game_over, Posted September 16, 2009

Users on my network have started complaining they are missing shared locations, can't access certain files and are getting permission errors when trying to access server resources. I have looked at everything on the server but I can't work out why it's happening; nothing has been changed on the server or workstations for months... it's totally random.

I have tried installing programs from a limited account run as an admin but get permission denied. I also get permission denied when running \\server.

It's only happening on some workstations and it's doing it on both XP and Vista. Any ideas why this might be happening? Maybe a reboot of the Server & Firewall would fix this?

sc302 (Veteran), Posted September 16, 2009

Possibly a reboot (highly doubtful). Check your services on your server and make sure that they are started properly (workstation and server services). Finally, check your share level and file level permissions and make sure everything is still there that is supposed to be.

I would be willing to bet that your services have stopped or someone has disabled them.

+BudMan (MVC), Posted September 16, 2009

You can run into crazy issues if the clients are imaged and you did not change the SIDs? You sure accounts are not getting locked out? You can have issues with users that change their passwords while disconnected from the network - say laptops not on wireless when they change or at home, etc.

But as sc302 suggests double check the share and file permissions -- did the users get moved out of a group, or into a group that has deny, etc.

You can only auth to a server with a specific account at a time.. So if you have any applications or something that are creating a connection with account A, if the user tries to then access a share off that server with their logged in account B they could be denied, etc.

1337ish, Posted September 16, 2009

Also I would check DHCP/DNS to ensure that they are accurate, as AD depends on it in every way for normal operation.

bobbba, Posted September 18, 2009

Are they getting "access denied" or "path not found"?

game_over (Author), Posted September 22, 2009

Access Denied... saying they don't have permissions.

An example: all users have a drive W: that is mapped at logon; this gives them access to a shared location to access and save files. When they are going to open from MS Office, they are getting the error 'W: is not accessible, the drive may be password protected...'

No network shares are showing up under My Computer.

The strange thing is it's only happening to some accounts and nothing has been changed on the server. Actually, now I think about it, I added around 30 accounts a few weeks ago.

game_over (Author), Posted September 22, 2009

The full error when trying to access the mapped W: drive:

    The folder 'w:' isn't accessible. The folder may be located in an unavailable location, protected with a password, or the filename contains a / or \.

And when trying to access something like \\server from Run we just get permission denied errors.

sc302 (Veteran), Posted September 22, 2009

If all of your services are running, check your licenses under Administrative Tools. Look in your Event Viewer on the server; you should be getting ! or X messages when someone tries to map, associated with what is going on with the server, if all of the services are running. Sporadic usually means licensing, completely down usually means services.

Also check your time; if more than 5 min off between workstation and server it could be an issue. I run NTP and sync my domain with tock.usno.navy.mil.

bobbba, Posted September 22, 2009

"drive may be password protected" implies a workgroup server and not one in a domain.

The doc applies to XP password based sharing and may help: Link

game_over (Author), Posted September 22, 2009

> "drive may be password protected" implies a workgroup server and not one in a domain.
> the doc applies to XP password based sharing and may help: Link

I'm not sure what you mean, as we are in a domain, have been for several years, and this has started at random.

sc302, you mentioned time; funnily enough I also changed the time on the server a couple of days ago, as it seemed to be a few minutes off, although at the moment it is correct.

sc302 (Veteran), Posted September 22, 2009 (edited)

Is the PC clock and server clock more than 5 min off from each other? What about the PC clock to the DC clock?

Easiest way to fix this is to use this method: http://www.articlesbase.com/networks-artic...ver-108481.html

In short:

regedit

    hklm\system\currentcontrolset\services\w32time\config
        announceflags 5
    hklm\system\currentcontrolset\services\w32time\parameters
        ntpserver tock.usno.navy.mil,0x1
        type NTP

cmd

    net stop w32time
    net start w32time
    w32tm /resync /rediscover

This will set your time to the US east coast navy atomic clock. Your workstations will then automatically pull the time from the DC with no configuration to them.

Here are NTP servers for the UK: http://www.timetools.co.uk/info/ntp-server...k-stratum-2.htm

Using a FQDN you will need the ,0x1 at the end, so it will look like fqdn,0x1

Edited September 22, 2009 by sc302

game_over (Author), Posted September 22, 2009

Thanks, sc302, but that didn't fix it... I've gone over the server and I just can't see any reason why this would be happening.

sc302 (Veteran), Posted September 22, 2009

So nothing in any of your event logs (server or PC), all of your services are started that are supposed to be on the server in question (comparing to other servers that are running), not a licensing issue, not a time issue.

You did reboot after fixing the time, right (if you did fix it)?

game_over (Author), Posted September 22, 2009

> so nothing in any of your event logs (server or pc), all of your services are started that are supposed to be on the server in question (comparing to other servers that are running), not a licensing issue, not a time issue.
> you did reboot after fixing the time right (if you did fix it)?

There is a DCOM error saying the service could not be started because it is disabled:

    Attempting to start the service BITS with arguments "" in order to run the server {...}

BITS is disabled on both server and firewall.

    MrxSmb - the redirector was unable to initialize security context attributes.

^^ There are a lot of those warnings.

The rest of the services look fine. The Licensing service was disabled for some reason; I've now enabled that.

I didn't reboot after fixing time - will try that now.

Thanks again for your replies. :)

sc302 (Veteran), Posted September 22, 2009

Leave licensing disabled unless you are managing it.

game_over (Author), Posted September 22, 2009

I've done a quick test after restarting and it seems to be working again... so the time thing must have fixed it.

I had to quickly leave so I will test on more accounts & workstations tomorrow, but hopefully that was it.

Thanks

+BudMan (MVC), Posted September 22, 2009

As sc302 mentions -- yeah time being off between the client and the server can cause you lots of fun.. but all the members of the domain should be keeping in sync out of the box. Normally the DC that holds the pdc emulator role will be the master time server, in a forest all the sub domains will sync with pdc emulator role dc in the forest root.

You can check all this stuff out with w32tm

example from a client you can do w32tm /monitor

this will point out all the DC in your domain, which one is the PDC and the other DCs syncing off of it -- ie Ref ID:

here I snipped out the domain info on the output from this location

    d:\>w32tm /monitor
    S4DE8SSAAHE.snipped *** PDC *** [10.206.163.19]:
        ICMP: 122ms delay.
        NTP: +0.0000000s offset from S4DE8SSAAHE.snipped
            RefID: S4DE8PSAAQR.blf.snipped [10.151.164.4]
    s4mxpusyaav.snipped [10.58.222.11]:
        ICMP: 74ms delay.
        NTP: +0.0065214s offset from S4DE8SSAAHE.snipped
            RefID: S4DE9JSAAQD.mgb.snipped [10.125.189.13]
    s4usjvsyaav.snipped [10.56.144.11]:
        ICMP: 51ms delay.
        NTP: -0.0032134s offset from S4DE8SSAAHE.snipped
            RefID: S4DE9JSAAQD.mgb.snipped [10.125.189.13]
    s4usjvsyaaw.snipped [10.56.144.12]:
        ICMP: 58ms delay.
        NTP: +0.0005945s offset from S4DE8SSAAHE.snipped
            RefID: S4DE8SSAACJ.gppng.snipped [10.206.162.6]
    s4ushosyaav.snipped [10.56.18.11]:
        ICMP: 94ms delay.
        NTP: -0.0031219s offset from S4DE8SSAAHE.snipped
            RefID: S4DE8SSAACJ.gppng.snipped [10.206.162.6]

w32tm is a very useful tool when troubleshooting time sync issues on your domain. Lots of great info you can get from it -- not as useful as ntpq but you work with what you got ;)

But yeah time sync issues can cause you lots of grief!! You should make sure your domain is setup to sync time with a reliable outside source and you should never have to worry about time issues.. You should never have to manually adjust time on a server or even client in a domain.. It can cause you great grief ;)

Joel, Posted September 22, 2009

> You should never have to manually adjust time on a server or even client in a domain.. It can cause you great grief ;)

I had a client who went around setting their time manually after noticing the servers and the workstations were off by an hour. Of course, had they checked the timezone settings on the servers, they could have saved themselves the trouble they found themselves in when I fixed the server times on 4 servers and watched their stations instantly become invalid clients. :laugh:

BTW, I get 2 PDCs when I run that command.

+BudMan (MVC), Posted September 22, 2009 (edited)

Hmmm - I don't believe it's possible to have 2 DCs running the PDC emulator FSMO role in the same domain? Not sure on your setup, but sure each domain would have its own PDC emulator role. Would have to know more about your domain setup to understand what you're seeing?

Not exactly sure of how/where the command determines if the box is a PDC either? Hmmmm -- have to look into that ;)

But from this

http://support.microsoft.com/kb/324801
How to view and transfer FSMO roles in Windows Server 2003

> "At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest."

You might want to look into that ;)

edit: If you don't mind could you post your w32tm /monitor output -- you can change info so it's not actually telling anything about your domain. And then the output of this command will tell us who has your pdc role

    dsquery server -domain <<your domain name>> -hasfsmo pdc

example

    d:\>dsquery server -domain domainname -hasfsmo pdc
    "CN=S4DE8SSAAHE,CN=Servers,CN=snipped,CN=Sites,CN=Configuration,DC=snipped,DC=snipped"

Edited September 22, 2009 by BudMan

Joel, Posted September 22, 2009

    Microsoft Windows [Version 6.1.7100]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Users\Joel>w32tm /monitor
    exchange.fq.dn *** PDC ***[192.168.0.3:123]:
        ICMP: 0ms delay
        NTP: +0.0000000s offset from exchange.fq.dn
            RefID: w2k3srv.fq.dn [192.168.0.4]
            Stratum: 3
    w2k3srv.fq.dn *** PDC ***[192.168.0.4:123]:
        ICMP: 0ms delay
        NTP: +0.0148074s offset from exchange.fq.dn
            RefID: time-b.nist.gov [129.6.15.29]
            Stratum: 2

    Warning:
    Reverse name resolution is best effort. It may not be
    correct since RefID field in time packets differs across
    NTP implementations and may not be using IP addresses.

    C:\Users\Joel>

    "CN=W2K3SRV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fq,DC=dn"

Setup is: w2k3srv is the PDCE and all the rest of that fun stuff, exchange is also a catalog server (required). Both are DCs.

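Added example (not part of any post in this thread): a short Python parser for `w32tm /monitor` output in the two layouts posted above. It flags any domain controller whose NTP offset exceeds the 5-minute figure sc302 mentions, any host that reports no offset, and any output that does not show exactly one `*** PDC ***` marker. The sample text, host names and addresses are constructed, and the `NTP: error` line is an assumed format.

```python
import re

MAX_SKEW_SECONDS = 300.0  # the thread's "more than 5 min off" limit

HOST_RE = re.compile(r"^(\S+)\s*(\*\*\* PDC \*\*\*)?\s*\[([\d.]+)(?::\d+)?\]:")
OFFSET_RE = re.compile(r"NTP:\s*([+-]?\d+(?:\.\d+)?)s offset from (\S+)")

# Constructed sample in the layout posted in this thread; names/IPs are made up.
SAMPLE = """\
dc1.example.test *** PDC ***[192.0.2.3:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from dc1.example.test
        RefID: dc2.example.test [192.0.2.4]
dc2.example.test *** PDC ***[192.0.2.4:123]:
    NTP: +0.0148074s offset from dc1.example.test
dc3.example.test [192.0.2.5]:
    NTP: -412.5032134s offset from dc1.example.test
dc4.example.test [192.0.2.6]:
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
"""

def parse_monitor(text):
    """Return one dict per DC: name, ip, pdc flag, offset in seconds or None."""
    hosts = []
    for line in text.splitlines():
        host = HOST_RE.match(line.strip())
        offset = OFFSET_RE.search(line)
        if host:
            hosts.append({"name": host.group(1), "ip": host.group(3),
                          "pdc": host.group(2) is not None, "offset": None})
        elif offset and hosts:
            hosts[-1]["offset"] = float(offset.group(1))
    return hosts

def review(hosts, max_skew=MAX_SKEW_SECONDS):
    """List findings: PDC marker count != 1, missing offsets, excessive skew."""
    findings = []
    pdcs = [h["name"] for h in hosts if h["pdc"]]
    if len(pdcs) != 1:
        findings.append(("pdc-count", pdcs))
    for h in hosts:
        if h["offset"] is None:
            findings.append(("no-offset", h["name"]))
        elif abs(h["offset"]) > max_skew:
            findings.append(("skew", h["name"]))
    return findings

if __name__ == "__main__":
    print(review(parse_monitor(SAMPLE)))
```
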
game_over (Author), Posted September 22, 2009

> You should never have to manually adjust time on a server or even client in a domain.. It can cause you great grief ;)

That's interesting, I didn't know that. I manually changed the time last week so I'm guessing that's the root cause of the problem.

Looking forward to testing tomorrow. Thanks for the help guys.

+BudMan (MVC), Posted September 22, 2009

hmmm Joel, you got my curiosity piqued.. But off the top not sure why you would be seeing that.. I don't recall ever seeing anything like that before..

I just checked a few other domains I have access to.. And they were showing only 1 PDC with w32tm, had one domain not showing any.. forgot to do the dsquery to see who was listed as the pdc before I disconnected the vpn connection.. But that company is a big forest, etc.. will have to get with their admin -- other domains in their forest were all listing the pdc with the w32tm command for that domain in the forest.. But one of the sub domains did not.. hmmm

Have to look into it some more, might have to do some digging on where/how w32tm determines if it's a PDC or not, etc.

game_over (Author), Posted September 23, 2009 (edited)

Tested it on a few 'student' accounts earlier and it seemed to be working.

A few hours later someone on a 'staff' account logged in and no network drives had mapped; when I tried \\server I got a permission denied.... then on another account all network drives said disconnected from My Computer.

[edit] Just had a full class of students and most of them can't access the files or network shares.

[edit 2] After looking up the error

    MRxSmb - The redirector was unable to initialize security context or query context attributes.

I was brought to this: http://support.microsoft.com/kb/263142

> If your computer cannot connect to a resource on the network, you may see one or more warnings in the System event log with event ID 3034 and a source of MRxSmb (MRxSmb is the Server Message Block, or SMB, mini-redirector in Windows 2000, with secure SMB capabilities).

That's exactly what my problem is and there are hundreds of MRxSmb errors.

How do these registry values look..

reg.bmp

Edited September 23, 2009 by forcer

sc302 (Veteran), Posted September 23, 2009

This is what your NTP settings should look like on your server, but replacing tock.usno.navy.mil with a local NTP server to you. These registry settings are from a Windows 2003 server.

sc302 (Veteran), Posted September 23, 2009 (edited)

http://www.eventid.net/display.asp?eventid...Smb&phase=1

If you imaged your PCs, did you sysprep them, or regenerate the SID, or did you just image and change the name?

Edited September 23, 2009 by sc302