Accessing AD from member servers

Ji Lee

I have set up 3 new servers. Server1 is a DC, and others
are just member servers. After I installed everything from
scratch including sp4, member servers cannot access DC's
AD. The error message is

Naming information cannot be located because:
The server is not operational.
Contact your system administrator to verify that your
domain is properly configured and is currently online.

Is there something I misconfigured???
Please advise.
Thanks in advance
 
Johan Arwidmark

The error might be due to Windows 2000 corrupt security settings.

You can rebuild the Windows 2000 security settings by running the
following commands from a command prompt:

secedit /configure /cfg c:\windows\repair\secsetup.inf /db secsetup.sdb /verbose

secedit /configure /cfg c:\windows\repair\secsetup.inf /db secdc.sdb


Please also check that the Windows Time Service, w32time, is started

Here are some additional articles

You Cannot Browse the Drives of or Map a Drive to a Domain Controller
from Any Client Computer
http://support.microsoft.com/?id=826902

AD error on Domain Controller
http://members.aol.com/_ht_a/bergert/w2k/tip07.htm

regards
Johan Arwidmark

Windows User Group - Nordic
http://www.wug-nordic.net
 
Ji Lee

Thanks for the suggestions.
But the command you provided didn't work when I ran it.
I received the following messages:

The system cannot find the file specified.

Task is completed with error.
See log %windir%\security\logs\scesrv.log for detail info.

When I checked the log file it reported that
the "secsetup.inf" file cannot be found.
And, the Windows time service was started, but there was
an error message in the Event log and let me run "w32tm/s"
from the command line. It returned "RPC to local server
returned 0x0" message. As a result, nothing was successful.
Do you think I should reinstall Windows 2000 server & sp4??

-----Original Message-----
The error might be due to Windows 2000 corrupt security settings.

You can rebuild the Windows 2000 security settings by running the
following commands from a command prompt:

secedit /configure /cfg c:\windows\repair\secsetup.inf /db secsetup.sdb /verbose

secedit /configure /cfg c:\windows\repair\secsetup.inf /db secdc.sdb
 
Ben Ybarra [MSFT]

Hello Ji,

Thank you for your post.

Do you receive the error dialog when opening any of the Active Directory
MMCs?

I recommend to start troubleshooting from the domain controller first. Some
common things to look at :
1) On the TCP/IP Setting on the NIC, the Prefer DNS Server is the same as
the DCs IP Address.
2) Is the SYSVOL and Netlogon Share out (To Check: Open a command prompt
and type "Net Share")
3) Is the Policy folder in the SYSVOL (example:
C:\WINNT\sysvol\SYSVOL\domain.com\Policy)
4) Make sure the Default Domain Controller Policy and Default Domain Policy
are in place within the Policy Folder. (To Check: Look for folders named:
{31B2F340-016D-11D2-945F-00C04FB984F9} -- representing the Default Domain
policy and {6AC1786C-016F-11D2-945F-00C04fB984F9} -- representing the
Default Domain Controllers policy)
(Note: If there is a problem applying the policies Windows will log Events
in the Application log. 1000, 1001 and 1202)
5) If the policies are in place, I recommend to run MPS Reports on the
Domain Controller (MPS Reports can be found using the following link -
http://www.microsoft.com/downloads/details.aspx?FamilyId=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en
Please download MPSRPT_DirSvc.exe)
Review the NTUSERRIGHTS.LOG and check Access this computer from the Network
and make sure Everyone, Authenticated Users, and Administrators are listed.
If you prefer not to use MPS Reports, you can open the Default Domain
Controller Security Policy using the MMC, in Administrator tools.
If you attempted to open "Default Domain Controller Security Policy" and
received an Access Denied, I recommend to browse to the following location
and open the gptmpl.inf with notepad.
<sysvol path>\sysvol\<domain name>\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\<MACHINE>\Microsoft\Windows NT\SecEdit\
Look for SeNetworkLogonRight and ensure that *S-1-1-0 (Everyone group) is
listed, if not add it. Open a command prompt and refresh the policy -
"secedit /refreshpolicy machine_policy /enforce"

If everything checks out okay on the Domain Controller, and you can open
Active Directory MMCs without error, then look at the clients themselves.
1) On the TCP/IP Setting on the NIC, the Prefer DNS Server is the same as
the DCs IP Address.
2) Check the Secure Channel between the Member Server with the Domain
Controller. You will need to install the Windows 2000 Support Tools (Note:
They are located on the Windows 2000 CD, under \Support\Tools\Setup.exe)
Open a command prompt and type "Netdom VERIFY myserver /Domain:mydomain.com"
If the Secure Channel Test fails then you can reset the secure channel by
typing the following command:
"netdom resetpwd /server:mydomaincontroller /userd:<mydomain>\administrator /passwordd:*"

Reference Knowledgebase Articles:
257346 "Access This Computer from the Network" User Right Causes Tools Not to
http://support.microsoft.com/?id=257346

260575 HOW TO: Use Netdom.exe to Reset Machine Account Passwords of a Windows
http://support.microsoft.com/?id=260575

223321 "The Server Is Not Operational" Error Message in Active Directory Tools
http://support.microsoft.com/?id=223321

327781 How to Troubleshoot Missing SYSVOL and NETLOGON Shares on Windows Server
http://support.microsoft.com/?id=327781

266206 User Cannot logon to Windows 2000 Domain Controllers that have been
http://support.microsoft.com/?id=266206

Best Regards,
Ben Ybarra, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
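
The SeNetworkLogonRight check described in the reply above, as an added example that is not part of the original thread or any Microsoft tool: a small Python parser for a gptmpl.inf security template that reports which of the three principals named in the post are missing. The SID-to-name table, the function names and the sample template are assumptions constructed for the illustration.

```python
import re
import sys

# Well-known SIDs for the three principals named in the post above.
REQUIRED = {"*S-1-1-0": "Everyone",
            "*S-1-5-11": "Authenticated Users",
            "*S-1-5-32-544": "Administrators"}

# Constructed sample: a template in which Everyone has been dropped.
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def load_inf(path):
    """Read a template; the file is usually UTF-16 with a BOM, sometimes ANSI."""
    data = open(path, "rb").read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")

def privilege_rights(inf_text):
    """Return {right_name_lowercase: [entries]} from [Privilege Rights]."""
    rights, section = {}, None
    for raw in inf_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip().lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return rights

def missing_network_logon(inf_text):
    """Required principals absent from SeNetworkLogonRight (matched by SID or name)."""
    entries = {e.lower() for e in privilege_rights(inf_text).get("senetworklogonright", [])}
    return [name for sid, name in REQUIRED.items()
            if sid.lower() not in entries and name.lower() not in entries]

if __name__ == "__main__":
    text = load_inf(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print("Missing from SeNetworkLogonRight:", missing_network_logon(text) or "none")
```

Run it with the path to a copy of gptmpl.inf as the only argument; with no argument it checks the embedded sample.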
 
