| Author | Messages | |
dharding
Posts:24
 | | 11/17/2005 1:47 AM |
| I have 15 child domains in my AD forest. When using IAS (Nortel
VPN) as a RADIUS server on my root AD server, I can get clients to successfully
authenticate against all domains but 2. On these two domains, I get an IAS
event id error of 5052, 'There is no domain controller available for
domain SWSNM'. I've run DCDIAG and NETDIAG against these domains
and the tests pass. How does IAS locate domain controllers for
authentication? How can I troubleshoot this?
Devon Harding
Windows Systems Engineer
Southern Wine & Spirits
- BSG
954-602-2469
__________________________________
This message and any attachments are solely for the intended recipient
and may contain confidential or privileged information. If you are not
the intended recipient, any disclosure, copying, use or distribution of
the information included in the message and any attachments is
prohibited. If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this
message and any attachments. Thank You. | | | |
| joepochedley
Posts:6
 | | 11/17/2005 2:52 AM |
| DCs are located by querying DNS. Check and make sure the proper
SRV records for the two domains in question appear on the server that your IAS
is using for DNS. DNSLint may help you with this task.
Joe Pochedley
A computer terminal is not some clunky old television with a typewriter in
front of it. It is an interface where the mind and body can connect with the
universe and move bits of it about. -Douglas Adams
| | | |
| dharding
Posts:24
 | | 11/17/2005 3:51 AM |
| I ran DNSLint and it returned SRV records
for all DCs in that domain. I also ran ntdsutil to do a metadata
cleanup of any possible orphaned server and noticed that I get the following RPC
error when trying to connect to one of the existing DCs: 'DsBindW error
0x6ba(The RPC server is unavailable.)'
| | | |
| joepochedley
Posts:6
 | | 11/17/2005 4:25 AM |
| Hmm... Any replication problems with those servers in the past (or
currently)? Any Kerberos errors?
Joe Pochedley
| | | |
| dharding
Posts:24
 | | 11/17/2005 6:16 AM |
| No replication errors at all. Directory
Service logs are clean.
| | | |
| activedir3
Posts:0
 | | 11/17/2005 9:57 AM |
| Are members in those 2 domains having a UPN
suffix not in the namespace of the forest root?
Example:
Forest root suffixes: @company.net
Child suffixes: @child.forest.com
Are the users trying to log on using UPN or
domain\samaccountname?
Have you tried implicit Kerberos principal
(samaccountname@xxxxxxxxxxxxxxxxxxxxxxx)?
IAS is rather touchy when it comes to
mapping UPNs to correct domains...
You can also enable IAS debugging by
issuing on the IAS server:
netsh ras tracing * ENABLED
You will find detailed logs at %SystemRoot%\Tracing
Guy
| | | |
| dharding
Posts:24
 | | 11/17/2005 10:34 AM |
| The problem is the IAS server cannot find
any DCs in those domains. Also, I get the following error with the netsh
command:
C:\>netsh ras tracing * ENABLED
The following command was not found: ras tracing * ENABLED.
| | | |
| activedir3
Posts:0
 | | 11/18/2005 1:30 AM |
| Sorry, that should be:
netsh ras set tracing * ENABLED
Also take a look at the authentication flow
over here: http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=
(it's W2K specific, but from my experience
is not different from W2K3)
It will help you correlate the logs with what
is going on.
The error you are getting is quite generic
- several times I have seen IAS trying to look for a non-existing domain (based
on incorrect mapping of user account to account's domain) and resulting in this
exact error.
Remember that IAS receives a RADIUS
authentication request, which (depending on the auth method: MSCHAPv2, EAP-TLS,
PEAP, PAP, CHAP, etc...) might have the user/account pair in different
forms. The result is that IAS needs to apply additional logic to figure out the
account's domain.
Have you tried to authenticate with UPN or
Kerb principal instead of domain\username?
| | | |
| dharding
Posts:24
 | | 11/18/2005 3:10 AM |
| Well, first, we get this error stating that
IAS could not find any DC for the specified domain:
Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 5052
Date: 11/18/2005
Time: 9:44:29 AM
User: N/A
Computer: SWSAD1
Description:
There is no domain controller available for domain SWSNM.
Then, this is the next error for the
username in UPN form:
Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 3
Date: 11/18/2005
Time: 9:44:29 AM
User: N/A
Computer: SWSAD1
Description:
Access request for user gstest-nm@xxxxxxxxxxxxxxxx was discarded.
Fully-Qualified-User-Name = SWSNM\gstest-nm
NAS-IP-Address = 10.10.15.11
NAS-Identifier =
Called-Station-Identifier =
Calling-Station-Identifier =
Client-Friendly-Name = v1.domain.com
Client-IP-Address = 10.1.1.11
NAS-Port-Type = Virtual
NAS-Port = 5765
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Reason-Code = 6
Reason = The server is unavailable.
I need to figure out why the IAS can't
find the DCs. All the DNS entries are correct, DCDIAG, NETDIAG
& DNSLint all come out clean. Just doesn't make any sense.
| | | |
|
|
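The thread turns on one question: did IAS map the user to a domain that does not exist, or did it map the user correctly and then fail to reach a DC? The following added example (not code from any participant in the thread) answers that from exported event text by pairing each Event ID 3 discard with the Event ID 5052 entries. It assumes events are exported as blank-line-separated text in the layout posted above; the helper names, the `known_domains` input, and the sample values `example.test`, `OLDCORP` and `jdoe` are constructed placeholders.

```python
import re

# Constructed sample in the layout of the events posted in the thread.
# "example.test", "OLDCORP" and "jdoe" are placeholders, not thread values.
SAMPLE_EVENTS = r"""
Event ID: 5052
Description:
There is no domain controller available for domain SWSNM.

Event ID: 3
Description:
Access request for user gstest-nm@example.test was discarded.
Fully-Qualified-User-Name = SWSNM\gstest-nm
NAS-IP-Address = 10.10.15.11
NAS-Identifier =
Authentication-Provider = Windows
Reason-Code = 6
Reason = The server is unavailable.

Event ID: 5052
Description:
There is no domain controller available for domain OLDCORP.

Event ID: 3
Description:
Access request for user OLDCORP\jdoe was discarded.
Fully-Qualified-User-Name = OLDCORP\jdoe
Reason-Code = 6
Reason = The server is unavailable.
"""


def split_events(text):
    """Return [(event_id, description)] for blank-line-separated events."""
    out = []
    for block in re.split(r"\n\s*\n", text.strip()):
        m = re.search(r"^Event ID:\s*(\d+)", block, re.M)
        if m:
            body = block.partition("Description:")[2].strip()
            out.append((int(m.group(1)), body))
    return out


def name_form(user):
    """Classify how the client presented the identity to the RADIUS server."""
    if "\\" in user:
        return "down-level"   # DOMAIN\user
    if "@" in user:
        return "upn"          # user@suffix
    return "bare"             # no realm at all


def parse_discard(body):
    """Pull the presented name, resolved domain and reason code from Event ID 3."""
    m = re.search(r"Access request for user (\S+) was discarded", body)
    # [ \t]* (not \s*) so an empty value does not swallow the next line.
    attrs = dict(re.findall(r"^([A-Za-z-]+)[ \t]*=[ \t]*(.*)$", body, re.M))
    fq = attrs.get("Fully-Qualified-User-Name", "")
    code = attrs.get("Reason-Code", "")
    return {
        "presented": m.group(1) if m else "",
        "domain": fq.split("\\", 1)[0].upper() if "\\" in fq else None,
        "reason_code": int(code) if code.isdigit() else None,
    }


def triage(text, known_domains):
    """Map each discarded user to a verdict.

    known_domains: NetBIOS names of the domains that really exist in the
    forest (an input the administrator supplies; assumption of this example).
    """
    known = {d.upper() for d in known_domains}
    events = split_events(text)
    # Domains for which the server logged "no domain controller available".
    no_dc = set()
    for event_id, body in events:
        if event_id == 5052:
            m = re.search(r"available for domain (\S+?)\.?$", body, re.M)
            if m:
                no_dc.add(m.group(1).upper())
    results = {}
    for event_id, body in events:
        if event_id != 3:
            continue
        d = parse_discard(body)
        if d["domain"] is None:
            verdict = "unmapped"          # name never resolved to a domain
        elif d["domain"] not in known:
            verdict = "unknown-domain"    # mapped to a domain that does not exist
        elif d["domain"] in no_dc:
            verdict = "dc-unreachable"    # mapping is right; DC lookup or bind failed
        else:
            verdict = "other"             # look at the reason code instead
        results[d["presented"]] = {
            "form": name_form(d["presented"]),
            "domain": d["domain"],
            "reason_code": d["reason_code"],
            "verdict": verdict,
        }
    return results


if __name__ == "__main__":
    for user, info in triage(SAMPLE_EVENTS, {"SWSNM"}).items():
        print(user, info)
```

A `dc-unreachable` verdict points at DNS resolution and RPC connectivity as seen from the IAS server itself, while `unknown-domain` points at how the presented name is being mapped to a domain.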