Roger Abell
Posted: Fri Jan 07, 2005 7:48 am
Post subject: Re: netlogon error
After the reboot, or also after waiting a while ?
The replication does not complete instantly.
When you use AD Users and Computers on the SBS do
you see the W2k3 listed in the Domain Controllers OU ?
It is starting to sound like it is not going to be there (meaning
that the W2k3 believes it is supposed to be a DC but the SBS
does not - something I can't understand happening except maybe
if during dcpromo NetBios based RPC communications is
interrupted early in the promo but is OK at the very start)
--
Roger
"Brown" <fbrown@knology.net> wrote in message
news:%234PIOJF9EHA.3676@TK2MSFTNGP10.phx.gbl...
After the restart on the nonSBS machine this morning, when I open Active
Directory Users and Computers it indicates that AD is not running.
Brown
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:%234oS7IE9EHA.3012@TK2MSFTNGP09.phx.gbl...
Those messages are not unexpected the first time around, because
the new DC has not yet completed its initial sync with the existing AD,
and so does not have its own copy (which it was trying to access).
One would expect those to go away in the future as when the DNS
server code fires up it then will find the AD content it is complaining
about not finding now.
The issue is, do we have a functioning DC that does have replication
established with the SBS DC ?
At a cmd prompt run replmon and connect to the two DCs and drill
into the defined replications to see if things seem to be happening.
Alternatively, on the nonSBS run AD Users and Computers, use the
properties to make sure that you are focused on the nonSBS machine
and the domain controller the tool is speaking with, and then click
around and see if it looks the same as when the tool is connected
to AD on the SBS machine.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Brown" <fbrown@mta-inc.com> wrote in message
news:%23P7OoiA9EHA.3944@TK2MSFTNGP12.phx.gbl...
OK, Got through the steps and restarted. In the dnsmgmt console on the
Win2K3, got a warning:
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4013
Date: 1/6/2005
Time: 9:40:16 AM
User: N/A
Computer: MTA-SERVER02
Description:
The DNS server was unable to open the Active Directory. This DNS server is
configured to use directory service information and can not operate without
access to the directory. The DNS server will wait for the directory to
start. If the DNS server is started but the appropriate event has not been
logged, then the DNS server is still waiting for the directory to start.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00 -#..
-------
Then got an error:
Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4000
Date: 1/6/2005
Time: 9:40:16 AM
User: N/A
Computer: MTA-SERVER02
Description:
The DNS server was unable to open Active Directory. This DNS server is
configured to obtain and use information from the directory for this zone
and is unable to load the zone without it. Check that the Active Directory
is functioning properly and reload the zone. The event data is the error
code.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00 -#..
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:#9C#vFA9EHA.3504@TK2MSFTNGP12.phx.gbl...
On the nonSBS mta-server02 try reversing these DNS
server settings in its Tcp/Ip properties
DNS Servers . . . . . . . . . . . : 192.168.1.98
192.168.1.99
so that 1.99 is the first listed DNS server IP
(assuming 1.99 is the SBS)
Then on the SBS temporarily change the DNS
forward zone for MTA-inc.local so that it will
allow unsecured dynamic updates instead of only
secured dynamic updates. (This is found in the
r-click properties of the MTA-inc.local forward
zone node - first set focus on the node by clicking
and then r-click into its context menu.)
Next, on the nonSBS at cmd prompt run these three:
ipconfig /registerdns
net stop netlogon
net start netlogon
Take a look into the forward zone for MTA-inc.local
in the DNS server on SBS to see if there are now
DNS records for mta-server02 indicating its 1.98 addy.
If so, try a reboot of the nonSBS.
You will need to remember to set the forward zone
back to allowing only secured dynamic updates after
you are done. It would be good to leave both DCs
set with their DNS servers in Tcp/Ip config set so
that they first reference the other and next reference
themselves - however, if doing this then both would
need to be able to get out to the internet DNS servers.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:erOKNe$8EHA.2600@TK2MSFTNGP09.phx.gbl...
Here is the ipconfig:
Windows IP Configuration
Host Name . . . . . . . . . . . . : mta-server02
Primary Dns Suffix . . . . . . . : MTA-inc.local
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : MTA-inc.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : SiS 900-Based PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-0C-6E-AF-F9-6C
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.98
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.98
192.168.1.99
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:#aebW678EHA.1188@tk2msftngp13.phx.gbl...
It is not unusual for a DC to fail to authenticate when it
has not yet completed becoming a DC.
The requested output from
ipconfig /all
when run on the failing machine would help greatly in
understanding from the previously provided netdiag output
if there is a simple route to get the initial replication to
complete so that the machine can complete its promotion.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:uY35RQz8EHA.2540@TK2MSFTNGP09.phx.gbl...
In the Event Log I get the following message:
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 1/5/2005
Time: 7:18:18 AM
User: N/A
Computer: MTA-SERVER02
Description:
The Security System detected an authentication error for the server
cifs/mta-main.MTA-inc.local. The failure code from authentication protocol
Kerberos was "The attempted logon is invalid. This is either due to a bad
username or authentication information. (0xc000006d)".
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..À
----------------
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:Ot5o7Av8EHA.4004@tk2msftngp13.phx.gbl...
'192.168.1.99' is IP of the SBS ?
Can you clarify for me a little just what you meant by
It appears that the name for the Win2K3 on the SBS2K3 server is not in sync
with the name on the Win2k3 server, but I cannot locate an occurrence where
it is different.
Names as seen where ?
Can you post output from running, on the failing W2k3 (nonSBS)
ipconfig /all
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:%23acMnep8EHA.2156@TK2MSFTNGP10.phx.gbl...
OK, I'm back - I have gone through the suggestions and am still at a loss.
Netdiag still shows problems on the Win2K3 server:
Domain membership test . . . . . . : Failed
[WARNING] The system volume has not been completely replicated to the local
machine. This machine is not working properly as a DC.
------
DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry MTA-inc.local. re-registeration on DNS
server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.Default-First-Site-Name._sites.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.206600de-fb91-4786-8e91-7db1704af5a3.domains._msdcs.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
67f85d0b-43cd-47df-948d-1a165f5851d7._msdcs.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.dc._msdcs.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.dc._msdcs.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.Default-First-Site-Name._sites.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kerberos._udp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kpasswd._tcp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kpasswd._udp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for
this DC on DNS server '192.168.1.99'.
[FATAL] No DNS servers have the DNS records for this DC registered.
------
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to mta-main.MTA-inc.local (192.168.1.99).
[SEC_E_WRONG_PRINCIPAL]
-------
Trust relationship test. . . . . . : Failed
[WARNING] Don't have access to test your domain sid for domain 'MTA-INC'.
[Test skipped]
[FATAL] Secure channel to domain 'MTA-INC' is broken.
[ERROR_NO_TRUST_SAM_ACCOUNT]
-----
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for
host/mta-server02.MTA-inc.local.
-----
It appears that the name for the Win2K3 on the SBS2K3 server is not in sync
with the name on the Win2k3 server, but I cannot locate an occurrence where
it is different.
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:eiCa33w6EHA.1408@TK2MSFTNGP10.phx.gbl...
No problem Frank. Let us know if you did not get
fixed up by this.
BTW, if you can remote into the SBS then you should
be able to open a remote desktop to the W2k3 from
within the SBS. Double remote desktop can be a little
tedious but does work. Also, you can configure the
SBS to directly mediate remote desktop connection
to any internal machine should you so choose.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@knology.net> wrote in message
news:%23OB%23Mfg6EHA.2032@tk2msftngp13.phx.gbl...
Roger, Thanks for the help. I have run the netdiag /fix and it looks like
it has cleared up some of the problems. I am back home working via the SBS
remote access. The 2K3 machine is not available (part of the problem) so I
will have to try to get back in to the office to do it. I will be out of
touch for several days, and may not be able to get back to it until then. I
have your suggestions, and will see if that takes care of me when I can get
back on the machine.
I want to make sure you Steven know how much I appreciate your patience and
assistance.
Frank Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23v0SqWf6EHA.1392@tk2msftngp13.phx.gbl...
On the SBS first run
netdiag /fix
Verify that the zones supporting the AD are configured for
secured dynamic updates allowed. For this, run the DNS
mgmt UI and highlight each forward zone then rclick into
its properties. They should be AD integrated and allowing
secured dynamic updates.
On the failing W2k3 check that
- in tcp/ip settings the DNS server is the SBS machine
- in System properties (rclick my computer, properties)
the full computer name is correct, right domain
at cmd prompt run
net stop netlogon
net start netlogon
then rerun netdiag to see if it is clean.
Once clean, you will want to install DNS on the
second DC (if not already) and have it host the same
AD integrated zones as are on the other DNS service.
optional/advised:
After you have DNS fault tolerance, you could/should
configure each DC to point first to the other and then
to itself for DNS services in the Tcp/Ip config.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:OKNECGf6EHA.1204@TK2MSFTNGP10.phx.gbl...
OK, I ran dcdiag and netdiag on the 2K3 machine, errors abound ----
First: dcdiag > "Although the Guid name <string of stuff here> couldn't be
resolved, the server name (server02.domain.local) resolved to the IP address
(192.168.1.98) and was pingable. Check that the IP address is registered
correctly with the DNS Server."
The other tests in dcdiag passed
Then: netdiag:> Domain membership test: Failed "[WARNING] The system volume
has not been completely replicated to the local machine. This machine is
not working properly as a DC."
DC test: failed "[WARNING] The DNS entries for this DC are not registered
correctly on the DNS server '192.168.1.99'. Please wait for 30 minutes for
DNS server replication. [FATAL] No DNS servers have the DNS records for
this DC registered."
DC list test: Failed [WARNING] Cannot call DsBind to main.domain.local
(192.168.1.99). [SEC_E_WRONG_PRINCIPAL]
Trust Relationship test: Failed ....
Kerberos test: Failed........
OK, HELP!! Where do I start??
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:Oql3Ced6EHA.3124@TK2MSFTNGP11.phx.gbl...
and netdiag and dcdiag have told you . . . ?
--
Roger
"Brown" <fbrown@knology.net> wrote in message
news:OEn0igV6EHA.2568@TK2MSFTNGP11.phx.gbl...
The SBS machine has 2 NICs but only one is active. The Win2K3 has one NIC.
DHCP is running on an external router.
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in
message
news:uZpd85T6EHA.2192@TK2MSFTNGP14.phx.gbl...
For DC communications issues your first stop shop to
get hints of what may be amiss is by running on each DC
netdiag and dcdiag utilities (depending on versions, you
may need to install the optional support tools from the CD).
Which, if any, of these machines are multihomed (>1 nic)?
--
Roger Abell
"Brown" <fbrown@mta-inc.com> wrote in message
news:O5OJURP6EHA.4008@TK2MSFTNGP15.phx.gbl...
I tried that, but since it is a DC (backup) it will not allow this. Is
there any other way to get them to shake hands?
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in
message
news:%23deks%23L6EHA.3124@TK2MSFTNGP11.phx.gbl...
did I actually forget to mention that you could try resetting
the machine account (in AD Users and Comps) . . .
--
Roger Abell
"Brown" <fbrown@mta-inc.com> wrote in
message
news:O2$c8m55EHA.2624@TK2MSFTNGP11.phx.gbl...
I am running SBS 2003 Pro (MAIN), with a Win2K3 Standard server (SERVER02)
which is providing file server and AD Backup tasks.
I am getting an error message in the System Event Viewer, source Netlogon:
"The session setup from the computer SERVER02 failed to authenticate. The
name(s) of the account(s) referenced in the security database is SERVER02$.
The following error occurred: Access denied."
What do I need to do to correct this?
Brown
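Added here as an illustration, not part of the thread: a small Python triage helper that parses netdiag output of the kind posted above (failed tests, DC records that could not be re-registered, bracketed symbolic errors) and decodes the Event Viewer "Data:" bytes into the Windows error codes they carry, using the names from winerror.h and ntstatus.h. The netdiag text embedded below is a constructed excerpt modelled on the thread's output, wrapped the way the newsreader wrapped it.

```python
import re
import struct

# Code names from winerror.h / ntstatus.h for the values quoted in this thread.
WIN32_ERRORS = {
    0x232D: "DNS_ERROR_RCODE_REFUSED",  # 9005: the DNS server refused the request
    0x2339: "DNS_ERROR_RCODE_BADKEY",   # 9017: TSIG "bad key", the secure dynamic update's key was not accepted
}
NTSTATUS_CODES = {
    0xC000006D: "STATUS_LOGON_FAILURE",  # bad username or authentication information
}

# "DNS test . . . . : Failed" summary lines.
TEST_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)[ .]*:\s*(Passed|Failed|Skipped)\s*$", re.M)
# One "[FATAL] Failed to fix: DC DNS entry <name> re-registeration ..." block; the name,
# its trailing dot and the words after it may be wrapped onto the next line.
FAILED_ENTRY = re.compile(
    r"\[FATAL\] Failed to fix: DC DNS entry\s+([^\s']+?)\s*\.?\s*re-registeration\s+on\s+DNS"
    r"\s+server\s+'([\d.]+)'\s+failed\.\s*DNS Error code:\s*(0x[0-9A-Fa-f]+)"
)
# Symbolic names netdiag prints in brackets; tolerate a line wrap inside the brackets.
SYMBOLIC = re.compile(r"\[((?:SEC_|ERROR_)[A-Z_\s]+?)\]")

# Constructed excerpt modelled on the netdiag output quoted in this thread, wrapped the
# way the newsreader wrapped it (including the split "[SEC_ E_WRONG_PRINCIPAL]").
SAMPLE_NETDIAG = """\
Domain membership test . . . . . . : Failed
    [WARNING] The system volume has not been completely replicated to the
    local machine. This machine is not working properly as a DC.
DNS test . . . . . . . . . . . . . : Failed
    [FATAL] Failed to fix: DC DNS entry MTA-inc.local. re-registeration on DNS
    server '192.168.1.99' failed.
    DNS Error code: 0x00002339
    [FATAL] Failed to fix: DC DNS entry
    _ldap._tcp.206600de-fb91-4786-8e91-7db1704af5a3.domains._msdcs.MTA-inc.local
    . re-registeration on DNS server '192.168.1.99' failed.
    DNS Error code: 0x00002339
    [FATAL] Failed to fix: DC DNS entry
    _kerberos._tcp.dc._msdcs.MTA-inc.local.re-registeration on DNS server
    '192.168.1.99' failed.DNS Error code: 0x00002339
DC list test . . . . . . . . . . . : Failed
    [WARNING] Cannot call DsBind to mta-main.MTA-inc.local (192.168.1.99). [SEC_
    E_WRONG_PRINCIPAL]
Trust relationship test. . . . . . : Failed
    [FATAL] Secure channel to domain 'MTA-INC' is broken. [ERROR_NO_TRUST_SAM_ACCOUNT]
Kerberos test. . . . . . . . . . . : Failed
    [FATAL] Kerberos does not have a ticket for host/mta-server02.MTA-inc.local.
"""


def parse_netdiag(text):
    """Summarise a netdiag run: failed tests, DC records that could not be
    re-registered (with server and error code), and symbolic errors named."""
    tests = {name.strip(): status for name, status in TEST_LINE.findall(text)}
    unregistered = [
        {"record": rec, "server": srv, "code": int(code, 16)}
        for rec, srv, code in FAILED_ENTRY.findall(text)
    ]
    symbols = sorted({re.sub(r"\s+", "", s) for s in SYMBOLIC.findall(text)})
    return {
        "failed_tests": sorted(n for n, s in tests.items() if s == "Failed"),
        "unregistered": unregistered,
        "symbols": symbols,
    }


def decode_event_data(data_line):
    """Turn an Event Viewer 'Data:' line such as '0000: 6d 00 00 c0 m..' into the
    little-endian DWORD it carries (0xC000006D for that line)."""
    parts = data_line.split()
    if len(parts) < 5 or not parts[0].endswith(":"):
        raise ValueError("not an event data line: %r" % data_line)
    raw = bytes.fromhex("".join(parts[1:5]))  # first four bytes form one DWORD
    return struct.unpack("<I", raw)[0]


def describe_code(code):
    """Name a code, telling NTSTATUS errors (severity bits set, as in LSASRV
    event 40960) from Win32/DNS error numbers (netdiag, DNS events 4000/4013)."""
    if code & 0xC0000000 == 0xC0000000:
        return NTSTATUS_CODES.get(code, "unknown NTSTATUS 0x%08X" % code)
    return WIN32_ERRORS.get(code, "unknown Win32 error %d (0x%X)" % (code, code))


def triage(netdiag_text, event_data_lines):
    """Combine both sources into findings a responder can act on."""
    report = parse_netdiag(netdiag_text)
    findings = ["netdiag failed: " + ", ".join(report["failed_tests"])]
    if report["unregistered"]:
        servers = sorted({e["server"] for e in report["unregistered"]})
        codes = sorted({e["code"] for e in report["unregistered"]})
        findings.append("%d DC records not registered on %s (%s)" % (
            len(report["unregistered"]), ", ".join(servers),
            ", ".join(describe_code(c) for c in codes)))
    findings.extend("netdiag reported " + s for s in report["symbols"])
    for line in event_data_lines:
        code = decode_event_data(line)
        findings.append("event data 0x%08X = %s" % (code, describe_code(code)))
    return findings
```

Run `triage(SAMPLE_NETDIAG, ["0000: 2d 23 00 00 -#..", "0000: 6d 00 00 c0 m.."])` to see the thread's symptoms reduced to named codes: every record failing with BADKEY on a secure dynamic update, and the LSASRV event carrying STATUS_LOGON_FAILURE, which together point at the broken machine-account secure channel rather than at DNS itself.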
Steven L Umbach
Posted: Fri Jan 07, 2005 9:48 am
Post subject: Re: netlogon error
At this point maybe he should verify the health of the original domain
controller with netdiag and dcdiag? If that all looks well, including it
having the 5 fsmo roles, it might be worth a try to dcpromo the problem
server and start over being sure to have it point to the other dc as its
preferred dns server and making sure the ICF firewall is disabled. Of course
that method may end up with a need to force a demotion via dcpromo and
cleaning up of the metadata with ntdsutil. --- Steve
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:Ow%23phqF9EHA.3504@TK2MSFTNGP12.phx.gbl...
After the reboot, or also after waiting a while ?
The replication does not complete instantly.
When you use AD Users and Computers on the SBS do
you see the W2k3 listed in the Domain Controllers OU ?
It is starting to sound like it is not going to be there (meaning
that the W2k3 believes it is supposed to be a DC but the SBS
does not - something I can't understand happening except maybe
if during dcpromo NetBios based RPC communications is
interrupted early in the promo but is OK at the very start)
--
Roger
"Brown" <fbrown@knology.net> wrote in message
news:%234PIOJF9EHA.3676@TK2MSFTNGP10.phx.gbl...
After the restart on the nonSBS machine this morning, when I open Active
Directory Users and Computers I indicates that AD is not running.
Brown
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:%234oS7IE9EHA.3012@TK2MSFTNGP09.phx.gbl...
Those message are not unexpected the first time around, because
the new DC has not yet completed its initial sync with the existing AD,
and so does not have its own copy (which it was trying to access).
One would expect those to go away in the future as when the DNS
server code fires up it then will find the AD content it is complaining
about not finding now.
The issue is, do we have a functioning DC that does have replication
established with the SBS DC ?
At a cmd prompt run replmon and connect to the two DCs and drill
into the defined replications to see if things seem to be happening.
Alternatively, on the nonSBS run AD Users and Computers, use the
properties to make sure that you are focused on the nonSBS machine
and the domain controller the tool is speaking with, and then click
around and see if it looks the same as when the tool is connected
to AD on the SBS machine.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Brown" <fbrown@mta-inc.com> wrote in message
news:%23P7OoiA9EHA.3944@TK2MSFTNGP12.phx.gbl...
OK, Got through the steps and restarted. In the dnsmgmt console on the
Win2K3, got a warning:
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4013
Date: 1/6/2005
Time: 9:40:16 AM
User: N/A
Computer: MTA-SERVER02
Description:
The DNS server was unable to open the Active Directory. This DNS
server
is
configured to use directory service information and can not operate
without
access to the directory. The DNS server will wait for the directory
to
start. If the DNS server is started but the appropriate event has not
been
logged, then the DNS server is still waiting for the directory to
start.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00 -#..
-------
Then got an error:
Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4000
Date: 1/6/2005
Time: 9:40:16 AM
User: N/A
Computer: MTA-SERVER02
Description:
The DNS server was unable to open Active Directory. This DNS server
is
configured to obtain and use information from the directory for this
zone
and is unable to load the zone without it. Check that the Active
Directory
is functioning properly and reload the zone. The event data is the
error
code.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00 -#..
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:#9C#vFA9EHA.3504@TK2MSFTNGP12.phx.gbl...
On the nonSBS mta-server02 try reversing these DNS
server settings in its Tcp/Ip properties
DNS Servers . . . . . . . . . . . : 192.168.1.98
192.168.1.99
so that 1.99 is the first listed DNS server IP
(assuming 1.99 is the SBS)
Then on the SBS temporarily change the DNS
forward zone for MTA-inc.local so that it will
allow unsecured dynamic updates instead of only
secured dynamic updates. (This is found in the
r-click properties of the MTA-inc.local forward
zone node - first set focus on the node by clicking
and then r-click into its context menu.)
Next, on the nonSBS at cmd prompt run these three:
ipconfig /registerdns
net stop netlogon
net start netlogon
Take a look into the forward zone for MTA-inc.local
in the DNS server on SBS to see if the there are now
DNS records for mta-server02 indicating its 1.98 addy,
If so, try a reboot of the nonSBS.
You will need to remember to set the forward zone
back to allowing only secured dynamic updates after
you are done. It would be good to leave both DCs
set with their DNS servers in Tcp/Ip config set so
that they first reference the other and next reference
themselves - however, if doing this then both would
need to be able to get out to the internet DNS servers.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:erOKNe$8EHA.2600@TK2MSFTNGP09.phx.gbl...
Here is the ipconfig:
Windows IP Configuration
Host Name . . . . . . . . . . . . : mta-server02
Primary Dns Suffix . . . . . . . : MTA-inc.local
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : MTA-inc.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : SiS 900-Based PCI Fast Ethernet
Adapter
Physical Address. . . . . . . . . : 00-0C-6E-AF-F9-6C
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.98
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.98
192.168.1.99
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:#aebW678EHA.1188@tk2msftngp13.phx.gbl...
It is not unusual for a DC to fail to authenticate when it
has not yet completed becoming a DC.
The requested output from
ipconfig /all
when run on the failing machine would help greatly in
understanding from the previously provided netdiag output
if there is a simple route to get the initial replication to
complete so that the machine can complete its promotion.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:uY35RQz8EHA.2540@TK2MSFTNGP09.phx.gbl...
In the Event Log I get the folloiwing message:
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 1/5/2005
Time: 7:18:18 AM
User: N/A
Computer: MTA-SERVER02
Description:
The Security System detected an authentication error for the
server
cifs/mta-main.MTA-inc.local. The failure code from
authentication
protocol
Kerberos was "The attempted logon is invalid. This is either
due
to
a
bad
username or authentication information.
(0xc000006d)".
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..À
----------------
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:Ot5o7Av8EHA.4004@tk2msftngp13.phx.gbl...
'192.168.1.99' is IP of the SBS ?
Can you clarify for me a little just what you meant by
It appears that the name for the Win2K3 on the SBS2K3
server
is
not
in
sync
with the name on the Win2k3 server, but I cannot locate an
occurence
where
it is different.
Names as seen where ?
Can you post output from running, on the failing W2k3
(nonSBS)
ipconfig /all
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:%23acMnep8EHA.2156@TK2MSFTNGP10.phx.gbl...
OK, I'm back - I have gone through the suggestions and am
still
at
a
loss.
Netdiag still shows problems on the Win2K3 server:
Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely
replicated
to
the
local
machine. This machine is not working properly as a DC.
------
DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry MTA-inc.local.
re-registeration
on
DNS
server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.Default-First-Site-Name._sites.MTA-inc.local.
re-registeration
on
DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.206600de-fb91-4786-8e91-7db1704af5a3.domains._msdcs.MTA-inc.local
. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
67f85d0b-43cd-47df-948d-1a165f5851d7._msdcs.MTA-inc.local.
re-registeration
on DNS server '192.168.1.99' failed.DNS Error code:
0x00002339
[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.dc._msdcs.MTA-inc.local.re-registeration on
DNS
server
'192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.dc._msdcs.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.Default-First-Site-Name._sites.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kerberos._udp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kpasswd._tcp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kpasswd._udp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Fix Failed: netdiag failed to re-register missing
DNS
entries
for
this DC on DNS server '192.168.1.99'.
[FATAL] No DNS servers have the DNS records for this DC
registered.
------
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to mta-main.MTA-inc.local
(192.168.1.99).
[SEC_
E_WRONG_PRINCIPAL]
-------
Trust relationship test. . . . . . : Failed
[WARNING] Don't have access to test your domain sid for
domain
'MTA-INC'.
[Test skipped]
[FATAL] Secure channel to domain 'MTA-INC' is broken.
[ERROR_NO_TRUST_SAM_ACCOUNT]
-----
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for
host/mta-server02.MTA-inc.local.
-----
It appears that the name for the Win2K3 on the SBS2K3
server
is
not
in
sync
with the name on the Win2k3 server, but I cannot locate an
occurence
where
it is different.
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:eiCa33w6EHA.1408@TK2MSFTNGP10.phx.gbl...
No problem Frank. Let us know if you did not get
fixed up by this.
BTW, if you can remote into the SBS then you should
be able to open a remote desktop to the W2k3 from
within the SBS. Double remote desktop can be a little
tedious but does work. Also, you can configure the
SBS to directly mediate remote desktop connection
to any internal machine should you so choose.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@knology.net> wrote in message
news:%23OB%23Mfg6EHA.2032@tk2msftngp13.phx.gbl...
Roger, Thanks for the help. I have run the netdiag
/fix
and
it
looks
like
it has cleared up some of the problems. I am back home
working
via
the
SBS
remote access. The 2K3 machine is not available (part
of
the
problem)
so
I
will have to try to get back in to the office to do it.
I
will
be
out
of
touch for several days, and may not be able to get back
to
it
until
then.
I
have your suggestions, and will see if that takes care
of
me
when
I
can
get
back on the machine.
I want to make sure you Steven know how much I
appreciate
your
patience
and
assistance.
Frank Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23v0SqWf6EHA.1392@tk2msftngp13.phx.gbl...
On the SBS first run
netdiag /fix
Verify that the zones supporting the AD are
configured
for
secured dynamic updates allowed. For this, run the
DNS
mgmt UI and highlight each forward zone then rclick
into
its properties. They should be AD integrated and
allowing
secured dynamic updates.
On the failing W2k3 check that
- in tcp/ip settings the DNS server is the SBS
machine
- in System properties (rclick my computer,
properties)
the full computer name is correct, right domain
at cmd prompt run
net stop netlogon
net start netlogon
then rerun netdiag to see if it is clean.
Once clean, you will want to install DNS on the
second DC (if not already) and have it host the same
AD integrated zones as are on the other DNS service.
optional/advised:
After you have DNS fault tolerance, you could/should
configure each DC to point first to the other and
then
to itself for DNS services in the Tcp/Ip config.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:OKNECGf6EHA.1204@TK2MSFTNGP10.phx.gbl...
OK, I ran dcdiag and netdiag on the 2K3 machine, errors abound ----
First: dcdiag > "Although the Guid name <string of stuff here> couldn't be resolved, the server name (server02.domain.local) resolved to the IP address (192.168.1.98) and was pingable. Check that the IP address is registered correctly with the DNS Server."
The other tests in dcdiag passed
Then: netdiag:> Domain membership test: Failed "[WARNING] The system volume has not been completely replicated to the local machine. This machine is not working properly as a DC."
DC test: failed "[WARNING] The DNS entries for this DC are not registered correctly on the DNS server '192.168.1.99'. Please wait for 30 minutes for DNS server replication. [FATAL] No DNS servers have the DNS records for this DC registered."
DC list test: Failed [WARNING] Cannot call DsBind to main.domain.local (192.168.1.99). [SEC_E_WRONG_PRINCIPAL]
Trust Relationship test: Failed ....
Kerberos test: Failed........
OK, HELP!! Where do I start??
Brown

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:Oql3Ced6EHA.3124@TK2MSFTNGP11.phx.gbl...
and netdiag and dcdiag have told you . . . ?
--
Roger

"Brown" <fbrown@knology.net> wrote in message
news:OEn0igV6EHA.2568@TK2MSFTNGP11.phx.gbl...
The SBS machine has 2 NICs but only one is active. The Win2K3 has one NIC.
DHCP is running on an external router.
Brown

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uZpd85T6EHA.2192@TK2MSFTNGP14.phx.gbl...
For DC communications issues your first stop shop to get hints of what may be amiss is by running on each DC the netdiag and dcdiag utilities (depending on versions, you may need to install the optional support tools from the CD).
Which, if any, of these machines are multihomed (>1 nic)?
--
Roger Abell

"Brown" <fbrown@mta-inc.com> wrote in message
news:O5OJURP6EHA.4008@TK2MSFTNGP15.phx.gbl...
I tried that, but since it is a DC (backup) it will not allow this. Is there any other way to get them to shake hands?
Brown

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23deks%23L6EHA.3124@TK2MSFTNGP11.phx.gbl...
did I actually forget to mention that you could try resetting the machine account (in AD Users and Comps) . . .
--
Roger Abell

"Brown" <fbrown@mta-inc.com> wrote in message
news:O2$c8m55EHA.2624@TK2MSFTNGP11.phx.gbl...
I am running SBS 2003 Pro (MAIN), with a Win2K3 Standard server (SERVER02) which is providing file server and AD Backup tasks.
I am getting an error message in the System Event Viewer, source Netlogon:
"The session setup from the computer SERVER02 failed to authenticate. The name(s) of the account(s) referenced in the security database is SERVER02$. The following error occurred: Access denied."
What do I need to do to correct this?
Brown
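A triage script for netdiag output like the summary Brown quotes above, added here as an example; it is not code from the thread or from Microsoft. It groups the [WARNING]/[FATAL] lines under the test that produced them, decodes the "DNS Error code" values with their winerror.h names (DNS_ERROR_RCODE_* is 9000 plus the DNS RCODE, so 0x2339 is 9017, DNS_ERROR_RCODE_BADKEY, a rejected secure dynamic update), and pulls out the bracketed status codes such as [SEC_E_WRONG_PRINCIPAL]. SAMPLE_NETDIAG is constructed to mirror the output posted in the thread, and STATUS_HINTS is an editorial gloss on those two codes, not netdiag text.

```python
"""Group netdiag [WARNING]/[FATAL] lines by test, decode DNS error codes and
collect the bracketed status codes.  Added example for this thread, not
code from the thread or from Microsoft; SAMPLE_NETDIAG is constructed."""
import re
from collections import OrderedDict

# winerror.h: DNS_ERROR_RCODE_* = 9000 + DNS RCODE.
DNS_ERROR_NAMES = {
    0x2329: "DNS_ERROR_RCODE_FORMAT_ERROR",     # 9001
    0x232A: "DNS_ERROR_RCODE_SERVER_FAILURE",   # 9002
    0x232B: "DNS_ERROR_RCODE_NAME_ERROR",       # 9003
    0x232C: "DNS_ERROR_RCODE_NOT_IMPLEMENTED",  # 9004
    0x232D: "DNS_ERROR_RCODE_REFUSED",          # 9005
    0x2338: "DNS_ERROR_RCODE_BADSIG",           # 9016
    0x2339: "DNS_ERROR_RCODE_BADKEY",           # 9017: secure dynamic update rejected
    0x233A: "DNS_ERROR_RCODE_BADTIME",          # 9018
}

# Editorial gloss on the bracketed codes that appear in the thread.
STATUS_HINTS = {
    "SEC_E_WRONG_PRINCIPAL": "target principal name is incorrect: SPN / computer account mismatch",
    "ERROR_NO_TRUST_SAM_ACCOUNT": "no usable computer account for the secure channel",
}

TEST_RE = re.compile(r"^(?P<name>[A-Za-z ]+?)\s*[. ]*\s*:\s*(?P<result>Passed|Failed|Skipped)\s*$")
MSG_RE = re.compile(r"^\[(?P<level>WARNING|FATAL|ERROR)\]\s*(?P<text>.*)$")
CODE_RE = re.compile(r"DNS Error code:\s*(0x[0-9A-Fa-f]+)")
STATUS_RE = re.compile(r"\[([A-Z][A-Z0-9_]+)\]\s*$")
ENTRY_RE = re.compile(r"DC DNS entry\s+(\S+?)\.?\s*re-regist")

# Constructed sample shaped like the netdiag output quoted in the thread.
SAMPLE_NETDIAG = """\
Domain membership test . . . . . . : Failed
    [WARNING] The system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.

DNS test . . . . . . . . . . . . . : Failed
    [FATAL] Failed to fix: DC DNS entry MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
    DNS Error code: 0x00002339
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
    DNS Error code: 0x00002339
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
    DNS Error code: 0x00002339
    [FATAL] No DNS servers have the DNS records for this DC registered.

DC list test . . . . . . . . . . . : Failed
    [WARNING] Cannot call DsBind to mta-main.MTA-inc.local (192.168.1.99). [SEC_E_WRONG_PRINCIPAL]

Trust relationship test. . . . . . : Failed
    [WARNING] Don't have access to test your domain sid for domain 'MTA-INC'. [Test skipped]
    [FATAL] Secure channel to domain 'MTA-INC' is broken. [ERROR_NO_TRUST_SAM_ACCOUNT]

Kerberos test. . . . . . . . . . . : Failed
    [FATAL] Kerberos does not have a ticket for host/mta-server02.MTA-inc.local.

LDAP test. . . . . . . . . . . . . : Passed
"""


def parse_netdiag(text):
    """Map each test name to its result and the messages printed under it."""
    tests = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"}:
            continue                      # blank line or ------ separator
        m = TEST_RE.match(line)
        if m:
            current = {"result": m.group("result"), "messages": []}
            tests[m.group("name")] = current
            continue
        if current is None:
            continue                      # banner text before the first test
        msgs = current["messages"]
        m = MSG_RE.match(line)
        if m:
            msgs.append({"level": m.group("level"), "text": m.group("text"), "code": None})
            continue
        m = CODE_RE.search(line)
        if m and msgs:
            msgs[-1]["code"] = int(m.group(1), 16)
        elif msgs:
            msgs[-1]["text"] += " " + line  # wrapped continuation of the previous message
    return tests


def decode_dns_error(code):
    return DNS_ERROR_NAMES.get(code, "unknown DNS error 0x%08x" % code)


def failed_tests(tests):
    return [name for name, t in tests.items() if t["result"] == "Failed"]


def failed_dns_entries(tests):
    """(record name, decoded error) for each DC DNS entry netdiag could not re-register."""
    out = []
    for msg in tests.get("DNS test", {"messages": []})["messages"]:
        m = ENTRY_RE.search(msg["text"])
        if m:
            err = decode_dns_error(msg["code"]) if msg["code"] is not None else "no code"
            out.append((m.group(1), err))
    return out


def status_codes(tests):
    """(test name, bracketed status code) pairs, e.g. ('DC list test', 'SEC_E_WRONG_PRINCIPAL')."""
    return [(name, m.group(1)) for name, t in tests.items()
            for m in (STATUS_RE.search(msg["text"]) for msg in t["messages"]) if m]


if __name__ == "__main__":
    parsed = parse_netdiag(SAMPLE_NETDIAG)
    print("failed:", failed_tests(parsed))
    for rec, err in failed_dns_entries(parsed):
        print("  DNS registration failed:", rec, "->", err)
    for test, code in status_codes(parsed):
        print("  %s: %s (%s)" % (test, code, STATUS_HINTS.get(code, "")))
```

Point it at netdiag output saved to a file instead of SAMPLE_NETDIAG; a run in which every DNS failure decodes to BADKEY while the secure-channel tests also fail is the pattern this thread is about: registration refused by the secured zone and no working machine-account trust, two symptoms of one un-replicated DC.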
Roger Abell
Guest
Posted: Fri Jan 07, 2005 3:36 pm  Post subject: Re: netlogon error
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:eiVwFvG9EHA.2804@TK2MSFTNGP15.phx.gbl...
Quote:
At this point maybe he should verify the health of the original domain controller with netdiag and dcdiag?

That he did, way at the start of this thread.

Quote:
If that all looks well, including it having the 5 fsmo roles, it might be worth a try to dcpromo the problem server and start over being sure to have it point to the other dc as its preferred dns server and making sure the ICF firewall is disabled. Of course that method may end up with a need to force a demotion via dcpromo and cleaning up of the metadata with ntdsutil. --- Steve

Yep - dcpromo unforced is not going to do anything with it stuck half/half.
When I saw the netdiag data from the problem box, and then the net config looking fine on all counts, primary suffix, gateway, etc. except for the DNS server in use it sure looked like an island effect failure to feed enough into the KCC so that initial replication could complete.
Quote:
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:Ow%23phqF9EHA.3504@TK2MSFTNGP12.phx.gbl...
After the reboot, or also after waiting a while? The replication does not complete instantly.
When you use AD Users and Computers on the SBS do you see the W2k3 listed in the Domain Controllers OU?
It is starting to sound like it is not going to be there (meaning that the W2k3 believes it is supposed to be a DC but the SBS does not - something I can't understand happening except maybe if during dcpromo NetBios based RPC communications is interrupted early in the promo but is OK at the very start)
--
Roger

"Brown" <fbrown@knology.net> wrote in message
news:%234PIOJF9EHA.3676@TK2MSFTNGP10.phx.gbl...
After the restart on the nonSBS machine this morning, when I open Active Directory Users and Computers it indicates that AD is not running.
Brown

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:%234oS7IE9EHA.3012@TK2MSFTNGP09.phx.gbl...
Those messages are not unexpected the first time around, because the new DC has not yet completed its initial sync with the existing AD, and so does not have its own copy (which it was trying to access). One would expect those to go away in the future as when the DNS server code fires up it then will find the AD content it is complaining about not finding now.
The issue is, do we have a functioning DC that does have replication established with the SBS DC?
At a cmd prompt run replmon and connect to the two DCs and drill into the defined replications to see if things seem to be happening.
Alternatively, on the nonSBS run AD Users and Computers, use the properties to make sure that you are focused on the nonSBS machine and the domain controller the tool is speaking with, and then click around and see if it looks the same as when the tool is connected to AD on the SBS machine.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4

"Brown" <fbrown@mta-inc.com> wrote in message
news:%23P7OoiA9EHA.3944@TK2MSFTNGP12.phx.gbl...
OK, Got through the steps and restarted. In the dnsmgmt console on the Win2K3, got a warning:
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4013
Date: 1/6/2005
Time: 9:40:16 AM
User: N/A
Computer: MTA-SERVER02
Description:
The DNS server was unable to open the Active Directory. This DNS server is configured to use directory service information and can not operate without access to the directory. The DNS server will wait for the directory to start. If the DNS server is started but the appropriate event has not been logged, then the DNS server is still waiting for the directory to start.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00 -#..
-------
Then got an error:
Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4000
Date: 1/6/2005
Time: 9:40:16 AM
User: N/A
Computer: MTA-SERVER02
Description:
The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00 -#..
Brown

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:#9C#vFA9EHA.3504@TK2MSFTNGP12.phx.gbl...
On the nonSBS mta-server02 try reversing these DNS server settings in its Tcp/Ip properties
DNS Servers . . . . . . . . . . . : 192.168.1.98
                                    192.168.1.99
so that 1.99 is the first listed DNS server IP (assuming 1.99 is the SBS)
Then on the SBS temporarily change the DNS forward zone for MTA-inc.local so that it will allow unsecured dynamic updates instead of only secured dynamic updates. (This is found in the r-click properties of the MTA-inc.local forward zone node - first set focus on the node by clicking and then r-click into its context menu.)
Next, on the nonSBS at cmd prompt run these three:
ipconfig /registerdns
net stop netlogon
net start netlogon
Take a look into the forward zone for MTA-inc.local in the DNS server on SBS to see if there are now DNS records for mta-server02 indicating its 1.98 addy. If so, try a reboot of the nonSBS.
You will need to remember to set the forward zone back to allowing only secured dynamic updates after you are done. It would be good to leave both DCs set with their DNS servers in Tcp/Ip config set so that they first reference the other and next reference themselves - however, if doing this then both would need to be able to get out to the internet DNS servers.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Brown" <fbrown@mta-inc.com> wrote in message
news:erOKNe$8EHA.2600@TK2MSFTNGP09.phx.gbl...
Here is the ipconfig:
Windows IP Configuration
Host Name . . . . . . . . . . . . : mta-server02
Primary Dns Suffix . . . . . . . : MTA-inc.local
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : MTA-inc.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : SiS 900-Based PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-0C-6E-AF-F9-6C
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.98
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.98
                                    192.168.1.99
Brown

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:#aebW678EHA.1188@tk2msftngp13.phx.gbl...
It is not unusual for a DC to fail to authenticate when it has not yet completed becoming a DC.
The requested output from
ipconfig /all
when run on the failing machine would help greatly in understanding from the previously provided netdiag output if there is a simple route to get the initial replication to complete so that the machine can complete its promotion.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Brown" <fbrown@mta-inc.com> wrote in message
news:uY35RQz8EHA.2540@TK2MSFTNGP09.phx.gbl...
In the Event Log I get the following message:
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 1/5/2005
Time: 7:18:18 AM
User: N/A
Computer: MTA-SERVER02
Description:
The Security System detected an authentication error for the server cifs/mta-main.MTA-inc.local. The failure code from authentication protocol Kerberos was "The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..À
----------------
Brown

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:Ot5o7Av8EHA.4004@tk2msftngp13.phx.gbl...
'192.168.1.99' is IP of the SBS?
Can you clarify for me a little just what you meant by
It appears that the name for the Win2K3 on the SBS2K3 server is not in sync with the name on the Win2k3 server, but I cannot locate an occurrence where it is different.
Names as seen where?
Can you post output from running, on the failing W2k3 (nonSBS)
ipconfig /all
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Brown" <fbrown@mta-inc.com> wrote in message
news:%23acMnep8EHA.2156@TK2MSFTNGP10.phx.gbl...
OK, I'm back - I have gone through the suggestions and am still at a loss.
Netdiag still shows problems on the Win2K3 server:
Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.
------
DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.206600de-fb91-4786-8e91-7db1704af5a3.domains._msdcs.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry 67f85d0b-43cd-47df-948d-1a165f5851d7._msdcs.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _kerberos._udp.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _kpasswd._udp.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for this DC on DNS server '192.168.1.99'.
[FATAL] No DNS servers have the DNS records for this DC registered.
------
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to mta-main.MTA-inc.local (192.168.1.99). [SEC_E_WRONG_PRINCIPAL]
-------
Trust relationship test. . . . . . : Failed
[WARNING] Don't have access to test your domain sid for domain 'MTA-INC'. [Test skipped]
[FATAL] Secure channel to domain 'MTA-INC' is broken. [ERROR_NO_TRUST_SAM_ACCOUNT]
-----
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for host/mta-server02.MTA-inc.local.
-----
It appears that the name for the Win2K3 on the SBS2K3 server is not in sync with the name on the Win2k3 server, but I cannot locate an occurrence where it is different.
Brown

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:eiCa33w6EHA.1408@TK2MSFTNGP10.phx.gbl...
No problem Frank. Let us know if you did not get fixed up by this.
BTW, if you can remote into the SBS then you should be able to open a remote desktop to the W2k3 from within the SBS. Double remote desktop can be a little tedious but does work. Also, you can configure the SBS to directly mediate remote desktop connection to any internal machine should you so choose.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Brown" <fbrown@knology.net> wrote in message
news:%23OB%23Mfg6EHA.2032@tk2msftngp13.phx.gbl...
Roger, Thanks for the help. I have run the netdiag /fix and it looks like it has cleared up some of the problems. I am back home working via the SBS remote access. The 2K3 machine is not available (part of the problem) so I will have to try to get back in to the office to do it. I will be out of touch for several days, and may not be able to get back to it until then. I have your suggestions, and will see if that takes care of me when I can get back on the machine.
I want to make sure you and Steven know how much I appreciate your patience and assistance.
Frank Brown

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23v0SqWf6EHA.1392@tk2msftngp13.phx.gbl...
On the SBS first run
netdiag /fix
Verify that the zones supporting the AD are configured for secured dynamic updates allowed. For this, run the DNS mgmt UI and highlight each forward zone then rclick into its properties. They should be AD integrated and allowing secured dynamic updates.
On the failing W2k3 check that
- in tcp/ip settings the DNS server is the SBS machine
- in System properties (rclick my computer, properties) the full computer name is correct, right domain
at cmd prompt run
net stop netlogon
net start netlogon
then rerun netdiag to see if it is clean.
Once clean, you will want to install DNS on the second DC (if not already) and have it host the same AD integrated zones as are on the other DNS service.
optional/advised:
After you have DNS fault tolerance, you could/should configure each DC to point first to the other and then to itself for DNS services in the Tcp/Ip config.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
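The netdiag output quoted in this post lists, one by one, the DNS records a domain controller's Netlogon service registers. The following is an added example (not code from the thread or from Microsoft) that rebuilds that expected set from the domain name, site name and the two GUIDs visible in the output, following the record layout of netlogon.dns for a DC that is neither a global catalog nor the PDC emulator (the GC and PDC records sit behind flags), and diffs it against the names actually present on a DNS server. NETDIAG_REPORTED is copied from the post above; FOUND_ON_SBS_DNS is a constructed stand-in for what the zone on 192.168.1.99 held at the time.

```python
"""Expected Netlogon DNS records for a Windows Server 2003 DC, and a diff
against the names a DNS server actually holds.  Added example for this
thread, not code from the thread or from Microsoft.  Domain, site and
GUIDs come from the netdiag output posted in the thread; FOUND_ON_SBS_DNS
is constructed."""

DOMAIN = "MTA-inc.local"
SITE = "Default-First-Site-Name"
DOMAIN_GUID = "206600de-fb91-4786-8e91-7db1704af5a3"  # from the <guid>.domains._msdcs SRV record
DSA_GUID = "67f85d0b-43cd-47df-948d-1a165f5851d7"     # from the <guid>._msdcs CNAME record


def expected_dc_records(domain, site, domain_guid, dsa_guid, forest=None,
                        is_gc=False, is_pdc=False):
    """Return {record name: record type} that Netlogon registers for one DC.

    Names carry no trailing dot. `forest` defaults to `domain` (the
    single-domain case in the thread). GC and PDC-emulator records are
    added only when the DC holds those roles.
    """
    forest = forest or domain
    dc = "dc._msdcs." + domain
    recs = {
        domain: "A",                                  # LdapIpAddress: the domain's own host record
        dsa_guid + "._msdcs." + forest: "CNAME",      # DsaCname, used by replication partners
        "_ldap._tcp." + domain: "SRV",
        "_ldap._tcp.%s._sites.%s" % (site, domain): "SRV",
        "_ldap._tcp." + dc: "SRV",
        "_ldap._tcp.%s._sites.%s" % (site, dc): "SRV",
        "_ldap._tcp.%s.domains._msdcs.%s" % (domain_guid, forest): "SRV",
        "_kerberos._tcp." + domain: "SRV",
        "_kerberos._tcp.%s._sites.%s" % (site, domain): "SRV",
        "_kerberos._tcp." + dc: "SRV",
        "_kerberos._tcp.%s._sites.%s" % (site, dc): "SRV",
        "_kerberos._udp." + domain: "SRV",
        "_kpasswd._tcp." + domain: "SRV",
        "_kpasswd._udp." + domain: "SRV",
    }
    if is_pdc:
        recs["_ldap._tcp.pdc._msdcs." + domain] = "SRV"
    if is_gc:
        gc = "gc._msdcs." + forest
        recs[gc] = "A"
        recs["_gc._tcp." + forest] = "SRV"
        recs["_gc._tcp.%s._sites.%s" % (site, forest)] = "SRV"
        recs["_ldap._tcp." + gc] = "SRV"
        recs["_ldap._tcp.%s._sites.%s" % (site, gc)] = "SRV"
    return recs


def _norm(name):
    # DNS names compare case-insensitively and with or without the root dot.
    return name.rstrip(".").lower()


def missing_records(expected, found):
    """Expected record names that are absent from the `found` names."""
    have = {_norm(n) for n in found}
    return sorted(n for n in expected if _norm(n) not in have)


# The 14 entries netdiag reported it could not re-register on 192.168.1.99 (from the thread).
NETDIAG_REPORTED = [
    "MTA-inc.local.",
    "_ldap._tcp.MTA-inc.local.",
    "_ldap._tcp.Default-First-Site-Name._sites.MTA-inc.local.",
    "_ldap._tcp.206600de-fb91-4786-8e91-7db1704af5a3.domains._msdcs.MTA-inc.local.",
    "67f85d0b-43cd-47df-948d-1a165f5851d7._msdcs.MTA-inc.local.",
    "_kerberos._tcp.dc._msdcs.MTA-inc.local.",
    "_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local.",
    "_ldap._tcp.dc._msdcs.MTA-inc.local.",
    "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local.",
    "_kerberos._tcp.MTA-inc.local.",
    "_kerberos._tcp.Default-First-Site-Name._sites.MTA-inc.local.",
    "_kerberos._udp.MTA-inc.local.",
    "_kpasswd._tcp.MTA-inc.local.",
    "_kpasswd._udp.MTA-inc.local.",
]

# Constructed: the zone held only the new DC's host record, none of the locator records.
FOUND_ON_SBS_DNS = ["mta-server02.MTA-inc.local."]


def netdiag_list_matches_netlogon_layout():
    """True when netdiag's list is exactly the non-GC, non-PDC layout built above."""
    exp = expected_dc_records(DOMAIN, SITE, DOMAIN_GUID, DSA_GUID)
    return {_norm(n) for n in exp} == {_norm(n) for n in NETDIAG_REPORTED}


def demo():
    exp = expected_dc_records(DOMAIN, SITE, DOMAIN_GUID, DSA_GUID)
    return missing_records(exp, FOUND_ON_SBS_DNS)


if __name__ == "__main__":
    print("netdiag list equals Netlogon layout:", netdiag_list_matches_netlogon_layout())
    for name in demo():
        print("missing:", name)
```

Feed `found` with the names actually present in the MTA-inc.local zone (read off the DNS console on the SBS, or with nslookup -type=SRV against 192.168.1.99); an empty result from missing_records is the condition Roger's "then rerun netdiag to see if it is clean" step is waiting for, and a non-empty one after ipconfig /registerdns points at the zone's dynamic-update setting rather than at the client.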
Brown
Guest
Posted: Fri Jan 07, 2005 7:34 pm  Post subject: Re: netlogon error
The non-SBS does appear in the Domain Controllers OU on the SBS box. With the changes I have made in the last couple of days, when I launch AD Users & Computers on the non-SBS I get an error that states
"Naming information cannot be located because:
The target principal name is incorrect.
Contact your system administrator to verify that your domain is properly configured and is currently online."
Same message for AD Site & Services.
AD Domains & Trust gives the message
"The configuration information describing this enterprise is not available. The target principal name is incorrect."
It looks like something is not pointing to the right place, but I have no clue.
Brown
| Quote: | After the reboot, or also after waiting a while ?
The replication does not complete instantly.
When you use AD Users and Computers on the SBS do
you see the W2k3 listed in the Domain Controllers OU ?
It is starting to sound like it is not going to be there (meaning
that the W2k3 believes it is supposed to be a DC but the SBS
does not - something I can't understand happening except maybe
if during dcpromo NetBios based RPC communications is
interrupted early in the promo but is OK at the very start)
--
Roger
"Brown" <fbrown@knology.net> wrote in message
news:%234PIOJF9EHA.3676@TK2MSFTNGP10.phx.gbl...
After the restart on the nonSBS machine this morning, when I open Active
Directory Users and Computers I indicates that AD is not running.
Brown
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:%234oS7IE9EHA.3012@TK2MSFTNGP09.phx.gbl...
Those message are not unexpected the first time around, because
the new DC has not yet completed its initial sync with the existing
AD,
and so does not have its own copy (which it was trying to access).
One would expect those to go away in the future as when the DNS
server code fires up it then will find the AD content it is
complaining
about not finding now.
The issue is, do we have a functioning DC that does have replication
established with the SBS DC ?
At a cmd prompt run replmon and connect to the two DCs and drill
into the defined replications to see if things seem to be happening.
Alternatively, on the nonSBS run AD Users and Computers, use the
properties to make sure that you are focused on the nonSBS machine
and the domain controller the tool is speaking with, and then click
around and see if it looks the same as when the tool is connected
to AD on the SBS machine.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Brown" <fbrown@mta-inc.com> wrote in message
news:%23P7OoiA9EHA.3944@TK2MSFTNGP12.phx.gbl...
OK, Got through the steps and restarted. In the dnsmgmt console on
the
Win2K3, got a warning:
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4013
Date: 1/6/2005
Time: 9:40:16 AM
User: N/A
Computer: MTA-SERVER02
Description:
The DNS server was unable to open the Active Directory. This DNS
server
is
configured to use directory service information and can not operate
without
access to the directory. The DNS server will wait for the directory
to
start. If the DNS server is started but the appropriate event has
not
been
logged, then the DNS server is still waiting for the directory to
start.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00 -#..
-------
Then got an error:
Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4000
Date: 1/6/2005
Time: 9:40:16 AM
User: N/A
Computer: MTA-SERVER02
Description:
The DNS server was unable to open Active Directory. This DNS server
is
configured to obtain and use information from the directory for this
zone
and is unable to load the zone without it. Check that the Active
Directory
is functioning properly and reload the zone. The event data is the
error
code.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00 -#..
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:#9C#vFA9EHA.3504@TK2MSFTNGP12.phx.gbl...
On the nonSBS mta-server02 try reversing these DNS
server settings in its Tcp/Ip properties
DNS Servers . . . . . . . . . . . : 192.168.1.98
192.168.1.99
so that 1.99 is the first listed DNS server IP
(assuming 1.99 is the SBS)
Then on the SBS temporarily change the DNS
forward zone for MTA-inc.local so that it will
allow unsecured dynamic updates instead of only
secured dynamic updates. (This is found in the
r-click properties of the MTA-inc.local forward
zone node - first set focus on the node by clicking
and then r-click into its context menu.)
Next, on the nonSBS at cmd prompt run these three:
ipconfig /registerdns
net stop netlogon
net start netlogon
Take a look into the forward zone for MTA-inc.local
in the DNS server on SBS to see if the there are now
DNS records for mta-server02 indicating its 1.98 addy,
If so, try a reboot of the nonSBS.
You will need to remember to set the forward zone
back to allowing only secured dynamic updates after
you are done. It would be good to leave both DCs
set with their DNS servers in Tcp/Ip config set so
that they first reference the other and next reference
themselves - however, if doing this then both would
need to be able to get out to the internet DNS servers.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:erOKNe$8EHA.2600@TK2MSFTNGP09.phx.gbl...
Here is the ipconfig:
Windows IP Configuration
Host Name . . . . . . . . . . . . : mta-server02
Primary Dns Suffix . . . . . . . : MTA-inc.local
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : MTA-inc.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : SiS 900-Based PCI Fast
Ethernet
Adapter
Physical Address. . . . . . . . . : 00-0C-6E-AF-F9-6C
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.98
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.98
192.168.1.99
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:#aebW678EHA.1188@tk2msftngp13.phx.gbl...
It is not unusual for a DC to fail to authenticate when it
has not yet completed becoming a DC.
The requested output from
ipconfig /all
when run on the failing machine would help greatly in
understanding from the previously provided netdiag output
if there is a simple route to get the initial replication to
complete so that the machine can complete its promotion.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:uY35RQz8EHA.2540@TK2MSFTNGP09.phx.gbl...
In the Event Log I get the folloiwing message:
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 1/5/2005
Time: 7:18:18 AM
User: N/A
Computer: MTA-SERVER02
Description:
The Security System detected an authentication error for the
server
cifs/mta-main.MTA-inc.local. The failure code from
authentication
protocol
Kerberos was "The attempted logon is invalid. This is either
due
to
a
bad
username or authentication information.
(0xc000006d)".
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..À
----------------
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:Ot5o7Av8EHA.4004@tk2msftngp13.phx.gbl...
'192.168.1.99' is IP of the SBS ?
Can you clarify for me a little just what you meant by
It appears that the name for the Win2K3 on the SBS2K3
server
is
not
in
sync
with the name on the Win2k3 server, but I cannot locate an
occurence
where
it is different.
Names as seen where ?
Can you post output from running, on the failing W2k3
(nonSBS)
ipconfig /all
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:%23acMnep8EHA.2156@TK2MSFTNGP10.phx.gbl...
OK, I'm back - I have gone through the suggestions and am
still
at
a
loss.
Netdiag still shows problems on the Win2K3 server:
Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely
replicated
to
the
local
machine. This machine is not working properly as a DC.
------
DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry MTA-inc.local.
re-registeration
on
DNS
server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.Default-First-Site-Name._sites.MTA-inc.local.
re-registeration
on
DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.206600de-fb91-4786-8e91-7db1704af5a3.domains._msdcs.MTA-inc.local
. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
67f85d0b-43cd-47df-948d-1a165f5851d7._msdcs.MTA-inc.local.
re-registeration
on DNS server '192.168.1.99' failed.DNS Error code:
0x00002339
[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.dc._msdcs.MTA-inc.local.re-registeration on
DNS
server
'192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.dc._msdcs.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.Default-First-Site-Name._sites.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kerberos._udp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kpasswd._tcp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kpasswd._udp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Fix Failed: netdiag failed to re-register missing
DNS
entries
for
this DC on DNS server '192.168.1.99'.
[FATAL] No DNS servers have the DNS records for this DC
registered.
------
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to mta-main.MTA-inc.local
(192.168.1.99).
[SEC_
E_WRONG_PRINCIPAL]
-------
Trust relationship test. . . . . . : Failed
[WARNING] Don't have access to test your domain sid for
domain
'MTA-INC'.
[Test skipped]
[FATAL] Secure channel to domain 'MTA-INC' is broken.
[ERROR_NO_TRUST_SAM_ACCOUNT]
-----
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for
host/mta-server02.MTA-inc.local.
-----
It appears that the name for the Win2K3 on the SBS2K3
server
is
not
in
sync
with the name on the Win2k3 server, but I cannot locate an
occurence
where
it is different.
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:eiCa33w6EHA.1408@TK2MSFTNGP10.phx.gbl...
No problem Frank. Let us know if you did not get
fixed up by this.
BTW, if you can remote into the SBS then you should
be able to open a remote desktop to the W2k3 from
within the SBS. Double remote desktop can be a little
tedious but does work. Also, you can configure the
SBS to directly mediate remote desktop connection
to any internal machine should you so choose.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@knology.net> wrote in message
news:%23OB%23Mfg6EHA.2032@tk2msftngp13.phx.gbl...
Roger, Thanks for the help. I have run the netdiag
/fix
and
it
looks
like
it has cleared up some of the problems. I am back
home
working
via
the
SBS
remote access. The 2K3 machine is not available (part
of
the
problem)
so
I
will have to try to get back in to the office to do
it.
I
will
be
out
of
touch for several days, and may not be able to get
back
to
it
until
then.
I
have your suggestions, and will see if that takes care
of
me
when
I
can
get
back on the machine.
I want to make sure you Steven know how much I
appreciate
your
patience
and
assistance.
Frank Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23v0SqWf6EHA.1392@tk2msftngp13.phx.gbl...
On the SBS first run
netdiag /fix
Verify that the zones supporting the AD are configured for secured dynamic updates allowed. For this, run the DNS mgmt UI and highlight each forward zone then rclick into its properties. They should be AD integrated and allowing secured dynamic updates.
On the failing W2k3 check that
- in tcp/ip settings the DNS server is the SBS machine
- in System properties (rclick my computer, properties) the full computer name is correct, right domain
at cmd prompt run
net stop netlogon
net start netlogon
then rerun netdiag to see if it is clean.
Once clean, you will want to install DNS on the
second DC (if not already) and have it host the same
AD integrated zones as are on the other DNS service.
optional/advised:
After you have DNS fault tolerance, you could/should configure each DC to point first to the other and then to itself for DNS services in the Tcp/Ip config.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:OKNECGf6EHA.1204@TK2MSFTNGP10.phx.gbl...
OK, I ran dcdiag and netdiag on the 2K3 machine errors abound ----
First: dcdiag > "Although the Guid name <string of stuff here couldn't be resolved, the server name (server02.domain.local) resolved to the IP address (192.168.1.98) and was pingable. Check that the IP address is registered correctly with the DNS Server."
The other tests in dcdiag passed
Then: netdiag:> Domain membership test: Failed "[WARNING] The system volume has not been completely replicated to the local machine. This machine is not working properly as a DC."
DC test: failed "[WARNING] The DNS entries for this DC are not registered correctly on the DNS server '192.168.1.99'. Please wait for 30 minutes for DNS server replication. [FATAL] No DNS servers have the DNS records for this DC registered."
DC list test: Failed [WARNING] Cannot call DsBind to main.domain.local (192.168.1.99). [SEC_E_WRONG_PRINCIPAL]
Trust Relationship test: Failed ....
Kerberos test: Failed........
OK, HELP!! Where do I start??
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:Oql3Ced6EHA.3124@TK2MSFTNGP11.phx.gbl...
and netdiag and dcdiag have told you . . . ?
--
Roger
"Brown" <fbrown@knology.net> wrote in message
news:OEn0igV6EHA.2568@TK2MSFTNGP11.phx.gbl...
The SBS machine has 2 NICs but only one is active. The Win2K3 has one NIC.
DHCP is running on an external router.
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in
message
news:uZpd85T6EHA.2192@TK2MSFTNGP14.phx.gbl...
For DC communications issues your first stop shop to get hints of what may be amiss is by running on each DC netdiag and dcdiag utilities (depending on versions, you may need to install the optional support tools from the CD).
Which, if any, of these machines are multihomed (>1 nic)?
--
Roger Abell
"Brown" <fbrown@mta-inc.com> wrote in message
news:O5OJURP6EHA.4008@TK2MSFTNGP15.phx.gbl...
I tried that, but since it is a DC (backup) it will not allow this. Is there any other way to get them to shake hands?
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in
message
news:%23deks%23L6EHA.3124@TK2MSFTNGP11.phx.gbl...
did I actually forget to mention that you could try resetting the machine account (in AD Users and Comps) . . .
--
Roger Abell
"Brown" <fbrown@mta-inc.com> wrote in
message
news:O2$c8m55EHA.2624@TK2MSFTNGP11.phx.gbl...
I am running SBS 2003 Pro (MAIN), with a Win2K3 Standard server (SERVER02) which is providing file server and AD Backup tasks.
I am getting an error message in the System Event Viewer, source Netlogon:
"The session setup from the computer SERVER02 failed to authenticate. The name(s) of the account(s) referenced in the security database is SERVER02$. The following error occurred: Access denied."
What do I need to do to correct this?
Brown
Roger Abell
Guest
Posted: Fri Jan 07, 2005 8:44 pm Post subject: Re: netlogon error
Those messages when launching those tools on the nonSBS
seem to indicate that the AD initial replication into it still
has not happened.
There is no software firewall configured on the SBS, right?
You have not yet mentioned whether after yesterday morning
when the DNS config of the nonSBS was changed, is the nonSBS
now showing in the forward lookup zones when viewed in the
SBS DNS mgmt UI. There is a netlogon.dns file deposited in
the config folder in system32 on DCs, and these are unique to
each DC. The records that are recorded there in the nonSBS
are what should now exist in the DNS on the SBS machine.
If you run Sites and Services on the SBS and drill in do you
also see the nonSBS there? If so, do you see under its NTDS
settings that there are replication links defined to it?
--
Roger
"Brown" <fbrown@mta-inc.com> wrote in message
news:ezfFk2L9EHA.1524@TK2MSFTNGP09.phx.gbl...
Quote:
The non-SBS does appear in the Domain Controllers OU on the SBS box. With the changes I have made in the last couple of days, when I launch AD Users & Computers on the non-SBS I get an error that states
"Naming information cannot be located because:
The target principal name is incorrect.
Contact your system administrator to verify that your domain is properly configured and is currently online."
Same message for AD Site & Services.
AD Domains & Trust gives the message
"The configuration information describing this enterprise is not available.
The target principal name is incorrect."
It looks like something is not pointing to the right place, but I have no clue.
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:Ow#phqF9EHA.3504@TK2MSFTNGP12.phx.gbl...
After the reboot, or also after waiting a while ?
The replication does not complete instantly.
When you use AD Users and Computers on the SBS do
you see the W2k3 listed in the Domain Controllers OU ?
It is starting to sound like it is not going to be there (meaning
that the W2k3 believes it is supposed to be a DC but the SBS
does not - something I can't understand happening except maybe
if during dcpromo NetBios based RPC communications is
interrupted early in the promo but is OK at the very start)
--
Roger
"Brown" <fbrown@knology.net> wrote in message
news:%234PIOJF9EHA.3676@TK2MSFTNGP10.phx.gbl...
After the restart on the nonSBS machine this morning, when I open Active Directory Users and Computers it indicates that AD is not running.
Brown
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:%234oS7IE9EHA.3012@TK2MSFTNGP09.phx.gbl...
Those messages are not unexpected the first time around, because the new DC has not yet completed its initial sync with the existing AD, and so does not have its own copy (which it was trying to access).
One would expect those to go away in the future as when the DNS server code fires up it then will find the AD content it is complaining about not finding now.
The issue is, do we have a functioning DC that does have replication
established with the SBS DC ?
At a cmd prompt run replmon and connect to the two DCs and drill
into the defined replications to see if things seem to be happening.
Alternatively, on the nonSBS run AD Users and Computers, use the
properties to make sure that you are focused on the nonSBS machine
and the domain controller the tool is speaking with, and then click
around and see if it looks the same as when the tool is connected
to AD on the SBS machine.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Brown" <fbrown@mta-inc.com> wrote in message
news:%23P7OoiA9EHA.3944@TK2MSFTNGP12.phx.gbl...
OK, Got through the steps and restarted. In the dnsmgmt console on the Win2K3, got a warning:
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4013
Date: 1/6/2005
Time: 9:40:16 AM
User: N/A
Computer: MTA-SERVER02
Description:
The DNS server was unable to open the Active Directory. This DNS server is configured to use directory service information and can not operate without access to the directory. The DNS server will wait for the directory to start. If the DNS server is started but the appropriate event has not been logged, then the DNS server is still waiting for the directory to start.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00 -#..
-------
Then got an error:
Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4000
Date: 1/6/2005
Time: 9:40:16 AM
User: N/A
Computer: MTA-SERVER02
Description:
The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00 -#..
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:#9C#vFA9EHA.3504@TK2MSFTNGP12.phx.gbl...
On the nonSBS mta-server02 try reversing these DNS
server settings in its Tcp/Ip properties
DNS Servers . . . . . . . . . . . : 192.168.1.98
192.168.1.99
so that 1.99 is the first listed DNS server IP
(assuming 1.99 is the SBS)
Then on the SBS temporarily change the DNS
forward zone for MTA-inc.local so that it will
allow unsecured dynamic updates instead of only
secured dynamic updates. (This is found in the
r-click properties of the MTA-inc.local forward
zone node - first set focus on the node by clicking
and then r-click into its context menu.)
Next, on the nonSBS at cmd prompt run these three:
ipconfig /registerdns
net stop netlogon
net start netlogon
Take a look into the forward zone for MTA-inc.local
in the DNS server on SBS to see if there are now
DNS records for mta-server02 indicating its 1.98 addy.
If so, try a reboot of the nonSBS.
You will need to remember to set the forward zone
back to allowing only secured dynamic updates after
you are done. It would be good to leave both DCs
set with their DNS servers in Tcp/Ip config set so
that they first reference the other and next reference
themselves - however, if doing this then both would
need to be able to get out to the internet DNS servers.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:erOKNe$8EHA.2600@TK2MSFTNGP09.phx.gbl...
Here is the ipconfig:
Windows IP Configuration
Host Name . . . . . . . . . . . . : mta-server02
Primary Dns Suffix . . . . . . . : MTA-inc.local
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : MTA-inc.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : SiS 900-Based PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-0C-6E-AF-F9-6C
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.98
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.98
192.168.1.99
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:#aebW678EHA.1188@tk2msftngp13.phx.gbl...
It is not unusual for a DC to fail to authenticate when it
has not yet completed becoming a DC.
The requested output from
ipconfig /all
when run on the failing machine would help greatly in
understanding from the previously provided netdiag output
if there is a simple route to get the initial replication to
complete so that the machine can complete its promotion.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:uY35RQz8EHA.2540@TK2MSFTNGP09.phx.gbl...
In the Event Log I get the following message:
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 1/5/2005
Time: 7:18:18 AM
User: N/A
Computer: MTA-SERVER02
Description:
The Security System detected an authentication error for the server cifs/mta-main.MTA-inc.local. The failure code from authentication protocol Kerberos was "The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)".
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..À
----------------
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:Ot5o7Av8EHA.4004@tk2msftngp13.phx.gbl...
'192.168.1.99' is IP of the SBS ?
Can you clarify for me a little just what you meant by
It appears that the name for the Win2K3 on the SBS2K3 server is not in sync with the name on the Win2k3 server, but I cannot locate an occurrence where it is different.
Names as seen where ?
Can you post output from running, on the failing W2k3 (nonSBS)
ipconfig /all
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:%23acMnep8EHA.2156@TK2MSFTNGP10.phx.gbl...
OK, I'm back - I have gone through the suggestions and am still at a loss.
Netdiag still shows problems on the Win2K3 server:
Domain membership test . . . . . . : Failed
[WARNING] The system volume has not been completely
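The check Roger describes in the post above (the records written to a DC's netlogon.dns should now exist in the DNS hosted on the SBS) and the earlier steps he gives (point the nonSBS at the SBS for DNS, register, restart Netlogon, then look for the DC's records in the forward zone) can be scripted as a read-only verification. The PowerShell below is an added example written for this page; it is not code from the thread or from Microsoft. It assumes a current Windows host with the DnsClient module (Resolve-DnsName, Get-DnsClientServerAddress), which Windows Server 2003 did not ship, and the sample netlogon.dns content, host names and addresses are constructed to mirror the thread (MTA-inc.local, mta-server02 at 192.168.1.98, the SBS at 192.168.1.99).

```powershell
# Added example (not from the thread or from Microsoft): read a DC's netlogon.dns
# and check that each record the DC expects is present on a partner DNS server.
# Assumes a current Windows host with the DnsClient module (Resolve-DnsName,
# Get-DnsClientServerAddress), which Windows Server 2003 did not have.
# The sample file content, names and addresses below are constructed to mirror
# the thread (MTA-inc.local, mta-server02 at 192.168.1.98, SBS at 192.168.1.99).

# Constructed sample in the format Netlogon writes to
# %SystemRoot%\System32\config\netlogon.dns on every domain controller.
$SampleNetlogonDns = @'
MTA-inc.local. 600 IN A 192.168.1.98
_ldap._tcp.MTA-inc.local. 600 IN SRV 0 100 389 mta-server02.MTA-inc.local.
_ldap._tcp.dc._msdcs.MTA-inc.local. 600 IN SRV 0 100 389 mta-server02.MTA-inc.local.
_kerberos._tcp.dc._msdcs.MTA-inc.local. 600 IN SRV 0 100 88 mta-server02.MTA-inc.local.
gc._msdcs.MTA-inc.local. 600 IN A 192.168.1.98
'@

function ConvertFrom-NetlogonDns {
    # Parse "<owner> <ttl> IN <type> <rdata...>" lines into objects that carry
    # the record name, type and the value the DC expects DNS to return.
    param([Parameter(Mandatory)][string]$Text)

    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if (-not $line -or $line.StartsWith(';')) { continue }   # blank or comment
        $fields = $line -split '\s+'
        if ($fields.Count -lt 5 -or $fields[2] -ne 'IN') { continue }
        $type  = $fields[3]
        $rdata = $fields[4..($fields.Count - 1)]
        $expected = $null
        switch ($type) {
            'A'     { $expected = $rdata[0] }
            'CNAME' { $expected = $rdata[0].TrimEnd('.') }
            'SRV'   { $expected = $rdata[3].TrimEnd('.') }   # priority weight port target
        }
        if (-not $expected) { continue }                         # record type not handled
        [pscustomobject]@{
            Name     = $fields[0].TrimEnd('.')
            Type     = $type
            Expected = $expected
        }
    }
}

function Test-DcDnsRegistration {
    # Query one DNS server (for example the SBS) for every record in netlogon.dns.
    # Read-only: it reports what is missing and never registers or changes anything.
    param(
        [Parameter(Mandatory)][string]$NetlogonDnsPath,
        [Parameter(Mandatory)][string]$DnsServer
    )
    $records = ConvertFrom-NetlogonDns -Text (Get-Content -Raw -Path $NetlogonDnsPath)
    foreach ($r in $records) {
        $found  = $false
        $actual = @()
        try {
            $answer = Resolve-DnsName -Name $r.Name -Type $r.Type -Server $DnsServer `
                                      -DnsOnly -ErrorAction Stop
            $actual = switch ($r.Type) {
                'A'     { $answer | Where-Object Type -eq 'A'     | ForEach-Object IPAddress }
                'CNAME' { $answer | Where-Object Type -eq 'CNAME' | ForEach-Object NameHost }
                'SRV'   { $answer | Where-Object Type -eq 'SRV'   | ForEach-Object NameTarget }
            }
            $found = @($actual) -contains $r.Expected      # PowerShell compares case-insensitively
        } catch {
            $actual = @("lookup failed: $($_.Exception.Message)")
        }
        [pscustomobject]@{
            Name = $r.Name; Type = $r.Type; Expected = $r.Expected
            Found = $found; Actual = (@($actual) -join ', ')
        }
    }
}

function Get-DcDnsClientSummary {
    # The two local settings the thread asks about: which DNS servers the DC's
    # TCP/IP config points at (the partner DC should be listed first) and whether
    # the Netlogon service, which writes and registers netlogon.dns, is running.
    [pscustomobject]@{
        DnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                      Where-Object { $_.ServerAddresses } |
                      ForEach-Object { $_.ServerAddresses }) -join ', '
        Netlogon   = (Get-Service -Name Netlogon).Status
    }
}

# Offline demonstration on the constructed sample (no DNS queries are sent):
ConvertFrom-NetlogonDns -Text $SampleNetlogonDns | Format-Table -AutoSize

# On a real DC, check its own netlogon.dns against the partner's DNS service
# (192.168.1.99 is the thread's SBS address, used here as a placeholder):
# Test-DcDnsRegistration -NetlogonDnsPath "$env:SystemRoot\System32\config\netlogon.dns" `
#                        -DnsServer 192.168.1.99 | Where-Object { -not $_.Found } | Format-Table
# Get-DcDnsClientSummary
```

Running Test-DcDnsRegistration against the partner DC before and after the register/restart steps shows exactly which of the DC's records the other DNS service holds, which is the same question the "[FATAL] No DNS servers have the DNS records for this DC registered" netdiag line answers with a yes or no; rows with Found set to false while the zone still refuses the update are the ones to look at when deciding whether secured dynamic updates are being rejected for that DC. Get-DcDnsClientSummary is the quick way to confirm the DNS server order Roger recommends (partner first, self second) on each DC once both host the zones.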