Win2k3: "Windows could not determine the user or computer name"

That's one of the documents I was working from. It doesn't seem to have made any effect. DNS configuration looks good on the problem server's configuration and on our network's DNS. I don't really see what's different between the three functional servers and this one. It's getting very frustrating.

Are there any netlogon(event id 5719)
 or LSASRV events logged in the event viewer?

If yes follow the kb mentioned below and reboot it:
support.microsoft.com/kb/938449
support.microsoft.com/kb/244474

Arun: I found a 1058 in the event log, but it hasn't happened since June 2009. 1053 seems to pop up every few hours or so in the log.

himvy: Yep, I found 5719. The last one happened last night. When I follow the instructions on the first link you provided, I still get the 1053 but I now also get 2003 warning: The configuration information of performance library "C:\Windows\system32\perfts.dll" for the "TermService" service does not match the trusted performance library information stored in the registry. The functions in this library will not be treated as trusted.

After applying the changes in the second KB, the 1053 error still pops up after I reboot the machine.

Something else I noticed on this server's event log, under System... there's a LsaSrv warning that pops up:

Source: LSASRV
Type: Warning
Category: SPNEGO (Negotiator)
Event ID: 40960
Description: The Security System detected an authentication error for the server MSSQLSvc/SQLSERV.mydomain.com:1433. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request."


On a side note, I've verified that I can ping both the PDC and the SQL server that the above error message is complaining about.

Another observation I've made: I ran gpresult /scope computer on a working server, and again on the problem server. On the working server, it is a member of more security groups than the non-working server.

Working Server
-------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
SRV2$
Domain Computers


Problem Server
------------------
BUILTIN\Administrators
Everyone
NT AUTHORITY\Authenticated Users


Noticeable difference. Think that's got something to do with it?

If I could edit my post I would, but to add to my last one, I went into AD Users and Computers and took a look at the problem server. On its "Member Of" tab, it does show that it's in "Domain Computers" so I'm not sure why that at least isn't showing up on the gpresult.

Hi Elorc,

Did you follow the article I posted?

Thanks,

Arun.

Please make sure that this domain controller is syncing the time with primary domain controller currectly and time difference should not be greater than =/- 5 minutes.
If the DNS configuration is right as you have mentioned and you have applied the fixes involved in the kb I mentioned earlier.Please verify the time settings and the issues should get resolved.

Arun: Sorry, no. I mistakenly assumed that since I didn't see a 1058, that the article didn't apply. I just tried it now and unfortunately it too had no effect.

himvy: This server isn't functioning as a domain controller. It's actually just a Citrix server. The time on the server is the same as it is on the PDC. Although I have noticed W32Time showing up in the System event log under errors and warnings.

Source: W32Time
Type: Error
Category: None
Event ID: 29
Description: The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.

Source: W32Time
Type: Warning
Category: None
Event ID: 14
Description: The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 15 minutes.


I'm not really familiar with time synchronization. How would I fix this? I haven't seen this error/warning combination show up on any of the other servers.

If this was a domain controller and you disjoined it /rejoined it to the domain ,might have messed up its secure channel.If this is still a dc ,I would say if you have good system state backup ,restore it.

Let me know if it is a member server or a DC.

Go to

HKLM/SYSTEM/CCS/SERVICES/W32time/PARAMETERS/

The NTPServer --should be the Ip of the pdc followed by 0x1
 Type ----NT5DS

HKLM/SYSTEM/CCS/SERVICES/W32time/config
Announce flag --10 (decimal)

Make sure these settings are there.
-restart the time service.
-run
w32tm /resync /rediscover.

=If it is successfully completed ,the issue is resolved.

HI,
I would like to know where did you make the registry changes? On the server or the DC?
-----------------------------------------------------------------------------------------------------------------------------
If you have multiple DCs, you can use the ADM template in the following article to set this registry on all the DCs.
http://support.microsoft.com/kb/244474

And for MaxTokenSize, you can use the ADM in following article:
http://support.microsoft.com/kb/938118.
-----------------------------------------------------------------------------------------------------------------------------
You just said in your first post that you removed this machine from the domain and then rejoined it back. Did we have any roles being handled by this machine? Like DNS, DC or DHCP? Did you clean the DNS properly to remove its instances?
-----------------------------------------------------------------------------------------------------------------------------
The SPNEGO event is occuring due to the non-availability of the DCs.
And non-availability of DCs generally happens due to Name resolution issues. Please check which DNS server is this server pointing to? Go to that server and check for the site specific SRV records.
(_tcp). Also check if it had the GUID records of the DCs under _MSDCS folder.
-----------------------------------------------------------------------------------------------------------------------------
For correcting windows time issue, you can follwo the steps suggested by himvy but I doubt that id the server is not able to find any DC, it wont find the PDC as well (which is the authoritative time server in domain heirarchy). So we have to fix name resolution first in that case.

Regards,

Arun

I really appreciate all of your help with this, both of you have been a lot of help. I'm out of my office for now but I'll try your suggestions tomorrow and follow up with you.

himvy: The keys you referenced do exist. It was pointing to time.microsoft.com. After I ran that command, it's now pointing to one of my secondary domain controllers.

Arun: I made the changes to the problem server, not the PDC. Was that not correct? This server has no special roles. It just runs Citrix Presentation Server. DNS and DHCP are handled by our PDC. I have tried the flush DNS on the problem server (a few times).

This is really irritating because I have three servers functioning as domain controllers on my network. Every other server on my network can communicate fine with them. Clearly, this problem server can find them too (it found one of the secondary DC's when I resynched the time service). I'm still getting this damn 1053 error though.

Please run netdiag on the problem machine and any other userenv error from the event log .based on that we might be able help you much better.

Also the time server should be the PRIMARY DOMAIN CONTROLLER (PDC) not the secondary DC.

Weird. How would it have pointed to a secondary domain controller, then? I checked under AD Users and Computers, and Operations Masters shows that the PDC is set correctly. Our PDC is DCSRV1, yet the problem machine is pointing to DCSRV2 (one of the secondary controllers) for the time service.

The only userenv error I'm seeing in the event log is the 1053 error that occurs when the machine boots up. There is also still the 5719 netlogon error ("The computer was not able to set up a secure session with a domain controller in domain MYDOMAIN due to the following: There are currently no logon servers available to service the logon request.").

I ran netdiag on the problem machine (SRV3) and attached what I got back. To give you an idea of the machines involved:

DCSRV1 - 192.168.1.10 - PDC, DNS, DHCP
DCSRV2 - 192.168.1.8 - Secondary DC
DCSRV3 - 192.168.1.9 - Secondary DC, Alternate DNS

SRV3 - 192.168.1.13 - This is the problem server

All are running Windows 2003.

...................................

    Computer Name: SRV3
    DNS Host Name: SRV3.my.domain.com
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
    List of installed hotfixes : 
        KB923561
        KB924667-v2
        KB925398_WMP64
        KB925876
        KB925902
        KB926122
        KB927891
        KB929123
        KB930178
        KB931784
        KB932168
        KB933729
        KB933854
        KB935839
        KB935840
        KB936021
        KB936357
        KB936782
        KB938127
        KB938127-IE7
        KB938464
        KB941569
        KB941693
        KB942830
        KB942831
        KB943055
        KB943460
        KB943485
        KB944338-v2
        KB944653
        KB945553
        KB946026
        KB948496
        KB948590
        KB950762
        KB950974
        KB951066
        KB951072-v2
        KB951698
        KB951748
        KB952004
        KB952069
        KB952954
        KB953838
        KB953838-IE7
        KB953839
        KB954550-v5
        KB954600
        KB955069
        KB955839
        KB956572
        KB956802
        KB956803
        KB957097
        KB958644
        KB958687
        KB958690
        KB959426
        KB960225
        KB960715
        KB960803
        KB961118
        KB961371
        KB961373
        KB961501
        KB963027-IE7
        KB967715
        KB968537
        KB969897-IE7
        KB970238
        KB970483
        KB971633
        KB973346
        Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Network Bridge

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : SRV3.my.domain.com
        IP Address . . . . . . . . : 192.168.1.13
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.1.1
        Dns Servers. . . . . . . . : 192.168.1.10
                                     192.168.1.9


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{3789AEC7-9ACF-4A0A-A660-D00F778501FC}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{3789AEC7-9ACF-4A0A-A660-D00F778501FC}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{3789AEC7-9ACF-4A0A-A660-D00F778501FC}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Passed
    Secure channel for domain 'mydomain' is to '\\DCSRV3.my.domain.com'.


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully

Select allOpen in new window

HI,

Regarding the time issue:

Check if the TYPE key is set to NTP on the secondary server as well? It should be NTP only on the PDC and on rest, it should be NT5DS.

Also, if your PDC is pointing to external time source, the value of 'annouce flags' should be 10 (Dec).

Regarding 1053:

Forcing Kerberos: You should make maxpacketsize and maxtokensize keys on all DCs. Look, what we are doing is to make sure that the authentication packets are not dropped during the transmission. AS UDP is non-reliable protocol, the authentication fails if the packets are dropped and we do not get precise error messages.

Second: Please do this: ( I think I have suggested this before):

1. See which DNS the problem machine is pointing to.
2. Go to that DNS server and open dnsmgmt.msc.
3. Expand forward lookup zone.
4. Check the _msdcs folder to ensure that the DCs have registered their GUID records.
5. Now expand the domain's zone.
6. Go to _Sites and then expand the site name where the problem machine is in.
7. Expand the _tcp folder and look if the DCs have registered their SRV records there.
8. After checking them, look for the host records for the DCs under the zone itself.

I am assuming that there is no firewall between the machine and the DCs.

Regards,

Arun.

I am not sure as to what else can cause this ,as per the info(time ,dns,registery entries for kerberos) are in place but still the error.

I would say check the solution mentioned in the link below and see any of it helps you

http://www.eventid.net/display.asp?eventid=1053&eventno=1584&source=Userenv&phase=1

Let us know the results.

Arun: Correct, there is no firewall between this server and any of the DCs. Type is set to NT5DS on my secondary controller. On the PDC, AnnounceFlags was set to 5. At your recommendation I have changed it to 10.

With regard to forcing kerberos, MaxTokenSize should be 65535 and MaxPacketSize should be 1? Is this correct?

The problem server is pointing to our primary DNS, which is on the PDC.

- Under _msdcs, I see a GUID entry for each DC on my domain. Aside from verifying that the entries are present, I don't know how else to confirm that they're correct (i.e., that the GUID is accurate) although I'm not sure that's even an issue.
- Under _sites, all of our servers are under default-first-site-name. I see SRV entries for _gc, _kerberos, and _ldap. It appears that all of the DCs are represented here as well (with the exception of _gc, which has an entry for only two of my DCs, one of which being the PDC).
- Under the zone itself, I see a "same as parent folder" NS entry for the PDC, as well as a Host (A) record for it. The IP address set under the Host (A) record is correct.

himvy: I have reviewed the eventid.net entry for this error before, but I'll go over it a second time to see if maybe there was something that I missed.

I tried the following, yet the problem still exists:

- Set NIC to 100/Full Duplex (it was on Auto before)
- Removed the machine from the domain and left it that way for a couple hours
- Removed the machine's entry in Active Directory
- Rejoined the domain

Hi,
Sorry for the delay elorc!

If the DNS is ok, the issues seems to be with packet fragmentation may be. Please follow the MaxPacketSize and MaxTokenSize step that I suggested. Yes you are right with the value. I would suggest 65534 for MaxtokenSize instead of 65535. Please make these keys on all the DCs. and reboot them once (one by one ofcourse). I know it will take time but i think its worth doing it...

BTW: You can check the GUIDs by pinging them. If you get reply from valid IP, its correct.



Regards,

Arun.

Thanks for all the help and sorry about taking a while to get back to you about this. I got tied up with some other issues.

Unfortunately the server continued to complain about the name issue. Even though it more or less functioned fine aside from that, I've rebuilt the server.