Solved

Domain server not operational  windows 2000 server

Posted on 2004-04-01
Last Modified: 2010-04-12
I am running two domains in a school environment named BTL and MCS.  The BTL domain has been experiencing some issues, but the main problem to date is that when I try to add users to a mcs resource (such as a printer) to allow users from the BTL domain to be able to add this printer, it searches for a while and then I get an error "Cannot display objects from this location because of the following reason:  The server is not operational."  Has anyone seen this issue before and, if so, can it be resolved?
Question by:manch03
27 Comments
 

Author Comment

by:manch03
ID: 10733955
One more thing - The BTL  domain controller is the main server for this domain.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10733963
Usually this is caused by not publishing the printers in AD...    hmm

found a link to help you:

http://www.jsiinc.com/SUBF/TIP2600/rh2647.htm
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10734000
And, what other things are you seeing...??  Again, with this problem occurring, I would expect to see other errors, such as in the logon process...??

Have you run any network diag tests on this server..??  It could even be DNS causing the problem so make sure you ck it to make sure it is enumerating the zones correctly..

DCDiag and NetDiag in Windows 2000 Facilitate Domain Join and DC Creation:

http://support.microsoft.com/?kbid=265706

HOW TO: Use the Network Diagnostics Tool (Netdiag.exe) in Windows 2000:

http://support.microsoft.com/?kbid=321708

Description of the DNSLint Utility and dnslint.exe dnload:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;321045
0
 

Author Comment

by:manch03
ID: 10734118
I am not seeing any other issues except some group policy problems, but that is a different story.    I have not run any network diag tests on the server, but you may be onto something with the DNS suggestion.  I will check this out.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10734327
Yea..  DNS can result in a variety of issues if not enumerating correctly..  Let us know what you find there..

FE
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10735217
When publishing printers you are creating a printer object in the AD. Objects are controlled by the infrastructure master FSMO role, which delegates a small pool of object IDs to each DC to use. If the DC runs out of object IDs it asks the IM role server for more.

So, if you're having trouble adding printers, it suggests that your IM is down and the other DCs have run out of pool IDs to give out.

Check your IM Server by opening up the Users and Computers snap-in and right-clicking on the domain. Select Operations Masters and the Infrastructure Master tab. That tells you which server is having the issue.

Go to your problem server and check its DNS settings. If it's pointing to the right place, type the following at its command line:

IPCONFIG /FLUSHDNS
IPCONFIG /REGISTERDNS

If that does not fix the issue then try transferring the IM role to another DC in the domain and trying again.

If your problem is adding to security groups, then it suggests that your GC is no longer available. Use the Sites and Services tool to look at each DC and check to see if it is a GC. Anything you change should be followed up with the above IPCONFIG commands at each DC in question.

Let us know how you get on

Cheers

JamesDS
0
 

Author Comment

by:manch03
ID: 10735871
I ran a dcdiag and apparently the dns is having some difficulty - I am going to type the output:

command prompt typed  dcdiag

Testing server:  btl\srvmcsbtl
starting test: connectivity
   SRVMCSBTL's server guid dns name could not be resolved to an IP address.  Check the DNS server, DHCP, server name, etc.
    Although the Guid DNS name (7d396500-849d-........_msdcs.btl.k12.mi.us) could not be resolved, the server name (BTLMCSBTL.btl.k12.mi.us) resolved to the IP address (10.1.0.32) and was pingable.  Check that the IP address is registered correctly with the DNS server..... srvmcsbtl failed test connectivity.

I have checked all the nic card properties and the ip address is correct.  Can you give me a clue where to begin to look for what is wrong?

I looked in my dns and everything looks correct - that server shows up.  Something strange though - under my   Reverse Lookup Zone  - subnet   There is a list of the Start of authority, etc. but there are no dns entries under that.  In my other servers, I see a list of folders for the subnets and then if I click on those folders, all of my ip addresses are listed under the sub folders (the computers in the domain).  In this one there is nothing except for the Start of Authority, etc. lists.

0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10736158
Here is a great link to MS's everything you want to know about DNS...  Am on my way out of the office, but will ck back in after dinner..

http://support.microsoft.com/?kbid=298448
0
 
LVL 16

Accepted Solution

by:
JamesDS earned 500 total points
ID: 10736608
Right then, your DNS is not replicating and that seems to be the root cause (as are most problems with AD)

Go to your problem server and check its DNS settings. If it's pointing to the right place, type the following at its command line:

IPCONFIG /FLUSHDNS
IPCONFIG /REGISTERDNS

Restart the DNS service and check the system and DNS event logs every 15 minutes to see if replication is working.

Cheers

JamesDS
0
 

Author Comment

by:manch03
ID: 10955498
I apologize I have been away from this question - I did do the ipconfig /flushdns command and I am getting a ton of DNS errors - DNS not operational.  Help!
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10957570
manch03
Are you going to tell us what the errors are?

Cheers

JamesDS
0
 

Author Comment

by:manch03
ID: 10958755
Yes - I was in a hurry last night and could not get into details, but here are the errors:

Registration of the dns record' _gc._tcp.btl._sites.btl.k12.mi.us 600 IN SRV 0 100 3278 SRVMCSBTL.btl....failed with the following error:  DNS operation refused.

There are hundreds of these in the system log.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10958910
Just a thought, but what if we delete the entries in the Forward Lookup Zone and start over..??  eh, James..??  Or is there a better way to approach this..??
0

 
LVL 16

Expert Comment

by:JamesDS
ID: 10958971
Fatal_Exception/Manch03

We could fry the zone for btl.k12.mi.us but I don't think it will fix it.

I think that the DNS server is trying to register its record in a zone that it has no rights over.

Either, this is because the zone only allows secure updates and the server is in the wrong domain
Or, the zone is configured to not allow any updates

I would check that the zone is configured to allow insecure updates and while we are there is also configured to allow zone transfers to any server.

After this has been confirmed we need to restart the DNS service on that server and try the IPCONFIG commands mentioned earlier again.

Cheers

JamesDS
0
 

Author Comment

by:manch03
ID: 10959636
Would you give me more specifics on this?  Where do I check all of this? I am in the DNS in the Forward Lookup Zones.  Where do I go from there?  

I did reactivate a 2nd server on this domain, btl1, some time ago.  I checked the zone transfers - there were no boxes checked.  I believe because I only had this one server on the domain I did not do any zone transfers.  Now that I have a second domain controller, is that the reason I am getting the server not operational error?
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10959687
manch03
On the general tab of the zone properties look for the dynamic updates section and select insecure or all updates

On the zone transfers tab, select allow to any server

Are you running DNS as AD integrated? (look on the general tab in the zone properties)

Cheers

JamesDS
0
 

Author Comment

by:manch03
ID: 10959971
Yes running DNS as AD integrated.  Did all the above - I guess I just wait for 15 minutes for any errors to show up again.  Have not received a netlogon error since 9:54 a.m.  - it is now 10:18 a.m.  On the general tab it was selected for only secure updates -I changed that and I changed zone transfers to any server.
0
 

Author Comment

by:manch03
ID: 10961540
Ok - now I am getting a shorter error message:

Registration of the DNS record 'btl.k12.mi.us. 600 IN A 10.1.0.32' failed with the following error:
DNS operation refused.

The .32 is the server ip address
0
 

Author Comment

by:manch03
ID: 10961556
In the DNS log I got an error stamped at  10:18 a.m.  This error has not repeated since I made the above changes.

The DNS server encountered a packet addressed to itself -- IP address 10.1.0.32.
 
The DNS server should never be sending a packet to itself.  This situation usually indicates a configuration error.
 
Check the following areas for possible self-send configuration errors:
  1) Forwarders list. (DNS servers should not forward to themselves).
  2) Master lists of secondary zones.
  3) Notify lists of primary zones.
  4) Delegations of subzones.  Must not contain NS record for this DNS server unless subzone is also on this server.
 
Example of self-delegation:
  -> This DNS server dns1.foo.com is the primary for the zone foo.com.
  -> The foo.com zone contains a delegation of bar.foo.com to dns1.foo.com,
  (bar.foo.com NS dns1.foo.com)
  -> BUT the bar.foo.com zone is NOT on this server.
 
Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result.  If found, the subzone DNS server admin should remove the offending NS record.
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10963065
manch03
Are you trying to host an AD integrated zone on a server that is NOT in the same domain, but in one of its children?

IE DNS Server is member of A.Local and hosting an AD integrated zone of B.A.Local where domain B.A.Local is a child of domain A.Local

This will cause the exact error you describe.

Cheers

JamesDS
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10963188
Nice one James..  never knew that..  I need to hang around you more often..  :)
0
 

Author Comment

by:manch03
ID: 10963238
No this is not a child - this is the primary domain controller, but the primary dns server is on another domain.  

I am getting this error again in the system log:

Registration of the DNS record 'gc._msdcs.btl.k12.mi.us. 600 IN A 10.1.0.32' failed with the following error:
DNS operation refused.  
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10963296
Fatal_Exception

bitter experience
6 domains, 1 parent, 385 live AD DC/DNS/GC servers, 35000 users, 200 sites, 110 countries, 1 Technical Architect :)

You only ever see the error "Registration of the DNS record 'gc._msdcs.btl.k12.mi.us. 600 IN A 10.1.0.32' failed with the following error: DNS operation refused" when the primary DNS server hosting the zone for btl.k12.mi.us is not configured to allow dynamic update.

Turn that on and this error will no longer appear.

Cheers

JamesDS
0
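An added example, not part of the original thread: with hundreds of these events in the System log, it helps to collapse them into the distinct records whose dynamic update was refused and to separate DC locator records from plain host records. The message layout is taken from the events quoted above; the sample list is constructed and the SRV target is a placeholder.

```python
import re
from collections import Counter

EVENT_RE = re.compile(
    r"Registration of the DNS record\s*'(?P<rr>[^']+)'\s*"
    r"failed with the following error:\s*(?P<err>.+)", re.S)

def parse_event(text):
    """Parse one failed-registration message; return None for any other event."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    fields = m.group("rr").split()
    # Expect: owner, TTL, class, type, then at least one rdata field.
    if len(fields) < 5 or not fields[1].isdigit():
        return None
    owner, ttl, _rclass, rtype = fields[:4]
    rdata = fields[4:]
    rec = {
        "owner": owner.rstrip(".").lower(),
        "ttl": int(ttl),
        "type": rtype.upper(),
        "error": " ".join(m.group("err").split()).rstrip("."),
        # Labels starting with "_" (_msdcs, _tcp, _sites) mark DC locator records.
        "locator": any(label.startswith("_") for label in owner.split(".")),
    }
    if rec["type"] == "SRV" and len(rdata) == 4 and all(f.isdigit() for f in rdata[:3]):
        rec.update(priority=int(rdata[0]), weight=int(rdata[1]),
                   port=int(rdata[2]), target=rdata[3].rstrip(".").lower())
    else:
        rec["rdata"] = " ".join(rdata)
    return rec

def summarize(messages):
    """Collapse repeated failures into a Counter keyed by (owner, type, error)."""
    parsed = filter(None, map(parse_event, messages))
    return Counter((r["owner"], r["type"], r["error"]) for r in parsed)

# Constructed sample: the A records are those quoted in the thread; the SRV target is a placeholder.
SAMPLE_EVENTS = [
    "Registration of the DNS record 'btl.k12.mi.us. 600 IN A 10.1.0.32' failed with the following error:\nDNS operation refused.",
    "Registration of the DNS record 'gc._msdcs.btl.k12.mi.us. 600 IN A 10.1.0.32' failed with the following error:\nDNS operation refused.  ",
    "Registration of the DNS record 'gc._msdcs.btl.k12.mi.us. 600 IN A 10.1.0.32' failed with the following error: DNS operation refused.",
    "Registration of the DNS record '_ldap._tcp.btl.k12.mi.us. 600 IN SRV 0 100 389 dc.example.invalid.' failed with the following error: DNS operation refused.",
    "The DNS server encountered a packet addressed to itself -- IP address 10.1.0.32.",
]

if __name__ == "__main__":
    for (owner, rtype, error), n in summarize(SAMPLE_EVENTS).most_common():
        print(f"{n:3d}  {rtype:4s} {owner}  ->  {error}")
```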
 

Author Comment

by:manch03
ID: 10963850
I made this change earlier in the day - does it take some time to take effect?
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10964466
manch03
It will if your replication is knackered, which it will be if DNS isn't operational.

I'll look at this again tomorrow

Cheers

JamesDS
0
 

Author Comment

by:manch03
ID: 11033569
This worked.  I am no longer getting any dns errors.  I looked at my other servers on my domain and they were pointing to themselves for their own dns.  This one domain controller in a different domain (BTL) was pointing to the domain controller in the other domain (mcs) so that could have been the problem.  Anyway, everything seems to be working well now.
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 11037624
manch03
Excellent!

Thanks for the points

Cheers

JamesDS
0
