Re: Local authentication errors on Windows 2003 Server

To start I would run the support tool netdiag on that server looking to see
if there are any errors/warnings for dns, dc discovery, kerberos, or
trust/secure channel [computer account integrity check] . --- Steve


"PCSL" <neil@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1140688595.802221.281580@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi - or should I say HELP!!!

We have a problem with a domain server running Windows 2003.

For some inexplicable reason a significant range of authentication
tasks are failing on the server. All other domain member computers
appear to be authenticating ok.

The server is a domain server, and due to limited resources is also the
Exchange server and Terminal server. For the past 18 months it has been
operating ok, with only a few managable problems.

In the past few days the server has decided that a range of
authentication operation are to fail, including the Administrator and
all members of the various administrative groups.

Symptoms:

Many operations in Active Directory Users and Computers result in
"Permission is denied" - I have have had to deligate all tasks to the
administrator to do anything and still have some operations for which i
get refused.

Can not access licensing information.

Can not edit or view group policy settings (through GPMC, Domain
Security Policy, etc).

Logging onto the server is ok, although until it was rebooted we
couldn't log on through Terminal Services.

It is impossible to access any shares served by the server from the
server; including SYSVOL - this fails to authenticate or accept
passwords. Have found that enabling the guest account permits access
using the guest username and password.

The Exchange store stalls overnight with authentication related errors
during sheduled maintenance (see below) and the service can not be
restarted - we have to reboot the server to get it back.

The following events are frequetly logged (XXXXXXXX replaces
identifying information):

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 23/02/2006
Time: 09:11:19
User: XXXXXXXXXX\Julie
Computer: XXXXXXXXXX-SERVER
Description:
Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=XXXXXXXX,DC=local.
The file must be present at the location
<\\XXXXXXXX.local\sysvol\XXXXXXXX.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(Access is denied. ). Group Policy processing aborted.



Event Type: Error
Event Source: MSExchangeSA
Event Category: RFR Interface
Event ID: 9074
Date: 23/02/2006
Time: 09:08:08
User: N/A
Computer: XXXXXXXXXX-SERVER
Description:
The Directory Service Referral interface failed to service a client
request. RFRI is returning the error code:[0x3f0].

Event Type: Error
Event Source: MSExchangeAL
Event Category: Service Control
Event ID: 8063
Date: 23/02/2006
Time: 09:07:11
User: N/A
Computer: XXXXXXXXXX-SERVER
Description:
Could not read the root entry on directory
'XXXXXXX-server.XXXXXXX.net'. Cannot access configuration information.
DC=XXXXXXXX,DC=local

Note regarding this last event: The server was originally configured as
domain "XXXXXXXX.net" but was demoted and changed to "XXXXXXXX.local".
The above event implies a problem harking back to the change from .net
to .local but I have been unable to locate why this has suddenly
happened after 18 months.


Event Type: Error
Event Source: MSExchangeSA
Event Category: RFR Interface
Event ID: 9143
Date: 23/02/2006
Time: 09:01:42
User: N/A
Computer: XXXXXXXXXX-SERVER
Description:
Referral Interface cannot contact any Global Catalog that supports the
NSPI Service. Clients making RFR requests will fail to connect until a
Global Catalog becomes available again. After a Domain Controller is
promoted to a Global Catalog, it must be rebooted to support MAPI
Clients.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1006
Date: 21/02/2006
Time: 23:54:43
User: NT AUTHORITY\SYSTEM
Computer: XXXXXXXXXX-SERVER
Description:
Windows cannot bind to XXXXXXXXXX.local domain. (Local Error). Group
Policy processing aborted.


For "emergency" use only there is Outlook 2003 installed - this fails
to authenticate or accept passwords but Outlook works fine from other
machines. However, Outlook Web Access works fine from the server...


Connection from any other machine is fine (so far!).


I suspect permissions on some object has changed, such as on the root
of the system drive or elsewhare but have been unable to locate or
apply an effective combination of ACLs.

I've been through dozens of support documents relating to
authentication and the events being seen, but to no avail...

Anyone got any suggestions???


TIA,

Neil



.

Relevant Pages

  • RE: HELP: Exchange is losing connectivity with PDC and DNS
    ... EMAIL and PDC1, BDC1 and WINS server. ... Event Type: Error ... Event Source: MSExchangeAL ... If this computer is a domain controller for the specified domain, ...
    (microsoft.public.windows.server.dns)
  • Re: SA hungs on starting
    ... Testing server: Corporate\MORPHEUS ... Event Type: Warning ... Event Source: MSExchangeMU ... An error occurred while starting the Microsoft Exchange POP3 Service: ...
    (microsoft.public.exchange2000.admin)
  • Re: Fresh sbs install needed?
    ... Event Type: Error ... Event Source: MSExchangeDSAccess ... Computer: HALBERT-SBS ... Microsoft SQL Server Desktop Engine -- Internal Error 2727. ...
    (microsoft.public.windows.server.sbs)
  • Re: SA hungs on starting
    ... Event Type: Warning ... The DNS server was unable to open the Active Directory. ... Event Source: MSExchangeMU ... An error occurred while starting the Microsoft Exchange POP3 Service: ...
    (microsoft.public.exchange2000.admin)
  • Re: Operation failed because of a non-security related error?
    ... server from a 2000 server then decommisioning the 2000 server. ... Event Type: Error ... Event Source: NTDS General ... Computer: DIGITALDATA2 ...
    (microsoft.public.windows.server.active_directory)