Jenna
Seasoned But Casual Onlooker

41 Posts
Status: offline |
Posted - 02/23/2005 : 2:58:54 PM
|
Newbie Admin here. This is my first real admin job and I've inherited a Windows Server 2003 network that has problems! Thanks for any and all help in advance, I'll provide more info as needed.
The problem/symptoms:
I have 2 Windows 2003 servers. AD was not updating on Server2 when I started this job. Last week AD went belly-up and will not start. I get AD Error Message "Naming information cannot be located because: The target principal name is incorrect" when trying to open the Users and Computers Snap-In.
I cannot ping Server2 from Server1 by using the FQDN, but I can ping using the IP address. Server2 pings Server1 with no problems.
The event logs are full of activity that I've been trying to figure out, but I can't get an accurate timeline of when server2 came up and if it ever worked to begin with.
DCDIAG has the following output:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\>dcdiag
Domain Controller Diagnosis
Performing initial setup:
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\SERVER2
      Starting test: Connectivity
         The host 56f96b25-4159-4cc0-b919-e94296488928._msdcs.main.DOMAIN.com could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name (56f96b25-4159-4cc0-b919-e94296488928._msdcs.main.DOMAIN.com) couldn't be resolved, the server name (SERVER2.main.DOMAIN.com) resolved to the IP address (192.168.0.241) and was pingable. Check that the IP address is registered correctly with the DNS server.
         ......................... SERVER2 failed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\SERVER2
      Skipping all tests, because server SERVER2 is not responding to directory service requests
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   Running partition tests on : main
      Starting test: CrossRefValidation
         ......................... main passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... main passed test CheckSDRefDom
   Running enterprise tests on : main.DOMAIN.com
      Starting test: Intersite
         ......................... main.DOMAIN.com passed test Intersite
      Starting test: FsmoCheck
         [SERVER1] LDAP bind failed with error 8341, A directory service error has occurred..
         ......................... main.DOMAIN.com passed test FsmoCheck
I suspect DNS...but I don't know enough about it to fix anything just yet. Researching my rear off. Thanks for any help.
~Jen
|
|
|
ptwilliams
Moderator
    
United Kingdom
4401 Posts
Status: offline |
Posted - 02/23/2005 : 3:23:16 PM
|
Point both DCs at the Primary DNS server, or at DC01 if you're using AD-Integrated, and restart the netlogon service*.
For good measure, also run ipconfig /registerdns.
Now load dssite.msc and trigger replication by right-clicking on the connection object for each DC and choosing Replicate Now.
Run the tests again. They should pass.
Change DNS back if you want/need to.
*Note: This assumes the DHCP Client Service is running (and set to automatic) on both DCs - even though they have static IP addresses and are not actually DHCP clients.
|
 |
|
|
Jenna
Seasoned But Casual Onlooker

41 Posts
Status: offline |
Posted - 02/23/2005 : 4:18:14 PM
|
Paul,
Thanks for the quick reply. I took your suggestions and all went well up until I tried to replicate. I get:
The following error occured during the attempt to contact the domain controller SERVER2: The RPC Server is unavailable. This condition may be caused by a DNS lookup problem
Still Googling here.
Thanks again, Jen
 |
|
|
stash
Major Contributor
   
USA
809 Posts
Status: offline |
Posted - 02/23/2005 : 7:45:11 PM
|
How about a netdiag /v?
 |
|
|
stash
Major Contributor
   
USA
809 Posts
Status: offline |
Posted - 02/23/2005 : 7:46:02 PM
|
Sorry, hit send too soon. Netdiag /v will dump out all the networking info for this box, including all the DNS information.
 |
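Added example, not part of any post in this thread and not code from Microsoft's tools: a small Python triage of the DNS section of netdiag /v output. It separates names where the DNS server already holds the DC's record from names where it does not, and from lookups that failed outright. The excerpt is constructed with placeholder names and addresses; the triage function and its report keys are hypothetical.

```python
import re

# Constructed excerpt in the layout netdiag /v uses for its DNS test.
# Names and addresses are placeholders, not taken from a real network.
SAMPLE = """\
DNS test . . . . . . . . . . . . . : Failed
    The Record is different on DNS server '192.0.2.10'.
    DNS server has more than one entries for this name, usually this means
    there are multiple DCs for this domain.
    +------------------------------------------------------+
    The record on your DC is:
    DNS NAME = _ldap._tcp.dc._msdcs.corp.example.
    DNS DATA =
                SRV 0 100 389 DC02.corp.example.
    The record on DNS server 192.0.2.10 is:
    DNS NAME = _ldap._tcp.dc._msdcs.corp.example
    DNS DATA =
                SRV 0 100 389 DC02.corp.example
                SRV 0 100 389 DC01.corp.example
    +------------------------------------------------------+
    The Record is different on DNS server '192.0.2.10'.
    +------------------------------------------------------+
    The record on your DC is:
    DNS NAME = corp.example.
    DNS DATA =
                A 192.0.2.11
    The record on DNS server 192.0.2.10 is:
    DNS NAME = corp.example
    DNS DATA =
                A 192.0.2.10
    +------------------------------------------------------+
    Query for DC DNS entry 00000000-0000-0000-0000-000000000000._msdcs.corp.example. on DNS server 192.0.2.10 failed.
    DNS Error code: DNS_ERROR_RCODE_NAME_ERROR (Name does not exist on DNS server)
    [FATAL] No DNS servers have the DNS records for this DC registered.
"""

# One "record on your DC" / "record on DNS server" comparison block.
# \s* between fields lets the same pattern read output that a forum has
# flattened onto a single line.
PAIR = re.compile(
    r"The record on your DC is:\s*DNS NAME = (?P<name>\S+)\s*DNS DATA =(?P<local>.*?)"
    r"The record on DNS server (?P<server>\S+) is:\s*DNS NAME = \S+\s*DNS DATA =(?P<remote>.*?)"
    r"\+-{5,}",
    re.S,
)
# A and SRV record data as netdiag prints it.
RDATA = re.compile(
    r"\b(A)\s+(\d+\.\d+\.\d+\.\d+)|\b(SRV)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)"
)
# A lookup that returned an error instead of a record set.
FAILED = re.compile(
    r"Query for DC DNS entry (?P<name>\S+) on DNS server (?P<server>\S+) failed\.\s*"
    r"DNS Error code: (?P<code>\w+)"
)


def _norm(name):
    """Compare DNS names without the trailing dot and case-insensitively."""
    return name.rstrip(".").lower()


def _records(blob):
    """Turn a DNS DATA blob into a set of comparable record tuples."""
    out = set()
    for m in RDATA.finditer(blob):
        if m.group(1):
            out.add(("A", m.group(2)))
        else:
            prio, weight, port, target = m.group(4, 5, 6, 7)
            out.add(("SRV", int(prio), int(weight), int(port), _norm(target)))
    return out


def triage(text):
    """Classify every name in the DNS test section.

    registered      - the server's record set includes this DC's record
                      (the "no need to re-register" case)
    not_registered  - the server answered, but without this DC's record
    failed_queries  - the lookup itself failed (name missing on the server)
    """
    report = {"registered": [], "not_registered": [], "failed_queries": []}
    for m in PAIR.finditer(text):
        missing = _records(m.group("local")) - _records(m.group("remote"))
        if missing:
            report["not_registered"].append(
                (_norm(m.group("name")), sorted(missing, key=str))
            )
        else:
            report["registered"].append(_norm(m.group("name")))
    for m in FAILED.finditer(text):
        report["failed_queries"].append((_norm(m.group("name")), m.group("code")))
    return report


if __name__ == "__main__":
    for kind, items in triage(SAMPLE).items():
        print(kind, items)
```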
|
|
Jenna
Seasoned But Casual Onlooker

41 Posts
Status: offline |
Posted - 02/25/2005 : 3:57:29 PM
|
Sorry about the delay, my new job is quite busy. Here is the netdiag /v output (I've replaced names of domain and servers). I hope it makes more sense to you than it does to me. Thanks again for all your help. I've ordered DNS for Dummies to help me understand more of the technology that has been entrusted to me.
Gathering IPX configuration information. Querying status of the Netcard drivers... Passed Testing Domain membership... Passed Gathering NetBT configuration information. Testing for autoconfiguration... Passed Testing IP loopback ping... Passed Testing default gateways... Passed Enumerating local and remote NetBT name cache... Passed Testing the WINS server Local Area Connection There is no primary WINS server defined for this adapter. There is no secondary WINS server defined for this adapter. Gathering Winsock information. Testing DNS [WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.0.240'. Please wait for 30 minutes for DNS server replication. [FATAL] No DNS servers have the DNS records for this DC registered. Testing redirector and browser... Passed Testing DC discovery. Looking for a DC Looking for a PDC emulator Looking for a Windows 2000 DC Gathering the list of Domain Controllers for domain 'MAIN-DOMAIN' Testing trust relationships... Failed Testing Kerberos authentication... Failed Testing LDAP servers in Domain MAIN-DOMAIN ... Gathering routing information Gathering network statistics information. Gathering configuration of bindings. Gathering RAS connection information Gathering Modem information Gathering Netware information Gathering IP Security information
Tests complete.
Computer Name: SERVER02 DNS Host Name: SERVER02.main.DOMAIN.com DNS Domain Name: main.DOMAIN.com System info : Windows 2000 Server (Build 3790) Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel Hotfixes : Installed? Name Yes KB819696 Yes KB823182 Yes KB823559 Yes KB824105 Yes KB824141 Yes KB825119 Yes KB828035 Yes KB828741 Yes KB833987 Yes KB834707 Yes KB835732 Yes KB837001 Yes KB839643 Yes KB839645 Yes KB840315 Yes KB840374 Yes KB840987 Yes KB841356 Yes KB841533 Yes KB873376 Yes KB885835 Yes KB885836 Yes Q147222
Netcard queries test . . . . . . . : Passed
Information of Netcard drivers:
--------------------------------------------------------------------------- Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) Device: \DEVICE\{DD14D08A-1322-468E-8374-544C433785C6}
Media State: Connected
Device State: Connected Connect Time: 6 days, 22:26:17 Media Speed: 100 Mbps
Packets Sent: 10260802 Bytes Sent (Optional): 934844818
Packets Received: 14203252 Directed Pkts Recd (Optional): 14029751 Bytes Received (Optional): 1533884208 Directed Bytes Recd (Optional): 1533884208
Packets SendError: 3 --------------------------------------------------------------------------- [PASS] - At least one netcard is in the 'Connected' state.
Per interface results:
Adapter : Local Area Connection Adapter ID . . . . . . . . : {DD14D08A-1322-468E-8374-544C433785C6}
Netcard queries test . . . : Passed
Adapter type . . . . . . . : Ethernet Host Name. . . . . . . . . : SERVER02 Description. . . . . . . . : 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) Physical Address . . . . . : 00-0A-48-11-02-A5 Dhcp Enabled . . . . . . . : No DHCP ClassID . . . . . . . : Autoconfiguration Enabled. : Yes IP Address . . . . . . . . : 192.168.0.241 Subnet Mask. . . . . . . . : 255.255.255.0 Default Gateway. . . . . . : 192.168.0.1 Dns Servers. . . . . . . . : 192.168.0.240
IpConfig results . . . . . : Passed
AutoConfiguration results. . . . . . : Passed AutoConfiguration is not in use.
Default gateway test . . . : Passed Pinging gateway 192.168.0.1 - reachable At least one gateway reachable for this adapter.
NetBT name test. . . . . . : Passed NetBT_Tcpip_{DD14D08A-1322-468E-8374-544C433785C6} SERVER02 <00> UNIQUE REGISTERED MAIN-DOMAIN<00> GROUP REGISTERED MAIN-DOMAIN<1C> GROUP REGISTERED SERVER02 <20> UNIQUE REGISTERED MAIN-DOMAIN<1E> GROUP REGISTERED [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
NetBios Resolution : via DHCP
Netbios Remote Cache Table Name Type HostAddress Life [sec] --------------------------------------------------------------- SERVER01 <20> UNIQUE 192.168.0.240 547 SERVER01.MAI<4E> UNIQUE 192.168.0.240 392
WINS service test. . . . . : Skipped There is no primary WINS server defined for this adapter. There is no secondary WINS server defined for this adapter. There are no WINS servers configured for this interface. IPX test : IPX is not installed on this machine.
Global results:
IP General configuration LMHOSTS Enabled. . . . . . . . : Yes DNS for WINS resolution. . . . : Enabled Node Type. . . . . . . . . . . : Broadcast NBT Scope ID . . . . . . . . . : Routing Enabled. . . . . . . . : No WINS Proxy Enabled . . . . . . : No DNS resolution for NETBIOS . . : No
Domain membership test . . . . . . : Failed [WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC. Machine is a . . . . . . . . . : Domain Controller Netbios Domain name. . . . . . : MAIN-DOMAIN Dns domain name. . . . . . . . : main.DOMAIN.com Dns forest name. . . . . . . . : main.DOMAIN.com Domain Guid. . . . . . . . . . : {986FCAF3-EDBC-4A9A-9DB2-9DC2FE152470} Domain Sid . . . . . . . . . . : S-1-5-21-3940175930-2121868115-3107012010 Logon User . . . . . . . . . . : Administrator Logon Domain . . . . . . . . . : MAIN-DOMAIN
NetBT transports test. . . . . . . : Passed List of NetBt transports currently configured: NetBT_Tcpip_{DD14D08A-1322-468E-8374-544C433785C6} 1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed PASS - you have at least one non-autoconfigured IP address
IP loopback ping test. . . . . . . : Passed PASS - pinging IP loopback address was successful. Your IP stack is most probably OK.
Default gateway test . . . . . . . : Passed PASS - you have at least one reachable gateway.
NetBT name test. . . . . . . . . . : Passed No NetBT scope defined [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed The number of protocols which have been reported : 10 Description: MSAFD Tcpip [TCP/IP] Provider Version :2 Max message size : Stream Oriented Description: MSAFD Tcpip [UDP/IP] Provider Version :2 Description: RSVP UDP Service Provider Provider Version :6 Description: RSVP TCP Service Provider Provider Version :6 Max message size : Stream Oriented Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DD14D08A-1322-468E-8374-544C433785C6}] SEQPACKET 0 Provider Version :2 Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DD14D08A-1322-468E-8374-544C433785C6}] DATAGRAM 0 Provider Version :2 Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CE05FE19-BD4D-49E9-8DF0-0511B36A4F2F}] SEQPACKET 1 Provider Version :2 Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CE05FE19-BD4D-49E9-8DF0-0511B36A4F2F}] DATAGRAM 1 Provider Version :2 Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{31365781-1C3A-4956-BD64-F856ED10A444}] SEQPACKET 2 Provider Version :2 Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{31365781-1C3A-4956-BD64-F856ED10A444}] DATAGRAM 2 Provider Version :2
Max UDP size : 65507 bytes
DNS test . . . . . . . . . . . . . : Failed Interface {DD14D08A-1322-468E-8374-544C433785C6} DNS Domain: DNS Servers: 192.168.0.240 IP Address: Expected registration with PDN (primary DNS domain name): Hostname: SERVER02.main.DOMAIN.com. Authoritative zone: main.DOMAIN.com. Primary DNS server: SERVER01.main.DOMAIN.com 192.168.0.240 Authoritative NS:192.168.0.240 Check the DNS registration for DCs entries on DNS server '192.168.0.240' The Record is different on DNS server '192.168.0.240'. DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain. Your DC entry is one of them on DNS server '192.168.0.240', no need to re-register.
+------------------------------------------------------+ The record on your DC is: DNS NAME = main.DOMAIN.com. DNS DATA = A 192.168.0.241
The record on DNS server 192.168.0.240 is: DNS NAME = main.DOMAIN.com DNS DATA = A 192.168.0.240 A 192.168.0.241 +------------------------------------------------------+
The Record is different on DNS server '192.168.0.240'. DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain. Your DC entry is one of them on DNS server '192.168.0.240', no need to re-register.
+------------------------------------------------------+ The record on your DC is: DNS NAME = _ldap._tcp.main.DOMAIN.com. DNS DATA = SRV 0 100 389 SERVER02.main.DOMAIN.com.
The record on DNS server 192.168.0.240 is: DNS NAME = _ldap._tcp.main.DOMAIN.com DNS DATA = SRV 0 100 389 SERVER02.main.DOMAIN.com SRV 0 100 389 SERVER01.main.DOMAIN.com +------------------------------------------------------+
The Record is different on DNS server '192.168.0.240'. DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain. Your DC entry is one of them on DNS server '192.168.0.240', no need to re-register.
+------------------------------------------------------+ The record on your DC is: DNS NAME = _ldap._tcp.Default-First-Site-Name._sites.main.DOMAIN.com. DNS DATA = SRV 0 100 389 SERVER02.main.DOMAIN.com.
The record on DNS server 192.168.0.240 is: DNS NAME = _ldap._tcp.Default-First-Site-Name._sites.main.DOMAIN.com DNS DATA = SRV 0 100 389 SERVER02.main.DOMAIN.com SRV 0 100 389 SERVER01.main.DOMAIN.com +------------------------------------------------------+
The Record is different on DNS server '192.168.0.240'. DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain. Your DC entry is one of them on DNS server '192.168.0.240', no need to re-register.
+------------------------------------------------------+ The record on your DC is: DNS NAME = _ldap._tcp.986fcaf3-edbc-4a9a-9db2-9dc2fe152470.domains._msdcs.main.DOMAIN.com. DNS DATA = SRV 0 100 389 SERVER02.main.DOMAIN.com.
The record on DNS server 192.168.0.240 is: DNS NAME = _ldap._tcp.986fcaf3-edbc-4a9a-9db2-9dc2fe152470.domains._msdcs.main.DOMAIN.com DNS DATA = SRV 0 100 389 SERVER02.main.DOMAIN.com SRV 0 100 389 SERVER01.main.DOMAIN.com +------------------------------------------------------+
The Record is different on DNS server '192.168.0.240'. DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain. Your DC entry is one of them on DNS server '192.168.0.240', no need to re-register.
+------------------------------------------------------+ The record on your DC is: DNS NAME = _kerberos._tcp.dc._msdcs.main.DOMAIN.com. DNS DATA = SRV 0 100 88 SERVER02.main.DOMAIN.com.
The record on DNS server 192.168.0.240 is: DNS NAME = _kerberos._tcp.dc._msdcs.main.DOMAIN.com DNS DATA = SRV 0 100 88 SERVER02.main.DOMAIN.com SRV 0 100 88 SERVER01.main.DOMAIN.com +------------------------------------------------------+
The Record is different on DNS server '192.168.0.240'. DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain. Your DC entry is one of them on DNS server '192.168.0.240', no need to re-register.
+------------------------------------------------------+ The record on your DC is: DNS NAME = _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.main.DOMAIN.com. DNS DATA = SRV 0 100 88 SERVER02.main.DOMAIN.com.
The record on DNS server 192.168.0.240 is: DNS NAME = _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.main.DOMAIN.com DNS DATA = SRV 0 100 88 SERVER01.main.DOMAIN.com SRV 0 100 88 SERVER02.main.DOMAIN.com +------------------------------------------------------+
The Record is different on DNS server '192.168.0.240'. DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain. Your DC entry is one of them on DNS server '192.168.0.240', no need to re-register.
+------------------------------------------------------+ The record on your DC is: DNS NAME = _ldap._tcp.dc._msdcs.main.DOMAIN.com. DNS DATA = SRV 0 100 389 SERVER02.main.DOMAIN.com.
The record on DNS server 192.168.0.240 is: DNS NAME = _ldap._tcp.dc._msdcs.main.DOMAIN.com DNS DATA = SRV 0 100 389 SERVER02.main.DOMAIN.com SRV 0 100 389 SERVER01.main.DOMAIN.com +------------------------------------------------------+
The Record is different on DNS server '192.168.0.240'. DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain. Your DC entry is one of them on DNS server '192.168.0.240', no need to re-register.
+------------------------------------------------------+ The record on your DC is: DNS NAME = _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.main.DOMAIN.com. DNS DATA = SRV 0 100 389 SERVER02.main.DOMAIN.com.
The record on DNS server 192.168.0.240 is: DNS NAME = _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.main.DOMAIN.com DNS DATA = SRV 0 100 389 SERVER01.main.DOMAIN.com SRV 0 100 389 SERVER02.main.DOMAIN.com +------------------------------------------------------+
The Record is different on DNS server '192.168.0.240'. DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain. Your DC entry is one of them on DNS server '192.168.0.240', no need to re-register.
+------------------------------------------------------+ The record on your DC is: DNS NAME = _kerberos._tcp.main.DOMAIN.com. DNS DATA = SRV 0 100 88 SERVER02.main.DOMAIN.com.
The record on DNS server 192.168.0.240 is: DNS NAME = _kerberos._tcp.main.DOMAIN.com DNS DATA = SRV 0 100 88 SERVER02.main.DOMAIN.com SRV 0 100 88 SERVER01.main.DOMAIN.com +------------------------------------------------------+
The Record is different on DNS server '192.168.0.240'. DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain. Your DC entry is one of them on DNS server '192.168.0.240', no need to re-register.
+------------------------------------------------------+ The record on your DC is: DNS NAME = _kerberos._tcp.Default-First-Site-Name._sites.main.DOMAIN.com. DNS DATA = SRV 0 100 88 SERVER02.main.DOMAIN.com.
The record on DNS server 192.168.0.240 is: DNS NAME = _kerberos._tcp.Default-First-Site-Name._sites.main.DOMAIN.com DNS DATA = SRV 0 100 88 SERVER02.main.DOMAIN.com SRV 0 100 88 SERVER01.main.DOMAIN.com +------------------------------------------------------+
The Record is different on DNS server '192.168.0.240'. DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain. Your DC entry is one of them on DNS server '192.168.0.240', no need to re-register.
+------------------------------------------------------+ The record on your DC is: DNS NAME = _kerberos._udp.main.DOMAIN.com. DNS DATA = SRV 0 100 88 SERVER02.main.DOMAIN.com.
The record on DNS server 192.168.0.240 is: DNS NAME = _kerberos._udp.main.DOMAIN.com DNS DATA = SRV 0 100 88 SERVER02.main.DOMAIN.com SRV 0 100 88 SERVER01.main.DOMAIN.com +------------------------------------------------------+
The Record is different on DNS server '192.168.0.240'. DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain. Your DC entry is one of them on DNS server '192.168.0.240', no need to re-register.
+------------------------------------------------------+ The record on your DC is: DNS NAME = _kpasswd._tcp.main.DOMAIN.com. DNS DATA = SRV 0 100 464 SERVER02.main.DOMAIN.com.
The record on DNS server 192.168.0.240 is: DNS NAME = _kpasswd._tcp.main.DOMAIN.com DNS DATA = SRV 0 100 464 SERVER02.main.DOMAIN.com SRV 0 100 464 SERVER01.main.DOMAIN.com +------------------------------------------------------+
The Record is different on DNS server '192.168.0.240'. DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain. Your DC entry is one of them on DNS server '192.168.0.240', no need to re-register.
+------------------------------------------------------+ The record on your DC is: DNS NAME = _kpasswd._udp.main.DOMAIN.com. DNS DATA = SRV 0 100 464 SERVER02.main.DOMAIN.com.
The record on DNS server 192.168.0.240 is: DNS NAME = _kpasswd._udp.main.DOMAIN.com DNS DATA = SRV 0 100 464 SERVER02.main.DOMAIN.com SRV 0 100 464 SERVER01.main.DOMAIN.com +------------------------------------------------------+
Query for DC DNS entry 56f96b25-4159-4cc0-b919-e94296488928._msdcs.main.DOMAIN.com. on DNS server 192.168.0.240 failed. DNS Error code: DNS_ERROR_RCODE_NAME_ERROR (Name does not exist on DNS server) [WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.0.240'. Please wait for 30 minutes for DNS server replication. [FATAL] No DNS servers have the DNS records for this DC registered.
Redir and Browser test . . . . . . : Passed List of transports currently bound to the Redir NetbiosSmb NetBT_Tcpip_{DD14D08A-1322-468E-8374-544C433785C6} The redir is bound to 1 NetBt transport.
List of transports currently bound to the browser NetBT_Tcpip_{DD14D08A-1322-468E-8374-544C433785C6} The browser is bound to 1 NetBt transport. Mailslot test for MAIN-DOMAIN* passed.
DC discovery test. . . . . . . . . : Passed
Find DC in domain 'MAIN-DOMAIN': Found this DC in domain 'MAIN-DOMAIN': DC. . . . . . . . . . . : \\SERVER01.main.DOMAIN.com Address . . . . . . . . : \\192.168.0.240 Domain Guid . . . . . . : {986FCAF3-EDBC-4A9A-9DB2-9DC2FE152470} Domain Name . . . . . . : main.DOMAIN.com Forest Name . . . . . . : main.DOMAIN.com DC Site Name. . . . . . : Default-First-Site-Name Our Site Name . . . . . : Default-First-Site-Name Flags . . . . . . . . . : PDC emulator GC DS KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE 0x8
Find PDC emulator in domain 'MAIN-DOMAIN': Found this PDC emulator in domain 'MAIN-DOMAIN': DC. . . . . . . . . . . : \\SERVER01.main.DOMAIN.com Address . . . . . . . . : \\192.168.0.240 Domain Guid . . . . . . : {986FCAF3-EDBC-4A9A-9DB2-9DC2FE152470} Domain Name . . . . . . : main.DOMAIN.com Forest Name . . . . . . : main.DOMAIN.com DC Site Name. . . . . . : Default-First-Site-Name Our Site Name . . . . . : Default-First-Site-Name Flags . . . . . . . . . : PDC emulator GC DS KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE 0x8
Find Windows 2000 DC in domain 'MAIN-DOMAIN': Found this Windows 2000 DC in domain 'MAIN-DOMAIN': DC. . . . . . . . . . . : \\SERVER01.main.DOMAIN.com Address . . . . . . . . : \\192.168.0.240 Domain Guid . . . . . . : {986FCAF3-EDBC-4A9A-9DB2-9DC2FE152470} Domain Name . . . . . . : main.DOMAIN.com Forest Name . . . . . . : main.DOMAIN.com DC Site Name. . . . . . : Default-First-Site-Name Our Site Name . . . . . : Default-First-Site-Name Flags . . . . . . . . . : PDC emulator GC DS KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE 0x8
DC list test . . . . . . . . . . . : Failed [WARNING] Cannot call DsBind to SERVER01.main.DOMAIN.com (192.168.0.240). [SEC_E_WRONG_PRINCIPAL] List of DCs in Domain 'MAIN-DOMAIN': SERVER01.main.DOMAIN.com
Trust relationship test. . . . . . : Failed Test to ensure DomainSid of domain 'MAIN-DOMAIN' is correct. [FATAL] Secure channel to domain 'MAIN-DOMAIN' is broken. [ERROR_ACCESS_DENIED]
Kerberos test. . . . . . . . . . . : Failed Cached Tickets: Server: krbtgt/MAIN.DOMAIN.COM End Time: 2/25/2005 15:27:38 Renew Time: 2/25/2005 11:57:09 Server: krbtgt/MAIN.DOMAIN.COM End Time: 2/25/2005 20:57:09 Renew Time: 2/25/2005 11:57:09 Server: cifs/SERVER01.main.DOMAIN.com End Time: 2/25/2005 15:27:40 Renew Time: 2/25/2005 11:57:09 Server: LDAP/SERVER01.main.DOMAIN.com End Time: 2/25/2005 15:27:40 Renew Time: 2/25/2005 11:57:09 Server: LDAP/SERVER01.main.DOMAIN.com/main.DOMAIN.com End Time: 2/25/2005 15:27:17 Renew Time: 2/25/2005 11:57:09 Server: ldap/f807371d-c709-4f55-9ed6-a3820c7a7f7b._msdcs.main.DOMAIN.com End Time: 2/23/2005 14:45:04 Renew Time: 2/23/2005 14:28:28 Server: DNS/SERVER01.main.DOMAIN.com End Time: 2/21/2005 16:31:15 Renew Time: 2/21/2005 8:21:31 Server: LDAP/SERVER01 End Time: 2/21/2005 16:07:57 Renew Time: 2/21/2005 8:21:31 [FATAL] Kerberos does not have a ticket for host/SERVER02.main.DOMAIN.com.
LDAP test. . . . . . . . . . . . . : Passed
Do un-authenticated LDAP call to 'SERVER01.main.DOMAIN.com'. Found 1 entries.
Do NTLM authenticated LDAP call to 'SERVER01.main.DOMAIN.com'. Found 1 entries.
Do Negotiate authenticated LDAP call to 'SERVER01.main.DOMAIN.com'. Found 1 entries.
[WARNING] Failed to query SPN registration on DC 'SERVER01.main.DOMAIN.com'.
Routing table test . . . . . . . . : Passed
Active Routes :
Network Destination  Netmask  Gateway  Interface  Metric
0.0.0.0  0.0.0.0  192.168.0.1  192.168.0.241  20
127.0.0.0  255.0.0.0  127.0.0.1  127.0.0.1  1
192.168.0.0  255.255.255.0  192.168.0.241  192.168.0.241  20
192.168.0.241  255.255.255.255  127.0.0.1  127.0.0.1  20
192.168.0.255  255.255.255.255  192.168.0.241  192.168.0.241  20
224.0.0.0  240.0.0.0  192.168.0.241  192.168.0.241  20
255.255.255.255  255.255.255.255  192.168.0.241  192.168.0.241  1
No persistent route entries.
Netstat information test . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully
|
 |
|
|
ptwilliams
Moderator
    
United Kingdom
4401 Posts
Status: offline |
Posted - 02/26/2005 : 07:34:09 AM
|
You're half way there. You've registered DNS correctly on 192.168.0.240; you just need to be able to replicate that data and you're done.
-- Start\ Run\ replmon
-- Right-click on Monitored Servers and choose Add server to monitor.
-- Next, and enter the name for 192.168.0.240 and choose finish.
-- View, Options, Cache. Reset. OK.
-- Right-click on <DC Name> and choose Synchronise Each directory partition with all servers
-- Check Push mode and Cross Site... and choose OK.
-- Answer yes to the dialog about waiting to cross sites...
-- Make a cup of coffee and then...
-- View\ Refresh.
Basically, DNS is correct on one DC and not on the other; replication will fix this. You just have to replicate.
Hope this helps...
|
 |
|
|
Jenna
Seasoned But Casual Onlooker

41 Posts
Status: offline |
Posted - 02/28/2005 : 08:51:37 AM
|
Thanks again for your help. I followed your instructions logged in as admin but I get an error message for each partition (same basic message 4 or 5 times) "The synchronization of the directory partition (DC=main, DC=domain, ...) failed. This may be because you have insufficient credentials."
|
 |
|
|
ptwilliams
Moderator
    
United Kingdom
4401 Posts
Status: offline |
Posted - 02/28/2005 : 09:50:54 AM
|
Yep, that'll cause it to fail 
Is this a child domain? It looks like it is. You will need to be delegated permissions to replicate enterprise partitions.
Or, are you able to logon as EA?
If you have administrative access in the parent domain this won't be an issue.
|
 |
|
|
Jenna
Seasoned But Casual Onlooker

41 Posts
Status: offline |
Posted - 03/01/2005 : 11:38:27 PM
|
quote: Originally posted by ptwilliams
Yep, that'll cause it to fail 
Hehe
Thanks for pointing me toward the aspects I should be researching. I'm familiar with basic networking, but a lil' out of my league here. I'm still trying to familiarize myself with the concepts mentioned here as well as basic DNS and AD structure.
As far as if it is a child domain, I don't really know. We have internet service through a smallish local ISP which also hosts the company's website (which shares the same name as the <domain.com> part of main.domain.com in all of my posts). <whew> Also, my AD object is an enterprise admin if that is what you mean.
<back to the books>
Thanks again. Jen |
 |
|
|
ptwilliams
Moderator
    
United Kingdom
4401 Posts
Status: offline |
Posted - 03/02/2005 : 05:51:12 AM
|
Copy and paste the following into a text editor and save it with a .vbs extension:
' Bind to the directory's RootDSE and show the forest root domain's distinguished name
set objRootDse=getObject("LDAP://RootDSE")
wscript.echo objRootDse.get("rootDomainNamingContext")
Run it by double-clicking. Note down the root domain.
You can then see if your root domain is simply main.domain.com or if you have a root domain called domain.com and you are administering the child main.domain.com.
If you are an EA, you shouldn't really be having permissions problems replicating partitions.
However, you might be having some DNS troubles if you do have a child domain...
|
 |
|
|
Jenna
Seasoned But Casual Onlooker

41 Posts
Status: offline |
Posted - 03/02/2005 : 08:37:51 AM
|
Running the script tells me that main.domain.com is indeed the root domain.
Argh, It feels like a Monday. Off to make some tea.  |
 |
|
|
ptwilliams
Moderator
    
United Kingdom
4401 Posts
Status: offline |
Posted - 03/02/2005 : 09:04:36 AM
|
I missed a couple of things from the diagnostics dump (the info the script pulled is in there for one ;-)
> DC list test . . . . . . . . . . . : Failed
> [WARNING] Cannot call DsBind to SERVER01.main.DOMAIN.com (192.168.0.240). [SEC_E_WRONG_PRINCIPAL]
> List of DCs in Domain 'MAIN-DOMAIN': SERVER01.main.DOMAIN.com
> Trust relationship test. . . . . . : Failed
> Test to ensure DomainSid of domain 'MAIN-DOMAIN' is correct.
> [FATAL] Secure channel to domain 'MAIN-DOMAIN' is broken. [ERROR_ACCESS_DENIED]
These machines have been out-of-sync for some time by the looks of things. I hope no longer than 60 days.
Anyway, you'll need to reset the secure channel. You do this with either netdom or nltest. I prefer nltest...
C:\>nltest /sc_reset:main.domain.com
 |
|
|
Jenna
Seasoned But Casual Onlooker

41 Posts
Status: offline |
Posted - 03/02/2005 : 09:25:29 AM
|
This looks like bad news and reaffirms my feelings of Monday'ness:
I_NetLogonControl failed: Status=5 0X5 ERROR_ACCESS_DENIED
I'm almost afraid to ask, but what happens after 60 days?
 |
|
|
ptwilliams
Moderator
    
United Kingdom
4401 Posts
Status: offline |
Posted - 03/02/2005 : 1:00:38 PM
|
Hmmm...try it the other way (from the working server), and try it with the \DCName on the end of the DNS name.
> I'm almost afraid to ask,but what happens after 60 days?
After 60 days the tombstone lifetime has expired and the DC is then in an unreliable state. That is, if you bring it on line and it replicates, you might see spurious issues further down the line with lurking objects, ghosts, etc.
If a DC has passed its tombstone lifetime, the best thing to do is forcefully demote it, metadata cleanup, and then repromote again.
(nothing to worry about, but fun nonetheless)
|
 |
|
|
Jenna
Seasoned But Casual Onlooker

41 Posts
Status: offline |
Posted - 03/02/2005 : 1:56:01 PM
|
With the /server:SERVER02 flag I get the same error.
Without it I get 1355 0x54b ERROR_NO_SUCH_DOMAIN
|
 |
|
|
ptwilliams
Moderator
    
United Kingdom
4401 Posts
Status: offline |
Posted - 03/02/2005 : 2:05:40 PM
|
No, I mean nltest /sc_reset:domain-name.com\DCNAME
Try this from the working server and direct it at the non-working server.
|
 |
|
|
Jenna
Seasoned But Casual Onlooker

41 Posts
Status: offline |
Posted - 03/02/2005 : 2:22:28 PM
|
Ok. Using that syntax I get
I_NetLogonControl failed: Status=1355 0x54b ERROR_NO_SUCH_DOMAIN
Now I'm really scared  |
 |
|
|
ptwilliams
Moderator
    
United Kingdom
4401 Posts
Status: offline |
Posted - 03/02/2005 : 4:01:48 PM
|
You could also try netdom (Google netdom secure channel reset site:support.microsoft.com) or this:
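' Set the computer account's password to <computer name>$
strComputerName="COMPUTERNAMEGOESHERE"
' Container holding the account. CN=Computers is an assumption; a DC's account normally sits in OU=Domain Controllers.
strContainer="CN=Computers"
set objRootDSE=getObject("LDAP://RootDSE")
set objComputer=getObject("LDAP://CN="&strComputerName&","&strContainer&","&objRootDSE.get("defaultNamingContext"))
objComputer.setPassword strComputerName&"$"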
|
 |
|
|
Jenna
Seasoned But Casual Onlooker

41 Posts
Status: offline |
Posted - 03/04/2005 : 08:51:57 AM
|
At this point I'm thinking it's been longer than 60 days, so I'm planning a demote/cleanup/promote day for next Saturday or the next (depending on how quickly I can build my confidence...hehe). Do you think this will resolve the secure channel issue as well or is that something entirely different to be concerned about?
Thanks immensely for all your help.
Jenna |
 |
|
|
ptwilliams
Moderator
    
United Kingdom
4401 Posts
Status: offline |
Posted - 03/04/2005 : 10:08:27 AM
|
> Do you think this will resolve the secure channel issue as well or is that something entirely different to be concerned about?
That'll probably sort it 
Otherwise, just dis-join from the domain after demoting...
> At this point I'm thinking it's been longer than 60 days, so I'm planning a demote/cleanup/promote day for next Saturday or the next (depending on how quickly I can build my confidence...hehe).
Good call.
Right then, there are a number of things you need to consider - DNS being at the forefront. Have a look at this for a little bit of help: -- http://www.msresource.net/content/view/24/47/
Basically, you forcefully demote. Disjoin. Metadata cleanup (http://support.microsoft.com/?id=216498). Join. Promote. Monitor the event logs so this doesn't happen again...
> Thanks immensely for all your help.
Anytime!!! 
|
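The 60-day tombstone lifetime and the advice to keep monitoring, as an added example that is not part of any post in this thread: a Python check that grades each inbound replication link by how long ago it last succeeded. The DC names, timestamps and error codes are constructed, and the CSV column headings are assumed to match `repadmin /showrepl * /csv` output.

```python
import csv
import io
from datetime import datetime, timedelta

# Tombstone lifetime quoted in the thread. Assumption: in production, read the
# value configured for the forest instead of hard-coding it.
TOMBSTONE_LIFETIME_DAYS = 60

# Constructed sample input (hypothetical DCs and times, not data from the thread).
# The column headings are assumed to match `repadmin /showrepl * /csv` output.
SAMPLE_CSV = '''showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=corp,DC=example,DC=test",Default-First-Site-Name,DC2,RPC,0,0,2005-03-02 08:45:10,0
showrepl_INFO,Default-First-Site-Name,DC2,"DC=corp,DC=example,DC=test",Default-First-Site-Name,DC1,RPC,412,2005-03-02 08:50:00,2004-12-20 03:12:44,5
showrepl_INFO,Default-First-Site-Name,DC2,"CN=Configuration,DC=corp,DC=example,DC=test",Default-First-Site-Name,DC1,RPC,30,2005-03-02 08:50:00,2005-01-25 10:00:00,5
showrepl_INFO,Default-First-Site-Name,DC3,"DC=corp,DC=example,DC=test",Default-First-Site-Name,DC1,RPC,3,2005-03-02 08:30:00,2005-03-01 22:00:00,1722
'''

SEVERITY = ["OK", "FAILING", "AT_RISK", "UNKNOWN", "EXPIRED"]  # least to most severe


def parse_time(text):
    """Return a datetime, or None when no usable timestamp is recorded."""
    try:
        return datetime.strptime((text or "").strip(), "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None


def classify(last_success, failures, now, tombstone_days):
    """Grade one inbound replication link against the tombstone lifetime."""
    if last_success is None:
        return "UNKNOWN"  # no success recorded: needs a manual look
    age = now - last_success
    if age > timedelta(days=tombstone_days):
        return "EXPIRED"  # candidate for demote / metadata cleanup / re-promote
    if age > timedelta(days=tombstone_days / 2):
        return "AT_RISK"  # past half the lifetime: fix replication now
    return "FAILING" if failures else "OK"


def assess(csv_text, now, tombstone_days=TOMBSTONE_LIFETIME_DAYS):
    """Return one finding per inbound link (destination DC, partition, source DC)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        last_success = parse_time(row["Last Success Time"])
        failures = int(row["Number of Failures"] or 0)
        findings.append({
            "dc": row["Destination DSA"],
            "partition": row["Naming Context"],
            "source": row["Source DSA"],
            "age_days": None if last_success is None else (now - last_success).days,
            "status": classify(last_success, failures, now, tombstone_days),
        })
    return findings


def worst_per_dc(findings):
    """Collapse link findings to the most severe status seen for each DC."""
    worst = {}
    for f in findings:
        current = worst.get(f["dc"], "OK")
        worst[f["dc"]] = max(current, f["status"], key=SEVERITY.index)
    return worst


if __name__ == "__main__":
    now = datetime(2005, 3, 2, 9, 0, 0)  # fixed clock so the sample is repeatable
    results = assess(SAMPLE_CSV, now)
    for f in results:
        print(f'{f["status"]:8} {f["dc"]} <- {f["source"]}  {f["partition"]}  age={f["age_days"]}d')
    print(worst_per_dc(results))
```

Run on a schedule, a check like this flags a DC at half the tombstone lifetime, while ordinary replication repair is still an option.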
 |
|
|
Jenna
Seasoned But Casual Onlooker

41 Posts
Status: offline |
Posted - 03/04/2005 : 3:52:52 PM
|
quote: Originally posted by ptwilliams Anytime!!! 
Oh, I hope you mean that...
Thanks for the links. I've been studying DNS all day and I found that there are no Reverse Lookup Zones set up on the DNS server. Does that seem odd? I'm trying to find out what the norm is, but without much luck.
Thanks. Jennifer |
 |
|
|
ptwilliams
Moderator
    
United Kingdom
4401 Posts
Status: offline |
Posted - 03/05/2005 : 08:15:35 AM
|
Reverse lookup zones aren't essential. They're just helpful. AD will run fine without them. The only app I've come across that requires them is HP OVOW.
I, personally, would create Reverse Lookup Zones. It gives you a bit more help when troubleshooting connectivity problems, and if your environment is large, helps you find out what the hell's what.
I would create a high-level one, e.g. 10. which will then cover all subnets you've got, even if you *just* use 24-bit nets, like 10.0.0.1 and 10.0.0.100, etc.
|
 |
|
|
Jenna
Seasoned But Casual Onlooker

41 Posts
Status: offline |
Posted - 03/09/2005 : 10:42:41 AM
|
Friendly update for anyone who is curious...
Unfortunately, a hard drive in the server with AD issues died on Monday. The disaster recovery went well, however, and there was almost zero data loss. Reinstalling the OS seemed to fix the AD issue as well 
Thanks again for all the help.
Jen |
 |
|
|
ptwilliams
Moderator
    
United Kingdom
4401 Posts
Status: offline |
Posted - 03/09/2005 : 11:47:47 AM
|
Great news!!!
Demoting and promoting's the way, eh?!? 
|
 |
|
|
gmagerr
Seasoned But Casual Onlooker

26 Posts
Status: offline |
Posted - 08/12/2006 : 7:57:21 PM
|
ptwilliams, when you say create one high-level reverse lookup zone, what do you mean? I admin a 10.30.0.0 network and would love to set one reverse lookup zone to cover it. I have to set a separate one for each octet increment. For example I have to set one up for 10.30.1.0, 10.30.2.0 etc etc etc... So if I could have one, that would be great. Thanks.
 |
|
|
clarinathan
Moderator
    
United Kingdom
4774 Posts
Status: offline |
|
|
Ahabashy
Welcome Newcomer
2 Posts
Status: offline |
Posted - 02/20/2007 : 02:55:58 AM
|
Hello Guys;
I'm facing the same problem: [FATAL] Secure channel to domain 'MYDOM' is broken. [ERROR_ACCESS_DENIED]
I did exhaust all the possibilities, but with no luck.
So, it seems that the only remaining solution is to disjoin the machine from the domain and re-join, but the question here is: what are the consequences of doing so? Losing permissions on directories? Losing permissions given to in-house application? Losing rights assigned to users or application services?
Please help or advise. Thanks
 |
|
|
wkasdo
Moderator
    
Netherlands
6140 Posts
Status: offline |
Posted - 02/20/2007 : 04:09:02 AM
|
permissions on directories? losing permissions given to in-house application? losing rights assigned to users or application services?
No, no, and no. Rejoining is a low-impact operation that has NO impact on user permissions. Depending on how you do it, it may impact computer permissions; usually, software distribution is mostly affected although there are other possibilities.
 |
|
|
Ahabashy
Welcome Newcomer
2 Posts
Status: offline |
Posted - 02/21/2007 : 03:13:02 AM
|
"Depending on how you do it, it may impact computer permissions" Please, can you clarify this in more detail!
Thanks |
 |
|