08-19-2016 10:52 AM
I am getting ERROR_RPC_NETLOGON_FAILED when authenticating using MS-RPC against one domain controller. Kerberos tests pass fine. If I use the other domain controller, both MS-RPC and Kerberos work. I built a new DC and only Kerberos works against it. I've read the bug ID with AD and ISE related to this issue. Removed and rejoined ISE to the domain, but that only works if it goes to DC01. If it chooses DC02, MS-RPC fails.
Assuming this is a Microsoft Server issue but have not been able to find a fix. Anyone encountered this and found a resolution?
DC01 2012 Essentials Server - MS_RPC and Kerberos Pass
DC02 2012 Standard Server - MS_RPC Fails and Kerberos Pass
The Active Directory Security log on the working DC shows a successful impersonation delegation and shows my username. On DC02, which is not working, the impersonation delegation shows Null SID and not the username.
MS_RPC Test from ISE
Error : Authentication encountered an error due to network, AD DNS misconfiguration. This may be a temporary error.
Processing Steps:
Resolving identity - username
Search for matching accounts at join point - domain.local
Single matching account found in forest - domain.local
Identity resolution detected single matching account
RPC Logon request failed - STATUS_ACCESS_DENIED,ERROR_RPC_NETLOGON_FAILED,username@domain.local
Communication with domain controller failed - dc02.domain.local,ERROR_RPC_NETLOGON_FAILED
RPC Logon request failed - STATUS_ACCESS_DENIED,ERROR_RPC_NETLOGON_FAILED,username@domain.local
Communication with domain controller failed - dc02.domain.local,ERROR_RPC_NETLOGON_FAILED
RPC Logon request failed - STATUS_ACCESS_DENIED,ERROR_RPC_NETLOGON_FAILED,username@domain.local
Communication with domain controller failed - dc02.domain.local,ERROR_RPC_NETLOGON_FAILED
Failover threshold has been exceeded
09-05-2016 10:54 AM
Great to hear you got it working.
10-10-2016 09:18 AM
Hi guys, my apologies, I forgot to update my thread. I re-installed my AD as it was an upgraded directory from 2008r2 to 2012r2 over a couple of years. As I reviewed, I was actually having directory replication issues, so I decided to reload fresh on 2012r2. Everything is working as expected now. Thank goodness!!!
11-12-2017 10:26 PM
Hi guys,
I have a similar problem, but my case is a bit different. Both my PSN01 and PSN02 are connected to the same domain controller, DC01.
PSN01 --> DC01, RPC logon failed.
PSN02 --> DC01, RPC logon successful.
In this case, what could be the possibilities?
11-13-2017 06:41 AM
If your deployment has multiple domain controllers, please still investigate Active Directory health. For a single domain controller setup (e.g. in a lab), please wait for 5 minutes and see whether it recovers, as you might have hit CSCvf71029.
Please engage Cisco TAC for further troubleshooting.
11-13-2017 06:58 AM
It has nothing to do with the flapping. We have used 3 user IDs for troubleshooting.
User ID A
PSN01 --> DC01, RPC logon success
PSN02 --> DC01, RPC logon success
User ID B
PSN01 --> DC01, RPC logon success
PSN02 --> DC01, RPC logon failed
User ID C
PSN01 --> DC01, RPC logon failed
PSN02 --> DC01, RPC logon failed.
With these 3 user IDs, we are stuck and unable to identify where the problem is. I have reset the AD connector and also restarted the application services, still no luck. Anyway, we have lodged a TAC case to investigate. Still waiting for the investigation results. Just in case any of you have had a similar experience, which may help to solve the issue.
11-13-2017 06:54 AM
I just had this same issue. Both ISE servers were joined to the domain, and one of them dropped off. I ran diagnostics (same place you join to the domain) and it was failing on two messages, both related to Kerberos. AD was healthy. I cannot remember what the exact fix was, but it was something in ISE. I believe I failed it back to the primary server, rebooted it, and checked NTP (made some corrections to the time sources I was syncing).
Run the diagnostic tool under External ID Sources/AD. This will give you the best direction to troubleshoot.
11-13-2017 07:03 AM
Diagnostic tools had been run and all nodes are healthy.