Los22 asked:

Users keep losing their authentication & network drives.

I have an office with about 40 users onsite and another 10 that are remote via Citrix. It seems my users, at random times of the day, will lose their authentication on the network. They will lose access to a network drive and get a logon failure message. They will of course lose network printers that go through that same server.

If they try to connect using \\server\vol  or \\server.domain.com\vol  it will error out but if I try \\x.x.x.x\vol  then it works. The clients are XP Pro and the servers are 2003.

I have been out of the SysAdmin role for years, having been doing networking so my AD & other M$ services are really rusty. I'm just now getting back into it and I have not been able to resolve this issue. I'd appreciate any help on this.

Thank You

amichaell:

1. Does this affect all users simultaneously or only a few?
2. When this occurs, can the users ping the server by hostname?  Can they ping any other devices on the network by hostname?  
3. Is your DC also your DNS?

mikainz (SOLUTION):
This solution is only available to members.

Los22 (ASKER):

amichael - 1. It seems to be affecting the users at random times throughout the day. Most of them leave their PCs locked over night and find they've lost access when they come back in the morning. 2. I can still do a ping using just the hostname. It seems to be resolving fine.  3. The DC is the DNS server as well.
mikainz - I'll check out that link. I've been reviewing the logs but nothing is catching my eye. I might be overlooking something though.

Sounds like a master browser conflict.

Check your Server's event logs for errors in the 8000's, like error 8021 and 8032. These errors are just symptoms of the real problem. So, we will have to troubleshoot for the real problem.

Los22 (ASKER):

Looked through the logs on both DCs and the last entries with any 8xxx event IDs were from 12/22/09. Nothing after that:

 Event Type: Error
Event Source: BROWSER
Event Category: None
Event ID: 8032
Date:  12/22/2009
Time:  7:34:49 PM
User:  N/A
Computer: MAIL01
Description:
The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{DEB6487C-B9AF-496C-B5E9-4948D3E98738}. The backup browser is stopping.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 40 00 00 00               @...

Any suspicious event log entries on the XP clients?

What about the guys shutting down their PCs, do they also have the issues in the morning?

Los22 (ASKER):

Got these:
----------------------------------------------------------
Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            1/4/2010
Time:            2:33:42 AM
User:            N/A
Computer:      ACCT1
Description:
The Security System could not establish a secured connection with the server ldap/mail01.domain.com/domain.com@domain.com.  No authentication protocol was available.
----------------------------------------------------------------

Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            1/5/2010
Time:            9:21:48 AM
User:            N/A
Computer:      ACCT1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/miafs1.domain.com.  This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DOMANI.COM), and the client realm.   Please contact your system administrator.

Did you find any similar entries in other client PCs?

Los22 (ASKER):

I'm seeing the kerberos errors in the other PCs. I'm going to start looking more into that.

SOLUTION
This solution is only available to members.

Los22 (ASKER):

Based on what I've been reading on the MS site regarding Kerberos, I've made adjustments to the configuration of the NTP server. I found some settings were incorrect compared to what Microsoft recommends. I'm making the changes and keeping an eye on my users. I've inherited this network from a previous admin so surprises like these keep me busy.   :-)

Intermittent DNS can cause this:

Go to the Server's command prompt and type:

Dcdiag /v

Make sure DNS tests are done.

Also on the server, this information would help:
IPconfig /all

Los22 (ASKER):

ChiefIT-

ipconfig shows the usual. Two interfaces. One is for the network and the 2nd one is being used for a DRobo disk array (iSCSI).

It passed all the portions of the dcdiag test, with the exception of the following below.
The DC01DR being referenced is a 2003 server that was offline for over 3 months. It was a DC they had and my understanding is that it's 'tombstoned'. I can shut it down if I need to.

-------------------------------------------------------
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x000016AD
            Time Generated: 01/05/2010   17:07:05
            Event String: The session setup from the computer DC01DR failed to authenticate. The following error occurred:

%%5
         An Error Event occured.  EventID: 0x0000165B
            Time Generated: 01/05/2010   17:17:10
            Event String: The session setup from computer 'DC01DR' failed

because the security database does not contain a trust account 'DC01DR$' referenced by the specified computer.  

USER ACTION  

If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. Otherwise, the following steps may be taken to resolve this problem:  

If 'DC01DR$' is a legitimate machine account for the computer 'DC01DR', then 'DC01DR' should be rejoined to the domain.  

If 'DC01DR$' is a legitimate interdomain trust account, then the trust should be recreated.  

Otherwise, assuming that 'DC01DR$' is not a legitimate account, the following action should be taken on 'DC01DR':  

If 'DC01DR' is a Domain Controller, then the trust associated with 'DC01DR$' should be deleted.

If 'DC01DR' is not a Domain Controller, it should be disjoined from the domain.
......................... MIAFS1 failed test systemlog

OK, I think I figured out the problem.

Were things working good for a long time and then all of a sudden, PROBLEMS?

ASKER CERTIFIED SOLUTION
This solution is only available to members.

Los22 (ASKER):

Yes, things were fine then these problems started to surface.
The DC01DR box is physically at a remote site and it's a VM box. I'll shut it down and then perform the other steps. I'm scheduled to fly up to the DR site soon so I can live with the box being down. The machines there can just talk to HQ.

Los22 (ASKER):

Update: After making sure the tombstoned DC was completely out of our configs then setting all NTP related settings according to Microsoft's recommendations, it looks like things are much more stable. I have not received any complaints all day.
I'll close this ticket out tomorrow if I have no further issues. Looks good so far. Thanks to you all for your assistance.

You can keep DC01 disconnected, then force demote this DC and repromote it back into the domain.

Let us know if you want to get this DC back on board as a DC.

Los22 (ASKER):

I had it powered off and all was well. I powered it on and I started to get calls within 30 minutes of people losing their network drives again. I tried to dcpromo the box to demote it and that was failing. Very annoying. It's offline now and the few that were hit have rebooted so they're ok now.

With DC01 not connected, go to the command prompt and type:

DCpromo /forceremoval

Los22 (ASKER):

Everything is good now. I greatly appreciate the assistance.

I'm having the same problem at our offices...can someone try to explain this in not so tech terms...I'm just a beginner.
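
Added example (not part of the original thread and not any poster's code): a small Python triage over event text in the format pasted above. It groups Kerberos event 4 (KRB_AP_ERR_MODIFIED) and LSASRV 40961 by the service they name, so a server that several clients fail against stands out, and it pulls the account name out of NETLOGON 5723, which dcdiag prints as 0x0000165B. The sample events and the host ACCT2 are constructed.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the events quoted in this thread (ACCT2 is made up).
SAMPLE = """\
Event Source: Kerberos
Event ID: 4
Computer: ACCT1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/miafs1.domain.com.  This indicates ...
----
Event Source: Kerberos
Event ID: 4
Computer: ACCT2
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/miafs1.domain.com.
----
Event Source: NETLOGON
Event ID: 5723
Computer: MIAFS1
Description:
The session setup from computer 'DC01DR' failed because the security database does not contain a trust account 'DC01DR$'.
"""

FIELD = re.compile(r"^\s*(Event Source|Event ID|Computer):\s*(\S+)", re.M)

def parse_events(text):
    """Split on dashed separator lines; return (source, id, computer, description) tuples."""
    events = []
    for chunk in re.split(r"^-{4,}\s*$", text, flags=re.M):
        f = dict(FIELD.findall(chunk))
        if "Event ID" in f:
            events.append((f.get("Event Source"), int(f["Event ID"]), f.get("Computer"),
                           chunk.split("Description:", 1)[-1].strip()))
    return events

def triage(events):
    """Group failures by the service they name, so a server-side cause stands out."""
    targets, missing = defaultdict(set), set()
    for source, eid, computer, desc in events:
        spn = re.search(r"(?:from|with) the server (\S+)", desc)
        if (source, eid) in {("Kerberos", 4), ("LSASRV", 40961)} and spn:
            targets[spn.group(1).rstrip(".")].add(computer)
        if eid == 5723:  # dcdiag prints this ID in hex as 0x0000165B
            missing.update(re.findall(r"trust account '([^']+)'", desc))
    shared = sorted(t for t, c in targets.items() if len(c) > 1)
    return {"targets": {t: sorted(c) for t, c in targets.items()},
            "seen_from_several_clients": shared, "missing_trust_accounts": sorted(missing)}

print(triage(parse_events(SAMPLE)))
```

A service name reported by several clients points at the server or its machine account rather than at one workstation, which matches what the event text itself says about the service ticket password.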