Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Active Directory Problem - Member server not able to 'see' a user

Posted on 2009-06-30
12
449 Views
Last Modified: 2012-06-27
This all came to light when I tried to add a user to our BlackBerry Enterprise Server that just happens to be on this box.  The RIM support tech and I quickly determined the problem was AD related.

In ADSI Edit on a member server, a user (CN=Jane Smith) appears as a text file icon rather than the folder icon you would expect to see.  There is also an empty space in the Class column where you would expect to see 'user'.  There is no response when I right-click and choose properties.

I cannot resolve the user when I try to add them to the security pane of a local directory.  Here's the strange thing though...  The changes stick if I go in from another machine via the administrative share and add the user from another PC that actually CAN query the DC properly.  Odd!

Both servers are 2K3.  The DC is R1 and the member server is R2.

This is the only user out of a domain of well over one hundred that has this problem.

Everything appears as it should in ADSI Edit on the domain controllers and all other member servers.

What is the cause of this unusual condition and how do I correct?
DET-VD01-ADSIEDIT.jpg
0
Comment
Question by:David Blair
  • 6
  • 2
  • 2
12 Comments
 
LVL 15

Expert Comment

by:tntmax
ID: 24769104
Can you post any event log errors? Run netdiag and dcdiag, then post those here. Check replmon and repadmin for errors. Does this affect anyone else?
0
 
LVL 1

Author Comment

by:David Blair
ID: 24774431
Event logs on both boxes are suprisingly clean.  Netdiag and dcdiag are posted below.  Replmon reports no errors.  Can you please be more specific on what you are looking for with repladmin?  I'm not terribly familiar with that tool.  Thanks!  Dave
----------- BEGIN NETDIAG RESULTS -----------
    Computer Name: MEMBERSERVER
    DNS Host Name: MEMBERSERVER.DOMAIN.local
    System info : Microsoft Windows Server 2003 R2 (Build 3790)
    Processor : x86 Family 15 Model 2 Stepping 5, GenuineIntel
    List of installed hotfixes : 
        KB921503
        KB923561
        KB924667-v2
        KB925398_WMP64
        KB925876
        KB925902
        KB926122
        KB927891
        KB929123
        KB930178
        KB931784
        KB932168
        KB933360
        KB933729
        KB933854
        KB935839
        KB935840
        KB936021
        KB936357
        KB936782
        KB938127
        KB938464
        KB939653
        KB941568
        KB941569
        KB941644
        KB941693
        KB942615
        KB942763
        KB942830
        KB942831
        KB942840
        KB943055
        KB943460
        KB943485
        KB944275
        KB944338
        KB944533
        KB944653
        KB945553
        KB946026
        KB947864
        KB948496
        KB948590
        KB948881
        KB950759
        KB950760
        KB950762
        KB950974
        KB951066
        KB951072-v2
        KB951698
        KB951748
        KB952004
        KB952068
        KB952069
        KB952954
        KB953838
        KB953839
        KB954211
        KB954550-v5
        KB954600
        KB955069
        KB955839
        KB956390
        KB956391
        KB956572
        KB956802
        KB956803
        KB956841
        KB957095
        KB957097
        KB958215
        KB958644
        KB958687
        KB958690
        KB959426
        KB960225
        KB960714
        KB960715
        KB960803
        KB961373
        KB961501
        KB963027
        KB969897
        KB969898
        KB970238
        KB970483
        Q147222
Netcard queries test . . . . . . . : Passed
 
Per interface results:
 
    Adapter : Local Area Connection
 
        Netcard queries test . . . : Passed
 
        Host Name. . . . . . . . . : MEMBERSERVER.DOMAIN.local
        IP Address . . . . . . . . : 172.20.2.5
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 172.20.2.254
        Primary WINS Server. . . . : 172.20.2.2
        Secondary WINS Server. . . : 172.20.1.2
        Dns Servers. . . . . . . . : 172.20.2.2
                                     172.20.2.1
 
        AutoConfiguration results. . . . . . : Passed
 
        Default gateway test . . . : Passed
 
        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
 
        WINS service test. . . . . : Passed
 
Global results:
 
Domain membership test . . . . . . : Passed
 
NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{1D1F5F38-C018-4A7F-9A22-6903934E9D77}
    1 NetBt transport currently configured.
 
Autonet address test . . . . . . . : Passed
 
 
IP loopback ping test. . . . . . . : Passed
 
 
Default gateway test . . . . . . . : Passed
 
 
NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
 
 
Winsock test . . . . . . . . . . . : Passed
 
 
DNS test . . . . . . . . . . . . . : Passed
 
 
Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{1D1F5F38-C018-4A7F-9A22-6903934E9D77}
    The redir is bound to 1 NetBt transport.
 
    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{1D1F5F38-C018-4A7F-9A22-6903934E9D77}
    The browser is bound to 1 NetBt transport.
 
 
DC discovery test. . . . . . . . . : Passed
 
 
DC list test . . . . . . . . . . . : Passed
 
 
Trust relationship test. . . . . . : Passed
    Secure channel for domain 'SCSP' is to '\\DOMAINCONTROLLER.DOMAIN.local'.
 
 
Kerberos test. . . . . . . . . . . : Passed
 
 
LDAP test. . . . . . . . . . . . . : Passed
 
 
Bindings test. . . . . . . . . . . : Passed
 
 
WAN configuration test . . . . . . : Skipped
    No active remote access connections.
 
 
Modem diagnostics test . . . . . . : Passed
 
IP Security test . . . . . . . . . : Skipped
 
    Note: run "netsh ipsec dynamic show /?" for more detailed information
 
The command completed successfully
 
----------- END NETDIAG RESULTS -----------
 
----------- BEGIN DCDIAG RESULTS -----------
 
 
Domain Controller Diagnosis
 
Performing initial setup:
   Done gathering initial info.
 
Doing initial required tests
   
   Testing server: DET\DOMAINCONTROLLER
      Starting test: Connectivity
         ......................... DOMAINCONTROLLER passed test Connectivity
 
Doing primary tests
   
   Testing server: DET\DOMAINCONTROLLER
      Starting test: Replications
         ......................... DOMAINCONTROLLER passed test Replications
      Starting test: NCSecDesc
         ......................... DOMAINCONTROLLER passed test NCSecDesc
      Starting test: NetLogons
         ......................... DOMAINCONTROLLER passed test NetLogons
      Starting test: Advertising
         ......................... DOMAINCONTROLLER passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... DOMAINCONTROLLER passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DOMAINCONTROLLER passed test RidManager
      Starting test: MachineAccount
         ......................... DOMAINCONTROLLER passed test MachineAccount
      Starting test: Services
         ......................... DOMAINCONTROLLER passed test Services
      Starting test: ObjectsReplicated
         ......................... DOMAINCONTROLLER passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DOMAINCONTROLLER passed test frssysvol
      Starting test: frsevent
         ......................... DOMAINCONTROLLER passed test frsevent
      Starting test: kccevent
         ......................... DOMAINCONTROLLER passed test kccevent
      Starting test: systemlog
         ......................... DOMAINCONTROLLER passed test systemlog
      Starting test: VerifyReferences
         ......................... DOMAINCONTROLLER passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : DOMAIN
      Starting test: CrossRefValidation
         ......................... DOMAIN passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DOMAIN passed test CheckSDRefDom
   
   Running enterprise tests on : DOMAIN.local
      Starting test: Intersite
         ......................... DOMAIN.local passed test Intersite
      Starting test: FsmoCheck
         ......................... DOMAIN.local passed test FsmoCheck
 
----------- END DCDIAG RESULTS -----------

Open in new window

0
 
LVL 15

Expert Comment

by:tntmax
ID: 24774456
Well, that's a good sign that it passed those tests, at least, nothing glaring. You can run from support tools:

repadmin /replsummary

To see if it has been replicating between the two properly.

If you add a user, does it get sync'd over to the other server? And netdiag and dcdiag comes up clean for both servers?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Author Comment

by:David Blair
ID: 24774479
Repladmin is clean with no errors on either side.

Adding a new user works fine and everything carries over to the member server.  This is the only server and the only user I've *ever* seen this issue with.  Netdiag is clean on both servers.

Of course, this is about the last cantidate for a user rebuild in AD - it's an executive with two computers, remote access, and a whole lot of other stuff.  Hmm...  I know I'm not helping...
0
 
LVL 4

Expert Comment

by:Mike_Courtney
ID: 24774490
Hmmm!

How was the user created?

I'm also inclined to look at replication of that object - you mention running adsiedit on the server that's unable to resolve the user, but ADSIedit uses DNS to connect to a DC. If you manually connect  to the domain context on the second DC - does the user appear differently?

How does the user appear in the AD users and computers console
0
 
LVL 1

Author Comment

by:David Blair
ID: 24774571
The second server is NOT a domain controller - it's a just a regular server on the domain.  There are three other domain controllers in the domain but they are at three remote offices.  Just FYI in case we need to use them for testing.

OK...  I ran dsa.msc and I've honestly never seen this before so I posted another screenshot.  I added the user years ago just like any other user via AD Users and Computers.

Thanks Mike!
untitled.jpg
0
 
LVL 1

Author Comment

by:David Blair
ID: 24774581
Manually connect to the domain context??  I feel like a n00b.
0
 
LVL 4

Expert Comment

by:Mike_Courtney
ID: 24774622
IF you run adsi edit and right click -> connect to -> Domain context -> Manually specify DC

See if the same user appears the same way on all DC's. Is this a recent problem. You could consider an authoritative restore of that user.
0
 
LVL 1

Author Comment

by:David Blair
ID: 24774895
User appears the same on all DCs when viewed using adsi edit on the problem server.  Everything looks fine from the DC perspective or any other server on the network.  Dying to know why its just the one server.  I rebooted the problem box today because the office is closed - no change.  Dave
0
 
LVL 1

Accepted Solution

by:
David Blair earned 0 total points
ID: 24859178
It was a user problem.  The user was denied in AD Users & Computers.  No idea how this happened and it took MS 7 days to figure out.  Hope this helps someone else with the same problem!
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question