Nightmare in a network

[Rydra]

I suspect this may be the wrong forum for this, since it's one of about 17 different problems!

Recently became the Network Manager for a Primary School, where I used to be a Technician for a previous school.

There is something screwy going on with the network, and I cannot for the life of me work out what it is.

So as a first, here's what I've got to work with....

2 DC's running Windows Server 2003 SP2, 1 running DHCP + DNS (server1), and other running DNS (server2).

I do not yet know the relationship between the two of them, except that server1 appears to be the primary. I cannot tell what the link is between them, and as yet not sure of server2 runs or replicates any AD services, but it is a DC.

Approximately 50 student workstations running XP added to domain, and about 600 users.... Managed by Winsuite.
Winsuite will be coming out very soon with any luck!

Now to the problem....

The majority of the workstations seem to have a problem connecting to the domain. When trying to login, they come up with an error along the lines of "Unable to connect to domain...." with lots more text I generally don't read. Reboot the workstation 1-4 times, and it eventually lets you connect.

As with all things like this, I cannot now replicate the error on any workstation, so I shall post that as/when i can get a computer to not work for me....

The 2nd problem, is with workstations currently NOT on the domain, they are experiencing a similar problem. when trying to access the DC in any way, including browsing to it on the network, attempting to add a computer to the domain, or even attempting to access a network printer on it, It throws up errors along the lines of: Logon Failure: The Target Account Name is incorrect.

The printers thing is a similar issue but not quite the same; 1/10 times, I can get at the printers. The other 9/10 times, I get Access Denied: Unable to connect.
Reboot works 10% of the time, but 5 minutes later lose the connection again.

I've almost ruled out a networking error, as at all times i have no trouble browsing the net, assigning ip's, pinging workstations/servers. But beyond that, I'm completely stumped!

Googling the error points to DC pairing issues, AD being outdated/DC issues, or DNS/DC issues!

Any/all help on this would be appreciated. If you need more info, just say.

I suspect these problems are all interlinked, but cannot for the life of me work out what it is. I have checked event logs on both servers, the client pc's, when they both do and do not work. Nothing obvious is showing up in the logs.

[mattx]

Whats in the event logs ? [ on bother the servers and workstations ] You say nothing but even the smallest clue may help.....then it's time for some DNS checking.....

http://technet.microsoft.com/en-us/l...8WS.10%29.aspx

http://www.computerperformance.co.uk...ows_dcdiag.htm

http://www.computerperformance.co.uk...Guy/dcdiag.zip

[dwhyte85]

When you ping the domain, eg, MySchool.local what happens on the problematic machines? Are all machines problematic?

[RabbieBurns]

First point of call in my opiinion is always DNS. Make sure DHCP is handing out the correct DNS Server for the primary. The Domain Controllers should point to themselves for DNS. In 2003 they did away with the PDC and secondary DC, they are all just Domain Controllers. It would be wise to have your servers with both AD and stuff replicating for redundancy..

[Michael]

The majority of the workstations seem to have a problem connecting to the domain. When trying to login, they come up with an error along the lines of "Unable to connect to domain...." with lots more text I generally don't read. Reboot the workstation 1-4 times, and it eventually lets you connect.

I suspect the servers are possibly not replicating properly. Winsuite will only work from the one server, I don't believe it can be installed across multiple servers. I would have a look in DHCP Server and take out the secondary DC for the time being.
Reboot the workstations and see if it makes any difference. When you run ipconfig /all it should then only list your primary DNS and any external DNS.

The 2nd problem, is with workstations currently NOT on the domain, they are experiencing a similar problem. when trying to access the DC in any way, including browsing to it on the network, attempting to add a computer to the domain, or even attempting to access a network printer on it, It throws up errors along the lines of: Logon Failure: The Target Account Name is incorrect.

Again as above this does sound like a possible DHCP problem. Login locally as an administrator and configure a static IP configuration, then reboot.

[Rydra]

Whats in the event logs ? [ on bother the servers and workstations ] You say nothing but even the smallest clue may help.....then it's time for some DNS checking.....

AS with any network the 'event logs' have a lot of stuff in them! To list them all I'd need a new forum to host it all!

But the few errors i've come across that MIGHT be related....

In File Replication Service:

The File Replication Service is having trouble enabling replication from Server2 to server1 for c:\windows\sysvol\domain using the DNS name server2.domain.local. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name server2.domain.local from this computer.
[2] FRS is not running on server2.domain.local.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I am looking to having server2 rebooted in about half an hour, since it hasn't been rebooted in approximately 4 months. The above error has been going on daily for about a week, since I first discovered that the primary DC hadn't been rebooted for 7 months, had an out of date AV running on it, and all sorts of crap that shouldn't be on a server. removed the rubbish, rebooted.... The above error has been going on since.

Second entry, System tab:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server CPS-ICT-IT2-C10$. The target name used was cifs/CPS-CLA-NEC-OB9.chantry.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (CHANTRY.LOCAL), and the client realm. Please contact your system administrator.

This happens randomly, no idea what's going on here....

As another side note, all the users profile areas and userdata is stored on a iSCSI drive on the DC... The NAS that iSCSI connected to is dead at the moment, awaiting a new hard drive (Thank god for Raid 5, new drive in and it'll be back up!)

[Michael]

After rebooting both DCs, check the static IP configuration on your servers. DCs should point to themselves first then any secondary DCs.

[mattx]

Just out of interest have you tried to force a replication ?
In regards to your kerberos error - I have had those sometimes and found out I have had dupicate DNS entries [ old PCs being re-built with a different name and either DNS or DHCP getting messed up ]
Check for duplicates in your DNS and delete the relevant one or both in your forward look up zone. [ They will get re-created when the PC next boots up ]
I don't think this was sort out your main problem though as it certainly sounds like a replication / DNS problem....... will be interesting to see what DC DIAG comes up with.

Just another thought - whats the SOA numbers in your forward look up zones on your servers - they should be the same....

AS with any network the 'event logs' have a lot of stuff in them! To list them all I'd need a new forum to host it all!

But the few errors i've come across that MIGHT be related....

In File Replication Service:


I am looking to having server2 rebooted in about half an hour, since it hasn't been rebooted in approximately 4 months. The above error has been going on daily for about a week, since I first discovered that the primary DC hadn't been rebooted for 7 months, had an out of date AV running on it, and all sorts of crap that shouldn't be on a server. removed the rubbish, rebooted.... The above error has been going on since.

Second entry, System tab:


This happens randomly, no idea what's going on here....

As another side note, all the users profile areas and userdata is stored on a iSCSI drive on the DC... The NAS that iSCSI connected to is dead at the moment, awaiting a new hard drive (Thank god for Raid 5, new drive in and it'll be back up!)

[Rydra]

DCdiag...

C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\server1
Starting test: Connectivity
......................... server1 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\SERVER1
Starting test: Replications
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source SERVER2
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
......................... SERVER1 passed test Replications
Starting test: NCSecDesc
......................... SERVER1 passed test NCSecDesc
Starting test: NetLogons
......................... SERVER1 passed test NetLogons
Starting test: Advertising
......................... SERVER1 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... SERVER1 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... SERVER1 passed test RidManager
Starting test: MachineAccount
......................... SERVER1 passed test MachineAccount
Starting test: Services
......................... SERVER1 passed test Services
Starting test: ObjectsReplicated
......................... SERVER1 passed test ObjectsReplicated
Starting test: frssysvol
......................... SERVER1 passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... SERVER1 failed test frsevent
Starting test: kccevent
......................... SERVER1 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x40000004
Time Generated: 01/25/2010 10:04:29
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 01/25/2010 10:04:29
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 01/25/2010 10:04:29
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 01/25/2010 10:04:29
Event String: The kerberos client received a
An Error Event occured. EventID: 0x40000004
Time Generated: 01/25/2010 10:04:29
Event String: The kerberos client received a
An Error Event occured. EventID: 0x000003F6
Time Generated: 01/25/2010 10:19:34
Event String: The following problem occurred with the Jet
An Error Event occured. EventID: 0x000003F8
Time Generated: 01/25/2010 10:19:34
Event String: The DHCP service encountered the following error
An Error Event occured. EventID: 0x000003F2
Time Generated: 01/25/2010 10:19:34
Event String: The DHCP service encountered the following error
......................... SERVER1 failed test systemlog
Starting test: VerifyReferences
......................... SERVER1 passed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation

Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation

Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : domain
Starting test: CrossRefValidation
......................... domain passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... domain passed test CheckSDRefDom

Running enterprise tests on : domain.local
Starting test: Intersite
......................... domain.local passed test Intersite
Starting test: FsmoCheck
......................... domain.local passed test FsmoCheck

looking more and more like a dns/replication error. will see what the reboot does in about 10-20 minutes time!

[p858snake]

I know this may sound a tad extreme but have you thought about nuking both of them and redoing the setups, since your now the NM, that way you can make sure everything is setup how you want, everything is documented correctly and other little bits and pieces?

[MGSTech]

I don't suppose the workstations were cloned (ghosted) without sysprep being run?

Duplicate SID's?

Try running Sysprep and select reseal then rename the workstation (delete the COMPUTER account in AD BEFORE renaming PC...

[Rydra]

It's on the cards....

We are getting a complete new network infrastructure in 3 weeks time, new switches, new cabling, the works.

Shortly after that I am having a server renewal as well; upgrading existing servers, combining admin/curriculum network and all that fun stuff. But it's not an option for today! What I do need is to get the printing up and running again, as 80% of the printing is done a single managed printer/photocopier.

I don't care about most of the rest of the problems, but I NEED printing up and running again!

[Rydra]

I don't suppose the workstations were cloned (ghosted) without sysprep being run?

Duplicate SID's?

Try running Sysprep and select reseal then rename the workstation (delete the COMPUTER account in AD BEFORE renaming PC...

This is likely, evidence suggests my predecessors were in some respects I daresay incompetent. They had an understanding of "We need to do this" without some of the other aspects.... Like hosting a website off of the C drive of the DC, moving the domain administrator profile to a NAS..... I could go on but it'd be mean and off topic.

[MGSTech]

Try sysprepping a workstation and see if it resolves the can't find domain issue (easy fix and worth a try)

[ahuxham]

This is likely, evidence suggests my predecessors were in some respects I daresay incompetent. They had an understanding of "We need to do this" without some of the other aspects.... Like hosting a website off of the C drive of the DC, moving the domain administrator profile to a NAS..... I could go on but it'd be mean and off topic.

It's your post, no such thing as off topic

Anywho, Duplicate SID's will do this. I do believe sysinternals made a program called "NewSID" which is discontinued (as Microsoft now own the company), however I'm sure someone somewhere has the software.

Just run it on your machines and see if this alleviates the problems you are experiencing, saves you having to sysprep the machines, less work = better in my opinion.