dravisk
asked on
Event ID: 40960 There are currently no logon servers available to service the logon request
We have a web server that has some authentication issues. The domain is Win2003, and there are two domain controllers. There are many other machines that exist in the same domain and no other machine has a problem. I checked connectivity with the domain controllers and everythign is ok. Once the Web server is restarted everything works fine for the next 2-3 days. For some reason this webserver always tries to communicate with only the PDC and never attemts SDC once the authentication has failed.
See the error below. Any advice appriciated.
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 5/15/2007
Time: 3:29:27 PM
User: N/A
Computer: PSWEB0
Description:
The Security System detected an authentication error for the server cifs/Pspdc. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
(0xc000005e)".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
See the error below. Any advice appriciated.
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 5/15/2007
Time: 3:29:27 PM
User: N/A
Computer: PSWEB0
Description:
The Security System detected an authentication error for the server cifs/Pspdc. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
(0xc000005e)".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
First of all unless you are using Windows NT4 or earlier you do not have PDC and BDC (or SDC). Since windows 2000 domain controllers are all updateaable and replicate changes to all other domain controllers. Howerver, the first DC will hold five single master roles, one of which happens to be a PDC emulator.
If you want client to use both DCs then both DCs must also have DNS installed. Active Directory Integrated DNS will ensure that this is done and replecated automatically. You also need to make sure that both DCs are a global catalog server, go to Administrative Tools, Active Directory Sites and Services, Expand ,Sites, Default first site and Servers. Right click on the new server and select properties and tick the ‘Global Catalog’ checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership)
If you are using DHCP you should spread this across the domain controllers, In a simple single domain this is easiest done by Setting up DHCP on the second Domain controller and using a scope on the same network that does not overlap with the existing scope on the other Domain Controller. Don’t forget to set the default gateway (router) and DNS Servers.
Talking of which all the clients (and the domain controllers themselves) need to have their Preferred DNS server set to one domain controller, and the Alternate DNS to the other, that way if one of the DNS Servers fails, the clients will automatically use the other.
If you want client to use both DCs then both DCs must also have DNS installed. Active Directory Integrated DNS will ensure that this is done and replecated automatically. You also need to make sure that both DCs are a global catalog server, go to Administrative Tools, Active Directory Sites and Services, Expand ,Sites, Default first site and Servers. Right click on the new server and select properties and tick the ‘Global Catalog’ checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership)
If you are using DHCP you should spread this across the domain controllers, In a simple single domain this is easiest done by Setting up DHCP on the second Domain controller and using a scope on the same network that does not overlap with the existing scope on the other Domain Controller. Don’t forget to set the default gateway (router) and DNS Servers.
Talking of which all the clients (and the domain controllers themselves) need to have their Preferred DNS server set to one domain controller, and the Alternate DNS to the other, that way if one of the DNS Servers fails, the clients will automatically use the other.
ASKER
Both DC have DNS installed and all three network cards on the server have their DNS servers pointing to PDC and SDC.
ASKER
Also I forgot to mention both DC's are global catalogs and DNS records are updated and current on both machines. No problem replicating or anything like that.
Okay, cool.
If you could run DCDiag and check for errors there. I guess the only other concern is the "all three network cards" part. That may pick up this KB Article along the way:
http://support.microsoft.com/kb/272294
Chris
ASKER
I am afraid that article explains multiple adapters that are on different networks. These adapters are on the same network, same subnet and on the same switch so they all see the same traffic. The domain controllers have only one interface, it is the webserver that has 3 interfaces.
What is troublesome is that no other machine is having a problem talking to the domain controllers, and I am wondering if this is in anyway somehow related to the machine account that is registered on AD. Is there anyway to check the health of that machine account on AD?
Here is a dc diag from both PDC and SDC.
C:\Program Files\Support Tools>dcdiag
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\PS
Starting test: Connectivity
......................... PSPDC passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\PS
Starting test: Replications
......................... PSPDC passed test Replications
Starting test: NCSecDesc
......................... PSPDC passed test NCSecDesc
Starting test: NetLogons
......................... PSPDC passed test NetLogons
Starting test: Advertising
......................... PSPDC passed test Advertising
Starting test: KnowsOfRoleHolders
......................... PSPDC passed test KnowsOfRoleHolders
Starting test: RidManager
......................... PSPDC passed test RidManager
Starting test: MachineAccount
......................... PSPDC passed test MachineAccount
Starting test: Services
......................... PSPDC passed test Services
Starting test: ObjectsReplicated
......................... PSPDC passed test ObjectsReplicated
Starting test: frssysvol
......................... PSPDC passed test frssysvol
Starting test: frsevent
......................... PSPDC passed test frsevent
Starting test: kccevent
......................... PSPDC passed test kccevent
Starting test: systemlog
......................... PSPDC passed test systemlog
Starting test: VerifyReferences
......................... PSPDC passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : colo
Starting test: CrossRefValidation
......................... colo passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... colo passed test CheckSDRefDom
Running enterprise tests on : colo.perrysysinc.com
Starting test: Intersite
......................... colo.perrysysinc.com passed test Intersite
Starting test: FsmoCheck
......................... colo.perrysysinc.com passed test FsmoCheck
C:\Program Files\Support Tools>
C:\Program Files\Support Tools>dcdiag
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\PS
Starting test: Connectivity
......................... PSSDC passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\PS
Starting test: Replications
......................... PSSDC passed test Replications
Starting test: NCSecDesc
......................... PSSDC passed test NCSecDesc
Starting test: NetLogons
......................... PSSDC passed test NetLogons
Starting test: Advertising
......................... PSSDC passed test Advertising
Starting test: KnowsOfRoleHolders
......................... PSSDC passed test KnowsOfRoleHolders
Starting test: RidManager
......................... PSSDC passed test RidManager
Starting test: MachineAccount
......................... PSSDC passed test MachineAccount
Starting test: Services
......................... PSSDC passed test Services
Starting test: ObjectsReplicated
......................... PSSDC passed test ObjectsReplicated
Starting test: frssysvol
......................... PSSDC passed test frssysvol
Starting test: frsevent
......................... PSSDC passed test frsevent
Starting test: kccevent
......................... PSSDC passed test kccevent
Starting test: systemlog
......................... PSSDC passed test systemlog
Starting test: VerifyReferences
......................... PSSDC passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : colo
Starting test: CrossRefValidation
......................... colo passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... colo passed test CheckSDRefDom
Running enterprise tests on : colo.perrysysinc.com
Starting test: Intersite
......................... colo.perrysysinc.com passed test Intersite
Starting test: FsmoCheck
......................... colo.perrysysinc.com passed test FsmoCheck
C:\Program Files\Support Tools>
What is troublesome is that no other machine is having a problem talking to the domain controllers, and I am wondering if this is in anyway somehow related to the machine account that is registered on AD. Is there anyway to check the health of that machine account on AD?
Here is a dc diag from both PDC and SDC.
C:\Program Files\Support Tools>dcdiag
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\PS
Starting test: Connectivity
......................... PSPDC passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\PS
Starting test: Replications
......................... PSPDC passed test Replications
Starting test: NCSecDesc
......................... PSPDC passed test NCSecDesc
Starting test: NetLogons
......................... PSPDC passed test NetLogons
Starting test: Advertising
......................... PSPDC passed test Advertising
Starting test: KnowsOfRoleHolders
......................... PSPDC passed test KnowsOfRoleHolders
Starting test: RidManager
......................... PSPDC passed test RidManager
Starting test: MachineAccount
......................... PSPDC passed test MachineAccount
Starting test: Services
......................... PSPDC passed test Services
Starting test: ObjectsReplicated
......................... PSPDC passed test ObjectsReplicated
Starting test: frssysvol
......................... PSPDC passed test frssysvol
Starting test: frsevent
......................... PSPDC passed test frsevent
Starting test: kccevent
......................... PSPDC passed test kccevent
Starting test: systemlog
......................... PSPDC passed test systemlog
Starting test: VerifyReferences
......................... PSPDC passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : colo
Starting test: CrossRefValidation
......................... colo passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... colo passed test CheckSDRefDom
Running enterprise tests on : colo.perrysysinc.com
Starting test: Intersite
......................... colo.perrysysinc.com passed test Intersite
Starting test: FsmoCheck
......................... colo.perrysysinc.com passed test FsmoCheck
C:\Program Files\Support Tools>
C:\Program Files\Support Tools>dcdiag
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\PS
Starting test: Connectivity
......................... PSSDC passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\PS
Starting test: Replications
......................... PSSDC passed test Replications
Starting test: NCSecDesc
......................... PSSDC passed test NCSecDesc
Starting test: NetLogons
......................... PSSDC passed test NetLogons
Starting test: Advertising
......................... PSSDC passed test Advertising
Starting test: KnowsOfRoleHolders
......................... PSSDC passed test KnowsOfRoleHolders
Starting test: RidManager
......................... PSSDC passed test RidManager
Starting test: MachineAccount
......................... PSSDC passed test MachineAccount
Starting test: Services
......................... PSSDC passed test Services
Starting test: ObjectsReplicated
......................... PSSDC passed test ObjectsReplicated
Starting test: frssysvol
......................... PSSDC passed test frssysvol
Starting test: frsevent
......................... PSSDC passed test frsevent
Starting test: kccevent
......................... PSSDC passed test kccevent
Starting test: systemlog
......................... PSSDC passed test systemlog
Starting test: VerifyReferences
......................... PSSDC passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : colo
Starting test: CrossRefValidation
......................... colo passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... colo passed test CheckSDRefDom
Running enterprise tests on : colo.perrysysinc.com
Starting test: Intersite
......................... colo.perrysysinc.com passed test Intersite
Starting test: FsmoCheck
......................... colo.perrysysinc.com passed test FsmoCheck
C:\Program Files\Support Tools>
ASKER
I solved the problem.
The server had 3 NICs, and one of them was faulty. It was hanging the communication between DC's and the Webserver.
I disabled that NIC and teamed the other two and all is good now.
The server had 3 NICs, and one of them was faulty. It was hanging the communication between DC's and the Webserver.
I disabled that NIC and teamed the other two and all is good now.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
We have to check the really common ones first :)
How is DNS configured for your network?
Really we would expect to see all servers using your DCs as DNS in every systems TCP/IP configuration.
Chris