- For the errors 40960, 40961, configure a DNS reverse lookup zone.
- For the error 3210: to correct this issue, you must reset the machine
account password on your domain controller. To do this, you'll require both
the Windows Support Tools and the Kerbtray.exe application. You should
already have the Windows Support Tools on Server. To install Kerbtray,
install the Resource Kit Tools.
You are now ready to proceed with resetting the computer account on Server.
Imagine that Server1 is one of your existing domain controllers and Server2
is your recently repaired domain controller that has been offline for over a
month.
1. Stop the Key Distribution Center (KDC) service on Server2. To do so, open
a Command Prompt, type net stop KDC, and press Enter.
2. Load Kerbtray.exe. You can do so by clicking Start, clicking Run, and
then typing c:\program files\resource kit\kerbtray.exe and pressing Enter.
You should see a little green ticket icon in your system tray in the lower
right corner of your desktop.
3. Purge the ticket cache on Server2: right-click the green ticket icon in
your system tray, and then click Purge Tickets. You should receive a
confirmation that your ticket cache was purged. Click OK.
4. Reset the Server domain controller account password on Server1 (the PDC
emulator).
To do so, open a command prompt and type: netdom /resetpwd /server:server2
/userd:domain.com\administrator /passwordd:password, and then press Enter.
5. Synchronize the domain. To do so, open a command prompt, type repadmin
/syncall, and then press Enter.
6. Start the KDC service on Server2. To do so, open a command prompt, type
net start KDC, and press Enter. This completes the process, and the domain
controllers should be replicating successfully now.
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
Jorge,
Thanks for taking the time to help with my problem.
All of this information looks like the suggestions offered by the
Microsoft web site.
When I look at the event viewer I see messages that indicate the domain
controller cannot be found.
-----------------------------------------------------------------------------------------------------------------------------
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 6/26/2006
Time: 8:13:15 AM
User: N/A
Computer: PREPSERVER3
Description:
The Security System detected an authentication error for the server
cifs/prepserver1.prep. The failure code from authentication protocol
Kerberos was "The attempted logon is invalid. This is either due to a
bad username or authentication information.
(0xc000006d)".
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..À
-----------------------------------------------------------------------------------------------------------------------------
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 6/26/2006
Time: 8:13:15 AM
User: N/A
Computer: PREPSERVER3
Description:
The Security System could not establish a secured connection with the
server cifs/prepserver1.prep. No authentication protocol was
available.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..À
-----------------------------------------------------------------------------------------------------------------------------
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 6/26/2006
Time: 8:15:30 AM
User: N/A
Computer: PREPSERVER3
Description:
The Security System detected an authentication error for the server
LDAP/prepserver1.prep/prep@prep. The failure code from authentication
protocol Kerberos was "The attempted logon is invalid. This is either
due to a bad username or authentication information.
(0xc000006d)".
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..À
-----------------------------------------------------------------------------------------------------------------------------
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 6/26/2006
Time: 8:15:30 AM
User: N/A
Computer: PREPSERVER3
Description:
The Security System could not establish a secured connection with the
server LDAP/prepserver1.prep/prep@prep. No authentication protocol was
available.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..À
-----------------------------------------------------------------------------------------------------------------------------
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 3210
Date: 6/26/2006
Time: 8:15:33 AM
User: N/A
Computer: PREPSERVER3
Description:
This computer could not authenticate with \\prepserver1.prep, a Windows
domain controller for domain PREP, and therefore this computer might
deny logon requests. This inability to authenticate might be caused by
another computer on the same network using the same name or the
password for this computer account is not recognized. If this message
appears again, contact your system administrator.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 22 00 00 c0 "..À
-----------------------------------------------------------------------------------------------------------------------------
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 6/26/2006
Time: 9:13:24 AM
User: N/A
Computer: PREPSERVER3
Description:
The Security System detected an authentication error for the server
cifs/prepserver1.prep. The failure code from authentication protocol
Kerberos was "The attempted logon is invalid. This is either due to a
bad username or authentication information.
(0xc000006d)".
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..À
-----------------------------------------------------------------------------------------------------------------------------
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 6/26/2006
Time: 9:13:24 AM
User: N/A
Computer: PREPSERVER3
Description:
The Security System could not establish a secured connection with the
server cifs/prepserver1.prep. No authentication protocol was
available.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..À
-----------------------------------------------------------------------------------------------------------------------------
Event Type: Warning
Event Source: DnsApi
Event Category: None
Event ID: 11165
Date: 6/26/2006
Time: 9:58:05 AM
User: N/A
Computer: PREPSERVER3
Description:
The system failed to register host (A) resource records (RRs) for
network adapter
with settings:
Adapter Name : {C54498E9-A7D4-47AF-817E-40822BFD0303}
Host Name : prepserver3
Primary Domain Suffix : prep
DNS server list :
10.0.0.82, 10.0.0.83
Sent update to server : <?>
IP Address(es) :
10.0.5.128
The reason the system could not register these RRs was because the DNS
server contacted refused the update request. The reasons for this might
be (a) you are not allowed to update the specified DNS domain name, or
(b) because the DNS server authoritative for this name does not support
the DNS dynamic update protocol.
To register the DNS host (A) resource records using the specific DNS
domain name and IP addresses for this adapter, contact your DNS server
or network systems administrator.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00 *#..
-----------------------------------------------------------------------------------------------------------------------------
The netdiag command does not work on my server. It's Windows Server
2003 Standard Edition.
When I type the command I get the following error message.
-----------------------------------------------------------------------------------------------------------------------------
C:\Documents and Settings\Administrator.PREPSERVER3>netdiag
'netdiag' is not recognized as an internal or external command,
operable program or batch file.
-----------------------------------------------------------------------------------------------------------------------------
When I type gpupdate in the commandline I get the following response
-----------------------------------------------------------------------------------------------------------------------------
C:\Documents and Settings\Administrator.PREPSERVER3>gpupdate
Refreshing Policy...
User Policy Refresh has completed.
Computer Policy Refresh has completed.
To check for errors in policy processing, review the event log.
-----------------------------------------------------------------------------------------------------------------------------
When I check the event viewer under 'Application' I see the following
message
-----------------------------------------------------------------------------------------------------------------------------
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1053
Date: 6/26/2006
Time: 10:44:25 AM
User: NT AUTHORITY\SYSTEM
Computer: PREPSERVER3
Description:
Windows cannot determine the user or computer name. (Access is denied.
). Group Policy processing aborted.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----------------------------------------------------------------------------------------------------------------------------
When I attempt to contact the domain controller through system DNS
(step 4), I'm successful.
When I try to use the Active Directory snap-in I get the following
error message:
-----------------------------------------------------------------------------------------------------------------------------
The domain prepserver1 could not be found because:
The specified domain either does not exist or could not be contacted.
-----------------------------------------------------------------------------------------------------------------------------
No other computers on my network have trouble accessing the domain
controller.
There are 2 domains so I guess you can say it is a forest. The user
account is working on other computers. Both domains are listed when I
log in to the server.
Do you have any other suggestions?
Thanks,
Ryan
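A triage helper for event text pasted in the layout shown above, added here as an example and not written by either poster: it decodes the little-endian `Data:` bytes into a 32-bit status code, counts repeats, and attaches the remediation hint the first reply gives for each Event ID. The sample input is constructed and trimmed to the fields used; the two NTSTATUS names are supplied by the example.

```python
import re
from collections import Counter
# NTSTATUS names for the two codes seen in the thread; others print as hex.
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC0000022: "STATUS_ACCESS_DENIED"}
# Remediation hints as given in the first reply of this thread.
ADVICE = {40960: "configure a DNS reverse lookup zone",
          40961: "configure a DNS reverse lookup zone",
          3210: "reset the machine account password"}

# Constructed sample, trimmed to the fields used, in the thread's text layout.
SAMPLE = """\
Event Source: LSASRV
Event ID: 40960
Data:
0000: 6d 00 00 c0 m..
-----
Event Source: NETLOGON
Event ID: 3210
Data:
0000: 22 00 00 c0 "..
-----
Event Source: LSASRV
Event ID: 40960
Data:
0000: 6d 00 00 c0 m..
"""

def decode_data(line):
    """'0000: 6d 00 00 c0 m..' -> 0xC000006D (bytes are little-endian)."""
    m = re.match(r"\s*[0-9a-f]{4}:((?: [0-9a-f]{2}){4})", line, re.I)
    return int.from_bytes(bytes.fromhex(m.group(1)), "little") if m else None

def parse_events(text):
    """Split on dashed separator lines and pull Event ID, source and code."""
    events = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        eid = re.search(r"^Event ID:\s*(\d+)", block, re.M)
        if not eid:
            continue
        src = re.search(r"^Event Source:\s*(\S+)", block, re.M)
        data = re.search(r"^Data:\s*\n(.+)$", block, re.M)
        events.append((int(eid.group(1)), src.group(1) if src else "?",
                       decode_data(data.group(1)) if data else None))
    return events

def summarize(events):
    """Rows of (event id, source, status name, count, advice from the thread)."""
    return [(eid, src, "no data" if code is None else NTSTATUS.get(code, hex(code)),
             n, ADVICE.get(eid, ""))
            for (eid, src, code), n in sorted(Counter(events).items(), key=lambda kv: kv[0][:2])]
```

Calling `summarize(parse_events(text))` on a saved export gives one row per distinct event, which makes it easy to see whether the Kerberos warnings and the NETLOGON error recur together.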