big trouble with Server - as KB933994

Discussion in 'Server Migration' started by Trapulo, Jul 18, 2008.

  1. Trapulo

    Trapulo Guest

    Hello,
    I added a Windows 2003 Server to an existing 2000 domain, and made it an
    additional domain controller. All ok, I restarted, I made GC, all worked
    fine.

    Then I restarted another time... boom. Every critical Windows service
    doesn't start anymore. Only RPC works: others (COM+, network connections, shell
    hardware detection, etc.) don't start.
    It seems as KB933994 describes: the old group policy didn't assign
    "impersonate a client after authentication" to Service and Network accounts,
    so I think that the replicated policy has blocked the 2003 system.

    Now? I've tried to update policy on the W2003 server, but it doesn't apply
    it. When I run a gpupdate, it reports that "there are no more available
    endpoints" and it doesn't load changed policy.

    Any idea? Please help.

    thanks
     
    Trapulo, Jul 18, 2008
    #1

  2. Hello Trapulo,

    Please post the complete error message. Additionally, post an unedited ipconfig
    /all from both DCs. Did you run dcdiag, netdiag and repadmin /showrepl from
    the support tools?

    Best regards

    Meinolf Weber
     
    Meinolf Weber, Jul 18, 2008
    #2

  3. Trapulo

    Morgan che Guest

    Hi,

    Based on my research, the logon account for the Remote Procedure Call (RPC)
    service was changed from the Local System account to the NetworkService
    account in Windows Server 2003 with SP1.

    When the RPC service runs under the NetworkService account, the Impersonate
    a client after authentication policy must include the Administrators group
    account and the SERVICE group account. Otherwise, the error message "there
    are no more available endpoints" may appear.

    So, please first check the 'Impersonate a client after authentication' policy under
    Computer Configuration\Windows Settings\Security Settings\Local
    Policies\User Rights Assignment. By default, Administrators and
    SERVICE have been assigned this privilege to impersonate a client. If this
    has been modified, please refer to the following KB to revert it:

    Error message when you modify the "Impersonate a client after
    authentication" policy setting in Windows Server 2003 with Service Pack 1:
    "There are no more endpoints available from the endpoint mapper"
    http://support.microsoft.com/kb/930220/en-us

    If this issue still remains, please provide me the following information:

    1. Is there any error message in the event log?
    2. Please check whether the RPC service is working, following the steps below:

    Please use portqry to check whether RPC port 135 is listening.

    For example:

    The following command tries to resolve my server to an IP address and then
    queries the specified range of UDP ports (135-139) in sequential order on
    the corresponding host. This command also creates a log file
    (my_server.txt) that contains a log of its output.

    portqry -n DC_server -p udp -r 135:139 -l my_server.txt

    Below is an article about the PORTQRY tool
    http://support.microsoft.com/?kbid=310099

    Below is a link to download the PORTQRY tool
    http://www.microsoft.com/downloads/details.aspx?familyid=89811747-C74B-4638-A2D5-AC828BDC6983&displaylang=en

    Please also run the 'netstat' command on the problematic DC to check the port
    usage. Is it exhausted?

    If it's port depletion, you may adjust the MaxUserPort value to add more
    ports on both servers.

    1. Start Registry Editor.
    2. Locate the following subkey in the registry, and then click Parameters:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    3. On the Edit menu, click New, and then add the following registry entry:

    Value Name: MaxUserPort
    Value Type: DWORD
    Value data: 65000 (decimal)

    4. Quit Registry Editor.
    5. Reboot the server to test again.

    Description: This parameter controls the maximum port number that is used
    when a program requests any available user port from the system. Typically,
    ephemeral (short-lived) ports are allocated between the values of 1024 and
    5000 inclusive.
    3. If there is still no headway, for further assistance on this issue,
    please help me collect the MPSRPT log file.

    You can get this tool from the link:

    Microsoft Product Support's Reporting Tools (MPSRPT_DirSvc.EXE)
    http://www.microsoft.com/downloads/details.aspx?FamilyID=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en

    ---------------------------------------
    Please send the MPS report CAB file to

    Note:

    a. Please include the following lines for this issue in the email body:

    big trouble with Server - as KB933994
    ===========================
    Morgan Che - MSFT

    b. We will continue to discuss the issue here in newsgroup and will NOT
    reply via emails.

    c. Please post a quick note in the current thread to inform me after sending
    the email.

    Thanks.


    Sincerely
    Morgan Che
    Microsoft Online Support
    Microsoft Global Technical Support Center

    Get Secure! - www.microsoft.com/security
    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.


     
    Morgan che, Jul 21, 2008
    #3
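    As an added example (not code from the thread, from Microsoft, or from either poster), here is a read-only PowerShell audit of the three things Morgan's reply asks the poster to check: who holds the "Impersonate a client after authentication" right in the local policy, whether the RPC endpoint mapper is listening on TCP 135, and the MaxUserPort value. Function names are my own; it assumes an elevated session on the affected server.

```powershell
# Added example, not code from the thread: audit the checks from Morgan's reply
# on a Windows Server 2003 DC. Function names are my own; run elevated.

function Get-ImpersonatePrivilegeHolders {
    # secedit exports the local policy as an INI file; the USER_RIGHTS area holds
    # "SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,..." (SIDs prefixed with '*').
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $cfg |
        Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' } |
        Select-Object -First 1
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }            # no entry at all: nobody holds the right
    $value = ($line -split '=', 2)[1]
    return @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
}

function Test-RpcImpersonationPolicy {
    # KB930220: with RPC running as NetworkService (2003 SP1), the right must include
    # Administrators and SERVICE, otherwise "no more endpoints available" appears.
    $required = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-6' = 'SERVICE' }
    $holders  = Get-ImpersonatePrivilegeHolders
    $missing  = @($required.Keys | Where-Object { $holders -notcontains $_ })
    foreach ($sid in $missing) {
        Write-Warning "SeImpersonatePrivilege does not include $($required[$sid]) ($sid)"
    }
    return ($missing.Count -eq 0)
}

function Test-EndpointMapperListening {
    # Local equivalent of the portqry step in the thread: a healthy host shows a
    # TCP listener on port 135 (the RPC endpoint mapper) in netstat output.
    $hits = netstat -an | Select-String -Pattern ':135\s+\S+\s+LISTENING'
    return [bool]$hits
}

function Get-MaxUserPort {
    # An absent value means the Windows 2000/2003 default: ephemeral ports end at 5000.
    # (Windows Vista/2008 and later use a dynamic range instead; see
    # 'netsh int ipv4 show dynamicport tcp'.)
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $item = Get-ItemProperty -Path $key -Name MaxUserPort -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 5000 }
    return [int]$item.MaxUserPort
}

function Invoke-RpcHealthAudit {
    # One object summarising the three checks, for logging or comparison across DCs.
    [pscustomobject]@{
        ImpersonatePolicyOk   = Test-RpcImpersonationPolicy
        EndpointMapperListens = Test-EndpointMapperListening
        MaxUserPort           = Get-MaxUserPort
    }
}

Invoke-RpcHealthAudit | Format-List
```

    On the poster's server, ImpersonatePolicyOk would come back False until the policy is reverted as KB930220 describes.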
  4. Trapulo

    Trapulo Guest

    This is the error when I try to run gpupdate:
    1053
    Windows cannot determine the user or computer name. (There are no more
    endpoints available from the endpoint mapper. ). Group Policy processing
    aborted.

    This is from the old Win2K controller:



    Windows 2000 IP Configuration

    Host Name . . . . . . . . . . . . : server01
    Primary DNS Suffix . . . . . . . : mydomain.com
    Node Type . . . . . . . . . . . . : Broadcast

    IP Routing Enabled. . . . . . . . : No

    WINS Proxy Enabled. . . . . . . . : No

    DNS Suffix Search List. . . . . . : mydomain.com

    Ethernet adapter Intel 82544GC Based Network Connection - onboard:



    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel 82544GC-based XT Eval Gigabit
    Adapter
    Physical Address. . . . . . . . . : 00-06-5B-8F-99-78

    DHCP Enabled. . . . . . . . . . . : No

    IP Address. . . . . . . . . . . . : 192.168.18.20

    Subnet Mask . . . . . . . . . . . : 255.255.255.0

    Default Gateway . . . . . . . . . : 192.168.18.6

    DNS Servers . . . . . . . . . . . : 192.168.18.20
    192.168.18.21


    (18.21 is the other W2K domain controller, with same output)



    This is from the new W2K3 controller that doesn't run:

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : server08

    Primary Dns Suffix . . . . . . . : mydomain.com

    Node Type . . . . . . . . . . . . : Unknown

    IP Routing Enabled. . . . . . . . : No

    WINS Proxy Enabled. . . . . . . . : No

    DNS Suffix Search List. . . . . . : mydomain.com



    Ethernet adapter {2C970B77-5941-42EE-AC30-0BDD2475466F}:



    Connection-specific DNS Suffix . :

    Description . . . . . . . . . . . : Microsoft Loopback Adapter

    Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50

    DHCP Enabled. . . . . . . . . . . : Yes

    Autoconfiguration Enabled . . . . : Yes

    Autoconfiguration IP Address. . . : 169.254.25.129

    Subnet Mask . . . . . . . . . . . : 255.255.0.0

    Default Gateway . . . . . . . . . :



    Ethernet adapter {51D91C03-047A-4BFF-881A-88291CAA6518}:



    Connection-specific DNS Suffix . : mydomain.com

    Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet

    Physical Address. . . . . . . . . : 00-10-18-33-9A-E4

    DHCP Enabled. . . . . . . . . . . : Yes

    Autoconfiguration Enabled . . . . : Yes

    IP Address. . . . . . . . . . . . : 192.168.18.140

    Subnet Mask . . . . . . . . . . . : 255.255.255.0

    Default Gateway . . . . . . . . . : 192.168.18.6

    DHCP Server . . . . . . . . . . . : 192.168.18.20

    DNS Servers . . . . . . . . . . . : 192.168.18.20

    192.168.18.21

    Lease Obtained. . . . . . . . . . : lunedì 21 luglio 2008 9.28.20

    Lease Expires . . . . . . . . . . : martedì 29 luglio 2008 9.28.20



    Ethernet adapter {EC441192-2E5D-44DB-B2C6-F3405F52D5E6}:



    Connection-specific DNS Suffix . :

    Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE
    (NDIS VBD Client)

    Physical Address. . . . . . . . . : 00-1E-4F-3D-A1-CB

    DHCP Enabled. . . . . . . . . . . : Yes

    Autoconfiguration Enabled . . . . : Yes

    Autoconfiguration IP Address. . . : 169.254.73.29

    Subnet Mask . . . . . . . . . . . : 255.255.0.0

    Default Gateway . . . . . . . . . :



    Ethernet adapter {C68EEF3A-3405-4197-997D-7ACA3409BE38}:



    Connection-specific DNS Suffix . :

    Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE
    (NDIS VBD Client) #2

    Physical Address. . . . . . . . . : 00-1E-4F-3D-A1-CD

    DHCP Enabled. . . . . . . . . . . : Yes

    Autoconfiguration Enabled . . . . : Yes

    Autoconfiguration IP Address. . . : 169.254.113.88

    Subnet Mask . . . . . . . . . . . : 255.255.0.0

    Default Gateway . . . . . . . . . :

    --------------------------------------------------------
    Domain Controller Diagnosis

    Performing initial setup:
    [server08] Directory Binding Error 1753:
    Win32 Error 1753
    This may limit some of the tests that can be performed.
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site-Name\SERVER08
    Starting test: Connectivity
    The host 7dca8c5b-84c8-4def-ae51-f1bf57dc0005._msdcs.com.mydomain
    could not be resolved to an
    IP address. Check the DNS server, DHCP, server name, etc
    Although the Guid DNS name

    (7dca8c5b-84c8-4def-ae51-f1bf57dc0005._msdcs.com.mydomain) couldn't

    be resolved, the server name (server08.mydomain.com) resolved to
    the

    IP address (192.168.18.140) and was pingable. Check that the IP

    address is registered correctly with the DNS server.
    ......................... SERVER08 failed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\SERVER08
    Skipping all tests, because server SERVER08 is
    not responding to directory service requests

    Running partition tests on : Schema
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom

    Running partition tests on : Configuration
    Starting test: CrossRefValidation
    ......................... Configuration passed test
    CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom

    Running partition tests on : it
    Starting test: CrossRefValidation
    ......................... it passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... it passed test CheckSDRefDom

    Running enterprise tests on : mydomain.com
    Starting test: Intersite
    ......................... mydomain.com passed test Intersite
    Starting test: FsmoCheck
    Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 2138
    A Global Catalog Server could not be located - All GC's are down.
    Warning: DcGetDcName(PDC_REQUIRED) call failed, error 2138
    A Primary Domain Controller could not be located.
    The server holding the PDC role is down.
    Warning: DcGetDcName(TIME_SERVER) call failed, error 2138
    A Time Server could not be located.
    The server holding the PDC role is down.
    Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
    2138
    A Good Time Server could not be located.
    Warning: DcGetDcName(KDC_REQUIRED) call failed, error 2138
    A KDC could not be located - All the KDCs are down.
    ......................... mydomain.com failed test FsmoCheck

    -----------------------------------------------------
    this is very long: I attach only the interesting part:

    Global results:


    Domain membership test . . . . . . : Passed


    NetBT transports test. . . . . . . : Failed
    List of NetBt transports currently configured:
    [FATAL] Unable to retrieve transport list from Redir.
    [NERR_WkstaNotStarted]


    Autonet address test . . . . . . . : Passed


    IP loopback ping test. . . . . . . : Passed


    Default gateway test . . . . . . . : Failed

    [FATAL] NO GATEWAYS ARE REACHABLE.
    You have no connectivity to other network segments.
    If you configured the IP protocol manually then
    you need to add at least one valid gateway.


    NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation
    Service', <03> 'Messenger Service', <20> 'WINS' names defined.


    Winsock test . . . . . . . . . . . : Passed


    DNS test . . . . . . . . . . . . . : Failed
    [WARNING] Cannot find a primary authoritative DNS server for the
    name
    'server08.mydomain.com.'. [ERROR_TIMEOUT]
    The name 'server08.mydomain.com.' may not be registered in DNS.
    [WARNING] Cannot find a primary authoritative DNS server for the
    name
    'server08.mydomain.com.'. [ERROR_TIMEOUT]
    The name 'server08.mydomain.com.' may not be registered in DNS.
    [WARNING] Cannot find a primary authoritative DNS server for the
    name
    'server08.mydomain.com.'. [ERROR_TIMEOUT]
    The name 'server08mydomain.com.' may not be registered in DNS.
    [WARNING] Cannot find a primary authoritative DNS server for the
    name
    'server08.mydomain.com.'. [ERROR_TIMEOUT]
    The name 'server08.mydomain.com.' may not be registered in DNS.
    [WARNING] The DNS entries for this DC cannot be verified right now on
    DNS server 192.168.18.20, ERROR_TIMEOUT.
    [WARNING] The DNS entries for this DC cannot be verified right now on
    DNS server 192.168.18.21, ERROR_TIMEOUT.
    [FATAL] No DNS servers have the DNS records for this DC registered.


    Redir and Browser test . . . . . . : Passed
    [FATAL] Workstation service is not running. [FFFFFFFF]


    DC discovery test. . . . . . . . . : Failed
    [FATAL] Cannot find DC in domain 'MYDOMAIN'. [NERR_NetNotStarted]


    DC list test . . . . . . . . . . . : Failed
    'MYDOMAIN': Cannot find DC to get DC list from [test skipped].


    Trust relationship test. . . . . . : Skipped


    Kerberos test. . . . . . . . . . . : Skipped
    'MYDOMAIN': Cannot find DC to get DC list from [test skipped].


    LDAP test. . . . . . . . . . . . . : Failed
    Cannot find DC to run LDAP tests on. The error occurred was: The
    workstation driver is not installed.


    [WARNING] Cannot find DC in domain MYDOMAIN. [NERR_NetNotStarted]


    Bindings test. . . . . . . . . . . : Passed


    WAN configuration test . . . . . . : Skipped
    No active remote access connections.


    Modem diagnostics test . . . . . . : Failed
    [FATAL] Cannot initialize TAPI. Failed with error(0x80000048).

    IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


    The command completed successfully

    ------------------------------------------------------
    repadmin /showrepl from

    repadmin running command /showrepl against server localhost


    Default-First-Site-Name\SERVER08

    DC Options: IS_GC

    Site Options: (none)

    DC object GUID: 7dca8c5b-84c8-4def-ae51-f1bf57dc0005

    DC invocationID: 4c4b35f2-9dc3-45e5-8694-a5c05734319a



    DsBindWithCred to localhost failed with status 1753 (0x6d9):

    Can't retrieve message string 1753 (0x6d9), error 1815.


    ---------------------------------------


    reports seem right, if we think that all core services are down :(



    thanks
     
    Trapulo, Jul 21, 2008
    #4
  5. Hello Trapulo,

    On the 2003 server, disable DHCP and give it a fixed IP address. Additionally, disable
    the unused NICs. Then reboot the server. After that, check in all DNS servers
    that the 2003 server, and also all other servers, is listed with the correct
    IP. Then ping one of the running DCs by IP address, computer name and
    FQDN (computername.mydomain.com).

    Best regards

    Meinolf Weber

     
    Meinolf Weber, Jul 21, 2008
    #5
  6. Trapulo

    Trapulo Guest


    Point 2 was what I tried in the last days, but it seems not to load the new policy,
    so it didn't work.
    However, point 3 solved it! I was able to start the core services and load the whole
    environment. Now gpupdate works, and I restored controller functionality
    without any other problem.

    thanks a lot!
     
    Trapulo, Jul 21, 2008
    #6
  7. Trapulo

    Trapulo Guest

    I solved with Morgan's suggestion.

    Thanks anyway!


     
    Trapulo, Jul 21, 2008
    #7
  8. Hello Trapulo,

    Thanks for the feedback.

    Best regards

    Meinolf Weber

     
    Meinolf Weber, Jul 21, 2008
    #8
  9. Trapulo

    Morgan che Guest

    Hi,

    Thanks for letting us know my suggestion works. I believe it will benefit
    others who may experience the similar problem. If you encounter any other
    issue, please be free to post here.

    Have a nice day.

    Sincerely
    Morgan Che
    Microsoft Online Support
    Microsoft Global Technical Support Center

    Get Secure! - www.microsoft.com/security
    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.


     
    Morgan che, Jul 22, 2008
    #9
  10. Who is Morgan and what was his "fix"? I don't see any posting in the
    thread from him. Were you talking about Meinolf?

    --

    Regards,
    Hank Arnold
    Microsoft MVP
    Windows Server - Directory Services
     
    Hank Arnold (MVP), Jul 22, 2008
    #10
  11. Hello Hank,

    Morgan has answered in another NG. This doesn't pop up here; I don't know
    why, because the poster used crossposting. But maybe Morgan did not.

    Best regards

    Meinolf Weber

     
    Meinolf Weber, Jul 22, 2008
    #11

  12. Cool......

    --

    Regards,
    Hank Arnold
    Microsoft MVP
    Windows Server - Directory Services
     
    Hank Arnold (MVP), Jul 22, 2008
    #12
  13. Trapulo

    Trapulo Guest

    yes: you can see it in microsoft.public.windows.server.migration


     
    Trapulo, Jul 22, 2008
    #13