Windows Server 2008 Domain Controllers unable to authenticate login requests.

Recently I was faced with a problem. My Windows Server 2003 DCs could authenticate logins fine, but my Windows Server 2008 DCs didn’t work at all.

Naturally, in this situation you run good old DCDIAG against the servers in question.
In my case, it came back with:

“dsbindwithspnex() failed with error 1753”

Which, with a brief Google, leads you to Troubleshooting RPC Endpoint Mapper errors (KB839880).

As two servers worked (2k3) and two didn’t (2k8), it seemed likely to be a simple firewall misconfiguration. So I asked for our firewall config from our firewall crew, and it all came back identical. The functioning servers had exactly the same ports open as did our non-functioning servers.

I was perplexed. Eventually a bit of “endpoint mapping troubleshooting” Googling led me to How to configure RPC to use certain ports (KB908472).

Which eventually led me to the realisation that Windows Server 2003 and Windows Server 2008 use different dynamic port ranges for RPC.

Enable these extra ports on the firewall (49152 to 65535) or redefine them (using netsh), and Bob’s your uncle.

Good luck diagnosing this as the issue though! The 2k3, 2k8 association isn’t necessarily the first thing that springs to mind.
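
The mismatch described above can be checked mechanically. The following PowerShell sketch is an added example, not part of the original post: it parses the dynamic port range a DC reports via netsh and lists the sub-ranges the firewall does not permit. The sample netsh output and the firewall rule list are constructed assumptions, and the function names are hypothetical.

```powershell
# Constructed sample of `netsh int ipv4 show dynamicport tcp` on a 2008 DC (English UI).
# On a live server use: $sample = netsh int ipv4 show dynamicport tcp
$sample = @(
    'Protocol tcp Dynamic Port Range',
    '---------------------------------',
    'Start Port      : 49152',
    'Number of Ports : 16384'
)

# Assumption: TCP ranges the firewall permits towards the DCs (hypothetical rule set,
# sized for the Windows Server 2003 default dynamic range of 1025-5000).
$firewallAllowed = @(
    @{ From = 135;  To = 135  },   # RPC endpoint mapper
    @{ From = 1025; To = 5000 }
)

function Get-DynamicPortRange {
    param([string[]]$NetshOutput)
    $start = $null; $count = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Start Port\s*:\s*(\d+)')      { $start = [int]$Matches[1] }
        if ($line -match '^\s*Number of Ports\s*:\s*(\d+)') { $count = [int]$Matches[1] }
    }
    if ($null -eq $start -or $null -eq $count) { throw 'Could not parse netsh output' }
    [pscustomobject]@{ From = $start; To = $start + $count - 1 }
}

function Get-UncoveredPorts {
    param($Range, $Allowed)
    # Walk the dynamic range and collect the sub-ranges no firewall rule covers.
    $gaps = @(); $cursor = $Range.From
    foreach ($rule in ($Allowed | Sort-Object { $_.From })) {
        if ($rule.To -lt $cursor -or $rule.From -gt $Range.To) { continue }
        if ($rule.From -gt $cursor) { $gaps += "$cursor-$($rule.From - 1)" }
        $cursor = [Math]::Max($cursor, $rule.To + 1)
    }
    if ($cursor -le $Range.To) { $gaps += "$cursor-$($Range.To)" }
    $gaps
}

$range = Get-DynamicPortRange -NetshOutput $sample
$gaps  = @(Get-UncoveredPorts -Range $range -Allowed $firewallAllowed)
"Dynamic RPC range on this DC: $($range.From)-$($range.To)"
if ($gaps) { "Not permitted by firewall: $($gaps -join ', ')" } else { 'Firewall covers the full range' }
# To narrow the range instead of opening it all:
#   netsh int ipv4 set dynamicport tcp start=<port> num=<count>
```

Redefining the range with netsh changes the ephemeral port range for all outbound TCP on the server, not only RPC, so size it with that in mind before tightening the firewall rule to match.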
