SRV Records cannot be registered on a DNS server

Guest

Nobody can log on to one of the DCs in my child domain. The KDC service gives an error message when I try to start it. After some troubleshooting, I found that the DNS records for _kerberos and _kpasswd are missing for that DC. All other DCs are fine in the child domain. It is an Active Directory integrated DNS with only secure updates.
I have tried stopping and starting the netlogon service and the DNS service. ipconfig /flushdns and /registerdns don't help.
I have tried dcdiag and netdiag, and the errors were the Kerberos service errors.
 
Kevin D. Goodknecht [MVP]

In
Eric said:
Nobody can log on to one of the DCs in my child domain. The KDC
service gives an error message when I try to start it. After some
troubleshooting, I found that the DNS records for _kerberos and
_kpasswd are missing for that DC. All other DCs are fine in the child
domain. It is an Active Directory integrated DNS with only secure
updates.
I have tried stopping and starting the netlogon service and the DNS
service. ipconfig /flushdns and /registerdns don't help.
I have tried dcdiag and netdiag, and the errors were the Kerberos
service errors.

This is a cause and effect situation: the records aren't created because the
KDC service isn't starting; the KDC service not starting is the reason
Netlogon isn't creating the SRV records.

You need to diagnose the KDC service, is there an event logged by the KDC
service?
Run dcdiag /fix and dcdiag /v check for errors.
 
Guest

I have already run dcdiag /fix and dcdiag /v and it failed on test Advertising --> Key Distribution Center service not started, failed test Services --> KDC service stopped, failed test systemlog --> printer related.

DCDIAG /v logs below

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine server123, is a DC.
* Connecting to directory service on server server123
* Collecting site info
* Identifying all servers
* Found 101 DC(s). Testing 1 of them
Done gathering initial info.

Doing initial required tests

Testing server: site123\server123
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... server123 passed test Connectivity

Doing primary tests

Testing server: site123\server123
Starting test: Replications
* Replications Check
......................... server123 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions Check for
DC=abc,DC=domainxyz,DC=com
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=domainxyz,DC=com
* Security Permissions Check for
CN=Configuration,DC=domainxyz,DC=com
......................... server123 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
......................... server123 passed test NetLogons
Starting test: Advertising
The DC server123 is advertising itself as a DC and having a DS
The DC server123 is advertising as an LDAP server
The DC server123 is advertising as having a writeable directory
Warning: server123 is not advertising as a Key Distribution Center
Check that the Directory has started
The DC server123 is advertising as a time server
......................... server123 failed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=rootserver,CN=Servers,CN=roothub,CN=Sites,CN=Configuration,DC=domainxyz,DC=com
Role Domain Owner = CN=NTDS Settings,CN=rootserver,CN=Servers,CN=roothub,CN=Sites,CN=Configuration,DC=domainxyz,DC=com
Role PDC Owner = CN=NTDS Settings,CN=pdcserver,CN=Servers,CN=abchub,CN=Sites,CN=Configuration,DC=domainxyz,DC=com
Role Rid Owner = CN=NTDS Settings,CN=pdcserver,CN=Servers,CN=abchub,CN=Sites,CN=Configuration,DC=domainxyz,DC=com
Role Infrastructure Update Owner = CN=NTDS Settings,CN=pdcserver,CN=Servers,CN=abchub,CN=Sites,CN=Configuration,DC=domainxyz,DC=com
......................... server123 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 35604 to 107374182
* pdcserver.abc.domainxyz.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 25604 to 2610
* rIDNextRID: 2560
* rIDPreviousAllocationPool is 25604 to 2610
......................... server123 passed test RidManager
Starting test: MachineAccount
* SPN found :LDAP/server123.abc.domainxyz.com/abc.domainxyz.com
* SPN found :LDAP/server123.abc.domainxyz.com
* SPN found :LDAP/server123
* SPN found :LDAP/server123.abc.domainxyz.com/domainxyzab
* SPN found :LDAP/c5540b56-a969-4d04-8822-c7fb2d331435._msdcs.domainxyz.com
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/c5540b56-a969-4d04-8822-c7fb2d331435/abc.domainxyz.com
* SPN found :HOST/server123.abc.domainxyz.com/abc.domainxyz.com
* SPN found :HOST/server123.abc.domainxyz.com
* SPN found :HOST/server123
* SPN found :HOST/server123.abc.domainxyz.com/domainxyzab
* SPN found :GC/server123.abc.domainxyz.com/domainxyz.com
......................... server123 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
kdc Service is stopped on [server123]
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: RPCLOCATOR
* Checking Service: w32time
* Checking Service: TrkWks
* Checking Service: TrkSvr
* Checking Service: NETLOGON
......................... server123 failed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
server123 is in domain DC=abc,DC=domainxyz,DC=com
Checking for CN=server123,OU=Domain Controllers,DC=abc,DC=domainxyz,DC=com in domain DC=abc,DC=domainxyz,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=server123,CN=Servers,CN=site123,CN=Sites,CN=Configuration,DC=domainxyz,DC=com in domain CN=Configuration,DC=domainxyz,DC=com on 1 servers
Object is up-to-date on all servers.
......................... server123 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service Event log test
The SYSVOL has been shared, and the AD is no longer
prevented from starting by the File Replication Service.
......................... server123 passed test frssysvol
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... server123 passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x00000457
Time Generated: 03/26/2004 10:32:30
Event String: Driver HP LaserJet 8000 Series PCL 6 required for printer __printserver001_printer1 is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occured. EventID: 0x00000452
Time Generated: 03/26/2004 10:32:30
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 03/26/2004 10:32:31
Event String: Driver HP Color LaserJet 4550 PCL 6 required for printer __printserver001_printerc is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occured. EventID: 0x00000452
Time Generated: 03/26/2004 10:32:31
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 03/26/2004 10:41:45
Event String: Driver HP LaserJet 8000 Series PCL 6 required for printer __printserver001_printer1 is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occured. EventID: 0x00000452
Time Generated: 03/26/2004 10:41:45
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 03/26/2004 10:41:46
Event String: Driver HP Color LaserJet 4550 PCL 6 required for printer __printserver001_printerc is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occured. EventID: 0x00000452
Time Generated: 03/26/2004 10:41:46
Event String: The printer could not be installed.
......................... server123 failed test systemlog

Running enterprise tests on : domainxyz.com
Starting test: Intersite
Skipping site sitea, this site is outside the scope provided by the command line arguments provided.
Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
Skipping site siteb, this site is outside the scope provided by the command line arguments provided.
Skipping site sitec, this site is outside the scope provided by the command line arguments provided.
Skipping site sited, this site is outside the scope provided by the command line arguments provided.
Skipping site sitee, this site is outside the scope provided by the command line arguments provided.
Skipping site sitef, this site is outside the scope provided by the command line arguments provided.
Skipping site siteg, this site is outside the scope provided by the command line arguments provided.


......................... domainxyz.com passed test Intersite
Starting test: FsmoCheck
GC Name: \\gcserver.abc.domainxyz.com
Locator Flags: 0xe00001fc
PDC Name: \\pdcserver.abc.domainxyz.com
Locator Flags: 0xe0000179
Time Server Name: \\server123.abc.domainxyz.com
Locator Flags: 0xe00001d8
Preferred Time Server Name: \\server123.abc.domainxyz.com
Locator Flags: 0xe00001d8
KDC Name: \\xserver.abc.domainxyz.com
Locator Flags: 0xe000017c
......................... domainxyz.com passed test FsmoCheck
 
Guest

DCDIAG /fix logs below

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: site123\server123
Starting test: Connectivity
......................... server123 passed test Connectivity

Doing primary tests

Testing server: site123\server123
Starting test: Replications
......................... server123 passed test Replications
Starting test: NCSecDesc
......................... server123 passed test NCSecDesc
Starting test: NetLogons
......................... server123 passed test NetLogons
Starting test: Advertising
Warning: server123 is not advertising as a Key Distribution Center.
Check that the Directory has started.
......................... server123 failed test Advertising
Starting test: KnowsOfRoleHolders
......................... server123 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... server123 passed test RidManager
Starting test: MachineAccount
......................... server123 passed test MachineAccount
Starting test: Services
kdc Service is stopped on [server123]
......................... server123 failed test Services
Starting test: ObjectsReplicated
......................... server123 passed test ObjectsReplicated
Starting test: frssysvol
......................... server123 passed test frssysvol
Starting test: kccevent
......................... server123 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 03/26/2004 10:32:30
Event String: Driver HP LaserJet 8000 Series PCL 6 required for
An Error Event occured. EventID: 0x00000452
Time Generated: 03/26/2004 10:32:30
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 03/26/2004 10:32:31
Event String: Driver HP Color LaserJet 4550 PCL 6 required for
An Error Event occured. EventID: 0x00000452
Time Generated: 03/26/2004 10:32:31
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 03/26/2004 10:41:45
Event String: Driver HP LaserJet 8000 Series PCL 6 required for
An Error Event occured. EventID: 0x00000452
Time Generated: 03/26/2004 10:41:45
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 03/26/2004 10:41:46
Event String: Driver HP Color LaserJet 4550 PCL 6 required for
An Error Event occured. EventID: 0x00000452
Time Generated: 03/26/2004 10:41:46
Event String: The printer could not be installed.
......................... server123 failed test systemlog

Running enterprise tests on : domainxyz.com
Starting test: Intersite
......................... domainxyz.com passed test Intersite
Starting test: FsmoCheck
......................... domainxyz.com passed test FsmoCheck

Errors in Event logs are Event ID 7000, The kerberos key distribution center service failed to start due to the following error: The service did not respond to start or control request in a timely fashion.

Any other ideas???
 
Kevin D. Goodknecht [MVP]

In
Eric said:
I have already run dcdiag /fix and dcdiag /v and it failed on test
Advertising --> Key Distribution Center service not started, failed test
Services --> KDC service stopped, failed test systemlog --> printer
related.


You are probably going to have to call Microsoft Product Support Services on
this one. You may have a corrupted file or it is infected with a virus.
Event 7000 doesn't tell much except that the service failed to start. Why? I
can only guess.
Since this is a replica DC it might be easier and less expensive to remove
AD from this DC and reinstall the OS.
 
Ace Fekay [MVP]

In
Eric said:
DCDIAG / fix logs below

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: site123\server123
Starting test: Connectivity
......................... server123 passed test Connectivity

Doing primary tests

Testing server: site123\server123
Starting test: Replications
......................... server123 passed test Replications
Starting test: NCSecDesc
......................... server123 passed test NCSecDesc
Starting test: NetLogons
......................... server123 passed test NetLogons
Starting test: Advertising
Warning: server123 is not advertising as a Key Distribution
Center. Check that the Directory has started.
......................... server123 failed test Advertising
Starting test: KnowsOfRoleHolders
......................... server123 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... server123 passed test RidManager
Starting test: MachineAccount
......................... server123 passed test MachineAccount
Starting test: Services
kdc Service is stopped on [server123]
......................... server123 failed test Services
Starting test: ObjectsReplicated
......................... server123 passed test ObjectsReplicated
Starting test: frssysvol
......................... server123 passed test frssysvol
Starting test: kccevent
......................... server123 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 03/26/2004 10:32:30
Event String: Driver HP LaserJet 8000 Series PCL 6 required for
An Error Event occured. EventID: 0x00000452
Time Generated: 03/26/2004 10:32:30
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 03/26/2004 10:32:31
Event String: Driver HP Color LaserJet 4550 PCL 6 required for
An Error Event occured. EventID: 0x00000452
Time Generated: 03/26/2004 10:32:31
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 03/26/2004 10:41:45
Event String: Driver HP LaserJet 8000 Series PCL 6 required for
An Error Event occured. EventID: 0x00000452
Time Generated: 03/26/2004 10:41:45
Event String: The printer could not be installed.
An Error Event occured. EventID: 0x00000457
Time Generated: 03/26/2004 10:41:46
Event String: Driver HP Color LaserJet 4550 PCL 6 required for
An Error Event occured. EventID: 0x00000452
Time Generated: 03/26/2004 10:41:46
Event String: The printer could not be installed.
......................... server123 failed test systemlog

Running enterprise tests on : domainxyz.com
Starting test: Intersite
......................... domainxyz.com passed test Intersite
Starting test: FsmoCheck
......................... domainxyz.com passed test FsmoCheck


Errors in Event logs are Event ID 7000, The kerberos key distribution
center service failed to start due to the following error: The
service did not respond to start or control request in a timely
fashion.

Any other ideas???


Could we possibly see an ipconfig /all from the affected DC?
Thanks

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Guest

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : server123
Primary DNS Suffix . . . . . . . : abc.domainxyz.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : abc.domainxyz.com
                                    domainxyz.com

Ethernet adapter Team:

Connection-specific DNS Suffix . : abc.domainxyz.com
Description . . . . . . . . . . . : HP Network Team #1
Physical Address. . . . . . . . . : 00-0B-CD-2A-3C-7B
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.248.73
Subnet Mask . . . . . . . . . . . : 255.255.255.192
Default Gateway . . . . . . . . . : 10.10.248.65
DNS Servers . . . . . . . . . . . : 10.10.248.73
                                    10.10.231.206
Primary WINS Server . . . . . . . : 10.10.234.33
Secondary WINS Server . . . . . . : 10.10.231.206
 
Ace Fekay [MVP]

In
Eric said:
Windows 2000 IP Configuration



Host Name . . . . . . . . . . . . : server123
Primary DNS Suffix . . . . . . . : abc.domainxyz.com
Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : abc.domainxyz.com
domainxyz.com

Ethernet adapter Team:



Connection-specific DNS Suffix . : abc.domainxyz.com
Description . . . . . . . . . . . : HP Network Team #1
Physical Address. . . . . . . . . : 00-0B-CD-2A-3C-7B

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 10.10.248.73

Subnet Mask . . . . . . . . . . . : 255.255.255.192

Default Gateway . . . . . . . . . : 10.10.248.65

DNS Servers . . . . . . . . . . . : 10.10.248.73
10.10.231.206
Primary WINS Server . . . . . . . : 10.10.234.33

Secondary WINS Server . . . . . . : 10.10.231.206


Well, this actually looks pretty good. You don't have a single label name and
you're using your own DNS server.

Ok, a couple questions:

1. Based on your Primary DNS Suffix, your domain name is abc.domainxyz.com.
Do you have that zone created in DNS?
2. Is this a child domain to the parent domainxyz.com or is this the start
of your AD domain?
3. If so, do you have dynamic updates enabled in abc.domainxyz.com zone
properties?
4. If not, then under the parent zone, domainxyz.com, is there a subfolder
created called 'abc' and if so, did the SRVs get created in that zone?

Could we possibly see a screen shot of your DNS console? Open and expand
everything for us to take a good look at it. If reluctant to post that, you
can email me privately. If you do, please include this post, since I get
about 75+ emails a day and it's difficult sometimes to keep track of
everything...

Thanks

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Guest

----- Ace Fekay [MVP] wrote: -----

In
Eric said:
Windows 2000 IP Configuration
Primary DNS Suffix . . . . . . . : abc.domainxyz.com
Node Type . . . . . . . . . . . . : Hybrid
Description . . . . . . . . . . . : HP Network Team #1
Physical Address. . . . . . . . . : 00-0B-CD-2A-3C-7B
10.10.231.206
Primary WINS Server . . . . . . . : 10.10.234.33


Well, this actually looks pretty good. You don't have a single label name and
you're using your own DNS server.

Ok, a couple questions:

1. Based on your Primary DNS Suffix, your domain name is abc.domainxyz.com.
Do you have that zone created in DNS?
YES

2. Is this a child domain to the parent domainxyz.com or is this the start
of your AD domain?
CHILD DOMAIN
3. If so, do you have dynamic updates enabled in abc.domainxyz.com zone
properties?
YES, ONLY SECURE UPDATES
4. If not, then under the parent zone, domainxyz.com, is there a subfolder
created called 'abc' and if so, did the SRVs get created in that zone?

Under abc.domainxyz.com zone I get
_msdcs
  dc
    _sites
    _tcp (I am missing _kerberos file for this DC (server123)) all other DCs have this _kerberos file, _ldap file is OK
  pdc
    _tcp
_sites
  site123
    _tcp (I have _ldap file and _kerberos file OK)
_tcp
  (missing _kerberos and _kpasswd file for this DC server123) _ldap file is ok and all other DCs have _kerberos and _kpasswd file
_udp
  (missing _kerberos and _kpasswd file for this DC server123) Same as above



Could we possibly see a screen shot of your DNS console? Open and expand
everything for us to take a good look at it. If reluctant to post that, you
can email me privately. If you do, please include this post, since I get
about 75+ emails a day and it's difficult sometimes to keep track of
everything...

Thanks

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ace Fekay [MVP]

In Eric <[email protected]> posted their thoughts, then I
offered mine

I see, so you're saying JUST the Kerberos related SRVs didn't show. I
apologize, I misunderstood that in your previous posts.

Make a suggestion to change dynamic updates to "YES" for now, and to delete
the system32\config\netlogon.dns and netlogon.dnb files. Run an
ipconfig /registerdns
net stop netlogon
net start netlogon

and see if they get registered. Restarting the netlogon service will
re-create that file and register it into DNS.

May even suggest to switch around the DNS addresses so that 10.10.231.206
shows as the first entry and see if it registers in to the zone on that
machine.

Then may want to try to re-run dcdiag /fix.

Are there any other errors? Are your clocks synched up between your DCs
within 5 minutes (relative time zones)?

Let us know if that helped.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Guest

----- Ace Fekay [MVP] wrote: -----

In Eric <[email protected]> posted their thoughts, then I
offered mine

I see, so you're saying JUST the Kerberos related SRVs didn't show. I
apologize, I misunderstood that in your previous posts.

Make a suggestion to change dynamic updates to "YES" for now, and to delete
the system32\config\netlogon.dns and netlogon.dnb files. Run an
ipconfig /registerdns
net stop netlogon
net start netlogon

I have already tried the above but no luck. I have tried it again in the order you mention above. I deleted netlogon.dns and netlogon.dnb and then they were created automatically - I've checked the time stamp.

and see if they get registered. Restarting the netlogon service will
re-create that file and register it into DNS.

May even suggest to switch around the DNS addresses so that 10.10.231.206
shows as the first entry and see if it registers in to the zone on that
machine.

I swapped the DNS addresses.

Then may want to try to re-run dcdiag /fix.

Ran dcdiag /fix. Failed at Advertising test. server123 is not advertising as a KDC.

Are there any other errors? Are your clocks synched up between your DCs
within 5 minutes (relative time zones)?

The clocks are synched.
I have also tried Microsoft Knowledge Base article 31623

Let us know if that helped.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ace Fekay [MVP]

In Eric <[email protected]> posted their thoughts, then I
offered mine
<snip>

Sorry to hear that didn't work. Kind of at wits end on what's going on. If
it's not advertising and you're still getting the Event log errors, then when
the netlogon service initializes, it's not getting that data from AD, hence
why they're not registering.

Can you remember when this first started happening? If so, can you remember
what was changed, installed or anything happened prior to that? Are there
any services that conflict with port 88 or anything else on the machine that
may be in someway conflicting with the KDC services?

Are any services disabled on the system, such as the DHCP client Service or
the TCP/IP NetBIOS Helper service? How about the MS Client or the F&P
Services on the NIC? Those mentioned are actually required dependency
services (whether DHCP or not) for proper registration, DNS resolution,
among other functionality.

Do you possibly have a backup to restore it? If this is one of more DCs in
that domain, maybe a demotion and re-promotion will fix it up for you
without losing any domain info (users or groups).

Here are some links that may help or may not, but thought I would supply
them for you. Maybe we can enable error logging and such. Hope these help,
but I'm starting to lean on demoting that DC and re-promoting it, unless we
can find what it is.

262177 - HOW TO Enable Kerberos Event Logging:
http://support.microsoft.com/?id=262177

Kerberos Error Failure Codes (lists ports used as well):
http://www.windowsitlibrary.com/Content/617/06/7.html#8

Description of Common Kerberos-Related Errors in Windows 2000 (Q230476):
http://support.microsoft.com/?id=230476

314980 - HOW TO Configure Active Directory Diagnostic Event Logging in
Windows 2000:
http://support.microsoft.com/?kbid=314980

Chapter 10 - Active Directory Diagnostics, Troubleshooting, and Recovery
[Including LDAP]:
http://www.microsoft.com/resources/...erver/reskit/en-us/distsys/part1/dsgch10.mspx

305837 - DNS, Intersite Messaging, Global Catalog, NTFRS, and Invalid
Credentials Error Messages on Domain Controller:
http://support.microsoft.com/?id=305837


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Guest

----- Ace Fekay [MVP] wrote: -----

In Eric <[email protected]> posted their thoughts, then I
offered mine
<snip>

Sorry to hear that didn't work. Kind of at wits end on what's going on. If
it's not advertising and you're still getting the Event log errors, then when
the netlogon service initializes, it's not getting that data from AD, hence
why they're not registering.

Can you remember when this first started happening? If so, can you remember
what was changed, installed or anything happened prior to that? Are there
any services that conflict with port 88 or anything else on the machine that
may be in someway conflicting with the KDC services?

The only thing that was changed was installing service pack 4 but it was working ok but one day it just wouldn't start the KDC service and DNS was not working properly so I had to reinstall DNS. No services conflict with port 88 or the KDC services.

Are any services disabled on the system, such as the DHCP client Service or
the TCP/IP NetBIOS Helper service? How about the MS Client or the F&P
Services on the NIC? Those mentioned are actually required dependency
services (whether DHCP or not) for proper registration, DNS resolution,
among other functionality.

All the services mentioned above are started ok.

Do you possibly have a backup to restore it? If this is one of more DCs in
that domain, maybe a demotion and re-promotion will fix it up for you
without losing any domain info (users or groups).

I have a full backup to restore it if needed. This will be my last option to demote and re-promote the DC. It just gets messy because the DC is over a 32k/64k link to our hub site. We normally DCPROMO in our hub site and ship it to the branch site, move it to the correct site, change IP address, etc etc..

Here are some links that may help or may not, but thought I would supply
them for you. Maybe we can enable error logging and such. Hope these help,
but I'm starting to lean on demoting that DC and re-promoting it, unless we
can find what it is.

Thanks for all your help.

262177 - HOW TO Enable Kerberos Event Logging:
http://support.microsoft.com/?id=262177

Kerberos Error Failure Codes (lists ports used as well):
http://www.windowsitlibrary.com/Content/617/06/7.html#8

Description of Common Kerberos-Related Errors in Windows 2000 (Q230476):
http://support.microsoft.com/?id=230476

314980 - HOW TO Configure Active Directory Diagnostic Event Logging in
Windows 2000:
http://support.microsoft.com/?kbid=314980

Chapter 10 - Active Directory Diagnostics, Troubleshooting, and Recovery
[Including LDAP]:
http://www.microsoft.com/resources/...server/reskit/en-us/distsys/part1/dsgch10.mspx

305837 - DNS, Intersite Messaging, Global Catalog, NTFRS, and Invalid
Credentials Error Messages on Domain Controller:
http://support.microsoft.com/?id=305837


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ace Fekay [MVP]

In Eric <[email protected]> posted their thoughts, then I
offered mine
<snip>

I hope you are able to get this resolved. I'm curious as to what you find
out.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Guest

----- Ace Fekay [MVP] wrote: -----

In Eric <[email protected]> posted their thoughts, then I
offered mine
<snip>

I hope you are able to get this resolved. I'm curious as to what you find
out.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ace Fekay [MVP]

In
Do you think if I modify netlogon.dns and netlogon.dnb to the
correct settings will it work. How do I import these settings back
into DNS. When I stop and start the netlogon service, the
netlogon.dns and netlogon.dnb gets overwritten.

That is NOT the proper way to do it. Those files are created by the netlogon
service and then it looks at the Primary DNS Suffix for the name to register
into. The netlogon service on W2k will re-create these files hourly.

So, no.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
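
The thread's diagnosis (Netlogon only registers the Kerberos SRV records while the KDC is being advertised, and it rewrites netlogon.dns itself) suggests a quick triage: compare what netlogon.dns lists against what the zone holds. The following is an added example, not part of any post in this thread; it assumes netlogon.dns and a zone listing are both available as one-record-per-line zone-file text, and the sample data and helper names are constructed for illustration.

```python
import re

# One SRV record per line, zone-file style (assumed layout of netlogon.dns).
SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(?P<port>\d+)\s+(?P<target>\S+)$",
    re.IGNORECASE,
)

# Constructed sample: netlogon.dns on a DC whose KDC service is stopped.
NETLOGON_KDC_STOPPED = """\
abc.domainxyz.com. 600 IN A 10.10.248.73
_ldap._tcp.abc.domainxyz.com. 600 IN SRV 0 100 389 server123.abc.domainxyz.com.
_ldap._tcp.site123._sites.abc.domainxyz.com. 600 IN SRV 0 100 389 server123.abc.domainxyz.com.
_ldap._tcp.dc._msdcs.abc.domainxyz.com. 600 IN SRV 0 100 389 server123.abc.domainxyz.com.
"""

# Constructed sample: zone listing that only holds another DC's Kerberos records.
ZONE_LISTING = """\
_ldap._tcp.abc.domainxyz.com. 600 IN SRV 0 100 389 server123.abc.domainxyz.com.
_kerberos._tcp.abc.domainxyz.com. 600 IN SRV 0 100 88 xserver.abc.domainxyz.com.
_kerberos._udp.abc.domainxyz.com. 600 IN SRV 0 100 88 xserver.abc.domainxyz.com.
_kpasswd._tcp.abc.domainxyz.com. 600 IN SRV 0 100 464 xserver.abc.domainxyz.com.
_kpasswd._udp.abc.domainxyz.com. 600 IN SRV 0 100 464 xserver.abc.domainxyz.com.
"""


def norm(name):
    """DNS names compare case-insensitively and without the trailing dot."""
    return name.strip().rstrip(".").lower()


def parse_srv(text):
    """Return {(owner, port, target)} for every SRV line; other lines are skipped."""
    records = set()
    for line in text.splitlines():
        match = SRV_LINE.match(line.strip())
        if match:
            records.add((norm(match["owner"]), int(match["port"]), norm(match["target"])))
    return records


def expected_kerberos_srv(domain, site, dc_fqdn):
    """Kerberos-related SRV records a DC registers while it advertises a KDC."""
    d, s, t = norm(domain), norm(site), norm(dc_fqdn)
    owners = {
        f"_kerberos._tcp.{d}": 88,
        f"_kerberos._udp.{d}": 88,
        f"_kpasswd._tcp.{d}": 464,
        f"_kpasswd._udp.{d}": 464,
        f"_kerberos._tcp.{s}._sites.{d}": 88,
        f"_kerberos._tcp.dc._msdcs.{d}": 88,
        f"_kerberos._tcp.{s}._sites.dc._msdcs.{d}": 88,
    }
    return {(owner, port, t) for owner, port in owners.items()}


def triage(netlogon_text, zone_text, domain, site, dc_fqdn):
    """Classify each expected record for this DC by where it went missing."""
    attempted = parse_srv(netlogon_text)
    in_zone = parse_srv(zone_text)
    statuses = {}
    for record in sorted(expected_kerberos_srv(domain, site, dc_fqdn)):
        if record in in_zone:
            statuses[record[0]] = "registered"
        elif record in attempted:
            statuses[record[0]] = "update_failed"   # listed locally, absent from DNS
        else:
            statuses[record[0]] = "not_attempted"   # Netlogon never listed it
    return statuses


def diagnose(statuses):
    """Collapse the per-record statuses into where to look first."""
    values = set(statuses.values())
    if values == {"registered"}:
        return "healthy"
    if "not_attempted" in values:
        return "check_kdc_service"      # DC is not advertising the KDC
    return "check_dynamic_update"       # secure update, zone ACLs, DNS server order


if __name__ == "__main__":
    result = triage(NETLOGON_KDC_STOPPED, ZONE_LISTING,
                    "abc.domainxyz.com", "site123", "server123.abc.domainxyz.com")
    for owner, status in result.items():
        print(f"{status:14} {owner}")
    print("next step:", diagnose(result))
```

A result of `check_kdc_service` means deleting netlogon.dns or changing the zone's update setting will not bring the records back, which matches what the original poster observed.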
 
Guest

Ace Fekay said:
In

That is NOT the proper way to do it. Those files are created by the netlogon
service and then it looks at the Primary DNS Suffix for the name to register
into. The netlogon service on W2k will re-create these files hourly.

So, no.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

I have tried to demote and then promote the server but it doesn't fix the problem. At the end I had to demote, rebuild the OS and then promote. Everything is back to normal now.
 
