Re: LSASRV SPNEGO Error and 'logon server not available' after full domain restore
- From: "Brian" <newsgroups@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 19 Jan 2007 17:30:10 -0000
Hi Paul. Thanks for your suggestions. I will try this over the weekend and
post the results at the start of next week.
Thanks,
Brian.
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:urqLvUlOHHA.2312@xxxxxxxxxxxxxxxxxxxxxxx
This all looks good, how about re-running dcdiag and repadmin and posting
both in separate responses.
DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Brian" <newsgroups@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23WucJQlOHHA.1248@xxxxxxxxxxxxxxxxxxxxxxx
Hi Paul, thanks for your reply. Please find below the details you
mentioned:
ipconfig output:
Windows IP Configuration
Host Name . . . . . . . . . . . . : DC
Primary Dns Suffix . . . . . . . : DOMAIN.NET
Node Type . . . . . . . . . . . . : Unknown
Description . . . . . . . . . . . : Gigabit Adapter
Physical Address. . . . . . . . . : 00-xx-xx-xx-xx-3E
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS suffix Search List. . . . . . : DOMAIN.NET
Ethernet adapter DOMAIN:
Connection-specific DNS Suffix . :
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.11
Reverse DNS is set up. The reverse DNS was cleared of all DCs and servers
which were not going to appear on the recovered network. The entries for
the recovered DC were not removed as it is the primary and only DNS
server on the recovered network. This also applies to the way the
Forward Lookup Zone was cleared. Following the NTDSUTIL, AD S&S we also
flushed the ipconfig dns, deleted netlogon.dnb and dns, restarted
netlogon service and ran netdiag /fix.
There are two nics in the DC, both onboard, the second nic is disabled on
the live and the recovered network.
The output from dnslint /ad /s "192.168.1.11"
Root of Active Directory Forest:
DOMAIN.NET
Active Directory Forest Replication GUIDs Found:
DC:DC
GUID: 6b49248.......380e41ec5be9
Total GUIDs found: 1
The following 1 DNS Servers were checked for records related to AD forest
replication:
DNS Server: DC.DOMAIN.NET
IP Address: 192.168.1.11
UDP Port 53 responding to queries: YES
TCP Port 53 responding to queries: Not Tested
Answering authoritatively for domain: YES
SOA record data from server:
Authoritative name server: DC.DOMAIN.NET
Hostmaster: admin.DOMAIN.NET
Zone serial number: 544
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative (NS) records from server:
DC.DOMAIN.NET Unknown
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: 6b49248.......380e41ec5be9._msdcs.DOMAIN.NET
Alias: dc.DOMAIN.NET
Glue: 192.168.1.11
Total number of CNAME records found on this server: 1
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 0
Thanks for your help.
Brian.
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:OWcq%235jOHHA.4484@xxxxxxxxxxxxxxxxxxxxxxx
Post the following:
ipconfig /all
Do you have reverse dns setup? Was the reverse cleaned up as well?
How many NICs are defined on the DC?
From your DC try running dnslint /ad /s "ip address of your dc"
Description and download
http://support.microsoft.com/kb/321045
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Brian" <newsgroups@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ugbwRbjOHHA.4940@xxxxxxxxxxxxxxxxxxxxxxx
We are currently trying to document a successful procedure to follow in
the event we have to restore our domain from a disaster recovery point
of view where all domain controllers are lost (e.g. fire etc). We
restored the domain to some test servers (identical hardware) using a
system state backup of the domain controller holding all of the FSMO
roles. The restore appeared to work successfully on the test network,
after the first reboot we removed the other 'missing' domain
controllers (using ntdsutil, cleared AD S&S and DNS entries) which
existed on the live network but not initially on the test restore
network. We were able to login to the DC using Domain Admin etc
without problem, but on trying to add a freshly installed workstation
or server onto the recovered domain we get the error:
"The following error occurred when DNS was queried for service location
(SRV) resource record for domain domain.net. Operation returned
because timeout period reached. Query was SRV record for
_LDAP._TCP._DC._MCDS.DOMAIN.NET "
The restored DC passes repadmin, dcdiag and netdiag tests. The errors
or areas of concern we have found so far are :
1. The restored Domain controller is called 'DC'. In AD S&S the dns
alias in the NTDS Settings is listed as 6b49248.....dc.domain.net and
in DNS (domain.net\_msdcs) DC is registering as 6b49248.... BUT on
running repadmin /showsig the server's signature is listed as
e32431e4.......
On the live network the DC signature in repadmin matches the DNS alias
in NTDS settings. Should these match on the restored network?
2. On bootup the DC lists 7 or 8 DNS Errors with ID 4004 (Unable to
complete Directory Service Enumeration) which are then followed by one
DNS ID 2 - DNS Service Started. The DC appears to be able to resolve
old server names which existed on the live network. But if a
workstation connected to the restored network pings 'DC.domain.net' it
fails to resolve but if it pings 'DC' this successfully resolves.
3. On bootup the restored DC is logging the warning LSASRV, Category -
SPNEGO, ID - 40960, Details - Security System detected an
authentication error for server ldap/dc.domain.net. Failure code from
authentication protocol Kerberos "No logon servers available".
Can anyone advise where we should start to get this restored network
working? Thanks for all the help to those that have already helped us
get this far.
Brian.
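For anyone reproducing the checks this thread circles around on a current Windows Server, below is an added PowerShell script; it is not from the thread or from either poster. It queries the _ldap._tcp.dc._msdcs SRV record that the workstation join reported as missing, resolves the DC's FQDN (the short name resolved but the FQDN did not), and looks up the _msdcs alias for the DC. On that last point: the alias name is the objectGUID of the DC's NTDS Settings object (the DSA GUID), whereas repadmin /showsig prints the invocation ID, a separate attribute that is deliberately given a new value when a DC is restored from a system-state backup, so the two are not expected to match after a restore. The script assumes Windows Server 2012 or later with the ActiveDirectory and DnsClient modules (neither existed on the 2003-era system in the thread), and the domain, DC name and DNS server address are the thread's own placeholder values.

```powershell
# Added example (not from the thread): verify the DNS records a domain join depends on
# and show the DSA GUID behind the _msdcs alias next to the DC's invocation ID.
# Assumes Windows Server 2012+ with the ActiveDirectory and DnsClient modules;
# the default parameter values are the thread's placeholders.
param(
    [string]$Domain    = 'domain.net',
    [string]$DcName    = 'DC',
    [string]$DnsServer = '192.168.1.11'
)

Import-Module ActiveDirectory -ErrorAction Stop

$fqdn = "$DcName.$Domain"

# 1. The SRV record the failed join complained about.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
           -Server $DnsServer -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No _ldap._tcp.dc._msdcs SRV record for $Domain on $DnsServer; on the DC, restart Netlogon and run 'nltest /dsregdns', then re-check."
} else {
    $srv | Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { "SRV   -> $($_.NameTarget):$($_.Port)" }
}

# 2. Point 2 of the thread: the FQDN must resolve, not only the short host name.
$a = Resolve-DnsName -Name $fqdn -Type A -Server $DnsServer -ErrorAction SilentlyContinue
if (-not $a) {
    Write-Warning "$fqdn does not resolve; check the host (A) record in the $Domain forward zone."
} else {
    "A     -> $($a.IPAddress -join ', ')"
}

# 3. Point 1 of the thread: the _msdcs CNAME is named after the objectGUID of the
#    NTDS Settings object (DSA GUID). repadmin /showsig reports the invocation ID,
#    which is reset on a restore from backup, so a mismatch after a restore is normal.
$dc      = Get-ADDomainController -Identity $DcName
$dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
$cname   = Resolve-DnsName -Name "$dsaGuid._msdcs.$Domain" -Type CNAME `
               -Server $DnsServer -ErrorAction SilentlyContinue

"DSA GUID (objectGUID of NTDS Settings) : $dsaGuid"
"Invocation ID (what repadmin /showsig shows): $($dc.InvocationId)"
if ($cname) {
    "CNAME -> $dsaGuid._msdcs.$Domain points at $($cname.NameHost)"
} else {
    Write-Warning "No CNAME for the DSA GUID under _msdcs.$Domain; Netlogon re-registers it on restart."
}
```

Run it from an elevated PowerShell session on the restored DC (or any domain-joined host with RSAT), pointing -DnsServer at the DC's own address as in the thread; every warning it prints corresponds to one of the three symptoms in the original post.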