When you run the Dcdiag tool on a Microsoft Windows
2000 Server-based domain controller or on a Windows Server 2003-based domain
controller, you may receive the following error message:
Performing initial setup:
[DC1] LDAP bind
failed with error 31
When you run the REPADMIN /SHOWREPS utility
locally on a domain controller, you may receive one of the following error messages:
[D:\nt\private\ds\src\util\repadmin\repinfo.c, 389] LDAP
error 82 (Local Error).
Last attempt @ yyyy-mm-dd hh:mm.ss failed, result 1753: There are no more endpoints available from the endpoint mapper.
Last attempt @ yyyy-mm-dd hh:mm.ss failed, result 5: Access is denied.
If you use Active Directory Sites and Services to trigger replication, you may receive a message that indicates that access is denied.
When you try to use network resources
from the console of an affected domain controller, including Universal Naming
Convention (UNC) resources or mapped network drives, you may receive the
following error message:
No logon servers available
(c000005e = "STATUS_NO_LOGON_SERVERS")
If you start any Active
Directory administrative tools from the console of an affected domain
controller, including Active Directory Sites and Services and Active Directory
Users and Computers, you may receive one of the following error messages:
Naming information cannot be located because: No
authority could be contacted for authentication. Contact your system
administrator to verify that your domain is properly configured and is
Naming information cannot be
located because: Target account name is incorrect. Contact your system
administrator to verify that your domain is properly configured and is
Microsoft Outlook clients that are connected to
Microsoft Exchange Server computers that are using affected domain controllers
for authentication may be prompted for logon credentials, even though there is
successful logon authentication from other domain controllers.
The Netdiag tool may display the following error messages:
list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to
<servername>.<fqdn> (<ip address>).
Kerberos test. . . . . . . . . . . :
[FATAL] Kerberos does not have a ticket for krbtgt/<fqdn>.
[FATAL] Kerberos does not have a ticket for <hostname>.
test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN
registration on DC <hostname>\<fqdn>
following event may be logged in the system event log of the affected domain
Event Type: Error
Source: Service Control Manager
Event ID: 7023
Kerberos Key Distribution Center service terminated with the following error:
The security account manager (SAM) or local security authority (LSA) server was
in the wrong state to perform the security operation.
There are several resolutions for these symptoms. The
following is a list of methods to try. The list is followed by steps to perform
each method. Try each method until the problem is resolved. Microsoft Knowledge
Base articles that describe less common fixes for these symptoms are listed
- Method 1: Fix Domain Name System (DNS) errors.
- Method 2: Synchronize the time between
- Method 3: Check the Access this computer from the
network user rights.
- Method 4: Verify that the domain controller's
userAccountControl attribute is 532480.
- Method 5: Fix the Kerberos realm (confirm that the PolAcDmN
registry key and the PolPrDmN registry key match).
- Method 6: Reset the machine account password, and then
obtain a new Kerberos ticket.
Method 1: Fix DNS errors
- At a command prompt, run the netdiag -v command. This command creates a Netdiag.log file in the folder
where the command was run.
- Resolve any DNS errors in the Netdiag.log file before you
continue. The Netdiag tool is in the Windows 2000 Server Support Tools on the
Windows 2000 Server CD-ROM or as a download. To download the Windows 2000
Server Support Tools, visit the following Microsoft Web site:
- Make sure that DNS is configured correctly. One of the most
common DNS mistakes is to point the domain controller to an Internet Service
Provider (ISP) for DNS instead of pointing DNS to itself or to another DNS
server that supports dynamic updates and SRV records. We recommend that you
point the domain controller to itself or to another DNS server that supports
dynamic updates and SRV records. We recommend that you set up forwarders to the
ISP for name resolution on the Internet.
For more information
about configuring DNS for Active Directory directory service, click the
following article numbers to view the articles in the Microsoft Knowledge Base:
Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS
Setting up the Domain Name System for Active Directory
DNS namespace planning
How to create a child domain in Active Directory and delegate the DNS namespace to the child domain
Method 2: Synchronize the time
Verify that the time is correctly synchronized between domain
controllers. Additionally, verify that the time is correctly synchronized
between client computers and domain controllers.
For more information about how to configure
the Windows Time service, click the following article numbers to view the
articles in the Microsoft Knowledge Base:
How to synchronize the time on a Windows 2000-based computer in a Windows NT 4.0 domain
How to configure an authoritative time server in Windows 2000
Method 3: Check the "Access this computer from the network" user rights
Modify the Gpttmpl.inf file to confirm that the appropriate users
have the Access this computer from the network
user right on
the domain controller. To do this, follow these steps:
- Modify the Gpttmpl.inf file for the Default Domain
Controllers Policy. By default, the Default Domain Controllers Policy is where
user rights are defined for a domain controller. By default, the Gpttmpl.inf
file for the Default Domain Controllers Policy is located in the following
Note Sysvol may be in a different location, but the path for the
Gpttmpl.inf file will be the same.
For Windows Server 2003 domain
For Windows 2000 Server domain controllers:
- To the right of the SeNetworkLogonRight entry, add the
security identifiers for Administrators, for Authenticated Users, and for
Everyone. See the following examples.
For Windows Server 2003 domain
2000 Server domain controllers:
Note Administrators (S-1-5-32-544), Authenticated Users (S-1-5-11),
Everyone (S-1-1-0), and Enterprise Controllers (S-1-5-9) use well-known
security identifiers that are the same in every domain.
- Remove any entries to the right of the
SeDenyNetworkLogonRight entry (Deny access to this computer
from the network) to match the following
Note The example is the same for Windows 2000 Server and for Windows
By default, Windows 2000 Server has no entries in the
SeDenyNetworkLogonRight entry. By default, Windows Server 2003 has only the
Support_<random string> account in the
SeDenyNetworkLogonRight entry. (The Support_<random string>
account is used by Remote Assistance.) Because the
Support_<random string> account uses a different
security identifier (SID) in every domain, the account is not easily
distinguishable from a typical user account just by looking at the SID. You may
want to copy the SID to another text file, and then remove the SID from the
SeDenyNetworkLogonRight entry. That way, you can put it back when you are
finished troubleshooting the problem.
SeDenyNetworkLogonRight can be defined in any policy. If the previous steps do
not resolve the issue, check the Gpttmpl.inf file in other policies in Sysvol
to confirm that the user rights are not also being defined there. If a
Gpttmpl.inf file contains no reference to SeNetworkLogonRight or to
SeDenyNetworkLogonRight, those settings are not defined in the policy and that
policy is not causing this issue. If those entries do exist, make sure that
they match the settings listed earlier for the Default Domain Controller
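The two template entries that Method 3 asks you to inspect by hand can also be checked programmatically. The following is an added example written for this page, not code from the Microsoft article or from any Microsoft tool: it parses the INI-style [Privilege Rights] section of a Gpttmpl.inf copied out of Sysvol, confirms that SeNetworkLogonRight grants the four well-known SIDs the article names, and reports anything left in SeDenyNetworkLogonRight. The two template texts embedded at the bottom are constructed for the demo (the article's own example lines are not reproduced), and the UTF-16 handling in read_template_file reflects how Group Policy normally saves the file.

```python
"""Audit the [Privilege Rights] section of a Gpttmpl.inf security template.

Added example, not part of the Microsoft article or of any Microsoft tool.
It parses the INI-style template that Group Policy stores under Sysvol and
checks the two entries Method 3 is about: SeNetworkLogonRight must grant the
four well-known SIDs the article lists, and SeDenyNetworkLogonRight should
carry nothing that blocks the domain controller itself. The template text
at the bottom is constructed for the demo.
"""
import configparser
import sys

# Well-known SIDs named in the article; they are identical in every domain.
REQUIRED_NETWORK_LOGON_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-11": "Authenticated Users",
    "S-1-1-0": "Everyone",
    "S-1-5-9": "Enterprise Domain Controllers",
}


def read_template_file(path):
    """Gpttmpl.inf is normally written as UTF-16 with a BOM; fall back to ANSI."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("mbcs" if sys.platform == "win32" else "cp1252")


def parse_privilege_rights(template_text):
    """Return {right_name: [entry, ...]} from the [Privilege Rights] section.

    Each SID in the template carries a leading '*'; the prefix is stripped.
    An entry without '*' is an account name the editor could not resolve and
    is returned as written. A right present with an empty value maps to [].
    """
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.optionxform = str  # keep the SeXxx casing instead of lower-casing
    parser.read_string(template_text)
    rights = {}
    if parser.has_section("Privilege Rights"):
        for name, value in parser.items("Privilege Rights"):
            entries = [e.strip() for e in value.split(",") if e.strip()]
            rights[name] = [e[1:] if e.startswith("*") else e for e in entries]
    return rights


def check_network_logon_rights(rights, default_dc_policy=True, keep_denied=()):
    """Return a list of findings; an empty list means the template matches Method 3.

    default_dc_policy=False applies the article's rule for other GPOs in Sysvol:
    a right that is absent from the template is not defined by that policy and
    is not a finding. keep_denied lists SIDs deliberately left in the deny
    right (for example a documented Remote Assistance account).
    """
    findings = []
    granted = rights.get("SeNetworkLogonRight")
    if granted is None:
        if default_dc_policy:
            findings.append("SeNetworkLogonRight is not defined in the Default Domain Controllers Policy")
    else:
        for sid, label in REQUIRED_NETWORK_LOGON_SIDS.items():
            if sid not in granted:
                findings.append(f"SeNetworkLogonRight is missing {label} ({sid})")
    for entry in rights.get("SeDenyNetworkLogonRight", []):
        if entry not in keep_denied:
            findings.append(f"SeDenyNetworkLogonRight contains {entry}; remove it while troubleshooting")
    return findings


# Constructed sample: a healthy Default Domain Controllers Policy after Method 3.
GOOD_TEMPLATE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-1-0,*S-1-5-9
SeDenyNetworkLogonRight =
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: Everyone was removed from the allow right and a
# domain-specific SID (made up for the demo) was added to the deny right.
BAD_TEMPLATE = """[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-9
SeDenyNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1120
"""


if __name__ == "__main__":
    # Pass the path of a Gpttmpl.inf to audit a real file; otherwise run the demo.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = read_template_file(path) if path else BAD_TEMPLATE
    for finding in check_network_logon_rights(parse_privilege_rights(text)) or ["OK"]:
        print(finding)
```

Run it against the Gpttmpl.inf of the Default Domain Controllers Policy first, then against the templates of the other policies in Sysvol with default_dc_policy=False, which is exactly the distinction the article draws: a policy that never mentions either right is not the cause, while the Default Domain Controllers Policy must define SeNetworkLogonRight.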
Method 4: Verify that the domain controller's userAccountControl attribute is 532480
- Click Start, click Run,
and then type adsiedit.msc.
- Expand Domain NC, expand
DC=domain, and then expand
- Right-click the affected domain controller, and then click
- In Windows Server 2003, click to select the Show
mandatory attributes check box and the Show optional
attributes check box on the Attribute Editor tab. In
Windows 2000 Server, click Both in the Select which
properties to view box.
- In Windows Server 2003, click
userAccountControl in the Attributes box. In
Windows 2000 Server, click userAccountControl in the
Select a property to view box.
- If the value is not 532480, type
532480 in the Edit Attribute box, click
Set, click Apply, and then click
- Quit ADSI Edit.
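The number 532480 in Method 4 is not arbitrary: it is the bitmask SERVER_TRUST_ACCOUNT (0x2000) combined with TRUSTED_FOR_DELEGATION (0x80000), which is what a domain controller's computer object should carry and nothing more. The following is an added example, not code from the Microsoft article, that decodes a userAccountControl value into its flag names and lists which bits differ from the expected value. The flag names and masks are the documented userAccountControl bits; the per-flag notes on what a deviation means for a domain controller are this example's own reading of Method 4.

```python
"""Decode and sanity-check a domain controller's userAccountControl value.

Added example, not part of the Microsoft article. Method 4 expects the
attribute to be 532480; this shows what that number encodes and names the
individual bits that are wrong when it is not. The flag names and masks are
the documented userAccountControl bits; which deviations matter for a DC is
this example's own reading of Method 4.
"""

# Documented userAccountControl bits, name -> mask.
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}

# The value Method 4 asks for: a DC is a server trust account that is
# trusted for Kerberos delegation, and nothing else is set.
EXPECTED_DC_UAC = UAC_FLAGS["SERVER_TRUST_ACCOUNT"] | UAC_FLAGS["TRUSTED_FOR_DELEGATION"]
assert EXPECTED_DC_UAC == 532480  # 0x82000


def decode_uac(value):
    """Return the names of the bits set in value, lowest bit first; bits not in the table as hex."""
    names = []
    remaining = value
    for name, mask in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1]):
        if value & mask:
            names.append(name)
            remaining &= ~mask
    if remaining:
        names.append(f"UNKNOWN_{remaining:#x}")
    return names


def diagnose_dc_uac(value):
    """Explain how value differs from 532480 for a domain controller's computer object.

    Returns [] when the value matches. Otherwise each entry names one offending
    bit, either a required bit that is missing or an extra bit that is set, with
    a short note for the cases that matter most to authentication.
    """
    if value == EXPECTED_DC_UAC:
        return []
    notes = {
        "ACCOUNTDISABLE": "the DC's own computer account is disabled",
        "WORKSTATION_TRUST_ACCOUNT": "account type is member computer, not domain controller",
        "NORMAL_ACCOUNT": "account type is user, not domain controller",
        "SERVER_TRUST_ACCOUNT": "the DC is not marked as a server trust account",
        "TRUSTED_FOR_DELEGATION": "the DC is not trusted for delegation",
    }
    problems = []
    for name, mask in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1]):
        expected = bool(EXPECTED_DC_UAC & mask)
        actual = bool(value & mask)
        if expected and not actual:
            problems.append(f"missing {name}: {notes.get(name, 'required for a DC')}")
        elif actual and not expected:
            problems.append(f"unexpected {name}: {notes.get(name, 'clear this bit')}")
    unknown = value & ~sum(UAC_FLAGS.values())
    if unknown:
        problems.append(f"unexpected bits not in this table {unknown:#x}")
    return problems


if __name__ == "__main__":
    # Constructed sample values: the expected DC value, a member-server value,
    # and the expected value with the account disabled.
    for sample in (532480, 4096, 532482):
        print(sample, decode_uac(sample), diagnose_dc_uac(sample) or "OK")
```

Reading the value this way is also the quickest way to tell a wrong attribute from a merely unfamiliar one: a DC whose computer object shows 4096 has been turned into a workstation trust account, which is a very different failure from a DC whose value carries an extra ACCOUNTDISABLE bit.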
Method 5: Fix the Kerberos realm (confirm that the PolAcDmN registry key and the PolPrDmN registry key match)
Note This method is valid only for Windows 2000
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
- Start Registry Editor.
- In the left pane, expand
- On the Security menu, click
Permissions to grant the Administrators local group Full
Control of the SECURITY hive and its child containers and objects.
- Locate the HKEY_LOCAL_MACHINE\SECURITY\Policy\PolPrDmN
- In the right pane of Registry Editor, click the
<No Name>: REG_NONE entry one time.
- On the View menu, click Display
Binary Data. In the Format section of the dialog box,
- The domain name appears as a string in the right side of
the Binary Data dialog box. The domain name is the same as the
- Locate the HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAcDmN
- In the right pane of Registry Editor, double-click the
<No Name>: REG_NONE entry.
- In the Binary Editor dialog box, paste the
value from PolPrDmN. (The value from PolPrDmN will be the NetBIOS domain
- Restart the domain controller.
Method 6: Reset the machine account password, and then obtain a new Kerberos ticket
- Stop the Kerberos Key Distribution Center service, and then
set the startup value to Manual.
- Use the Netdom tool from the Windows 2000 Server Support
Tools or from the Windows Server 2003 Support Tools to reset the domain
controller's machine account password:
/server:another domain controller
Make sure that the netdom command
is returned as completed successfully. If it is not, the command did not work.
For the domain Contoso, where the affected domain controller is DC1, and a
working domain controller is DC2, you run the following netdom command from the console of DC1:
netdom resetpwd /server:DC2 /userd:contoso\administrator
- Restart the affected domain controller.
- Start the Kerberos Key Distribution Center service, and
then set the startup setting to Automatic.
For more information about this issue,
click the following article numbers to view the articles in the Microsoft
"The server is not operational" error message when you try to open Exchange System Manager
Cannot start Active Directory snap-ins; error message states that no authority could be contacted for authentication
The DNS suffix of the computer name of a new domain controller may not match the name of the domain after you upgrade a Windows NT 4.0 Primary domain controller to Windows 2000
"Access This Computer from the Network" user right causes tools not to work
Disabled Kerberos key distribution prevents Exchange services from starting
Error messages when you open Active Directory snap-ins and Exchange System Manager
Error messages occur when Active Directory Users and Computers snap-in is opened
You cannot start the Active Directory Users and Computers tool because the server is not operational
You cannot interact with Active Directory MMC snap-ins
Windows 2000 domain controllers require SP3 or later when using Windows Server 2003 administration tools
Removing Client for Microsoft Networks removes other services
Time difference exists between the client and the server
Down-level domain users may receive an error message when starting MMC snap-ins
Failure to specify all DNS zones in proxy client leads to DNS failures that are difficult to track
Cannot start Exchange Services or Active Directory snap-ins after you install Service Pack 2 (SP2) for Windows 2000