Solved

Lots of Event 1053 Errors

Posted on 2008-06-23
19
2,112 Views
Last Modified: 2012-06-22
My event log, under application, is filling up with event id 1053, with this text:

Windows cannot determine the user or computer name. (There are no more endpoints available from the endpoint mapper. ). Group Policy processing aborted.


About every 5 minutes another one is added.
0
Comment
Question by:dougp23
19 Comments
 
LVL 1

Author Comment

by:dougp23
ID: 21848089
dcdiag:  command not found
netdiag:  command not found

Looks like I don't have these installed.  How do I get them installed?  Win2K3 SP2
0

 
LVL 1

Author Comment

by:dougp23
ID: 21849475
OK, installed both of them.  

DcDiag ran pretty cleanly.

NetDiag provided this little pearl:

DNS test . . . . . . . . . . . . . : Failed

    [WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.10.1'. Please wait for 30 minutes for DNS server replication.

    [FATAL] No DNS servers have the DNS records for this DC registered.



Now, THIS server IS 192.168.10.1....so how do I tell the server that to get to himself, he should ask...himself??
0
 
LVL 1

Author Comment

by:dougp23
ID: 21849560
Also, under DNS, my server is showing 2 forward lookup zones.

TOWN
TOWN.COM

I would imagine I only need TOWN.COM?  Is the fact that TOWN is in there confusing things?

Under Town.com I have an A record that says
Accounting.Town.com   192.168.10.1

So it seems like this DNS *should* know how to resolve itself....

Hope this helps!
0
 
LVL 24

Expert Comment

by:ryansoto
ID: 21849884
most likely you will need to keep town.com

run a netdiag /fix then a netdiag again and see what comes back.

Also in tcp ip properties for the lan connection you have the first DNS server set to itself (internal IP address) and the second to another internal DNS machine.
There should NOT be an ISP server in there
0
 
LVL 1

Author Comment

by:dougp23
ID: 21849962
TCP/IP Properties (2 NIC Cards)
192.168.10.1 has preferred DNS of 192.168.10.1 and no secondary DNS.
The 2nd NIC is capturing VOIP traffic to record calls that we need recorded, so it has a 10.0.55.1 IP with a 10.0.55.1 DNS.  Note that we run NO 10.x IPs, so I would imagine this interface cannot communicate out at all.

Ran netdiag  /fix, then netdiag again.  

The interesting (I think) parts:
NetBT name test. . . . . . : Passed
    [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
    No remote names have been found.
WINS service test. . . . . : Skipped
    There are no WINS servers configured for this interface.

DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.10.1' and other DCs also have some of the names registered.

I will clear out the EL, and see if they keep happening.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 21850837
Are you running Symantec Endpoint Protection?
0
 
LVL 1

Author Comment

by:dougp23
ID: 21855211
no, no endpoint security.  OK, I followed some MS Technet docs, and I had no "endpoints" available, so did what they said.  They then said to do a portqry and see if certain ports were being blocked.  So, I did this, from the Town server:


portqry -n servername.police.org -o 1094,1025,1029,6004
Name resolved to 192.168.11.10

TCP port 1094 (unknown service): NOT LISTENING
TCP port 1025 (unknown service): NOT LISTENING
TCP port 1029 (unknown service): NOT LISTENING
TCP port 6004 (unknown service): NOT LISTENING

Any ideas?  Again, both buildings connect via fiber, so I don't think my firewall for the network is blocking this stuff.  Both servers have their network cards firewalls shut off.
0
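The netdiag and portqry output quoted in this thread is line-oriented and easy to triage automatically. The following is an added example, not code from this thread or from Microsoft: it parses both formats from a constructed sample shaped like the posted output and flags the conditions discussed here (DNS test failed, missing NetBT names, no WINS, RPC dynamic-range ports not reachable). The 1025-5000 range is the Windows Server 2003 default dynamic RPC range; the finding texts are the example's own wording.

```python
import re
# Constructed sample shaped like the netdiag and portqry output posted in this thread
NETDIAG_SAMPLE = """\
NetBT name test. . . . . . : Passed
    [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
WINS service test. . . . . : Skipped
    There are no WINS servers configured for this interface.
DNS test . . . . . . . . . . . . . : Failed
    [FATAL] No DNS servers have the DNS records for this DC registered.
"""
PORTQRY_SAMPLE = """\
Name resolved to 192.168.11.10
TCP port 1094 (unknown service): NOT LISTENING
TCP port 1025 (unknown service): NOT LISTENING
TCP port 135 (epmap service): LISTENING
"""
TEST_RE = re.compile(r"^(?P<name>[A-Za-z][\w ]*?)[ .]+: (?P<status>Passed|Failed|Skipped)\s*$")
PORT_RE = re.compile(r"^(?P<proto>TCP|UDP) port (?P<port>\d+) \((?P<svc>[^)]*)\): (?P<state>LISTENING|NOT LISTENING|FILTERED)", re.M)
DYNAMIC_RPC = range(1025, 5001)  # default dynamic RPC port range on Windows Server 2003

def parse_netdiag(text):
    """Map each netdiag test name to its status and the indented detail lines under it."""
    results, current = {}, None
    for line in text.splitlines():
        m = TEST_RE.match(line)
        if m:
            current = m["name"]
            results[current] = {"status": m["status"], "details": []}
        elif current and line.strip():
            results[current]["details"].append(line.strip())
    return results

def parse_portqry(text):
    """Return (protocol, port, state) tuples from portqry output."""
    return [(m["proto"], int(m["port"]), m["state"]) for m in PORT_RE.finditer(text)]

def triage(netdiag, ports):
    """Turn the parsed output into findings that map onto the failure modes seen in this thread."""
    findings = []
    if netdiag.get("DNS test", {}).get("status") == "Failed":
        findings.append("DNS: DC records not registered; run netdiag /fix and confirm the DC points at a DNS server hosting the domain zone")
    if any("names is missing" in d for d in netdiag.get("NetBT name test", {}).get("details", [])):
        findings.append("NetBT: <00>/<03>/<20> name registrations missing on this interface")
    if netdiag.get("WINS service test", {}).get("status") == "Skipped":
        findings.append("WINS: none configured; NetBIOS names will not resolve across subnets without WINS")
    blocked = sorted(p for _proto, p, state in ports if state != "LISTENING" and p in DYNAMIC_RPC)
    if blocked:
        findings.append("RPC: dynamic ports %s not reachable; check host firewall/AV filtering above 1024 (KB839880)" % blocked)
    return findings
```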
 
LVL 24

Expert Comment

by:ryansoto
ID: 21856573
So after a /fix the errors are still occurring?
0
 
LVL 1

Author Comment

by:dougp23
ID: 21857906
Well, they've changed.  Event ID 4521 with information 9002.  Which I think is due to that police server not listening on those ports.  Perhaps I should close this question and open a new one, since I am no longer getting 1053 errors.  Or I'll bump the points up.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 21858217
I am going to review what we have for info. I'll admit these endpoint mappers and certs for the RPC service over VPN are not one of my strong points. If you don't mind, will you leave this open.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 21858366
In the meantime, I was on another post where the TechNet article didn't help, but this MS article provided the right key to the solution.
http://support.microsoft.com/kb/839880
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 21858402
The ports on your portqry that are "not listening" are not key to 2003 server services:

TCP port 1094 (unknown service): NOT LISTENING
TCP port 1025 (unknown service): NOT LISTENING
TCP port 1029 (unknown service): NOT LISTENING
TCP port 6004 (unknown service): NOT LISTENING

http://www.microsoft.com/smallbusiness/support/articles/ref_net_ports_ms_prod.mspx

So, what is perplexing to me is why isn't it working?
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 21858670
OK: The article that I provided says:
From the output, you know the DC is using port 1094 for FRS and 1025, 1029, and 6004 for Active Directory replication.

Antivirus software may be blocking ports above 1024.

Please see step 4 of the article above. It describes your problem to a T.
0
 
LVL 1

Author Comment

by:dougp23
ID: 21864855
I had found KB839880 already, and yes I agree step 4 is a real wakeup.  But what they don't tell you is how to fix it.  I am against turning off the firewall on the server, but OK, I turned it off.  Now, I should turn off my antivirus too??  Only MS would offer this up as a solution!!

My antivirus has no built-in firewall, so I am just totally stumped, and ready to say "forget it, people will have to keep track of 2 logins".  Not my favored solution, but where else do I go from here?

If this helps, the portqry from Town reported back properly on Police, but a portqry on Police says it can't resolve the name accounting.town.com.  Is that a prob?  Remember, the folder I want to share is on Town, but the users are on Police.  Not sure if this matters.
0
 
LVL 24

Expert Comment

by:ryansoto
ID: 21866098
I would turn it all off to test and see what happens.
0
 
LVL 39

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 21867978
OK:

This is what I am thinking>

DFS (Distributive File Services) is responsible for distributing out GPOs. GPOs are first saved in SYSVOL. Then DFS uses NetBIOS broadcasts to send out these shares to the local subnet. The only problem with that is NetBIOS uses broadcast messages and it is not a routable protocol. Non-routable means that it will not go through a VPN tunnel, across a firewall, or over any sort of NAT.

To fix this issue, you will need netbios over TCP/IP for all computers within each subnet and you need something to transport from one subnet to another. There are two methods of doing just that for DFS.

So here are your fixes:
1) USE WINS between the two sites. Create a WINS server out of your lead server per subnet. What I mean by a lead server is the one that holds the FSMO roles. Below is an article that explains how to use WINS to go across a WAN configuration for the Browser service. This article will help you configure WINS as a transport between the two sites.

http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/chptr3.mspx?mfr=true

Alternative fix: Fix 2) An alternative fix is to use DNS as the transport for DFS:
 http://support.microsoft.com/kb/244380
PLEASE NOTE: Please look at the key ports used by Windows 2003; anything using port 137 for WINS and NetBIOS datagram ports 138 and 139 is affected if you do not use WINS. If all you are after is DFS, then you could use DNS. So, there are drawbacks to using DNS.

Dropping your pants by disabling the firewall and AV products is just a test, and yes, it's not a good idea. So, the tests are done and you probably still don't have what you need, because NetBIOS is not routable.

What you should do is pay attention to what uses IP ports for NetBIOS. Those would be NetBIOS/WINS port 137, and NetBIOS datagram ports 138 and 139. Without WINS, you will not be able to get to Site 2. So, let's review what key functions use these ports. If you want all services available between the LANs, you will have to use Fix 1:

This article for reference on the ports used by key services of 2003 server:
http://www.microsoft.com/smallbusiness/support/articles/ref_net_ports_ms_prod.mspx
1) WINS
2) The Domain Browser Service
3) DFS
4) License logging service
5) Messenger
6) Netlogon
7) performance logs and alerts.
8) print spooler
9) RPC
10) SERVER service
11) System management service

With that said, I think the full range of symptoms you will have is:
~~Computers from the remote site will not show up in MY NETWORK PLACES.
~~The print spooler will not work on a remote site
~~You can't run files using RPC from the remote site and may have RPC is unavailable.
~~You can't view performance logs and alerts from the remote site.
~~You will probably have events 1030 can't get GPO, 1058 can't get GPO, 1053 as you are seeing, and might see 8032 master browser conflict.

*****IMPORTANT: Prior to applying the fixes, you can enable AV and firewalls.

Attached is a free body diagram that illustrates what you want. Use Netbios over TCP/IP to broadcast between clients and server on the same subnet. Then, use WINS to communicate between the two subnets. Disregard the part that says, here is your problem. Since you don't seem to have problems with the clients and server, all you may have to do is enable WINS on the subnet's master server.

For the browser service, I recommend you use the same article and make sure you have a master browser per subnet and a backup browser.

I hope this helps, and let me know if you have any questions.
browser-interaction.JPG
0
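The accepted solution hinges on NetBIOS name resolution being a subnet broadcast on UDP/137 unless a WINS server answers unicast queries instead. The following is an added example, not code from this thread or from Microsoft: it builds the NetBIOS name query for a <20> (file server) name, parses the positive response, and constructs a sample response offline so the parser can be checked without a network. The `query_wins` helper and the name `ACCOUNTING` / address 192.168.10.1 are assumptions taken from the thread for illustration.

```python
import socket
import struct

NB_SUFFIX_SERVER = 0x20  # the <20> File Server name; netdiag in this thread warned it was missing

def encode_netbios_name(name, suffix=NB_SUFFIX_SERVER):
    """First-level encoding (RFC 1001): pad to 15 bytes, suffix as byte 16, each nibble -> letter A..P."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))

def build_name_query(name, txid=0x1234, broadcast=True):
    """NBNS NAME QUERY REQUEST: 12-byte header plus one question of type NB (0x20), class IN.
    broadcast=True sets the B bit (subnet broadcast); False is the unicast form sent to a WINS server."""
    flags = 0x0110 if broadcast else 0x0100          # opcode QUERY, RD set, optional B bit
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    question = bytes([32]) + encode_netbios_name(name) + b"\x00" + struct.pack(">HH", 0x0020, 0x0001)
    return header + question

def parse_name_response(pkt, txid=0x1234):
    """IPv4 addresses from a POSITIVE NAME QUERY RESPONSE; [] on txid mismatch, non-response or RCODE != 0."""
    rid, flags, _qd, ancount = struct.unpack_from(">HHHH", pkt, 0)
    if rid != txid or not flags & 0x8000 or flags & 0x000F or ancount == 0:
        return []
    pos = 12
    pos += 1 + pkt[pos] + 1                              # skip length byte, encoded name, terminator
    rrtype, _cls, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, pos)
    pos += 10
    if rrtype != 0x0020:
        return []
    # RDATA is a list of 6-byte entries: NB_FLAGS (2 bytes) followed by an IPv4 address
    return [socket.inet_ntoa(pkt[off + 2:off + 6]) for off in range(pos, pos + rdlen, 6)]

def make_positive_response(name, ip, txid=0x1234, ttl=300):
    """Constructed sample of what a WINS server or the named host answers; used for offline testing."""
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)      # response, AA, RD; RCODE 0
    rr_name = bytes([32]) + encode_netbios_name(name) + b"\x00"
    rdata = struct.pack(">H", 0x0000) + socket.inet_aton(ip)        # NB_FLAGS: unique name, B-node
    return header + rr_name + struct.pack(">HHIH", 0x0020, 0x0001, ttl, len(rdata)) + rdata

def query_wins(name, server_ip, timeout=2.0):
    """Unicast query to a WINS server (UDP/137); needs a live network, so not exercised offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_name_query(name, broadcast=False), (server_ip, 137))
        try:
            return parse_name_response(s.recv(512))
        except socket.timeout:
            return []
```

Running `query_wins` from the remote subnet against each site's WINS server shows directly whether the <20> name crosses the link, which is the check the fix above depends on.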
 
LVL 39

Expert Comment

by:ChiefIT
ID: 21901697
Excellent!! I am glad to see this worked for you. Thanks.
0
