Re: RPC server is unavailable
"HawleyBeach" <HawleyBeach@discussions.microsoft.com> wrote in message
news:7ACECE40-63AC-4047-9146-E2530484FCA6@microsoft.com...
> Hi,
> I have installed Windows 2003 Server at home and configured it as a domain
> controller named contoso.com as per Microsoft practice.
What specifically did you configure "per Microsoft practice"?
(When you say such things we don't have a clue what you did.)
> The server is
> connected to an ADSL broadband router, I am hoping to add a client PC to this
> domain controller. Prior to doing so, I did a dcdiag test and received error as
> below:
>
> C:\Documents and Settings\Administrator.GATEWAY>dcdiag
>
> Domain Controller Diagnosis
>
> Performing initial setup:
> [gateway] Directory Binding Error 1722:
> The RPC server is unavailable.
> This may limit some of the tests that can be performed.
> Done gathering initial info.
>
Chances are you didn't choose to install the DNS Server, or make
the DNS zone (for the domain), or make it dynamic, or you didn't
set the DC to use STRICTLY the DNS server which holds that
zone which supports AD.
You might have done this by making the DC a "DHCP client" and
getting its IP settings (with DNS) automatically.
[I am pretty sure I answered this exact question for you several days
ago too.]
You are likely to have a lot of trouble if you try to run two NICs in
the DCs -- most people here recommend that you never multihome
DCs. It CAN be done successfully but it requires a lot of knowledge
and careful understanding and attention.
The Client as well must point STRICTLY to the internal DNS server
on the NIC->IP properties.
You will generally configure the DNS server for FORWARD (server
properties->Forwarding tab) to the Gateway or ISP address you
WOULD have used if you didn't have a domain or other internal
resources defined on an internal DNS server.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
Re: RPC server is unavailable
Hi Martin,
Sorry for the confusion, I am attempting the practice in 70-290 MS Press
training kit to join a client to domain. However, I do not have much
experience in networking to resolve this problem.
> > C:\Documents and Settings\Administrator.GATEWAY>dcdiag
> >
> > Domain Controller Diagnosis
> >
> > Performing initial setup:
> > [gateway] Directory Binding Error 1722:
> > The RPC server is unavailable.
> > This may limit some of the tests that can be performed.
> > Done gathering initial info.
> >
>
> Chances are you didn't choose to install the DNS Server, or make
> the DNS zone (for the domain), or make it dynamic, or you didn't
> set the DC to use STRICTLY the DNS server which holds that
> zone which supports AD.
>
I have checked DNS server service is started, I can see that DNS zone is
automatically configured when I use Active Directory installation wizard to
create the domain, the setting of DNS zone is as shown:
http://i132.photobucket.com/albums/q11/plee61/DNS.jpg. I am not sure how to
examine if the DNS zone is configured as dynamic.
> You might have done this by making the DC a "DHCP client" and
> getting its IP settings (with DNS) automatically.
>
On domain controller, I have already fixed the IP and DNS server address on
TCPIP setting as shown:
http://i132.photobucket.com/albums/q11/plee61/TCPIP.jpg
> [I am pretty sure I answered this exact question for you several days
> ago too.]
>
> You are likely to have a lot of trouble if you try to run two NICs in
> the DCs -- most people here recommend that you never multihome
> DCs. It CAN be done successfully but it requires a lot of knowledge
> and careful understanding and attention.
>
I have only one NIC. When I go to control panel->network connections I can
only see local area connection.
> The Client as well must point STRICTLY to the internal DNS server
> on the NIC->IP properties.
>
I have already set the DNS server address of the client pointing to IP of
Domain controller. I am able to ping from client to DC and vice versa. When I
type ping contoso.com on client, I am getting the IP of DC.
> You will generally configure the DNS server for FORWARD (server
> properties->Forwarding tab) to the Gateway or ISP address you
> WOULD have used if you didn't have a domain or other internal
> resources defined on an internal DNS server.
>
Do you mean the forwarder tab when I right click on the DNS server in DNS
MMC? If so, is the configuration correct as shown:
http://i132.photobucket.com/albums/q11/plee61/DNS.jpg
I ran dcdiag on domain controller again, I still get Directory Binding Error 1722:
The RPC server is unavailable.
Thanks for your help.
Re: RPC server is unavailable
"HawleyBeach" <HawleyBeach@discussions.microsoft.com> wrote in message
news:EBA81217-27E7-46F1-93DD-355550562BF0@microsoft.com...
> Hi Martin,
> Sorry for the confusion, I am attempting the practice in 70-290 MS Press
> training kit to join a client to domain. However, I do not have much
> experience in networking to resolve this problem.
No apologies necessary and I won't apologize for correcting your
mistakes or misunderstandings <grin>, ok?
>> > C:\Documents and Settings\Administrator.GATEWAY>dcdiag
>> >
>> > Domain Controller Diagnosis
>> >
>> > Performing initial setup:
>> > [gateway] Directory Binding Error 1722:
>> > The RPC server is unavailable.
>> > This may limit some of the tests that can be performed.
>> > Done gathering initial info.
>> >
>>
>> Chances are you didn't choose to install the DNS Server, or make
>> the DNS zone (for the domain), or make it dynamic, or you didn't
>> set the DC to use STRICTLY the DNS server which holds that
>> zone which supports AD.
>>
> I have checked DNS server service is started, I can see that DNS zone is
> automatically configured when I use Active Directory installation wizard to
> create the domain, the setting of DNS zone is as shown:
> http://i132.photobucket.com/albums/q11/plee61/DNS.jpg. I am not sure how to
> examine if the DNS zone is configured as dynamic.
Likely DNS services is correct since the _UNDERSCORE subdomains are there
but you have a multi-homed DC which is DIFFICULT to get correct -- most
people will tell you flat out "don't do that" but I am a bit more flexible.
>> You might have done this by making the DC a "DHCP client" and
>> getting its IP settings (with DNS) automatically.
>>
> On domain controller, I have already fixed the IP and DNS server address on
> TCPIP setting as shown:
> http://i132.photobucket.com/albums/q11/plee61/TCPIP.jpg
For these settings the picture is a POOR choice; what I need is the
ACTUAL TEXT from running "IPConfig /all >File.txt".
Then I can see all of the IPs and DNS settings etc.
You are going to have to override (at a minimum) the DNS server
on those external NICs to point to ONLY your internal DNS if
this is a DC (or even a member machine.) Otherwise the machine
will -- sometimes -- go out to the Internet looking for internal DNS
and fail.
>> [I am pretty sure I answered this exact question for you several days
>> ago too.]
>>
>> You are likely to have a lot of trouble if you try to run two NICs in
>> the DCs -- most people here recommend that you never multihome
>> DCs. It CAN be done successfully but it requires a lot of knowledge
>> and careful understanding and attention.
>>
> I have only one NIC. When I go to control panel->network connections I can
> only see local area connection.
Ok, but if you show me "IPconfig /all" I will see that too.
I see THREE IP addresses that this DNS server is "listening on" -- they
are in multiple subnets too so they strongly IMPLY multiple NICs but
don't guarantee that.
Why three IPs for this machine if it has one NIC? (Sometimes makes sense
but it is an advanced idea and you said you were new <grin>).
Also you named it "GATEWAY" which again strongly IMPLIES that it is
a multi-homed router. Why is it named GATEWAY? (It can be named
anything but this would confuse most people.<GRIN>)
>> The Client as well must point STRICTLY to the internal DNS server
>> on the NIC->IP properties.
>>
> I have already set the DNS server address of the client pointing to IP of
> Domain controller. I am able to ping from client to DC and vice versa. When I
> type ping contoso.com on client, I am getting the IP of DC.
Good, but this is a minimum. You must also NOT set anything that is an
EXTERNAL DNS.
Same goes for the DC as I mentioned above - DCs are internal DNS clients
too.
>> You will generally configure the DNS server for FORWARD (server
>> properties->Forwarding tab) to the Gateway or ISP address you
>> WOULD have used if you didn't have a domain or other internal
>> resources defined on an internal DNS server.
>>
> Do you mean the forwarder tab when I right click on the DNS server in DNS
> MMC?
Yes.
> If so, is the configuration correct as shown:
> http://i132.photobucket.com/albums/q11/plee61/DNS.jpg
Looks like you pasted the same picture as you used for the Zone instead
of the Forwarder picture. (This is another one that really requires the
picture but you don't really need me to look -- just fill in the ISP
DNS server[s] there and optionally select "Do Not use recursion.")
> I ran dcdiag on domain controller again, I still get Directory Binding Error 1722:
> The RPC server is unavailable.
Likely the CLIENT DNS Settings ON THE DC are still wrong but I need
that "IPConfig /all >file.txt".
> Thanks for your help.
Sure. We like helping people who are trying to learn.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
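The checks described in the reply above (DC not a DHCP client, no second IP or NIC, client-side DNS servers limited to the internal DNS server) can be run over the text of "IPConfig /all >File.txt". This is an added example, not part of the thread: the function names are hypothetical, the sample addresses are constructed, and it assumes the indented layout and Windows Server 2003-era field labels of the real command output.

```python
import ipaddress
import re

# Constructed sample in the indented "ipconfig /all" layout (not output from the thread).
SAMPLE = """\
Windows IP Configuration
   Host Name . . . . . . . . . . . . : dc1

Ethernet adapter LAN:
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.200
   DNS Servers . . . . . . . . . . . : 192.168.1.200
                                       203.0.113.53

Ethernet adapter WAN:
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 198.51.100.7
   DNS Servers . . . . . . . . . . . : 203.0.113.53
"""

HEADER = re.compile(r"^(?:\S+ )?adapter (.+):$")
FIELD = re.compile(r"^\s+(.+?)[\s.]*:\s*(.*)$")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_adapters(text):
    """Return {adapter name: {field label: [values]}} from ipconfig /all text."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line starts a new section
            m = HEADER.match(line.strip())
            current = adapters.setdefault(m.group(1), {}) if m else None
            last = None
        elif current is None:
            continue  # global block before the first adapter
        elif last and _is_ip(line.strip()):
            current[last].append(line.strip())  # continuation of a multi-value field
        else:
            m = FIELD.match(line)
            if m:
                last = m.group(1)
                values = current.setdefault(last, [])
                if m.group(2).strip():
                    values.append(m.group(2).strip())
    return adapters


def audit_dc(text, internal_dns):
    """Return (kind, detail) findings for the DNS client settings of a DC."""
    allowed = {ipaddress.ip_address(a) for a in internal_dns}
    findings = []
    adapters = {n: f for n, f in parse_adapters(text).items() if f.get("IP Address")}
    ips = [ip for f in adapters.values() for ip in f["IP Address"]]
    if len(ips) > 1:  # more than one address: multihomed or multi-IP host
        findings.append(("multihomed", ", ".join(ips)))
    for name, fields in adapters.items():
        if "Yes" in fields.get("DHCP Enabled", []):
            findings.append(("dhcp-client", name))
        for server in fields.get("DNS Servers", []):
            if ipaddress.ip_address(server) not in allowed:
                findings.append(("external-dns", f"{name} -> {server}"))
    return findings
```

Call `audit_dc(text, [...])` with the list of internal DNS server addresses; an empty result means none of the three conditions was found.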
Re: RPC server is unavailable
> > I have checked DNS server service is started, I can see that DNS zone is
> > automatically configured when I use Active Directory installation wizard to
> > create the domain, the setting of DNS zone is as shown:
> > http://i132.photobucket.com/albums/q11/plee61/DNS.jpg. I am not sure how to
> > examine if the DNS zone is configured as dynamic.
>
> Likely DNS services is correct since the _UNDERSCORE subdomains are there
> but you have a multi-homed DC which is DIFFICULT to get correct -- most
> people will tell you flat out "don't do that" but I am a bit more flexible.
>
What do you mean multi-homed DC and how do you tell? Should I better fix it
so that it is not multi-homed DC?
> >> You might have done this by making the DC a "DHCP client" and
> >> getting its IP settings (with DNS) automatically.
> >>
> > On domain controller, I have already fixed the IP and DNS server address on
> > TCPIP setting as shown:
> > http://i132.photobucket.com/albums/q11/plee61/TCPIP.jpg
>
> For these settings the picture is a POOR choice; what I need is the
> ACTUAL TEXT from running "IPConfig /all >File.txt".
>
> Then I can see all of the IPs and DNS settings etc.
Windows IP Configuration ON DOMAIN CONTROLLER
Host Name . . . . . . . . . . . . : gateway
Primary Dns Suffix . . . . . . . : contoso.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : contoso.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NETGEAR FA311/FA312 PCI Adapter
Physical Address. . . . . . . . . : 00-0F-B5-FE-6A-D1
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.200
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 127.0.0.1
> You are going to have to override (at a minimum) the DNS server
> on those external NICs to point to ONLY your internal DNS if
> this is a DC (or even a member machine.) Otherwise the machine
> will -- sometimes -- go out to the Internet looking for internal DNS
> and fail.
Based on the ipconfig /all above, is the DNS server overridden correctly? If
no, where do I override external NIC as you mentioned with internal DNS?
>
> I see THREE IP addresses that this DNS server is "listening on" -- they
> are in multiple subnets too so they strongly IMPLY multiple NICs but
> don't guarantee that.
>
> Why three IPs for this machine if it has one NIC? (Sometimes makes sense
> but it is an advanced idea and you said you were new <grin>).
OK, should I remove ISP DNS address on DNS MMC (forwarder tab) and use only
internal DNS Server address?
> Also you named it "GATEWAY" which again strongly IMPLIES that it is
> a multi-homed router. Why is it named GATEWAY? (It can be named
> anything but this would confuse most people.<GRIN>)
I didn't know GATEWAY is used in TCPIP setting when I install Wins 2003 on
this computer ;-)
> > If so, is the configuration correct as shown:
> > http://i132.photobucket.com/albums/q11/plee61/DNS.jpg
>
> Looks like you pasted the same picture as you used for the Zone instead
> of the Forwarder picture. (This is another one that really requires the
> picture but you don't really need me to look -- just fill in the ISP
> DNS server[s] there and optionally select "Do Not use recursion.")
Done, please have a look at the configuration on forwarders and interface:
http://i132.photobucket.com/albums/q.../forwarder.jpg
> > I ran dcdiag on domain controller again, I still get Directory Binding Error 1722:
> > The RPC server is unavailable.
>
> Likely the CLIENT DNS Settings ON THE DC are still wrong but I need
> that "IPConfig /all >file.txt".
>
Already attached IPConfig /all above.
Re: RPC server is unavailable
Hi Martin,
At this point on Domain controller, I have configured a fixed IP on TCPIP
setting and set the DNS Server address on NIC pointing to the same IP,
therefore making the DNS server internal.
I added primary and secondary DNS servers provided by ISP (external) to the
list of DNS MMC -> DNS Server -> property -> forwarder tab so that all DNS
queries that cannot be answered by internal DNS server will be forwarded to
the external DNS.
DNS Server addresses on TCPIP setting should not be set with external DNS
addresses to make sure all DNS queries are attended internally first. Am I
right?
Interface tab on DNS MMC -> DNS server -> property should always have the
same IP setting as DNS Server address on TCPIP. Am I right? If yes, what is
the purpose of having Interface tab?
Before I stop/start net logon, I added Internal and both external DNS server
addresses to trust on ZoneAlarm firewall. Then I stop, start net logon,
netdiag /fix. Below is the result of dcdiag I ran lastly, the Initial error
1722 RPC Server unavailable is resolved but fail test on netlogon access
denied etc:
C:\Documents and Settings\Administrator.GATEWAY>dcdiag
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\GATEWAY
Starting test: Connectivity
......................... GATEWAY passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\GATEWAY
Starting test: Replications
......................... GATEWAY passed test Replications
Starting test: NCSecDesc
......................... GATEWAY passed test NCSecDesc
Starting test: NetLogons
[GATEWAY] An net use or LsaPolicy operation failed with error 5,
Access
is denied..
......................... GATEWAY failed test NetLogons
Starting test: Advertising
......................... GATEWAY passed test Advertising
Starting test: KnowsOfRoleHolders
......................... GATEWAY passed test KnowsOfRoleHolders
Starting test: RidManager
......................... GATEWAY passed test RidManager
Starting test: MachineAccount
Could not open pipe with [GATEWAY]:failed with 5: Access is denied.
Could not get NetBIOSDomainName
Failed can not test for HOST SPN
Failed can not test for HOST SPN
* Missing SPN :(null)
* Missing SPN :(null)
......................... GATEWAY failed test MachineAccount
Starting test: Services
Could not open Remote ipc to [GATEWAY]:failed with 5: Access is
denied.
......................... GATEWAY failed test Services
Starting test: ObjectsReplicated
......................... GATEWAY passed test ObjectsReplicated
Starting test: frssysvol
[GATEWAY] An net use or LsaPolicy operation failed with error 5,
Access
is denied..
......................... GATEWAY failed test frssysvol
Starting test: frsevent
......................... GATEWAY failed test frsevent
Starting test: kccevent
Failed to enumerate event log records, error Access is denied.
......................... GATEWAY failed test kccevent
Starting test: systemlog
Failed to enumerate event log records, error Access is denied.
......................... GATEWAY failed test systemlog
Starting test: VerifyReferences
......................... GATEWAY passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : contoso
Starting test: CrossRefValidation
......................... contoso passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... contoso passed test CheckSDRefDom
Running enterprise tests on : contoso.com
Starting test: Intersite
......................... contoso.com passed test Intersite
Starting test: FsmoCheck
......................... contoso.com passed test FsmoCheck
C:\Documents and Settings\Administrator.GATEWAY>
Re: RPC server is unavailable
Hi Martin,
Thanks for the analogy of ports.
Unfortunately, the version of ZoneAlarm I have doesn't come with custom
setting for ports. I was trying out ISA server but encountered an error (related
to domain controller) during installation. Besides, is ISA server 2006 the
right solution as a firewall?
Another question is, do I have to add an authorised server on DHCP MMC?
Thanks
Re: RPC server is unavailable
"HawleyBeach" <HawleyBeach@discussions.microsoft.com> wrote in message
news:0E207A10-B425-4C85-8DCB-BB6C09105EEA@microsoft.com...
> Hi Martin,
> Thanks for the analogy of ports.
>
> Unfortunately, the version of ZoneAlarm I have doesn't come with custom
> setting for ports. I was trying out ISA server but encountered an error (related
> to domain controller) during installation. Besides, is ISA server 2006 the
> right solution as a firewall?
Generally it is a good solution for a "Router/NAT firewall" not for a
"personal" or "machine specific" firewall like a DC needs.
A DC really should not be a router, nor should it be directly on the
Internet -- the firewall (ISA, hardware, etc) for the router should be
on a separate box.
There is a "BASIC/Firewall" in the RRAS component of the Server
product. You can use that; it is simple and probably sufficient IF you
keep this server behind a hardware firewall and take very good care
of it.
> Another question is, do I have to add an authorised server on DHCP MMC?
Last I checked: No, but you SHOULD authorize the DHCP server and then
they ALL (running the Windows Server version) will require
authorization.
Authorizing the FIRST one will protect you from "rogue" DHCP servers
running on Windows Server (but not XP, 95, hardware, NT, Linux, etc.)
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
Re: RPC server is unavailable
Hi Martin,
> > Unfortunately, the version of ZoneAlarm I have doesn't come with custom
> > setting for ports. I was trying out ISA server but encountered an error (related
> > to domain controller) during installation. Besides, is ISA server 2006 the
> > right solution as a firewall?
>
> Generally it is a good solution for a "Router/NAT firewall" not for a
> "personal" or "machine specific" firewall like a DC needs.
>
> A DC really should not be a router, nor should it be directly on the
> Internet -- the firewall (ISA, hardware, etc) for the router should be
> on a separate box.
IPCONFIG /All shows that Enabled IP Routing is turned on, should I turn it
off (using registry)?
> There is a "BASIC/Firewall" in the RRAS component of the Server
> product. You can use that; it is simple and probably sufficient IF you
> keep this server behind a hardware firewall and take very good care
> of it.
I have enabled RRAS with NAT/ Basic Firewall. As shown in the screen shot
http://i132.photobucket.com/albums/q11/plee61/RRAS.jpg
I have added some ports in Local Area connection interface. There is one
problem with private address on "Edit Server" tab, I am forced to enter a
valid IP, if I leave the private address blank or with 0.0.0.0 I will get
error 'invalid private address'.
Please advise if the configuration for opening these ports are correct.
Since I have enabled RRAS, does it mean I have enabled routing on this DC?
> > Another question is, do I have to add an authorised server on DHCP MMC?
>
> Last I checked: No, but you SHOULD authorize the DHCP server and then
> they ALL (running the Windows Server version) will require
> authorization.
>
> Authorizing the FIRST one will protect you from "rogue" DHCP servers
> running on Windows Server (but not XP, 95, hardware, NT, Linux, etc.)
I have enabled DHCP server as
shown: http://i132.photobucket.com/albums/q11/plee61/DHCP.jpg
What do you mean the FIRST one? I have only one DHCP that is
gateway.contoso.com and is it not supposed to run on this Windows Server?
Having done all, I shut down ZA and reboot server. Restart, ran dcdiag but
still get the same error with access denied on net logon:
Testing server: Default-First-Site-Name\GATEWAY
Starting test: Replications
......................... GATEWAY passed test Replications
Starting test: NCSecDesc
......................... GATEWAY passed test NCSecDesc
Starting test: NetLogons
[GATEWAY] An net use or LsaPolicy operation failed with error 5,
Access
is denied..
......................... GATEWAY failed test NetLogons
Starting test: Advertising
......................... GATEWAY passed test Advertising
Starting test: KnowsOfRoleHolders
......................... GATEWAY passed test KnowsOfRoleHolders
Starting test: RidManager
......................... GATEWAY passed test RidManager
Starting test: MachineAccount
Could not open pipe with [GATEWAY]:failed with 5: Access is denied.
Could not get NetBIOSDomainName
Failed can not test for HOST SPN
Failed can not test for HOST SPN
* Missing SPN :(null)
* Missing SPN :(null)
......................... GATEWAY failed test MachineAccount
Starting test: Services
Could not open Remote ipc to [GATEWAY]:failed with 5: Access is
denied.
......................... GATEWAY failed test Services
Starting test: ObjectsReplicated
......................... GATEWAY passed test ObjectsReplicated
Starting test: frssysvol
[GATEWAY] An net use or LsaPolicy operation failed with error 5,
Access
is denied..
......................... GATEWAY failed test frssysvol
Starting test: frsevent
......................... GATEWAY failed test frsevent
Starting test: kccevent
Failed to enumerate event log records, error Access is denied.
......................... GATEWAY failed test kccevent
Starting test: systemlog
Failed to enumerate event log records, error Access is denied.
......................... GATEWAY failed test systemlog
Starting test: VerifyReferences
......................... GATEWAY passed test VerifyReferences
On event viewer, error on Group policy related:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 19/01/2007
Time: 3:27:23 PM
User: NT AUTHORITY\SYSTEM
Computer: GATEWAY
Description:
Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this.
Many thanks for your patience!