Active Directory keeps stopping
in [Active Directory]
|
From: inthedark on 2 Jan 2007 09:56 A simple site running 1 AD server Windows 2000 and a few clients. Has been running for years fine fore years but the company were picking up lots of spam on their server. On the same day I did the following: 1) Run Windows Update 2) Installed FTGate mail server 3) Create a public lookup zone so that the server could become a primary dns for a domain. (This was need for just a few days until the new ISP could handle the DNS.) After a few hours, sometimes days the AD stops running. After reboot it all works fine again. I have tried everything to resolve this error but now need help. What I did was (SPANNING SEVERAL WEEKS): 1) Remove public domain lookup zone from the dns. 2) Ran DCDIAG & NETDIAG to see if any problems: Conclusion: After reboot the netdiag report is clean but when AD enters error condition I get the following (only part of report with errors is included): -----------netdiag DC list test . . . . . . . . . . . : Failed [WARNING] Cannot call DsBind to myserv1.MYDOM.local (192.168.1.3). [ERROR_OUTOFMEMORY] Trust relationship test. . . . . . : Skipped Kerberos test. . . . . . . . . . . : Passed LDAP test. . . . . . . . . . . . . : Passed [FATAL] Cannot open an LDAP session to 'myserv1.MYDOM.local' at '192.168.1.3'. [WARNING] Failed to query SPN registration on DC myserv1.MYDOM.local'. ---------------------------------------- I have noted that many other people have had similar problems google this: Cannot call DsBind [ERROR_OUTOFMEMORY] --------------------------------------- Other information: When the system enters the error state there are no errors in the System or Active Directory logs. But after fails because AD is down the allocation logs starts to kick off with USERENV errors messages. Can anybody help resolve this issue?
From: Harj on 2 Jan 2007 11:06 Hi, > After a few hours, sometimes days the AD stops running Active Directory does not stop "running" > 3) Create a public lookup zone so that the server could become a > primary dns for a domain. > (This was need for just a few days until the new ISP could handle the > DNS.) Well where was this Domain controller pointed to for primary DNS before? and where is it pointing now? Please do not tell me you have it pointed to your ISP :( You have one domain controller, one DNS server. Make sure this DC is pointed to itself for primary DNS and ONLY itself. >From the command prompt run the following ipconfig /flushdns & ipconfig /registerdns & net stop netlogon & net start netlogon. Make sure your clients are pointed to this DC for primary DNS. Run DCdiag /v, Netdiag /v to check for errors. Good luck Harj Singh Power Your Active Directory Investment www.specopssoft.com inthedark wrote: > A simple site running 1 AD server Windows 2000 and a few clients. Has > been running for years fine fore years but the company were picking up > lots of spam on their server. On the same day I did the following: > > 1) Run Windows Update > 2) Installed FTGate mail server > 3) Create a public lookup zone so that the server could become a > primary dns for a domain. > (This was need for just a few days until the new ISP could handle the > DNS.) > > After a few hours, sometimes days the AD stops running. After reboot it > all works fine again. I have tried everything to resolve this error but > now need help. > > What I did was (SPANNING SEVERAL WEEKS): > > 1) Remove public domain lookup zone from the dns. > 2) Ran DCDIAG & NETDIAG to see if any problems: > > Conclusion: > > After reboot the netdiag report is clean but when AD enters error > condition I get the following (only part of report with errors is > included): > > -----------netdiag > > DC list test . . . . . . . . . . . : Failed > [WARNING] Cannot call DsBind to myserv1.MYDOM.local (192.168.1.3). > [ERROR_OUTOFMEMORY] > > Trust relationship test. . . . . . : Skipped > > Kerberos test. . . . . . . . . . . : Passed > > LDAP test. . . . . . . . . . . . . : Passed > [FATAL] Cannot open an LDAP session to 'myserv1.MYDOM.local' at > '192.168.1.3'. > [WARNING] Failed to query SPN registration on DC > myserv1.MYDOM.local'. > > ---------------------------------------- > > I have noted that many other people have had similar problems google > this: > > Cannot call DsBind [ERROR_OUTOFMEMORY] > > --------------------------------------- > > Other information: > > When the system enters the error state there are no errors in the > System or Active Directory logs. > > But after fails because AD is down the allocation logs starts to kick > off with USERENV errors messages. > > Can anybody help resolve this issue?
From: Erik Cheizoo on 2 Jan 2007 18:57 I do agree with Harj that it looks like you have set the DNS server(s) in your server's TCP/IP configuration to your ISP DNS servers. As these servers do not host your domain zones (and most importantly, the _msdcs zones), you have broken Active Directory. The good news is that this is easilly fixed, as Harj pointed out. 1) Make sure your DC is running DNS 2) Make sure your AD DNS zone (eg. mycompany.local) is stored in Active Directory and only secure updates are allowed (for security reasons) (Secure only will allow DNS registration for Windows 2000 and above clients. Win9X/NT/etc is not supported) 3) Make sure your DNS server isn't a root DNS server. Translated: Make sure your DNS server is not hosting the . (dot) zone. This will break DNS lookups for Internet addresses, as the DNS server thinks he's on top of the DNS hierarchy. If the . zone is hosted, delete it. 4) Do not configure your DNS server to forward to your ISP DNS servers, as ISP DNS polution occurs more frequently nowadays Instead, rely on the root hints, which are configured correctly within Windows 2003 DNS. If a record outside your own AD zone is requested, your DNS server will perform a lookup using the Internet root servers and caches the results for future requests. 5) After the above configuration steps, run the following commands; - net stop dns - net start dns - ipconfig /registerdns - net stop netlogon - net start netlogon 6) Check DNS for a host (A) record in your AD DNS zone. Also, check the records under _msdcs. Good luck! Erik Cheizoo eXcellence & Difference We keep your business running "Harj" <cisqokid(a)gmail.com> wrote in message news:1167753968.019463.168040(a)n51g2000cwc.googlegroups.com... > Hi, > >> After a few hours, sometimes days the AD stops running > > Active Directory does not stop "running" > >> 3) Create a public lookup zone so that the server could become a >> primary dns for a domain. >> (This was need for just a few days until the new ISP could handle the >> DNS.) > > Well where was this Domain controller pointed to for primary DNS > before? and where is it pointing now? Please do not tell me you have > it pointed to your ISP :( > > You have one domain controller, one DNS server. Make sure this DC is > pointed to itself for primary DNS and ONLY itself. >>From the command prompt run the following > ipconfig /flushdns & ipconfig /registerdns & net stop netlogon & net > start netlogon. > > Make sure your clients are pointed to this DC for primary DNS. > Run DCdiag /v, Netdiag /v to check for errors. > > Good luck > > Harj Singh > Power Your Active Directory Investment > www.specopssoft.com > > > inthedark wrote: >> A simple site running 1 AD server Windows 2000 and a few clients. Has >> been running for years fine fore years but the company were picking up >> lots of spam on their server. On the same day I did the following: >> >> 1) Run Windows Update >> 2) Installed FTGate mail server >> 3) Create a public lookup zone so that the server could become a >> primary dns for a domain. >> (This was need for just a few days until the new ISP could handle the >> DNS.) >> >> After a few hours, sometimes days the AD stops running. After reboot it >> all works fine again. I have tried everything to resolve this error but >> now need help. >> >> What I did was (SPANNING SEVERAL WEEKS): >> >> 1) Remove public domain lookup zone from the dns. >> 2) Ran DCDIAG & NETDIAG to see if any problems: >> >> Conclusion: >> >> After reboot the netdiag report is clean but when AD enters error >> condition I get the following (only part of report with errors is >> included): >> >> -----------netdiag >> >> DC list test . . . . . . . . . . . : Failed >> [WARNING] Cannot call DsBind to myserv1.MYDOM.local (192.168.1.3). >> [ERROR_OUTOFMEMORY] >> >> Trust relationship test. . . . . . : Skipped >> >> Kerberos test. . . . . . . . . . . : Passed >> >> LDAP test. . . . . . . . . . . . . : Passed >> [FATAL] Cannot open an LDAP session to 'myserv1.MYDOM.local' at >> '192.168.1.3'. >> [WARNING] Failed to query SPN registration on DC >> myserv1.MYDOM.local'. >> >> ---------------------------------------- >> >> I have noted that many other people have had similar problems google >> this: >> >> Cannot call DsBind [ERROR_OUTOFMEMORY] >> >> --------------------------------------- >> >> Other information: >> >> When the system enters the error state there are no errors in the >> System or Active Directory logs. >> >> But after fails because AD is down the allocation logs starts to kick >> off with USERENV errors messages. >> >> Can anybody help resolve this issue? >
From: inthedark on 3 Jan 2007 11:52 You saird: Active Directory does not stop "running" If only that were true :~( It does stop running. Or at least it becomes inaccessable. I think that the LDAP goes down in some way.
From: Herb Martin on 3 Jan 2007 12:00 "inthedark" <nyoung(a)vipintersoft.com> wrote in message news:1167843179.586652.226420(a)s34g2000cwa.googlegroups.com... > You saird: Active Directory does not stop "running" > > If only that were true :~( It does stop running. Or at least it > becomes inaccessable. > > I think that the LDAP goes down in some way. Now you are STARTING to perform good troubleshooting by isolating the actual symptoms. Do you know that LDAP in some way stops working? How specifically do you know that? Once you identify the symptoms precisely, most problems are easy, if not trivial to resolve. Have you run DCDiag on each DC? When it works, and when it fails?
|
Next
|
Last
Pages: 1 2 3 Prev: domainprep failure Next: Blocking programs from running using group policies. |