user authentication failure on windows 2000 domain

B

bjaming

Hello,

I have a client network that had an existing domain controller that
contained all the FSMO roles and the GC, there were some serious
problems with AD like the domain naming master being deleted, the root
CA deleted (still is) and hardware that is about to fail on the old
domain controller. I promoted another server to DC and gave it the
domain naming master role, left other roles as they were and began
testing user authentication.

When I unplug the first DC (pre-existing) and try to authenticate to
the DC I created user authentication fails. DNS is set up correctly,
the users DHCP pushes down the IP address of the new server as a DNS,
its in the _tcp, _sites, etc.. yet it will not authenticate a users
attempting to log on.

Are there any tools I can use to find out why user authentication is
failing? I found NLtest but that looks like something that is mostly
used for win NT 4 and for troubleshooting trust relationships.

Thank you
 
B

bjaming

I suppose I should add that I used dcdiag on the new domain controller
and it passed all tests.
 
B

bjaming

Yes the domain controller is configured as a GC, and is the config
server for the exchange server.

Here's some more information:

This computer was not able to set up a secure session with a domain
controller in domain XXXXX due to the following:
There are currently no logon servers available to service the logon
request.
This may lead to authentication problems. Make sure that this computer
is connected to the network. If the problem persists, please contact
your domain administrator.

-----------------------------------

The session setup to the Windows NT or Windows 2000 Domain Controller
\\DC1 for the domain XXXXXXXXX is not responsive. The current RPC call
from Netlogon on \\EXSERVER to \\DC1 has been cancelled.


results of a dcdiag on the secondary domain controller.

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: SAN\DC2
Starting test: Connectivity
......................... DC2 passed test Connectivity

Doing primary tests

Testing server: SAN\DC2
Starting test: Replications
......................... DC2 passed test Replications
Starting test: NCSecDesc
......................... DC2 passed test NCSecDesc
Starting test: NetLogons
......................... DC2 passed test NetLogons
Starting test: Advertising
......................... DC2 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... DC2 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... DC2 passed test RidManager
Starting test: MachineAccount
......................... DC2 passed test MachineAccount
Starting test: Services
......................... DC2 passed test Services
Starting test: ObjectsReplicated
......................... DC2 passed test ObjectsReplicated
Starting test: frssysvol
......................... DC2 passed test frssysvol
Starting test: kccevent
......................... DC2 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 01/02/2006 11:07:14
Event String: Driver HP DeskJet 930C/932C/935C required for

An Error Event occured. EventID: 0x00000452
Time Generated: 01/02/2006 11:07:14
Event String: The printer could not be installed.
......................... DC2 failed test systemlog

Running enterprise tests on : domain.com
Starting test: Intersite
......................... domain.com passed test Intersite
Starting test: FsmoCheck
......................... domain.com passed test FsmoCheck
 
B

bjaming

Here's some errors from the domain controller and the exchange server

this one from exchange (repeatedly)

Logon Failure:
Reason: An error occurred during logon
User Name: USER
Domain: DOMAIN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: USER-PC
Status code: 0xC000005E
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.0.0.27
Source Port: 4977


This one from the DC2 repeatedly

Service Ticket Request Failed:
User Name:
User Domain:
Service Name:
Ticket Options: 0x40830000
Failure Code: 0xE
Client Address: 10.0.0.40
 
P

Paul Bergson

What switches did you use when you ran the dcdiag? Verbose, Enterprise,
etc... Try also running a netdiag. What errors are listed in the failing
dc? Can you ping the failing dc with the fqdn? Can you browse to the
netlogon of the failing dc?

\\dc01\NETLOGON
\\dc01\sysvol


Run dcdiag and netdiag in verbose mode.

If you download a gui script I wrote it should be simple to set and run. It
also has the option to run individual tests without having to learn all the
switch options.

The script is at http://pbbergs.dynu.com/windows/windows.htm, download it
and save it to c:\program files\support tools\

Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.


--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
B

bjaming

the only error I really see in either file is


[WARNING] Failed to query SPN registration on DC 'dc2.domain.net'.

same error for dc1 in netdiag and in dcdiag, I've read up on that error
and it looks like it might actually be a problem with the version of
dcdiag and netdiag I have (win 2k)

if you'd like I can paste the entire output here if you like, its quite
large though
 
B

bjaming

I think maybe you have misunderstood my issue after re-reading your
comments. I have brought a second domain controller (dc2) online with
the goal of decommissioing the existing domain controller (dc1) due to
hardware related issues. If I remove the network cable from the
existing domain controller (dc1) and attempt to authenticate from a
workstation I am getting the error condition of not being able to
authenticate to the domain and not being able to access exchange. Is
this just due to the FSMO roles being help by the existing domain
controller (dc1)? It is my understanding that authentication should
still work and that users should be able to access network resrouces
(eg-exchange) when the FSMO role holder is in a down state. These are
not down level clients, they are windows 2000 professional and/or
windows xp professional.
 
P

Paul Bergson

I'm beginning to think this all stems from the loss of your root CA. I
don't have a high level of exp.erience in this area, but believe you should
clean this up. Below is a start on removing the CA from AD. I would
recommend you get a good backup before you proceed. The CA provides signing
for the AD since it isn't available I'm not sure what it does to handle it
if it still thinks it is in the domain. But the system is complaining about
encryption, etc...

From:
http://support.microsoft.com/?id=889250


MORE INFORMATION
Utilities to help you remove CA objects
The Microsoft Windows Server 2003 Administration Tools Pack provides
utilities to help you remove CA objects from the domain.
The Certutil.exe utility
The Windows Server 2003 version of the Certutil.exe utility can be used to
remove both Windows Server 2003 and Windows 2000 CAs from Active Directory.
To remove a CA from Active Directory, type the following at a command
prompt:
certutil -dsdel CA Name
In this example, the CA name is Windows2000 Enterprise Root CA. Therefore,
the command line in this example is the following:
certutil -dsdel "Windows2000 Enterprise Root CA"

Note If your CA name contains spaces, you must enclose the name in quotation
marks.
The Pkiview.msc utility
This graphical MMC snap-in can be used to view, add, and remove certificates
and objects from Active Directory. To use the Pkiview.msc utility, follow
these steps: 1. Click Start, click Run, type MMC, and then click OK.
2. Click File, click Open, and then locate the folder where the
Pkiview.msc utility is installed.
3. Right-click the root node (Enterprise PKI), and then click Manage
AD Containers.
4. Click each tab, and then remove all references to the
decommissioned CA.
Note These utilities work for both Windows 2000 and Windows Server 2003
enterprise and stand-alone CAs.

For additional information about how to obtain the Windows Server 2003
Administration Tools Pack, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/...15-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en
(http://www.microsoft.com/downloads/...15-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en)

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.


the only error I really see in either file is


[WARNING] Failed to query SPN registration on DC 'dc2.domain.net'.

same error for dc1 in netdiag and in dcdiag, I've read up on that error
and it looks like it might actually be a problem with the version of
dcdiag and netdiag I have (win 2k)

if you'd like I can paste the entire output here if you like, its quite
large though
 
P

Paul Bergson

This has nothing to do with the fsmo roles not being available. It has to
do with signed communication between the client and the dc.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
B

bjaming

I had thought about that as well, very interesting. Windows 2003 must
handle this differently since I've seen the same problem in a 2003
domain (the root CA being deleted) and the DCOM and auto-enrollment
errors in the event logs of the domain controllers but user
authentication still working.

I dont know if this is the problem, I suppose it could be, since its
really the only issue remaining from the "admin" who was there before
me. I'll try deleting the root CA and creating a new root CA on an
existing server. I know that it in group policy you can configure the
client/server encryption to "always" or "when possible" if the missing
root CA is the issue, then configuring this to "when possible" should
eliminate the problem.
 
P

Paul Bergson

Have you tried resetting the dc password via netdom?

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
P

Paul Bergson

PSS charges $250.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
B

bjaming

no but I will, looks like I may have to call PSS I guess, I thought
there were some microsoft techs that frequented these newsgroups.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top