Re: netlogon error

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 12/24/04


Date: Fri, 24 Dec 2004 15:38:40 -0600

In addition to Roger's fine advice, see the link below on how to reset the
computer account for a W2003 domain controller if you still have difficulty
after making any changes to DNS or such. Of course the other domain
controller [PDC FSMO] needs to be correctly configured for DNS, but if it
passed all netdiag and netdiag tests then it probably is. The second link
below explains how Active Directory DNS MUST be configured, noting that
having an ISP DNS server in the preferred DNS server list for TCP/IP
properties on any domain computer WILL cause problems within a domain. I
believe you mentioned that the router is your DHCP server, which I do not
recommend in an Active Directory domain. It is easy to configure DHCP on one
of your servers and then disable DHCP on your router while still using it as
the default gateway. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;325850
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23v0SqWf6EHA.1392@tk2msftngp13.phx.gbl...
> On the SBS first run
> netdiag /fix
> Verify that the zones supporting the AD are configured for
> secured dynamic updates allowed. For this, run the DNS
> mgmt UI and highlight each forward zone then rclick into
> its properties. They should be AD integrated and allowing
> secured dynamic updates.
>
> On the failing W2k3 check that
> - in tcp/ip settings the DNS server is the SBS machine
> - in System properties (rclick my computer, properties)
> the full computer name is correct, right domain
> at cmd prompt run
> net stop netlogon
> net start netlogon
> then rerun netdiag to see if it is clean.
>
> Once clean, you will want to install DNS on the
> second DC (if not already) and have it host the same
> AD integrated zones as are on the other DNS service.
>
> optional/advised:
> After you have DNS fault tolerance, you could/should
> configure each DC to point first to the other and then
> to itself for DNS services in the Tcp/Ip config.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Brown" <fbrown@mta-inc.com> wrote in message
> news:OKNECGf6EHA.1204@TK2MSFTNGP10.phx.gbl...
>> OK, I ran dcdiag and netdiag on the 2K3 machine errors abound ----
>> First: dcdiag > "Although the Guid name <string of stuff here> couldn't be
>> resolved, the server name (server02.domain.local) resolved to the IP address
>> (192.168.1.98) and was pingable. Check that the IP address is registered
>> correctly with the DNS Server."
>> The other tests in dcdiag passed
>> Then: netdiag:> Domain membership test: Failed "[WARNING] The system
>> volume has not been completely replicated to the local machine. This
>> machine is not working properly as a DC."
>> DC test: failed "[WARNING] The DNS entries for this DC are not registered
>> correctly on the DNS server '192.168.1.99'. Please wait for 30 minutes for
>> DNS server replication. [FATAL] No DNS servers have the DNS records for
>> this DC registered."
>> DC list test: Failed [WARNING] Cannot call DsBind to main.domain.local
>> (192.168.1.99). [SEC_E_WRONG_PRINCIPAL]
>> Trust Relationship test: Failed ....
>> Kerberos test: Failed........
>>
>> OK, HELP!! Where do I start??
>>
>> Brown
>>
>>
>> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> news:Oql3Ced6EHA.3124@TK2MSFTNGP11.phx.gbl...
>> > and netdiag and dcdiag have told you . . . ?
>> >
>> > --
>> > Roger
>> > "Brown" <fbrown@knology.net> wrote in message
>> > news:OEn0igV6EHA.2568@TK2MSFTNGP11.phx.gbl...
>> > > The SBS machine has 2 NICs but only one is active. The Win2K3 has one NIC.
>> > > DHCP is running on an external router.
>> > >
>> > > Brown
>> > >
>> > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> > > news:uZpd85T6EHA.2192@TK2MSFTNGP14.phx.gbl...
>> > > > For DC communications issues your first stop shop to
>> > > > get hints of what may be amiss is by running on each DC
>> > > > netdiag and dcdiag utilities (depending on versions, you
>> > > > may need to install the optional support tools from the CD).
>> > > >
>> > > > Which, if any, of these machines are multihomed (>1 nic)?
>> > > >
>> > > > --
>> > > > Roger Abell
>> > > >
>> > > > "Brown" <fbrown@mta-inc.com> wrote in message
>> > > > news:O5OJURP6EHA.4008@TK2MSFTNGP15.phx.gbl...
>> > > >> I tried that, but since it is a DC (backup) it will not allow this. Is
>> > > >> there any other way to get them to shake hands?
>> > > >> Brown
>> > > >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> > > >> news:%23deks%23L6EHA.3124@TK2MSFTNGP11.phx.gbl...
>> > > >> > did I actually forget to mention that you could try resetting
>> > > >> > the machine account (in AD Users and Comps) . . .
>> > > >> >
>> > > >> > --
>> > > >> > Roger Abell
>> > > >> >
>> > > >> > "Brown" <fbrown@mta-inc.com> wrote in message
>> > > >> > news:O2$c8m55EHA.2624@TK2MSFTNGP11.phx.gbl...
>> > > >> >> I am running SBS 2003 Pro (MAIN), with a Win2K3 Standard server
>> > > >> >> (SERVER02)
>> > > >> >> which is providing file server and AD Backup tasks.
>> > > >> >> I am getting an error message in the System Event Viewer, source
>> > > >> >> Netlogon:
>> > > >> >> "The session setup from the computer SERVER02 failed to authenticate.
>> > > >> >> The name(s) of the account(s) referenced in the security database is
>> > > >> >> SERVER02$.
>> > > >> >> The following error occurred: Access denied."
>> > > >> >>
>> > > >> >> What do I need to do to correct this?
>> > > >> >>
>> > > >> >> Brown
>> > > >> >>
>> > > >> >>
>> > > >> >
>> > > >> >
>> > > >>
>> > > >>
>> > > >
>> > > >
>> > >
>> > >
>> >
>> >
>>
>>
>
>
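
An added example, not part of Steve's or Roger's posts: a small Python check for the DNS point above, parsing `ipconfig /all` output and flagging any listed DNS server that is not one of the domain's own. The sample text is constructed, `203.0.113.53` is a documentation address standing in for an ISP resolver, and the `AD_DNS` set assumes the two DC addresses quoted in the thread.

```python
import ipaddress
import re

# Assumption: the domain's AD DNS servers are the two DC addresses in the thread.
AD_DNS = {"192.168.1.99", "192.168.1.98"}

# Constructed `ipconfig /all` excerpt, not output from the poster's machine.
# 203.0.113.53 is a documentation address standing in for an ISP resolver.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.98
   DNS Servers . . . . . . . . . . . : 192.168.1.99
                                       203.0.113.53
"""

FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")  # "   Label . . . : value"

def _ip(text):
    try:
        return str(ipaddress.ip_address(text.strip().split("%")[0]))
    except ValueError:
        return None

def dns_servers(text):
    """Map each adapter heading to the DNS servers listed under it."""
    found, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if not line.strip() or not line[0].isspace():
            if line.rstrip().endswith(":"):
                adapter = line.rstrip().rstrip(":")
            in_dns = False
            continue
        m = FIELD.match(line)
        value = _ip(line) if in_dns else None  # bare address = continuation line
        if value is None:
            in_dns = bool(m) and m.group(1) == "DNS Servers"
            value = _ip(m.group(2)) if in_dns else None
        if value:
            found.setdefault(adapter, []).append(value)
    return found

def audit(text, allowed=AD_DNS):
    """Return (adapter, address) pairs for DNS servers outside `allowed`."""
    return [(a, ip) for a, ips in dns_servers(text).items()
            for ip in ips if ip not in allowed]
```

On a live machine, pass the captured text of `ipconfig /all` to `audit()`; an empty list means every configured DNS server is in the allowed set.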


