Re: netlogon error

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 12/24/04


Date: Fri, 24 Dec 2004 13:20:52 -0700

On the SBS first run
netdiag /fix
Verify that the zones supporting the AD are configured for
secured dynamic updates allowed. For this, run the DNS
mgmt UI and highlight each forward zone then rclick into
its properties. They should be AD integrated and allowing
secured dynamic updates.

On the failing W2k3 check that
- in tcp/ip settings the DNS server is the SBS machine
- in System properties (rclick my computer, properties)
   the full computer name is correct, right domain
at cmd prompt run
net stop netlogon
net start netlogon
then rerun netdiag to see if it is clean.

Once clean, you will want to install DNS on the
second DC (if not already) and have it host the same
AD integrated zones as are on the other DNS service.

optional/advised:
After you have DNS fault tolerance, you could/should
configure each DC to point first to the other and then
to itself for DNS services in the Tcp/Ip config.

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Brown" <fbrown@mta-inc.com> wrote in message
news:OKNECGf6EHA.1204@TK2MSFTNGP10.phx.gbl...
> OK, I ran dcdiag and netdiag on the 2K3 machine errors abound ----
> First: dcdiag >  "Although the Guid name <string of stuff here> couldn't be
> resolved, the server name (server02.domain.local) resolved to the IP address
> (192.168.1.98) and was pingable.  Check that the IP address is registered
> correctly with the DNS Server."
> The other tests in dcdiag passed
> Then: netdiag:> Domain membership test: Failed "[WARNING] The system
> volume has not been completely replicated to the local machine.  This
> machine is not working properly as a DC."
> DC test: failed  "[WARNING] The DNS entries for this DC are not registered
> correctly on the DNS server '192.168.1.99'.  Please wait for 30 minutes for
> DNS server replication.  [FATAL] No DNS servers have the DNS records for
> this DC registered."
> DC list test: Failed [WARNING] Cannot call DsBind to main.domain.local
> (192.168.1.99).  [SEC_E_WRONG_PRINCIPAL]
> Trust Relationship test: Failed ....
> Kerberos test: Failed........
>
> OK, HELP!! Where do I start??
>
> Brown
>
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:Oql3Ced6EHA.3124@TK2MSFTNGP11.phx.gbl...
> > and netdiag and dcdiag have told you  . . .  ?
> >
> > -- 
> > Roger
> > "Brown" <fbrown@knology.net> wrote in message
> > news:OEn0igV6EHA.2568@TK2MSFTNGP11.phx.gbl...
> > > The SBS machine has 2 NICs but only one is active. The Win2K3 has one NIC.
> > > DHCP is running on an external router.
> > >
> > > Brown
> > >
> > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > news:uZpd85T6EHA.2192@TK2MSFTNGP14.phx.gbl...
> > > > For DC communications issues your first stop shop to
> > > > get hints of what may be amiss is by running on each DC
> > > > netdiag and dcdiag utilities (depending on versions, you
> > > > may need to install the optional support tools from the CD).
> > > >
> > > > Which, if any, of these machines are multihomed (>1 nic)?
> > > >
> > > > -- 
> > > > Roger Abell
> > > >
> > > > "Brown" <fbrown@mta-inc.com> wrote in message
> > > > news:O5OJURP6EHA.4008@TK2MSFTNGP15.phx.gbl...
> > > > >> I tried that, but since it is a DC (backup) it will not allow this. Is
> > > > >> there any other way to get them to shake hands?
> > > >> Brown
> > > >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > >> news:%23deks%23L6EHA.3124@TK2MSFTNGP11.phx.gbl...
> > > >> > did I actually forget to mention that you could try resetting
> > > >> > the machine account (in AD Users and Comps) . . .
> > > >> >
> > > >> > -- 
> > > >> > Roger Abell
> > > >> >
> > > >> > "Brown" <fbrown@mta-inc.com> wrote in message
> > > >> > news:O2$c8m55EHA.2624@TK2MSFTNGP11.phx.gbl...
> > > > >> >> I am running SBS 2003 Pro (MAIN), with a Win2K3 Standard server
> > > > >> >> (SERVER02) which is providing file server and AD Backup tasks.
> > > > >> >> I am getting an error message in the System Event Viewer, source
> > > > >> >> Netlogon:
> > > > >> >> "The session setup from the computer SERVER02 failed to authenticate.
> > > > >> >> The name(s) of the account(s) referenced in the security database is
> > > > >> >> SERVER02$. The following error occurred:  Access denied."
> > > >> >>
> > > >> >> What do I need to do to correct this?
> > > >> >>
> > > >> >> Brown
> > > >> >>
> > > >> >>
> > > >> >
> > > >> >
> > > >>
> > > >>
> > > >
> > > >
> > >
> > >
> >
> >
>
>
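
The checks described in the reply at the top of this message (AD-integrated zones with secured dynamic updates, the failing DC pointing at the SBS machine for DNS, and the DC's records being registered), as an added example that is not part of the original post. It assumes the DnsServer and DnsClient PowerShell modules (Windows Server 2012 or later); the host name, address and domain defaults are the ones shown in Brown's diagnostic output.

```powershell
# Added example, not from the original thread. Read-only audit of the checks
# described in the reply. Assumes the DnsServer module (DNS server or RSAT)
# and the DnsClient module, Windows Server 2012 or later.
param(
    [string]$DnsServer   = 'main.domain.local',  # SBS machine, from the thread
    [string]$ExpectedDns = '192.168.1.99',       # its address, from the thread
    [string]$Domain      = 'domain.local'
)

# 1. Forward zones should be AD-integrated and accept secure updates only.
function Get-ZoneUpdateAudit {
    param([string]$ComputerName)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { -not $_.IsReverseLookupZone -and -not $_.IsAutoCreated -and
                       $_.ZoneType -eq 'Primary' -and $_.ZoneName -ne 'TrustAnchors' } |
        Select-Object ZoneName, IsDsIntegrated, DynamicUpdate,
            @{ Name = 'Pass'; Expression = {
                $_.IsDsIntegrated -and $_.DynamicUpdate -eq 'Secure' } }
}

# 2. On the failing DC, every configured adapter should list the SBS DNS first.
function Get-DnsClientAudit {
    param([string]$Expected)
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Select-Object InterfaceAlias, ServerAddresses,
            @{ Name = 'Pass'; Expression = { $_.ServerAddresses[0] -eq $Expected } }
}

# 3. After Netlogon re-registers, this DC should appear in the DC locator SRV set.
function Test-DcSrvRegistered {
    param([string]$Domain, [string]$Server)
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $srv  = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    [bool]($srv | Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -eq $fqdn })
}

Get-ZoneUpdateAudit -ComputerName $DnsServer | Format-Table -AutoSize
Get-DnsClientAudit  -Expected $ExpectedDns  | Format-Table -AutoSize
"DC SRV record registered: $(Test-DcSrvRegistered -Domain $Domain -Server $ExpectedDns)"
```

Run the second and third checks on the failing W2k3 machine itself; a zone whose DynamicUpdate value is NonsecureAndSecure accepts unauthenticated registrations and shows Pass as False.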

