
Troubleshoot domain controller replication error 1727: The remote procedure call failed and did not execute


This article helps resolve the error "The remote procedure call failed and did not execute", which occurs during domain controller (DC) replication on Windows Server.

Applies to:   Windows 10, version 2004, Windows 10, version 1909, Windows Server 2019, Windows Server 2012 R2, Windows Server 2016
Original KB number:   4019721

Symptoms

This Active Directory (AD) replication error appears in one or more of the following forms:

  • Decimal: 1727
  • Hex: 0x6bf
  • Symbolic: RPC_S_CALL_FAILED_DNE
  • Error message: The remote procedure call failed and did not execute.

Cause

This problem occurs for one of the following reasons:

  • A network connectivity issue between the two domain controllers (DCs). See the following sections for details.
  • A load-induced performance issue on the replication partner. This issue is less common and is often transient in nature. See the following sections for details.

About the network connectivity issue

This problem occurs when the DC's replication partner can't complete the RPC connection to AD Replication's RPC Service (DRSR UUID E3514235-4B06-11D1-AB04-00C04FC2DCD2). More specifically, the replication partner can bind to the RPC endpoint mapper, but can't complete the DRSR RPC bind.

Possible root causes include:

  • firewalls
  • routers
  • WAN optimizers
  • other intermediate network devices
  • network filter drivers

About the performance issue

This problem occurs when one of the following conditions is true:

  • The server is backlogged and doesn't send the TCP ACK or the response message, so the sender abandons the TCP session.
  • The network is too slow or unreliable. It can't deliver the TCP ACK or the response message.

Resolution

To resolve this problem, determine any recent changes that would affect the network between the two DCs and undo those changes if possible. If there are no recent changes, you must fully examine the RPC network connectivity between the two DCs. To do so, follow either the high-level troubleshooting steps or the detailed troubleshooting steps.

High-level troubleshooting steps

  1. Take a double-sided network capture while you reproduce the problem. To do so, follow these steps (sample commands follow the note below):

    1. Start a network capture on both DCs.
    2. Manually start replication between the two DCs.
    3. Stop both sides of the trace when you receive the error.
  2. Examine the RPC conversation between the two DCs. Determine whether there's ever a case in which a message sent from the requestor DC doesn't elicit a response from the replication partner.

Note

Occasionally, there is a partial response that includes the piggybacked TCP ACK for the request message. But the traffic has been modified, or the response doesn't actually arrive at the requestor DC. Therefore, the TCP stack doesn't receive an ACK.
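For illustration, here is a minimal sketch of step 1 run from an elevated command prompt. The names DC1 and DC2, the trace file path, and the naming context DC=contoso,DC=com are placeholders for your environment, and repadmin assumes the AD DS management tools are installed:

    rem On each DC: start a built-in packet capture
    netsh trace start capture=yes tracefile=C:\temp\repro.etl

    rem From either machine: force DC2 to replicate the partition from DC1
    repadmin /replicate DC2 DC1 "DC=contoso,DC=com"

    rem On each DC: stop the capture once the 1727 error appears
    netsh trace stop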

Detailed troubleshooting steps

Start a network capture on both DCs before you take the following steps to test DC connectivity.

Test the source DC connectivity from the destination DC

Follow these steps on the destination DC:

  1. Verify whether the source DC is listening on TCP port 135. To do so, query the port (a sample command follows the registry note below).

    If the port status is FILTERED, AD replication is likely to fail with error 1722 instead. Try resolving error 1722, and then check whether AD replication succeeds. If the problem persists, restart the detailed troubleshooting steps.

    If the status isn't FILTERED, the command returns the RPC endpoint mapper database. Search for MS NT Directory DRS Interface to find the upper-range ports in the endpoint mapper database that the source DC is listening on for AD replication. You may get one or more entries. Make a note of the ports for ncacn_ip_tcp.

    For example, you get something that resembles the following example, which presents two upper-range ports 49159 and 49160:

    UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface ncacn_ip_tcp:2012dc[49159]
    UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface ncacn_ip_tcp:2012dc[49160]

    Note

    The upper-range ports are DC specific and are dynamically assigned. However, an administrator can hard-code the port that is used for AD replication by using the following registry value.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    Registry value: TCP/IP Port
    Value type: REG_DWORD
    Value data: (available port)
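    The text above doesn't reproduce the command itself. Assuming Microsoft's PortQry tool (an assumption; any tool that enumerates the RPC endpoint mapper works), the query against the source DC, here 2012dc, might look like this:

        portqry -n 2012dc -e 135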

  2. Test TCP port connectivity to the upper-range ports that you noted, running one query per port (sample commands follow this step).

    If the port status is FILTERED, review the network trace that you've captured to determine where the packet is blocked.
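    Continuing the PortQry assumption, and using the two example upper-range ports and host name from the endpoint mapper output above:

        portqry -n 2012dc -e 49159
        portqry -n 2012dc -e 49160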

  3. Test DNS. Verify that the destination DC can resolve the CNAME and HOST records of the source DC, and that the resolved IP address is the actual IP address of the source DC. If DNS points to an old or invalid IP address, the RPC connection attempt is made to an incorrect source DC.
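    A minimal sketch of this check using nslookup; the GUID placeholder and the contoso.com names are illustrative only (a DC's replication CNAME record has the form <DsaGuid>._msdcs.<forest root domain>):

        nslookup -type=CNAME <DsaGuid>._msdcs.contoso.com
        nslookup 2012dc.contoso.com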

Test the destination DC connectivity from the source DC

Repeat steps 1 through 3 on the source DC.

Hi all,

I recently had a similar problem (Veeam case #05377961) and wanted to add my solution here in case Googling brought anyone else this way.

My error was: Error: Failed to disable DC SafeBoot mode Cannot get [BcdObject.Id="{9dea862c-5cdd-4e70-acc1-f32b344d4795}",StoreFilePath=""] object. COM error: Code: 0x80041010

We do not use SentinelOne, however.

The agent log on the server contained the lines below:


After various troubleshooting steps, I used a tool called WMI Explorer to compare WMI entries between the problem server and another machine. Running the same search side by side, the "BCD" entries were simply gone from the problem server.

To fix it, I opened an Administrator command prompt and CD'd to c:\windows\system32\wbem. Running the command "mofcomp bcd.mof" fixed the issue. Re-running the search in WMI Explorer found the BCD entries just like it did on the comparison machine. The Veeam job then successfully ran.
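For copy-and-paste, the two commands from the paragraph above (standard Windows paths):

    cd /d C:\Windows\System32\wbem
    mofcomp bcd.mof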

I have no idea how the BCD entries disappeared from WMI in the first place, but I hope this helps someone.

Aborting a play on all hosts

Sometimes you want a failure on a single host, or failures on a certain percentage of hosts, to abort the entire play on all hosts. You can stop play execution after the first failure happens with any_errors_fatal. For finer-grained control, you can use max_fail_percentage to abort the run after a given percentage of hosts has failed.

Aborting on the first error: any_errors_fatal

If you set any_errors_fatal: true and a task returns an error, Ansible finishes the fatal task on all hosts in the current batch, then stops executing the play on all hosts. Subsequent tasks and plays are not executed. You can recover from fatal errors by adding a rescue section to the block (see the sketch after the example below). You can set any_errors_fatal at the play or block level.

- hosts: somehosts
  any_errors_fatal: true
  roles:
    - myrole

- hosts: somehosts
  tasks:
    - block:
        - include_tasks: mytasks.yml
      any_errors_fatal: true
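A minimal sketch of the rescue approach mentioned above; the task names and commands are illustrative only:

- hosts: somehosts
  tasks:
    - block:
        - name: Task that may fail
          ansible.builtin.command: /usr/bin/might-fail
      rescue:
        - name: Handle the failure so the run continues
          ansible.builtin.debug:
            msg: Recovered from the error
      any_errors_fatal: true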

You can use this feature when all tasks must be 100% successful to continue playbook execution. For example, if you run a service on machines in multiple data centers with load balancers to pass traffic from users to the service, you want all load balancers to be disabled before you stop the service for maintenance. To ensure that any failure in the task that disables the load balancers will stop all other tasks:

---
- hosts: load_balancers_dc_a
  any_errors_fatal: true
  tasks:
    - name: Shut down datacenter 'A'
      ansible.builtin.command: /usr/bin/disable-dc

- hosts: frontends_dc_a
  tasks:
    - name: Stop service
      ansible.builtin.command: /usr/bin/stop-software

    - name: Update software
      ansible.builtin.command: /usr/bin/upgrade-software

- hosts: load_balancers_dc_a
  tasks:
    - name: Start datacenter 'A'
      ansible.builtin.command: /usr/bin/enable-dc

In this example Ansible starts the software upgrade on the front ends only if all of the load balancers are successfully disabled.

Setting a maximum failure percentage

By default, Ansible continues to execute tasks as long as there are hosts that have not yet failed. In some situations, such as when executing a rolling update, you may want to abort the play when a certain threshold of failures has been reached. To achieve this, you can set a maximum failure percentage on a play:

---
- hosts: webservers
  max_fail_percentage: 30
  serial: 10

The max_fail_percentage setting applies to each batch when you use it with serial. In the example above, if more than 3 of the 10 servers in the first (or any) batch failed, the rest of the play would be aborted.

Note

The percentage set must be exceeded, not equaled. For example, if serial were set to 4 and you wanted the task to abort the play when 2 of the systems failed, set the max_fail_percentage at 49 rather than 50.

Controlling errors in blocks

You can also use blocks to define responses to task errors. This approach is similar to exception handling in many programming languages. See Handling errors with blocks for details and examples.