David Blair
asked on
Active Directory Problem - Member server not able to 'see' a user
This all came to light when I tried to add a user to our BlackBerry Enterprise Server that just happens to be on this box. The RIM support tech and I quickly determined the problem was AD related.
In ADSI Edit on a member server, a user (CN=Jane Smith) appears as a text file icon rather than the folder icon you would expect to see. There is also an empty space in the Class column where you would expect to see 'user'. There is no response when I right-click and choose properties.
I cannot resolve the user when I try to add them to the security pane of a local directory. Here's the strange thing though... The changes stick if I go in from another machine via the administrative share and add the user from another PC that actually CAN query the DC properly. Odd!
Both servers are 2K3. The DC is R1 and the member server is R2.
This is the only user out of a domain of well over one hundred that has this problem.
Everything appears as it should in ADSI Edit on the domain controllers and all other member servers.
What is the cause of this unusual condition and how do I correct it?
DET-VD01-ADSIEDIT.jpg
Can you post any event log errors? Run netdiag and dcdiag, then post those here. Check replmon and repadmin for errors. Does this affect anyone else?
ASKER
Event logs on both boxes are surprisingly clean. Netdiag and dcdiag are posted below. Replmon reports no errors. Can you please be more specific on what you are looking for with repadmin? I'm not terribly familiar with that tool. Thanks! Dave
----------- BEGIN NETDIAG RESULTS -----------
Computer Name: MEMBERSERVER
DNS Host Name: MEMBERSERVER.DOMAIN.local
System info : Microsoft Windows Server 2003 R2 (Build 3790)
Processor : x86 Family 15 Model 2 Stepping 5, GenuineIntel
List of installed hotfixes :
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : MEMBERSERVER.DOMAIN.local
IP Address . . . . . . . . : 172.20.2.5
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 172.20.2.254
Primary WINS Server. . . . : 172.20.2.2
Secondary WINS Server. . . : 172.20.1.2
Dns Servers. . . . . . . . : 172.20.2.2
172.20.2.1
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
WINS service test. . . . . : Passed
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{1D1F5F38-C018-4A7F-9A22-6903934E9D77}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{1D1F5F38-C018-4A7F-9A22-6903934E9D77}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{1D1F5F38-C018-4A7F-9A22-6903934E9D77}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Passed
Secure channel for domain 'SCSP' is to '\\DOMAINCONTROLLER.DOMAIN.local'.
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully
----------- END NETDIAG RESULTS -----------
----------- BEGIN DCDIAG RESULTS -----------
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: DET\DOMAINCONTROLLER
Starting test: Connectivity
......................... DOMAINCONTROLLER passed test Connectivity
Doing primary tests
Testing server: DET\DOMAINCONTROLLER
Starting test: Replications
......................... DOMAINCONTROLLER passed test Replications
Starting test: NCSecDesc
......................... DOMAINCONTROLLER passed test NCSecDesc
Starting test: NetLogons
......................... DOMAINCONTROLLER passed test NetLogons
Starting test: Advertising
......................... DOMAINCONTROLLER passed test Advertising
Starting test: KnowsOfRoleHolders
......................... DOMAINCONTROLLER passed test KnowsOfRoleHolders
Starting test: RidManager
......................... DOMAINCONTROLLER passed test RidManager
Starting test: MachineAccount
......................... DOMAINCONTROLLER passed test MachineAccount
Starting test: Services
......................... DOMAINCONTROLLER passed test Services
Starting test: ObjectsReplicated
......................... DOMAINCONTROLLER passed test ObjectsReplicated
Starting test: frssysvol
......................... DOMAINCONTROLLER passed test frssysvol
Starting test: frsevent
......................... DOMAINCONTROLLER passed test frsevent
Starting test: kccevent
......................... DOMAINCONTROLLER passed test kccevent
Starting test: systemlog
......................... DOMAINCONTROLLER passed test systemlog
Starting test: VerifyReferences
......................... DOMAINCONTROLLER passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : DOMAIN
Starting test: CrossRefValidation
......................... DOMAIN passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DOMAIN passed test CheckSDRefDom
Running enterprise tests on : DOMAIN.local
Starting test: Intersite
......................... DOMAIN.local passed test Intersite
Starting test: FsmoCheck
......................... DOMAIN.local passed test FsmoCheck
----------- END DCDIAG RESULTS -----------
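Added example, not part of the original thread: a short Python triage for pasted netdiag/dcdiag text like the output above, listing every result that is not a plain pass, including passes that carry a bracketed note. The sample lines are constructed in the shape of the posted output, and the names `parse`, `needs_review` and `SAMPLE` are hypothetical.

```python
import re

# Constructed sample, in the shape of the netdiag and dcdiag output posted above.
SAMPLE = """\
Netcard queries test . . . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Starting test: Replications
......................... DOMAINCONTROLLER passed test Replications
Starting test: FsmoCheck
......................... DOMAIN.local passed test FsmoCheck
"""

# netdiag: "<name> test . . . : Passed|Skipped" ("Failed" is not shown in the thread).
NETDIAG = re.compile(r"^\s*(?P<test>.+? test)[ .]*:\s*(?P<result>Passed|Failed|Skipped)\s*$")
# dcdiag: "....... <target> passed test <name>" ("failed" is not shown in the thread).
DCDIAG = re.compile(r"^\s*\.+\s*(?P<target>\S+) (?P<result>passed|failed) test (?P<test>\S+)\s*$")
# Bracketed notes such as [WARNING] belong to the test result printed just before them.
NOTE = re.compile(r"^\s*\[(?P<level>[A-Z]+)\]\s*(?P<msg>.+)$")


def parse(text):
    """Return one record per test result, with any bracketed notes attached."""
    results = []
    for line in text.splitlines():
        m = NETDIAG.match(line) or DCDIAG.match(line)
        if m:
            results.append({
                "test": m["test"],
                "target": m.groupdict().get("target"),  # None for netdiag lines
                "result": m["result"].capitalize(),
                "notes": [],
            })
            continue
        n = NOTE.match(line)
        if n and results:
            results[-1]["notes"].append((n["level"], n["msg"]))
    return results


def needs_review(results):
    """Anything that is not a plain pass: failures, skips, or passes carrying notes."""
    return [r for r in results if r["result"] != "Passed" or r["notes"]]


if __name__ == "__main__":
    for r in needs_review(parse(SAMPLE)):
        print(r["result"], r["test"], [lvl for lvl, _ in r["notes"]])
```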
Well, that's a good sign that it passed those tests, at least, nothing glaring. You can run from support tools:
repadmin /replsummary
To see if it has been replicating between the two properly.
If you add a user, does it get sync'd over to the other server? And netdiag and dcdiag come up clean for both servers?
ASKER
Repadmin is clean with no errors on either side.
Adding a new user works fine and everything carries over to the member server. This is the only server and the only user I've *ever* seen this issue with. Netdiag is clean on both servers.
Of course, this is about the last candidate for a user rebuild in AD - it's an executive with two computers, remote access, and a whole lot of other stuff. Hmm... I know I'm not helping...
Hmmm!
How was the user created?
I'm also inclined to look at replication of that object - you mention running adsiedit on the server that's unable to resolve the user, but ADSIedit uses DNS to connect to a DC. If you manually connect to the domain context on the second DC - does the user appear differently?
How does the user appear in the AD Users and Computers console?
ASKER
The second server is NOT a domain controller - it's just a regular server on the domain. There are three other domain controllers in the domain but they are at three remote offices. Just FYI in case we need to use them for testing.
OK... I ran dsa.msc and I've honestly never seen this before so I posted another screenshot. I added the user years ago just like any other user via AD Users and Computers.
Thanks Mike!
untitled.jpg
ASKER
Manually connect to the domain context?? I feel like a n00b.
If you run ADSI Edit and right click -> connect to -> Domain context -> Manually specify DC
See if the same user appears the same way on all DCs. Is this a recent problem? You could consider an authoritative restore of that user.
ASKER
User appears the same on all DCs when viewed using ADSI Edit on the problem server. Everything looks fine from the DC perspective or any other server on the network. Dying to know why it's just the one server. I rebooted the problem box today because the office is closed - no change. Dave