Microsoft KB Archive/826902

= You Cannot Browse the Drives of or Map a Drive to a Domain Controller from Any Client Computer =

Article ID: 826902

Article Last Modified on 1/31/2007


APPLIES TO


 * Microsoft Windows 2000 Server






SYMPTOMS
When you try to browse the drives of a domain controller or to map a drive to a domain controller from any client computer, you cannot do so if you try to connect by using the domain controller name. You can browse the drives or map a drive if you try to connect by using the IP address of the domain controller. When you try to troubleshoot the issue, the following symptoms may occur:

 * After you try to connect to the domain controller by using the Universal Naming Convention (UNC) path (\\ ), you receive the following warning message in the system event log:

   Event ID: 3034
   Type: Warning
   Source: MRxSmb
   Description: The redirector was unable to initialize security context or query context attributes.

 * If you use a Lightweight Directory Access Protocol (LDAP) utility, such as Ldp.exe, to try to connect to the domain controller, you receive the following error message:

   ldap_bind_sW failed with 0x52(82 (Local Error)

 * If you run the Dcdiag.exe utility to test the connectivity of the domain controller, you receive the following error message:

   DCDiag results in: LDAP bind failed with error 31

 * If you try to manually force replication from a working domain controller (one that you can browse the drives of or map a drive to by using the server name) to the domain controller that you cannot connect to by using the server name, you receive the following error message:

   Target Principal Name Is Incorrect





CAUSE
This issue may occur if there is an incorrect value in the userAccountControl attribute for the domain controller that you cannot connect to by server name.



RESOLUTION
To determine if this issue is caused by a name resolution problem, first verify that the domain controller records appear correctly in Windows Internet Name Service (WINS) and Domain Name System (DNS). If the records are correct in WINS and DNS, use the Active Directory Service Interfaces (ADSI) Edit utility to edit the userAccountControl attribute value. (The ADSI Edit utility is located in the Support Tools folder on the Windows 2000 CD-ROM.) To edit the value, follow these steps.

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

 1. Click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
 2. Expand Domain NC, expand DC= , and then expand OU=Domain Controllers.
 3. Right-click the domain controller that you cannot browse the drives of or map a drive to, and then click Properties.
 4. In the Select which properties to view box, click Both.
 5. In the Select a property to view box, click userAccountControl.
 6. In the Edit Attribute box, type 532480, click Set, click Apply, and then click OK.
 7. Quit ADSI Edit.
 8. Use the Netdom.exe utility to reset the security channel between the domain controller and one of its replication partners. (Netdom.exe is located in the Support Tools folder on the Windows 2000 CD-ROM.) To reset the security channel, follow these steps on the domain controller that you cannot browse or map a network drive to:
    a. Set the Startup type of the Kerberos Key Distribution Center service to Manual, and then stop the service. (Because you are trying to reset the password for a Windows domain controller, you must complete this procedure before you go to step 8b.) To do so, follow these steps:
       1. Click Start, point to Programs, point to Administrative Tools, and then click Services.
       2. In the right pane, right-click Kerberos Key Distribution Center, and then click Properties.
       3. In the Startup type box, click Manual.
       4. Click Stop, and then click OK.
    b. At a command prompt, type the following command, where  is the fully qualified DNS or NetBIOS name of a domain controller in the same domain as the local computer, and   is the NetBIOS domain name and administrator ID respectively:

       netdom resetpwd /server: /userd: \  /passwordd:*

       Adding the asterisk (*) value to the /passwordd: parameter specifies that you will be prompted for the password.
 9. Restart the domain controller, and wait several minutes for replication to occur.

    Note After you restart the domain controller, you can restart the Kerberos Key Distribution Center service and then reset its Startup type to Automatic.
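The value 532480 that the procedure writes is the bitwise OR of SERVER_TRUST_ACCOUNT (0x2000) and TRUSTED_FOR_DELEGATION (0x80000). As an added example (not part of the original article), the following Python script decodes userAccountControl values from an LDIF export of the Domain Controllers OU and reports entries that differ from that value. The sample export, host names, and function names are constructed for illustration.

```python
import re

# userAccountControl bit names (a subset of the documented Active Directory flags).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
}
EXPECTED_DC_UAC = 532480  # value the article sets: 0x2000 | 0x80000


def decode_uac(value):
    """Return the names of the flags set in value; unknown bits are shown as hex."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits not covered by the table above
    if unknown:
        names.append(hex(unknown))
    return names


def audit_ldif(ldif_text):
    """Return (dn, value, missing, unexpected) for entries that differ from EXPECTED_DC_UAC."""
    findings = []
    text = ldif_text.replace("\r\n", "\n").strip()  # tolerate Windows line endings
    for entry in re.split(r"\n\s*\n", text):
        dn = re.search(r"^dn:\s*(.+)$", entry, re.M)
        uac = re.search(r"^userAccountControl:\s*(\d+)$", entry, re.M)
        if not dn or not uac:
            continue  # entry was exported without the attribute
        value = int(uac.group(1))
        if value != EXPECTED_DC_UAC:
            missing = decode_uac(EXPECTED_DC_UAC & ~value)
            unexpected = decode_uac(value & ~EXPECTED_DC_UAC)
            findings.append((dn.group(1).strip(), value, missing, unexpected))
    return findings


# Constructed sample export (hypothetical names), shaped like an LDIF dump.
SAMPLE_LDIF = """\
dn: CN=DC01,OU=Domain Controllers,DC=example,DC=com
userAccountControl: 532480

dn: CN=DC02,OU=Domain Controllers,DC=example,DC=com
userAccountControl: 4096
"""

if __name__ == "__main__":
    for dn, value, missing, unexpected in audit_ldif(SAMPLE_LDIF):
        print(f"{dn}: {value} missing={missing} unexpected={unexpected}")
```

In the constructed sample, DC02 carries 4096 (WORKSTATION_TRUST_ACCOUNT), so the audit reports both expected domain controller flags as missing.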


MORE INFORMATION
For additional information about how to install the Windows 2000 Support Tools, click the following article number to view the article in the Microsoft Knowledge Base:

301423 HOW TO: Install the Windows 2000 Support Tools to a Windows 2000 Server-Based Computer

For more information about the Dcdiag.exe utility, visit the following Microsoft Web site:

http://support.microsoft.com/kb/927229

For additional information about how to use Ldp.exe, click the following article number to view the article in the Microsoft Knowledge Base:

224543 Using Ldp.exe to Find Data in the Active Directory

For additional information about the Netdom.exe utility, click the following article number to view the article in the Microsoft Knowledge Base:

260575 HOW TO: Use Netdom.exe to Reset Machine Account Passwords of a Windows 2000 Domain Controller

Keywords: kbprb KB826902


© Microsoft Corporation. All rights reserved.