From: Ray on
Hi there,

I rebooted our domain controllers today. The startup time was really long
on each controller, with an event error. I checked Event Viewer: "The Kerberos
Key Distribution Center service hung on starting.", Event ID: 7022. Our
systems are Windows 2003.

I ran dcdiag to check, and the information confused me. I could not
find netdiag. Anything wrong? Thank you very much.

C:\>dcdiag

Domain Controller Diagnosis

Performing initial setup:
[adc2] Directory Binding Error -2146892976:
The system detected a possible attempt to compromise security. Please ensure
that you can contact the server that authenticated you.
This may limit some of the tests that can be performed.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\ADC2
Starting test: Connectivity
[ADC2] DsBindWithSpnEx() failed with error -2146892976,
The system detected a possible attempt to compromise security. Please
ensure that you can contact the server that authenticated you..
......................... ADC2 failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\ADC2
Skipping all tests, because server ADC2 is
not responding to directory service requests

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : econai
Starting test: CrossRefValidation
......................... econai passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... econai passed test CheckSDRefDom

Running enterprise tests on : econai.com
Starting test: Intersite
......................... econai.com passed test Intersite
Starting test: FsmoCheck
......................... econai.com passed test FsmoCheck

Ray
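
Added example, not part of any poster's message: a Python sketch that triages saved dcdiag text such as the run above, listing failed tests and converting the signed decimal status dcdiag prints into its 32-bit HRESULT form. The sample text is constructed from lines quoted in this thread, the name table is a small subset of the SSPI codes in winerror.h, and the function names are this example's own.

```python
import re

# Constructed sample: failing lines taken from the dcdiag run quoted in this thread.
SAMPLE = """\
Performing initial setup:
[adc2] Directory Binding Error -2146892976:
Testing server: Default-First-Site-Name\\ADC2
Starting test: Connectivity
[ADC2] DsBindWithSpnEx() failed with error -2146892976,
......................... ADC2 failed test Connectivity
......................... Schema passed test CrossRefValidation
"""

# Subset of SSPI status codes from winerror.h; extend as needed.
SSPI_NAMES = {
    0x80090350: "SEC_E_DOWNGRADE_DETECTED",
    0x80090322: "SEC_E_WRONG_PRINCIPAL",
    0x80090311: "SEC_E_NO_AUTHENTICATING_AUTHORITY",
    0x8009030C: "SEC_E_LOGON_DENIED",
}
FACILITIES = {7: "WIN32", 9: "SSPI"}

ERR_RE = re.compile(r"\[(?P<host>[^\]]+)\]\s+(?P<what>.+?)\s+"
                    r"(?:failed with error|Error)\s+(?P<num>-?\d+)")
RESULT_RE = re.compile(r"\.{5,}\s+(?P<target>\S+)\s+(?P<verdict>passed|failed)"
                       r"\s+test\s*(?P<test>\S*)")

def decode_status(signed):
    """Split the signed 32-bit decimal dcdiag prints into HRESULT fields."""
    value = signed & 0xFFFFFFFF            # reinterpret as unsigned 32-bit
    facility = (value >> 16) & 0x7FF       # bits 16-26
    return {"hex": f"0x{value:08X}",
            "failure": bool(value >> 31),  # severity bit
            "facility": FACILITIES.get(facility, str(facility)),
            "code": value & 0xFFFF,
            "name": SSPI_NAMES.get(value, "unknown")}

def triage(text):
    """Return (errors, failed_tests) found in dcdiag output."""
    errors, failed = [], []
    for line in text.splitlines():
        m = ERR_RE.search(line)
        if m:
            errors.append((m["host"].upper(), m["what"], decode_status(int(m["num"]))))
        m = RESULT_RE.search(line)
        if m and m["verdict"] == "failed":
            failed.append((m["target"], m["test"]))
    return errors, failed

if __name__ == "__main__":
    for host, what, status in triage(SAMPLE)[0]:
        print(host, what, status["hex"], status["facility"], status["name"])
```

The value -2146892976 is 0x80090350, SEC_E_DOWNGRADE_DETECTED in the SSPI facility, so the bind failure is reported by the authentication layer rather than by the directory database.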


From: Steven L Umbach on
I would also be sure to run netdiag as that info can be very helpful and you
may want to run netdiag /v to a text file as the output will be long. If
netdiag is not on the server [search for it] then install the support tools
from the install disk that are in the support/tools directory where you will
need to run the setup there. When running netdiag look to see if it shows
an ipsec policy is assigned. I would also run gpotool and see if it shows
that Group Policy replication is good or not and that it shows all domain
controllers. Also look in the logs of the domain controllers via Event
viewer to see what kind of warnings/errors are shown and verify that your
DNS is configured correctly in the domain using the link below as guidance.
You NEVER want to list an ISP DNS server as a preferred DNS server on any
domain computer as shown via ipconfig /all. Check basic connectivity
between domain controllers by pinging by fully qualified domain name
[dc1.mydomain.com] and IP address. --- Steve


http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382



From: Ray on
I ran netdiag /test:Kerberos, why did it say "Windows 2000 Server"???
Anyway, it passed. Then what's wrong?

C:\Program Files\Support Tools>netdiag /test:Kerberos

.........

Computer Name: ADC2
DNS Host Name: adc2.econadi.com
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
List of installed hotfixes :
KB890046
KB893756
KB896358
KB896422
KB896424
KB896428
KB898715
KB899587
KB899588
KB899589
KB899591
KB900725
KB901017
KB901214
KB902400
KB904706
KB905414
KB905915
KB908519
KB909520
KB910437
KB912919
Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{72D6A7C5-92EC-4803-98DA-0832EC31CA35}
1 NetBt transport currently configured.


Kerberos test. . . . . . . . . . . : Passed


The command completed successfully.


From: Ray on
Thanks, Steven.

It seems that the "dcdiag" problem was related to DNS. I changed to
AD-integrated DNS with Secure only update. It seems it's OK.

But one of our DCs still has "The Kerberos Key Distribution Center service
hung on starting.", Event ID: 7022.

Let me do more.

Thanks again.

Ray




From: Paul Williams [MVP] on
On the DC that is still showing this problem, point to a central DC for DNS
and restart NETLOGON. Give it a couple of minutes and reboot. If the error
has gone away, point DNS back to wherever you want as long as it is a DC.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net