Re: LSASRV SPNEGO Error and 'logon server not available' after full domain restore
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Wed, 17 Jan 2007 08:10:52 -0600
"Brian" <newsgroups@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ugbwRbjOHHA.4940@xxxxxxxxxxxxxxxxxxxxxxx
> We are currently trying to document a successful procedure to follow in
> the event we have to restore our domain from a disaster recovery point of
> view where all domain controllers are lost (e.g. fire etc.). We restored
> the domain to some test servers (identical hardware) using a system state
> backup of the domain controller holding all of the FSMO roles. The
> restore appeared to work successfully on the test network; after the first
> reboot we removed the other 'missing' domain controllers (using ntdsutil,
> cleared AD S&S and DNS entries) which existed on the live network but not
> initially on the test restore network. We were able to log in to the DC
> using Domain Admin etc. without problem, but on trying to add a freshly
> installed workstation or server to the recovered domain we get the
> error:
>
> "The following error occurred when DNS was queried for service location
> (SRV) resource record for domain domain.net. Operation returned because
> timeout period reached. Query was SRV record for
> _LDAP._TCP._DC._MCDS.DOMAIN.NET"
>
> The restored DC passes repadmin, dcdiag and netdiag tests. The errors or
> areas of concern we have found so far are:
>
> 1. The restored Domain controller is called 'DC'. In AD S&S the DNS
> alias in the NTDS Settings is listed as 6b49248.....dc.domain.net and in
> DNS (domain.net\_msdcs) DC is registering as 6b49248.... BUT on running
> repadmin /showsig the server's signature is listed as e32431e4.......
> On the live network the DC signature in repadmin matches the DNS alias in
> NTDS Settings. Should these match on the restored network?
>
> 2. On bootup the DC lists 7 or 8 DNS errors with ID 4004 (Unable to
> complete Directory Service Enumeration) which are then followed by one DNS
> ID 2 - DNS Service Started. The DC appears to be able to resolve old
> server names which existed on the live network. But if a workstation
> connected to the restored network pings 'DC.domain.net' it fails to
> resolve, but if it pings 'DC' this successfully resolves.
>
> 3. On bootup the restored DC is logging the warning LSASRV, Category -
> SPNEGO, ID - 40960, Details - Security System detected an authentication
> error for server ldap/dc.domain.net. Failure code from authentication
> protocol Kerberos "No logon servers available".
>
> Can anyone advise where we should start to get this restored network
> working? Thanks for all the help to those that have already helped us
> get this far.
>
> Brian.
DNS and GC are the most likely things to overlook or get wrong.
Does the "test client" point NIC->IP properties STRICTLY at the
"correct DNS" server -- presumably on the "working DC"?
Is that "working DC" a GC? (in native mode this would be critical
for user logon.)
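The two checks above (is the test client pointed only at the restored DC for DNS, and is that DC a Global Catalog) can be run from the client in a few lines. The script below is an added example for this thread, not something either poster provided. It assumes the domain is domain.net, the restored DC is dc.domain.net, and an illustrative address of 192.0.2.10 for it; it also assumes the Resolve-DnsName and Get-DnsClientServerAddress cmdlets, which exist only on Windows 8 / Server 2012 and later, so on the 2003-era systems in the thread substitute `nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.net 192.0.2.10` and `ipconfig /all` for those two steps.

```powershell
# Added example, not from the original thread. Run on the test client that is
# about to be joined. Assumed values: adjust to your lab.
$Domain = 'domain.net'
$DcName = 'dc.domain.net'
$DcIp   = '192.0.2.10'   # illustrative address of the restored DC

# 1. Is every active adapter pointed STRICTLY at the restored DC for DNS?
#    A second resolver (ISP, or a DC from the live network) can answer first
#    and produce exactly the SRV lookup timeout Brian reports.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $extra = $_.ServerAddresses | Where-Object { $_ -ne $DcIp }
        if ($extra) { Write-Warning "$($_.InterfaceAlias): unexpected DNS server(s) $($extra -join ', ')" }
        else        { "OK: $($_.InterfaceAlias) uses only $DcIp" }
    }

# 2. The locator records a domain join needs. Query the DC's own DNS service
#    directly so a wrong client resolver cannot mask the result.
$srvNames = "_ldap._tcp.dc._msdcs.$Domain",
            "_kerberos._tcp.dc._msdcs.$Domain",
            "_gc._tcp.$Domain"
foreach ($name in $srvNames) {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DcIp -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        "OK: $name -> $($srv.NameTarget -join ', ')"
    } catch {
        Write-Warning "MISSING: $name ($($_.Exception.Message))"
    }
}

# 3. The host record the SRV targets point at. Brian saw 'DC' resolve but
#    'DC.domain.net' fail, which points at the client's DNS suffix / resolver,
#    not at the DC's zone, so check the FQDN against the DC itself.
Resolve-DnsName -Name $DcName -Type A -Server $DcIp -ErrorAction SilentlyContinue |
    Format-Table Name, IPAddress -AutoSize

# 4. Is the restored DC a Global Catalog and advertising as one?
#    isGlobalCatalogReady is a rootDSE attribute; nltest asks the DC locator
#    the same way the join wizard does, and /FORCE bypasses the client's cache.
$root = [ADSI]"LDAP://$DcName/RootDSE"
"isGlobalCatalogReady on ${DcName}: $($root.isGlobalCatalogReady)"
nltest /dsgetdc:$Domain /GC /FORCE
```

If step 2 fails against the DC's own address, the _msdcs records were never re-registered after the restore; restarting the Netlogon service on the DC (or `nltest /dsregdns`) rewrites them. If steps 2 and 4 pass but the join still times out, step 1 is almost always the culprit.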