Active Directory keeps stopping

Thread starter: inthedark

inthedark

A simple site running one AD server (Windows 2000) and a few clients. It
has been running fine for years, but the company were picking up lots of
spam on their server. On the same day I did the following:

1) Ran Windows Update
2) Installed the FTGate mail server
3) Created a public lookup zone so that the server could become the
primary DNS for a domain.
(This was needed for just a few days until the new ISP could handle the
DNS.)

After a few hours, sometimes days, AD stops running. After a reboot it
all works fine again. I have tried everything to resolve this error but
now need help.

What I did was (SPANNING SEVERAL WEEKS):

1) Removed the public domain lookup zone from the DNS.
2) Ran DCDIAG & NETDIAG to see if there were any problems:

Conclusion:

After a reboot the netdiag report is clean, but when AD enters the error
condition I get the following (only the part of the report with errors is
included):

-----------netdiag

DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to myserv1.MYDOM.local (192.168.1.3).
[ERROR_OUTOFMEMORY]

Trust relationship test. . . . . . : Skipped

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed
[FATAL] Cannot open an LDAP session to 'myserv1.MYDOM.local' at
'192.168.1.3'.
[WARNING] Failed to query SPN registration on DC 'myserv1.MYDOM.local'.

----------------------------------------

I have noted that many other people have had similar problems; Google
this:

Cannot call DsBind [ERROR_OUTOFMEMORY]

---------------------------------------

Other information:

When the system enters the error state there are no errors in the
System or Active Directory logs.

But after it fails because AD is down, the Application log starts to fill
up with USERENV error messages.

Can anybody help resolve this issue?
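An added example, not from the thread: a small PowerShell parser for netdiag-style output that flags tests marked Failed and, more importantly, tests whose summary says "Passed" while a [FATAL] or [ERROR] line sits underneath (exactly what the LDAP test above does). The sample text is constructed from the report format shown in the post.

```powershell
# Added example (not from the thread): parse netdiag-style output and flag
# tests that Failed, or that report "Passed" yet carry a [FATAL]/[ERROR]
# line underneath. Constructed sample, copied from the report format above:
$sample = @'
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to myserv1.MYDOM.local (192.168.1.3).
[ERROR_OUTOFMEMORY]

Trust relationship test. . . . . . : Skipped

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed
[FATAL] Cannot open an LDAP session to 'myserv1.MYDOM.local' at
'192.168.1.3'.
[WARNING] Failed to query SPN registration on DC 'myserv1.MYDOM.local'.
'@

function Get-NetdiagFindings {
    param([string[]]$Lines)
    $tests   = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($line in $Lines) {
        # Test header: name, a run of dots, a colon and the summary status.
        if ($line -match '^(?<name>.+?)[\s.]*:\s*(?<status>Passed|Failed|Skipped)\s*$') {
            $current = [pscustomobject]@{
                Test     = $Matches['name'].Trim()
                Status   = $Matches['status']
                Messages = [System.Collections.Generic.List[string]]::new()
            }
            $tests.Add($current)
        }
        # Tagged line such as [FATAL], [WARNING] or [ERROR_OUTOFMEMORY].
        elseif ($current -and $line -match '^\[(?<tag>[A-Z_]+)\]\s*(?<msg>.*)$') {
            $current.Messages.Add(("$($Matches['tag']): $($Matches['msg'])").Trim())
        }
        # Wrapped continuation of the previous message (the FATAL line above).
        elseif ($current -and $current.Messages.Count -gt 0 -and $line.Trim()) {
            $last = $current.Messages.Count - 1
            $current.Messages[$last] += ' ' + $line.Trim()
        }
    }
    # Anything Failed, or Passed with a FATAL/ERROR tag, needs attention.
    foreach ($t in $tests) {
        $severe = @($t.Messages | Where-Object { $_ -match '^(FATAL|ERROR)' })
        if ($t.Status -eq 'Failed' -or $severe.Count -gt 0) {
            [pscustomobject]@{ Test = $t.Test; Status = $t.Status; Findings = @($t.Messages) }
        }
    }
}

Get-NetdiagFindings -Lines ($sample -split "`r?`n") | Format-List
```

On the sample this reports both the DC list test (Failed) and the LDAP test (Passed, but with the FATAL session error), which is the point: the summary status alone is not a reliable health signal.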
 
Hi,
After a few hours, sometimes days the AD stops running

Active Directory does not stop "running"
3) Create a public lookup zone so that the server could become a
primary DNS for a domain.
(This was needed for just a few days until the new ISP could handle the
DNS.)

Well, where was this domain controller pointed to for primary DNS
before? And where is it pointing now? Please do not tell me you have
it pointed to your ISP :(

You have one domain controller, one DNS server. Make sure this DC is
pointed to itself for primary DNS and ONLY itself.
From the command prompt run the following:
ipconfig /flushdns & ipconfig /registerdns & net stop netlogon & net start netlogon

Make sure your clients are pointed to this DC for primary DNS.
Run DCdiag /v, Netdiag /v to check for errors.

Good luck

Harj Singh
Power Your Active Directory Investment
www.specopssoft.com

 
I do agree with Harj that it looks like you have set the DNS server(s) in
your server's TCP/IP configuration to your ISP DNS servers.
As these servers do not host your domain zones (and most importantly, the
_msdcs zones), you have broken Active Directory.

The good news is that this is easily fixed, as Harj pointed out.
1) Make sure your DC is running DNS
2) Make sure your AD DNS zone (e.g. mycompany.local) is stored in Active
Directory and only secure updates are allowed (for security reasons)
(Secure only will allow DNS registration for Windows 2000 and above clients.
Win9X/NT/etc. is not supported)
3) Make sure your DNS server isn't a root DNS server. Translated: make sure
your DNS server is not hosting the "." (dot) zone.
This will break DNS lookups for Internet addresses, as the DNS server thinks
it is at the top of the DNS hierarchy.
If the "." zone is hosted, delete it.
4) Do not configure your DNS server to forward to your ISP DNS servers, as
ISP DNS pollution occurs more frequently nowadays.
Instead, rely on the root hints, which are configured correctly within
Windows 2003 DNS. If a record outside your own AD zone is requested, your
DNS server will perform a lookup using the Internet root servers and cache
the results for future requests.
5) After the above configuration steps, run the following commands:
- net stop dns
- net start dns
- ipconfig /registerdns
- net stop netlogon
- net start netlogon
6) Check DNS for a host (A) record in your AD DNS zone. Also, check the
records under _msdcs.

Good luck!

Erik Cheizoo
eXcellence & Difference
We keep your business running

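An added example, not from the thread: a PowerShell check that turns Harj's and Erik's checklist (DC resolver pointing only at itself, AD-integrated zone with secure updates only, no "." root zone, no ISP forwarders, A and _msdcs SRV records present) plus the scavenging caveat Erik raises later into an automated audit. It assumes a current Windows Server DC with the DnsServer and DnsClient modules, run locally as an administrator; `$ZoneName` is a placeholder for the AD DNS zone.

```powershell
# Added example (not from the thread): audit a single-DC site against the
# DNS checklist above. Assumes a current Windows Server DC with the DnsServer
# and DnsClient modules. $ZoneName is a placeholder for your AD DNS zone.
param([string]$ZoneName = 'MYDOM.local')

$problems = @()
$dcName   = $env:COMPUTERNAME

# 1) The DNS Server service must be running on the DC.
$svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') { $problems += 'DNS Server service is not running' }

# Harj's point: the DC resolver must point to itself and nothing else.
$selfAddrs = @((Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin -ne 'WellKnown' }).IPAddress) + '127.0.0.1'
$resolvers = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Select-Object -Unique
foreach ($r in $resolvers) {
    if ($selfAddrs -notcontains $r) { $problems += "DC resolver points at another server: $r" }
}

# 2) AD-integrated zone with secure dynamic updates only.
$zone = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue
if (-not $zone) { $problems += "zone $ZoneName is not hosted on this server" }
elseif (-not $zone.IsDsIntegrated) { $problems += "zone $ZoneName is not AD-integrated" }
elseif ($zone.DynamicUpdate -ne 'Secure') { $problems += "zone $ZoneName allows '$($zone.DynamicUpdate)' dynamic updates" }

# 3) No "." root zone, or Internet lookups stop at this server.
if (Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue) { $problems += 'server hosts the "." root zone' }

# 4) No forwarders to the ISP; root hints should be in use.
$fwd = Get-DnsServerForwarder
if ($fwd.IPAddress) { $problems += "forwarders configured: $($fwd.IPAddress -join ', ')" }
if (-not $fwd.UseRootHint) { $problems += 'root hints are disabled' }

# 6) The DC's own A record and the DC locator SRV record under _msdcs.
if (-not (Resolve-DnsName -Name "$dcName.$ZoneName" -Type A -ErrorAction SilentlyContinue)) {
    $problems += "no A record for $dcName.$ZoneName"
}
if (-not (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ZoneName" -Type SRV -ErrorAction SilentlyContinue)) {
    $problems += "no SRV record at _ldap._tcp.dc._msdcs.$ZoneName"
}

# Erik's later caveat: scavenging so aggressive that records are deleted
# before the DC refreshes them.
$aging = Get-DnsServerZoneAging -Name $ZoneName -ErrorAction SilentlyContinue
if ($aging -and $aging.AgingEnabled -and
    ($aging.NoRefreshInterval + $aging.RefreshInterval) -lt [timespan]::FromDays(1)) {
    $problems += 'zone scavenging window is shorter than one day'
}

if ($problems) { $problems | ForEach-Object { "PROBLEM: $_" } }
else { "DNS configuration on $dcName matches the checklist" }
```

Run it once after a clean reboot and again when the fault appears: a difference between the two runs narrows the cause far more quickly than the summary lines of netdiag.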
 
You said: Active Directory does not stop "running"

If only that were true :~( It does stop running. Or at least it
becomes inaccessible.

I think that the LDAP goes down in some way.
 
inthedark said:
You said: Active Directory does not stop "running"

If only that were true :~( It does stop running. Or at least it
becomes inaccessible.

I think that the LDAP goes down in some way.

Now you are STARTING to perform good troubleshooting by
isolating the actual symptoms.

Do you know that LDAP in some way stops working? How
specifically do you know that?

Once you identify the symptoms precisely, most problems are
easy, if not trivial to resolve.

Have you run DCDiag on each DC? When it works, and when
it fails?
 
There is only one server, which is the primary AD server. (There is no
secondary AD server.)

This is also the DNS server.

The TCP/IP network config only lists itself as a DNS server.

Only the DNS server points to DNS forwarders located at the ISP.

All clients have only one DNS server, which is the AD server.


 
Are there any errors in the eventlog for System and/or Directory Services?
Are there any services stopped which are set to automatic?

Another possibility is that you have set the scavenging period on your DNS
server very low, deleting the DNS records before they are refreshed by the
DC.

Kind regards,

Erik Cheizoo
eXcellence & difference
We keep your business running
 
DCDIAG and NETDIAG are both very happy until the error condition
arrives. There are no messages in the System, Directory Service or DNS
logs. After the error condition, messages start to arrive in the
Application log, mostly because AD is unavailable.

After the error condition the NETDIAG reports the following problems:

DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to rmyc1.RMYC.local (192.168.1.3).
[ERROR_OUTOFMEMORY]
List of DCs in Domain 'RMYC':
rmyc1.RMYC.local

And also:

LDAP test. . . . . . . . . . . . . : Passed

Do un-authenticated LDAP call to 'rmyc1.RMYC.local'.
[FATAL] Cannot open an LDAP session to 'rmyc1.RMYC.local' at
'192.168.1.3'.
[WARNING] Failed to query SPN registration on DC 'rmyc1.RMYC.local'.
 
Further, I disabled DNS zone transfers (as there is only one server).

Because of the [ERROR_OUTOFMEMORY] message I looked at Task Manager and
found that:

After reboot Available memory was 300K out of 512K

In error condition available memory was 180K (so who ate the 120K)
 
By default, the LSASS process will use all memory available for caching the
AD database.
You will see LSASS memory consumption go up when queries are performed (e.g.
Exchange, Outlook).
 
inthedark said:
Further, I disabled DNS zone transfers (as there is only one server).

Because of the [ERROR_OUTOFMEMORY] message I looked at Task Manager and
found that:

After reboot Available memory was 300K out of 512K

In error condition available memory was 180K (so who ate the 120K)

What is your Service pack/Hotfix status for this Win2000 Server?

[Disabling DNS zone transfers is irrelevant if you only
have one DNS server for the zone; or if you only have
AD Integrated DNS servers for the zone (or on any
DNS server with no slave secondaries.)]

You might wish to check updates, and then consider doing a
"repair install" since this usually fixes any damaged DLLs, services,
etc.

One disadvantage of doing the repair install is that if the problem
disappears (which it very may well do) then you won't know the
'source' of the problem.

Repair install is done from original CD, regular install to SAME
directory location and ENSURE that you both see and accept
the prompt for REPAIRING the current installation.
 
I have run Windows Update, that is when the problem started.

I think I will pay MS for solution as the customer is becoming a little
disappointed.
 
inthedark said:
I have run Windows Update, that is when the problem started.

I think I will pay MS for solution as the customer is becoming a little
disappointed.

Ok, but the REPAIR install will usually fix things screwed up by
Windows update (even if you then re-install every hotfix it 'fixed'.)

My guess has always been that applying the latest fixes and skipping
over incremental ones somehow avoids bugs the developers missed
in testing -- this was much more true (needing to avoid those bugs)
in Win2000 also which makes the REPAIR install more likely.

BTW, usually most problems can be better answered here in the
forums than they can by paid support -- I say this even though I
believe Microsoft paid support is actually excellent.

Most of the time a problem that can be more quickly resolved by
phone support than by the newsgroups (which do have question-response
lag time) could have been solved by searching yourself
using Google against TechNet, the Internet, or by using the built-in
help.

If someone told me: You can have a free Premier Support ID
(I have had my own personal ones in the past) BUT you will
never again have access to the MS Newsgroups then I would
turn it down even though the newsgroups are free and support
costs real money.
 