techspeak asked:

SBS 2003 Can't access Server / DNS issues

I have a new client that had one existing Win SBS 2003 server (DC, AD). I went out a few months ago for the first time and corrected some DNS errors that have not recurred. Everything's been running great - until someone in their office installed a new router. The user disabled DHCP at the server and enabled it at the router. They're not actually using DHCP for workstation addresses as he created static ip addresses for the workstations at the router - and didn't specify a DNS server (internally).

The workstations have been running really slowly - and getting lots of Userenv and Autoenrollment errors.

I went out a couple of days ago to check on the Server status because they've asked me to install Exchange; this is when I first heard of the router and speed issues. I cleaned up a number of workstation permission issues and then added the File Server's IP address (192.168.0.2) to the router's DHCP section. (The workstations are using Static IP as I mentioned, but without the specified DNS entry, they defaulted to the DNS servers of the ISP.) The workstations were then using the Server's IP address.

The users reported that everything ran much faster - and their error logs were clean.

Today, I asked them to restart the server at lunch - and the three workstations; this had not been done since I made the router DNS change. I wanted to get a fresh look at their error logs and to make sure everything was working before starting on Exchange. After that, the workstations could no longer login (Userenv and Autoenrollment again) with no access at all to the Server (permissions errors). The Server reported 7062 errors.

I saw Microsoft's pages on the Server error (218814 & 249868) and went thru and verified that DNS was ok. (The last time I looked, I was no longer getting these messages.) I verified that the workstations were getting the Server's DNS address - which they were - but they couldn't browse the internet with this address, since the Server was inaccessible. If I change the DNS address back to the router, the internet works (of course) - but still no Server.

I am no longer at the client's site. I'll be back in on Sunday. Frankly, I'm a bit stymied.

Any ideas?
Netman66

That's the way it works, I'm afraid.

If this is AD, then the workstations and the server need to use only the local DNS server.  Either Root Hints or Forwarders are used for queries to the internet.

If the server goes offline, then the client won't have any DNS resolution - which is to be expected.  If you add the router as the Secondary DNS entry on the NICs then they should (after a few attempts) start using the router for DNS.

The problem is that when this practice is used in a closed AD environment then network glitches or slowness causes the client to use the router (secondary) DNS for domain lookups which won't work.

Once the client has started using the router, it doesn't automatically try the Primary DNS entry again to see if it's back up until you actually reboot.

Either way, it's not a great scenario.  Your best option is to have 2 DNS servers local - but even that isn't particularly cost effective or foolproof.

The only thing to do is continue to use the local DNS server only.  If it goes offline and will be out of commission for a long time, then change the client DNS - other than that, just get the server back online again.

NM
techspeak (ASKER)

Hey Netman66 -

Thanks for the reply. I really appreciate the info, but think I might have been unclear. Currently, whether I designate the Server OR the router as the DNS server (any kind of way) the user can't see the Server. No matter how I set the DNS settings, users cannot log in to the Server. If I set the DNS Server to the router (or ISP), the users can at least use the Internet.

The Server itself is up and running - and did not have any DNS errors when I was there last - so I'm really perplexed. It is possible that since I was there another 7062 error was logged, but my remote access isn't working, so I can't say for sure.

There is one FLZ and one RLZ. The root hints were recreated today by looking to the ISP's DNS Server.

Any ideas? I can't log in to the Server, no matter what I do.
I would guess that (due to previous configurations) the server has not registered any SRV records with its DNS.  Therefore, the clients can't locate it.

Make sure the Server has a static address and ONLY points to itself for DNS.
Make sure your DNS FLZ and RLZ are set to allow Secure Dynamic Updates.
(Optional) Make sure the zones are AD Integrated.
Make sure the _msdcs.domain.com zone exists.

Restart the Netlogon Service on the server.
Run (from CMD window) IPCONFIG /registerdns

Check in DNS to make sure the records for _msdcs.domain.com now exist.

Your clients should now point to your DNS server - and if things are right, they'll work properly.

You are wonderful. All great suggestions - I'll try on Sunday when I can get back in.
Two quick questions:
- Is there any benefit to running DHCP on a router (like the Linksys) vs the Server? I usually run on the Server.......but am curious.
- When you say to check for the _msdcs.domain.com zone, I remember seeing _msdcs as a sub of the rza.local zone. Do you mean that the FLZ should be _msdcs.rza.local?
In a Domain environment, you should be running DHCP from the server.  It then has the ability to register records on behalf of the client - if you want it to.  You also have only one place to manage the network from - the server.

If this was always a 2003 DNS setup then the _msdcs zone should be at the same level as the domain zone.  It used to be inside the domain zone in 2000, but was moved outside to facilitate Application Partitions and replication scope.

If it's inside the main domain zone, then it's simple to create a top level zone - let me know BEFORE you do anything so I can provide you with the proper advice.
There is only the rza.local FLZ with _msdcs underneath. It is a relatively new SBS 2003 install - never upgraded. Let me know how best to proceed.
Also, they're not even using DHCP, as far as I can tell, but have it turned on on the router - with Static IP exceptions created and assigned to MAC addresses. Would you recommend that I disable this and assign the Static IP addresses from the User or Computer records on the Server?
For SBS it's best to leave things as the Wizard set them up - however, it's not the same as a default Server 2003 install (non-SBS) and that puzzles me.  They (MS) are probably using the old 2000 scripts to create everything.
 
They are using Reservations if there are MAC addresses in there.

You can certainly repeat this inside the server DHCP installation.  You would add a Reservation by MAC in under the new scope.  Make sure the server has a STATIC address and is excluded from the scope (as is the router).



Thanks, Netman66. I agree about the MS scripts - but I was talking about the router. When I say they, I mean the guy who does the in-house support when I'm not there. He set up the router with DHCP - and static IP addresses for the workstations. I was understanding you to say that I would be well advised to move the static IP addresses to either the workstations or to the Server, inside the computer object. Correct? .....since they're not really using DHCP anyway.

Also, you had mentioned before that I should tell you if the _msdcs was underneath the top level zone, which it is. You said you'd give me proper advice on creating a new top-level zone......?
By the way, your advice is REALLY appreciated.
It's safe to use proper DHCP on this network.  It's less maintenance for you in the end.

I would turn off DHCP on the router.
Anything that needs a specific IP address, then make that reservation in DHCP.
Anything that is statically addressed (except the workstations) should be excluded from the scope.

Since this is SBS, leave the _msdcs zone where it is.  Just make sure the server and SRV records are properly registered inside that zone.

Re: the zones - I'm a little confused. I thought you were originally saying that I should have both a _msdcs.domain.com AND a domain.com under FLZ. Yes? I don't. I only have the domain.com with a _msdcs underneath. I will run ipconfig/registerdns and see where that leaves me.

Is there anything I should run to determine DNS health? I'm going in at 1pm today with people standing over my shoulder the whole time. I would LOVE to knock this out!

OH. And how do I make my DNS changes propagate immediately? I know sometimes it takes awhile for it to happen automatically.......
I think I've found the answer to the last DNS question (re: propagating).
Don't be confused.

DNS in Server 2003 *normally* has the _msdcs.domain.com zone at the same level as the domain.com zone.  In this case (since it's SBS) it's okay to leave it where it is.

DNS uses FRS to replicate - you never mentioned there was a second DC running DNS.  In AD Sites and Services, expand the server then select it (on the left); on the right pane you right click NTDS settings then select Replicate Now.

If there are two DNS servers, on the second (non-root) DC is the _msdcs zone present in the domain.com zone?

Hey -
OK. I'm onsite. I've run ipconfig/registerdns, reviewed all DNS settings and made the corrections you suggested. I've stopped and restarted netlogon. I tried to run the Replicate Now - but when I click on the NTDS settings listed on the left, there's nothing in the right window to click on.

??
Just so you know, I am using one workstation to test. I have given that workstation a static IP address with the router as the gateway and the server as the dns server. I am still getting the exact same result: the workstation tries to login but generates Userenv 1054 and Autoenrollment 15 errors. If I browse to the server and try to connect, it says the server is inaccessible; that I may not have permissions.
Also, I'm getting tons of 7062 errors in the server's dns logs.
OK. I've completely recreated the FLZ & RLZ, stopped and restarted DNS and NetLogon. I am getting no DNS errors in the log but netdiag /fix gives me tons of _ldap and _msdcs errors.
Any other ideas? I still can't attach a workstation......
OK. As per another EE entry, I have added a second primary zone called _msdcs.rza.local. I stopped and started NetLogon and then reran IPconfig /registerdns. No errors in the DNS logs, but none of the usual folders either: no _msdcs, _sites, _tcp or _udp. Do you want me to upload netdiag /fix output? the netlogon.dns - which seems full of entries? I'm not sure what else to do at this point.....
I am posting the results of netdiag/fix. I'm really in a pinch..........Any ideas?

Netcard queries test . . . . . . . : Passed
Per interface results:

    Adapter : Server Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : Server
        IP Address . . . . . . . . : 192.168.0.2
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.0.1
        Primary WINS Server. . . . : 192.168.0.2
        Dns Servers. . . . . . . . : 192.168.0.2


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messeng
r Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Passed


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{11974A5C-7DCF-4638-A497-5C39361C9278}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Serv
ce', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Failed
          [WARNING] Cannot find a primary authoritative DNS server for the name
            'Server.rza.local.'. [RCODE_SERVER_FAILURE]
            The name 'Server.rza.local.' may not be registered in DNS.
    [FATAL] Failed to fix: DC DNS entry rza.local. re-registeration on DNS serv
r '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.rza.local. re-registeration
n DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sit
s.rza.local. re-registeration on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.pdc._msdcs.rza.local. re-reg
steration on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.rza.local. re-regi
teration on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sit
s.gc._msdcs.rza.local. re-registeration on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.ae248820-dd3e-48f7-8b3f-fb3a
6c4e384.domains._msdcs.rza.local. re-registeration on DNS server '192.168.0.2'
ailed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry gc._msdcs.rza.local. re-registeration o
 DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry 99987cb0-7e98-49ab-89d5-ec72b5285e4e._m
dcs.rza.local. re-registeration on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.rza.local. re-
egisteration on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name.
sites.dc._msdcs.rza.local. re-registeration on DNS server '192.168.0.2' failed.

DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.rza.local. re-regi
teration on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sit
s.dc._msdcs.rza.local. re-registeration on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.rza.local. re-registerat
on on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name.
sites.rza.local. re-registeration on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _gc._tcp.rza.local. re-registeration on
DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _gc._tcp.Default-First-Site-Name._sites
rza.local. re-registeration on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kerberos._udp.rza.local. re-registerat
on on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.rza.local. re-registerati
n on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kpasswd._udp.rza.local. re-registerati
n on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry ForestDnsZones.rza.local. re-registerat
on on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.ForestDnsZones.rza.local. re
registeration on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sit
s.ForestDnsZones.rza.local. re-registeration on DNS server '192.168.0.2' failed

DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry DomainDnsZones.rza.local. re-registerat
on on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.DomainDnsZones.rza.local. re
registeration on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sit
s.DomainDnsZones.rza.local. re-registeration on DNS server '192.168.0.2' failed

DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for t
is DC on DNS server '192.168.0.2'.
    [FATAL] No DNS servers have the DNS records for this DC registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{11974A5C-7DCF-4638-A497-5C39361C9278}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{11974A5C-7DCF-4638-A497-5C39361C9278}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Failed
        Failed to enumerate DCs by using the browser. [ERROR_BAD_NETPATH]


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully

C:\Program Files\Support Tools>
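
A parser for `netdiag /fix` output like the log posted above, as an added example that is not part of the original thread: it lists the failed tests and groups the DC DNS records that could not be re-registered by the service clients locate through them. The sample text is constructed in the posted format (assumed unwrapped, as when redirected to a file), and the function names and service grouping are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the netdiag /fix output posted above
# (unwrapped, as when redirected to a file); not the poster's actual log.
SAMPLE = """\
Netcard queries test . . . . . . . : Passed

Per interface results:

    Adapter : Server Local Area Connection

        Netcard queries test . . . : Passed

Global results:

Domain membership test . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Failed
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.rza.local. re-registeration on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.rza.local. re-registeration on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _gc._tcp.rza.local. re-registeration on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kpasswd._udp.rza.local. re-registeration on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry ForestDnsZones.rza.local. re-registeration on DNS server '192.168.0.2' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] No DNS servers have the DNS records for this DC registered.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Failed
        Failed to enumerate DCs by using the browser. [ERROR_BAD_NETPATH]

Kerberos test. . . . . . . . . . . : Passed
"""

# Global test summary lines start in column 0: "<name> . . . : <status>".
# Indented per-interface lines are deliberately not matched.
TEST_RE = re.compile(
    r"^(?P<name>\S[^\n]*?) ?(?:\. ?){2,}: +(?P<status>Passed|Failed|Skipped)[ \t]*$",
    re.MULTILINE,
)

# One failed re-registration plus the error code on the following line.
# "re-registeration" is netdiag's own spelling.
FAIL_RE = re.compile(
    r"\[FATAL\] Failed to fix: DC DNS entry (?P<record>\S+) "
    r"re-registeration on DNS server '(?P<server>[^']+)' failed\.\s*"
    r"DNS Error code: (?P<code>\S+)"
)

# Grouping by the first label of the record name (this example's own mapping).
SERVICE_BY_LABEL = {
    "_ldap": "LDAP (DC locator)",
    "_kerberos": "Kerberos KDC",
    "_kpasswd": "Kerberos password change",
    "_gc": "Global Catalog",
}


def parse_netdiag(text):
    """Return ({test name: status}, [(record, dns server, error code), ...])."""
    tests = {m["name"].strip(): m["status"] for m in TEST_RE.finditer(text)}
    failures = [(m["record"], m["server"], m["code"]) for m in FAIL_RE.finditer(text)]
    return tests, failures


def failed_tests(tests):
    """Names of the global tests that reported Failed."""
    return sorted(name for name, status in tests.items() if status == "Failed")


def group_by_service(failures):
    """Map each affected service to the records that failed to register."""
    grouped = defaultdict(list)
    for record, _server, _code in failures:
        label = record.split(".", 1)[0].lower()
        grouped[SERVICE_BY_LABEL.get(label, "host/alias record")].append(record)
    return {service: sorted(records) for service, records in grouped.items()}


if __name__ == "__main__":
    tests, failures = parse_netdiag(SAMPLE)
    print("Failed tests:", ", ".join(failed_tests(tests)) or "none")
    for service, records in sorted(group_by_service(failures).items()):
        print(f"{service}: {len(records)} record(s) not registered")
        for record in records:
            print("   ", record)
```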
Anybody have any input on this?
Latest: DNS has now been fully populated. I'm not getting any DNS errors in netdiag  /fix. My workstations are still not connecting tho - Userenv/1054 and Autoenrollment/15. Any advice?
It looks like there are 2 NICs in the server - move the Internal (LAN side) NIC to the top of the binding order.

Restart the server.

HEYYYY! God, I am desperate.
There aren't two nics - only one. the only errors i'm getting are in browstat status - it just says that browsing is not enabled on the domain. I think we're SO close!
Here's the latest netdiag output:
Computer Name: SERVER
    DNS Host Name: Server.rza.local
    System info : Microsoft Windows Server 2003 (Build 3790)
    Processor : x86 Family 15 Model 4 Stepping 10, GenuineIntel
    List of installed hotfixes :


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Server Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : Server
        IP Address . . . . . . . . : 192.168.0.2
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.0.1
        Primary WINS Server. . . . : 192.168.0.2
        Dns Servers. . . . . . . . : 192.168.0.2


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Passed


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{11974A5C-7DCF-4638-A497-5C39361C9278}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.0.2'.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{11974A5C-7DCF-4638-A497-5C39361C9278}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{11974A5C-7DCF-4638-A497-5C39361C9278}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Failed
        Failed to enumerate DCs by using the browser. [ERROR_NO_BROWSER_SERVERS_FOUND]


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully
NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

This error generally means the NIC at the top of the binding order is on the outside of the LAN.

Please look in Device Manager, under Network Cards - what is listed?  There is likely a Firewire adapter there if you say there isn't 2 NICs.
In device mgr at the Server/pdc, i have one intel pro/100 mt network connection. nothing else.
On the main DC, check this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters

for the following two values:

IsDomainMaster = "Yes"
MaintainServerList = "Auto"

If they are not set correctly, then set them as above.
If they are missing, create them exactly as above - they are REG_SZ (String) values.

Let me know
Well, i thought you were onto something, but no change. the 'isdomainmaster' was FALSE - so I changed to TRUE; 'Maintainserverlist' was set to Yes. (I changed to Auto)
Browstat still says that browsing is not active - and because I've turned on several workstations, now thinks the browser name is held by one of them. ????
No, reboot the server now and wait a bit.

You should see (in the Event Log) that it forced an election.  

It's not an immediate thing - it now needs to gather network browser information, which takes some time.

ok. i'm going to do that now. thanks.......
just fyi, browstat is still showing same. i'm not sure how long to wait......but i'm falling into a little techno-clump. my brain is fried. if you think it'll take more than 5 more minutes to update, i'm going to call it a night.........by the way, i opened another ticket out of sheer desperation. if you figure this out, you should respond to it as well for megapoints. no one has given me much yet.....
Post the output of "browstat status", "browstat stats" and "browstat dumpnet"


one last thing. i have the workstations temporarily setup with 192.168 static ip's with 0.1 as gateway and dns - just so they can at least use the internet in the morning. if i try to browse for the server, i see it in the list but get \\server not accessible, might not have permission when i try to look at it.

to test it tomorrow, they should be able to browse ok without changing ip addresses, right? if they can't browse to the server by tomorrow morning, i can assume it's still not working........?
Well, for DNS they need to point to the server or domain functionality is non-existent.

Is the File and Print service checked in the TCP/IP properties of the NIC?

Re: DNS - ok. we'll change the workstation ip dns back to the server (0.2) to test in the morning.
Re: F&P Service - I believe so, but I'll double-check.
Re: Remote Access - I had Remote Desktop working before this started. It hasn't worked since - and still isn't working from my office, so I guess the problem is not yet resolved.
Morning, netman.
Well, it is still not working. File and Printer Sharing is checked and even if the workstation changes its dns address to 0.2 it's having the same problem seeing the server.
Two things: Even if I try to browse the network from the Server I get the messages about inaccessibility and lack of permissions. I don't even have to try a workstation to know it's not working.

Also, I'm still getting the DC list test failure with netdiag. This has got to be a huge clue.......but to what?
Two more notes:
Exchange is enabled but not setup, as far as I can tell. I had disabled Exchange the last time I was there, so I was noting that someone had re-enabled.
In my manic search, i did notice some MS articles on single-label domain problems. Their domain name is rza.local. I made the two registry changes at the server and one workstation, but this seemed to have no effect.
It doesn't look like a Single-Label DNS issue even though it's behaving like one.

I'd love to remote in and take a look - see what you can do.

Is NetBIOS over TCP/IP enabled?
Is there a reason why you are running WINS?

Well, I would LOVE for RDC to work - but I can't get it to since this happens. It seems that whatever caused this problem browsing/logging in has affected my RDC connection.
NetBios over IP is enabled. I tried disabling it just to see what happened and it just made browstat inoperable - and no change browsing/accessing Server. (Browstat Status would then just bring me to a command line.) I only added WINS during all of this to troubleshoot. We have three XP pro and two W2K workstations..........
The only errors (warnings) in the error log when I left last night were WinMgmt (5603) and NNTP (101)......if this helps. It really bothers me that I have NO other errors or problems on the Server. Everything looks so close to perfect.....except that DC list test error.
OH. I also tried manually starting Computer Browser (related?) and it wouldn't start, but just says it doesn't start because it's not needed.
One more thing: I cannot ping the server from any workstation. The server can ping the workstations - and see the internet. Do you think there could be a problem with the protocol? i have had a few occasions where an IP repair worked wonders at a workstation...............Is there a good clean way to repair or reinstall IP? Maybe I should add another protocol to test?
Is the firewall on?

Not at the Server - just the router, which I CAN access remotely.
I am going out to the client's again in an hour. I'm curious to know if you have any other ideas........

Thanks!
I think I've pretty much run out of ideas.

You can post the result of DCDIAG /v off that server if you like.

Other than that, a remote session would be ideal.
will do.......
OK. I'm at the client's........and have run dcdiag /v. here 'tis:

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine Server, is a DC.
   * Connecting to directory service on server Server.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\SERVER
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... SERVER passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\SERVER
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
         * Replication Site Latency Check
         ......................... SERVER passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC SERVER.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=rza,DC=local
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=rza,DC=local
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=rza,DC=local
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=rza,DC=local
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=rza,DC=local
            (Domain,Version 2)
         ......................... SERVER passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\SERVER\netlogon
         Verified share \\SERVER\sysvol
         ......................... SERVER passed test NetLogons
      Starting test: Advertising
         The DC SERVER is advertising itself as a DC and having a DS.
         The DC SERVER is advertising as an LDAP server
         The DC SERVER is advertising as having a writeable directory
         The DC SERVER is advertising as a Key Distribution Center
         The DC SERVER is advertising as a time server
         The DS SERVER is advertising as a GC.
         ......................... SERVER passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=rza,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=rza,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=rza,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=rza,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=rza,DC=local
         ......................... SERVER passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 1609 to 1073741823
         * Server.rza.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1109 to 1608
         * rIDPreviousAllocationPool is 1109 to 1608
         * rIDNextRID: 1156
         ......................... SERVER passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC SERVER on DC SERVER.
         * SPN found :LDAP/Server.rza.local/rza.local
         * SPN found :LDAP/Server.rza.local
         * SPN found :LDAP/SERVER
         * SPN found :LDAP/Server.rza.local/RZA
         * SPN found :LDAP/99987cb0-7e98-49ab-89d5-ec72b5285e4e._msdcs.rza.local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/99987cb0-7e98-49ab-89d5-ec72b5285e4e/rza.local
         * SPN found :HOST/Server.rza.local/rza.local
         * SPN found :HOST/Server.rza.local
         * SPN found :HOST/SERVER
         * SPN found :HOST/Server.rza.local/RZA
         * SPN found :GC/Server.rza.local/rza.local
         ......................... SERVER passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
            IsmServ Service is stopped on [SERVER]
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... SERVER failed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         SERVER is in domain DC=rza,DC=local
         Checking for CN=SERVER,OU=Domain Controllers,DC=rza,DC=local in domain DC=rza,DC=local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=rza,DC=local in domain CN=Configuration,DC=rza,DC=local on 1 servers
            Object is up-to-date on all servers.
         ......................... SERVER passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... SERVER passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         ......................... SERVER passed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... SERVER passed test kccevent
      Starting test: systemlog
         * The System Event log test
         Found no errors in System Event log in the last 60 minutes.
         ......................... SERVER passed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)

         CN=SERVER,OU=Domain Controllers,DC=rza,DC=local and backlink on

         CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=rza,DC=local

         are correct.
         The system object reference (frsComputerReferenceBL)

         CN=SERVER,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=rza,DC=local

         and backlink on CN=SERVER,OU=Domain Controllers,DC=rza,DC=local are

         correct.
         The system object reference (serverReferenceBL)

         CN=SERVER,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=rza,DC=local

         and backlink on

         CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=rza,DC=local

         are correct.
         ......................... SERVER passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : rza
      Starting test: CrossRefValidation
         ......................... rza passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... rza passed test CheckSDRefDom
   
   Running enterprise tests on : rza.local
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope

         provided by the command line arguments provided.
         ......................... rza.local passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\Server.rza.local
         Locator Flags: 0xe00001fd
         PDC Name: \\Server.rza.local
         Locator Flags: 0xe00001fd
         Time Server Name: \\Server.rza.local
         Locator Flags: 0xe00001fd
         Preferred Time Server Name: \\Server.rza.local
         Locator Flags: 0xe00001fd
         KDC Name: \\Server.rza.local
         Locator Flags: 0xe00001fd
         ......................... rza.local passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS
Here are the results of the dcdiag /v /test:dns:

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine Server, is a DC.
   * Connecting to directory service on server Server.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\SERVER
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... SERVER passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\SERVER
      Test omitted by user request: Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: NCSecDesc
      Test omitted by user request: NetLogons
      Test omitted by user request: Advertising
      Test omitted by user request: KnowsOfRoleHolders
      Test omitted by user request: RidManager
      Test omitted by user request: MachineAccount
      Test omitted by user request: Services
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: ObjectsReplicated
      Test omitted by user request: frssysvol
      Test omitted by user request: frsevent
      Test omitted by user request: kccevent
      Test omitted by user request: systemlog
      Test omitted by user request: VerifyReplicas
      Test omitted by user request: VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
   
   Running partition tests on : ForestDnsZones
      Test omitted by user request: CrossRefValidation
      Test omitted by user request: CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Test omitted by user request: CrossRefValidation
      Test omitted by user request: CheckSDRefDom
   
   Running partition tests on : Schema
      Test omitted by user request: CrossRefValidation
      Test omitted by user request: CheckSDRefDom
   
   Running partition tests on : Configuration
      Test omitted by user request: CrossRefValidation
      Test omitted by user request: CheckSDRefDom
   
   Running partition tests on : rza
      Test omitted by user request: CrossRefValidation
      Test omitted by user request: CheckSDRefDom
   
   Running enterprise tests on : rza.local
      Test omitted by user request: Intersite
      Test omitted by user request: FsmoCheck
      Starting test: DNS
         Test results for domain controllers:
           
            DC: Server.rza.local
            Domain: rza.local

                 
               TEST: Authentication (Auth)
                  Authentication test: Successfully completed
                 
               TEST: Basic (Basc)
                   Microsoft(R) Windows(R) Server 2003 for Small Business Server (Service Pack level: 1.0) is supported
                  NETLOGON service is running
                  kdc service is running
                  DNSCACHE service is running
                  DNS service is running
                  DC is a DNS server
                  Network adapters information:
                  Adapter [00000001] Intel(R) PRO/1000 MT Network Connection:
                     MAC address is 00:13:72:FD:CF:CC
                     IP address is static
                     IP address: 192.168.0.2
                     DNS servers:
                        192.168.0.2 (<name unavailable>) [Valid]
                  The A record for this DC was found
                  The SOA record for the Active Directory zone was found
                  The Active Directory zone on this DC/DNS server was found (primary)
                  Root zone on this DC/DNS server was not found
                 
               TEST: Forwarders/Root hints (Forw)
                  Recursion is enabled
                  Forwarders Information:
                     67.69.184.160 (<name unavailable>) [Valid]
                 
               TEST: Delegations (Del)
                  No delegations were found in this zone on this DNS server
                 
               TEST: Dynamic update (Dyn)
                  Dynamic update is enabled on the zone rza.local.
                  Test record _dcdiag_test_record added successfully in zone rza.local.
                  Test record _dcdiag_test_record deleted successfully in zone rza.local.
                 
               TEST: Records registration (RReg)
                  Network Adapter [00000001] Intel(R) PRO/1000 MT Network Connection:
                     Matching A record found at DNS server 192.168.0.2:
                     Server.rza.local

                     Matching CNAME record found at DNS server 192.168.0.2:
                     99987cb0-7e98-49ab-89d5-ec72b5285e4e._msdcs.rza.local

                     Matching DC SRV record found at DNS server 192.168.0.2:
                     _ldap._tcp.dc._msdcs.rza.local

                     Matching GC SRV record found at DNS server 192.168.0.2:
                     _ldap._tcp.gc._msdcs.rza.local

                     Matching PDC SRV record found at DNS server 192.168.0.2:
                     _ldap._tcp.pdc._msdcs.rza.local

         
         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 192.168.0.2 (<name unavailable>)
               All tests passed on this DNS server
               This is a valid DNS server.
               Name resolution is funtional. _ldap._tcp SRV record for the forest root domain is registered
               
            DNS server: 67.69.184.160 (<name unavailable>)
               All tests passed on this DNS server
               This is a valid DNS server.
               
         Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               ________________________________________________________________
            Domain: rza.local
               Server                       PASS PASS PASS PASS PASS PASS n/a  
         
         ......................... rza.local passed test DNS
IsmServ Service is stopped on [SERVER]

Start that service and make sure it's set to Automatic - not sure if that will solve things, but it looks like it should be running.

Also - TCP/IP NetBIOS Helper service - make sure it's started and set to Automatic.
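
Added example, not part of the original thread: in verbose dcdiag output like the run above, a single failing test is easy to miss among the passes. This Python parser runs over a constructed excerpt in the same format and returns only the failed tests with the lines that explain them; the function names `parse_dcdiag` and `failures` are illustrative.

```python
import re

# Constructed sample: an excerpt in the shape of the dcdiag /v output above.
SAMPLE = """\
      Starting test: MachineAccount
         Checking machine account for DC SERVER on DC SERVER.
         * SPN found :HOST/SERVER
         ......................... SERVER passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: IsmServ
            IsmServ Service is stopped on [SERVER]
         * Checking Service: kdc
         ......................... SERVER failed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: frssysvol
         File Replication Service's SYSVOL is ready
         ......................... SERVER passed test frssysvol
"""

START = re.compile(r"^\s*Starting test:\s*(\S+)")
RESULT = re.compile(r"^\s*\.{5,}\s*(\S+) (passed|failed) test (\S+)")
OMITTED = re.compile(r"^\s*Test omitted by user request:\s*(\S+)")

def parse_dcdiag(text):
    """Return (results, omitted). results is a list of dicts with the test
    name, target, status and the non-progress detail lines of that test."""
    results, omitted, name, details = [], [], None, []
    for line in text.splitlines():
        if m := OMITTED.match(line):
            omitted.append(m.group(1))
        elif m := START.match(line):
            name, details = m.group(1), []
        elif m := RESULT.match(line):
            results.append({"test": m.group(3), "target": m.group(1),
                            "status": m.group(2), "details": details})
            name, details = None, []
        elif name and line.strip() and not line.strip().startswith("*"):
            details.append(line.strip())   # skip "* ..." progress lines
    return results, omitted

def failures(text):
    """Only the failed tests, each with the lines that explain the failure."""
    return [r for r in parse_dcdiag(text)[0] if r["status"] == "failed"]

if __name__ == "__main__":
    for f in failures(SAMPLE):
        print(f["target"], "failed", f["test"], "->", "; ".join(f["details"]))
```
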
OH MY GOD. That may have done it.......I'm getting the beginnings of a connection!!!!!! I just ran browstat status and it is not saying that browsing is active on the domain! It's still showing a workstation as Master, though. How best to force the Server?
It will happen on its own - shortly.

Well......that didn't do it, but we do have some great clues. I had added IPX/SPX just to see if that had any effect - and it did have some. The workstations can connect via \\Server and Browstat Status shows all protocols with browsing active with the Server as the Master. If I take out IPX, I'm back to square one. This really seems like an IP issue, yes? It seems we are SOOOO close!
ASKER CERTIFIED SOLUTION
Netman66

This solution is only available to members.
Can I use the netsh command at the Server (netsh in ip reset) like I would to reset IP for an XP workstation?
Thanks for the article. I'll try the netsh command above first and then the rest if need be.....
Ahh....caution there..

This is a production DC.  Read the article.  Don't rush in doing untested things or you'll have a bigger mess to fix.

Well, I'm lucky I didn't read your caution first. I got lucky. I ran the netsh int ip reset - and am back up and running. I had been wondering about IP - but was unsure about how to reset it, and was getting no errors...... It was the document you sent, though, that gave me permission to try. It mentions that a symptom was this command failing, so I gave it a twirl.

You have certainly earned these points, my friend. Thank you SO much for hanging in with me. WHEW!
Anytime.  It's not often the IP stack gets screwed up, but I suppose it happens.  From the looks of the posts, there were other things that needed fixing too - so I guess you got the "tune up" special here!

Cheers,
NM
Don't forget to accept an answer!