I have two domains: domain1.en (functional level 2016) and domain2.lan (functional level 2003).
I would like to make an approval relation between these domains (forest relation).
DC1.domain2 is the primary server in WS2003 and DC2.domain2 is in WS2016.
DCx.domain1 are in WS2016.
On DC1.domain1 I want to initiate the approval relationship with domain2.
I enter the domain name: domain2.lan and... Error DC rpc server: DC1.domain2.lan unavailable
In the opposite direction, it is the same thing (on DC1.domain2)
Do you have an idea of the problem?
Is it the versions (2003)?
Is it something else?
How to know on which domain/DC is the problem?
I specify that there is no DNS error (I put conditional redirectors).
This question is related to an earlier one I asked, but more specific and hopefully easier to answer.
Essentially, I can't connect to my RDS instance. I tried in my SQL editor (DataGrip) and also by pinging the server on the console. Comments on my previous question led me to believe that my problem has to do with the security group. Upon investigation, however, everything seems to be in order: my security group has an inbound rule that should allow all inbound access.
Security Group:
Console Ping:
What is going on here?
EDIT:
It was pointed out that all inbound access does not mean what I thought it did. However I also tried allowing inbound access for my specific IP with still no luck.
Here is the inbound rule for My IP:
EDIT 2:
Not sure what this means but it's not timing out on the EC2...
See comments for context?
"inbound rule that should allow all inbound access"
It does not. It only allows inbound traffic from SG with id of sg-ea3.... This means that you can't connect to it from home, work etc. To allow all inbound access the source should be 0.0.0.0/0, but it would be better to have your exact home/work ip address <your-ip-address>/32.
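The distinction drawn in this answer, as an added example that is not part of the original posts: a small evaluator showing why a rule whose source is a security group does not admit an outside address, while a CIDR source does. The rule layout follows the `IpPermissions` structure of `aws ec2 describe-security-groups`; the group ID `sg-EXAMPLE`, the addresses and port 3306 are constructed placeholders.

```python
import ipaddress

# Constructed rules in the IpPermissions shape returned by
# `aws ec2 describe-security-groups`; IDs, addresses and port are placeholders.
RULES_SG_SOURCE = [   # "All traffic", but the source is another security group
    {"IpProtocol": "-1", "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-EXAMPLE"}]},
]
RULES_MY_IP = [       # one TCP port, source is a single address (/32)
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "203.0.113.25/32"}], "UserIdGroupPairs": []},
]

def port_matches(rule, port):
    """True if the rule covers TCP `port` ("-1" means every protocol and port)."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]

def explain_access(rules, client_ip, port, client_sgs=()):
    """Return (allowed, reasons) for a TCP connection from client_ip to port.

    client_sgs lists the security groups attached to the client; it is empty
    for a machine outside the VPC, such as a home or office workstation.
    """
    ip = ipaddress.ip_address(client_ip)
    allowed, reasons = False, []
    for rule in rules:
        if not port_matches(rule, port):
            reasons.append(f"rule does not cover tcp/{port}")
            continue
        for rng in rule.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if ip in net:
                allowed = True
                reasons.append(f"source CIDR {net} covers {ip}")
            else:
                reasons.append(f"source CIDR {net} does not cover {ip}")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] in client_sgs:
                allowed = True
                reasons.append(f"client is a member of {pair['GroupId']}")
            else:
                reasons.append(f"source {pair['GroupId']} matches only its members")
    return allowed, reasons
```

The second case in the test below, a client inside the referenced group, is consistent with the connection not timing out from the EC2 instance.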
Does anyone know of software that can redirect a TDS client request to an appropriate instance of Sql Server based on the database catalog that the client is attempting to connect to?
In other words, say I have 3 database catalogs (dbcat1, dbcat2, dbcat3) and they're all hosted on the same server (sqlServer). The client code would have connection strings like "server=sqlServer;database=dbcat1" and "server=sqlServer;database=dbcat2", for example.
I would like some sort of (reverse) proxy software that would allow me to move one or more database catalogs to different server instances, but allow the client configuration to remain unchanged. For example, I could put dbcat1 and dbcat3 on sqlA, and put dbcat2 on sqlB, and sqlServer would be the new proxy software. It would pass the connection through to the appropriate SqlServer instance based on its configuration, and the client would have no idea it wasn't talking directly to a SqlServer instance.
Does such a thing exist, or do I get the "joy" of having to write something if I really, really want it? And, yes, I know this is not HA (High Availability) or DR (Disaster Recovery).
SqlServer Failover Clustering does not do this; it's for HA. It redirects at the server instance level (guest clustering)
SqlServer Availability Groups does not do this; it's for DR. You still need to know the AG that hosts the database you want (if you move the dbcat to another AG, you have to update your client config).
Microsoft Proxy Server was replaced by ISA and likely didn't do it anyhow.
Microsoft ISA (Forefront) is just a "dumb" proxy as far as I could tell.
I am having issues with creating a failover cluster with an availability group.
I've made a Windows failover cluster, and a SQL availability group. I also have an Azure load balancer with an IP address and a DNS name.
I am trying to follow this guide here
I get to the Configure the Listener, add Client access point, and things fail from there.
Is the name here supposed to be the DNS name in the load balancer? Same for the IP? Or is it supposed to be another object in Active Directory?
Steps 5 and 6 seem to conflict. Is the dependency supposed to be a resource or an IP?
If anyone has any advice, I would be appreciative.
I have been using the above guide trying to get things to work in the GUI before changing this over to PowerShell code.
I suspect either there is something I am missing, or this is all the same IP address and dns name used.
PowerShell Script
New-Cluster -Name "DI-XXX-YY-CLUSTER" -Node "di-XXX-YY-db1","di-XXX-YY-db2" -NoStorage -StaticAddress 172.17.XX.YYY
Set-ClusterQuorum -NodeAndFileShareMajority "\\DI-XXX-YY-WS1\ClusterQuorum"
Invoke-Command -ComputerName "DI-XXX-YY-WS1" -ScriptBlock { mkdir c:\Quorum}
Invoke-Command -ComputerName "DI-XXX-YY-WS1" -ScriptBlock { New-SmbShare -Name "Quorum" -Path "c:\Quorum" -FullAccess "didevtest.local\DI-XXX-YY-CLUSTE"}
Add-ClusterNode -Cluster "DI-XXX-YY-CLUSTER" -Name "di-XXX-YY-db2" -NoStorage
The Server manager on the second node (di-XXX-YY-db2) showing a warning.
Incomplete communication with DI-XXX-YY-CLUSTER. The following nodes
or cluster roles might be offline or have connectivity issues
Server Manager->All Servers
The Server Manager refresh fails on the second node (di-XXX-YY-db2)
Windows error log entries
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the
server di-XXX-XX-db1$. The target name used was
MSServerClusterMgmtAPI/DI-XXX-XX-CLUSTER.didevtest.local. This
indicates that the target server failed to decrypt the ticket provided
by the client. This can occur when the target server principal name
(SPN) is registered on an account other than the account the target
service is using. Ensure that the target SPN is only registered on the
account used by the server. This error can also happen if the target
service account password is different than what is configured on the
Kerberos Key Distribution Center for that target service. Ensure that
the service on the server and the KDC are both configured to use the
same password. If the server name is not fully qualified, and the
target domain (DIDEVTEST.LOCAL) is different from the client domain
(DIDEVTEST.LOCAL), check if there are identically named server
accounts in these two domains, or use the fully-qualified name to
identify the server.
DCOM was unable to communicate with the computer
DI-XXX-XX-CLUSTER.didevtest.local using any of the configured
protocols; requested by PID 14d4
(C:\Windows\system32\ServerManager.exe).
You are creating a Windows Server Failover Cluster (WSFC), not an FCI. FCI is the clustered instance of SQL Server.
That said, check networking (including DNS), firewall, and most importantly, AD. If the WSFC is not coming online, it could be any of these things. Make sure that the CNO is precreated or the account creating the WSFC has rights to create objects in AD. If the object is there but not in DNS, similar issue - make sure DNS is right.
Also, why are you running Add-ClusterNode? The WSFC is being formed with both nodes in New-Cluster.
Check the logs and Event Viewer. They will give you a clue as to why things are messed up.
One NIC is fine if it's virtualized. There are cases where you would have two NICs (always in physical). Do you have two NICs in one server but not the other?
Also read all the text and not just go by the yellow/green/blue. Sometimes the problem is in the notes.
That said, again, go check SPNs and DNS. Look for things like duplicate or stale DNS records or duplicate SPNs.
You can search for "KRB_AP_ERR_MODIFIED cluster" on the web to see quite a few different solutions, but most are DNS related (including what I mentioned).
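A check for the duplicate-SPN condition that the event text and this answer describe, as an added example that is not part of the original posts. It works on constructed (account, SPN) pairs such as a directory export would give; every account and host name below is a placeholder, and the expected owner of an SPN is supplied by the caller.

```python
from collections import defaultdict

# Constructed (account, servicePrincipalName) pairs, e.g. from a directory
# export. All names are placeholders, not values from the post.
SAMPLE = [
    ("CLUSTER1$", "MSServerClusterMgmtAPI/CLUSTER1.example.local"),
    ("CLUSTER1$", "MSServerClusterMgmtAPI/CLUSTER1"),
    ("NODE1$", "HOST/NODE1.example.local"),
    # Same SPN as the first entry, different case, different account
    ("NODE1$", "msserverclustermgmtapi/cluster1.example.local"),
    ("NODE2$", "HOST/NODE2.example.local"),
]

def spn_owners(pairs):
    """Map each SPN (lower-cased, since SPN lookup ignores case) to its accounts."""
    owners = defaultdict(set)
    for account, spn in pairs:
        owners[spn.strip().lower()].add(account.strip().upper())
    return owners

def duplicate_spns(pairs):
    """SPNs registered on more than one account, with the accounts sorted."""
    return {s: sorted(a) for s, a in spn_owners(pairs).items() if len(a) > 1}

def diagnose(pairs, target_spn, expected_account):
    """Classify the target name from the Kerberos event against the export.

    Returns "ok", "missing", "duplicate" (expected account plus others) or
    "wrong-account" (registered, but not on the expected account).
    """
    holders = spn_owners(pairs).get(target_spn.strip().lower(), set())
    expected = expected_account.strip().upper()
    if not holders:
        return "missing"
    if holders == {expected}:
        return "ok"
    if expected in holders:
        return "duplicate"
    return "wrong-account"

if __name__ == "__main__":
    for spn, accounts in duplicate_spns(SAMPLE).items():
        print(f"{spn}: registered on {', '.join(accounts)}")
```

Both "duplicate" and "wrong-account" correspond to the cause named in the event text: the SPN is registered on an account other than the one the service uses.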
I have hosted my WebApp on server 1 and my database on server 2.
But I'm getting the following error:
Communication with the underlying transaction manager has failed.
I googled and found a post which mentioned that it is an issue with DTC (Distributed Transaction).
I enabled DTC on server2 (DB server) and made an exception for it in the firewall.
But still the same error.
Here is the full stack trace
Message: System.Transactions.TransactionManagerCommunicationException: Communication with the underlying transaction manager has failed. ---> System.Runtime.InteropServices.COMException: The MSDTC transaction manager was unable to pull the transaction from the source transaction manager due to communication problems. Possible causes are: a firewall is present and it doesn't have an exception for the MSDTC process, the two machines cannot find each other by their NetBIOS names, or the support for network transactions is not enabled for one of the two transaction managers. (Exception from HRESULT: 0x8004D02B)
at System.Transactions.Oletx.IDtcProxyShimFactory.ReceiveTransaction(UInt32 propgationTokenSize, Byte[] propgationToken, IntPtr managedIdentifier, Guid& transactionIdentifier, OletxTransactionIsolationLevel& isolationLevel, ITransactionShim& transactionShim)
at System.Transactions.TransactionInterop.GetOletxTransactionFromTransmitterPropigationToken(Byte[] propagationToken)
Kindly advise.
We had the exact same situation, and more than once. Each time, it was one of the following:
The IP address in the DNS for the server is outdated (as said in the error message: "two machines cannot find each other by their NetBIOS names"). You can check if this is the case by trying ping servername from one server to another in the command prompt. If the ping by name fails and ping by IP succeeds (or ping by name returns the wrong IP), then you should talk to the System Admins to take a look at DNS/DHCP.
The servers are created as an image of preconfigured server (for example, if you are working with virtual machines, and instead of doing a fresh install for each of the servers, you simply clone the image). This is a problem because DTC has an internal "Identifier" - and in case of image cloning both your installations now have same DTC ID, and won't be able to communicate with each other. The solution is to simply uninstall and install the DTC again.
Hope it helps.
Things to check:
Have you done this configuration on both servers?
Are both servers members of the same domain?
Have you checked the event log?
I had the same problem while connecting to a remote SQL Server.
The solution in my case was to add "enlist=false" to the connection string.
I was missing quite a lot of things:
No authentication (as DB server and APP server are not within the same AD domain)
Rule to Windows Firewall enabling msdtc.exe
Rule to firewall between DMZ and internal zone TCP 135,1024-65535 in both directions. The link tells you how to restrict the firewall policy to a few ports only.
short / long server names to hosts or a shared DNS server. E.g. 192.168.1.1 app1 as well as 192.168.1.1 app1.domain.local
On the other hand based on this link my setup doesn't require:
Allow Remote Clients
Allow Remote Administration
Enable XA Transactions (required prior to Windows Server 2003 SP1)
Solved after adding remote IP\machine name to files on server:
hosts, lmhosts
in folder
C:\Windows\System32\drivers\etc
One of our servers displayed this error after the Virtual Machine (VM) controlling our Domain Controller froze. Several related communication problems also started to pop up (like failed password resets). Resetting the frozen VM fixed the issue.
Lots of helpful answers already given.
One problem for me was the presence of invalid (Cyrillic) characters in the computer name.
And there is also a way to validate the connection between two servers (or between a server and a computer) using a small tool from Microsoft called DTCPing.