Directory Binding Error -2146892976

Status
Not open for further replies.

justindwatkins

IS-IT--Management
Sep 3, 2003
9
US
My company is running all Windows 2003 Servers. We have two DC's that were upgraded to Windows 2003 from Windows 2000 about a year ago. Everything has been fine until I upgraded to SP1 about 2 months ago. I ran a DCDIAG /V on one of the DC's and here is the output:


Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine srv001, is a DC.
* Connecting to directory service on server srv001.
[srv001] Directory Binding Error -2146892976:
The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
This may limit some of the tests that can be performed.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\SRV001
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
[SRV001] DsBindWithSpnEx() failed with error -2146892976,
The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you..
......................... SRV001 failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\SRV001
Skipping all tests, because server SRV001 is
not responding to directory service requests
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: VerifyReplicas
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : gff
Starting test: CrossRefValidation
......................... gff passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... gff passed test CheckSDRefDom

Running enterprise tests on : gff.pvt
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope

provided by the command line arguments provided.
......................... gff.pvt passed test Intersite
Starting test: FsmoCheck
GC Name: \\srv001.gff.pvt
Locator Flags: 0xe00001fc
Warning: Couldn't verify this server as a PDC using DsListRoles()
PDC Name: \\srv000.gff.pvt
Locator Flags: 0xe00001fd
Time Server Name: \\srv001.gff.pvt
Locator Flags: 0xe00001fc
Preferred Time Server Name: \\srv001.gff.pvt
Locator Flags: 0xe00001fc
KDC Name: \\srv001.gff.pvt
Locator Flags: 0xe00001fc
......................... gff.pvt passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS


I have searched on Google and I have been unable to find a resolution to the problem. If anyone knows anything I can try, please let me know. Thanks!
 
Looks like you have a problem with your DC's SPN name.

You can open adsiedit.msc on the DC in question, locate the SPN multivalue entry, copy the entry to the clipboard, edit the entry by appending @domain.com at the end, and paste it back in the original location; that might work.

Beforehand, back up your DC.

------------------------------------
Directory Services/Exchange Consultant
 
Where exactly will I find the SPN multivalue entry within ADSIEdit?
 
I ran the ldp.exe and followed the instructions in the article you sent me. Here is the output:

ldap_search_s(ld, "DC=gff,DC=pvt", 2, "serviceprincipalname=Host/srv000.gff.pvt", attrList, 0, &msg)
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=SRV000,OU=Domain Controllers,DC=gff,DC=pvt
5> objectClass: top; person; organizationalPerson; user; computer;
1> cn: SRV000;
1> distinguishedName: CN=SRV000,OU=Domain Controllers,DC=gff,DC=pvt;
1> name: SRV000;
1> canonicalName: gff.pvt/Domain Controllers/SRV000;

The same thing came back for my other DC. It says it only found 1 entry. Do you have any other ideas? Thanks for helping me!
 
Can you make a backup of the entry and append "@urdomain.com" to the entry value?

------------------------------------
Directory Services/Exchange Consultant
 
The SPN values. It should be a multi-value entry; you may append "@domain.com" to one of the values.

------------------------------------
Directory Services/Exchange Consultant
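
Added example, not part of the original thread: a small Python parser for the DCDIAG output in the first post that converts the signed decimal error into its 32-bit HRESULT form and lists the failed tests. The symbolic names come from the Windows SDK header winerror.h and are not stated in the thread; the sample lines are copied from the output above.

```python
import re

# Constructed sample: lines copied from the DCDIAG output in the first post.
SAMPLE = """\
[srv001] Directory Binding Error -2146892976:
The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
[SRV001] DsBindWithSpnEx() failed with error -2146892976,
......................... SRV001 failed test Connectivity
......................... Schema passed test CrossRefValidation
"""

# Names taken from winerror.h (an addition here, not stated in the thread).
KNOWN = {0x80090350: "SEC_E_DOWNGRADE_DETECTED"}
FACILITIES = {7: "FACILITY_WIN32", 9: "FACILITY_SSPI"}

ERR_RE = re.compile(
    r"^\[(?P<host>[^\]]+)\]\s+(?P<what>.*?)\s*(?:failed with error|Error)\s+(?P<code>-?\d+)", re.I)
FAIL_RE = re.compile(r"^\.+\s+(?P<target>\S+) failed test (?P<test>\S+)")

def decode_hresult(signed):
    """Split a signed 32-bit error (as DCDIAG prints it) into HRESULT fields."""
    value = signed & 0xFFFFFFFF          # two's-complement view of the value
    fac = (value >> 16) & 0x7FF          # 11-bit facility field
    return {
        "hex": f"0x{value:08X}",
        "failure": bool(value >> 31),    # severity bit set means failure
        "facility": FACILITIES.get(fac, str(fac)),
        "code": value & 0xFFFF,
        "name": KNOWN.get(value, "unknown"),
    }

def summarize(text):
    """Return (errors, failed_tests) found in DCDIAG /V output."""
    errors, failed = [], []
    for line in text.splitlines():
        m = ERR_RE.match(line)
        if m:
            errors.append((m["host"].lower(), m["what"], decode_hresult(int(m["code"]))))
            continue
        m = FAIL_RE.match(line)
        if m:
            failed.append((m["target"], m["test"]))
    return errors, failed

if __name__ == "__main__":
    errs, failed = summarize(SAMPLE)
    for host, what, info in errs:
        print(host, what, info["hex"], info["facility"], info["name"])
    print("failed tests:", failed)
```

The hexadecimal form is the one to search for in vendor documentation and in Security/System event log entries, since most references list SSPI errors that way rather than as the signed decimal DCDIAG prints.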
 