elorc
asked on
Win2k3: "Windows could not determine the user or computer name"
I've been having an issue with one of my Windows 2003 SP2 servers where it keeps showing an error in the event log:
Type: Error
User: NT AUTHORITY\SYSTEM
Source: Userenv
Event ID: 1053
Description: Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted.). Group policy processing aborted.
I searched for information on this error and found several results. Between my findings and the initial troubleshooting that I've performed, this is what I've done:
1. Removed the server from the domain, and deleted its entry from Active Directory. I then rejoined it to the domain.
2. Set the server's IP information to static. Verified the DNS servers I've set are accurate.
3. Once again removed the server from the domain and rejoined it.
None of this has made a difference. The problem persists. The server is in the same OU as three others, and none of them are experiencing this issue.
I'm not really sure how to proceed now.
Are there any netlogon (event ID 5719) or LSASRV events logged in the event viewer?
If yes, follow the KBs mentioned below and reboot it:
support.microsoft.com/kb/9
support.microsoft.com/kb/2
ASKER
Arun: I found a 1058 in the event log, but it hasn't happened since June 2009. 1053 seems to pop up every few hours or so in the log.
himvy: Yep, I found 5719. The last one happened last night. When I follow the instructions on the first link you provided, I still get the 1053 but I now also get 2003 warning: The configuration information of performance library "C:\Windows\system32\perfts.dll" for the "TermService" service does not match the trusted performance library information stored in the registry. The functions in this library will not be treated as trusted.
After applying the changes in the second KB, the 1053 error still pops up after I reboot the machine.
ASKER
Something else I noticed on this server's event log, under System... there's a LsaSrv warning that pops up:
Source: LSASRV
Type: Warning
Category: SPNEGO (Negotiator)
Event ID: 40960
Description: The Security System detected an authentication error for the server MSSQLSvc/SQLSERV.mydomain.com:1433. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request."
On a side note, I've verified that I can ping both the PDC and the SQL server that the above error message is complaining about.
ASKER
Another observation I've made: I ran gpresult /scope computer on a working server, and again on the problem server. On the working server, it is a member of more security groups than the non-working server.
Working Server
-------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
SRV2$
Domain Computers
Problem Server
------------------
BUILTIN\Administrators
Everyone
NT AUTHORITY\Authenticated Users
Noticeable difference. Think that's got something to do with it?
ASKER
If I could edit my post I would, but to add to my last one, I went into AD Users and Computers and took a look at the problem server. On its "Member Of" tab, it does show that it's in "Domain Computers" so I'm not sure why that at least isn't showing up on the gpresult.
Hi Elorc,
Did you follow the article I posted?
Thanks,
Arun.
Please make sure that this domain controller is syncing the time with the primary domain controller correctly and the time difference should not be greater than +/- 5 minutes.
If the DNS configuration is right as you have mentioned and you have applied the fixes involved in the KB I mentioned earlier, please verify the time settings and the issues should get resolved.
ASKER
Arun: Sorry, no. I mistakenly assumed that since I didn't see a 1058, that the article didn't apply. I just tried it now and unfortunately it too had no effect.
himvy: This server isn't functioning as a domain controller. It's actually just a Citrix server. The time on the server is the same as it is on the PDC. Although I have noticed W32Time showing up in the System event log under errors and warnings.
Source: W32Time
Type: Error
Category: None
Event ID: 29
Description: The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.
Source: W32Time
Type: Warning
Category: None
Event ID: 14
Description: The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 15 minutes.
I'm not really familiar with time synchronization. How would I fix this? I haven't seen this error/warning combination show up on any of the other servers.
If this was a domain controller and you disjoined it/rejoined it to the domain, it might have messed up its secure channel. If this is still a DC, I would say if you have a good system state backup, restore it.
Let me know if it is a member server or a DC.
Go to
HKLM/SYSTEM/CCS/SERVICES/W
The NTPServer --should be the Ip of the pdc followed by 0x1
Type ----NT5DS
HKLM/SYSTEM/CCS/SERVICES/W
Announce flag --10 (decimal)
Make sure these settings are there.
- Restart the time service.
- Run w32tm /resync /rediscover.
If it is successfully completed, the issue is resolved.
Hi,
I would like to know where you made the registry changes. On the server or the DC?
--------------------------
If you have multiple DCs, you can use the ADM template in the following article to set this registry on all the DCs.
http://support.microsoft.com/kb/244474
And for MaxTokenSize, you can use the ADM in the following article:
http://support.microsoft.com/kb/938118
--------------------------
You just said in your first post that you removed this machine from the domain and then rejoined it back. Did we have any roles being handled by this machine? Like DNS, DC or DHCP? Did you clean the DNS properly to remove its instances?
--------------------------
The SPNEGO event is occurring due to the non-availability of the DCs.
And non-availability of DCs generally happens due to name resolution issues. Please check which DNS server this server is pointing to. Go to that server and check for the site-specific SRV records (_tcp). Also check if it has the GUID records of the DCs under the _MSDCS folder.
--------------------------
For correcting the Windows time issue, you can follow the steps suggested by himvy, but I doubt that if the server is not able to find any DC, it won't find the PDC as well (which is the authoritative time server in the domain hierarchy). So we have to fix name resolution first in that case.
Regards,
Arun
ASKER
I really appreciate all of your help with this, both of you have been a lot of help. I'm out of my office for now but I'll try your suggestions tomorrow and follow up with you.
ASKER
himvy: The keys you referenced do exist. It was pointing to time.microsoft.com. After I ran that command, it's now pointing to one of my secondary domain controllers.
Arun: I made the changes to the problem server, not the PDC. Was that not correct? This server has no special roles. It just runs Citrix Presentation Server. DNS and DHCP are handled by our PDC. I have tried the flush DNS on the problem server (a few times).
This is really irritating because I have three servers functioning as domain controllers on my network. Every other server on my network can communicate fine with them. Clearly, this problem server can find them too (it found one of the secondary DC's when I resynched the time service). I'm still getting this damn 1053 error though.
Please run netdiag on the problem machine and any other userenv error from the event log. Based on that we might be able to help you much better.
Also the time server should be the PRIMARY DOMAIN CONTROLLER (PDC) not the secondary DC.
ASKER
Weird. How would it have pointed to a secondary domain controller, then? I checked under AD Users and Computers, and Operations Masters shows that the PDC is set correctly. Our PDC is DCSRV1, yet the problem machine is pointing to DCSRV2 (one of the secondary controllers) for the time service.
The only userenv error I'm seeing in the event log is the 1053 error that occurs when the machine boots up. There is also still the 5719 netlogon error ("The computer was not able to set up a secure session with a domain controller in domain MYDOMAIN due to the following: There are currently no logon servers available to service the logon request.").
I ran netdiag on the problem machine (SRV3) and attached what I got back. To give you an idea of the machines involved:
DCSRV1 - 192.168.1.10 - PDC, DNS, DHCP
DCSRV2 - 192.168.1.8 - Secondary DC
DCSRV3 - 192.168.1.9 - Secondary DC, Alternate DNS
SRV3 - 192.168.1.13 - This is the problem server
All are running Windows 2003.
...................................
Computer Name: SRV3
DNS Host Name: SRV3.my.domain.com
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
List of installed hotfixes :
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Network Bridge
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : SRV3.my.domain.com
IP Address . . . . . . . . : 192.168.1.13
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.1.1
Dns Servers. . . . . . . . : 192.168.1.10
192.168.1.9
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{3789AEC7-9ACF-4A0A-A660-D00F778501FC}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{3789AEC7-9ACF-4A0A-A660-D00F778501FC}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{3789AEC7-9ACF-4A0A-A660-D00F778501FC}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Passed
Secure channel for domain 'mydomain' is to '\\DCSRV3.my.domain.com'.
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully
Hi,
Regarding the time issue:
Check if the TYPE key is set to NTP on the secondary server as well. It should be NTP only on the PDC and on the rest, it should be NT5DS.
Also, if your PDC is pointing to an external time source, the value of 'announce flags' should be 10 (Dec).
Regarding 1053:
Forcing Kerberos: You should make maxpacketsize and maxtokensize keys on all DCs. Look, what we are doing is to make sure that the authentication packets are not dropped during the transmission. As UDP is a non-reliable protocol, the authentication fails if the packets are dropped and we do not get precise error messages.
Second: Please do this (I think I have suggested this before):
1. See which DNS the problem machine is pointing to.
2. Go to that DNS server and open dnsmgmt.msc.
3. Expand forward lookup zone.
4. Check the _msdcs folder to ensure that the DCs have registered their GUID records.
5. Now expand the domain's zone.
6. Go to _Sites and then expand the site name where the problem machine is in.
7. Expand the _tcp folder and look if the DCs have registered their SRV records there.
8. After checking them, look for the host records for the DCs under the zone itself.
I am assuming that there is no firewall between the machine and the DCs.
Regards,
Arun.
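The SRV-record check in the steps above can also be done on saved text instead of the dnsmgmt.msc tree. The following is an added example, not part of the thread or of any poster's own tooling: it parses the output of `nslookup` run with `set type=SRV` and reports which DC-locator records lack a target for which domain controller. The host names, domain and site come from the thread; the transcript itself is constructed, and the gaps in it are invented to show what a finding looks like.

```python
import re

# Names from the thread; which record is missing which DC below is constructed.
DOMAIN = "my.domain.com"
SITE = "Default-First-Site-Name"
PDC = "dcsrv1"
DCS = {"dcsrv1", "dcsrv2", "dcsrv3"}

# Constructed nslookup transcript (set type=SRV). The priority, weight and
# port lines that nslookup also prints are trimmed; the parser skips them.
SAMPLE = """\
_ldap._tcp.dc._msdcs.my.domain.com      SRV service location:
          svr hostname   = dcsrv1.my.domain.com
_ldap._tcp.dc._msdcs.my.domain.com      SRV service location:
          svr hostname   = dcsrv2.my.domain.com
_ldap._tcp.dc._msdcs.my.domain.com      SRV service location:
          svr hostname   = dcsrv3.my.domain.com
_ldap._tcp.Default-First-Site-Name._sites.my.domain.com SRV service location:
          svr hostname   = dcsrv1.my.domain.com
_ldap._tcp.Default-First-Site-Name._sites.my.domain.com SRV service location:
          svr hostname   = dcsrv2.my.domain.com
_ldap._tcp.Default-First-Site-Name._sites.my.domain.com SRV service location:
          svr hostname   = dcsrv3.my.domain.com
_kerberos._tcp.Default-First-Site-Name._sites.my.domain.com SRV service location:
          svr hostname   = dcsrv1.my.domain.com
_kerberos._tcp.Default-First-Site-Name._sites.my.domain.com SRV service location:
          svr hostname   = dcsrv3.my.domain.com
*** dcsrv1.my.domain.com can't find _ldap._tcp.pdc._msdcs.my.domain.com: Non-existent domain
"""

HEADER = re.compile(r"^(\S+)\s+SRV service location:", re.I)
TARGET = re.compile(r"^\s+svr hostname\s*=\s*(\S+)", re.I)


def expected_records(domain, site, dcs, pdc):
    """Map each DC-locator SRV name to the hosts that should be its targets."""
    every_dc = set(dcs)
    return {
        f"_ldap._tcp.dc._msdcs.{domain}": every_dc,
        f"_ldap._tcp.{site}._sites.{domain}": every_dc,
        f"_kerberos._tcp.{site}._sites.{domain}": every_dc,
        f"_ldap._tcp.pdc._msdcs.{domain}": {pdc},  # only the PDC emulator
    }


def parse_srv(transcript):
    """Return {record name (lowercase): set of target short host names}."""
    found, current = {}, None
    for line in transcript.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1).lower().rstrip(".")
            found.setdefault(current, set())
            continue
        target = TARGET.match(line)
        if target and current:
            found[current].add(target.group(1).lower().split(".")[0])
    return found


def audit(transcript, domain=DOMAIN, site=SITE, dcs=DCS, pdc=PDC):
    """Return {record name: sorted list of DCs with no SRV target for it}."""
    found = parse_srv(transcript)
    gaps = {}
    for name, hosts in expected_records(domain, site, dcs, pdc).items():
        missing = hosts - found.get(name.lower(), set())
        if missing:
            gaps[name] = sorted(missing)
    return gaps


if __name__ == "__main__":
    for name, hosts in audit(SAMPLE).items():
        print(f"{name}: no SRV target for {', '.join(hosts)}")
```

The `_gc` records are left out of the expected set on purpose, since only domain controllers that hold the global catalog register them.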
I am not sure as to what else can cause this, as per the info (time, DNS, registry entries for Kerberos) are in place but still the error.
I would say check the solution mentioned in the link below and see if any of it helps you.
http://www.eventid.net/display.asp?eventid=1053&eventno=1584&source=Userenv&phase=1
Let us know the results.
ASKER
Arun: Correct, there is no firewall between this server and any of the DCs. Type is set to NT5DS on my secondary controller. On the PDC, AnnounceFlags was set to 5. At your recommendation I have changed it to 10.
With regard to forcing kerberos, MaxTokenSize should be 65535 and MaxPacketSize should be 1? Is this correct?
The problem server is pointing to our primary DNS, which is on the PDC.
- Under _msdcs, I see a GUID entry for each DC on my domain. Aside from verifying that the entries are present, I don't know how else to confirm that they're correct (i.e., that the GUID is accurate) although I'm not sure that's even an issue.
- Under _sites, all of our servers are under default-first-site-name. I see SRV entries for _gc, _kerberos, and _ldap. It appears that all of the DCs are represented here as well (with the exception of _gc, which has an entry for only two of my DCs, one of which being the PDC).
- Under the zone itself, I see a "same as parent folder" NS entry for the PDC, as well as a Host (A) record for it. The IP address set under the Host (A) record is correct.
himvy: I have reviewed the eventid.net entry for this error before, but I'll go over it a second time to see if maybe there was something that I missed.
ASKER
I tried the following, yet the problem still exists:
- Set NIC to 100/Full Duplex (it was on Auto before)
- Removed the machine from the domain and left it that way for a couple hours
- Removed the machine's entry in Active Directory
- Rejoined the domain
Hi,
Sorry for the delay elorc!
If the DNS is OK, the issue seems to be with packet fragmentation maybe. Please follow the MaxPacketSize and MaxTokenSize step that I suggested. Yes, you are right with the value. I would suggest 65534 for MaxTokenSize instead of 65535. Please make these keys on all the DCs and reboot them once (one by one, of course). I know it will take time but I think it's worth doing it...
BTW: You can check the GUIDs by pinging them. If you get a reply from a valid IP, it's correct.
Regards,
Arun.
ASKER
Thanks for all the help and sorry about taking a while to get back to you about this. I got tied up with some other issues.
Unfortunately the server continued to complain about the name issue. Even though it more or less functioned fine aside from that, I've rebuilt the server.