SBS can't see itself as GC?

[ECCOGuy]

I installed a few MS updates last week. 923694,925398,928388,929120,911897,923689. When the server came back from reboot, Exchange SA didn't start (or IS for that matter). Also, from a client I couldn't access the UNC for the server. The server can't access anyone's UNC. But all IIS functions correctly and I can ping by IP address and DNS name. I can manually start SA and IS and Exchange seems to work fine from a user perspective. But a look in the App Log shows otherwise as it is filled to the brim with:

MSExchangeSA 9074 The Directory Service Referral interface failed to service a client request. RFRI is returning the error code:[0x3f0].
MSExchangeSA 9143 Referral Interface cannot contact any Global Catalog that supports the NSPI Service. Clients making RFR requests will fail to connect until a Global Catalog becomes available again. After a Domain Controller is promoted to a Global Catalog, it must be rebooted to support MAPI Clients.
Userenv 1030 Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
Userenv 1058 Windows cannot access the file gpt.ini for GPO CN={77EA5877-F7CC-4F4B-89DE-688D0001503B},CN=Policies,CN=System,DC=domain,DC=net. The file must be present at the location <\\domain.net\SysVol\domain.net\Policies\{77EA5877-F7CC-4F4B-89DE-688D0001503B}\gpt.ini>. (The network location cannot be reached. For information about network troubleshooting, see Windows Help. ). Group Policy processing aborted.

It seems that the SBS doesn't see itself as a GC anymore! I've Googled around and found many hints that point in the right direction, but nothing's worked so far. I haven't yet removed the updates because the discription of them doesn't suggest that it would affect this. I installed Ultrasound on the good server (2003 Std) and it shows no problems. They've played good for three months since I went through the fun challange of installing a SBS in an existing 2003 domain. My next step is going to be to: netsh int ip reset [ log_file_name ] to rebuild the IP stack. I wanted to bounce my situation off people here first, because you might help me see something I haven't seen yet.

Thanks for any help!!!



Spencer
MCSE2k, MCSA2k, Net+, A+

 

[ShackDaddy]

Check your Domain Controller Security Policy and your Domain Security Policy and make sure you haven't disabled signed communications. Your symptoms sound like there's a problem there.

Recent patches change SMB signing settings, and using the Highly Secure security template in conjunction with the patches has caused the issue in the past. Read this thread:

http://x220.minasi.com/forum/topic.asp?TOPIC_ID=15363

It's not with SBS, but it afflicted a single 2003 DC server with the same symptoms.

Other tests:

Run DCDIAG and see what the results are.

Stop and start Netlogon service to rebuild possible DNS entries that might be missing.


ShackDaddy
Shackelford Consulting

 

[ECCOGuy]

Thanks for the tips. The problem with the first tip is that because it couldn't find a GC, I couldn't open the Group Policy Object Editor snap-in and therefore couldn't view/change the Domain Security Policy. I figured you were right about the fact it's not SBS. The main reason it was showing the issues was that by default SBS makes you put almost all your eggs in one basket.
I did manage to get it corrected last night, however. The NetBIOS over TCP/IP seemed to have gotten corruped with the updates and associated reboot. The helper was running in services, but a ipconfig /all showed it as disabled. The other hint was in the System Log that upon reboot showed three entries for NetBT 4311 of which Microsoft says "can be safely ignored". That's what I get for trusting in Microsoft Rebuilding the IP stack and rebooting fixed it! Yea for a simple fix.

Spencer
MCSE2k, MCSA2k, Net+, A+