problem browsing active directory resources on remote domains

Dear All,
I have the following problem and I hope you can give me some tips to solve
it.
I administer a child domain of an Active Directory forest.
In this forest there is a root domain connected to other 10 child domains at
the same level. All the child domains are connected to the root domain with
a VPN tunnel.

The problem is that when I try to browse the AD resources from ADUC of a
specific child domain I can't and I receive the following error, please note
that I can Ping the domain controller of this child domain. This problem is
only with a specific domain, and it's working with all other 8 domains.

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 4/17/2009
Time: 4:59:05 PM
User: N/A
Computer: DOMAINCONTROLLERCENTER1
Description:
The Security System detected an authentication error for the server
ldap/domaincontrollerCENTER2.xx.yyy.ORG/yy.yyy.ORG@xx.yyy.ORG. The failure
code from authentication protocol Kerberos was "There are currently no logon
servers available to service the logon request.
(0xc000005e)".

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0 ^..À


Thank you for your help.
Carlo

Hello Carlettus,

It seems like there is DNS related issue here. How is your dns configured?
Does the child domain have its own dns servers?

--
Isaac Oben [MCTIP:EA, MCSE]
"Carlettus" <bionews@community.nospam> wrote in message
news:%230L9J72vJHA.3676@TK2MSFTNGP06.phx.gbl...
> Dear All,
> I have the following problem and I hope you can give me some tips to solve
> it.
> I administer a child domain of an Active Directory forest.
> In this forest there is a root domain connected to other 10 child domains
> at the same level. All the child domains are connected to the root domain
> with a VPN tunnel.
>
> The problem is that when I try to browse the AD resources from ADUC of a
> specific child domain I can't and I receive the following error, please
> note that I can Ping the domain controller of this child domain. This
> problem is only with a specific domain, and it's working with all other 8
> domains.
>
> Event Type: Warning
> Event Source: LSASRV
> Event Category: SPNEGO (Negotiator)
> Event ID: 40960
> Date: 4/17/2009
> Time: 4:59:05 PM
> User: N/A
> Computer: DOMAINCONTROLLERCENTER1
> Description:
> The Security System detected an authentication error for the server
> ldap/domaincontrollerCENTER2.xx.yyy.ORG/yy.yyy.ORG@xx.yyy.ORG. The
> failure code from authentication protocol Kerberos was "There are
> currently no logon servers available to service the logon request.
> (0xc000005e)".
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 5e 00 00 c0 ^..À
>
>
> Thank you for your help.
> Carlo
>

Hello Carlettus

Cab be DNS, but you can ping DCNAME.FQDN?? Can you telnet to port 135, 445
on the PDC emulator on the problem domain, maybe the VPN id blocking the
ports required for comms.

Cheers


--
Garry Starck
MCITP, MCTS AD, MCSE 2003 Messaging, MCDBA


"Carlettus" wrote:

> Dear All,
> I have the following problem and I hope you can give me some tips to solve
> it.
> I administer a child domain of an Active Directory forest.
> In this forest there is a root domain connected to other 10 child domains at
> the same level. All the child domains are connected to the root domain with
> a VPN tunnel.
>
> The problem is that when I try to browse the AD resources from ADUC of a
> specific child domain I can't and I receive the following error, please note
> that I can Ping the domain controller of this child domain. This problem is
> only with a specific domain, and it's working with all other 8 domains.
>
> Event Type: Warning
> Event Source: LSASRV
> Event Category: SPNEGO (Negotiator)
> Event ID: 40960
> Date: 4/17/2009
> Time: 4:59:05 PM
> User: N/A
> Computer: DOMAINCONTROLLERCENTER1
> Description:
> The Security System detected an authentication error for the server
> ldap/domaincontrollerCENTER2.xx.yyy.ORG/yy.yyy.ORG@xx.yyy.ORG. The failure
> code from authentication protocol Kerberos was "There are currently no logon
> servers available to service the logon request.
> (0xc000005e)".
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 5e 00 00 c0 ^..À
>
>
> Thank you for your help.
> Carlo
>
>

Hello Carlettus,

Make sure that the time is not ouf of sync with the PDCEmulator over 5 minutes.
Also check this one:
http://support.microsoft.com/kb/325850

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Dear All,
> I have the following problem and I hope you can give me some tips to
> solve
> it.
> I administer a child domain of an Active Directory forest.
> In this forest there is a root domain connected to other 10 child
> domains at
> the same level. All the child domains are connected to the root domain
> with
> a VPN tunnel.
> The problem is that when I try to browse the AD resources from ADUC of
> a specific child domain I can't and I receive the following error,
> please note that I can Ping the domain controller of this child
> domain. This problem is only with a specific domain, and it's working
> with all other 8 domains.
>
> Event Type: Warning
> Event Source: LSASRV
> Event Category: SPNEGO (Negotiator)
> Event ID: 40960
> Date: 4/17/2009
> Time: 4:59:05 PM
> User: N/A
> Computer: DOMAINCONTROLLERCENTER1
> Description:
> The Security System detected an authentication error for the server
> ldap/domaincontrollerCENTER2.xx.yyy.ORG/yy.yyy.ORG@xx.yyy.ORG. The
> failure
> code from authentication protocol Kerberos was "There are currently no
> logon
> servers available to service the logon request.
> (0xc000005e)".
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 5e 00 00 c0 ^..À
> Thank you for your help.
> Carlo

Dear All,
thank you for your emails.
I can ping both DCNAME.FQDN at the remote site and got the telnet working.
I'll ask the administrator of the remote domain to check if there are any
sync issue at his side.
Thank you for your kind help

Carlo



"Garry Starck - MCITP" <vjsparx@REMOVE_CAPS_INVALIDhotmail.com> wrote in
message news:4782AA8F-7629-428B-BF59-DF9021802115@microsoft.com...
> Hello Carlettus
>
> Cab be DNS, but you can ping DCNAME.FQDN?? Can you telnet to port 135, 445
> on the PDC emulator on the problem domain, maybe the VPN id blocking the
> ports required for comms.
>
> Cheers
>
>
> --
> Garry Starck
> MCITP, MCTS AD, MCSE 2003 Messaging, MCDBA
>
>
> "Carlettus" wrote:
>
>> Dear All,
>> I have the following problem and I hope you can give me some tips to
>> solve
>> it.
>> I administer a child domain of an Active Directory forest.
>> In this forest there is a root domain connected to other 10 child domains
>> at
>> the same level. All the child domains are connected to the root domain
>> with
>> a VPN tunnel.
>>
>> The problem is that when I try to browse the AD resources from ADUC of a
>> specific child domain I can't and I receive the following error, please
>> note
>> that I can Ping the domain controller of this child domain. This problem
>> is
>> only with a specific domain, and it's working with all other 8 domains.
>>
>> Event Type: Warning
>> Event Source: LSASRV
>> Event Category: SPNEGO (Negotiator)
>> Event ID: 40960
>> Date: 4/17/2009
>> Time: 4:59:05 PM
>> User: N/A
>> Computer: DOMAINCONTROLLERCENTER1
>> Description:
>> The Security System detected an authentication error for the server
>> ldap/domaincontrollerCENTER2.xx.yyy.ORG/yy.yyy.ORG@xx.yyy.ORG. The
>> failure
>> code from authentication protocol Kerberos was "There are currently no
>> logon
>> servers available to service the logon request.
>> (0xc000005e)".
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>> Data:
>> 0000: 5e 00 00 c0 ^..À
>>
>>
>> Thank you for your help.
>> Carlo
>>
>>

Hi Carlo,

Thank you for posting in Newsgroup.

According to your description, I understand that you are an administrator
of a child domain of an Active Directory forest and you find that you
cannot connect to another child domain from your child domain.

Based on the failure code "There are currently no logon servers available
to service the logon request.", the possible cause could be:

" The SRV records are not correct.

I understand that you can ping the DCNAME.FQDN, but it just indicates that
the A record of the domain controller is correct.

" The required port are blocked by firewall.

Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/default.aspx/kb/832017

Please run the following command on the computer where you run the ADUC
console, and let me know the result:

Nltest /dsgetdc:childdomain /force

Note: Please replace the "childdomain" with the exact name of the child
domain that you fail to connect.

Sincerely,
Joson Zhou
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Hi Carlo,

How are you?

I wan to check the current status of issue. Has it been resolved? Please
feel free to respond to the newsgroups if I can assist further.

Sincerely,
Joson Zhou
Microsoft Online Support
Microsoft Global Technical Support Center

Dear Joson and All of you ,
thank you again for your help.
The problem was that the administrator of the other domain had blocked the
following ports on the VPN tunnel:
Port # 88
Port # 3269.
port # 636

Now, after a short discussion and action, I can browse the ad resources on
the other domain.
Thank you again I really appreciate your help.

Glad to hear that. Have a nice day.

Joson