chole
asked on
small business server
When I run dcdiag on the SBS server I get "can't find a time server". Also, when I try to join the domain, XP clients can't join; it says it can't find a domain invoice.local, but nslookup works fine and the DNS, pulling my hair out.
Are your service records available in DNS? Is the client using DNS? Almost guarantee it's a DNS issue. (I HATE DNS).
You can reregister the service records by executing the following command from a command prompt:
net stop netlogon & net start netlogon
leew
If your machines are able to resolve the domain then there are only 2 likely causes:
1. The Time on the Server is more than a few minutes (4-5) different from that on the workstations.
Use NET TIME \\servername /SET /YES on a workstation and retry joining the domain.
If this works then you will be able to do the same on every other workstation.
2. The DNS records for your domain may be missing
Make sure that the DNS settings for your server and ALL workstations and other servers are pointing to the SBS server (IE your INTERNAL DNS).
Make sure that the AD ZONE hosted by your SBS/DNS Server contains the _MSDCS records and that it is set to allow dynamic updates.
Run these commands at the SBS Server:
IPCONFIG /FLUSHDNS
IPCONFIG /REGISTERDNS
Stop and Restart the NETLOGON SERVICE as described by leew
Recheck the DNS ZONE for your AD for those service records and if they are in place retry joining the domain.
Cheers
JamesDS
Not being able to find a time server doesn't suggest his SBS server is significantly off. However, you are of course correct (once had a Windows update problem because the time was SOOOO off, but Kerberos is dependent on all systems having a similar GMT time (which is adjusted automatically based on Time Zone).
I have frequently seen W32Time errors indicating an unavailable time server and it has nothing to do with the clocks being seriously out of sync.
Actually, what chole might want to try to resolve the time server error is:
net time /querysntp
to determine what server is designated as a time server. I use sundial.columbia.edu, but you can generally use any of those listed here:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262680
leew
AD doesn't care if the time on the SBS domain controller is off. Indeed, it doesn't matter so long as the differential time between the server and the workstations is within a few minutes so Kerberos can authenticate the hardware.
Windows Update has nothing to do with Kerberos authentication of machines attempting to join a domain.
Given that SBS comes with ISA, I thought it unwise to begin tackling external timesyncing without getting into potentially complex discussions on opening ports on the firewall. For the moment simply having the workstations set to within a few minutes of the server (regardless of timezone) will be sufficient to move on to the next stage (address possible DNS issues).
I'll stick up another post here to help you diagnose timesync problems.
Cheers
JamesDS
leew
Fixing timesync is different according to the machine type...
If it's a Member Server, standard Domain Controller (not a PDCEmulator) or standard workstation then behave as if it's a member server (below).
If it's a PDCEmulator then make sure you allow port 123 TCP/UDP outbound on your firewall and configure the external Microsoft time service by entering this at the command line:
NET TIME /SETSNTP:time.windows.com
If it's a workstation, member server or a standard Domain Controller:
Members of the Active Directory sync with their local DC (local as in local AD site). The DCs then sync with the PDCEmulator, so the PDCE is the root of all time - as it were!
Diagnosis of timesync errors is difficult, but do not be tempted to use NET TIME /SETSNTP: on all machines in the domain (as suggested to many questions like this one, unless it's a PDCE), as it specifically overrides the natural internal operation of the time service within Active Directory.
These commands are written for Windows 2003 and Windows XP. There are some equivalents for Windows 2000; use W32tm /? or W32Time /? from the command line to look for alternatives on older OSs.
Use NET TIME /SETSNTP:
to clear any entry and return to the default settings
Use NET TIME /SET /YES
to synch NOW with your authenticating DC and begin the diagnosis:
Start by verifying your domain is synching AD by using REPLMON.EXE in the support tools pack on the Windows installation CD.
If this is OK then run this from the command line:
W32TM /monitor
to ensure that each member server/workstation is actually pointing to a DC.
If this is OK then run this from the command line:
W32TM /resync /rediscover
followed by:
W32TM /resync /nowait
and check the system eventlog for W32TIME errors. This process does a full reset and recheck of the time system as it relates to one member machine on your AD.
Post any errors here
Explanation of why it doesn't always instantly set the right time:
Timesync works as follows:
If the local clock time of the time client is behind the current time received from the time server, W32Time will change the local clock time immediately.
If the local clock time of the time client is more than three minutes ahead of the time on the time server, W32Time will change the local clock time immediately.
If the local clock time of the time client is less than three minutes ahead of the time on the server, W32Time will quarter or halve the clock frequency for long enough to bring the clocks into sync. If the client is less than 15 seconds ahead, it will halve the frequency; otherwise, it will quarter the frequency. The amount of time the clock spends running at an unusual frequency depends on the size of the offset that is being corrected.
W32Time will periodically check its local time with the current time by connecting to the time source. This process starts as soon as the service turns on during system start-up. W32Time attempts synchronization every 45 minutes until the clocks have successfully synchronized three times. When the clocks are correctly synchronized, W32Time then synchronizes at eight-hour intervals, unless there is a failure to obtain a timestamp, or a validation failure. If there is a failure, the process starts over from the beginning.
Set it by hand (or with the command NET TIME /SET /YES) as close as you can and then simply leave it to sort itself out.
Cheers
JamesDS
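Added example, not part of the original thread and not W32Time's own code: a small Python model of the correction and polling rules described in the post above, showing how long a slewed clock takes to converge and whether an offset is large enough to block a domain join. The function names are hypothetical, and the 300-second join tolerance is an assumption taken from the upper end of the thread's "4-5" minutes.

```python
from dataclasses import dataclass

STEP_IF_AHEAD_BY_S = 180   # post: "more than three minutes ahead" -> set immediately
HALVE_BELOW_S = 15         # post: "less than 15 seconds ahead" -> halve, else quarter
FAST_POLL_MIN = 45         # post: every 45 minutes until three good syncs
SLOW_POLL_MIN = 8 * 60     # post: then every eight hours
JOIN_TOLERANCE_S = 300     # assumption: upper end of the thread's "4-5" minutes


@dataclass(frozen=True)
class Correction:
    action: str           # "none", "step", "halve" or "quarter"
    slew_seconds: float   # real time spent running at the reduced frequency


def plan_correction(offset_s):
    """offset_s is client clock minus time-server clock, in seconds."""
    if offset_s == 0:
        return Correction("none", 0.0)
    # Behind the server, or far ahead of it: the clock is set in one step.
    if offset_s < 0 or offset_s > STEP_IF_AHEAD_BY_S:
        return Correction("step", 0.0)
    # Slightly ahead: run slow until the server catches up. At half frequency
    # the gap closes by 0.5 s per real second, at quarter frequency by 0.75 s.
    # (Exactly three minutes is not covered by the post; treated as a slew.)
    if offset_s < HALVE_BELOW_S:
        return Correction("halve", offset_s / 0.5)
    return Correction("quarter", offset_s / 0.75)


def next_poll_minutes(history):
    """history: sync results, oldest first, True = success.
    Any failure restarts the count of consecutive good syncs."""
    streak = 0
    for ok in history:
        streak = streak + 1 if ok else 0
    return SLOW_POLL_MIN if streak >= 3 else FAST_POLL_MIN


def skew_blocks_join(offset_s):
    """True when the offset alone is enough to make Kerberos refuse the join."""
    return abs(offset_s) > JOIN_TOLERANCE_S


if __name__ == "__main__":
    # Constructed offsets in seconds (negative = client behind the server).
    for offset in (-600, 10, 90, 170, 240, 600):
        print(offset, plan_correction(offset), skew_blocks_join(offset))
```

A workstation 90 seconds fast is never stepped: under these rules it runs at quarter speed for two minutes, which is why the post says to set the clock by hand and then leave it alone.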
ASKER
this is what i get if i run dcdiag/v
This SBS server is on the same network as the Windows 2003 server which issues the IP address.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\Administrator>dcdiag/s
Invalid Syntax: Invalid option /s. Use dcdiag.exe /h for help.
C:\Documents and Settings\Administrator>dcdiag/v
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine accounts, is a DC.
* Connecting to directory service on server accounts.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\ACCOUNTS
Starting test: Connectivity
* Active Directory LDAP Services Check
The host 8407b8ae-2e1f-46b7-a1be-f6e43f562c83._msdcs.invoicedept.local
could not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name
(8407b8ae-2e1f-46b7-a1be-f6e43f562c83._msdcs.invoicedept.local)
couldn't be resolved, the server name (accounts.invoicedept.local)
resolved to the IP address (192.168.1.8) and was pingable. Check that
the IP address is registered correctly with the DNS server.
......................... ACCOUNTS failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\ACCOUNTS
Skipping all tests, because server ACCOUNTS is
not responding to directory service requests
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: VerifyReplicas
Test omitted by user request: VerifyEnterpriseReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : invoicedept
Starting test: CrossRefValidation
......................... invoicedept passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... invoicedept passed test CheckSDRefDom
Running enterprise tests on : invoicedept.local
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... invoicedept.local passed test Intersite
Starting test: FsmoCheck
GC Name: \\accounts.invoicedept.local
Locator Flags: 0xe00001bd
PDC Name: \\accounts.invoicedept.local
Locator Flags: 0xe00001bd
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
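Added example, not part of the original thread: a Python triage of `dcdiag /v` text that pulls out the failed tests, the names that did not resolve and the locator errors, then maps them to the checks the answers in this thread recommend. The sample is constructed from a few lines of the output posted above; `triage` and `next_steps` are hypothetical names.

```python
import re

# Constructed sample: a few lines of the dcdiag /v output posted above,
# with the spaces that extraction inserted into long names removed.
SAMPLE = r"""
   Testing server: Default-First-Site-Name\ACCOUNTS
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         The host 8407b8ae-2e1f-46b7-a1be-f6e43f562c83._msdcs.invoicedept.local
         could not be resolved to an
         IP address. Check the DNS server, DHCP, server name, etc
         ......................... ACCOUNTS failed test Connectivity
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: FsmoCheck
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
"""

RESULT = re.compile(r"\.{5,}\s+(\S+) (passed|failed) test (\S+)")
UNRESOLVED = re.compile(r"The host (\S+)\s+could not be resolved")
LOCATOR = re.compile(r"DcGetDcName\((\w+)\) call failed, error (\d+)")


def triage(text):
    """Return failed tests, unresolved host names and DC locator errors."""
    failed = [(m.group(1), m.group(3)) for m in RESULT.finditer(text)
              if m.group(2) == "failed"]
    unresolved = UNRESOLVED.findall(text)
    locator = [(role, int(code)) for role, code in LOCATOR.findall(text)]
    return {"failed": failed, "unresolved": unresolved,
            "locator_errors": locator}


def next_steps(findings):
    """Map findings to the checks suggested by the answers in this thread."""
    steps = []
    if any("._msdcs." in name.lower() for name in findings["unresolved"]):
        steps.append("DNS: confirm the server points at its own internal DNS, "
                     "run IPCONFIG /REGISTERDNS, restart NETLOGON, then "
                     "recheck the _msdcs records in the AD zone")
    if any(role == "TIME_SERVER" for role, _ in findings["locator_errors"]):
        steps.append("Time: no time server was located; fix time sync on "
                     "the PDC emulator before the other machines")
    return steps


if __name__ == "__main__":
    found = triage(SAMPLE)
    print(found)
    for step in next_steps(found):
        print("-", step)
```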
ASKER CERTIFIED SOLUTION
ASKER
Hi James, ran netdiag/fix, this was the outcome.
Also ran dcdiag/c, still can't find a time server. Any ideas on how to overcome this? The Windows 2003 server is a time server but my Small Business edition won't pick it up. Thanks for the help.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\Administrator>netdiag/fix
......................................
Computer Name: ACCOUNTS
DNS Host Name: accounts.invoicedept.local
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
List of installed hotfixes :
KB819696
KB822132
KB822742
KB822743
KB822744
KB822745
KB822925
KB823182
KB823353
KB823559
KB823980
KB824073
KB824105
KB824139
KB824141
KB824146
KB825117
KB825119
KB826238
KB826936
KB828035
KB828741
KB830352
KB835732
KB837001
KB839643
KB839645
KB840315
KB840374
KB867801
Q147222
Q828026
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Server Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : accounts
IP Address . . . . . . . . : 192.168.1.8
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.1.1
Primary WINS Server. . . . : 192.168.1.8
Dns Servers. . . . . . . . : 192.168.1.8
192.168.1.3
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
No remote names have been found.
WINS service test. . . . . : Passed
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{4C99058C-19ED-4F63-AF18-5AF7DE588CA7}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '192.168.1.8'.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{4C99058C-19ED-4F63-AF18-5AF7DE588CA7}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{4C99058C-19ED-4F63-AF18-5AF7DE588CA7}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully
chole
Looks like your missing DNS entries are now fixed.
SBS insists that it is the PDCEmulator in any domain and all DCs look to the PDCE for timesync.
So, to sort timesync out, treat the SBS box as the PDCE and look at the post I wrote earlier on fixing timesync
Cheers
JamesDS
ASKER
thanks james all working ok now
chole
Very welcome, glad to help
Cheers
JamesDS