LSASRV SPNEGO Error and 'logon server not available' after full domain restore
- From: "Brian" <newsgroups@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 17 Jan 2007 12:55:53 -0000
We are currently trying to document a successful procedure to follow in the
event we have to restore our domain from a disaster recovery point of view
where all domain controllers are lost (e.g. fire etc). We restored the
domain to some test servers (identical hardware) using a system state backup
of the domain controller holding all of the FSMO roles. The restore
appeared to work successfully on the test network. After the first reboot we
removed the other 'missing' domain controllers (using ntdsutil, cleared AD
S&S and DNS entries) which existed on the live network but not initially on
the test restore network. We were able to log in to the DC using Domain
Admin etc without problem, but on trying to add a freshly installed
workstation or server onto the recovered domain we get the error:
"The following error occurred when DNS was queried for service location
(SRV) resource record for domain domain.net. Operation returned because
timeout period reached. Query was SRV record for
_LDAP._TCP._DC._MCDS.DOMAIN.NET "
The restored DC passes repadmin, dcdiag and netdiag tests. The errors or
areas of concern we have found so far are:
1. The restored Domain controller is called 'DC'. In AD S&S the DNS alias
in the NTDS Settings is listed as 6b49248.....dc.domain.net and in DNS
(domain.net\_msdcs) DC is registering as 6b49248.... BUT on running
repadmin /showsig the server's signature is listed as e32431e4.......
On the live network the DC signature in repadmin matches the DNS alias in
NTDS settings. Should these match on the restored network?
2. On bootup the DC lists 7 or 8 DNS Errors with ID 4004 (Unable to
complete Directory Service Enumeration) which are then followed by one DNS
ID 2 - DNS Service Started. The DC appears to be able to resolve old server
names which existed on the live network. But if a workstation connected to
the restored network pings 'DC.domain.net' it fails to resolve but if it
pings 'DC' this successfully resolves.
3. On bootup the restored DC is logging the warning LSASRV, Category -
SPNEGO, ID - 40960, Details - Security System detected an authentication
error for server ldap/dc.domain.net. Failure code from authentication
protocol Kerberos "No logon servers available".
Can anyone advise where we should start to get this restored network
working? Thanks for all the help to those that have already helped us get
this far.
Brian.