west-com
asked on
Kerberos Authentication failing (reported on NetDiag)
Our server had viruses on it. Having (we think) resolved this issue, we are now having intermittent problems with PCs connecting to it.
Issue Description:
I can duplicate the following fault repeatedly.
1) Boot PC
2) Log on as a user (called test in this example and created with an "empty" profile on the server)
3) User's profile fails to load
4) When logged on (with temporary profile), I try and connect to \\server\netlogon and am asked for a username and password. If I supply Domain\test as the username, I cannot (The username you have typed is the same user name you logged in with. That username has already been tried. A domain controller cannot be found to verify that username). If I use Domain\another I can see the Netlogon share.
5) Having connected to netlogon as another user, if I delete all mappings and map a drive to NETLOGON as Test, I connect correctly.
I can repeat this logging on as domain\another and connecting to netlogon as domain\test, i.e. reversing the account roles.
NETDIAG -v reports as follows
Testing Kerberos authentication... Failed
DC list test ... failed
Kerberos test. . . . . . . . . . . : Failed
LDAP test. . . . . . . . . . . . . : Failed
I'm at a loss as to what to do.
Gathering IPX configuration information.
Querying status of the Netcard drivers... Passed
Testing IpConfig - pinging the DHCP Server... Passed
Testing IpConfig - pinging the Primary WINS server... Passed
Testing Domain membership... Passed
Gathering NetBT configuration information.
Testing for autoconfiguration... Passed
Testing IP loopback ping... Passed
Testing default gateways... Passed
Enumerating local and remote NetBT name cache... Passed
Testing the WINS server
Local Area Connection
Sending name query to primary WINS server 192.168.0.1 - Failed
There is no secondary WINS server defined for this adapter.
Gathering Winsock information.
Testing DNS
The DNS registration for CHWS-15.churchhouse.local is correct on all DNS servers
Testing redirector and browser... Passed
Testing DC discovery.
Looking for a DC
Looking for a PDC emulator
Looking for a Windows 2000 DC
Gathering the list of Domain Controllers for domain 'CHURCHHOUSE'
Testing trust relationships... Passed
Testing Kerberos authentication... Failed
Testing LDAP servers in Domain CHURCHHOUSE ...
Gathering routing information
Gathering network statistics information.
Gathering configuration of bindings.
Gathering RAS connection information
Gathering Modem information
Gathering Netware information
Gathering IP Security information
Tests complete.
Computer Name: CHWS-15
DNS Host Name: CHWS-15.churchhouse.local
DNS Domain Name: churchhouse.local
System info : Windows 2000 Professional (Build 2600)
Processor : x86 Family 15 Model 4 Stepping 9, GenuineIntel
Hotfixes :
Installed? Name
Yes KB902344
Yes KB911564
Yes KB917734_WMP10
Yes KB923561
Yes KB923689
Yes KB925398_WMP64
Yes KB936782_WMP10
Yes KB938127-IE7
Yes KB938464
Yes KB938464-v2
Yes KB941569
Yes KB944533-IE7
Yes KB946648
Yes KB947864-IE7
Yes KB950759-IE7
Yes KB950760
Yes KB950762
Yes KB950974
Yes KB951066
Yes KB951072-v2
Yes KB951376
Yes KB951376-v2
Yes KB951698
Yes KB951748
Yes KB951978
Yes KB952004
Yes KB952069_WM9
Yes KB952287
Yes KB952954
Yes KB953838-IE7
Yes KB953839
Yes KB954211
Yes KB954459
Yes KB954600
Yes KB955069
Yes KB955839
Yes KB956390-IE7
Yes KB956391
Yes KB956572
Yes KB956802
Yes KB956803
Yes KB956841
Yes KB957095
Yes KB957097
Yes KB958215-IE7
Yes KB958644
Yes KB958687
Yes KB958690
Yes KB959426
Yes KB960225
Yes KB960714-IE7
Yes KB960715
Yes KB960803
Yes KB961260-IE7
Yes KB961373
Yes KB963027-IE7
Yes KB967715
Yes Q147222
No ServicePackUninstall
Netcard queries test . . . . . . . : Passed
Information of Netcard drivers:
---------------------------------------------------------------------------
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
Device: \DEVICE\{DEE1B2B7-CB83-4E0B-92E5-56986064AC84}
Media State: Connected
Device State: Connected
Connect Time: 02:43:43
Media Speed: 100 Mbps
Packets Sent: 25753
Bytes Sent (Optional): 0
Packets Received: 29845
Directed Pkts Recd (Optional): 28484
Bytes Received (Optional): 0
Directed Bytes Recd (Optional): 0
---------------------------------------------------------------------------
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
Device: \DEVICE\{5F166796-4D58-4261-A4B1-BD6F62E804CC}
Media State: Connected
Device State: Connected
Connect Time: 02:43:43
Media Speed: 100 Mbps
Packets Sent: 25753
Bytes Sent (Optional): 0
Packets Received: 29845
Directed Pkts Recd (Optional): 28484
Bytes Received (Optional): 0
Directed Bytes Recd (Optional): 0
---------------------------------------------------------------------------
[PASS] - At least one netcard is in the 'Connected' state.
Per interface results:
Adapter : Local Area Connection
Adapter ID . . . . . . . . : {5F166796-4D58-4261-A4B1-BD6F62E804CC}
Netcard queries test . . . : Passed
Adapter type . . . . . . . : Ethernet
Host Name. . . . . . . . . : CHWS-15.churchouse.local
Description. . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
Physical Address . . . . . : 00-17-31-28-3B-4F
Dhcp Enabled . . . . . . . : Yes
DHCP ClassID . . . . . . . :
Autoconfiguration Enabled. : Yes
IP Address . . . . . . . . : 192.168.0.47
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.0.2
DHCP Server. . . . . . . . : 192.168.0.1
Primary WINS Server. . . . : 192.168.0.1
Lease Obtained . . . . . . : 24 April 2009 12:01:26
Lease Expires. . . . . . . : 02 May 2009 12:01:26
Dns Servers. . . . . . . . : 192.168.0.1
IpConfig results . . . . . : Passed
Pinging DHCP server - reachable
Pinging the Primary WINS server 192.168.0.1 - reachable
AutoConfiguration results. . . . . . : Passed
AutoConfiguration is not in use.
Default gateway test . . . : Passed
Pinging gateway 192.168.0.2 - reachable
At least one gateway reachable for this adapter.
NetBT name test. . . . . . : Passed
NetBT_Tcpip_{5F166796-4D58-4261-A4B1-BD6F62E804CC}
CHWS-15 <00> UNIQUE REGISTERED
CHURCHHOUSE <00> GROUP REGISTERED
CHWS-15 <20> UNIQUE REGISTERED
CHURCHHOUSE <1E> GROUP REGISTERED
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
NetBios Resolution : via DHCP
Netbios Remote Cache Table
Name Type HostAddress Life [sec]
---------------------------------------------------------------
CHOUSE-SVR01.CH<55> UNIQUE 192.168.0.1 117
WINS service test. . . . . : Failed
Sending name query to primary WINS server 192.168.0.1 - Failed
There is no secondary WINS server defined for this adapter.
The test failed. We were unable to query the WINS servers.
IPX test : IPX is not installed on this machine.
Global results:
IP General configuration
LMHOSTS Enabled. . . . . . . . : Yes
DNS for WINS resolution. . . . : Enabled
Node Type. . . . . . . . . . . : Hybrid
NBT Scope ID . . . . . . . . . :
Routing Enabled. . . . . . . . : No
WINS Proxy Enabled . . . . . . : No
DNS resolution for NETBIOS . . : No
Domain membership test . . . . . . : Passed
Machine is a . . . . . . . . . : Member Workstation
Netbios Domain name. . . . . . : CHURCHHOUSE
Dns domain name. . . . . . . . : churchhouse.local
Dns forest name. . . . . . . . : churchhouse.local
Domain Guid. . . . . . . . . . : {D006232E-0C01-4AFA-A2B8-5F0A857B3C90}
Domain Sid . . . . . . . . . . : S-1-5-21-1202660629-1292428093-839522115
Logon User . . . . . . . . . . : test
Logon Domain . . . . . . . . . : CHURCHHOUSE
Logon Server . . . . . . . . . : \\CHOUSE-SVR01
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{5F166796-4D58-4261-A4B1-BD6F62E804CC}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
PASS - you have at least one non-autoconfigured IP address
IP loopback ping test. . . . . . . : Passed
PASS - pinging IP loopback address was successful.
Your IP stack is most probably OK.
Default gateway test . . . . . . . : Passed
PASS - you have at least one reachable gateway.
NetBT name test. . . . . . . . . . : Passed
No NetBT scope defined
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
The number of protocols which have been reported : 10
Description: MSAFD Tcpip [TCP/IP]
Provider Version :2
Max message size : Stream Oriented
Description: MSAFD Tcpip [UDP/IP]
Provider Version :2
Description: RSVP UDP Service Provider
Provider Version :6
Description: RSVP TCP Service Provider
Provider Version :6
Max message size : Stream Oriented
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5F166796-4D58-4261-A4B1-BD6F62E804CC}] SEQPACKET 0
Provider Version :2
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5F166796-4D58-4261-A4B1-BD6F62E804CC}] DATAGRAM 0
Provider Version :2
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C1CB8D61-958B-4269-A0AD-1BD6BD2AAD64}] SEQPACKET 1
Provider Version :2
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C1CB8D61-958B-4269-A0AD-1BD6BD2AAD64}] DATAGRAM 1
Provider Version :2
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{46DCDE0A-35C1-498B-9F9E-E9FA61B4B62E}] SEQPACKET 2
Provider Version :2
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{46DCDE0A-35C1-498B-9F9E-E9FA61B4B62E}] DATAGRAM 2
Provider Version :2
Max UDP size : 65507 bytes
DNS test . . . . . . . . . . . . . : Passed
Interface {5F166796-4D58-4261-A4B1-BD6F62E804CC}
DNS Domain: churchouse.local
DNS Servers: 192.168.0.1
IP Address: 192.168.0.47
Expected registration with PDN (primary DNS domain name):
Hostname: CHWS-15.churchhouse.local.
Authoritative zone: churchhouse.local.
Primary DNS server: chouse-svr01.churchhouse.local 192.168.0.1
Authoritative NS:192.168.0.1
Expected registration with adapter's DNS Domain Name:
Hostname: CHWS-15.churchouse.local.
Registration with adapter's DNS domain name is disabled.
Verify DNS registration:
Name: CHWS-15.churchhouse.local
Expected IP: 192.168.0.47
Server 192.168.0.1: NO_ERROR
The DNS registration for CHWS-15.churchhouse.local is correct on all DNS servers
Redir and Browser test . . . . . . : Passed
List of transports currently bound to the Redir
NetbiosSmb
NetBT_Tcpip_{5F166796-4D58-4261-A4B1-BD6F62E804CC}
The redir is bound to 1 NetBt transport.
List of transports currently bound to the browser
NetBT_Tcpip_{5F166796-4D58-4261-A4B1-BD6F62E804CC}
The browser is bound to 1 NetBt transport.
Mailslot test for CHURCHHOUSE* passed.
DC discovery test. . . . . . . . . : Passed
Find DC in domain 'CHURCHHOUSE':
Found this DC in domain 'CHURCHHOUSE':
DC. . . . . . . . . . . : \\chouse-svr01.churchhouse.local
Address . . . . . . . . : \\192.168.0.1
Domain Guid . . . . . . : {D006232E-0C01-4AFA-A2B8-5F0A857B3C90}
Domain Name . . . . . . : churchhouse.local
Forest Name . . . . . . : churchhouse.local
DC Site Name. . . . . . : Default-First-Site
Our Site Name . . . . . : Default-First-Site
Flags . . . . . . . . . : PDC emulator GC DS KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE 0x8
Find PDC emulator in domain 'CHURCHHOUSE':
Found this PDC emulator in domain 'CHURCHHOUSE':
DC. . . . . . . . . . . : \\chouse-svr01.churchhouse.local
Address . . . . . . . . : \\192.168.0.1
Domain Guid . . . . . . : {D006232E-0C01-4AFA-A2B8-5F0A857B3C90}
Domain Name . . . . . . : churchhouse.local
Forest Name . . . . . . : churchhouse.local
DC Site Name. . . . . . : Default-First-Site
Our Site Name . . . . . : Default-First-Site
Flags . . . . . . . . . : PDC emulator GC DS KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE 0x8
Find Windows 2000 DC in domain 'CHURCHHOUSE':
Found this Windows 2000 DC in domain 'CHURCHHOUSE':
DC. . . . . . . . . . . : \\chouse-svr01.churchhouse.local
Address . . . . . . . . : \\192.168.0.1
Domain Guid . . . . . . : {D006232E-0C01-4AFA-A2B8-5F0A857B3C90}
Domain Name . . . . . . : churchhouse.local
Forest Name . . . . . . : churchhouse.local
DC Site Name. . . . . . : Default-First-Site
Our Site Name . . . . . : Default-First-Site
Flags . . . . . . . . . : PDC emulator GC DS KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE 0x8
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to chouse-svr01.churchhouse.local (192.168.0.1). [ERROR_INTERNAL_ERROR]
List of DCs in Domain 'CHURCHHOUSE':
chouse-svr01.churchhouse.local
Trust relationship test. . . . . . : Passed
Test to ensure DomainSid of domain 'CHURCHHOUSE' is correct.
Secure channel for domain 'CHURCHHOUSE' is to '\\chouse-svr01.churchhouse.local'.
Secure channel for domain 'CHURCHHOUSE' was successfully set to DC '\\chouse-svr01.churchhouse.local'.
Kerberos test. . . . . . . . . . . : Failed
Cached Tickets:
[FATAL] Kerberos does not have a ticket for krbtgt/churchhouse.local.
[FATAL] Kerberos does not have a ticket for host/CHWS-15.churchhouse.local.
LDAP test. . . . . . . . . . . . . : Failed
Do un-authenticated LDAP call to 'chouse-svr01.churchhouse.local'.
Found 1 entries:
Attr: currentTime
Val: 17 20090424134507.0Z
Attr: subschemaSubentry
Val: 63 CN=Aggregate,CN=Schema,CN=Configuration,DC=churchhouse,DC=local
Attr: dsServiceName
Val: 115 CN=NTDS Settings,CN=CHOUSE-SVR01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=churchhouse,DC=local
Attr: namingContexts
Val: 23 DC=churchhouse,DC=local
Val: 40 CN=Configuration,DC=churchhouse,DC=local
Val: 50 CN=Schema,CN=Configuration,DC=churchhouse,DC=local
Val: 41 DC=DomainDnsZones,DC=churchhouse,DC=local
Val: 41 DC=ForestDnsZones,DC=churchhouse,DC=local
Attr: defaultNamingContext
Val: 23 DC=churchhouse,DC=local
Attr: schemaNamingContext
Val: 50 CN=Schema,CN=Configuration,DC=churchhouse,DC=local
Attr: configurationNamingContext
Val: 40 CN=Configuration,DC=churchhouse,DC=local
Attr: rootDomainNamingContext
Val: 23 DC=churchhouse,DC=local
Attr: supportedControl
Val: 22 1.2.840.113556.1.4.319
Val: 22 1.2.840.113556.1.4.801
Val: 22 1.2.840.113556.1.4.473
Val: 22 1.2.840.113556.1.4.528
Val: 22 1.2.840.113556.1.4.417
Val: 22 1.2.840.113556.1.4.619
Val: 22 1.2.840.113556.1.4.841
Val: 22 1.2.840.113556.1.4.529
Val: 22 1.2.840.113556.1.4.805
Val: 22 1.2.840.113556.1.4.521
Val: 22 1.2.840.113556.1.4.970
Val: 23 1.2.840.113556.1.4.1338
Val: 22 1.2.840.113556.1.4.474
Val: 23 1.2.840.113556.1.4.1339
Val: 23 1.2.840.113556.1.4.1340
Val: 23 1.2.840.113556.1.4.1413
Val: 23 2.16.840.1.113730.3.4.9
Val: 24 2.16.840.1.113730.3.4.10
Val: 23 1.2.840.113556.1.4.1504
Val: 23 1.2.840.113556.1.4.1852
Val: 22 1.2.840.113556.1.4.802
Val: 23 1.2.840.113556.1.4.1907
Val: 23 1.2.840.113556.1.4.1948
Attr: supportedLDAPVersion
Val: 1 3
Val: 1 2
Attr: supportedLDAPPolicies
Val: 14 MaxPoolThreads
Val: 15 MaxDatagramRecv
Val: 16 MaxReceiveBuffer
Val: 15 InitRecvTimeout
Val: 14 MaxConnections
Val: 15 MaxConnIdleTime
Val: 11 MaxPageSize
Val: 16 MaxQueryDuration
Val: 16 MaxTempTableSize
Val: 16 MaxResultSetSize
Val: 22 MaxNotificationPerConn
Val: 11 MaxValRange
Attr: highestCommittedUSN
Val: 7 4266792
Attr: supportedSASLMechanisms
Val: 6 GSSAPI
Val: 10 GSS-SPNEGO
Val: 8 EXTERNAL
Val: 10 DIGEST-MD5
Attr: dnsHostName
Val: 30 chouse-svr01.churchhouse.local
Attr: ldapServiceName
Val: 49 churchhouse.local:chouse-svr01$@CHURCHHOUSE.LOCAL
Attr: serverName
Val: 98 CN=CHOUSE-SVR01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=churchhouse,DC=local
Attr: supportedCapabilities
Val: 22 1.2.840.113556.1.4.800
Val: 23 1.2.840.113556.1.4.1670
Val: 23 1.2.840.113556.1.4.1791
Attr: isSynchronized
Val: 4 TRUE
Attr: isGlobalCatalogReady
Val: 4 TRUE
Attr: domainFunctionality
Val: 1 2
Attr: forestFunctionality
Val: 1 0
Attr: domainControllerFunctionality
Val: 1 2
Do NTLM authenticated LDAP call to 'chouse-svr01.churchhouse.local'.
Found 1 entries:
Attr: currentTime
Val: 17 20090424134507.0Z
Attr: subschemaSubentry
Val: 63 CN=Aggregate,CN=Schema,CN=Configuration,DC=churchhouse,DC=local
Attr: dsServiceName
Val: 115 CN=NTDS Settings,CN=CHOUSE-SVR01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=churchhouse,DC=local
Attr: namingContexts
Val: 23 DC=churchhouse,DC=local
Val: 40 CN=Configuration,DC=churchhouse,DC=local
Val: 50 CN=Schema,CN=Configuration,DC=churchhouse,DC=local
Val: 41 DC=DomainDnsZones,DC=churchhouse,DC=local
Val: 41 DC=ForestDnsZones,DC=churchhouse,DC=local
Attr: defaultNamingContext
Val: 23 DC=churchhouse,DC=local
Attr: schemaNamingContext
Val: 50 CN=Schema,CN=Configuration,DC=churchhouse,DC=local
Attr: configurationNamingContext
Val: 40 CN=Configuration,DC=churchhouse,DC=local
Attr: rootDomainNamingContext
Val: 23 DC=churchhouse,DC=local
Attr: supportedControl
Val: 22 1.2.840.113556.1.4.319
Val: 22 1.2.840.113556.1.4.801
Val: 22 1.2.840.113556.1.4.473
Val: 22 1.2.840.113556.1.4.528
Val: 22 1.2.840.113556.1.4.417
Val: 22 1.2.840.113556.1.4.619
Val: 22 1.2.840.113556.1.4.841
Val: 22 1.2.840.113556.1.4.529
Val: 22 1.2.840.113556.1.4.805
Val: 22 1.2.840.113556.1.4.521
Val: 22 1.2.840.113556.1.4.970
Val: 23 1.2.840.113556.1.4.1338
Val: 22 1.2.840.113556.1.4.474
Val: 23 1.2.840.113556.1.4.1339
Val: 23 1.2.840.113556.1.4.1340
Val: 23 1.2.840.113556.1.4.1413
Val: 23 2.16.840.1.113730.3.4.9
Val: 24 2.16.840.1.113730.3.4.10
Val: 23 1.2.840.113556.1.4.1504
Val: 23 1.2.840.113556.1.4.1852
Val: 22 1.2.840.113556.1.4.802
Val: 23 1.2.840.113556.1.4.1907
Val: 23 1.2.840.113556.1.4.1948
Attr: supportedLDAPVersion
Val: 1 3
Val: 1 2
Attr: supportedLDAPPolicies
Val: 14 MaxPoolThreads
Val: 15 MaxDatagramRecv
Val: 16 MaxReceiveBuffer
Val: 15 InitRecvTimeout
Val: 14 MaxConnections
Val: 15 MaxConnIdleTime
Val: 11 MaxPageSize
Val: 16 MaxQueryDuration
Val: 16 MaxTempTableSize
Val: 16 MaxResultSetSize
Val: 22 MaxNotificationPerConn
Val: 11 MaxValRange
Attr: highestCommittedUSN
Val: 7 4266792
Attr: supportedSASLMechanisms
Val: 6 GSSAPI
Val: 10 GSS-SPNEGO
Val: 8 EXTERNAL
Val: 10 DIGEST-MD5
Attr: dnsHostName
Val: 30 chouse-svr01.churchhouse.local
Attr: ldapServiceName
Val: 49 churchhouse.local:chouse-svr01$@CHURCHHOUSE.LOCAL
Attr: serverName
Val: 98 CN=CHOUSE-SVR01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=churchhouse,DC=local
Attr: supportedCapabilities
Val: 22 1.2.840.113556.1.4.800
Val: 23 1.2.840.113556.1.4.1670
Val: 23 1.2.840.113556.1.4.1791
Attr: isSynchronized
Val: 4 TRUE
Attr: isGlobalCatalogReady
Val: 4 TRUE
Attr: domainFunctionality
Val: 1 2
Attr: forestFunctionality
Val: 1 0
Attr: domainControllerFunctionality
Val: 1 2
Do Negotiate authenticated LDAP call to 'chouse-svr01.churchhouse.local'.
[FATAL] Cannot do Negotiate authenticated ldap_bind to 'chouse-svr01.churchhouse.local': Local Error.
[WARNING] Failed to query SPN registration on DC 'chouse-svr01.churchhouse.local'.
[FATAL] No LDAP servers work in the domain 'CHURCHHOUSE'.
Routing table test . . . . . . . . : Passed
Active Routes :
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.2 192.168.0.47 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.47 192.168.0.47 20
192.168.0.47 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.47 192.168.0.47 20
224.0.0.0 240.0.0.0 192.168.0.47 192.168.0.47 20
255.255.255.255 255.255.255.255 192.168.0.47 192.168.0.47 1
No persistent route entries.
Netstat information test . . . . . : Passed
Interface Statistics
Received Sent
Unicast Packets 21769390 3538925
Non-unicast packets 1431 71
Discards 0 0
Errors 0 0
Unknown protocols 0 458244
Interface index = 1
Description = MS TCP Loopback interface
Type = 24
MTU = 1520
Speed = 10000000
Physical Address = 00-00-00-00-00-00
Administrative Status = 1
Operational Status = 1
Last Changed = 14259168
Output Queue Length = 0
Interface index = 2
Description = Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
Type = 6
MTU = 1500
Speed = 100000000
Physical Address = 00-17-31-28-3B-4F
Administrative Status = 1
Operational Status = 1
Last Changed = 14259170
Output Queue Length = 0
Active Connections
Proto Local Address Foreign Address State
TCP CHWS-15:epmap CHWS-15.churchhouse.local:6298 LISTENING
TCP CHWS-15:microsoft-ds CHWS-15.churchhouse.local:36872 LISTENING
TCP CHWS-15:3389 CHWS-15.churchhouse.local:24775 LISTENING
TCP CHWS-15:5225 CHWS-15.churchhouse.local:34826 LISTENING
TCP CHWS-15:5226 CHWS-15.churchhouse.local:30923 LISTENING
TCP CHWS-15:8008 CHWS-15.churchhouse.local:39070 LISTENING
TCP CHWS-15:1048 CHWS-15.churchhouse.local:14381 LISTENING
TCP CHWS-15:1505 localhost:5225 CLOSE_WAIT
TCP CHWS-15:1506 localhost:5225 CLOSE_WAIT
TCP CHWS-15:1508 localhost:5225 CLOSE_WAIT
TCP CHWS-15:1509 localhost:5225 CLOSE_WAIT
TCP CHWS-15:1510 localhost:5226 ESTABLISHED
TCP CHWS-15:1514 localhost:5225 CLOSE_WAIT
TCP CHWS-15:1515 localhost:5225 CLOSE_WAIT
TCP CHWS-15:1516 localhost:5225 CLOSE_WAIT
TCP CHWS-15:5226 localhost:1510 ESTABLISHED
TCP CHWS-15:8005 CHWS-15.churchhouse.local:16566 LISTENING
TCP CHWS-15:netbios-ssn CHWS-15.churchhouse.local:4202 LISTENING
TCP CHWS-15:1775 chouse-svr01.churchhouse.local:microsoft-ds ESTABLISHED
TCP CHWS-15:2373 chouse-svr01.churchhouse.local:8014 ESTABLISHED
TCP CHWS-15:2376 chouse-svr01.churchhouse.local:microsoft-ds TIME_WAIT
TCP CHWS-15:2384 chouse-svr01.churchhouse.local:microsoft-ds TIME_WAIT
TCP CHWS-15:2392 chouse-svr01.churchhouse.local:microsoft-ds TIME_WAIT
TCP CHWS-15:2400 chouse-svr01.churchhouse.local:microsoft-ds TIME_WAIT
TCP CHWS-15:2408 chouse-svr01.churchhouse.local:microsoft-ds TIME_WAIT
TCP CHWS-15:2416 chouse-svr01.churchhouse.local:microsoft-ds TIME_WAIT
TCP CHWS-15:2423 chouse-svr01.churchhouse.local:epmap TIME_WAIT
TCP CHWS-15:2424 chouse-svr01.churchhouse.local:1026 TIME_WAIT
TCP CHWS-15:2430 chouse-svr01.churchhouse.local:microsoft-ds ESTABLISHED
TCP CHWS-15:2437 chouse-svr01.churchhouse.local:epmap ESTABLISHED
TCP CHWS-15:2438 chouse-svr01.churchhouse.local:1026 ESTABLISHED
TCP CHWS-15:2440 chouse-svr01.churchhouse.local:1026 ESTABLISHED
TCP CHWS-15:2441 chouse-svr01.churchhouse.local:1026 ESTABLISHED
TCP CHWS-15:2443 chouse-svr01.churchhouse.local:ldap TIME_WAIT
TCP CHWS-15:2444 chouse-svr01.churchhouse.local:ldap TIME_WAIT
TCP CHWS-15:2445 chouse-svr01.churchhouse.local:ldap ESTABLISHED
TCP CHWS-15:2451 chouse-svr01.churchhouse.local:ldap TIME_WAIT
TCP CHWS-15:3389 CDBFSQLSERVER:4079 ESTABLISHED
UDP CHWS-15:microsoft-ds *:*
UDP CHWS-15:isakmp *:*
UDP CHWS-15:4500 *:*
UDP CHWS-15:ntp *:*
UDP CHWS-15:1025 *:*
UDP CHWS-15:1038 *:*
UDP CHWS-15:1793 *:*
UDP CHWS-15:1900 *:*
UDP CHWS-15:2442 *:*
UDP CHWS-15:ntp *:*
UDP CHWS-15:netbios-ns *:*
UDP CHWS-15:netbios-dgm *:*
UDP CHWS-15:1900 *:*
IP Statistics
Packets Received = 29,866
Received Header Errors = 0
Received Address Errors = 11
Datagrams Forwarded = 0
Unknown Protocols Received = 0
Received Packets Discarded = 7
Received Packets Delivered = 29,857
Output Requests = 26,500
Routing Discards = 0
Discarded Output Packets = 0
Output Packet No Route = 0
Reassembly Required = 0
Reassembly Successful = 0
Reassembly Failures = 0
Datagrams successfully fragmented = 0
Datagrams failing fragmentation = 0
Fragments Created = 0
Forwarding = 2
Default TTL = 128
Reassembly timeout = 60
TCP Statistics
Active Opens = 924
Passive Opens = 18
Failed Connection Attempts = 19
Reset Connections = 51
Current Connections = 18
Received Segments = 27,950
Segment Sent = 24,900
Segment Retransmitted = 37
Retransmission Timeout Algorithm = vanj
Minimum Retransmission Timeout = 300
Maximum Retransmission Timeout = 120,000
Maximum Number of Connections = -1
UDP Statistics
Datagrams Received = 1,740
No Ports = 201
Receive Errors = 2
Datagrams Sent = 1,444
ICMP Statistics
Received Sent
Messages 116 116
Errors 0 0
Destination Unreachable 1 1
Time Exceeded 0 0
Parameter Problems 0 0
Source Quenchs 0 0
Redirects 0 0
Echos 8 8
Echo Replies 107 107
Timestamps 0 0
Timestamp Replies 0 0
Address Masks 0 0
Address Mask Replies 0 0
Bindings test. . . . . . . . . . . : Passed
Component Name : NDIS Usermode I/O Protocol
Bind Name: Ndisuio
Binding Paths:
Owner of the binding path : NDIS Usermode I/O Protocol
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: ndis5
Upper Component: NDIS Usermode I/O Protocol
Lower Component: Realtek RTL8139 Family PCI Fast Ethernet NIC
Component Name : Point to Point Protocol Over Ethernet
Bind Name: RasPppoe
Binding Paths:
Owner of the binding path : Point to Point Protocol Over Ethernet
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: ndis5
Upper Component: Point to Point Protocol Over Ethernet
Lower Component: Realtek RTL8139 Family PCI Fast Ethernet NIC
Component Name : Point to Point Tunneling Protocol
Bind Name: mspptp
Binding Paths:
Component Name : Layer 2 Tunneling Protocol
Bind Name: msl2tp
Binding Paths:
Component Name : Remote Access NDIS WAN Driver
Bind Name: NdisWan
Binding Paths:
Owner of the binding path : Remote Access NDIS WAN Driver
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: ndiscowan
Upper Component: Remote Access NDIS WAN Driver
Lower Component: Direct Parallel
Owner of the binding path : Remote Access NDIS WAN Driver
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: ndiswan
Upper Component: Remote Access NDIS WAN Driver
Lower Component: WAN Miniport (PPPOE)
Owner of the binding path : Remote Access NDIS WAN Driver
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: ndiswan
Upper Component: Remote Access NDIS WAN Driver
Lower Component: WAN Miniport (PPTP)
Owner of the binding path : Remote Access NDIS WAN Driver
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: ndiscowan
Upper Component: Remote Access NDIS WAN Driver
Lower Component: WAN Miniport (L2TP)
Owner of the binding path : Remote Access NDIS WAN Driver
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: ndiswanasync
Upper Component: Remote Access NDIS WAN Driver
Lower Component: RAS Async Adapter
Component Name : Message-oriented TCP/IP Protocol (SMB session)
Bind Name: NetbiosSmb
Binding Paths:
Component Name : WINS Client(TCP/IP) Protocol
Bind Name: NetBT
Binding Paths:
Owner of the binding path : WINS Client(TCP/IP) Protocol
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndis5
Upper Component: Internet Protocol (TCP/IP)
Lower Component: Realtek RTL8139 Family PCI Fast Ethernet NIC
Owner of the binding path : WINS Client(TCP/IP) Protocol
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndiswanip
Upper Component: Internet Protocol (TCP/IP)
Lower Component: WAN Miniport (IP)
Component Name : Internet Protocol (TCP/IP)
Bind Name: Tcpip
Binding Paths:
Owner of the binding path : Internet Protocol (TCP/IP)
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: ndis5
Upper Component: Internet Protocol (TCP/IP)
Lower Component: Realtek RTL8139 Family PCI Fast Ethernet NIC
Owner of the binding path : Internet Protocol (TCP/IP)
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: ndiswanip
Upper Component: Internet Protocol (TCP/IP)
Lower Component: WAN Miniport (IP)
Component Name : Client for Microsoft Networks
Bind Name: LanmanWorkstation
Binding Paths:
Owner of the binding path : Client for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios_smb
Upper Component: Client for Microsoft Networks
Lower Component: Message-oriented TCP/IP Protocol (SMB session)
Owner of the binding path : Client for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: Client for Microsoft Networks
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndis5
Upper Component: Internet Protocol (TCP/IP)
Lower Component: Realtek RTL8139 Family PCI Fast Ethernet NIC
Owner of the binding path : Client for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: Client for Microsoft Networks
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndiswanip
Upper Component: Internet Protocol (TCP/IP)
Lower Component: WAN Miniport (IP)
Component Name : WebClient
Bind Name: WebClient
Binding Paths:
Component Name : Wireless Zero Configuration
Bind Name: wzcsvc
Binding Paths:
Component Name : Steelhead
Bind Name: RemoteAccess
Binding Paths:
Component Name : Dial-Up Server
Bind Name: msrassrv
Binding Paths:
Component Name : Remote Access Connection Manager
Bind Name: RasMan
Binding Paths:
Component Name : Dial-Up Client
Bind Name: msrascli
Binding Paths:
Component Name : File and Printer Sharing for Microsoft Networks
Bind Name: LanmanServer
Binding Paths:
Owner of the binding path : File and Printer Sharing for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios_smb
Upper Component: File and Printer Sharing for Microsoft Networks
Lower Component: Message-oriented TCP/IP Protocol (SMB session)
Owner of the binding path : File and Printer Sharing for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: File and Printer Sharing for Microsoft Networks
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndis5
Upper Component: Internet Protocol (TCP/IP)
Lower Component: Realtek RTL8139 Family PCI Fast Ethernet NIC
Owner of the binding path : File and Printer Sharing for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: File and Printer Sharing for Microsoft Networks
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndiswanip
Upper Component: Internet Protocol (TCP/IP)
Lower Component: WAN Miniport (IP)
Component Name : NetBIOS Interface
Bind Name: NetBIOS
Binding Paths:
Owner of the binding path : NetBIOS Interface
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: NetBIOS Interface
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndis5
Upper Component: Internet Protocol (TCP/IP)
Lower Component: Realtek RTL8139 Family PCI Fast Ethernet NIC
Owner of the binding path : NetBIOS Interface
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: NetBIOS Interface
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndiswanip
Upper Component: Internet Protocol (TCP/IP)
Lower Component: WAN Miniport (IP)
Component Name : QoS Packet Scheduler
Bind Name: PSched
Binding Paths:
Owner of the binding path : QoS Packet Scheduler
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: ndis5
Upper Component: QoS Packet Scheduler
Lower Component: Realtek RTL8139 Family PCI Fast Ethernet NIC
Owner of the binding path : QoS Packet Scheduler
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: ndiswanip
Upper Component: QoS Packet Scheduler
Lower Component: WAN Miniport (IP)
Component Name : QoS RSVP
Bind Name: RSVP
Binding Paths:
Component Name : Generic Packet Classifier
Bind Name: Gpc
Binding Paths:
Component Name : Application Layer Gateway
Bind Name: ALG
Binding Paths:
Component Name : WAN Miniport (IP)
Bind Name: NdisWanIp
Binding Paths:
Component Name : Direct Parallel
Bind Name: {7DDA9096-CA3E-4235-B1BD-989A7EDA6D9C}
Binding Paths:
Component Name : WAN Miniport (PPPOE)
Bind Name: {64A59686-534B-4FBF-A42C-AAD7F06F71FA}
Binding Paths:
Component Name : WAN Miniport (PPTP)
Bind Name: {513FDAC2-3EAE-4EE1-BBCB-7CF31E9914F1}
Binding Paths:
Component Name : WAN Miniport (L2TP)
Bind Name: {604114C1-6AA0-438F-8B01-DA1D15121710}
Binding Paths:
Component Name : RAS Async Adapter
Bind Name: {FFABC96A-D98A-48EF-A240-D8431D70C9BD}
Binding Paths:
Component Name : Realtek RTL8139 Family PCI Fast Ethernet NIC
Bind Name: {5F166796-4D58-4261-A4B1-BD6F62E804CC}
Binding Paths:
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Passed
Service status is: Started
Service startup is: Automatic
IPSec service is available, but no policy is assigned or active
Note: run "ipseccmd /?" for more detailed information
The command completed successfully
ASKER
192.168.0.1 is the Domain Controller and therefore the internal DNS
192.168.0.1 is the DC
192.168.0.2 is the router
I could remove WINS from DHCP as WINS is no longer installed on the server, but I thought that DNS took priority over WINS and therefore this setting should not be an issue.
Domain Controller:
Windows IP Configuration
Host Name . . . . . . . . . . . . : chouse-svr01
Primary Dns Suffix . . . . . . . : churchhouse.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : churchhouse.local
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC
Physical Address. . . . . . . . . : 00-16-E6-4A-63-5E
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.2
DNS Servers . . . . . . . . . . . : 127.0.0.1
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : churchhouse.local
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-17-31-28-3B-4F
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.47
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.2
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
Primary WINS Server . . . . . . . : 192.168.0.1
Lease Obtained. . . . . . . . . . : 24 April 2009 15:03:43
Lease Expires . . . . . . . . . . : 02 May 2009 15:03:43
ASKER
on the LAST comment, the second IPConfig list refers to the PC with the repeatable fault
Change 127.0.0.1 to the actual IP address 192.168.0.1. WINS is still in the ip config.
Run ipconfig /registerdns then netdiag /fix
ASKER
Not sure whether to run these on the server or the client so I've done both since I don't think there will be issues.
Run on the server:
C:\Documents and Settings\Administrator.CHURCHHOUSE>netdiag /fix
....................................
Computer Name: CHOUSE-SVR01
DNS Host Name: chouse-svr01.churchhouse.local
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
List of installed hotfixes :
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Local Area Connection 3
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : chouse-svr01
IP Address . . . . . . . . : 192.168.0.1
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.0.2
Dns Servers. . . . . . . . : 192.168.0.1
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{7F26FE54-59EA-4AFF-9445-CF61C949BD02}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '192.168.0.1'
.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{7F26FE54-59EA-4AFF-9445-CF61C949BD02}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{7F26FE54-59EA-4AFF-9445-CF61C949BD02}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully
ASKER
Run on the client:
C:\Documents and Settings\administrator>netdiag /fix
........................................
Computer Name: CHWS-15
DNS Host Name: CHWS-15.churchhouse.local
System info : Windows 2000 Professional (Build 2600)
Processor : x86 Family 15 Model 4 Stepping 9, GenuineIntel
List of installed hotfixes :
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : CHWS-15.churchhouse.local
IP Address . . . . . . . . : 192.168.0.47
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.0.2
Primary WINS Server. . . . : 192.168.0.1
Dns Servers. . . . . . . . : 192.168.0.1
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.
WINS service test. . . . . : Failed
The test failed. We were unable to query the WINS servers.
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{5F166796-4D58-4261-A4B1-BD6F62E804CC}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{5F166796-4D58-4261-A4B1-BD6F62E804CC}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{5F166796-4D58-4261-A4B1-BD6F62E804CC}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to chouse-svr01.churchhouse.local (192.168.0.1)
. [ERROR_INTERNAL_ERROR]
Trust relationship test. . . . . . : Passed
Secure channel for domain 'CHURCHHOUSE' is to '\\chouse-svr01.churchhouse.lo
cal'.
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for krbtgt/churchhouse.local.
[FATAL] Kerberos does not have a ticket for host/CHWS-15.churchhouse.loc
al.
LDAP test. . . . . . . . . . . . . : Failed
[FATAL] Cannot do Negotiate authenticated ldap_bind to 'chouse-svr01.churchh
ouse.local': Local Error.
[WARNING] Failed to query SPN registration on DC 'chouse-svr01.churchhouse.l
ocal'.
[FATAL] No LDAP servers work in the domain 'CHURCHHOUSE'.
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Passed
Service status is: Started
Service startup is: Automatic
IPSec service is available, but no policy is assigned or active
Note: run "ipseccmd /?" for more detailed information
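As an added example (not part of any post in this thread, and not Microsoft tooling): a small Python parser that reads netdiag output in the shape quoted above, rejoins the lines the console wrapped mid-word, and lists each failed test with its [FATAL] and [WARNING] messages. The function names, the `THREAD_LEADS` table and the wrap heuristic are assumptions made for this example; the sample input is an excerpt of the client output quoted above.

```python
import re

# Excerpt of the client-side netdiag output quoted in this thread: leading
# whitespace is already stripped and console-wrapped lines are left split.
SAMPLE = """\
DNS test . . . . . . . . . . . . . : Passed
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to chouse-svr01.churchhouse.local (192.168.0.1)
. [ERROR_INTERNAL_ERROR]
Trust relationship test. . . . . . : Passed
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for krbtgt/churchhouse.local.
[FATAL] Kerberos does not have a ticket for host/CHWS-15.churchhouse.loc
al.
LDAP test. . . . . . . . . . . . . : Failed
[FATAL] Cannot do Negotiate authenticated ldap_bind to 'chouse-svr01.churchh
ouse.local': Local Error.
[WARNING] Failed to query SPN registration on DC 'chouse-svr01.churchhouse.l
ocal'.
[FATAL] No LDAP servers work in the domain 'CHURCHHOUSE'.
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
"""

# A result line: "<test name> . . . : Passed|Failed|Skipped"
RESULT = re.compile(r"^(?P<name>.+?)[\s.]*:\s*(?P<status>Passed|Failed|Skipped)$")
# A diagnostic line: "[FATAL] text" or "[WARNING] text"
TAGGED = re.compile(r"^\[(?P<level>FATAL|WARNING)\]\s*(?P<text>.*)$")

# Follow-up checks that participants in this thread proposed for a failure.
# They are leads to verify, not confirmed causes (hypothetical table).
THREAD_LEADS = {
    "Kerberos test": [
        "compare the client and DC clocks",
        "reset the machine account password with netdom, or rejoin the domain",
        "look for a software firewall on the client or the server",
    ],
    "DC list test": [
        "check the RPC endpoint mapper on the DC",
        "watch the client and DC event logs while netdiag runs",
    ],
}


def parse_netdiag(report):
    """Return one dict per test result, with its tagged messages attached."""
    tests = []
    open_msg = None  # last tagged message, which may continue on the next line
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = RESULT.match(line)
        if match:
            tests.append({"name": match["name"], "status": match["status"],
                          "messages": []})
            open_msg = None
            continue
        match = TAGGED.match(line)
        if match:
            if tests:
                open_msg = {"level": match["level"], "text": match["text"]}
                tests[-1]["messages"].append(open_msg)
            continue
        # Heuristic (assumption): an untagged line that follows a message not
        # yet ending in "." is the wrapped remainder of that message. The wrap
        # splits mid-word, so the pieces are joined without a space.
        if open_msg is not None and not open_msg["text"].endswith("."):
            open_msg["text"] += line
        else:
            open_msg = None
    return tests


def triage(report):
    """List failed tests with their messages and the leads raised in the thread."""
    findings = []
    for test in parse_netdiag(report):
        if test["status"] != "Failed":
            continue
        by_level = {"FATAL": [], "WARNING": []}
        for msg in test["messages"]:
            by_level[msg["level"]].append(msg["text"])
        findings.append({"test": test["name"], "fatal": by_level["FATAL"],
                         "warnings": by_level["WARNING"],
                         "leads": THREAD_LEADS.get(test["name"], [])})
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE):
        print(item["test"])
        for text in item["fatal"]:
            print("  FATAL   ", text)
        for text in item["warnings"]:
            print("  WARNING ", text)
        for lead in item["leads"]:
            print("  lead    ", lead)
```
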
Check the times on the DC and the client. Kerberos isn't very tolerant of clock skew. The DCs indicate that they are time servers, but it's an easy check to ensure the client agrees.
ASKER
Time is consistent within 2 or three seconds between client and server.
The client will fail.
2-3 seconds should be adequate unless you've changed the skew tolerance. But it is a large difference for machines within a domain, which tends to indicate other connectivity problems with the DC.
The DC list test failure indicates that the problem has to do with the RPC endpoint mapper on the DC. Check the event logs for error messages as you're running the netdiag on the client.
The DC netdiag is passing which is correct but the client is failing because those tests can't be run on a client. So, I don't see any issues.
I believe the DC List Test should work from a client that's a member of the domain. It simply tries to get a list of domain controllers in the domain from the directory service. I won't have access to a domain environment to validate this for a couple of days, but I did go over the support page again for Netdiag and don't see anything that should preclude the test from running on a Windows client, unless I've missed something. If I haven't missed something, there should be an error in the event logs (check the server and client).
Your client computer lost its computer password. I believe you will have to use netdom to reinitiate the computer password in order to get a Kerberos ticket for it.
http://support.microsoft.com/kb/260575
An easier way to do this is to just rejoin the domain with the client computer.
Also, another thing that can cause this issue is a software firewall. Some software firewalls will block Kerberos from granting a ticket to the client machine. Check to see if you have a software firewall on client or server. I think Windows firewall will do just that.
Some of the newer viruses will shut down services on your DC as well as infect client computers without user interaction needed to spread the virus. One is called Conficker. What virus did you have on the server that you found?
ASKER
The engineer who removed the viruses does not believe that Conficker was one of them.
However, I have removed the client from the domain and reattached it (even changing its name on the second attempt) without a resolution.
I had already removed Windows Firewall and Symantec EPP firewall software from the client when the problems were first discovered.
I am wondering if Active Directory can be corrupted by viruses and cause this, forcing me to build a new installation of the Domain and recreating Computer and User accounts.
Also, as another drastic solution, whether to build a new DC and remove the existing DC from the domain. The premise for this is that the DC may have a corruption in Windows that is causing the problems.
Again the netdiag will fail on the client because it isn't a DC.
Fair enough.
It's curious that the domain/test account fails to authenticate when used to log in a user, but succeeds when used as the credentials to map a drive, both from the same machine. Since the domain/another account can be used to log in, it would appear the machine's credentials are OK, and that connectivity to the DC isn't a problem. Are there any unusual events reported in the client and DC event logs after the domain/test login fails?
ASKER
Client repeatedly gets in the Application Log:
EventID: 1053
Windows cannot determine the user or computer name. (An internal error occurred. ). Group Policy processing aborted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
....and more occasionally....
Event ID: 15
Automatic certificate enrollment for local system failed to contact the active directory (0x80072095). A directory service error has occurred.
Enrollment will not be performed.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
..... And in the system Log .....
Event ID: 40961
The Security System could not establish a secured connection with the server LDAP/chouse-svr01.churchhouse.local/churchhouse.local. No authentication protocol was available.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Can you ping the domain name? Can you ping the DC and DNS server?
dariusq:
When I see these errors, I usually think a multihomed DC. Both errors can pop up during a multihomed DC.
ASKER
I can ping both the DC and the domain successfully and it returns the correct IP address.
When you mean Multi-homed, ChiefIT, you mean a server with multiple IP addresses? The DC is the only DC and it only has one IP address.
Windows IP Configuration
Host Name . . . . . . . . . . . . : chouse-svr01
Primary Dns Suffix . . . . . . . : churchhouse.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : churchhouse.local
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC
Physical Address. . . . . . . . . : 00-16-E6-4A-63-5E
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.2
DNS Servers . . . . . . . . . . . : 192.168.0.1
From the client:
ping.exe churchhouse.local
Pinging churchhouse.local [192.168.0.1] with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
ping.exe chouse-svr01
Pinging chouse-svr01.churchhouse.local [192.168.0.1] with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
ASKER
Network configuration:
One DC which is DNS/DHCP server as well
One Database server (was a DC two years ago but was removed from this role.)
30 Client XP PCs
I agree Chief, but I don't see that second NIC in this issue. The problem is only occurring on one client as well.
west-com,
Have you tried replacing the NIC on the client?
In addition to changing the NIC, there have been some reports of auto-negotiation problems (i.e. setting to 10FD on a 100FD network) causing Kerberos authentication problems. While you might want to check this as well, it unfortunately doesn't explain the symptoms described in the post, in which the second attempt to map a drive as domain/test works.
Can you verify this sequence as I understand it
1. Create new account domain\test
2. Log in as domain\test - fails
3. Log in as domain\another - success
4. Map \\server\netlogon as domain\test - fails
5. Map \\server\netlogon as domain\another - success
6. Drop mapping
7. Map \\server\netlogon as domain\test - success
Steps 2-7 are executed from the same machine in sequence.
In short, the domain\test account works for mapping \\server\netlogon, but only the second attempt after mapping it using the domain\another account.
Is this correct?
ASKER
1. Create new account domain\test
2. Log in as domain\test - partial success (therefore accepting password)
3. Will not run login script and therefore Map \\server\netlogon as domain\test - fails
4. Map \\server\netlogon as domain\test - fails
5. Map \\server\netlogon as domain\another - success
6. Drop mapping - net use * /d
7. Map \\server\netlogon as domain\test - success
It does not seem to matter what account I use, the sequence is the same.
ASKER
Just retested this... and Hummm.... no fault found!!!
Why has this fault just gone away????
churchhouse.local and chouse-svr01 are the same computer? You just pinged it with two different netbios names and got the same IP address. You have a records conflict or two nodes on the same IP.
Did you rename this server?
Made a mistake in the above comment. You pinged by two DNS names and got the same IP address. Go to the client machine and clear your Netbios cache by typing IPconfig /flushDNS at the command prompt. Then, clear out your HOST file of all names referencing that IP.
Also go to the command prompt and type NBTSTAT -a 192.168.0.1 to see if you have two nodes on the same IP address. If so, your event logs should have warned you about two nodes conflicting with the IP.
192.168.0.1 is the default IP for some mass storage devices and routers. So, be wary of that if you bring a router or mass storage device into the domain.
ASKER
Ok.
churchhouse.local is the domain name and chouse-svr01 the Domain Controller.
My understanding of DNS is that if you ping the Domain Name, one of the DCs (in my case I only have one) will respond.
Below is the NBTSTAT results.
I don't think I have any other device connected with this IP address
C:\>NBTSTAT -a 192.168.0.1
Local Area Connection 3:
Node IpAddress: [192.168.0.1] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
CHOUSE-SVR01 <00> UNIQUE Registered
CHURCHHOUSE <00> GROUP Registered
CHURCHHOUSE <1C> GROUP Registered
CHOUSE-SVR01 <20> UNIQUE Registered
CHURCHHOUSE <1B> UNIQUE Registered
CHURCHHOUSE <1E> GROUP Registered
CHURCHHOUSE <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
MAC Address = 00-16-E6-4A-63-5E
ASKER CERTIFIED SOLUTION
ASKER
I still am not sure why the problem went away, but am not sure anyone will be able to diagnose that now.
All clients and servers should be pointing to your internal DNS servers. You set DNS forwarding up for external DNS resolution.
Remove 192.168.0.1 and put the internal DNS server.