Problems with DC & Client PCs suddenly cannot access any IE pages

Guest

Hi, we’re having big problems with our Domain Controller (Windows Server 2000)
and I hope this could be resolved ASAP. The symptoms are:

1.Suddenly client PCs cannot browse Internet (whether via proxy or direct
connection to Internet). Received Page Not Found error.(If IP released &
renewed then it's ok for few minutes)

2.On the Domain Controller- cannot open Active Directory Users and
Computers, gives an error message "Naming information cannot be located
because: The Server is not operational"

3.If we try opening the ADUC, right-click on domain and select Operation
Master, it shows no operations master.

4.If we reboot the Domain Controller, everything works fine on DC, but the
clients have to be rebooted also.

See error from event viewer below:-

- Event ID :1000 - Windows cannot determine the user or computer name.
Return value (14).

- Event ID :1000 - Windows could not execute \\uplandsdc1\NETLOGON\login.bat
due to the following error: The system cannot find the file specified.

- Event ID :1000 - Windows cannot connect to uplands.org with (0x0).

- Event ID :1000 - Windows cannot query for the list of Group Policy objects
.. A message that describes the reason for this was previously logged by this
policy engine.

- Event ID :36872 - No suitable default server credential exists on this
system. This will prevent server applications that expect to make use of the
system default credentials from accepting SSL connections. An example of such
an application is the directory server. Applications that manage their own
credentials, such as the internet information server, are not affected by
this.

- Event ID :8021 – The browser was unable to retrieve a list of servers from
the browser master \\UPLANDSDC1 on the network
\Device\NetBT_Tcpip_{98A03878-3C9E-4F49-B902-4CA612900128}. The data is the
error code.

- Event ID :1053 – Windows cannot determine the user or computer name. (Not
enough storage is available to complete this operation. ). Group Policy
processing aborted.

- Event ID :1058 – Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=uplands,DC=org.
The file must be present at the location
<\\uplands.org\sysvol\uplands.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(Configuration information could not be read from the domain controller,
either because the machine is unavailable, or access has been denied. ).
Group Policy processing aborted.

- Event ID :1030 – Windows cannot query for the list of Group Policy
objects. Check the event log for possible messages previously logged by the
policy engine that describes the reason for this.

Please help or advise.
Thanking you in Advance.
 
Ace Fekay [MVP]

In
aznan said:
Hi we're having big problems with our Domain Controller (Windows
Server 2000) and i hope this could be resolved asap. The symptoms of
it is :-

1.Suddenly client PCs cannot browse Internet (whether via proxy or
direct connection to Internet). Received Page Not Found error.(If IP
released & renewed then it's ok for few minutes)

2.On the Domain Controller- cannot open Active Directory Users and
Computers, gives an error message "Naming information cannot be
located because: The Server is not operational"

3.If we try opening the ADUC, right-click on domain and select
Operation Master, it shows no operations master.

4.If we reboot the Domain Controller, everything works fine on DC,
but the clients have to be rebooted also.

See error from event viewer below:-

- Event ID :1000 - Windows cannot determine the user or computer name.
Return value (14).

- Event ID :1000 - Windows could not execute
\\uplandsdc1\NETLOGON\login.bat due to the following error: The
system cannot find the file specified.

- Event ID :1000 - Windows cannot connect to uplands.org with (0x0).

- Event ID :1000 - Windows cannot query for the list of Group Policy
objects . A message that describes the reason for this was previously
logged by this policy engine.

- Event ID :36872 - No suitable default server credential exists on
this system. This will prevent server applications that expect to
make use of the system default credentials from accepting SSL
connections. An example of such an application is the directory
server. Applications that manage their own credentials, such as the
internet information server, are not affected by this.

- Event ID :8021 - The browser was unable to retrieve a list of
servers from the browser master \\UPLANDSDC1 on the network
\Device\NetBT_Tcpip_{98A03878-3C9E-4F49-B902-4CA612900128}. The data
is the error code.

- Event ID :1053 - Windows cannot determine the user or computer
name. (Not enough storage is available to complete this operation. ).
Group Policy processing aborted.

- Event ID :1058 - Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=uplands,DC=org.
The file must be present at the location
<\\uplands.org\sysvol\uplands.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(Configuration information could not be read from the domain
controller, either because the machine is unavailable, or access has
been denied. ). Group Policy processing aborted.

- Event ID :1030 - Windows cannot query for the list of Group Policy
objects. Check the event log for possible messages previously logged
by the policy engine that describes the reason for this.

Please help or advise.
Thanking you in Advance.

These are all symptoms of and indicative of a misconfigured DNS
infrastructure, possible single label DNS domain name, mixing ISP and
internal DNS on the DCs and clients, etc.

Due to the numerous possible causes, can you provide some info to better
nail it down please, such as:

1. Unedited ipconfig /all of one of the DCs and one of the clients.
2. The exact zone name spelling in DNS and whether updates are allowed on the
zone.
3. The AD DNS domain name as it shows up in ADUC.
4. If the SRV records exist under your zone.


Thanks,

--
Regards,
Ace

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
 
Guest

Hi, thanks for the reply. I have prepared all of your requested information,
but all of it is screenshots. Is there a way of attaching a .doc file
together with this post, or do you have an email address so that I can email
you the attachment with the screenshots? Please help, we're actually in a deep
problem.

Thanking you in Advance
 
Ace Fekay [MVP]

In
aznan said:
Hi , thanks for the reply , i have prepared all of your requested
information but all of them is screen shots , is there a way of
attaching a .doc file together with this post or do you have any
email address so that i can email you the attachment with screen
shots. Please help we're actually in a deep problem

Thanking you in Advance

My email address is stated as (e-mail address removed). Just replace my
actual first name and last name.

Ace
 
Guest

Hi, I just sent the screenshots to your email address.

Thank you very much for your help
 
Ace Fekay [MVP]

In
aznan said:
Hi , can anyone help me with these problems...

Aznan,

Here was my reply to your email from 9/11 in case you did not receive it.


----- Original Message -----
From: Ace Fekay
To: Aznan
Sent: Sunday, September 11, 2005 11:52 PM
Subject: Re: Requested info from Uplands School

Thanks for sending me the info. All the configuration info actually looks
fine. I am surprised at all the issues that have suddenly arisen, assuming it
was all working fine in the past.

btw- What is (Mdaemon) ? What email service are you using? I assume it's not
Exchange?

Also, your original post said thru Proxy or direct. Are you using MS Proxy,
ISA or another vendor? Is there software that needs to be installed on the
client too?

Were you trying to install MSDE or SQL on a DC? May I ask why?

What was the very last thing that was installed, changed, or updated on ANY
machine, including the DCs, and your Proxy (or whatever it is), routers,
etc, PRIOR to all of the errors?

Ace
 
Guest

Ace, I've got your email dated 11th Sept 2005 and I've replied to that
email; see below:

From: "Aznan" <[email protected]>
To: (e-mail address removed)
Date: 14/09/2005 06:04 PM
Subject: Fwd: Re: Requested info from Uplands School


Hi Ace, are you still working on my case?

Sorry to keep bothering you, I'm actually desperate.
Regards
Aznan


-----Original Message-----
From: "Aznan" <[email protected]>
To: "Ace Fekay" <[email protected]>
Date: Tue, 13 Sep 2005 08:33:50 +0800
Subject: Re: Requested info from Uplands School

Ace, thanks for your prompt reply. We're using ISA Server as our proxy
server; no software needs to be installed on clients.

MSDE is required and is automatically installed when we install SurfControl
(Web Filter), ISA, Sophos (Anti-Virus).

The last changes were as attached in my previous email (Compile Changes Made
to DCs.doc). Let me know if you need another copy.

Thanks
Aznan
 
Ace Fekay [MVP]

In
aznan said:
Ace , i've got your email dated 11th Sept 2005 and i've replied to
that email:- see below

From: "Aznan" <[email protected]>
To: (e-mail address removed)
Date: 14/09/2005 06:04 PM
Subject: Fwd: Re: Requested info from Uplands School


Hi Ace , are you still working with my case ?

Sorry for keep on bothering you , i'm actually in desperate.
Regards
Aznan
Ace , thanks for your prompt reply. We're using ISA Server as our
proxy server, no software needs to be installed at clients.

MSDE is required and is automatically installed when we install
SurfControl (Web Filter), ISA, Sophos (Anti-Virus).

The last changes was as attached in my previous email (Compile
Changes Made to DCs.doc). Let me know if you need another copy.

Thanks
Aznan

Sorry for being late. Putting some fires out.

Wow, you have two major applications running on this domain controller. I
didn't realize you have that installed. Now I understand why the possible
problems. I'm starting to think it's either ISA and/or SurfControl causing
it.

Did you just install them on there or have they been on there? Curious, how
long have either of these apps been installed on the DC? Was DC
functionality working in the past with these apps installed? Was there a
setting change on ISA or SurfControl recently been made? Is the ISA Lat
correct?

I noticed the DC has only one NIC in your ipconfig /all, so that indicates
ISA is not being used for firewall or Secure NAT services, so I am assuming
you're using it as a Proxy for web control only. If so, why then is
SurfControl being used?

What is "mdaemon" that you mentioned in the "compile changes made to DC.doc"
file?

The reason I believe it's either ISA or SurfControl, is because all of a
sudden, IE doesn't work properly and you had to reinstall IE to get it to
work. That indicates either you installed the Firewall client on the DC or
SurfControl made some changes to IE. I believe ISA is also blocking clients
from accessing the DC's AD services. Plus the server service and netlogon
service are both required services for AD, maybe one of those apps is
curtailing access. Especially with those Event ID 1000's you mentioned,
which are indicative of AD communication failure.

Normally for services such as these, we *highly* recommend to NOT install
them on a DC. This is actually a golden rule for any application on a DC,
including Exchange, SQL, and anything else.

Curious, if you uninstalled ISA and SurfControl off this DC, does it work?
After all of this time, it may be prudent to test this. It won't take that
long. It will help to pinpoint what is NOT causing it.

Ace
 
Ace Fekay [MVP]

In aznan <[email protected]> made this post, which I then
commented about below:
<snip>

I just wanted to add, we usually recommend to let a DC be a DC to service
your infrastructure's needs. For other services, it's highly recommended to
install them on a member server. I've seen many issues from 3rd party apps
installed or not configured properly cause major issues on a DC, especially
ISA service if the LAT is incorrect or allowed ports are not properly
opened, (which there are 30 of them for AD functionality)

Ace
 
Guest

Hi Ace,

ISA/SurfControl has been running for many months without problem. We
reinstalled ISA/SurfControl because we'd been using an evaluation version of ISA,
and our licensed copy has arrived.

ISA acts as our proxy server, SurfControl provides web filtering.

MDaemon is our email server.

Interestingly, the DCs have been working fine since last Thursday. It makes
me suspect it's not an ISA/SurfControl problem because no settings have been changed.
The only change I can recall is the DNS setting for the NIC on DC1. It
used to point to itself as primary DNS and to DC2 as secondary DNS;
just for testing purposes, we've changed both primary and secondary DNS to
point to DC2. It makes me wonder whether the DNS Server at DC1 is having a problem.

Current Setting:

DC1 NIC Card - primary dns is DC2, secondary dns is DC2
DC2 NIC Card - primary dns is DC1, secondary dns is DC2
Both DNS Servers use forwarder - point to Internet DNS Servers.
DC1 DNS Server is the master and accepts dynamic updates.
 
Ace Fekay [MVP]

In
aznan said:
Hi Ace,

ISA/SurfControl has been running for many months without problem. We
reinstall ISA/SurfControl because we've been using evaluation version
of ISA, and our license copy has arrived.

ISA act as our proxy server, SurfControl provide web filtering.

MDaemon is our email server.

Interestingly, the DCs has been working fine since last Thursday. It
makes me suspect it's not ISA/SurfControl problem coz no settings has
been changed. The only change i can recall is the DNS setting for the
NIC Card on DC1, it used to point to itself as primary DNS, and point
to DC2 as secondary DNS, just for testing purposes, we've change both
primary and secondary DNS to point to DC2. make me wonder whether the
DNS Server at DC1 is having problem.

Current Setting:

DC1 NIC Card - primary dns is DC2, secondary dns is DC2
DC2 NIC Card - primary dns is DC1, secondary dns is DC2
Both DNS Servers use forwarder - point to Internet DNS Servers.
DC1 DNS Server is the master and accept dynamic updates.

Maybe when you reinstalled ISA and/or SurfControl (I am assuming you are
referring to two separate products and using evals of each product), maybe
you didn't re-set the settings. Honestly, I would not use a DC for this,
whether it was working or not. Any machine that will interact with the
Internet on behalf of your clients is subject to attack. You don't want your
DCs to be the pawns in this war.

If you make the zone AD Integrated, does the error disappear on DC1 or more
accurately, will DC1 work?

Ace
 
Guest

Hi guys,

I'm having a similar problem. My server just seems to disconnect itself from
the domain services and I can't change or update any of the directory
services until I reboot the server. I still haven't solved the problem but I
have read that it could be something to do with the MaxTokenSize registry
value. I haven't explored it as yet, but here is a link to a Microsoft
article about it.
http://support.microsoft.com/default.aspx?scid=kb;en-us;327825

My server has 2 GB of RAM and when the problem occurs 1.62 GB is consumed, so
I don't know if that's an issue. Let me know how you go.

Andrew
 
Ace Fekay [MVP]

In
GiJO said:
Hi guys,

I'm having a similar problem. My server just seems to disconnect
itself from the domain services and i can't change or update any of
the directory services until i reboot the server. I still haven't
solved the problem but i have read that it could be something to do
with the MaxTokenSize registry value. I haven't explored it as yet,
but here is a link to a microsoft article about it.
http://support.microsoft.com/default.aspx?scid=kb;en-us;327825

My server has 2gb of ram and when the problem occurs 1.62gb is
consumed, so i don't know if that's an issue. Let me know how you go.

Andrew

That error is due to when a user belongs to too many groups and not
necessarily due to how much RAM you have.

Can we see an ipconfig /all from your server please?

Ace
 
Guest

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : kermit
Primary DNS Suffix . . . . . . . : curriculum.school.hackney.uk
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : curriculum.school.hackney.uk
school.hackney.uk
admin.school.hackney.uk

Ethernet adapter Broadcom NetXtreme Gigabit Ethernet Adapter - Onboard:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit
Ethernet
Physical Address. . . . . . . . . : 00-0F-1F-69-63-C5
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.0.20
Subnet Mask . . . . . . . . . . . : 255.240.0.0
Default Gateway . . . . . . . . . : 10.0.0.1
DNS Servers . . . . . . . . . . . : 10.0.0.10
10.0.0.20

10.0.0.1 is the root DC

I did try to post a link to this yesterday as well but the newsgroups were
unavailable for a while. It also referred to the MaxTokenSize, but I can't
bloody find it now!

If I restart the server it is fine for a while (like a day). But then I
still get "Not enough storage space to complete this command" listed in the
logs.

Regards,
Andrew

C:\Documents and Settings\andrew>
 
Ace Fekay [MVP]

In
GiJO said:
Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : kermit
Primary DNS Suffix . . . . . . . : curriculum.school.hackney.uk
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : curriculum.school.hackney.uk
school.hackney.uk
admin.school.hackney.uk

Ethernet adapter Broadcom NetXtreme Gigabit Ethernet Adapter -
Onboard:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit
Ethernet
Physical Address. . . . . . . . . : 00-0F-1F-69-63-C5
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.0.20
Subnet Mask . . . . . . . . . . . : 255.240.0.0
Default Gateway . . . . . . . . . : 10.0.0.1
DNS Servers . . . . . . . . . . . : 10.0.0.10
10.0.0.20

10.0.0.1 is the root DC

I did try to post a link to this yesterday as well but the newsgroups
were unavailable for a while. It also referred to the MaxTokenSize,
but i can't bloody find it now!

If i restart the server it is fine for a while (like a day). But then
i still get "Not enough storage space to complete this command"
listed in the logs.

Regards,
Andrew

Interesting issue.

You say the root DC is 10.0.0.1? Does that mean it's a DC of the parent
domain: school.hackney.uk?

If it's a DC, then why is it the default gateway? Then it's telling me the
DC is multihomed. DC's are highly recommended NOT to multihome or a number
of issues can come about because of that. Why? Because of the incorrect data
register into DNS. If you want to multihome a machine, we suggest to use a
member server to eliminate the headaches to fix a multihomed DC (reg
entries, and other changes).

Can we see an ipconfig /all of that guy please?

Ace
 
Guest

Sorry mate... typo! It was meant to read 10.0.0.10 is the root DC of the
parent domain school.hackney.uk

Another thing I looked at was this KB article relating to the SMB error
section of it.

http://support.microsoft.com/default.aspx?scid=kb;en-us;319504

I ran netstat -a and it indeed has used up all 5000 ports on the problem
server. I'm trying to track down what it is, and it's something that is
making the requests on port 8194. I've added MaxUserPorts and decreased the
TcpTimedWaitDelay so I'll see how that goes when I get a chance to reboot the
server.

Any ideas on what might be using port 8194?

Perhaps Aznan should look into that too?!?!

Cheers,
Andrew
 
Ace Fekay [MVP]

In
GiJO said:
Sorry mate... typo! it was meant to read 10.0.0.10 is the root DC of
the parent domain school.hackney.uk

Another thing i looked at was this kb article relating to the SMB
error section of it.

http://support.microsoft.com/default.aspx?scid=kb;en-us;319504

I ran netstat -a and it indeed has used up all 5000 ports on the
problem server. I'm trying to track down what it is, and it's
something that is making the requests on port 8194. I've added
MaxUserPorts and decreased the TcpTimedWaitDelay so i'll see how that
goes when i get a chance to reboot the server.

Any ideas on what might be using port 8194?

Perhaps Aznan should look into that too?!?!

Cheers,
Andrew

Typo? :)

You mean this article? ( I just want to make sure since you didn't post the
title).
Error Message: The Name Limit for the Local Computer Network Adapter Card
Was Exceeded
http://support.microsoft.com/default.aspx?scid=kb;en-us;319504

8194 is not listed as a common or known port. I would go to
www.foundstone.com and download FPORT. It will tell you what ports are open
and what service or executable is listening on it.

Ace
 
Guest

Yep, that's the article I mean.

I downloaded FPORT and it looks like it's the Sophos Antivirus checks from
all the PCs on the network. They were set to check every 5 minutes so it
seems that when lots of machines are checking for updates and the timeout
for the connection is too high, the ports get used up. I've set the antivirus
updates to 30 minutes now and changed what was in that article as well. So
I'll see how things go now. Hopefully smoothly. Thanks for the tip on FPORT,
very handy! And thanks for your advice!

Andrew
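
An added example, not part of the thread or any poster's own code: a Python sketch that tallies numeric netstat output (`netstat -an`) to show how much of the dynamic port pool is in use and which remote port and peers are consuming it, the check Andrew describes above. The 1025-5000 range is assumed to be the Windows 2000 default when no MaxUserPort value is set, and the sample connections are constructed.

```python
import re
from collections import Counter

# Assumption: Windows 2000 default dynamic (ephemeral) port range when no
# MaxUserPort value has been set in the registry.
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1025, 5000

# One TCP row of Windows `netstat -an`: local addr:port, remote addr:port, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_0-9]+)\s*$")

# Constructed sample; only 10.0.0.20 and 10.0.0.10 appear in the thread.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.20:389          10.0.0.31:1211         ESTABLISHED
  TCP    10.0.0.20:1046         10.0.0.10:389          ESTABLISHED
  TCP    10.0.0.20:1047         10.0.0.31:8194         TIME_WAIT
  TCP    10.0.0.20:1048         10.0.0.32:8194         TIME_WAIT
  TCP    10.0.0.20:1049         10.0.0.31:8194         TIME_WAIT
  TCP    10.0.0.20:1050         10.0.0.33:8194         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""


def parse_netstat(text):
    """Yield (local_port, remote_addr, remote_port, state) per TCP connection."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m is None or m.group(5) == "LISTENING":
            continue  # skip headers, UDP rows, blank lines and listeners
        yield int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)


def summarize(text, low=EPHEMERAL_LOW, high=EPHEMERAL_HIGH):
    """Summarize how the dynamic port pool is being consumed."""
    local_ports = set()
    remote_ports, peers, states = Counter(), Counter(), Counter()
    for lport, raddr, rport, state in parse_netstat(text):
        if not low <= lport <= high:
            continue  # local side is a service port: no dynamic port consumed
        local_ports.add(lport)
        remote_ports[rport] += 1
        peers[raddr] += 1
        states[state] += 1
    pool = high - low + 1
    return {
        "pool_size": pool,
        "ephemeral_in_use": len(local_ports),
        "usage": len(local_ports) / pool,
        # Sockets still held in TIME_WAIT occupy a port until the delay expires.
        "time_wait": states["TIME_WAIT"],
        "top_remote_ports": remote_ports.most_common(3),
        "top_peers": peers.most_common(3),
    }


def near_exhaustion(summary, threshold=0.8):
    """True when the share of dynamic ports in use reaches the threshold."""
    return summary["usage"] >= threshold


if __name__ == "__main__":
    report = summarize(SAMPLE)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("near exhaustion:", near_exhaustion(report))
```

A large `time_wait` count concentrated on one remote port points at short-lived, frequently repeated connections as the consumer of the pool.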
 
