
AD Logon Issue

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • AD Logon Issue

    Remote office with 5 Windows XP clients connected to our main office over a VPN. In AD Sites and Services, the subnet is 10.15.3.0/24 and is listed as part of the main site, ACH. There are no servers at the remote site. Windows Server 2003 domain at the 2003 functional level.

    Clients cannot connect to the Exchange server in the main office. The clients are also not registering with our AD-integrated DNS, although they register successfully in WINS. They receive all TCP/IP details from the local Cisco router acting as a DHCP server. All scope options are correct, including default gateway, DNS and WINS servers. This is confirmed by running “ipconfig /all” on the clients.

    In the event viewer on the clients, there are Event IDs 40961 and 40960. We have followed the advice in KB244474 but this didn’t fix the problem.

    Basic network connectivity is fine. We have used Microsoft’s PrtQryUI.exe on the client to verify that the correct ports are listening on the DC in the main office.

    We have tried removing client PCs from the domain and re-adding them. Same problem.

    Netdiag on the client failed with the following: 1) DNS failed. 2) DC list test failed (Warning – cannot call dsbind to ACHDCS002 Error_Kernel_Error). 3) Kerberos Test failed (Fatal) – Kerberos does not have a ticket for host xxxx.

    Users can log on to the domain from the clients, but this often takes a long time. Users all have local profiles only. Checking the environment variable LOGONSERVER often shows that clients are connecting to random DCs across the country. This implies that clients do not know which site they are in. AD Sites and Services has been confirmed as definitely correct.

    Taking a working laptop from head office to the remote office, it did not experience any of these issues. Logons were quick, Outlook worked fine.

    Help!

  • #2
    Re: AD Logon Issue

    As a first step I would recommend to set up a Windows Server 2003 DHCP server at the main office and configure a scope for the remote office. Configure DHCP to register client records in DNS. Remove the DHCP server on the Cisco router. You may or may not need to configure the ip helper-address on the Cisco router. See what happens after following these steps.



    • #3
      Re: AD Logon Issue

      We think it must be something Kerberos-related. Here are the netdiag results from a client.


      ........................................

      Computer Name: SAPDSK0003
      DNS Host Name: SAPDSK0003.hsa.co.uk
      System info : Windows 2000 Professional (Build 2600)
      Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
      List of installed hotfixes :
      .....


      Netcard queries test . . . . . . . : Passed



      Per interface results:

      Adapter : Local Area Connection

      Netcard queries test . . . : Passed

      Host Name. . . . . . . . . : SAPDSK0003.hsa.co.uk
      IP Address . . . . . . . . : 10.15.3.50
      Subnet Mask. . . . . . . . : 255.255.255.0
      Default Gateway. . . . . . : 10.15.3.254
      Primary WINS Server. . . . : 10.0.10.2
      Dns Servers. . . . . . . . : 10.0.10.1
      10.0.10.2


      AutoConfiguration results. . . . . . : Passed

      Default gateway test . . . : Passed

      NetBT name test. . . . . . : Passed
      [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
      r Service', <20> 'WINS' names is missing.

      WINS service test. . . . . : Passed


      Global results:


      Domain membership test . . . . . . : Passed


      NetBT transports test. . . . . . . : Passed
      List of NetBt transports currently configured:
      NetBT_Tcpip_{CAFDE34C-2C95-4D3D-9B04-563E0C1F4981}
      1 NetBt transport currently configured.


      Autonet address test . . . . . . . : Passed


      IP loopback ping test. . . . . . . : Passed


      Default gateway test . . . . . . . : Passed


      NetBT name test. . . . . . . . . . : Passed
      [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
      ce', <03> 'Messenger Service', <20> 'WINS' names defined.


      Winsock test . . . . . . . . . . . : Passed


      DNS test . . . . . . . . . . . . . : Failed
      [FATAL]: The DNS registration for 'SAPDSK0003.hsa.co.uk' is incorr
      ect on all DNS servers.


      Redir and Browser test . . . . . . : Passed
      List of NetBt transports currently bound to the Redir
      NetBT_Tcpip_{CAFDE34C-2C95-4D3D-9B04-563E0C1F4981}
      The redir is bound to 1 NetBt transport.

      List of NetBt transports currently bound to the browser
      NetBT_Tcpip_{CAFDE34C-2C95-4D3D-9B04-563E0C1F4981}
      The browser is bound to 1 NetBt transport.


      DC discovery test. . . . . . . . . : Passed


      DC list test . . . . . . . . . . . : Passed


      Trust relationship test. . . . . . : Passed
      Secure channel for domain 'HSAGROUP' is to '\\achdcs001.hsa.co.uk'.


      Kerberos test. . . . . . . . . . . : Failed
      [FATAL] Kerberos does not have a ticket for krbtgt/hsa.co.uk.
      [FATAL] Kerberos does not have a ticket for host/SAPDSK0003.hsa.co.uk.


      LDAP test. . . . . . . . . . . . . : Passed
      [FATAL] Cannot do Negotiate authenticated ldap_bind to 'achdcs001.hsa.co.uk'
      : Local Error.
      [WARNING] Failed to query SPN registration on DC 'achdcs001.hsa.co.uk'.
      [WARNING] Failed to query SPN registration on DC 'achdcs002.hsa.co.uk'.
      [WARNING] Failed to query SPN registration on DC 'jthdcs001.hsa.co.uk'.
      [WARNING] Failed to query SPN registration on DC 'lstdcs001.hsa.co.uk'.
      [WARNING] Failed to query SPN registration on DC 'WRDFPS001.hsa.co.uk'.
      [WARNING] Failed to query SPN registration on DC 'athdcs002.hsa.co.uk'.
      [WARNING] Failed to query SPN registration on DC 'dukdcs002.hsa.co.uk'.
      [FATAL] Cannot do Negotiate authenticated ldap_bind to 'hhodcs001.hsa.co.uk'
      : Local Error.
      [WARNING] Failed to query SPN registration on DC 'hhodcs001.hsa.co.uk'.
      [WARNING] Failed to query SPN registration on DC 'rhodcs001.hsa.co.uk'.
      [WARNING] Failed to query SPN registration on DC 'REMDCS001.hsa.co.uk'.
      [WARNING] Failed to query SPN registration on DC 'tmpdcs001.hsa.co.uk'.
      [WARNING] Failed to query SPN registration on DC 'temdcs002.hsa.co.uk'.


      Bindings test. . . . . . . . . . . : Passed


      WAN configuration test . . . . . . : Skipped
      No active remote access connections.


      Modem diagnostics test . . . . . . : Passed

      IP Security test . . . . . . . . . : Passed
      Service status is: Started
      Service startup is: Automatic
      IPSec service is available, but no policy is assigned or active
      Note: run "ipseccmd /?" for more detailed information


      The command completed successfully

      C:\Documents and Settings\philipj>



      • #4
        Re: AD Logon Issue

        Originally posted by joeqwerty:
        As a first step I would recommend to set up a Windows Server 2003 DHCP server at the main office and configure a scope for the remote office. Configure DHCP to register client records in DNS. Remove the DHCP server on the Cisco router. You may or may not need to configure the ip helper-address on the Cisco router. See what happens after following these steps.
        Thanks for the advice. Can you explain the rationale behind this? You have given us an idea though - we will try using a static IP address on the client...



        • #5
          Re: AD Logon Issue

          I'm thinking that even though the client should register itself in DNS that the Cisco DHCP is interfering with this process. By moving the DHCP services to a Windows 2003 server (which does handle DNS registrations on behalf of the clients very well) you'll eliminate the router as the cause of the problem. If you still have the same issue afterward at least you'll have eliminated one component from your troubleshooting.



          • #6
            Re: AD Logon Issue

            Issue fixed!

            We found that the largest MTU that worked was 1390 by trying this command with different packet sizes.

            ping -f -l 1390 10.15.3.45

            Then we set the maximum MTU size for the client's adapter to 1390 too via the registry:

            System Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[Adapter ID]]
            Value Name: MTU
            Data Type: REG_DWORD (DWORD Value)
            Value Data: 1390 (Decimal)

            Reboot the client. Registers itself in DNS fine and also Outlook now works correctly. We're very pleased, 4 of us have spent the last few days troubleshooting this!

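            The sweep the poster did by hand with "ping -f -l <size>", as an added example that is not part of the thread: a binary search for the largest Don't-Fragment payload the VPN path passes, the MTU that payload implies, and the per-interface registry value the thread set. It assumes a Windows ping binary for the real probe; simulated_probe is a constructed stand-in for the VPN path so the logic can be exercised offline.

```python
"""Path MTU sweep in the spirit of the thread's manual 'ping -f -l' probing."""
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df_cmd(host, payload):
    """Windows ping: DF bit set (-f), payload of -l bytes, a single echo (-n 1)."""
    return ["ping", "-f", "-l", str(payload), "-n", "1", host]


def windows_probe(host):
    """Return probe(payload) -> bool that really sends the ping (Windows only).
    Assumption: a DF drop prints 'Packet needs to be fragmented but DF set'
    and ping exits non-zero, so both are checked."""
    def probe(payload):
        result = subprocess.run(ping_df_cmd(host, payload),
                                capture_output=True, text=True)
        return result.returncode == 0 and "fragmented" not in result.stdout
    return probe


def find_max_payload(probe, lo=500, hi=1472):
    """Largest payload for which probe() succeeds. lo must pass (else None);
    hi = 1472 is the largest payload that fits a plain 1500-byte Ethernet MTU."""
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # fits: search upward
        else:
            hi = mid - 1      # dropped with DF set: search downward
    return lo


def mtu_from_payload(payload):
    """The on-the-wire MTU a successful DF ping payload corresponds to."""
    return payload + IP_ICMP_OVERHEAD


def reg_snippet(adapter_guid, mtu):
    """.reg text for the TCP/IP per-interface MTU value from the thread."""
    key = (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip"
           r"\Parameters\Interfaces\{" + adapter_guid + "}")
    return ("Windows Registry Editor Version 5.00\r\n\r\n[%s]\r\n"
            "\"MTU\"=dword:%08x\r\n" % (key, mtu))


def simulated_probe(path_mtu):
    """Constructed VPN path: a DF packet passes only if it fits the path MTU."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= path_mtu
```

            The thread's 1390 is the ICMP payload, so the path actually carries 1418-byte packets; writing the payload size into the MTU value, as the poster did, is simply a little more conservative than needed.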


            • #7
              Re: AD Logon Issue

              Well done - and have some REP for posting back your solution - this will no doubt help others in future.


              Tom
              For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

              Anything you say will be misquoted and used against you



              • #8
                Re: AD Logon Issue

                Originally posted by Hexen29:
                Issue fixed!

                We found that the largest MTU that worked was 1390 by trying this command with different packet sizes.

                ping -f -l 1390 10.15.3.45

                Then we set the maximum MTU size for the client's adapter to 1390 too via the registry
                Instead of fixing it on the clients, I suggest that you fix it on the router side. If I'm not totally senile, you need to configure the "adjust-mss" option on the Cisco.
                Guy Teverovsky
                "Smith & Wesson - the original point and click interface"
