dekkar

remove/add DC box on a domain

Hi, I have a 2003 server that is a DC and it is causing quite a few problems...

Originally it was a DNS problem, this was rectified, but I think it's having WINS and other issues that are causing it to have authentication issues.

I have spent around a week looking at errors from nltest and netdiag, but nothing seems to apply.

The server is a print server and does do a few other small things, so I don't want to just trash it.


Would it be appropriate to dcpromo it, to make it a member server, then dcpromo it again to make it a DC again?

With the hope that the new AD stuff will fix any problems it was having before?


Thanks,
Dekkar
Mike Kline

Depending on the errors, yes, that could be an appropriate way to go; but WINS should not affect authentication issues.

Are you seeing replication errors, errors in logs?

repadmin /showrepl .... how long since it has replicated?

dcdiag is another good tool

Thanks

Mike
dekkar

ASKER

Replication is actually working OK... according to repadmin...

The problem is really confusing me..... I'll give you some of the symptoms...

dcdiag gives the error:
Starting test: NetLogons
         * Network Logons Privileges Check
         [FBRS-DC] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... FBRS-DC failed test NetLogons

Starting test: MachineAccount
         Checking machine account for DC FBRS-DC on DC FBRS-DC.
         Could not open pipe with [FBRS-DC]:failed with 1203: No network provider accepted the given network path.


Netdiag gives:

IpConfig results . . . . . : Passed
            Pinging the Primary WINS server 192.168.10.1 - reachable

        AutoConfiguration results. . . . . . : Passed
            AutoConfiguration is not in use.

        Default gateway test . . . : Passed
            Pinging gateway 192.168.10.254 - reachable
            At least one gateway reachable for this adapter.

        NetBT name test. . . . . . : Passed
            NetBT_Tcpip_{0EFB38FB-D5D9-4742-BC94-735484C25FD9}
            FBRS-DC        <00>  UNIQUE      REGISTERED
            FBRICE         <00>  GROUP       REGISTERED
            FBRICE         <1C>  GROUP       REGISTERED
            FBRS-DC        <20>  UNIQUE      REGISTERED
            FBRICE         <1E>  GROUP       REGISTERED
            FBRICE         <1D>  UNIQUE      REGISTERED
            ..__MSBROWSE__.<01>  GROUP       REGISTERED
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.



NS test . . . . . . . . . . . . . : Passed
      Interface {0EFB38FB-D5D9-4742-BC94-735484C25FD9}
        DNS Domain: fbrice.net.au
        DNS Servers: 192.168.10.1 192.168.10.240
        IP Address:         Expected registration with PDN (primary DNS domain name):
          Hostname: fbrs-dc.fbrice.net.au.
          Authoritative zone: fbrice.net.au.
          Primary DNS server: fbrs-dc.fbrice.net.au 192.168.10.1
          Authoritative NS:192.168.10.240 192.168.10.1 192.168.30.3 192.168.30.1
Check the DNS registration for DCs entries on DNS server '192.168.10.1'
The Record is different on DNS server '192.168.10.1'.
DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain.
Your DC entry is one of them on DNS server '192.168.10.1', no need to re-register.




I'm getting these event logs:

DNS:
Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4004
Date:            8/09/2011
Time:            8:43:30 AM
User:            N/A
Computer:      FBRS-DC
Description:
The DNS server was unable to complete directory service enumeration of zone 30.168.192.in-addr.arpa.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00               *#..    


Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4016
Date:            8/09/2011
Time:            8:43:30 AM
User:            N/A
Computer:      FBRS-DC
Description:
The DNS server timed out attempting an Active Directory service operation on DC=30.168.192.in-addr.arpa,cn=MicrosoftDNS,cn=System,DC=fbrice,DC=net,DC=au.  Check Active Directory to see that it is functioning properly. The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 55 00 00 00               U...    


millions of these in security:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            13/09/2011
Time:            4:55:56 PM
User:            NT AUTHORITY\SYSTEM
Computer:      FBRS-DC
Description:
Pre-authentication failed:
       User Name:      DSR
       User ID:            FBRICE\DSR
       Service Name:      krbtgt/FBRICE.NET.AU
       Pre-Authentication Type:      0x0
       Failure Code:      0x19
       Client Address:      192.168.10.229


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.






And finally, clients can access the server's \\fbrs-dc\netlogon folder....


but if I try and browse this from the server itself, I get the "No network provider accepted the given network path"


All the problems seem minor, and the server is doing most things OK... I'm just worried that something will happen and it will implode eventually.....
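The 675 events above can be sorted before they are treated as a problem: failure code 0x19 with pre-authentication type 0x0 is the KDC's normal "pre-authentication required" reply to a client's first request (the client then retries with pre-authentication), so a flood of them is expected, while codes such as 0x18 (wrong password) or 0x12 (revoked account) are the ones worth a look. The following Python is an added example, not part of the original thread, that parses exported 675 event text in the layout posted above and separates the two; the sample log is constructed, and every account and client address other than DSR / 192.168.10.229 is made up.

```python
import re
from collections import Counter

# Kerberos error numbers (RFC 4120) as shown in the Failure Code field of event 675.
FAILURE_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",   # user name does not exist
    0x12: "KDC_ERR_CLIENT_REVOKED",        # account disabled, expired or locked out
    0x17: "KDC_ERR_KEY_EXPIRED",           # password expired
    0x18: "KDC_ERR_PREAUTH_FAILED",        # wrong password
    0x19: "KDC_ERR_PREAUTH_REQUIRED",      # benign: client retries with pre-authentication
}
FIELD = re.compile(r"^\s*(User Name|Pre-Authentication Type|Failure Code|Client Address):\s*(\S.*?)\s*$", re.M)

def parse_675_events(text):
    """Split exported Security log text on the 675 description header; one dict per event."""
    events = []
    for chunk in text.split("Pre-authentication failed:")[1:]:
        fields = dict(FIELD.findall(chunk))
        if "Failure Code" in fields:
            fields["Failure Code"] = int(fields["Failure Code"], 16)
            events.append(fields)
    return events

def triage(events):
    """Count the expected 0x19 noise separately; group real failures by
    (user, client address, error name) so repeated failures stand out."""
    noise, suspicious = 0, Counter()
    for ev in events:
        code = ev["Failure Code"]
        if code == 0x19:
            noise += 1
            continue
        name = FAILURE_CODES.get(code, "UNKNOWN_0x%X" % code)
        suspicious[(ev["User Name"], ev["Client Address"], name)] += 1
    return noise, suspicious

def _event(user, pa_type, code, client):
    """Constructed event text in the layout of the 675 event posted above."""
    return ("Pre-authentication failed:\n"
            f"       User Name:      {user}\n"
            f"       Service Name:      krbtgt/FBRICE.NET.AU\n"
            f"       Pre-Authentication Type:      0x{pa_type:X}\n"
            f"       Failure Code:      0x{code:X}\n"
            f"       Client Address:      {client}\n\n")

# Constructed sample: the posted 0x19 noise plus failures that do warrant a look.
SAMPLE_LOG = "".join([_event("DSR", 0, 0x19, "192.168.10.229")] * 3
                     + [_event("DSR", 2, 0x18, "192.168.10.77")] * 4
                     + [_event("jbloggs", 2, 0x12, "192.168.10.55")])
```

Running `triage(parse_675_events(SAMPLE_LOG))` reports 3 benign events and two grouped failures (4 bad passwords for DSR from 192.168.10.77, 1 revoked-account attempt for jbloggs).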



It seems that the netlogon and sysvol shares are not available and hence the DC is not advertising as a Domain Controller. Run the net share command to see if the netlogon and sysvol shares are available.

If the netlogon or sysvol share is not available or the sysvol folder is empty, you need to do an auth and non-auth restore of sysvol. On the healthy DC you need to run D4, and on the DC where the sysvol or netlogon share is not available you need to do D2. http://support.microsoft.com/kb/290762

If the issue persists, post dcdiag /q and repadmin /replsum output.
dekkar

ASKER

Will give it a go... see what I get..... Might have to wait for the weekend before I can try...
dekkar

ASKER

Just thought I would post these as requested before I go ahead with the changes....



C:\Program Files\Support Tools>dcdiag /q
         [FBRS-DC] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... FBRS-DC failed test NetLogons
         Could not open pipe with [FBRS-DC]:failed with 1203: No network provider accepted the given network path.
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         * Missing SPN :(null)
         * Missing SPN :(null)
         ......................... FBRS-DC failed test MachineAccount
         Could not open Remote ipc to [FBRS-DC]:failed with 1203: No network provider accepted the given network path.
         ......................... FBRS-DC failed test Services
         [FBRS-DC] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... FBRS-DC failed test frssysvol
         ......................... FBRS-DC failed test frsevent
         Failed to enumerate event log records, error No network provider accepted the given network path.
         ......................... FBRS-DC failed test kccevent
         Failed to enumerate event log records, error No network provider accepted the given network path.
         ......................... FBRS-DC failed test systemlog





C:\Program Files\Support Tools>repadmin /replsum
Replication Summary Start Time: 2011-09-14 14:14:33

Beginning data collection for replication summary, this may take awhile:
  .......


Source DC           largest delta  fails/total  %%  error
 FBRM-DC               01h:16m:36s    0 /  10    0
 FBRM-DC2                  19m:49s    0 /   5    0
 FBRS-DC                   28m:14s    0 /   5    0
 FBRS-DC2              01h:19m:48s    0 /  10    0


Destination DC    largest delta    fails/total  %%  error
 FBRM-DC               01h:19m:48s    0 /  10    0
 FBRM-DC2                  25m:48s    0 /   5    0
 FBRS-DC               01h:16m:36s    0 /  10    0
 FBRS-DC2                  28m:14s    0 /   5    0


Thanks,
Dekkar

Check the DNS setting on the server; it should point to itself. If a public IP address is added in the NIC DNS setting, remove it and add it to the DNS forwarders if required. If 127.0.0.1 is entered as DNS, remove it and add the IP address.
Check the NIC binding: the NIC which is online and has IP details should be first in order. If multiple NICs are present then disable the unrequired NICs.
Disable the Windows firewall. Reboot the server for the setting to take effect.
Make sure the system time on all DCs is in sync. Check AD Sites and Services; make sure there are no dead or non-existing DCs.

Did you check with nslookup whether you can contact the DNS server and if it is responding properly?
Sometimes, when the DNS server is not responding/resolving or is not running properly, it's necessary to reinstall the DNS server instead of trying to troubleshoot it.

Check in the DNS console whether the zone information is loaded correctly.
Also check that both the sysvol and netlogon shares are available.
dekkar

ASKER

Hi here are the details:

C:\Program Files\Support Tools>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : fbrs-dc
   Primary Dns Suffix  . . . . . . . : fbrice.net.au
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : fbrice.net.au

Ethernet adapter LAN 10.1:

   Connection-specific DNS Suffix  . : fbrice.net.au
   Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
   Physical Address. . . . . . . . . : 00-11-0A-E9-B9-2C
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.254
   DNS Servers . . . . . . . . . . . : 192.168.10.1
                                       192.168.10.240
   Primary WINS Server . . . . . . . : 192.168.10.1



There has only ever been one NIC enabled... nslookup works OK and I have restarted the server a number of times since the problem occurred.


As for sysvol and netlogon...... I can access these shares from any machine OK, but when I try and access them from the DC (locally) it doesn't allow it.
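As an added example (not from the thread), here is a Python parser for `ipconfig /all` output that applies the DNS rules from the earlier reply: the DC's NIC should list its own address as a DNS server, never 127.0.0.1, and never a public resolver (that belongs in the forwarders list). GOOD is the adapter block dekkar posted above; BAD is a constructed variant that breaks the rules.

```python
import ipaddress
import re

ADAPTER_LINE = re.compile(r"^\S.*adapter (?P<name>.+):\s*$")         # "Ethernet adapter LAN 10.1:"
KEY_LINE = re.compile(r"^ {3}(?P<key>[A-Za-z][A-Za-z -]*?)[ .]*:\s*(?P<val>.*)$")  # "   Key . . : value"
CONT_LINE = re.compile(r"^ {20,}(?P<val>\S.*)$")                      # extra values, deeply indented

def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}; 'DNS Servers' gets one entry per line."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if m := ADAPTER_LINE.match(line):
            current, last_key = adapters.setdefault(m.group("name"), {}), None
        elif current is None:
            continue  # still in the 'Windows IP Configuration' header
        elif m := KEY_LINE.match(line):
            last_key = m.group("key").strip()
            current.setdefault(last_key, []).append(m.group("val").strip())
        elif (m := CONT_LINE.match(line)) and last_key:
            current[last_key].append(m.group("val").strip())
    return adapters

def check_dc_dns(adapters):
    """The reply's rules: the DC lists its own address as a DNS server, never 127.0.0.1,
    and never a public resolver (that belongs in the forwarders list)."""
    findings = []
    for name, cfg in adapters.items():
        ips, dns = cfg.get("IP Address", []), cfg.get("DNS Servers", [])
        if not ips:
            continue  # adapter without an address, nothing to check
        if ips[0] not in dns:
            findings.append(f"{name}: DNS servers {dns} do not include own address {ips[0]}")
        for server in dns:
            addr = ipaddress.ip_address(server)
            if addr.is_loopback:
                findings.append(f"{name}: replace loopback {server} with NIC address {ips[0]}")
            elif addr.is_global:
                findings.append(f"{name}: move public resolver {server} to DNS forwarders")
    return findings

# GOOD is the adapter block posted above; BAD is a constructed variant breaking the rules.
GOOD = """Ethernet adapter LAN 10.1:

   IP Address. . . . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.1
                                       192.168.10.240
   Primary WINS Server . . . . . . . : 192.168.10.1
"""
BAD = GOOD.replace("DNS Servers . . . . . . . . . . . : 192.168.10.1",
                   "DNS Servers . . . . . . . . . . . : 127.0.0.1").replace("192.168.10.240", "8.8.8.8")
```

`check_dc_dns(parse_ipconfig(GOOD))` returns no findings for the posted configuration, while the BAD variant yields three (own address missing, loopback present, public resolver present).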

What error message do you receive when you access the sysvol and netlogon shares?
dekkar

ASKER

\\fbrs-dc\NETLOGON is not accessible. You might not have permission to use this network resource. Contact the administrator of the server to find out if you have access permissions.

No Network provider accepted the given network path.


It happens when I try and access any share on the DC box locally.

All other machines have no problem accessing them. So it looks as though the DC has locked itself out, but everything else works OK.
Check the permissions on the sysvol folder; the ID with which you are logged in should have full access.
Try to access it by entering the IP address of the server, \\serverIPaddress only, and check if the sysvol and netlogon shares are accessible.
dekkar

ASKER

Hmmmmm permissions are all OK.

And no one can access the DC1 box via \\192.168.10.1


Just get an error saying Windows cannot find it.
Disable the firewall setting on the DC. Also disable the antivirus app.
Check the sysvol share permissions: Everyone should have read permission, and in NTFS security Authenticated Users should have at least read permission.
Check that File and Printer Sharing for Microsoft Networks is enabled on the NIC.
dekkar

ASKER

Ended up doing what I had planned to do.....