Solved

Active directory

Posted on 2010-11-22
6
1,757 Views
Last Modified: 2012-05-10
Hi!

I have 3 domain controlers
2x 2008
1x 2003 server

When i use the nltest /server:dcN.domain.local /sc_verify:domain.local
i get: on the 2 of them OK status
on one of them i get
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

i did some tests and when i moved the role "Domain Role Owner" from the server i had the error to another DC the error moved also

is there any connection with the Domain role owner role? and the 1355 error?

0
Comment
Question by:virtualjim
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 2

Author Comment

by:virtualjim
ID: 34188336
To be more clear about:

1. dc1 server
FMSO role "domain owner role"
testing nltest /sc_verify:domain.local
error:  I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

2. dc2 server
no FMSO role
testing nltest /sc_verify:domain.local
success

now i move fmso domain owner rule to server DC2

1. dc1 server
FMSO none
testing nltest /sc_verify:domain.local
sucess

2. dc2 server
FMSO role "domain owner role"
testing nltest /sc_verify:domain.local
error:  I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

?!?!?
0
 
LVL 3

Expert Comment

by:elmagoal
ID: 34188914
0
 
LVL 2

Author Comment

by:virtualjim
ID: 34188976
Elmagoal:

the KB you send says about netbios and dns name resolutions, which if you read my comment shows that i do use dns to do resolve...
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 21

Expert Comment

by:snusgubben
ID: 34190020
What you're seeing is normal as "nltest /sc_query" is not reliable. It reports the status of the secure channel the last time it was used and by which DC that used the SC. It don't report the current SC status.

If DC1 authenticated towards DC2, both DC1 and DC2 will report back that the SC on DC1 was ok.

You will get the 1355 error on DC2 (nltest /server:dc2 /sc_query:domain.com)
0
 
LVL 2

Author Comment

by:virtualjim
ID: 34191430
snusgubben:

i guess i understand what you are saying, but i dont know hat has the role domain owner has to do with it?

so the nltest /sc_verify:domain.local is not reliable as a test?

0
 
LVL 21

Accepted Solution

by:
snusgubben earned 500 total points
ID: 34192131
It has nothing to do with the Domain Naming Master, that I'm aware of. Why should it?!

I guess if you transfered i.e. the PDC, you'd get the same result.

"nltest /sc_verify:domain.com" is not a reliable test to check the current secure channel status because it reports the last known state.

If the SC is broken you'll get replication errors and access denied in ie. dcdiag logs.

If replication is good, then the SC is good. Verify with ie. "repadmin /replsum"

 
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question