Skip to main content

WINS errors

I've spent a bit of time the last few days struggling with WINS.

My topology consists of three WINS servers, one for each location, with one functioning as a hub, the other two as spokes (as per Technet's recommendation). The hub is configured with the two spoke servers as push/pull replication partners. The spokes each have the hub as their push/pull replication partner. (as per Technet's recommendation)

So everything is set how Microsoft wants it to be. There are no firewall restrictions between the WINS hosts (who are also DCs). They are running Server 2008.


All my configuration seems correct, yet I get these errors in the System event log: EventID 4102 'connection aborted by remote WINS'. When you turn on advanced logging, you see more detailed errors: EventID 4149 'Winsock Send could not send all the bytes.'

Another server returned the following: EventID 4343 'WINS server noticed chance of duplicate name registration...' These are just warnings and are now showing because I turned on the advanced logging.

On the hub server, I restart the WINS service and get this: EventID 4224 'WINS encountered a database error. This may or may not be a serious error. WINS will try to recover from it.' It mentions checking the application log for more details about database errors.
NOTE: According to this, the error is deprecated.


The ESENT eventID 103 (wins (2752) The database engine stopped the instance (0).) in the application log also has a DWORD for the error code '2752' and an EventRecordID of '5932'. There is another event immediately following: EventID 102 (wins (6956) The database engine (6.00.6002.0000) started a new instance (0).)

I restarted WINS on all servers.

Now I see this: EventID 4141 (WINS pulled records from a WINS while doing Pull replication. The partner's address and the owner's address whose records were pulled are given in the data section (second and third DWORD respectively). The number of records pulled is the fourth DWORD.) DWORD info referenced is not clear, just hex codes.

On Spoke1, I see this: EventID 4283 (WINS encountered an error while processing a push trigger or update notification. The error code is given in the data section. If it indicates a communication failure, check to see if the remote WINS that sent the trigger went down. If the remote WINS is on a different subnet, then maybe the router is down.) It is immediately followed by EventID 4149.


On Spoke1, I force a 'pull replication' and see this: EventID 4141
On Spoke2, I force a 'pull replication' and see this: EventID 4141

On Hub, I see this twice: EventID 4121 (WINS's Replicator could not find any records in the WINS database. This means there are no active or tombstone records in the database. It could be that the records being requested by a remote WINS server have either been released or do not exist.)

On Hub, I force a 'push replication' to each spoke: EventID 4121
On Hub, I check 'Active Registrations'. All three servers are listed as 'owners' for active records.

On Spoke1, I force a 'push' to Hub: EventID 4141 on Hub.
On Spoke2, I force a 'push' to Hub: EventID 4141 on Hub.

Back to basics...if they are replicating properly, the DB should be the same across all servers. Checked that, and they are not. The two spoke servers look similar, but the hub is very different.

Deleted old owners off the hub, then repeated on each spoke.

Restarted WINS on each spoke, then the hub. Each server seemed to start ok, barring the 4224 error on all servers.

Checked the 'Active Registrations' on each server again. Spokes are nearly identical, hub appears to be missing a huge amount of new records. I sorted them by expiry date (in this case the latest is 3/6/2011). The spokes have many pages of 3/6/2011 records, the hub has only a handful.



At this point I've wasted enough time on this...it should work, but doesn't, and nobody is complaining. Squeaky wheel gets the grease and all that.

Comments

Popular posts from this blog

DFSR - eventid 4312 - replication just won't work

This warning isn't documented that well on the googles, so here's some google fodder:


You are trying to set up replication for a DFS folder (no existing replication)Source server is 2008R2, 'branch office' server is 2012R2 (I'm moving all our infra to 2012R2)You have no issues getting replication configuredYou see the DFSR folders get created on the other end, but nothing stagesFinally you get EventID 4312:
The DFS Replication service failed to get folder information when walking the file system on a journal wrap or loss recovery due to repeated sharing violations encountered on a folder. The service cannot replicate the folder and files in that folder until the sharing violation is resolved.  Additional Information:  Folder: F:\Users$\user.name\Desktop\Random Folder Name\  Replicated Folder Root: F:\Users$  File ID: {00000000-0000-0000-0000-000000000000}-v0  Replicated Folder Name: Users  Replicated Folder ID: 33F0449D-5E67-4DA1-99AC-681B5BACC7E5  Replication Group…

Fixing duplicate SPNs (service principal name)

This is a pretty handy thing to know:

SPNs are used when a specific service/daemon uses Kerberos to authenticate against AD. They map a specific service, port, and object together with this convention: class/host:port/name

If you use a computer object to auth (such as local service):
MSSQLSVC/tor-sql-01.domain.local:1433

If you use a user object to auth (such as a service account, or admin account):
MSSQLSVC/username:1433

Why do we care about duplicate SPNs? If you have two entries trying to auth using the same Kerberos ticket (I think that's right...), they will conflict, and cause errors and service failures.

To check for duplicate SPNs:
The command "setspn.exe -X

C:\Windows\system32>setspn -X
Processing entry 7
MSSQLSvc/server1.company.local:1433 is registered on these accounts:
CN=SERVER1,OU=servers,OU=resources,DC=company,DC=local
CN=SQL Admin,OU=service accounts,OU=resources,DC=company,DC=local

found 1 groups of duplicate SPNs. (truncated/sanitized)

Note that y…

Logstash to Nagios - alerting based on Windows Event ID

This took way longer than it should have to get going...so here's a config and brain dump...

Why?
You want to have a central place to analyze Windows Event/IIS/local application logs, alert off specific events, alert off specific situations.  You don't have the budget for a boxed solution.  You want pretty graphs.  You don't particularly care about individual server states.  (see rationale below - although you certainly have all the tools here to care, I haven't provided that configuration)

How?
ELK stack, OMD, NXlog agent, and Rsyslog.  The premise here is as follows:

Event generated on server into EventLogNXlog ships to Logstash inputLogstash filter adds fields and tags to specified eventsLogstash output sends to a passive Nagios service via the Nagios NSCA outputThe passive service on Nagios (Check_MK c/o OMD) does its thing w. alerting
OMD
Open Monitoring Distribution, but the real point here is Check_MK (IIRC Icinga uses this...).  It makes Nagios easy to use and main…