Evolutis
Access Denied between Domain Controllers

Hi,

I have a lot of problems between two DCs (Windows 2003 Server) of the SAME DOMAIN (no firewalls, hardware or software, between them).

One of them is DC with GC, Files and printers and the other is a DC with GC and Exchange 2003 (all updates are installed).

From the Exchange Server to the other server I get an Access Denied for every admin or policy tool I use whenever a data exchange is needed with the other DC. I also cannot access the administrative share (c$) on the other server (it works from the data server to the Exchange server).

I've checked my DNS configuration and everything is OK.

If I try to demote/promote the Exchange server I also get an "Access Denied".

Here are also some other errors I see in the Event Log:

Data Server
--------------
Kerberos, Event Id 4 (KRB_AP_ERR_MODIFIED)
NtFrs, Event Id 13508


Exchange Server
-------------------
Kerberos, Event Id 4 (KRB_AP_ERR_MODIFIED)
Userenv, Event Id 1058 (Access Denied)
NtFrs, Event Id 13508
SRMSVC, Event Id 12317 (Access Denied)

Some DCDiag errors:
NetLogons : An net use or LsaPolicy operation failed with error 5, Win32 Error 5
MachineAccount : Could not open pipe with [SERVERNAME]: failed with 5: Win32 Error 5, Could no get NetBIOSDomainName, Failed can not test for HOST SPN
Services : Could not open Remoteipc to [SERVERNAME]: failed with 5: Win32 Error 5
frssysvol : [SERVERNAME] An net use or LsaPolicy operation failed with error 5, Win32 Error 5. The registry lookup failed to determine the state of the SYSVOL. The error returned was 5. Check the FRS event log to see if the SYSVOL has successfully been shared.

URGENT HELP IS NEEDED
SOLUTION
redseatechnologies
[This solution is only available to members.]
Evolutis (ASKER)

Hi Red,

Thanks for your help.

The DNS configuration is as follows:
- Exchange Server : DNS Master
- Data Server : DNS (Secondary).

I've deleted the zones on both servers and recreated them.

I still have the same problems after a reboot of both servers (and an ipconfig /registerdns to be sure).

It really seems that there are rights problems or something like that.

One other piece of information: FRSDiag tells me that the SYSVOL junction points are missing, but that's wrong, they exist.

Evolutis
Can you ping from one server to another?

Can you paste an ipconfig /all from both servers so we can see what is going on?

-red
Red,

Yes, ping is working from one server to another.

Here are the ipconfig results:

DATA SERVER :
Windows IP Configuration
    Host Name .................... : <DATASERVERNAME>
    Primary Dns Suffix ......... : <domain name>
    Node Type .................... : Hybrid
    IP Routing Enabled ......... : No
    WINS Proxy Enabled ....... : No
    DNS Suffix Search List .... : <domain name>
Ethernet adapter Local Area Connection :
    Connection-specific DNS suffix :
    Description .......................... : Intel(R) PRO/100+ PCI Adapter
    Physical Address .................. : <MAC Address>
    Dhcp Enabled ....................... : No
    IP Address ........................... : 192.168.14.11
    Subnet Mask ........................ : 255.255.255.0
    Default Gateway ................... : 192.168.14.1
    DNS Servers ........................ : 192.168.14.12
                                                  192.168.14.11
    WINS Server ........................ : 192.168.14.12

EXCHANGE SERVER :
Windows IP Configuration
    Host Name .................... : <DATASERVERNAME>
    Primary Dns Suffix ......... : <domain name>
    Node Type .................... : Hybrid
    IP Routing Enabled ......... : No
    WINS Proxy Enabled ....... : No
    DNS Suffix Search List .... : <domain name>
Ethernet adapter Local Area Connection :
    Connection-specific DNS suffix :
    Description .......................... : IEmbedded Broadcom NetXtreme 5721 PCI-E Gigabit NIC
    Physical Address .................. : <MAC Address>
    Dhcp Enabled ....................... : No
    IP Address ........................... : 192.168.14.12
    Subnet Mask ........................ : 255.255.255.0
    Default Gateway ................... : 192.168.14.1
    DNS Servers ........................ : 192.168.14.12
                                                  192.168.14.11
    WINS Server ........................ : 192.168.14.12

Evolutis
That all looks good, which means it is something else (which will be harder to find).

I hate posting links to eventid, but there really are too many possible options to try and list them.  1058 is the ID that is showing up with a heap of hits (as it is a vague error) so that is the best place to start.

http://www.eventid.net/display.asp?eventid=1058&eventno=1752&source=Userenv&phase=1

Sticking out to me is anti-virus scanning the sysvol folders, other than that, there is nothing obvious.

Let me know if you find anything, otherwise I will look around for something else (and try to attract other experts)

-red
Yes, it seems to be really hard to resolve...

I saw this web page but nothing seems to work.

Another thing is that the Exchange Information Store doesn't want to start anymore (0x80004005).

I'm becoming crazy with this issue !

Evolutis
This is getting ugly,

http://support.microsoft.com/kb/822579
http://support.microsoft.com/kb/923171

I would make a copy of your EDB and STM files, and then work on the DNS/Connectivity issues that you are having.

-red
Yes, I backed up my whole MDBDATA folder to be sure that I'll lose nothing.

822579 is OK
923171 is not applicable.

It seems that the problem is around DFS/FRS/GPO/AD.

Do you have any other idea ???

Evolutis
SOLUTION
[This solution is only available to members.]

SOLUTION
[This solution is only available to members.]
Hi Sembee,

You're right, it's not really recommended to have the DC role on an Exchange Server, but this was done by the previous IT services company.

The problem is that the Exchange Server cannot correctly access Active Directory to publish information through Outlook or OWA.

Hi Chris-Dent,

Both machines are in the Domain Controllers OU, but I can access the Default Domain Controllers policy only from the Data server (Access Denied if I try from the mail server).

Evolutis
ASKER CERTIFIED SOLUTION
[This solution is only available to members.]

SOLUTION
[This solution is only available to members.]
Hi Everybody,

I finally resolved it; here are the details:

The replication of SYSVOL was not working because of an error between the Default Domain Controllers policy (Digitally sign communications for Microsoft network server and Microsoft network client was set to disabled) and the registry (HKLM\system\CurrentControlSet\Services\lanmanserver\parameters\requiresecuritysignature was set to 1).

I also followed this article : http://support.microsoft.com/default.aspx?scid=kb;en-us;315457

Here are also some useful articles:

http://support.microsoft.com/?kbid=842162
http://support.microsoft.com/kb/292438
http://support.microsoft.com/kb/329491
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/stgmgmt/fs/file_replication_service_reference.asp
http://www.microsoft.com/windowsserver2003/technologies/storage/dfs/tshootfrs.mspx
http://technet2.microsoft.com/WindowsServer/en/library/7636aede-a944-4765-8973-40dc1e1f2d561033.mspx?mfr=true

After having solved the errors in Active Directory, my Exchange Server went back online completely.

Thanks to all of you that have helped me !

Here is how and why I sent points to you :

redseatechnologies : 200 points because you were the fastest to reply and the DNS settings had to be rebuilt
Sembee : 150 points because you told me which actions have to be avoided on an Exchange Server and I know that you're a God with Exchange (you saved my life already one time...  ;-) )
Chris-Dent : 100 points because the Default Domain Controllers Policy was one of the reasons for this mess
Jay_Jay70 : 50 points, you've tried to help me also.

Thanks again to everybody.

Cheers

Evolutis.
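The root cause above was drift between the Default Domain Controllers Policy (signing "Disabled") and the LanmanServer RequireSecuritySignature registry value (1): one DC insisted on signed SMB sessions while the policy told the other DC's client not to sign, so RPC, SYSVOL and admin-share access all failed with error 5. The following PowerShell audit is an added example, not from the thread; run it on each DC. The -ExpectedRequire and -ExpectedEnable parameters are assumed and take the values the policy shows for "Digitally sign communications (always)" and "(if client agrees)" (1 = Enabled, 0 = Disabled).

```powershell
# Added example: compare this host's SMB signing registry values with the
# values the Default Domain Controllers Policy is expected to set.
# -ExpectedRequire / -ExpectedEnable are assumed parameters, not from the thread.
param(
    [int]$ExpectedRequire = 0,   # policy: "Digitally sign communications (always)"
    [int]$ExpectedEnable  = 0    # policy: "Digitally sign communications (if client agrees)"
)

# Server side (what this DC demands of inbound sessions) and client side
# (what this DC does when it connects out, e.g. to the other DC's SYSVOL).
$paths = @{
    'LanmanServer'      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    'LanmanWorkstation' = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
}

function Get-SigningValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the OS default applies
    return [int]$item.$Name
}

$drift = @()
foreach ($svc in $paths.Keys) {
    $require = Get-SigningValue -Path $paths[$svc] -Name 'RequireSecuritySignature'
    $enable  = Get-SigningValue -Path $paths[$svc] -Name 'EnableSecuritySignature'

    # Effective behaviour: Require=1 wins; otherwise Enable=1 negotiates signing.
    $state = 'Disabled'
    if ($require -eq 1) { $state = 'Required' } elseif ($enable -eq 1) { $state = 'Negotiated' }
    Write-Host ("{0,-18} Require={1} Enable={2} -> signing {3}" -f $svc, $require, $enable, $state)

    if ($null -ne $require -and $require -ne $ExpectedRequire) {
        $drift += "$svc RequireSecuritySignature=$require but policy says $ExpectedRequire"
    }
    if ($null -ne $enable -and $enable -ne $ExpectedEnable) {
        $drift += "$svc EnableSecuritySignature=$enable but policy says $ExpectedEnable"
    }
}

if ($drift.Count -eq 0) {
    Write-Host 'Registry matches the expected policy.'
} else {
    # A value that still differs after gpupdate /force means the policy is not
    # being applied on this host at all, which is what the Userenv 1058 events
    # in the thread were reporting.
    $drift | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run the audit on both DCs and compare the two reports: a "Required" server on one side facing a "Disabled" client on the other reproduces the Access Denied pattern described in the thread.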
... I forgot CharliePete00, who was the closer, so here is how to redistribute the points:

redseatechnologies : 150 points
Sembee : 100 points
CharliePete00 : 150 points
Chris-Dent : 80 points
Jay_Jay70 : 20 points

Evolutis
You realise that you haven't split the points, right?

If you want to, one of the PEs that was involved in this thread may be able to reopen it for you

-red
Right, I thought I could do it but I didn't find where...

I've just sent an email to info@experts-exchange.com to tell them to split the points.

Hope it will be done quickly.

Best regards.

Evolutis
Don't worry about the points for me, I didn't get you anywhere. Just use the split points down the bottom.

James