Microsoft KB Archive/305837

= DNS, Intersite Messaging, Global Catalog, NTFRS, and "Invalid Credentials" Error Messages on Domain Controller =

Article ID: 305837

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server



This article was previously published under Q305837



SYMPTOMS
On a domain controller that runs Windows 2000, Event Viewer may log the following Domain Name System (DNS) events every 12 to 15 minutes:

Event Type: Error

Event Source: DNS

Event Category: None

Event ID: 4000

Description: The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

Data: 0000: f5 25 00 00

Event Type: Warning

Event Source: DNS

Event Category: None

Event ID: 4013

Description: The DNS server was unable to open the Active Directory. This DNS server is configured to use directory service information and cannot operate without access to the directory. The DNS server will wait for the directory to start. If the DNS server is started but the appropriate event has not been logged, then the DNS server is still waiting for the directory to start.

Data: 0000: f5 25 00 00

These events are logged even though Active Directory (AD) appears to be running, logons are successful, and various AD tools work.

When you try to move a DNS zone, you may receive an error message that says, "The data on the Primary zone failed to set; AD service is not available."

If you run the command DCDiag /test:services /v, you may find that the Intersite Messaging Service is not started.

In addition, Event Viewer may record the following Directory Service events:

Event Type: Warning

Event Source: NTDS Intersite Messaging

Event Category: Intersite Messaging

Event ID: 1473

Description: The Intersite Messaging Service failed to read the configuration of the Intersite Transports out of the Directory. The error message is as follows:

Unable to update the password. The value provided as the current password is incorrect.

The service has stopped. It will be necessary to correct the problem and restart the service in order for intersite communication to occur. The KCC will be unable to calculate intersite topology without this service. There may be a problem retrieving data from the LDAP server. Please verify that LDAP queries are succeeding on this machine. You may also wish to try restarting the Intersite Messaging Service manually. The record data is the status code.

Data: 0000: 2b 05 00 00

Event Type: Error

Event Source: NTDS Intersite Messaging

Event Category: Internal Processing

Event ID: 1168

Description: Error 997(3e5) has occurred (Internal ID 11000252). Please contact Microsoft Product Support Services for assistance.

Event Type: Error

Event Source: NTDS Intersite Messaging

Event Category: Internal Processing

Event ID: 1168

Description: Error 49(31) has occurred (Internal ID 11000251). Please contact Microsoft Product Support Services for assistance.

Event Type: Error

Event Source: NTDS Intersite Messaging

Event Category: Internal Processing

Event ID: 1168

Description: Error 49(31) has occurred (Internal ID 11000250). Please contact Microsoft Product Support Services for assistance.

The Application Log for the Intersite Messaging service may record the following event:

Event Type: Error

Event Source: Service Control Manager

Event Category: None

Event ID: 7023

Description: The Intersite Messaging service terminated with the following error:

Unable to update the password. The value provided as the current password is incorrect.

The following events that pertain to communication with the global catalog may also be recorded:

Event Type: Warning

Event Source: NTDS General

Event Category: Global Catalog

Event ID: 1655

Description: The attempt to communicate with global catalog \\ .SoftwareManager.TheSoftwareManager.com failed with the following status:

Access is denied.

The operation in progress might be unable to continue. The directory service will use the locator to try to find an available global catalog server for the next operation that requires one.

The record data is the status code.

Data: 0000: 05 00 00 00

Event Type: Error

Event Source: NTDS General

Event Category: Global Catalog

Event ID: 1126

User: Everyone

Description: Unable to establish connection with global catalog.

Event Type: Error

Event Source: Userenv

Event Category: None

Event ID: 1000

User: NT AUTHORITY\SYSTEM

Description: Windows cannot determine the user or computer name. Return value (5).

There are no events in the File Replication service (FRS) to show that Active Directory is up and ready, and running DCDiag for the FRSSysVol test may not succeed.

If you run the command ntfrsutl sets, you may find that nothing is listed in active replica sets.

LDAP binds that are made in the system context by using Kerberos may not work. However, the binds may succeed with NTLM. A network trace reveals a failed LDAP bind, and you receive the following error message:

W8009030C LdapErr: DSID-0C0903E2, comment: AcceptSecurityContext error, data 52f, v893.

Finally, running the command ntfrsutl DS may result in an error on ldap_open, along with the following error message:

Error: 0x00000031 = Invalid Credentials.
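The Data field in the events above holds a 32-bit status code in little-endian byte order, and the LDAP bind error carries a Win32 code in hexadecimal after the word "data". The following Python sketch is an added example, not part of the original article: it decodes both from constructed sample text built from this article's own records, takes the symbolic names from the Windows SDK header winerror.h, and uses illustrative function names.

```python
import re
import struct
# Symbolic names come from the Windows SDK header winerror.h, not the article.
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED", 1323: "ERROR_WRONG_PASSWORD",
               1327: "ERROR_ACCOUNT_RESTRICTION", 9717: "DNS_ERROR_DS_UNAVAILABLE"}
FIELD = re.compile(r"^(Event Type|Event Source|Event ID|Data):\s*(.+?)\s*$")
# Constructed sample: fields copied from three of the article's event records.
SAMPLE = """\
Event Type: Error
Event Source: DNS
Event ID: 4000
Data: 0000: f5 25 00 00
Event Type: Warning
Event Source: NTDS Intersite Messaging
Event ID: 1473
Data: 0000: 2b 05 00 00
Event Type: Warning
Event Source: NTDS General
Event ID: 1655
Data: 0000: 05 00 00 00
"""
LDAP_LINE = ("W8009030C LdapErr: DSID-0C0903E2, comment: "
             "AcceptSecurityContext error, data 52f, v893.")

def decode_data(value):
    """'0000: f5 25 00 00' -> 9717: first DWORD of the dump, little-endian."""
    raw = bytes.fromhex(value.rpartition(":")[2].replace(" ", ""))
    return struct.unpack("<I", raw[:4])[0]  # struct.error if under 4 bytes

def parse_events(text):
    """Return one dict per record; a record starts at an 'Event Type:' line."""
    events = []
    for m in filter(None, (FIELD.match(l.strip()) for l in text.splitlines())):
        key, value = m.groups()
        if key == "Event Type":
            events.append({"type": value})
        elif events and key == "Data":
            code = decode_data(value)
            events[-1].update(code=code, name=WIN32_NAMES.get(code, "unknown"))
        elif events:
            events[-1][key.split()[-1].lower()] = value  # "source" or "id"
    return events

def ldap_bind_subcode(message):
    """Hex value after 'data' in an AcceptSecurityContext error, as an int."""
    m = re.search(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)", message)
    return int(m.group(1), 16) if m else None

for e in parse_events(SAMPLE):
    print(e["source"], e["id"], e["code"], e["name"])
```

The decoded values 1323 and 5 are the Win32 codes behind the "Unable to update the password" and "Access is denied." texts quoted in the events, which helps correlate records from different event sources to one underlying failure.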



CAUSE
This behavior can occur if you lock the system partition and remove the Everyone group from various locations.



RESOLUTION
To resolve the behavior, reset system default file permissions:

 1. Set environment variables as follows:
    a. At a command prompt, type net share sysvol, and then press ENTER. Notice the path that is returned.
    b. Right-click My Computer, and then click Properties.
    c. On the Advanced tab, click Environment Variables.
    d. In the System Variables section, click New.
    e. In the Variable Name box, type Sysvol.
    f. In the Variable Value box, type the path that you noted in step a without the last \sysvol item.
    g. Repeat these steps to create the %DSDIT% variable and the %DSLOG% variable.

To view the path for these variables, examine these variables in the registry under the following key:

.For example, the default location for the Database log files path and for the DSA Working Directory is the following:

C:\WINNT\NTDS

 2. At a command prompt, run the following commands:

cd \winnt\security\templates

secedit /configure /cfg "setup security.inf" /db ss.sdb /log ss.log /verbose

secedit /configure /cfg basicdc.inf /db basicdc.sdb /log basicdc.log /verbose

 3. Restart the computer.

Keywords: kberrmsg kbnetwork kbprb KB305837


© Microsoft Corporation. All rights reserved.