
Logon Domain = Access Denied 1

Status
Not open for further replies.

jade1001

Technical User
Aug 29, 2001
100
US
Greetings,

We have a Win2k Server that is our Primary Domain Controller, WINS, IIS, and is a our login/Active Directory Server. Our Win2k Server has been behaving itself for the most part. No major problems... until now.

The problem is complicated and I am still not sure exactly what/where the problem is, so let me explain the symptoms.

Symptom #1:
A user who is logged into the domain on a Windows 2000 Professional workstation cannot access file shares on the server. But if the computer disjoins the domain and is in a workgroup, they can access these shares fine. When the user rejoins the domain, at the very moment before they restart their computer, they can access the server, but as soon as they restart and get back into Windows they cannot. They get the following error message:

“<COMPUTERNAME> is not accessible.
There are currently no logon servers available to service the login request.”

Symptom #2:
--Occurs when the user goes to Users and Passwords in the Control Panel and tries to add domain users to their local workstation. They get the famous error message that reads:

“The user could not be added because the following error has occurred:
The trust relationship between this workstation and the primary domain failed.”

The usual fix has always been to disjoin the workstation from the domain and put it in the workgroup “WORKGROUP”, delete the computer object out of Active Directory, reboot the workstation, and finally have it rejoin the domain to recreate the trust relationship. But this fix appears not to work anymore. Of course, at that very moment, if you don’t restart the computer when it asks you to after joining the domain, you can add domain users to the local workstation from Users and Passwords. But when you restart and log into the domain again, the user is unable to access the server. Almost as if rebooting breaks the trust relationship.

Symptom #3:
-- Occurs when the user tries to access another workstation, say in a workgroup. When the user is logged into the domain and tries to access a file share on another co-worker's workstation that they have had access to before this mess happened, they get the same error message as described in problem 2.


I've also made some observations:

The weird thing is that at the onset of these problems it was intermittent. Only one workstation exhibited it. Now all the computers in the domain have this problem. Thankfully it is Sunday, 4 a.m. (tomorrow I will call in sick unless I find a solution:) )

Another observation is that no changes have occurred on the PDC that would have invoked this problem. The only change that has occurred is Windows Updates; it does them automatically. Another change on our network as a whole is the introduction of an XServe. That thing was a B*^%$ to make communicate with the AD. But no changes were made to the PDC server to make the XServe communicate with it.

Third observation is the System event log in the PDC server is filled with the following errors repetitiously:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5774
Date: 6/8/2003
Time: 3:54:48 AM
User: N/A
Computer: XXXX
Description:
Registration of the DNS record '_kpasswd._udp.coll.univ.edu. 600 IN SRV 0 100 464 servname.coll.univ.edu.' failed with the following error:
DNS server unable to interpret format.
Data:
0000: 29 23 00 00 )#..

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5774
Date: 6/8/2003
Time: 3:54:48 AM
User: N/A
Computer: XXXX
Description:
Registration of the DNS record '_kpasswd._tcp.coll.univ.edu. 600 IN SRV 0 100 464 servername.coll.univ.edu.' failed with the following error:
DNS server unable to interpret format.
Data:
0000: 29 23 00 00 )#..

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5774
Date: 6/8/2003
Time: 3:54:48 AM
User: N/A
Computer: XXXX
Description:
Registration of the DNS record '_kerberos._udp.coll.univ.edu. 600 IN SRV 0 100 88 servname.coll.univ.edu.' failed with the following error:
DNS server unable to interpret format.
Data:
0000: 29 23 00 00 )#..

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5774
Date: 6/8/2003
Time: 3:54:48 AM
User: N/A
Computer: XXXX
Description:
Registration of the DNS record '_gc._tcp.Default-First-Site-Name._sites.coll.univ.edu. 600 IN SRV 0 100 3268 servname.coll.univ.edu.' failed with the following error:
DNS server unable to interpret format.
Data:
0000: 29 23 00 00 )#..


Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5774
Date: 6/8/2003
Time: 3:54:47 AM
User: N/A
Computer: XXXX
Description:
Registration of the DNS record '_kerberos._tcp.Default-First-Site-Name._sites.coll.univ.edu. 600 IN SRV 0 100 88 servname.coll.univ.edu.' failed with the following error:
DNS server unable to interpret format.
Data:
0000: 29 23 00 00 )#..

On the client end the following System event logs are being logged:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5788
Date: 6/8/2003
Time: 3:58:24 AM
User: N/A
Computer: Userscomputer
Description:
Attempt to update HOST Service Principal Names (SPNs) of the computer object in Active Directory failed. The updated values were '<UNAVAILABLE>' and '<UNAVAILABLE>'. The following error occurred:
Could not find the domain controller for this domain.
Data:
0000: 74 07 00 00 t...

Applications Event Log on client computer shows:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 6/8/2003
Time: 4:01:31 AM
User: NT AUTHORITY\SYSTEM
Computer: Userscomputer
Description:
Windows cannot determine the user or computer name. Return value (1908).

Event Type: Information
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 6/8/2003
Time: 3:56:05 AM
User: NT AUTHORITY\SYSTEM
Computer: Userscomputer
Description:
Windows could not save the registry settings in your user profile on its first try because another program or service was editing them. Windows tried again and saved them after 8 attempts.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 6/8/2003
Time: 3:12:43 AM
User: NT AUTHORITY\SYSTEM
Computer: Userscomputer
Description:
Windows cannot unload your registry file. If you have a roaming profile, your settings are not replicated. Contact your administrator.

DETAIL - Access is denied. , Build number ((2195)).


My manager looked at these event logs and scratched his head. He said, “When I was taught DNS at school I was playing DOOM”. --In other words, I’m on my own.

Basically if the user logs into the domain they can’t access any computer file shares, almost as if they are using cached credentials. When the user logs in locally they can access everything. The problem with this is that none of our users log in locally. Most of our computers are in a lab classroom for public use.

I’m sorry if this post is too long but I want to make sure the reader has a clear picture of what is going on because I am not sure myself. If anyone has any suggestions, would like more details on something I might have left out, or have dealt with this sort of problem please let me know. I'm curious.

Thanks in Advance,
jade >:):O>
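The records pasted above are in the text layout Event Viewer produces when a record is copied out. As an added example, not part of the original poster's message, the Python below parses such pasted records, tallies them by source and event ID so the repeats stand out, and pulls the SRV record name, port and target out of each NETLOGON 5774 description, so the failed DNS registrations can be listed instead of read one record at a time. The sample log is constructed from records in this thread with the poster's placeholder host names; it is not data from a live system.

```python
import re
from collections import Counter

# Constructed sample in the text layout Windows 2000 Event Viewer produces when
# a record is copied out; the records mirror ones pasted in this thread, with the
# poster's placeholder host names, and do not come from a live system.
SAMPLE_LOG = """\
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5774
Date: 6/8/2003
Time: 3:54:48 AM
User: N/A
Computer: XXXX
Description:
Registration of the DNS record '_kpasswd._udp.coll.univ.edu. 600 IN SRV 0 100 464 servname.coll.univ.edu.' failed with the following error:
DNS server unable to interpret format.
Data:
0000: 29 23 00 00 )#..

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5774
Date: 6/8/2003
Time: 3:54:47 AM
User: N/A
Computer: XXXX
Description:
Registration of the DNS record '_kerberos._tcp.Default-First-Site-Name._sites.coll.univ.edu. 600 IN SRV 0 100 88 servname.coll.univ.edu.' failed with the following error:
DNS server unable to interpret format.
Data:
0000: 29 23 00 00 )#..

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 6/8/2003
Time: 4:01:31 AM
User: NT AUTHORITY\\SYSTEM
Computer: Userscomputer
Description:
Windows cannot determine the user or computer name. Return value (1908).
"""

# One "Field: value" header line; everything under "Description:" is free text.
FIELD_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
# SRV record quoted in a NETLOGON 5774 description: name TTL IN SRV prio weight port target
SRV_RE = re.compile(r"DNS record '(\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)'")


def parse_events(text):
    """Split pasted Event Viewer text into dicts; 'Description' is joined into one string."""
    events, current, in_desc = [], None, False
    for line in (l.rstrip() for l in text.splitlines()):
        if line.startswith("Event Type:"):          # every record opens with this field
            current, in_desc = {"Description": []}, False
            events.append(current)
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif line == "Description:":
            in_desc = True
        elif line.startswith("Data:"):               # hex dump follows; not part of the text
            in_desc = False
        elif in_desc and line:
            current["Description"].append(line)
    for e in events:
        e["Description"] = " ".join(e["Description"])
    return events


def count_by_source_and_id(events):
    """Tally records per (Event Source, Event ID) so repeated failures stand out."""
    return Counter((e.get("Event Source"), e.get("Event ID")) for e in events)


def failed_srv_registrations(events):
    """(record name, port, target) for each NETLOGON 5774 'Registration ... failed' record."""
    hits = []
    for e in events:
        if e.get("Event Source") == "NETLOGON" and e.get("Event ID") == "5774":
            m = SRV_RE.search(e["Description"])
            if m:
                hits.append((m.group(1), int(m.group(2)), m.group(3)))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (src, eid), n in count_by_source_and_id(evs).most_common():
        print(f"{src} {eid}: {n} record(s)")
    for name, port, target in failed_srv_registrations(evs):
        print(f"unregistered SRV {name} -> {target}:{port}")
```

Run against a full export, the SRV list shows which Kerberos, kpasswd, GC and LDAP locator records the DC failed to register and on which port; a client that cannot resolve those records cannot find a logon server, which is what the client-side 5788 records and the "no logon servers available" message describe.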

 
Hello,

Have you installed the Windows update 329170 / Q329170?

When this Windows update was installed on my PDC none of the network shares would work... uninstalled and everything worked fine...

...worth a look

mark
 
tomomark's suggestion is right on - delete that update first, and if things still don't come right, then any others installed since you implemented automatic updating.

DO NOT USE AUTOMATIC UPDATES ON A SERVER, MUCH LESS A DOMAIN CONTROLLER.

Here's a link about the liabilities of Windows Update. I recommend using HFNetchk from to check for updates. You can check all your servers from one machine. If you have lots of servers, it might be worth making your own Windows Update server, so that you can test patches and then deploy them yourself.


Finally, is DNS installed on the first ("PDC") domain controller in the domain? Or any of the domain controllers? If not, stick it on.
 
Thanks everyone for your helpful suggestions. I am going to recommend uninstalling those above-mentioned updates. I have been trying to talk my manager out of having it do automatic updates. Unfortunately he says he's the boss and it's his way or the highway.

So now, as I type this, he is in the process of uninstalling those updates and mumbling to himself about automated updates. (I told him it was his fault it's not working *cause* of those automated updates.) As it was uninstalling he clicked cancel right in the middle and messed up the uninstall process -- so now it is telling him Windows will not work properly... Heh Heh Heh...

BTW, this PDC does everything: DNS, WINS, DHCP, IIS, AD, the whole nine yards, except email -- thankfully. The way my manager is uninstalling things, I expect a BSoD at the end of the day.

I noticed something else this morning I should probably mention. I am responsible for a departmental server which is a web server and a file server only. I log into the domain at the console. (It is not configured to do automated updates, in case you're wondering.) It is unable to access the PDC as well, where it was able to before. I stopped the IPSec service and started it, and when attempting to connect to the PDC it worked. I did this because I got this error in the event log on my server:

Event Type: Error
Event Source: IPSEC
Event Category: None
Event ID: 4284
Date: 6/9/2003
Time: 7:58:06 AM
User: N/A
Computer: OTHERSEVER
Description:
Received 100 packet(s) in the clear from XXX.XXX.XX.XXX which should have been secured. This could be a temporary glitch; if it persists please stop and restart the IPSec Policy Agent service on this machine.
Data:
0000: 00 00 00 00 03 00 50 00 ......P.
0008: 00 00 00 00 bc 10 00 c0 ....¼..À
0010: 02 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

My brother is just now telling me that he made a change to the server. He kept getting the following error message when he tried to add a computer to the domain:

The following error occurred attempting to join the domain "capdksu":
Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have the limit reset or increased.

So he went in and made a change outlined in knowledge base article 251335, method 2:


Thanks everyone for responding to my post and giving us your help recommendations. I'll let you know how things turn out:)

Thanks,
jade >:):O>
 
Hello again,

We un-installed all updates that were installed in the month of May clear up to now and the problem still exists. We are finding that this problem not only happens to Win2k boxes but to XP boxes as well. I found stopping and restarting IPSec on our departmental server fixed the problem for a short period of time and then it would again resume not being able to access the PDC.

By freak accident I deleted one workstation out of the Computers folder in the Active Directory and that user had to rejoin the domain. And it was able to rejoin Ok with the same error messages I outline below later in this post. I don't know if this was because it was trusted before or what the deal is.

Maybe if we knew exactly what takes place when a machine joins the domain, we might be able to pinpoint which component is broken. Maybe someone out there knows.

We are thinking about making a service call to Microsoft and paying the $200 bucks. <-- Ack!

We ran a dcdiag and a netdiag and this is what it reported:

C:\>dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\SERVERNAME
Starting test: Connectivity
......................... SERVERNAME passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\SERVERNAME
Starting test: Replications
......................... SERVERNAME passed test Replications
Starting test: NCSecDesc
......................... SERVERNAME passed test NCSecDesc
Starting test: NetLogons
......................... SERVERNAME passed test NetLogons
Starting test: Advertising
......................... SERVERNAME passed test Advertising
Starting test: KnowsOfRoleHolders
......................... SERVERNAME passed test KnowsOfRoleHolders
Starting test: RidManager
......................... SERVERNAME passed test RidManager
Starting test: MachineAccount
......................... SERVERNAME passed test MachineAccount
Starting test: Services
......................... SERVERNAME passed test Services
Starting test: ObjectsReplicated
......................... SERVERNAME passed test ObjectsReplicated
Starting test: frssysvol
Error: No record of File Replication System, SYSVOL started.
The Active Directory may be prevented from starting.
......................... SERVERNAME passed test frssysvol
Starting test: kccevent
......................... SERVERNAME passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x0000165B
Time Generated: 06/10/2003 10:18:03
Event String: The session setup from the computer BLAWRENCE
......................... SERVERNAME failed test systemlog

Running enterprise tests on : dept.schoolname.edu
Starting test: Intersite
......................... dept.schoolname.edu passed test Intersite
Starting test: FsmoCheck
......................... dept.schoolname.edu passed test FsmoCheck

C:\>netdiag

............................................

Computer Name: SERVERNAME
DNS Host Name: servername.dept.schoolname.edu
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 6 Model 5 Stepping 2, GenuineIntel
List of installed hotfixes :
Q147222
Q295688
Q320206
Q321599
Q322842
Q322913
q323172
Q323255
Q324096
Q324380
Q326830
Q326886
Q327269
Q327696
Q328310
Q328523
Q329115
Q329170
Q329553
Q329834
Q331953
Q810030
Q810649
Q810833
Q811493
Q811630
Q814033
Q815021
Q816093


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : servername
IP Address . . . . . . . . : XXX.XXX.xx.xxx
Subnet Mask. . . . . . . . : XXX.XXX.xxx.x
Default Gateway. . . . . . : XXX.XXX.xx.xxx
Primary WINS Server. . . . : XXX.XXX.xx.xxx
Secondary WINS Server. . . : XXX.XXX.xx.xxx
Dns Servers. . . . . . . . : XXX.XXX.xx.xxx
XXX.XXX.xx.x
XXX.XXX.xx.xxx
XXX.XXX.xx.xx


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed

WINS service test. . . . . : Passed

Ipx configration
Network Number . . . . : 00000057
Node . . . . . . . . . : XXXXXXXXXXXX
Frame type . . . . . . : 802.3



Adapter : IPX Internal Interface

Netcard queries test . . . : Passed

Ipx configration
Network Number . . . . : 00000000
Node . . . . . . . . . : 000000000001
Frame type . . . . . . : Ethernet II



Adapter : IpxLoopbackAdapter

Netcard queries test . . . : Passed

Ipx configration
Network Number . . . . : 00000057
Node . . . . . . . . . : xxxxxxxxxxxx
Frame type . . . . . . : 802.2



Adapter : NDISWANIPX

Netcard queries test . . . : Passed

Ipx configration
Network Number . . . . : 00000000
Node . . . . . . . . . : xxxxxxxxxxxx
Frame type . . . . . . : Ethernet II




Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{E1DB0B7D-320B-4999-A06B-C207C5C0BA93}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server 'xxx.xxx.xx.xxx'.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server 'xxx.xxx.xxx.x'. Please wait for 30 minutes for DNS server replication.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server 'xxx.xxx.xx.xxx'. Please wait for 30 minutes for DNS server replication.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server 'xxx.xxx.xx.xx'. Please wait for 30 minutes for DNS server replication.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{E1DB0B7D-320B-4999-A06B-C207C5C0BA93}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{E1DB0B7D-320B-4999-A06B-C207C5C0BA93}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC 'servername.dept.schoolname.edu'.


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed


Netware configuration
You are not logged in to your preferred server .
Netware User Name. . . . . . . :
Netware Server Name. . . . . . :
Netware Tree Name. . . . . . . :
Netware Workstation Context. . :

IP Security test . . . . . . . . . : Passed
Local IPSec Policy Active: 'Server (Request Security)'


The command completed successfully


Since we've been stumped on this problem for a long time we decided to take a closer look at things. We decided to clear the event logs on the workstation end and have the workstation join a workgroup. --No error messages logged. Everything looks clean. Then we decided to have it join the domain again, and before rebooting we took a peek at the event log and got these two errors in the System log:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5789
Date: 6/9/2003
Time: 1:38:12 PM
User: N/A
Computer: WORKSTATION
Description:
Attempt to update DNS Host Name of the computer object in Active Directory failed. The updated value was 'workstation.coll.univ.edu'. The following error occurred:
The security context could not be established due to a failure in the requested quality of service (e.g. mutual authentication or delegation).
Data:
0000: 32 03 09 80 2..?

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5789
Date: 6/9/2003
Time: 1:38:12 PM
User: N/A
Computer: WORKSTATION
Description:
Attempt to update DNS Host Name of the computer object in Active Directory failed. The updated value was 'workstation.coll.univ.edu'. The following error occurred:
The security context could not be established due to a failure in the requested quality of service (e.g. mutual authentication or delegation).
Data:
0000: 32 03 09 80 2..?

I think the stuff after "The following error occurred:" is important because after I reboot the workstation these two errors will get logged over and over, except the text after "The following error occurred:" will now read, "Could not find the domain controller for this Domain".

If anyone has any suggestions or anything at all to share please let us know. If there's more info you need let me know that too. Anyone's help or reply is always appreciated.

Thanks,
jade >:):O>
 
Domain Suffix

Ok a couple more things...

Network connection properties...

Start > Settings > Network & Dial Up Connections > Right Click on your LAN Connection > Properties > Advanced > DNS > Domain Suffix

Check that's correct, and also check that the tick box below is checked: "Register this connection's address in DNS"

there is more...

Start > Settings > Control Panel > System > Network ID

Check domain suffix there.

also...

ipconfig /all

do that and post back!


Sorry if I offend you by telling you how to get to the control panel and that; I do apologise, but I provide technical support to computer customers over the phone...

...see my point? lol

Cheers
 
Tomomark,

I already checked all that. It was one of the first things I checked. It appears everything is as it should be.

I appreciate your post. Let me know if there's anything else I should check.

I am now examining the client end some more. I'll let you know what I find.

Thanks,
jade >:):O>
 
Are you forcing IPSEC or Secure signing in group policy on this server or at the domain OU or Site level? If so loosen those group policies a bit to see if it helps.
 
I figured it out!!! I ran the netdiag on one of the client workstations that was experiencing this problem and it reported:

Testing Kerberos authentication... Failed

DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to servname.coll.univ.edu (XXX.XXX.XX.XXX). [ERROR_DOMAIN_CONTROLLER_NOT_FOUND]

Kerberos test. . . . . . . . . . . : Failed
Cached Tickets:
Server: krbtgt/COLL.UNIV.EDU
End Time: 6/11/2003 15:50:26
Renew Time: 6/21/2003 8:50:26
[FATAL] Kerberos does not have a ticket for CLIENTCOMP$.

I did a search on Microsoft's website and found the following article 244474:


Applied this reg fix to the client machines that were experiencing this problem and they are now able to access everything they used to be able to access.

If you read that article it mentions UDP is the first protocol it uses. So now we are investigating our switches. It could be possible that at the University level they have applied some sort of "filter" which may affect this kind of packet. (I'll have to inform them we don't run Napster down here:) ) Basically we have found the problem but are investigating possible causes.

I decided to post this information in case anyone else out there may run into this problem. I know I was pounding my head on it for a week and a half. It may save someone some time in finding a resolution.

Thanks everyone for replying to my posts. Your support is always helpful.

Thanks,
jade >:):O>
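The dcdiag and netdiag output pasted earlier for the domain controller and the client-side netdiag output in the post above use the same verdict shapes: dcdiag prints `......... SERVER passed|failed test NAME` after any detail lines, and netdiag prints `NAME . . . : Passed|Failed|Skipped` with `[WARNING]`/`[FATAL]` notes under it. As an added example, not code from anyone in this thread, the Python below parses both formats and lists the findings to read first: failed or skipped tests, and tests that passed but still printed an error or warning (the frssysvol and LDAP SPN cases on the DC). Run over the two sides, the DC comes out mostly clean while the client's DC list and Kerberos failures stand out, which matches where the thread found the fault. The sample output is constructed from excerpts in this thread with the posters' placeholder names.

```python
import re

# Constructed excerpts modelled on the dcdiag/netdiag output pasted in this thread;
# host names are the posters' placeholders, not real systems.
DC_DCDIAG = """\
Testing server: Default-First-Site-Name\\SERVERNAME
Starting test: Replications
......................... SERVERNAME passed test Replications
Starting test: frssysvol
Error: No record of File Replication System, SYSVOL started.
The Active Directory may be prevented from starting.
......................... SERVERNAME passed test frssysvol
Starting test: systemlog
An Error Event occured. EventID: 0x0000165B
Event String: The session setup from the computer BLAWRENCE
......................... SERVERNAME failed test systemlog
"""

DC_NETDIAG = """\
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server 'xxx.xxx.xx.xxx'.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server 'xxx.xxx.xxx.x'. Please wait for 30 minutes for DNS server replication.

Trust relationship test. . . . . . : Skipped

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC 'servername.dept.schoolname.edu'.
"""

CLIENT_NETDIAG = """\
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to servname.coll.univ.edu (XXX.XXX.XX.XXX). [ERROR_DOMAIN_CONTROLLER_NOT_FOUND]

Kerberos test. . . . . . . . . . . : Failed
Cached Tickets:
Server: krbtgt/COLL.UNIV.EDU
[FATAL] Kerberos does not have a ticket for CLIENTCOMP$.
"""

# dcdiag verdict line: "......... SERVERNAME passed|failed test NAME"
DCDIAG_RESULT = re.compile(r"^\.+\s+\S+\s+(passed|failed)\s+test\s+(\S+)$")
# netdiag verdict line: "NAME . . . . : Passed|Failed|Skipped" (the dots are padding)
NETDIAG_RESULT = re.compile(r"^(.*?)[\s.]*:\s+(Passed|Failed|Skipped)\s*$")


def parse_dcdiag(text):
    """Map test name -> (verdict, lines printed between 'Starting test' and the verdict)."""
    results, current, details = {}, None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Starting test:"):
            current, details = line.split(":", 1)[1].strip(), []
            continue
        m = DCDIAG_RESULT.match(line)
        if m and current:
            results[current] = (m.group(1), details)
            current = None
        elif current and line:
            details.append(line)
    return results


def parse_netdiag(text):
    """Map test name -> (verdict, note lines printed under it, e.g. [WARNING]/[FATAL])."""
    results, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = NETDIAG_RESULT.match(line)
        if m:
            current = m.group(1).strip()
            results[current] = (m.group(2), [])
        elif current and line:
            results[current][1].append(line)
    return results


def triage(dcdiag, netdiag):
    """Findings to read first: failed/skipped tests, and passes that still printed an error or warning."""
    findings = []
    for name, (verdict, details) in dcdiag.items():
        if verdict == "failed" or any(d.startswith("Error") for d in details):
            findings.append(("dcdiag", name, verdict, details[:1]))
    for name, (verdict, notes) in netdiag.items():
        flagged = [n for n in notes if n.startswith(("[WARNING]", "[FATAL]"))]
        if verdict != "Passed" or flagged:
            findings.append(("netdiag", name, verdict, flagged))
    return findings


if __name__ == "__main__":
    print("domain controller:")
    for tool, name, verdict, notes in triage(parse_dcdiag(DC_DCDIAG), parse_netdiag(DC_NETDIAG)):
        print(f"  {tool} {name}: {verdict} {notes}")
    print("client:")
    for tool, name, verdict, notes in triage({}, parse_netdiag(CLIENT_NETDIAG)):
        print(f"  {tool} {name}: {verdict} {notes}")
```

Real netdiag output wraps long lines at the console width, as the pasted DC output did; rejoin wrapped lines before parsing, or accept that only the first fragment of a wrapped note carries the `[WARNING]` tag. A passed Kerberos test on the DC beside a `[FATAL] Kerberos does not have a ticket for CLIENTCOMP$` on the client is the comparison that points at the client-to-KDC path rather than the directory itself.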
 
Yeah!!! This fixed our network problem we have been having as well on our domain. Now I can stop banging my head against the wall as well.

Cheers

joegz
"Sometimes you just need to find out what it's not first to figure out what it is."
 