Cannot see Win2003 Server in network places

Hi Everyone,

We have recently formatted our server and installed Win2003 Small Business Server as a domain controller.  Our file server has had Win2003 server standard edition installed and is configured to run as a controller to authenticate logins should the SBS server go down.  

Up until recently, around about the time when I ran Windows update, everything was working fine.  However, now the SBS will not authenticate any logins and you cannot see it in Network places (but you can ping the machine).  I have checked the settings and cannot see anything that has changed.

I have tried installing the support tools and running various commands to eliminate a potential endpoint mapper problem
(http://support.microsoft.com/default.aspx?scid=kb;en-us;839880), but that returned no answers.

Can anyone offer some guidance?
Thanks in advance,
gb
grantballantyneAsked:
blueoakmoCommented:
What type of Event Viewer entries are appearing on the SBS?

Are you saying you have SBS and Win2K3 working as domain controllers in the same domain?  As I understand, SBS must be the only domain controller in its domain......

Is the Win2K3 machine only a member server?
0
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security OfficerIT Consultant, Network Engineer, Windows Network Administrator, VMware AdministratorCommented:
SBS can be the only DC in its Domain.
0
richarddrentCommented:
Sounds more like a firewall error....

Is there maybe a firewall software added on, or maybe is the integrated firewall closed on some ports?

Is this the only SBS in the network? If there are more, is there more than one DC?


Greetz Richard
0
Julian_CCommented:
Out of interest, if you go onto another machine on the same network that Ping works from and bring up a cmd prompt, what do you get when you:

telnet yourserver 139

and

telnet yourserver 445


You should get a blank screen with flashing cursor for each of these if the network ports are open and not blocked. What happens?


cheers
Julian
0
grantballantyneAuthor Commented:
Hi,

Thanks for all your input.

Julian - I cannot telnet on these ports - "...Could not open connection to the host"
0
grantballantyneAuthor Commented:
Also,

The 2003 Server IS configured as a DC.
Is it safe to remove this role from this server?  I am worried that if I do, I will not be able to authenticate logins.

Although the SBS server doesn't show in network connections, you can still map directly to the path of shared files.

Cheers
gb
0
blueoakmoCommented:
If you have 2003 Server Standard acting as a domain controller within a SBS domain, you are going to have issues.  I would strongly recommend demoting that server to a member server and let SBS do the authenticating.

What are the results when you run the nltest commands to list the domain controllers?

try nltest /dclist:domainname

What are the results.

Here's a link to nltest commands.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/nltest_syntax.asp
0
Julian_CCommented:
As you can't telnet to these ports at all then it sounds like something is stopping the network access. This shouldn't have anything to do with the fact that it's a domain controller but probably suggests that there is a packet filter in the way somewhere. So, to see if this is the case, can you telnet to port 139 on one of the other machines from the troublesome server? It needs to be a machine that other machines can see shares on etc.

If you can get a session going in that direction then -> On the SBS box: Has the network connection got its firewall turned on? In the advanced TCP/IP config is there a filter on? Or is the blockage external to the server (doubt it as I guess it was working before the SBS install)? I don't suppose you have a hub (or can set up a span port on the switch) and a packet sniffer of some kind?

Cheers
Julian
0
blueoakmoCommented:
gb,

This could also be a DNS issue.  Is the SBS machine a DNS server?  Did any of the updates deal with DNS?  Since you can ping it but can't use the name, something may have changed in the DNS setup.

0
Joseph NyaemaIT ConsultantCommented:
When you check the services

Has the netlogon service started?
What about the server service?

To check go to
start->run
cmd

sc query netlogon
sc query lanmanserver

The state for both should be running.
The server service should be running for you to see the server in network places.
The netlogon for authentication.

If they are stopped try starting them.

Should also see errors in the system section of event viewer

0
browolfCommented:
Sounds like a DNS problem. You should be using nslookup to check the resolving.
If there are any errors you should concentrate on fixing them first. Also tell us what's in the event log.
0
Julian_CCommented:
>sounds like a dns problem

Retry the telnet using IP addresses only to check this out. To me this doesn't fit as you say you can ping the machine and I think this would fail also. The only difference is that Ping will go straight for DNS but mounting a share etc. may go via WINS, but the Telnet I asked you to do should have got a result if the file sharing and directory services were running and would use DNS anyway. The issue is, PING works but nothing else does? If the Telnet using IP addresses works then revise this but otherwise this is the lowest level symptoms.

Cheers
Julian
0
Julian_CCommented:
>To me this doesn't fit as you say you can ping the machine and I think this would fail also

As I assume you can ping by name?

Did you get anywhere with the reverse telnet idea?

Cheers
Julian
0
grantballantyneAuthor Commented:
Hi everyone,

Sorry for the delay in getting back to you all, I have been off ill for the past week.  I hope the following information is suitable:

Julian - When I tried to telnet to the server again it worked on both of the ports this time (The server has been restarted several times) - Telnet to port 23 however does not work - the service is disabled
Blueoakmo - The standard server was set up to be an additional server in an existing domain, but shows as a DC in the server roles screen.  The nltest command returns:

C:\Documents and Settings\Administrator>nltest /dclist:bmcdomain2000
Get list of DCs in domain 'bmcdomain2000' from '\\BMCSERVER2000'.
    bmcserver2000.BMCDOMAIN2000 [PDC] [DS] Site: Default-First-Site-Name
    bmcfileserver.BMCDOMAIN2000.local       [DS] Site: Default-First-Site-Name
The command completed successfully

Nyaema - Both the services are running correctly
browolf - nslookup and PING commands work ok for both servers using both IP and names.  

Further observations:
In Active Directory Domains and Trusts on the fileserver, the type comes up as domainDNS.  When you try and check the properties, I get the following error: "You cannot modify domain or trust information because a PDC emulator cannot be contacted.  Please verify that the PDC emulator and the network are both online and functioning properly".

Also, within Domain controller Security Policy on the fileserver, I receive the error "Failed to open the group policy object . You may not have appropriate rights.  Details: The specified domain either does not exist or could not be contacted"  
When you try the same on the SBS server you get the following errors:
"The following entry in the [strings] section is too long and has been truncated.
Allows you to view and change a list of DCOM server application ids(appsids) which are exempted from the DCOM activation security check......"
"The following entry in the [strings] section is too long and has been truncated.
The policy setting lists network files and folders that are always available for offline use.  This ensures that the specified files......"
"The following entry in the [strings] section is too long and has been truncated.
The policy setting allows you to manage a list of files or folders for which you wish to prohibit the "make available offline" option. \n\nIf you enable this policy setting......"
"The following entry in the [strings] section is too long and has been truncated.
Allows you to view and change program execptions list defined by group policy. Windows firewall uses two program exceptions lists: one is defined by group policy settings and the other is defined by  the windows firewall component in control panel."

Here is a list of a few problems found in event manager:
Event Type:      Error
Event Source:      MSExchangeAL
Event Category:      LDAP Operations
Event ID:      8026
Date:            24/11/2004
Time:            09:19:17
User:            N/A
Computer:      BMCSERVER2000
Description:
LDAP Bind was unsuccessful on directory BMCSERVER2000 for distinguished name ''. Directory returned error:[0x51] Server Down.    

For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5513
Date:            06/12/2004
Time:            16:21:03
User:            N/A
Computer:      BMCSERVER2000
Description:
The computer DENISE tried to connect to the server \\BMCSERVER2000 using the trust relationship established by the BMCDOMAIN2000 domain. However, the computer lost the correct security identifier (SID) when the domain was reconfigured. Reestablish the trust relationship.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Warning
Event Source:      NETLOGON
Event Category:      None
Event ID:      5781
Date:            06/12/2004
Time:            16:25:46
User:            N/A
Computer:      BMCSERVER2000
Description:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'BMCDOMAIN2000.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  

Possible causes of failure include:  
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration  

Here is a list of the hot fixes applied.

Thanks in advance for all your help again
gb
0
blueoakmoCommented:
This still sounds like a DNS issue.  Active Directory and DNS are VERY interlaced in Win2k and Win2k3.

This may sound overly simplistic, but make sure the servers and workstations are only looking at the internal DNS server.

Make sure under TCP/IP properties that the machines are set to "Obtain DNS address automatically" and that no other entries are included. Also, the DC should be pointing to itself.

Make sure the DNS server has forwarding set up correctly to allow internet access and the DHCP server has entries pointing to the DNS server under Scope options.

Here's a couple DNS and DHCP setup links:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DHCP_imp_SetupScopeNode.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382
0
browolfCommented:
What's this trust relationship?
Does it mean actual trust between 2 domains?
0
blueoakmoCommented:
Also,

Make sure the root entry in the DNS server is deleted.  If present, it would be the entry above your domain under forward lookup zones.  It would be labeled "."
0
grantballantyneAuthor Commented:
Hi,

Tried the various DNS options blueoakmo.  Please find below a selection of the errors from the netdiag.exe /fix command from the support tools:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>netdiag.exe /fix

        Host Name. . . . . . . . . : bmcserver2000
        IP Address . . . . . . . . : 192.168.1.4
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.1.1
        Dns Servers. . . . . . . . : 192.168.1.4

DNS test . . . . . . . . . . . . . : Failed
          [WARNING] Cannot find a primary authoritative DNS server for the name
            'bmcserver2000.BMCDOMAIN2000.'. [RCODE_SERVER_FAILURE]
            The name 'bmcserver2000.BMCDOMAIN2000.' may not be registered in DNS
.
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.BMCDOMAIN2000.local. re-regis
teration on DNS server '192.168.1.4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._site
s.BMCDOMAIN2000.local. re-registeration on DNS server '192.168.1.4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.pdc._msdcs.BMCDOMAIN2000.loca
l. re-registeration on DNS server '192.168.1.4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.BMCDOMAIN2000.local
. re-registeration on DNS server '192.168.1.4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._site
s.gc._msdcs.BMCDOMAIN2000.local. re-registeration on DNS server '192.168.1.4' fa
iled.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.fc3ffc35-fc96-4dc9-a917-49758
a6b07d9.domains._msdcs.BMCDOMAIN2000.local. re-registeration on DNS server '192.
168.1.4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry 1a713d01-6306-42c1-b8c3-42fba5602d0d._ms
dcs.BMCDOMAIN2000.local. re-registeration on DNS server '192.168.1.4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.BMCDOMAIN2000.local
. re-registeration on DNS server '192.168.1.4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._site
s.dc._msdcs.BMCDOMAIN2000.local. re-registeration on DNS server '192.168.1.4' fa
iled.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _gc._tcp.BMCDOMAIN2000.local. re-registe
ration on DNS server '192.168.1.4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _gc._tcp.Default-First-Site-Name._sites.
BMCDOMAIN2000.local. re-registeration on DNS server '192.168.1.4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.BMCDOMAIN2000.l
ocal. re-registeration on DNS server '192.168.1.4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._
sites.dc._msdcs.BMCDOMAIN2000.local. re-registeration on DNS server '192.168.1.4
' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.BMCDOMAIN2000.local. re-r
egisteration on DNS server '192.168.1.4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._
sites.BMCDOMAIN2000.local. re-registeration on DNS server '192.168.1.4' failed.

DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kerberos._udp.BMCDOMAIN2000.local. re-r
egisteration on DNS server '192.168.1.4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.BMCDOMAIN2000.local. re-re
gisteration on DNS server '192.168.1.4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kpasswd._udp.BMCDOMAIN2000.local. re-re
gisteration on DNS server '192.168.1.4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.DomainDnsZones.BMCDOMAIN2000.
local. re-registeration on DNS server '192.168.1.4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._site
s.DomainDnsZones.BMCDOMAIN2000.local. re-registeration on DNS server '192.168.1.
4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.ForestDnsZones.BMCDOMAIN2000.
local. re-registeration on DNS server '192.168.1.4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._site
s.ForestDnsZones.BMCDOMAIN2000.local. re-registeration on DNS server '192.168.1.
4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for th
is DC on DNS server '192.168.1.4'.
    [FATAL] No DNS servers have the DNS records for this DC registered.

LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] The default SPN registration for 'HOST/bmcserver2000.BMCDOMAIN2000
' is missing on DC 'bmcfileserver.BMCDOMAIN2000.local'.


Apologies if the solution to this problem is staring me in the face, but this is the first 2003 network I have setup, and having limited knowledge of DNS I thankfully have never experienced this problem before.

Thanks
gb
0
Joseph NyaemaIT ConsultantCommented:
OK. I see your problem...

From what I can tell, the two servers are not in the same FQDN domain.
bmcserver2000 is in the Fully Qualified Domain BMCDomain2000
and
bmcfileserver is in the Fully Qualified Domain BMCDomain2000.local
Both are using the Netbios domain name BMCDomain2000
This probably happened because you did not select new domain controller in existing domain when installing active directory on BMCFileServer

I assume bmcserver2000 is the SBS server
and bmcfileserver is the Windows 2003 server.... correct me if I am wrong.

Obviously the two domains are clashing...

You will need to redo active directory on bmcfileserver.
To remove it use the following command.
dcpromo /force

Then we need to repair DNS to make bmcserver start working properly.
Ironically, you followed Microsoft best practices when creating the domain on
Win 2003 Server but did not do it right the first time round.
Microsoft does not recommend using a single-label domain (BMCDomain2000)
BMCDomain2000.local is what is recommended.
That can only be fixed by a reinstall of active directory (DCPromo)

But if you want to keep it....

On the SBS Server...

start->run
gpedit.msc
expand Local Computer Policy->Computer Configuration->Administrative Templates
->Network
Click DNS Client
On the right pane double click Update Top Level Domain Zones
Select enabled
Click Apply then OK
Quit Group Policy Editor

To repair DNS.
Open the DNS console and delete the following domains if they exist
BMCDOMAIN2000.local and BMCDOMAIN2000

Recreate the Domain BMCDOMAIN2000 by
right click on forward lookup zones and selecting new domain.
Close the DNS console.

Open Network and Dialup connections
Right Click Local Area Network->properties
TCP/IP
Properties-> Advanced
DNS Tab
Remove any DNS entries there
Make sure register this Connections Addresses in DNS is selected.
Select OK

Go to the command prompt.
start->run
cmd

register the Computer A record in DNS by typing the following commands
ipconfig /flushdns
ipconfig /registerdns

Restart the server.

The resource records will be recreated when the server starts

You can now join the Windows 2003 Server to the SBS as a second SBS server.

Point the DNS entries in TCP/IP to the SBS server's IP (192.168.0.4)

run DCPromo
select new domain controller in existing domain.

blah...blah...blah.
0
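The suffix mismatch pointed out in the answer above can be read mechanically from the output quoted earlier in the thread. This is an added example, not code from any poster: it parses the `nltest /dclist` and `netdiag /fix` text copied from this page, and the function names are hypothetical.

```python
import re

# Output copied from the thread above (nltest /dclist, netdiag /fix excerpt).
NLTEST_OUTPUT = r"""Get list of DCs in domain 'bmcdomain2000' from '\\BMCSERVER2000'.
    bmcserver2000.BMCDOMAIN2000 [PDC] [DS] Site: Default-First-Site-Name
    bmcfileserver.BMCDOMAIN2000.local       [DS] Site: Default-First-Site-Name
The command completed successfully
"""

NETDIAG_EXCERPT = """    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.BMCDOMAIN2000.local. re-regis
teration on DNS server '192.168.1.4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.pdc._msdcs.BMCDOMAIN2000.loca
l. re-registeration on DNS server '192.168.1.4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.BMCDOMAIN2000.l
ocal. re-registeration on DNS server '192.168.1.4' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
"""

# A DC line is indented: "<host>.<dns domain>  [PDC] [DS] Site: <site>"
DC_LINE = re.compile(
    r"^[ \t]+(?P<fqdn>[\w-]+(?:\.[\w-]+)+)[ \t]+(?P<flags>(?:\[\w+\]\s*)+)")


def parse_dclist(text):
    """Return one dict per domain controller listed by nltest /dclist."""
    dcs = []
    for line in text.splitlines():
        m = DC_LINE.match(line)
        if m:
            host, _, domain = m.group("fqdn").partition(".")
            dcs.append({"host": host.lower(),
                        "dns_domain": domain.lower(),
                        "pdc": "[PDC]" in m.group("flags")})
    return dcs


def audit_dcs(dcs):
    """Flag DCs that disagree on the DNS domain or use a single-label one."""
    findings = []
    domains = sorted({dc["dns_domain"] for dc in dcs})
    if len(domains) > 1:
        findings.append("DNS domain mismatch between DCs: " + ", ".join(domains))
    for dc in dcs:
        if "." not in dc["dns_domain"]:
            findings.append(
                f"{dc['host']} is in single-label DNS domain '{dc['dns_domain']}'")
    return findings


def failed_registrations(netdiag_text):
    """Undo the 80-column console wrapping, then list the records that failed."""
    joined = "".join(netdiag_text.splitlines())
    # "re-registeration" is spelled the way netdiag prints it.
    names = re.findall(r"DC DNS entry (\S+?)\. ?re-registeration", joined)
    return [n.lower() for n in names]


def records_outside_suffix(records, dns_domain):
    """Records that do not live under the given DNS domain."""
    return [r for r in records if not r.endswith("." + dns_domain)]


if __name__ == "__main__":
    dcs = parse_dclist(NLTEST_OUTPUT)
    for finding in audit_dcs(dcs):
        print(finding)
    pdc = next(dc for dc in dcs if dc["pdc"])
    failed = failed_registrations(NETDIAG_EXCERPT)
    for rec in records_outside_suffix(failed, pdc["dns_domain"]):
        print(f"{rec} is not under the PDC's suffix '{pdc['dns_domain']}'")
```
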
Joseph NyaemaIT ConsultantCommented:
Sorry on that last bit
 should read....

 Point the DNS entries in TCP/IP to the SBS server's IP (192.168.1.4)
0
Joseph NyaemaIT ConsultantCommented:
To avoid future problems I would suggest you start afresh and use the domain
BMCDOMAIN2000.local
0
grantballantyneAuthor Commented:
Hi Nyaema,

Thanks for the advice.

I have removed active directory from the Win2003 server, and followed your instructions to amend the DNS settings.  

I still have problems seeing bmcserver2000 in network places.

You mention to avoid future problems that we should start afresh? Considering we have a small company, this seems the most logical thing to do as we have spent a long time troubleshooting the problem and not getting anywhere.

- To do this do I remove active directory from bmcserver2000 and reinstall it?  

Thanks again for all your help - it is much appreciated

gb
0
Joseph NyaemaIT ConsultantCommented:
Correct. Remove active directory and reinstall
start->run
DCPromo.

Remember to remove the old reference to BMCDOMAIN2000 domain in DNS
and create BMCDOMAIN2000.local

And since you are starting afresh I suggest you use 192.168.1.253 as the SBS server IP
leaving 192.168.1.254 for the router - 192.168.1.4 is in the middle...

To install
start->run
DCPromo.


After the reinstall, all computers will need to be rejoined to the Domain again.
Their DNS entries should all point to the SBS server.
To keep track of your client TCP/IP settings I recommend you use DHCP
The DHCP scope maybe can start from 192.168.1.10 or 20 (reserving the lower ones for other devices like printers and print servers) and end at 192.168.1.200 (Upper reserved for Admin use)

that way you can easily reconfigure clients.

Good luck...
0
Joseph NyaemaIT ConsultantCommented:
Remember to use BMCDOMAIN2000.local
when you run DCPromo the second time after the reboot.
0
grantballantyneAuthor Commented:
Thanks Nyaema, I'll let you know how I get on!

gb
0
Joseph NyaemaIT ConsultantCommented:
TheLearnedOne..
grantballantyne never got back on this
but I believe that was because I sorted his problem
and therefore believe I deserve the points


Right Grantballantyne ;-)
0

blueoakmoCommented:
Hm... a mind reader...

Maybe we should split the points?
0
Joseph NyaemaIT ConsultantCommented:
Ha ha...

That's up to TheLearnedOne and Grantballantyne.

Grantballantyne Please decide this question for us.
For we would really like to know what happened.

All the same I'm sure you followed my instructions and got your problem sorted... =-)  Right...

TheLearnedOne has already posted a URL on how you can close this question.
http://www.experts-exchange.com/help.jsp#hs5
0