Question
Good afternoon, colleagues!
The primary domain controller was set up on Windows Server 2012 (AD-DC); some time later I added a backup domain controller on Windows Server 2016 (RD-DC).
After a tragic turn of events, the hard disk on the latter (Windows Server 2016 (RD-DC)) died; when I tried to restore it from a backup, the server crashed to a blue screen on boot. It was decided to remove it manually. The server was shut down and disconnected from the network. I checked the FSMO roles: they were all on the primary controller. I performed a metadata cleanup with ntdsutil, after which the server was removed from DNS (and from the Name Servers list). Here is what I have at the moment:
ntfrsutl ds
ERROR - Cannot bind w/authentication to computer, (null); 000006d9 (1753)
ERROR - Cannot bind w/o authentication to computer, (null); 000006d9 (1753)
ERROR - Cannot RPC to computer, (null); 000006d9 (1753)
dcdiag
Запуск проверки: Services
Неверный тип запуска службы: NtFrs на AD-DC, текущее значение — DISABLED, ожидаемое значение — AUTO_START
Служба NtFrs в [AD-DC] остановлена
......................... AD-DC — не пройдена проверка Services
Запуск проверки: SystemLog
......................... AD-DC — пройдена проверка SystemLog
Запуск проверки: VerifyReferences
Проблемы у некоторых объектов, относящихся к DC AD-DC:
[1] Проблема: Отсутствует ожидаемое значение
Базовый объект: CN=AD-DC,OU=Domain Controllers,DC=domain,DC=loc
Описание базового объекта: «Объект учетной записи DC»
Имя атрибута объекта значения: frsComputerReferenceBL
Описание объекта значения: «Объект члена SYSVOL FRS»
Рекомендуемое действие: См. статью базы знаний: Q312862
......................... AD-DC — не пройдена проверка VerifyReferences
Unfortunately, KB article Q312862 does not help at all, since it describes obsolete forms of replication.
I tried to bring up a new backup domain controller; it installs successfully, but the SYSVOL share is not created on it and replication does not happen.
Answers
In fact, SYSVOL replication in your environment is handled by DFSR, and FRS should not be running at all. So the FRS-related errors (the ones in the first post of the thread) can be ignored. They occur because the migration of SYSVOL replication to DFSR cannot complete (which is what the "Удаление" status for AD-DC indicates). The DFSR configuration data in AD looks normal.
The reason the migration cannot complete must be looked for in the DFSR event log and in the DFSR logs in the folder C:\Windows\debug: Dfsr#####.log and DfsrMig_###.log. One possible cause is accidental-deletion protection on some NTFRS objects in AD (see, for example, the last post in this thread on the English-language forum, which has a handy script for removing the protection). Likewise, the reason SYSVOL is not replicating to the new domain controller must be looked for in the event logs and DFSR logs on the old and new domain controllers. And it is unlikely to be related to the unfinished FRS-to-DFSR migration: at this stage DFSR replication should already be configured and fully operational.
Glory to Russia!
Marked as answer: 17 July 2017, 17:26
On the subject, this article helped a little:
http://forum.oszone.net/post-2582726.html
After a forced (authoritative) synchronization of the DFSR-replicated SYSVOL (like "D4" for FRS), you have to wait at least 1 hour.
After that, replication starts, but the errors (above) remain.
As for the first "error" (ntfrsutl ds): it is actually not an error but a leftover of File Replication Service (FRS), since the service itself is disabled. When a domain is installed from scratch on Windows Server 2008 R2 or later, Distributed File System Replication (DFSR) is used.
As for the second "error":
I came across this article, DCDiag error after upgrading to DFS-R:
"DFS-R replication of the SYSVOL replication group looks to be otherwise healthy. This error is caused by some poor logic in dcdiag.exe when the domain controllers have been moved from the default "Domain Controllers" OU. If you move the domain controllers back to the default "Domain Controllers" OU the error will disappear. However, leaving them where they are is likely to cause no problems, other than give you a dcdiag.exe error. Microsoft plan to fix this in Windows Server 2012."
In short, if your replication works fine but you still see these errors, just ignore them.
Marked as answer by Vihor, 17 July 2017, 17:25
On the second error: what the article describes does not match your case, because your controller is located precisely in Domain Controllers, so the dcdiag error should not appear. Run adsiedit.msc, connect to the domain (Default naming context) and look at the attributes of the domain controller object to see what the frsComputerReferenceBL attribute is set to (if it is not there, check whether the attribute filter has display of backlink attributes enabled). After migration to DFSR the value of this attribute should become empty.
Glory to Russia!
Marked as answer by Vihor, 18 July 2017, 7:12
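The checks the two answers above describe (the frsComputerReferenceBL backlink on each DC's computer object, the NtFrs service start type, leftover NTFRS objects under CN=File Replication Service that are protected from accidental deletion, and the DFSR migration state), as an added PowerShell example that is not part of the thread. It assumes Windows PowerShell 5.1 on a domain controller with the RSAT ActiveDirectory module, rights to read the domain's System container and to query services on the other DCs, and that dfsrmig.exe is present (it ships with every DC from Windows Server 2008 on). The function names are my own; the script only reads and changes nothing.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 on a DC
# with the RSAT ActiveDirectory module; read-only.
Import-Module ActiveDirectory

# Per-DC view of what the answer says to inspect in adsiedit: the backlink
# frsComputerReferenceBL (expected empty once the FRS member object is gone)
# and the NtFrs start type (DISABLED is the expected state after the move
# to DFSR, even though dcdiag's Services test flags it).
function Get-DcFrsState {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $comp = Get-ADObject -Identity $dc.ComputerObjectDN -Properties frsComputerReferenceBL
        $svc  = Get-Service -ComputerName $dc.HostName -Name NtFrs -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC                     = $dc.HostName
            FrsComputerReferenceBL = (@($comp.frsComputerReferenceBL) -join '; ')
            NtFrsStartType         = if ($svc) { $svc.StartType } else { 'n/a' }
        }
    }
}

# The FRS objects that the last migration phase deletes. Any that survive
# with ProtectedFromAccidentalDeletion set are the blocker the answer
# describes; the protection has to be cleared before dfsrmig can finish.
function Get-LegacyFrsObjects {
    $domainDn = (Get-ADDomain).DistinguishedName
    $frsBase  = "CN=File Replication Service,CN=System,$domainDn"
    Get-ADObject -SearchBase $frsBase -SearchScope Subtree -LDAPFilter '(objectClass=*)' `
        -Properties ProtectedFromAccidentalDeletion -ErrorAction SilentlyContinue |
        Select-Object DistinguishedName, ObjectClass, ProtectedFromAccidentalDeletion
}

# Global DFSR migration state as dfsrmig reports it. The settled states are
# Start, Prepared, Redirected and Eliminated; a transitional word that never
# changes means the step is stuck and the DfsrMig log is the place to look.
function Get-DfsrMigrationState {
    (& dfsrmig.exe /getglobalstate) -join ' '
}

Get-DcFrsState       | Format-Table -AutoSize
Get-LegacyFrsObjects | Format-Table -AutoSize
Get-DfsrMigrationState
```

A DC whose FrsComputerReferenceBL column is still populated while the global state reads Eliminated is the inconsistent case worth chasing in Dfsr#####.log; a protected object in the second table is the one the linked script would unprotect.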
I've got a Win 2003 server running a TFS server, and a Win 2008 server acting as a PDC.
A few days ago, I changed my DHCP and DNS server (which used to be the Win 2008 server) to a Cisco router.
Since then, I've not been able to log in on my TFS server, which keeps complaining that my domain doesn't exist.
I've run dcdiag from my local Admin account to debug:
dcdiag /v /s:MYPDC /u:MYDOMAIN\Brann /p:*
Which returned me this error:
* Active Directory LDAP Services Check
The host 95cb8ce0-ecb1-43e3-87aa-e4ce74fe6._msdcs.MYDOMAIN could not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
......................... MYPDC failed test Connectivity
I changed my DHCP server to use MYPDC as the primary DNS server again, and this error stopped appearing.
I restarted the server, confident that the issue was solved, but now I'm getting this:
Starting test: VerifyReferences
Some objects relating to the DC IDS-SERVER have problems:
[1] Problem: Missing Expected Value
Base Object: CN=MYPDC,OU=Domain Controllers,DC=MYDOMAIN
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
......................... IDS-SERVER failed test VerifyReferences
I've tried troubleshooting File Replication Service as suggested in Q312862, but I'm stuck at the beginning:
C:\Documents and Settings\Administrator>ntfrsutl ds TFS
ERROR - Cannot bind w/authentication to computer, TFS; 000006d9 (1753)
ERROR - Cannot bind w/o authentication to computer, TFS; 000006d9 (1753)
ERROR - Cannot RPC to computer, TFS; 000006d9 (1753)
C:\Documents and Settings\Administrator>ntfrsutl ds MYPDC
ERROR - Cannot RPC to computer, MYPDC; 000006d2 (1746)
Any ideas on what to try next?
Btw, other Vista computers on this domain can log in just fine.
Hi,
I have a small client who has a Windows Server 2008 R2 child domain that runs as a DC and Exchange 2010. I am not seeing any issues in either domain in regards to email or DC permissions. However, I am getting this error and have for quite a while. Not sure if this is critical or not, since I am not getting any reports of problems from users.
I thought I should report it just in case the problem could persist into being a bigger issue.
Log Name: File Replication Service
Source: NtFrs
Date: 15/01/2011 1:27:56 PM
Event ID: 13575
Task Category: None
Level: Error
Keywords: Classic
Description:
This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
DFS replication has no errors in the event log and appears to be replicating correctly.
The biggest issue is not being able to start the NTFRS service and when I reboot the computer it works for a while then it goes back to not starting in a timely manner.
When I run NTFRSutl I get the following error
PS C:\Windows\system32> ntfrsutl.exe ds
ERROR - Cannot bind w/authentication to computer, (null); 000006d9 (1753)
ERROR - Cannot bind w/o authentication to computer, (null); 000006d9 (1753)
ERROR - Cannot RPC to computer, (null); 000006d9 (1753)
PS C:\Windows\system32> ntfrsutl.exe sets
ERROR - Cannot bind w/authentication to computer, (null); 000006d9 (1753)
ERROR - Cannot bind w/o authentication to computer, (null); 000006d9 (1753)
ERROR - Cannot RPC to computer, (null); 000006d9 (1753)
Any help would be greatly appreciated
Thomas R Grassi Jr
Mar 7, 2009, 5:47:43 PM
I have two Windows 2003 R2 Standard DC servers SP2
trying to get file replication sysvol netlogon shares working.
ran this command on DC1: ntfrsutl ds dc1
results
ERROR cannot bind w/authentication to computer, dc1 000006d9 (1753)
ERROR Cannot bind w/o authentication to computer dc1 000006d9 (1753)
ERROR Cannot RPC to computer dc1 000006d9 (1753)
I turned off my windows firewall services and get the same results
On DC2 I issue the same command and get the same results
When I issue ntfrsutl dc dc2 the results are what I would expect.
Also I can run ntfrsutl dc dc2 from dc1 and it reports good information.
So My DC1 has a problem which I am not sure where to look at this point
I have been following a KB257338 article for my SYSVOL and NETLOGON shares
issue which happens to be on DC2
DC2 has been recently added to the network.
The shares for SYSVOL and NETLOGON were not created.
This is why I was running ntfrsutl dc dc1 and then I discovered this problem
Any ideas or help thanks
Tom
Isaac Oben -MCSE, MCITP
Mar 7, 2009, 7:32:07 PM
Hello Thomas,
How long ago did you add DC2 to the network as a domain controller? I am
asking this because it might just be that DC2 has not completed
initialization of sysvol. Please do an ipconfig /all and a dcdiag /v on
both dc1 and dc2 respectively and post to the forum.
Isaac
Thomas R Grassi Jr
Mar 8, 2009, 5:04:49 AM
Isaac
It was about 1 week ago I brought it online
Yes, DC2 did not complete initialization of sysvol.
I turned off Windows Firewall on both DCs
made some changes to the registry per kb319553 kb224196
I was at work today and when I came home I saw that SYSVOL and NETLOGON was
created as shares and now when I run
ntfrsutl dc dc1 it shows valid info
now the big test will be turning on the firewalls on both dcs to see what
happens
Thanks
tom
Ace Fekay [Microsoft Certified Trainer]
Mar 8, 2009, 10:27:32 AM
Tom,
AD communication between DCs requires 29 ports opened and free and clear,
including the dynamic ephemeral response ports (UDP > 1023). I recommend
there are no firewalls (whether local or on a VPN/router) between domain
controllers in a forest blocking ports. This will ensure DCs can communicate
with each other, as well as clients can communicate with the DCs.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
ace…@mvps.RemoveThisPart.org
For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Meinolf Weber [MVP-DS]
Mar 8, 2009, 5:27:50 PM
Hello Thomas,
Please try to stick to one posting and do not post that many different ones
all belonging to the same problem.
You should think about using a newsreader where you can use crossposting
and have all answers readable for anybody.
http://www.blakjak.demon.co.uk/mul_crss.htm
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Thomas R Grassi Jr
Mar 8, 2009, 5:38:11 PM
Ace
So what you are suggesting is that I do not start the Windows Firewall
service on both my DCs.
I have a Linksys broadband router that gets everyone on the internet; use its
firewall instead?
Cause currently that's how I am running, but I thought I would be able to open
the ports necessary for AD to work, but I think the dynamic ports are the
issue; even when I hard code the ports in the registry it seems not to work.
Right now on DC2 it takes about 6 minutes for the server to start at the
point of network services; that seems to be a long time.
Also I am getting event 3096 netlogon and event 40960 lsasrv at startup.
When I issue nltest /query:
1311 ERROR_NO_LOGON_SERVERS
Not sure what that is at this point, but that happened last night and after a
while it went away. Very strange; something is still not set up right.
any ideas or help
Thanks
tom
Ace Fekay [Microsoft Certified Trainer]
Mar 9, 2009, 10:50:59 AM
Tom, this appears to be a continuation of your previous threads. Try to
stick to one thread for a problem, please. It’s starting to get confusing
keeping track.
Yes, do not use any firewall on a DC.
I still think this has to do with the VLAN subnet definitions. But then
again, at this point it may be best for you to call Microsoft PSS for this
issue, especially if these are production machines. This has been going on
some time, and without a hands-on, remoted in look by myself or a competent
engineer, it is getting difficult to diagnose. The longer this goes on, a DC
may pass the 60 day AD object lifetime point and the DC will be pretty much
useless. There is a way to force it past the 60 day point, however because
replication is not working, it would be a moot point.
Ace
If you are getting the following event id 13508 in your event logs and no 13509 afterward, then this is most likely that the File Replication between domain controllers isn’t working correctly.
File Replication Service Error
Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13508
Date:
Time:
User: N/A
Computer: DC1
Description:
The File Replication Service is having trouble enabling replication from
DC2 to DC1 for c:\windows\sysvol\domain using the DNS name
dc2. FRS will keep retrying.
Following are some of the reasons you would see this warning.
[1] FRS can not correctly resolve the DNS name dc2 from
this computer.
[2] FRS is not running on dc2.
[3] The topology information in the Active Directory for this replica has
not yet replicated to all the Domain Controllers.
NTFRSUTL.EXE error
ERROR - Cannot bind w/authentication to computer, (null); 000006d9 (1753)
ERROR - Cannot bind w/o authentication to computer, (null); 000006d9 (1753)
ERROR - Cannot RPC to computer, (null); 000006d9 (1753)
1. Check your network settings and make sure everything looks correct
2. Check your firewall and make sure RPC ports are open between domain controllers
3. Check your registry and make sure RPC ports are different between AD and FRS
Good Reference for troubleshooting RPC Endpoint Mapper errors:
http://support.microsoft.com/kb/839880
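The three checks in the list above (name resolution of the partner, RPC reachability through the firewall, and distinct static RPC ports for AD and FRS in the registry), together with the port requirement Ace states in the newsgroup thread earlier on this page, as an added PowerShell example that is not part of this post. It assumes Windows PowerShell 5.1 on a domain controller running Windows Server 2012 or later (for Test-NetConnection and Resolve-DnsName) with the RSAT ActiveDirectory module. The registry value names are the ones KB224196 (NTDS) and KB319553 (NtFrs) document; the function names are my own, and the partner name in the usage line is a constructed placeholder. Error 1753 in the ntfrsutl output above is EPT_S_NOT_REGISTERED, i.e. the endpoint mapper on the target answered but had no FRS endpoint to hand out, which is exactly what a stopped FRS service or a blocked dynamic port produces.

```powershell
# Added example, not from the post. Assumes Windows PowerShell 5.1 on a DC
# (Server 2012+) with the RSAT ActiveDirectory module; read-only.
Import-Module ActiveDirectory

# Step 3: static RPC ports, if an admin pinned them. Value names are from
# KB224196 (NTDS) and KB319553 (NtFrs); both are absent by default.
function Get-StaticRpcPorts {
    $ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                -Name 'TCP/IP Port' -ErrorAction SilentlyContinue
    $frs  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters' `
                -Name 'RPC TCP/IP Port Assignment' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NtdsPort  = $ntds.'TCP/IP Port'
        NtFrsPort = $frs.'RPC TCP/IP Port Assignment'
    }
}

# Step 1: every replication partner must resolve by its DNS name, which is
# what the 13508 warning text says FRS tries first.
function Test-DcNameResolution {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $ok = $true
        try { [void](Resolve-DnsName -Name $dc.HostName -Type A -ErrorAction Stop) }
        catch { $ok = $false }
        [pscustomobject]@{ DC = $dc.HostName; Resolves = $ok }
    }
}

# Step 2: the endpoint mapper (135) plus LDAP, SMB (the SYSVOL share) and any
# pinned static ports must be reachable on the partner. Replies to unpinned
# calls land on dynamic ports (1025-5000 on Server 2003, 49152-65535 on 2008
# and later); a TCP probe cannot enumerate that range, so it must simply be
# open between DCs, which is the point Ace makes about not firewalling DCs.
function Test-DcRpcPath {
    param([Parameter(Mandatory)][string]$PartnerDc)
    $static = Get-StaticRpcPorts
    if ($static.NtdsPort -and $static.NtFrsPort -and ($static.NtdsPort -eq $static.NtFrsPort)) {
        Write-Warning "NTDS and NtFrs are both pinned to port $($static.NtdsPort); they must differ"
    }
    $ports = @(135, 389, 445) + @(@($static.NtdsPort, $static.NtFrsPort) | Where-Object { $_ })
    foreach ($p in $ports) {
        $r = Test-NetConnection -ComputerName $PartnerDc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Partner = $PartnerDc; Port = $p; Open = $r.TcpTestSucceeded }
    }
}

Test-DcNameResolution          | Format-Table -AutoSize
Test-DcRpcPath -PartnerDc 'dc2' | Format-Table -AutoSize   # 'dc2' is a placeholder partner name
```

Run it on each DC against its partner in turn; a closed 135 means the endpoint mapper itself is blocked, while an open 135 with the FRS errors above still present points at the dynamic range or at the service not being registered on the partner, which is where the KB 839880 article picks up.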