Re: netlogon error

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 01/07/05


Date: Fri, 7 Jan 2005 07:44:23 -0700

Those messages when launching those tools on the nonSBS
seem to indicate that the AD initial replication into it still
has not happened.

There is no software firewall configured on the SBS, right?

You have not yet mentioned whether after yesterday morning
when the DNS config of the nonSBS was changed, is the nonSBS
now showing in the forward lookup zones when viewed in the
SBS DNS mgmt UI. There is a netlogon.dns file deposited in
the config folder in system32 on DCs, and these are unique to
each DC. The records that are recorded there in the nonSBS
are what should now exist in the DNS on the SBS machine.

If you run Sites and Services on the SBS and drill in do you
also see the nonSBS there? If so, do you see under its NTDS
settings that there are replication links defined to it?

-- 
Roger
"Brown" <fbrown@mta-inc.com> wrote in message
news:ezfFk2L9EHA.1524@TK2MSFTNGP09.phx.gbl...
> The non-SBS does appear in the Domain Controllers OU on the SBS box.  With
> the changes I have made in the last couple of days, when I launch AD Users &
> Computers on the non-SBS I get an error that states
> "Naming information cannot be located because:
> The target principal name is incorrect.
> Contact your system administrator to verify that your domain is properly
> configured and is currently online."
> Same message for AD Site & Services.
> AD Domains & Trust gives the message
> "The configuration information describing this enterprise is not available.
> The target principal name is incorrect."
>
> It looks like something is not pointing to the right place, but I have no
> clue.
>
> Brown
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:Ow#phqF9EHA.3504@TK2MSFTNGP12.phx.gbl...
> > After the reboot, or also after waiting a while ?
> > The replication does not complete instantly.
> >
> > When you use AD Users and Computers on the SBS do
> > you see the W2k3 listed in the Domain Controllers OU ?
> > It is starting to sound like it is not going to be there (meaning
> > that the W2k3 believes it is supposed to be a DC but the SBS
> > does not - something I can't understand happening except maybe
> > if during dcpromo NetBios based RPC communications is
> > interrupted early in the promo but is OK at the very start)
> >
> > -- 
> > Roger
> > "Brown" <fbrown@knology.net> wrote in message
> > news:%234PIOJF9EHA.3676@TK2MSFTNGP10.phx.gbl...
> > > After the restart on the nonSBS machine this morning, when I open Active
> > > Directory Users and Computers it indicates that AD is not running.
> > >
> > > Brown
> > >
> > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> > > news:%234oS7IE9EHA.3012@TK2MSFTNGP09.phx.gbl...
> > > > Those messages are not unexpected the first time around, because
> > > > the new DC has not yet completed its initial sync with the existing AD,
> > > > and so does not have its own copy (which it was trying to access).
> > > > One would expect those to go away in the future as when the DNS
> > > > server code fires up it then will find the AD content it is complaining
> > > > about not finding now.
> > > >
> > > > The issue is, do we have a functioning DC that does have replication
> > > > established with the SBS DC ?
> > > >
> > > > At a cmd prompt run replmon and connect to the two DCs and drill
> > > > into the defined replications to see if things seem to be happening.
> > > > Alternatively, on the nonSBS run AD Users and Computers, use the
> > > > properties to make sure that you are focused on the nonSBS machine
> > > > and the domain controller the tool is speaking with, and then click
> > > > around and see if it looks the same as when the tool is connected
> > > > to AD on the SBS machine.
> > > >
> > > > -- 
> > > > Roger Abell
> > > > Microsoft MVP (Windows Server System: Security)
> > > > MCDBA,  MCSE W2k3+W2k+Nt4
> > > > "Brown" <fbrown@mta-inc.com> wrote in message
> > > > news:%23P7OoiA9EHA.3944@TK2MSFTNGP12.phx.gbl...
> > > >> OK, Got through the steps and restarted. In the dnsmgmt console on the
> > > > >> Win2K3, got a warning:
> > > >> Event Type: Warning
> > > >> Event Source: DNS
> > > >> Event Category: None
> > > >> Event ID: 4013
> > > >> Date:  1/6/2005
> > > >> Time:  9:40:16 AM
> > > >> User:  N/A
> > > >> Computer: MTA-SERVER02
> > > >> Description:
> > > > >> The DNS server was unable to open the Active Directory.  This DNS server is
> > > > >> configured to use directory service information and can not operate without
> > > > >> access to the directory.  The DNS server will wait for the directory to
> > > > >> start.  If the DNS server is started but the appropriate event has not been
> > > > >> logged, then the DNS server is still waiting for the directory to start.
> > > >>
> > > >> For more information, see Help and Support Center at
> > > >> http://go.microsoft.com/fwlink/events.asp.
> > > >> Data:
> > > >> 0000: 2d 23 00 00               -#..
> > > >> -------
> > > >> Then got an error:
> > > >> Event Type: Error
> > > >> Event Source: DNS
> > > >> Event Category: None
> > > >> Event ID: 4000
> > > >> Date:  1/6/2005
> > > >> Time:  9:40:16 AM
> > > >> User:  N/A
> > > >> Computer: MTA-SERVER02
> > > >> Description:
> > > > >> The DNS server was unable to open Active Directory.  This DNS server is
> > > > >> configured to obtain and use information from the directory for this zone
> > > > >> and is unable to load the zone without it.  Check that the Active Directory
> > > > >> is functioning properly and reload the zone. The event data is the error
> > > > >> code.
> > > >>
> > > >> For more information, see Help and Support Center at
> > > >> http://go.microsoft.com/fwlink/events.asp.
> > > >> Data:
> > > >> 0000: 2d 23 00 00               -#..
> > > >>
> > > >> Brown
> > > >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > >> news:#9C#vFA9EHA.3504@TK2MSFTNGP12.phx.gbl...
> > > >>> On the nonSBS mta-server02 try reversing these DNS
> > > >>> server settings in its Tcp/Ip properties
> > > >>> DNS Servers . . . . . . . . . . . : 192.168.1.98
> > > >>>                                                192.168.1.99
> > > >>> so that 1.99 is the first listed DNS server IP
> > > >>> (assuming 1.99 is the SBS)
> > > >>>
> > > >>> Then on the SBS temporarily change the DNS
> > > >>> forward zone for MTA-inc.local so that it will
> > > >>> allow unsecured dynamic updates instead of only
> > > >>> secured dynamic updates. (This is found in the
> > > >>> r-click properties of the MTA-inc.local forward
> > > >>> zone node - first set focus on the node by clicking
> > > >>> and then r-click into its context menu.)
> > > >>>
> > > >>> Next, on the nonSBS at cmd prompt run these three:
> > > >>> ipconfig /registerdns
> > > >>> net stop netlogon
> > > >>> net start netlogon
> > > >>>
> > > >>> Take a look into the forward zone for MTA-inc.local
> > > > >>> in the DNS server on SBS to see if there are now
> > > >>> DNS records for mta-server02 indicating its 1.98 addy,
> > > >>>
> > > >>> If so, try a reboot of the nonSBS.
> > > >>>
> > > >>> You will need to remember to set the forward zone
> > > >>> back to allowing only secured dynamic updates after
> > > >>> you are done.  It would be good to leave both DCs
> > > >>> set with their DNS servers in Tcp/Ip config set so
> > > >>> that they first reference the other and next reference
> > > >>> themselves - however, if doing this then both would
> > > >>> need to be able to get out to the internet DNS servers.
> > > >>>
> > > >>>
> > > >>> -- 
> > > >>> Roger Abell
> > > >>> Microsoft MVP (Windows  Security)
> > > >>> MCSE (W2k3,W2k,Nt4)  MCDBA
> > > >>> "Brown" <fbrown@mta-inc.com> wrote in message
> > > >>> news:erOKNe$8EHA.2600@TK2MSFTNGP09.phx.gbl...
> > > >>> > Here is the ipconfig:
> > > >>> > Windows IP Configuration
> > > >>> >
> > > >>> > Host Name . . . . . . . . . . . . : mta-server02
> > > >>> >
> > > >>> > Primary Dns Suffix . . . . . . . : MTA-inc.local
> > > >>> >
> > > >>> > Node Type . . . . . . . . . . . . : Broadcast
> > > >>> >
> > > >>> > IP Routing Enabled. . . . . . . . : Yes
> > > >>> >
> > > >>> > WINS Proxy Enabled. . . . . . . . : Yes
> > > >>> >
> > > >>> > DNS Suffix Search List. . . . . . : MTA-inc.local
> > > >>> >
> > > >>> > Ethernet adapter Local Area Connection:
> > > >>> >
> > > >>> > Connection-specific DNS Suffix . :
> > > >>> >
> > > > >>> > Description . . . . . . . . . . . : SiS 900-Based PCI Fast Ethernet Adapter
> > > >>> >
> > > >>> > Physical Address. . . . . . . . . : 00-0C-6E-AF-F9-6C
> > > >>> >
> > > >>> > DHCP Enabled. . . . . . . . . . . : No
> > > >>> >
> > > >>> > IP Address. . . . . . . . . . . . : 192.168.1.98
> > > >>> >
> > > >>> > Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > > >>> >
> > > >>> > Default Gateway . . . . . . . . . : 192.168.1.1
> > > >>> >
> > > >>> > DNS Servers . . . . . . . . . . . : 192.168.1.98
> > > >>> >
> > > >>> >                                                192.168.1.99
> > > >>> >
> > > >>> > Brown
> > > >>> >
> > > >>> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > >>> > news:#aebW678EHA.1188@tk2msftngp13.phx.gbl...
> > > >>> > > It is not unusual for a DC to fail to authenticate when it
> > > >>> > > has not yet completed becoming a DC.
> > > >>> > > The requested output from
> > > >>> > > ipconfig /all
> > > >>> > > when run on the failing machine would help greatly in
> > > >>> > > understanding from the previously provided netdiag output
> > > >>> > > if there is a simple route to get the initial replication to
> > > >>> > > complete so that the machine can complete its promotion.
> > > >>> > >
> > > >>> > > -- 
> > > >>> > > Roger Abell
> > > >>> > > Microsoft MVP (Windows  Security)
> > > >>> > > MCSE (W2k3,W2k,Nt4)  MCDBA
> > > >>> > > "Brown" <fbrown@mta-inc.com> wrote in message
> > > >>> > > news:uY35RQz8EHA.2540@TK2MSFTNGP09.phx.gbl...
> > > > >>> > > > In the Event Log I get the following message:
> > > >>> > > >
> > > >>> > > > Event Type: Warning
> > > >>> > > >
> > > >>> > > > Event Source: LSASRV
> > > >>> > > >
> > > >>> > > > Event Category: SPNEGO (Negotiator)
> > > >>> > > >
> > > >>> > > > Event ID: 40960
> > > >>> > > >
> > > >>> > > > Date: 1/5/2005
> > > >>> > > >
> > > >>> > > > Time: 7:18:18 AM
> > > >>> > > >
> > > >>> > > > User: N/A
> > > >>> > > >
> > > >>> > > > Computer: MTA-SERVER02
> > > >>> > > >
> > > >>> > > > Description:
> > > >>> > > >
> > > > >>> > > > The Security System detected an authentication error for the server
> > > > >>> > > > cifs/mta-main.MTA-inc.local. The failure code from authentication protocol
> > > > >>> > > > Kerberos was "The attempted logon is invalid. This is either due to a bad
> > > > >>> > > > username or authentication information.
> > > >>> > > >
> > > >>> > > > (0xc000006d)".
> > > >>> > > >
> > > >>> > > > For more information, see Help and Support Center at
> > > >>> > > > http://go.microsoft.com/fwlink/events.asp.
> > > >>> > > >
> > > >>> > > > Data:
> > > >>> > > >
> > > >>> > > > 0000: 6d 00 00 c0 m..
> > > >>> > > >
> > > >>> > > > ----------------
> > > >>> > > > Brown
> > > >>> > > >
> > > >>> > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > >>> > > > news:Ot5o7Av8EHA.4004@tk2msftngp13.phx.gbl...
> > > >>> > > > > '192.168.1.99' is IP of the SBS ?
> > > >>> > > > > Can you clarify for me a little just what you meant by
> > > > >>> > > > > > It appears that the name for the Win2K3 on the SBS2K3 server is not in sync
> > > > >>> > > > > > with the name on the Win2k3 server, but I cannot locate an occurrence where
> > > > >>> > > > > > it is different.
> > > > >>> > > > > Names as seen where ?
> > > > >>> > > > > Can you post output from running, on the failing W2k3 (nonSBS)
> > > >>> > > > > ipconfig /all
> > > >>> > > > >
> > > >>> > > > > -- 
> > > >>> > > > > Roger Abell
> > > >>> > > > > Microsoft MVP (Windows  Security)
> > > >>> > > > > MCSE (W2k3,W2k,Nt4)  MCDBA
> > > >>> > > > > "Brown" <fbrown@mta-inc.com> wrote in message
> > > >>> > > > > news:%23acMnep8EHA.2156@TK2MSFTNGP10.phx.gbl...
> > > > >>> > > > > > OK, I'm back - I have gone through the suggestions and am still at a loss.
> > > > >>> > > > > > Netdiag still shows problems on the Win2K3 server:
> > > > >>> > > > > >
> > > > >>> > > > > > Domain membership test . . . . . . : Failed
> > > > >>> > > > > > [WARNING] The system volume has not been completely replicated to the local
> > > > >>> > > > > > machine. This machine is not working properly as a DC.
> > > > >>> > > > > > ------
> > > > >>> > > > > > DNS test . . . . . . . . . . . . . : Failed
> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry MTA-inc.local.
> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> > > > >>> > > > > >
> > > > >>> > > > > > DNS Error code: 0x00002339
> > > > >>> > > > > >
> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry _ldap._tcp.MTA-inc.local.
> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> > > > >>> > > > > >
> > > > >>> > > > > > DNS Error code: 0x00002339
> > > > >>> > > > > >
> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry
> > > > >>> > > > > > _ldap._tcp.Default-First-Site-Name._sites.MTA-inc.local.
> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> > > > >>> > > > > >
> > > > >>> > > > > > DNS Error code: 0x00002339
> > > > >>> > > > > >
> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry
> > > > >>> > > > > > _ldap._tcp.206600de-fb91-4786-8e91-7db1704af5a3.domains._msdcs.MTA-inc.local.
> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> > > > >>> > > > > >
> > > > >>> > > > > > DNS Error code: 0x00002339
> > > > >>> > > > > >
> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry
> > > > >>> > > > > > 67f85d0b-43cd-47df-948d-1a165f5851d7._msdcs.MTA-inc.local.
> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> > > > >>> > > > > >
> > > > >>> > > > > > DNS Error code: 0x00002339
> > > > >>> > > > > >
> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry
> > > > >>> > > > > > _kerberos._tcp.dc._msdcs.MTA-inc.local.
> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> > > > >>> > > > > >
> > > > >>> > > > > > DNS Error code: 0x00002339
> > > > >>> > > > > >
> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry
> > > > >>> > > > > > _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local.
> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> > > > >>> > > > > >
> > > > >>> > > > > > DNS Error code: 0x00002339
> > > > >>> > > > > >
> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.MTA-inc.local.
> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> > > > >>> > > > > >
> > > > >>> > > > > > DNS Error code: 0x00002339
> > > > >>> > > > > >
> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry
> > > > >>> > > > > > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local.
> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> > > > >>> > > > > >
> > > > >>> > > > > > DNS Error code: 0x00002339
> > > > >>> > > > > >
> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.MTA-inc.local.
> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> > > > >>> > > > > >
> > > > >>> > > > > > DNS Error code: 0x00002339
> > > > >>> > > > > >
> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry
> > > > >>> > > > > > _kerberos._tcp.Default-First-Site-Name._sites.MTA-inc.local.
> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> > > > >>> > > > > >
> > > > >>> > > > > > DNS Error code: 0x00002339
> > > > >>> > > > > >
> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry _kerberos._udp.MTA-inc.local.
> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> > > > >>> > > > > >
> > > > >>> > > > > > DNS Error code: 0x00002339
> > > > >>> > > > > >
> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry
> > > > >>> > > > > > _kpasswd._tcp.MTA-inc.local.
> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> > > > >>> > > > > >
> > > > >>> > > > > > DNS Error code: 0x00002339
> > > > >>> > > > > >
> > > > >>> > > > > > [FATAL] Failed to fix: DC DNS entry
> > > > >>> > > > > > _kpasswd._udp.MTA-inc.local.
> > > > >>> > > > > > re-registeration on DNS server '192.168.1.99' failed.
> > > > >>> > > > > >
> > > > >>> > > > > > DNS Error code: 0x00002339
> > > > >>> > > > > >
> > > > >>> > > > > > [FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for
> > > > >>> > > > > > this DC on DNS server '192.168.1.99'.
> > > > >>> > > > > >
> > > > >>> > > > > > [FATAL] No DNS servers have the DNS records for this DC registered.
> > > > >>> > > > > >
> > > > >>> > > > > > ------
> > > > >>> > > > > > DC list test . . . . . . . . . . . : Failed
> > > > >>> > > > > > [WARNING] Cannot call DsBind to mta-main.MTA-inc.local (192.168.1.99).
> > > > >>> > > > > > [SEC_E_WRONG_PRINCIPAL]
> > > > >>> > > > > > -------
> > > > >>> > > > > > Trust relationship test. . . . . . : Failed
> > > > >>> > > > > > [WARNING] Don't have access to test your domain sid for domain 'MTA-INC'.
> > > > >>> > > > > > [Test skipped]
> > > > >>> > > > > > [FATAL] Secure channel to domain 'MTA-INC' is broken.
> > > > >>> > > > > > [ERROR_NO_TRUST_SAM_ACCOUNT]
> > > > >>> > > > > > -----
> > > > >>> > > > > > Kerberos test. . . . . . . . . . . : Failed
> > > > >>> > > > > > [FATAL] Kerberos does not have a ticket for host/mta-server02.MTA-inc.local.
> > > > >>> > > > > > -----
> > > > >>> > > > > >
> > > > >>> > > > > > It appears that the name for the Win2K3 on the SBS2K3 server is not in sync
> > > > >>> > > > > > with the name on the Win2k3 server, but I cannot locate an occurrence where
> > > > >>> > > > > > it is different.
> > > >>> > > > > >
> > > >>> > > > > > Brown
> > > >>> > > > > >
> > > >>> > > > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > >>> > > > > > news:eiCa33w6EHA.1408@TK2MSFTNGP10.phx.gbl...
> > > >>> > > > > > > No problem Frank.  Let us know if you did not get
> > > >>> > > > > > > fixed up by this.
> > > >>> > > > > > > BTW, if you can remote into the SBS then you should
> > > >>> > > > > > > be able to open a remote desktop to the W2k3 from
> > > >>> > > > > > > within the SBS.  Double remote desktop can be a little
> > > >>> > > > > > > tedious but does work.  Also, you can configure the
> > > >>> > > > > > > SBS to directly mediate remote desktop connection
> > > >>> > > > > > > to any internal machine should you so choose.
> > > >>> > > > > > >
> > > >>> > > > > > > -- 
> > > >>> > > > > > > Roger Abell
> > > >>> > > > > > > Microsoft MVP (Windows  Security)
> > > >>> > > > > > > MCSE (W2k3,W2k,Nt4)  MCDBA
> > > >>> > > > > > > "Brown" <fbrown@knology.net> wrote in message
> > > >>> > > > > > > news:%23OB%23Mfg6EHA.2032@tk2msftngp13.phx.gbl...
> > > > >>> > > > > > > > Roger, Thanks for the help.  I have run the netdiag /fix and it looks like
> > > > >>> > > > > > > > it has cleared up some of the problems.  I am back home working via the SBS
> > > > >>> > > > > > > > remote access.  The 2K3 machine is not available (part of the problem) so I
> > > > >>> > > > > > > > will have to try to get back in to the office to do it. I will be out of
> > > > >>> > > > > > > > touch for several days, and may not be able to get back to it until then. I
> > > > >>> > > > > > > > have your suggestions, and will see if that takes care of me when I can get
> > > > >>> > > > > > > > back on the machine.
> > > > >>> > > > > > > >
> > > > >>> > > > > > > > I want to make sure you Steven know how much I appreciate your patience and
> > > > >>> > > > > > > > assistance.
> > > >>> > > > > > > >
> > > >>> > > > > > > > Frank Brown
> > > >>> > > > > > > >
> > > >>> > > > > > > >
> > > >>> > > > > > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > >>> > > > > > > > news:%23v0SqWf6EHA.1392@tk2msftngp13.phx.gbl...
> > > > >>> > > > > > > > > On the SBS first run
> > > > >>> > > > > > > > > netdiag /fix
> > > > >>> > > > > > > > > Verify that the zones supporting the AD are configured for
> > > > >>> > > > > > > > > secured dynamic updates allowed.  For this, run the DNS
> > > > >>> > > > > > > > > mgmt UI and highlight each forward zone then rclick into
> > > > >>> > > > > > > > > its properties.  They should be AD integrated and allowing
> > > > >>> > > > > > > > > secured dynamic updates.
> > > > >>> > > > > > > > >
> > > > >>> > > > > > > > > On the failing W2k3 check that
> > > > >>> > > > > > > > > - in tcp/ip settings the DNS server is the SBS machine
> > > > >>> > > > > > > > > - in System properties (rclick my computer, properties)
> > > > >>> > > > > > > > >   the full computer name is correct, right domain
> > > > >>> > > > > > > > > at cmd prompt run
> > > > >>> > > > > > > > > net stop netlogon
> > > > >>> > > > > > > > > net start netlogon
> > > > >>> > > > > > > > > then rerun netdiag to see if it is clean.
> > > > >>> > > > > > > > >
> > > > >>> > > > > > > > > Once clean, you will want to install DNS on the
> > > > >>> > > > > > > > > second DC (if not already) and have it host the same
> > > > >>> > > > > > > > > AD integrated zones as are on the other DNS service.
> > > > >>> > > > > > > > >
> > > > >>> > > > > > > > > optional/advised:
> > > > >>> > > > > > > > > After you have DNS fault tolerance, you could/should
> > > > >>> > > > > > > > > configure each DC to point first to the other and then
> > > > >>> > > > > > > > > to itself for DNS services in the Tcp/Ip config.
> > > >>> > > > > > > > >
> > > >>> > > > > > > > > -- 
> > > >>> > > > > > > > > Roger Abell
> > > >>> > > > > > > > > Microsoft MVP (Windows  Security)
> > > >>> > > > > > > > > MCSE (W2k3,W2k,Nt4)  MCDBA
> > > >>> > > > > > > > > "Brown" <fbrown@mta-inc.com> wrote in message
> > > >>> > > > > > > > > news:OKNECGf6EHA.1204@TK2MSFTNGP10.phx.gbl...
> > > > >>> > > > > > > > >> OK, I ran dcdiag and netdiag on the 2K3 machine errors abound ----
> > > > >>> > > > > > > > >> First: dcdiag >  "Although the Guid name <string of stuff here> couldn't be
> > > > >>> > > > > > > > >> resolved, the server name (server02.domain.local) resolved to the IP address
> > > > >>> > > > > > > > >> (192.168.1.98) and was pingable.  Check that the IP address is registered
> > > > >>> > > > > > > > >> correctly with the DNS Server."
> > > > >>> > > > > > > > >> The other tests in dcdiag passed
> > > > >>> > > > > > > > >> Then: netdiag:> Domain membership test: Failed "[WARNING] The system
> > > > >>> > > > > > > > >> volume has not been  completely replicated to the local machine. This
> > > > >>> > > > > > > > >> machine is not working properly as a DC."
> > > > >>> > > > > > > > >> DC test: failed  "[WARNING] The DNS entries for this DC are not registered
> > > > >>> > > > > > > > >> correctly on the DNS server '192.168.1.99'. Please wait for 30 minutes for
> > > > >>> > > > > > > > >> DNS server replication.  [FATAL] No DNS servers have the DNS records for
> > > > >>> > > > > > > > >> this DC registered."
> > > > >>> > > > > > > > >> DC list test: Failed [WARNING] Cannot call DsBind to main.domain.local
> > > > >>> > > > > > > > >> (192.168.1.99).  [SEC_E_WRONG_PRINCIPAL]
> > > > >>> > > > > > > > >> Trust Relationship test: Failed ....
> > > > >>> > > > > > > > >> Kerberos test: Failed........
> > > >>> > > > > > > > >>
> > > >>> > > > > > > > >> OK, HELP!! Where do I start??
> > > >>> > > > > > > > >>
> > > >>> > > > > > > > >> Brown
> > > >>> > > > > > > > >>
> > > >>> > > > > > > > >>
> > > > >>> > > > > > > > >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > >>> > > > > > > > >> news:Oql3Ced6EHA.3124@TK2MSFTNGP11.phx.gbl...
> > > >>> > > > > > > > >> > and netdiag and dcdiag have told you  . . .  ?
> > > >>> > > > > > > > >> >
> > > >>> > > > > > > > >> > -- 
> > > >>> > > > > > > > >> > Roger
> > > >>> > > > > > > > >> > "Brown" <fbrown@knology.net> wrote in message
> > > >>> > > > > > > > >> > news:OEn0igV6EHA.2568@TK2MSFTNGP11.phx.gbl...
> > > > >>> > > > > > > > >> > > The SBS machine has 2 NICs but only one is active.  The Win2K3 has one NIC.
> > > > >>> > > > > > > > >> > > DHCP is running on an external router.
> > > > >>> > > > > > > > >> > >
> > > > >>> > > > > > > > >> > > Brown
> > > > >>> > > > > > > > >> > >
> > > > >>> > > > > > > > >> > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > > >>> > > > > > > > >> > > news:uZpd85T6EHA.2192@TK2MSFTNGP14.phx.gbl...
> > > > >>> > > > > > > > >> > > > For DC communications issues your first stop shop to
> > > > >>> > > > > > > > >> > > > get hints of what may be amiss is by running on each DC
> > > > >>> > > > > > > > >> > > > netdiag and dcdiag utilities (depending on versions, you
> > > > >>> > > > > > > > >> > > > may need to install the optional support tools from the CD).
> > > > >>> > > > > > > > >> > > >
> > > > >>> > > > > > > > >> > > > Which, if any, of these machines are multihomed (>1 nic)?
> > > > >>> > > > > > > > >> > > >
> > > > >>> > > > > > > > >> > > > -- 
> > > > >>> > > > > > > > >> > > > Roger Abell
> > > > >>> > > > > > > > >> > > >
> > > > >>> > > > > > > > >> > > > "Brown" <fbrown@mta-inc.com> wrote in message
> > > > >>> > > > > > > > >> > > > news:O5OJURP6EHA.4008@TK2MSFTNGP15.phx.gbl...
> > > > >>> > > > > > > > >> > > >> I tried that, but since it is a DC (backup) it will not allow this.  Is
> > > > >>> > > > > > > > >> > > >> there any other way to get them to shake hands?
> > > > >>> > > > > > > > >> > > >> Brown
> > > > >>> > > > > > > > >> > > >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > > >>> > > > > > > > >> > > >> news:%23deks%23L6EHA.3124@TK2MSFTNGP11.phx.gbl...
> > > > >>> > > > > > > > >> > > >> > did I actually forget to mention that you could try resetting
> > > > >>> > > > > > > > >> > > >> > the machine account (in AD Users and Comps) . . .
> > > > >>> > > > > > > > >> > > >> >
> > > > >>> > > > > > > > >> > > >> > -- 
> > > > >>> > > > > > > > >> > > >> > Roger Abell
> > > > >>> > > > > > > > >> > > >> >
> > > > >>> > > > > > > > >> > > >> > "Brown" <fbrown@mta-inc.com> wrote in message
> > > > >>> > > > > > > > >> > > >> > news:O2$c8m55EHA.2624@TK2MSFTNGP11.phx.gbl...
> > > > >>> > > > > > > > >> > > >> >> I am running SBS 2003 Pro (MAIN), with a Win2K3 Standard server (SERVER02)
> > > > >>> > > > > > > > >> > > >> >> which is providing file server and AD Backup tasks.
> > > > >>> > > > > > > > >> > > >> >> I am getting an error message in the System Event Viewer, source Netlogon:
> > > > >>> > > > > > > > >> > > >> >> "The session setup from the computer SERVER02 failed to authenticate. The
> > > > >>> > > > > > > > >> > > >> >> name(s) of the account(s) referenced in the security database is SERVER02$.
> > > > >>> > > > > > > > >> > > >> >> The following error occurred:  Access denied."
> > > >>> > > > > > > > >> > > >> >>
> > > >>> > > > > > > > >> > > >> >> What do I need to do to correct this?
> > > >>> > > > > > > > >> > > >> >>
> > > >>> > > > > > > > >> > > >> >> Brown
> > > >>> > > > > > > > >> > > >> >>
> > > >>> > > > > > > > >> > > >> >>
> > > >>> > > > > > > > >> > > >> >
> > > >>> > > > > > > > >> > > >> >
> > > >>> > > > > > > > >> > > >>
> > > >>> > > > > > > > >> > > >>
> > > >>> > > > > > > > >> > > >
> > > >>> > > > > > > > >> > > >
> > > >>> > > > > > > > >> > >
> > > >>> > > > > > > > >> > >
> > > >>> > > > > > > > >> >
> > > >>> > > > > > > > >> >
> > > >>> > > > > > > > >>
> > > >>> > > > > > > > >>
> > > >>> > > > > > > > >
> > > >>> > > > > > > > >
> > > >>> > > > > > > >
> > > >>> > > > > > > >
> > > >>> > > > > > >
> > > >>> > > > > > >
> > > >>> > > > > >
> > > >>> > > > > >
> > > >>> > > > >
> > > >>> > > > >
> > > >>> > > >
> > > >>> > > >
> > > >>> > >
> > > >>> > >
> > > >>> >
> > > >>> >
> > > >>>
> > > >>>
> > > >>
> > > >>
> > > >
> > > >
> > >
> > >
> >
> >
>
>
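The check described in the newest message at the top of this thread (the records in the nonSBS's netlogon.dns are what should exist in the DNS zone on the SBS), as an added example that is not part of the original posts. It assumes netlogon.dns uses zone-file style lines (owner, TTL, IN, type, data); the sample file, the sample zone contents and the `lookup` callback are constructed or hypothetical, using host names and addresses from the thread.

```python
"""List the netlogon.dns records of a DC that are absent from a DNS zone."""
from typing import Callable, Iterable, List, NamedTuple


class Record(NamedTuple):
    owner: str  # lower-cased FQDN with trailing dot
    rtype: str  # A, CNAME or SRV
    rdata: str  # normalized record data


def fqdn(name: str) -> str:
    # DNS names compare case-insensitively; normalize so MTA-inc.local matches.
    return name.rstrip(".").lower() + "."


def parse_netlogon_dns(text: str) -> List[Record]:
    """Parse lines of the assumed form: owner TTL IN TYPE data..."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner, rtype, rdata = fqdn(fields[0]), fields[3].upper(), fields[4:]
        if rtype == "A":
            data = rdata[0]
        elif rtype == "CNAME":
            data = fqdn(rdata[0])
        elif rtype == "SRV" and len(rdata) == 4:
            # priority weight port target
            data = " ".join(rdata[:3] + [fqdn(rdata[3])])
        else:
            continue  # record types this sketch does not handle
        records.append(Record(owner, rtype, data))
    return records


def missing_records(
    expected: Iterable[Record],
    lookup: Callable[[str, str], Iterable[str]],
) -> List[Record]:
    """Return the expected records that lookup(owner, rtype) does not hold."""
    return [r for r in expected if r.rdata not in set(lookup(r.owner, r.rtype))]


# Constructed sample of the nonSBS's netlogon.dns (names and IPs from the thread).
SAMPLE_NETLOGON_DNS = """\
MTA-inc.local. 600 IN A 192.168.1.98
_ldap._tcp.MTA-inc.local. 600 IN SRV 0 100 389 mta-server02.MTA-inc.local.
_kerberos._tcp.dc._msdcs.MTA-inc.local. 600 IN SRV 0 100 88 mta-server02.MTA-inc.local.
_kpasswd._udp.MTA-inc.local. 600 IN SRV 0 100 464 mta-server02.MTA-inc.local.
67f85d0b-43cd-47df-948d-1a165f5851d7._msdcs.MTA-inc.local. 600 IN CNAME mta-server02.MTA-inc.local.
"""

# Constructed view of the forward zone on the SBS: mostly the SBS's own records,
# with only one of the nonSBS's SRV records registered.
SAMPLE_SBS_ZONE = {
    ("mta-inc.local.", "A"): {"192.168.1.99"},
    ("_ldap._tcp.mta-inc.local.", "SRV"): {"0 100 389 mta-main.mta-inc.local."},
    ("_kerberos._tcp.dc._msdcs.mta-inc.local.", "SRV"): {
        "0 100 88 mta-main.mta-inc.local."
    },
    ("_kpasswd._udp.mta-inc.local.", "SRV"): {
        "0 100 464 mta-main.mta-inc.local.",
        "0 100 464 mta-server02.mta-inc.local.",
    },
}


def sbs_zone_lookup(owner: str, rtype: str) -> Iterable[str]:
    # Hypothetical stand-in for querying the SBS DNS server directly.
    return SAMPLE_SBS_ZONE.get((owner, rtype), set())


if __name__ == "__main__":
    wanted = parse_netlogon_dns(SAMPLE_NETLOGON_DNS)
    for rec in missing_records(wanted, sbs_zone_lookup):
        print(f"MISSING {rec.owner} {rec.rtype} {rec.rdata}")
```

On a real DC the `lookup` callback would be replaced by queries sent to the DNS server that hosts the zone, returning data normalized the same way as the parser's output.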

