Virtual Server 2005 R2 causing errors with Windows 2003 R2 SP2

Posted on 2007-08-10
Last Modified: 2013-11-29
Hi, I hope you can help me trouble shoot this issues with Virtual Server 2005 R2 and Windows Server 2003 Enterprise R2 SP2.  The server runs as a Domain Controller as well as an app server.  Both are a fresh and default installation.

Virtual Server 2005 makes these errors when loading:
"An error has occured during the creation of Service Connection points for Virtual Server in Active Directory. Either a domain controller is not available to complete the operation or there is a security problem accessing the domain. This operation will be retried the next time the service starts. Error 0x80070005 - Access is denied. "


"The service principal names for Virtual Server could not be registered. Constrained delegation cannot be used until the SPNs have been registered manually. Error 0x80072098 - Insufficient access rights to perform the operation. "

I have read this KB and applied what it said:;en-us;890893

The contents of my setspn -L command include:


Can you please help me understand what is happening here, and how can I fix this?

Thank you,

Question by:FreshyMeshy
    LVL 51

    Accepted Solution

    Make sure your server only points to itself for DNS.
    Make sure the DNS zone _msdcs.ILYS.local exists and the server is registered.


    Author Comment

    Thanks Netman.  Can you please tell me the step by step instructions on how I can make sure of these things?

    LVL 51

    Expert Comment

    Open up DNS from the Administrative Tools.
    Expand the Server, then the Forward Lookup zone.
    There should be 2 zones listed. _msdcs.ILYS.local and ILYS.local
    If there isn't the _msdcs zone, then create it - it's a Primary, AD Integrated zone and replicates to all DNS servers in the Forest.
    If it's there, it should contain sub folders for dc, domain, gc, pdc and 3 other records (SOA, NS and CNAME).

    Inside those subfolders should be records for your DCs depending on the roles they hold.  All of them should show up under domains>GUID>_tcp with LDAP records.

    Make sure the DC you're having issues with is listed in the appropriate folders.  If the zone needed to be created then either reboot the server and restart the Netlogon service.  Make sure the NIC is only pointing to your own DNS server and has the checkmark checked to register in DNS.
    LVL 1

    Expert Comment

    Forced accept.

    EE Admin
    LVL 1

    Expert Comment

    I was having a similar problem and checking the NIC & DNS config ended up exposing my issue.  I realized my shortcut for Virt Serv Administration was pointing to the NetBios server name, so I tried the IP address instead and got a login prompt.  Then I noticed I had a secondary NIC that was not plugged in yet but the IP was showing in DNS - fixed that issue and refreshed everything, still didn't work with NetBios name.  I changed the shortcut to point to the full DNS name of the server, and got right in.   The only fix I had implemented was to register the SPN entries manually, which also may have helped. (  I will fix the NetBios thing later if it continues to be a problem

    Featured Post

    Top 6 Sources for Identifying Threat Actor TTPs

    Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

    Join & Write a Comment

    A quick step-by-step overview of installing and configuring Carbonite Server Backup.
    Recently Microsoft released a brand new function called CONCAT. It's supposed to replace its predecessor CONCATENATE. But how does it work? And what's new? In this article, we take a closer look at all of this - we even included an exercise file for…
    As developers, we are not limited to the functions provided by the VBA language. In addition, we can call the functions that are part of the Windows operating system. These functions are part of the Windows API (Application Programming Interface). U…
    With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

    728 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    21 Experts available now in Live!

    Get 1:1 Help Now