Announcement

Collapse
No announcement yet.

Client connection fails between specific times

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Client connection fails between specific times

    Greetings All itís been a while.

    Iíve had an issue on my network for a few months now and have tried many things to try and resolve this.

    Local Domain 2003 with XP clients (and a few 2000)
    2 x DCsí
    Additional Servers
    1 x ISA 2006
    1 x WSUS3

    Ok this started some time ago with the following 2 errors on a client that kept having a problem with an application it was running.
    I noticed it was getting the same errors between 18:00 and 06:00 every hour or so every night.

    APPLICATION LOG

    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1053
    Date: 15/04/2010
    Time: 19:05:59
    User: NT AUTHORITY\SYSTEM
    Computer: ****-HU-FLEX
    Description:
    Windows cannot determine the user or computer name. (An internal error occurred. ). Group Policy processing aborted.

    SYSTEM LOG

    Event Type: Warning
    Event Source: LSASRV
    Event Category: SPNEGO (Negotiator)
    Event ID: 40961
    Date: 15/04/2010
    Time: 19:05:57
    User: N/A
    Computer: ****-HU-FLEX
    Description:
    The Security System could not establish a secured connection with the server LDAP/delta2.****.org.uk. No authentication protocol was available.

    I have looked at possible causes and solutions but nothing has worked thus far
    I have tried

    Most of the solutions on EventID.com
    And there are a few!

    Upgrading NIC drivers
    Adding a reverse look-up zone in DNS
    Running rundll32.exe keymgr.dll, KRShowKeyMgr checking and adding entries as required.

    I donít think the Kerberos.dll hotfix is an issue although the versions are different as during the day there is not a problem.

    I have checked ISA schedules and put them to allow 24/7 internal to internal that also did not work.

    Has anyone come across this type of problem before where the connection fails but only at certain times?
    The Univurse is still winning!

    W2K AD, WSUS, RIS 2003. ISA also AVG Server
    ** If contributors help you, recognise them and give reputation points where appropriate **

  • #2
    Re: Client connection fails between specific times

    Internal to internal is normally pretty useless, unless you have added other subnets (for example remote offices) to your internal object.
    Please run dcdiag and post the output over here.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

    Comment


    • #3
      Re: Client connection fails between specific times

      Is anything running on any of the servers during this time that would load them up??

      Are all the servers on the same subnet???

      Have you checked the power settings on the NIC?? I always uncheck the allow the computer to turn off the device to save power.

      Comment


      • #4
        Re: Client connection fails between specific times

        Hi Guys

        Thanks for the responce

        Both on same subnet nothing running on either and power settings are as far as I can see ok. Here is the DCdiag output from one (both show the same results)

        Testing server: Hull\DC2
        Starting test: Connectivity
        ......................... DC2 passed test Connectivity

        Doing primary tests

        Testing server: Hull\DC2
        Starting test: Replications
        ......................... DC2 passed test Replications
        Starting test: NCSecDesc
        ......................... DC2 passed test NCSecDesc
        Starting test: NetLogons
        ......................... DC2 passed test NetLogons
        Starting test: Advertising
        ......................... DC2 passed test Advertising
        Starting test: KnowsOfRoleHolders
        ......................... DC2 passed test KnowsOfRoleHolders
        Starting test: RidManager
        ......................... DC2 passed test RidManager
        Starting test: MachineAccount
        ......................... DC2 passed test MachineAccount
        Starting test: Services
        ......................... DC2 passed test Services
        Starting test: ObjectsReplicated
        ......................... DC2 passed test ObjectsReplicated
        Starting test: frssysvol
        ......................... DC2 passed test frssysvol
        Starting test: frsevent
        ......................... DC2 passed test frsevent
        Starting test: kccevent
        ......................... DC2 passed test kccevent
        Starting test: systemlog
        ......................... DC2 passed test systemlog
        Starting test: VerifyReferences
        ......................... DC2 passed test VerifyReferences

        Running partition tests on : ForestDnsZones
        Starting test: CrossRefValidation
        ......................... ForestDnsZones passed test CrossRefValidation

        Starting test: CheckSDRefDom
        ......................... ForestDnsZones passed test CheckSDRefDom

        Running partition tests on : DomainDnsZones
        Starting test: CrossRefValidation
        ......................... DomainDnsZones passed test CrossRefValidation

        Starting test: CheckSDRefDom
        ......................... DomainDnsZones passed test CheckSDRefDom

        Running partition tests on : Schema
        Starting test: CrossRefValidation
        ......................... Schema passed test CrossRefValidation
        Starting test: CheckSDRefDom
        ......................... Schema passed test CheckSDRefDom

        Running partition tests on : Configuration
        Starting test: CrossRefValidation
        ......................... Configuration passed test CrossRefValidation
        Starting test: CheckSDRefDom
        ......................... Configuration passed test CheckSDRefDom

        Running partition tests on : ****
        Starting test: CrossRefValidation
        ......................... **** passed test CrossRefValidation
        Starting test: CheckSDRefDom
        ......................... **** passed test CheckSDRefDom

        Running enterprise tests on : ****.org.uk
        Starting test: Intersite
        ......................... ****.org.uk passed test Intersite
        Starting test: FsmoCheck
        ......................... ****.org.uk passed test FsmoCheck


        This is so frustrating!
        I am seriously considering a rebuild from scratch on both DCs' I have even stripped GPOs back to minimum just in case there was an issue there and nothing seems to resolve it. The major issue is that one of the affected clients normally runs our Flexible working software and that needs to talk to a clock 24/7 (it's currently uninstalled while this issue is ongoing)

        I have just had a thought in that the clocks that run with this software are on the network with their own IPs and I'm just wondering if the DC's could be picking up something from them? They just sit in the backgrround on static IP 10.5.0.230 and 231. They just sit there the only thing that utilises the IP's is the software but I cant see how it might affect a DC
        Anyone think this could be an issue ?
        The Univurse is still winning!

        W2K AD, WSUS, RIS 2003. ISA also AVG Server
        ** If contributors help you, recognise them and give reputation points where appropriate **

        Comment


        • #5
          Re: Client connection fails between specific times

          Tried a secure channel reset??

          http://support.microsoft.com/kb/158148

          Comment


          • #6
            Re: Client connection fails between specific times

            please post a netdiag from the DC's and an ipconfig /all from a client....
            Marcel
            Technical Consultant
            Netherlands
            http://www.phetios.com
            http://blog.nessus.nl

            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
            "No matter how secure, there is always the human factor."

            "Enjoy life today, tomorrow may never come."
            "If you're going through hell, keep going. ~Winston Churchill"

            Comment


            • #7
              Re: Client connection fails between specific times

              Dumber

              As requested

              NetDiag from both DCs and ipconfig from a client.

              wullieb1

              No not tried that yet.



              netdiag DC1
              .........................................

              Computer Name: DC1
              DNS Host Name: DC1.****.org.uk
              System info : Microsoft Windows Server 2003 (Build 3790)
              Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel

              Netcard queries test . . . . . . . : Passed



              Per interface results:

              Adapter : Local Area Connection

              Netcard queries test . . . : Passed

              Host Name. . . . . . . . . : DC1
              IP Address . . . . . . . . : 10.5.0.252
              Subnet Mask. . . . . . . . : 255.0.0.0
              Default Gateway. . . . . . : 10.5.0.251
              Primary WINS Server. . . . : 10.5.0.252
              Secondary WINS Server. . . : 10.5.0.243
              Dns Servers. . . . . . . . : 10.5.0.243
              10.5.0.252


              AutoConfiguration results. . . . . . : Passed

              Default gateway test . . . : Passed

              NetBT name test. . . . . . : Passed
              [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
              r Service', <20> 'WINS' names is missing.

              WINS service test. . . . . : Passed


              Global results:


              Domain membership test . . . . . . : Passed


              NetBT transports test. . . . . . . : Passed
              List of NetBt transports currently configured:
              NetBT_Tcpip_{9FA0FD83-B4A2-4074-8223-ABE25254E680}
              1 NetBt transport currently configured.


              Autonet address test . . . . . . . : Passed


              IP loopback ping test. . . . . . . : Passed


              Default gateway test . . . . . . . : Passed


              NetBT name test. . . . . . . . . . : Passed
              [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
              ce', <03> 'Messenger Service', <20> 'WINS' names defined.


              Winsock test . . . . . . . . . . . : Passed


              DNS test . . . . . . . . . . . . . : Passed
              PASS - All the DNS entries for DC are registered on DNS server '10.5.0.243'
              and other DCs also have some of the names registered.
              PASS - All the DNS entries for DC are registered on DNS server '10.5.0.252'
              and other DCs also have some of the names registered.


              Redir and Browser test . . . . . . : Passed
              List of NetBt transports currently bound to the Redir
              NetBT_Tcpip_{9FA0FD83-B4A2-4074-8223-ABE25254E680}
              The redir is bound to 1 NetBt transport.

              List of NetBt transports currently bound to the browser
              NetBT_Tcpip_{9FA0FD83-B4A2-4074-8223-ABE25254E680}
              The browser is bound to 1 NetBt transport.


              DC discovery test. . . . . . . . . : Passed


              DC list test . . . . . . . . . . . : Passed


              Trust relationship test. . . . . . : Passed
              Secure channel for domain '****' is to '\\DC2.****.org.uk'.


              Kerberos test. . . . . . . . . . . : Passed


              LDAP test. . . . . . . . . . . . . : Passed


              Bindings test. . . . . . . . . . . : Passed


              WAN configuration test . . . . . . : Skipped
              No active remote access connections.


              Modem diagnostics test . . . . . . : Passed

              IP Security test . . . . . . . . . : Skipped

              Note: run "netsh ipsec dynamic show /?" for more detailed information


              The command completed successfully



              __________________________________________________ ______________

              NETDIAG DC2

              Computer Name: DC2
              DNS Host Name: DC2.****.org.uk
              System info : Microsoft Windows Server 2003 (Build 3790)
              Processor : x86 Family 6 Model 15 Stepping 6, GenuineIntel



              Netcard queries test . . . . . . . : Passed



              Per interface results:

              Adapter : Local Area Connection

              Netcard queries test . . . : Passed

              Host Name. . . . . . . . . : DC2
              IP Address . . . . . . . . : 10.5.0.243
              Subnet Mask. . . . . . . . : 255.0.0.0
              Default Gateway. . . . . . : 10.5.0.251
              Primary WINS Server. . . . : 10.5.0.252
              Secondary WINS Server. . . : 10.5.0.243
              Dns Servers. . . . . . . . : 10.5.0.252
              10.5.0.243


              AutoConfiguration results. . . . . . : Passed

              Default gateway test . . . : Passed

              NetBT name test. . . . . . : Passed
              [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
              r Service', <20> 'WINS' names is missing.

              WINS service test. . . . . : Passed


              Global results:


              Domain membership test . . . . . . : Passed


              NetBT transports test. . . . . . . : Passed
              List of NetBt transports currently configured:
              NetBT_Tcpip_{9E2667AD-2BCB-4DD1-984D-F32DA1FE7091}
              1 NetBt transport currently configured.


              Autonet address test . . . . . . . : Passed


              IP loopback ping test. . . . . . . : Passed


              Default gateway test . . . . . . . : Passed


              NetBT name test. . . . . . . . . . : Passed
              [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
              ce', <03> 'Messenger Service', <20> 'WINS' names defined.


              Winsock test . . . . . . . . . . . : Passed


              DNS test . . . . . . . . . . . . . : Passed
              PASS - All the DNS entries for DC are registered on DNS server '10.5.0.252'
              and other DCs also have some of the names registered.
              PASS - All the DNS entries for DC are registered on DNS server '10.5.0.243'
              and other DCs also have some of the names registered.


              Redir and Browser test . . . . . . : Passed
              List of NetBt transports currently bound to the Redir
              NetBT_Tcpip_{9E2667AD-2BCB-4DD1-984D-F32DA1FE7091}
              The redir is bound to 1 NetBt transport.

              List of NetBt transports currently bound to the browser
              NetBT_Tcpip_{9E2667AD-2BCB-4DD1-984D-F32DA1FE7091}
              The browser is bound to 1 NetBt transport.


              DC discovery test. . . . . . . . . : Passed


              DC list test . . . . . . . . . . . : Passed


              Trust relationship test. . . . . . : Skipped


              Kerberos test. . . . . . . . . . . : Passed


              LDAP test. . . . . . . . . . . . . : Passed


              Bindings test. . . . . . . . . . . : Passed


              WAN configuration test . . . . . . : Skipped
              No active remote access connections.


              Modem diagnostics test . . . . . . : Passed

              IP Security test . . . . . . . . . : Skipped

              Note: run "netsh ipsec dynamic show /?" for more detailed information


              The command completed successfully
              __________________________________________________ ______________

              Client IPConfig

              Microsoft Windows XP [Version 5.1.2600]
              (C) Copyright 1985-2001 Microsoft Corp.

              C:\Documents and Settings\*********>ipconfig/all

              Windows IP Configuration

              Host Name . . . . . . . . . . . . : ****-hu-flex
              Primary Dns Suffix . . . . . . . : ****.org.uk
              Node Type . . . . . . . . . . . . : Hybrid
              IP Routing Enabled. . . . . . . . : No
              WINS Proxy Enabled. . . . . . . . : No
              DNS Suffix Search List. . . . . . : ****.org.uk
              org.uk

              Ethernet adapter Local Area Connection 2:

              Connection-specific DNS Suffix . :
              Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Eth
              ernet NIC
              Physical Address. . . . . . . . . : 00-40-F4-C0-C0-B4
              Dhcp Enabled. . . . . . . . . . . : No
              IP Address. . . . . . . . . . . . : 10.5.0.248
              Subnet Mask . . . . . . . . . . . : 255.0.0.0
              Default Gateway . . . . . . . . . : 10.5.0.251
              DNS Servers . . . . . . . . . . . : 10.5.0.252
              10.5.0.243
              Primary WINS Server . . . . . . . : 10.5.0.252

              Ethernet adapter Local Area Connection:

              Media State . . . . . . . . . . . : Media disconnected
              Description . . . . . . . . . . . : SiS 900-Based PCI Fast Ethernet Adap
              ter
              Physical Address. . . . . . . . . : 00-01-6C-3F-56-BE

              C:\Documents and Settings\**********>
              The Univurse is still winning!

              W2K AD, WSUS, RIS 2003. ISA also AVG Server
              ** If contributors help you, recognise them and give reputation points where appropriate **

              Comment


              • #8
                Re: Client connection fails between specific times

                it appears that the trust relationship is broken between the computer and the domain controller. try resetting the computer account's password in active directory. if this does not work then remove the computer from the domain and then rejoin it.

                MCSE, MCTS, MCITP

                Comment


                • #9
                  Re: Client connection fails between specific times

                  Morning

                  I have just taken Wullieb1's Advice and used NLTEST with results I did not expect!!

                  C:\Documents and Settings\Administrator>nltest /sc_query:****.org.uk
                  I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

                  C:\Documents and Settings\Administrator>nltest /sc_verify:****.org.uk
                  I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

                  C:\Documents and Settings\Administrator>nltest /dclist:****.org.uk
                  Get list of DCs in domain '****.org.uk' from '\\DC2.****.org.uk'.
                  DC1.****.org.uk [DS] Site: Hull
                  DC2.****.org.uk [PDC] [DS] Site: Hull
                  The command completed successfully

                  C:\Documents and Settings\Administrator>nltest /dcname:****.org.uk
                  NetGetDCName failed: Status = 2453 0x995 NERR_DCNotFound

                  C:\Documents and Settings\Administrator>


                  Obviously there appears to be an issue here. What's that next step?
                  The Univurse is still winning!

                  W2K AD, WSUS, RIS 2003. ISA also AVG Server
                  ** If contributors help you, recognise them and give reputation points where appropriate **

                  Comment


                  • #10
                    Re: Client connection fails between specific times

                    I have just run NLTest on DC1 and the sc_query works on that one. DC2 is the PDC
                    Is that a contributing factor as to why it will not identify when I run the same command on DC2 or is there a problem with this?
                    The Univurse is still winning!

                    W2K AD, WSUS, RIS 2003. ISA also AVG Server
                    ** If contributors help you, recognise them and give reputation points where appropriate **

                    Comment


                    • #11
                      Re: Client connection fails between specific times

                      Try running nltest /SC_RESET:<YOUR_DOMAIN_NAME> from the affected machine.

                      Comment


                      • #12
                        Re: Client connection fails between specific times

                        Ok done that

                        DC1 worked ok
                        DC2 However gave

                        C:\Documents and Settings\Administrator>nltest /sc_reset:HMCC.org.uk
                        I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

                        I am begining to think the original DCPromo on DC2 did not work correctly

                        I'll see if the issue remains in the morning when I check the Event logs on the clients

                        EDIT 14/7/2010

                        Nothing has changed the client is still reporting the errors as in the original post

                        I've done some further digging on this and it appears that the above responce is expected when run from a PDC emulator as DC2 is. *Sigh*

                        Oh well back to the drawing board
                        Last edited by AndyUK; 14th July 2010, 13:06.
                        The Univurse is still winning!

                        W2K AD, WSUS, RIS 2003. ISA also AVG Server
                        ** If contributors help you, recognise them and give reputation points where appropriate **

                        Comment


                        • #13
                          Re: Client connection fails between specific times

                          Originally posted by dgoldsmith1 View Post
                          it appears that the trust relationship is broken between the computer and the domain controller. try resetting the computer account's password in active directory. if this does not work then remove the computer from the domain and then rejoin it.

                          MCSE, MCTS, MCITP
                          dgoldsmith1 thanks for this but I've already tried this on more than one client and the result remains the same.
                          The Univurse is still winning!

                          W2K AD, WSUS, RIS 2003. ISA also AVG Server
                          ** If contributors help you, recognise them and give reputation points where appropriate **

                          Comment


                          • #14
                            Re: Client connection fails between specific times

                            Try moving the PDC emuator role from DC2 to DC1 and see if that makes a difference.

                            Also check your DNS settings on DC2 and enure that they are correct. Probably already done but worth a shot.

                            Comment

                            Working...
                            X