DNS access denied.


Shariq

Dear All,

I have installed an additional domain controller in my
existing forest but the Active Directory does not
open. When I click on Administrative Tools -> WINS, I could see
that the main DC is responding. But when I click on DNS on
the additional DC it says Access denied. When I log off and
log back on again, I could see DNS responding, but after
some time the same error comes saying 'Access denied'. I
believe this is the reason that I cannot open ADUC.
When I try to open ADUC it says:
Naming convention cannot open because:
The logon attempt failed.

Need help urgently!!!
 
Hello Shariq,

Please take a look at the following article that has the resolution for the
problem you are having.

329887 You Cannot Interact with Active Directory MMC Snap-Ins
http://support.microsoft.com/?id=329887

For your convenience I have copied the CAUSE and RESOLUTION sections here.
Hope that helps!

CAUSE
=====
This issue may occur if the Windows 2000 security settings are corrupted.

RESOLUTION
==========
To resolve this issue, reset the Windows 2000 security
configuration to the default values. To do this, follow these steps:
1. Click "Start", click "Run", type "cmd" (without the quotation marks)
in the "Open" box, and then press ENTER.
2. At the command prompt, type the following commands,
pressing ENTER after each command

"Secedit /configure /cfg <drive>:\winnt\repair\secsetup.inf /db secsetup.sdb" (without the quotation marks)
"Secedit /configure /cfg <drive>:\winnt\repair\secdc.inf /db secdc.sdb" (without the quotation marks)
"exit" (without the quotation marks)
where <drive> is your boot drive (generally drive C).

--
Regards,
Mohanchand Koduri [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
OR
If you wish to include a script sample in your post please add "Use of
included
script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm"
 
Are you logged on as an admin account on the machine or the domain?
User accounts (non-administrators) logging in will get this message for many
of the administration tools, such as DNS and ADUC.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Hi Mohanchand,

I tried running that command on my main domain controller
as well as on the additional domain controller that is
having this problem. When I restarted both the servers,
the domain controller that was having the problem was
able to open the Active Directory. But after 10 mins I
checked again and I got the same error as before. I also
tried to open the DNS from the Administrative Tools but
it said DNS access denied!

I don't really know where to go from here and your help
will be really appreciated.

Regards,

Shariq
 
Hi Ace,

I am logged in as a domain administrator. What actually
happens is when I restart my (additional) domain controller
that is having the problem, it does open the Active
Directory and even the DNS does open. But after about 10
minutes the AD does not open, giving the same error as
before. When I go into the DNS then, it says DNS Access
denied.
 
Surprised that the article posted by Mohanchand Koduri didn't help.

I would like to begin troubleshooting by looking at your system's
configuration. Can we see an ipconfig /all please?

Can you also post any Event log errors by their Event ID #'s please.

Thanks Shariq.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Hi Ace,

I agree there is something weird going on here. Let me
give you a little background. I have 2 domain controllers
and I wanted to add 2 more. So I installed W2K and typed
in dcpromo. After that both the servers had the same
problem. I also installed SP4 and all the Windows updates
but no luck. The command given by Mr. Mohanchand I tried on
both my main domain controller and also on the
problematic domain controller, but no luck. I also know
that when I go into Domain Controller Security Settings
it says Windows cannot open the template. When I restart
my problematic DC the ADUC opens fine but only for 5-7
minutes. After that, if I go into DNS it says access denied
and when I try to open the ADUC it does not open! The
errors I am having on the problematic DC are as follows:

Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13562
Date: 9/19/2003
Time: 2:57:23 PM
User: N/A
Computer: GREENSTREET
Description:
Following is the summary of warnings and errors
encountered by File
Replication Service while polling the Domain Controller
greenstreet.habibsons.com for FRS replica set
configuration information.

Could not bind to a Domain Controller. Will try again at
next polling
cycle.
The number 2 error:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 9/19/2003
Time: 11:44:08 PM
User: NT AUTHORITY\SYSTEM
Computer: GREENSTREET
Description:
Windows cannot obtain the domain controller name
for your computer network. Return value (59).

and the ip config file:

C:\>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : greenstreet
Primary DNS Suffix . . . . . . . : habibsons.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : habibsons.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-08-02-E5-DC-C2
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 101.100.100.57
Primary WINS Server . . . . . . . : 101.100.100.57

Where 101.100.100.57 is my main DC as well as my DNS
server and WINS.

I really appreciate your help...!!
 
Ace,

One more thing.When I run the command given by
Mr.Mohanchand on my main domain controller I get the
following results:

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\Profiles\Administrator>secedit /configure /cfg c:\winnt\repair\secsetup.inf /db secsetup.sdb

Task is completed successfully.
See log %windir%\security\logs\scesrv.log for detail info.

C:\WINNT\Profiles\Administrator>secedit /configure /cfg c:\winnt\repair\secdc.inf /db secdc.sdb

Task is completed. Some files in the configuration are
not found on this system
so security cannot be set/queried. It's ok to ignore.
See log %windir%\security\logs\scesrv.log for detail info.

C:\WINNT\Profiles\Administrator>


Thought I'd just let you know. As far as I think, I should run
the command on the main domain controller, right?
 
One mistake in your command...see below...

Shariq said:
Ace,

One more thing.When I run the command given by
Mr.Mohanchand on my main domain controller I get the
following results:

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\Profiles\Administrator>secedit /configure /cfg
c:\winnt\repair\secsetup
.inf /db secsetup.sdb

Task is completed successfully.
See log %windir%\security\logs\scesrv.log for detail info.

C:\WINNT\Profiles\Administrator>secedit /configure /cfg
c:\winnt\repair\secdc.in
f /db secdc.sdb

That's actually supposed to be secdc.inf not secdc.in. It's an INF file it's
referencing.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Thanks for posting that info. Your ipconfig /all looks good, however, I have
two questions:

1. The 101.100.100.57 server, I realize that's on a different subnet, but is
it going across a NAT device? Meaning is the 192.168.0.0 range a private
range and the 101.100.100.x range a public range and there is a NAT server
between them? If there is a NAT between them, then this can cause the WHOLE
problem. If your machine is multihomed and performing NAT, this can cause it
too and there is a fix for that. But I need more info on your network
configuration and subnets.

2. Is habibsons.com your Active Directory DNS Domain name?

About the 13562 error, read this:
http://www.eventid.net/display.asp?eventid=13562&source=
It references the fact that you may have had or still have DFS but removed
it? Can you verify that?

The userenv errors can be caused by DNS misconfiguration. But your
configuration seems ok at first glance from looking at your ipconfig /all.
But I'm leaning on a NAT issue.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Hi Ace,

Thanks for your reply. Let me explain my network
setup to you. The 101.100.100.57 is my main DC and it's a private
IP (the guy before me did this IP scheme). And this server
is located in some other office. Now we had a new site and
so we connected them through VPN and the router was NAT. Now
the scheme on the new branch is 192.168.x.x. So the
problematic DC is located in the new branch, having the IP
address 192.168.0.3, and the subnet mask is also
255.255.255.0 while the main DC has the subnet mask of
255.0.0.0.

2. habibsons.com is the AD DNS domain name.

I hope it helps. If you have any further queries please
let me know.

Thanks once again.
 
Ok, that helps narrow it down. The subnet masks would just affect the local
subnet, so that won't be an issue.

So from the new one you can't access itself thru the MMCs?

I had to go back and reread some of the posts. So what's happening it seems
is that the new machine, 192.168.0.3 is using the DNS server at
101.100.100.57. Queries must go across the WAN link. That's not usually
recommended.

Assuming they are both in the same domain (I don't think you mentioned that
yet), my suggestion is to make the zone on the 101 server AD Integrated, and
install DNS on the 192 machine and create the zone and make it AD Integrated
also, and for the branch users over there, only use this guy as the DNS.

One other concern is the VPN and NAT. NAT does not translate LDAP, Kerberos
or RPC traffic, and they are the 3 things needed for domain communication.
If the VPN is in tunnel mode and the NAT is the endpoint, then that will
work. One more thing, if there are any modifications to the VPN, such as MTU
changes or H.323 modifications, (such as to improve video conferencing),
that will also squelch domain communication.

Hope that helps you out.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
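The diagnosis Ace makes above (the branch DC sends every DNS and WINS query to a server on another subnet, across the VPN/NAT link) can be checked mechanically from `ipconfig /all` output. The following is an added example, not code from the thread or from Microsoft: it parses the `ipconfig /all` text into adapters and fields, then flags name servers that are off-link for the adapter's own subnet or that sit outside RFC 1918 private space (so a NAT device may be in the path). The sample output is constructed from the values Shariq posted, laid out the way `ipconfig /all` prints them; the field names and the `diagnose`/`check_adapter` helpers are this example's own.

```python
import ipaddress

# Constructed sample: the adapter values Shariq posted, in the indented
# layout `ipconfig /all` on Windows 2000 uses (assumed layout, not a capture).
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : greenstreet
        Primary DNS Suffix  . . . . . . . : habibsons.com
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-08-02-E5-DC-C2
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 101.100.100.57
        Primary WINS Server . . . . . . . : 101.100.100.57
"""


def parse_ipconfig(text):
    """Parse `ipconfig /all` text into {adapter: {field: [values]}}.
    Host-wide fields (Host Name, Primary DNS Suffix, ...) live under ''."""
    adapters = {"": {}}
    current, last_field = adapters[""], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and " ." in key:
            # "Subnet Mask . . . : 255.255.255.0" -> a field with dot leaders
            last_field = key.rstrip(" .")
            current[last_field] = [value.strip()] if value.strip() else []
        elif sep and not value.strip():
            # "Ethernet adapter Local Area Connection:" -> new adapter section
            current = adapters.setdefault(key.split(" adapter ", 1)[-1], {})
            last_field = None
        elif not sep and last_field is not None:
            # indented continuation line: a second DNS/WINS server, etc.
            current[last_field].append(line)
    return adapters


def check_adapter(adapter):
    """Findings for one adapter: name servers that are off-link for its subnet
    (every lookup crosses the router/WAN) or outside RFC 1918 private space
    (a NAT hop may sit in the path, which breaks LDAP/Kerberos/RPC to a DC)."""
    findings = []
    ips, masks = adapter.get("IP Address", []), adapter.get("Subnet Mask", [])
    if not ips or not masks:
        return findings
    local_net = ipaddress.ip_network(f"{ips[0]}/{masks[0]}", strict=False)
    for field in ("DNS Servers", "Primary WINS Server", "Secondary WINS Server"):
        for server in adapter.get(field, []):
            addr = ipaddress.ip_address(server)
            if addr not in local_net:
                findings.append(f"{field} {server} is off-link for {local_net}: "
                                "every lookup crosses the router/WAN link")
            if not addr.is_private:
                findings.append(f"{field} {server} is not RFC 1918 space: "
                                "check whether it is reached through NAT")
    return findings


def diagnose(text):
    """Map each adapter name to its findings (an empty list means it looks fine)."""
    adapters = parse_ipconfig(text)
    return {name: check_adapter(fields) for name, fields in adapters.items() if name}


if __name__ == "__main__":
    for name, findings in diagnose(SAMPLE_IPCONFIG).items():
        print(f"{name}:")
        for finding in findings or ["no issues found"]:
            print(f"  - {finding}")
```

Run against the posted configuration it reports four findings on "Local Area Connection" (DNS and WINS both off-link and both outside private space); substituting a local DNS/WINS server such as 192.168.0.3, which is what Ace recommends, clears them.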
 
Hi Ace,

I am really grateful as I did manage to resolve the
problem and now I can interact with the ADUC through
MMC. Once again thanks a lot.
However, one very interesting thing which you mentioned
was creating the new DC as DNS (the 192 one) and instead
of passing DNS traffic through the WAN doing it the other way. Now
that seems to be really good as having a DNS locally will
help the users to log in faster (at present it takes 1
minute). Can you guide me through how I can achieve that?

Thanks a million once again!
 
It's really easy. Install DNS on the 192 DC. Create the zone habibsons.com.
Make it AD Integrated. That's it. Then point all your machines as the first
one in the list to this DNS at that location. As soon as you make it AD
Integrated, then zone info appears, since the zone is AD Integrated on the
101 DC. If it's not AD Integrated at the 101 DC, make it so. It just pretty
much works.

Here's some info on planning and such. You can also go to
www.microsoft.com/dns for MS' central DNS site for how-tos.

Chapter 2 - Structural Planning for Branch Office Environments:
http://www.microsoft.com/technet/tr...windows2000/deploy/adguide/adplan/adpch02.asp

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 