Userenv error when Admin logs on to server

From: Owen Williams (SpamProof_at_NoSpam.com)
Date: 05/08/04


Date: Sat, 8 May 2004 17:14:08 -0400

I apologize for the length of this post. I have seen many threads on
this general subject and have tried most of the suggestions, without any
luck. So, I am including a lot of information to help you understand my
configuration.

I recently migrated a client from SBS4.5 to SBS2003 Standard (new
hardware). Overall, the server is running great. However, when the
Administrator logs on to the server console (either sitting at it or via
Remote Web Workplace's Connect to Server Desktop), I get this message in
the Application Event log:
- - - - -
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 5/8/2004
Time: 3:36:45 PM
User: BCOV2\SBSAdmin
Computer: PC01
Description:
Windows cannot query for the list of Group Policy objects. Check the
event log for possible messages previously logged by the policy engine
that describes the reason for this.
- - - - -
[NOTE: I followed the instructions in SBS2003 Help to rename
"Administrator" to "SBSAdmin" using GPO.]

The corresponding message in the System Event log is:
- - - - -
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 5/8/2004
Time: 3:36:45 PM
User: N/A
Computer: PC01
Description:
The Security System could not establish a secured connection with the
server ldap/pc01.BCOv2.office/BCOv2.office@BCOv2.office. No
authentication protocol was available.
Data:
0000: 03 03 09 80 ...?
- - - - -

NONE of the regular user accounts generate these errors when they log on
to their PCs, only the administrator account logging on to the server.

The server has a single NIC (behind a hardware firewall). The NIC is
pointing to itself for DNS and the DNS Event log does not show any
errors or warnings. Here's the configuration:
- - - - -
Name: Server Local Area Connection
Type: LAN or High-Speed Internet
Status: Enabled
Device Name: Intel(R) PRO/1000 MT Network Connection
Owner: System
- - - - -
Properties - General
This connection uses the following items:
[x] Client for Microsoft Networks
[x] File and Printer Sharing for Microsoft Networks
[x] Internet Protocol (TCP/IP)
- - - - -
Internet Protocol (TCP/IP) Properties - General
(*) Use the Following IP Address:
IP address: 10.0.0.3
Subnet mask: 255.255.255.0
Default gateway: 10.0.0.1

(*) Use the following DNS server addresses:
Preferred DNS server: 10.0.0.3
Alternate DNS server: [none]
- - - - -
Advanced TCP IP Settings - IP Settings
IP addresses
IP address    Subnet mask
10.0.0.3      255.255.255.0

Default gateways:
Gateway       Metric
10.0.0.1      1

[x] Automatic metric
- - - - -
Advanced TCP IP Settings - DNS
DNS server addresses, in order of use:
10.0.0.3

(*) Append primary and connection specific DNS suffixes
    [x] Append parent suffixes of the primary DNS suffix

[x] Register this connection's addresses in DNS
- - - - -
Advanced TCP IP Settings - WINS
WINS addresses, in order of use:
10.0.0.3

[x] Enable LMHOSTS lookup

NetBIOS setting
(*) Enable NetBIOS over TCP/IP
- - - - -
Advanced TCP IP Settings - Options
Optional settings:
TCP/IP filtering
- - - - -
TCP/IP Filtering
[ ] Enable TCP/IP Filtering (All adapters)

- - - - -

Following Les Connor's advice from 04-13-2004, I got an NSLookup:
- - - - -
C:\Documents and Settings\Administrator>nslookup

Default Server: pc01.bcov2.office
Address: 10.0.0.3

> set type=soa
> 10.in-addr.arpa
Server: pc01.bcov2.office
Address: 10.0.0.3

10.in-addr.arpa
        primary name server = nsdc.ba-dsg.net
        responsible mail addr = dnsadmin.ba-dsg.net
        serial = 2003070101
        refresh = 86400 (1 day)
        retry = 3600 (1 hour)
        expire = 604800 (7 days)
        default TTL = 86400 (1 day)
10.in-addr.arpa nameserver = qstbo.ba-dsg.net
10.in-addr.arpa nameserver = qstnj.ba-dsg.net
10.in-addr.arpa nameserver = qstny.ba-dsg.net
10.in-addr.arpa nameserver = qstph.ba-dsg.net
10.in-addr.arpa nameserver = qstpi.ba-dsg.net
10.in-addr.arpa nameserver = nsdc.ba-dsg.net
10.in-addr.arpa nameserver = gtebo.ba-dsg.net
10.in-addr.arpa nameserver = gtenj.ba-dsg.net
10.in-addr.arpa nameserver = gteny.ba-dsg.net
10.in-addr.arpa nameserver = gteph.ba-dsg.net
10.in-addr.arpa nameserver = gtepi.ba-dsg.net
nsdc.ba-dsg.net internet address = 199.45.45.14
gtebo.ba-dsg.net internet address = 141.154.0.68
gtenj.ba-dsg.net internet address = 141.150.0.68
gteny.ba-dsg.net internet address = 141.155.0.68
gteph.ba-dsg.net internet address = 141.151.0.68
gtepi.ba-dsg.net internet address = 141.151.128.68
qstbo.ba-dsg.net internet address = 151.203.0.68
qstnj.ba-dsg.net internet address = 151.198.0.68
qstny.ba-dsg.net internet address = 151.202.0.68
qstph.ba-dsg.net internet address = 151.197.0.68
qstpi.ba-dsg.net internet address = 151.201.0.68

- - - - -

And here are the server's forward and reverse lookup zones:
- - - - -
FORWARD LOOKUP:
Name                     Type                      Data
_msdcs
_sites
_tcp
_udp
DomainDnsZones
ForestDnsZones
(same as parent folder)  Start of Authority (SOA)  [101], pc01.bcov2.office., hostmaster.
(same as parent folder)  Name Server (NS)          pc01.bcov2.office.
(same as parent folder)  Host (A)                  10.0.0.3
companyweb               Alias (CNAME)             pc01.bcov2.office.
pc01                     Host (A)                  10.0.0.3
PC02                     Host (A)                  10.0.0.15
PC03                     Host (A)                  10.0.0.16
PC04                     Host (A)                  10.0.0.13

- - - - -
REVERSE LOOKUP:
Name                     Type                      Data
(same as parent folder)  Start of Authority (SOA)  [12], pc01.bcov2.office., hostmaster.bcov2.office.
(same as parent folder)  Name Server (NS)          pc01.bcov2.office.
10.0.0.13                Pointer (PTR)             pc04.bcov2.office.
10.0.0.15                Pointer (PTR)             pc02.bcov2.office.
10.0.0.16                Pointer (PTR)             pc03.bcov2.office.
10.0.0.3                 Pointer (PTR)             pc01.bcov2.office.
- - - - -

Any suggestions as to why I am getting the errors and how I can fix
whatever is causing them will be appreciated.


