Solved

Windows 2003 DC logon problem

Posted on 2004-03-22
7
1,096 Views
Last Modified: 2010-04-19
Hello Everyone:

Here is the scenario:

I used to have 1 domain controller running Windows 2000 in my Windows Network. The web server, running IIS and windows 2000, was using domain users to control the anonymous access to every configured virtual website (i.e. MyDomain\IUSR_site1; MyDomain\IUSR_site1). Everything was working fine until I decided to add a secondary domain controller.

I decided this second domain controller to run Windows 2003. Installing and promoting this new server to domain controller went real smoothly.

The problem started 2 days after promoting the new server. I happen to had to restart the web server to apply new updates from Microsoft. Suddenly all my web sites started to display the “500 Internal Server Error”. The problem was easy to identify: the web server was unable to authenticate the IIS anonymous users in the domain. Errors messages like this were written to the Web Server Event Viewer:

The server was unable to logon the Windows NT account 'MyDomain\IUSR_site1' due to the following error: The specified procedure could not be found.  The data is the error code.

After trying different things with no success I decided to restart the Windows 2003 DC and 2 seconds after clicking the restart button everything started working and continued OK when the Window 2003 DC was back online. Now every time I have to restart the Web Server, or even the IIS service, I’m forced to restart the Windows 2003 DC too in order to get the web sites working again.

Any ideas of what might be causing this problem?
0
Comment
Question by:callico
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 11

Expert Comment

by:infotrader
ID: 10655544
I had the same problem.  I think the problem can be related to the placement of the FSMO:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223346

If you move the Global Catalog server to the DC that is hosting the IIS, you shouldn't have any problems.

- Info
0
 

Author Comment

by:callico
ID: 10658930
Thanks for your answer.

The problem is that the server running IIS 5 is not a DC.

I've found an article from somebody with exactly the same problem:
http://www.derkeiler.com/Newsgroups/microsoft.public.inetserver.iis.security/2003-08/1037.html

...
The authentication works properly when the content is static, a directory listing or a .htm file, but fails if I link to an asp page. Could it have something to do with how the asp
authenticates? Specifically, I'm trying to get this working with the Certificate Authority webpages.
...

Not a valid solution so far....
0
 
LVL 11

Accepted Solution

by:
infotrader earned 500 total points
ID: 10658958
Ok...  same concept, different machine.

If you move the Global Catalog server role to a different DC, you shouldn't have any problems.

- Info
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 

Author Comment

by:callico
ID: 10661494
All 5 FSMO Server roles have been transfered to the Windows 2000 DC.

I'm going to wait for a better time to stop and restart the IIS service and see if it works.

Quick question: Any idea why it wasn't working for the Windows 2003 server ?
0
 

Author Comment

by:callico
ID: 10664099
After moving all roles to the Windows 2000 DC the IIS is working the way it should even if it's restarted.

This is a good workaround but I'm still wondering why it was failing when the Windows 2003 was playing the FSMO roles.

Thanks a lot for for help.
0
 
LVL 11

Expert Comment

by:infotrader
ID: 10664449
It's actually NOT a good idea to load all of the FSMO on one computer.  Here's some light reading for you on ideal FSMO placement:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223346

The link below explains why you are having difficulty login on to resources when your GC is down.  To avoid this from happening (i.e. high-availability), you might want to consider having both DC to be your GC.  Here's some more reading for you:

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q216/9/70.ASP&NoWebContent=1

- Info
0
 

Author Comment

by:callico
ID: 10667977
NONE of my servers were down and this is exactly the problem and the original question:

Why the webserver running IIS 5 under windows 2000 was unable to negotiate logon users with the Windows 2003 DC ?
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question