DNS CORRUPT AND ALL SYSTEMS DOWN

Discussion in 'DNS Server' started by Tony, Jul 21, 2005.

  1. Tony

    Tony Guest

    We have two Windows 2003 servers, 1 2000 server, and approx 20 nodes. Every
    time we try to login we get the following error:

    'unable to log you in because of an account restriction'

    We are also seeing the following errors:

    1. Active directory was unable to establish a connection with the global
    catalog.
    2. Attempts to establish replication link(s) failures
    3. Every attempt to force a DNS replication resulted in 'RPC' errors.
    4. When we try to create new account we get the following:
    "Windows cannot verify that the following username is unique because the
    following error occurred while contacting the Global Catalog: THE SERVER IS
    NOT OPERATIONAL"

    The Global catalog is the main server and is online.

    5. Our two websites began demanding Username and Passwords but do not
    authenticate any account (including administrator) when accessing via http.

    We assigned another server as the global catalog and experienced problems.
    We removed the DNS Server off the Webserver to avoid any unnecessary
    conflicts.
    Finally we reassigned the Global Catalog to the main server and set the
    proper DNS settings. We are now able to replicate between all the servers.

    We still cannot create accounts and none of the existing accounts are allowed
    to log in as we still receive:

    'unable to log you in because of an account restriction'

    Thank you in advance for your help
     
    Tony, Jul 21, 2005
    #1

  2. Tony

    Todd J Heron Guest

    This error can occur because of a common DNS misconfiguration. We need more
    details on your setup. Can you please provide the following information:

    1) Domain name from Active Directory Users & Computers MMC
    2) List of all Forward Lookup Zones in the DNS MMC
    3) Output of ipconfig /all from the problem machine(s) (an unedited
    version - please do not make any changes)

    Check the Event Viewer logs for any pertinent errors and run first the
    support tools netdiag & dcdiag on your domain controllers to see if any
    problems exist such as DNS, network connectivity, and/or replication issues.
    Also make sure you are not using blank passwords.

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q303846
     
    Todd J Heron, Jul 21, 2005
    #2

  3. Tony

    Tony Guest

    The requested info is below. We deleted and created accounts and still
    receive the "unable to log you on due to an account restriction" error.


    level1:
    Name Type Status
    _msdcs.compuexec.com Active Directory-Integrated Primary Running
    compuexec.com Active Directory-Integrated Primary Running

    level2: _sdcs.compuexec.com
    Name Type Data dc domains pdc
    (same as parent folder) Start of Authority (SOA) [96],
    ceisvr.compuexec.com., hostmaster.
    (same as parent folder) WINS Lookup [192.168.50.5]
    (same as parent folder) Name Server (NS) ceisvr.compuexec.com.
    (same as parent folder) Name Server (NS) expedition.compuexec.com.
    1132ce66-2c5b-49c7-891a-128c8e813b90 Alias (CNAME) expedition.compuexec.com.
    4a1283d2-4afd-4083-94c0-79adb6426592 Alias (CNAME) orion.compuexec.com.
    f4f3e0bd-db9c-46fc-a762-18c37cdf9c28 Alias (CNAME) ceisvr.compuexec.com.

    \dc \sites \default first site\ tcp:
    Name Type Data
    _kerberos Service Location (SRV) [0][100][88] orion.compuexec.com.
    _kerberos Service Location (SRV) [0][100][88] ceisvr.compuexec.com.
    _kerberos Service Location (SRV) [0][100][88] expedition.compuexec.com.
    _ldap Service Location (SRV) [0][100][389] ceisvr.compuexec.com.
    _ldap Service Location (SRV) [0][100][389] expedition.compuexec.com.
    _ldap Service Location (SRV) [0][100][389] orion.compuexec.com.

    LEVEL2: COMPUEXEC.COM
    Name Type Data
    _msdcs
    _sites
    _tcp
    _udp
    DomainDnsZones
    ForestDnsZones
    TAPI3Directory
    (same as parent folder) Start of Authority (SOA) [1691],
    ceisvr.compuexec.com., hostmaster.
    (same as parent folder) WINS Lookup [192.168.50.5]
    (same as parent folder) Name Server (NS) ceisvr.compuexec.com.
    (same as parent folder) Name Server (NS) expedition.compuexec.com.
    (same as parent folder) Host (A) 192.168.50.5
    (same as parent folder) Host (A) 192.168.50.10
    (same as parent folder) Host (A) 192.168.50.11
    (same as parent folder) Host (A) 192.168.50.4
    (same as parent folder) Host (A) 192.168.50.6
    (same as parent folder) Host (A) 192.168.50.45
    appstation1 Host (A) 192.168.50.64
    ceisvr Host (A) 192.168.50.45
    ceisvr Host (A) 192.168.50.4
    ceisvr Host (A) 192.168.50.5
    counter Host (A) 192.168.50.9
    cubesta3 Host (A) 192.168.50.86
    customer-gfnfrm Host (A) 192.168.50.78
    expedition Host (A) 192.168.50.10
    expedition Host (A) 192.168.50.11
    orion Host (A) 192.168.50.6
    Sta3 Host (A) 192.168.50.71
    tonyp4 Host (A) 192.168.50.46
    UPShipping Host (A) 192.168.50.12

    COMPUEXEC.COM
    /TCP
    Name Type Data
    _kerberos Service Location (SRV) [0][100][88] ceisvr.compuexec.com.
    _kerberos Service Location (SRV) [0][100][88] expedition.compuexec.com.
    _kerberos Service Location (SRV) [0][100][88] orion.compuexec.com.
    _ldap Service Location (SRV) [0][100][389] orion.compuexec.com.
    _ldap Service Location (SRV) [0][100][389] expedition.compuexec.com.
    _ldap Service Location (SRV) [0][100][389] ceisvr.compuexec.com.

    /DOMAINDNSZONES
    Name Type Data _sites _tcp
    (same as parent folder) Host (A) 192.168.50.4
    (same as parent folder) Host (A) 192.168.50.10
    (same as parent folder) Host (A) 192.168.50.11
    (same as parent folder) Host (A) 192.168.50.5
    (same as parent folder) Host (A) 192.168.50.45

    /DOMAINDNSZONES /TCP
    Name Type Data
    _ldap Service Location (SRV) [0][100][389] expedition.compuexec.com.
    _ldap Service Location (SRV) [0][100][389] ceisvr.compuexec.com.


    /FORESTDNSZONES
    Name Type Data _sites _tcp
    (same as parent folder) Host (A) 192.168.50.4
    (same as parent folder) Host (A) 192.168.50.10
    (same as parent folder) Host (A) 192.168.50.11
    (same as parent folder) Host (A) 192.168.50.5
    (same as parent folder) Host (A) 192.168.50.45

    /FORESTDNSZONES /TCP
    Name Type Data
    _ldap Service Location (SRV) [0][100][389] expedition.compuexec.com.
    _ldap Service Location (SRV) [0][100][389] ceisvr.compuexec.com.


    CEISVR IPCONFIG /ALL


    Windows IP Configuration



    Host Name . . . . . . . . . . . . : ceisvr

    Primary Dns Suffix . . . . . . . : compuexec.com

    Node Type . . . . . . . . . . . . : Unknown

    IP Routing Enabled. . . . . . . . : Yes

    WINS Proxy Enabled. . . . . . . . : Yes

    DNS Suffix Search List. . . . . . : compuexec.com



    Ethernet adapter Local Area Connection:



    Connection-specific DNS Suffix . :

    Description . . . . . . . . . . . : Intel(R) PRO/100+ PCI Adapter

    Physical Address. . . . . . . . . : 00-A0-C9-E1-15-41

    DHCP Enabled. . . . . . . . . . . : No

    IP Address. . . . . . . . . . . . : 192.168.50.4

    Subnet Mask . . . . . . . . . . . : 255.255.255.0

    Default Gateway . . . . . . . . . : 192.168.50.1

    DNS Servers . . . . . . . . . . . : 192.168.50.5

    207.191.50.10

    207.191.1.10

    Primary WINS Server . . . . . . . : 192.168.50.5



    Ethernet adapter Local Area Connection 3:



    Connection-specific DNS Suffix . :

    Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet
    Adapter (10/100)

    Physical Address. . . . . . . . . : 00-B0-D0-D0-A5-43

    DHCP Enabled. . . . . . . . . . . : No

    IP Address. . . . . . . . . . . . : 192.168.50.45

    Subnet Mask . . . . . . . . . . . : 255.255.255.0

    Default Gateway . . . . . . . . . : 192.168.50.1

    DNS Servers . . . . . . . . . . . : 192.168.50.5

    207.191.50.10

    207.191.1.10

    Primary WINS Server . . . . . . . : 192.168.50.5



    Ethernet adapter Local Area Connection 2:



    Connection-specific DNS Suffix . :

    Description . . . . . . . . . . . : Intel(R) PRO/100 S Desktop Adapter

    Physical Address. . . . . . . . . : 00-02-B3-4A-A1-0E

    DHCP Enabled. . . . . . . . . . . : No

    IP Address. . . . . . . . . . . . : 192.168.50.5

    Subnet Mask . . . . . . . . . . . : 255.255.255.0

    Default Gateway . . . . . . . . . : 192.168.50.1

    DNS Servers . . . . . . . . . . . : 207.191.50.10

    207.191.1.10

    192.168.50.5

    EXPEDITION IPCONFIG /ALL


    Windows IP Configuration



    Host Name . . . . . . . . . . . . : expedition

    Primary Dns Suffix . . . . . . . : compuexec.com

    Node Type . . . . . . . . . . . . : Hybrid

    IP Routing Enabled. . . . . . . . : No

    WINS Proxy Enabled. . . . . . . . : No

    DNS Suffix Search List. . . . . . : compuexec.com



    Ethernet adapter Local Area Connection 2:



    Connection-specific DNS Suffix . :

    Description . . . . . . . . . . . : Compaq NC3120 Fast Ethernet NIC

    Physical Address. . . . . . . . . : 00-50-8B-63-73-43

    DHCP Enabled. . . . . . . . . . . : No

    IP Address. . . . . . . . . . . . : 192.168.50.11

    Subnet Mask . . . . . . . . . . . : 255.255.255.0

    Default Gateway . . . . . . . . . : 192.168.50.1

    DNS Servers . . . . . . . . . . . : 192.168.50.5

    Primary WINS Server . . . . . . . : 192.168.50.5



    Ethernet adapter Local Area Connection:



    Connection-specific DNS Suffix . :

    Description . . . . . . . . . . . : Intel(R) PRO/100+ Management Adapter

    Physical Address. . . . . . . . . : 00-D0-B7-3C-AE-BB

    DHCP Enabled. . . . . . . . . . . : No

    IP Address. . . . . . . . . . . . : 192.168.50.10

    Subnet Mask . . . . . . . . . . . : 255.255.255.0

    Default Gateway . . . . . . . . . : 192.168.50.1

    DNS Servers . . . . . . . . . . . : 192.168.50.5

    Primary WINS Server . . . . . . . : 192.168.50.5

    ORION IPCONFIG /ALL


    Windows 2000 IP Configuration



    Host Name . . . . . . . . . . . . : orion
    Primary DNS Suffix . . . . . . . : compuexec.com
    Node Type . . . . . . . . . . . . : Hybrid

    IP Routing Enabled. . . . . . . . : Yes

    WINS Proxy Enabled. . . . . . . . : No

    DNS Suffix Search List. . . . . . : compuexec.com

    Ethernet adapter Local Area Connection:



    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Realtek RTL8029(AS)-based PCI Ethernet
    Adapter
    Physical Address. . . . . . . . . : 00-4F-49-0C-DF-E1

    DHCP Enabled. . . . . . . . . . . : No

    IP Address. . . . . . . . . . . . : 192.168.50.6

    Subnet Mask . . . . . . . . . . . : 255.255.255.0

    Default Gateway . . . . . . . . . : 192.168.50.1

    DNS Servers . . . . . . . . . . . : 192.168.50.5
    Primary WINS Server . . . . . . . : 192.168.50.5

    EVENT VIEWER CEISVR:

    CEISVR
    DIRECTORY SERVICE EVENT VIEWER

    source ntds general
    Active Directory was unable to establish a connection with the global
    catalog.

    Additional Data
    Error value:
    1355 The specified domain either does not exist or could not be contacted.
    Internal ID:
    3200caf

    SOURCE NTDS KCC (NEW SERVER NAME: TRIHOUS Domain: apps.compuexec.com
    Directory partition:
    DC=apps,DC=compuexec,DC=com
    Source domain controller:
    CN=NTDS
    Settings,CN=TRIHOUS,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=compuexec,DC=com
    Source domain controller address:
    ce58af63-6853-47ee-8a2d-43dbe87628ad._msdcs.compuexec.com
    Intersite transport (if any):


    source ntds replication
    Additional Data
    Error value:
    8524 The DSA operation is unable to proceed because of a DNS lookup failure.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

    Promotion of this domain controller to a global catalog will be delayed for
    the following interval.

    Interval (minutes):
    30

    This delay is necessary so that the required directory partitions can be
    prepared before the global catalog is advertised. In the registry, you can
    specify the number of seconds that the directory system agent will wait
    before promoting the local domain controller to a global catalog. For more
    information about the Global Catalog Delay Advertisement registry value, see
    the Resource Kit Distributed Systems Guide.

    For more information, see Help and Support Center at


    FILE REPLICATION:
    The File Replication Service is having trouble enabling replication from
    EXPEDITION to CEISVR for e:\windows\sysvol\domain using the DNS name
    expedition.compuexec.com. FRS will keep retrying.
    Following are some of the reasons you would see this warning.

    [1] FRS can not correctly resolve the DNS name expedition.compuexec.com
    from this computer.
    [2] FRS is not running on expedition.compuexec.com.
    [3] The topology information in the Active Directory for this replica has
    not yet replicated to all the Domain Controllers.

    This event log message will appear once per connection, After the problem
    is fixed you will see another event log message indicating that the
    connection has been established.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.



    netdiag results:
    Computer Name: CEISVR
    DNS Host Name: ceisvr.compuexec.com
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 6 Model 8 Stepping 6, GenuineIntel
    List of installed hotfixes :


    Netcard queries test . . . . . . . : Passed
    [WARNING] The net card 'Intel(R) PRO/100+ PCI Adapter' may not be working.



    Per interface results:

    Adapter : Local Area Connection 3

    Netcard queries test . . . : Passed

    Host Name. . . . . . . . . : ceisvr
    IP Address . . . . . . . . : 192.168.50.45
    Subnet Mask. . . . . . . . : 255.255.255.0
    Default Gateway. . . . . . : 192.168.50.1
    Primary WINS Server. . . . : 192.168.50.5
    Dns Servers. . . . . . . . : 192.168.50.5
    207.191.50.10
    207.191.1.10


    AutoConfiguration results. . . . . . : Passed

    Default gateway test . . . : Passed

    NetBT name test. . . . . . : Passed
    [WARNING] At least one of the <00> 'WorkStation Service', <03>
    'Messenger Service', <20> 'WINS' names is missing.
    No remote names have been found.

    WINS service test. . . . . : Passed

    Ipx configration
    Network Number . . . . : 00000000
    Node . . . . . . . . . : 00b0d0d0a543
    Frame type . . . . . . : 802.2



    Adapter : Local Area Connection 2

    Netcard queries test . . . : Passed

    Host Name. . . . . . . . . : ceisvr
    IP Address . . . . . . . . : 192.168.50.5
    Subnet Mask. . . . . . . . : 255.255.255.0
    Default Gateway. . . . . . : 192.168.50.1
    Dns Servers. . . . . . . . : 207.191.50.10
    207.191.1.10
    192.168.50.5


    AutoConfiguration results. . . . . . : Passed

    Default gateway test . . . : Passed

    NetBT name test. . . . . . : Passed
    [WARNING] At least one of the <00> 'WorkStation Service', <03>
    'Messenger Service', <20> 'WINS' names is missing.

    WINS service test. . . . . : Skipped
    There are no WINS servers configured for this interface.

    Ipx configration
    Network Number . . . . : 00000000
    Node . . . . . . . . . : 0002b34aa10e
    Frame type . . . . . . : 802.2



    Adapter : Local Area Connection

    Netcard queries test . . . : Failed
    NetCard Status: DISCONNECTED
    Some tests will be skipped on this interface.

    Host Name. . . . . . . . . : ceisvr
    IP Address . . . . . . . . : 192.168.50.4
    Subnet Mask. . . . . . . . : 255.255.255.0
    Default Gateway. . . . . . : 192.168.50.1
    Primary WINS Server. . . . : 192.168.50.5
    Dns Servers. . . . . . . . : 192.168.50.5
    207.191.50.10
    207.191.1.10



    Ipx configration
    Network Number . . . . : 00000000
    Node . . . . . . . . . : 00a0c9e11541
    Frame type . . . . . . : 802.2



    Adapter : IPX Internal Interface

    Netcard queries test . . . : Passed

    Ipx configration
    Network Number . . . . : 00000000
    Node . . . . . . . . . : 000000000001
    Frame type . . . . . . : Ethernet II



    Adapter : IpxLoopbackAdapter

    Netcard queries test . . . : Passed

    Ipx configration
    Network Number . . . . : 1234cdef
    Node . . . . . . . . . : 000000000002
    Frame type . . . . . . : 802.2



    Adapter : NDISWANIPX

    Netcard queries test . . . : Passed

    Ipx configration
    Network Number . . . . : 00000000
    Node . . . . . . . . . : a48120524153
    Frame type . . . . . . : Ethernet II




    Global results:


    Domain membership test . . . . . . : Passed


    NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
    NetBT_Tcpip_{AC447D3F-8A05-42BC-AA37-921E416A61A7}
    NetBT_Tcpip_{6FEA4420-6069-448A-8B4F-737F343898FE}
    NetBT_Tcpip_{8877868D-F63D-4101-92A3-FD2570C222F8}
    3 NetBt transports currently configured.


    Autonet address test . . . . . . . : Passed


    IP loopback ping test. . . . . . . : Passed


    Default gateway test . . . . . . . : Passed


    NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation
    Service', <03> 'Messenger Service', <20> 'WINS' names defined.


    Winsock test . . . . . . . . . . . : Passed


    DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server
    '192.168.50.5' and other DCs also have some of the names registered.
    [WARNING] The DNS entries for this DC are not registered correctly on
    DNS server '207.191.50.10'. Please wait for 30 minutes for DNS server
    replication.
    [WARNING] The DNS entries for this DC are not registered correctly on
    DNS server '207.191.1.10'. Please wait for 30 minutes for DNS server
    replication.


    Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
    NetBT_Tcpip_{AC447D3F-8A05-42BC-AA37-921E416A61A7}
    NetBT_Tcpip_{6FEA4420-6069-448A-8B4F-737F343898FE}
    NetBT_Tcpip_{8877868D-F63D-4101-92A3-FD2570C222F8}
    The redir is bound to 3 NetBt transports.

    List of NetBt transports currently bound to the browser
    NetBT_Tcpip_{8877868D-F63D-4101-92A3-FD2570C222F8}
    NetBT_Tcpip_{AC447D3F-8A05-42BC-AA37-921E416A61A7}
    NetBT_Tcpip_{6FEA4420-6069-448A-8B4F-737F343898FE}
    The browser is bound to 3 NetBt transports.


    DC discovery test. . . . . . . . . : Passed


    DC list test . . . . . . . . . . . : Passed


    Trust relationship test. . . . . . : Skipped


    Kerberos test. . . . . . . . . . . : Passed


    LDAP test. . . . . . . . . . . . . : Passed


    Bindings test. . . . . . . . . . . : Passed


    WAN configuration test . . . . . . : Skipped
    No active remote access connections.


    Modem diagnostics test . . . . . . : Passed


    Netware configuration
    You are not logged in to your preferred server .
    Netware User Name. . . . . . . :
    Netware Server Name. . . . . . :
    Netware Tree Name. . . . . . . :
    Netware Workstation Context. . :

    IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


    The command completed successfully



    dcdiag results:

    Domain Controller Diagnosis

    Performing initial setup:
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site\CEISVR
    Starting test: Connectivity
    ......................... CEISVR passed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site\CEISVR
    Starting test: Replications
    ......................... CEISVR passed test Replications
    Starting test: NCSecDesc
    ......................... CEISVR passed test NCSecDesc
    Starting test: NetLogons
    ......................... CEISVR passed test NetLogons
    Starting test: Advertising
    Warning: CEISVR has not finished promoting to be a GC.
    Check the event log for domains that cannot be replicated.
    Warning: CEISVR is not advertising as a global catalog.
    Check that server finished GC promotion.
    Check the event log on server that enough source replicas for the
    GC are available.
    ......................... CEISVR failed test Advertising
    Starting test: KnowsOfRoleHolders
    ......................... CEISVR passed test KnowsOfRoleHolders
    Starting test: RidManager
    ......................... CEISVR passed test RidManager
    Starting test: MachineAccount
    ......................... CEISVR passed test MachineAccount
    Starting test: Services
    ......................... CEISVR passed test Services
    Starting test: ObjectsReplicated
    ......................... CEISVR passed test ObjectsReplicated
    Starting test: frssysvol
    ......................... CEISVR passed test frssysvol
    Starting test: frsevent
    ......................... CEISVR passed test frsevent
    Starting test: kccevent
    An Information Event occured. EventID: 0x40000617
    Time Generated: 07/22/2005 12:28:13
    Event String: The local domain controller has been selected to

    An Information Event occured. EventID: 0x40000617
    Time Generated: 07/22/2005 12:28:13
    Event String: The local domain controller has been selected to

    An Information Event occured. EventID: 0x4000062A
    Time Generated: 07/22/2005 12:28:13
    Event String: Promotion of the local domain controller to a

    An Information Event occured. EventID: 0x40000456
    Time Generated: 07/22/2005 12:28:13
    Event String: Promotion of this domain controller to a global

    An Error Event occured. EventID: 0xC0000466
    Time Generated: 07/22/2005 12:30:12
    Event String: Active Directory was unable to establish a

    ......................... CEISVR failed test kccevent
    Starting test: systemlog
    ......................... CEISVR passed test systemlog
    Starting test: VerifyReferences
    ......................... CEISVR passed test VerifyReferences

    Running partition tests on : TAPI3Directory
    Starting test: CrossRefValidation
    ......................... TAPI3Directory passed test
    CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... TAPI3Directory passed test CheckSDRefDom

    Running partition tests on : ForestDnsZones
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test
    CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom

    Running partition tests on : DomainDnsZones
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test
    CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom

    Running partition tests on : Schema
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom

    Running partition tests on : Configuration
    Starting test: CrossRefValidation
    ......................... Configuration passed test
    CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom

    Running partition tests on : compuexec
    Starting test: CrossRefValidation
    ......................... compuexec passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... compuexec passed test CheckSDRefDom

    Running enterprise tests on : compuexec.com
    Starting test: Intersite
    ......................... compuexec.com passed test Intersite
    Starting test: FsmoCheck
    Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
    A Global Catalog Server could not be located - All GC's are down.
    ......................... compuexec.com failed test FsmoCheck
     
    Tony, Jul 22, 2005
    #3
  4. Tony

    Tony Guest

    btw, the CEISVR server is also the GC. I don't understand why we are
    receiving errors that it can not find the GC?

     
    Tony, Jul 22, 2005
    #4
  5. In
    There are multiple issues involved here. Let's go over some basics. I posted
    something in the past, so I'll repost it for you so you'll fully understand
    what I am going to mention and the reason for the changes you'll need to do
    to fix it.

    /begin repost:
    _____________________________
    Just a little background: AD uses DNS. DNS stores AD's resource and service
    locations in the form of SRV records, hence how everything that is part of
    the domain will find resources in the domain. If the ISP's DNS is configured
    in any of the internal AD member machines' IP properties, (including all
    client machines and DCs), the machines will be asking the ISP's DNS "where
    is the domain controller for my domain?", whenever it needs to perform a
    function, (such as a logon request, replication request, querying and
    applying GPOs, etc). Unfortunately, the ISP's DNS does not have that info
    and they reply with an "I dunno know", and things just fail.

    So you cannot use your ISP's DNS addresses anymore in your client or any
    other machines. You cannot use your router as a DNS or DHCP server either.
    If you are using your NT4 as a DNS server, that all needs to be changed over
    to Win2003 DNS. Same with DHCP. NT4 DNS cannot support AD's SRV requirements
    and dynamic updates.

    If your current scenario is using your NT4 DNS, your ISP's DNS or your
    router's DNS, it is strongly suggested and recommended to only use the
    internal DNS servers on the network that is hosting the AD zone name. This
    applies to all machines, (DCs and clients). Believe me, Internet resolution
    will still work with the use of the Root hints (as long as the root zone
    doesn't exist).

    However, for more efficient Internet resolution, it's HIGHLY recommended to
    configure a forwarder. If the forwarding option is grayed out, delete the
    Root zone (looks like a period). If not sure how to perform these two tasks,
    please follow one of the two articles listed below, depending on your
    operating system. They show a step by step on how to perform these tasks:

    323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003 :
    http://support.microsoft.com/?id=323380
    __________________________________
    /end repost

    So you see, you MUST ALWAYS ONLY use the internal DNS server that is hosting
    your AD zone. I see in the CEISVR ipconfig, there are external servers
    entered:
    207.191.50.10
    207.191.1.10

    (1) For starters, these are your ISP's DNS servers. They can't be used.
    Please remove any reference to these servers on all NICs. ONLY show
    192.168.50.5. If I understand your infrastructure, Ceisvr, Expedition and
    Orion are your DCs. You can use these in your config since they reference
    your AD zone and your AD's service locations. If your server is trying to
    register into your ISP's DNS server, they will be blocking the attempt for
    two reasons, they don't have your zone on their machine, and if they did,
    they won't allow dynamic updates unless you signed some sort of an agreement
    with them to host your AD zone data.

    (2) It is Highly NOT RECOMMENDED to multihome a DC/DNS server, especially
    with 3 NICs because of the service location records AD registers into DNS. So
    this complicates matters. There are now multiple entries in DNS and
    depending on what subnet they are on, can cause issues. But these are all on
    the same subnet, which can cause issues with Windows itself. This wouldn't
    matter if the NICs are Teamed.

    Why are there 3 NICs in it?
    Is NIC Teaming enabled?
    Is this a webserver too?
    If not, I would suggest to actually remove the extra two NICs unless you
    want to make multiple registry changes to *force* this server to work. If
    this server is hosting a website, I would highly suggest to let a member
    server to handle that.

    So to fix it?
    1. Remove the extra NICs
    2. Remove the external DNS addresses
    3. Configure a forwarder.
    4. If this is a webserver, move that stuff to a member server

    Unless you want to start digging into the registry. I can provide a complete
    how-to, but I think once you've seen it, you probably wouldn't want to
    alter a DC's default behavior. Let a DC be a DC and nothing else. Leave
    other applications and services to run on member servers. Believe me, you'll
    sleep better and it won't cut into your drinking time.

    Hope that explains what is going on and what to do to fix it.

    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services
    Infinite Diversities in Infinite Combinations.
    =================================
     
    Ace Fekay [MVP], Jul 23, 2005
    #5
  6. Tony

    Todd J Heron Guest

    It is trying to become a GC, but can't because of the TCP/IP problem you are
    generating with multiple LAN interfaces in the same subnet and it's using
    external DNS servers.


    1) Why is CEISVR multi-homed with three LAN interfaces? Never multi-home
    DCs unless it is an SBS (Small Business Server) connected to the Internet
    and you need RRAS (or ISA) running on it. The 192.168.50.45 and
    192.168.50.4 interfaces on it appear to be redundant (they are in the same
    subnet - a major no-no). Disable the interfaces 192.168.50.45, 192.168.50.4
    and only use 192.168.50.5 (Ethernet adapter Local Area Connection 2).

    2) Now that you are down to just using the Ethernet adapter Local Area
    Connection 2 on CEISVR (the 192.168.50.5 interface), this entry is
    incorrect:

    DNS Servers . . . . . . . . . . . : 192.168.50.5 <----- OK

    207.191.50.10 <---- remove

    207.191.1.10 <---- remove

    Remove 207.191.50.10 and 207.191.1.10 then restart the server. It should
    then register itself as a GC in the Forest DNS zone.

    3) On EXPEDITION, disable the Ethernet adapter Local Area Connection 2
    (interface for 192.168.50.11) to use only the 192.168.50.10 interface, then
    restart that server.
     
    Todd J Heron, Jul 23, 2005
    #6
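
The two checks both replies above apply by eye (DNS servers other than the one hosting the AD zone, and several adapters on one subnet), as an added example that is not part of the original thread. It assumes 192.168.50.5 is the only AD DNS server, as the replies state; the function names are hypothetical, and both inputs are constructed (the first condensed from the CEISVR output posted earlier).

```python
"""Audit pasted `ipconfig /all` text from a domain controller."""
import ipaddress
import re
from collections import defaultdict

# Assumption: the only DNS server hosting the AD zone, per the replies above.
INTERNAL_DNS = {"192.168.50.5"}

# Constructed sample, condensed from the CEISVR output posted in the thread.
BEFORE = """\
Host Name . . . . . . . . . . . . : ceisvr
Ethernet adapter Local Area Connection:
IP Address. . . . . . . . . . . . : 192.168.50.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
DNS Servers . . . . . . . . . . . : 192.168.50.5
207.191.50.10
207.191.1.10
Ethernet adapter Local Area Connection 3:
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet
Adapter (10/100)
IP Address. . . . . . . . . . . . : 192.168.50.45
Subnet Mask . . . . . . . . . . . : 255.255.255.0
DNS Servers . . . . . . . . . . . : 192.168.50.5
207.191.50.10
207.191.1.10
Ethernet adapter Local Area Connection 2:
IP Address. . . . . . . . . . . . : 192.168.50.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
DNS Servers . . . . . . . . . . . : 207.191.50.10
207.191.1.10
192.168.50.5
"""

# Constructed sample: the same server after the advised changes.
AFTER = """\
Host Name . . . . . . . . . . . . : ceisvr
Ethernet adapter Local Area Connection 2:
IP Address. . . . . . . . . . . . : 192.168.50.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
DNS Servers . . . . . . . . . . . : 192.168.50.5
"""

ADAPTER_RE = re.compile(r"^(?:\w+ )?adapter (.+):$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_ipconfig(text):
    """Return one dict per adapter: name, ip, mask and ordered DNS list."""
    adapters, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # pasted output is often double-spaced
        header = ADAPTER_RE.match(line)
        if header:
            current = {"name": header.group(1), "ip": None, "mask": None, "dns": []}
            adapters.append(current)
            last_key = None
            continue
        if current is None:
            continue  # global section (host name, suffix)
        field = FIELD_RE.match(line)
        if field:
            last_key, value = field.group(1).lower(), field.group(2).strip()
            if last_key == "ip address":
                current["ip"] = value
            elif last_key == "subnet mask":
                current["mask"] = value
            elif last_key == "dns servers" and value:
                current["dns"].append(value)
        elif last_key == "dns servers" and _is_ip(line):
            # Additional DNS servers appear on their own lines with no label.
            current["dns"].append(line)
    return adapters


def external_dns(adapters, internal=INTERNAL_DNS):
    """Map adapter name to configured DNS servers that do not host the AD zone."""
    found = {}
    for a in adapters:
        outside = [d for d in a["dns"] if d not in internal]
        if outside:
            found[a["name"]] = outside
    return found


def shared_subnets(adapters):
    """Map subnet to adapter names when more than one adapter sits on it."""
    groups = defaultdict(list)
    for a in adapters:
        if a["ip"] and a["mask"]:
            net = ipaddress.ip_network(f"{a['ip']}/{a['mask']}", strict=False)
            groups[str(net)].append(a["name"])
    return {net: names for net, names in groups.items() if len(names) > 1}


def audit(text, internal=INTERNAL_DNS):
    adapters = parse_ipconfig(text)
    findings = []
    for name, servers in external_dns(adapters, internal).items():
        findings.append(f"{name}: non-AD DNS servers: {', '.join(servers)}")
    for net, names in shared_subnets(adapters).items():
        findings.append(f"{net}: {len(names)} adapters on one subnet: {', '.join(names)}")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text) or "no findings")
```
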
  7. In Todd J Heron <> stated, which I then commented
    Expedition is multihomed too? Boy, I missed that one! I must have been too
    involved with wondering why Ceisvr has 3 of them in it!

    Cheers!

    Ace
     
    Ace Fekay [MVP], Jul 23, 2005
    #7
  8. Tony

    Todd J Heron Guest

    By the time I got back to this thread, and finished reading all of his logs,
    my newsreader did not yet show your reply. All in all, ours were pretty
    close though. The information about Expedition is buried in the middle of
    his post. At least he gave us all the information, as some posters do not,
    or even worse, make edits which make troubleshooting needlessly lengthy.
     
    Todd J Heron, Jul 23, 2005
    #8
  9. In Todd J Heron <> stated, which I then commented
    Yes, it was good he gave us specific info. Some others are reluctant to post
    the info citing "security risks" or "security policy". But if they're using
    all private IPs behind a NAT and the AD name has nothing to do with anything
    identifiable on the Internet, then I don't see the problem.

    I hope our replies helped out Tony!

    Ace
     
    Ace Fekay [MVP], Jul 23, 2005
    #9
  10. Tony

    Tony Guest

    Thank you both for all your help. All of the tests pass and 'replicate now'
    connects with no problems. We can ping all servers by name and IP.
    Unfortunately we are still unable to create user accounts or authenticate
    into the network. We still receive the following error:

    "Active Directory was unable to establish a connection with the global
    catalog."

    Additional Data
    Error value:
    1355 The specified domain either does not exist or could not be contacted.
    Internal ID:
    3200caf

    User Action:
    Make sure a global catalog is available in the forest, and is reachable from
    this domain controller. You may use the nltest utility to diagnose this
    problem.

    For more information, see Help and Support Center at

    I've taken the following actions to no avail:

    1. physically removed the extra NICs from both CEISVR and Expedition
    2. manually checked every key in the 'active directory sites and services'
    mmc
    3. manually deleted any reference to 92.168.50.45; 50.4; & 50.11 that did
    not dynamically update.
    4. Performed Net diag:

    .......................................

    Computer Name: CEISVR
    DNS Host Name: ceisvr.compuexec.com
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 6 Model 8 Stepping 6, GenuineIntel
    List of installed hotfixes :


    Netcard queries test . . . . . . . : Passed



    Per interface results:

    Adapter : Local Area Connection 3

    Netcard queries test . . . : Passed

    Host Name. . . . . . . . . : ceisvr
    IP Address . . . . . . . . : 192.168.50.5
    Subnet Mask. . . . . . . . : 255.255.255.0
    Default Gateway. . . . . . : 192.168.50.1
    Primary WINS Server. . . . : 192.168.50.5
    Dns Servers. . . . . . . . : 192.168.50.5


    AutoConfiguration results. . . . . . : Passed

    Default gateway test . . . : Passed

    NetBT name test. . . . . . : Passed
    [WARNING] At least one of the <00> 'WorkStation Service', <03>
    'Messenger Service', <20> 'WINS' names is missing.

    WINS service test. . . . . : Passed


    Global results:


    Domain membership test . . . . . . : Passed


    NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
    NetBT_Tcpip_{AC447D3F-8A05-42BC-AA37-921E416A61A7}
    1 NetBt transport currently configured.


    Autonet address test . . . . . . . : Passed


    IP loopback ping test. . . . . . . : Passed


    Default gateway test . . . . . . . : Passed


    NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation
    Service', <03> 'Messenger Service', <20> 'WINS' names defined.


    Winsock test . . . . . . . . . . . : Passed


    DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server
    '192.168.50.5' and other DCs also have some of the names registered.


    Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
    NetBT_Tcpip_{AC447D3F-8A05-42BC-AA37-921E416A61A7}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
    NetBT_Tcpip_{AC447D3F-8A05-42BC-AA37-921E416A61A7}
    The browser is bound to 1 NetBt transport.


    DC discovery test. . . . . . . . . : Passed


    DC list test . . . . . . . . . . . : Passed


    Trust relationship test. . . . . . : Skipped


    Kerberos test. . . . . . . . . . . : Passed


    LDAP test. . . . . . . . . . . . . : Passed


    Bindings test. . . . . . . . . . . : Passed


    WAN configuration test . . . . . . : Skipped
    No active remote access connections.


    Modem diagnostics test . . . . . . : Passed

    IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


    The command completed successfully

    5. dcdiag:

    Domain Controller Diagnosis

    Performing initial setup:
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site\CEISVR
    Starting test: Connectivity
    ......................... CEISVR passed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site\CEISVR
    Starting test: Replications
    ......................... CEISVR passed test Replications
    Starting test: NCSecDesc
    ......................... CEISVR passed test NCSecDesc
    Starting test: NetLogons
    ......................... CEISVR passed test NetLogons
    Starting test: Advertising
    ......................... CEISVR passed test Advertising
    Starting test: KnowsOfRoleHolders
    ......................... CEISVR passed test KnowsOfRoleHolders
    Starting test: RidManager
    ......................... CEISVR passed test RidManager
    Starting test: MachineAccount
    ......................... CEISVR passed test MachineAccount
    Starting test: Services
    ......................... CEISVR passed test Services
    Starting test: ObjectsReplicated
    ......................... CEISVR passed test ObjectsReplicated
    Starting test: frssysvol
    ......................... CEISVR passed test frssysvol
    Starting test: frsevent
    ......................... CEISVR passed test frsevent
    Starting test: kccevent
    ......................... CEISVR passed test kccevent
    Starting test: systemlog
    An Error Event occured. EventID: 0x00000457
    Time Generated: 07/23/2005 14:09:46
    Event String: Driver Amyuni Document Converter 2.10 required

    An Error Event occured. EventID: 0x00000457
    Time Generated: 07/23/2005 14:09:47
    Event String: Driver hp photosmart 7600 series required for

    An Error Event occured. EventID: 0x00000457
    Time Generated: 07/23/2005 14:09:51
    Event String: Driver Amyuni Document Converter 2.10 required

    ......................... CEISVR failed test systemlog
    Starting test: VerifyReferences
    ......................... CEISVR passed test VerifyReferences

    Running partition tests on : TAPI3Directory
    Starting test: CrossRefValidation
    ......................... TAPI3Directory passed test
    CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... TAPI3Directory passed test CheckSDRefDom

    Running partition tests on : ForestDnsZones
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test
    CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom

    Running partition tests on : DomainDnsZones
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test
    CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom

    Running partition tests on : Schema
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom

    Running partition tests on : Configuration
    Starting test: CrossRefValidation
    ......................... Configuration passed test
    CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom

    Running partition tests on : compuexec
    Starting test: CrossRefValidation
    ......................... compuexec passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... compuexec passed test CheckSDRefDom

    Running enterprise tests on : compuexec.com
    Starting test: Intersite
    ......................... compuexec.com passed test Intersite
    Starting test: FsmoCheck
    Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
    A Global Catalog Server could not be located - All GC's are down.
    ......................... compuexec.com failed test FsmoCheck

    6. IPCONFIG /All
    CEISVR


    Windows IP Configuration



    Host Name . . . . . . . . . . . . : ceisvr

    Primary Dns Suffix . . . . . . . : compuexec.com

    Node Type . . . . . . . . . . . . : Unknown

    IP Routing Enabled. . . . . . . . : Yes

    WINS Proxy Enabled. . . . . . . . : Yes

    DNS Suffix Search List. . . . . . : compuexec.com



    Ethernet adapter Local Area Connection 3:



    Connection-specific DNS Suffix . :

    Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet
    Adapter (10/100)

    Physical Address. . . . . . . . . : 00-B0-D0-D0-A5-43

    DHCP Enabled. . . . . . . . . . . : No

    IP Address. . . . . . . . . . . . : 192.168.50.5

    Subnet Mask . . . . . . . . . . . : 255.255.255.0

    Default Gateway . . . . . . . . . : 192.168.50.1

    DNS Servers . . . . . . . . . . . : 192.168.50.5

    Primary WINS Server . . . . . . . : 192.168.50.5

    Expedition:


    Windows IP Configuration



    Host Name . . . . . . . . . . . . : expedition

    Primary Dns Suffix . . . . . . . : compuexec.com

    Node Type . . . . . . . . . . . . : Hybrid

    IP Routing Enabled. . . . . . . . : No

    WINS Proxy Enabled. . . . . . . . : No

    DNS Suffix Search List. . . . . . : compuexec.com



    Ethernet adapter Local Area Connection 2:



    Connection-specific DNS Suffix . :

    Description . . . . . . . . . . . : Compaq NC3120 Fast Ethernet NIC

    Physical Address. . . . . . . . . : 00-50-8B-63-73-43

    DHCP Enabled. . . . . . . . . . . : No

    IP Address. . . . . . . . . . . . : 192.168.50.10

    Subnet Mask . . . . . . . . . . . : 255.255.255.0

    Default Gateway . . . . . . . . . : 192.168.50.5

    DNS Servers . . . . . . . . . . . : 192.168.50.5

    Primary WINS Server . . . . . . . : 192.168.50.5




    Orion:


    Windows 2000 IP Configuration



    Host Name . . . . . . . . . . . . : orion
    Primary DNS Suffix . . . . . . . : compuexec.com
    Node Type . . . . . . . . . . . . : Hybrid

    IP Routing Enabled. . . . . . . . : Yes

    WINS Proxy Enabled. . . . . . . . : No

    DNS Suffix Search List. . . . . . : compuexec.com

    Ethernet adapter Local Area Connection:



    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Realtek RTL8029(AS)-based PCI Ethernet
    Adapter
    Physical Address. . . . . . . . . : 00-4F-49-0C-DF-E1

    DHCP Enabled. . . . . . . . . . . : No

    IP Address. . . . . . . . . . . . : 192.168.50.6

    Subnet Mask . . . . . . . . . . . : 255.255.255.0

    Default Gateway . . . . . . . . . : 192.168.50.1

    DNS Servers . . . . . . . . . . . : 192.168.50.5
    Primary WINS Server . . . . . . . : 192.168.50.5


    7. I manually replicated changes between the servers - no errors received

    8. Installed DNS on Expedition and made it the GC - still receiving the
    same error.

    9. performed Netdiag /fix

    10. performed dcdiag /fix

    11. performed nltest /dsgetdc:compuexec.com

    DC: \\ceisvr.compuexec.com
    Address: \\192.168.50.5
    Dom Guid: f3cc2835-daf3-445e-b8f6-3d85ccc02d24
    Dom Name: compuexec.com
    Forest Name: compuexec.com
    Dc Site Name: Default-First-Site
    Our Site Name: Default-First-Site
    Flags: PDC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN
    DNS_FOREST CLOSE_SITE
    The command completed successfully

    We're going on three days now without profile access and it is hurting. Any
    additional help will be greatly appreciated.
     
    Tony, Jul 23, 2005
    #10
  11. Tony

    Todd J Heron Guest

    Todd J Heron, Jul 24, 2005
    #11
  12. Tony

    Todd J Heron Guest

    Also, try running a netdiag /fix on all DCs.
     
    Todd J Heron, Jul 24, 2005
    #12
  13. In
    <snip>


    No GC? That's not good.

    Disable IP Routing on Orion and Ceisvr. If RRAS is installed, and not
    needed, disable it on both machines.

    Change the default gateway on Expedition to 192.168.50.1.

    Curious, run this command on all 3 machines and paste the results for us
    please:
    net start

    1. Then delete the netlogon.dns and netlogon.bak files from system32\config
    folder.
    2. Then run an ipconfig /registerdns on all three DCs.
    3. Then restart the netlogon service on all three DCs. You can do this at
    the command prompt:
    net stop netlogon
    net start netlogon
    4. Then run and paste the results for this command from your DNS server
    please:
    dnscmd /enumzones



    Thanks,
    Ace
     
    Ace Fekay [MVP], Jul 25, 2005
    #13
  14. Tony

    Tony Guest

    ceisvr net start:
    These Windows services are started:

    Application Layer Gateway Service
    Automatic Updates
    Certificate Services
    COM+ Event System
    Computer Browser
    Cryptographic Services
    DHCP Client
    DHCP Server
    Distributed File System
    Distributed Transaction Coordinator
    DNS Client
    DNS Server
    Error Reporting Service
    Event Log
    File Replication Service
    Help and Support
    HP Web Jetadmin
    Indexing Service
    Intersite Messaging
    IPSEC Services
    Kerberos Key Distribution Center
    License Logging
    Logical Disk Manager
    Microsoft Search
    MSSQL$ACT7
    Net Logon
    Network Connections
    Network DDE
    Network DDE DSDM
    Network Location Awareness (NLA)
    NT LM Security Support Provider
    Plug and Play
    Print Spooler
    Protected Storage
    Remote Access Connection Manager
    Remote Procedure Call (RPC)
    Remote Registry
    Routing and Remote Access
    Secondary Logon
    Security Accounts Manager
    Server
    Shell Hardware Detection
    SNMP Service
    System Event Notification
    Task Scheduler
    TCP/IP NetBIOS Helper
    Telephony
    Terminal Services
    Windows Internet Name Service (WINS)
    Windows Management Instrumentation
    Windows Time
    Wireless Configuration
    Workstation

    The command completed successfully.

    Expedition Net Start:
    These Windows services are started:

    Application Experience Lookup Service
    Application Management
    Automatic Updates
    COM+ Event System
    Cryptographic Services
    DCOM Server Process Launcher
    Distributed File System
    Distributed Transaction Coordinator
    DNS Client
    DNS Server
    Error Reporting Service
    Event Log
    FTP Publishing Service
    Help and Support
    HTTP SSL
    IIS Admin Service
    Indexing Service
    Intersite Messaging
    IPSEC Services
    Kerberos Key Distribution Center
    Logical Disk Manager
    Message Queuing
    Message Queuing Triggers
    Microsoft POP3 Service
    MySQL
    Net Logon
    Network Connections
    Network Location Awareness (NLA)
    NT LM Security Support Provider
    Plug and Play
    Print Spooler
    Protected Storage
    Remote Administration Service
    Remote Procedure Call (RPC)
    Remote Registry
    Remote Server Manager
    Secondary Logon
    Security Accounts Manager
    Server
    Shell Hardware Detection
    Simple Mail Transfer Protocol (SMTP)
    Simple TCP/IP Services
    SNMP Service
    System Event Notification
    Task Scheduler
    TCP/IP NetBIOS Helper
    Terminal Services
    Web Element Manager
    WebTool
    Windows Management Instrumentation
    Windows Time
    Wireless Configuration
    Workstation
    World Wide Web Publishing Service

    The command completed successfully.

    Orion Net Start:
    These Windows 2000 services are started:


    Alerter
    Automatic Updates
    ColdFusion MX Application Server
    ColdFusion MX ODBC Agent
    ColdFusion MX ODBC Server
    COM+ Event System
    Computer Browser
    DHCP Client
    DHCP Server
    Distributed File System
    Distributed Link Tracking Client
    Distributed Link Tracking Server
    Distributed Transaction Coordinator
    DNS Client
    DNS Server
    Event Log
    File Replication Service
    Indexing Service
    Internet Authentication Service
    Intersite Messaging
    Kerberos Key Distribution Center
    License Logging Service
    Logical Disk Manager
    Machine Debug Manager
    Message Queuing
    Microsoft Search
    MSSQL$ACT7
    MSSQLSERVER
    Net Logon
    Network Connections
    NT LM Security Support Provider
    NVIDIA Driver Helper Service
    Plug and Play
    Print Spooler
    Protected Storage
    Remote Access Connection Manager
    Remote Procedure Call (RPC)
    Remote Procedure Call (RPC) Locator
    Remote Registry Service
    Removable Storage
    Routing and Remote Access
    RunAs Service
    Security Accounts Manager
    Server
    Simple TCP/IP Services
    SNMP Service
    System Event Notification
    Task Scheduler
    TCP/IP NetBIOS Helper Service
    Telephony
    Terminal Services
    WebTool
    Windows Internet Name Service (WINS)
    Windows Management Instrumentation
    Windows Management Instrumentation Driver Extensions
    Windows Time
    Workstation

    The command completed successfully.

    dnscmd /enumzones results:
    ceisvr:
    Enumerated zone list:

    Zone count = 4

    Zone name Type Storage Properties

    . Cache AD-Legacy
    _msdcs.compuexec.com Primary AD-Forest Secure Aging
    50.168.192.in-addr.arpa Primary AD-Legacy Update Rev Aging
    compuexec.com Primary AD-Domain Secure Aging

    Command completed successfully.


    Orion:
    Enumerated zone list:

    Zone Count = 6.

    . 0 DS Up=0

    0.in-addr.arpa 1 file Rev Auto Up=0

    127.in-addr.arpa 1 file Rev Auto Up=0

    255.in-addr.arpa 1 file Rev Auto Up=0

    50.168.192.in-addr.arpa 1 DS Rev Up=1 Aging

    compuexec.com 2 file Up=0

    Command completed successfully.


    expedition:
    Enumerated zone list:

    Zone count = 4

    Zone name Type Storage Properties

    . Cache AD-Legacy
    _msdcs.compuexec.com Primary AD-Forest Secure Aging
    50.168.192.in-addr.arpa Primary AD-Legacy Update Rev Aging
    compuexec.com Primary AD-Domain Secure Aging

    Command completed successfully.

    Thanks again for your (and Todd's) continued support.

    At this point I am extremely frustrated. Is there an easy way to just
    delete all of the DNS services and start over? Would we be able to recreate
    all the user accounts and thereby able to again access our local profiles at
    the desktop?
     
    Tony, Jul 25, 2005
    #14
  15. In
    The DHCP Client service on Expedition is not started. I understand that
    Expedition is not a DHCP client, but this service is actually a REQUIREMENT
    for dynamic registration. Please turn it on.

    Going thru the other services running, they seem fine. I am wondering, in
    case I missed anything, did you disable any other services?

    Also, what worries me is Cold Fusion on Orion:
    The reason, if I understand ColdFusion, is ColdFusion is an X.500 Directory
    service (which is exactly what Active Directory is). If it is using its
    directory service, it also uses port 389. This can be a cause of confusion
    and conflict with a domain controller. Can you look into that please?

    The zones look good too. What I need to see is a list of the records under
    the _msdcs folder, specifically what exactly does it show for the _msdcs.gc
    records? They indicate what the GCs are for the forest.

    And yes, you can delete the records and start over. Easy:
    1. Delete the records in the zone (you don't have to delete the zone itself)
    2. Delete the netlogon.dns and netlogon.bak files in the system32\config
    folder on each DC
    3. Run ipconfig /registerdns on each DC
    4. Restart the netlogon service on each DC. You can do that in a CMD prompt:
    net stop netlogon
    net start netlogon
    5. Check the zone to see if the data for each DC gets registered correctly.

    Ace
     
    Ace Fekay [MVP], Jul 25, 2005
    #15
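Step 5 of the reply above ("check the zone to see if the data for each DC gets registered correctly"), narrowed to the global catalog records, as an added example that is not part of the original thread. A GC is located through four SRV records on port 3268 plus the `gc._msdcs.<forest>` A record; the function reports which of them are absent from zone-file-style text such as the contents of netlogon.dns. The forest, site, host and address are the thread's; both sample record sets are constructed.

```python
GC_PORT = 3268  # LDAP port of the global catalog

# Constructed netlogon.dns-style excerpts (owner TTL IN TYPE rdata). Names,
# site and address are taken from the thread; the record sets are assumptions.
DC_ONLY = """\
compuexec.com. 600 IN A 192.168.50.5
_ldap._tcp.compuexec.com. 600 IN SRV 0 100 389 ceisvr.compuexec.com.
_ldap._tcp.pdc._msdcs.compuexec.com. 600 IN SRV 0 100 389 ceisvr.compuexec.com.
_kerberos._tcp.compuexec.com. 600 IN SRV 0 100 88 ceisvr.compuexec.com.
"""
WITH_GC = DC_ONLY + """\
_ldap._tcp.gc._msdcs.compuexec.com. 600 IN SRV 0 100 3268 ceisvr.compuexec.com.
_ldap._tcp.Default-First-Site._sites.gc._msdcs.compuexec.com. 600 IN SRV 0 100 3268 ceisvr.compuexec.com.
_gc._tcp.compuexec.com. 600 IN SRV 0 100 3268 ceisvr.compuexec.com.
_gc._tcp.Default-First-Site._sites.compuexec.com. 600 IN SRV 0 100 3268 ceisvr.compuexec.com.
gc._msdcs.compuexec.com. 600 IN A 192.168.50.5
"""


def expected_gc_records(forest, site, dc_fqdn, dc_ip):
    """Records a DC registers once it advertises itself as a GC."""
    f, s = forest.lower().rstrip("."), site.lower()
    host = dc_fqdn.lower().rstrip(".")
    srv_names = [
        f"_ldap._tcp.gc._msdcs.{f}",
        f"_ldap._tcp.{s}._sites.gc._msdcs.{f}",
        f"_gc._tcp.{f}",
        f"_gc._tcp.{s}._sites.{f}",
    ]
    want = {(name, "SRV", f"{GC_PORT} {host}") for name in srv_names}
    want.add((f"gc._msdcs.{f}", "A", dc_ip))
    return want


def parse_records(text):
    """Parse 'owner TTL IN TYPE rdata' lines; keep only A and SRV records."""
    got = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue  # blank line, comment or unsupported layout
        name, rtype = parts[0].lower().rstrip("."), parts[3].upper()
        if rtype == "SRV" and len(parts) == 8:
            # rdata is: priority weight port target; priority and weight
            # are tuning values, so only port and target are compared
            target = parts[7].lower().rstrip(".")
            got.add((name, "SRV", f"{int(parts[6])} {target}"))
        elif rtype == "A":
            got.add((name, "A", parts[4]))
    return got


def missing_gc_records(text, forest, site, dc_fqdn, dc_ip):
    """Return the expected GC records that do not appear in `text`."""
    want = expected_gc_records(forest, site, dc_fqdn, dc_ip)
    return sorted(want - parse_records(text))


if __name__ == "__main__":
    args = ("compuexec.com", "Default-First-Site",
            "ceisvr.compuexec.com", "192.168.50.5")
    for label, text in (("DC_ONLY", DC_ONLY), ("WITH_GC", WITH_GC)):
        print(label, missing_gc_records(text, *args))
```

An empty result means every GC locator record for that DC is present; any entry returned is a record clients and other DCs cannot use to find the global catalog.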
  16. Tony

    Tony Guest

    Ace, ColdFusion was loaded years ago and since removed but the services
    stayed for some reason. I have disabled (and stopped) all three of the
    services.

    My apology but I deleted the zone prior to capturing the _msdcs information.
    However it was posted earlier in this thread (my second post from the top).

    I followed the steps below but the problem still persists.
    Users are still unable to log in under their profiles, web sites are still
    down (up but require administrator credentials to access, because of the
    authentication problems), and I'm not making any progress. Please tell me
    there is a way to wipe the DNS completely clean and start all over. Even if
    we need to remove AD from the other servers. Here is our set up:

    CEISVR: the main DC, also experiencing problems with reboots since we loaded
    SP1. Houses a lot of internal data.

    Orion: Serves as an application server only. Houses the Microsoft Retail
    Management Server POS application.

    Expedition: New Webserver. Houses internal internet sites.

    Another server is planned to control Internet Access Users, and Computer
    rental stations.

    Regardless of the amount of additional work it may cause I really need to get
    the users logged in so that they can complete their work.

    Sincerely,
    'in a desperate state'
    Tony
     
    Tony, Jul 25, 2005
    #16
  17. In
    Hi Tony,

    I didn't see the _msdcs.gc reference in your second post. I saw other data,
    but not that specific data. When you ran those steps, did the GCs get
    populated under the _msdcs.gc section?

    Did you also start the DHCP Client service on Expedition?

    Is the Windows Firewall enabled on the DCs? This is a cause of major
    concerns and should be disabled on all Windows 2003 DCs.

    Do you have remote TS or RDP connectivity to your machines? Maybe I can
    remote in and take a peek?

    Ace
     
    Ace Fekay [MVP], Jul 25, 2005
    #17
  18. Tony

    Tony Guest

    Ace, you are correct, I looked for the _msdcs but not the msdcs.gc entry and
    it does not exist. This very well could be the problem. Should this be a
    Host A record?
    I did start the DHCP Client on Expedition and the windows firewall is not
    enabled.
    Please send the type of entry the _msdcs.gc should be. We do have RDC
    installed and I can be reached at 866-488-8810 (toll free) if need be.

    Thanks again.
     
    Tony, Jul 25, 2005
    #18
  19. Tony

    Tony Guest

    I tried to add the _msdcs.gc entry (Host A) and received the following error:

    warning: The associated pointer (PTR) record cannot be created, probable
    because the referenced reverse lookup zone cannot be found.
     
    Tony, Jul 25, 2005
    #19
  20. In Tony <> stated, which I then commented on
    below:

    Tony,

    After remoting in and fixing it up, you should be good to go now. Please,
    don't mess with it! If you have any other concerns, post back.

    The wheels on the bus go round and round... got to get that song out of my
    head!

    Ace
     
    Ace Fekay [MVP], Jul 25, 2005
    #20