• Status: Solved
  • Priority: Medium

Userenv 1054, DnsApi 11197 and Dhcp 1003 event viewer logs

I'm having a large number of my clients (60%) being affected by similar event log errors.  Mainly I'm receiving DnsApi 11197, Dhcp 1003, Userenv 1054 and w32time and netlogon 5719 on other machines.  I have a variety of different desktop models all being affected.  I'm not sure where to start on this issue, but here are some of the event viewer logs.

All clients are running Windows XP with SP3.  Servers are all Windows 2003.  I have tried flushing the DNS, removing/adding machines to the domain and neither seemed to do anything.

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1054
Date:            12/27/2009
Time:            10:45:33 PM
User:            NT AUTHORITY\SYSTEM
Computer:      TINWKJLYNC
Description:
Windows cannot obtain the domain controller name for your computer network. (A socket operation was attempted to an unreachable host. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Warning
Event Source:      DnsApi
Event Category:      None
Event ID:      11197
Date:            12/28/2009
Time:            10:34:52 AM
User:            N/A
Computer:      TINWKJLYNC
Description:

The system failed to update and remove host (A) resource records (RRs) for network adapter
with settings:

   Adapter Name : {013B790B-BFE3-4B21-A1A9-139D1E98E95C}
   Host Name : TINWKJLYNC
   Primary Domain Suffix : CELTICCHICAGO.LOCAL
   DNS server list :
           10.8.2.15, 10.8.2.10
   Sent update to server : 10.1.1.1
   IP Address(es) :
     10.8.7.23

 The reason the update request failed was because of a system problem. For specific error code, see the record data displayed below.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 51 27 00 00               Q'..    

Event Type:      Warning
Event Source:      Dhcp
Event Category:      None
Event ID:      1003
Date:            12/28/2009
Time:            4:36:48 AM
User:            N/A
Computer:      TINWKJLYNC
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 002481CC2525.  The following error occurred:
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: c7 04 00 00               Ç...    
Asked by: jmtoman
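As an added example (not part of the original thread), the Python sketch below parses event text like that pasted in the question: it decodes the `Data:` bytes as a little-endian DWORD error code and checks whether the server a DnsApi 11197 update was sent to appears in the adapter's DNS server list. The function names and the trimmed sample are constructed for illustration, and the code-to-name table covers only the two codes that occur in this thread.

```python
import re
import struct

# Win32 / Winsock codes seen in this thread's events (names from winerror.h).
KNOWN_CODES = {
    10065: "WSAEHOSTUNREACH",   # socket operation attempted to an unreachable host
    1223: "ERROR_CANCELLED",    # operation was canceled by the user
}

# Constructed sample: trimmed copy of the DnsApi 11197 event quoted in the question.
SAMPLE_EVENT = """\
Event Source:      DnsApi
Event ID:      11197
   DNS server list :
           10.8.2.15, 10.8.2.10
   Sent update to server : 10.1.1.1
   IP Address(es) :
     10.8.7.23
Data:
0000: 51 27 00 00               Q'..
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def decode_event_data(text):
    """Return the first DWORD of the event's Data section as (code, name)."""
    m = re.search(r"^0000:((?:\s[0-9a-fA-F]{2}){4})", text, re.MULTILINE)
    if not m:
        return None
    raw = bytes.fromhex(m.group(1).replace(" ", ""))
    (code,) = struct.unpack("<I", raw)          # record data is little-endian
    return code, KNOWN_CODES.get(code, "unknown")

def update_target_check(text):
    """Compare 'Sent update to server' with the adapter's DNS server list."""
    lst = re.search(r"DNS server list\s*:\s*((?:%s[,\s]*)+)" % IPV4, text)
    sent = re.search(r"Sent update to server\s*:\s*(%s)" % IPV4, text)
    if not (lst and sent):
        return None
    configured = re.findall(IPV4, lst.group(1))
    return {"target": sent.group(1), "configured": configured,
            "target_is_configured": sent.group(1) in configured}

if __name__ == "__main__":
    print(decode_event_data(SAMPLE_EVENT))
    print(update_target_check(SAMPLE_EVENT))
```

On the events in the question, the decoded codes are 10065 and 1223, which agree with the error text in the Userenv 1054 and Dhcp 1003 descriptions. The 11197 update target 10.1.1.1 is not one of the listed DNS servers 10.8.2.15 and 10.8.2.10.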
3 Solutions
 
ChiefIT commented:
Update your servers to Windows SP2.

jmtoman (Author) commented:
All DCs and member servers are updated to SP2 and are pretty close to being completely up to date.

ChiefIT commented:
What does IPconfig /all on the server look like? It appears to be a multihomed DC.
jmtoman (Author) commented:
Windows IP Configuration

   Host Name . . . . . . . . . . . . : TINDC1
   Primary Dns Suffix  . . . . . . . : CELTICCHICAGO.LOCAL
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : CELTICCHICAGO.LOCAL

Ethernet adapter Team 1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : BASP Virtual Adapter
   Physical Address. . . . . . . . . : 00-1E-C9-E9-2B-C8
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.8.2.15
   Subnet Mask . . . . . . . . . . . : 255.248.0.0
   Default Gateway . . . . . . . . . : 10.8.1.1
   DNS Servers . . . . . . . . . . . : 10.8.2.15
   Primary WINS Server . . . . . . . : 10.8.2.15

It is not multihomed, but does have two nics running in a team.

Donald Stewart (Network Administrator) commented:

ChiefIT commented:
Well, there's nothing wrong with that.

You're having problems with DHCP and DNS. There are a few firewalls that can block both. ISA is one of them. What about your software firewalls?

jmtoman (Author) commented:
@ChiefIT:

Windows firewall turned off on all machines (servers included).  All workstations are on the same segment as all my servers.  As far as software, I only run Kaspersky AV on my workstations and Endpoint on my servers.

@dstewartjr:

I've verified no duplicate ptr/a records and verified permissions for workstations in question.  I've also turned off STP on my only managed switch temporarily to see if it helps at all.

Donald Stewart (Network Administrator) commented:
Did you look into this?
 
http://support.microsoft.com/kb/282001 

jmtoman (Author) commented:
I'm not getting those error messages in the event log on my DC

ChiefIT commented:
As dstewartjr points out:

Event ID leads to some things that I was going to explore with you, next. It leads to a rogue DHCP server, and a switch configuration. I see that you are on a class A network. So, disabling Spanning tree on your switches may lead to a Broadcast flood. However, if you configure your server port to be an Access port instead of a trunk port, spanning tree should be disabled for that port, not switch wide. So, be extremely careful with Spanning tree algorithm on a class A network. By disabling it, you could potentially knock down the entire LAN with a simple ping and maybe part of your WAN, depending upon where you are at in the WAN and who routes through you.  

A rogue DHCP server is certainly an option. A rogue DHCP server will drop DHCP services on your Windows server. That could cause problems with your clients registering the Host A records. Rogue DHCP servers are usually 100% of the time a router or mass storage device, like a NAS server. I think the least invasive of the two is to check for a rogue DHCP server. 2003 server has a utility just for this:
Go to the command prompt and type DHCPloc.exe to determine what IP is providing DHCPACK (acknowledgements) to a DHCPREQ (request).


ChiefIT commented:
Oops my mistake:

instead of a DHCPACK, it should be a DHCPOFFER where the DHCP server is offering an IP address.

Donald Stewart (Network Administrator) commented:

jmtoman (Author) commented:
DHCP locate found only my DC/DHCP server (10.8.2.15) so I think we are good on rogue DHCP servers.  As far as the switches go, I have 3 switches, 1 unmanaged, and 2 managed (I originally said 1).  All of my servers are connected to my unmanaged.  I'll turn back STP on my managed switches to avoid any issues.  

ChiefIT commented:
Ok, let's explain Spanning tree and portfast.

Spanning tree was designed to prevent L2 loops. So, if you connect two switches together with two separate network cables, then those ports need spanning tree, because it will block one of the two connections.

Since your computers and printers are supposed to be ACCESS ports, spanning tree shouldn't apply to those ports at all. Spanning tree algorithm is used for Trunk ports, not access ports. However, I found that in some switches the ACCESS ports actually have spanning tree enabled. The problem is that spanning tree uses a 45 second (three 15 second intervals) hold before permitting packets to forward on. For any machine that is newer than 2000, that machine will time out intermittently. This means you will suffer intermittent communications on those machines, or no communications at all.

Portfast is the opposite of spanning tree. Portfast skips the hold and goes straight to forwarding the packets.

I have an article that explains the spanning tree algorithm and portfast.
http://tcpmag.com/qanda/article.asp?editorialsid=277
or
http://llnw.experts-exchange.com/Networking/Misc/Q_21600174.html

This is Microsoft's thread that explains this issue:
http://support.microsoft.com/kb/247922

And this is an example of what I have seen before:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23161136.html


One last thing:
I have also seen these issues on an Imaged machine:
http://www.experts-exchange.com/Networking/Windows_Networking/NT/Q_21818378.html

jmtoman (Author) commented:
@ChiefIT

Thanks for all the articles + explanation.  It was very clean cut and straightforward.  I actually noticed while reading through logs that a majority of the errors were happening before the network card was totally initialized.  I updated the NIC drivers for 4 random machines with Broadcom cards and it appears to have fixed the issue.  I'll monitor them over the next couple of days to see if the errors return.

ChiefIT commented:
There is a group policy object that tells clients to wait until the nic is ready before authenticating:

http://www.experts-exchange.com/Networking/Windows_Networking/Q_23295492.html

This will probably help.

The errors are the result of trying to connect before the NIC was ready. This is why dstewartjr and I were running through a number of networking scenarios that block or disable communications.

Donald Stewart (Network Administrator) commented:
This seems to apply to your issue as well


http://support.microsoft.com/kb/326152

Awinish commented:
Yes, I was going to point to updating the NIC only; the issue is with old NIC drivers. The DHCP, DNS and Netlogon errors all point to network card drivers.
Enable aging and scavenging on your DNS server at the zone as well as the server level to clean up the stale records.
On the DHCP server, open the DHCP admin console, right-click the server name or zone, select always update host and pointer records, and configure credentials in DHCP by using a static domain admin account.
In the group policy applied at the domain level as well as on the DC, configure this:
Computer Configuration\Administrative Templates\System\Logon "Always wait for the network at computer startup and logon"
Enable the option in the GPO.
References:
http://support.microsoft.com/kb/816592
http://support.microsoft.com/kb/938449 
 

jmtoman (Author) commented:
I've updated NIC drivers on a couple of test machines and dropped them into an OU with the requested GPO changed.  I've enabled aging and scavenging and also designated DHCP credentials for the future.

It seems like now the errors are happening just slightly after the NIC card has been initialized.  I should point out that most normal operations are not affected and these errors are only occurring after the computer is turned on, or after it wakes up.

jmtoman (Author) commented:
Another update:  I removed/added one of my target machines from the domain, it didn't make any difference.  I then went and plugged this client directly into the switch that my domain controllers are plugged into, now the errors are gone.

Awinish commented:
So, it looks to be a problem with the switch, which is dropping the packets and resulting in the error.

jmtoman (Author) commented:
That would be my guess.  Which is odd because it seems to only be happening to certain clients and not all.  Either way I'm going to move as much stuff off that switch as possible and monitor for a day or two.

jmtoman (Author) commented:
Thanks for your help guys, now that I've determined it is switch related I'll open a new question to troubleshoot those devices.