problem hence the patching
and repatching. Second I deleted DNS and reinstalled.
What I have found is that DC1 seems to be working ok.
It's only when it tries to contact DC2 when the problem
starts. Using DCDIAG on DC1 works fine except the
replication part to DC2.

Now on DC2 here's the weird part. If I go into AD users
and computers and then into group policies I start to get
some problems. I will go to the security parts of the
policy and add a user. When I click on check names I get
that nice message about the endpoint mapper. So I cancel
out of it and start looking at the event log. I get
errors of something to the effect that the system cannot
verify user account info. It's almost like either FRS is
not letting the ports connect or even though I'm logged
in as admin, it's like the system has no way of verifying
security to the DC2 server. It also gives the error
message in DCDIAG to the effect that DS cannot Bind. Then
the majority of its tests don't even start because of
this binding problem. The error code (which I don't
remember) relates to something called
EPT_S_NOT_REGISTERED. What does that mean? So the only
thing I can figure is that either AD is not being
notified, some kind of internal dns problem not relating
to DC1, or this endpoint mapper problem 1753
EPT_S_NOT_REGISTERED.

So if you are the God of AD and Replication HELP!!!

Also why does Microsoft provide DCDIAG if all you keep
getting is that endpoint mapper problem with error 1753
that MS doesn't list? It's great finding the top Win2k
events that list those error codes but has no fix.
 
Hi there,

The error message "no more endpoints available from the
endpoint mapper" is caused by the high ports (1024-65535)
being blocked between the 2 DCs - besides port 135, AD
replication needs the high ports 1024-65535 to make a connection.
Have you got any firewall or any device blocking the
connection between the 2 DCs?

Check also the DNS server SRV record + alias record -
check whether the 2 DCs got all the necessary records!
Especially the alias record - AD replication is based on
the alias to locate the server.

If you open the AD Users & Computers MMC on the second DC and
find that it points back to the first DC, then your
second DC has not fully replicated the SYSVOL! Make sure
there is no block on the connections between the 2 DCs.

Regards,
Chai
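The reply above names two things that have to work between the DCs: TCP 135 (the endpoint mapper) and whatever dynamic high port the mapper hands out. The following probe is an added example, not code from the thread; it checks a partner DC for 135 and for a caller-supplied list of high ports (for instance the ones the partner shows as LISTENING in its own netstat) and, crucially, separates a timeout (no reply at all, the usual signature of a device dropping packets) from a refused connection (the host answered, nothing is listening). Hostnames, ports and timeouts are assumptions supplied by the caller; the loopback fixture at the bottom exists only so the block runs offline.

```python
"""Probe an AD replication partner for the RPC endpoint mapper (TCP 135) and the
dynamic "high" ports it hands out, classifying each result so that a silently
dropping firewall (timeout) can be told apart from a port with no listener (refused).
Added example; hostnames, ports and timeouts are assumptions supplied by the caller."""
import socket

RPC_ENDPOINT_MAPPER = 135


def probe_port(host, port, timeout=2.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except (socket.timeout, TimeoutError):
        return "timeout"        # no SYN-ACK and no RST: typical of a filtering device dropping packets
    except ConnectionRefusedError:
        return "refused"        # host answered with RST: reachable, but nothing listening there
    except OSError:
        return "unreachable"    # e.g. no route to host, name resolution failure


def probe_partner(host, dynamic_ports, timeout=2.0):
    """Probe the endpoint mapper first, then the dynamic ports the partner is known
    to listen on (for example taken from its own `netstat -an`)."""
    results = {RPC_ENDPOINT_MAPPER: probe_port(host, RPC_ENDPOINT_MAPPER, timeout)}
    for port in dynamic_ports:
        results[port] = probe_port(host, port, timeout)
    return results


def diagnose(results):
    """Turn the per-port results into the verdicts relevant to error 1753."""
    epm = results.get(RPC_ENDPOINT_MAPPER)
    high = {p: r for p, r in results.items() if p != RPC_ENDPOINT_MAPPER}
    if epm != "open":
        return f"endpoint mapper (135) not reachable: {epm}"
    if high and all(r == "timeout" for r in high.values()):
        return "135 reachable but every dynamic port times out: high ports look filtered"
    if high and any(r == "open" for r in high.values()):
        return "135 and at least one dynamic port reachable: not a port-filtering problem"
    return "135 reachable; dynamic ports refused: partner not listening on those ports"


def local_fixture():
    """Constructed fixture for running the probe offline: one listening loopback socket
    and one socket that is bound but not listening (connects to it are refused)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    bound_only = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    bound_only.bind(("127.0.0.1", 0))
    return listener, bound_only, listener.getsockname()[1], bound_only.getsockname()[1]


if __name__ == "__main__":
    # Real usage would be e.g. probe_partner("dc2.domainname.com", [2777, 1027]);
    # here the constructed loopback fixture stands in for the partner.
    listener, bound_only, open_port, refused_port = local_fixture()
    results = probe_partner("127.0.0.1", [open_port, refused_port])
    print(results, "->", diagnose(results))
    listener.close()
    bound_only.close()
```

Run it from the DC that reports the error, pointed at the other DC, and then from the other direction; the verdict that matters for the thread is the second one, where 135 answers but every high port times out.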
 
Ok I checked that and I'm pretty sure I have all my
records. I know I have two A records that point to both
servers and I can ping the dc(x).domainname.com and I can
also ping by ip address. On the second domain controller
if I run dcdiag I get this info...

Performing initial setup: [dc2] Directory Binding Error
1753. There are no more endpoints available from the
endpoint mapper.
This may limit some of the tests that can be performed.
Done gathering initial Info.

Doing initial required tests
Testing server: default-first-site-name\dc2
start test: connectivity
[dc2] dsbind() failed with error 1753,
There are no more endpoints available from the endpoint
mapper.
DC2 failed test connectivity

Doing Primary tests
Testing server: default-first-site-name\dc2
skipping all tests, because server dc2 is not responding
to directory service requests

Running enterprise tests on : domainname.com
starting test: intersite - passed
Starting test: fsmocheck - passed

Then I ran netstat -an and got

Active Connections

Proto  Local Address        Foreign Address      State
TCP    0.0.0.0:88           0.0.0.0:0            LISTENING
TCP    0.0.0.0:135          0.0.0.0:0            LISTENING
TCP    0.0.0.0:389          0.0.0.0:0            LISTENING
TCP    0.0.0.0:445          0.0.0.0:0            LISTENING
TCP    0.0.0.0:464          0.0.0.0:0            LISTENING
TCP    0.0.0.0:636          0.0.0.0:0            LISTENING
TCP    0.0.0.0:1027         0.0.0.0:0            LISTENING
TCP    0.0.0.0:1055         0.0.0.0:0            LISTENING
TCP    0.0.0.0:1057         0.0.0.0:0            LISTENING
TCP    0.0.0.0:1096         0.0.0.0:0            LISTENING
TCP    0.0.0.0:1102         0.0.0.0:0            LISTENING
TCP    0.0.0.0:1121         0.0.0.0:0            LISTENING
TCP    0.0.0.0:1227         0.0.0.0:0            LISTENING
TCP    0.0.0.0:1347         0.0.0.0:0            LISTENING
TCP    0.0.0.0:1775         0.0.0.0:0            LISTENING
TCP    0.0.0.0:1776         0.0.0.0:0            LISTENING
TCP    0.0.0.0:1777         0.0.0.0:0            LISTENING
TCP    0.0.0.0:1778         0.0.0.0:0            LISTENING
TCP    0.0.0.0:1955         0.0.0.0:0            LISTENING
TCP    0.0.0.0:2777         0.0.0.0:0            LISTENING
TCP    0.0.0.0:3372         0.0.0.0:0            LISTENING
TCP    0.0.0.0:3709         0.0.0.0:0            LISTENING
TCP    0.0.0.0:3939         0.0.0.0:0            LISTENING
TCP    0.0.0.0:3941         0.0.0.0:0            LISTENING
TCP    0.0.0.0:3989         0.0.0.0:0            LISTENING
TCP    0.0.0.0:5800         0.0.0.0:0            LISTENING
TCP    0.0.0.0:5900         0.0.0.0:0            LISTENING
TCP    10.2.100.2:139       0.0.0.0:0            LISTENING
TCP    10.2.100.2:389       10.2.100.2:3939      ESTABLISHED
TCP    10.2.100.2:389       10.2.100.2:3941      ESTABLISHED
TCP    10.2.100.2:389       10.2.100.2:3979      TIME_WAIT
TCP    10.2.100.2:389       10.2.100.2:3982      TIME_WAIT
TCP    10.2.100.2:389       10.2.100.2:3985      TIME_WAIT
TCP    10.2.100.2:389       10.2.100.2:3988      TIME_WAIT
TCP    10.2.100.2:389       10.2.100.2:3994      TIME_WAIT
TCP    10.2.100.2:445       10.2.100.2:3989      ESTABLISHED
TCP    10.2.100.2:2777      10.2.100.1:1026      ESTABLISHED
TCP    10.2.100.2:3709      10.2.100.2:389       CLOSE_WAIT
TCP    10.2.100.2:3939      10.2.100.2:389       ESTABLISHED
TCP    10.2.100.2:3941      10.2.100.2:389       ESTABLISHED
TCP    10.2.100.2:3980      10.2.100.2:135       TIME_WAIT
TCP    10.2.100.2:3981      10.2.100.2:135       TIME_WAIT
TCP    10.2.100.2:3983      10.2.100.2:135       TIME_WAIT
TCP    10.2.100.2:3984      10.2.100.2:135       TIME_WAIT
TCP    10.2.100.2:3986      10.2.100.2:135       TIME_WAIT
TCP    10.2.100.2:3987      10.2.100.2:135       TIME_WAIT
TCP    10.2.100.2:3989      10.2.100.2:445       ESTABLISHED
TCP    10.2.100.2:3990      10.2.100.2:135       TIME_WAIT
TCP    10.2.100.2:3991      10.2.100.2:135       TIME_WAIT
TCP    10.2.100.2:3992      10.2.100.2:135       TIME_WAIT
TCP    10.2.100.2:3993      10.2.100.2:135       TIME_WAIT
TCP    10.2.100.2:3995      10.2.100.2:135       TIME_WAIT
TCP    10.2.100.2:3996      10.2.100.2:135       TIME_WAIT
TCP    10.2.100.2:5900      10.2.254.2:3891      ESTABLISHED
TCP    127.0.0.1:389        127.0.0.1:1775       ESTABLISHED
TCP    127.0.0.1:389        127.0.0.1:1776       ESTABLISHED
TCP    127.0.0.1:389        127.0.0.1:1778       ESTABLISHED
TCP    127.0.0.1:1057       127.0.0.1:389        CLOSE_WAIT
TCP    127.0.0.1:1775       127.0.0.1:389        ESTABLISHED
TCP    127.0.0.1:1776       127.0.0.1:389        ESTABLISHED
TCP    127.0.0.1:1778       127.0.0.1:389        ESTABLISHED
TCP    127.0.0.1:2638       0.0.0.0:0            LISTENING
UDP    0.0.0.0:445          *:*
UDP    0.0.0.0:1032         *:*
UDP    0.0.0.0:1051         *:*
UDP    0.0.0.0:1056         *:*
UDP    0.0.0.0:1287         *:*
UDP    0.0.0.0:1345         *:*
UDP    0.0.0.0:1347         *:*
UDP    0.0.0.0:1724         *:*
UDP    0.0.0.0:1774         *:*
UDP    0.0.0.0:1956         *:*
UDP    0.0.0.0:2967         *:*
UDP    0.0.0.0:3938         *:*
UDP    10.2.100.2:88        *:*
UDP    10.2.100.2:123       *:*
UDP    10.2.100.2:137       *:*
UDP    10.2.100.2:138       *:*
UDP    10.2.100.2:389       *:*
UDP    10.2.100.2:464       *:*
UDP    10.2.100.2:500       *:*

Any more ideas?
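A long `netstat -an` listing like the one in the post above is easier to reason about once it is reduced to the three questions that matter for error 1753: is the endpoint mapper (TCP 135) listening, which high ports does this DC actually hold open, and which of the connections involve the replication partner rather than the machine talking to itself. The parser below is an added example, not code from the thread; the embedded sample is a constructed, condensed subset of DC2's listing (DC2 = 10.2.100.2, DC1 = 10.2.100.1), and the set of local addresses and the partner address are assumptions passed in by the caller.

```python
"""Summarise a Windows `netstat -an` dump for AD / RPC endpoint-mapper troubleshooting.
Added example; local IPs and the partner DC's IP are supplied by the caller."""
import re

# Constructed sample: a condensed subset of the netstat listing posted for DC2.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2777           0.0.0.0:0              LISTENING
  TCP    10.2.100.2:2777        10.2.100.1:1026        ESTABLISHED
  TCP    10.2.100.2:3980        10.2.100.2:135         TIME_WAIT
  TCP    10.2.100.2:3981        10.2.100.2:135         TIME_WAIT
  TCP    10.2.100.2:5900        10.2.254.2:3891        ESTABLISHED
  TCP    127.0.0.1:389          127.0.0.1:1775         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    10.2.100.2:88          *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")
RPC_ENDPOINT_MAPPER = 135
DYNAMIC_RANGE = range(1024, 65536)  # the "high ports" RPC hands out after the 135 lookup


def parse_netstat(text):
    """Return one dict per connection line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({
            "proto": proto, "local_addr": laddr, "local_port": int(lport),
            "foreign_addr": faddr, "foreign_port": fport,  # "*" for UDP
            "state": state or "",
        })
    return rows


def summarize(rows, local_ips, peer_ip):
    """Answer the 1753-relevant questions for this host.

    local_ips: set of this machine's addresses (include 127.0.0.1) so that
               self-connections are not mistaken for partner traffic.
    peer_ip:   the replication partner whose traffic we want to isolate.
    """
    listening = sorted({r["local_port"] for r in rows
                        if r["proto"] == "TCP" and r["state"] == "LISTENING"})
    summary = {
        "epm_listening": RPC_ENDPOINT_MAPPER in listening,
        "dynamic_listeners": [p for p in listening if p in DYNAMIC_RANGE],
        "peer_established": [],   # (local_port, peer_port) pairs actually up with the partner
        "local_epm_attempts": 0,  # this host connecting to its own endpoint mapper
        "other_hosts": set(),     # everything else talking to this DC
    }
    wildcard = local_ips | {"0.0.0.0"}
    for r in rows:
        if r["proto"] != "TCP":
            continue
        if r["foreign_addr"] == peer_ip and r["state"] == "ESTABLISHED":
            summary["peer_established"].append((r["local_port"], int(r["foreign_port"])))
        elif r["foreign_addr"] in local_ips and int(r["foreign_port"]) == RPC_ENDPOINT_MAPPER:
            summary["local_epm_attempts"] += 1
        elif r["foreign_addr"] not in wildcard and r["foreign_addr"] != peer_ip:
            summary["other_hosts"].add(r["foreign_addr"])
    return summary


def report(summary, peer_ip):
    """Human-readable version of summarize()'s result."""
    lines = [
        f"endpoint mapper (135) listening: {summary['epm_listening']}",
        f"dynamic ports held open: {summary['dynamic_listeners']}",
        f"established with partner {peer_ip}: {summary['peer_established']}",
        f"connections to own endpoint mapper: {summary['local_epm_attempts']}",
        f"other hosts connected: {sorted(summary['other_hosts'])}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(report(summarize(rows, {"10.2.100.2", "127.0.0.1"}, "10.2.100.1"), "10.2.100.1"))
```

Paste the full listing from the post in place of the sample and the same picture appears: DC2 has 135 and a number of high ports listening, the one ESTABLISHED connection involving DC1 is 10.2.100.1:1026 to DC2's port 2777, and every TIME_WAIT entry is DC2 connecting to its own endpoint mapper. What a local listing cannot show is whether DC1 can reach those high ports through whatever sits between the two machines; that has to be probed from DC1's side.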
 
Hi there,

OK, so now can DC1 replicate to DC2 or not?
Or can DC2 replicate to DC1 or not?

If the problem is on DC2 then maybe your DC2 alias name -
found in the _MSDCS.yourdomain folder in DNS Server - is not in there?
Can you check for something like 1212wdwddwdw? If not, try to
create the alias name and point it to the correct DC.

If you get the error message indicating that there are no
more endpoints then something must be blocking the
connection between the 2 servers - does your server have a
personal firewall installed? Please check it out.

Regards,
Chai
 
Well DC1 when dcdiag is ran only gives the Endpoint
mapper error when it tries to verify replication to DC2.
Neither DC's can replicate to each other. I would double
check tomorrow if that record is there. So far I have
found two records for both domain controllers and their
appropriate ip address. They are also on the same lan line
with the address of DC1 10.2.100.1 and DC2 10.2.100.2.

I tried to delete the auto generated sites in ad sites
and services and well the one for that local domain
creates the auto generated but not the other. EX: DC1
shows in ad to regenerate that ad connection to DC2. But
on DC1 where it shows the second domain controller it
does not create the auto generation. Vice versa on the
second domain controller. If I right click and tell it to
replicate then it says something to the effect that the
directory is either in the process of starting up or
shutting down.

If you want send me a email to my work email so I can
respond faster. This is driving me batty. I'm almost to
the point of Fdisking the drive and starting over. Then I
would have to do that ugly ntdsutil meta data cleanup. :(
 