This section provides help in resolving Lightweight Directory Access Protocol (LDAP) error messages.

Cannot Open LDAP Connection to Local Host or Run Admin Tools Error

The "Cannot open LDAP connection to local host or run admin tools" error message occurs because the administration tool could not contact Active Directory. This error may also be caused by DNS problems.

  • Verify DNS for local, problem, or replica domain controllers.

LDAP Error 49

The LDAP error 49 occurs when the domain controller computer account may not be synchronized with the Key Distribution Center (KDC). Perform the following steps to resolve this error.

  1. Verify DNS for local, problem, or replica domain controllers.
  2. Stop or disable KDC.
  3. Purge Kerberos Tickets, Kerbtray, and Klist.
  4. Reset the computer password on the primary domain controller (PDC) emulator by using the following command:
      Copy Code
    Netdom resetpwd /server:PDCE /userd:ms\admin /passwordd:*
  5. Synchronize Domain NC (from PDC emulator), Schema NC, and Configuration NC.
  6. Restart KDC.
  7. Create replication links NC (if required) and replicate inbound by using the following:
      Copy Code
    Repadmin /add CN=Configuration,DC=ms,DC=com 
    /u:ms\administrator /pw:*
  8. Restart KDC.
  9. Check userAcountControl Flag = 532480.
  10. Determine consistency of unicodePwd

Time Difference/LDAP Error 82

The time difference/LDAP error 82 occurs when the KDC Skew is five minutes.

  1. Sync time by using the following command:
      Copy Code
    Net Time \\Server /SET.
  2. Replicate inbound.


RPC Server Not Available Error

You may receive an error that says the RPC server is unavailable when you perform any of the following server-based tasks:

  • Replication
  • Winlogon service
  • Enable trusted relationships
  • Connect to domain controllers
  • Connect to trusted domains
  • User authentication

The RPC server unavailable error can occur for the following reasons:

  • DNS problems
  • Time synchronization problem
  • RPC service is not running
  • Network connectivity problem
  1. Check if the target is functioning.
  2. Verify DNS for local, problem, or replica domain controllers.
  3. Resolve DNS - DSA GUID by using the DNSLINT report.
  4. Ensure that HKLM/SYSTEM/CCS/Services/Dnscache/Parameters/NegativeCacheTime:
    • Is set to (300 seconds) = (5 minutes).
    • High value prevents a domain controller from going to the DNS server.
  5. Stop and then start the DNS client.
  6. Ping DSA-GUID of the problem domain controller.

If the RPC service is not running, start the RPC service. If the RPC service is running, stop and start the RPC service. Also, verify network connectivity and resolve any issues.