Pages

Cannot connect this computer to the network, Windows SBS 2011 Essentials

Today I was getting an error “an unknown error has occurred” when trying to use the SBS 2011 Essentials connector to add a computer to the console. In this particular setup, the customer was migrating from Windows 2003 to Windows SBS 2011 Essentials.

image

 

Troubleshooting

First thing to check are the logs. I looked at http://blogs.technet.com/b/sbs/archive/2012/05/02/key-small-business-server-2011-essentials-log-files.aspx to find the exact location of the files. When I looked at the ClientDeploy.log file, I see the error

[4284] 120810.150151.4347: ClientSetup: Start of ClientDeploy
[4284] 120810.150152.2147: General: Initializing…C:\Windows\Temp\Client Deployment Files\ClientDeploy.exe
[4284] 120810.150152.2459: ClientSetup: Loading Wizard Data
[4284] 120810.150154.0399: ClientSetup: Current DeploymentStatus=Running
[4284] 120810.150205.5059: ClientSetup: Showing the Client Deployment Wizard
[4284] 120810.150206.6447: ClientSetup: Adding Server Info data in the Product Registry
[4284] 120810.150206.8943: ClientSetup: Set the Deployment Sync Event
[4760] 120810.150219.6707: ClientSetup: Running ValidateUser Tasks at WizardPage DomainUserCred
[4760] 120810.150219.7019: ClientSetup: Entering ConnectorWizardForm.RunTasks
[4760] 120810.150219.7019: ClientSetup: Running Task with Id=ClientDeploy.ValidateUser
[4760] 120810.150219.8267: ClientSetup: Entering ValidateUserTask.Run
[4760] 120810.150219.9047: ClientSetup: Install root cert to local trusted store
[4760] 120810.150219.9671: ClientSetup: Validating User
[4760] 120810.150219.9671: ClientSetup: Call MachineIdentityManager.GetMachineStatus
[4760] 120810.150231.2459: ClientSetup: MachineIdentityManager.GetMachineStatus had errors: ErrorCatalog:OtherError ErrorCode:-2146233087
BaseException: Microsoft.WindowsServerSolutions.Devices.Identity.MachineIdentityException: MachineIdentityManager.GetMachineStatus
   at Microsoft.WindowsServerSolutions.Devices.Identity.MachineIdentityManager.GetMachineStatus(String serverName, String userName, String password, String machineName, Boolean& isAdmin)
   at Microsoft.WindowsServerSolutions.ClientSetup.ClientDeploy.ValidateUserTask.Run(WizData data)
[4760] 120810.150231.2459: ClientSetup: Exiting ValidateUserTask.Run
[4760] 120810.150231.2459: ClientSetup: Task with Id=ClientDeploy.ValidateUser has TaskStatus=Failed
[4760] 120810.150231.2459: ClientSetup: Task with Id=ClientDeploy.ValidateUser has RebootStatus=NoReboot
[4760] 120810.150231.2459: ClientSetup: Exting ConnectorWizardForm.RunTasks
[4284] 120810.150231.2615: ClientSetup: JoinNetwork Tasks returned TaskStatus=Failed
[4284] 120810.150233.7887: ClientSetup: Back from the Client Deployment Wizard
[4284] 120810.150233.8043: ClientSetup: Saving Wizard Data
[4284] 120810.150233.8043: ClientSetup: End of ClientDeploy: ErrorCode=1603

So now I know the error is MachineIdentityManager.GetMachineStatus had errors: ErrorCatalog:OtherError ErrorCode:-2146233087 

Let’s get to troubleshooting this issue.

Per other articles and forum posts I read, it was recommended to re-run the wizard a second time. I went ahead and did that, same issue in my case. It was also suggested to run the wizard while logged in as a local admin, non domain joined and I got the same results.

I noticed that when I restarted the new SBS 2011 Essentials server that it would take a very long time till I got a CTRL-ALT-DELETE login screen, basically just sitting there “applying settings”. At first I thought it was caused by my NIC being teamed, but after disabling the team I had the same results. So I can rule out teaming being my issue.

I then took a look at the event logs on the client machine. I did not see any issues related. I thought it might be .NET 4, but I verified I didn’t even have it installed before I ran the wizard. Other postings indicated it could be a .NET issue.

I then attempted to connect to the new server by doing https://SBS-11E:65515/connect and did not get any certificate errors.

The next step was to look at the server being the issue. I logged in to my existing 2003 Domain Controller and looked at the event logs. I saw NTFRS replication was failing.

image

So this is a problem. To fix it, I went ahead and attempted to ping the new SBS 2011 Essentials server by FQDN. This failed, so I opened up DNS.  I expanded the nodes under the AD zone, looking specifically at _msdcs stub. In that stub, I found references to my SBS 2011 Essentials sever with the wrong IP address, as well as additional entries with the correct IP. I deleted all the ones with the invalid IP address.

The next step was to examine the Reverse DNS entries. In this particular customers case, no Reverse DNS was setup.

I then opened a command prompt on the 2003 server and typed in NET STOP NETLOGON & NET START NETLOGON and pressed enter.

The NETLOGON service restarted. I then tried to ping the SBS 2011 Essentials server by FQDN, for example ping SERVER-SBS11E.internaldomain.local which it now was able to resolve.

I then re-ran the wizard, and this time it stopped me and gave me a warning that I was using my Domain Admin account. I didn’t really care in this case, and proceeded on. The wizard worked correctly and  believed I had solved the issue……… in fact, I was so happy to solve it that I updated the Microsoft Forums with my resolution.

After visiting other computers in this clients office and running the wizard, I kept seeing errors in the event log about Group Policies. I thought something was still not fixed, and it might be my Active Directory being damaged. The reason I came to that conclusion was when I first did my site evaluation at this client I noticed if I edited the existing login script by going to \\domain\netlogon that the changes I made never seemed to actually take place when the user logged in.  I didn’t think much of it at the time, and was able to resolve my edit by going to the SYSVOL folder and finding the login batch file and editing it.

I went ahead and rebooted the new SBS 2011 Essentials server to see if the startup still hung for a long time, or was now fixed since I fixed the bad DNS issues. The server hung for a long time, so that was not fixed.

Going back to the workstation, I performed a GPUPDATE /FORCE. The results of that were that the workstation could not determine what domain or forest I was in. This was a serious issue that I needed to deal with. Since I thought that AD might be damaged, I did the following:

On the Windows 2003 server, I saw in the Applications event viewer the following error, MS DTC could not correctly process a DC Promotion/Demotion event.

image

The first thing for me to check was the health of Active Directory. I needed to perform a semantic database check for errors.

On the SBS 2011 Essentials server, I went to the  Administrative command prompt  and typed NET STOP NTDS since this server is running Windows Server 2008, I can stop the directory services without rebooting to safe mode. For full instructions of this procedure, see http://technet.microsoft.com/en-us/library/cc816754(v=ws.10)

Type Y to agree to stop additional services, and then press ENTER.

At the command prompt, type ntdsutil, and then press ENTER.

At the ntdsutil: prompt, type activate instance ntds, and then press ENTER.

At the ntdsutil: prompt, type semantic database analysis, and then press ENTER.

At the semantic checker: prompt, type verbose on, and then press ENTER.

At the semantic checker: prompt, type go fixup, and then press ENTER.

in my case, I found no errors as I received the following:

image

that is a great thing to have no corruption! Next, type quit, and quit to return you back to a command prompt.

Now we need to start our directory services back up. at the command prompt, type NET START NTDS

I opened up the event viewer on the SBS 2011 Essentials server, and looking under system, I saw an error showing “The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.”

 

image

and

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

image

along with

The "Windows default" Policy Module "Initialize" method returned an error. The specified domain either does not exist or could not be contacted. The returned status code is 0x8007054b (1355).  The Active Directory containing the Certification Authority could not be contacted.

image

and

Active Directory Certificate Services for MCG-SBS11E-CA was started.  DC=

image

do you see how DC= nothing above? This is caused when certificate services cannot figure out who is a domain controller.

And finally, this event log error

Dynamic registration or deletion of one or more DNS records associated with DNS domain ‘mcg.local.’ failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition). 

image

So my issue still exists. It is not corrupted Active Directory, and still is pointing me to DNS as the bottom line.

Here is how I fixed it.

First, I opened up DNS on the SBS 2011 Essentials server.  I right clicked on my server and went to properties. I then selected the Forwards TAB.

image

I noticed that the first entry, 10.1.1.1 was invalid as this is my gateway, and the customer was currently using a home router which didn’t do anything for DNS related actions. My second server, being the old Windows 2003 server was listed, and my end goal once the migration was done was to turn off forwards. I went ahead and removed the 10.1.1.1 server.

I then went to command prompt and typed in nltest.exe /dsregdns  . I restarted the DNS service by typing NET STOP DNS & NET START DNS  followed by IPCONFIG /RegisterDNS

I then decided to reboot and see if I still had my slow startup issue. After rebooting, it went right to the CTRL-ALT-DELETE screen, no more delay.

I looked at the event logs and now see that my DC= is filled in with the proper information. This is a very good thing!

image

I reran the wizard, and now I get

image

Comments are closed.