dns problem

Eduardo Sicouret

Hello... Need your help ASAP

I have a windows 2000 domain with 2 domain controllers. XXXPDC and XXXBDC
machines.

When I try to open Active Directory Users and Computers on XXXPDC I get the
following message:

Naming information cannot be located because:
The target principal name is incorrect.
Contact your system administrator to verify that your domain is properly
configured and is currently online.

When I run netdiag I get the following errors:

DC list test.... Failed
[Warning] Cannot call DsBind to xxxpdc.domainname [SEC_E_WRONG_PRINCIPAL]
Trust relationship test ... Failed
[FATAL] Secure channel to domain 'domainname' is broken
[ERROR_ACCESS_DENIED]
[Warning] Failed to query SPN registration on DC 'xxxpdc.domainname'
[Warning] Failed to query SPN registration on DC 'xxxbdc.domainname'

When running dcdiag:

[xxxpdc] LDAP bind failed with error 31.
A device attached to the system is not functioning


Any help with this??? I've tried a lot of web pages and troubleshooting, but
the problem persists.

Users cannot access domain controller shares.

Regards,

Eduardo Sicouret
farees

Ace Fekay [MVP]

Eduardo Sicouret said:
Hello... Need your help ASAP

I have a windows 2000 domain with 2 domain controllers. XXXPDC and
XXXBDC machines.

When I try to open Active Directory Users and Computers on XXXPDC I get the
following message:

Naming information cannot be located because:
The target principal name is incorrect.
Contact your system administrator to verify that your domain is
properly configured and is currently online.

When I run netdiag I get the following errors:

DC list test.... Failed
[Warning] Cannot call DsBind to xxxpdc.domainname [SEC_E_WRONG_PRINCIPAL]
Trust relationship test ... Failed
[FATAL] Secure channel to domain 'domainname' is broken
[ERROR_ACCESS_DENIED]
[Warning] Failed to query SPN registration on DC 'xxxpdc.domainname'
[Warning] Failed to query SPN registration on DC 'xxxbdc.domainname'

When running dcdiag:

[xxxpdc] LDAP bind failed with error 31.
A device attached to the system is not functioning


Any help with this??? I've tried a lot of web pages and
troubleshooting, but the problem persists.

Users cannot access domain controller shares.

Regards,

Eduardo Sicouret

The one thing that stands out is your domain is a single label name called
'domainname'. DNS is hierarchically based and requires at least a two-level
name, such as 'domainname.com'. Single label names will not update into DNS
unless forced by altering a registry entry. However, 2000 (post SP4), 2003
servers and XP clients have difficulty resolving single label DNS
domain names. The resolver service believes the name 'domainname' is a TLD
(top level domain name) such as 'com' or 'net' and will query the Roots
looking for the nameserver on record for 'domainname'. This generates a lot
of traffic, as the ISC (http://www.isc.org/index.pl) found during a study.
This was the main reason why Microsoft stopped registration with a single
label name when 2000 SP4 was released, besides the fact that the resolver
service is not able to handle it.

In your case, besides the single label name, you may even be using an ISP's
DNS or some other DNS server that is not hosting the AD zone name in your
DCs' (and possibly your clients') IP properties. Remember the cardinal rule:
never use an ISP's DNS anywhere in an AD infrastructure other than
configured as a Forwarder.

The SPN registration error is looking for the FQDN of the machine, such as
xxxpdc.domainname.com, and not xxxpdc.domainname.
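To make the diagnosis concrete, here is a small offline triage script. It is an added example, not code from the thread or from Microsoft: it parses the netdiag lines Eduardo pasted, pulls the DC names out of the DsBind and SPN warnings, flags a single-label AD domain name, shows the FQDN-based SPNs a DC would be expected to register (HOST/fqdn, HOST/NETBIOS and LDAP/fqdn, a representative subset), and flags any DNS client address that is not an internal DNS server hosting the AD zone. The IP addresses are constructed TEST-NET placeholders, and the function and constant names are my own.

```python
import re

# Constructed sample: the netdiag output quoted in the thread.
NETDIAG_OUTPUT = """\
DC list test.... Failed
[Warning] Cannot call DsBind to xxxpdc.domainname [SEC_E_WRONG_PRINCIPAL]
Trust relationship test ... Failed
[FATAL] Secure channel to domain 'domainname' is broken
[ERROR_ACCESS_DENIED]
[Warning] Failed to query SPN registration on DC 'xxxpdc.domainname'
[Warning] Failed to query SPN registration on DC 'xxxbdc.domainname'
"""

DSBIND_RE = re.compile(r"Cannot call DsBind to (?P<target>\S+)")
SPN_RE = re.compile(r"SPN registration on DC '(?P<target>[^']+)'")


def failed_tests(text):
    """Names of netdiag tests whose line ends in 'Failed'."""
    return [line.split("...")[0].strip()
            for line in text.splitlines()
            if line.rstrip().endswith("Failed")]


def dc_names(text):
    """DC names mentioned in DsBind and SPN warnings, lower-cased and sorted."""
    names = set()
    for pat in (DSBIND_RE, SPN_RE):
        for m in pat.finditer(text):
            names.add(m.group("target").lower())
    return sorted(names)


def split_fqdn(name):
    """'xxxpdc.domainname' -> ('xxxpdc', 'domainname')."""
    host, _, domain = name.partition(".")
    return host, domain


def is_single_label(domain):
    """True when the DNS domain name has fewer than two labels."""
    labels = [l for l in domain.strip(".").split(".") if l]
    return len(labels) < 2


def expected_spns(host, domain):
    """Representative SPNs a DC registers; all but the NETBIOS form need an FQDN."""
    fqdn = f"{host}.{domain}".lower()
    return [f"HOST/{fqdn}", f"HOST/{host.upper()}", f"LDAP/{fqdn}"]


def audit(text, dns_servers, internal_dns):
    """Return a list of findings for the pasted netdiag output and DNS client settings.

    dns_servers: addresses configured in the DC's IP properties (constructed).
    internal_dns: addresses of DNS servers that host the AD zone (constructed).
    """
    findings = [f"netdiag: {t} failed" for t in failed_tests(text)]
    for domain in sorted({split_fqdn(n)[1] for n in dc_names(text)}):
        if is_single_label(domain):
            findings.append(
                f"single-label AD domain name '{domain}': DNS needs at least two "
                f"labels (e.g. '{domain}.com'), and DsBind/SPN lookups want an FQDN")
    for server in dns_servers:
        if server not in internal_dns:
            findings.append(
                f"DNS client points at {server}, which does not host the AD zone; "
                f"use it only as a forwarder on the internal DNS server")
    return findings


if __name__ == "__main__":
    # Constructed settings: one internal DNS server and one ISP resolver.
    for finding in audit(NETDIAG_OUTPUT, ["192.0.2.10", "203.0.113.53"],
                         {"192.0.2.10", "192.0.2.11"}):
        print(finding)
    for spn in expected_spns("xxxpdc", "domainname.com"):
        print(spn)
```

Run it as-is to see the two failed tests, the single-label finding and the stray ISP resolver; swap in your own netdiag paste and resolver addresses to check a DC before and after applying the fix.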

How do you fix it? The best scenario depends on domain mode. If the mode is
2000 Functional levels, then the best thing would be to install a brand new
domain with the proper naming convention and migrate your resources (users,
computers, etc) from the current domain. If it is in mixed mode, you can
install an NT4 BDC into it, demote the 2000 DCs or just remove them (delete
their server name reference in NT4 Server Manager), then promote the BDC to
a PDC, then upgrade it to 2000, but this time make sure the proper naming
convention is chosen.

Here's a band-aid for it, but keep in mind this is only a temp fix (and won't
work for clients) so that you can plan on fixing it properly.

Single-Label DNS Names:
http://support.microsoft.com/default.aspx?scid=kb;en-us;300684

If you use the fix provided in 300684, make sure you also remove any ISP's
DNS addresses, or your router's address if you are using it as a DNS server too.

Sorry to be the bearer of bad news.

--
Ace
Innovative IT Concepts, Inc
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...