ACE/STEVE

Thread starter: bill s via WinServerKB.com

bill s via WinServerKB.com

Here is the info....I can see problems with Netlogon???? Not sure and not
sure how to fix if so.
Thanks again......hope you can help

Ace / Steve here goes

Netdiag /fix

Computer name server1
DNS host name server1.bgcmeriden.org
Net card queries test Passed

Per interface results
Adapter Local area connection
NetCard queries test Passed
Host name Server1.bgcmeriden.org
IP address 192.168.1.4
Subnet mask 255.255.255.0
Default gateway 192.168.1.1
DNS server 192.168.1.4

Autoconfiguration results Passed
Global results
Domain membership Passed
NetBt transport test Passed
Autonet address test Passed
IP loopback Passed
NtBt home test Passed
Winsock Passed
DNS test Passed
Pass-all DNS entries for DC are registered on DNS
Server 192.168.1.4

Redirector and browser test Passed
DC discovery test Passed
DC list test Passed
Failed to enumerate DC’s by using Browser
Trust relationship Skipped
Kerberos test Passed
LDAP test Passed
Bindings test Passed
WAN config Skipped
Modem diag Passed
Command completed successfully

DCdiag /fix results

Starting test: Connectivity
Server1 passed test connectivity
Primary tests
Replications Server1 passed test replications
NCSecDesc Server1passed
Netlogons Server1…A net use or LSA policy
operation failed with
Error 67 The network
name cannot be found

Server1 failed Netlogons
Advertising Passed
KnowsofRoleHoldings Passed
Ridmanager Passed

Machine account could not open pipe with Server1 failed
with 67
Network name cannot be found
Could not get NetBios Domain
name failed connect test
for Host SPN
failed connect test
Missing SPN
Missing SPN
Server1 failed test
machine account
Could not open remote IPC to Server1 failed with 67 network name cannot be
found
Server1 failed test
services

Test: Objects
Server1 Passed test for objects replicated
Test: frssysvol
Server1 A net use or LSA policy operation
failed with error 67
Network name cannot be found
Server1 passed test
frssysvol (yes..it said passed)
Test: Kccevent
Failed to enumerate event log records error,
network name cannot be
Found
Server1 failed test
Kccevent
Test: syslog
Failed to enumerate event log records
Network name cannot be found
Server1 failed test
Systemlog

Enterprise tests on: bcmeriden.org
Test: intersite
Bgcmeriden.org Passed
Test: FsmcCheck
Bcmeriden.org Passed

DCdiag /v /fix
DC Diagnosis
Found 1 DC Testing 1 of them
Testing server Default first site name \ Server1

Test: Connectivity
Active Directory LDAP Services check
Active Directory RPC Services check
Server1 Passed test
connectivity

Primary tests
Replications check
Server1 passed test replications
Test: NCSecDesc
Server1 passed test NCSecDesc
Test: Netlogons
Server1..A net user LSA policy operation failed
with error 67
Network name cannot be found
Server1 failed test Netlogon
DC Server1 is advertising itself as a DC and has DNS

Is advertising as an LDAP Server
As having writeable
directory
As a key Dist Center
As a time Service
As a C
Server1 Passed advertising
Test: KnowofRoleHolders
Server1 Passed test KnowofRoleHolders
Test: RID manager
Server1 Passed test RDmanager
Test machine account:
Could not open pipe with Server1 failed with 67:
Network name cannot be found

Could not get NetBios name
Failed cannot test for Host SPN

SPN found: LDAP/Server1gcmeriden.org/bgcmeriden.org
SPN found: LDAP/Server1
Missing SPN(null)
SPN found: LDAP/41ad3a6f-1d84-4086-83bb-60dbc7dadfgd
Msdcs.bgcmeriden.org
SPN found /bgcmeriden.org
SPN found Host/server1.
bgcmeriden.org/bgcmeriden.org
SPN found Host/server1.
bgcmeriden.rg
SPN found Host/server1
Missing SPN (null)
SPN found GC/server1.bgcmeriden.
org/bgcmeriden.org
Server1 failed test machine account

Test: Services
Could not open IPC Server1 failed with 67 network
name cannot be found
Server1 failed test services

Test: Objects Replication
Server1 Passed test Objects Rep

Test: frssysvol
File replication service event log or LSA policy
operation failed
Network name cannot be found
File replication services sysvol is ready
Server1 Passed test frssysvol
Test: Kccvent
Failed to enumerate event log records
Network name cannot be found
Test: Fsmocheck
GC name \\server1.bgcmeriden.org
Locater flags 0xe0001fd
PDC name server1.bgcmeriden.org
Bgcmeriden.org Passed

CLIENT Ipconfig/all

Host name Tech5
Primary DNS _______
Node type hybrid
IP routing No
WINS proxy enable No
Connection specific DNS suffix bcmeriden.org
Description 3 com
Dhcp enabled Yes
Auto config Yes
IP Address 192.168.1.100
DNS server 192.168.1.4
(correct)

DC ipconfig/all

Host name Server1
Primary DNS bgcmeriden.org
Node hybrid
IP routing no
Wins no
DNS suffix bgcmeriden.org

Ethernet adapter

Connection specific DNS suffix
bgcmeriden.org
Description
3Com
Physical Address
blah blah
DHCP enabled
No (dhcp console says activated)
IP Address
192.168.1.4
Subnet Mask
255.255.255.0
Default gateway
192.168.1.1
DNS Server
192.168.1.4
 
bill s via WinServerKB.com said:
[quoted text clipped]
Thank you for posting that info. The ipconfigs look good.

Apparently back to the lack of the DC registering into DNS which is causing
all of this. Plus the " Error 67 The network name cannot be found"
message states that it cannot find the NetBIOS name via broadcast or WINS.

- Are DNS updates enabled on the bgcmeriden.org zone?
- Were there any registry changes made to prevent registration?
- Is the checkbox to allow registration set in the DC's IP properties,
advanced, DNS tab?
- Are any services stopped for any reason (such as you may have thought to
be a security concern)?
- Is NetBIOS disabled? (IP Properties, advanced, WINS tab)
- Is F&P Services disabled? (IP Properties)
- Is the Microsoft Client Service disabled? (IP Properties)
- DNS properties, Interfaces tab, what is set for the machine to listen to?
- Any odd entries in the Nameservers tab?
- Hosts file been compromised?


Also what's scary is the client has no Primary DNS Suffix. Is this machine
actually joined to the domain? Was that intentionally left with underscores
or is that truly blank or is it that you are having trouble joining this
machine?
CLIENT Ipconfig/all

Host name Tech5
Primary DNS _______

When registering, the machines use that Primary DNS Suffix name to register
into that zone in DNS. I assume the zone name in DNS is bgcmeriden.org?
That name is populated automatically when you join a machine to the domain,
unless the checkbox was inadvertently unchecked.

Try this on the DC/DNS server:
1. Change the zone to a Primary
2. Backup the system32\dns folder
3. Delete the zone.
4. Delete the netlogon.dns and the netlogon.dnb file in the system32\config
folder.
5. Recreate the zone
6. Make sure updates are set to allowed
7. Run in a CMD prompt:
ipconfig /registerdns
net stop netlogon
net start netlogon
netdiag /v /fix
dcdiag /v /fix
8. Then check the zone to see if the SRV records populated and if the server
registered itself in the zone.

Post the results and the answers to the questions above please.

Ace
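Step 8 of the procedure above is the one that confirms whether the fix worked, and it is easy to miss a record when eyeballing the DNS console. The script below is an added example, not something posted in this thread: it queries the DC's own DNS server for the SRV records a domain controller registers from netlogon.dns (the _ldap, _kerberos, _kpasswd and _gc names under the zone and its _msdcs subtree) plus the DC's host (A) record, and reports any that are missing or point at the wrong host. It assumes a Windows 8 / Server 2012 or later admin workstation with the DnsClient module (Resolve-DnsName), pointed at the DNS server from the thread; the domain, server address and DC name are taken from the posts and should be changed for another environment.

```powershell
# Added example (not from the thread). Requires the DnsClient module (Resolve-DnsName).
# Values below come from the thread; adjust them for your own domain.
param(
    [string]$Domain    = 'bgcmeriden.org',
    [string]$DnsServer = '192.168.1.4',
    [string]$DcHost    = 'server1.bgcmeriden.org'
)

# SRV names a DC writes into its zone via netlogon.dns when Netlogon starts.
$srvNames = @(
    "_ldap._tcp.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain",
    "_gc._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_kpasswd._tcp.$Domain"
)

function Test-DcSrvRecord {
    param([string]$Name, [string]$Server, [string]$ExpectedTarget)
    try {
        # -DnsOnly bypasses the local cache/hosts file so we see what the zone really holds.
        $rec = Resolve-DnsName -Name $Name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        return [pscustomobject]@{ Name = $Name; Status = 'MISSING'; Targets = ''; Detail = $_.Exception.Message }
    }
    $targets = @($rec | ForEach-Object { $_.NameTarget })
    $status  = if ($targets -contains $ExpectedTarget) { 'OK' } else { 'WRONG-TARGET' }
    [pscustomobject]@{ Name = $Name; Status = $status; Targets = ($targets -join ','); Detail = '' }
}

$results = @(foreach ($n in $srvNames) { Test-DcSrvRecord -Name $n -Server $DnsServer -ExpectedTarget $DcHost })

# The DC's own host record, which "ipconfig /registerdns" should create or refresh.
try {
    $a = Resolve-DnsName -Name $DcHost -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop
    $results += [pscustomobject]@{ Name = $DcHost; Status = 'OK'; Targets = (@($a.IPAddress) -join ','); Detail = '' }
} catch {
    $results += [pscustomobject]@{ Name = $DcHost; Status = 'MISSING'; Targets = ''; Detail = $_.Exception.Message }
}

$results | Format-Table -AutoSize
if ($results | Where-Object Status -ne 'OK') {
    Write-Warning "Some DC records are not registered in $Domain on $DnsServer; rerun 'ipconfig /registerdns', restart Netlogon and check the DNS Server and System event logs."
}
```

If every row shows OK the zone accepted the DC's dynamic updates and the Netlogon registration is in place; a MISSING row after the restart points back at the checklist (updates allowed on the zone, DNS listening interface, registration checkbox) rather than at the client side.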
 
What do you see on this server when you do a "net share"? And are there any error events being logged?

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.
 
Steve said:
What do you see on this server when you do a "net share"? And are there any error events being logged?

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.
Here is the info....I can see problems with Netlogon???? Not sure and not
sure how to fix if so.
[quoted text clipped - 222 lines]
DNS Server
192.168.1.4

Let me ask this.......Am I correct when I say that a DC should NEVER be
exposed to any node on the network that points to an external DNS? This I
presume is ANY node??
I have (on the live network) staff members that have their own PC's with XP
home which I believe cannot join a domain. So........all the staff members
are in a workgroup. However, they have administrative rights and can change
anything they want........and believe me they do. Could this have corrupted
the DC, and before I go live again do I need to ensure ALL PC's point to the
DC DNS? No exceptions?
I have a funny feeling that was the case when I put the DC on live and
someone in the workgroup may have corrupted the DNS data by changing their
DNS to an external DNS.
If this is so I will have to take total control before I go live again..

Thanks for your efforts guys....I really appreciate it. I'll be back.

Bill
 
bill s via WinServerKB.com said:
Steve said:
What do you see on this server when you do a "net share"? And are
there any error events being logged?

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.
Here is the info....I can see problems with Netlogon???? Not sure
and not sure how to fix if so.
[quoted text clipped - 222 lines]
DNS Server
192.168.1.4

Let me ask this.......Am I correct when I say that a DC should NEVER be
exposed to any node on the network that points to an external DNS?
This I presume is ANY node??
I have (on the live network) staff members that have their own PC's
with XP home which I believe cannot join a domain. So........all the
staff members are in a workgroup.

The machines being in a workgroup explain why they do not have a Primary DNS
Suffix.
However, they have administrative
rights and can change anything they want........and believe me they
do. Could this have corrupted the DC, and before I go live again

If the admin username and password is identical to what's on the server,
then yes, they may have changed something, otherwise, no.
do I
need to ensure ALL PC's point to the DC DNS? No exceptions?

I'm surprised you haven't done so already???? Wasn't that discussed in your
prior threads and were advised not to? That can be the WHOLE problem with
joining the domain.
Absolutely NO DNS servers referenced in any machines' IP properties in your
domain that do NOT have any reference to your AD domain. This pretty much
means NO external DNS servers.

I have a funny feeling that was the case when I put the DC on live and
someone in the workgroup may have corrupted the DNS data by changing
their DNS to an external DNS.

That would not corrupt anything. It would just cause the client machine not
to be able to access or authenticate in the domain.

If this is so I will have to take total control before I go live
again.
Absolutely.


Thanks for your efforts guys....I really appreciate it. I'll be back.

Bill

You are welcome.

What was the results of Steve's question about a net share?
Also, do you have any responses to my questions in my other post?

Ace
 
Ace said:
[quoted text clipped]
Ace......
To be honest this is getting into it a wee bit more than the situation calls
for. That and the fact it's pretty muddled at this point. Seeing I am under
little pressure from the powers that be I reloaded Winserver2K, set up my DNS
and DHCP (this is on the lab network) and am now joining the domain with a PC.
I even put the PC back into a workgroup and then back into the domain
without a problem. I ran diagnostics to see the difference in the readouts
compared to before. It is now quite clear and concise and very easy to follow.
Someone mentioned Norton hanging in the registry after removal and sure thing
there is some Norton still in the registry. I will keep an eye on that stuff
but right now it doesn't appear to be causing a problem. Norton does say to
place your PC's in trusted zones because it blocks Microsoft networking.
However the confusion lies in the fact that it seems not to block 100% of the
time. My other concern is the PC's with an outside DNS but if you say that
the only result of that is the user won't be able to log on then I really
don't care if they get on or not. You know who they will come to when they
cannot! As long as I can be ABSOLUTELY sure that is the only ramification
and that it cannot "corrupt" AD, that's fine with me. It sure was a
coincidence though the last time I put the DC on the live network.
Anyway...let's figure this to be the baseline and I will document every move
so if it happens again we know we don't have any previous problems lying
around............Thanks much.. I will be back if I have problems going live.
 
bill s via WinServerKB.com said:
[quoted text clipped]

That was me mentioning Norton, Zone Alarm, etc, in the registry with DLLs.

Bill, you really should ONLY use your own DNS server, especially the DC. If
the clients aren't using it, it's more than just not being able to logon.
There are numerous functions of a client machine in Active Directory that can
only be done using the internal DNS. Maybe I should have explained more
instead of giving you the "just can't logon" line. Depending on many
factors, there's authentication, accessing printers, accessing shares,
domain security, group policy, email, etc. See when a client tries to
communicate to AD, it queries DNS for service locations AD is offering. If
you use your ISP's, they don't have the answer and many functions fail. Do
yourself a favor, to help you in the future with AD, and follow best
practices, as any well versed AD administrator/IT director, try to follow
the golden rule with AD and DNS, and that is to ONLY use your own internal
DNS or you may wind up posting back with more errors in the future. Not that
we don't want to help, but an ounce of understanding and following these best
practices is worth a ton of functionality. (That sounds corny!) Configure a
forwarder for efficient Internet name resolution. This article shows you how
to configure a forwarder, among a few other things:

323380 - HOW TO: Configure DNS for Internet Access in Windows Server 2003
http://support.microsoft.com/d/?=323380

Here's more info about AD and DNS. Please read up on them.

825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003
http://support.microsoft.com/?id=825036

Frequently asked questions about Windows 2000 DNS and Windows Server 2003
DNS
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382

Good luck with everything.

Ace
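Ace's rule above (every domain member resolves only through the internal DNS, with Internet names handled by a forwarder on that server) is easy to state and easy to break by a local administrator. The script below is an added example, not part of this thread, that a domain admin can run on a workstation to audit that rule: it lists every IPv4 DNS server configured on the machine's adapters, flags any that are not in the internal list, and also checks the machine's Primary DNS Suffix, which earlier in the thread was blank on the Tech5 client because it was a workgroup member. It assumes Windows 8 / Server 2012 or later with the DnsClient module (Get-DnsClientServerAddress); the internal server address and domain name are the ones from the thread and are placeholders for any other network.

```powershell
# Added example (not from the thread). Requires the DnsClient module (Get-DnsClientServerAddress).
# Defaults come from the thread: the DC/DNS server and the AD domain name.
param(
    [string[]]$InternalDns = @('192.168.1.4'),
    [string]$AdDomain      = 'bgcmeriden.org'
)

function Get-DnsClientAudit {
    param([string[]]$Internal, [string]$Domain)
    $findings = @()

    # Every IPv4 resolver configured on a real (non-loopback) adapter.
    $cfg = Get-DnsClientServerAddress -AddressFamily IPv4 |
           Where-Object { $_.ServerAddresses.Count -gt 0 -and $_.InterfaceAlias -notmatch 'Loopback' }
    foreach ($c in $cfg) {
        foreach ($srv in $c.ServerAddresses) {
            if ($Internal -notcontains $srv) {
                # An ISP or other external resolver cannot answer the _ldap/_kerberos SRV
                # queries a domain member sends, so logon, GPO and share access break.
                $findings += [pscustomobject]@{
                    Interface = $c.InterfaceAlias; Problem = 'External DNS server configured'; Value = $srv }
            }
        }
    }

    # Primary DNS suffix: empty on a workgroup machine, set automatically on domain join.
    $suffix = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
    if ([string]::IsNullOrEmpty($suffix)) {
        $findings += [pscustomobject]@{
            Interface = '(system)'; Problem = 'No Primary DNS Suffix (workgroup member?)'; Value = '' }
    } elseif ($suffix -ne $Domain) {
        $findings += [pscustomobject]@{
            Interface = '(system)'; Problem = 'Primary DNS Suffix differs from AD domain'; Value = $suffix }
    }
    return $findings
}

$findings = Get-DnsClientAudit -Internal $InternalDns -Domain $AdDomain
if ($findings.Count -eq 0) {
    "DNS client settings OK: all resolvers are internal and the Primary DNS Suffix is $AdDomain"
} else {
    $findings | Format-Table -AutoSize
}
```

Running this from a logon script or a remote PowerShell session gives the "no exceptions" check Bill asked about in a form that can be repeated after each change, which fits his plan of documenting a baseline and every move made after it.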
 
Ace said:
bill s via WinServerKB.com said:
Ace......
To be honest this is getting into it a wee bit more than the
[quoted text clipped - 21 lines]
previous problems lying around............Thanks much.. I will be
back if I have problems going live.

That was me mentioning Norton, Zone Alarm, etc, in the registry with DLLs.

Bill, you really should ONLY use your own DNS server, especially the DC. If
the clients aren't using it, it's more than just not being able to logon.

Ace
I understand about the forwarder and will put my external DNS in it when the
time comes. I learned the hard way but this was a very valuable lesson
concerning the DNS setting on the Clients. Of course I had to set them to
external when using workgroups without a server.
This is a great site with many great helping hands. I am glad I found it.
Thanks again all and as I said, my baseline is now set up so anymore problems
can maybe be more clearly understood. Amazing how one little change can bring
the network to a halt. Pretty cool stuff.
Cheers
Bill
 
bill s via WinServerKB.com said:
[quoted text clipped]

I am glad you found this newsgroup as well to help you out.

Cheers!

Ace
 