Domain Controllers replicate error code 110

Russell Ang 66 Reputation points
2021-07-15T07:04:24.537+00:00

Hello,

I need some advice here, as the current environment contains a parent domain & 2 child domains. Due to some security policy, RC4 has been disabled for all domain controllers. I noticed this while doing a health check or a manual repadmin /replsum etc.

It seems the AD health check is unhealthy.
[DC2] DsBindWithSpnEx() failed with error 5,
Access is denied..
Warning: DC2 is the Schema Owner, but is not responding to DS RPC Bind.

[DC1] DsBindWithSpnEx() failed with error 5,
Access is denied..
Warning: DC1 is the PDC Owner, but is not responding to DS RPC Bind

Is it necessary to enable AES encryption?

[Screenshot: properties of a child domain]

Active Directory

7 answers

  1. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-07-16T01:36:11.41+00:00

    Hello @RussellAng-0425,

    Thank you for posting here.

    To better understand your question, please confirm the following information at your convenience.

    1. Based on the description "Due to some security policy RC4 has been disabled for all domain controllers.", how did you disable RC4 for all DCs?

    2. Did you mean AD replication works fine before disabling RC4 for all DCs?

    3. Where did you see "Domain Controllers replicate error code 110"? Please provide the screenshot if possible.

    You can enable RC4 for all DCs if possible and then check if AD replication will become healthy again.

    Hope the information above is helpful to you.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================
    If the Answer is helpful, please click "Accept Answer" and upvote it.


  2. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-07-19T08:28:50.987+00:00

    Hello @RussellAng-0425,

    Thank you for your confirmation.

    Q: Is it necessary to enable AES encryption?
    A: Because a DC supports RC4, AES 128 and AES 256, if you disable RC4, please enable AES encryption, then check if AD replication will work fine.

    Hope the information above is helpful to you.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  3. Russell Ang 66 Reputation points
    2021-07-21T03:42:11.75+00:00

    Hello @Daisy Zhou

    Below is the setting. Does it mean RC4 & AES are enabled?

    [Screenshot: 116611-image.png]


  4. Russell Ang 66 Reputation points
    2021-07-21T09:48:44.967+00:00

    Hello @Daisy Zhou

    Seems to be a permission issue. Even with an enterprise admin running cmd as administrator, it shows the replicate 110 error, the same as in the above screenshot.

    If I launch those applications (dsa.msc, cmd, domain trust, etc.) without a prompt for authentication, I get access denied.

    Some sort of permission issue.


  5. Russell Ang 66 Reputation points
    2021-07-23T15:00:28.747+00:00

    Hello @Daisy Zhou ,

    I read up on some of the blogs related to RC4 being disabled.

    1. RC4 is disabled in the registry & the GPO is set to not defined. Is it necessary to enable AES in the GPO?
    2. I noticed that enterprise admin accounts, after logging in to a server, need to run as a different user to authenticate in order to access dsa.msc or even run cmd or PowerShell with privileged access to perform repadmin /replsum.
    3. RC4 is disabled. Do domain or service accounts need to enable AES?
    4. How do I check the logs for errors on RC4 Kerberos, or whether a KDC ticket is expired?

    https://learn.microsoft.com/en-us/answers/questions/377020/if-we-disable-rc4-encryption-in-gpo-domain-level-i.html
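
Added example, not part of the thread and not Microsoft's code: questions 1 and 3 in the post above depend on which Kerberos encryption types each account advertises in its `msDS-SupportedEncryptionTypes` attribute. This PowerShell function decodes that bitmask and flags accounts that have no AES bit set; the function name, account names and values are constructed for illustration.

```powershell
# Kerberos encryption-type bits used by msDS-SupportedEncryptionTypes.
$ETypeBits = [ordered]@{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04
    'AES128-SHA1' = 0x08
    'AES256-SHA1' = 0x10
}
$AesMask = 0x18   # AES128 | AES256

# Hypothetical helper: classify one account by its raw attribute value.
function Test-KerberosETypes {
    param(
        [Parameter(Mandatory)][string]$Name,
        [AllowNull()]$Value          # $null when the attribute is not set
    )
    if ($null -eq $Value -or [int]$Value -eq 0) {
        # Attribute absent: the KDC falls back to its own default, so review it.
        $enabled = @()
        $status  = 'NotSet: KDC default applies, set AES explicitly'
    } else {
        $v = [int]$Value
        $enabled = @($ETypeBits.Keys | Where-Object { $v -band $ETypeBits[$_] })
        $status = if (-not ($v -band $AesMask)) { 'NoAES: no etype in common once RC4 is disabled' }
                  elseif ($v -band 0x04)        { 'AES+RC4: works, RC4 still offered' }
                  else                          { 'AESOnly' }
    }
    [pscustomobject]@{
        Name    = $Name
        Value   = $Value
        Enabled = $enabled -join ', '
        Status  = $status
    }
}

# Constructed sample data. On a real DC the values would come from e.g.
#   Get-ADComputer DC1 -Properties 'msDS-SupportedEncryptionTypes'
# (assumes the ActiveDirectory module is installed).
$sample = @(
    @{ Name = 'DC1$';        Value = 28 },     # RC4 + AES128 + AES256
    @{ Name = 'DC2$';        Value = 24 },     # AES128 + AES256
    @{ Name = 'svc-legacy';  Value = 4 },      # RC4 only
    @{ Name = 'svc-unset';   Value = $null },  # attribute never written
    @{ Name = 'child-trust'; Value = 0 }       # trust object with no etypes set
)
$sample | ForEach-Object { Test-KerberosETypes -Name $_.Name -Value $_.Value } |
    Format-Table -AutoSize
```

Any row reported as `NoAES` or `NotSet` is a candidate for the access-denied and replication failures described in this thread once RC4 is turned off on the domain controllers.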