Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Monday, March 3, 2014 9:16 PM
Im having an odd problem with DFSR group we created to replicate web content between two of our web servers.
In event viewer we have this event 1202 for DFSR.
"The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
Additional Information:
Error: 160 (One or more arguments are not correct.)"
In the DFSR logs I see this.
20140303 12:18:27.874 1404 CFAD 8300 Config::AdConfig::GetLocalComputerNameWithDns Computer's fully-qualified DNS name: DFSRSERVER.domain.tld
20140303 12:18:27.920 1404 CFAD 311 Config::AdConnection::Connect Binding to dcAddr:\\1.1.1.1 dcDnsName:\\MYDC.domain.tld
20140303 12:18:27.936 1404 CFAD 143 Config::AdConnection::BindToAd Trying to connect. hostName:MYDC.domain.tld
20140303 12:18:28.467 1404 CFAD 162 Config::AdConnection::BindToAd Bound. hostName:MYDC.domain.tld
20140303 12:18:28.467 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\MYDC.domain.tld domainName:<null>
20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\MYDC.domain.tld domainName:<null> Error:5
20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\MYDC.domain.tld domainName:<null> Error:[Error:5(0x5) Config::DsSession::Bind ad.cpp:3380 1404 W Access is denied.]
20140303 12:18:28.514 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\1.1.1.1 domainName:<null>
20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\1.1.1.1 domainName:<null> Error:87
20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\1.1.1.1 domainName:<null> Error:[Error:87(0x57) Config::DsSession::Bind ad.cpp:3380 1404 W The parameter is incorrect.]
20140303 12:18:28.514 1404 SCFS 150 [WARN] ServiceConfig::DsPollIsDue Failed to enable lightweight polling. Error:
+ [Error:160(0xa0) Config::AdConfig::ConnectToLocalDc ad.cpp:8365 1404 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConfig::Connect ad.cpp:8113 1404 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConnection::Connect adconnection.cpp:377 1404 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConnection::BindToDc adconnection.cpp:226 1404 W One or more arguments are not correct.]
20140303 12:18:28.514 1404 CREG 1419 Config::RegReader::IsSysVolCommitFlagSet key: System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Demoting SysVols valueName:'SysVol Information is Committed' result:0
20140303 12:18:28.514 1404 W2CH 266 ConfigurationHelper::PollAdConfigNow Trying to connect to AD
20140303 12:18:28.514 1404 CFAD 311 Config::AdConnection::Connect Binding to dcAddr:\\1.1.1.1 dcDnsName:\\MYDC.domain.tld
20140303 12:18:28.514 1404 CFAD 143 Config::AdConnection::BindToAd Trying to connect. hostName:MYDC.domain.tld
20140303 12:18:28.514 1404 CFAD 162 Config::AdConnection::BindToAd Bound. hostName:MYDC.domain.tld
20140303 12:18:28.514 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\MYDC.domain.tld domainName:<null>
20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\MYDC.domain.tld domainName:<null> Error:5
20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\MYDC.domain.tld domainName:<null> Error:[Error:5(0x5) Config::DsSession::Bind ad.cpp:3380 1404 W Access is denied.]
20140303 12:18:28.514 1404 CFAD 199 Config::AdConnection::BindToDc Try to bind. hostName:\\1.1.1.1 domainName:<null>
20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\1.1.1.1 domainName:<null> Error:87
20140303 12:18:28.514 1404 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\1.1.1.1 domainName:<null> Error:[Error:87(0x57) Config::DsSession::Bind ad.cpp:3380 1404 W The parameter is incorrect.]
20140303 12:18:28.514 1404 EVNT 1194 EventLog::Report Logging eventId:1202 parameterCount:4
20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter1:
20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter2:60
20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter3:160
20140303 12:18:28.514 1404 EVNT 1214 EventLog::Report eventId:1202 parameter4:One or more arguments are not correct.
20140303 12:18:28.530 1404 W2CH 318 [ERROR] ConfigurationHelper::PollAdConfigNow (Ignored) Failed to connect to AD. Error:
+ [Error:160(0xa0) Config::AdConfig::ConnectToLocalDc ad.cpp:8365 1404 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConfig::Connect ad.cpp:8113 1404 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConnection::Connect adconnection.cpp:377 1404 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConnection::BindToDc adconnection.cpp:226 1404 W One or more arguments are not correct.]
When I run "dfsrdiag pollad":
[ERROR] PollDsNow method executed unsuccessfully. ReturnValue: 12 (0xc)
[ERROR] Failed to execute PollAD command Err: -2147217407 (0x80041001)
However I can run "dfsrdiag dumpadcfg" and it outputs everything fine.
We don't have any other problems with AD. It seems like this started after we installed KB2467173 & KB2538242. We are going to uninstall those and see if it works.
All replies (10)
Saturday, March 8, 2014 3:47 PM âś…Answered | 1 vote
I dumped the firewall state "NetSh.exe WFP Show State" and searched through its 36000+ lines to review all the DFSR items. I found the one thats causing my problems.
<item>
<filterKey>{e52515e6-8466-42ce-88a5-618453be67dc}</filterKey>
<displayData>
<name>Allow outgoing RPC traffic from DFSR</name>
<description/>
</displayData>
<flags numItems="1">
<item>FWPM_FILTER_FLAG_INDEXED</item>
</flags>
<providerKey>{4b153735-1049-4480-aab4-d1b9bdc03710}</providerKey>
<providerData>
<data>a500000000000000</data>
<asString>........</asString>
</providerData>
<layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
<subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2300}</subLayerKey>
<weight>
<type>FWP_EMPTY</type>
</weight>
<filterCondition numItems="4">
<item>
<fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_BYTE_BLOB_TYPE</type>
<byteBlob>
<data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650032005c00770069006e0064006f00770073005c00730079007300740065006d00330032005c00640066007300720073002e006500780065000000</data>
<asString>\device\harddiskvolume2\windows\system32\dfsrs.exe</asString>
</byteBlob>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_SECURITY_DESCRIPTOR_TYPE</type>
<sd>O:SYG:SYD:(A;;CCRC;;;S-1-5-80-1267473060-1890374259-1137250836-544356534-2546457154)</sd>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_IP_PROTOCOL</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT8</type>
<uint8>6</uint8>
</conditionValue>
</item>
<item>
<fieldKey>FWPM_CONDITION_IP_REMOTE_PORT</fieldKey>
<matchType>FWP_MATCH_RANGE</matchType>
<conditionValue>
<type>FWP_RANGE_TYPE</type>
<rangeValue>
<valueLow>
<type>FWP_UINT16</type>
<uint16>1024</uint16>
</valueLow>
<valueHigh>
<type>FWP_UINT16</type>
<uint16>65535</uint16>
</valueHigh>
</rangeValue>
</conditionValue>
</item>
</filterCondition>
<action>
<type>FWP_ACTION_PERMIT</type>
<filterType/>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>69242</filterId>
<effectiveWeight>
<type>FWP_UINT64</type>
<uint64>844905966469120</uint64>
</effectiveWeight>
</item>
Because the port we used for NTDS is 1001 it falls outside the scope of the base filtering rule and cannot be fixed without changing the static RPC port we are using.
http://support.microsoft.com/kb/224196/en-us
Tuesday, March 4, 2014 9:41 AM
Please first check the network connectivity from servers to DC. Try to Ping DC and access a shared folder on DC to see the result.
Also try to disable Windows Firewall incase it is caused by blocked ports.
If you have any feedback on our support, please send to [email protected].
Tuesday, March 4, 2014 3:29 PM
I can ping & browse all the domain controllers without any problems. My other DFSR groups on server 2008 are working fine. My firewall does not report any additional ports being blocked.
There are a few articles on how to debug DFS that I found.
http://blogs.technet.com/b/askds/archive/2008/04/02/directory-services-debug-logging-primer.aspx
http://blogs.technet.com/b/askds/archive/2009/04/08/understanding-dfsr-debug-logging-part-18-ldap-queries-failing-due-to-network-uses-debug-severity-5.aspx
Just to make sure I also disabled the firewall on the domain controller but it made no difference. There is not much about DsBind Error:5 or Error:87.
All my GPO's are working correctly too.
Tuesday, March 4, 2014 6:52 PM
I think the main problem is when DFSR tries to bind to AD its getting "Access is denied." for some reason.
20140304 07:08:16.220 2200 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\MYDC.domain.tld domainName:<null> Error:5
20140304 07:08:16.220 2200 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\MYDC.domain.tld domainName:<null> Error:[Error:5(0x5) Config::DsSession::Bind ad.cpp:3380 2200 W Access is denied.]
20140304 07:08:16.220 2200 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\1.1.1.1 domainName:<null> Error:87
20140304 07:08:16.220 2200 CFAD 215 Config::AdConnection::BindToDc (Ignored) Failed to bind. hostName:\\1.1.1.1 domainName:<null> Error:[Error:87(0x57) Config::DsSession::Bind ad.cpp:3380 2200 W The parameter is incorrect.]
20140304 07:08:16.220 2200 SCFS 150 [WARN] ServiceConfig::DsPollIsDue Failed to enable lightweight polling. Error:
+ [Error:160(0xa0) Config::AdConfig::ConnectToLocalDc ad.cpp:8365 2200 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConfig::Connect ad.cpp:8113 2200 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConnection::Connect adconnection.cpp:377 2200 W One or more arguments are not correct.]
+ [Error:160(0xa0) Config::AdConnection::BindToDc adconnection.cpp:226 2200 W One or more arguments are not correct.]
Thursday, March 6, 2014 2:23 PM
Well I used adsiedit.msc to remove the DFSR configuration from the servers computer accounts.
Then uninstalled & reinstalled DFSR.
Uninstall-WindowsFeature FS-DFS-Replication
<reboot>
Install-WindowsFeature FS-DFS-Replication
When the DFSR service started I get a different message.
The DFS Replication service successfully contacted domain controller \\MYDC.domain.tld to access configuration information.
Initial replication of my content has finished and everything looks good.
Then I rebooted the machine and its broken again.
Thursday, March 6, 2014 2:45 PM
I can successfully run "dfsrdiag.exe dumpadcfg" and it outputs the entire config. Why does "dfsrdiag pollad" fail then if the config can be read.
Why did it work before I rebooted the server? In both cases it broke after rebooting.
PS C:\Windows\system32> dfsrdiag dumpadcfg
LDAP Bind : mydc.domain.tld
SitesDn : cn=sites,cn=configuration,dc=domain,dc=tld
ServicesDn : cn=services,cn=configuration,dc=domain,dc=tld
SystemDn : cn=system,dc=domain,dc=tld
DefaultNcDn : dc=domain,dc=tld
ComputersDn : cn=computers,dc=domain,dc=tld
DomainCtlDn : ou=domain controllers,dc=domain,dc=tld
SchemaDn : CN=Schema,CN=Configuration,dc=domain,dc=tld
COMPUTER: web1
DN : cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
GUID : 152E849C-4D7B-4AE8-B034-83747DBC1E89
DNS : web1.domain.tld
Server Ref : (null)
USN Changed : 10862129
When Created : Friday, January 31, 2014 8:41:06 PM
When Changed : Tuesday, March 4, 2014 2:54:36 PM
LOCAL SETTINGS: DFSR-LOCALSETTINGS
DN : cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
GUID : 3FD696E7-6598-4CDB-B2AB-98F148C0D2F7
Version : 1.0.0.0
USN Changed : 10932017
When Created : Thursday, March 6, 2014 2:11:12 PM
When Changed : Thursday, March 6, 2014 2:15:25 PM
SUBSCRIBER: FF88A312-A0EB-44CC-A614-7A3D06DCC0AB
DN : cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
GUID : 1119B663-F02A-4F1F-A904-23A87CFC93C3
Member Ref : cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
USN Changed : 10931931
When Created : Thursday, March 6, 2014 2:11:12 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
SUBSCRIPTION: 6783DDE1-C795-4E8B-B07D-4EA8D7D0317F
DN : cn=6783dde1-c795-4e8b-b07d-4ea8d7d0317f,cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
GUID : 3737B1F2-7E38-47E2-90E7-E57D82B145F1
ContentSetGuid: 6783DDE1-C795-4E8B-B07D-4EA8D7D0317F
Root Path : c:\inetpub\internetsites
Root Size : 10240 (MB)
Staging Path : c:\inetpub\internetsites\dfsrprivate\staging
Staging Size : 4096 (MB)
Conflict Path : c:\inetpub\internetsites\dfsrprivate\conflictanddeleted
Conflict Size : 4096 (MB)
USN Changed : 10931919
When Created : Thursday, March 6, 2014 2:11:13 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
SUBSCRIPTION: F2F1F3A2-B36F-4170-B371-8E8043DF73F4
DN : cn=f2f1f3a2-b36f-4170-b371-8e8043df73f4,cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
GUID : 57E7F8D7-1121-4334-BC81-74226ADF8969
ContentSetGuid: F2F1F3A2-B36F-4170-B371-8E8043DF73F4
Root Path : c:\internet_data
Root Size : 10240 (MB)
Staging Path : c:\internet_data\dfsrprivate\staging
Staging Size : 4096 (MB)
Conflict Path : c:\internet_data\dfsrprivate\conflictanddeleted
Conflict Size : 4096 (MB)
USN Changed : 10931921
When Created : Thursday, March 6, 2014 2:11:13 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
SUBSCRIPTION: D0438B52-B706-4E40-B4C3-FE7A1ACA5FCF
DN : cn=d0438b52-b706-4e40-b4c3-fe7a1aca5fcf,cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=dfsr-localsettings,cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
GUID : F8217091-F71A-4D4A-A676-097583171A63
ContentSetGuid: D0438B52-B706-4E40-B4C3-FE7A1ACA5FCF
Root Path : c:\php\phpsites
Root Size : 10240 (MB)
Staging Path : c:\php\phpsites\dfsrprivate\staging
Staging Size : 4096 (MB)
Conflict Path : c:\php\phpsites\dfsrprivate\conflictanddeleted
Conflict Size : 4096 (MB)
USN Changed : 10931923
When Created : Thursday, March 6, 2014 2:11:13 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
GLOBAL SETTINGS: DFSR-GLOBALSETTINGS
DN : cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : 2E98CE5E-5CC7-4322-B5EA-2B6B340C689F
USN Changed : 12525
When Created : Saturday, October 22, 2011 1:56:38 AM
When Changed : Saturday, October 22, 2011 1:56:38 AM
REPLICATION GROUP: WEB CONTENT
DN : cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : 9C94A417-6F6C-4F6C-BBFA-B8F52854C4DF
Type : 0 (UNKNOWN REPLICATION GROUP TYPE)
Options : 0x1 [Local Time Schedule]
USN Changed : 10931906
When Created : Thursday, March 6, 2014 2:11:12 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
CONTENT: CONTENT
DN : cn=content,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : 6714C533-E631-4E71-930D-E4934FB7BD7E
USN Changed : 10931908
When Created : Thursday, March 6, 2014 2:11:12 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
CONTENT SET: INTERNET_DATA
DN : cn=internet_data,cn=content,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : F2F1F3A2-B36F-4170-B371-8E8043DF73F4
File Filter : ~*, *.bak, *.tmp
Compression Excl : (null)
Dir Filter : (null)
USN Changed : 10931916
When Created : Thursday, March 6, 2014 2:11:13 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
CONTENT SET: INTERNETSITES
DN : cn=internetsites,cn=content,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : 6783DDE1-C795-4E8B-B07D-4EA8D7D0317F
File Filter : ~*, *.bak, *.tmp
Compression Excl : (null)
Dir Filter : (null)
USN Changed : 10931915
When Created : Thursday, March 6, 2014 2:11:13 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
CONTENT SET: PHPSITES
DN : cn=phpsites,cn=content,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : D0438B52-B706-4E40-B4C3-FE7A1ACA5FCF
File Filter : ~*, *.bak, *.tmp
Compression Excl : (null)
Dir Filter : (null)
USN Changed : 10931917
When Created : Thursday, March 6, 2014 2:11:13 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
TOPOLOGY: TOPOLOGY
DN : cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : 16053002-7B99-4DA7-BFE5-2A6418040640
USN Changed : 10931907
When Created : Thursday, March 6, 2014 2:11:12 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
MEMBER: FF88A312-A0EB-44CC-A614-7A3D06DCC0AB
DN : cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : 75A99277-C401-409F-A32D-6D8EE18E5D0C
Server Ref : (null)
Computer Ref : cn=web1,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
Keywords : (null)
Computer DNS : web1.domain.tld
USN Changed : 10931933
When Created : Thursday, March 6, 2014 2:11:12 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
CXTION: 9ECE3EB7-FE97-4A1B-8DE3-47A77B2C625B
DN : cn=9ece3eb7-fe97-4a1b-8de3-47a77b2c625b,cn=ff88a312-a0eb-44cc-a614-7a3d06dcc0ab,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : 1D26B348-3875-4BD1-9473-E72506AFA222
Inbound : true
Partner DN : cn=46f913db-8509-4581-a66d-d37e4ea3ef29,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
Enabled : TRUE
Options : 0x1 [Local Time Schedule]
USN Changed : 10931924
When Created : Thursday, March 6, 2014 2:11:13 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
CXTION: 2BFA8BE2-0444-4AAF-8293-A5486CF8D7A3
DN : cn=2bfa8be2-0444-4aaf-8293-a5486cf8d7a3,cn=46f913db-8509-4581-a66d-d37e4ea3ef29,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : A7203451-D95F-44D5-AC04-13056DCE5A89
Inbound : false
Partner DN : cn=46f913db-8509-4581-a66d-d37e4ea3ef29,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
Enabled : TRUE
Options : 0x1 [Local Time Schedule]
USN Changed : 10931925
When Created : Thursday, March 6, 2014 2:11:13 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
MEMBER: 46F913DB-8509-4581-A66D-D37E4EA3EF29
DN : cn=46f913db-8509-4581-a66d-d37e4ea3ef29,cn=topology,cn=web content,cn=dfsr-globalsettings,cn=system,dc=domain,dc=tld
GUID : 1BA26D07-45F5-44A0-8450-9274AFD99B1C
Server Ref : (null)
Computer Ref : cn=fccu01web,ou=web,ou=virtual servers,ou=servers,dc=domain,dc=tld
Keywords : (null)
Computer DNS : fccu01web.domain.tld
USN Changed : 10931927
When Created : Thursday, March 6, 2014 2:11:12 PM
When Changed : Thursday, March 6, 2014 2:11:27 PM
Operation Succeeded
Friday, March 7, 2014 2:26 AM
I found that 2012 R2 had Schema updates. Not sure if they were required just to use the 2012 DFSR but I installed them anyway.
Requirements (Update Schema)
http://technet.microsoft.com/en-us/library/jj127250.aspx
It did not fix my problem. I still get "Access is denied." in the debug logs and Event Viewer message
The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
Additional Information:
Error: 160 (One or more arguments are not correct.)
Friday, March 7, 2014 9:49 PM
Its a wild guess but could "Error: 5" indicate "RPC_S_ACCESS_DENIED"?
http://msdn.microsoft.com/en-us/library/aa378645%28VS.85%29.aspx
20140303 12:18:28.514 1404 CFAD 3373 [ERROR] Config::DsSession::Bind Failed to DsBind(). dc:\\MYDC.domain.tld domainName:<null> Error:5
Saturday, March 8, 2014 12:42 AM
After looking forever I happen to spot a Audit Failure in the Security Event Viewer.
So that explains why I never saw anything blocked at my firewall because its not even leaving the hosts! So what in the world would prevent DFSR from making a outbound connection? Btw turning the firewall to "Off" did not prevent this from being blocked. Something must be screwy.
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 5644
Application Name: \device\harddiskvolume2\windows\system32\dfsrs.exe
Network Information:
Direction: Outbound
Source Address: 127.0.0.1
Source Port: 57709
Destination Address: 1.1.1.1
Destination Port: 1001
Protocol: 6
Filter Information:
Filter Run-Time ID: 69249
Layer Name: Connect
Layer Run-Time ID: 48
and
The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID: 5644
Application Name: \device\harddiskvolume2\windows\system32\dfsrs.exe
Network Information:
Direction: Outbound
Source Address: 127.0.0.1
Source Port: 57709
Destination Address: 1.1.1.1
Destination Port: 1001
Protocol: 6
Filter Information:
Filter Run-Time ID: 69249
Layer Name: Connect
Layer Run-Time ID: 48
Saturday, March 8, 2014 2:44 PM
On our domain controllers we have static RPC ports configured so we can use Network Access Protection with 802.1x and any un-authorized systems get put into a restricted VLAN.
The static RPC port allows us to use an ACL and still join un-authorized systems to our domain.
http://support.microsoft.com/kb/224196/en-us
On all the domain controllers we have:
HKEY_LOCAL_MACHINE\CurrentControlSet\Services\NTDS\Parameters
TCP/IP Port = 1001
HKEY_LOCAL_MACHINE\CurrentControlSet\Services\Netlogon\Parameters
DCTcpipPort = 1002
So I am guessing that the Base Filtering engine does not recognize this as NTDS traffic on port 1001 and its being blocked.
Creating a outbound firewall rule to allow the DFSR service full outbound access does not fix the problem either.