Event ID: Userenv 1054

I have a production Windows 2003 environment with multiple front end servers hosted in a web farm.  Recently we have implemented Load Balancers to accommodate the load on the Web Servers and during the implementation had to change the default gateway from the Router to point to the Load Balancer.  During initial testing all traffic was passed through the Load Balancer correctly and I could browse the net, connect to other computers on the subnet and log on with domain accounts.  However, every 15 minutes to 30 minutes I receive this in the Application Event Log:

Source:  Userenv  Type:  Error
Event ID:  1054
User:  NT Authority\System
Computer:  Computername

Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

This appears to be sporadic, as maybe 1 out of 10 attempts to update the GPO will succeed.  Here is the output from a netdiag that I have run:

C:\Program Files\Support Tools>netdiag

....................................

    Computer Name: COMPUTERNAME
    DNS Host Name: COMPUTERNAME.DOMAIN.COM
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 15 Model 2 Stepping 5, GenuineIntel
    List of installed hotfixes :
        KB819696
        KB823182
        KB823353
        KB823559
        KB824105
        KB824141
        KB824151
        KB825119
        KB828035
        KB828741
        KB832894
        KB833987
        KB834707
        KB835732
        KB837001
        KB837009
        KB839643
        KB839643-DirectX9
        KB839645
        KB840315
        KB840374
        KB840987
        KB841356
        KB841533
        KB867460
        KB867801
        KB873376
        KB885881
        Q147222
        Q828026
Netcard queries test . . . . . . . : Passed
Per interface results:
    Adapter : Local Area Connection 2
        Netcard queries test . . . : Passed
        Host Name. . . . . . . . . : web04b
        IP Address . . . . . . . . : 10.1.1.96
        Subnet Mask. . . . . . . . : 255.0.0.0
        Default Gateway. . . . . . : 10.1.1.68
        Dns Servers. . . . . . . . : 10.1.1.7
                                     10.1.1.11
        AutoConfiguration results. . . . . . : Passed
        Default gateway test . . . : Passed
        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.
    Adapter : Local Area Connection
        Netcard queries test . . . : Passed
        Host Name. . . . . . . . . : web04b
        IP Address . . . . . . . . : 10.1.1.95
        Subnet Mask. . . . . . . . : 255.0.0.0
        Default Gateway. . . . . . :
        Dns Servers. . . . . . . . : 10.1.1.7
                                     10.1.1.11
        AutoConfiguration results. . . . . . : Passed
        Default gateway test . . . : Skipped
            [WARNING] No gateways defined for this adapter.
        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
            No remote names have been found.
        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{905CE11D-94FD-4911-A867-623CFDF841C2}
        NetBT_Tcpip_{A988AC4C-3B6A-43F0-A609-F610397F912A}
    2 NetBt transports currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{905CE11D-94FD-4911-A867-623CFDF841C2}
        NetBT_Tcpip_{A988AC4C-3B6A-43F0-A609-F610397F912A}
    The redir is bound to 2 NetBt transports.
    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{905CE11D-94FD-4911-A867-623CFDF841C2}
        NetBT_Tcpip_{A988AC4C-3B6A-43F0-A609-F610397F912A}
    The browser is bound to 2 NetBt transports.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Passed
    Secure channel for domain 'DOMAIN' is to '\\DC.DOMAIN.COM'.
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
    No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
    Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully

Here is an IPConfig /all

Windows IP Configuration
   Host Name . . . . . . . . . . . . : COMPUTERNAME
   Primary Dns Suffix  . . . . . . . : COMPUTERNAME.DOMAIN.COM
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : DOMAIN.COM
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Fiber WOL #2
   Physical Address. . . . . . . . . : 00-09-6B-B5-E5-42
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.1.1.95
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.1.1.7
                                       10.1.1.11
Ethernet adapter Local Area Connection 2:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Fiber WOL
   Physical Address. . . . . . . . . : 00-09-6B-B5-E5-43
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.1.1.96
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   Default Gateway . . . . . . . . . : 10.1.1.68
   DNS Servers . . . . . . . . . . . : 10.1.1.7
                                       10.1.1.11

I am able to go start -> run -> \\domain.com\sysvol\domain.com and it connects successfully.  Logon succeeds without issue and I haven't noticed any other behaviour that would indicate anything causing an issue connecting to the Domain Controller other than this.  At this point, I'm completely stumped.

Any help would be greatly appreciated.
Asked by: dmox

GPomerleau commented:
There are a couple of things that could cause this. I experienced some of them. First, did you try to access the sysvol with \\computername\sysvol or \\domainname\sysvol\ ?

Also, did you lock down your web server? Is the DFS client running? I did not see any WINS server in your IPconfig, is there any in your network?

Your web servers, are they 2000 or 2003? If 2000, look at SMB signing in your local security policy, because in 2003 they are enabled by default and not in 2000.

WeHe commented:
This behavior may occur if the address for the configured preferred DNS server on the client is invalid or unreachable.
Check whether 10.1.1.7 and 10.1.1.11 are working correctly and are reachable.

dmox (author) commented:
The DNS servers are the Domain Controllers.  10.1.1.7 is the FSMO and 10.1.1.11 is the backup.  I am able to resolve names to IPs by doing a ping -a to any machine on the subnet and to any public websites (Google for example).

Here is the output for Dnscmd /info on both DNS servers from one of the affected machines:

dnscmd \\dc01 /info

Query result:
Server info
      server name              = dc01.DOMAIN.COM
      version                  = 0ECE0205 (5.2 build 3790)
      DS container             = cn=MicrosoftDNS,cn=System,DC=DOMAIN,DC=COM
      forest name              = DOMAIN.COM
      domain name              = DOMAIN.COM
      builtin domain partition = ForestDnsZones.DOMAIN.COM
      builtin forest partition = DomainDnsZones.DOMAIN.COM
      last scavenge cycle      = not since restart (0)
  Configuration:
      dwLogLevel               = 00000000
      dwDebugLevel             = 00000000
      dwRpcProtocol            = FFFFFFFF
      dwNameCheckFlag          = 00000002
      cAddressAnswerLimit      = 0
      dwRecursionRetry         = 3
      dwRecursionTimeout       = 15
      dwDsPollingInterval      = 180
  Configuration Flags:
      fBootMethod                  = 3
      fAdminConfigured             = 1
      fAllowUpdate                 = 1
      fDsAvailable                 = 1
      fAutoReverseZones            = 1
      fAutoCacheUpdate             = 0
      fSlave                       = 0
      fNoRecursion                 = 0
      fRoundRobin                  = 1
      fStrictFileParsing           = 0
      fLooseWildcarding            = 0
      fBindSecondaries             = 1
      fWriteAuthorityNs            = 0
      fLocalNetPriority            = 1
  Aging Configuration:
      ScavengingInterval           = 0
      DefaultAgingState            = 0
      DefaultRefreshInterval       = 168
      DefaultNoRefreshInterval     = 168
  ServerAddresses:
 Addr Count = 2
            Addr[0] => 10.1.1.7
            Addr[1] => 10.1.1.8

  ListenAddresses:
      NULL IP Array.
  Forwarders:
 Addr Count = 2
            Addr[0] => 192.168.0.52
            Addr[1] => 192.168.0.54
      forward timeout  = 5
      slave            = 0
Command completed successfully.

dnscmd \\dc02 /info

Query result:
Server info
      server name              = DC02.DOMAIN.COM
      version                  = C2000005 (5.0)
      DS container             = cn=MicrosoftDNS,cn=System,DC=DOMAIN,DC=COM
      forest name              = N/A
      domain name              = N/A
      builtin domain partition = N/A
      builtin forest partition = N/A
      last scavenge cycle      = not since restart (0)
  Configuration:
      dwLogLevel               = 00000000
      dwDebugLevel             = 00000000
      dwRpcProtocol            = FFFFFFFF
      dwNameCheckFlag          = 00000002
      cAddressAnswerLimit      = 0
      dwRecursionRetry         = 0
      dwRecursionTimeout       = 15
      dwDsPollingInterval      = 300
  Configuration Flags:
      fBootMethod                  = 0
      fAdminConfigured             = 1
      fAllowUpdate                 = 1
      fDsAvailable                 = 1
      fAutoReverseZones            = 1
      fAutoCacheUpdate             = 0
      fSlave                       = 0
      fNoRecursion                 = 0
      fRoundRobin                  = 1
      fStrictFileParsing           = 0
      fLooseWildcarding            = 0
      fBindSecondaries             = 1
      fWriteAuthorityNs            = 0
      fLocalNetPriority            = 1
  Aging Configuration:
      ScavengingInterval           = 0
      DefaultAgingState            = 0
      DefaultRefreshInterval       = 168
      DefaultNoRefreshInterval     = 168
  ServerAddresses:
 Addr Count = 1
            Addr[0] => 10.1.1.11
  ListenAddresses:
 Addr Count = 1
            Addr[0] => 10.1.1.11
  Forwarders:
 Addr Count = 2
            Addr[0] => 192.168.0.52
            Addr[1] => 192.168.0.54
      forward timeout  = 5
      slave            = 0
Command completed successfully.


The DNS Forwarders are actually other DNS/Domain Controllers across a Site to Site VPN.  DNS communication between the two has been 100% successful since this strategy has been implemented.  They have had no issues transferring zone information.  However, the DOMAIN.COM is hosted on the same site as DC01 and DC02.  The zones that are transferred are relevant to DNS in the other domain...

WeHe commented:
Do you have a firewall somewhere? (Check if access to localhost or 127.0.0.1 is blocked.)
or
Do you use IPsec anywhere? Disable it.
or
Maybe you should update NIC drivers.
or
Set “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableDHCPMediaSense” to “1” as per Q239924.
or
Any DHCP installed and not configured? Uninstall it.

If nothing helps, take a look here: http://www.eventid.net/display.asp?eventid=1054&eventno=1393&source=Userenv&phase=1

No more ideas at the moment.

dmox (author) commented:
1.  Yes, there is a firewall, but the domain traffic is local.  There isn't a Firewall between the Member Servers and the Domain Controllers.

2.  No, we don't use IPSEC.  It's still in its infancy stage with Microsoft.

3.  NIC Drivers are up to date.

4.  Just gave this a try, but unfortunately didn't resolve the issue.  :(

5.  DHCP is installed but is being used.  The server is servicing clients and reserving IPs for specific servers.

6.  EventID.net is a great resource, and I have tried everything relevant in that documentation.



dmox (author) commented:
To throw a wrench into this... I have 3 servers that are showing this behavior.  Last night, I accidentally left myself logged on through Terminal Services to one of them and every 10 to 30 minutes it would cause the Userenv 1054 error.  However, the machines that I was NOT logged on to gave a successful Event ID (SceCli 1704).

So it appears when someone is logged on to the servers it fails, but when nobody is logged on, it's fine.  

dmox (author) commented:
We've isolated this down to an issue with the Child Domain in which these servers reside.  We have a parent domain called "Domain.com" and a child domain called "Child.Domain.com" (Edited for simplicity).

When the servers try to access the Domain.com for their Group Policy updates they get an "Access Denied" when trying to access the SYSVOL share.  However, if they access the local domain, Child.domain.com, they can successfully update their GPOs.  I gathered this information by running Ethereal to see what was happening.

So, is it possible to force these servers to only look at the Domain Controllers for Child.Domain.com rather than the Domain Controllers in Domain.com?  I have tried editing the hosts file, but that doesn't seem to help any.  As far as the Access Denied error, there is a legitimate Computer Account on the Child domain but not in the Parent Domain.  However, the domains have a full Transitive Trust going both ways and it has been tested and verified.  I can access the SYSVOL share successfully when I am logged on as myself as a Domain Admin.

There are only 8 servers on the domain that are experiencing this issue.  They are web servers located behind a Load Balancer, and the Load Balancer is their Default Gateway.  When the DFG is changed to the router, the GPO update process completes successfully.  When it's the Load Balancer, it doesn't.  The Load Balancer is "Impersonating" the machine when the machine tries to communicate with Domain.com and I'm suspecting that's where the "Access Denied" error is coming from.

So if I could force the machines to communicate with Child.Domain.com this should resolve my issue.

dmox (author) commented:
1.  Yes I can access the Sysvol share on both the Child.domain.com and Domain.com
2.  We're using a PIX firewall to protect the web servers.  The built in firewall (or 3rd party) is not enabled.  There is no firewall between the webservers and the DC's.
3.  No, we don't have WINS and don't have a need to implement it.
4.  Yes, the DFS client is running.  Ran into a lot of issues years ago by disabling it and learned my lesson.
5.  We're running pure 2003 Enterprise.
6.  I've just enabled SMB signing and things appear to be better!

I also tried something else.  The machines that I'm logging into are members of Child.Domain.com.  When I log in as an account from Child.Domain.com the GPO applies successfully (SceCli EventID message).  When I log in as an account from Domain.com then the GPO fails (Userenv errors).

So it's a combination of enabling SMB and logging on to the same domain, not the parent domain, that is allowing the GPOs to apply successfully!

dmox (author) commented:
For future note, here's the link to enable/disable SMB Signing:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/568.mspx
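
Added example, not part of the original thread: a PowerShell check for the SMB signing mismatch the thread ends on. It reads this machine's client-side and server-side signing values from the registry and predicts the negotiation result against a server whose settings you supply. Assumptions: PowerShell 2.0 or later is installed, the function names are hypothetical, and the domain controller values at the bottom are placeholders to replace with what you read on the DC.

```powershell
# Added example (not from the thread): audit SMB signing settings on this machine.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SmbSigning([string]$Service) {
    # $Service: 'LanmanWorkstation' = SMB client side, 'LanmanServer' = SMB server side
    $p = Get-ItemProperty -Path "$base\$Service\Parameters" -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Service  = $Service
        Enabled  = $p.EnableSecuritySignature    # $null means the value is not set
        Required = $p.RequireSecuritySignature
    }
}

function Test-SmbSigningOutcome([bool]$ClientEnabled, [bool]$ClientRequired,
                                [bool]$ServerEnabled, [bool]$ServerRequired) {
    # A side that requires signing is treated as able to sign.
    $clientCan = $ClientEnabled -or $ClientRequired
    $serverCan = $ServerEnabled -or $ServerRequired
    if (($ServerRequired -and -not $clientCan) -or ($ClientRequired -and -not $serverCan)) {
        return 'FAIL: one side requires signing, the other has it disabled'
    }
    if ($clientCan -and $serverCan) { return 'OK: session is signed' }
    return 'OK: session is unsigned'
}

$client = Get-SmbSigning 'LanmanWorkstation'
$server = Get-SmbSigning 'LanmanServer'
$client, $server | Format-Table Service, Enabled, Required -AutoSize

# Assumption: the domain controller requires signing.
# Replace both values with the ones read on the DC itself.
$dcEnabled  = $true
$dcRequired = $true
Test-SmbSigningOutcome ([bool]$client.Enabled) ([bool]$client.Required) $dcEnabled $dcRequired
```

Run it on an affected member server and on a server that applies Group Policy cleanly, then compare the two tables.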
