Microsoft KB Archive/837513

= Domain controller is not functioning correctly =

Article ID: 837513

Article Last Modified on 4/25/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server

-



Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
When you run the Dcdiag tool on a Microsoft Windows 2000-Server based domain controller or on a Windows Server 2003-based domain controller, you may receive the following error message:

DC Diagnosis

Performing initial setup:

[DC1] LDAP bind failed with error 31

When you run the REPADMIN /SHOWREPS utility locally on a domain controller, you may receive one of the following error messages:

[D:\nt\private\ds\src\util\repadmin\repinfo.c, 389] LDAP error 82 (Local Error).

Last attempt @ yyyy-mm-dd hh:mm.ss failed, result 1753: There are no more endpoints available from the endpoint mapper.

Last attempt @ yyyy-mm-dd hh:mm.ss failed, result 5: Access is denied.

If you use Active Directory Sites and Services to trigger replication, you may receive a message that indicates that access is denied.

When you try to use network resources from the console of an affected domain controller, including Universal Naming Convention (UNC) resources or mapped network drives, you may receive the following error message:

No logon servers available (c000005e = &quot;STATUS_NO_LOGON_SERVERS&quot;)

If you start any Active Directory administrative tools from the console of an affected domain controller, including Active Directory Sites and Services and Active Directory Users and Computers, you may receive one of the following error messages:

Naming information cannot be located because: No authority could be contacted for authentication. Contact your system administrator to verify that your domain is properly configured and is currently online.

Naming information cannot be located because: Target account name is incorrect. Contact your system administrator to verify that your domain is properly configured and is currently online.

Microsoft Outlook clients that are connected to Microsoft Exchange Server computers that are using affected domain controllers for authentication may be prompted for logon credentials, even though there is successful logon authentication from other domain controllers.

The Netdiag tool may display the following error messages:

DC list test. . . . . . . . . . . : Failed

[WARNING] Cannot call DsBind to. . [ERROR_DOMAIN_CONTROLLER_NOT_FOUND]

Kerberos test. . . . . . . . . . . : Failed

[FATAL] Kerberos does not have a ticket for krbtgt/.

[FATAL] Kerberos does not have a ticket for.

LDAP test. . . . . . . . . . . . . : Passed

[WARNING] Failed to query SPN registration on DC \

The following event may be logged in the system event log of the affected domain controller: Event Type: Error

Event Source: Service Control Manager

Event ID: 7023

Description: The Kerberos Key Distribution Center service terminated with the following error: The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation.



RESOLUTION
There are several resolutions for these symptoms. The following is a list of methods to try. The list is followed by steps to perform each method. Try each method until the problem is resolved. Microsoft Knowledge Base articles that describe less common fixes for these symptoms are listed later.
 * 1) Method 1: Fix Domain Name System (DNS) errors.
 * 2) Method 2: Synchronize the time between computers.
 * 3) Method 3: Check the Access this computer from the network user rights.
 * 4) Method 4: Verify that the domain controller's userAccountControl attribute is 532480.
 * 5) Method 5: Fix the Kerberos realm (confirm that the PolAcDmN registry key and the PolPrDmN registry key match).
 * 6) Method 6: Reset the machine account password, and then obtain a new Kerberos ticket.

Method 1: Fix DNS errors
 At a command prompt, run the netdiag -v command. This command creates a Netdiag.log file in the folder where the command was run. Resolve any DNS errors in the Netdiag.log file before you continue. The Netdiag tool is in the Windows 2000 Server Support Tools on the Windows 2000 Server CD-ROM or as a download. To download the Windows 2000 Server Support Tools, visit the following Microsoft Web site:

http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/supporttools.mspx

 Make sure that DNS is configured correctly. One of the most common DNS mistakes is to point the domain controller to an Internet Service Provider (ISP) for DNS instead of pointing DNS to itself or to another DNS server that supports dynamic updates and SRV records. We recommend that you point the domain controller to itself or to another DNS server that supports dynamic updates and SRV records. We recommend that you set up forwarders to the ISP for name resolution on the Internet.

For more information about configuring DNS for Active Directory directory service, click the following article numbers to view the articles in the Microsoft Knowledge Base:

291382 Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS

237675 Setting up the Domain Name System for Active Directory

254680 DNS namespace planning

255248 How to create a child domain in Active Directory and delegate the DNS namespace to the child domain

Method 2: Synchronize the time between computers
Verify that the time is correctly synchronized between domain controllers. Additionally, verify that the time is correctly synchronized between client computers and domain controllers.

For more information about how to configure the Windows Time service, click the following article numbers to view the articles in the Microsoft Knowledge Base:

258059 How to synchronize the time on a Windows 2000-based computer in a Windows NT 4.0 domain

216734 How to configure an authoritative time server in Windows 2000

Method 3: Check the &quot;Access this computer from the network&quot; user rights
Modify the Gpttmpl.inf file to confirm that the appropriate users have the Access this computer from the network user right on the domain controller. To do this, follow these steps:
 * 1) Modify the Gpttmpl.inf file for the Default Domain Controllers Policy. By default, the Default Domain Controllers Policy is where user rights are defined for a domain controller. By default, the Gpttmpl.inf file for the Default Domain Controllers Policy is located in the following folder.

Note Sysvol may be in a different location, but the path for the Gpttmpl.inf file will be the same.

For Windows Server 2003 domain controllers:

C:\WINDOWS\Sysvol\Sysvol\\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf

For Windows 2000 Server domain controllers:

C:\WINNT\Sysvol\Sysvol\\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
 * 1) To the right of the SeNetworkLogonRight entry, add the security identifiers for Administrators, for Authenticated Users, and for Everyone. See the following examples.

For Windows Server 2003 domain controllers:

SeNetworkLogonRight = *S-1-5-32-554,*S-1-5-9,*S-1-5-32-544,*S-1-1-0

For Windows 2000 Server domain controllers:

SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-1-0

Note Administrators (S-1-5-32-544), Authenticated Users (S-1-5-11), Everyone (S-1-1-0), and Enterprise Controllers (S-1-5-9) use well-known security identifiers that are the same in every domain.
 * 1) Remove any entries to the right of the SeDenyNetworkLogonRight entry (Deny access to this computer from the network) to match the following example.

SeDenyNetworkLogonRight =

Note The example is the same for Windows 2000 Server and for Windows Server 2003.

By default, Windows 2000 Server has no entries in the SeDenyNetworkLogonRight entry. By default, Windows Server 2003 has only the Support_ account in the SeDenyNetworkLogonRight entry. (The Support_ account is used by Remote Assistance.) Because the Support_  account uses a different security identifier (SID) in every domain, the account is not easily distinguishable from a typical user account just by looking at the SID. You may want to copy the SID to another text file, and then remove the SID from the SeDenyNetworkLogonRight entry. That way, you can put it back when you are finished troubleshooting the problem.

SeNetworkLogonRight and SeDenyNetworkLogonRight can be defined in any policy. If the previous steps do not resolve the issue, check the Gpttmpl.inf file in other policies in Sysvol to confirm that the user rights are not also being defined there. If a Gpttmpl.inf file contains no reference to SeNetworkLogonRight or to SeDenyNetworkLogonRight, those settings are not defined in the policy and that policy is not causing this issue. If those entries do exist, make sure that they match the settings listed earlier for the Default Domain Controller policy.

Method 4: Verify that the domain controller's userAccountControl attribute is 532480

 * 1) Click Start, click Run, and then type adsiedit.msc.
 * 2) Expand Domain NC, expand DC= , and then expand OU=Domain Controllers.
 * 3) Right-click the affected domain controller, and then click Properties.
 * 4) In Windows Server 2003, click to select the Show mandatory attributes check box and the Show optional attributes check box on the Attribute Editor tab. In Windows 2000 Server, click Both in the Select which properties to view box.
 * 5) In Windows Server 2003, click userAccountControl in the Attributes box. In Windows 2000 Server, click userAccountControl in the Select a property to view box.
 * 6) If the value is not 532480, type 532480 in the Edit Attribute box, click Set, click Apply, and then click OK.
 * 7) Quit ADSI Edit.

Method 5: Fix the Kerberos realm (confirm that the PolAcDmN registry key and the PolPrDmN registry key match)
Note This method is valid only for Windows 2000 Server.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
 * 1) Start Registry Editor.
 * 2) In the left pane, expand Security.
 * 3) On the Security menu, click Permissions to grant the Administrators local group Full Control of the SECURITY hive and its child containers and objects.
 * 4) Locate the HKEY_LOCAL_MACHINE\SECURITY\Policy\PolPrDmN key.
 * 5) In the right pane of Registry Editor, click the : REG_NONE entry one time.
 * 6) On the View menu, click Display Binary Data. In the Format section of the dialog box, click Byte.
 * 7) The domain name appears as a string in the right side of the Binary Data dialog box. The domain name is the same as the Kerberos realm.
 * 8) Locate the HKEY_LOCAL_MACHINE\SECURITY\Policy\PolACDmN registry key.
 * 9) In the right pane of Registry Editor, double-click the : REG_NONE entry.
 * 10) In the Binary Editor dialog box, paste the value from PolPrDmN. (The value from PolPrDmN will be the NetBIOS domain name).
 * 11) Restart the domain controller.

Method 6: Reset the machine account password, and then obtain a new Kerberos ticket

 * 1) Stop the Kerberos Key Distribution Center service, and then set the startup value to Manual.
 * 2) Use the Netdom tool from the Windows 2000 Server Support Tools or from the Windows Server 2003 Support Tools to reset the domain controller's machine account password:

netdom resetpwd /server: /userd:domain\administrator /passwordd:

Make sure that the netdom command is returned as completed successfully. If it is not, the command did not work. For the domain Contoso, where the affected domain controller is DC1, and a working domain controller is DC2, you run the following netdom command from the console of DC1:

netdom resetpwd /server:DC2 /userd:contoso\administrator /passwordd:
 * 1) Restart the affected domain controller.
 * 2) Start the Kerberos Key Distribution Center service, and then set the startup setting to Automatic.

For more information about this issue, click the following article numbers to view the articles in the Microsoft Knowledge Base:

325322 &quot;The server is not operational&quot; error message when you try to open Exchange System Manager

284929 Cannot start Active Directory snap-ins; error message states that no authority could be contacted for authentication

257623 The DNS suffix of the computer name of a new domain controller may not match the name of the domain after you install upgrade a Windows NT 4.0 Primary domain controller to Windows 2000

257346 &quot;Access This Computer from the Network&quot; user right causes tools not to work

316710 Disabled Kerberos key distribution prevents Exchange services from starting

329642 Error messages when you open Active Directory snap-ins and Exchange System Manager

272686 Error messages occur when Active Directory Users and Computers snap-in is opened

323542 You cannot start the Active Directory Users and Computers tool because the server is not operational

329887 You cannot interact with Active Directory MMC snap-ins

325465 Windows 2000 domain controllers require SP3 or later when using Windows Server 2003 administration tools

322267 Removing Client for Microsoft Networks removes other services

297234 Time difference exists between the client and the server

247151 Down-level domain users may receive an error message when starting MMC snap-ins

280833 Failure to specify all DNS zones in proxy client leads to DNS failures that are difficult to track

322307 Cannot start Exchange Services or Active Directory snap-ins after you install Service Pack 2 (SP2) for Windows 2000

Keywords: kbactivedirectoryrepl kbactivedirectory kbevent kbtshoot kberrmsg KB837513

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.