Mamba
Welcome Newcomer
19 Posts
Status: offline
Posted - 02/13/2008 : 4:48:41 PM

Hi all,
I recently started as a Windows SA at a new job (smallish research lab, about 200 devices). Their (2003 Domain and Forest functional level) AD was already in place, single domain, single site, 2 DCs, using external DNS (Linux, BIND 9.2.4) primary and secondary servers. They use static IPs and manual DNS updates; WINS server is enabled on both DCs. DNS clients are configured to point directly to the two external DNS servers. The two DCs run DNS server service, configured to forward "All other DNS domains" to the two external DNS servers.
I noticed that the DCs and a few other servers were logging many 1053 Application errors (see below) along with other problem events (time, browser, netlogon, etc). After applying MS937535 (http://support.microsoft.com/kb/937535) and rebooting, the events have not returned. However I'm still seeing the following on a lot of our XP Pro client systems (see list below). I'd hate to have to apply the MS937535 fix to all the systems, plus I think this fix is a band-aid and would rather determine/correct the source issue. Note that not all clients exhibit all the events below; seems to happen more on the ones with a lot of network activity. Periodically the systems require a reboot to fix related communication/resource problems, as you might expect.
Would appreciate any constructive feedback.
TIA,
M
Event occurs on: DCs and clients (now fixed on DCs and servers via MS937535)
Event Type: Error
Event Source: Userenv
Event ID: 1053
Description: Windows cannot determine the user or computer name. (Not enough storage is available to complete this operation.) Group Policy processing aborted.

Event occurs on: Clients, every 60-90 min
Event Type: Warning
Event Source: LSASRV
Event ID: 40961
Description: The Security System could not establish a secured connection with the server ldap/ourDC/ourFQDN@ourFQDN. No authentication protocol was available.

Event occurs on: Clients, occasional
Event Type: Error
Event Source: Userenv
Event ID: 1030
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Event occurs on: Clients, occasional
Event Type: Error
Event Source: Userenv
Event ID: 1054
Description: Windows cannot obtain the domain controller name for your computer network. (A socket operation was attempted to an unreachable host.) Group Policy processing aborted.

Event occurs on: Clients, occasional
Event Type: Error
Event Source: NETLOGON
Event ID: 5719
Description: No Domain Controller is available for domain AD due to the following: Not enough storage is available to process this command.
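An added example, not part of the original post or the forum: a small triage script for the five event IDs listed above, run over a constructed export of event-log lines (the CSV layout, host names and timestamps are assumptions, not data from the poster's lab). It counts each event per host and, where an ID repeats, reports the median gap between occurrences, which is how you tell a steady 60-90 minute recurrence like the 40961 warnings from a one-off outage and find the hosts worth looking at first.

```python
"""Triage of the Userenv / LSASRV / NETLOGON events from the post.

Added example; the event export below is constructed, not a real log.
Expected line layout: YYYY-MM-DD HH:MM:SS,host,level,source,event_id
"""
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, NamedTuple, Optional

# Event IDs named in the post, keyed to the source each is logged under.
EVENTS_OF_INTEREST = {
    1053: "Userenv",    # cannot determine the user or computer name
    40961: "LSASRV",    # no secured connection to ldap/<dc>, no auth protocol
    1030: "Userenv",    # cannot query the list of GPOs
    1054: "Userenv",    # cannot obtain the domain controller name
    5719: "NETLOGON",   # no domain controller available for the domain
}


class Event(NamedTuple):
    when: datetime
    host: str
    source: str
    event_id: int


def parse_events(text: str) -> List[Event]:
    """Parse export lines; blank lines and '#' comments are skipped."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, _level, source, eid = (f.strip() for f in line.split(","))
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            host, source, int(eid)))
    return events


def summarize(events: List[Event]) -> Dict[str, Dict[int, dict]]:
    """Per host and event ID: occurrence count and the median gap in minutes
    between occurrences (None when the ID fired only once). A steady gap
    indicates a periodic trigger rather than random failures."""
    times_by = defaultdict(lambda: defaultdict(list))
    for e in events:
        # Match on ID and source together so unrelated IDs are ignored.
        if EVENTS_OF_INTEREST.get(e.event_id) == e.source:
            times_by[e.host][e.event_id].append(e.when)
    report: Dict[str, Dict[int, dict]] = {}
    for host, by_id in times_by.items():
        report[host] = {}
        for eid, times in by_id.items():
            times.sort()
            gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
            gap: Optional[float] = round(median(gaps), 1) if gaps else None
            report[host][eid] = {"count": len(times), "median_gap_min": gap}
    return report


def noisiest_hosts(report: Dict[str, Dict[int, dict]], top: int = 3) -> List[str]:
    """Hosts ordered by total matching events, most first (ties by name)."""
    totals = {h: sum(v["count"] for v in ids.values()) for h, ids in report.items()}
    return sorted(totals, key=lambda h: (-totals[h], h))[:top]


# Constructed sample export (not real data): one busy client with recurring
# 40961s, one client with a single DC-location failure, and a DC with 1053s.
SAMPLE_EXPORT = """\
# constructed sample, not real log data
2008-02-13 09:00:00,WS-101,Warning,LSASRV,40961
2008-02-13 09:00:40,WS-101,Error,Userenv,1030
2008-02-13 10:15:00,WS-101,Warning,LSASRV,40961
2008-02-13 11:30:00,WS-101,Warning,LSASRV,40961
2008-02-13 12:40:00,WS-101,Warning,LSASRV,40961
2008-02-13 10:02:00,WS-102,Error,NETLOGON,5719
2008-02-13 10:02:01,WS-102,Error,Userenv,1054
2008-02-13 11:00:00,WS-102,Error,Application Error,1000
2008-02-13 08:30:00,DC1,Error,Userenv,1053
2008-02-13 13:30:00,DC1,Error,Userenv,1053
"""


def demo() -> Dict[str, Dict[int, dict]]:
    return summarize(parse_events(SAMPLE_EXPORT))


if __name__ == "__main__":
    rep = demo()
    for host in noisiest_hosts(rep):
        print(host)
        for eid, stats in sorted(rep[host].items()):
            print(f"  {eid:>6} ({EVENTS_OF_INTEREST[eid]}): "
                  f"count={stats['count']} median_gap_min={stats['median_gap_min']}")
```

Export the Application and System logs to CSV (Event Viewer's "Save Log File As" or a WMI query) and adjust `parse_events` to the column order you get; the rest of the script does not care where the lines came from.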
Bjorn_dewaele
Welcome Newcomer
20 Posts
Status: offline
Posted - 02/13/2008 : 5:12:30 PM

Hello Mamba,
please implement DHCP as soon as possible.
The clients need to point to the internal DNS servers, and the external DNS servers need to be on the forwarders zone tab in DNS on the domain controllers. Please do a test first and point a client to the internal DNS servers (DCs). I guess this will solve lots of problems for you!
Kind regards
Bjorn
Mamba
Welcome Newcomer
19 Posts
Status: offline
Posted - 02/13/2008 : 7:19:36 PM

Yes, DHCP and DDNS is in the plans but not right away.
>The clients need to point to the internal DNS server
I wondered about that but would like to understand why?
>external DNS server need to be on the forwarders zone tab in DNS
Is that somewhere besides the forwarder tab I mentioned above?
Bjorn_dewaele
Welcome Newcomer
20 Posts
Status: offline
Posted - 02/14/2008 : 04:02:35 AM

quote: I wondered about that but would like to understand why?
Your internal DNS servers contain special records to find domain controllers for authentication. External DNS servers are not aware of those records.
quote: Is that somewhere besides the forwarder tab I mentioned above?
Indeed, didn't read that part too well :)
joe_elway
Honorable But Hopeless Addict
Ireland
6673 Posts
Status: offline
Posted - 02/14/2008 : 04:25:26 AM

Domain controllers will try to publish SRV records to advertise the ports and servers that host services such as Kerberos and Global Catalog. These are pretty important so they shouldn't be on an externally accessible DNS. The norm is to use AD-integrated DNS on the domain controllers with secure dynamic updates enabled. This allows the DCs to register these records themselves in a secure manner - no admin required unless something goes wrong. Clients can then look up this DNS to resolve AD-related service locations.
Aidan Finn MCSE, MVP (Virtual Machine: Systems Administration)
IT Blog: http://www.aidanfinn.com My Photography: http://www.aidanfinnphoto.com/ My Hyper-V Book: Mastering Hyper-V Deployment Twitter: http://twitter.com/joe_elway
Mamba
Welcome Newcomer
19 Posts
Status: offline
Posted - 02/14/2008 : 10:28:47 AM

Bjorn said: Your internal DNS servers contain special records
Ah, SRV records, that makes sense...thanks.
joe_elway said: ..shouldn't be on an externally accessible DNS.
Thanks. To clarify, I meant external to AD not internet-facing...but I get the point; they wouldn't have the SRV records. As for DDNS, there shouldn't be any issue not using that (other than admin work) I assume? It'll still be awhile before we're ready for DHCP (internal politics).
Edit: I just ran a SRV response comparison between the Linux and the AD DNS servers. Both resolved all entries found in the netlogon.dns file on the AD DC, so I'm still confused about this. Some responses from the Linux servers were "non-authoritative"....would that matter?
Edited by - Mamba on 02/14/2008 11:25:05 AM
aval
Honorable But Hopeless Addict
USA
2089 Posts
Status: offline
Posted - 02/14/2008 : 12:37:50 PM

I believe "non-authoritative" means that the Linux-BIND DNS servers are not hosting a copy of the DNS zone you have set up for your Windows network.
quote: The two DCs run DNS server service, configured to forward "All other DNS domains" to the two external DNS servers.
In other words, the Linux-BIND servers don't hold a copy of the DNS domain that you distinguished from "All other DNS domains" when you set up DNS on the domain controllers.
BIND currently does support SRV records - since version 5 (???) - so it can work with them. Even so, you should have the clients pointing to the internal Windows DNS servers as the other posters have said.
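An added example, not part of the thread, that does in code what Mamba described two posts up (comparing SRV answers from the BIND servers with those from the AD DNS) and records the point aval makes about "non-authoritative": it parses a netlogon.dns file, asks each server for every SRV name a DC expects to have published, and reports records a server is missing, records it returns that the DC never published (stale manual entries), and names it answered without the AA bit, meaning it does not host the zone itself. The netlogon.dns content, the zone name ad.example and the two server answers are constructed stand-ins; no network is touched.

```python
"""Compare a DC's expected SRV records (netlogon.dns) against two DNS servers
and flag non-authoritative answers.

Added example; the netlogon.dns text and both servers' answers are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set

# One netlogon.dns SRV line: owner, TTL, class, type, priority, weight, port, target.
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


@dataclass(frozen=True, order=True)
class Srv:
    name: str
    priority: int
    weight: int
    port: int
    target: str


@dataclass
class Answer:
    records: Set[Srv]
    authoritative: bool  # AA flag in the DNS response header


Resolver = Callable[[str], Answer]  # SRV lookup of one name against one server


def parse_netlogon_dns(text: str) -> List[Srv]:
    """Keep only SRV lines; netlogon.dns also lists A and CNAME records."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if m:
            out.append(Srv(m["name"].lower(), int(m["prio"]), int(m["weight"]),
                           int(m["port"]), m["target"].lower()))
    return out


def compare_servers(expected: Iterable[Srv], resolvers: Dict[str, Resolver]) -> Dict[str, dict]:
    """Per server: 'missing' = expected records it does not return, 'extra' =
    records it returns that the DC never published, 'nonauthoritative' = names
    it answered without the AA bit (it is relaying, not hosting, the zone)."""
    want_by_name: Dict[str, Set[Srv]] = {}
    for rec in expected:
        want_by_name.setdefault(rec.name, set()).add(rec)
    report = {}
    for server, resolve in resolvers.items():
        missing, extra, nonauth = [], [], []
        for name in sorted(want_by_name):
            ans = resolve(name)
            missing += sorted(want_by_name[name] - ans.records)
            extra += sorted(ans.records - want_by_name[name])
            if ans.records and not ans.authoritative:
                nonauth.append(name)
        report[server] = {"missing": missing, "extra": extra, "nonauthoritative": nonauth}
    return report


# Constructed stand-in for %SystemRoot%\System32\config\netlogon.dns (names are examples).
NETLOGON_DNS = """\
; constructed sample in netlogon.dns format
ad.example. 600 IN A 10.0.0.11
_ldap._tcp.ad.example. 600 IN SRV 0 100 389 dc1.ad.example.
_ldap._tcp.ad.example. 600 IN SRV 0 100 389 dc2.ad.example.
_kerberos._tcp.ad.example. 600 IN SRV 0 100 88 dc1.ad.example.
_ldap._tcp.dc._msdcs.ad.example. 600 IN SRV 0 100 389 dc1.ad.example.
_gc._tcp.ad.example. 600 IN SRV 0 100 3268 dc1.ad.example.
"""


def _static_server(zone: Dict[str, Set[Srv]], authoritative: bool) -> Resolver:
    """Stand-in for a DNS server that answers from a fixed table (no network)."""
    return lambda name: Answer(set(zone.get(name, ())), authoritative)


def demo() -> Dict[str, dict]:
    expected = parse_netlogon_dns(NETLOGON_DNS)
    ad_zone: Dict[str, Set[Srv]] = {}
    for rec in expected:
        ad_zone.setdefault(rec.name, set()).add(rec)
    # Hand-maintained copy on the non-AD server: never received the GC record
    # and still carries a Kerberos entry for a DC that no longer exists.
    manual_zone = {n: set(rs) for n, rs in ad_zone.items() if n != "_gc._tcp.ad.example."}
    manual_zone["_kerberos._tcp.ad.example."].add(
        Srv("_kerberos._tcp.ad.example.", 0, 100, 88, "olddc.ad.example."))
    return compare_servers(expected, {
        "dc1 (AD-integrated)": _static_server(ad_zone, authoritative=True),
        "bind1 (manual copy, forwards)": _static_server(manual_zone, authoritative=False),
    })


if __name__ == "__main__":
    for server, findings in demo().items():
        print(server)
        for key, items in findings.items():
            print(f"  {key}: {len(items)}")
            for item in items:
                print("   ", item)
```

To run it against real servers, replace `_static_server` with a function built on dnspython: create `dns.resolver.Resolver(configure=False)`, set its `nameservers` to the one server's IP, call `resolve(name, "SRV")`, build `Srv` objects from each rdata's `priority`, `weight`, `port` and `target`, and take `authoritative` from `answer.response.flags & dns.flags.AA`. A name the server cannot answer (NXDOMAIN or no data) should become an empty `Answer` so it shows up under "missing".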
Mamba
Welcome Newcomer
19 Posts
Status: offline
Posted - 02/14/2008 : 12:54:59 PM

aval said: ..you should have the clients pointing to the internal Windows DNS servers
I suspected BIND was supporting the SRV records; else problems would be much worse. Is ^that "should" just best practice or are there technical reasons? I'm not picking nits...I'm trying to determine root cause for the earlier listed event IDs.
Meanwhile I am testing this out as a solution on one of the problem PCs which consistently logs 40961 warnings.
aval
Honorable But Hopeless Addict
USA
2089 Posts
Status: offline
Posted - 02/14/2008 : 1:49:51 PM

quote: Is ^that "should" just best practice or are there technical reasons?
The reasons I can think of could probably be both.
But when you say "external" do you mean ISP or another section of the company? The risks and problems would be more or less serious depending on that.
- Security - having all your DNS records available externally.
- Resolution time - if the path to the external DNS servers is a slow link.
- Reliability - if the link is not consistently available.
Otherwise, if the non-Windows DNS server meets the following criteria, it COULD, technically, work with Active Directory:
1. Supports the underscore character
2. Supports SRV records
3. Supports Dynamic Updates
Now, I think you can make it work without #3 but you're really making work for yourself.
You have how many computers? Around 200? That would be a lot of manual DNS registrations to do.
Mamba
Welcome Newcomer
19 Posts
Status: offline
Posted - 02/14/2008 : 2:18:54 PM

>That would be a lot of manual DNS registrations
The environment here is very static, plus it's the *nix team that handles the IP assignments and DNS updates so not my worry. And as I mentioned earlier, "external" just means not part of AD.
Changing the DNS IPs to point to the DCs (and flushing the cache) on that test client I mentioned hasn't made any improvement...it's still logging 40961 warnings. Unless a reboot is needed, but DNS changes should be dynamic.
Mamba
Welcome Newcomer
19 Posts
Status: offline
Posted - 07/21/2008 : 4:21:18 PM

Just FYI, the KB885887 hotfix did fix the problems, and is included in XP SP3, which we rolled out on release.
Mark Minasi
Chief cook and bottle washer
USA
9543 Posts
Status: online
Posted - 07/25/2008 : 09:49:21 AM

In case it's helpful, in Newsletter #30 I discuss the whys of how you set up an internal-only DNS zone like the one that you need for your AD.
Mark tweetin' at mminasi