
After Upgrade to Windows 2003 domain, Error on Directory Service


Eric Lau

Sep 6, 2004, 4:23:01 PM
On this particular server, every time I reboot I get the error below.
But 2 seconds later I get other messages saying the Global Catalog server
is located.

Event Type: Error
Event Source: NTDS General
Event Category: Global Catalog
Event ID: 1126
Date: 9/6/2004
Time: 12:41:50 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC01
Description:
Active Directory was unable to establish a connection with the global
catalog.

Additional Data
Error value:
1355 The specified domain either does not exist or could not be contacted.
Internal ID:
3200caf

User Action:
Make sure a global catalog is available in the forest, and is reachable from
this domain controller. You may use the nltest utility to diagnose this
problem.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

-----------------------------------------------------------------------------------

But 2 seconds later, I got these.

Event Type: Information
Event Source: NTDS General
Event Category: Service Control
Event ID: 1394
Date: 9/6/2004
Time: 12:41:52 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC01
Description:
Attempts to update the Active Directory database are succeeding. The Net
Logon service has restarted.


Event Type: Information
Event Source: NTDS General
Event Category: Global Catalog
Event ID: 1869
Date: 9/6/2004
Time: 12:41:52 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC01
Description:
Active Directory has located a global catalog in the following site.

Global catalog:
\\dc01.SC.ESILICON.COM
Site:
Default-First-Site-Name

----------------------------------------------------------------------------------

When I run Netdiag, I got
[FATAL] Secure channel to domain 'SC' is broken. [ERROR_NO_LOGON_SERVERS]


When I run nltest /server:dc01 /query, I got more errors
C:\Documents and Settings\elau>nltest /server:dc01 /query
Flags: 0
Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

C:\Documents and Settings\elau>nltest /server:dc00 /query
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully

C:\Documents and Settings\elau>nltest /server:dc02 /query
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully

C:\Documents and Settings\elau>nltest /server:dc00 /query
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully

C:\Documents and Settings\elau>nltest /server:dc01 /query
Flags: 0
Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

C:\Documents and Settings\elau>nltest /server:dc01 /query
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully

C:\Documents and Settings\elau>nltest /server:dc00 /query
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully

C:\Documents and Settings\elau>nltest /server:dc02 /query
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully

-----------------------------------------------------------------------

After all these, 15-30 minutes later if I run the same commands again
everything would pass.
Netdiag would say "Trust relationship test. . . . . . : Passed
Secure channel for domain 'SC' is to '\\dc00.SC.ESILICON.COM'


C:\Documents and Settings\elau>nltest /server:dc01 /query
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully

Can anyone tell me what's wrong with Active Directory or DNS?
It seems to me everything works fine except that I got these messages at the
beginning. But the errors went away when I tried these later.

Thanks.

Eric

Ace Fekay [MVP]

Sep 6, 2004, 6:55:53 PM
In news:E58820F1-A26D-4662...@microsoft.com,
Eric Lau <Eri...@discussions.microsoft.com> made a post then I commented
below

Is this DC overworked? Any other services/apps running on it? Older machine?
Network cable in good shape? Switch settings altered from default? Pointing
only to the internal DNS server?

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================


Eric Lau

Sep 6, 2004, 9:55:02 PM
Ace,
Thanks for your reply.
This is a Dell PowerEdge 2450 server with 2 850MHz CPUs and 1G RAM.
It is a dedicated DC which has DNS, DHCP, CA-InoculateIT installed.
It shouldn't be overworked.
It is a 3 1/2 year old server.
Before the W2K3 upgrade this Friday, everything worked fine. I don't think
the cable is the issue. But I will change it just in case.
Since it is a DNS server itself, it is pointing to itself - an internal DNS server.
Here is the ipconfig /all output:

Windows IP Configuration

Host Name . . . . . . . . . . . . : dc01
Primary Dns Suffix . . . . . . . : SC.ESILICON.COM
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : SC.ESILICON.COM
ESILICON.COM

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 Network Connection #6
Physical Address. . . . . . . . . : 00-B0-D0-B0-21-D1
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.1.5.22
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.5.1
DNS Servers . . . . . . . . . . . : 10.1.5.22
Primary WINS Server . . . . . . . : 10.1.5.22

Thanks.

Eric

Chad A. Lacy

Sep 7, 2004, 8:49:12 AM
Eric,

With the information provided I can't say with any confidence that this is
your issue, but you might want to consider the possibility of an effect known
as DNS islanding. This happens when you have multiple internal DNS servers
and each one only points to itself for name resolution (i.e. DNS1 points to
DNS1 and DNS2 points to DNS2). What happens is that a resource updates its
record on DNS1 which should replicate over to DNS2. However, DNS1 doesn't
know about DNS2 so replication never occurs. Other resources update their
records on DNS2 which never get back to DNS1. After a while you'll see that
some resources have records on both DNS servers with different information
because DHCP leases have been expired and regenerated. As you can imagine,
this leads to some very weird responses.

The way you correct this is by pointing DNS1 to DNS2 for name resolution and
vice versa.
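
The self-only resolver setup described in this post, and visible in Eric's `ipconfig /all` output (DNS Servers equal to the host's own IP Address), can be flagged across DCs from captured `ipconfig /all` text. This is an added example, not part of the original thread; the dc00 capture, the address 10.1.5.20 and the function names are constructed for illustration, and a "self-only" result is a setting to review, not a confirmed fault.

```python
import re

# "Label . . . . : value" lines as printed by `ipconfig /all`.
FIELD = re.compile(r"^\s*(?P<key>[^.:]+?)[ .]*:\s*(?P<val>.*)$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# dc01 values are from Eric's post; the dc00 capture and 10.1.5.20 are constructed.
CAPTURES = {
    "dc01": """
   IP Address. . . . . . . . . . . . : 10.1.5.22
   DNS Servers . . . . . . . . . . . : 10.1.5.22
""",
    "dc00": """
   IP Address. . . . . . . . . . . . : 10.1.5.20
   DNS Servers . . . . . . . . . . . : 10.1.5.20
                                       10.1.5.22
""",
}

def parse_ipconfig(text):
    """Return (own_ips, dns_servers) for one host's capture; IPv4 only."""
    own, dns, last = set(), [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group("key")
            val = m.group("val").split("(")[0].strip()  # drop "(Preferred)"
            if last in ("IP Address", "IPv4 Address") and IPV4.match(val):
                own.add(val)
            elif last == "DNS Servers" and IPV4.match(val):
                dns.append(val)
        elif last == "DNS Servers" and IPV4.match(line.strip()):
            dns.append(line.strip())  # extra resolvers sit on continuation lines
        else:
            last = None
    return own, dns

def resolver_findings(captures):
    """Classify each DC's resolver list: self-only, has-peer or no-known-peer."""
    parsed = {name: parse_ipconfig(text) for name, text in captures.items()}
    dc_ips = set().union(*(own for own, _ in parsed.values()))
    findings = {}
    for name, (own, dns) in parsed.items():
        local = own | {"127.0.0.1"}
        if dns and all(ip in local for ip in dns):
            findings[name] = "self-only"      # the setup described as islanding-prone
        elif any(ip in dc_ips - own for ip in dns):
            findings[name] = "has-peer"       # at least one other captured DC is listed
        else:
            findings[name] = "no-known-peer"  # no resolver, or none is a captured DC
    return findings
```

Calling `resolver_findings(CAPTURES)` reports dc01 as "self-only" and the constructed dc00 as "has-peer".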

Spin

Sep 7, 2004, 12:26:10 PM
Chad,

Wouldn't the effects of DNS islanding be mitigated (or eliminated) through
enabling zone transfers?

"Chad A. Lacy" <cl...@nospam.familydollar.com> wrote in message
news:1EE5FDA7-6B62-48DA...@microsoft.com...

Chad A. Lacy

Sep 7, 2004, 12:37:03 PM
Yes, if you aren't using Active Directory integrated DNS...zone transfers are
the same idea and the principle is the same. The DNS server has to know who
to exchange information with.

Spin

Sep 8, 2004, 9:38:43 AM
I don't understand your reply. If all DNS point to themselves, and only
themselves in their NIC properties, DNS islanding *should not* occur in my
book so long as some sort of zone transfer mechanism is in place such as:

1) Zones are AD-integrated or,
2) Zone transfers are enabled if DNS is set up in the standard
primary/secondary configuration

Am I missing something? :)

"Chad A. Lacy" <cl...@nospam.familydollar.com> wrote in message

news:5569C1C8-6366-4306...@microsoft.com...

Chad A. Lacy

Sep 8, 2004, 9:57:05 AM
DNS islanding is really only a problem if you are running a Windows
2000-based AD implementation and you are using Active Directory integrated
DNS. In this scenario, if each DNS server is only pointing to itself, then
it is possible that they will lose knowledge of each other. For more
information about DNS islanding, refer to:
http://support.microsoft.com/default.aspx?scid=kb;en-us;275278

However, from what you have described, I do not think this is your issue.

ptwilliams

Sep 8, 2004, 4:23:32 PM
Like Chad said, the Island problem is rare; and if you're really concerned
about it, point the DNS servers at each other. Or themselves, and each
other as the second DNS. Or mix and match things ;-)


--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________


"Chad A. Lacy" <cl...@nospam.familydollar.com> wrote in message

news:EDC09C07-63B6-4885...@microsoft.com...

Eric Lau

Sep 11, 2004, 9:23:02 PM
Thanks for all your replies.
I do point all my DCs to one DNS server now. I still got the Active
Directory error. This is another log file from when I ran MPSRPT_DirSvc
/c:"full.bat".
Hope this provides more information.

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine dc01, is a DC.
* Connecting to directory service on server dc01.
[dc01] Directory Binding Error 1753:
There are no more endpoints available from the endpoint mapper.
This may limit some of the tests that can be performed.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 6 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\DC01
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
[DC01] DsBindWithSpnEx() failed with error 1753,
There are no more endpoints available from the endpoint mapper..
Printing RPC Extended Error Info:
Error Record 1, ProcessID is 2936 (DcDiag)
System Time is: 9/12/2004 0:54:6:37
Generating component is 2 (RPC runtime)
Status is 1753: There are no more endpoints available from the
endpoint mapper.

Detection location is 500
NumberOfParameters is 4
Unicode string: ncacn_ip_tcp
Unicode string:
e1a7405f-2296-4b89-9e3c-a39b4805e807._msdcs.SC.ESILICON.com
Long val: -481213899
Long val: 65537
Error Record 2, ProcessID is 2936 (DcDiag)
System Time is: 9/12/2004 0:54:6:37
Generating component is 2 (RPC runtime)
Status is 1722: The RPC server is unavailable.

Detection location is 761
NumberOfParameters is 1
Unicode string: 1025
Error Record 3, ProcessID is 2936 (DcDiag)
System Time is: 9/12/2004 0:54:6:37
Generating component is 8 (winsock)
Status is 1722: The RPC server is unavailable.

Detection location is 313
Error Record 4, ProcessID is 2936 (DcDiag)
System Time is: 9/12/2004 0:54:6:37
Generating component is 8 (winsock)
Status is 10048: Only one usage of each socket address
(protocol/network address/port) is normally permitted.

Detection location is 311
NumberOfParameters is 3
Long val: 1025
Pointer val: 0
Pointer val: 0
Error Record 5, ProcessID is 2936 (DcDiag)
System Time is: 9/12/2004 0:54:6:37
Generating component is 8 (winsock)
Status is 10048: Only one usage of each socket address
(protocol/network address/port) is normally permitted.

Detection location is 318
......................... DC01 failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\DC01
Skipping all tests, because server DC01 is
not responding to directory service requests
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: VerifyReplicas
Test omitted by user request: VerifyEnterpriseReferences

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : SC
Starting test: CrossRefValidation
......................... SC passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... SC passed test CheckSDRefDom

Running enterprise tests on : SC.ESILICON.com
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... SC.ESILICON.com passed test Intersite
Starting test: FsmoCheck
GC Name: \\dc01.SC.ESILICON.COM
Locator Flags: 0xe00001bc
Warning: Couldn't verify this server as a PDC using DsListRoles()
PDC Name: \\dc00.SC.ESILICON.COM
Locator Flags: 0xe00001b9
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
1355
A Good Time Server could not be located.
KDC Name: \\dc01.SC.ESILICON.COM
Locator Flags: 0xe00001bc
......................... SC.ESILICON.com failed test FsmoCheck


Eric
