Cannot find domain controller

Discussion in 'Active Directory' started by Yakob, Nov 7, 2007.

  1. Yakob

    Yakob Guest

    I have an error message in the computer's Application log that when a user logs on to the
    computer, the domain controller is unavailable and group policy processing is
    aborted. However, I can ping the DC by IP and by name, so DNS is working. And
    later, when the user tries to open Outlook connected to Exchange, the user gets the error
    message "Outlook cannot start because connection to the server is
    unavailable", and there is a warning message in the System log about LSA
    errors. The server is SBS 2003, so it is the single domain controller on the
    network and also the Exchange server. I tried to run netdiag and some other Microsoft
    recommended tests and they all came out without errors.
    Any idea what it can be?
     
    Yakob, Nov 7, 2007
    #1

  2. Ace Fekay [MVP]
    We'll need more info to help such as:

    1. Unedited ipconfig /all
    2. Is a reverse zone created for your subnet?
    3. The name of the AD DNS domain name.
    4. Any other errors? Please post even if you feel they don't relate to this
    issue.

    Thanks,

    --
    Regards,
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    MVP Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    Infinite Diversities in Infinite Combinations

    Having difficulty reading or finding responses to your post?
    Try using Outlook Express or any other newsreader, configure a news
    account, and point it to news.microsoft.com. Anonymous access. It's
    easy and it's free:

    How to Configure OEx for Internet News
    http://support.microsoft.com/?id=171164

    "Life isn't like a box of chocolates or a bowl of cherries or
    peaches... Life is more like a jar of jalapenos. What you do today
    may burn your butt tomorrow." - Garfield
     
    Ace Fekay [MVP], Nov 7, 2007
    #2

  3. Yakob

    Yakob Guest

    Here we go:
    C:\Documents and Settings\gtg.PROGRESSIVE>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : ACER-2
    Primary Dns Suffix . . . . . . . : progressive.local
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : progressive.local

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
    Physical Address. . . . . . . . . : 00-14-85-4D-26-89
    Dhcp Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.1.25
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    DNS Servers . . . . . . . . . . . : 192.168.1.2
    192.168.0.2
    Primary WINS Server . . . . . . . : 192.168.0.2

    C:\Documents and Settings\gtg.PROGRESSIVE>
    Reverse DNS is created.
    AD DNS: progressive.local

    When trying to open Outlook, warnings in the System log: source LsaSrv, Event ID
    40960 and 40961, category SPNEGO (Negotiator), repeatedly; and source Kerberos,
    Event ID 10, category none, appears once.
    When the user logs on, in the Application log: source Userenv, event ID 1054.

    Hope we can find the answer.
     
    Yakob, Nov 7, 2007
    #3
  4. Hi Yakob,
    Can you also do an ipconfig for the DC? And run a DCdiag and check for
    errors.
    The Event logs indicate Kerberos issues which, as you already probably guessed,
    is because the client can't find a DC.

    Regards,

    Austin
     
    Austin Osuide, Nov 7, 2007
    #4
  5. Hello Yakob,

    You have configured a second DNS and a WINS server from a different network,
    192.168.0.2. Is it a typo in the posting, or why do you use them? How are they
    connected?

    Best regards

    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
    ** Please do NOT email, only reply to Newsgroups
    ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm
     
    Meinolf Weber, Nov 7, 2007
    #5
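    Meinolf's question above (a DNS and WINS server on a different network than the client) is the kind of thing a scripted check catches quickly. Below is an added example, not code from this thread or from any of its posters: a Python parser for the ipconfig /all output Yakob posted, reduced to a constructed sample, that flags DNS and WINS servers outside the client's own subnet.

```python
import ipaddress
import re

# Constructed sample: the ipconfig /all output posted earlier in this thread,
# trimmed to the lines the parser needs (the 2nd DNS server is a continuation line).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : ACER-2
   Primary Dns Suffix  . . . . . . . : progressive.local

Ethernet adapter Local Area Connection:

   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.25
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.2
                                       192.168.0.2
   Primary WINS Server . . . . . . . : 192.168.0.2
"""

# "Key . . . . : value" lines; the dots are padding, not part of the key.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z \-]*?)[ .]*:\s*(?P<val>.*)$")
# A bare address on its own line continues the previous multi-valued field.
IP_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_ipconfig(text):
    """Return {field: [values]}; multi-valued fields (DNS Servers) keep their order."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group("val"):
            last = m.group("key").strip()
            fields.setdefault(last, []).append(m.group("val").strip())
        elif last and IP_RE.match(line):
            fields[last].append(IP_RE.match(line).group(1))
    return fields


def off_subnet_servers(fields):
    """List (role, address) for DNS/WINS servers not on the client's own subnet.
    A resolver the client cannot reach, or one that does not host the AD zone,
    leaves the DC locator's SRV lookup unanswered whenever the primary times
    out, which is one way a client ends up "unable to find a domain controller"."""
    net = ipaddress.ip_network(
        f"{fields['IP Address'][0]}/{fields['Subnet Mask'][0]}", strict=False)
    return [(role, addr)
            for role in ("DNS Servers", "Primary WINS Server")
            for addr in fields.get(role, [])
            if ipaddress.ip_address(addr) not in net]
```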
  6. Ace Fekay [MVP]
    Thank you for posting the ipconfig /all. Same as Jorge is asking, are the
    192.168.0.2 servers on a different subnet? Are they different servers, or is
    this a typo?

    Also, you said the reverse zone is created. Can you post what exactly the
    name of the zone is, such as 192.168.0.x or 192.168.1.x?
    And is there a PTR entry for the domain controller in this zone? If not, are
    updates allowed on the reverse zone?

    Do the SRV records in DNS exist under the progressive.local zone? They are
    the folders preceded with an underscore such as _msdcs, _tcp, _udp, _sites.

    Thanks,
    Ace
     
    Ace Fekay [MVP], Nov 8, 2007
    #6
  7. Guys,
    PTR records have no effect on "name resolution".
    You do not need to setup or configure reverse lookup zones for forward
    lookups to work.

    Regards,

    Austin
     
    Austin Osuide, Nov 8, 2007
    #7
  8. Ace Fekay [MVP]
    Austin,

    We're not talking about Forward Lookups. We're talking about a reverse PTR
    record in the reverse zone. The SPN record for the domain controller is
    used by SPNEGO and is based on the PTR for the DC. If this is missing,
    you will get SPNEGO and LSASRV errors, respectively 40960's and 40961's.

    Back to the original poster, Yakob:
    You also mentioned EventID 10, Source=Kerberos. That is usually due to some
    sort of firewall blocking traffic, specifically UDP port 88 Kerberos
    traffic. Is the firewall turned on? Is there an AV software present that may
    be blocking traffic?

    Ace
     
    Ace Fekay [MVP], Nov 9, 2007
    #8
  9. Hi Ace,
    For my edification and that of others, can you explain what you mean by:
    "The SPN record for the domain controller is used by SPNEGO and is
    based on the PTR for the DC"?
    Any pointer to where SPNEGO is dependent on PTR records?
    SPNEGO is, AFAIK, a (usually HTTP) Client/Server AUTHENTICATION NEGOTIATION
    Mechanism (i.e. what do you talk? NTLM or Kerberos).
    Even this KB says nothing of PTR records:
    http://support.microsoft.com/kb/824217


    Regards,


    Austin
     
    Austin Osuide, Nov 9, 2007
    #9
  10. Ace Fekay [MVP]
    It's all about Kerberos. That article does not have enough info in it to
    help you, nor does http://support.microsoft.com/kb/823712. If you search
    back in these groups for 40960, 40961, SPNEGO, and/or LsaSrv you will find
    posts that discuss it and the fix, being that to fix an SPNEGO error, it
    needs a reverse zone with a PTR for the DC. Kerberos is purely DNS based.
    Kerberos uses the FQDN to identify itself as well as to confirm with the
    PTR, hence it's "ego." NTLM is not a factor here since Kerberos is what's
    being used. Also HTTP has nothing to do with AD authentication. I understand
    there are other uses for the SPN, but Kerberos is the key thing with this
    issue.

    See if this helps you out:
    http://eventid.net/display.asp?eventid=40961&eventno=1398&source=LsaSrv&phase=1

    I hope that helps.

    Ace
     
    Ace Fekay [MVP], Nov 9, 2007
    #10
  11. ACE!!
    An anonymous entry in eventid.net??
    C'mon!!!
    The original DNS RFCs do not even mention reverse lookup zones!
    Kerberos uses DNS to resolve host names to IP, yes. But that is a forward
    lookup activity.
    Nowhere in the Kerberos protocol does it mention reverse lookups!
    Also, the registration of SPNs or the receipt of a Ticket by a client for a
    service registered on a DC does not require reverse lookups set.
    Try it out and see for yourself.
    If you look at the KB article for configuring DNS, you'll see Reverse zones
    are optional! See:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;300202

    If you can find a bona fide reference, we'll have a place to start from.


    Regards,


    Austin
     
    Austin Osuide, Nov 10, 2007
    #11
  12. Also Ace,
    What do you refer to when you say:
    "Kerberos uses the FQDN to identify itself as well as to confirm with the
    PTR, hence it's "ego." "?

    Can't be SPNEGO 'cause that stands for Simple and Protected GSSAPI
    Negotiation Mechanism.

    Regards,

    Austin
     
    Austin Osuide, Nov 10, 2007
    #12
  13. Ace Fekay [MVP]
    AFA the SPNEGO RFC, it doesn't mention it, I do not have the specifics of
    how it works, however I know what will fix it, that is requiring a PTR. A
    few comments I have found in the past all point to Kerberos and SPNEGO
    requiring a matching PTR for the FQDN, pretty much what the article and
    comments at eventid.net imply.

    This link illustrates what I mentioned above with additional links supplied
    you can research concerning Kerberos, SPNEGO and matching FQDN PTR
    requirements.
    http://tp.its.yale.edu/pipermail/cas-dev/2006-March/001181.html

    Another implying a requirement for a matching PTR to the FQDN:
    http://grolmsnet.de/kerbtut/

    Implementing SPNEGO TAI single sign-on for WebSphere applications with z/OS
    and Windows Kerberos trusted realms:
    http://www.ibm.com/developerworks/websphere/techjournal/0707_rogers/0707_rogers.html

    How a Service Composes its SPNs
    http://msdn2.microsoft.com/en-us/library/ms676921.aspx

    If you are arguing the fix, I can't help you with that. I would suggest to
    you can take that argument up with the folks who posted to eventid.net the
    fix and their comments, which I may add that I've found it works, as well as
    the articles mentioned above.

    Curious, did you find the comments and fixes mentioned in the eventid.net
    article helpful?

    And yes, I know SPNEGO stands for Simple and Protected Generic Security
    Service Application Program Interface (GSS-API) Negotiation Mechanism. As
    far as the SPNEGO and Kerberos, Kerberos is looking for the PTR, and if it
    does not exist, you will get those errors. It may have something to do with
    the uniqueness requirements in the forest, but I don't have anything else to
    offer beyond that, which I apologize.

    The SPNEGO "ego" was more of a joke, nothing else.

    Cheers!

    Ace
     
    Ace Fekay [MVP], Nov 14, 2007
    #13
  14. Hi Ace,
    Sorry about the delay in getting back.
    I think it might be best to respond inline:

    My point exactly! I know how it works, or have a very good idea, and PTR
    records are not involved or required.
    If you read the text in the link, an FQDN is used. How this FQDN is derived
    is a different issue and really has nothing to do with acquiring a ticket for
    the service in question.
    Same point as above.
    Done tons of keytab files for WebSphere servers running on *nix boxes.
    Again, PTR not an issue. Trust me.

    No mention of PTR records there. Not even implied!

    Arguing the fix? There has to be some rationale behind a fix. None of this
    is magic. At least not supposed to be. So if it is a fix, there has to be a
    reasonable explanation. This is what I seek and that's how we all learn.

    Eventid.net can sometimes be misleading (sometimes).
    Your impression of how this works is all wrong. The text is available on the
    web.
    ROFL!!! :)
    Regards,

    Austin
     
    Austin Osuide, Nov 15, 2007
    #14
  15. Ace Fekay [MVP]
    Your points are valid, and I am not discounting your experience in it, which
    you apparently have more than myself, and I agree those links do not
    indicate anything concerning a PTR and an SPNEGO relationship. However back
    to my original point, albeit your claim that EventID.net can be misleading
    or not, how can you explain providing a PTR fixes the issue?

    Ace
     
    Ace Fekay [MVP], Nov 16, 2007
    #15
  16. That's My point Ace!
    I can't. And things I can't explain worry me.
    Also, based on my understanding of how these things work, I can't see where
    PTRs or Reverse Lookups come into it.
    I was hoping I'd missed something but I've checked as well. I think we
    should decide how to repro this issue and try to understand a bit more if
    and why setting PTR records should fix it.
    I'm willing to assist if given the details but from what I know now, I don't
    see how PTRs or Reverse Lookups come into play. Regarding Eventid, it's
    never been mentioned to me anywhere as an authoritative source of answers to
    an issue. Sometimes (read: most times) it does help but if you don't know
    your basics, it can be misleading as well. In the case in point, you'll see
    that there are several entries regarding the same issue and surely one
    entered by an anon source should be regarded with less confidence than one
    from a source you e.g. know from the MVP community (just an example mind).
    So, even though PTRs are mentioned there, it does not add any weight to our
    deliberation.

    Regards,

    Austin
     
    Austin Osuide, Nov 16, 2007
    #16
  17. Jorge Silva

    Jorge Silva Guest

    the explanation is in my post...
    :)

     
    Jorge Silva, Nov 16, 2007
    #17
  18. No Jorge,
    We left you ages ago.
    What you describe might be valid if you have misconfigured DNS so your
    clients try to reach Ext DNS servers.
    Your clients need not try to register PTR records. That's the point.
    Ace and I were discussing where PTR records come in in a Kerberos
    conversation where tickets for SPNs are requested.
    They do not and your Kerberos conv will succeed without Reverse DNS zones
    setup. Try it out.
    Apps may require Reverse zones for security (to check if the ip refers to a
    known name) but this is built into the app. Spam filters also use reverse
    lookups to verify ip adds and host names. Other than this, you don't really
    need them.

    Regards,

    Austin
     
    Austin Osuide, Nov 16, 2007
    #18
  19. Ace Fekay [MVP]
    Eventid.net has helped me numerous times in the past. Of course there are
    usually additional or repetitive responses for a particular EventID, but at
    least it's there, and Adrian Grigorof did the best he could to offer one of the
    only resources for Event IDs out there until recently, with Microsoft
    trying to improve searching EventIDs through Technet by offering the Events
    and Errors Message Center:
    http://www.microsoft.com/technet/support/ee/ee_advanced.aspx

    FYI, here is Microsoft's take on the following, but nowhere do they mention
    PTRs, which I know works.

    40960:
    http://www.microsoft.com/technet/support/ee/SearchResults.aspx?Type=1&ID=40960&Language=1033

    40961:
    http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows Operating System&ProdVer=5.2&EvtID=40961&EvtSrc=lsasrv&LCID=1033
    which points to:
    http://support.microsoft.com/kb/891559/en-us

    So I try to use both.

    Ace
     
    Ace Fekay [MVP], Nov 17, 2007
    #19
  20. Ace Fekay [MVP]
    Jorge,

    Good point, Jorge. This article also addresses it with pretty much what you
    mentioned:
    DNS request for prisoner.iana.org:
    http://support.microsoft.com/kb/259922

    But of course, the suggested "fix" is to create a reverse zone, as well as
    disable reverse registrations using the registry in 2000. But stopping
    reverse registrations is something I would NOT do.

    :)

    Ace
     
    Ace Fekay [MVP], Nov 17, 2007
    #20