Active Directory Problems - Cannot connect

Posted on 2004-09-26
Medium Priority
Last Modified: 2012-06-27
I am currently running a Windows Server 2003 machine with AD, Exchange, and web setup.  As of about 2 weeks ago, out of the blue, the machine decided that it will no longer connect to either exchange or AD - when I try to connect, I receive an error saying that the server is not operational.  What could this be???  The server is a domain controller within a forest, but has never had trouble connecting TO ITSELF.  I have checked for viruses over and over again and find nothing.  I have also installed DNS Server on the machine since some recommended that it might be the cause of the problem, but that did not help.  If anyone has any ideas, please let me know.
Question by:g12nirvana
LVL 16

Expert Comment

ID: 12157878
DNS is essential to the operation of AD and Exchange 2000/2003. If you installed it but did not configure it then this is almost certainly the cause of the issue.

Make sure that the DNS Services has a ZONE configured with the same name as your AD and that the zone allows updates, then configure the machine to point to itself ONLY for DNS and stop and restart the NETLOGON service. Look on the new DNS zone for _MSDCS records and if these are now present you are halfway there.



Author Comment

ID: 12157916
That is all currently setup on the server and _MSDCS exists.  

Also, why would this happen all of a sudden??? It has been running smoothly without DNS for several months and a few years before that as a 2000 DC.....
LVL 16

Expert Comment

ID: 12157985
Please post the output from IPCONFIG /ALL and NETDIAG

NETDIAG is provided with the support tools pack on the CD under \support.

AD cannot work properly without DNS, if it has been working then you have been somehow getting away with netbios name resolution and have been very lucky! However, I bet you had lots of red messages in your event logs all that time.


Author Comment

ID: 12158068
Here are the results from IPCONFIG:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : polybots-web
   Primary Dns Suffix  . . . . . . . : polybots.poly.edu
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : polybots.poly.edu

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : polybots.poly.edu
   Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
   Physical Address. . . . . . . . . : 00-01-02-46-E4-B8
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . :
   Primary WINS Server . . . . . . . :
   Secondary WINS Server . . . . . . :

As for NETDIAG - it kept freezing and gave me no results.

LVL 33

Expert Comment

ID: 12158811
As a test, can you try to connect to AD Users and Computers using a custom MMC instead of the normal Administrators tool.

1) Start --> Run --> Type MMC (on the Open line)
2) File --> Add/Remove Snapin
3) Add/Remove Snapin dialog box, choose ADD
4) Add the AD Users and Computer snapin

Now try to connect to AD using this snap-in.

(If this works, you may consider re-installing the admin tools (adminpak.msi) on the server CD.)

Thank you,

Joe Poandl  MCSE

LVL 16

Expert Comment

ID: 12158935

You should remove the DNS servers ,, If you must use external DNS Servers, then configure these as forwarders on the DNS Service itself.

Without the NETDIAG output I cannot proceed.

LVL 33

Expert Comment

ID: 12159116
Note:  I disagree with g12nirvana:

"You should remove the DNS servers ,, If you must use external DNS Servers, then configure these as forwarders on the DNS Service itself."

I don't believe that these additional DNS servers are EXTERNAL:,,

If these are indeed internal DNS servers, there is no issue.  If they are external ISP DNS servers, then I agree, you should remove these.

General Rule: All clients should point to internal DNS servers ONLY.  Internal DNS servers should then be configured to FORWARD to external ISP DNS servers.

Thank you,

Joe Poandl MCSE
LVL 16

Expert Comment

ID: 12159236

Thank you for disagreeing with my comment.
As you appear to be far more qualified than I, I will unsubscribe from this one and you can proceed with re-installing the adminpak - which I am sure will be most helpful.


LVL 33

Expert Comment

ID: 12159341
(touchy touchy...)  Calm down...your comments are helpful too.  Seeing how the primary DNS IP is the local machine, I'm sure contact to DNS is working.  It doesn't hurt to have other Internal DNS servers listed.  You are correct the EXTERNAL IP should NOT be listed.

Some other suggestions:

Starting Active Directory Users and Computers errors with 'The Server is not operational'?: http://www.jsifaq.com/SUBL/tip5800/rh5804.htm

"The Server Is Not Operational" Error Message in Active Directory Tools  http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B223321


This tip addresses the following behaviors on a Windows 2000 or Windows Server 2003 domain controller:
Dcdiag reports:
DC Diagnosis
Performing initial setup:
[DC1] LDAP bind failed with error 31

Running REPADMIN /SHOWREPS locally produces:
[D:\nt\private\ds\src\util\repadmin\repinfo.c, 389] LDAP error 82 (Local Error).

When you attempt to use network resources, including UNC and mapped drives, you receive:
No logon servers available (c000005e = "STATUS_NO_LOGON_SERVERS")

The Active Directory administration tools on the affected DC report one of the following:
Naming information cannot be located because: No authority could be contacted for authentication.

Naming information cannot be located because: Target account name is incorrect.

Outlook clients, authenticated by a working DC, who are connected to an Exchange Server that uses the affected DC for authentication, are prompted for credentials.

Netdiag displays:
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to <servername>.<fqdn> (<ip address>). [ERROR_DOMAIN_CONTROLLER_NOT_FOUND]
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for krbtgt/<fqdn>.
[FATAL] Kerberos does not have a ticket for <hostname>.
LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC <hostname>\<fqdn>

The System event log contains:
Type: Error
Event Source: Service Control Manager
Event ID: 7023
Description: The Kerberos Key Distribution Center service terminated with the following error:
The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation.

Work through the following procedures, in order, until the problem is resolved.
Correct any DNS configuration errors:
1. Open a command prompt and run the netdiag -v command. Resolve any DNS errors in the Netdiag.log file, created in the current folder.
NOTE: You can download the Windows 2000 Server Support Tools.

2. Make sure that the DNS address on the DC is pointing to itself, or another DNS server for your domain that supports SRV records and dynamic updates. You can configure forwarders to your ISP for Internet name resolution.

The following Microsoft Knowledge Base articles may be helpful:

291382 Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS.
237675 Setting up the Domain Name System for Active Directory.
254680 DNS namespace planning.
255248 How to create a child domain in Active Directory and delegate the DNS namespace to the child domain.

Make sure that time is synchronized:
There must be an authoritative time server in your domain. Make sure that time is synchronized between DCs, and clients are synchronizing time with a DC. See the following:
How do I configure an authoritative time server in Windows 2000?
How do I configure the Windows Time service on the Windows Server 2003 forest root PDC emulator?
Your domain controller does not locate a new time source server in Windows Server 2003?
How do I configure the Windows 2000 time service to log when time is adjusted?
How can I verify that a computer's time is synchronized with the authoritative time server for my domain?
How do I make my PDC emulator an authoritative time server for my domain without it synchronizing with a reliable time source?
Your Windows XP, or Windows Server 2003, does NOT synchronize its time with the domain time source?

Verify: Access this computer from the network:
Appropriate users must have the Access this computer from the network user right on the DC.
1. Open "%SystemRoot%\Sysvol\Sysvol\<Domainname>\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf" in Notepad.

2. The SeNetworkLogonRight line should contain the well known SID for Administrators, Authenticated Users, and Everyone. Add any that are missing.

SeNetworkLogonRight = *S-1-5-32-554,*S-1-1-0,*S-1-5-9,*S-1-5-11,*S-1-5-32-544

3. The SeDenyNetworkLogonRight is empty by default on Windows 2000 Server, and contains the SID for the Support_RandomString account, used by Remote Assistance, in Windows Server 2003.

4. Increment the group policy version in "%SystemRoot%\Sysvol\Sysvol\<Domainname>\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI".

5. Apply the policy:

Windows 2000 Server - secedit /refreshpolicy machine_policy /enforce
Windows Server 2003 - GPUpdate /Force

NOTE: You may have to check other policies to ensure any SeNetworkLogonRight and SeDenyNetworkLogonRight entries are proper.

Verify the userAccountControl attribute:
All DCs must have a value of 532480 in the userAccountControl attribute.
The easiest way to find any incorrect values is to run the following script:

@echo off
REM Delayed expansion is required: !uac! is read inside the for loop.
setlocal ENABLEDELAYEDEXPANSION
set OK=Y
REM Enumerate every DC by RDN, then read each one's userAccountControl.
for /f "Tokens=*" %%s in ('DSQUERY SERVER -O RDN') do (
 for /f "Skip=1 Tokens=*" %%a in ('dsquery * domainroot -filter "(&(objectCategory=Computer)(objectClass=Computer)(Name=%%s))" -attr userAccountControl -Limit 0') do (
  set uac=%%a
  REM Compare the first six characters of the value against the expected 532480.
  IF "!uac:~0,6!" NEQ "532480" (
   @echo %%s has an invalid userAccountControl attribute - %%a.
   set OK=N
  ) ELSE (
   @echo %%s has a valid userAccountControl attribute.
  )
 )
)
If "%OK%" EQU "Y" (
 @echo All domain controllers have a valid userAccountControl attribute.
) ELSE (
 @echo Fix the invalid userAccountControl attribute(s^) using ADSIEdit.msc.
)
endlocal
You can use ADSIEdit.msc to check, and change, the value:
1. Start / Run / adsiedit.msc / OK.

2. Expand the domain.

3. Expand the Domain Controllers container (OU).

4. Right-click an affected DC and press Properties.

5. In Windows Server 2003, check the Show mandatory attributes and Show optional attributes boxes on the Attribute Editor tab. In Windows 2000 Server, click Both in the Select which properties to view box.

6. In Windows Server 2003, select userAccountControl in the Attributes box. In Windows 2000 Server, select userAccountControl in the Select a property to view box.

7. If the value is NOT 532480, Edit it and set and apply the change.

8. Press OK.

9. Exit ADSI Edit.

For Windows 2000 DCs only:
1. Verify that the Kerberos realm is the NetBIOS domain name.
2. If you made a change, shutdown and restart the DC.

Reset the machine account password, and obtain a new Kerberos ticket:
1. Start / Run / Services.msc / OK.
2. Stop the Kerberos Key Distribution Center service.

3. Set the Startup type to Manual.

4. Open a CMD.EXE window.

5. Using Netdom.exe from the Support Tools, type the following command and press Enter:

netdom resetpwd /server:<A Working DC> /userd:<NetBIOS Domain Name>\Administrator /passwordd:<Administrator Password>

The command must be completed successfully.

6. Restart the affected DC.

7. Using Services.msc, set the Startup type of the Kerberos Key Distribution Center to Automatic.

8. Start the Kerberos Key Distribution Center service.

See the following Microsoft Knowledge Base articles for additional information:
325322 - "The server is not operational" error message when you try to open Exchange System Manager.
284929 - Cannot start Active Directory snap-ins; error message states that no authority could be contacted for authentication.
257623 - Domain controller's Domain Name System suffix does not match domain name.
257346 - "Access This Computer from the Network" user right causes tools not to work.
316710 - Disabled Kerberos key distribution prevents Exchange services from starting.
329642 - Error messages when you open Active Directory snap-ins and Exchange System Manager.
272686 - Error messages occur when Active Directory Users and Computers snap-in is opened.
323542 - You cannot start the Active Directory Users and Computers tool because the server is not operational.
329887 - You cannot interact with Active Directory MMC snap-ins.
325465 - Windows 2000 domain controllers require SP3 or later when using Windows Server 2003 administration tools.
322267 - Removing Client for Microsoft Networks removes other services.
297234 - Time difference exists between the client and the server.
247151 - Down-level domain users may receive an error message when starting MMC snap-ins.
280833 - Failure to specify all DNS zones in proxy client leads to DNS failures that are difficult to track.
322307 - Cannot start Exchange Services or Active Directory snap-ins after you install Service Pack 2 (SP2) for Windows 2000.
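
The userAccountControl step and the SeNetworkLogonRight step of the tip above, worked through offline as an added example (this is not code from the original post, nor from the JSI or Microsoft articles it quotes). It assumes you have already copied the dsquery values and the GptTmpl.inf off the DC to a machine with Python; the DC values and the GptTmpl.inf fragment below are constructed. It also shows why 532480 is the required value: it is SERVER_TRUST_ACCOUNT (0x2000) combined with TRUSTED_FOR_DELEGATION (0x80000), so the check can report which bit is wrong instead of only that the number differs.

```python
"""Offline checks for two steps of the tip above (added example, not code
from the original post): decoding a DC's userAccountControl value and
verifying SeNetworkLogonRight in an exported GptTmpl.inf.
All sample values below are constructed."""

# userAccountControl bit flags (standard Active Directory values).
UAC_FLAGS = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT", 0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED", 0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
KNOWN_MASK = 0
for _bit in UAC_FLAGS:
    KNOWN_MASK |= _bit

# Why the tip wants 532480 on every DC: a server trust account that is
# trusted for (unconstrained) delegation.
DC_EXPECTED_UAC = 0x2000 | 0x80000  # == 532480


def decode_uac(value):
    """Return (names of the flags set in value, bits not in the table)."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    return names, value & ~KNOWN_MASK


def check_dc_uac(name, value):
    """Same decision as the batch script above, but saying which bits differ."""
    if value == DC_EXPECTED_UAC:
        return True, f"{name} has a valid userAccountControl attribute ({value})."
    missing, _ = decode_uac(DC_EXPECTED_UAC & ~value)
    extra, unknown = decode_uac(value & ~DC_EXPECTED_UAC)
    return False, (f"{name} has an invalid userAccountControl attribute - {value}: "
                   f"missing {missing}, extra {extra}, unknown bits {unknown:#x}.")


# Well-known SIDs the tip says SeNetworkLogonRight must contain.
REQUIRED_NETWORK_LOGON_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-11": "Authenticated Users",
    "S-1-1-0": "Everyone",
}


def parse_privilege_rights(inf_text):
    """Parse the [Privilege Rights] section of a GptTmpl.inf into
    {right: [sid, ...]}; the leading '*' on each SID is stripped."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        rights[key.strip()] = [s.strip().lstrip("*") for s in val.split(",") if s.strip()]
    return rights


def check_network_logon_right(inf_text):
    """Return (required SIDs missing from SeNetworkLogonRight,
    required SIDs that SeDenyNetworkLogonRight would override)."""
    rights = parse_privilege_rights(inf_text)
    allowed = set(rights.get("SeNetworkLogonRight", []))
    denied = set(rights.get("SeDenyNetworkLogonRight", []))
    missing = sorted(sid for sid in REQUIRED_NETWORK_LOGON_SIDS if sid not in allowed)
    denied_required = sorted(denied & set(REQUIRED_NETWORK_LOGON_SIDS))
    return missing, denied_required


# Constructed GptTmpl.inf fragment: Authenticated Users has been dropped from
# SeNetworkLogonRight and Everyone has been added to the deny right.
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-554,*S-1-1-0,*S-1-5-9,*S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-1-0
"""

if __name__ == "__main__":
    # Constructed DC values: DC1 is correct, DC2 carries a workstation flag.
    for dc, uac in [("DC1", 532480), ("DC2", 4096)]:
        print(check_dc_uac(dc, uac)[1])
    missing, denied = check_network_logon_right(SAMPLE_GPTTMPL)
    print("missing from SeNetworkLogonRight:", missing)
    print("required groups also denied:", denied)
```

The deny right is checked as well because, as the NOTE in the tip says, a SeDenyNetworkLogonRight entry overrides the allow entry for the same group; a policy that lists Everyone in both places still blocks network logon.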


Author Comment

ID: 12161931
Wow, I didn't know I could start controversy on an Operating System help forum :-)

NJ - I tried to connect to AD via the MMC "work-around" snap-in, and received the same error message.

As for the DNS servers, they are indeed internal and without them the school will not let me connect to the outside world (gotta love schools).

I tried the first link you gave me once before - http://www.jsifaq.com/SUBL/tip5800/rh5804.htm
Again to no avail....

I am currently trying the other suggestions you gave and will get back to you guys when I'm done :-).
LVL 33

Expert Comment

ID: 12162240
Thanks for the feedback...  Sorry for the "controversy" in your post.  I didn't mean for that to happen...typing information can lead to people misunderstanding what you mean.  

Anyway, thanks for the feedback...the test of adding the AD via MMC proves that your built-in utilities are not the problem.  I have had a situation in the past where the tool itself got corrupt.

Anyway, go through the docs...

A quick thing to check is just go to a command prompt on the server and type NSLOOKUP

Then enter your domain name

Your IP address for the DC should be shown.  If not, you definitely have DNS problems.  AD will not function without DNS.  

Also, reboot the DC.  When the DC comes back online, look at the Event Viewer logs.  Especially look at the System log.  Do you see any errors?  How about in DNS and other AD logs?

Thank you,

Joe Poandl MCSE

Author Comment

ID: 12164023
I tried the other solutions and they didn't work, however, NSLOOKUP came up with an interesting result...

According to one of the school's DNS servers (the primary DNS server), my server has TWO IP addresses assigned to it.  

In addition, some of the other checks recommended by the links you gave me showed that my existing DNS server failed - I have redone the DNS and will check to see if it passes this time, but could this 2 assigned IP address issue be the cause of all my woes????

And if so, what can I do to get rid of it without calling up the school's IT dept?? (They take about 3 weeks to get back to you and don't have an answer when they do....)

Thanks a lot.
LVL 51

Expert Comment

ID: 12168805
If your server has 2 IP addresses then the following must be true:

1)  In DNS, you must choose the NIC to listen on - do not pick ALL addresses since this just causes more problems than it solves - choose the IP of the local LAN.

2)  Make sure that the same NIC you choose above is at the top of the binding order.

3)  Either restart the server or a)  Run IPCONFIG /FLUSHDNS, b) Clear the DNS server's cached lookups, c) restart the Netlogon service.


Author Comment

ID: 12182493

The server doesn't have 2 IP addresses, it only has one, but according to the primary DNS server in the school, my server has two.

As for the steps you recommended, I tried all of them and it didn't work.
LVL 51

Expert Comment

ID: 12187728
That's your issue.

Find and delete all records that exist in the Forward and Reverse Lookup zones for your server using the bad IP address.

This should clear up a few things pretty much immediately.
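
What the "two IP addresses for one server" problem from the two comments above looks like as a concrete check, as an added example (not code from the original thread): it parses ipconfig /all output for the host's real addresses, then compares them against the A records in the forward lookup zone and the PTR records in the reverse lookup zone, listing the records that use an address the host does not have (the ones the advice says to delete) and the records that are missing. The ipconfig text and the zone records are constructed; the addresses use the 192.0.2.0/24 documentation range and the host name is the one from the poster's ipconfig output. Zone data is assumed to have been exported as simple (name, ip) pairs, for example from the DNS console or a zone file.

```python
"""Added example: find stale forward and reverse DNS records for a host by
comparing the zone's view of it with its real addresses from ipconfig.
Sample ipconfig text and zone records are constructed."""
import ipaddress
import re

# Constructed 'ipconfig /all' output in the Windows Server 2003 layout.
SAMPLE_IPCONFIG = """Windows IP Configuration

   Host Name . . . . . . . . . . . . : polybots-web
   Primary Dns Suffix  . . . . . . . : polybots.poly.edu
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : polybots.poly.edu
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.0.2.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 192.0.2.10
                                       192.0.2.53
"""

# Constructed zone contents: (name, ip) for the forward zone, (ip, name)
# for the reverse zone. 192.0.2.77 is an old address that was never cleaned up.
SAMPLE_A_RECORDS = [
    ("polybots-web.polybots.poly.edu", "192.0.2.10"),
    ("polybots-web.polybots.poly.edu", "192.0.2.77"),
    ("dc2.polybots.poly.edu", "192.0.2.11"),
]
SAMPLE_PTR_RECORDS = [
    ("192.0.2.77", "polybots-web.polybots.poly.edu"),
    ("192.0.2.11", "dc2.polybots.poly.edu"),
]

# Matches "   Key . . . . : value" lines; adapter headers have no dots/colon form.
_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)[ .]*: ?(.*)$")


def parse_ipconfig(text):
    """Extract host name, primary DNS suffix and every 'IP Address' line."""
    info = {"ips": []}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Host Name":
            info["host"] = val
        elif key == "Primary Dns Suffix":
            info["suffix"] = val
        elif key == "IP Address" and val:
            info["ips"].append(val)
    return info


def audit_dns_records(fqdn, actual_ips, a_records, ptr_records):
    """Compare the zone's records for fqdn with the addresses it really has."""
    fqdn = fqdn.lower().rstrip(".")
    actual = {str(ipaddress.ip_address(ip)) for ip in actual_ips}
    host_a = {ip for name, ip in a_records if name.lower().rstrip(".") == fqdn}
    host_ptr = {ip for ip, name in ptr_records if name.lower().rstrip(".") == fqdn}
    return {
        "stale_a": sorted(host_a - actual),      # A records to delete
        "stale_ptr": sorted(host_ptr - actual),  # PTR records to delete
        "missing_a": sorted(actual - host_a),    # should register after netlogon restart
        "missing_ptr": sorted(actual - host_ptr),
    }


def audit_from_ipconfig(ipconfig_text, a_records, ptr_records):
    """Build the FQDN from ipconfig output and run the record audit."""
    info = parse_ipconfig(ipconfig_text)
    fqdn = f"{info['host']}.{info['suffix']}"
    return fqdn, audit_dns_records(fqdn, info["ips"], a_records, ptr_records)


if __name__ == "__main__":
    fqdn, result = audit_from_ipconfig(SAMPLE_IPCONFIG, SAMPLE_A_RECORDS, SAMPLE_PTR_RECORDS)
    print(fqdn)
    for kind, ips in result.items():
        print(f"{kind}: {', '.join(ips) or '-'}")
```

A missing PTR for the real address is reported separately from the stale ones because it is not something to delete; it is what should appear once the stale records are gone and Netlogon re-registers, which is the check the accepted answer below asks for.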


Author Comment

ID: 12203797
Yea, I figured that could be the cause.... But I didn't find it out until a couple of days ago - I'm gonna have to call the school's IS department though to take care of it since I don't have access to their servers.

I'll let everyone know how it goes :-)

Author Comment

ID: 12328752
Alright, got IS to delete the extra IP address on their DNS servers, but it still doesn't work....

Anyone have any other ideas before I have to rebuild this server????
LVL 51

Accepted Solution

Netman66 earned 1500 total points
ID: 12331388
Try running this now that the bad addresses are gone:

ipconfig /flushdns

Restart the Netlogon service on the server.

Check DNS for the existence of the records now.  There must be entries in DNS under _msdcs for your server or it isn't registering correctly.

Author Comment

ID: 12361646
Uhhhhhh.... This is wonderfully annoying....  FlushDNS didn't work once again....  Also, DNS has records for it under _msdcs, and it's registering properly in regards to the server's name, but AD is still not working....

Author Comment

ID: 12361664
Netman, please e-mail me at g12nirvana@aol.com
