RPC Enforcement issues on DNS, Active Directory and Certification Authority.


We are facing a problem of the DNS service not getting started on domain controllers. The errors below are seen on the domain controller when we try to start the DNS service.

DNS server error in Event Viewer:

The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto the domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of a DNS server for the domain to the DNS server list in the Internet Protocol properties of the computer. This event is logged every 2 minutes until AD DS has signaled that the initial synchronization has completed.

Directory Service error in Event Viewer:

Active Directory Domain Services could not use the following RPC protocol sequence.

RPC protocol sequence:
ncacn_ip_tcp

Although the RPC protocol sequence appears to be installed, Active Directory Domain Services cannot use the protocol sequence for communication.

Additional data
Error value:
87 The parameter is incorrect.

 

We started observing the problem after adding RPC enforcement registry entries on our certification authorities and domain controllers.
After the change was made to the registry, replication between DNS servers is down, Active Directory services are not getting started, and the CA machines are not able to see templates.

The parameters below were added to the registry.

1. Ports: 5000-5255
2. PortsInternetAvailable: Y
3. UseInternetPorts: Y

After seeing the problem, we deleted these registry entries and rebooted the DC, and it is working fine. We wanted to find out whether there is a relation between the RPC settings and the problem of the DNS service not getting started.

Also, I am not sure why RPC enforcement is required. I did it as per one of the documents available to me :)

Can anyone throw light on the role of these RPC registry entries?


Thanks
Vittal


M.S.Vittal TechMahindra Ltd

I have never configured such registry keys, nor was it required, because I refrain from configuring such keys on a DC, because it is difficult to restrict to specific ports. It was required in older OS versions; the OS now comes with more secure encryption (AES) and the enhanced Kerberos protocol v5. I have seen large environments and have never found a recommendation to create such keys till now.

http://forums.techarena.in/active-directory/1143476.htm

I haven't seen a recommendation in any of the new OS versions till now, so it is better to get rid of these entries. The articles below might give an overview.

http://blogs.technet.com/b/networking/archive/2008/10/24/rpc-to-go-v-1.aspx

http://www.ehow.com/list_6734312_microsoft-rpc-protocols.html

http://support.microsoft.com/kb/325930

 

Regards


Awinish Vishwakarma

My blog: http://awinish.wordpress.com/


This posting is provided as-is with no warranties/guarantees, and confers no rights.
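
For anyone auditing a domain controller or CA for the three entries listed in the question, the following is an added example and not part of either post. It assumes the entries were created under the standard RPC port-restriction key `HKLM\SOFTWARE\Microsoft\Rpc\Internet`, with `Ports` as a multi-string value and the two switches as string values set to Y or N; the function name is hypothetical.

```powershell
# Added example (not from the thread): audit the three RPC port-restriction values.
# Assumption: they live under the standard key HKLM\SOFTWARE\Microsoft\Rpc\Internet.
function Get-RpcPortRestriction {
    param([string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet')

    if (-not (Test-Path -Path $KeyPath)) {
        [pscustomobject]@{ Name = $KeyPath; Kind = $null; Value = $null
                           Finding = 'key absent: no RPC port restriction configured' }
        return
    }
    $key = Get-Item -Path $KeyPath
    # Expected value kinds: Ports is a multi-string, the two switches are strings.
    $expected = [ordered]@{
        Ports                  = 'MultiString'
        PortsInternetAvailable = 'String'
        UseInternetPorts       = 'String'
    }
    foreach ($name in $expected.Keys) {
        if ($key.GetValueNames() -notcontains $name) {
            [pscustomobject]@{ Name = $name; Kind = $null; Value = $null; Finding = 'not set' }
            continue
        }
        $kind     = $key.GetValueKind($name).ToString()
        $value    = @($key.GetValue($name))
        $findings = @()
        if ($kind -ne $expected[$name]) {
            $findings += "kind is $kind, expected $($expected[$name])"
        }
        if ($name -eq 'Ports') {
            # Each entry is a single port or a low-high range; count usable ports.
            $count = 0
            foreach ($entry in $value) {
                if ($entry -match '^\s*(\d{1,5})(?:\s*-\s*(\d{1,5}))?\s*$') {
                    $low  = [int]$Matches[1]
                    $high = if ($Matches[2]) { [int]$Matches[2] } else { $low }
                    if ($low -lt 1 -or $high -gt 65535 -or $low -gt $high) {
                        $findings += "range out of bounds: '$entry'"
                    } else { $count += $high - $low + 1 }
                } else { $findings += "unparsable entry: '$entry'" }
            }
            $findings += "$count ports available to RPC"
        } elseif ($value -notcontains 'Y' -and $value -notcontains 'N') {
            $findings += 'value should be Y or N'
        }
        [pscustomobject]@{ Name = $name; Kind = $kind; Value = $value -join ', '
                           Finding = $findings -join '; ' }
    }
}
Get-RpcPortRestriction | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session on the affected server before and after removing the entries, so the value kinds and the size of the port range are on record alongside the event log errors.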

