DNS, Intersite Messaging, Global Catalog, NTFRS, and "Invalid Credentials" Error Messages on Domain Controller


This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy.

Symptoms


On a domain controller that runs Windows 2000, Event Viewer may log the following Domain Name System (DNS) events every 12 to 15 minutes:

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4000
Description: The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
Data: 0000: f5 25 00 00


Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4013
Description: The DNS server was unable to open the Active Directory. This DNS server is configured to use directory service information and cannot operate without access to the directory. The DNS server will wait for the directory to start. If the DNS server is started but the appropriate event has not been logged, then the DNS server is still waiting for the directory to start.
Data: 0000: f5 25 00 00


These events are logged even though Active Directory (AD) appears to be running, logons are successful, and various AD tools work.

When you try to move a DNS zone, you may receive an error message that says, "The data on the Primary zone failed to set; AD service is not available."

If you run the command DCDiag /test:services /v, you may find that the Intersite Messaging Service is not started.

In addition, Event Viewer may record the following Directory Service events:

Event Type: Warning
Event Source: NTDS Intersite Messaging
Event Category: Intersite Messaging
Event ID: 1473
Description: The Intersite Messaging Service failed to read the configuration of the Intersite Transports out of the Directory. The error message is as follows:

Unable to update the password. The value provided as the current password is incorrect.

The service has stopped. It will be necessary to correct the problem and restart the service in order for intersite communication to occur. The KCC will be unable to calculate intersite topology without this service. There may be a problem retrieving data from the LDAP server. Please verify that LDAP queries are succeeding on this machine. You may also wish to try restarting the Intersite Messaging Service manually. The record data is the status code.
Data: 0000: 2b 05 00 00


Event Type: Error
Event Source: NTDS Intersite Messaging
Event Category: Internal Processing
Event ID: 1168
Description: Error 997(3e5) has occurred (Internal ID 11000252). Please contact Microsoft Product Support Services for assistance.

Event Type: Error
Event Source: NTDS Intersite Messaging
Event Category: Internal Processing
Event ID: 1168
Description: Error 49(31) has occurred (Internal ID 11000251). Please contact Microsoft Product Support Services for assistance.

Event Type: Error
Event Source: NTDS Intersite Messaging
Event Category: Internal Processing
Event ID: 1168
Description: Error 49(31) has occurred (Internal ID 11000250). Please contact Microsoft Product Support Services for assistance.

The Application Log for the Intersite Messaging service may record the following event:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Description: The Intersite Messaging service terminated with the following error:

Unable to update the password. The value provided as the current password is incorrect.


The following events that pertain to communication with the global catalog may also be recorded:

Event Type: Warning
Event Source: NTDS General
Event Category: Global Catalog
Event ID: 1655
Description: The attempt to communicate with global catalog \\computername.SoftwareManager.TheSoftwareManager.com failed with the following status:

Access is denied.

The operation in progress might be unable to continue. The directory service will use the locator to try to find an available global catalog server for the next operation that requires one.

The record data is the status code.
Data: 0000: 05 00 00 00


Event Type: Error
Event Source: NTDS General
Event Category: Global Catalog
Event ID: 1126
User: Everyone
Description: Unable to establish connection with global catalog.


Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
User: NT AUTHORITY\SYSTEM
Description: Windows cannot determine the user or computer name. Return value (5).


There are no events in the File Replication service (FRS) log to show that Active Directory is up and ready, and running the DCDiag FRSSysVol test may not succeed.

If you run the command ntfrsutl sets, you may find that nothing is listed in active replica sets.

If LDAP binds are made in the system context by using Kerberos, the binds may not work. However, the same binds may succeed with NTLM. A network trace reveals a failed LDAP bind, and you receive the following error message:

W8009030C LdapErr: DSID-0C0903E2, comment: AcceptSecurityContext error, data 52f, v893.

Finally, running the command ntfrsutl DS may result in an error on ldap_open, along with the following error message:

Error: 0x00000031 = Invalid Credentials.
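
Several of the events above end with "The event data is the error code." The data bytes are a little-endian DWORD, so "f5 25 00 00" is 0x25F5 = 9717, "2b 05 00 00" is 0x052B = 1323, and "05 00 00 00" is 5. The following Python is an added example, not part of this article: it decodes such data lines and correlates the DNS, Intersite Messaging, and global catalog events listed in the Symptoms section. The status code names are from the Windows SDK (winerror.h and the LDAP result codes); the event list and sample input are constructed for the example.

```python
import re
import struct

# Status codes that the event data in this article decodes to.
# Names come from winerror.h / LDAP result codes; this lookup is the
# example's own, not text from the article.
KNOWN_CODES = {
    5: "ERROR_ACCESS_DENIED",
    49: "LDAP_INVALID_CREDENTIALS",
    997: "ERROR_IO_PENDING",
    1323: "ERROR_WRONG_PASSWORD",
    9717: "DNS_ERROR_DS_UNAVAILABLE",
}

# (Event Source, Event ID) -> subsystem, covering the Symptoms section.
SYMPTOM_EVENTS = {
    ("DNS", 4000): "dns", ("DNS", 4013): "dns",
    ("NTDS Intersite Messaging", 1473): "ism",
    ("NTDS Intersite Messaging", 1168): "ism",
    ("Service Control Manager", 7023): "ism",
    ("NTDS General", 1655): "gc", ("NTDS General", 1126): "gc",
}

DATA_RE = re.compile(r"^Data:\s*[0-9A-Fa-f]{4}:\s*((?:[0-9A-Fa-f]{2}\s*)+)$")

def decode_event_data(line):
    """Decode a 'Data: 0000: f5 25 00 00' line as a little-endian DWORD.
    Returns (code, symbolic name or None)."""
    m = DATA_RE.match(line.strip())
    if not m:
        raise ValueError("not an event data line: %r" % line)
    raw = bytes.fromhex(m.group(1).replace(" ", ""))
    code = struct.unpack("<I", raw[:4].ljust(4, b"\0"))[0]
    return code, KNOWN_CODES.get(code)

def correlate(events):
    """events: iterable of (source, event_id) pairs. Returns the set of
    subsystems (dns, ism, gc) reporting one of the article's events."""
    return {SYMPTOM_EVENTS[e] for e in events if e in SYMPTOM_EVENTS}

def looks_like_acl_lockdown(events):
    """True when at least two subsystems fail together; with logons still
    working, that is the signature to check SYSVOL/NTDS permissions for."""
    return len(correlate(events)) >= 2

# Constructed sample mirroring the article's event list, plus one unrelated event.
SAMPLE_EVENTS = [("DNS", 4000), ("DNS", 4013), ("NTDS Intersite Messaging", 1473),
                 ("Service Control Manager", 7023), ("NTDS General", 1655),
                 ("Security", 4624)]

if __name__ == "__main__":
    for data in ("Data: 0000: f5 25 00 00", "Data: 0000: 2b 05 00 00"):
        print(data, "->", decode_event_data(data))
    print(correlate(SAMPLE_EVENTS), looks_like_acl_lockdown(SAMPLE_EVENTS))
```

Decoding 1323 to ERROR_WRONG_PASSWORD matches the "Unable to update the password" text in event 1473, and 5 matches "Access is denied" in event 1655.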

Cause


This behavior can occur if you lock down the system partition and remove the Everyone group from the permissions in various locations.

Resolution


To resolve this behavior, reset the system default file permissions:

  1. Set environment variables as follows:
    1. At a command prompt, type net share sysvol, and then press ENTER. Notice the path that is returned.
    2. Right-click My Computer, and then click Properties.
    3. On the Advanced tab, click Environment Variables.
    4. In the System Variables section, click New.
    5. In the Variable Name box, type Sysvol.
    6. In the Variable Value box, type the path that you noted in the first step, without the trailing \sysvol item.
    7. Repeat these steps to create the %DSDIT% variable and the %DSLOG% variable.

      To view the paths for these variables, examine the values in the registry under the following key:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
      For example, the default location for the Database log files path and for the DSA Working Directory is the following:
      C:\WINNT\NTDS
  2. At a command prompt, run the following commands:
    cd \winnt\security\templates
    secedit /configure /cfg "setup security.inf" /db ss.sdb /log ss.log /verbose
    secedit /configure /cfg basicdc.inf /db basicdc.sdb /log basicdc.log /verbose
  3. Restart the computer.