I am ready to kick this server.....
Last night I upgraded AVG to newest version --- went home, all looked fine.
This morning no one can access TAM or internet
Reboot workstations - nothing
Reboot server a few times - nothing
Stop AVG firewall & reboot again - nothing
Our tech set us up with DHCP on the server.... so no server, no
internet. So to get people running, activated DHCP on router and
removed from server.... now the have internet but still can't access
server.
Computers all have event ID 15: Automatic Certificate enrollment for
Iddings\Marie (or whomever's computer it is...) failed to contact to Active directory (0X80070546) - The specified domain either does not exist or couldn't be contacted
Also all have: Event ID 1054: Windows cannot obtain the domain controller name for your computer network (The specified domain name either does not exist or couldn't be contacted) Group policy processing aborted.
I totally uninstalled AVG --- nada
I even changed my computer settings from Domain to Workgroup, and
then tried adding back to domain.... now I can't even boot into the
network... error says: A domain controller for the domain iddings.local could not be conntaced. Ensure that the domain name is typed in correctly (it is)
I have checked on the server.... the domain iddings.local is listed as active
I also checked the router.... the router can see the server as a connected
device with an assigned IP address, so I don't think it is the network card....
Help!
Thanks!
can you ping the domain controller? either by hostname or ip?
check cabling / switches for starters.
on the domain controller
Start -> Run -> cmd
c:\>dcdiag
see if the tests are good.
also find an old computer and setup a 2nd DC... and split your DHCP scope across the two.
@Marie: FYI - moved the topic from helpline to here and removed the duplicate.
dcdiag does not work on either a workstation or on the server where the domain controller is located - says it is not recognized as a command?
the rest.... sorry, you lost me. ???
I know next to nothing about domain controllers
This is a windows SBS 2003 server, BTW
OK - on the DC
START -> RUN -> cmd
c:\>ping www.yahoo.com
you could also try to ping the ip address of your router.
yahoo it could not find (odd because internet works for all others on internet, but not on the server...) but the router it found just fine...
try
c:\>net stop dns
c:\>net start dns
and then
c:\>nslookup www.yahoo.com
started and stopped fine
>nslookup www.yahoo.com came back with:
Server: appsrv02.iddings.local
Address: 192.168.1.104
DNS request timed out - timeout was 2 seconds
*** request to appsrv02.iddings.local timed out
I'm not as smart as Rick is, but I'll throw out some random thoughts here.
Have you checked the network settings on the server and workstations? The server should have a static IP address, and each workstation must point to that static IP address as the domain name server. Nothing internet related can happen if the DNS settings aren't correct.
Right click on "my computer" or "computer" on the server and choose properties. It should tell you the computer name, full computer name, and the domain name. If it doesn't, that's a problem.
Any other entries in the event viewer - system area on the server? This should tell you when something started to go wrong, and hopefully what went wrong.
did you run nslookup on the DC itself?
is it safe to assume both the hostname and ip address are correct?
I'll take luck over skill any day. I just wish I'd find some. ;D
Not a techie but some of the virus software will highjack the ip address so the software scans throughput before it releases to the machine IP itself. This creates a little internal loop that I am sure would not be good on a Domain controller.
Perhaps this is happening - can't remember now which software did that and on a workstation represents no problem but when I installed it on my Mdaemon server it created this loop and email was interupted
Also is the software you loaded specifically designed for a server ????
Rick
perhaps the virus software interuppted or change the internal routing tables of the server ????
both are correct...
looking at event view on server gives me Event ID 17:
Sourse W32Time --- Timeprovider ntpclient - an error occured during DNS lookup of the manually configured peer "time.windows.com 0x1" ntpclient will try again in 30 min
also have a bunch of Event ID 5774 & Event ID 5775 errors --- looking them up now
There's definitely a DNS issue.
do you think you could do the following from the command line on the DC and paste the results in here:
c:\>ipconfig /all
The event ID 5774 seems to have a lot of TCP/IP BIND errors associated with it. Possible corruption of the IP stack?
Restting the IP stack won't hurt anything. You may have to reconfigure the network settings of the server afterward, but we already suspect them anyway.
At a command prompt, type:
netsh winsock reset
netsh int ip reset logfile.txt
Here's a good article on DNS setup. I know you don't "do" servers, but you're plenty smart enough to fix this, and if you need help Rick will always be there for you. ;D
http://rcpmag.com/articles/2004/05/01/10-dns-errors-that-will-kill-your-network.aspx
Good luck, Marie.
Quote from: Jeff Zylstra on May 05, 2010, 04:43:51 PM
I know you don't "do" servers, but you're plenty smart enough to fix this, and if you need help Rick will always be there for you. ;D
Good luck, Marie.
ROFL! I need to do this to Steve some time! Too funny!
ok guys.... sorry for the delay- local guy trying to diagnose over the phone...
results of c:\>ipconfig /all (bear with me - have to type this all by hand)
Windows IP configuration
Host Name....................... appsrv02
Primary DNS Suffix............ iddings.local
Node Type...................... Hybrid
IP Routing Enabled .......... no
WINS Proxy enabled ........ no
DNS Suffix Search List...... iddings.local
Ethernet adapter Server Local Area Connection
Connection Specific DNS Suffix ....... : (blank)
Description:.................. Intel (R) Pro/1000 MT Network Connection
Physical Address............ 00-15-17-8D-9D-86
DHCP Enabled................ no
IP address.................... 192.168.1.1
Subnet Mask................. 255.255.255.0
IP Address.................... 192.168.1.200
Subnet Mask ................ 255.255.255.0
Default Gateway............ 192.168.1.1
192.168.1.200
DNS Servers ................ 192.168.1.1
192.168.1.104
Primary WINS Server...... 192.168.1.104
yes --- the IP Address appears twice under Local Area Connection,
and I screwed up something because that IP address should not
be 192.168.1.1 (that is the router's IP address)
I do have the ability to reserve an IP address for the
server in the router if needed.... I'm slightly frazzled here... :o
Changes in bold below...
Connection Specific DNS Suffix ....... : (blank)
Description:.................. Intel (R) Pro/1000 MT Network Connection
Physical Address............ 00-15-17-8D-9D-86
DHCP Enabled................ no
IP address.................... 192.168.1.104
Subnet Mask................. 255.255.255.0
IP Address.................... Are there 2 network cards or ports on this machine? If so, make this one 192.168.1.105
Subnet Mask ................ 255.255.255.0
Default Gateway............ 192.168.1.1
This should only contain your router, and this looks like this is your router.
DNS Servers ................ 192.168.1.104
Primary WINS Server...... 192.168.1.104
You may also want to stop and start your netlogon service again. Don't worry, it won't hurt anything.
At a command prompt type
net stop netlogon
after that's done, type
net start netlogon
I'm hoping this will reestablish the server logon role for workstations so the workstations can log on to it. Unfortunately I have to go to a meeting now. Hopefully Rick or someone else can log in and help you out.
I guess we should also try to establish what the DHCP scope is or was set for. You will likely want to make sure you leave a little address space reserved for static IPs - like your DC, router, etc.
even if you have two network cards - if they are not both cabled, just disable the unused one.
Once we get DNS resolving properly on the DC (hope the zones are still viable) - we'll delve into DHCP setup.
Ultimately, I'd like to see if it's possible to setup a 2nd DC to give you a bit of redundancy... if that cannot be worked into the budget, a *nix-based DNS slave and DHCP server could also be quite beneficial.
OK ---
Here is what I did...... I got brave and did the ip stack reset....
it re-enabled the DHCP server on the server... so I went into services
and stopped it... then went into the network card and reset the
IP address, DNS & WINS back to 192.168.1.104.... rebooted server
So, now ipconfig/all reads the way Jeff said it should and I have
internet access back on the server!.... BUT workstations still
can't access the DC (it is like iddings.local is not configured right now)
When I get back in tomorrow, I will check workstation & server
event logs to see if any new ones show up
Rick.... if I understand right... the router is set to use 192.168.1.50 to 99
for DHCP assigned addresses... is that what you were asking? And we
do have our old server still connected (appsrv01) which we use for
backups...might be able to establish second DC there?
Jeff & Rick.....Thanks so much for trying to help with this!
Glad to hear it! Being a small agency owner myself, I know what it's like when the system is down. I was checking on my backup to make sure it was working and decided to check on your situation.
Anyway, the 2 other things might be helpful to try tomorrow from a command prompt
Net stop dns
net start dns
net stop netlogon
net start netlogon
I had an issue with my new server where records were not updating properly, and stopping and restarting the dns somehow released them so they could update. The netlogon service allows or disallows workstations from logging on to the server.
If you have it all set like jeff said, you may want to do a ipconfig /release on a machine and get ip info from the server again. Your pcs are probably looking at the router for dns and need to be looking at the server.
Sorry for delay in replying to your email but I am in upnort (I spelled it like that on purpose) Wisconsin and I only got cell coverage at my hotel that I just arrived at. Will probably head to the agency around 7:30 tomorrow but I'll try to follow up with you then.
curse IE8! I have a whole reply written and lost it... and I was trying so hard to stick with one browser... oh well, desparate times...
let's try Chrome shall we... last time I used Chrome (at initial release) I crashed it in 15 minutes and have not touched it since.
So back to Marie's DC:
Looks like you are on the right path and it's good news you have an old server that would be perfectly suited to duties as a secondary DC. You may wish to get an outside tech involved if you are a bit hesitant to setup the second DC though.
The second DC will provide a redundant source of DNS and login script access and should pretty much hum along nicely with little interaction once configured (other than OS updates).
I would also look into running DHCP service on it - and hand out a different portion of your available scope from each DC (and disable DHCP on the router).
e.g. - DC 1 hands out 192.168.1.1-192.168.1.99, DC hands out 192.168.1.100-199 and leave .200-.254 for static addressing.
The redundancy is a nice thing to have and since you already have the hardware and OS - your costs will just be an hour of config. (If someone requires more than 60 mins to get this going for you - they don't know what they are doing.)
Good luck.
ok --- did all of Jeff's stuff...
Then went to workstation ---- did ipconfig /release... rebooted workstation...
no good...
Went and changed the workstations network card TCP/Ip property
settings to: IP address - automatic
DNS & WINS ---- set for 192.168.1.104 (pointing
to the server Dns/DC)
rebooted.... nada
performed ipconfig / release on workstation again & checked to make sure
workstation TCP/IP settings were still set where I left them - rebooted ---- nada
Internet works fine on workstations... bit anytime I try to do anything that needs to
see the server (My computer, windows explorer, etc) ---- it freezes and I have
to use taskmaster to end program)
stilll get the following event errors on WORKSTATION:
Under Application:
Event ID 1058: Windows can not access the file gpt.ini for GPO CN={......lots of numbers} CN=Policies CN+ System DC= Iddings DC= local
The file must be present at loc \\iddings.local\sysvol\iddings.local\polcies\{ more numbers}\gpt.ini
Event ID 1030: Windows can not query list of Group Policy Objects
Under System:
Event ID 9:
The device \Device\Ide\iastor0 did not respond within the time out period
Under the SERVER:
Event ID 1058:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Iddings,DC=local. The file must be present at the location <\\Iddings.local\sysvol\Iddings.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.
Event ID 1030:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
looks like problem is that the gpt.ini is missing? does that sound right?
whoa... I hope the sysvol isn't missing
check on the server to see if: \\iddings.local\sysvol\iddings.local\ exists
What about setting the server up as a workgroup instead of a domain (just until we get this figured out) - I have to get this up and running ASAP.....
or maybe just make a second domain and point people there?
I don't know, just grasping at straws here.... and I am supposed to be gone on and off
for the next two weeks, so I have to get this fixed somehow today......
Local tech doesn't know much more than me when it comes to domains :-(
Thanks....
Quote from: Rick Chisholm on May 06, 2010, 10:35:28 AM
whoa... I hope the sysvol isn't missing
check on the server to see if: \\iddings.local\sysvol\iddings.local\ exists
went into windows explorer and pasted the above in
just sat there...... guess thats not good? ???
this is like your DC has stopped being a DC.
usually the sysvol would be something like the previous UNC path you tried... you could also check
c:\WINDOWS\SYSVOL\[hostname.domainname]
ok.... found it under:
C:\WINDOWS\SYSVOL\sysvol\Iddings.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
Just curious here... If you go to Start - Active Directory Users and Computers, what is there? Is a domain controller listed there, and is it Iddings.local?
This whole thing of not being able to run DCDIAG is a little concerning. At a command prompt, try typing DCDIAG.EXE again. I can't believe that it's not there.
my concern is that it's been DCPROMO'd out somehow... now it's just a box with blinking lights
Quote from: Rick Chisholm on May 06, 2010, 12:06:52 PM
my concern is that it's been DCPROMO'd out somehow... now it's just a box with blinking lights
Yes, mine too. I'm still wondering what has caused this. Some times unbinding the protocols can have some very weird consequences. I'm hoping that is all that has happened. In any case, I think they need a tech who understands servers.
Quote from: Jeff Zylstra on May 06, 2010, 11:17:28 AM
Just curious here... If you go to Start - Active Directory Users and Computers, what is there? Is a domain controller listed there, and is it Iddings.local?
This whole thing of not being able to run DCDIAG is a little concerning. At a command prompt, try typing DCDIAG.EXE again. I can't believe that it's not there.
DCDiag is not there...
When I look under active dir & users.... I see APPSRV02, but not iddings.local
double clicking on APPSRV02 gives me a list of Shared printers, and something called NTFRS Subscriptions and RID set, but nothing else
I don't know what "DCPROMO'd out" means - but it can't be good :-) something like BSOD? sigh
Oh, Marie....I have a headache just reading the issues!!! I hope you find the solution quickly...
dcpromo is a command line utility for doing stuff with DCs - gets used as a verb sometimes...
http://technet.microsoft.com/en-us/library/cc732887(WS.10).aspx (http://technet.microsoft.com/en-us/library/cc732887(WS.10).aspx)
what Jeff and I fear is that some action has in effect demoted your DC, or otherwise removed AD Domain Services... although IIRC, removing the last DC (or only) in a forest would generate at least a few "Are You Sure You Want To Do This?" kind of messages.
I wonder if you restored the system state from tape from a couple days ago, if that would get things back in order. Either way, I think you need someone onsite familiar with AD and MS to get things back in order.
A couple of more wild guesses on my part here. I'm wondering if there is anything in Active Directory Users and Computers for "Lost and Found". And if so, what is it? Something else. What if SYSVOL was no longer shared? This would make it available locally on the server, but not from a workstation by its UNC path.
Oops, almost forgot. At a command prompt, type NET SHARE SYSVOL should be one of the folders that is shared. Let's hope that's it.
I agree that someone with knowledge of Active Directory needs to be on site to fix this.
Hey everyone, i gave Marie a hand on this and we figured it out. The firewall was functioning as the DHCP Server and it was handing out the ISP's DNS servers to the workstations, so the workstations couldn't find the domain. I moved DHCP to the SBS (Microsoft best-practice), setup the scope options, and everything's looking good.
Prior to that the server had the IP address of the router assigned to its network adapter causing a conflict.
Prior to that (the original cause of the problem) is unknown, as is so often the case... There were some Windows Updates installed around the time the problem started so who knows, something could have been thrown off in the course of that, and subsequent troubleshooting has resolved it since everything's running normally now.
The server looks healthy, nothing harmful in the system, application, FRS, DNS or Directory Services event logs.
And as an fyi, dcdiag isn't on a 2003 server by default. One has to install the Windows 2003 Support Tools in order to get it (in case it comes up in the future). It is built into a 2008 server.
Also a tidbit of info (from past experience) if the sysvol share were indeed missing, it would likely have been due to the SBS being in "Journal Wrap" - a condition that can occur when an environment has a single domain controller. There's a registry edit, followed by restarting some services that can cure that. So a missing sysvol is not necessarily a disastrous situation.
Thanks for helping her Steve! :)
I just want to send out a HUGE thank you to Steve Hart for all his help.... I only have the vaguest idea as to what he did, but it is fixed and works and now I can sleep tonight!
He went over and above to get us running again, and I just can't say enough
Thanks again Steve!!!!! I so owe you a beer (or a case) LOL
;D ;D ;D ;D ;D ;D ;D
And now we can say on THIS NG Forum .....I LOVE OUR NG!!...really IS Users Helping Users... ;D I think Marie was "our" first BIG save (not that I can take any credit - just sharing in her headache - but you "guys" are awesome!)
always....."what goes around - comes around".....
Oh, I so agree there Jan!
And I posted a thanks on the old NG's under Hardware... AND plugged this
web forum as well....
Don't know what I would have done without the help and support here
Web forums ROCK!
:D ;D :D
Karma for Steve.
Oh, definitely Karma! And for you and Jeff and Bob and anyone else who tried helping me as well....
Good news is, I learned a LOT about DHCP / DNS / DC's.... in fact, this morning our remote office still couldn't connect to the server... went into our terminal server and knew just how to point it in the right direction - tada... all better!
(I know, such small things make me happy) ::)
It always works that way, though.... you learn so much when things go down and you HAVE to try and fix them, and watch how other people DO fix them :-) really tends to stick in your head that way!
LOL
Glad to hear it, Marie! And thank you to Steve for helping out.
I should have come to that same conclusion for her sooner. I posted this link below in an earlier post, then didn't follow the very first rule:
"1. TCP/IP Configuration Points to Public DNS Servers"
"This is by far the most common DNS error. Each network interface has a set of TCP/IP settings that lists the DNS servers used by that interface.
If the TCP/IP settings for a member computer specify the IP address of a public DNS server—perhaps at an ISP or DNS vendor or the company's public-facing name server—the TCP/IP resolver won't find Service Locator (SRV) records that advertise domain controller services, LDAP, Kerberos and Global Catalog. Without these records, a member computer can't authenticate and get the information it needs to operate in the domain. It then acts like a teenager who can't get the car keys, growing sullen and exhibiting a variety of bad behaviors"
For anyone that manages a server, you should at least glance at the first 3 or 4 items in this article. I think Mark Piontek may have posted this in the past, so kudos to him for his DNS article.
http://rcpmag.com/articles/2004/05/01/10-dns-errors-that-will-kill-your-network.aspx
And thank you to Steve for the info on DCDIAG. I now remember installing the Support Tools on my 2000 Server machine about 10 years ago. My 2008 Server has this installed out of the box which made me assume there was a problem there. One should never ASSume I guess.
Quote from: Rick Chisholm on May 06, 2010, 10:00:39 AM
I would also look into running DHCP service on it - and hand out a different portion of your available scope from each DC (and disable DHCP on the router).
perhaps the part in brackets got overlooked in all the excitement... :-[
...or I didn't make it clear that it needed to be done once the current DC was handing out addresses.
Is Steve a vendor? If so, he should plug his biz in his sig - that's totally copesetic in here.
Quote from: Rick Chisholm on May 07, 2010, 12:24:30 PM
Quote from: Rick Chisholm on May 06, 2010, 10:00:39 AM
I would also look into running DHCP service on it - and hand out a different portion of your available scope from each DC (and disable DHCP on the router).
perhaps the part in brackets got overlooked in all the excitement... :-[
...or I didn't make it clear that it needed to be done once the current DC was handing out addresses.
Is Steve a vendor? If so, he should plug his biz in his sig - that's totally copesetic in here.
That's not hard to do when it's 2 days before you're going to be gone from the office for 2 weeks and you're not really comfortable with servers to begin with. People seem to freak out when they have to deal with a domain server. It would be nice if someone did a class or a wiki article on what a domain server is and does, and also maybe more importantly, what a DNS server is and does and how to properly configure DNS. DNS seems to be the leading killer of network access.
Steve is president of Advantage Micro Solutions. Been a friend of mine since he was 19 yr old college student. Great character, good person and good friend. He makes even the most difficult things look easy. (as you do Rick and others)
As a friend I asked him to take a look physically at the problem. Terminology and server expertise is too much for Marie (even me at times). She is more CSR/Office Manager/Administrator type. Last time I was certified was Novel 3.12. Long ago...
I think IT titles should be reserved to people like yourself Rick, Nick, Steve, Tim and so on. Some how power user or network administrator now = IT person. When that happens real IT people starting talking in tongue that goes over their heads because they really are admins. While intentions were best, she was getting lost. That's what I was seeing so I asked Steve to contact Marie directly as she was getting frazzled.
You were correct but DC, scope etc.. Intimidating for her and most are afraid to ask, what did you say? Hope that makes sense. I know Steve well enough to ask him to help directly which defused problem. Problem wasn't nearly as bad as it seemed again because of communication, different levels of understanding. I do appreciate your efforts as well as Jeff's. I just knew if someone didn't contact her directly problem would continue to escalate out of frustration. Easier for me to approach and ask Steve since you work for a firm and Jeff has an Agency to run.
Was great to see this forum step up and help! :)
Who me? Frazzled? What????? I never get frazzled..... :o
OK, wait, I did have lots of beers last night in relief, but that
had NOTHING to do with the server and domain whats-its and
the DCHP thingy and ......
LOL
Actually Rick, I did try what you said (or at least thought I did)
but I was actually just running around in circles.... and having
a boss asking every 10 minutes WHY AREN'T WE UP YET didn't help...
Oh, and had to handle a couple of client problems in the middle
of all this too.....
Don't get me wrong.... I SOOO appreciated the help you guys
were trying to give me... it just got to be too over my head :-)
Workstations are fine, but servers.... yikes!
I would LOVE to take a class (or two or ten) on server and domain
setup.... excellent idea!
Thanks again to everyone!
Quote from: Jeff Zylstra on May 07, 2010, 01:25:11 PM
It would be nice if someone did a class or a wiki article on what a domain server is and does, and also maybe more importantly, what a DNS server is and does and how to properly configure DNS. DNS seems to be the leading killer of network access.
Well - I've started a wiki Primer on DNS and AD, will likely leave config details for another wiki.
If anyone has input - feel free to add / edit...
I see nobody here took my Active Directory class at Tencon! *pout*
Unfortunately, in 18 years of working here, I have only been to one Tencon... so classes there don't help much :-(