AD Problems

Ryan Slimmon

Hello, I am having some problems with my server. Whenever I try to do
anything that requires AD authentication, it bongs and tells me I can't.
When I try to go into any AD snap-in, it says:

Naming information cannot be located because:
No authority could be contacted for authentication.
Contact your system administrator to verify that your domain is configured
and is currently online.

If I try to browse the network (i.e. \\OtherPC\), it tells me:
"There are currently no logon server available to service the logon
request."

Now, I can access this machine via \\BrokenServer\share\ no problem.

I think it is a problem with the local AD Database and I want to wipe out
the data, but leave the configuration so that it can replicate with the
other server. HOWEVER, this server is my Global Catalog so it will have
precedence over the other server.

What I have done:
Ran AD Symmetric Checker - no errors
Ran the Eseutil integrity checker - no errors
Installed SP3 (was SP2 previously)

Does anyone know how to fix this issue? It is like the data inside the AD
Database is corrupt. Any and all help is greatly appreciated.

Thanks,
Ryan
 
The DNS server does allow dynamic updates. This is the DNS server, and
it is pointed to itself. This is one of two servers. My other server,
however, is having no problems.
 
There are a couple of things that can cause this. The most
prevalent is that you may have been infected by a
virus\trojan program. Since we use a Network API call
whenever an MMC is opened, if the "Access this computer from
the network" has been tampered with in the Default Domain
Controllers policy, it will cause this error. Note that
whenever a 2K\XP client attempts to access a resource in a
2000 domain, it must contact the KDC service on a DC in
order to get a session ticket for that resource. That
would explain your symptoms.

To fix, browse to your
C:\Winnt\Sysvol\Sysvol\Domainname\Policies\6AC...\Machine\Microsoft\WindowsNT\Secedit
directory (assuming sysvol is in the default location).
Copy\paste the GPTTMPL.INF to a safe location and open it
with Notepad. Look for the SENETWORKLOGONRIGHT (Access this
computer from the network) and make sure it has the
following entries.

SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-1-0

(See 267553 below)

If not, add them, save the changes and replace the
GPTTMPL.INF file in the directory above. Run the following
command from a command prompt:

secedit /refreshpolicy machine_policy /enforce

Open AD Users and Computers. Note that if your server has been
compromised, I would strongly suggest a restore\rebuild.
Good luck.

http://support.microsoft.com/default.aspx?scid=kb;en-us;267553

http://support.microsoft.com/default.aspx?scid=kb;en-us;243330
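
The GPTTMPL.INF check described in the reply above, as an added example that is not part of the original post: a Python check that parses the [Privilege Rights] section and reports which of the three SIDs are missing from SeNetworkLogonRight. The function names and both sample templates are constructed for illustration, and the file is assumed to be either UTF-16 with a BOM or plain ANSI.

```python
import codecs

# SIDs the reply above says SeNetworkLogonRight must contain.
REQUIRED_SIDS = {"S-1-5-11", "S-1-5-32-544", "S-1-1-0"}

def decode_inf(raw: bytes) -> str:
    """Decode a template saved as UTF-16 with a BOM, else treat it as ANSI/UTF-8 (assumption)."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def privilege_rights(text: str) -> dict:
    """Return {right name, lowercased: set of members} from the [Privilege Rights] section."""
    rights, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; strip it and normalise case.
            members = {m.strip().lstrip("*").upper() for m in value.split(",") if m.strip()}
            rights[name.strip().lower()] = members
    return rights

def missing_network_logon_sids(raw: bytes) -> set:
    """Required SIDs absent from SeNetworkLogonRight (all three if the entry is missing)."""
    members = privilege_rights(decode_inf(raw)).get("senetworklogonright", set())
    return REQUIRED_SIDS - members

# Constructed sample templates (not taken from the thread).
GOOD = ("[Unicode]\r\nUnicode=yes\r\n[Privilege Rights]\r\n"
        "SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-1-0\r\n").encode("utf-16")
TAMPERED = "[Privilege Rights]\r\nSeNetworkLogonRight = *S-1-5-32-544\r\n".encode("utf-16")

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("tampered", TAMPERED)):
        missing = missing_network_logon_sids(raw)
        print(label, "OK" if not missing else "missing: " + ", ".join(sorted(missing)))
```

Run it against a copy of the file, as the reply suggests, rather than the live SYSVOL copy.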
 
This was actually caused because the secure channel on the server was
broken. I had to edit the hkey_LM\Security\Policies\PolAcDmN\<noname>
to make it the same as HKey_LM\Security\Policies\PolPrDmN\<noname>.

Ryan
 