nltest error


Steve Gould

Hello,

I am troubleshooting issues on our domain. See my other recent posts for
more info. One test I tried is "nltest". I am getting strange results. If I
run the "sc_query" for each member server I get a successful result. When I
do the test for DC2 I get a success. When I do the test for DC1 I get a
failure. DC1 has all FSMO roles and is a GC. DC2 is a GC also. Here is the
result from DC1 and DC2:

C:\>nltest /server:dc1 /sc_query:mydomain.org
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

C:\>nltest /server:dc2 /sc_query:mydomain.org
Flags: 10 HAS_IP
Trusted DC Name \\dc1.mydomain.org
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

Suggestions anyone?


--
Steve Gould
Network Administrator
APA - The Engineered Wood Association
253-620-7454
(e-mail address removed)
 

Steven Liu

Hi Steve,

Thanks for posting here.

We can try to disable the RestrictAnonymous on the DC1.

WARNING: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using
Registry Editor incorrectly. Use Registry Editor at your own risk.

1. Open Registry Editor.

2. Locate the following key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

3. Click to select the following value:

"RestrictAnonymous"

4. On the "Edit" menu, click "DWORD", and then change the data (value) to
0, as indicated in the following information:


"Value Name": RestrictAnonymous
"Data Type": REG_DWORD
"Value": 0

5. Exit Registry Editor, and then restart the computer for the change to
take effect.

Let's see whether this works.

If not, let's disable the GC on the DC1.

We also can use the repadmin to force the 2 domain controllers to replicate
with each other.

Also, we need to check whether the DNS records for the 2 domain controllers
are correct.

Thanks for using Microsoft Newsgroup!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
 

Steven Liu

Hi Steve,

You also can try to run "nltest /server:dc1 /sc_reset:mydomain\dc2" to
reset the secure channel of the dc1 to dc2.

Thanks for using Microsoft Newsgroup!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
 

Steve Gould

Not a good result Steven. Here are the true results.

C:\>nltest /server:hqfat /sc_reset:apawood.org\hqbkfax
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

I'll look at your other suggestion.

Steve
 

Steve Gould

No go Steven. The value is already 0.

See my other reply for nltest also. Other suggestions?

Steve
 

Steve Gould

Anyone else have some suggestions? The problem still persists. I'm not sure
what to look at to solve it.

Steve
 

Ozone

You may want to reset the secure channels for this server. This can be done
with nltest or netdom.

Ozone
 

Steve Gould

No luck. I already tried that. It errored out saying "ERROR_NO_SUCH_DOMAIN".

Steve
 

Ozone

Can you run a netdiag and dcdiag and post the results? Or send them to me
(e-mail address removed)

Ozone
 

Steven Liu

Hi Steve,

Do you have more than one NIC installed on the domain controller? If yes,
make sure only one NIC which is connected to the local network will
register the DC in your local DNS and WINS server. The other NICs should
not register on the local DNS and WINS server. This may cause the name
resolution issue which will bring the NO_SUCH_DOMAIN error.

Thanks for using Microsoft Newsgroup!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
 

Steve Gould

Good thought Steven. The server does have two NICs. The second NIC is
disabled. It could have some settings associated with it, though. I'll
double check.

Steve
 

Steve Gould

No help. I went into the properties for the second NIC and un-selected
everything (even though it was disabled). nltest gives the same
"ERROR_NO_SUCH_DOMAIN" error.

I then set nltest /dbflag:0x2000ffff. When I use "nltest
/server:"servername" /sc_query:"domainname"" and then check the
"netlogon.log" file I found this entry:

03/03 11:07:28 [CRITICAL] NetrLogonControl can't find the client structure
of the domain apawood.org specified.



Steve
 

Steve Gould

I ran "dcdiag /v /s:<dc1> /test:outboundsecurechannels
/testdomain:<domainname>" and here are the errors. The DC and domain names
have been modified for security. Very curious that it says a file is
missing...

Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
Could not Check secure channel from DC1 to <domainname>: The
specified domain either does not exist or could not be contacted.
Could not Query Trusted Domain :The system cannot find the file
specified.
* Secure channel from [DC2] to [\\DC1.<domainname>] is working
properly.
Could not Query Trusted Domain :The system cannot find the file
specified.
......................... DC1 failed test OutboundSecureChannels

Steve
 

Steven Liu

Hi Steve,

I also think you should check the DNS record for the domain controller.
Where is the DNS server?

Did you install it on a member server or on a domain controller?

If it's installed on a member server, you can manually delete the problem
DC records. Then, restart the problem DC and it will re-register the DNS
records automatically.

Thanks for using Microsoft Newsgroup!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
 

Steve Gould

I set nltest /dbflag:0x2000ffff again and rebooted the server. The INIT
process came back with many CRITICAL errors. Here is one of each of the
errors (modified to remove actual IP addresses and server names).

03/03 16:47:22 [CRITICAL] NetpDcGetPingResponse: <my domain>.: Cannot
ldap_result ip address <the servers IP address>: 89 Parameter Error

03/03 16:47:37 [CRITICAL] Cannot W32TimeGetNetlogonServiceBits 0x6b5 (this
is OK because we don't use W32Time)

03/03 16:47:37 [CRITICAL] NetpDcHandlePingResponse: <my domain>: response
opcode not valid. 0x14

03/03 16:47:37 [MAILSLOT] NetpDcPingListIp: apawood.org.: Sent UDP ping to
192.168.1.6

03/03 16:47:37 [CRITICAL] NetpDcGetNameIp: <my domain>: site specific SRV
records done.

03/03 16:47:48 [CRITICAL] Ping from <this DC> for domain <server.my domain>
(null) for (null) on <Local> is invalid since we don't host the named
domain.

03/03 16:47:48 [CRITICAL] NetpDcGetNameIp: <server.my domain>: No data
returned from DnsQuery.

03/03 16:47:48 [CRITICAL] NetpDcGetName: <server.my domain>: IP and Netbios
are both done.

03/03 16:48:19 [CRITICAL] NlMainLoop: Registry changed
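
An added example, not part of the original post: a small Python parser for netlogon.log debug lines in the shape quoted above (MM/DD HH:MM:SS [CATEGORY] message). It rejoins wrapped lines and tallies the [CRITICAL] entries by the routine that logged them. The sample is an excerpt of the lines in the post, and the names parse and critical_by_routine are this example's own.

```python
import re
from collections import Counter

# Entry header as seen in the quoted lines: "MM/DD HH:MM:SS [CATEGORY] message"
ENTRY = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] (.*)$")
# Many messages begin with the name of the logging routine followed by a colon.
ROUTINE = re.compile(r"^(\w+):\s")

# Excerpt of the post above, with the line wrapping it was posted with.
SAMPLE = """\
03/03 16:47:22 [CRITICAL] NetpDcGetPingResponse: <my domain>.: Cannot
ldap_result ip address <the servers IP address>: 89 Parameter Error
03/03 16:47:37 [CRITICAL] NetpDcHandlePingResponse: <my domain>: response
opcode not valid. 0x14
03/03 16:47:37 [MAILSLOT] NetpDcPingListIp: apawood.org.: Sent UDP ping to
192.168.1.6
03/03 16:47:48 [CRITICAL] NetpDcGetNameIp: <server.my domain>: No data
returned from DnsQuery.
03/03 16:47:48 [CRITICAL] Ping from <this DC> for domain <server.my domain>
(null) for (null) on <Local> is invalid since we don't host the named
domain.
03/03 16:48:19 [CRITICAL] NlMainLoop: Registry changed
"""

def parse(text):
    """Return one dict per log entry, folding wrapped lines into their entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            entries.append({"time": m.group(1), "category": m.group(2),
                            "message": m.group(3)})
        elif entries:  # no timestamp: continuation of the previous entry
            entries[-1]["message"] += " " + line
    for e in entries:
        r = ROUTINE.match(e["message"])
        e["routine"] = r.group(1) if r else None
    return entries

def critical_by_routine(entries):
    """Count [CRITICAL] entries per logging routine."""
    return Counter(e["routine"] or "(no routine prefix)"
                   for e in entries if e["category"] == "CRITICAL")

if __name__ == "__main__":
    for routine, n in critical_by_routine(parse(SAMPLE)).most_common():
        print(f"{n:3d}  {routine}")
```
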
 

Steven Liu

Hi Steve,

From now, I think we can back up the data on the DC1. (Using the NTbackup to
back up the System State and other necessary data.)

Then, run dcpromo to demote the DC1 to be a member server.

After this is done, remove the DC1 from the domain and join it back.

Then, run the dcpromo again to promote the DC1 to the domain controller.

Note: please transfer the FSMO roles which are held on DC1 to DC2 before doing
this.

255690 HOW TO: View and Transfer FSMO Roles in the Graphical User Interface
http://support.microsoft.com/?id=255690

Thanks for using Microsoft Newsgroup!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
 

Steve Gould

OK then. Thank you for your help Steven and Ozone. It will have to wait
about a month because the other DC has issues with RRAS. We ordered a new
member server to do RAS. As soon as that is up and stable I'll transfer the
FSMO roles, demote, then promote DC1. If the issue reappears I will repost.

Steve
 

Steve Gould

I have finally gotten my DCs in a configuration that allowed me to transfer
the PDC role from DC1 to DC2. The nltest issue follows the PDC emulator and
seems to be NORMAL. I'm just sad that nobody was able to respond with this
information and save all the work that went into troubleshooting a normal
operating condition.

Thanks to all of you that did respond. It was actually lots of fun to
troubleshoot so I don't mind all the hair pulling too much.

Steve Gould
 

Steven Liu

Hi Steve,

I'm glad to see that the problem is solved.

You are welcome!

Thanks for using Microsoft Newsgroup!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
 
