Can't add new domain user to CRM 2011

Question
-
I used to be able to go to add user, and in the first line enter domain\username and hit tab and the interface would talk to AD and pull out the information about the user. It's not working anymore. It pauses for about 6-8 seconds when I hit tab, like it's trying, but then gives up and I'm at the first name field when that should be auto-populated.
I can't seem to find any setting that tests domain connectivity.
It's letting me in the system so I know it can talk to the domain in some capacity. I also added a deployment administrator in the deployment manager, and it looked him up just fine.
This is a relatively new deployment. I built the system, then imported the DB from our old CRM4 deployment.
This deployment uses a new service account that's not a domain admin.
I can't find any place in any configuration the specifies domain connectivity.
I do have this error..
This computer was not able to set up a secure session with a domain controller in domain domain due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
Name resolution for the name _kerberos._tcp.dc._msdcs.domain.org timed out after none of the configured DNS servers responded.
Firewall issue? I'm really starting to hate 2008 R2
Any help is greatly appreciated.
Monday, December 12, 2011 9:10 PM
Answers
-
I fixed it! I can't believe it.
So my Wireshark snippet showed that my server was querying for the following:
37 5.071645 192.168.25.33 192.168.25.2 DNS 73 Standard query A domain.domain.org
38 5.071987 192.168.25.2 192.168.25.33 DNS 89 Standard query response A 192.168.25.107
39 5.074448 192.168.25.33 192.168.25.2 DNS 99 Standard query SRV _ldap._tcp.Ashburn._sites.domain.domain.org
40 5.074697 192.168.25.2 192.168.25.33 DNS 163 Standard query response, No such name
41 5.075007 192.168.25.33 192.168.25.2 DNS 84 Standard query SRV _ldap._tcp.domain.domain.org
42 5.075294 192.168.25.2 192.168.25.33 DNS 148 Standard query response, No such name
43 5.075462 192.168.25.33 192.168.25.2 NBNS 92 Name query NB domain.domain.ORG<1c>
I'm like "what is this domain.domain.org entry in DNS?"
I check it out and it doesn't ping. This is leftover DNS trash from my predecessors. I removed the DNS entry A record, replicated AD, then tried to add a user and it works fine now. WHEW!
I still don't really understand why my server was querying for domain.domain.org in the first place, then tacking the extra domain on to future queries.
- Marked as answer by Statistic Monday, December 19, 2011 9:52 PM
Monday, December 19, 2011 9:52 PM
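As an added example (not code from the thread or from Microsoft), here is a small Python script that reads one-line Wireshark summaries in the format shown in the accepted answer, pairs each DNS response with its query, and flags DC-locator SRV lookups that fail because the "domain" part is really a host A record, which is the stale-record pattern this capture shows. The sample capture is constructed after the lines above, and the function names are my own.

```python
import re
from collections import defaultdict, deque

# Constructed sample in the same one-line Wireshark summary format as the thread's capture.
SAMPLE_CAPTURE = """\
37 5.071645 192.168.25.33 192.168.25.2 DNS 73 Standard query A domain.domain.org
38 5.071987 192.168.25.2 192.168.25.33 DNS 89 Standard query response A 192.168.25.107
39 5.074448 192.168.25.33 192.168.25.2 DNS 99 Standard query SRV _ldap._tcp.Ashburn._sites.domain.domain.org
40 5.074697 192.168.25.2 192.168.25.33 DNS 163 Standard query response, No such name
41 5.075007 192.168.25.33 192.168.25.2 DNS 84 Standard query SRV _ldap._tcp.domain.domain.org
42 5.075294 192.168.25.2 192.168.25.33 DNS 148 Standard query response, No such name
43 5.075462 192.168.25.33 192.168.25.2 NBNS 92 Name query NB domain.domain.ORG<1c>
"""
LINE_RE = re.compile(r"^\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+\d+\s+(?P<info>.+)$")
QUERY_RE = re.compile(r"^Standard query (?:0x[0-9a-f]+ )?(?P<qtype>A|SRV) (?P<name>\S+)$")
RESP_RE = re.compile(r"^Standard query response(?: 0x[0-9a-f]+)?(?:, (?P<err>No such name)| \w+ (?P<answer>.+))")
# DC-locator SRV names: _ldap/_kerberos._tcp.[<site>._sites.][dc._msdcs.]<dns domain>
SRV_RE = re.compile(r"^_(?:ldap|kerberos)\._tcp\.(?:[^.]+\._sites\.)?(?:dc\._msdcs\.)?(?P<domain>.+)$")


def pair_queries(capture):
    # Pair each response with the oldest unanswered query from the same client/server pair
    # (the summary line of a response does not repeat the queried name).
    pending = defaultdict(deque)
    results = []  # (qtype, name, answer or "NXDOMAIN")
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proto") != "DNS":
            continue  # NBNS fallback and non-DNS traffic are ignored
        q = QUERY_RE.match(m.group("info"))
        if q:
            pending[(m.group("src"), m.group("dst"))].append((q.group("qtype"), q.group("name")))
            continue
        r = RESP_RE.match(m.group("info"))
        key = (m.group("dst"), m.group("src"))  # a response flows server -> client
        if r and pending[key]:
            qtype, name = pending[key].popleft()
            results.append((qtype, name, "NXDOMAIN" if r.group("err") else r.group("answer")))
    return results


def find_stale_locator_targets(results):
    # Flag failed DC-locator SRV lookups whose domain part resolved as a plain A record:
    # the client is treating a host entry (here a stale one) as if it were the AD domain.
    resolved_a = {n.lower() for t, n, out in results if t == "A" and out != "NXDOMAIN"}
    findings = []
    for qtype, name, out in results:
        s = SRV_RE.match(name)
        if qtype == "SRV" and out == "NXDOMAIN" and s and s.group("domain").lower() in resolved_a:
            findings.append((name, s.group("domain")))
    return findings
```

Feed it a capture exported with the same summary columns; every finding names an A record worth checking for a leftover host entry before touching anything else.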
All replies
-
I restarted the Netlogon service on the server and it seems fine. All information including a successful group policy update. Is there a log where I can see what's happening when I add a new user?
Monday, December 12, 2011 9:30 PM
-
What happens if you choose add multiple users instead of the one and specify the organisation unit the user is within?
Monday, December 12, 2011 11:03 PM
-
The CRM trace log is the best place to see what's happening from the CRM end - if you temporarily enable verbose logging you should get a fair bit of information about what CRM is doing. Beyond that, I'm not sure if there are any useful Kerberos or DNS logs beyond what you see in the event logs
Microsoft CRM MVP - http://mscrmuk.blogspot.com http://www.excitation.co.uk
- Edited by DavidJennawayMVP, Moderator Tuesday, December 13, 2011 10:24 AM
Tuesday, December 13, 2011 10:24 AM Moderator
-
When I add multiple users using the expansion trees it works just fine. I added one user and then opened that user and the information, like phone and email addy, were there. It seems to be the single user that's not working. It used to be when I entered the domain and username at the top then hit tab, it reached out to the domain then grabbed that same information.
Now it's just sitting there and thinking for about 15 seconds, then finally releases without showing any specific information.
Tuesday, December 13, 2011 5:22 PM
-
This is what the trace log captured when I tried to use the single user add method.
Not an error. System LabelDictionary was loaded for language 0 from organization {FAA8E6A1-CCB2-DE11-99B7-001517A8E025} with 0 labels
[2011-12-13 13:21:22.893] Process: w3wp |Organization:faa8e6a1-ccb2-de11-99b7-001517a8e025 |Thread: 66 |Category: Application |User: 00000000-0000-0000-0000-000000000000 |Level: Error | ActiveDirectoryUtility.FindUser
>Unable to get find user ibts\ssands: System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational.
>
> at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
> at System.DirectoryServices.DirectoryEntry.Bind()
> at System.DirectoryServices.DirectoryEntry.get_AdsObject()
> at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
> at System.DirectoryServices.DirectorySearcher.FindOne()
> at Microsoft.Crm.Application.Utility.ActiveDirectoryUtility.FindUser(String domainAccountName)
Tuesday, December 13, 2011 6:24 PM
-
Is this an IIS error?
Wednesday, December 14, 2011 6:53 PM
-
Nah, the CRM server is basically asking AD to find your specified user and, to me, it looks like it's struggling to actually locate AD. Do you know if there have been any changes to the server recently? Has anyone changed its name? Moved it to a new box?
There's a chap who had the same issue as you and it was a change to AD that caused his problem:
http://social.microsoft.com/Forums/en/crmdeployment/thread/9cc531a8-6dcb-488a-878e-f48dab649d2f
Wednesday, December 14, 2011 8:46 PM
-
We've had A LOT of changes recently. We moved our entire org to a new location, new subnet. The FSMO roles changed, then changed back. I've checked everything I can think of. I'm getting these 3 errors after any reboot.
Name resolution for the name _ldap._tcp.Ashburn._sites.dc._msdcs.domain.org timed out after none of the configured DNS servers responded.
This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one or more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
The thing is, I control the domain/controllers. I can find no problems with them. I removed the computer from the domain, deleted the computer account, then checked the DCs to make sure they replicated.
Also dns to make sure it was gone.
Then I re-added it to the domain, and re-added it to the sql and priv etc groups it was in.
Then I reboot and same error.
Wednesday, December 14, 2011 9:17 PM
-
Erk! Now we are getting somewhere. Normally what I would suggest to a company that is moving / heavily altering AD servers is to:
Take a backup of your CRM database.
Move the CRM on to the new domain.
Reinstall CRM and rollup to the version the database backup is.
Use deployment manager to create a new organisation based on the database backup.
Map users through deployment manager.
Hopefully then everything with AD should be pointing correctly.
Maybe this is something to fall back on if you can't get the relevant things pointing correctly?
My personal MSCRM website/blog at CRM Codex
Wednesday, December 14, 2011 9:35 PM
-
My boss doesn't want me to reinstall the whole thing. I'm really not sure what to do now.
There is no new domain, we just moved our entire infrastructure to a new physical site, and changed the subnet that everything is on.
So, the server is in the same network segment as the DC's, and in the same domain. This one function of adding a single user isn't working right, but when I use all multiple users, it taps the domain just fine.
The DNS and netlogon errors only happen upon reboot, and restarting the netlogon service and doing DNS queries work fine. After research I found that this is usually caused by those services activating before the network (usually local NIC) is ready to pass on the request.
- Edited by Statistic Monday, December 19, 2011 8:42 PM
Monday, December 19, 2011 8:35 PM
-
Hi Statistic,
I think you have a common authentication or DNS issue.
My first suggestion is that you run Wireshark from the server and capture all packets from the server when you try to add the user account. What you will see is the server trying to query DNS servers for SRV records. If you can't see a reply, try resolving the same queries on the command prompt and see what happens. You can run nslookup from the command prompt and query for SRV records.
A few other questions:
1. How many DCs & DNS's servers do you have?
2. Can you try adding the registry key PreferredDC and enter a DC that you know works and is a Global Catalogue? The key is string type.
3. Do you have a role based CRM deployment?
4. Are the servers members of the AD CRM Groups?
Your problem is definitely with AD and your network, the question is now how to establish that link between CRM and AD again.
Visit my blog for CRM material, improving performance, kerberos, IFD, development tips, etc. :) http://quantusdynamics.blogspot.com
- Proposed as answer by nrodri Monday, December 19, 2011 9:11 PM
Monday, December 19, 2011 8:49 PM
-
I always shy away from Wireshark, because the few times I've used it I get lost in the sea of data.
But I went ahead and tried it and I found the problem.
So here is the scenario. We have CRM 4 on a working server.
I built this 2011 server to migrate to. I successfully migrated the DB from CRM4 to CRM 11.
Wireshark is showing me that my new server is now trying to reach out to an old DC that doesn't exist anymore.
That config had to come with the database but I have no idea how to go fix it.
Monday, December 19, 2011 9:01 PM
-
Statistic,
To fix it you can use the registry key PreferredDC as I suggested, this will force your CRM server to query the server you want.
Now the reason behind trying to reach the old DC is because that record still exists somewhere in your DNS servers or the server cache. Flush the DNS cache by running ipconfig /flushdns and make sure your DNS servers don't hold old tombstone records. Many times upgrading/moving DCs ends up like that, with a bunch of tombstone records that need to be cleaned.
Visit my blog for CRM material, improving performance, kerberos, IFD, development tips, etc. :) http://quantusdynamics.blogspot.com
Monday, December 19, 2011 9:05 PM
-
That server was demoted and renamed months before this server was even built. So I'm a little confused on that but at least I have something to look for.
Monday, December 19, 2011 9:08 PM
-
Hi Statistic,
Great to hear my posts were very helpful :)
If you can, please mark my answer as helpful or as the answer as well; it helps others to follow the same type of troubleshooting when they search for answers to their problems.
Regards
Visit my blog for CRM material, improving performance, kerberos, IFD, development tips, etc. :) http://quantusdynamics.blogspot.com
Tuesday, December 20, 2011 9:15 AM
-
Fantastic I'm glad you sorted it!
My personal MSCRM website/blog at CRM Codex
Tuesday, December 20, 2011 6:40 PM