Re: netlogon error
From: Brown (fbrown_at_mta-inc.com)
Date: 01/06/05
- In reply to: Roger Abell: "Re: netlogon error"
- Next in thread: Roger Abell: "Re: netlogon error"
- Reply: Roger Abell: "Re: netlogon error"
Date: Thu, 6 Jan 2005 07:56:38 -0600
Here is the ipconfig:
Windows IP Configuration
Host Name . . . . . . . . . . . . : mta-server02
Primary Dns Suffix . . . . . . . : MTA-inc.local
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : MTA-inc.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : SiS 900-Based PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-0C-6E-AF-F9-6C
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.98
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.98
192.168.1.99
Brown
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:#aebW678EHA.1188@tk2msftngp13.phx.gbl...
> It is not unusual for a DC to fail to authenticate when it
> has not yet completed becoming a DC.
> The requested output from
> ipconfig /all
> when run on the failing machine would help greatly in
> understanding from the previously provided netdiag output
> if there is a simple route to get the initial replication to
> complete so that the machine can complete its promotion.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Brown" <fbrown@mta-inc.com> wrote in message
> news:uY35RQz8EHA.2540@TK2MSFTNGP09.phx.gbl...
> > In the Event Log I get the following message:
> >
> > Event Type: Warning
> >
> > Event Source: LSASRV
> >
> > Event Category: SPNEGO (Negotiator)
> >
> > Event ID: 40960
> >
> > Date: 1/5/2005
> >
> > Time: 7:18:18 AM
> >
> > User: N/A
> >
> > Computer: MTA-SERVER02
> >
> > Description:
> >
> > The Security System detected an authentication error for the server
> > cifs/mta-main.MTA-inc.local. The failure code from authentication protocol
> > Kerberos was "The attempted logon is invalid. This is either due to a bad
> > username or authentication information.
> >
> > (0xc000006d)".
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> >
> > Data:
> >
> > 0000: 6d 00 00 c0 m..À
> >
> > ----------------
> > Brown
> >
> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:Ot5o7Av8EHA.4004@tk2msftngp13.phx.gbl...
> > > '192.168.1.99' is IP of the SBS ?
> > > Can you clarify for me a little just what you meant by
> > > > It appears that the name for the Win2K3 on the SBS2K3 server is not in sync
> > > > with the name on the Win2k3 server, but I cannot locate an occurrence where
> > > > it is different.
> > > Names as seen where ?
> > > Can you post output from running, on the failing W2k3 (nonSBS)
> > > ipconfig /all
> > >
> > > --
> > > Roger Abell
> > > Microsoft MVP (Windows Security)
> > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > "Brown" <fbrown@mta-inc.com> wrote in message
> > > news:%23acMnep8EHA.2156@TK2MSFTNGP10.phx.gbl...
> > > > OK, I'm back - I have gone through the suggestions and am still at a loss.
> > > > Netdiag still shows problems on the Win2K3 server:
> > > >
> > > > Domain membership test . . . . . . : Failed
> > > > [WARNING] Ths system volume has not been completely replicated to the local
> > > > machine. This machine is not working properly as a DC.
> > > > ------
> > > > DNS test . . . . . . . . . . . . . : Failed
> > > > [FATAL] Failed to fix: DC DNS entry MTA-inc.local. re-registeration on DNS
> > > > server '192.168.1.99' failed.
> > > >
> > > > DNS Error code: 0x00002339
> > > >
> > > > [FATAL] Failed to fix: DC DNS entry _ldap._tcp.MTA-inc.local.
> > > > re-registeration on DNS server '192.168.1.99' failed.
> > > >
> > > > DNS Error code: 0x00002339
> > > >
> > > > [FATAL] Failed to fix: DC DNS entry
> > > > _ldap._tcp.Default-First-Site-Name._sites.MTA-inc.local. re-registeration on
> > > > DNS server '192.168.1.99' failed.
> > > >
> > > > DNS Error code: 0x00002339
> > > >
> > > > [FATAL] Failed to fix: DC DNS entry
> > > > _ldap._tcp.206600de-fb91-4786-8e91-7db1704af5a3.domains._msdcs.MTA-inc.local.
> > > > re-registeration on DNS server '192.168.1.99' failed.
> > > >
> > > > DNS Error code: 0x00002339
> > > >
> > > > [FATAL] Failed to fix: DC DNS entry
> > > > 67f85d0b-43cd-47df-948d-1a165f5851d7._msdcs.MTA-inc.local. re-registeration
> > > > on DNS server '192.168.1.99' failed.DNS Error code: 0x00002339
> > > >
> > > > [FATAL] Failed to fix: DC DNS entry
> > > > _kerberos._tcp.dc._msdcs.MTA-inc.local.re-registeration on DNS server
> > > > '192.168.1.99' failed.
> > > >
> > > > DNS Error code: 0x00002339
> > > >
> > > > [FATAL] Failed to fix: DC DNS entry
> > > > _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local.
> > > > re-registeration on DNS server '192.168.1.99' failed.
> > > >
> > > > DNS Error code: 0x00002339
> > > >
> > > > [FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.MTA-inc.local.
> > > > re-registeration on DNS server '192.168.1.99' failed.
> > > >
> > > > DNS Error code: 0x00002339
> > > >
> > > > [FATAL] Failed to fix: DC DNS entry
> > > > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local.
> > > > re-registeration on DNS server '192.168.1.99' failed.
> > > >
> > > > DNS Error code: 0x00002339
> > > >
> > > > [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.MTA-inc.local.
> > > > re-registeration on DNS server '192.168.1.99' failed.
> > > >
> > > > DNS Error code: 0x00002339
> > > >
> > > > [FATAL] Failed to fix: DC DNS entry
> > > > _kerberos._tcp.Default-First-Site-Name._sites.MTA-inc.local.
> > > > re-registeration on DNS server '192.168.1.99' failed.
> > > >
> > > > DNS Error code: 0x00002339
> > > >
> > > > [FATAL] Failed to fix: DC DNS entry _kerberos._udp.MTA-inc.local.
> > > > re-registeration on DNS server '192.168.1.99' failed.
> > > >
> > > > DNS Error code: 0x00002339
> > > >
> > > > [FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.MTA-inc.local.
> > > > re-registeration on DNS server '192.168.1.99' failed.
> > > >
> > > > DNS Error code: 0x00002339
> > > >
> > > > [FATAL] Failed to fix: DC DNS entry _kpasswd._udp.MTA-inc.local.
> > > > re-registeration on DNS server '192.168.1.99' failed.
> > > >
> > > > DNS Error code: 0x00002339
> > > >
> > > > [FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for
> > > > this DC on DNS server '192.168.1.99'.
> > > >
> > > > [FATAL] No DNS servers have the DNS records for this DC registered.
> > > >
> > > > ------
> > > > DC list test . . . . . . . . . . . : Failed
> > > > [WARNING] Cannot call DsBind to mta-main.MTA-inc.local (192.168.1.99).
> > > > [SEC_E_WRONG_PRINCIPAL]
> > > > -------
> > > > Trust relationship test. . . . . . : Failed
> > > > [WARNING] Don't have access to test your domain sid for domain 'MTA-INC'.
> > > > [Test skipped]
> > > > [FATAL] Secure channel to domain 'MTA-INC' is broken.
> > > > [ERROR_NO_TRUST_SAM_ACCOUNT]
> > > > -----
> > > > Kerberos test. . . . . . . . . . . : Failed
> > > > [FATAL] Kerberos does not have a ticket for host/mta-server02.MTA-inc.local.
> > > > -----
> > > >
> > > > It appears that the name for the Win2K3 on the SBS2K3 server is not in sync
> > > > with the name on the Win2k3 server, but I cannot locate an occurrence where
> > > > it is different.
> > > >
> > > > Brown
> > > >
> > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > > news:eiCa33w6EHA.1408@TK2MSFTNGP10.phx.gbl...
> > > > > No problem Frank. Let us know if you did not get
> > > > > fixed up by this.
> > > > > BTW, if you can remote into the SBS then you should
> > > > > be able to open a remote desktop to the W2k3 from
> > > > > within the SBS. Double remote desktop can be a little
> > > > > tedious but does work. Also, you can configure the
> > > > > SBS to directly mediate remote desktop connection
> > > > > to any internal machine should you so choose.
> > > > >
> > > > > --
> > > > > Roger Abell
> > > > > Microsoft MVP (Windows Security)
> > > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > > "Brown" <fbrown@knology.net> wrote in message
> > > > > news:%23OB%23Mfg6EHA.2032@tk2msftngp13.phx.gbl...
> > > > > > > Roger, Thanks for the help. I have run the netdiag /fix and it looks like
> > > > > > > it has cleared up some of the problems. I am back home working via the SBS
> > > > > > > remote access. The 2K3 machine is not available (part of the problem) so I
> > > > > > > will have to try to get back in to the office to do it. I will be out of
> > > > > > > touch for several days, and may not be able to get back to it until then. I
> > > > > > > have your suggestions, and will see if that takes care of me when I can get
> > > > > > > back on the machine.
> > > > > > >
> > > > > > > I want to make sure you and Steven know how much I appreciate your patience
> > > > > > > and assistance.
> > > > > >
> > > > > > Frank Brown
> > > > > >
> > > > > >
> > > > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > > > > news:%23v0SqWf6EHA.1392@tk2msftngp13.phx.gbl...
> > > > > > > On the SBS first run
> > > > > > > netdiag /fix
> > > > > > > Verify that the zones supporting the AD are configured for
> > > > > > > secured dynamic updates allowed. For this, run the DNS
> > > > > > > mgmt UI and highlight each forward zone then rclick into
> > > > > > > its properties. They should be AD integrated and allowing
> > > > > > > secured dynamic updates.
> > > > > > >
> > > > > > > On the failing W2k3 check that
> > > > > > > - in tcp/ip settings the DNS server is the SBS machine
> > > > > > > - in System properties (rclick my computer, properties)
> > > > > > > the full computer name is correct, right domain
> > > > > > > at cmd prompt run
> > > > > > > net stop netlogon
> > > > > > > net start netlogon
> > > > > > > then rerun netdiag to see if it is clean.
> > > > > > >
> > > > > > > Once clean, you will want to install DNS on the
> > > > > > > second DC (if not already) and have it host the same
> > > > > > > AD integrated zones as are on the other DNS service.
> > > > > > >
> > > > > > > optional/advised:
> > > > > > > After you have DNS fault tolerance, you could/should
> > > > > > > configure each DC to point first to the other and then
> > > > > > > to itself for DNS services in the Tcp/Ip config.
> > > > > > >
> > > > > > > --
> > > > > > > Roger Abell
> > > > > > > Microsoft MVP (Windows Security)
> > > > > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > > > > "Brown" <fbrown@mta-inc.com> wrote in message
> > > > > > > news:OKNECGf6EHA.1204@TK2MSFTNGP10.phx.gbl...
> > > > > > > >> OK, I ran dcdiag and netdiag on the 2K3 machine errors abound ----
> > > > > > > >> First: dcdiag > "Although the Guid name <string of stuff here> couldn't be
> > > > > > > >> resolved, the server name (server02.domain.local) resolved to the IP address
> > > > > > > >> (192.168.1.98) and was pingable. Check that the IP address is registered
> > > > > > > >> correctly with the DNS Server."
> > > > > > > >> The other tests in dcdiag passed
> > > > > > > >> Then: netdiag:> Domain membership test: Failed "[WARNING] The system
> > > > > > > >> volume has not been completely replicated to the local machine. This
> > > > > > > >> machine is not working properly as a DC."
> > > > > > > >> DC test: failed "[WARNING] The DNS entries for this DC are not registered
> > > > > > > >> correctly on the DNS server '192.168.1.99'. Please wait for 30 minutes for
> > > > > > > >> DNS server replication. [FATAL] No DNS servers have the DNS records for
> > > > > > > >> this DC registered."
> > > > > > > >> DC list test: Failed [WARNING] Cannot call DsBind to main.domain.local
> > > > > > > >> (192.168.1.99). [SEC_E_WRONG_PRINCIPAL]
> > > > > > >> Trust Relationship test: Failed ....
> > > > > > >> Kerberos test: Failed........
> > > > > > >>
> > > > > > >> OK, HELP!! Where do I start??
> > > > > > >>
> > > > > > >> Brown
> > > > > > >>
> > > > > > >>
> > > > > > >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > > > > >> news:Oql3Ced6EHA.3124@TK2MSFTNGP11.phx.gbl...
> > > > > > >> > and netdiag and dcdiag have told you . . . ?
> > > > > > >> >
> > > > > > >> > --
> > > > > > >> > Roger
> > > > > > >> > "Brown" <fbrown@knology.net> wrote in message
> > > > > > >> > news:OEn0igV6EHA.2568@TK2MSFTNGP11.phx.gbl...
> > > > > > > >> > > The SBS machine has 2 NICs but only one is active. The Win2K3 has one NIC.
> > > > > > > >> > > DHCP is running on an external router.
> > > > > > >> > >
> > > > > > >> > > Brown
> > > > > > >> > >
> > > > > > >> > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > > > > >> > > news:uZpd85T6EHA.2192@TK2MSFTNGP14.phx.gbl...
> > > > > > >> > > > For DC communications issues your first stop shop to
> > > > > > >> > > > get hints of what may be amiss is by running on each DC
> > > > > > > >> > > > netdiag and dcdiag utilities (depending on versions, you
> > > > > > > >> > > > may need to install the optional support tools from the CD).
> > > > > > > >> > > >
> > > > > > > >> > > > Which, if any, of these machines are multihomed (>1 nic)?
> > > > > > >> > > >
> > > > > > >> > > > --
> > > > > > >> > > > Roger Abell
> > > > > > >> > > >
> > > > > > >> > > > "Brown" <fbrown@mta-inc.com> wrote in message
> > > > > > >> > > > news:O5OJURP6EHA.4008@TK2MSFTNGP15.phx.gbl...
> > > > > > > >> > > >> I tried that, but since it is a DC (backup) it will not allow this. Is
> > > > > > > >> > > >> there any other way to get them to shake hands?
> > > > > > >> > > >> Brown
> > > > > > >> > > >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > > > > >> > > >> news:%23deks%23L6EHA.3124@TK2MSFTNGP11.phx.gbl...
> > > > > > > >> > > >> > did I actually forget to mention that you could try resetting
> > > > > > > >> > > >> > the machine account (in AD Users and Comps) . . .
> > > > > > >> > > >> >
> > > > > > >> > > >> > --
> > > > > > >> > > >> > Roger Abell
> > > > > > >> > > >> >
> > > > > > >> > > >> > "Brown" <fbrown@mta-inc.com> wrote in message
> > > > > > >> > > >> > news:O2$c8m55EHA.2624@TK2MSFTNGP11.phx.gbl...
> > > > > > > >> > > >> >> I am running SBS 2003 Pro (MAIN), with a Win2K3 Standard server (SERVER02)
> > > > > > > >> > > >> >> which is providing file server and AD Backup tasks.
> > > > > > > >> > > >> >> I am getting an error message in the System Event Viewer, source Netlogon:
> > > > > > > >> > > >> >> "The session setup from the computer SERVER02 failed to authenticate. The
> > > > > > > >> > > >> >> name(s) of the account(s) referenced in the security database is SERVER02$.
> > > > > > > >> > > >> >> The following error occurred: Access denied."
> > > > > > >> > > >> >>
> > > > > > >> > > >> >> What do I need to do to correct this?
> > > > > > >> > > >> >>
> > > > > > >> > > >> >> Brown
> > > > > > >> > > >> >>
> > > > > > >> > > >> >>
> > > > > > >> > > >> >
> > > > > > >> > > >> >
> > > > > > >> > > >>
> > > > > > >> > > >>
> > > > > > >> > > >
> > > > > > >> > > >
> > > > > > >> > >
> > > > > > >> > >
> > > > > > >> >
> > > > > > >> >
> > > > > > >>
> > > > > > >>
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
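The two outputs exchanged in this thread, the `ipconfig /all` resolver order and the `netdiag` DNS re-registration failures, can be checked mechanically against the advice that the failing DC use the SBS machine for DNS. The Python below is an added example, not part of the original posts; its sample input is constructed (abridged from the output quoted above), and the function names and the `expected_dns` parameter are assumptions of this example.

```python
import re

# Constructed sample input, abridged from the output quoted in this thread.
IPCONFIG = """IP Address. . . . . . . . . . . . : 192.168.1.98
DNS Servers . . . . . . . . . . . : 192.168.1.98
192.168.1.99
"""
NETDIAG = """[FATAL] Failed to fix: DC DNS entry _ldap._tcp.MTA-inc.local.
re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.dc._msdcs.MTA-inc.local.re-registeration on DNS
server '192.168.1.99' failed.DNS Error code: 0x00002339
"""
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

def parse_ipconfig(text):
    """Map each 'Label . . . : value' to a list; a bare IP line continues the label above."""
    fields, last = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)[ .]*:\s*(.*)$", line)
        if m:
            last = m.group(1)
            fields.setdefault(last, [])
            if m.group(2):
                fields[last].append(m.group(2).strip())
        elif last and re.fullmatch(IP, line.strip()):
            fields[last].append(line.strip())
    return fields

def failed_registrations(text):
    """Return (record, dns_server, decimal_error) for each failed re-registration."""
    flat = " ".join(text.split())  # undo console and mail line wrapping
    pat = re.compile(r"DC DNS entry (\S+?)\.? ?re-registeration on DNS server '("
                     + IP + r")' failed\. ?DNS Error code: (0x[0-9a-fA-F]+)")
    return [(rec, srv, int(code, 16)) for rec, srv, code in pat.findall(flat)]

def check_dc_dns(ipconfig_text, netdiag_text, expected_dns):
    """Compare the resolver order with the advised DNS server and list failures."""
    cfg = parse_ipconfig(ipconfig_text)
    dns = cfg.get("DNS Servers", [])
    fails = failed_registrations(netdiag_text)
    return {
        "first_dns_is_expected": dns[:1] == [expected_dns],
        "lists_itself_first": bool(dns) and dns[0] in cfg.get("IP Address", []),
        "failed_records": [rec for rec, _, _ in fails],
        "servers_rejecting": sorted({srv for _, srv, _ in fails}),
        "error_codes": sorted({err for _, _, err in fails}),
    }
```

Calling `check_dc_dns(IPCONFIG, NETDIAG, "192.168.1.99")` on the sample shows the machine listing itself ahead of 192.168.1.99, with both SRV records failing against that server with error 9017 (0x2339).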