netlogon error
Roger Abell
Posted: Sat Dec 25, 2004 2:20 am    Post subject: Re: netlogon error

On the SBS first run
    netdiag /fix
Verify that the zones supporting the AD are configured for
secured dynamic updates allowed. For this, run the DNS
mgmt UI and highlight each forward zone then rclick into
its properties. They should be AD integrated and allowing
secured dynamic updates.

On the failing W2k3 check that
- in tcp/ip settings the DNS server is the SBS machine
- in System properties (rclick my computer, properties)
  the full computer name is correct, right domain
at cmd prompt run
    net stop netlogon
    net start netlogon
then rerun netdiag to see if it is clean.

Once clean, you will want to install DNS on the
second DC (if not already) and have it host the same
AD integrated zones as are on the other DNS service.

optional/advised:
After you have DNS fault tolerance, you could/should
configure each DC to point first to the other and then
to itself for DNS services in the Tcp/Ip config.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:OKNECGf6EHA.1204@TK2MSFTNGP10.phx.gbl...
Quote:
OK, I ran dcdiag and netdiag on the 2K3 machine errors abound ----
First: dcdiag > "Although the Guid name <string of stuff here> couldn't be
resolved, the server name (server02.domain.local) resolved to the IP address
(192.168.1.98) and was pingable. Check that the IP address is registered
correctly with the DNS Server."
The other tests in dcdiag passed
Then: netdiag:> Domain membership test: Failed "[WARNING] The system
volume has not been completely replicated to the local machine. This
machine is not working properly as a DC."
DC test: failed "[WARNING] The DNS entries for this DC are not registered
correctly on the DNS server '192.168.1.99'. Please wait for 30 minutes for
DNS server replication. [FATAL] No DNS servers have the DNS records for
this DC registered."
DC list test: Failed [WARNING] Cannot call DsBind to main.domain.local
(192.168.1.99). [SEC_E_WRONG_PRINCIPAL]
Trust Relationship test: Failed ....
Kerberos test: Failed........

OK, HELP!! Where do I start??

Brown


"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:Oql3Ced6EHA.3124@TK2MSFTNGP11.phx.gbl...
and netdiag and dcdiag have told you . . . ?

--
Roger
"Brown" <fbrown@knology.net> wrote in message
news:OEn0igV6EHA.2568@TK2MSFTNGP11.phx.gbl...
The SBS machine has 2 NICs but only one is active. The Win2K3 has one NIC.
DHCP is running on an external router.

Brown

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uZpd85T6EHA.2192@TK2MSFTNGP14.phx.gbl...
For DC communications issues your first stop shop to
get hints of what may be amiss is by running on each DC
netdiag and dcdiag utilities (depending on versions, you
may need to install the optional support tools from the CD).

Which, if any, of these machines are multihomed (>1 nic)?

--
Roger Abell

"Brown" <fbrown@mta-inc.com> wrote in message
news:O5OJURP6EHA.4008@TK2MSFTNGP15.phx.gbl...
I tried that, but since it is a DC (backup) it will not allow this. Is
there any other way to get them to shake hands?
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23deks%23L6EHA.3124@TK2MSFTNGP11.phx.gbl...
did I actually forget to mention that you could try resetting
the machine account (in AD Users and Comps) . . .

--
Roger Abell

"Brown" <fbrown@mta-inc.com> wrote in message
news:O2$c8m55EHA.2624@TK2MSFTNGP11.phx.gbl...
I am running SBS 2003 Pro (MAIN), with a Win2K3 Standard server (SERVER02)
which is providing file server and AD Backup tasks.
I am getting an error message in the System Event Viewer, source Netlogon:
"The session setup from the computer SERVER02 failed to authenticate. The
name(s) of the account(s) referenced in the security database is SERVER02$.
The following error occurred: Access denied."

What do I need to do to correct this?

Brown

Steven L Umbach
Posted: Sat Dec 25, 2004 3:14 am    Post subject: Re: netlogon error

It is my understanding that is usually not a good idea per KB article
below?? Netdom is usually easy enough to try. --- Steve

http://support.microsoft.com/kb/216393/EN-US/

Active Directory Users and Computers (DSA)
With Windows 2000 or Windows XP, you can also reset the machine account from
within the graphical user interface (GUI). In the Active Directory Users and
Computers MMC (DSA), you can right-click the computer object in the
Computers or appropriate container and then click Reset Account. This resets
the machine account. Resetting the password for domain controllers using
this method is not allowed. Resetting a computer account breaks that
computer's connection to the domain and requires it to rejoin the domain.

NOTE: This will prevent an established computer from connecting to the
domain and should only be used for a computer that has just been rebuilt

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23deks%23L6EHA.3124@TK2MSFTNGP11.phx.gbl...
Quote:
did I actually forget to mention that you could try resetting
the machine account (in AD Users and Comps) . . .

--
Roger Abell

Steven L Umbach
Posted: Sat Dec 25, 2004 3:38 am    Post subject: Re: netlogon error

In addition to Roger's fine advice see the link below on how to reset the
computer account for a W2003 domain controller if you still have difficulty
after making any changes to dns or such. Of course the other domain
controller [pdc fsmo] needs to be correctly configured for dns but if it
passed all netdiag and netdiag tests then it probably is but the second link
below explains how Active Directory dns MUST be configured noting that
having an ISP dns server in the preferred dns server list for tcp/ip
properties on any domain computer WILL cause problems within a domain. I
believe you mentioned that the router is your DHCP server which I do not
recommend in an Active Directory domain. It is easy to configure DHCP on one
of your servers and then disable DHCP on your router but using it as the
default gateway. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;325850
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382

Brown
Posted: Sat Dec 25, 2004 4:27 am    Post subject: Re: netlogon error

Roger, Thanks for the help. I have run the netdiag /fix and it looks like
it has cleared up some of the problems. I am back home working via the SBS
remote access. The 2K3 machine is not available (part of the problem) so I
will have to try to get back in to the office to do it. I will be out of
touch for several days, and may not be able to get back to it until then. I
have your suggestions, and will see if that takes care of me when I can get
back on the machine.

I want to make sure you and Steven know how much I appreciate your patience and
assistance.

Frank Brown

Roger Abell
Posted: Sun Dec 26, 2004 11:47 am    Post subject: Re: netlogon error

No problem Frank. Let us know if you did not get
fixed up by this.
BTW, if you can remote into the SBS then you should
be able to open a remote desktop to the W2k3 from
within the SBS. Double remote desktop can be a little
tedious but does work. Also, you can configure the
SBS to directly mediate remote desktop connection
to any internal machine should you so choose.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

Roger Abell
Posted: Sun Dec 26, 2004 11:49 am    Post subject: Re: netlogon error

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uFTf9zf6EHA.992@TK2MSFTNGP12.phx.gbl...
Quote:
It is my understanding that is usually not a good idea per KB article
below?? Netdom is usually easy enough to try. --- Steve

I was being blind to fact it was a DC for some inexplicable
reason when I sent the afterthought post.
It's not just not a good idea, not possible as Frank indicated.
--
Roger Abell

Brown
Posted: Wed Jan 05, 2005 1:57 am    Post subject: Re: netlogon error

OK, I'm back - I have gone through the suggestions and am still at a loss.
Netdiag still shows problems on the Win2K3 server:

Domain membership test . . . . . . : Failed
[WARNING] The system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.
------
DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _ldap._tcp.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _ldap._tcp.206600de-fb91-4786-8e91-7db1704af5a3.domains._msdcs.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry 67f85d0b-43cd-47df-948d-1a165f5851d7._msdcs.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _kerberos._udp.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _kpasswd._udp.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for this DC on DNS server '192.168.1.99'.

[FATAL] No DNS servers have the DNS records for this DC registered.

------
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to mta-main.MTA-inc.local (192.168.1.99). [SEC_E_WRONG_PRINCIPAL]
-------
Trust relationship test. . . . . . : Failed
[WARNING] Don't have access to test your domain sid for domain 'MTA-INC'. [Test skipped]
[FATAL] Secure channel to domain 'MTA-INC' is broken. [ERROR_NO_TRUST_SAM_ACCOUNT]
-----
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for host/mta-server02.MTA-inc.local.
-----

It appears that the name for the Win2K3 on the SBS2K3 server is not in sync
with the name on the Win2k3 server, but I cannot locate an occurrence where
it is different.

Brown
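
An added example, not part of the original thread and not a Microsoft tool: a small Python triage script for netdiag output like the report above. It lists the failed tests, extracts the bracketed status codes, and decodes the DNS error code (0x00002339 = 9017 = DNS RCODE 17, BADKEY), which shows that every record failed for the same update-authentication reason. The sample is a shortened excerpt of the post, and all function names are made up for this example.

```python
import re

# Windows reports a DNS server's response code n as Win32 error 9000 + n
# (the DNS_ERROR_RCODE_* values). Mnemonics: RFC 1035, RFC 2136, RFC 2845.
RCODES = {1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
          5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET",
          9: "NOTAUTH", 10: "NOTZONE", 16: "BADSIG", 17: "BADKEY",
          18: "BADTIME"}
# RCODEs defined for signed (TSIG) messages. A zone set to secure-only
# dynamic updates needs signed updates, so these point at authentication.
TSIG_RCODES = {"BADSIG", "BADKEY", "BADTIME"}

# "Domain membership test . . . . . . : Failed"
TEST_RE = re.compile(
    r"^[ \t]*([A-Za-z][A-Za-z ]*?)[ .]*: (Passed|Failed|Skipped)[ \t]*$", re.M)
# "[SEC_E_WRONG_PRINCIPAL]", tolerating a line wrap inside the brackets
STATUS_RE = re.compile(r"\[([A-Z][A-Z_\s]*)\]")
# One failed registration, tolerating the wrapping seen in pasted output
DNS_FAIL_RE = re.compile(
    r"DC DNS entry\s+(\S+?)[\s.]*re-registeration\s+on\s+DNS\s+server\s+"
    r"'([^']+)'\s+failed\.\s*DNS Error code:\s*(0x[0-9A-Fa-f]+)")

# Shortened excerpt of the netdiag output posted in this thread,
# including its hard line wraps.
SAMPLE = """\
Domain membership test . . . . . . : Failed
[WARNING] The system volume has not been completely replicated to the local
machine. This machine is not working properly as a DC.
------
DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry MTA-inc.local. re-registeration on DNS
server '192.168.1.99' failed.

DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.206600de-fb91-4786-8e91-7db1704af5a3.domains._msdcs.MTA-inc.local
.. re-registeration on DNS server '192.168.1.99' failed.

DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.dc._msdcs.MTA-inc.local.re-registeration on DNS server
'192.168.1.99' failed.

DNS Error code: 0x00002339

[FATAL] No DNS servers have the DNS records for this DC registered.
------
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to mta-main.MTA-inc.local (192.168.1.99). [SEC_
E_WRONG_PRINCIPAL]
-------
Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'MTA-INC' is broken.
[ERROR_NO_TRUST_SAM_ACCOUNT]
-----
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for host/mta-server02.MTA-inc.local.
"""


def decode_dns_error(code_hex):
    """Map a Windows DNS error code (9000 + RCODE) to the RCODE mnemonic."""
    return RCODES.get(int(code_hex, 16) - 9000, "UNKNOWN")


def triage(report):
    """Return failed tests, their status codes, and decoded DNS failures."""
    headers = list(TEST_RE.finditer(report))
    result = {"failed": [], "status": {}, "dns": []}
    for i, m in enumerate(headers):
        name, outcome = m.group(1), m.group(2)
        if outcome != "Failed":
            continue
        # A test's details run until the next test header.
        end = headers[i + 1].start() if i + 1 < len(headers) else len(report)
        body = report[m.end():end]
        result["failed"].append(name)
        tokens = [re.sub(r"\s+", "", t) for t in STATUS_RE.findall(body)]
        result["status"][name] = [t for t in tokens
                                  if t not in ("WARNING", "FATAL")]
        for record, server, code in DNS_FAIL_RE.findall(body):
            result["dns"].append((record, server, code, decode_dns_error(code)))
    return result


def auth_related(result):
    """True when every DNS registration failure carries a TSIG-class RCODE."""
    return bool(result["dns"]) and all(d[3] in TSIG_RCODES
                                       for d in result["dns"])


if __name__ == "__main__":
    r = triage(SAMPLE)
    for name in r["failed"]:
        print(f"FAILED  {name}  {' '.join(r['status'][name])}")
    for record, server, code, rcode in r["dns"]:
        print(f"  {record} -> {server}: {code} ({rcode})")
    print("update authentication problem:", auth_related(r))
```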

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:eiCa33w6EHA.1408@TK2MSFTNGP10.phx.gbl...
Quote:
No problem Frank. Let us know if you did not get
fixed up by this.
BTW, if you can remote into the SBS then you should
be able to open a remote desktop to the W2k3 from
within the SBS. Double remote desktop can be a little
tedious but does work. Also, you can configure the
SBS to directly mediate remote desktop connection
to any internal machine should you so choose.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

Roger Abell
Posted: Wed Jan 05, 2005 12:34 pm    Post subject: Re: netlogon error

'192.168.1.99' is IP of the SBS ?
Can you clarify for me a little just what you meant by
Quote:
It appears that the name for the Win2K3 on the SBS2K3 server is not in sync
with the name on the Win2k3 server, but I cannot locate an occurrence where
it is different.
Names as seen where ?

Can you post output from running, on the failing W2k3 (nonSBS)
ipconfig /all

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:%23acMnep8EHA.2156@TK2MSFTNGP10.phx.gbl...
Quote:
OK, I'm back - I have gone through the suggestions and am still at a loss.
Netdiag still shows problems on the Win2K3 server:

Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.
------
DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _ldap._tcp.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _ldap._tcp.206600de-fb91-4786-8e91-7db1704af5a3.domains._msdcs.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry 67f85d0b-43cd-47df-948d-1a165f5851d7._msdcs.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _kerberos._udp.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _kpasswd._udp.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339

[FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for this DC on DNS server '192.168.1.99'.

[FATAL] No DNS servers have the DNS records for this DC registered.

------
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to mta-main.MTA-inc.local (192.168.1.99). [SEC_E_WRONG_PRINCIPAL]
-------
Trust relationship test. . . . . . : Failed
[WARNING] Don't have access to test your domain sid for domain 'MTA-INC'. [Test skipped]
[FATAL] Secure channel to domain 'MTA-INC' is broken. [ERROR_NO_TRUST_SAM_ACCOUNT]
-----
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for host/mta-server02.MTA-inc.local.
-----

It appears that the name for the Win2K3 on the SBS2K3 server is not in sync
with the name on the Win2k3 server, but I cannot locate an occurrence where
it is different.

Brown

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:eiCa33w6EHA.1408@TK2MSFTNGP10.phx.gbl...
No problem Frank. Let us know if you did not get
fixed up by this.
BTW, if you can remote into the SBS then you should
be able to open a remote desktop to the W2k3 from
within the SBS. Double remote desktop can be a little
tedious but does work. Also, you can configure the
SBS to directly mediate remote desktop connection
to any internal machine should you so choose.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@knology.net> wrote in message
news:%23OB%23Mfg6EHA.2032@tk2msftngp13.phx.gbl...
Roger, Thanks for the help. I have run the netdiag /fix and it looks like
it has cleared up some of the problems. I am back home working via the SBS
remote access. The 2K3 machine is not available (part of the problem) so I
will have to try to get back in to the office to do it. I will be out of
touch for several days, and may not be able to get back to it until then. I
have your suggestions, and will see if that takes care of me when I can get
back on the machine.

I want to make sure you Steven know how much I appreciate your patience and
assistance.

Frank Brown
Back to top
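A triage helper for netdiag output like that quoted in the post above, as an added example that is not part of the original thread: it parses the report even after a news client has hard-wrapped it, lists the failed tests and the DC records that did not register, and decodes the DNS error code (0x00002339 is 9017, which winerror.h names DNS_ERROR_RCODE_BADKEY). The sample report is constructed, and the function names and the example.local / 10.0.0.9 values are assumptions.

```python
import re

# Windows reports a DNS server's response code as 9000 + RCODE (winerror.h).
# Only the codes that matter for dynamic updates are listed.
DNS_RCODE_ERRORS = {
    9005: "DNS_ERROR_RCODE_REFUSED",
    9009: "DNS_ERROR_RCODE_NOTAUTH",
    9010: "DNS_ERROR_RCODE_NOTZONE",
    9016: "DNS_ERROR_RCODE_BADSIG",
    9017: "DNS_ERROR_RCODE_BADKEY",
    9018: "DNS_ERROR_RCODE_BADTIME",
}
# RCODEs 16-18 are the TSIG authentication failures defined in RFC 2845.
TSIG_AUTH_ERRORS = {9016, 9017, 9018}

# "Some test . . . . : Failed" section headers.
TEST_HEADER = re.compile(
    r"^([A-Za-z][A-Za-z /]*?test)[ .]*:\s*(Passed|Failed|Skipped)\s*$")
# The two patterns below run on text with ALL whitespace removed. DNS names
# and status codes never contain whitespace, so this undoes any hard wrap,
# even one in the middle of a token. "re-registeration" is netdiag's spelling.
DNS_FAILURE = re.compile(
    r"DCDNSentry(.+?)\.re-registerationonDNSserver'([^']+)'failed"
    r"\.?DNSErrorcode:(0x[0-9A-Fa-f]{8})")
STATUS_CODE = re.compile(r"\[((?:SEC_[EI]|ERROR)_[A-Z0-9_]+)\]")

# Constructed sample, wrapped the way a news client wraps pasted output.
SAMPLE = """\
Domain membership test . . . . . . : Failed
[WARNING] The system volume has not been completely replicated to the
local
machine. This machine is not working properly as a DC.
------
DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.example.local.
re-registeration on DNS server '10.0.0.9' failed.

DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry

_ldap._tcp.dc._msdcs.example.local
. re-registeration on DNS server '10.0.0.9' failed.

DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.dc._msdcs.example.local.re-registeration on DNS server
'10.0.0.9' failed.DNS Error code: 0x00002339
------
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to dc01.example.local (10.0.0.9).
[SEC_
E_WRONG_PRINCIPAL]
-------
Trust relationship test. . . . . . : Failed
[WARNING] Don't have access to test your domain sid for domain
'EXAMPLE'.
[Test skipped]
[FATAL] Secure channel to domain 'EXAMPLE' is broken.
[ERROR_NO_TRUST_SAM_ACCOUNT]
-----
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for
host/dc02.example.local.
-----
Bindings test. . . . . . . . . . . : Passed
"""


def parse_netdiag(text):
    """Split a report into tests; return {name: result, failures, codes}."""
    tests, current = {}, None
    for line in text.splitlines():
        header = TEST_HEADER.match(line.strip())
        if header:
            current = {"result": header.group(2), "body": []}
            tests[header.group(1)] = current
        elif current is not None:
            current["body"].append(line)
    for info in tests.values():
        squeezed = re.sub(r"\s+", "", "".join(info.pop("body")))
        info["dns_failures"] = [
            {"record": rec, "server": srv, "code": int(code, 16)}
            for rec, srv, code in DNS_FAILURE.findall(squeezed)]
        info["status_codes"] = STATUS_CODE.findall(squeezed)
    return tests


def summarize(tests):
    """Condense the parsed report into the facts worth reading first."""
    dns = [f for t in tests.values() for f in t["dns_failures"]]
    codes = sorted({f["code"] for f in dns})
    return {
        "failed_tests": [n for n, t in tests.items() if t["result"] == "Failed"],
        "unregistered_records": [f["record"] for f in dns],
        "dns_servers": sorted({f["server"] for f in dns}),
        "dns_errors": [DNS_RCODE_ERRORS.get(c, "unknown (%d)" % c) for c in codes],
        "status_codes": [c for t in tests.values() for c in t["status_codes"]],
        # True when every failed update was answered with a TSIG error, i.e.
        # the server replied and rejected the signed (secure) update.
        "dns_failures_all_auth": bool(codes)
        and all(c in TSIG_AUTH_ERRORS for c in codes),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_netdiag(SAMPLE)).items():
        print(key, "=", value)
```
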
Brown
Guest
Posted: Wed Jan 05, 2005 8:37 pm    Post subject: Re: netlogon error

In the Event Log I get the following message:

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 1/5/2005
Time: 7:18:18 AM
User: N/A
Computer: MTA-SERVER02
Description:
The Security System detected an authentication error for the server
cifs/mta-main.MTA-inc.local. The failure code from authentication protocol
Kerberos was "The attempted logon is invalid. This is either due to a bad
username or authentication information.
(0xc000006d)".

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Data:
0000: 6d 00 00 c0 m..À

----------------
Brown
Back to top
Roger Abell
Guest
Posted: Thu Jan 06, 2005 1:11 pm    Post subject: Re: netlogon error

It is not unusual for a DC to fail to authenticate when it
has not yet completed becoming a DC.
The requested output from
ipconfig /all
when run on the failing machine would help greatly in
understanding from the previously provided netdiag output
if there is a simple route to get the initial replication to
complete so that the machine can complete its promotion.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Back to top
Brown
Guest
Posted: Thu Jan 06, 2005 7:56 pm    Post subject: Re: netlogon error

Here is the ipconfig:

Windows IP Configuration

Host Name . . . . . . . . . . . . : mta-server02
Primary Dns Suffix . . . . . . . : MTA-inc.local
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : MTA-inc.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : SiS 900-Based PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-0C-6E-AF-F9-6C
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.98
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.98
                                    192.168.1.99

Brown

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:#aebW678EHA.1188@tk2msftngp13.phx.gbl...
Quote:
It is not unusual for a DC to fail to authenticate when it
has not yet completed becoming a DC.
The requested output from
ipconfig /all
when run on the failing machine would help greatly in
understanding from the previously provided netdiag output
if there is a simple route to get the initial replication to
complete so that the machine can complete its promotion.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:uY35RQz8EHA.2540@TK2MSFTNGP09.phx.gbl...
In the Event Log I get the folloiwing message:

Event Type: Warning

Event Source: LSASRV

Event Category: SPNEGO (Negotiator)

Event ID: 40960

Date: 1/5/2005

Time: 7:18:18 AM

User: N/A

Computer: MTA-SERVER02

Description:

The Security System detected an authentication error for the server
cifs/mta-main.MTA-inc.local. The failure code from authentication
protocol
Kerberos was "The attempted logon is invalid. This is either due to a
bad
username or authentication information.

(0xc000006d)".

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Data:

0000: 6d 00 00 c0 m..À

----------------
Brown

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:Ot5o7Av8EHA.4004@tk2msftngp13.phx.gbl...
'192.168.1.99' is IP of the SBS ?
Can you clarify for me a little just what you meant by
It appears that the name for the Win2K3 on the SBS2K3 server is not in
sync with the name on the Win2k3 server, but I cannot locate an
occurrence where it is different.
Names as seen where ?
Can you post output from running, on the failing W2k3 (nonSBS)
ipconfig /all

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:%23acMnep8EHA.2156@TK2MSFTNGP10.phx.gbl...
OK, I'm back - I have gone through the suggestions and am still at a loss.
Netdiag still shows problems on the Win2K3 server:

Domain membership test . . . . . . : Failed
[WARNING] The system volume has not been completely replicated to the local
machine. This machine is not working properly as a DC.
------
DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry MTA-inc.local. re-registeration on DNS
server '192.168.1.99' failed.

DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _ldap._tcp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.

DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.Default-First-Site-Name._sites.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.

DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.206600de-fb91-4786-8e91-7db1704af5a3.domains._msdcs.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.

DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry
67f85d0b-43cd-47df-948d-1a165f5851d7._msdcs.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.

DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.dc._msdcs.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.

DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.

DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.dc._msdcs.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.

DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.

DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.

DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.Default-First-Site-Name._sites.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.

DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _kerberos._udp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.

DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.

DNS Error code: 0x00002339

[FATAL] Failed to fix: DC DNS entry _kpasswd._udp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.

DNS Error code: 0x00002339

[FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for
this DC on DNS server '192.168.1.99'.

[FATAL] No DNS servers have the DNS records for this DC registered.

------
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to mta-main.MTA-inc.local (192.168.1.99).
[SEC_E_WRONG_PRINCIPAL]
-------
Trust relationship test. . . . . . : Failed
[WARNING] Don't have access to test your domain sid for domain
'MTA-INC'.
[Test skipped]
[FATAL] Secure channel to domain 'MTA-INC' is broken.
[ERROR_NO_TRUST_SAM_ACCOUNT]
-----
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for
host/mta-server02.MTA-inc.local.
-----

It appears that the name for the Win2K3 on the SBS2K3 server is not in
sync with the name on the Win2k3 server, but I cannot locate an
occurrence where it is different.

Brown

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:eiCa33w6EHA.1408@TK2MSFTNGP10.phx.gbl...
No problem Frank. Let us know if you did not get
fixed up by this.
BTW, if you can remote into the SBS then you should
be able to open a remote desktop to the W2k3 from
within the SBS. Double remote desktop can be a little
tedious but does work. Also, you can configure the
SBS to directly mediate remote desktop connection
to any internal machine should you so choose.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@knology.net> wrote in message
news:%23OB%23Mfg6EHA.2032@tk2msftngp13.phx.gbl...
Roger, Thanks for the help. I have run the netdiag /fix and it looks
like it has cleared up some of the problems. I am back home working via
the SBS remote access. The 2K3 machine is not available (part of the
problem) so I will have to try to get back in to the office to do it. I
will be out of touch for several days, and may not be able to get back
to it until then. I have your suggestions, and will see if that takes
care of me when I can get back on the machine.

I want to make sure you and Steven know how much I appreciate your
patience and assistance.

Frank Brown


"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23v0SqWf6EHA.1392@tk2msftngp13.phx.gbl...
On the SBS first run
netdiag /fix
Verify that the zones supporting the AD are configured for
secured dynamic updates allowed. For this, run the DNS
mgmt UI and highlight each forward zone then rclick into
its properties. They should be AD integrated and allowing
secured dynamic updates.

On the failing W2k3 check that
- in tcp/ip settings the DNS server is the SBS machine
- in System properties (rclick my computer, properties)
the full computer name is correct, right domain
at cmd prompt run
net stop netlogon
net start netlogon
then rerun netdiag to see if it is clean.

Once clean, you will want to install DNS on the
second DC (if not already) and have it host the same
AD integrated zones as are on the other DNS service.

optional/advised:
After you have DNS fault tolerance, you could/should
configure each DC to point first to the other and then
to itself for DNS services in the Tcp/Ip config.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:OKNECGf6EHA.1204@TK2MSFTNGP10.phx.gbl...
OK, I ran dcdiag and netdiag on the 2K3 machine errors