g12nirvana


Active Directory Problems - Cannot connect

I am currently running a Windows Server 2003 machine with AD, Exchange, and web setup.  As of about 2 weeks ago, out of the blue, the machine decided that it will no longer connect to either exchange or AD - when I try to connect, I receive an error saying that the server is not operational.  What could this be???  The server is a domain controller within a forest, but has never had trouble connecting TO ITSELF.  I have checked for viruses over and over again and find nothing.  I have also installed DNS Server on the machine since some recommended that it might be the cause of the problem, but that did not help.  If anyone has any ideas, please let me know.
JamesDS

g12nirvana
DNS is essential to the operation of AD and Exchange 2000/2003. If you installed it but did not configure it then this is almost certainly the cause of the issue.

Make sure that the DNS Service has a ZONE configured with the same name as your AD and that the zone allows updates, then configure the machine to point to itself ONLY for DNS and stop and restart the NETLOGON service. Look on the new DNS zone for _MSDCS records and if these are now present you are halfway there.

Cheers

JamesDS

ASKER

That is all currently setup on the server and _MSDCS exists.  

Also, why would this happen all of a sudden??? It has been running smoothly without DNS for several months and a few years before that as a 2000 DC.....
g12nirvana
Please post the output from IPCONFIG /ALL and NETDIAG

NETDIAG is provided with the support tools pack on the CD under \support.

AD cannot work properly without DNS. If it has been working then you have been somehow getting away with NetBIOS name resolution and have been very lucky! However, I bet you had lots of red messages in your event logs all that time.

Cheers

JamesDS
Here are the results from IPCONFIG:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : polybots-web
   Primary Dns Suffix  . . . . . . . : polybots.poly.edu
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : polybots.poly.edu

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : polybots.poly.edu
   Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
   Physical Address. . . . . . . . . : 00-01-02-46-E4-B8
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 128.238.25.18
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 128.238.25.1
   DNS Servers . . . . . . . . . . . : 128.238.25.18
                                       128.238.29.22
                                       128.238.2.38
                                       128.238.32.22
   Primary WINS Server . . . . . . . : 128.238.29.23
   Secondary WINS Server . . . . . . : 128.238.29.22


As for NETDIAG - it kept freezing and gave me no results.

As a test, can you try to connect to AD Users and Computers using a custom MMC instead of the normal Administrators tool.

1) Start --> Run --> Type MMC (on the Open line)
2) File --> Add/Remove Snap-in
3) In the Add/Remove Snap-in dialog box, choose ADD
4) Add the AD Users and Computers snap-in

Now try to connect to AD using this snap-in.

(If this works, you may consider re-installing the admin tools (adminpak.msi) on the server CD.)

Thank you,

Joe Poandl  MCSE

g12nirvana

You should remove the DNS servers 128.238.29.22, 128.238.2.38, 128.238.32.22. If you must use external DNS Servers, then configure these as forwarders on the DNS Service itself.

Without the NETDIAG output I cannot proceed.
Cheers

JamesDS
Note: I disagree with g12nirvana:

"You should remove the DNS servers 128.238.29.22, 128.238.2.38, 128.238.32.22. If you must use external DNS Servers, then configure these as forwarders on the DNS Service itself."

I don't believe that these additional DNS servers are EXTERNAL:  128.238.29.22, 128.238.2.38, 128.238.32.22

If these are indeed internal DNS servers, there is no issue.  If they are external ISP DNS servers, then I agree, you should remove these.

General Rule: All clients should point to internal DNS servers ONLY.  Internal DNS servers should then be configured to FORWARD to external ISP DNS servers.

Thank you,

Joe Poandl MCSE
NJComputerNetworks

Thank you for disagreeing with my comment.
As you appear to be far more qualified than I, I will unsubscribe from this one and you can proceed with re-installing the adminpak - which I am sure will be most helpful.

Cheers

JamesDS
(touchy touchy...)  Calm down...your comments are helpful too.  Seeing how the primary DNS IP is the local machine, I'm sure contact to DNS is working.  It doesn't hurt to have other Internal DNS servers listed.  You are correct the EXTERNAL IP should NOT be listed.

Some other suggestions:

Starting Active Directory Users and Computers errors with 'The Server is not operational'?: http://www.jsifaq.com/SUBL/tip5800/rh5804.htm

"The Server Is Not Operational" Error Message in Active Directory Tools  http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B223321


http://www.jsifaq.com/subq/tip8300/rh8320.htm

This tip addresses the following behaviors on a Windows 2000 or Windows Server 2003 domain controller:
Dcdiag reports:
DC Diagnosis
Performing initial setup:
[DC1] LDAP bind failed with error 31


Running REPADMIN /SHOWREPS locally produces:
[D:\nt\private\ds\src\util\repadmin\repinfo.c, 389] LDAP error 82 (Local Error).


When you attempt to use network resources, including UNC and mapped drives, you receive:
No logon servers available (c000005e = "STATUS_NO_LOGON_SERVERS")


The Active Directory administration tools on the affected DC report one of the following:
Naming information cannot be located because: No authority could be contacted for authentication.

Naming information cannot be located because: Target account name is incorrect.


Outlook clients, authenticated by a working DC, who are connected to an Exchange Server that uses the affected DC for authentication, are prompted for credentials.

Netdiag displays:
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to <servername>.<fqdn> (<ip address>). [ERROR_DOMAIN_CONTROLLER_NOT_FOUND]
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for krbtgt/<fqdn>.
[FATAL] Kerberos does not have a ticket for <hostname>.
LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC <hostname>\<fqdn>


The System event log contains:
Type: Error
Event Source: Service Control Manager
Event ID: 7023
Description: The Kerberos Key Distribution Center service terminated with the following error:
The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation.


Work through the following procedures, in order, until the problem is resolved.
Correct any DNS configuration errors:
1. Open a command prompt and run the netdiag -v command. Resolve any DNS errors in the Netdiag.log file, created in the current folder.
NOTE: You can download the Windows 2000 Server Support Tools.

2. Make sure that the DNS address on the DC is pointing to itself, or another DNS server for your domain that supports SRV records and dynamic updates. You can configure forwarders to your ISP for Internet name resolution.

The following Microsoft Knowledge Base articles may be helpful:

291382 Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS.
237675 Setting up the Domain Name System for Active Directory.
254680 DNS namespace planning.
255248 How to create a child domain in Active Directory and delegate the DNS namespace to the child domain.

Make sure that time is synchronized:
There must be an authoritative time server in your domain. Make sure that time is synchronized between DCs, and clients are synchronizing time with a DC. See the following:
How do I configure an authoritative time server in Windows 2000?
How do I configure the Windows Time service on the Windows Server 2003 forest root PDC emulator?
Your domain controller does not locate a new time source server in Windows Server 2003?
How do I configure the Windows 2000 time service to log when time is adjusted?
How can I verify that a computer's time is synchronized with the authoritative time server for my domain?
How do I make my PDC emulator an authoritative time server for my domain without it synchronizing with a reliable time source?
Your Windows XP, or Windows Server 2003, does NOT synchronize its time with the domain time source?

Verify: Access this computer from the network:
Appropriate users must have the Access this computer from the network user right on the DC.
1. Open "%SystemRoot%\Sysvol\Sysvol\<Domainname>\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf" in Notepad.

2. The SeNetworkLogonRight line should contain the well known SID for Administrators, Authenticated Users, and Everyone. Add any that are missing.

SeNetworkLogonRight = *S-1-5-32-554,*S-1-1-0,*S-1-5-9,*S-1-5-11,*S-1-5-32-544

3. The SeDenyNetworkLogonRight is empty by default on Windows 2000 Server, and contains the SID for the Support_RandomString account, used by Remote Assistance, in Windows Server 2003.

4. Increment the group policy version in "%SystemRoot%\Sysvol\Sysvol\<Domainname>\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI".

5. Apply the policy:

Windows 2000 Server - secedit /refreshpolicy machine_policy /enforce
Windows Server 2003 - GPUpdate /Force

NOTE: You may have to check other policies to ensure any SeNetworkLogonRight and SeDenyNetworkLogonRight entries are proper.

Verify the userAccountControl attribute:
All DCs must have a value of 532480 in the userAccountControl attribute.
The easiest way to find any incorrect values is to run the following script:

@echo off
setlocal ENABLEDELAYEDEXPANSION
set OK=Y
REM Enumerate every domain controller by RDN, then read each one's userAccountControl.
REM Skip=1 drops the column header that dsquery -attr prints before the value.
REM A DC must have 532480, i.e. SERVER_TRUST_ACCOUNT + TRUSTED_FOR_DELEGATION.
for /f "Tokens=*" %%s in ('DSQUERY SERVER -O RDN') do (
 for /f "Skip=1 Tokens=*" %%a in ('dsquery * domainroot -filter "(&(objectCategory=Computer)(objectClass=Computer)(Name=%%s))" -attr userAccountControl -Limit 0') do (
  set uac=%%a
  IF "!uac:~0,6!" NEQ "532480" (
   @echo %%s has an invalid userAccountControl attribute - %%a.
   set OK=N
  ) ELSE (
   @echo %%s has a valid userAccountControl attribute.
  )
 )
)
REM Summarise the result; any DC flagged above must be corrected in ADSIEdit.msc.
If "%OK%" EQU "Y" (
 @echo All domain controllers have a valid userAccountControl attribute.
) ELSE (
 @echo Fix the invalid userAccountControl attribute(s^) using ADSIEdit.msc.
)
You can use ADSIEdit.msc to check, and change, the value:
1. Start / Run / adsiedit.msc / OK.

2. Expand the domain.

3. Expand the Domain Controllers container (OU).

4. Right-click an affected DC and press Properties.

5. In Windows Server 2003, check the Show mandatory attributes and Show optional attributes boxes on the Attribute Editor tab. In Windows 2000 Server, click Both in the Select which properties to view box.

6. In Windows Server 2003, select userAccountControl in the Attributes box. In Windows 2000 Server, select userAccountControl in the Select a property to view box.

7. If the value is NOT 532480, edit it, set the value to 532480 and apply the change.

8. Press OK.

9. Exit ADSI Edit.

For Windows 2000 DCs only:
1. Verify that the Kerberos realm is the NetBIOS domain name.
2. If you made a change, shutdown and restart the DC.

Reset the machine account password, and obtain a new Kerberos ticket:
1. Start / Run / Services.msc / OK.
2. Stop the Kerberos Key Distribution Center service.

3. Set the Startup type to Manual.

4. Open a CMD.EXE window.

5. Using Netdom.exe from the Support Tools, type the following command and press Enter:

netdom resetpwd /server:<A Working DC> /userd:<NetBIOS Domain Name>\Administrator /passwordd:<Administrator Password>

The command must be completed successfully.

6. Restart the affected DC.

7. Using Services.msc, set the Startup type of the Kerberos Key Distribution Center to Automatic.

8. Start the Kerberos Key Distribution Center service.

See the following Microsoft Knowledge Base articles for additional information:
325322   -   "The server is not operational" error message when you try to open Exchange System Manager.
284929   -   Cannot start Active Directory snap-ins; error message states that no authority could be contacted for authentication.

257623   -   Domain controller's Domain Name System suffix does not match domain name.

257346   -   "Access This Computer from the Network" user right causes tools not to work.

316710   -   Disabled Kerberos key distribution prevents Exchange services from starting.

329642   -   Error messages when you open Active Directory snap-ins and Exchange System Manager.

272686   -   Error messages occur when Active Directory Users and Computers snap-in is opened.

323542   -   You cannot start the Active Directory Users and Computers tool because the server is not operational.

329887   -   You cannot interact with Active Directory MMC snap-ins.

325465   -   Windows 2000 domain controllers require SP3 or later when using Windows Server 2003 administration tools.

322267   -   Removing Client for Microsoft Networks removes other services.

297234   -   Time difference exists between the client and the server.

247151   -   Down-level domain users may receive an error message when starting MMC snap-ins.

280833   -   Failure to specify all DNS zones in proxy client leads to DNS failures that are difficult to track.

322307   -   Cannot start Exchange Services or Active Directory snap-ins after you install Service Pack 2 (SP2) for Windows 2000.
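As an added example (not part of this thread or of the jsifaq tip), the Python below does the same check as the tip's batch script but compares userAccountControl as an integer rather than a 6-character prefix, and shows why 532480 is the required value: it is SERVER_TRUST_ACCOUNT (0x2000) combined with TRUSTED_FOR_DELEGATION (0x80000). The dsquery output it parses is constructed, not captured from a real domain.

```python
"""Decode and check userAccountControl on domain controllers.

Added example (not from this thread or the jsifaq tip). It does what the
tip's batch script does, but compares the value as an integer instead of a
6-character prefix, and it explains why 532480 is required: that number is
SERVER_TRUST_ACCOUNT (0x2000) | TRUSTED_FOR_DELEGATION (0x80000).
"""

# Well-known userAccountControl bits (standard AD values).
UAC_FLAGS = {
    0x00002: "ACCOUNTDISABLE",
    0x01000: "WORKSTATION_TRUST_ACCOUNT",
    0x02000: "SERVER_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",
}
EXPECTED_DC_UAC = 0x2000 | 0x80000  # == 532480, the value the tip requires

# Constructed sample of 'dsquery * ... -attr name userAccountControl' output
# (not captured from a real domain): a healthy DC, one that still carries a
# plain member-server value, and one that has additionally been disabled.
SAMPLE_DSQUERY_OUTPUT = """\
  name  userAccountControl
  DC1   532480
  DC2   4096
  DC3   532482
"""


def decode_uac(value: int) -> list:
    """Names of every known flag set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def parse_dsquery_attr(output: str) -> dict:
    """Parse dsquery -attr output: a header line, then '<name> <uac>' rows."""
    rows = [ln.split() for ln in output.splitlines() if ln.strip()]
    return {name: int(uac) for name, uac in rows[1:]}  # rows[0] is the header


def check_dcs(records: dict) -> dict:
    """Return {dc: [problems]} for every DC whose value is not exactly 532480."""
    problems = {}
    for dc, uac in records.items():
        if uac == EXPECTED_DC_UAC:
            continue  # healthy
        missing = [n for b, n in UAC_FLAGS.items() if EXPECTED_DC_UAC & b and not uac & b]
        extra = [n for b, n in UAC_FLAGS.items() if uac & b and not EXPECTED_DC_UAC & b]
        problems[dc] = [f"missing {n}" for n in missing] + [f"unexpected {n}" for n in extra]
    return problems


if __name__ == "__main__":
    for dc, issues in check_dcs(parse_dsquery_attr(SAMPLE_DSQUERY_OUTPUT)).items():
        print(f"{dc}: {', '.join(issues)} -> fix with ADSIEdit.msc")
```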

Wow, I didn't know I could start controversy on an Operating System help forum :-)

NJ - I tried to connect to AD via the MMC "work-around" snap-in, and received the same error message.

As for the DNS servers, they are indeed internal and without them the school will not let me connect to the outside world (gotta love schools).

I tried the first link you gave me once before - http://www.jsifaq.com/SUBL/tip5800/rh5804.htm
Again to no avail....

I am currently trying the other suggestions you gave and will get back to you guys when I'm done :-).
Thanks for the feedback...  Sorry for the "controversy" in your post.  I didn't mean for that to happen...typing information can lead to people misunderstanding what you mean.  

Anyway, thanks for the feedback...the test of adding the AD via MMC proves that your built-in utilities are not the problem.  I have had a situation in the past where the tool itself got corrupt.

Anyway, go through the docs...

A quick thing to check is just go to a command prompt on the server and type NSLOOKUP

Then enter your domain name

Your IP address for the DC should be shown.  If not, you definitely have DNS problems.  AD will not function without DNS.

Also, reboot the DC.  When the DC comes back online, look at the Event Viewer logs.  Especially look at the System log.  Do you see any errors?  How about in DNS and other AD logs?

Thank you,

Joe Poandl MCSE
I tried the other solutions and they didn't work, however, NSLOOKUP came up with an interesting result...

According to one of the school's DNS servers (the primary DNS server), my server has TWO IP addresses assigned to it.  

In addition, some of the other checks recommended by the links you gave me showed that my existing DNS server failed - I have redone the DNS and will check to see if it passes this time, but could this 2 assigned IP address issue be the cause of all my woes????

And if so, what can I do to get rid of it without calling up the school's IT dept?? (They take about 3 weeks to get back to you and don't have an answer when they do....)

Thanks a lot.
Netman66
If your server has 2 IP addresses then the following must be true:

1)  In DNS, you must choose the NIC to listen on - do not pick ALL addresses since this just causes more problems than it solves - choose the IP of the local LAN.

2)  Make sure that the same NIC you choose above is at the top of the binding order.

3)  Either restart the server or a)  Run IPCONFIG /FLUSHDNS, b) Clear the DNS server's cached lookups, c) restart the Netlogon service.


Advise.
Netman:

The server doesn't have 2 IP addresses, it only has one, but according to the primary DNS server in the school, my server has two.

As for the steps you recommended, I tried all of them and it didn't work.
That's your issue.

Find and delete all records that exist in the Forward and Reverse Lookup zones for your server using the bad IP address.

This should clear up a few things pretty much immediately.

Advise.
Yea, I figured that could be the cause.... But I didn't find it out until a couple of days ago - I'm gonna have to call the school's IS department though to take care of it since I don't have access to their servers.

I'll let everyone know how it goes :-)
Alright, got IS to delete the extra IP address on their DNS servers, but it still doesn't work....

Anyone have any other ideas before I have to rebuild this server????
ASKER CERTIFIED SOLUTION
Netman66
Uhhhhhh.... This is wonderfully annoying....  FlushDNS didn't work once again....  Also, DNS has records for it under _msdcs, and it's registering properly in regards to the server's name, but AD is still not working....
Netman, please e-mail me at g12nirvana@aol.com