Solved

2003 server having time, DNS and sharing issues

Posted on 2008-06-16
28
623 Views
Last Modified: 2010-05-18
I have a single 2003 server standard, SP2 running AD and Exchange 2003.  At this time it is the only server, with only one client computer.

Starting with a reboot, I get the following in the system event log:

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            6/16/2008
Time:            9:57:06 AM
User:            N/A
Computer:      ServerName
Description:
The Security System detected an authentication error for the server LDAP/Localhost.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".

Data:
0000: 5e 00 00 c0               ^..À    

Followed quickly by:

Event Type:      Error
Event Source:      W32Time
Event Category:      None
Event ID:      17
Date:            6/16/2008
Time:            9:57:08 AM
User:            N/A
Computer:      ServerName
Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: No such service is known. The service cannot be found in the specified name space. (0x8007277C)


Exchange seems like it is behaving fine as far as mail sending/receiving , but is returning these errors in the application event log:

Event Type:      Error
Event Source:      MSExchangeAL
Event Category:      LDAP Operations
Event ID:      8026
Date:            6/16/2008
Time:            9:50:54 AM
User:            N/A
Computer:      ServerName
Description:
LDAP Bind was unsuccessful on directory servername.mydomain.org for distinguished name ''. Directory returned error:[0x34] Unavailable.    

Event Type:      Error
Event Source:      MSExchangeDSAccess
Event Category:      Topology
Event ID:      2102
Date:            6/16/2008
Time:            9:50:54 AM
User:            N/A
Computer:      ServerName
Description:
Process MAD.EXE (PID=2232). All Domain Controller Servers in use are not responding:
servername.mydomain.org
 

I can browse the internet fine from this machine.  DNS is pointing to itself.  I can map to shareds on this machine, but get access denied when trying to view them.  Automatic mappings do not show up at all.

I have followed MS KB article: http://support.microsoft.com/kb/816042 to try and get the time services issue fixed, to no avail.
0
Comment
Question by:EddyGurge
  • 12
  • 10
  • 2
  • +2
28 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21794297
0
 
LVL 3

Author Comment

by:EddyGurge
ID: 21794391
I've read that, but it doesn't really address any of the problems the server is currently having.  I included them for completeness, but I'm still having a number of issues on the box.  I'm really leaning toward some kind of funky DNS issue, but I just don't know.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21794549
From a command prompt try running netdiag /fix this could
repopulate the dns records for your dc

If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's
in the forest. If you have significant numbers of DC's this test could
generate significant detail and take a long time. You also want to take
into account slow links to dc's will also add to the testing time.

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be output
in notepad text files that pop up automagically.

The script is located in the download section on my website at
http://www.pbbergs.com/windows/downloads.htm#DCDIAG

Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages
0
 
LVL 17

Expert Comment

by:kadadi_v
ID: 21794609
DId you check your DNS server is working properly using netdiag.exe utility...chek it passes the all tests and IF your are using the Internal DNS server ten check the primary DNS address of the server and at cleint should be local ip address of the DNS server and ISP DNS address in forwarders tab of the DNS server console.

More INfo:-
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22484726.html

http://technet2.microsoft.com/windowsserver2008/en/library/e2776160-06a3-41c0-9d9b-f1bfa0ee79371033.mspx?mfr=true


Regards,

Vijay Kadadi
0
 
LVL 3

Author Comment

by:EddyGurge
ID: 21794773
Just ran the netdiag /fix, and the verbose netdiag and dcdiag.  No failures in any of them.  There is only this one DC, no other servers. The client is using the ip of the server, and can do DNS lookups just fine.

As an example though, if I run a w32tm /resync I get:
The computer did not resync because no time data was available

It's set to use time.nist.gov,0x1

There were some issues where the clock got set off a day for a while.  (never ask your wife what the date is when working on a server...) but the time shows correctly now, and has been rebooted quite a few times since it was fixed.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21795224
Try looking at this.

Based on my research, there are many factors which may cause the 40960
warning:


1. Computer account in parent domain with same name as child DC.
2. RPC Locator service was off on DC.
3. Secure dynamic updates failing if pointing to a DNS server that doesn't
support secure updates, Unix, etc.
4. NT4Emulator register value set to 1 on DC.
5. DHCP client service is disabled.
6. Time skew.
7. Kerberos UDP packet fragmentation.
8. Broken secure channel.
9. No reverse lookup zone for the DNS server.
10. Missing SPN.
11. Invalid cached credentials being used.
12. SAM account name of one account same as UPN of another account
0
 
LVL 3

Author Comment

by:EddyGurge
ID: 21795432
1.  Only server in the domain, so this shouldn't be it
2. RPC Locator was off and set to manual, started it, and changed it to automatic
3. Not sure I'm following you on that one
4. I don't see that in the registry, is it located somewhere else?
5. DHCP client service is enabled & runnning
6. Time is correct on the server
7. Not sure how to check for that
8. Not sure how to check for that
9. Reverse lookup zone exists
10. Not sure how to check for that
11. Not sure how to check for that
12. Not sure how to check for that

Still no changes in errors or problems :(
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21795562
Post the reports from the netdiag and repadmin. I need to look at a couple of things.
0
 
LVL 3

Author Comment

by:EddyGurge
ID: 21795726
I've not even run repadmin, so I'm not sure what you want there.  Here is the netdiag:




    Computer Name: servername
    DNS Host Name: servername.mydomain.org
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 6 Model 23 Stepping 7, GenuineIntel
    List of installed hotfixes :
        Q147222


Netcard queries test . . . . . . . : Passed
    [WARNING] The net card '1394 Net Adapter' may not be working because it has not received any packets.



Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : servername
        IP Address . . . . . . . . : 192.168.0.6
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.0.1
        Dns Servers. . . . . . . . : 127.0.0.1


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{B78DE4E6-F5BF-4822-9375-20F3308E0A2C}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '127.0.0.1'.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{B78DE4E6-F5BF-4822-9375-20F3308E0A2C}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{B78DE4E6-F5BF-4822-9375-20F3308E0A2C}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21795796
Put the DNS server IP address as 192.168.0.6. Had a problem with the local loopback address being in for the DNS before.
0
 
LVL 3

Author Comment

by:EddyGurge
ID: 21796237
I have the nic set using the local ipaddress (192.168.0.6) which it has been set to all along.  Are there any secondary places to set that?  I was kinda surprised to see the localhost listed there myself.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21796458
Check in DNS to see if it's listed there. Also, check in the TCP\IP settings that 127.0.0.1 isn't listed any where. Look under the Alternative settings and advance settings.
0
 
LVL 3

Author Comment

by:EddyGurge
ID: 21797184
I went ahead and removed and recreated the DNS server.  The proper address now shows in netdiag, but everything else is still messed up as above.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21797227
Have you done a ipconfig /flushdns on the server? Run this to netdiag /fix.
0
 
LVL 3

Author Comment

by:EddyGurge
ID: 21797475
Yeah, I've done them.  No luck.

I installed this server about a week and half ago.  It know it was working fine then.  I had since played around with RPC over HTTP and certificate server stuff.  I removed all that in add/remove programs last night, hoping it would fix the problem that my playing around might have caused.  I'm wondering if it has anything to do with my messing around blindly.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21797661
look at the fourth one down on this post.

http://www.pcreview.co.uk/forums/thread-1451643.php
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21797726
Here are a couple of more things to look at.

It is possibly a problem with the DNS dynamic updates registration credentials that the DHCP server supplies.

Go to the MMC for DHCP and bring up the server Properties, Advanced tab, Credentials and make sure the username and password are correct.

Windows Server 2003 is set to sync the time with an NTP server called time.windows.com I dont know if this server is no longer up but it does not respond to a simple ping. I changed my NTP server to point to one of the USNO servers and these errors stopped.

net time /setsntp:tock.usno.navy.mil
0
 
LVL 3

Author Comment

by:EddyGurge
ID: 21797901
Just about to drive home, where I'll be happy to continue on this.  Just a note before I go, I'm not running DHCP on this machine.
0
 
LVL 3

Author Comment

by:EddyGurge
ID: 21798147
I'm ready to try just about anything short of a reinstall.  I really want to avoid that.
0
 
LVL 38

Expert Comment

by:younghv
ID: 21798345
Off the wall question here - are you running Server 2003 or Server 2000?

Also off the wall, when I've seen the LSASVR and 40961/9 errors, the solution was to remove the workstation from the domain and re-add it (just drop to workgroup, re-add to the Domain - THEN - reboot the workstation).

Then start and stop the workstation time service.

Are either the Server or Workstation dropping into any kind of 'sleep' or 'hibernation' mode?
0
 
LVL 38

Expert Comment

by:younghv
ID: 21798352
Also - you only posted this in one Zone, but you can have it in three.

Verify the Server OS and we can get a Mod to add it to two more.
0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 21798367
0
 
LVL 3

Author Comment

by:EddyGurge
ID: 21798810
Not ignoring you here.  The kerberos thing might have gotten me going, or at least looking in the right spots.  Now I'm just trying to get it all together and see where we are.  Numerous client and server reboots going on, id changes, and some other stuff.
0
 
LVL 3

Author Comment

by:EddyGurge
ID: 21799330
I'll continue this in the morning, but several things are most definitely working better now.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21801123
Disable Windows firewall. That should do in these errors.

You asked if there are any other DNS places to fix:
1) TCP/IP configuration of your server's nic
2) router's list of prefered DNS servers should be your DNS server
3) Your DNS address in host A accounts
4) DHCP configuration of DNS servers

You need to weed out that 127 loopback address:

So, once done with getting your configurations straight, go to the server's command prompt and type:
Ipconfig /flushdns
IPconfig /registerdns
net stop netlogon
net start netlogon

Then, go to the client's command prompt and type:
Ipconfig /flushdns

Assuming you have DHCP activated on your server, also type:
Ipconfig /release
Ipconfig /renew
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21801575
Ahh, good point VMOD. Thanks!

How about some information to reconfigure Windows firewall to allow LDAP and Time services to function correctly?

http://support.microsoft.com/kb/555381

The time error is because time is trying to synchronize prior to the Directory service up.
~~~ http://support.microsoft.com/kb/823712/en-us
SPnego error comes from being unable to communicate with an LDAP server.
~~~ http://support.microsoft.com/kb/823712/en-us
Exchange comes from the directory service not avail.
~~"Directory returned error:[0x34] Unavailable."

So, everything rides on the LDAP port open and the directory service set to automatic and started.  All of these errors say the same thing, they can't contact the domain controller LDAP.   I think this is a result of Windows firewall.
0
 
LVL 3

Author Comment

by:EddyGurge
ID: 21803910
@Vee

It is 2003 as stated.  Not sure why netdiag would say 2000, but it is 2003, SP2.  
Also, no additional firewall software or antivirus yet.

@younghv

I'm sorry I missed your posts last night, and I didn't know about the multiple zones possibilities on questions.  I'll keep that in mind!

@ChiefIT

I hate to say it, but the DNS removal/reinstall fixed the DNS complaints to a large degree, and was done before your post, but thanks for chiming in!

@Darius

Everything is now running fine.  It was a two (or three) part issue I'm guessing.  The Kerberos fix you linked was definitely part of the problem (and fixed the time sync issues right away), and got the rest of the ball rolling.  

The other issue appears that the client computer's user id was corrupt in AD in some fashion.  I deleted it, and created a new ID, and that fixed the mapping issues.  Time and DNS are working perfectly also.  

I'm only guessing here, but I'm going to put it down to time issues, and the clock getting messed up several times during and after install, which messed up internal authentication for the admin account, and the other userID.

Thanks for the help!
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now