Domain controller is not functioning correctly
Article ID: 837513
When you run the Dcdiag tool on a Microsoft Windows 2000 Server-based domain controller or on a Windows Server 2003-based domain controller, you may receive the following error message:
Performing initial setup:
[DC1] LDAP bind failed with error 31
When you run the REPADMIN /SHOWREPS utility locally on a domain controller, you may receive one of the following error messages:
[D:\nt\private\ds\src\util\repadmin\repinfo.c, 389] LDAP error 82 (Local Error).
Last attempt @ yyyy-mm-dd hh:mm.ss failed, result 1753: There are no more endpoints available from the endpoint mapper.
Last attempt @ yyyy-mm-dd hh:mm.ss failed, result 5: Access is denied.
If you use Active Directory Sites and Services to trigger replication, you may receive a message that indicates that access is denied.
When you try to use network resources from the console of an affected domain controller, including Universal Naming Convention (UNC) resources or mapped network drives, you may receive the following error message:
No logon servers available (c000005e = "STATUS_NO_LOGON_SERVERS")
If you start any Active Directory administrative tools from the console of an affected domain controller, including Active Directory Sites and Services and Active Directory Users and Computers, you may receive one of the following error messages:
Naming information cannot be located because: No authority could be contacted for authentication. Contact your system administrator to verify that your domain is properly configured and is currently online.
Naming information cannot be located because: Target account name is incorrect. Contact your system administrator to verify that your domain is properly configured and is currently online.
Microsoft Outlook clients that are connected to Microsoft Exchange Server computers that are using affected domain controllers for authentication may be prompted for logon credentials, even though there is successful logon authentication from other domain controllers.
The Netdiag tool may display the following error messages:
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to <servername>.<fqdn> (<ip address>). [ERROR_DOMAIN_CONTROLLER_NOT_FOUND]
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for krbtgt/<fqdn>.
[FATAL] Kerberos does not have a ticket for <hostname>.
LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC <hostname>\<fqdn>
The following event may be logged in the system event log of the affected domain controller:
Event Type: Error
There are several resolutions for these symptoms. The following is a list of methods to try. The list is followed by steps to perform each method. Try each method until the problem is resolved. Microsoft Knowledge Base articles that describe less common fixes for these symptoms are listed later.
Method 1: Fix DNS errors
(http://support.microsoft.com/kb/291382/) Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS
(http://support.microsoft.com/kb/237675/) Setting up the Domain Name System for Active Directory
(http://support.microsoft.com/kb/254680/) DNS namespace planning
(http://support.microsoft.com/kb/255248/) How to create a child domain in Active Directory and delegate the DNS namespace to the child domain
Method 2: Synchronize the time between computers
Verify that the time is correctly synchronized between domain controllers. Additionally, verify that the time is correctly synchronized between client computers and domain controllers.
For more information about how to configure the Windows Time service, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/258059/) How to synchronize the time on a Windows 2000-based computer in a Windows NT 4.0 domain
(http://support.microsoft.com/kb/216734/) How to configure an authoritative time server in Windows 2000
Method 3: Check the "Access this computer from the network" user rights
Modify the Gpttmpl.inf file to confirm that the appropriate users have the Access this computer from the network user right on the domain controller. To do this, follow these steps:
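The following Python is an added example, not part of the original article: it reads the [Privilege Rights] section of a Gpttmpl.inf file and reports which principals lack SeNetworkLogonRight (the "Access this computer from the network" right) and which are explicitly denied it. The REQUIRED baseline, the function names and the sample template are assumptions constructed for illustration; the SIDs are well-known Windows SIDs.

```python
# Added example: audit SeNetworkLogonRight in a Gpttmpl.inf security template.
# REQUIRED is an assumed baseline for this sketch, not a list from the article.
REQUIRED = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-9": "Enterprise Domain Controllers",
}
EVERYONE = "S-1-1-0"  # granting Everyone covers every principal above

# Constructed sample; a real Gpttmpl.inf is usually UTF-16 on disk.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeDenyNetworkLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
"""

def privilege_rights(inf_text):
    """Parse [Privilege Rights] into {right: [SID or account name, ...]}."""
    rights, section = {}, ""
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line and line[0] != ";":
            name, _, value = line.partition("=")
            rights[name.strip()] = [
                p.strip().lstrip("*") for p in value.split(",") if p.strip()
            ]
    return rights

def audit_network_logon(inf_text, required=REQUIRED):
    """Return which required SIDs lack the right and who is explicitly denied."""
    rights = privilege_rights(inf_text)
    granted = rights.get("SeNetworkLogonRight")
    if granted is None:  # right not defined in this template
        return {"defined": False, "missing": [], "denied": []}
    missing = [] if EVERYONE in granted else [
        name for sid, name in required.items() if sid not in granted]
    return {"defined": True, "missing": missing,
            "denied": rights.get("SeDenyNetworkLogonRight", [])}

if __name__ == "__main__":
    print(audit_network_logon(SAMPLE_INF))
```

Entries that a template stores as account names instead of *SID values are compared literally and are not resolved to SIDs here.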
Method 4: Verify that the domain controller's userAccountControl attribute is 532480
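The value 532480 is 0x82000, which is SERVER_TRUST_ACCOUNT (0x2000) combined with TRUSTED_FOR_DELEGATION (0x80000). The following Python is an added example, not part of the original article: it decodes a userAccountControl value and reports which documented flags are missing or unexpected compared with 532480; the function names and the sample values are constructed for illustration.

```python
# Added example: compare a DC's userAccountControl with the value in Method 4.
EXPECTED_DC_UAC = 532480  # from the article; equals 0x82000

# Documented userAccountControl bits (subset relevant to computer accounts).
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
KNOWN_MASK = sum(UAC_FLAGS)  # all bits this table can name


def flag_names(bits):
    """Names of the known flags set in bits, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if bits & bit]


def check_dc_uac(value, expected=EXPECTED_DC_UAC):
    """Report how value differs from the expected domain controller setting."""
    return {
        "ok": value == expected,
        "missing": flag_names(expected & ~value),
        "extra": flag_names(value & ~expected),
        "unnamed_bits": hex(value & ~expected & ~KNOWN_MASK),
    }


if __name__ == "__main__":
    # Constructed sample values, e.g. as read from the DC's computer object.
    for sample in (532480, 4096, 8192, 532482):
        print(sample, hex(sample), check_dc_uac(sample))
```

A result of 4096 (WORKSTATION_TRUST_ACCOUNT only) shows a computer account that is flagged as a member workstation or server rather than as a domain controller.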
Method 5: Fix the Kerberos realm (confirm that the PolAcDmN registry key and the PolPrDmN registry key match)
Note This method is valid only for Windows 2000 Server.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows
Method 6: Reset the machine account password, and then obtain a new Kerberos ticket
For more information about this issue, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/325322/) "The server is not operational" error message when you try to open Exchange System Manager
(http://support.microsoft.com/kb/284929/) Cannot start Active Directory snap-ins; error message states that no authority could be contacted for authentication
(http://support.microsoft.com/kb/257623/) The DNS suffix of the computer name of a new domain controller may not match the name of the domain after you install upgrade a Windows NT 4.0 Primary domain controller to Windows 2000
(http://support.microsoft.com/kb/257346/) "Access This Computer from the Network" user right causes tools not to work
(http://support.microsoft.com/kb/316710/) Disabled Kerberos key distribution prevents Exchange services from starting
(http://support.microsoft.com/kb/329642/) Error messages when you open Active Directory snap-ins and Exchange System Manager
(http://support.microsoft.com/kb/272686/) Error messages occur when Active Directory Users and Computers snap-in is opened
(http://support.microsoft.com/kb/323542/) You cannot start the Active Directory Users and Computers tool because the server is not operational
(http://support.microsoft.com/kb/329887/) You cannot interact with Active Directory MMC snap-ins
(http://support.microsoft.com/kb/325465/) Windows 2000 domain controllers require SP3 or later when using Windows Server 2003 administration tools
(http://support.microsoft.com/kb/322267/) Removing Client for Microsoft Networks removes other services
(http://support.microsoft.com/kb/297234/) Time difference exists between the client and the server
(http://support.microsoft.com/kb/247151/) Down-level domain users may receive an error message when starting MMC snap-ins
(http://support.microsoft.com/kb/280833/) Failure to specify all DNS zones in proxy client leads to DNS failures that are difficult to track
(http://support.microsoft.com/kb/322307/) Cannot start Exchange Services or Active Directory snap-ins after you install Service Pack 2 (SP2) for Windows 2000
Article ID: 837513 - Last Review: April 25, 2007 - Revision: 2.3