AD RPC Tools in troubleshooting Article 1

How to run tools for RPC errors on an AD server

When you run netdom query fsmo from a command line, you may receive an error message that is similar to the following: There are no more endpoints available from the endpoint mapper.

Other symptoms may include:

  • When you try to log on to the domain, you may receive an error message that is similar to the following: The system cannot log you on to this domain because the system’s computer account in its primary domain is missing or the password on that account is incorrect.
  • You cannot open Group Policy snap-ins.
  • When you try to open Active Directory Administrative Tools, such as Active Directory Users and Computers or Active Directory Sites and Services, you may receive the following error message: The specified domain either does not exist or could not be contacted.
  • You cannot browse the domain in Network Neighborhood.
  • You receive the following error message when you try to map drives or view resources on a remote server: Access denied.
  • File Replication Service (FRS) may be slow or fail completely. For example, the Sysvol folder may fail to replicate between domain controllers. When this occurs, you may receive a message similar to the following in the Ntfrs_000<x>.log files: RPC Unavailable
  • Microsoft Outlook may fail when connecting to a Microsoft Exchange server. When this occurs, you may receive username and password prompts when you open Outlook. When you enter valid credentials, you may receive an error message similar to the following: Your logon information is incorrect -OR- Outlook could not logon.
  • Also, when you click Check Name while creating a new mail account in Outlook, you may receive an error similar to the following: The name could not be resolved. The name could not be matched to a name in the address list.

Note If you use a network capture program, such as Network Monitor, to capture network traffic, the computer may not receive a response when it tries to establish an RPC session to another computer by using any port greater than 1024. The sending computer uses the Universal Unique Identifier (UUID) for the RPC Endpoint Mapper. The UUID for the RPC Endpoint Mapper is E1AF8308-5D1F-11C9-91A4-08002B14A0FA.


The Dcdiag tool

The Dcdiag tool analyzes the state of domain controllers in a forest or in an enterprise and reports any problems to help in troubleshooting. You can use it to help troubleshoot RPC Endpoint Mapper errors. To do this, follow these steps:

  1. Click Start, click Run, type cmd in the Open box, and then click OK.
  2. Type dcdiag, and then press ENTER.

If RPC Endpoint Mapper problems exist, the Dcdiag tool may respond with error messages that are similar to the following:

The replication generated an error (1753): There are no more endpoints available from the endpoint mapper.

DsBindWithSpnEx() failed with error 1753, There are no more endpoints available from the endpoint mapper.

Directory Binding Error 1753: There are no more endpoints available from the endpoint mapper.

DsBind() failed with error 1753, There are no more endpoints available from the endpoint mapper.

DsBindWithSpnEx() failed with error 1722, The RPC server is unavailable.

DsBindWithCred() failed with error 1753. There are no more endpoints available from the endpoint mapper.

Status is 1722: The RPC server is unavailable

The Netdiag tool

You can use the Netdiag tool to help isolate networking and connectivity problems, including RPC Endpoint Mapper problems. To do this, follow these steps:

  1. Click Start, click Run, type cmd in the Open box, and then click OK.
  2. Type netdiag, and then press ENTER.

If RPC Endpoint Mapper problems exist, the Netdiag tool may respond with error messages that are similar to the following:

[WARNING] Failed to query SPN registration on DC domaincontroller.domainname.com.

Kerberos test. . . . . . . . . . . : Skipped
Your logon domain isn’t running Kerberos. (<Domainname>\Administrator) Kerberos cannot be tested.

DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to domaincontroller.domainname.intranet (10.55.0.110). [EPT_S_NOT_REGISTERED]

Trust relationship test. . . . . . : Failed
Test to ensure DomainSid of domain ‘<domainname>’ is correct.
[FATAL] Secure channel to domain ‘<domainname>’ is broken. [ERROR_ACCESS_DENIED]

The Repadmin tool

You can use the Repadmin tool for Active Directory replication, for troubleshooting Active Directory replication problems, and for troubleshooting RPC Endpoint Mapper problems. To do this, follow these steps:

  1. Click Start, click Run, type cmd in the Open box, and then click OK.
  2. Type Repadmin /bind, and then press ENTER.

If RPC Endpoint Mapper problems exist, the Repadmin tool may respond with an error message that is similar to the following:

DsBindWithCred to localhost failed with status 1753 (0x6d9): There are no more endpoints available from the endpoint mapper.

The Ntdsutil tool

Enterprise and domain administrators can use the Ntdsutil tool to manage and repair Active Directory, and to help troubleshoot RPC Endpoint Mapper problems. To help troubleshoot RPC Endpoint Mapper problems, follow these steps:

  1. Click Start, click Run, type cmd in the Open box, and then click OK.
  2. Type NTDSUtil ?, and then press ENTER.
  3. At the ntdsutil: prompt, type Metadata cleanup, and then press ENTER.
  4. At the metadata cleanup: prompt, type Connections, and then press ENTER.
  5. At the Connections: prompt, type Connect to server localhost, and then press ENTER.

If RPC Endpoint Mapper problems exist, the Ntdsutil tool may respond with an error message that is similar to the following:

DsBindW error 0x6d9 (There are no more endpoints available from the endpoint mapper.)

The Gpotool tool

You can use the Gpotool tool to check the consistency of Group Policy objects on domain controllers. The Gpotool tool is contained in the Windows Server 2003 Resource Kit. You can download the Windows Server 2003 Resource Kit by visiting the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en

After you have installed the Resource Kit, you can use the Gpotool tool to help troubleshoot RPC Endpoint Mapper problems. To do this, follow these steps:

  1. Click Start, point to Programs, click Windows Resource Kit Tools, and then click Command Shell.
  2. Type gpotool, and then press Enter.

If RPC Endpoint Mapper problems exist, the Gpotool tool may respond with error messages that are similar to the following:

GPOTOOL: e ERROR: GetDCList; DsBindW; hr=800706d9; There are no more endpoints available from the endpoint mapper.
GPOTOOL: + File:d:\nt\private\ctpolprf\common\polutil\polutil.cxx; Line:728
GPOTOOL: e ERROR: GetDCList; GetDCList failed; hr=800706d9; There are no more endpoints available from the endpoint mapper.
GPOTOOL: + File:d:\nt\private\ctpolprf\common\polutil\polutil.cxx; Line:644

Event Viewer

The following events may be logged on a domain client, on a member server, or on a domain controller when RPC does not function correctly:

On an enterprise certification authority server, or on a subordinate certification authority server, an event that is similar to the following may be logged:

Event ID: 20

Event Source: KDC

Description: The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain’s public key infrastructure. The chain status is in the error data.

The Dcpromo tool

The Active Directory Installation Wizard (Dcpromo.exe) promotes Windows Server-based computers to be domain controllers. When the Dcpromo tool fails because of RPC problems, error messages that are similar to the following may appear in the DCPromo.log file.

Note The Dcpromo.log file is located in the %windir%\Debug folder.

02/07 21:08:48 [INFO] Error – The Directory Service failed to create the object CN=Name,CN=Partitions,CN=Configuration,DC=domain,DC=com. Please check the event log for possible system errors. (1753)
02/07 21:08:49 [INFO] NtdsInstall for servername.domainname.com returned 1753
02/07 21:08:49 [INFO] DsRolepInstallDs returned 1753
02/07 21:08:49 [ERROR] Failed to install the directory service (1753)

10/03 10:13:17 [INFO] Error – The Directory Service failed to create the server object for CN=NTDS Settings,CN=name,CN=Servers,CN=name,CN=Sites,CN=Configuration,DC=domainname,DC=com on server servername.domainname.com. Please ensure the network credentials provided have sufficient access to add a replica. (1753)
10/03 10:13:17 [INFO] NtdsInstall for servername.domainname.com. returned 1753
10/03 10:13:17 [INFO] DsRolepInstallDs returned 1753
10/03 10:13:17 [ERROR] Failed to install to Directory Service (1753)

06/20 16:41:27 [INFO] Error – The initial LDAP connection to server FQDNServerName failed. (58)
06/20 16:41:27 [INFO] NtdsInstall for servername.domainname.com. returned 58
06/20 16:41:27 [INFO] DsRolepInstallDs returned 58
06/20 16:41:27 [ERROR] Failed to install the directory service (58)

06/21 11:49:57 [INFO] Error – The Directory Service failed to replicate the partition CN=Schema,CN=Configuration,DC=… (1722)
06/21 11:49:59 [INFO] NtdsInstall for servername.domainname.com. returned 1722
06/21 11:49:59 [INFO] DsRolepInstallDs returned 1722
06/21 11:49:59 [ERROR] Failed to install the directory service (1722)

06/21 17:08:41 [INFO] NtdsInstall for servername.domainname.com. returned 1753
06/21 17:08:41 [INFO] DsRolepInstallDs returned 1753
06/21 17:08:41 [ERROR] Failed to install the directory service (1753)

  • Error code 58 represents “The specified server cannot perform the requested operation.”
  • Error code 1722 represents “The RPC server is unavailable.”
  • Error code 1753 represents “There are no more endpoints available from the endpoint mapper.”

Additionally, the DCPromoUI.log may report an error message that is similar to the following:

dcpromoui t:0x0C4 01335 Enter State::SetFailureMessage The operation failed because: The Directory Service failed to create the object CN=Name,CN=Partitions,CN=Configuration,DC=Domainname,DC=com.

The Active Directory Migration Tool

The Active Directory Migration Tool (ADMT) may generate events that are similar to the following in the Event Viewer on the computer where the ADMT is run:

The log from Clonepr.vbs from %windir%\debug appears as follows:

clonepr t:0x5CC 00254        HRESULT = 0x800706D9 
clonepr t:0x5CC 00255 Enter GetErrorMessage 800706D9
clonepr t:0x5CC 00256 Exit GetErrorMessage 800706D9
clonepr t:0x5CC 00257 Enter SetComError Failed to add the source SID to the destination object's SID history. The error was: "There are no more endpoints available from the endpoint mapper. "
clonepr t:0x5CC 00258 Exit SetComError Failed to add the source SID to the destination object's SID history. The error was: "There are no more endpoints available from the endpoint mapper. "
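
The tools above report the same few Win32 errors in different notations: decimal (1753), short hex (0x6d9), an HRESULT (800706d9) and a symbolic name (EPT_S_NOT_REGISTERED). The following triage script is an added example, not part of the original article; it normalizes those notations to the three codes explained above. The function names are illustrative, and the symbolic-name value and the 0x8007 HRESULT convention are standard Windows facts assumed here rather than stated on this page.

```python
import re
from collections import Counter

# Meanings exactly as listed in the error-code notes on this page.
MEANINGS = {
    58: "The specified server cannot perform the requested operation.",
    1722: "The RPC server is unavailable.",
    1753: "There are no more endpoints available from the endpoint mapper.",
}
# Symbolic name as printed by Netdiag; its value comes from the Windows SDK
# header winerror.h (an assumption of this example, not stated on the page).
SYMBOLS = {"EPT_S_NOT_REGISTERED": 1753}

# HRESULTs of the form 0x8007xxxx wrap a Win32 code in their low 16 bits.
HRESULT_RE = re.compile(r"\b(?:0x)?8007([0-9a-f]{4})\b", re.I)
# Short hex form, e.g. "0x6d9".
HEX_RE = re.compile(r"\b0x([0-9a-f]{1,4})\b", re.I)
# Decimal form after a keyword or an opening parenthesis: "error 1753", "(1753)".
DEC_RE = re.compile(r"(?:\b(?:error|status(?: is)?|returned)\s+|\()(\d{2,5})\b", re.I)

def codes_in(line):
    """Return the set of known Win32 codes mentioned in one output line."""
    found = {int(m.group(1), 16) for m in HRESULT_RE.finditer(line)}
    found |= {int(m.group(1), 16) for m in HEX_RE.finditer(line)}
    found |= {int(m.group(1)) for m in DEC_RE.finditer(line)}
    found |= {code for name, code in SYMBOLS.items() if name in line}
    return {c for c in found if c in MEANINGS}  # drop IPs, thread ids, etc.

def triage(lines):
    """Count, per code, how many lines report it (a line counts once per code)."""
    counts = Counter()
    for line in lines:
        counts.update(codes_in(line))
    return counts

# Sample lines copied from the tool output quoted on this page.
SAMPLE = [
    "DsBindWithSpnEx() failed with error 1722, The RPC server is unavailable.",
    "DsBindWithCred to localhost failed with status 1753 (0x6d9): There are no more endpoints available from the endpoint mapper.",
    "DsBindW error 0x6d9 (There are no more endpoints available from the endpoint mapper.)",
    "GPOTOOL: e ERROR: GetDCList; DsBindW; hr=800706d9; There are no more endpoints available from the endpoint mapper.",
    "clonepr t:0x5CC 00254        HRESULT = 0x800706D9",
    "[WARNING] Cannot call DsBind to domaincontroller.domainname.intranet (10.55.0.110). [EPT_S_NOT_REGISTERED]",
    "06/20 16:41:27 [INFO] NtdsInstall for servername.domainname.com. returned 58",
    r"GPOTOOL: + File:d:\nt\private\ctpolprf\common\polutil\polutil.cxx; Line:644",
]

if __name__ == "__main__":
    for code, n in triage(SAMPLE).most_common():
        print(f"{code} (0x{code:x}) in {n} line(s): {MEANINGS[code]}")
```

To use it on real output, redirect a tool's output or a copy of Dcpromo.log to a text file and pass its lines to triage().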