Active Directory not working properly

Status
Not open for further replies.

kwei

IS-IT--Management
Sep 10, 2002
58
US
One of my servers doesn't seem to be applying group policies. On top of that, I am unable to access "Domain Controller Security Policy" and "Domain Security Policy". When I try to open either of them, I get a Group Policy error stating "Failed to open the Group Policy Object. You may not have appropriate rights." and a message under Details stating "The specified domain either does not exist or could not be contacted."

I've been dealing with this for weeks on end. GP has worked in the past, as have these snap-ins. Running "dcdiag.exe" does not come up with anything, except once it gave an error with syslog.

This is a standalone DC on the network. Everything else seems to be working properly. Any suggestions would be greatly appreciated on this one, as always,

Justin
 
Right-click on the object in Active Directory Users and Computers and use the Delegation of Control wizard to delegate the object to a specific account which you may be using.

You may need to log on as an Enterprise Admin in order to do this.
 
Hey YFronts, I tried that; it doesn't seem to work. The account I'm logged in with is the domain admin account, which is also a member of Enterprise Admins. Just to be sure I'm on the same page as you: when you say right-click on the object, I assume you mean the top of my domain tree that contains all my groups, OUs, etc. If that's what you meant, that is what I did. Still no dice.

I think there might just be a problem with AD and it needs to be indexed. Is there a way to do this, or something along the lines of what I'm saying? Thanks!

Justin
 
There must be stuff in the event log which homes you in a bit more on the problem. A standalone DC, you say? Do you mean it is the only one in the domain?
How about other servers? From what you say they have access to AD OK. Try looking on the security tab of the domain (if you haven't already) and see if the server belongs to one of the groups which has access. Check there are no Denys ticked.
I don't know anything about indexing AD I'm afraid. Hope you get somewhere.
 
Yeah, I'm combing through the event log now. So far nothing that raises any flags. It is the only server on the network, and the only DC. All other computers are 2000 Pro workstations. I will also check the security tab while I'm at it. Hopefully I find something. I tried reinstalling SP4 earlier today and that didn't help...

Justin
 
I know you say your account has enterprise rights but have you tried another account too?
 
Yeah, I've checked the security tab of both Domain Controller Security Policy and Domain Security Policy. They both have Administrators in there with full rights. I also added the specific admin account that I used and gave it Full Control; still no dice.

The only errors I'm seeing in the event log that might be related are Userenv event ID 1000: "Windows cannot unload your registry class file. If you have a roaming profile, your settings are not replicated. Contact your administrator.

DETAIL - Access is denied. , Build number ((2195))."

So it looks like we're still at square one, unfortunately. Thanks for all the help thus far; hopefully it's something that can be resolved!

Justin
 
So if I understand you correctly, pretty much nothing will open up: snap-ins, group policy, etc.?

Are you pointed to yourself for DNS?
Is your DC protected by a hardware firewall from the internet and is it configured to actually block data?

If not, then you probably have a virus that removed a bunch of local security settings.

Add *S-1-1-0 to SeNetworkAccess on the Default Domain Controller Gpttmpl.ini file in SYSVOL. It's in the 6AC guid folder all the way at the bottom. Refresh your group policy forcefully and you will be good to go.

I realize that unless you have a good command of the OS, the above commands are cryptic, but they are that way for a reason. This is a fantastic way to break your environment even more, so if you want me to walk you through this, feel free to email me and we can go over this offline.

/Siddharth
 
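The reply above points at the Default Domain Controllers Policy template in SYSVOL. The following script is an added example, not code from the thread or from Microsoft: it parses that INF-style template, reports which well-known principals are missing from "Access this computer from the network" (SeNetworkLogonRight) and produces a corrected template text. SAMPLE_BROKEN is constructed. The policy GUID and the SIDs are well-known constants; EXPECTED_W2K is the Windows 2000 domain-controller default as recalled by the editor, so treat it as an assumption and confirm it against a healthy DC before applying anything.

```python
"""Audit and repair SeNetworkLogonRight in a GptTmpl.inf security template.

Added example, not code from the thread or from Microsoft. Parses the
INF-style template, reports which principals are missing from
"Access this computer from the network" and returns a corrected template.
SAMPLE_BROKEN is constructed; EXPECTED_W2K is an assumption (the Windows 2000
DC default as the editor recalls it).
"""
from typing import Dict, List, Set

# Default Domain Controllers Policy lives under
# \\<domain>\SYSVOL\<domain>\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\
DEFAULT_DC_POLICY_GUID = "{6AC1786C-016F-11D2-945F-00C04fB984F9}"
TEMPLATE_RELPATH = r"MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

EVERYONE = "S-1-1-0"             # the SID the reply says to add
AUTHENTICATED_USERS = "S-1-5-11"
ADMINISTRATORS = "S-1-5-32-544"
ENTERPRISE_DCS = "S-1-5-9"       # part of the DC default from Windows 2003 on

RIGHT = "SeNetworkLogonRight"
EXPECTED_W2K: Set[str] = {EVERYONE, AUTHENTICATED_USERS, ADMINISTRATORS}

# Constructed template with the right stripped down to Administrators only.
SAMPLE_BROKEN = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544
"""


def load_template(path: str) -> str:
    """SecEdit writes GptTmpl.inf as UTF-16 LE with a BOM; older tools wrote ANSI."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("latin-1")


def parse_template(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; comments (';') and blank lines are skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def sids_for_right(sections: Dict[str, Dict[str, str]], right: str = RIGHT) -> Set[str]:
    """SIDs granted a user right; the template prefixes each SID with '*'."""
    value = sections.get("Privilege Rights", {}).get(right, "")
    return {item.strip().lstrip("*") for item in value.split(",") if item.strip()}


def missing_principals(text: str, expected: Set[str] = EXPECTED_W2K) -> Set[str]:
    return set(expected) - sids_for_right(parse_template(text))


def with_principals_added(text: str, sids: Set[str], right: str = RIGHT) -> str:
    """Return the template with `sids` merged into `right`, touching nothing else.

    Existing entries keep their order; the key, or the whole [Privilege Rights]
    section, is created if absent, so repeated calls are idempotent.
    """
    nl = "\r\n" if "\r\n" in text else "\n"
    wanted = [f"*{s.lstrip('*')}" for s in sorted(sids)]
    out: List[str] = []
    in_section = seen_section = done = False

    def merged_line(existing: List[str]) -> str:
        merged = existing + [w for w in wanted if w not in existing]
        return f"{right} = {','.join(merged)}{nl}"

    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_section and not done:          # section ended without the key
                out.append(merged_line([]))
                done = True
            in_section = stripped == "[Privilege Rights]"
            seen_section = seen_section or in_section
        elif in_section and stripped.partition("=")[0].strip() == right:
            existing = [s.strip() for s in stripped.partition("=")[2].split(",") if s.strip()]
            out.append(merged_line(existing))
            done = True
            continue
        out.append(line + nl)
    if not done:
        if not seen_section:
            out.append(f"[Privilege Rights]{nl}")
        out.append(merged_line([]))
    return "".join(out)


if __name__ == "__main__":
    missing = missing_principals(SAMPLE_BROKEN)
    print("missing from", RIGHT + ":", sorted(missing))
    print(with_principals_added(SAMPLE_BROKEN, missing))
```

Two practitioner notes. First, edit a copy: take the template from SYSVOL, run the audit, diff the corrected output against the original, and only then copy it back and refresh policy (secedit /refreshpolicy machine_policy /enforce on Windows 2000), because the same right also gates LDAP and RPC calls from every member and from replication partners, and a typo here locks them all out. Second, Everyone is the Windows 2000 default on DCs; on Windows 2003 and later the default is Authenticated Users plus Enterprise Domain Controllers (and Administrators), so prefer those over S-1-1-0 on newer systems.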
Hi svsawkar, I'm not entirely sure what you mean with your instructions... As for your question about nothing opening, that is not entirely correct: only the security policies will not open, but any new GPs I make will not apply. I can open DHCP, DNS, etc., and they open. DNS is working, as is DHCP.

There is a hardware firewall, albeit a weak one (Linksys). It is running with most of the default settings. Running a virus scan has not brought any viruses to my attention, although as you said there still could be something. Thanks for the help thus far,

Justin
 
Can you open up AD Users and Computers, Sites and Services and Domains and Trusts without any errors?

/Siddharth
 
Siddharth, yes to all three; they all open with no problems, and checking the event log afterwards shows no new errors...

Justin
 
Humor me and repeat that last test after logging out and logging back in. If in the past you specified the snap-ins to use a non-PDC computer, they will snap back to those by default.

/Siddharth
 
Siddharth,

Logged out, then back in; same results as before. Sorry for the delay, I wanted to wait for my virus scan to complete first (nothing found there either).

Justin
 
Hey Siddharth, just wondering if you have any more tips for me to fix this situation?

One thing I was thinking of trying, which might be a little extreme, is to hook another server up to the domain, set it to take over the domain functions, remove AD from the original server, then reinstate AD on it and transfer all of its old duties back from the other one. I think this would hopefully fix the problem and keep me from losing any key domain settings. Any thoughts on this, anyone?

Justin
 
Hmm, how about a 'dcdiag /v' output for us to look at? Something else must be going on. The promo may or may not work depending on what is broken on the DC. You can certainly try your plan.

/Siddharth
 
Hey there, thanks for getting back to me. Here is the output of dcdiag /v. Clackserv2 isn't responding because I took it offline yesterday morning... Thanks!

Justin


DC Diagnosis

Performing initial setup:
* Verifing that the local machine clackserv, is a DC.
* Connecting to directory service on server clackserv.
* Collecting site info.
* Identifying all servers.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial non skippeable tests

Testing server: Default-First-Site-Name\CLACKSERV
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... CLACKSERV passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\CLACKSERV
Starting test: Replications
* Replications Check
[Replications Check,CLACKSERV] A recent replication attempt failed:
From CLACKSERV2 to CLACKSERV
Naming Context: CN=Schema,CN=Configuration,DC=clack,DC=ssm,DC=local
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2003-09-20 12:51.23.
The last success occurred at 2003-09-19 06:50.12.
30 failures have occurred since the last success.
[CLACKSERV2] DsBind() failed with error 1722,
The RPC server is unavailable..
The source remains down. Please check the machine.
[Replications Check,CLACKSERV] A recent replication attempt failed:
From CLACKSERV2 to CLACKSERV
Naming Context: CN=Configuration,DC=clack,DC=ssm,DC=local
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2003-09-20 12:51.00.
The last success occurred at 2003-09-19 07:20.28.
30 failures have occurred since the last success.
The source remains down. Please check the machine.
[Replications Check,CLACKSERV] A recent replication attempt failed:
From CLACKSERV2 to CLACKSERV
Naming Context: DC=clack,DC=ssm,DC=local
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2003-09-20 12:50.37.
The last success occurred at 2003-09-19 07:29.32.
30 failures have occurred since the last success.
The source remains down. Please check the machine.
......................... CLACKSERV passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=clack,DC=ssm,DC=local
* Security Permissions Check for
CN=Configuration,DC=clack,DC=ssm,DC=local
* Security Permissions Check for
DC=clack,DC=ssm,DC=local
......................... CLACKSERV passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
......................... CLACKSERV passed test NetLogons
Starting test: Advertising
The DC CLACKSERV is advertising itself as a DC and having a DS.
The DC CLACKSERV is advertising as an LDAP server
The DC CLACKSERV is advertising as having a writeable directory
The DC CLACKSERV is advertising as a Key Distribution Center
The DC CLACKSERV is advertising as a time server
The DS CLACKSERV is advertising as a GC.
......................... CLACKSERV passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=CLACKSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=clack,DC=ssm,DC=local
Role Domain Owner = CN=NTDS Settings,CN=CLACKSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=clack,DC=ssm,DC=local
Role PDC Owner = CN=NTDS Settings,CN=CLACKSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=clack,DC=ssm,DC=local
Role Rid Owner = CN=NTDS Settings,CN=CLACKSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=clack,DC=ssm,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=CLACKSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=clack,DC=ssm,DC=local
......................... CLACKSERV passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 2102 to 1073741823
* clackserv.clack.ssm.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1102 to 1601
* rIDNextRID: 1188
* rIDPreviousAllocationPool is 1102 to 1601
......................... CLACKSERV passed test RidManager
Starting test: MachineAccount
* SPN found :LDAP/clackserv.clack.ssm.local/clack.ssm.local
* SPN found :LDAP/clackserv.clack.ssm.local
* SPN found :LDAP/CLACKSERV
* SPN found :LDAP/clackserv.clack.ssm.local/CLACK
* SPN found :LDAP/a5dd0560-c6c0-4cb5-94d6-b0f20fde7fa8._msdcs.clack.ssm.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/a5dd0560-c6c0-4cb5-94d6-b0f20fde7fa8/clack.ssm.local
* SPN found :HOST/clackserv.clack.ssm.local/clack.ssm.local
* SPN found :HOST/clackserv.clack.ssm.local
* SPN found :HOST/CLACKSERV
* SPN found :HOST/clackserv.clack.ssm.local/CLACK
* SPN found :GC/clackserv.clack.ssm.local/clack.ssm.local
......................... CLACKSERV passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: RPCLOCATOR
* Checking Service: w32time
* Checking Service: TrkWks
* Checking Service: TrkSvr
* Checking Service: NETLOGON
* Checking Service: Dnscache
* Checking Service: NtFrs
......................... CLACKSERV passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
CLACKSERV is in domain DC=clack,DC=ssm,DC=local
Checking for CN=CLACKSERV,OU=Domain Controllers,DC=clack,DC=ssm,DC=local in domain DC=clack,DC=ssm,DC=local on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=CLACKSERV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=clack,DC=ssm,DC=local in domain CN=Configuration,DC=clack,DC=ssm,DC=local on 1 servers
Object is up-to-date on all servers.
......................... CLACKSERV passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service Event log test
The SYSVOL has been shared, and the AD is no longer
prevented from starting by the File Replication Service.
......................... CLACKSERV passed test frssysvol
Starting test: kccevent
* The KCC Event log test
An Warning Event occured. EventID: 0x80000438
Time Generated: 09/20/2003 13:43:03
Event String: Replication warning: Couldn't notify directory

c5b0b596-629b-4955-89e0-4a338a267094._msdcs.clack.ssm.local

with changes to partition

DC=clack,DC=ssm,DC=local. The error is:

The RPC server is unavailable.



The record data is the status code.
An Warning Event occured. EventID: 0x80000438
Time Generated: 09/20/2003 13:45:58
Event String: Replication warning: Couldn't notify directory

c5b0b596-629b-4955-89e0-4a338a267094._msdcs.clack.ssm.local

with changes to partition

CN=Configuration,DC=clack,DC=ssm,DC=local. The

error is:

The RPC server is unavailable.



The record data is the status code.
An Warning Event occured. EventID: 0x80000438
Time Generated: 09/20/2003 13:48:45
Event String: Replication warning: Couldn't notify directory

c5b0b596-629b-4955-89e0-4a338a267094._msdcs.clack.ssm.local

with changes to partition

DC=clack,DC=ssm,DC=local. The error is:

The RPC server is unavailable.



The record data is the status code.
......................... CLACKSERV failed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x00000457
Time Generated: 09/20/2003 13:47:38
Event String: Driver HP LaserJet 4100 Series PCL required for

printer __mikef_HP LaserJet 4100 Series PCL is

unknown. Contact the administrator to install the

driver before you log in again.
An Error Event occured. EventID: 0x00000452
Time Generated: 09/20/2003 13:47:38
Event String: The printer could not be installed.
......................... CLACKSERV failed test systemlog

Running enterprise tests on : clack.ssm.local
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope

provided by the command line arguments provided.
......................... clack.ssm.local passed test Intersite
Starting test: FsmoCheck
GC Name: \\clackserv.clack.ssm.local
Locator Flags: 0xe00001fd
PDC Name: \\clackserv.clack.ssm.local
Locator Flags: 0xe00001fd
Time Server Name: \\clackserv.clack.ssm.local
Locator Flags: 0xe00001fd
Preferred Time Server Name: \\clackserv.clack.ssm.local
Locator Flags: 0xe00001fd
KDC Name: \\clackserv.clack.ssm.local
Locator Flags: 0xe00001fd
......................... clack.ssm.local passed test FsmoCheck
 
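The dcdiag /v report above is long, and the useful facts in it are buried: every replication failure names CLACKSERV2 as the source, every one is error 1722 (RPC server unavailable), and the last success for each naming context is the day before the run, which matches the poster's note that CLACKSERV2 was taken offline. The script below is an added example, not part of the thread: it parses the replication-failure blocks, the per-test verdicts and the logged event IDs, and rolls the failures up per source DC so an offline partner can be told apart from a fault on the DC being diagnosed. SAMPLE is a trimmed excerpt in the shape of the posted output; the regular expressions match the wording dcdiag prints, including its own spelling of "occured".

```python
"""Summarise replication failures and test verdicts in 'dcdiag /v' output.

Added example, not part of the thread. SAMPLE is a trimmed excerpt shaped like
the output posted above; the regexes match the text dcdiag prints.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

SAMPLE = """\
Starting test: Replications
* Replications Check
[Replications Check,CLACKSERV] A recent replication attempt failed:
From CLACKSERV2 to CLACKSERV
Naming Context: CN=Schema,CN=Configuration,DC=clack,DC=ssm,DC=local
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2003-09-20 12:51.23.
The last success occurred at 2003-09-19 06:50.12.
30 failures have occurred since the last success.
[CLACKSERV2] DsBind() failed with error 1722,
The RPC server is unavailable..
The source remains down. Please check the machine.
[Replications Check,CLACKSERV] A recent replication attempt failed:
From CLACKSERV2 to CLACKSERV
Naming Context: DC=clack,DC=ssm,DC=local
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2003-09-20 12:50.37.
The last success occurred at 2003-09-19 07:29.32.
30 failures have occurred since the last success.
......................... CLACKSERV passed test Replications
Starting test: kccevent
An Warning Event occured. EventID: 0x80000438
Time Generated: 09/20/2003 13:43:03
......................... CLACKSERV failed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
......................... CLACKSERV failed test systemlog
"""

TS_FMT = "%Y-%m-%d %H:%M.%S"          # dcdiag prints HH:MM.SS
FAIL_START = re.compile(r"^\[Replications Check,(?P<dest>[^\]]+)\] A recent replication attempt failed:$")
FROM_TO = re.compile(r"^From (?P<src>\S+) to (?P<dest>\S+)$")
NAMING_CTX = re.compile(r"^Naming Context: (?P<nc>.+)$")
ERROR = re.compile(r"^The replication generated an error \((?P<code>\d+)\):$")
FAILED_AT = re.compile(r"^The failure occurred at (?P<ts>[\d-]+ [\d:.]+)\.$")
SUCCESS_AT = re.compile(r"^The last success occurred at (?P<ts>[\d-]+ [\d:.]+)\.$")
COUNT = re.compile(r"^(?P<n>\d+) failures? have occurred since the last success\.$")
VERDICT = re.compile(r"^\.+ (?P<server>\S+) (?P<verdict>passed|failed) test (?P<test>\S+)$")
EVENT = re.compile(r"^An (?P<sev>Warning|Error) Event occured\. EventID: 0x(?P<code>[0-9A-Fa-f]+)$")


def parse_dcdiag(text: str) -> dict:
    """Collect replication-failure records, per-test verdicts and logged events."""
    failures: List[dict] = []
    verdicts: Dict[str, str] = {}
    events: List[dict] = []
    rec: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := FAIL_START.match(line)):
            rec = {"dest": m["dest"]}
            failures.append(rec)
        elif rec is not None and (m := FROM_TO.match(line)):
            rec["src"] = m["src"]
        elif rec is not None and (m := NAMING_CTX.match(line)):
            rec["nc"] = m["nc"]
        elif rec is not None and (m := ERROR.match(line)):
            rec["error"] = int(m["code"])
        elif rec is not None and (m := FAILED_AT.match(line)):
            rec["failed_at"] = datetime.strptime(m["ts"], TS_FMT)
        elif rec is not None and (m := SUCCESS_AT.match(line)):
            rec["last_success"] = datetime.strptime(m["ts"], TS_FMT)
        elif rec is not None and (m := COUNT.match(line)):
            rec["failures"] = int(m["n"])
            rec = None                                   # record complete
        elif (m := VERDICT.match(line)):
            verdicts[m["test"]] = m["verdict"]
        elif (m := EVENT.match(line)):
            # High bits carry severity; the low 16 bits are the Event Viewer ID.
            events.append({"severity": m["sev"], "event_id": int(m["code"], 16) & 0xFFFF})
    return {"failures": failures, "verdicts": verdicts, "events": events}


def summarize_by_source(parsed: dict) -> Dict[str, dict]:
    """Roll failures up per source DC: stale NCs, error codes, oldest last success."""
    by_src: Dict[str, dict] = {}
    for f in parsed["failures"]:
        s = by_src.setdefault(f["src"], {"naming_contexts": [], "error_codes": set(),
                                         "max_failures": 0, "stale_since": None})
        s["naming_contexts"].append(f["nc"])
        s["error_codes"].add(f["error"])
        s["max_failures"] = max(s["max_failures"], f["failures"])
        if s["stale_since"] is None or f["last_success"] < s["stale_since"]:
            s["stale_since"] = f["last_success"]
    return by_src


def partner_unreachable(summary: dict) -> bool:
    """True when every failure from this source is 1722 (RPC server unavailable):
    the partner is down or unreachable rather than rejecting the bind."""
    return summary["error_codes"] == {1722}


if __name__ == "__main__":
    parsed = parse_dcdiag(SAMPLE)
    for src, s in summarize_by_source(parsed).items():
        state = "unreachable" if partner_unreachable(s) else "erroring"
        print(f"{src}: {state} since {s['stale_since']:%Y-%m-%d %H:%M}, "
              f"{len(s['naming_contexts'])} NC(s) stale, {s['max_failures']} failures")
    print("verdicts:", parsed["verdicts"])
```

Reading the summary: a partner whose only error is 1722 across every naming context is a reachability problem on that partner (off, firewalled, or its DNS records gone), not a permissions problem on the DC running dcdiag; a DC that has been removed for good must be cleaned out of the directory (ntdsutil "metadata cleanup") or the KCC will keep trying to notify it. The kccevent and systemlog verdicts are worth reading separately: the first is the same RPC story, the second here is printer-driver errors, which is the thread that the replies below pick up.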
Just a bit of info, but we had similar problems due to HP LaserJet legacy drivers. Switched to non-kernel-mode drivers and the problem went away. Don't know if it was a damaged driver or what, but removal of the drivers and installation of the Windows 2003 drivers from the CD stopped the GPO errors and numerous other issues, including failures to search or find AD.
 
Hi jvierra, sorry for not letting you know how things worked; I wasn't sent an email notification that the thread was updated, so I didn't think to check it! Anyway, I just removed about 7 drivers from the server (LaserJet 5, 5000, 4, 4000, 4100, etc.); hopefully that will fix it after a reboot... I won't be able to do so until later tonight, though. I will give an update on what happens. As of right now I left one driver intact, as it was added after the problem started and it is the latest version of the driver anyway...

Justin
 
Warning! The admin that I was working with thought the same thing. Guess what? Even the drivers added after the problem started had to be removed.

When adding HP drivers, specifically the HP drivers you mentioned, look in the driver list for the "Windows 2003" drivers if you are on 2003. They will have a little blue graphic checkmark, I believe, next to them. These are the drivers delivered with 2003 and are certified compatible. Nearly all of the HP drivers are delivered with 2003.

The dcpromo log has an entry like the ones we were getting:

The record data is the status code.
......................... CLACKSERV failed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x00000457
Time Generated: 09/20/2003 13:47:38
Event String: Driver HP LaserJet 4100 Series PCL required for

printer __mikef_HP LaserJet 4100 Series PCL is

unknown. Contact the administrator to install the

The RPC server seems to not be available. Does the log look clean after a reboot and before anyone prints? (The spooler should be emptied before the reboot.)

The RPC server has to be running or the machine would probably shut down. My guess is that it is either hanging, busy or not being found. This could all come from a bad kernel-mode driver, I believe.
 
Wow, well if rebooting doesn't fix my problem, I'll uninstall the current driver as well. It's a Brother HL-1440.

I am actually running 2000 Server, not 2003. I don't currently have 2003 installed on any of my servers. I'll have to see if I can get them off the beta disk I have.

I'll check the log right after I reboot it to see if there are any problems with RPC.

It's good news to me, at least, to have found something that is a likely candidate for what is causing the issue; at least now I can start working on the solution :)

Thanks!

Justin
 