Solved

Permission Problem when connecting to Exchange and Network on Primary Domain Controller.

Posted on 2008-10-20
Last Modified: 2012-05-05
We lost power over the weekend; when our main server (Small Business Server 2003, SP2, not R2) came back up, a few computers haven't been able to connect to certain things.  Here's what works and what doesn't:

* when browsing our server, \\TANK we get the attached error message
* when browsing the ip of our server \\192.168.1.2 it works fine
* pinging TANK works fine
* pinging 192.168.1.2 works fine
* Exchange prompts for password, under any profile or any user and can't connect.  This means, I've tried administrator (who does have access to all mailboxes) or the user accounts, same problem keeps prompting for password.  I've tried user, domain/user, user@domain.local all with same problems.  Log into that same machine under a different username, same problem.  Connect the computer to a different switch or even wirelessly, same problem.  
* Can't connect a computer to a domain either, tried disconnecting and reconnecting through http://tank/connectcomputer, that doesn't work, also tried it manually through switching from workgroup to domain, and yet another error.
* OWA internally works fine http://tank/exchange or http://tank/remote
* There are no errors in the event log, this has happened to 4 users so far, one of them just dropped offline after lunch, the others have been off all day
* I have 25 spare licenses on the server not being used, so it's not a license issue either.
* DNS is setup correctly (pointing to 192.168.1.2, plus everyone else seems to connect to this fine)
* Latest greatest antivirus has been run as well

Any information you have would help, I've had quite a bit of experience with small business server and am running out of ideas for troubleshooting.
whenbrowsingtank.jpg
Question by:gemvision
25 Comments
 
LVL 9

Expert Comment

by:monorail1
Can you try removing a PC from the domain then rejoining - once done, does everything resolve ok? Can you attach any exports of your eventvwr?


~ CFJ
 
LVL 9

Expert Comment

by:monorail1
Also, have you tried rebooting and/or restarting DNS?
 

Author Comment

by:gemvision
Yes, I have tried adding/removing from the domain.  It removes fine, but doesn't let me re-add it.  I've tried through the /connectcomputer method (what I normally use), and adding it manually, doesn't work.  

I've attached errors for these.

erroraddingtodomainmanually.JPG
errorconnectingsbsrecommended.JPG
 

Author Comment

by:gemvision
I have restarted the DNS server, problems still exist.  No errors in the DNS Server event log (or any other logs for that matter, just standard Informational messages)
 
LVL 9

Expert Comment

by:monorail1
Can you do a start > run: services.msc, sort by what's set to auto start and provide a list of what is NOT started? Would it be possible for you to attach an .evt export of your system eventvwr?


~ CFJ
 

Author Comment

by:gemvision
All services are started that need to be.  Okay, here's the update on this morning, all symptoms seem to be pointing to a licensing issue, but the server isn't giving any errors, and it's showing we have plenty of CALs.

* Yesterday someone shut their machine off, and one person who wasn't able to connect was able to get on.
* Last night, a couple people couldn't log in remotely that could during the day here and can now
* That computer that wouldn't reconnect to the domain, suddenly worked this morning when going to /connectcomputer, I'm guessing this is because not everyone is in yet.

I've attached my event logs, shouldn't I be getting some sort of licensing error if this was the case?
 

Author Comment

by:gemvision
Okay, I spoke too soon.  I'm not saying it's not a licensing problem, but the information about certain things working that weren't before isn't entirely accurate.

* We originally had 3 computers that were having this issue, now it's up to 7 users (that I know of) with the same problem.  All of the computers that aren't able to connect to exchange, can no longer do so through outlook, but can still through OWA.
* The computer that I disconnected from the domain, then reconnected, still has the same issue.  I deleted all computer settings, etc. from A/D before re-adding it, and it still isn't working properly.

The information I thought to be where people were suddenly getting back on and weren't is sort of accurate.  Every once in a while it would accept the password, but mail wouldn't come through, and it would still show disconnected.
 

Author Comment

by:gemvision
One more thing, we have a remote office in the UK, they have one user there that has dropped off too, making the number of computers with this problem, 9.
 
LVL 9

Accepted Solution

by:monorail1
monorail1 earned 500 total points
I actually had this issue with a client about 6 months ago, don't remember all the specifics but after the server rebooted (for maintenance) they had the same issues. I believe SBS comes with 5 CAL's (concurrent) installed with a max usage of 12 and somehow they started getting used up even after multiple reboots (server & workstation) and without an increase in the number of users, if 9 users are reporting issues chances are you've hit that 12 max. They were experiencing the exact same situation as you and what we ended up doing was purchasing additional CAL's and the issue was resolved.

Two Links that may help:

http://www.microsoft.com/windowsserver2003/sbs/techinfo/overview/licensingfaq.mspx
http://www.microsoft.com/windowsserver2003/sbs/howtobuy/pricing.mspx


~ CFJ
 

Author Comment

by:gemvision
Well, we're beyond 12, but I'll check it out.  Do you know if I'm reading this right?

Installed Licenses: 50
Maximum Usage: 42

There should be a 75 CAL limit on SBS.  Yesterday the maximum usage was at 27, but either way I don't see any logs in the server and this hasn't been over the Installed Licenses (50)?
 
LVL 9

Expert Comment

by:monorail1
Hm that's strange, you're correct on the 75 but your max usage should be higher than your installed licenses... You may want to call Microsoft about this one: 800-426-9400


~ CFJ
 

Author Comment

by:gemvision
I did order new licenses, just in case.  I also ordered the R2 upgrade which I know will fix a couple other issues we're having (maxing out our 18GB exchange db, upgrading it to 75GB).  So, I'll try the licensing tomorrow morning when it comes in.  My experience with MS phone calls is usually about a 24 hour fix, and that's for emergency cases.
 
LVL 9

Assisted Solution

by:monorail1
monorail1 earned 500 total points
Good call on the R2 but I was under the impression Ex2003 SP2 fixed the 75GB ex db limit which you should be able to install as is then apply the registry change without needing the entire R2 upgrade. The # I included is for license sales who can (freely) redirect you through to tech support without you having to pay for it if related to licensing. Let me know what happens w/ it tomorrow morning this is pretty odd and I want to see it through.


~ CFJ
 

Author Comment

by:gemvision
I will definitely keep you updated, thank you for the insight.  I thought SP2 fixed the db as well, but we're still having the problems, I'll have to search for the registry key you're talking about.  The only one I'm aware of was the key that went from 16 to 18 or 16 to 17 or something like that.  Of course, that was prior to SP2.

I am in the process of upgrading all servers to R2 anyway mainly for DFS.  Anyway, I'll let you know, more and more people are dropping offline now which isn't sounding much like a licensing issue.
 
LVL 9

Assisted Solution

by:monorail1
monorail1 earned 500 total points
The Ex2003 SP2 DB size fix is:
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\Server name\Private-Mailbox Store GUID
- New DWORD, name: "Database Size Limit in Gb" (without quotes)
- Edit: change base to decimal and put # from 1-75 (Ex2003 standard) or 1-8000 (Ex2003 enterprise)
- Restart istore services

How many total users are there, out of total users how many are affected? Is there anything common between the users/systems? Were any updates applied to the server prior to the shutdown/reboot and how long ago was the last reboot? Is it running Win2003 SP2? Can you check your chimney settings (http://support.microsoft.com/kb/912222)?


~ CFJ
 
LVL 9

Expert Comment

by:monorail1
Sorry, that was http://support.microsoft.com/kb/912222

Is the SBS acting as a DHCP server? You said upgrading "all servers" in your last post, are there additional DC's or only standard member servers? You can have additional DC's in an SBS environment as long as the SBS is the FSMO DC. On the computers that fail to rejoin to the domain - is the windows firewall or 3rd party software firewall running? If you ping your internal AD domain (like gemvision.local or domain.com - the suffix FQDN of your computers) does it resolve to the SBS? If you do a start > run: %logonserver% from a workstation, does it resolve to the SBS also? Can you check the windows update site to review your update history and see if anything was maybe auto-installed recently?


~ CFJ
 

Author Comment

by:gemvision
Okay, this is weird, I think we're getting somewhere now.  When I ping gemvision.local it's resolving 192.168.1.176 (which is someone's new Vista 64 machine), it's not resolving to our primary DC (SBS), 192.168.1.2.  There was also a strange error in the event log (attached) for the person with the 176 address: newberg-bb.

I removed all entries of this from the DNS server (SBS) and from the DHCP server (our router) and many of them seemed to have come back online now, but not all.  However, I don't know what's causing this yet, and I'm sure this could happen again.

Also, the PC's that seem to still be having this problem are resolving %logonserver% to our uk DC (\\PEQUOD - 192.168.3.40) instead of our SBS PDC (\\TANK - 192.168.1.2).
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 10/21/2008
Time: 6:12:17 AM
User: N/A
Computer: TANK
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server newberg-bb$.  The target name used was cifs/nebuchadnezzar.Gemvision.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (GEMVISION.LOCAL), and the client realm. Please contact your system administrator.


 
LVL 9

Assisted Solution

by:monorail1
monorail1 earned 500 total points
"In order to access any resource in the domain, the Kerberos client on this computer requires a ticket from the server managing the authentication requests (Kerberos Key Distribution Center or KDC). However, after requesting such a ticket from the KDC and sending the requested information back and forth, the KDC server answered that it did not receive the expected answer. Its as if it was meant for this computer but it contained the data from a different one. There might be some computers with the same name within the same part of the network."

It's a fair amount of reading but check this on Kerberos troubleshooting:
http://blogs.technet.com/askds/archive/2008/05/29/kerberos-authentication-problems-service-principal-name-spn-issues-part-1.aspx

Check what's installed and/or running on that Vista PC and check if there are duplicate hostnames. Start do a ping VistaPC -t from the SBS then disconnect the VistaPC's network cable, retry the ping and see if another machine responds. Can you try removing/rejoining that PC to the domain? Is that your only Vista client?

How many DC's exist throughout both locations? How many at your location? Can you install windows support tools on the SBS and do a start > run: dcdiag & netdiag?


~ CFJ
 

Author Comment

by:gemvision
Okay, it seems what happened was there were some incorrect DNS settings in the SBS server, there were about 5 entries in there listed as (same as parent) that were just regular pcs, deleted the incorrect ones and it seems to have fixed it.  Not sure what happened that would've caused them to show up at this level, as I don't even think that you can manually add entries at the (same as parent) level.

Anyway, for now, things seem to be okay, we're going through double checking everything on everyone's computers now just to be sure.  Thank you very much for your help with this, definitely couldn't have done it without your suggestions.
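As an added example (not code from either participant), a Python script that automates the two checks this thread converged on: pulling the decrypting machine account and the SPN target out of a Kerberos Event ID 4 body and comparing them, and flagging domain-apex "(same as parent folder)" A records whose address is not a domain controller. The event text is the one quoted above; the DC and record lists are constructed from the addresses named in the thread and would normally come from dcdiag or the DNS console.

```python
import re
from typing import List, NamedTuple, Set

# Event body quoted in the thread (Kerberos Event ID 4 logged on TANK).
KRB_EVENT = (
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "newberg-bb$.  The target name used was cifs/nebuchadnezzar.Gemvision.local. "
    "This indicates that the password used to encrypt the kerberos service ticket "
    "is different than that on the target server."
)

class KrbFinding(NamedTuple):
    server_account: str  # machine account whose key actually decrypted the ticket
    spn_host: str        # host named in the SPN the client asked for
    names_differ: bool   # True: the request reached a different machine than it named

def parse_krb_event(text: str) -> KrbFinding:
    """Extract both names from a KRB_AP_ERR_MODIFIED event body and compare them.

    When they differ (newberg-bb vs. nebuchadnezzar above) the client's traffic
    landed on the wrong host, so name resolution is the first thing to check;
    when they match, look at the machine account password or duplicate accounts."""
    acct = re.search(r"from the server\s+([^\s.$]+)\$", text, re.I)
    spn = re.search(r"target name used was\s+[a-z]+/([^\s.]+)", text, re.I)
    if not (acct and spn):
        raise ValueError("not a KRB_AP_ERR_MODIFIED event body")
    account, host = acct.group(1), spn.group(1)
    return KrbFinding(account, host, account.lower() != host.lower())

def stray_apex_records(apex_ips: List[str], dc_ips: Set[str]) -> List[str]:
    """Return '(same as parent folder)' A record addresses that are not a DC.

    The zone apex (gemvision.local) must only resolve to domain controllers;
    a workstation address there sends logon and Exchange lookups to that PC."""
    return [ip for ip in apex_ips if ip not in dc_ips]

# Constructed sample data built from the addresses named in the thread.
DC_IPS = {"192.168.1.2", "192.168.2.35", "192.168.3.40"}  # TANK, DOZER, PEQUOD
APEX_RECORDS = ["192.168.1.2", "192.168.1.176"]           # second one is the Vista PC

if __name__ == "__main__":
    ev = parse_krb_event(KRB_EVENT)
    verdict = "wrong host reached, check DNS" if ev.names_differ else "same host"
    print(f"ticket for {ev.spn_host} decrypted by {ev.server_account}$: {verdict}")
    for ip in stray_apex_records(APEX_RECORDS, DC_IPS):
        print(f"apex A record {ip} is not a domain controller; remove it")
```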
 

Author Comment

by:gemvision
I spoke too soon.  Some of them are still having problems.

It seems the ones that have %logonserver% that direct to our UK DC (PEQUOD) cannot connect to exchange (TANK) or browse to \\TANK.
 
LVL 9

Assisted Solution

by:monorail1
monorail1 earned 500 total points
Strange. So, you have 2x DC's in your organization - one in the UK and your local SBS, TANK - right? Have you tried releasing & renewing those PC's IP addresses? Can you try and ipconfig /flushdns & ipconfig /registerdns? Does the UK DC broadcast DHCP over to your VLAN/subnet? Are those PC's pulling a correct IP from the SBS? Do they have any host file entries or manual IP/DNS settings?


~ CFJ
 

Author Comment

by:gemvision
Okay, I'm not actually sure how many of our servers are Domain controllers, but here's some more info:

* I've attached the netdiag and dcdiag results
* more machines are still dropping off, even these are resolving %logonserver% to tank and when they ping gemvision.local it's also coming back to tank as it should be.
* we have 3 DNS servers, one at each of 3 different locations: TANK - 192.168.1.2, DOZER - 192.168.2.35, and PEQUOD - 192.168.3.40
* ipconfig /flushdns, /registerdns will get the machines to point the %logonserver% back, however they will not connect with \\tank
* all 3 locations have the same router hooked up to them Linksys RV082 which are broadcasting DHCP only to the ones attached behind each box, plus a separate DNS for each location.
dcdiag.txt
netdiag.txt
 

Author Comment

by:gemvision
We had to call Microsoft on this, took them almost a full week to fix it in critical status, here are their notes:

- we tried rebuilding the secure channel of the client machine with the server
- we found that the secure channel of the DC is broken with other DC's in the domain, we tried building that.
- There was a DC which is no longer connected and active; with KB 216498 we cleared the instances for that DC.
- We made sure that replication works fine among all the DC's.
- We rebuilt the DNS, adding and removing settings for the DC's <-- This is actually the part that fixed it, the rest didn't seem to do anything.

Anyway, thanks for all of your help with this.
 

Author Closing Comment

by:gemvision
Although I had to call Microsoft monorail1 was extremely helpful in this case.
 
LVL 9

Expert Comment

by:monorail1
Hey gemvision, thanks for posting their comments. I unfortunately ruled out the unsuccessful demotion because of the SBS but my other post on it was http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23468011.html. Glad to hear everything worked out and sorry I didn't think to connect those dots but ah well, 'tis life.

Best,


~ CFJ