Ed Shnatter asked:
SBS 2011 Standard domain - users need to keep logging in to get to server shares. Certificate authority doesn't open.

On a domain with SBS 2011 Standard, in the last couple of days, users (there are only 5 of them) are not getting to server shares and printers.

In Windows Explorer, they can enter \\server and then they get prompted for their credentials. They use the same credentials they have been using for months/years. They then see the shares.

It seems after their screen saver kicks in, they then have to repeat the process to get to the shares. Same for reboots... they log into the domain at the login screen, then have to re-enter their credentials to get to the server shares.

The SBS box is the DNS and DHCP server; no other DHCP servers on the network. They have a WatchGuard firewall, but DHCP is turned off.

I tried opening the Certificate Authority on the SBS box. It shows the window and tree structure on the left, but hangs at "not responding" when trying to expand the tree.

ShadowProtect jobs on the desktops are failing with:

"An untrusted certificate authority was detected while processing the smartcard certificate used for authentication"

ShadowProtect writes to a drive on the server.
Hypercat (Deb):
The place to start would be to run the "Fix My Network" wizard from the SBS management console. This will find the expired certificate and renew it for you if you just follow the steps presented by the wizard. If you're not familiar with these wizards, it may find problems that are not really problems but just configurations that the wizard doesn't expect to find. So, be sure you DON'T tell it to run anything other than what you want it to do, i.e., renew the certificate that's expired.
Ed Shnatter (asker):
Thanks! I have been trying to open the SBS console. It opens, then I click on the Network tab... it spins a bit, then "SBS 2011 console has stopped working".

Same when I open Certificate Authority, or MMC and add Certificate Authority.
Do you know a command line way to start the Fix My Network wizard?
Never mind: C:\Program Files\Windows Small Business Server\Bin\FNCW.exe


Ran it and it DIDN'T say anything about certs :(

But it did say:
- Could not configure the router - as expected, it's a WatchGuard.
- DHCP is not configured correctly - doesn't say what's wrong.
- The DNS server is not listening on the IP of the primary network adapter - there's 1 NIC, and in the properties of the DNS interface, "listen on all IP addresses" is checked.
- DNS is using a DNS forwarder - that's OK?
- DNS zone is missing - ?! It doesn't say anything more than that. There are forward and reverse zones and conditional forwarders listed in DNS.
- An error occurred while trying to connect to the Exchange Management Shell - they are using Office 365 for Exchange / I stopped the Exchange services months ago.
- The Windows Time service is not enabled - the server time IS accurate. Would you let the wizard fix that?
ASKER CERTIFIED SOLUTION
Hypercat (Deb):
This solution is only available to members.

Ed Shnatter (asker):
Yes, static IP on the server, hasn't changed.

I changed the DNS config - changed it so that only the 192.168.1.3 IP is checked. Restarted the service, rebooted a computer. Still doesn't let you get to shares without re-entering the same credentials.

DHCP - yeah, looks right. DNS server is the server itself - 192.168.1.3. Gateway is correct, 192.168.1.1. I checked ipconfig /all on a desktop - it got its IP from the server (DHCP server: 192.168.1.3) and the only DNS server is the server, 192.168.1.3.

Sorry, I tried doing screen captures but there are too many pages to include / things look OK / the machine is slow. I realize a picture is worth a thousand words...

A couple of things: in DHCP, properties of IPv4, the DNS tab - that's unchecked ("enable DNS dynamic updates..."). Would you say that's OK?

And in trying to find that page, I right-clicked on DHCP, Manage Authorized Servers. There are NO servers listed - not even this one! (even though the only server listed is that one: server.ourdomain.local).

I went to add/authorize this server's IP and it gave the error: "the DHCP service could not connect to Active Directory".

In Services, there are 3 AD services - Certificate, Domain and Web. All are started.

Hypercat (Deb):
OK - then let's go look at the Active Directory status. Please run a dcdiag and pipe it out to a file so that you can post it.

dcdiag /v /c > c:\dcdiag.txt

The /c (comprehensive) switch takes a bit longer, but it will catch some things that of course the normal dcdiag could miss. You'll probably want to go through and remove the domain name and server name. I don't know your background/experience level, but if you are familiar with dcdiag, it's fine if you just post any errors that you see.
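The dcdiag step above, plus the redaction of domain and server names that Hypercat recommends before posting the log, as one PowerShell script. This is an added example, not code from the thread or from Microsoft; it assumes it is run in an elevated PowerShell on the domain controller itself and takes the names to redact from the $env:USERDNSDOMAIN, $env:USERDOMAIN and $env:COMPUTERNAME variables of the logged-on domain account. It also pulls out which dcdiag tests failed, with a few lines of context, so the cause of a failure such as "server with PDC role is down" is visible without reading the whole file.

```powershell
# Added example (not from the thread): run a comprehensive dcdiag, save it,
# write a redacted copy safe to post, and summarise the failed tests.
# Assumptions: elevated PowerShell on the DC; the domain/NetBIOS/server names
# come from the session's environment variables.
$outFile      = 'C:\dcdiag.txt'
$redactedFile = 'C:\dcdiag-redacted.txt'

# /v = verbose, /c = comprehensive (also runs the non-default tests). Slow.
dcdiag /v /c | Out-File -FilePath $outFile -Encoding ASCII

# Names to strip before the log goes anywhere public. Skip empty values,
# because -replace with an empty pattern would insert text between every character.
$redactions = @(
    @{ Name = $env:USERDNSDOMAIN; With = 'DOMAIN.REDACTED' },  # e.g. OURDOMAIN.LOCAL
    @{ Name = $env:COMPUTERNAME;  With = 'DC-REDACTED' },      # e.g. SERVER
    @{ Name = $env:USERDOMAIN;    With = 'DOMAIN-NB' }         # e.g. OURDOMAIN
) | Where-Object { $_.Name -and $_.Name.Length -gt 0 }

Get-Content $outFile | ForEach-Object {
    $line = $_
    foreach ($r in $redactions) {
        # -ireplace is case-insensitive; Escape() so dots in the FQDN are literal
        $line = $line -ireplace [regex]::Escape($r.Name), $r.With
    }
    $line
} | Set-Content -Path $redactedFile -Encoding ASCII

# dcdiag reports each test as "... SERVER passed test Advertising" or
# "... SERVER failed test Advertising"; collect the unique failed test names.
$failed = Select-String -Path $outFile -Pattern 'failed test (\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique

if ($failed) {
    Write-Host ("Failed dcdiag tests: " + ($failed -join ', '))
    # Five lines of preceding context usually contain the actual error text
    Select-String -Path $outFile -Pattern 'failed test' -Context 5,0 | Format-List
} else {
    Write-Host 'All dcdiag tests passed.'
}
Write-Host "Full log: $outFile  Redacted copy for posting: $redactedFile"
```

Post the redacted copy, not the original: the raw file also contains the DC's IP addresses and site names, so check it by eye before sharing if those matter to you.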
Forgot to answer your question - you should enable dynamic updates in DHCP, although that's probably not causing this problem....but you never know.
Ed Shnatter (asker):
DcDiag had a bunch of errors - 1 was "server with PDC role is down" (the server isn't down... that's the machine I am running the command on...). Googling some more, I see someone said back in 2010:

"Delete the _msdcs folder from DNS, restart the DNS Server and Netlogon services, and the _msdcs folder will be recreated."

Doing that, I see that the Netlogon service wasn't started (but set to Automatic). I started it, and now the server comes up in DHCP as authorized. Now the question is why Netlogon was not running...

Rebooting, I see Netlogon isn't started (although set to Automatic). I started it manually and it's still running.

That _msdcs folder hasn't been recreated. Did I cause some other problem?

Going to rerun the dcdiag command line and post the results soon.

Hypercat (Deb):
After you deleted the _msdcs zone, on the server you need to run these commands, which should recreate the zone:

ipconfig /flushdns

then

ipconfig /registerdns
Ed Shnatter (asker):
Thanks!

A few things - that's what I was seeing - that those commands would recreate the zones. But a couple of pages said I'd have to recreate the zone and then those commands would populate the zone. I created _msdcs and _msdcs.ourdomain.com zones under forward zones, ran those commands, and 1 of those got populated (I didn't remember what was there originally - _msdcs or the longer one).

But looking at things, the Netlogon service doesn't show started (although listed as Automatic in Services). I'll start it and it seems to resolve problems with users, but a server reboot brings it back to not started.

I don't see anything in the event log about failing to start, etc.

Also Windows Time isn't started. I start that (also set to Automatic in Services) and that too doesn't start after a reboot.

Running dcdiag still shows some varied errors and dcdiag /fix doesn't resolve everything. Not sure if I want to just leave things as is at this point - I might make things worse :)

I'm telling them they need a new server. I'll just babysit those 2 services?

Those hard drive errors - I think they've been in the event log for years. Wasn't able to resolve those.

Any thoughts?
(attachment: dcdiag-20190526.txt)

Hypercat (Deb):
Everything looks pretty good now. The only thing I noticed is that the server has the PDC role but isn't properly configured as a time source for the domain. This can cause issues, so I suggest that you configure it following this article and....just maybe....those two services will start properly:

https://support.microsoft.com/en-us/help/816042/how-to-configure-an-authoritative-time-server-in-windows-server

There are a number of NTP time sources you can use; personally I normally use the NIST time servers:  time.nist.org (they have a number of servers and using this URL will point you to whatever server is available at the moment your server checks in).
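The three things this thread ends up doing by hand, as one PowerShell script: configure the PDC emulator as an authoritative time source (the procedure from the Microsoft article linked above), make sure Netlogon and W32Time are set to Automatic and running, verify that Netlogon has re-registered the DC records in the _msdcs zone that was deleted and recreated earlier, and pull the Service Control Manager events since the last boot so that a service that is Automatic but not running can be explained rather than just restarted. This is an added example, not code from the thread, the linked article, or Microsoft. It assumes an elevated PowerShell on the SBS server (which holds the PDC role), uses Get-WmiObject rather than newer cmdlets because SBS 2011 ships PowerShell 2.0, and uses time.nist.gov as the NTP peer as an assumption; substitute whatever NTP server you prefer.

```powershell
# Added example (not from the thread or the linked article). Assumptions:
# elevated PowerShell 2.0+ on the SBS server holding the PDC emulator role;
# $peer is the external NTP source you want the PDC to follow.
$peer   = 'time.nist.gov'          # assumed peer; any reachable NTP server works
$domain = $env:USERDNSDOMAIN       # e.g. OURDOMAIN.LOCAL

# 1. PDC as authoritative time source: sync from the manual peer list, advertise
#    itself as reliable to domain members, then restart W32Time and resync.
w32tm /config "/manualpeerlist:$peer" /syncfromflags:manual /reliable:yes /update
Restart-Service -Name W32Time
w32tm /resync /rediscover

# 2. Both services Automatic and running right now. StartMode comes from WMI
#    because Get-Service has no StartupType property on PowerShell 2.0.
foreach ($name in 'Netlogon', 'W32Time') {
    Set-Service -Name $name -StartupType Automatic
    if ((Get-Service -Name $name).Status -ne 'Running') {
        Start-Service -Name $name
    }
    $svc  = Get-Service -Name $name
    $wmi  = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    "{0,-9} status={1,-8} startup={2}" -f $name, $svc.Status, $wmi.StartMode
}

# 3. Time source actually in use; 'Local CMOS Clock' here means step 1 did not take.
w32tm /query /status

# 4. Netlogon registers the DC locator records under _msdcs when it starts.
#    An empty or NXDOMAIN answer means the recreated zone is not populated yet.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 127.0.0.1

# 5. Why did an Automatic service not start at boot? The Service Control
#    Manager logs the reason (timeout, dependency failure, logon failure).
$os   = Get-WmiObject -Class Win32_OperatingSystem
$boot = $os.ConvertToDateTime($os.LastBootUpTime)
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        StartTime    = $boot
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Netlogon|Windows Time' } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Run it once, reboot, and run steps 2 to 5 again: if the services are Automatic and the SCM log shows no failure for them after the reboot, the thread's "set to auto but not started" symptom is gone; if the log shows a timeout or a dependency failure, that event, not the service itself, is the thing to chase.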
Ed Shnatter (asker):
THANKS! I learned loads with your help. Wonder how much of this was existing already (was the time issue always there?).

I'm still curious whether on reboot the Netlogon and Time services will start.

Before seeing your post, I saw this page:

https://www.vdberge.com/kennisbank/how-to-set-time-server-for-windows-server-2008-sbs2011-2012/

and ran those few lines.

Then ran dcdiag... and I think everything passed (except the hard drive errors - I think for that I need to run chkdsk at a reboot).

Please check this page - I am sure you'd have good insights! THANKS!

https://www.experts-exchange.com/questions/29147341/We're-looking-to-replace-an-SBS-2011-Standard-server-not-using-exchange-what-would-you-say-are-options.html
THANKS!