JSI Tip 8320. Troubleshooting - A domain controller is not functioning correctly?
August 2, 2004
This tip addresses the following behaviors on a Windows 2000 or Windows Server 2003 domain controller:
Dcdiag reports:
DC Diagnosis
Performing initial setup:
[DC1] LDAP bind failed with error 31
Running REPADMIN /SHOWREPS locally produces:
[D:\nt\private\ds\src\util\repadmin\repinfo.c, 389] LDAP error 82 (Local Error).
When you attempt to use network resources, including UNC and mapped drives, you receive:
No logon servers available (c000005e = "STATUS_NO_LOGON_SERVERS")
The Active Directory administration tools on the affected DC report one of the following:
Naming information cannot be located because: No authority could be contacted for authentication.
Naming information cannot be located because: Target account name is incorrect.
Outlook clients, authenticated by a working DC, who are connected to an Exchange Server that uses the affected DC for authentication, are prompted for credentials.
Netdiag displays:
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to . (). [ERROR_DOMAIN_CONTROLLER_NOT_FOUND]
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for krbtgt/.
[FATAL] Kerberos does not have a ticket for .
LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC
The System event log contains:
Type: Error
Event Source: Service Control Manager
Event ID: 7023
Description: The Kerberos Key Distribution Center service terminated with the following error:
The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation.
Work through the following procedures, in order, until the problem is resolved.
Correct any DNS configuration errors:
1. Open a command prompt and run the netdiag -v command. Resolve any DNS errors in the Netdiag.log file, created in the current folder.
NOTE: You can download the Windows 2000 Server Support Tools.
2. Make sure that the DNS address on the DC is pointing to itself, or another DNS server for your domain that supports SRV records and dynamic updates. You can configure forwarders to your ISP for Internet name resolution.
The following Microsoft Knowledge Base articles may be helpful:
291382 Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS.
237675 Setting up the Domain Name System for Active Directory.
254680 DNS namespace planning.
255248 How to create a child domain in Active Directory and delegate the DNS namespace to the child domain.
Make sure that time is synchronized:
There must be an authoritative time server in your domain. Make sure that time is synchronized between DCs, and that clients are synchronizing time with a DC. See the following:
How do I configure an authoritative time server in Windows 2000?
How do I configure the Windows Time service on the Windows Server 2003 forest root PDC emulator?
Your domain controller does not locate a new time source server in Windows Server 2003?
How do I configure the Windows 2000 time service to log when time is adjusted?
How can I verify that a computer's time is synchronized with the authoritative time server for my domain?
How do I make my PDC emulator an authoritative time server for my domain without it synchronizing with a reliable time source?
Your Windows XP, or Windows Server 2003, does NOT synchronize its time with the domain time source?
Verify: Access this computer from the network:
Appropriate users must have the Access this computer from the network user right on the DC.
1. Open "%SystemRoot%\Sysvol\Sysvol\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf" in Notepad.
2. The SeNetworkLogonRight line should contain the well-known SIDs for Administrators, Authenticated Users, and Everyone. Add any that are missing.
SeNetworkLogonRight = *S-1-5-32-554,*S-1-1-0,*S-1-5-9,*S-1-5-11,*S-1-5-32-544
3. The SeDenyNetworkLogonRight is empty by default on Windows 2000 Server, and contains the SID for the Support_RandomString account, used by Remote Assistance, in Windows Server 2003.
4. Increment the group policy version in "%SystemRoot%\Sysvol\Sysvol\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI".
5. Apply the policy:
Windows 2000 Server - secedit /refreshpolicy machine_policy /enforce
Windows Server 2003 - GPUpdate /Force
NOTE: You may have to check other policies to ensure that any SeNetworkLogonRight and SeDenyNetworkLogonRight entries are proper.
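The template check in steps 1 through 4 can be automated for review. The following Python script is an added example and is not part of the original tip or of any Microsoft tool: it parses the [Privilege Rights] section of a GptTmpl.inf, reports which of the SIDs from the template line above are missing from SeNetworkLogonRight or explicitly listed in SeDenyNetworkLogonRight (a deny entry wins over an allow entry), and increments the Version= value in GPT.INI as step 4 requires. The function names, the constructed sample templates, and the choice to also require Enterprise Domain Controllers (S-1-5-9) are my assumptions; the real files are UTF-16 text, so read them with encoding="utf-16".

```python
import re

# SIDs a DC needs in SeNetworkLogonRight (taken from the template line in the
# tip; S-1-5-9 is included here as an assumption, since DC-to-DC replication
# authenticates as Enterprise Domain Controllers).
REQUIRED_NETWORK_LOGON_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-11": "Authenticated Users",
    "S-1-1-0": "Everyone",
    "S-1-5-9": "Enterprise Domain Controllers",
}

# Constructed sample: Administrators missing, Authenticated Users denied.
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-554,*S-1-1-0,*S-1-5-9
SeDenyNetworkLogonRight = *S-1-5-11
"""

# Constructed sample matching the corrected line from the tip.
FIXED_GPTTMPL = """[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-554,*S-1-1-0,*S-1-5-9,*S-1-5-11,*S-1-5-32-544
SeDenyNetworkLogonRight =
"""


def parse_privilege_rights(inf_text):
    """Return {right_name: [sid, ...]} from the [Privilege Rights] section.
    Entries look like 'SeNetworkLogonRight = *S-1-5-32-544,*S-1-1-0'; the
    leading '*' marks a SID rather than an account name and is dropped."""
    rights = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        entries = [e.strip().lstrip("*") for e in value.split(",") if e.strip()]
        rights[name.strip()] = entries
    return rights


def check_network_logon(rights):
    """Return (missing, denied): required SIDs absent from SeNetworkLogonRight,
    and required SIDs that appear in SeDenyNetworkLogonRight (deny wins)."""
    allow = set(rights.get("SeNetworkLogonRight", []))
    deny = set(rights.get("SeDenyNetworkLogonRight", []))
    missing = sorted(s for s in REQUIRED_NETWORK_LOGON_SIDS if s not in allow)
    denied = sorted(s for s in REQUIRED_NETWORK_LOGON_SIDS if s in deny)
    return missing, denied


def bump_gpt_version(gpt_ini_text):
    """Increment Version= in GPT.INI text (CRLF preserved). The low 16 bits of
    the version cover computer settings, so +1 is enough for a MACHINE edit."""
    def repl(m):
        return f"{m.group(1)}{int(m.group(2)) + 1}"
    new_text, count = re.subn(r"(?mi)^(Version\s*=\s*)(\d+)(?=\r?$)", repl, gpt_ini_text)
    if count != 1:
        raise ValueError("GPT.INI does not contain exactly one Version= line")
    return new_text


if __name__ == "__main__":
    missing, denied = check_network_logon(parse_privilege_rights(SAMPLE_GPTTMPL))
    print("missing from SeNetworkLogonRight:", [REQUIRED_NETWORK_LOGON_SIDS[s] for s in missing])
    print("required but explicitly denied:", [REQUIRED_NETWORK_LOGON_SIDS[s] for s in denied])
    print(bump_gpt_version("[General]\r\nVersion=65539\r\n"))
```

Run it against a copy of the real GptTmpl.inf by replacing SAMPLE_GPTTMPL with the file contents; an empty missing list and an empty denied list mean steps 2 and 3 need no change.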
Verify the userAccountControl attribute:
All DCs must have a value of 532480 in the userAccountControl attribute.
The easiest way to find any incorrect values is to run the following script:
@echo off
setlocal ENABLEDELAYEDEXPANSION
set OK=Y
rem Enumerate every DC by RDN, then read each one's userAccountControl.
rem The first output line of dsquery * is the attribute header, so skip it.
for /f "Tokens=*" %%s in ('DSQUERY SERVER -O RDN') do (
 for /f "Skip=1 Tokens=*" %%a in ('dsquery * domainroot -filter "(&(objectCategory=Computer)(objectClass=Computer)(Name=%%s))" -attr userAccountControl -Limit 0') do (
  set uac=%%a
  IF "!uac:~0,6!" NEQ "532480" (
   @echo %%s has an invalid userAccountControl attribute - %%a.
   set OK=N
  ) ELSE (
   @echo %%s has a valid userAccountControl attribute.
  )
 )
)
If "%OK%" EQU "Y" (
 @echo All domain controllers have a valid userAccountControl attribute.
) ELSE (
 @echo Fix the invalid userAccountControl attribute(s^) using ADSIEdit.msc.
)
You can use ADSIEdit.msc to check, and change, the value:
1. Start / Run / adsiedit.msc / OK.
2. Expand the domain.
3. Expand the Domain Controllers container (OU).
4. Right-click an affected DC and press Properties.
5. In Windows Server 2003, check the Show mandatory attributes and Show optional attributes boxes on the Attribute Editor tab. In Windows 2000 Server, click Both in the Select which properties to view box.
6. In Windows Server 2003, select userAccountControl in the Attributes box. In Windows 2000 Server, select userAccountControl in the Select a property to view box.
7. If the value is NOT 532480, click Edit, set it to 532480, and apply the change.
8. Press OK.
9. Exit ADSI Edit.
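To see why 532480 is the expected value, it helps to decode it: it is SERVER_TRUST_ACCOUNT (0x2000, the computer object is a DC) plus TRUSTED_FOR_DELEGATION (0x80000). The following Python example is added here and is not code from the original tip; it decodes a userAccountControl value into its flag names and reports what is wrong with a value that is not 532480 (for example the disabled-account bit, or WORKSTATION_TRUST_ACCOUNT in place of SERVER_TRUST_ACCOUNT), which tells you which bit ADSI Edit needs to change. The flag table is the public definition of the userAccountControl attribute; the function names and the constructed DC values are assumptions.

```python
# Subset of the userAccountControl bit flags (public, stable constants).
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000020: "PASSWD_NOTREQD",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
KNOWN_BITS = 0
for _bit in UAC_FLAGS:
    KNOWN_BITS |= _bit

# A domain controller's computer object carries exactly these two flags.
DC_EXPECTED = 0x2000 | 0x80000  # == 532480


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def explain_dc_uac(value):
    """List what is wrong with a DC's userAccountControl; empty when it is 532480."""
    problems = []
    if not value & 0x2000:
        problems.append("SERVER_TRUST_ACCOUNT (0x2000) is not set: object is not marked as a DC")
    if not value & 0x80000:
        problems.append("TRUSTED_FOR_DELEGATION (0x80000) is not set")
    extra = value & ~DC_EXPECTED
    if extra:
        names = decode_uac(extra)
        unknown = extra & ~KNOWN_BITS
        if unknown:
            names.append(hex(unknown))  # bits outside the table, shown raw
        problems.append("unexpected flags set: " + ", ".join(names))
    return problems


def audit_dcs(uac_by_dc):
    """Map each DC name to its problem list: the same check the batch script
    above performs, but by flag rather than by string comparison."""
    return {dc: explain_dc_uac(uac) for dc, uac in uac_by_dc.items()}


if __name__ == "__main__":
    # Constructed values (hypothetical DC names): one healthy DC, one carrying a
    # workstation-type trust account, one with the disabled bit set.
    sample = {"DC1": 532480, "DC2": 4096, "DC3": 532482}
    for dc, problems in audit_dcs(sample).items():
        print(dc, decode_uac(sample[dc]), problems or "OK")
```

Feed audit_dcs the name/value pairs you read from dsquery or ADSI Edit; a non-empty list names the exact flag to clear or set in step 7.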
For Windows 2000 DCs only:
1. Verify that the Kerberos realm is the NetBIOS domain name.
2. If you made a change, shut down and restart the DC.
Reset the machine account password, and obtain a new Kerberos ticket:
1. Start / Run / Services.msc / OK.
2. Stop the Kerberos Key Distribution Center service.
3. Set the Startup type to Manual.
4. Open a CMD.EXE window.
5. Using Netdom.exe from the Support Tools, type the following command and press Enter:
netdom resetpwd /server: /userd:Administrator /passwordd:
The command must complete successfully.
6. Restart the affected DC.
7. Using Services.msc, set the Startup type of the Kerberos Key Distribution Center to Automatic.
8. Start the Kerberos Key Distribution Center service.
See the following Microsoft Knowledge Base articles for additional information:
325322 - "The server is not operational" error message when you try to open Exchange System Manager.
257623 - Domain controller's Domain Name System suffix does not match domain name.
257346 - "Access This Computer from the Network" user right causes tools not to work.
316710 - Disabled Kerberos key distribution prevents Exchange services from starting.
329642 - Error messages when you open Active Directory snap-ins and Exchange System Manager.
272686 - Error messages occur when Active Directory Users and Computers snap-in is opened.
329887 - You cannot interact with Active Directory MMC snap-ins.
322267 - Removing Client for Microsoft Networks removes other services.
297234 - Time difference exists between the client and the server.
247151 - Down-level domain users may receive an error message when starting MMC snap-ins.