When ever I reboot my FSMO DC (dc1) my Exchange 2003 server gives LDAP
errors. According to the messages the Exchange server reports both of my
DC's as being unreachable. Below are the error strings. I have checked
netdiag, nltest, and the Active Directory Administration Tool. It seems DNS,
Wins, LDAP, etc. are working properly. It almost seems like a kerberos
problem because of the last error message. This particular DC (dc2) has no
event errors logged. Both DC's are GC's, both run DNS and Wins. Dc2 also
runs RAS, DHCP, printer shares, and Backup Exec for all the servers.

Can anyone suggest what to test next?

Errors:

Application Log Errors:

* Source: MSExchangeDSAccess - Event ID: 2114 - Process INETINFO.EXE
(PID=1600). Topology Discovery failed, error 0x80040a02.

* Source: MSExchangeDSAccess - Event ID: 2102 - Process MAD.EXE (PID=1964).
All Domain Controller Servers in use are not responding:
dc1.apawood.org
dc2.apawood.org

* Source: MSExchangeSA - Event ID: 9154 - DSACCESS returned an error
'0x80004005' on DS notification. Microsoft Exchange System Attendant will
re-set DS notification later.

System Log Errors:

* Source: NETLOGON - Event ID: 5719 - This computer was not able to set up a
secure session with a domain controller in domain APA_NT due to the
following:
The remote procedure call was cancelled. This may lead to authentication
problems. Make sure that this computer is connected to the network. If the
problem persists, please contact your domain administrator.

* Source: LSASRV - Event ID: 40961 - The Security System could not establish
a secured connection with the server ldap/dc2.apawood.org. No
authentication protocol was available.



Thanks,

--
Steve Gould
Network Administrator
APA - The Engineered Wood Association
253-620-7454
(E-Mail Removed)

Hi Steve,

Thanks for posting here.

To the Exchange problems, I think you can create post in the
microsoft.public.exchane.admin for help.

To the LSASRV 40961 error, we can try to create a Reverse Lookup Zone, and
enter a record for your DNS Server.

Are you using the APA_NT as your domain NetBIOS name of the apawood.org
domain?

I also want to know whether you are using the Windows 2000 server or the
Windows 2003 server? If you are using the Windows 2000 server, please make
sure the Windows 2000 SP4 is installed.

Please save and empty the system event log. Restart the computer. Save the
system event log and paste it in the reply post. I will continue to help
you about the Windows system issues.

Thanks for using Microsoft Newsgroup!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Thank you for your reply Steve. I'll look into your suggestions.

I have an update that complicates the issue. Last night I moved the PDC role
from dc1 to dc2. All the servers report that their browser services have
failed (unable to retrieve backup list). Network Neighborhood is unpopulated
on Windows 2000 and XP machines as well as all the other servers. Win 95 and
98 systems seem to be OK and can log on to the domain. I tried restarting
the "computer browser" service on dc2, but that didn't help. It sees the
network resources, but the other servers and post Win 2K clients continue to
be unable to browse the network. "net view" also comes up empty.

Suggestions anyone?

Steve

Steve,

The reverse lookup zone has all the servers correctly listed.

APA_NT is our NetBIOS name that was brought forward when we migrated from NT
4.

Exchange 2003 is running on Windows Server 2003.

I'll get the system log as soon as I reach a point where I can reboot the
server.

See my other message that details some more related problems.

Steve


""Steven Liu"" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi Steve,
>
> Thanks for posting here.
>
> To the Exchange problems, I think you can create post in the
> microsoft.public.exchane.admin for help.
>
> To the LSASRV 40961 error, we can try to create a Reverse Lookup Zone, and
> enter a record for your DNS Server.
>
> Are you using the APA_NT as your domain NetBIOS name of the apawood.org
> domain?
>
> I also want to know whether you are using the Windows 2000 server or the
> Windows 2003 server? If you are using the Windows 2000 server, please make
> sure the Windows 2000 SP4 is installed.
>
> Please save and empty the system event log. Restart the computer. Save the
> system event log and paste it in the reply post. I will continue to help
> you about the Windows system issues.
>
> Thanks for using Microsoft Newsgroup!
>
> Sincerely,
>
> Steven Liu [MSFT]
>
> Microsoft Online Partner Support
>
> MCSE 2000
>
> Get Secure! - www.microsoft.com/security
>
> This posting is provided "as is" with no warranties and confers no rights.
>

Hi Steve,

Please also check whether these server's computer time are same. If the
time difference is too long, this will cause the kerberos identification
failt. So, please make sure the time of these server are almost same.

You can refer to the article to setup and configure the time server.

216734 How to Configure an Authoritative Time Server in Windows 2000
http://support.microsoft.com/?id=216734

Note: by default, the clients and servers will sync time with the PDC
Emulator. Please also check the PDC Emulator. If you have installed the ISA
or other firewall application on the network, you can refer to the
following article to solve the problem.

323621 HOW TO: Configure the Simple Network Time Protocol (SNTP) on ISA
Server
http://support.microsoft.com/?id=323621

Since the Exchange 2003 is installed on the Windows 2003 member server and
the error is about the secure channel, if the above steps does not solve
the problem, we can try to use nltest.exe to reset the Windows 2003 member
server computer account.

You can refer the article about how to do this.

216393 Resetting Computer Accounts in Windows 2000 and Windows XP
http://support.microsoft.com/?id=216393

If this does not work, please reply the post and I will continue to help
you.

Thanks for using Microsoft Newsgroup!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Steven,

Nice try. The time thing made sense, but that's not it. We use a third party
time server (Tardis) and all servers are within one second. All clients get
their clocks set by the login script.

I'll look at the nltest issue.

I have more info on the network browsing issue. When dc2 was the PDC master,
and hence the browse master, it could see all the network resources in My
Network Places viewed on the server (net view from the server console). The
only resources that were visible to network clients were dialup users that
were connected to dc2 which is also our RAS server. So, dc2 was maintaining
the browse list, but it wasn't available to network clients, except for the
dialed-in client computers. Too weird.

Steve

""Steven Liu"" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi Steve,
>
> Please also check whether these server's computer time are same. If the
> time difference is too long, this will cause the kerberos identification
> failt. So, please make sure the time of these server are almost same.
>
> You can refer to the article to setup and configure the time server.
>
> 216734 How to Configure an Authoritative Time Server in Windows 2000
> http://support.microsoft.com/?id=216734
>
> Note: by default, the clients and servers will sync time with the PDC
> Emulator. Please also check the PDC Emulator. If you have installed the
ISA
> or other firewall application on the network, you can refer to the
> following article to solve the problem.
>
> 323621 HOW TO: Configure the Simple Network Time Protocol (SNTP) on ISA
> Server
> http://support.microsoft.com/?id=323621
>
> Since the Exchange 2003 is installed on the Windows 2003 member server and
> the error is about the secure channel, if the above steps does not solve
> the problem, we can try to use nltest.exe to reset the Windows 2003 member
> server computer account.
>
> You can refer the article about how to do this.
>
> 216393 Resetting Computer Accounts in Windows 2000 and Windows XP
> http://support.microsoft.com/?id=216393
>
> If this does not work, please reply the post and I will continue to help
> you.
>
> Thanks for using Microsoft Newsgroup!
>
> Sincerely,
>
> Steven Liu [MSFT]
>
> Microsoft Online Partner Support
>
> MCSE 2000
>
> Get Secure! - www.microsoft.com/security
>
> This posting is provided "as is" with no warranties and confers no rights.
>

Steven,

Here is the system log you requested. No abnormal errors:

2/18/2004 5:02:14 PM Removable Storage Service Error None 1 N/A HQBKFAX
Unable to auto-configure library unit Changer0. The current setup of the
library unit does not support automatic configuration. You will either have
to modify the current setup of the library to adhere to automatic
configuration guidelines (if possible) or manually configure the device.
2/18/2004 5:02:02 PM DhcpServer Information None 1044 N/A HQBKFAX The
DHCP/BINL service on the local machine, belonging to the Windows
Administrative domain apawood.org, has determined that it is authorized to
start. It is servicing clients now.
2/18/2004 5:01:40 PM Wins Information None 4097 N/A HQBKFAX WINS initialized
properly and is now fully operational.
2/18/2004 5:01:38 PM UPS Information None 1002 N/A HQBKFAX Communication
established
2/18/2004 5:01:36 PM SNMP Information None 1001 N/A HQBKFAX The SNMP Service
has started successfully.
2/18/2004 5:01:32 PM SNMP Warning None 1101 N/A HQBKFAX The SNMP Service is
ignoring extension agent key SOFTWARE\Microsoft\ACS\CurrentVersion because
it is missing or misconfigured.
2/18/2004 5:01:31 PM UPS Information None 1001 N/A HQBKFAX *** PowerChute
PLUS Version 5.2 started ***
2/18/2004 5:01:26 PM LPDSVC Information None 4000 N/A HQBKFAX LPD service
started successfully.
2/18/2004 5:01:25 PM BROWSER Information None 8015 N/A HQBKFAX The browser
has forced an election on network
\Device\NetBT_Tcpip_{5561E811-3CD3-499C-B811-E33EAEEF6D49} because a Windows
2000 Server (or domain master) browser is started.
2/18/2004 5:01:01 PM AppleTalk Information None 5 N/A HQBKFAX "A name was
successfully registered for this node via AppleTalk protocol on adapter
""IBM Netfinity 10/100 Ethernet Adapter"". "
2/18/2004 5:00:37 PM E100B Information None 5 N/A HQBKFAX Adapter IBM
Netfinity 10/100 Ethernet Adapter: Adapter Link Up
2/18/2004 5:00:26 PM Otman5 Information None 1 N/A HQBKFAX Open Transaction
Manager (tm) version 1.12 build 201 Copyright (c) 1996-99 Columbia Data
Products, Inc. All Rights Reserved!
2/18/2004 5:00:45 PM EventLog Information None 6005 N/A HQBKFAX The Event
log service was started.
2/18/2004 5:00:45 PM EventLog Information None 6009 N/A HQBKFAX Microsoft
(R) Windows 2000 (R) 5.0 2195 Service Pack 4 Multiprocessor Free.
2/18/2004 4:58:05 PM EventLog Information None 6006 N/A HQBKFAX The Event
log service was stopped.

Hi Steve,

In order to provide the good browser, it's better to install the WINS
server in the network and also configure all the clients and servers to use
the WINS server as their prefferred WINS server.

When the user opens the My Network Place to browser the network, the list
is get from the Browser Master or the WINS server. If you have more network
segments in your local network. Browser Master will not maintain the whole
information. WINS server can provide more stable and performance. In this
problem, I think we can setup the WINS server and check whether the problem
can be solved.

You said that the DC2 also installed with the RRAS server. If it contains 2
netword cards, the problem may occurs. 2 network interface will both
register themselves to the network. The other computer or service may found
the DC2 by the external network interface which cause problem. So, we
strongly suggested to only use one network interface in the domain
controller.

Please remove the RRAS server from the DC2. Setup a member server to hold
the RRAS server. This will be a good solution.

Thanks for using Microsoft Newsgroup!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Thank you for your continued help Steven.

Both our DC's are WINS servers. DC2 is primary. We only have one switched
LAN segment. DC2 has only one NIC. It has two modems for the RRAS service.
RRAS is configured for external clients to dial in and access the Exchange
server. There is no outbound RRAS enabled.

I agree with you that we should have a server dedicated as a DC only. Since
we are a small non-profit we can't afford to have stand alone single purpose
servers. All our servers support multiple roles. My original plan called for
DC2 to be a member server and to purchase an additional server to be DC1.
Our current DC1 was slated to be DC2.

I understand what you are saying about WINS. NETDIAG against both DC's
indicates that WINS is working normally. Our DHCP config is set to push the
WINS server addresses to the clients. I verified that Win 95/98 clients get
it. What do Win 2K and XP clients use? I've read that they no longer use
WINS because Microsoft is phasing it out.

Steve


""Steven Liu"" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi Steve,
>
> In order to provide the good browser, it's better to install the WINS
> server in the network and also configure all the clients and servers to
use
> the WINS server as their prefferred WINS server.
>
> When the user opens the My Network Place to browser the network, the list
> is get from the Browser Master or the WINS server. If you have more
network
> segments in your local network. Browser Master will not maintain the whole
> information. WINS server can provide more stable and performance. In this
> problem, I think we can setup the WINS server and check whether the
problem
> can be solved.
>
> You said that the DC2 also installed with the RRAS server. If it contains
2
> netword cards, the problem may occurs. 2 network interface will both
> register themselves to the network. The other computer or service may
found
> the DC2 by the external network interface which cause problem. So, we
> strongly suggested to only use one network interface in the domain
> controller.
>
> Please remove the RRAS server from the DC2. Setup a member server to hold
> the RRAS server. This will be a good solution.
>
> Thanks for using Microsoft Newsgroup!
>
> Sincerely,
>
> Steven Liu [MSFT]
>
> Microsoft Online Partner Support
>
> MCSE 2000
>
> Get Secure! - www.microsoft.com/security
>
> This posting is provided "as is" with no warranties and confers no rights.
>

This response contains a reference to a third party World Wide Web site.
Microsoft is providing this information as a convenience to you. Microsoft
does not control these sites and has not tested any software or information
found on these sites; therefore, Microsoft cannot make any representations
regarding the quality, safety, or suitability of any software or
information found there. There are inherent dangers in the use of any
software found on the Internet, and Microsoft cautions you to make sure
that you completely understand the risk before retrieving any software from
the Internet.

Hi Steve,

Yes, the Windows 2000 and Windows XP computers will use the DNS for the
computer name resolution by default.

As to the System log you pasted, the errors about the system disappear.

The rest error in the system event log is about the Removable Storage
Service.

This message occurs only because the Removable Storage Manager (RSM) of
Windows
is trying to claim the device, but is unable to do so as VERITAS drivers
now
have it. To prevent the error from occurring, perform the following steps:



1. Start > Programs > Administrative Tools> Computer Management.



2. Right-click on the Removable Storage icon, select properties. Now go the
General tab and unselect the following options:



X Send Operator Requests to Messenger Service

X Tray Icon for pending Operator Requests



This is described at:

http://seer.support.veritas.com/docs/236992.htm


To the Exchange errors, I think you also can create post in the
microsoft.public.exchange.admin for help.

Thanks for using Microsoft Newsgroup!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.