Sign in with
Sign up | Sign in
Your question

Problems with DC & Client PCs suddenly cannot access any I..

Tags:
  • Domain Controller
  • Active Directory
  • Windows
Last response: in Windows 2000/NT
Share
Anonymous
September 8, 2005 8:11:10 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi we’re having big problems with our Domain Controller (Windows Server 2000)
and i hope this could be resolved asap. The symptoms of it is :-

1.Suddenly client PCs cannot browse Internet (whether via proxy or direct
connection to Internet). Received Page Not Found error.(If IP released &
renewed then it's ok for few minutes)

2.On the Domain Controller- cannot open Active Directory Users and
Computers, gives an error message "Naming information cannot be located
because: The Server is not operational"

3.If we try opening the ADUC, right-click on domain and select Operation
Master, it shows no operations master.

4.If we reboot the Domain Controller, everything works fine on DC, but the
clients have to be rebooted also.

See error from event viewer below:-

- Event ID :1000 - Windows cannot determine the user or computer name.
Return value (14).

- Event ID :1000 - Windows could not execute \\uplandsdc1\NETLOGON\login.bat
due to the following error: The system cannot find the file specified.

- Event ID :1000 - Windows cannot connect to uplands.org with (0x0).

- Event ID :1000 - Windows cannot query for the list of Group Policy objects
.. A message that describes the reason for this was previously logged by this
policy engine.

- Event ID :36872 - No suitable default server credential exists on this
system. This will prevent server applications that expect to make use of the
system default credentials from accepting SSL connections. An example of such
an application is the directory server. Applications that manage their own
credentials, such as the internet information server, are not affected by
this.

- Event ID :8021 – The browser was unable to retrieve a list of servers from
the browser master \\UPLANDSDC1 on the network
\Device\NetBT_Tcpip_{98A03878-3C9E-4F49-B902-4CA612900128}. The data is the
error code.

- Event ID :1053 – Windows cannot determine the user or computer name. (Not
enough storage is available to complete this operation. ). Group Policy
processing aborted.

- Event ID :1058 – Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=uplands,DC=org.
The file must be present at the location
<\\uplands.org\sysvol\uplands.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(Configuration information could not be read from the domain controller,
either because the machine is unavailable, or access has been denied. ).
Group Policy processing aborted.

- Event ID :1030 – Windows cannot query for the list of Group Policy
objects. Check the event log for possible messages previously logged by the
policy engine that describes the reason for this.

Please help or advise.
Thanking you in Advance.
--
The International School of Penang (Uplands)

More about : problems client pcs suddenly access

Anonymous
September 8, 2005 2:08:13 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

In news:7C5B0CE1-09DB-4329-825F-782F73A8B967@microsoft.com,
aznan <aznan@discussions.microsoft.com> made this post, which I then
commented about below:
> Hi we're having big problems with our Domain Controller (Windows
> Server 2000) and i hope this could be resolved asap. The symptoms of
> it is :-
>
> 1.Suddenly client PCs cannot browse Internet (whether via proxy or
> direct connection to Internet). Received Page Not Found error.(If IP
> released & renewed then it's ok for few minutes)
>
> 2.On the Domain Controller- cannot open Active Directory Users and
> Computers, gives an error message "Naming information cannot be
> located because: The Server is not operational"
>
> 3.If we try opening the ADUC, right-click on domain and select
> Operation Master, it shows no operations master.
>
> 4.If we reboot the Domain Controller, everything works fine on DC,
> but the clients have to be rebooted also.
>
> See error from event viewer below:-
>
> - Event ID :1000 - Windows cannot determine the user or computer name.
> Return value (14).
>
> - Event ID :1000 - Windows could not execute
> \\uplandsdc1\NETLOGON\login.bat due to the following error: The
> system cannot find the file specified.
>
> - Event ID :1000 - Windows cannot connect to uplands.org with (0x0).
>
> - Event ID :1000 - Windows cannot query for the list of Group Policy
> objects . A message that describes the reason for this was previously
> logged by this policy engine.
>
> - Event ID :36872 - No suitable default server credential exists on
> this system. This will prevent server applications that expect to
> make use of the system default credentials from accepting SSL
> connections. An example of such an application is the directory
> server. Applications that manage their own credentials, such as the
> internet information server, are not affected by this.
>
> - Event ID :8021 - The browser was unable to retrieve a list of
> servers from the browser master \\UPLANDSDC1 on the network
> \Device\NetBT_Tcpip_{98A03878-3C9E-4F49-B902-4CA612900128}. The data
> is the error code.
>
> - Event ID :1053 - Windows cannot determine the user or computer
> name. (Not enough storage is available to complete this operation. ).
> Group Policy processing aborted.
>
> - Event ID :1058 - Windows cannot access the file gpt.ini for GPO
> CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=uplands,DC=org.
> The file must be present at the location
> <\\uplands.org\sysvol\uplands.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
> (Configuration information could not be read from the domain
> controller, either because the machine is unavailable, or access has
> been denied. ). Group Policy processing aborted.
>
> - Event ID :1030 - Windows cannot query for the list of Group Policy
> objects. Check the event log for possible messages previously logged
> by the policy engine that describes the reason for this.
>
> Please help or advise.
> Thanking you in Advance.

These are all symptoms of and indicative of a misconfigured DNS
infrastructure, possible single label DNS domain name, mixing ISP and
internal DNS on the DCs and clients, etc.

Due to the numerous possible causes, can you provide some info to better
nail it down please, such as:

1. Unedited ipconfig /all of one of the DCs and one of the clients.
2. The exact zone name spellng in DNS and whether updates are allowed on the
zone.
3. The AD DNS domain name as it shows up in ADUC.
4. If the SRV records exist under your zone.


Thanks,

--
Regards,
Ace

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
Anonymous
September 9, 2005 9:56:02 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi , thanks for the reply , i have prepared all of your requested information
but all of them is screen shots , is there a way of attaching a .doc file
together with this post or do you have any email address so that i can email
you the attachment with screen shots. Please help we're actually in a deep
problem

Thanking you in Advance

--
The International School of Penang (Uplands)


"Ace Fekay [MVP]" wrote:

> In news:7C5B0CE1-09DB-4329-825F-782F73A8B967@microsoft.com,
> aznan <aznan@discussions.microsoft.com> made this post, which I then
> commented about below:
> > Hi we're having big problems with our Domain Controller (Windows
> > Server 2000) and i hope this could be resolved asap. The symptoms of
> > it is :-
> >
> > 1.Suddenly client PCs cannot browse Internet (whether via proxy or
> > direct connection to Internet). Received Page Not Found error.(If IP
> > released & renewed then it's ok for few minutes)
> >
> > 2.On the Domain Controller- cannot open Active Directory Users and
> > Computers, gives an error message "Naming information cannot be
> > located because: The Server is not operational"
> >
> > 3.If we try opening the ADUC, right-click on domain and select
> > Operation Master, it shows no operations master.
> >
> > 4.If we reboot the Domain Controller, everything works fine on DC,
> > but the clients have to be rebooted also.
> >
> > See error from event viewer below:-
> >
> > - Event ID :1000 - Windows cannot determine the user or computer name.
> > Return value (14).
> >
> > - Event ID :1000 - Windows could not execute
> > \\uplandsdc1\NETLOGON\login.bat due to the following error: The
> > system cannot find the file specified.
> >
> > - Event ID :1000 - Windows cannot connect to uplands.org with (0x0).
> >
> > - Event ID :1000 - Windows cannot query for the list of Group Policy
> > objects . A message that describes the reason for this was previously
> > logged by this policy engine.
> >
> > - Event ID :36872 - No suitable default server credential exists on
> > this system. This will prevent server applications that expect to
> > make use of the system default credentials from accepting SSL
> > connections. An example of such an application is the directory
> > server. Applications that manage their own credentials, such as the
> > internet information server, are not affected by this.
> >
> > - Event ID :8021 - The browser was unable to retrieve a list of
> > servers from the browser master \\UPLANDSDC1 on the network
> > \Device\NetBT_Tcpip_{98A03878-3C9E-4F49-B902-4CA612900128}. The data
> > is the error code.
> >
> > - Event ID :1053 - Windows cannot determine the user or computer
> > name. (Not enough storage is available to complete this operation. ).
> > Group Policy processing aborted.
> >
> > - Event ID :1058 - Windows cannot access the file gpt.ini for GPO
> > CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=uplands,DC=org.
> > The file must be present at the location
> > <\\uplands.org\sysvol\uplands.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
> > (Configuration information could not be read from the domain
> > controller, either because the machine is unavailable, or access has
> > been denied. ). Group Policy processing aborted.
> >
> > - Event ID :1030 - Windows cannot query for the list of Group Policy
> > objects. Check the event log for possible messages previously logged
> > by the policy engine that describes the reason for this.
> >
> > Please help or advise.
> > Thanking you in Advance.
>
> These are all symptoms of and indicative of a misconfigured DNS
> infrastructure, possible single label DNS domain name, mixing ISP and
> internal DNS on the DCs and clients, etc.
>
> Due to the numerous possible causes, can you provide some info to better
> nail it down please, such as:
>
> 1. Unedited ipconfig /all of one of the DCs and one of the clients.
> 2. The exact zone name spellng in DNS and whether updates are allowed on the
> zone.
> 3. The AD DNS domain name as it shows up in ADUC.
> 4. If the SRV records exist under your zone.
>
>
> Thanks,
>
> --
> Regards,
> Ace
>
> If this post is viewed at a non-Microsoft community website, and you were to
> respond to it through that community's website, I may not see your reply.
> Therefore, please direct all replies ONLY to the Microsoft public newsgroup
> this thread originated in so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
> Infinite Diversities in Infinite Combinations.
> =================================
>
>
>
Related resources
Anonymous
September 10, 2005 3:01:51 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

In news:920D653E-8121-47E4-BF1C-224096B96218@microsoft.com,
aznan <aznan@discussions.microsoft.com> made this post, which I then
commented about below:
> Hi , thanks for the reply , i have prepared all of your requested
> information but all of them is screen shots , is there a way of
> attaching a .doc file together with this post or do you have any
> email address so that i can email you the attachment with screen
> shots. Please help we're actually in a deep problem
>
> Thanking you in Advance

My email address is stated as firstnamelastname@hotmail.com. Just replace my
actual first name and last name.

Ace
Anonymous
September 11, 2005 9:24:06 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

hi, i just sent the screen shots to your email address.

Thank you very much for your help

--
The International School of Penang (Uplands)


"Ace Fekay [MVP]" wrote:

> In news:920D653E-8121-47E4-BF1C-224096B96218@microsoft.com,
> aznan <aznan@discussions.microsoft.com> made this post, which I then
> commented about below:
> > Hi , thanks for the reply , i have prepared all of your requested
> > information but all of them is screen shots , is there a way of
> > attaching a .doc file together with this post or do you have any
> > email address so that i can email you the attachment with screen
> > shots. Please help we're actually in a deep problem
> >
> > Thanking you in Advance
>
> My email address is stated as firstnamelastname@hotmail.com. Just replace my
> actual first name and last name.
>
> Ace
>
>
>
Anonymous
September 14, 2005 7:04:05 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi , can anyone help me with these problems...
--
The International School of Penang (Uplands)


"aznan" wrote:

> hi, i just sent the screen shots to your email address.
>
> Thank you very much for your help
>
> --
> The International School of Penang (Uplands)
>
>
> "Ace Fekay [MVP]" wrote:
>
> > In news:920D653E-8121-47E4-BF1C-224096B96218@microsoft.com,
> > aznan <aznan@discussions.microsoft.com> made this post, which I then
> > commented about below:
> > > Hi , thanks for the reply , i have prepared all of your requested
> > > information but all of them is screen shots , is there a way of
> > > attaching a .doc file together with this post or do you have any
> > > email address so that i can email you the attachment with screen
> > > shots. Please help we're actually in a deep problem
> > >
> > > Thanking you in Advance
> >
> > My email address is stated as firstnamelastname@hotmail.com. Just replace my
> > actual first name and last name.
> >
> > Ace
> >
> >
> >
Anonymous
September 14, 2005 10:22:25 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

In news:0DE224B4-7067-41D5-B850-8381FF0E46B2@microsoft.com,
aznan <aznan@discussions.microsoft.com> made this post, which I then
commented about below:
> Hi , can anyone help me with these problems...
>
>> hi, i just sent the screen shots to your email address.
>>
>> Thank you very much for your help

Did you receive my email reply?

Ace
Anonymous
September 14, 2005 10:26:06 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

In news:0DE224B4-7067-41D5-B850-8381FF0E46B2@microsoft.com,
aznan <aznan@discussions.microsoft.com> made this post, which I then
commented about below:
> Hi , can anyone help me with these problems...

Aznan,

Here was my reply to your email from 9/11 in case you did not receive it.


----- Original Message -----
From: Ace Fekay
To: Aznan
Sent: Sunday, September 11, 2005 11:52 PM
Subject: Re: Requested info from Uplands School
Thanks for sending me the info. All the configuration info actually looks
fine. I am surprised all the issues that have suddenly arised assuming it
was all working fine in the past.

btw- What is (Mdaemon) ? What email service are you using? I assume it's not
Exchange?

Also, your original post said thru Proxy or direct. Are you using MS Proxy,
ISA or another vendor? Is there software that needs to be installed on the
client too?

Were you trying to install MSDE or SQL on a DC? May I ask why?

What was the very last thing that was installed, changed, or updated on ANY
machine, including the DCs, and your Proxy (or whatever it is), routers,
etc, PRIOR to all of the errors?

Ace
Anonymous
September 14, 2005 10:26:07 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Ace , i've got your email dated 11th Sept 2005 and i've replied to that
email:- see below

From: "Aznan" <aznan@uplands.org>
To: acefekay@hotmail.com
Date: 14/09/2005 06:04 PM
Subject: Fwd: Re: Requested info from Uplands School


Hi Ace , are you still working with my case ?

Sorry for keep on bothering you , i'm actually in desperate.
Regards
Aznan


-----Original Message-----
From: "Aznan" <aznan@uplands.org>
To: "Ace Fekay" <acefekay@hotmail.com>
Date: Tue, 13 Sep 2005 08:33:50 +0800
Subject: Re: Requested info from Uplands School

Ace , thanks for your prompt reply. We're using ISA Server as our proxy
server, no software needs to be installed at clients.

MSDE is required and is automatically installed when we install SurfControl
(Web Filter), ISA, Sophos (Anti-Virus).

The last changes was as attached in my previous email (Compile Changes Made
to DCs.doc). Let me know if you need another copy.

Thanks
Aznan

--
The International School of Penang (Uplands)


"Ace Fekay [MVP]" wrote:

> In news:0DE224B4-7067-41D5-B850-8381FF0E46B2@microsoft.com,
> aznan <aznan@discussions.microsoft.com> made this post, which I then
> commented about below:
> > Hi , can anyone help me with these problems...
>
> Aznan,
>
> Here was my reply to your email from 9/11 in case you did not receive it.
>
>
> ----- Original Message -----
> From: Ace Fekay
> To: Aznan
> Sent: Sunday, September 11, 2005 11:52 PM
> Subject: Re: Requested info from Uplands School
> Thanks for sending me the info. All the configuration info actually looks
> fine. I am surprised all the issues that have suddenly arised assuming it
> was all working fine in the past.
>
> btw- What is (Mdaemon) ? What email service are you using? I assume it's not
> Exchange?
>
> Also, your original post said thru Proxy or direct. Are you using MS Proxy,
> ISA or another vendor? Is there software that needs to be installed on the
> client too?
>
> Were you trying to install MSDE or SQL on a DC? May I ask why?
>
> What was the very last thing that was installed, changed, or updated on ANY
> machine, including the DCs, and your Proxy (or whatever it is), routers,
> etc, PRIOR to all of the errors?
>
> Ace
>
>
>
>
>
>
Anonymous
September 14, 2005 11:53:01 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

In news:6BB46EDA-F247-4B1D-84DA-E934FACD4C24@microsoft.com,
aznan <aznan@discussions.microsoft.com> made this post, which I then
commented about below:
> Ace , i've got your email dated 11th Sept 2005 and i've replied to
> that email:- see below
>
> From: "Aznan" <aznan@uplands.org>
> To: acefekay@hotmail.com
> Date: 14/09/2005 06:04 PM
> Subject: Fwd: Re: Requested info from Uplands School
>
>
> Hi Ace , are you still working with my case ?
>
> Sorry for keep on bothering you , i'm actually in desperate.
> Regards
> Aznan
>
<snip>
> Ace , thanks for your prompt reply. We're using ISA Server as our
> proxy server, no software needs to be installed at clients.
>
> MSDE is required and is automatically installed when we install
> SurfControl (Web Filter), ISA, Sophos (Anti-Virus).
>
> The last changes was as attached in my previous email (Compile
> Changes Made to DCs.doc). Let me know if you need another copy.
>
> Thanks
> Aznan

Sorry for being late. Putting some fires out.

Wow, you have two major applications running on this domain controller. I
didn't realize you have that installed. Now I understand why the possible
problems. I'm starting to think it's either ISA and/or SurfControl causing
it.

Did you just install them on there or have they been on there? Curious, how
long have either of these apps been installed on the DC? Was DC
functionality working in the past with these apps installed? Was there a
setting change on ISA or SurfControl recently been made? Is the ISA Lat
correct?

I noticed the DC has only one NIC in your ipconfig /all, so that indicates
ISA is not being used for firewall or Secure NAT services, so I am assuming
you're using it as a Proxy for web control only. If so, why then is
SurfControl being used?

What is "mdaemon" that you mentioned in the "compile changes made to DC.doc"
file?

The reason I believe it's either ISA or SurfControl, is because all of a
sudden, IE doesn't work properly and you had to reinstall IE to get it to
work. That indicates either you installed the Firewall client on the DC or
SurfControl made some changes to IE. I believe ISA is also blocking clients
from accessing the DC's AD services. Plus the server service and netlogon
service are both required services for AD, maybe one of those apps is
curtailing access. Especially with those Event ID 1000's you mentioned,
which are indicative of AD communication failure.

Normally for services such as these, we *highly* recommend to NOT install
them on a DC. This is actually a golden rule for any application on a DC,
including Exchange, SQL, and anything else.

Curious, if you uninstalled ISA and SurfControl off this DC, does it work?
After all of this time, it may be prudent to test this. It won't take that
long. It will help to pinpoint what is NOT causing it.

Ace
Anonymous
September 14, 2005 11:55:26 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

In news:6BB46EDA-F247-4B1D-84DA-E934FACD4C24@microsoft.com,
aznan <aznan@discussions.microsoft.com> made this post, which I then
commented about below:
<snip>

I just wanted to add, we usually recommend to let a DC be a DC to service
your infrastructure's needs. For other services, it's hihgly recommended to
install them on a member server. I've seen many issues from 3rd party apps
installed or not configured properly cause major issues on a DC, especially
ISA service if the LAT is incorrect or allowed ports are not properly
opened, (which there are 30 of them for AD functionality)

Ace
Anonymous
September 15, 2005 5:56:07 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi Ace,

ISA/SurfControl has been running for many months without problem. We
reinstall ISA/SurfControl because we've been using evaluation version of ISA,
and our license copy has arrived.

ISA act as our proxy server, SurfControl provide web filtering.

MDaemon is our email server.

Interestingly, the DCs has been working fine since last Thursday. It makes
me suspect it's not ISA/SurfControl problem coz no settings has been changed.
The only change i can recall is the DNS setting for the NIC Card on DC1, it
used to point to itself as primary DNS, and point to DC2 as secondary DNS,
just for testing purposes, we've change both primary and secondary DNS to
point to DC2. make me wonder whether the DNS Server at DC1 is having problem.

Current Setting:

DC1 NIC Card - primary dns is DC2, secondary dns is DC2
DC2 NIC Card - primary dns is DC1, secondary dns is DC2
Both DNS Servers use forwarder - point to Internet DNS Servers.
DC1 DNS Server is the master and accept dynamic updates.

--
The International School of Penang (Uplands)


"Ace Fekay [MVP]" wrote:

> In news:6BB46EDA-F247-4B1D-84DA-E934FACD4C24@microsoft.com,
> aznan <aznan@discussions.microsoft.com> made this post, which I then
> commented about below:
> <snip>
>
> I just wanted to add, we usually recommend to let a DC be a DC to service
> your infrastructure's needs. For other services, it's hihgly recommended to
> install them on a member server. I've seen many issues from 3rd party apps
> installed or not configured properly cause major issues on a DC, especially
> ISA service if the LAT is incorrect or allowed ports are not properly
> opened, (which there are 30 of them for AD functionality)
>
> Ace
>
>
>
Anonymous
September 15, 2005 10:26:05 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

In news:EF9FC6EE-14DF-40F8-A5EF-9C7A68154E4F@microsoft.com,
aznan <aznan@discussions.microsoft.com> made this post, which I then
commented about below:
> Hi Ace,
>
> ISA/SurfControl has been running for many months without problem. We
> reinstall ISA/SurfControl because we've been using evaluation version
> of ISA, and our license copy has arrived.
>
> ISA act as our proxy server, SurfControl provide web filtering.
>
> MDaemon is our email server.
>
> Interestingly, the DCs has been working fine since last Thursday. It
> makes me suspect it's not ISA/SurfControl problem coz no settings has
> been changed. The only change i can recall is the DNS setting for the
> NIC Card on DC1, it used to point to itself as primary DNS, and point
> to DC2 as secondary DNS, just for testing purposes, we've change both
> primary and secondary DNS to point to DC2. make me wonder whether the
> DNS Server at DC1 is having problem.
>
> Current Setting:
>
> DC1 NIC Card - primary dns is DC2, secondary dns is DC2
> DC2 NIC Card - primary dns is DC1, secondary dns is DC2
> Both DNS Servers use forwarder - point to Internet DNS Servers.
> DC1 DNS Server is the master and accept dynamic updates.

Maybe when you reinstalled ISA and/or SurfControl (I am assuming you are
referring to two separate products and using evals of each product), maybe
you didn't re-set the settings. Honestly, I would not use a DC for this,
whether it was working or not. Any machine that will interact with the
Internet on behalf of your clients is subject to attack. You don't want your
DCs to be the pawns in this war.

If you make the zone AD Integrated, does the error disappear on DC1 or more
accurately, will DC1 work?

Ace
!