From: kbergros on 29 May 2006 02:30

Hi Ace!

And thanks for your replies!
Here comes an ipconfig /all from one of the member servers with the 40960 logging. The IP addresses 192.168.3.3 and 192.168.3.4 are my DCs and are also acting as our DNS servers (I'm not pointing to any ISP DNS).
I had one missing PTR record that I discovered and added, but the error is still being logged...

Windows IP Configuration

   Host Name . . . . . . . . . . . . : gimli
   Primary Dns Suffix . . . . . . . : test.timber.se
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : test.timber.se

Ethernet adapter Teamadapter:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : BASP Virtual Adapter
   Physical Address. . . . . . . . . : 00-14-5E-36-11-82
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.3.202
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.3.1
   DNS Servers . . . . . . . . . . . : 192.168.3.3
                                       192.168.3.4

Ace Fekay [MVP] wrote:
> In news:uA%23E6ZKgGHA.5088(a)TK2MSFTNGP02.phx.gbl,
> kbergros <kbergros(a)hotmail.com> stated, which I commented on below:
>
>>Hi!
>>
>>Thanks for your answer.
>>I have checked my DNS zones (several times) and all my machines have
>>the correct PTR entry... I have checked with Nslookup both my forward
>>and recursive zones and get the correct answer every time...
>>Any other suggestions on how to solve this?
>>
>>regards
>>
>>Kbergros
>
> Looking again at your original post, the description part of the error says:
>
> Description:
> The Security System detected an authentication error for the server
> ldap/gollum.test.timber.se/test.timber.se(a)test.timber.se. The failure
> code from authentication protocol Kerberos was "The attempted logon is
> invalid. This is either due to a bad username or authentication information.
> (0xc000006d)".
>
> This indicates to me that you are possibly pointing to your ISP's DNS in IP
> properties. Now if AD is trying to correspond its SPNEGO by contacting them
> for a PTR for the internal IP range, then I can understand why this is
> happening.
>
> The cardinal rule is in any AD infrastructure, no matter how small or large,
> NEVER use the ISP's DNS in IP properties of ANY machine that is part of AD
> (DCs, servers and clients). If not sure what I'm talking about, please post
> an unedited ipconfig /all to better assist you and we can point out any
> problems in your config.
>
> Ace

From: Ace Fekay [MVP] on 30 May 2006 08:47

In news:ujA1ylugGHA.4080(a)TK2MSFTNGP03.phx.gbl,
kbergros <kbergros(a)hotmail.com> stated, which I commented on below:

> Hi Ace!
>
> And thanks for your replies!
> Here comes an ipconfig /all from one of the member servers with the
> 40960 logging. The IP addresses 192.168.3.3 and 192.168.3.4 are my DCs
> and are also acting as our DNS servers (I'm not pointing to any ISP
> DNS). I had one missing PTR record that I discovered and added, but the
> error is still being logged...
>
> Windows IP Configuration
>
>    Host Name . . . . . . . . . . . . : gimli
>    Primary Dns Suffix . . . . . . . : test.timber.se
>    Node Type . . . . . . . . . . . . : Unknown
>    IP Routing Enabled. . . . . . . . : No
>    WINS Proxy Enabled. . . . . . . . : No
>    DNS Suffix Search List. . . . . . : test.timber.se
>
> Ethernet adapter Teamadapter:
>
>    Connection-specific DNS Suffix . :
>    Description . . . . . . . . . . . : BASP Virtual Adapter
>    Physical Address. . . . . . . . . : 00-14-5E-36-11-82
>    DHCP Enabled. . . . . . . . . . . : No
>    IP Address. . . . . . . . . . . . : 192.168.3.202
>    Subnet Mask . . . . . . . . . . . : 255.255.255.0
>    Default Gateway . . . . . . . . . : 192.168.3.1
>    DNS Servers . . . . . . . . . . . : 192.168.3.3
>                                        192.168.3.4

Well that looks fine. Mixed 2000 and 2003 DCs? Which holds the Schema and DNM roles? Is the 2003 a GC (which should also hold the DNM)?

The reverse zone thing usually takes care of this issue for 2003, but if 2000 is involved, I haven't seen that yet because 2000 doesn't use the SPN Ego for self-identification (Kerberos authentication). Take a look at these articles to see if they better help out:
http://www.eventid.net/display.asp?eventid=40960&eventno=787&source=LsaSrv&phase=1
http://www.eventid.net/display.asp?eventid=40961&eventno=1398&source=LsaSrv&phase=1

Ace

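The check applied by eye to the ipconfig /all output above (every DNS server on an AD member must be one of the domain's own DNS servers, never the ISP's) can be scripted. This is an added example, not part of the original posts; the function names and the allowed-resolver list passed to `audit` are assumptions, and the sample text is constructed from the output posted in the thread.

```python
import ipaddress
import re

# Constructed sample: adapter section of the ipconfig /all posted in this thread.
SAMPLE = """\
Ethernet adapter Teamadapter:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.3.202
   Default Gateway . . . . . . . . . : 192.168.3.1
   DNS Servers . . . . . . . . . . . : 192.168.3.3
                                       192.168.3.4
"""
LABEL = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")  # "   Name . . . : value"

def parse_ip(text):
    try:
        return ipaddress.ip_address(text.strip().split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return None

def dns_servers(ipconfig_text):
    """Map each adapter section to its DNS servers, continuation lines included."""
    servers, adapter, in_dns = {}, "global", False
    for line in ipconfig_text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # section header such as "Ethernet adapter X:"
            adapter, in_dns = line.rstrip(" :"), False
            continue
        ip = parse_ip(line) if in_dns else None  # bare address under "DNS Servers"
        if ip is None:
            m = LABEL.match(line)
            in_dns = bool(m) and m.group(1) == "DNS Servers"
            ip = parse_ip(m.group(2)) if in_dns else None
        if ip is not None:
            servers.setdefault(adapter, []).append(ip)
    return servers

def audit(ipconfig_text, internal_dns):
    """Return (adapter, server, reason) for every resolver outside internal_dns."""
    allowed = {ipaddress.ip_address(a) for a in internal_dns}
    findings = []
    for adapter, servers in dns_servers(ipconfig_text).items():
        for ip in servers:
            if ip not in allowed:
                reason = "public resolver" if ip.is_global else "unknown internal resolver"
                findings.append((adapter, str(ip), reason))
    return findings
```

Calling `audit(SAMPLE, ["192.168.3.3", "192.168.3.4"])` returns an empty list for the configuration posted here; any adapter pointing at a resolver outside that list is reported with its adapter name.
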
From: kbergros on 30 May 2006 09:59

Hi!

Thanks for your reply!
The Windows 2003 server holds all of the FSMO roles and both the 2003 DC and the 2000 DC hold the global catalog.

Regards

Kbergros

Ace Fekay [MVP] wrote:
> In news:ujA1ylugGHA.4080(a)TK2MSFTNGP03.phx.gbl,
> kbergros <kbergros(a)hotmail.com> stated, which I commented on below:
>
>>Hi Ace!
>>
>>And thanks for your replies!
>>Here comes an ipconfig /all from one of the member servers with the
>>40960 logging. The IP addresses 192.168.3.3 and 192.168.3.4 are my DCs
>>and are also acting as our DNS servers (I'm not pointing to any ISP
>>DNS). I had one missing PTR record that I discovered and added, but the
>>error is still being logged...
>>
>>Windows IP Configuration
>>
>>   Host Name . . . . . . . . . . . . : gimli
>>   Primary Dns Suffix . . . . . . . : test.timber.se
>>   Node Type . . . . . . . . . . . . : Unknown
>>   IP Routing Enabled. . . . . . . . : No
>>   WINS Proxy Enabled. . . . . . . . : No
>>   DNS Suffix Search List. . . . . . : test.timber.se
>>
>>Ethernet adapter Teamadapter:
>>
>>   Connection-specific DNS Suffix . :
>>   Description . . . . . . . . . . . : BASP Virtual Adapter
>>   Physical Address. . . . . . . . . : 00-14-5E-36-11-82
>>   DHCP Enabled. . . . . . . . . . . : No
>>   IP Address. . . . . . . . . . . . : 192.168.3.202
>>   Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>   Default Gateway . . . . . . . . . : 192.168.3.1
>>   DNS Servers . . . . . . . . . . . : 192.168.3.3
>>                                       192.168.3.4
>
> Well that looks fine. Mixed 2000 and 2003 DCs? Which holds the Schema and
> DNM roles? Is the 2003 a GC (which should also hold the DNM)?
>
> The reverse zone thing usually takes care of this issue for 2003, but if
> 2000 is involved, I haven't seen that yet because 2000 doesn't use the SPN
> Ego for self-identification (Kerberos authentication). Take a look at these
> articles to see if they better help out:
> http://www.eventid.net/display.asp?eventid=40960&eventno=787&source=LsaSrv&phase=1
> http://www.eventid.net/display.asp?eventid=40961&eventno=1398&source=LsaSrv&phase=1
>
> Ace

From: Ace Fekay [MVP] on 31 May 2006 00:34

In news:%23cEaMF$gGHA.1264(a)TK2MSFTNGP05.phx.gbl,
kbergros <kbergros(a)hotmail.com> stated, which I commented on below:

> Hi!
>
> Thanks for your reply!
> The Windows 2003 server holds all of the FSMO roles and both the 2003
> DC and the 2000 DC hold the global catalog.
>
> Regards
>
> Kbergros

No problem for the reply, and thank you for yours. But did you check out those links? Did those links help you out? Did they apply to your scenario?

Can I assume the 2000 DC is SP4 and the 2003 is SP1? Any errors on the 2000 machine? How about the clients?

As I said, I haven't seen this before with a mixed situation. Maybe I can suggest to get the GC off the 2000 machine.

Ace

From: kbergros on 31 May 2006 05:25

Ace Fekay [MVP] wrote:
> In news:%23cEaMF$gGHA.1264(a)TK2MSFTNGP05.phx.gbl,
> kbergros <kbergros(a)hotmail.com> stated, which I commented on below:
>
>>Hi!
>>
>>Thanks for your reply!
>>The Windows 2003 server holds all of the FSMO roles and both the 2003
>>DC and the 2000 DC hold the global catalog.
>>
>>Regards
>>
>>Kbergros
>
> No problem for the reply, and thank you for yours. But did you check out
> those links? Did those links help you out? Did they apply to your scenario?
>
> Can I assume the 2000 DC is SP4 and the 2003 is SP1? Any errors on the 2000
> machine? How about the clients?
>
> As I said, I haven't seen this before with a mixed situation. Maybe I can
> suggest to get the GC off the 2000 machine.
>
> Ace

Hi!

Yes, the 2000 DC has SP4 and the 2003 DC has SP1. I have no other errors on any of the DCs and member servers (both W2K and Win2003), except some w32time errors.
I will check the links and come back with the result!

Regards

Kbergros