Can't Connect to Shared Drives

[AngelicKnight]

Ok, now it's getting interesting.

I just ran browmon on this suspicious BDC, and sure enough the results are...odd.

It shows the proper PDC (note I say "PDC" here somewhat lightly, as according to M$, W2k doesn't assign a PDC...but you guys know what I mean -- the equivalent master role assigned this server), with it's state as online. Ok, all is well. But the next few collumns just don't make sense:

Type: Unknown
Servers: Unknown
Domains: Unknown

It lists two other W2k servers and identifies them as type Windows NT 5.0, 27 servers, 3 domains, but for some reason this all comes back as "unknown" for the PDC.

Note this BDC in question is fully patched.

[morganlefay]

Sorry Angelic if I missed it somewhere...are all the servers W2K???

The data server is a member server?? SP level?

What SP is the DC ??

What SP is the BDC??

The problem is if the PDC is doing the authentication using the updates...they are not being replicated or passed on properly.

Also...after you removed the updates ...did you reinstall the SP and other updates...I have one 2k server...that every so often a database update knocks the SP level down a notch...and the SP needs to be reapplied...must be a lanman thing.

Although I have never figures it out...I just reapply the SP and it all works again.

You know...cause this all started with a security patch update...you may be able to get free support from MS

http://support.microsoft.com/gp/securityitpro

No-Charge Support
1-866-PCSAFETY
or
1-866-727-2338
This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada.

They may have a work around for you?

MLF

[AngelicKnight]

Heh, boss won't let me call MS because we have "licensing" issues.

Yes, the entire network is nothing but W2k.

Let me take a look at those SP levels...Ok, everything looks to be SP4, even the servers missing hotfix patches.

[AngelicKnight]

Ok, just ran browstat on the BDC in question. It identifies the PDC no problem, as well as BDCs, but then check this out:

Could not connect to registry, error = 5
Unable to determine build of browser master: 5
Unable to determine server information for browser master: 5
Unable to retrieve server list from [PDC]: 64

That tell you anything?

<edit> Found this googling:

The error 5 is "access denied". You have to have administrative access to open
the registry (determine build) across the network.

Odd thing is, this IS with administrative access!

<edit 2> More googling uncovered that the error 64 message means "The specified network name is no longer available."

What the?!

[sec_ware]

Hi

I still cannot provide very constructive ideas, but your error message 5 sounds like
you have no access to the master browser from your "BDC" (remote registry),
which might also be reflected by the behaviour of the browser service.
/edit: ie: your bdc cannot obtain a proper browser list, and therefore, the
network neighborhood cannot be used, however you can connect doing a map
manually using the IP number. The problematic workstation seems to connect to
the "BDC", and therefore also suffers of this. Now, what causes this problem...

Just a thought: Might be something messed up with the ACL's while installing the
patches ?!

Just a reader: I have found 2 interesting resources, which however, might not
be of interest anymore...

[1] sequence for name lookups
[2] browser service resources

/edit.
oups, to quote morganlefay

The problem is if the PDC is doing the authentication using the updates...they are not being replicated or passed on properly.

Cheers

[1] http://expertanswercenter.techtarget...975461,00.html
[2] http://labmice.techtarget.com/networ...rowsersrvc.htm

[morganlefay]

AK

One thing we used to do to resolve outlook connectivity issues in NT4 ...was to edit the HOSTS file on the client and add the IP address and server name

127.0.0.1 LOCALHOST
xxx.xx.xx.x SERVERNAME

Maybe worth a try?? on the client and BDC...just map all your servers in there...you can always change it back.
It required a reboot in NT4 ....not sure bout w2k


Maybe worth a try...although I think that the credentials are getting F&%ked do to the patch levels not being the same

MLF

EDIT\ make sure you save the file with no extension just HOSTS
Default location C:\winnt\system32\drivers\etc

[AngelicKnight]

Just a thought: Might be something messed up with the ACL's while installing the
patches ?!

Good idea...I checked out permissions in the PDC's AD regarding access to this particular BDC, and it turns out the net admin user group (which I'm logged in under when running these tests) did not have full permissions, specifically lacking permission to alter the subtree. I'm not sure if that's related, but it's worth a shot, so I allowed permission there, and I'm about to see what happens next...

<edit> Didn't see your post there, Morgan. I'll look into that.

[AngelicKnight]

Bingo.

Whoever suggested a replication error (was it RoadClosed?) looks to have been right on the money.

One of our BDCs keeps mysteriously being promoted to PDC and kicking the PDC back down to BDC. So, I tried demoting this particular BDC to resolve that. Guess what? Demotion failed because of a replication error.

That's gotta be it. I've had similar replication problems with the global catalog before, and I never could figure out what was causing it. So I bet this is our gremlin.

<edit> Might there be a manual (alternative) process by which means to bypass the replication problem and demote the server anyway?

[AngelicKnight]

Ok, here's the next piece to the puzzle:

I read this here:

As part of the demotion process, the DCPROMO utility removes the configuration data for the domain controller from the Active Directory. This data takes the form of an "NTDS Settings" object, which exists as a child to the server object in the Active Directory Sites and Services Manager.

The information is in the following location in the Active Directory:

CN=NTDS Settings,CN=&lt;servername&gt;,
CN=Servers,CN=&lt;sitename&gt;,CN=Sites,
CN=Configuration,DC=&lt;domain&gt;...

But in my AD, in the specified location, I only see this:

Name: &lt;automatically generated&gt;
From server: (PDC name)
From site: Default-First-Site-Name
Type: Connection

And that's it. No other entries. I then right-click that and select "replicate now" and then I get the following error:

The target principal name is incorrect.

[morganlefay]

IMHO

You can bandaid your setup...and maybe it will work ...for now

But you will continue to have problems until you can bring all the servers up to the same patch level

Oh and by the way

Whoever suggested a replication error (was it RoadClosed?) looks to have been right on the money.

That was me

The problem is if the PDC is doing the authentication using the updates...they are not being replicated or passed on properly.

MLF