Solved

Cannot add user

Posted on 2001-08-10
17
458 Views
Last Modified: 2012-05-04
Hi all,

When I try to add a user in the active directory, after I click finish, I get the following error:

"cannot set password for user.  The network location cannot be found".

Is this a DNS related problem?
If so, are there any good resources on the web for setting up DNS in Win2K (you can always provide these offcourse, even if my prob is not DNS related, I would like to learn more ;-) ).

Is it related to something else?

All help is welcome!

Best regards,

Robby
0
Comment
Question by:IlRoberto
  • 7
  • 6
  • 4
17 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 6374073
DNS is crtical in a DC.

Search the MS site for the error you got ,
and

these may help !!

http://www.microsoft.com/windows2000/library/planning/pds-cnwsdtoc.asp
http://www.microsoft.com/ISN/deployment.asp

This pages covers everything needed to deploy win2k.
http://dsg.rte.microsoft.com/  - diagnostic guide for win2k
There is also a kit you can download to test to see if your hardware is compatible in case it does not show up in the hardware compatibility list.
I hope this helps.
http://www.microsoft.com/windows2000/upgrade/compat/default.asp

 These links will you perform the upgrade from NT to win2k
                   http://www.microsoft.com/TechNet/win2000/w2ksrupg.asp
                   http://www.microsoft.com/TechNet/win2000/dguide/home.asp


http://www.microsoft.com/windows2000/techinfo/planning/walkthroughs/default.asp

 While searching for a generic document describing Win2K security
services (which I found at
http://www.microsoft.com/windows2000/library/howitworks/security/sectech.asp

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/howto/default.asp
How to information for IT people IT solutions

---------------

I hope this helps !
0
 
LVL 25

Expert Comment

by:dew_associates
ID: 6374733
IIRoberto, is this a new server to the domain or domain forest? Was this a BDC recently promoted to a PDC? If yes, have you run Dcpromo.exe to finish the installation?

Dennis
0
 

Author Comment

by:IlRoberto
ID: 6375211
Hi all,

No this is an existing PDC...
Everything works (got two other servers connected in the same domain) and they can communicate, logon, etc.

Best regards,

Robby
0
 
LVL 25

Expert Comment

by:dew_associates
ID: 6375486
Robby,

This may help as a point of reference.

http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

http://www.windows2000faq.com/

Is the only server with this problem?

Is AD setup correctly?

0
 
LVL 63

Expert Comment

by:SysExpert
ID: 6375621
Did you check all the event logs ?

Is there anything unusual there ?

Did you change any permissions or policies recently ?

I hope this helps !
0
 

Author Comment

by:IlRoberto
ID: 6375716
Hi all,

Allready, thanks or the support!

AD is setup correctly (I think).  I log on on another computer, member of this domain, I have no problem.  I dowloaded the dc diagnostic tool of the MS site to see if the PDC (and DNS) meet all the requirements ans it passes all test but one.  Apparantly the netlogon test did not work, allthough the service is up and running and right is given to the administrator...

The error the diagnostic tool gives is this:

Starting test : NetLogons
WARNING: BUILTIN\Administrators did not have the "Access this computer from network" right.
An net use LSAPolicy operation failed  with error 1, incorrect function.
Failed test NetLogons

This could explain the error I had when I tried to add a user:
"cannot set password for user.  The network location cannot be found".

Hope this helps you to tackle my problem.

Thanks!

Best regards

0
 
LVL 63

Expert Comment

by:SysExpert
ID: 6375780
Can you add a user from the win2k Server console itself ( not over the network ! ).

If yes then you need to add the permission that allows the administrator to log on from the network as mentioed above.

I would check the policies, and the MS site for this type of access and error message.
I hope this helps !
0
 
LVL 25

Expert Comment

by:dew_associates
ID: 6375887
Robby,

You need to set the local security authority on that server. Now keep in mind, that if this server is an upgrade from NT4, you'll need to be careful.

See Q279664 in the Microsoft Knowledge Base for setting up admin and user rights in Win2k. Remember, unlike NT4, Wi2k uses Kerbos for authentication.

Dennis
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 

Author Comment

by:IlRoberto
ID: 6376235
Hi all,

I have verified my security templates and there at local policies - user rights, the administrators group has this right (database setting is checked).

I am very puzzled...

Could this have something to do with DNS, as I am not a DNS expert... (network location not found error as stated above and I know W2K uses DNS to find computers etc.)
I am trying to add the user on the PDC machine.

In DNS I have under foward lookup zones:
.
6BountyHuntersForVader (this is my domain).

In this zone I can see my computername appearing twice as host for the 2 IP's assigned to my 2 NIC's

I added to the reverse lookup zoned these IP's, so I have there:

192.168.0.x subnet
212.123.230.x subnet

I think this is enough?

All help is again welcome!

Best regards,

Robby

0
 
LVL 25

Expert Comment

by:dew_associates
ID: 6376538
Robby, it's not authenticating your users. This has nothing to do with DNS.

Use the references I gave you above and sort out your user authentication.
0
 

Author Comment

by:IlRoberto
ID: 6376923
Hi Dennis,

If it is not authenticating the users, why is it then possible to logon?

Best regards,

Robby
0
 

Author Comment

by:IlRoberto
ID: 6376933
Aha, some etra info.

I have been going overthe logs and found these entries 'repeatedly' in the application log:

"The Group Policy client-side extension security was passed flags (17) and returned a failure."

"Secutity Policy cannot be propagated.  Cannot access the template.  Error code=3."

Best regards,

Robby
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 6377186
0
 
LVL 25

Accepted Solution

by:
dew_associates earned 150 total points
ID: 6377613
Robby, check these knowledge base articles:

Q279324; Q247482; Q256000; Q259398; Q260715; Q271213; Q278316; Q285903; Q285923; Q290647
0
 
LVL 25

Expert Comment

by:dew_associates
ID: 6424202
Robby, how are you doing with this?
0
 
LVL 25

Expert Comment

by:dew_associates
ID: 6468573
Robby?
0
 

Author Comment

by:IlRoberto
ID: 6841246
Hi all,

Sorry for getting back so late on this.  I have been testing and tweaking and now when I run dcdiag /v I get this:


Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine bobafett, is a DC.
   * Connecting to directory service on server bobafett.
   * Collecting site info.
   * Identifying all servers.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: SG6-RDAM\BOBAFETT
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... BOBAFETT passed test Connectivity

Doing primary tests
   
   Testing server: SG6-RDAM\BOBAFETT
      Starting test: Replications
         * Replications Check
         ......................... BOBAFETT passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=6BountyHuntersForVader
         * Security Permissions Check for
           CN=Configuration,DC=6BountyHuntersForVader
         * Security Permissions Check for
           DC=6BountyHuntersForVader
         ......................... BOBAFETT passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         * Warning BUILTIN\Administrators did not have the "Access this computer
         *   from network" right.
         [BOBAFETT] An net use or LsaPolicy operation failed with error 1, Incorrect function..
         ......................... BOBAFETT failed test NetLogons
      Starting test: Advertising
         The DC BOBAFETT is advertising itself as a DC and having a DS.
         The DC BOBAFETT is advertising as an LDAP server
         The DC BOBAFETT is advertising as having a writeable directory
         The DC BOBAFETT is advertising as a Key Distribution Center
         The DC BOBAFETT is advertising as a time server
         The DS BOBAFETT is advertising as a GC.
         ......................... BOBAFETT passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=BOBAFETT,CN=Servers,CN=SG6-RDAM,CN=Sites,CN=Configuration,DC=6BountyHuntersForVader
         Role Domain Owner = CN=NTDS Settings,CN=BOBAFETT,CN=Servers,CN=SG6-RDAM,CN=Sites,CN=Configuration,DC=6BountyHuntersForVader
         Role PDC Owner = CN=NTDS Settings,CN=BOBAFETT,CN=Servers,CN=SG6-RDAM,CN=Sites,CN=Configuration,DC=6BountyHuntersForVader
         Role Rid Owner = CN=NTDS Settings,CN=BOBAFETT,CN=Servers,CN=SG6-RDAM,CN=Sites,CN=Configuration,DC=6BountyHuntersForVader
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=BOBAFETT,CN=Servers,CN=SG6-RDAM,CN=Sites,CN=Configuration,DC=6BountyHuntersForVader
         ......................... BOBAFETT passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 1604 to 1073741823
         * bobafett.6BountyHuntersForVader is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1104 to 1603
         * rIDNextRID: 1161
         * rIDPreviousAllocationPool is 1104 to 1603
         ......................... BOBAFETT passed test RidManager
      Starting test: MachineAccount
         * SPN found :LDAP/bobafett.6BountyHuntersForVader/6BountyHuntersForVader
         * SPN found :LDAP/bobafett.6BountyHuntersForVader
         * SPN found :LDAP/BOBAFETT
         * SPN found :LDAP/bobafett.6BountyHuntersForVader/6BOUNTYHUNTERSF
         * SPN found :LDAP/97209c82-5a63-4b17-85e8-e6ba2fd68e79._msdcs.6BountyHuntersForVader
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/97209c82-5a63-4b17-85e8-e6ba2fd68e79/6BountyHuntersForVader
         * SPN found :HOST/bobafett.6BountyHuntersForVader/6BountyHuntersForVader
         * SPN found :HOST/bobafett.6BountyHuntersForVader
         * SPN found :HOST/BOBAFETT
         * SPN found :HOST/bobafett.6BountyHuntersForVader/6BOUNTYHUNTERSF
         * SPN found :GC/bobafett.6BountyHuntersForVader/6BountyHuntersForVader
         ......................... BOBAFETT passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
            Dnscache Service is stopped on [BOBAFETT]
         * Checking Service: NtFrs
            NtFrs Service is stopped on [BOBAFETT]
         * Checking Service: IsmServ
            IsmServ Service is stopped on [BOBAFETT]
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: RPCLOCATOR
            RPCLOCATOR Service is stopped on [BOBAFETT]
         * Checking Service: w32time
         * Checking Service: TrkWks
            TrkWks Service is stopped on [BOBAFETT]
         * Checking Service: TrkSvr
            TrkSvr Service is stopped on [BOBAFETT]
         * Checking Service: NETLOGON
         * Checking Service: Dnscache
         * Checking Service: NtFrs
            SMTPSVC Service is stopped on [BOBAFETT]
         ......................... BOBAFETT failed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         BOBAFETT is in domain DC=6BountyHuntersForVader
         Checking for CN=BOBAFETT,OU=Domain Controllers,DC=6BountyHuntersForVader in domain DC=6BountyHuntersForVader on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=BOBAFETT,CN=Servers,CN=SG6-RDAM,CN=Sites,CN=Configuration,DC=6BountyHuntersForVader in domain CN=Configuration,DC=6BountyHuntersForVader on 1 servers
            Object is up-to-date on all servers.
         ......................... BOBAFETT passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service Event log test
         The SYSVOL has been shared, and the AD is no longer
         prevented from starting by the File Replication Service.
         ......................... BOBAFETT passed test frssysvol
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... BOBAFETT passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x0000044C
            Time Generated: 03/05/2002   11:51:09
            Event String: Initialization of Notify Failed.
         An Error Event occured.  EventID: 0x8000003E
            Time Generated: 03/05/2002   11:51:46
            Event String: This Machine is a PDC of the domain at the root

of the forest. Configure to sync from External

time source using the net command,  'net time

/setsntp:<server name>'.
         ......................... BOBAFETT failed test systemlog
   
   Running enterprise tests on : 6BountyHuntersForVader
      Starting test: Intersite
         Skipping site SG6-RDAM, this site is outside the scope provided by the

         command line arguments provided.
         ......................... 6BountyHuntersForVader passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\bobafett.6BountyHuntersForVader
         Locator Flags: 0xe00001fd
         PDC Name: \\bobafett.6BountyHuntersForVader
         Locator Flags: 0xe00001fd
         Time Server Name: \\bobafett.6BountyHuntersForVader
         Locator Flags: 0xe00001fd
         Preferred Time Server Name: \\bobafett.6BountyHuntersForVader
         Locator Flags: 0xe00001fd
         KDC Name: \\bobafett.6BountyHuntersForVader
         Locator Flags: 0xe00001fd
         ......................... 6BountyHuntersForVader passed test FsmoCheck

As you can see, I have executed this on the DC machine.  All is configured correctly (AD, DNS, ...).
The error at the netlogons section is still appearing:
Warning BUILTIN\Administrators did not have the "Access this computer
         *   from network" right.
I am at the end now,... I do not know how to continue with this...

Best regards,

Robby
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Hyena v12.2 is now available for downloading and is available in English, French, German and Spanish versions.
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now