Replication error 1753: There are no more endpoints available from the endpoint mapper

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic explains symptoms, causes and how to resolve Active Directory replication error 8524: The DSA operation is unable to proceed because of a DNS lookup failure.

- Symptoms
- Cause
- Resolutions
- More information

Symptoms

This article describes symptoms, cause and resolution steps for Active Directory operations that fail with Win32 error 1753: "There are no more endpoints available from the endpoint mapper."

1. DCDIAG reports that the Connectivity test, Active Directory Replications test or KnowsOfRoleHolders test has failed with error 1753: "There are no more endpoints available from the endpoint mapper."

        Testing server: <site><DC Name>
        Starting test: Connectivity
        * Active Directory LDAP Services Check
        * Active Directory RPC Services Check
        [<DC Name>] DsBindWithSpnEx() failed with error 1753,
        There are no more endpoints available from the endpoint mapper..
        Printing RPC Extended Error Info:
        Error Record 1, ProcessID is <process ID> (DcDiag)
        System Time is: <date> <time>
        Generating component is 2 (RPC runtime)
        Status is 1753: There are no more endpoints available from the endpoint mapper.
        Detection location is 500
        NumberOfParameters is 4
        Unicode string: ncacn_ip_tcp
        Unicode string: <source DC object GUID>._msdcs.contoso.com
        Long val: -481213899
        Long val: 65537
        Error Record 2, ProcessID is 700 (DcDiag)
        System Time is: <date> <time>
        Generating component is 2 (RPC runtime)
        Status is 1753: There are no more endpoints available from the endpoint mapper.
        NumberOfParameters is 1
        Unicode string: 1025
        [Replications Check,<DC Name>] A recent replication attempt failed:
        From <source DC> to <destination DC>
        Naming Context: <DN path of directory partition>
        The replication generated an error (1753):
        There are no more endpoints available from the endpoint mapper.
        The failure occurred at <date> <time>.
        The last success occurred at <date> <time>.
        3 failures have occurred since the last success.
        The directory on <DC name> is in the process.
        of starting up or shutting down, and is not available.
        Verify machine is not hung during boot.

2. REPADMIN.EXE reports that a replication attempt has failed with status 1753. REPADMIN commands that commonly cite the 1753 status include but are not limited to:

   - REPADMIN /REPLSUM
   - REPADMIN /SHOWREPL
   - REPADMIN /SHOWREPS
   - REPADMIN /SYNCALL

   Sample output from "REPADMIN /SHOWREPS" depicting inbound replication from CONTOSO-DC2 to CONTOSO-DC1 failing with the "replication access was denied" error is shown below:

        Default-First-Site-Name\CONTOSO-DC1
        DSA Options: IS_GC
        Site Options: (none)
        DSA object GUID: b6dc8589-7e00-4a5d-b688-045aef63ec01
        DSA invocationID: b6dc8589-7e00-4a5d-b688-045aef63ec01
        ==== INBOUND NEIGHBORS ======================================
        DC=contoso,DC=com
        Default-First-Site-Name\CONTOSO-DC2 via RPC
        DSA object GUID: 74fbe06c-932c-46b5-831b-af9e31f496b2
        Last attempt @ <date> <time> failed, result 1753 (0x6d9):
        There are no more endpoints available from the endpoint mapper.
        <#> consecutive failure(s).
        Last success @ <date> <time>.

3. The Check Replication Topology command in Active Directory Sites and Services returns "There are no more endpoints available from the endpoint mapper."

   Right-clicking on the connection object from a source DC and choosing Check Replication Topology fails with "There are no more endpoints available from the endpoint mapper." The on-screen error message is shown below:

   Dialog title text: Check Replication Topology
   Dialog message text: The following error occurred during the attempt to contact the domain controller: There are no more endpoints available from the endpoint mapper.

4. The Replicate now command in Active Directory Sites and Services returns "There are no more endpoints available from the endpoint mapper."

   Right-clicking on the connection object from a source DC and choosing Replicate now fails with "There are no more endpoints available from the endpoint mapper." The on-screen error message is shown below:

   Dialog title text: Replicate Now
   Dialog message text: The following error occurred during the attempt to synchronize naming context <%directory partition name%> from Domain Controller <Source DC> to Domain Controller <Destination DC>: There are no more endpoints available from the endpoint mapper. The operation will not continue

5. NTDS KCC, NTDS General or Microsoft-Windows-ActiveDirectory_DomainService events with the -2146893022 status are logged in the Directory Services log in Event Viewer.

   Active Directory events that commonly cite the -2146893022 status include but are not limited to:

| Event ID | Event Source | Event String |
| --- | --- | --- |
| 1655 | NTDS General | Active Directory attempted to communicate with the following global catalog and the attempts were unsuccessful. |
| 1925 | NTDS KCC | The attempt to establish a replication link for the following writable directory partition failed. |
| 1265 | NTDS KCC | An attempt by the Knowledge Consistency Checker (KCC) to add a replication agreement for the following directory partition and source domain controller failed. |

Cause

The diagram below shows the RPC workflow, starting with the registration of the server application with the RPC Endpoint Mapper (EPM) in step 1 and ending with the passing of data from the RPC client to the client application in step 7.

[Diagram: ADDS_RPCWorkflow]

Steps 1 through 7 map to the following operations:

1. Server app registers its endpoints with the RPC Endpoint Mapper (EPM)
2. Client makes an RPC call (on behalf of a user, OS or application initiated operation)
3. Client side RPC contacts the target computer's EPM and asks for the endpoint to complete the client call
4. Server machine's EPM responds with an endpoint
5. Client side RPC contacts the server app
6. Server app executes the call, returns the result to the client RPC
7. Client side RPC passes the result back to the client app

Failure 1753 is generated by a failure between steps #3 and #4. Specifically, error 1753 means that the RPC client (destination DC) was able to contact the RPC server (source DC) over port 135, but the EPM on the RPC server (source DC) was unable to locate the RPC application of interest and returned server side error 1753. The presence of the 1753 error indicates that the RPC client (destination DC) received the server side error response from the RPC server (AD replication source DC) over the network.

Specific root causes for the 1753 error include:

1. The server app never started (i.e. Step #1 in the "more information" diagram located above was never attempted).
2. The server app started but there was some failure during initialization that prevented it from registering with the RPC Endpoint Mapper (i.e. Step #1 in the "more information" diagram above was attempted but failed).
3. The server app started but subsequently died (i.e. Step #1 in the "more information" diagram above was completed successfully, but was undone later because the server died).
4. The server app manually unregistered its endpoints (similar to 3 but intentional. Not likely but included for completeness.)
5. The RPC client (destination DC) contacted a different RPC server than the intended one due to a name-to-IP mapping error in DNS, WINS or the HOSTS / LMHOSTS file.

Error 1753 is NOT caused by:

- A lack of network connectivity between the RPC client (destination DC) and RPC server (source DC) over port 135
- A lack of network connectivity between the RPC server (source DC) using port 135 and the RPC client (destination DC) over the ephemeral port
- A password mismatch or the inability by the source DC to decrypt a Kerberos encrypted packet

Resolutions

1. Verify that the service registering its service with the endpoint mapper has started

   - For Windows 2000 and Windows Server 2003 DCs: ensure that the source DC is booted into normal mode.
   - For Windows Server 2008 or Windows Server 2008 R2: from the console of the source DC, start Services Manager (services.msc) and verify that the Active Directory Domain Services service is running.

2. Verify that the RPC client (destination DC) connected to the intended RPC server (source DC)

   All DCs in a common Active Directory forest register a domain controller CNAME record in the _msdcs.<forest root domain> DNS zone regardless of what domain they reside in within the forest. The DC CNAME record is derived from the objectGUID attribute of the NTDS Settings object for each domain controller.

   When performing replication-based operations, a destination DC queries DNS for the source DC's CNAME record. The CNAME record contains the source DC's fully qualified computer name, which is used to derive the source DC's IP address via DNS client cache lookup, HOSTS / LMHOSTS file lookup, host A / AAAA record in DNS, or WINS.

   Stale NTDS Settings objects and bad name-to-IP mappings in DNS, WINS, HOSTS and LMHOSTS files may cause the RPC client (destination DC) to connect to the wrong RPC server (source DC). Furthermore, the bad name-to-IP mapping may cause the RPC client (destination DC) to connect to a computer that does not even have the RPC server application of interest (the Active Directory role in this case) installed. (Example: a stale host record for DC2 contains the IP address of DC3 or a member computer.)

   - Verify that the objectGUID for the source DC that exists in the destination DC's copy of Active Directory matches the source DC objectGUID stored in the source DC's copy of Active Directory. If there is a discrepancy, use repadmin /showobjmeta on the NTDS Settings object to see which one corresponds to the last promotion of the source DC (hint: compare date stamps for the NTDS Settings object create date from /showobjmeta against the last promotion date in the source DC's dcpromo.log file. You may have to use the last modify / create date of the DCPROMO.LOG file itself). If the object GUIDs are not identical, the destination DC likely has a stale NTDS Settings object for the source DC whose CNAME record refers to a host record with a bad name-to-IP mapping.

   - On the destination DC, run IPCONFIG /ALL to determine which DNS servers the destination DC is using for name resolution:

         c:\>ipconfig /all

   - On the destination DC, run NSLOOKUP against the source DC's fully qualified DC CNAME record:

         c:\>nslookup -type=cname <fully qualified cname of source DC> <destination DCs primary DNS Server IP>
         c:\>nslookup -type=cname <fully qualified cname of source DC> <destination DCs secondary DNS Server IP>

   - Verify that the IP address returned by NSLOOKUP "owns" the host name / security identity of the source DC:

         C:\>NBTSTAT -A <IP address returned by NSLOOKUP in the step above>

     or

     Log onto the console of the source DC, run "IPCONFIG" from the CMD prompt and verify that the source DC owns the IP address returned by the NSLOOKUP command above.

   - Check for stale / duplicate host-to-IP mappings in DNS:

         NSLOOKUP -type=A <single label hostname of source DC> <primary DNS Server IP on destination DC>
         NSLOOKUP -type=A <single label hostname of source DC> <secondary DNS Server IP on destination DC>
         NSLOOKUP -type=A <fully qualified computer name of source DC> <primary DNS Server IP on destination DC>
         NSLOOKUP -type=A <fully qualified computer name of source DC> <secondary DNS Server IP on dest. DC>

   If invalid IP addresses exist in host records, investigate whether DNS scavenging is enabled and properly configured. If the tests above or a network trace don't show a name query returning an invalid IP address, consider stale entries in HOSTS files, LMHOSTS files and WINS servers. Note that DNS servers can also be configured to perform WINS fallback name resolution.

3. Verify that the server application (Active Directory et al) has registered with the endpoint mapper on the RPC server (source DC)

   Active Directory uses a mix of well-known and dynamically registered ports. This table lists well-known ports and protocols used by Active Directory domain controllers.

| RPC Server Application | Port | TCP | UDP |
| --- | --- | --- | --- |
| DNS server | 53 | X | X |
| Kerberos | 88 | X | X |
| LDAP server | 389 | X | X |
| Microsoft-DS | 445 | X | X |
| LDAP SSL | 636 | X | X |
| Global Catalog Server | 3268 | X | |
| Global Catalog Server | 3269 | X | |

Well-known ports are NOT registered with the endpoint mapper.

Active Directory and other applications also register services that receive dynamically assigned ports in the RPC ephemeral port range. Such RPC server applications are dynamically assigned TCP ports between 1024 and 5000 on Windows 2000 and Windows Server 2003 computers, and ports between 49152 and 65535 on Windows Server 2008 and Windows Server 2008 R2 computers. The RPC port used by replication can be hard-coded in the registry using the steps documented in KB article 224196 (http://support.microsoft.com/kb/224196). Active Directory continues to register with the EPM when configured to use a hard-coded port.

Verify that the RPC server application of interest has registered itself with the RPC endpoint mapper on the RPC server (the source DC in the case of AD replication).

There are a number of ways to accomplish this task, but one is to install PORTQRY and run it from an admin privileged CMD prompt on the console of the source DC using the syntax:

    c:\>portqry -n <source DC> -e 135 >file.txt

In the portqry output, note the port numbers dynamically registered by the "MS NT Directory DRS Interface" (UUID = E351...) for the ncacn_ip_tcp protocol. The snippet below shows sample portqry output from a Windows Server 2008 R2 DC; the UUID / protocol pair specifically used by Active Directory is the ncacn_ip_tcp entry:

    UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
    ncacn_np:CONTOSO-DC01[\pipe\lsass]
    UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
    ncacn_np:CONTOSO-DC01[\PIPE\protected_storage]
    UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
    ncacn_ip_tcp:CONTOSO-DC01[49156]
    UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
    ncacn_http:CONTOSO-DC01[49157]
    UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
    ncacn_http:CONTOSO-DC01[6004]

Other possible ways to resolve this error:

- Verify that the source DC is booted in normal mode and that the OS and DC role on the source DC have fully started.
- Verify that the Active Directory Domain Services service is running. If the service is currently stopped or was not configured with default startup values, reset the default startup values, reboot the modified DC, then retry the operation.
- Verify that the startup value and service status for the RPC service and RPC Locator are correct for the OS version of the RPC client (destination DC) and RPC server (source DC). If the service is currently stopped or was not configured with default startup values, reset the default startup values, reboot the modified DC, then retry the operation. In addition, ensure that the service context matches default settings listed in the following table.

| Service | Default status (Startup type) in Windows Server 2003 and later | Default status (Startup type) in Windows Server 2000 |
| --- | --- | --- |
| Remote Procedure Call | Started (Automatic) | Started (Automatic) |
| Remote Procedure Call Locator | Null or Stopped (Manual) | Started (Automatic) |

- Verify that the size of the dynamic port range has not been constrained. The Windows Server 2008 and Windows Server 2008 R2 NETSH syntax to enumerate the RPC port range is shown below:

      >netsh int ipv4 show dynamicport tcp
      >netsh int ipv4 show dynamicport udp
      >netsh int ipv6 show dynamicport tcp
      >netsh int ipv6 show dynamicport udp

- Verify that hard-coded port definitions defined in KB 224196 fall within the dynamic port range for the source DC's OS version. Review KB article 224196 (http://support.microsoft.com/kb/224196) and ensure that the hard-coded port falls within the ephemeral port range for the source DC's operating system version.

- Verify that the ClientProtocols key exists under HKLM\Software\Microsoft\Rpc and contains the following 5 default values:

      ncacn_http    REG_SZ  rpcrt4.dll
      ncacn_ip_tcp  REG_SZ  rpcrt4.dll
      ncacn_nb_tcp  REG_SZ  rpcrt4.dll
      ncacn_np      REG_SZ  rpcrt4.dll
      ncacn_ip_udp  REG_SZ  rpcrt4.dll
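
The PORTQRY registration check and the dynamic-port-range check from this section can be applied to a saved file.txt in one pass. The Python below is an added example, not Microsoft tooling or code from the original article; it assumes the PortQry layout shown in the sample (a `UUID:` line followed by a binding), its function names are hypothetical, and the member-server and hard-coded-port dumps are constructed inputs.

```python
import re

# UUID of the "MS NT Directory DRS Interface", taken from the PortQry sample in this article.
DRS_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"

# RPC dynamic TCP port ranges as stated in this article, keyed by OS generation.
DYNAMIC_RANGES = {
    "2003": (1024, 5000),    # Windows 2000 / Windows Server 2003
    "2008": (49152, 65535),  # Windows Server 2008 / 2008 R2
}

# One registration = "UUID: <uuid> [annotation]" followed by "<protseq>:<host>[<endpoint>]".
# The \s+ between the two parts accepts the line break PortQry prints as well as
# output that has been flattened onto a single line.
ENTRY_RE = re.compile(
    r"UUID:\s*(?P<uuid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
    r"(?P<annotation>[^\n]*?)\s+"
    r"(?P<protseq>nca\w+):(?P<host>[^\[\s]*)\[(?P<endpoint>[^\]]*)\]"
)


def parse_portqry(text):
    """Return every endpoint-mapper registration found in PortQry output."""
    return [
        {
            "uuid": m["uuid"].lower(),
            "annotation": m["annotation"].strip(),
            "protseq": m["protseq"].lower(),
            "host": m["host"],
            "endpoint": m["endpoint"],
        }
        for m in ENTRY_RE.finditer(text)
    ]


def drs_tcp_ports(entries):
    """TCP ports on which the DRS (replication) interface is registered."""
    return sorted({
        int(e["endpoint"])
        for e in entries
        if e["uuid"] == DRS_UUID
        and e["protseq"] == "ncacn_ip_tcp"
        and e["endpoint"].isdigit()
    })


def assess(text, os_family="2008"):
    """Classify a PortQry dump taken against the source DC (hypothetical verdict names)."""
    entries = parse_portqry(text)
    if not entries:
        # No endpoint list at all: the query never got an EPM answer, so this
        # is not the situation error 1753 describes.
        return ("NO_EPM_DATA", [])
    ports = drs_tcp_ports(entries)
    if not ports:
        # The EPM answered but holds no DRS registration: the condition behind 1753.
        return ("DRS_NOT_REGISTERED", [])
    low, high = DYNAMIC_RANGES[os_family]
    outside = [p for p in ports if not low <= p <= high]
    if outside:
        return ("DRS_PORT_OUTSIDE_DYNAMIC_RANGE", outside)
    return ("DRS_REGISTERED", ports)


# Excerpt of the sample in this article: a source DC that registered the DRS interface.
HEALTHY_DC = r"""
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_np:CONTOSO-DC01[\pipe\lsass]
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:CONTOSO-DC01[49156]
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_http:CONTOSO-DC01[49157]
"""

# Constructed: a member computer whose EPM answers but has no DRS registration.
MEMBER_SERVER = """
UUID: 11111111-2222-3333-4444-555555555555 Constructed example interface
ncacn_ip_tcp:MEMBER01[49160]
"""

# Constructed: replication port hard-coded to a value outside the 2008 range.
HARD_CODED = """
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:CONTOSO-DC01[5000]
"""

if __name__ == "__main__":
    for name, dump in (("healthy DC", HEALTHY_DC),
                       ("member server", MEMBER_SERVER),
                       ("hard-coded port", HARD_CODED)):
        print(name, assess(dump))
```

A `DRS_NOT_REGISTERED` verdict against the name the destination DC uses for its source is the point at which to re-check name resolution, because the machine answering on port 135 may not be the intended DC.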

More information

Example of a bad name-to-IP mapping causing RPC error 1753 vs. -2146893022: the target principal name is incorrect

The contoso.com domain consists of DC1 and DC2 with IP addresses x.x.1.1 and x.x.1.2. The host "A" / "AAAA" records for DC2 are correctly registered on all of the DNS servers configured for DC1. In addition, the HOSTS file on DC1 contains an entry mapping DC2's fully qualified hostname to IP address x.x.1.2. Later, DC2's IP address changes from x.x.1.2 to x.x.1.3 and a new member computer is joined to the domain with IP address x.x.1.2. AD replication attempts triggered by the Replicate now command in the Active Directory Sites and Services snap-in fail with error 1753, as shown in the trace below:

    F#  SRC      DEST     Operation
    1   x.x.1.1  x.x.1.2  ARP:Request, x.x.1.1 asks for x.x.1.2
    2   x.x.1.2  x.x.1.1  ARP:Response, x.x.1.2 at 00-13-72-28-C8-5E
    3   x.x.1.1  x.x.1.2  TCP:Flags=......S., SrcPort=50206, DstPort=DCE endpoint resolution(135)
    4   x.x.1.2  x.x.1.1  ARP:Request, x.x.1.2 asks for x.x.1.1
    5   x.x.1.1  x.x.1.2  ARP:Response, x.x.1.1 at 00-15-5D-42-2E-00
    6   x.x.1.2  x.x.1.1  TCP:Flags=...A..S., SrcPort=DCE endpoint resolution(135)
    7   x.x.1.1  x.x.1.2  TCP:Flags=...A...., SrcPort=50206, DstPort=DCE endpoint resolution(135)
    8   x.x.1.1  x.x.1.2  MSRPC:c/o Bind: UUID{E1AF8308-5D1F-11C9-91A4-08002B14A0FA} EPT(EPMP)
    9   x.x.1.2  x.x.1.1  MSRPC:c/o Bind Ack: Call=0x2 Assoc Grp=0x5E68 Xmit=0x16D0 Recv=0x16D0
    10  x.x.1.1  x.x.1.2  EPM:Request: ept_map: NDR, DRSR(DRSR) {E3514235-4B06-11D1-AB04-00C04FC2DCD2} [DCE endpoint resolution(135)]
    11  x.x.1.2  x.x.1.1  EPM:Response: ept_map: 0x16C9A0D6 - EP_S_NOT_REGISTERED

At frame 10, the destination DC queries the source DC's endpoint mapper over port 135 for the Active Directory replication service class UUID E351...

In frame 11, the source DC (in this case a member computer that does not yet host the DC role and therefore has not registered the E351... UUID for the replication service with its local EPM) responds with symbolic error EP_S_NOT_REGISTERED, which maps to decimal error 1753, hex error 0x6d9 and friendly error "there are no more endpoints available from the endpoint mapper".

Later, the member computer with IP address x.x.1.2 gets promoted as a replica "MayberryDC" in the contoso.com domain. Again, the Replicate now command is used to trigger replication, but this time it fails with the on-screen error "The target principal name is incorrect." The computer whose network adapter is assigned the IP address x.x.1.2 is a domain controller, is currently booted into normal mode and has registered the E351... replication service UUID with its local EPM, but it does not own the name or security identity of DC2 and cannot decrypt the Kerberos request from DC1, so the request now fails with error "The target principal name is incorrect." The error maps to decimal error -2146893022 / hex error 0x80090322.

Such invalid host-to-IP mappings could be caused by stale entries in HOSTS / LMHOSTS files, host A / AAAA registrations in DNS, or WINS.

Summary: This example failed because an invalid host-to-IP mapping (in the HOSTS file in this case) caused the destination DC to resolve to a "source" DC that did not have the Active Directory Domain Services service running (or even installed for that matter), so the replication SPN was not yet registered and the source DC returned error 1753. In the second case, an invalid host-to-IP mapping (again in the HOSTS file) caused the destination DC to connect to a DC that had registered the E351... replication SPN, but that source had a different hostname and security identity than the intended source DC, so the attempts failed with error -2146893022: The target principal name is incorrect.
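
The name-to-IP checks from the Resolutions section, applied to the DC1 / DC2 scenario above, can be expressed as one audit over data already collected with repadmin, NSLOOKUP and IPCONFIG. This Python is an added example, not part of the original article or any Microsoft tool; the function names and verdict labels are hypothetical, and the 192.0.2.x addresses are constructed stand-ins for x.x.1.1 to x.x.1.3.

```python
import ipaddress


def parse_hosts(text):
    """Return {lower-cased name: IP} from HOSTS-file text; the first entry for a name wins."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address: skip the malformed line
        for name in fields[1:]:
            mapping.setdefault(name.lower().rstrip("."), ip)
    return mapping


def dc_cname(object_guid, forest_root):
    """DC alias described in this article: <NTDS Settings objectGUID>._msdcs.<forest root>."""
    return f"{object_guid.strip('{}').lower()}._msdcs.{forest_root.lower()}"


def expected_error(effective_ip, owned_ips, dc_ips):
    """Error this article predicts when replication is sent to effective_ip."""
    if effective_ip is None or effective_ip in owned_ips:
        return None            # not one of the two mis-resolution cases
    if effective_ip in dc_ips:
        return -2146893022     # a different DC answers: target principal name is incorrect
    return 1753                # no DRS interface registered there: EP_S_NOT_REGISTERED


def audit(source_fqdn, forest_root, guid_dest_copy, guid_source_copy,
          cname_answers, a_answers, hosts_text, owned_ips, dc_ips):
    """List stale links in the chain the destination DC follows to reach its source.

    cname_answers: {dns_server: CNAME target returned for the DC alias}
    a_answers:     {dns_server: [A-record IPs returned for source_fqdn]}
    owned_ips:     addresses IPCONFIG shows on the source DC's console
    dc_ips:        addresses of machines known to run the DC role
    """
    fqdn = source_fqdn.lower().rstrip(".")
    findings = []
    if guid_dest_copy.lower() != guid_source_copy.lower():
        findings.append(("STALE_NTDS_SETTINGS", dc_cname(guid_dest_copy, forest_root)))
    for server, target in sorted(cname_answers.items()):
        if target.lower().rstrip(".") != fqdn:
            findings.append(("CNAME_WRONG_TARGET", server))
    for server, ips in sorted(a_answers.items()):
        findings += [("DNS_A_STALE", f"{server} -> {ip}") for ip in ips if ip not in owned_ips]
    hosts_ip = parse_hosts(hosts_text).get(fqdn)
    if hosts_ip and hosts_ip not in owned_ips:
        findings.append(("HOSTS_STALE", hosts_ip))
    # The HOSTS file is consulted before DNS, so a stale entry wins over a correct A record.
    dns_ips = [ip for _, ips in sorted(a_answers.items()) for ip in ips]
    effective = hosts_ip or (dns_ips[0] if dns_ips else None)
    return findings, effective, expected_error(effective, owned_ips, dc_ips)


# Constructed inputs modelling the scenario above (DC2 moved from .2 to .3).
SOURCE_FQDN = "dc2.contoso.com"
FOREST_ROOT = "contoso.com"
DC2_GUID = "74fbe06c-932c-46b5-831b-af9e31f496b2"   # DC2's DSA object GUID in the sample output
CNAME_ANSWERS = {"192.0.2.1": "dc2.contoso.com."}   # DNS server on DC1
A_ANSWERS = {"192.0.2.1": ["192.0.2.3"]}            # DNS is correct
OWNED_BY_DC2 = {"192.0.2.3"}
STALE_HOSTS = """
# constructed HOSTS file on DC1
192.0.2.2   dc2.contoso.com   # never updated after DC2 changed address
"""


def run_scenario(hosts_text, dc_ips, guid_dest_copy=DC2_GUID):
    """Run the audit with the constructed data above, varying only the given inputs."""
    return audit(SOURCE_FQDN, FOREST_ROOT, guid_dest_copy, DC2_GUID,
                 CNAME_ANSWERS, A_ANSWERS, hosts_text, OWNED_BY_DC2, dc_ips)


if __name__ == "__main__":
    print(run_scenario(STALE_HOSTS, {"192.0.2.3"}))               # .2 is a member computer
    print(run_scenario(STALE_HOSTS, {"192.0.2.2", "192.0.2.3"}))  # .2 promoted to a DC
    print(run_scenario("", {"192.0.2.3"}))                        # HOSTS entry removed
```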

- Troubleshooting Active Directory operations that fail with error 1753: There are no more endpoints available from the endpoint mapper. http://support.microsoft.com/kb/2089874
- KB article 839880: Troubleshooting RPC Endpoint Mapper errors using the Windows Server 2003 Support Tools from the product CD http://support.microsoft.com/kb/839880
- KB article 832017: Service overview and network port requirements for the Windows Server system http://support.microsoft.com/kb/832017/
- KB article 224196: Restricting Active Directory replication traffic and client RPC traffic to a specific port http://support.microsoft.com/kb/224196/
- KB article 154596: How to configure RPC dynamic port allocation to work with firewalls http://support.microsoft.com/kb/154596
- How RPC Works http://msdn.microsoft.com/library/aa373935(VS.85).aspx
- How the Server Prepares for a Connection http://msdn.microsoft.com/library/aa373938(VS.85).aspx
- How the Client Establishes a Connection http://msdn.microsoft.com/library/aa373937(VS.85).aspx
- Registering the Interface http://msdn.microsoft.com/library/aa375357(VS.85).aspx
- Making the Server Available on the Network http://msdn.microsoft.com/library/aa373974(VS.85).aspx
- Registering Endpoints http://msdn.microsoft.com/library/aa375255(VS.85).aspx
- Listening for Client Calls http://msdn.microsoft.com/library/aa373966(VS.85).aspx
- SPN for a Target DC in AD DS http://msdn.microsoft.com/library/dd207688(PROT.13).aspx