Solved

Active Directory Problem - Member server not able to 'see' a user

Posted on 2009-06-30
Last Modified: 2012-06-27
This all came to light when I tried to add a user to our BlackBerry Enterprise Server that just happens to be on this box.  The RIM support tech and I quickly determined the problem was AD related.

In ADSI Edit on a member server, a user (CN=Jane Smith) appears as a text file icon rather than the folder icon you would expect to see.  There is also an empty space in the Class column where you would expect to see 'user'.  There is no response when I right-click and choose properties.

I cannot resolve the user when I try to add them to the security pane of a local directory.  Here's the strange thing though...  The changes stick if I go in from another machine via the administrative share and add the user from another PC that actually CAN query the DC properly.  Odd!

Both servers are 2K3.  The DC is R1 and the member server is R2.

This is the only user out of a domain of well over one hundred that has this problem.

Everything appears as it should in ADSI Edit on the domain controllers and all other member servers.

What is the cause of this unusual condition and how do I correct it?
DET-VD01-ADSIEDIT.jpg
0
Question by:David Blair
12 Comments
 
LVL 15

Expert Comment

by:tntmax
ID: 24769104
Can you post any event log errors? Run netdiag and dcdiag, then post those here. Check replmon and repadmin for errors. Does this affect anyone else?
0
 
LVL 1

Author Comment

by:David Blair
ID: 24774431
Event logs on both boxes are surprisingly clean.  Netdiag and dcdiag are posted below.  Replmon reports no errors.  Can you please be more specific on what you are looking for with repadmin?  I'm not terribly familiar with that tool.  Thanks!  Dave
----------- BEGIN NETDIAG RESULTS -----------

    Computer Name: MEMBERSERVER
    DNS Host Name: MEMBERSERVER.DOMAIN.local
    System info : Microsoft Windows Server 2003 R2 (Build 3790)
    Processor : x86 Family 15 Model 2 Stepping 5, GenuineIntel
    List of installed hotfixes : 

Netcard queries test . . . . . . . : Passed

Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : MEMBERSERVER.DOMAIN.local
        IP Address . . . . . . . . : 172.20.2.5
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 172.20.2.254
        Primary WINS Server. . . . : 172.20.2.2
        Secondary WINS Server. . . : 172.20.1.2
        Dns Servers. . . . . . . . : 172.20.2.2
                                     172.20.2.1

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Passed

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{1D1F5F38-C018-4A7F-9A22-6903934E9D77}
    1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed

Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{1D1F5F38-C018-4A7F-9A22-6903934E9D77}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{1D1F5F38-C018-4A7F-9A22-6903934E9D77}
    The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Passed
    Secure channel for domain 'SCSP' is to '\\DOMAINCONTROLLER.DOMAIN.local'.

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
    No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information

The command completed successfully

----------- END NETDIAG RESULTS -----------
 

----------- BEGIN DCDIAG RESULTS -----------

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: DET\DOMAINCONTROLLER
      Starting test: Connectivity
         ......................... DOMAINCONTROLLER passed test Connectivity

Doing primary tests

   Testing server: DET\DOMAINCONTROLLER
      Starting test: Replications
         ......................... DOMAINCONTROLLER passed test Replications
      Starting test: NCSecDesc
         ......................... DOMAINCONTROLLER passed test NCSecDesc
      Starting test: NetLogons
         ......................... DOMAINCONTROLLER passed test NetLogons
      Starting test: Advertising
         ......................... DOMAINCONTROLLER passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... DOMAINCONTROLLER passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DOMAINCONTROLLER passed test RidManager
      Starting test: MachineAccount
         ......................... DOMAINCONTROLLER passed test MachineAccount
      Starting test: Services
         ......................... DOMAINCONTROLLER passed test Services
      Starting test: ObjectsReplicated
         ......................... DOMAINCONTROLLER passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DOMAINCONTROLLER passed test frssysvol
      Starting test: frsevent
         ......................... DOMAINCONTROLLER passed test frsevent
      Starting test: kccevent
         ......................... DOMAINCONTROLLER passed test kccevent
      Starting test: systemlog
         ......................... DOMAINCONTROLLER passed test systemlog
      Starting test: VerifyReferences
         ......................... DOMAINCONTROLLER passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : DOMAIN
      Starting test: CrossRefValidation
         ......................... DOMAIN passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DOMAIN passed test CheckSDRefDom

   Running enterprise tests on : DOMAIN.local
      Starting test: Intersite
         ......................... DOMAIN.local passed test Intersite
      Starting test: FsmoCheck
         ......................... DOMAIN.local passed test FsmoCheck

----------- END DCDIAG RESULTS -----------


0
 
LVL 15

Expert Comment

by:tntmax
ID: 24774456
Well, that's a good sign that it passed those tests, at least, nothing glaring. You can run from support tools:

repadmin /replsummary

To see if it has been replicating between the two properly.

If you add a user, does it get sync'd over to the other server? And netdiag and dcdiag come up clean for both servers?
0
 
LVL 1

Author Comment

by:David Blair
ID: 24774479
Repadmin is clean with no errors on either side.

Adding a new user works fine and everything carries over to the member server.  This is the only server and the only user I've *ever* seen this issue with.  Netdiag is clean on both servers.

Of course, this is about the last candidate for a user rebuild in AD - it's an executive with two computers, remote access, and a whole lot of other stuff.  Hmm...  I know I'm not helping...
0
 
LVL 4

Expert Comment

by:Mike_Courtney
ID: 24774490
Hmmm!

How was the user created?

I'm also inclined to look at replication of that object - you mention running adsiedit on the server that's unable to resolve the user, but ADSIedit uses DNS to connect to a DC. If you manually connect  to the domain context on the second DC - does the user appear differently?

How does the user appear in the AD Users and Computers console?
0
 
LVL 1

Author Comment

by:David Blair
ID: 24774571
The second server is NOT a domain controller - it's just a regular server on the domain.  There are three other domain controllers in the domain but they are at three remote offices.  Just FYI in case we need to use them for testing.

OK...  I ran dsa.msc and I've honestly never seen this before so I posted another screenshot.  I added the user years ago just like any other user via AD Users and Computers.

Thanks Mike!
untitled.jpg
0
 
LVL 1

Author Comment

by:David Blair
ID: 24774581
Manually connect to the domain context??  I feel like a n00b.
0
 
LVL 4

Expert Comment

by:Mike_Courtney
ID: 24774622
If you run adsi edit and right click -> connect to -> Domain context -> Manually specify DC

See if the same user appears the same way on all DCs. Is this a recent problem? You could consider an authoritative restore of that user.
0
 
LVL 1

Author Comment

by:David Blair
ID: 24774895
User appears the same on all DCs when viewed using adsi edit on the problem server.  Everything looks fine from the DC perspective or any other server on the network.  Dying to know why it's just the one server.  I rebooted the problem box today because the office is closed - no change.  Dave
0
 
LVL 1

Accepted Solution

by:
David Blair earned 0 total points
ID: 24859178
It was a user problem.  The user was denied in AD Users & Computers.  No idea how this happened and it took MS 7 days to figure out.  Hope this helps someone else with the same problem!
0
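
The accepted answer does not say where the deny was set. As an added example (not part of the original thread), the PowerShell below lists Deny entries in the user object's ACL that take away read access, assuming "denied" refers to a Deny entry on the object's Security tab. The distinguished name and server name are placeholders, since the thread gives only CN=Jane Smith.

```powershell
# Added example: list Deny ACEs on one AD user object that remove read access.
# Run it from a machine and account that CAN see the object (e.g. on a DC).
# $UserDn and $Server are placeholders; the thread gives only CN=Jane Smith.
param(
    [string]$UserDn = 'CN=Jane Smith,CN=Users,DC=DOMAIN,DC=local',
    [string]$Server = 'DOMAINCONTROLLER.DOMAIN.local'
)

Add-Type -AssemblyName System.DirectoryServices

$R = [System.DirectoryServices.ActiveDirectoryRights]
# Rights a client needs to list the object and read its objectClass.
# GenericRead and GenericAll contain these bits, so one mask covers them too.
$readMask = [int]$R::ReadProperty -bor [int]$R::ListChildren -bor
            [int]$R::ListObject -bor [int]$R::ReadControl

$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$UserDn")

# Arguments: include explicit ACEs, include inherited ACEs, trustee name format.
$rules = $entry.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])

$findings = foreach ($ace in $rules) {
    if ($ace.AccessControlType -ne 'Deny') { continue }
    # Skip denies that do not touch read access, such as the
    # "User cannot change password" extended-right deny.
    if (([int]$ace.ActiveDirectoryRights -band $readMask) -eq 0) { continue }
    New-Object PSObject -Property @{
        Trustee    = $ace.IdentityReference.Value
        Rights     = $ace.ActiveDirectoryRights
        Inherited  = $ace.IsInherited
        ObjectType = $ace.ObjectType   # all-zero GUID: applies to the whole object
    }
}

if ($findings) {
    $findings | Format-Table Trustee, Rights, Inherited, ObjectType -AutoSize
} else {
    "No Deny ACE on $UserDn removes read access."
}
```

Compare each Trustee against the group memberships of the account in use on the affected server: a Deny entry outranks any Allow at the same inheritance level, which is consistent with the object showing a blank Class from one place while looking normal from others.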
