EddyGurge

2003 server having time, DNS and sharing issues

I have a single 2003 server standard, SP2 running AD and Exchange 2003.  At this time it is the only server, with only one client computer.

Starting with a reboot, I get the following in the system event log:

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            6/16/2008
Time:            9:57:06 AM
User:            N/A
Computer:      ServerName
Description:
The Security System detected an authentication error for the server LDAP/Localhost.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".

Data:
0000: 5e 00 00 c0               ^..À    

Followed quickly by:

Event Type:      Error
Event Source:      W32Time
Event Category:      None
Event ID:      17
Date:            6/16/2008
Time:            9:57:08 AM
User:            N/A
Computer:      ServerName
Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: No such service is known. The service cannot be found in the specified name space. (0x8007277C)


Exchange seems like it is behaving fine as far as mail sending/receiving , but is returning these errors in the application event log:

Event Type:      Error
Event Source:      MSExchangeAL
Event Category:      LDAP Operations
Event ID:      8026
Date:            6/16/2008
Time:            9:50:54 AM
User:            N/A
Computer:      ServerName
Description:
LDAP Bind was unsuccessful on directory servername.mydomain.org for distinguished name ''. Directory returned error:[0x34] Unavailable.    

Event Type:      Error
Event Source:      MSExchangeDSAccess
Event Category:      Topology
Event ID:      2102
Date:            6/16/2008
Time:            9:50:54 AM
User:            N/A
Computer:      ServerName
Description:
Process MAD.EXE (PID=2232). All Domain Controller Servers in use are not responding:
servername.mydomain.org
 

I can browse the internet fine from this machine.  DNS is pointing to itself.  I can map to shares on this machine, but get access denied when trying to view them.  Automatic mappings do not show up at all.

I have followed MS KB article: http://support.microsoft.com/kb/816042 to try and get the time services issue fixed, to no avail.
Darius Ghassem

EddyGurge
ASKER

I've read that, but it doesn't really address any of the problems the server is currently having.  I included them for completeness, but I'm still having a number of issues on the box.  I'm really leaning toward some kind of funky DNS issue, but I just don't know.
From a command prompt try running netdiag /fix this could
repopulate the dns records for your dc

If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's
in the forest. If you have significant numbers of DC's this test could
generate significant detail and take a long time. You also want to take
into account slow links to dc's will also add to the testing time.

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be output
in notepad text files that pop up automagically.

The script is located in the download section on my website at
http://www.pbbergs.com/windows/downloads.htm#DCDIAG

Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages

Did you check that your DNS server is working properly using the netdiag.exe utility? Check that it passes all the tests, and if you are using the internal DNS server then check that the primary DNS address of the server and at the client is the local IP address of the DNS server, with the ISP DNS address in the Forwarders tab of the DNS server console.

More info:
https://www.experts-exchange.com/questions/22484726/Critical-LDAP-bind-was-unsuccessful-on-directory-servername-Directory-returned-error-0x51-Server-Down.html

http://technet2.microsoft.com/windowsserver2008/en/library/e2776160-06a3-41c0-9d9b-f1bfa0ee79371033.mspx?mfr=true


Regards,

Vijay Kadadi
Just ran the netdiag /fix, and the verbose netdiag and dcdiag.  No failures in any of them.  There is only this one DC, no other servers. The client is using the ip of the server, and can do DNS lookups just fine.

As an example though, if I run a w32tm /resync I get:
The computer did not resync because no time data was available

It's set to use time.nist.gov,0x1

There were some issues where the clock got set off a day for a while.  (never ask your wife what the date is when working on a server...) but the time shows correctly now, and has been rebooted quite a few times since it was fixed.
Try looking at this.

Based on my research, there are many factors which may cause the 40960
warning:


1. Computer account in parent domain with same name as child DC.
2. RPC Locator service was off on DC.
3. Secure dynamic updates failing if pointing to a DNS server that doesn't
support secure updates, Unix, etc.
4. NT4Emulator register value set to 1 on DC.
5. DHCP client service is disabled.
6. Time skew.
7. Kerberos UDP packet fragmentation.
8. Broken secure channel.
9. No reverse lookup zone for the DNS server.
10. Missing SPN.
11. Invalid cached credentials being used.
12. SAM account name of one account same as UPN of another account
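Several items in that list can be checked from the DC itself. The script below is an added example, not part of the thread and not a Microsoft tool; it is written for Windows PowerShell on the DC and assumes the Support Tools (nltest, setspn, dnscmd) are installed as described earlier in the thread. Item numbers in the comments refer to the list above; items 1, 3 and 11 depend on the environment and are not covered. The peer name time.nist.gov is the one the asker configured.

```powershell
# Added example: local checks for the 40960 causes listed above.
# Assumes: run as a domain admin on the 2003 DC, Support Tools installed.
$computer = $env:COMPUTERNAME
$domain   = $env:USERDNSDOMAIN

function Test-ServiceRunning {
    param([string]$Name, [string]$Label)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { "OK   $Label ($Name) is running" }
    else { "WARN $Label ($Name) is not running" }
}

# 2 and 5: services that must be up on a DC
Test-ServiceRunning -Name 'RpcLocator' -Label 'RPC Locator'
Test-ServiceRunning -Name 'Dhcp'       -Label 'DHCP Client'

# 4: NT4Emulator lives under Netlogon\Parameters; a value of 1 makes the DC
#    answer like an NT4 BDC and breaks Kerberos logons.
$nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
if ($nl -and $nl.NT4Emulator -eq 1) { "WARN NT4Emulator is set to 1" } else { "OK   NT4Emulator not set" }

# 6: time offset against the configured peer (w32tm ships with 2003)
w32tm /stripchart /computer:time.nist.gov /samples:3 /dataonly

# 7: Kerberos UDP fragmentation is avoided by forcing TCP (MaxPacketSize = 1)
$kp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' -ErrorAction SilentlyContinue
if ($kp -and $kp.MaxPacketSize -eq 1) { "OK   Kerberos forced to TCP (MaxPacketSize=1)" }
else { "INFO Kerberos may use UDP; set MaxPacketSize=1 (DWORD) if fragmentation is suspected" }

# 8: secure channel to the domain (Support Tools)
nltest /sc_query:$domain

# 9: a reverse zone shows up as *.in-addr.arpa in the DNS zone list (Support Tools)
$zones = dnscmd /enumzones
if ($zones -match 'in-addr\.arpa') { "OK   reverse lookup zone present" } else { "WARN no reverse lookup zone found" }

# 10: the DC needs HOST/ and LDAP/ SPNs on its own computer account (Support Tools)
$spns = setspn -L $computer
foreach ($prefix in 'HOST/', 'LDAP/') {
    if ($spns -match [regex]::Escape($prefix)) { "OK   $prefix SPN registered" }
    else { "WARN $prefix SPN missing on $computer" }
}

# 12: sAMAccountName of one account equal to the UPN prefix of a different account
$searcher = New-Object System.DirectoryServices.DirectorySearcher('(objectCategory=person)')
$searcher.PageSize = 1000
$null = $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userPrincipalName', 'distinguishedName'))
$sam = @{}   # lowercase sAMAccountName -> DN
$upn = @{}   # lowercase UPN prefix     -> DN
foreach ($u in $searcher.FindAll()) {
    $dn = [string]$u.Properties['distinguishedname'][0]
    $s  = [string]$u.Properties['samaccountname'][0]
    $p  = [string]$u.Properties['userprincipalname'][0]
    if ($s) { $sam[$s.ToLower()] = $dn }
    if ($p) { $upn[$p.Split('@')[0].ToLower()] = $dn }
}
foreach ($key in $upn.Keys) {
    if ($sam.ContainsKey($key) -and $sam[$key] -ne $upn[$key]) {
        "WARN sAMAccountName '$key' of $($sam[$key]) matches the UPN prefix of $($upn[$key])"
    }
}
```

Lines starting with WARN are the ones to chase; the raw w32tm and nltest output is left as-is because the offset figures and the secure-channel status text are what you want to read directly.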
1.  Only server in the domain, so this shouldn't be it
2. RPC Locator was off and set to manual, started it, and changed it to automatic
3. Not sure I'm following you on that one
4. I don't see that in the registry, is it located somewhere else?
5. DHCP client service is enabled & running
6. Time is correct on the server
7. Not sure how to check for that
8. Not sure how to check for that
9. Reverse lookup zone exists
10. Not sure how to check for that
11. Not sure how to check for that
12. Not sure how to check for that

Still no changes in errors or problems :(
Post the reports from the netdiag and repadmin. I need to look at a couple of things.
I've not even run repadmin, so I'm not sure what you want there.  Here is the netdiag:
    Computer Name: servername
    DNS Host Name: servername.mydomain.org
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 6 Model 23 Stepping 7, GenuineIntel
    List of installed hotfixes :
        Q147222


Netcard queries test . . . . . . . : Passed
    [WARNING] The net card '1394 Net Adapter' may not be working because it has not received any packets.



Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : servername
        IP Address . . . . . . . . : 192.168.0.6
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.0.1
        Dns Servers. . . . . . . . : 127.0.0.1


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{B78DE4E6-F5BF-4822-9375-20F3308E0A2C}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '127.0.0.1'.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{B78DE4E6-F5BF-4822-9375-20F3308E0A2C}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{B78DE4E6-F5BF-4822-9375-20F3308E0A2C}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully
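The advice earlier in the thread is to search the verbose netdiag log for fail, error and warning lines. The function below is an added example (not from the thread, not a Microsoft tool) that does that in a structured way: it counts Passed/Failed/Skipped tests, collects the bracketed warning lines, and flags a DNS server entry on the loopback address, which is the configuration problem found in this log. The sample fed to it is constructed in the same format as the log above; point it at the real file with Get-Content instead.

```powershell
# Added example: triage a netdiag /v log instead of eyeballing it.
# Usage on the server:  Get-NetdiagReport -Lines (Get-Content C:\netdiag.log)
function Get-NetdiagReport {
    param(
        [Parameter(Mandatory=$true)]
        [string[]]$Lines      # raw lines of the netdiag output
    )

    $results    = @()   # one object per "<test> . . . : Passed|Failed|Skipped" line
    $warnings   = @()   # [WARNING] / [FATAL] / [ERROR] lines verbatim
    $dnsServers = @()   # every DNS server address netdiag reports per adapter

    foreach ($line in $Lines) {
        # "Kerberos test. . . . . . : Passed"  -> test name and status
        if ($line -match '^\s*(?<name>[A-Za-z][^:]*?)[\s.]*:\s*(?<status>Passed|Failed|Skipped)\s*$') {
            $results += New-Object PSObject -Property @{
                Test   = $Matches['name']
                Status = $Matches['status']
            }
            continue
        }
        if ($line -match '^\s*\[(WARNING|FATAL|ERROR)\]') {
            $warnings += $line.Trim()
            continue
        }
        # "Dns Servers. . . . . . . . : 127.0.0.1"
        if ($line -match '^\s*Dns Servers[\s.]*:\s*(?<addr>\S+)') {
            $dnsServers += $Matches['addr']
        }
    }

    $findings = @()
    foreach ($r in $results) {
        if ($r.Status -eq 'Failed') { $findings += "FAILED: $($r.Test)" }
    }
    foreach ($w in $warnings) { $findings += $w }
    # A DC should list its own LAN address as its DNS server, not the loopback address.
    foreach ($d in $dnsServers) {
        if ($d -like '127.*') { $findings += "DC uses loopback address $d as its DNS server; use its own LAN IP instead" }
    }

    New-Object PSObject -Property @{
        Passed     = @($results | Where-Object { $_.Status -eq 'Passed'  }).Count
        Failed     = @($results | Where-Object { $_.Status -eq 'Failed'  }).Count
        Skipped    = @($results | Where-Object { $_.Status -eq 'Skipped' }).Count
        DnsServers = $dnsServers
        Findings   = $findings
    }
}

# Constructed sample in the netdiag format (the LDAP failure line is made up
# so that the Failed path is exercised); not taken from the log above.
$sample = @'
        Dns Servers. . . . . . . . : 127.0.0.1
        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
DNS test . . . . . . . . . . . . . : Passed
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Failed
    [FATAL] Cannot bind to the LDAP server. (constructed line)
IP Security test . . . . . . . . . : Skipped
'@ -split "`r?`n"

$report = Get-NetdiagReport -Lines $sample
"Passed: $($report.Passed)  Failed: $($report.Failed)  Skipped: $($report.Skipped)"
$report.Findings
```

On the constructed sample this reports 3 passed, 1 failed, 1 skipped, and lists the failed LDAP test, the two bracketed lines and the loopback DNS finding. Run against the real log it would show only the two NetBT warnings and the 127.0.0.1 entry, which matches what the thread goes on to fix.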
Put the DNS server IP address as 192.168.0.6. Had a problem with the local loopback address being in for the DNS before.
I have the nic set using the local ipaddress (192.168.0.6) which it has been set to all along.  Are there any secondary places to set that?  I was kinda surprised to see the localhost listed there myself.
Check in DNS to see if it's listed there. Also, check in the TCP\IP settings that 127.0.0.1 isn't listed any where. Look under the Alternative settings and advance settings.
I went ahead and removed and recreated the DNS server.  The proper address now shows in netdiag, but everything else is still messed up as above.
Have you done a ipconfig /flushdns on the server? Run this to netdiag /fix.
Yeah, I've done them.  No luck.

I installed this server about a week and a half ago.  I know it was working fine then.  I had since played around with RPC over HTTP and certificate server stuff.  I removed all that in add/remove programs last night, hoping it would fix the problem that my playing around might have caused.  I'm wondering if it has anything to do with my messing around blindly.
look at the fourth one down on this post.

http://www.pcreview.co.uk/forums/thread-1451643.php
Here are a couple of more things to look at.

It is possibly a problem with the DNS dynamic updates registration credentials that the DHCP server supplies.

Go to the MMC for DHCP and bring up the server Properties, Advanced tab, Credentials and make sure the username and password are correct.

Windows Server 2003 is set to sync the time with an NTP server called time.windows.com. I don't know if this server is no longer up, but it does not respond to a simple ping. I changed my NTP server to point to one of the USNO servers and these errors stopped.

net time /setsntp:tock.usno.navy.mil
Just about to drive home, where I'll be happy to continue on this.  Just a note before I go, I'm not running DHCP on this machine.
I'm ready to try just about anything short of a reinstall.  I really want to avoid that.
Off the wall question here - are you running Server 2003 or Server 2000?

Also off the wall, when I've seen the LSASRV and 40961/9 errors, the solution was to remove the workstation from the domain and re-add it (just drop to workgroup, re-add to the Domain - THEN - reboot the workstation).

Then start and stop the workstation time service.

Are either the Server or Workstation dropping into any kind of 'sleep' or 'hibernation' mode?
Also - you only posted this in one Zone, but you can have it in three.

Verify the Server OS and we can get a Mod to add it to two more.
ASKER CERTIFIED SOLUTION
Darius Ghassem
Not ignoring you here.  The kerberos thing might have gotten me going, or at least looking in the right spots.  Now I'm just trying to get it all together and see where we are.  Numerous client and server reboots going on, id changes, and some other stuff.
I'll continue this in the morning, but several things are most definitely working better now.
Disable Windows firewall. That should do in these errors.

You asked if there are any other DNS places to fix:
1) TCP/IP configuration of your server's nic
2) router's list of preferred DNS servers should be your DNS server
3) Your DNS address in host A accounts
4) DHCP configuration of DNS servers

You need to weed out that 127 loopback address:

So, once done with getting your configurations straight, go to the server's command prompt and type:
Ipconfig /flushdns
IPconfig /registerdns
net stop netlogon
net start netlogon

Then, go to the client's command prompt and type:
Ipconfig /flushdns

Assuming you have DHCP activated on your server, also type:
Ipconfig /release
Ipconfig /renew
Ahh, good point VMOD. Thanks!

How about some information to reconfigure Windows firewall to allow LDAP and Time services to function correctly?

http://support.microsoft.com/kb/555381

The time error is because time is trying to synchronize prior to the Directory service up.
~~~ http://support.microsoft.com/kb/823712/en-us
SPnego error comes from being unable to communicate with an LDAP server.
~~~ http://support.microsoft.com/kb/823712/en-us
Exchange comes from the directory service not avail.
~~"Directory returned error:[0x34] Unavailable."

So, everything rides on the LDAP port open and the directory service set to automatic and started.  All of these errors say the same thing, they can't contact the domain controller LDAP.   I think this is a result of Windows firewall.
@Vee

It is 2003 as stated.  Not sure why netdiag would say 2000, but it is 2003, SP2.  
Also, no additional firewall software or antivirus yet.

@younghv

I'm sorry I missed your posts last night, and I didn't know about the multiple zones possibilities on questions.  I'll keep that in mind!

@ChiefIT

I hate to say it, but the DNS removal/reinstall fixed the DNS complaints to a large degree, and was done before your post, but thanks for chiming in!

@Darius

Everything is now running fine.  It was a two (or three) part issue I'm guessing.  The Kerberos fix you linked was definitely part of the problem (and fixed the time sync issues right away), and got the rest of the ball rolling.  

The other issue appears that the client computer's user id was corrupt in AD in some fashion.  I deleted it, and created a new ID, and that fixed the mapping issues.  Time and DNS are working perfectly also.  

I'm only guessing here, but I'm going to put it down to time issues, and the clock getting messed up several times during and after install, which messed up internal authentication for the admin account, and the other userID.

Thanks for the help!