Replication error 1722 The RPC server is unavailable

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic explains symptoms, causes and how to resolve Active Directory replication error 1722: The RPC server is unavailable.
Symptoms

This article describes the symptoms, cause and resolution for Active Directory replication failing with Win32 error 1722: The RPC server is unavailable.

DCPROMO promotion of a replica DC fails to create an NTDS Settings object on the helper DC with error 1722.

    Dialog title text: Active Directory Domain Services Installation Wizard
    Dialog message text: The operation failed because: Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller CN=NTDS Settings,CN=<Name of DC being promoted>,CN=Servers,CN=<site name>,CN=Sites,CN=Configuration,DC=<forest root domain> on the remote AD DC <helper DC>.<domain name>.<top level domain>. Ensure the provided network credentials have sufficient permissions. "The RPC server is unavailable."

DCDIAG reports that the Active Directory Replications test has failed with error 1722: "The RPC server is unavailable"

    [Replications Check,<DC Name>] A recent replication attempt failed:
       From <source DC> to <destination DC>
       Naming Context: <DN path of directory partition>
       The replication generated an error (1722):
       The RPC server is unavailable.
       The failure occurred at <date> <time>.
       The last success occurred at <date> <time>.
       <X> failures have occurred since the last success.
    [<dc name>] DsBindWithSpnEx()failed with error 1722,
    The RPC server is unavailable..
    Printing RPC Extended Error Info:
    <snip>

REPADMIN.EXE reports that the last replication attempt has failed with status 1722 (0x6ba). REPADMIN commands that commonly cite the 1722 (0x6ba) status include but are not limited to:

    REPADMIN /REPLSUM
    REPADMIN /SHOWREPL
    REPADMIN /SHOWREPS
    REPADMIN /SYNCALL

Sample output from "REPADMIN /SHOWREPS" depicting the "The RPC server is unavailable" error is shown below:

    c:\> repadmin /showreps
    <site name>\<destination DC>
    DC Options: <list of flags>
    Site Options: (none)
    DC object GUID: <NTDS settings object object GUID>
    DC invocationID: <invocation ID string>

    ==== INBOUND NEIGHBORS ======================================

    DC=<DN path for directory partition>
        <site name>\<source DC> via RPC
            DC object GUID: <source DCs ntds settings object object guid>
            Last attempt @ <date> <time> failed, result 1722 (0x6ba):
                The RPC server is unavailable.
            <X #> consecutive failure(s).
            Last success @ <date> <time>

Sample output of "REPADMIN /SYNCALL" depicting the "The RPC server is unavailable" error is shown below:

    C:\>repadmin /syncall
    CALLBACK MESSAGE: Error contacting server <object guid of NTDS Settings object>._msdcs.<forest root domain>.<top level domain> (network error): 1722 (0x6ba):
        The RPC server is unavailable.

The "replicate now" command in Active Directory Sites and Services returns "The RPC server is unavailable." Right-clicking on the connection object from a source DC and choosing Replicate now fails with "The RPC server is unavailable." The on-screen error message is shown below:

    Dialog title text: Replicate Now
    Dialog message text: The following error occurred during the attempt to synchronize naming context <DNS name of directory partition> from domain controller <source DC host name> to domain controller <destination DC hostname>: The RPC server is unavailable. This operation will not continue. This condition may be caused by a DNS lookup problem. For information about troubleshooting common DNS lookup problems, please see the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=5171.

NTDS KCC, NTDS General or Microsoft-Windows-ActiveDirectory_DomainService events with the 1722 status are logged in the Directory Services log in Event Viewer. Active Directory events that commonly cite the 1722 status include but are not limited to:
| Event ID | Event Source | Event String |
|---|---|---|
| 1125 | Microsoft-Windows-ActiveDirectory_DomainService | The Active Directory Domain Services Installation Wizard (Dcpromo) was unable to establish connection with the following domain controller. |
| 1311 | NTDS KCC | The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. |
| 1865 | NTDS KCC | The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site. |
| 1925 | NTDS KCC | The attempt to establish a replication link for the following writable directory partition failed. |
| 1960 | NTDS Replication | Internal event: The following domain controller received an exception from a remote procedure call (RPC) connection. The operation may have failed. |

Causes

RPC is an intermediate layer between the network transport and the application protocol. RPC itself has no special insight into failures but attempts to map lower layer protocol failures into an error at the RPC layer.

RPC error 1722 / 0x6ba / RPC_S_SERVER_UNAVAILABLE is logged when a lower layer protocol reports a connectivity failure. The common case is that the abstract TCP CONNECT operation failed. In the context of Active Directory replication, the RPC client on the destination DC was not able to successfully connect to the RPC server on the source DC. Common causes for this are:

- Link local failure
- DHCP failure
- DNS failure
- WINS failure
- Routing failure (including blocked ports on firewalls)
- IPSec / Network authentication failures
- UDP formatted Kerberos packets are being fragmented by network infrastructure devices like routers and switches.
- Resource limitations
- Higher layer protocol not running
- Higher layer protocol is returning this error

Resolutions

Basic troubleshooting steps to identify the problem:

Verify that the startup value and service status are correct for the Remote Procedure Call (RPC), Remote Procedure Call (RPC) Locator and Kerberos Key Distribution Center services. The operating system version will determine the correct values for the source and destination system that is logging the replication error. Use the following table to help validate the settings.

| Service Name | Windows 2000 | Windows Server 2003/R2 | Windows Server 2008 | Windows Server 2008 R2 |
|---|---|---|---|---|
| Remote Procedure Call (RPC) | Started / Automatic | Started / Automatic | Started / Automatic | Started / Automatic |
| Remote Procedure Call (RPC) Locator | Started / Automatic (Domain Controllers); Not started / Manual (Member Servers) | Not started / Manual | Not started / Manual | Not started / Manual |
| Kerberos Key Distribution Center (KDC) | Started / Automatic (Domain Controllers); Not started / Disabled (Member Servers) | Started / Automatic (Domain Controllers); Not started / Disabled (Member Servers) | Started / Automatic (Domain Controllers); Not started / Disabled (Member Servers) | Started / Automatic (Domain Controllers); Not started / Disabled (Member Servers) |

If you make any changes to match the settings above, reboot the machine and verify that both the startup value and service status match the values documented in the previous table.

Verify the ClientProtocols key exists under HKLM\Software\Microsoft\Rpc, and that it contains the correct default protocols.

| Protocol Name | Type | Data Value |
|---|---|---|
| ncacn_http | REG_SZ | rpcrt4.dll |
| ncacn_ip_tcp | REG_SZ | rpcrt4.dll |
| ncacn_np | REG_SZ | rpcrt4.dll |
| ncacn_ip_udp | REG_SZ | rpcrt4.dll |
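
The service and ClientProtocols checks above, written as a PowerShell script to run locally on a domain controller. This is an added example, not part of the original article; the short service names (RpcSs, RpcLocator, Kdc) are assumptions not given on the page, and the expected service values are the domain controller entries from the Windows Server 2003 and later columns.

```powershell
# Added example: compares local service state and the RPC ClientProtocols
# values with the two tables above. Run it on the domain controller itself.

# Expected values for a domain controller (Windows Server 2003 and later columns).
# The short service names are assumptions; the page lists display names only.
$expectedServices = [ordered]@{
    RpcSs      = @{ State = 'Running'; StartMode = 'Auto'   }  # Remote Procedure Call (RPC)
    RpcLocator = @{ State = 'Stopped'; StartMode = 'Manual' }  # Remote Procedure Call (RPC) Locator
    Kdc        = @{ State = 'Running'; StartMode = 'Auto'   }  # Kerberos Key Distribution Center
}

$results = @(foreach ($name in $expectedServices.Keys) {
    $want = $expectedServices[$name]
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    [pscustomobject]@{
        Check    = "Service $name"
        Expected = '{0} / {1}' -f $want.State, $want.StartMode
        Actual   = if ($svc) { '{0} / {1}' -f $svc.State, $svc.StartMode } else { 'service not found' }
        Ok       = [bool]($svc -and $svc.State -eq $want.State -and $svc.StartMode -eq $want.StartMode)
    }
})

# The four default protocol values, each expected to be REG_SZ "rpcrt4.dll".
$keyPath   = 'HKLM:\Software\Microsoft\Rpc\ClientProtocols'
$protocols = 'ncacn_http', 'ncacn_ip_tcp', 'ncacn_np', 'ncacn_ip_udp'
$values    = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue

$results += @(foreach ($proto in $protocols) {
    # A missing key or a missing value yields $null and is reported as a failure.
    $data = if ($values) { $values.$proto } else { $null }
    [pscustomobject]@{
        Check    = "ClientProtocols\$proto"
        Expected = 'rpcrt4.dll'
        Actual   = if ($null -ne $data) { $data } else { 'missing' }
        Ok       = ($data -eq 'rpcrt4.dll')
    }
})

$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning ('{0} check(s) differ from the documented values.' -f $failed.Count)
}
```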

If the ClientProtocols key or any of the four default values are missing, import the key from a known good server.

Verify DNS is working. DNS lookup failures are the cause of a large amount of 1722 RPC errors when it comes to replication. There are a few tools to use to help identify DNS errors:

DCDIAG /TEST:DNS /V /E /F:<filename.log>

The DCDIAG /TEST:DNS command can validate DNS health of domain controllers that run Windows 2000 Server (SP3 or later), Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. This test was first introduced with Windows Server 2003 Service Pack 1.

There are seven test groups for this command:

- Authentication (Auth)
- Basic (Basc)
- Records registration (RReg)
- Dynamic update (Dyn)
- Delegations (Del)
- Forwarders/Root hints (Forw)

Sample Output

    TEST: Authentication (Auth)
       Authentication test: Successfully completed

    TEST: Basic (Basc)
       Microsoft(R) Windows(R) Server 2003, Enterprise Edition (Service Pack level: 2.0) is supported
       NETLOGON service is running
       kdc service is running
       DNSCACHE service is running
       DNS service is running
       DC is a DNS server
       Network adapters information:
       Adapter [00000009] Microsoft Virtual Machine Bus Network Adapter:
          MAC address is 00:15:5D:40:CF:92
          IP address is static
          IP address: <IP Address>
          DNS servers:
             <DNS IP Address> (DC.domain.com.) [Valid]
       The A record for this DC was found
       The SOA record for the Active Directory zone was found
       The Active Directory zone on this DC/DNS server was found (primary)
       Root zone on this DC/DNS server was not found

    <omitted other tests for readability>

    Summary of DNS test results:
                                     Auth Basc Forw Del  Dyn  RReg Ext
       _________________________________________________________________
       Domain: Ca.fragale
          DC1                        PASS PASS FAIL PASS PASS PASS n/a
       Domain: child.Ca.fragale
          DC2                        PASS PASS n/a  n/a  n/a  PASS n/a

    Enterprise DNS infrastructure test results:
       For parent domain domain.com and subordinate domain child:
          Forwarders or root hints are not misconfigured from parent domain to subordinate domain
          Error: Forwarders are configured from subordinate to parent domain but some of them failed DNS server tests (See DNS servers section for error details)
          Delegation is configured properly from parent to subordinate domain
    ......................... domain.com failed test DNS

The summary provides remediation steps for the more common failures from this test. Explanation and additional options for this test can be found at Domain Controller Diagnostics Tool (dcdiag.exe) http://technet.microsoft.com/library/cc776854(WS.10).aspx.

NLTEST /DSGETDC:<netbios or DNS domain name>

Nltest /dsgetdc: is used to exercise the DC locator process. Thus /dsgetdc:<domain name> tries to find the domain controller for the domain. Using the force flag forces domain controller location rather than using the cache. You can also specify options such as /gc or /pdc to locate a Global Catalog or a Primary Domain Controller emulator. For finding the Global Catalog, you must specify a "tree name," which is the DNS domain name of the root domain.

Sample Output:

    DC: \\DC.Domain.com
    Address: \\<IP Address>
    Dom Guid: 5499c0e6-2d33-429d-aab3-f45f6a06922b
    Dom Name: Domain.com
    Forest Name: Domain.com
    Dc Site Name: Default-First-Site-Name
    Our Site Name: Default-First-Site-Name
    Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
    The command completed successfully

Netdiag -v

This command can be used with Windows Server 2003 and earlier versions to gather specific information about networking configuration and errors. This tool takes some time to run when executed with the -v switch.

Sample Output for the DNS test:

    DNS test . . . . . . . . . . . . . : Passed
    Interface {34FDC272-55DC-4103-B4B7-89234BC30C4A}
    DNS Domain:
    DNS Servers: <DNS Server IP address>
    IP Address:
    Expected registration with PDN (primary DNS domain name):
    Hostname: DC.domain.com.
    Authoritative zone: domain.com.
    Primary DNS server: DC.domain.com <IP Address>
    Authoritative NS: <IP Address>
    Check the DNS registration for DCs entries on DNS server <DNS Server IP address>
    The Record is correct on DNS server '<DNS Server IP address>'.
    (You will see this line repeated several times for every entry for this DC. Including srv records.)
    The Record is correct on DNS server '<DNS Server IP address>'.
    PASS - All the DNS entries for DC are registered on DNS server '<DNS Server IP address>'.

ping -a <IP_of_problem_server>

This is a simple, quick test to validate that the host record for a domain controller resolves to the correct machine.

dnslint /s IP /ad IP

DNSLint is a Microsoft Windows utility that helps you to diagnose common DNS name resolution issues. The output for this is an .htm file with a lot of information including:

    DNS server: localhost
    IP Address: 127.0.0.1
    UDP port 53 responding to queries: YES
    TCP port 53 responding to queries: Not tested
    Answering authoritatively for domain: NO

    SOA record data from server:
    Authoritative name server: DC.domain.com
    Hostmaster: hostmaster
    Zone serial number: 14
    Zone expires in: 1.00 day(s)
    Refresh period: 900 seconds
    Retry delay: 600 seconds
    Default (minimum) TTL: 3600 seconds

    Additional authoritative (NS) records from server:
    DC2.domain.com <IP Address>

    Alias (CNAME) and glue (A) records for forest GUIDs from server:
    CNAME: 98d4aa0c-d8e2-499a-8f90-9730b0440d9b._msdcs.domain.com
    Alias: DC.domain.com
    Glue: <IP Address>
    CNAME: a2c5007f-7082-4adb-ba7d-a9c47db1efc3._msdcs.domain.com
    Alias: dc2.child.domain.com
    Glue: <IP Address>

For more information, see Description of the DNSLint utility http://support.microsoft.com/kb/321045.

Verify network ports are not blocked by a firewall or 3rd party application listening on the required ports. The endpoint mapper (listening on port 135) tells the client which randomly assigned port a service (FRS, AD replication, MAPI, and so on) is listening on.

| Application protocol | Protocol | Ports |
|---|---|---|
| Global Catalog Server | TCP | 3269 |
| Global Catalog Server | TCP | 3268 |
| LDAP Server | TCP | 389 |
| LDAP Server | UDP | 389 |
| LDAP SSL | TCP | 636 |
| LDAP SSL | UDP | 636 |
| IPsec ISAKMP | UDP | 500 |
| NAT-T | UDP | 4500 |
| RPC | TCP | 135 |
| RPC randomly allocated high TCP ports | TCP | 1024-5000; 49152-65535* |

* This is the range in Windows Server 2008, Windows Vista, Windows 7, and Windows 2008 R2.
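
The DNS and port checks described above can be chained in one pass from the destination DC, so the output shows which layer fails first. The script below is an added example, not part of the original article; the default host name, NTDS Settings object GUID and forest root are placeholders to replace, and it assumes IPv4 and the Resolve-DnsName cmdlet (Windows Server 2012 or later).

```powershell
# Added example: name resolution and TCP connect checks from a destination DC
# toward a source DC. Every default value below is a placeholder (assumption).
param(
    [string] $SourceDc   = 'dc1.domain.com',                        # source DC host name
    [string] $DsaGuid    = '00000000-0000-0000-0000-000000000000',  # its NTDS Settings object GUID
    [string] $ForestRoot = 'domain.com',                            # forest root DNS domain
    [int]    $TimeoutMs  = 3000
)

# Fixed TCP ports from the table above. The RPC dynamic range is not swept;
# the endpoint mapper on 135 is what hands those ports out.
$ports = [ordered]@{
    'RPC endpoint mapper'   = 135
    'LDAP'                  = 389
    'LDAP SSL'              = 636
    'Global Catalog (3268)' = 3268
    'Global Catalog (3269)' = 3269
}

function Test-TcpPort {
    param([string] $Address, [int] $Port, [int] $TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return 'no answer before timeout (filtered or host down)'
        }
        $client.EndConnect($pending)   # throws if the connection was refused or reset
        return 'open'
    }
    catch   { return 'failed: ' + $_.Exception.GetBaseException().Message }
    finally { $client.Close() }
}

# Step 1: the GUID-based alias that replication uses to locate the source DC.
$alias = '{0}._msdcs.{1}' -f $DsaGuid, $ForestRoot
try {
    $cname = Resolve-DnsName -Name $alias -Type CNAME -ErrorAction Stop |
             Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if ($cname) { "DNS  $alias -> $($cname.NameHost)" }
    else        { Write-Warning "DNS  $alias has no CNAME record" }
}
catch { Write-Warning "DNS  $alias did not resolve: $($_.Exception.Message)" }

# Step 2: the host (A) records of the source DC.
try {
    $addresses = @(Resolve-DnsName -Name $SourceDc -Type A -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
}
catch {
    Write-Warning "DNS  $SourceDc did not resolve: $($_.Exception.Message)"
    return
}
if ($addresses.Count -eq 0) { Write-Warning "DNS  $SourceDc has no A record"; return }

# Step 3: TCP connect to each fixed port on each resolved address.
foreach ($ip in $addresses) {
    foreach ($entry in $ports.GetEnumerator()) {
        [pscustomobject]@{
            Target  = "$SourceDc ($ip)"
            Service = $entry.Key
            Port    = $entry.Value
            Result  = Test-TcpPort -Address $ip -Port $entry.Value -TimeoutMs $TimeoutMs
        }
    }
}
```

A timeout on port 135 while both DNS steps succeed points at routing or firewall filtering; an immediate refusal means the host answered but nothing is listening on that port.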

Portqry can be used to identify if a port is blocked from a DC when targeting another DC. It can be downloaded at PortQry Command Line Port Scanner Version 2.0 http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17148.

Example syntax:

    portqry -n <problem_server> -e 135
    portqry -n <problem_server> -r 1024-5000

A graphical version of portqry, called Portqryui, can be found at PortQryUI - User Interface for the PortQry Command Line Port Scanner http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=24009.

If the dynamic port range has ports being blocked, use the links below to configure a port range that is manageable:

- How to configure RPC dynamic port allocation to work with firewalls http://support.microsoft.com/?id=154596
- Restricting Active Directory replication traffic and client RPC traffic to a specific port http://support.microsoft.com/?id=224196
- How to restrict FRS replication traffic to a specific static port http://support.microsoft.com/?id=319553
- How to configure a firewall for domains and trusts http://support.microsoft.com/?id=179442
- Service overview and network port requirements for the Windows Server system http://support.microsoft.com/?id=832017

Bad NIC drivers - See network card vendors or OEMs for the latest drivers.

UDP fragmentation can cause replication errors that appear to have a source of RPC server is unavailable. Event ID 40960 & 40961 errors with a source of LSASRV are very common for this particular cause.

SMB signing mismatches between DCs. Using Default Domain Controllers Policy to configure consistent settings for SMB signing under the following section will help address this cause:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

    Microsoft network client: Digitally sign communications (always): Disabled.
    Microsoft network client: Digitally sign communications (if server agrees): Enabled.
    Microsoft network server: Digitally sign communications (always): Disabled.
    Microsoft network server: Digitally sign communications (if client agrees): Enabled.

The settings can be found under the following registry keys:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters

    RequireSecuritySignature=always (0 disable, 1 enable).
    EnableSecuritySignature=if server agrees (0 disable, 1 enable).

Additional Troubleshooting:

If the above do not provide a solution to the 1722, then you can use the following diagnostic logging to gather more information:

Windows Server 2003 SP2 computers log extended RPC Server info in NTDS Replication events 1960, 1961, 1962 and 1963.

Crank up NTDS Diagnostic logging. 1 = basic, 2 and 3 add verbosity, and 5 logs extended info.

- Troubleshooting Active Directory operations that fail with error 1722: The RPC server is unavailable http://support.microsoft.com/kb/2102154
- RPC Return Values http://msdn.microsoft.com/library/aa378645(VS.85).aspx
- Understanding Extended Error Information http://msdn.microsoft.com/library/aa379109(VS.85).aspx
- Extended Error Information Detection Locations http://msdn.microsoft.com/library/aa373838(VS.85).aspx
- Enabling Extended Error Information http://msdn.microsoft.com/library/aa373803(VS.85).aspx
- Network Connectivity http://technet.microsoft.com/library/cc961803.aspx