Broken Active Directory 2003

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Broken Active Directory 2003

    Hi all.

    I had a Windows 2003 DC that was chugging along just fine until I tried to join a linux file server to the domain...

    Now everyone's computers are freezing randomly, various AD-related apps don't work, and DNS isn't working right because it stores its information in AD.

    For example... DCDIAG (at the DC) reports that active directory isn't responding, AD Users & Computers and GP Management (from my PC) say they can't contact the DC.

    However, it is still authenticating users, and AD tools (mostly) seem to work at the DC. I can still join PCs to the domain using <IP Address>\Username.

    I've been googling for two days, and tried a few things... no change. Any ideas?

    Thanks!

  • #2
    Re: Broken Active Directory 2003

    And if you disconnect the Linux machine for testing purposes?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Broken Active Directory 2003

      Of course, it's been disconnected since the problems started.



      • #4
        Re: Broken Active Directory 2003

        1- Verify DNS records

        2- Ping the server using the GUID
        Ping the server using the GUID in the server properties in dssite.msc

        3- Verify that KDC is running
        use "dcdiag /test:services"

        4- Verify that the correct PDC is always returned
        use "nltest /dsgetdc: /pdc /force /avoidself"
        nltest /sc_query:domainname
        nltest /sc_verify:domainname

        5- Check GC connectivity
        use "nltest /dsgetdc: /gc /force"

        6- Verify time server connectivity
        use "nltest /dsgetdc:domain /timeserv"

        7- Verify GPO
        use gpotool.exe

        8- Verify network settings
        use netdiag.exe

        9- Verify AD settings
        use dcdiag.exe

        10- Verify the replication topology
        use "dcdiag /test:topology"

        11- Verify replication partners and correct replication
        use the Repadmin.exe utility with /showreps
        use the Repadmin.exe utility with /showconn

        12- Verify replication synchronization
        use "repadmin /syncall"

        13- Use the Replmon.exe utility to determine if the pwdLastSet and unicodePwd attributes have consistent time/date stamps across computers

        14- Test that service principal names (SPNs) are registered on each domain controller
        use "dcdiag /test:OutboundSecureChannels"

        15- Make sure that the ENTERPRISE DOMAIN CONTROLLERS group has the required permissions on the directory partition ACLs
        a- Start the Active Directory Users and Computers snap-in.
        b- On the View menu, click Advanced Features, if it is not already selected.
        c- Right-click the root domain object, and then click Properties.
        d- Click the Security tab, click ENTERPRISE DOMAIN CONTROLLERS in the name list, and then make sure that the following permissions are selected under Allow:
        Manage Replication Topology
        Replicating Directory Changes
        Replication Synchronization

        16- Use the AD diagnostic tool DSASTAT.exe



        • #5
          Re: Broken Active Directory 2003

          1- verify DNS records
          How should I do that?

          2- Ping the server using the GUID
          Ping request could not find host 663c7edc-64f7-4d37-8769-9cb64a9b030e._msdcs.<OURDOMAIN>. Please check the name and try again.
          DCDIAG (at the DC) also says the GUID is not resolvable.


          3- Verify that KDC is running
          running and set to automatic.

          4- Verify that the correct PDC is always returned
          nltest /dsgetdc: /pdc /force /avoidself
          nltest /sc_query:domainname
          nltest /sc_verify:domainname

          DsGetDcName failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
          I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
          I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN


          5- Check GC Connectivity
          nltest /dsgetdc: /gc /force

          DC: \\<PDC-FQDN>
          Address: \\<PDC-IP-ADDRESS>
          Dom Guid: ebc76c6c-ae3b-4c0f-a0a1-7605d04fb86d
          Dom Name: <OUR-DOMAIN>
          Forest Name: <OUR-DOMAIN>
          Dc Site Name: Default-First-Site-Name
          Our Site Name: Default-First-Site-Name
          Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
          The command completed successfully


          6- Verify Time server connectivity
          nltest /dsgetdc:<our-domain-netbios> /timeserv

          DC: \\<PDC-NETBIOS>
          Address: \\<PDC-IP-ADDRESS>
          Dom Guid: ebc76c6c-ae3b-4c0f-a0a1-7605d04fb86d
          Dom Name: <OUR-DOMAIN-NETBIOS>
          Forest Name: <OUR-DOMAIN>
          Dc Site Name: Default-First-Site-Name
          Our Site Name: Default-First-Site-Name
          Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
          The command completed successfully


          7- Verify GPO
          gpotool

          It looks like it can't find the PDC...?
          Also, modification times are weird... I've never modified a GPO after 5pm.

          Validating DCs...
          Available DCs:
          <BDC-FQDN>
          Searching for policies...
          Found 5 policies
          ============================================================
          Policy {0972125C-3947-4239-B5A4-7724A45D0C02}
          Error: Cannot access \\<BDC-FQDN>\sysvol\<our-domain>\policies\{0972125C-3947-4239-B5A4-7724A45D0C02}, error 2
          Friendly name: IE - iVOS Mod
          Details:
          ------------------------------------------------------------
          DC: <BDC-FQDN>
          Friendly name: IE - iVOS Mod
          Created: 7/25/2007 9:18:27 PM
          Changed: 7/30/2007 7:07:16 PM
          DS version: 16(user) 8(machine)
          Sysvol version: not found
          Flags: 0 (user side enabled; machine side enabled)
          User extensions: [{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
          Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]
          Functionality version: 2
          ------------------------------------------------------------
          ============================================================
          Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
          Friendly name: Default Domain Policy
          Policy OK
          ============================================================
          Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
          Friendly name: Default Domain Controllers Policy
          Policy OK
          ============================================================
          Policy {6C49E44F-7155-4CC8-8218-C36C804BC5F0}
          Error: Cannot access \\<BDC-FQDN>\sysvol\<our-domain>\policies\{6C49E44F-7155-4CC8-8218-C36C804BC5F0}, error 2
          Friendly name: IE - Proxy-Desktop
          Details:
          ------------------------------------------------------------
          DC: <BDC-FQDN>
          Friendly name: IE - Proxy-Desktop
          Created: 7/25/2007 9:38:33 PM
          Changed: 7/30/2007 7:07:16 PM
          DS version: 1(user) 1(machine)
          Sysvol version: not found
          Flags: 0 (user side enabled; machine side enabled)
          User extensions: [{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
          Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]
          Functionality version: 2
          ------------------------------------------------------------
          ============================================================
          Policy {9C2E34D0-0844-465B-A9C6-797B758E338D}
          Error: Version mismatch on <BDC-FQDN>, DS=262153, sysvol=131075
          Friendly name: WordPerfect ODMA Patch
          Details:
          ------------------------------------------------------------
          DC: <BDC-FQDN>
          Friendly name: WordPerfect ODMA Patch
          Created: 5/16/2007 5:50:48 PM
          Changed: 7/30/2007 7:07:15 PM
          DS version: 4(user) 9(machine)
          Sysvol version: 2(user) 3(machine)
          Flags: 0 (user side enabled; machine side enabled)
          User extensions:
          Machine extensions: [{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]
          Functionality version: 2
          ------------------------------------------------------------
          ============================================================

          Errors found


          8- Verify network settings
          netdiag

          This looks whacked. How do I fix it?

          <snip>
          NetBT name test. . . . . . : Passed
          [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

          <snip>
          NetBT name test. . . . . . . . . . : Passed
          [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

          <snip>
          DNS test . . . . . . . . . . . . . : Failed
          [FATAL] File \config\netlogon.dns contains invalid DNS entries.
          [FATAL] File \config\netlogon.dns contains invalid DNS entries.
          [FATAL] File \config\netlogon.dns contains invalid DNS entries.
          [FATAL] No DNS servers have the DNS records for this DC registered.

          <snip>


          9- Verify AD setting
          use dcdiag.exe

          The host 663c7edc-64f7-4d37-8769-9cb64a9b030e._msdcs.<our-domain> could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc.
          Although the Guid DNS name (663c7edc-64f7-4d37-8769-9cb64a9b030e._msdcs.<our-domain>) couldn't be resolved, the server name (<PDC-FQDN>) resolved to the IP address (<PDC-IP>) and was pingable. Check that the IP address is registered correctly with the DNS server.
          .........................
          <PDC-NETBIOS> failed test Connectivity
          <snip>
          Testing server: Default-First-Site-Name\<PDC-NETBIOS>
          Skipping all tests, because server <PDC-NETBIOS> is not responding to directory service requests

          <snip>

          All other tests completed successfully.


          10- Verify the replication toplogy
          dcdiag /test:topology

          This also failed GUID resolution with no other errors.

          11- Verify replication partners and correct replication
          repadmin /showreps
          repadmin /showconn

          I couldn't get showconn to work.
          Output from showreps looks like it stopped replicating when I shut it down and hasn't replicated since? I don't get it.

          Default-First-Site-Name\<PDC-NETBIOS>
          DC Options: IS_GC
          Site Options: (none)
          DC object GUID: 663c7edc-64f7-4d37-8769-9cb64a9b030e
          DC invocationID: 663c7edc-64f7-4d37-8769-9cb64a9b030e

          ==== INBOUND NEIGHBORS ======================================

          DC=<domain-path>
          Default-First-Site-Name\<BDC-NETBIOS> via RPC
          DC object GUID: 063c11a0-1b4d-4cdc-a20c-34e7939e38b5
          Last attempt @ 2007-08-01 09:58:29 failed, result 8453 (0x2105):
          Replication access was denied.
          330 consecutive failure(s).
          Last success @ 2007-07-20 16:52:06.

          CN=Configuration,DC=<domain-path>
          Default-First-Site-Name\<BDC-NETBIOS> via RPC
          DC object GUID: 063c11a0-1b4d-4cdc-a20c-34e7939e38b5
          Last attempt @ 2007-08-01 09:58:30 failed, result 8453 (0x2105):
          Replication access was denied.
          300 consecutive failure(s).
          Last success @ 2007-07-20 16:52:06.

          CN=Schema,CN=Configuration,DC=<domain-path>
          Default-First-Site-Name\<BDC-NETBIOS> via RPC
          DC object GUID: 063c11a0-1b4d-4cdc-a20c-34e7939e38b5
          Last attempt @ 2007-08-01 09:58:30 failed, result 8453 (0x2105):
          Replication access was denied.
          291 consecutive failure(s).
          Last success @ 2007-07-20 16:52:06.

          Source: Default-First-Site-Name\<BDC-NETBIOS>
          ******* 330 CONSECUTIVE FAILURES since 2007-07-20 16:52:06

          Last error: 8453 (0x2105): Replication access was denied.
          Last edited by Sheree; 1st August 2007, 19:15.



          • #6
            Re: Broken Active Directory 2003

            12- Verify replication synchronization
            repadmin /syncall

            CALLBACK MESSAGE: Error contacting server <PDC-GUID> (network error): 1722 (0x6ba): The RPC server is unavailable.

            CALLBACK MESSAGE: Error contacting server <BDC-GUID> (network error): 1722 (0x6ba): The RPC server is unavailable.

            SyncAll exited with fatal Win32 error: 8440 (0x20f8): The naming context specified for this replication operation is invalid.


            13- Determine if the pwdLastSet and unicodePwd attributes have consistent time/date stamps across computers
            replmon.exe

            How do I use it? replmon and replmon /? don't seem to do anything.

            14- testing that service principal names (SPNs) are registered on each domain controller
            dcdiag /testutboundsecurechannels

            Nothing useful in this output. Just the names of what it was testing--no results.

            15- Make sure that the Enterprise Domain Controllers group has the required permissions on the directory partitions ACLs
            make sure that the following permissions are selected under Allow:
            Manage Replication Topology
            Replicating Directory Changes
            Replication Synchronization

            Yes, it is already set that way.

            16- Use AD diagnostic tool
            dsastat

            What exactly am I supposed to do with it? Forgive me, I'm not really any expert on Active Directory...

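The repadmin /showreps output posted above (result 8453, hundreds of consecutive failures, last success weeks back) is exactly the kind of thing a monitoring job should parse instead of an admin reading it by eye two days into an outage. The script below is an added example and not code from the thread: it parses a constructed sample in the same format (placeholder DC and domain names, with the indentation repadmin normally prints restored) and flags any partner whose last attempt failed or whose last success is older than a threshold. Result 8453 ("Replication access was denied") deserves its own alert: in this thread it went together with the DC's own computer account missing its DC flags (see post #8), and the same code appears when the replication rights on the partition ACLs from item 15 are missing or have been changed.

```python
"""Parse `repadmin /showreps` output and flag unhealthy inbound partners.

Added example, not code from the thread. The sample text below is constructed
to mirror the posted output (placeholder DC and domain names); the line
patterns follow the 2003-era repadmin format shown in the post."""
import re
from datetime import datetime, timedelta

SAMPLE_SHOWREPS = """\
Default-First-Site-Name\\DC1
DC Options: IS_GC
Site Options: (none)
DC object GUID: 663c7edc-64f7-4d37-8769-9cb64a9b030e
DC invocationID: 663c7edc-64f7-4d37-8769-9cb64a9b030e

==== INBOUND NEIGHBORS ======================================

DC=example,DC=com
    Default-First-Site-Name\\DC2 via RPC
        DC object GUID: 063c11a0-1b4d-4cdc-a20c-34e7939e38b5
        Last attempt @ 2007-08-01 09:58:29 failed, result 8453 (0x2105):
            Replication access was denied.
        330 consecutive failure(s).
        Last success @ 2007-07-20 16:52:06.

CN=Configuration,DC=example,DC=com
    Default-First-Site-Name\\DC2 via RPC
        DC object GUID: 063c11a0-1b4d-4cdc-a20c-34e7939e38b5
        Last attempt @ 2007-08-01 09:58:30 was successful.
"""

NC_RE = re.compile(r"^(DC=|CN=)")                    # naming context header, column 0
PARTNER_RE = re.compile(r"^\s+(\S+\\\S+) via (\S+)")  # "    Site\DC via RPC"
ATTEMPT_RE = re.compile(r"Last attempt @ (\S+ \S+) (?:failed, result (\d+)|was successful)")
FAILS_RE = re.compile(r"(\d+) consecutive failure")
SUCCESS_RE = re.compile(r"Last success @ (\S+ \S+)\.")
TS = "%Y-%m-%d %H:%M:%S"


def parse_showreps(text):
    """Return one dict per (naming context, inbound partner) pair."""
    neighbors, nc, cur = [], None, None
    for line in text.splitlines():
        if NC_RE.match(line):
            nc = line.strip()
            continue
        m = PARTNER_RE.match(line)
        if m and nc:
            cur = {"nc": nc, "partner": m.group(1), "transport": m.group(2),
                   "result": 0, "failures": 0, "last_attempt": None, "last_success": None}
            neighbors.append(cur)
            continue
        if cur is None:
            continue
        m = ATTEMPT_RE.search(line)
        if m:
            cur["last_attempt"] = datetime.strptime(m.group(1), TS)
            cur["result"] = int(m.group(2)) if m.group(2) else 0
            if cur["result"] == 0:      # a successful attempt is also the last success
                cur["last_success"] = cur["last_attempt"]
            continue
        m = FAILS_RE.search(line)
        if m:
            cur["failures"] = int(m.group(1))
            continue
        m = SUCCESS_RE.search(line)
        if m:
            cur["last_success"] = datetime.strptime(m.group(1), TS)
    return neighbors


def replication_issues(neighbors, now, max_age=timedelta(days=1)):
    """List (nc, partner, reason) for partners that failed or have gone stale."""
    issues = []
    for n in neighbors:
        if n["result"] != 0:
            issues.append((n["nc"], n["partner"],
                           f"last attempt failed with {n['result']} "
                           f"({n['failures']} consecutive failures)"))
        if n["last_success"] is None or now - n["last_success"] > max_age:
            last = n["last_success"].isoformat(" ") if n["last_success"] else "never"
            issues.append((n["nc"], n["partner"],
                           f"no successful replication in {max_age} (last success: {last})"))
    return issues


def check_sample(now_str="2007-08-01 10:00:00"):
    """Run the constructed sample through both steps with a fixed 'now'."""
    return replication_issues(parse_showreps(SAMPLE_SHOWREPS), datetime.strptime(now_str, TS))


if __name__ == "__main__":
    for nc, partner, why in check_sample():
        print(f"{nc}: {partner}: {why}")
```

On a real DC you would feed it `repadmin /showreps` captured from each partner rather than the sample, and pick max_age well below the forest's tombstone lifetime so a stale partner is caught long before it becomes unrecoverable.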


            • #7
              Re: Broken Active Directory 2003

              Fix your DNS first.
              If I read the errors, you've got a problem with DNS.

              Make a backup of the %systemroot%\system32\config\netlogon.dns file and delete the files Netlogon.dns and Netlogon.dnb.

              Then restart the Netlogon service on this server.
              After that, run netdiag /fix and then run netdiag /testNS /v

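The file Marcel is talking about is the list of records Netlogon tries to register for this DC; netdiag reported it "contains invalid DNS entries", and the GUID CNAME under _msdcs was the one name nothing could resolve. As an added example (not from the thread), the script below parses a constructed netlogon.dns in the zone-file style Netlogon writes (owner, TTL, IN, type, rdata, one record per line; the domain, host name, GUID and address are placeholders) and reports malformed lines plus any record a DC holding the PDC and GC roles should have but does not. Run before deleting and regenerating the file, a check like this tells you whether the problem is the file itself or the DNS server refusing the registration. Since every client and every replication partner finds the DC through these records, the AD-integrated zone should also be set to accept only secure dynamic updates, or any host on the network can overwrite them.

```python
"""Check a netlogon.dns file for malformed lines and missing DC records.

Added example, not code from the thread. Netlogon writes the file in zone-file
style (owner TTL IN type rdata, one record per line); the sample content,
domain, host name, GUID and address below are constructed placeholders."""

# Constructed sample: what a DC holding the PDC and GC roles should register,
# plus one deliberately malformed line of the kind netdiag complains about.
SAMPLE_NETLOGON_DNS = """\
example.com. 600 IN A 10.1.1.5
663c7edc-64f7-4d37-8769-9cb64a9b030e._msdcs.example.com. 600 IN CNAME dc1.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.pdc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.gc._msdcs.example.com. 600 IN SRV 0 100 3268 dc1.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kpasswd._tcp.example.com. 600 IN SRV 0 100 464 dc1.example.com.
this line is not a record
"""

RDATA_FIELDS = {"A": 1, "CNAME": 1, "SRV": 4}   # SRV rdata: priority weight port target


def parse_netlogon_dns(text):
    """Return (records, invalid): records as (owner, type, rdata), invalid as (lineno, line)."""
    records, invalid = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split()
        well_formed = (len(f) >= 4 and f[0].endswith(".") and f[1].isdigit()
                       and f[2] == "IN" and f[3] in RDATA_FIELDS
                       and len(f) == 4 + RDATA_FIELDS[f[3]])
        if not well_formed:
            invalid.append((lineno, line))
            continue
        records.append((f[0].lower(), f[3], tuple(x.lower() for x in f[4:])))
    return records, invalid


def expected_records(domain, dc_fqdn, dsa_guid, roles=()):
    """(owner, type) -> target for records every DC must register, plus role-specific ones."""
    d = domain.rstrip(".").lower() + "."
    dc = dc_fqdn.rstrip(".").lower() + "."
    expected = {
        (f"{dsa_guid.lower()}._msdcs.{d}", "CNAME"): dc,   # the name repadmin/dcdiag resolve
        (f"_ldap._tcp.{d}", "SRV"): dc,
        (f"_ldap._tcp.dc._msdcs.{d}", "SRV"): dc,
        (f"_kerberos._tcp.{d}", "SRV"): dc,
        (f"_kerberos._tcp.dc._msdcs.{d}", "SRV"): dc,
    }
    if "pdc" in roles:
        expected[(f"_ldap._tcp.pdc._msdcs.{d}", "SRV")] = dc
    if "gc" in roles:
        expected[(f"_ldap._tcp.gc._msdcs.{d}", "SRV")] = dc
    return expected


def check_netlogon_dns(text, domain, dc_fqdn, dsa_guid, roles=()):
    """Return (invalid_lines, missing); missing lists expected records not found in the file."""
    records, invalid = parse_netlogon_dns(text)
    # The file is per-DC, so one target per (owner, type) is enough here.
    present = {(owner, rtype): rdata[-1] for owner, rtype, rdata in records}
    missing = [f"{owner} {rtype} -> {target}"
               for (owner, rtype), target in expected_records(domain, dc_fqdn, dsa_guid, roles).items()
               if present.get((owner, rtype)) != target]
    return invalid, missing


if __name__ == "__main__":
    bad, gone = check_netlogon_dns(SAMPLE_NETLOGON_DNS, "example.com", "dc1.example.com",
                                   "663c7edc-64f7-4d37-8769-9cb64a9b030e", roles=("pdc", "gc"))
    for lineno, line in bad:
        print(f"line {lineno}: malformed: {line!r}")
    for rec in gone:
        print("missing:", rec)
```

The DSA GUID to pass is the "DC object GUID" that repadmin /showreps prints for the server, which is also the name dcdiag failed to resolve earlier in the thread.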


              • #8
                Re: Broken Active Directory 2003

                As a reminder, we have:
                PDC: My department's Primary Domain Controller (the spazzy one)
                BDC: My department's Backup Domain Controller (the one that got shut off over a weekend)
                ITS' Primary and secondary DNS servers (The DNS servers, hosted by the ITS department, that we forward WAN requests to).


                netdiag /fix
                Errors and warnings:

                NetBT name test. . . . . . : Passed
                [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

                NetBT name test. . . . . . . . . . : Passed
                [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

                Testing DNS
                PASS - All the DNS entries for DC are registered on DNS server '<PDC-IP>' and other DCs also have some of the names registered.
                [WARNING] The DNS entries for this DC are not registered correctly on DNS server '<PDC-IP>'. Please wait for 30 minutes for DNS server replication.
                [WARNING] The DNS entries for this DC are not registered correctly on DNS server '<ITS-2ND-DNS-IP>'. Please wait for 30 minutes for DNS server replication.


                netdiag /testNS /v
                many of these:

                Check the DNS registration for DCs entries on DNS server '<PDC-IP>'
                The Record is different on DNS server '<PDC-IP>'.
                DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain.

                many of these:
                Query for DC DNS entry <our-domain>. on DNS server <ITS-1ST-DNS-IP> failed.
                DNS Error code: 0x0000251D



                dcdiag
                Here's where it seems to get really interesting (and this is new after I followed Dumber's instructions):

                Starting test: MachineAccount
                The account <PDC-NETBIOS-Name> is not trusted for delegation. It cannot replicate.
                The account <PDC-NETBIOS-Name> is not a DC account. It cannot replicate.
                Warning: Attribute userAccountControl of <PDC-NETBIOS-Name> is: 0x11000 = ( UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD )
                Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION ) This may be affecting replication?
                .........................
                <PDC-NETBIOS-Name> failed test MachineAccount

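The userAccountControl value dcdiag printed is the real finding of the thread: 0x11000 is UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD, the flags of a member workstation, not of a DC, so other DCs refuse to replicate with it and the 8453 errors follow. The reverse case matters just as much for security: a computer object outside the Domain Controllers OU that carries UF_SERVER_TRUST_ACCOUNT is treated by the directory as a domain controller, which is why that flag is worth auditing on every computer object and not only on the one that is broken. The script below is an added example, not code from the thread: it decodes userAccountControl with the documented UF_* bit values and audits a constructed set of computer objects (placeholder names; the is_dc flag stands in for whether the object lives under OU=Domain Controllers, which a real audit would read over LDAP along with the attribute).

```python
"""Decode userAccountControl and audit computer objects for DC trust flags.

Added example, not code from the thread. UF_* values are the documented
ADS_USER_FLAG constants; the computer list is constructed (placeholder names)."""

UF_FLAGS = {
    0x0002: "UF_ACCOUNTDISABLE",
    0x0020: "UF_PASSWD_NOTREQD",
    0x0200: "UF_NORMAL_ACCOUNT",
    0x0800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x2000: "UF_SERVER_TRUST_ACCOUNT",
    0x10000: "UF_DONT_EXPIRE_PASSWD",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
    0x100000: "UF_NOT_DELEGATED",
    0x1000000: "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_TRUSTED_FOR_DELEGATION = 0x80000
DC_EXPECTED = UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION   # 0x82000, as dcdiag says

# Constructed sample: (sAMAccountName, userAccountControl, lives under OU=Domain Controllers)
SAMPLE_COMPUTERS = [
    ("DC1$", 0x11000, True),        # the thread's broken DC: workstation flags on a DC object
    ("DC2$", 0x82000, True),        # healthy DC
    ("WS-FINANCE$", 0x1000, False),
    ("WS-ROGUE$", 0x82000, False),  # a workstation object carrying DC flags: investigate
]


def decode_uac(value):
    """Names of the set bits, lowest bit first; bits not in the table are kept as hex."""
    names = [name for bit, name in sorted(UF_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UF_FLAGS)
    if unknown:
        names.append(f"0x{unknown:x}")
    return names


def audit_computer(sam, uac, is_dc):
    """Return findings for one computer object."""
    findings = []
    if is_dc and (uac & DC_EXPECTED) != DC_EXPECTED:
        findings.append(f"{sam}: DC object lacks SERVER_TRUST|TRUSTED_FOR_DELEGATION, "
                        f"has {' | '.join(decode_uac(uac))}; replication partners will refuse it")
    if not is_dc and uac & UF_SERVER_TRUST_ACCOUNT:
        findings.append(f"{sam}: non-DC computer carries UF_SERVER_TRUST_ACCOUNT "
                        f"and is treated by the directory as a domain controller")
    if uac & UF_WORKSTATION_TRUST_ACCOUNT and uac & UF_SERVER_TRUST_ACCOUNT:
        findings.append(f"{sam}: both workstation and server trust flags set")
    return findings


def audit_all(computers=SAMPLE_COMPUTERS):
    """Flatten findings across a list of (sam, uac, is_dc) tuples."""
    return [f for sam, uac, is_dc in computers for f in audit_computer(sam, uac, is_dc)]


if __name__ == "__main__":
    print("0x11000 =", " | ".join(decode_uac(0x11000)))
    for finding in audit_all():
        print(finding)
```

Changing these flags on a DC object is what the ADSIEdit fix in post #9 amounts to; the audit is the part you keep running afterwards, because a computer object that silently gains UF_SERVER_TRUST_ACCOUNT is a change you want to hear about the day it happens.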


                • #9
                  Re: Broken Active Directory 2003

                  This has been fixed!

                  Thank you, Dumber, for pointing me in the right direction with how to fix DNS.
                  The rest of it involved editing the PDC's attributes with ADSIEdit and forcing replication from both DCs...

                  Everything is back to normal now.



                  • #10
                    Re: Broken Active Directory 2003

                    <insert loud scream> PDC and BDC do NOT apply to an Active Directory domain.
                    1 1 was a racehorse.
                    2 2 was 1 2.
                    1 1 1 1 race 1 day,
                    2 2 1 1 2



                    • #11
                      Re: Broken Active Directory 2003

                      Good to hear that you fixed it.
                      Did you also check the replication with replmon?



                      • #12
                        Re: Broken Active Directory 2003

                        Originally posted by biggles77
                        <insert loud scream> PDC and BDC do NOT apply to an Active Directory domain.
                        That sure was helpful... Whooo-ee, next time I have a broken Windows 2003 server I'll forgo asking questions and just come find you so I can get screamed at.

                        I suppose now you're going to tell me not to end a sentence with a preposition. =p


                        Originally posted by Dumber
                        Did you also checked the replication with replmon?
                        ... Still can't figure out what replmon is supposed to be doing... invoking it with command line or double-click doesn't do anything. All REPADMIN, DCDIAG, and other tools show them replicating successfully though. All seems well!

                        EDIT: Oh, duh, there must be a DLL that I forgot to register on the DC (Didn't install the support tools, just copied the ones I wanted to use). It works on my PC (Which does have them installed), and shows successful replications.
                        /smack forehead
                        Last edited by Sheree; 3rd August 2007, 17:44.



                        • #13
                          Re: Broken Active Directory 2003

                          Well done.



                          • #14
                            Re: Broken Active Directory 2003

                            Originally posted by Sheree
                            I suppose now you're going to tell me not to end a sentence with a preposition. =p
                            Would never dream of it, but ending the sentence with a proposition is not unheard of.


                            For the last 7 (going on 8) years we have had Active Directory, yet people/Administrators/IT Professionals still refer to a PDC and a BDC when talking about their Domain Controllers. Technical terminology is very precise, and using the wrong words to describe a problem can result in wrong solutions being applied and the problem made worse.

                            I am NOT having a go at you, I just hate PDC and BDC being used to describe an AD environment. (It is hard being a pedantic bastard.)

                            Lastly, never slap yourself on the forehead. Get a junior assistant and use the back of theirs.



                            • #15
                              Re: Broken Active Directory 2003

                              Okay, well, it was easier to type than "Flexible Single Master Operations Role Holder and Primary Domain Controller Emulator and Also the First Domain Controller that We Set Up--Oh, yeah, and The One That Everyone Logs In To."

                              ... I am the junior assistant. Anyone hiring? Ha ha.
                              Last edited by Sheree; 6th August 2007, 22:59.
