Subject: [ActiveDir] Where to begin...
AD00000149

09/07/2005 3:10 AM  
Good Morning. I'm brand new to the list and am seeking assistance out
of desperation/frustration. I think that I should preface my story with
the statement that I am not an experienced Microsoft admin, but am
partially filling a void in our organization. Most of my experience is
Unix/Linux, but my Microsoft experience has been trial by fire...

OK, here's the deal: Over the past few weeks I have been seeing some
strange behavior with our PDC. After applying MS security updates 3
weeks ago, I have had some interesting issues related to authentication
and DNS. It started with our Sophos (AV) Console not being able to
'push' software out to new workstations due to invalid credentials, even
though we were using a domain admin account. After some research, I
thought that I had nailed it down to Hotfix KB899587, which was a
security patch for Kerberos. I removed the hotfix, but after several days
put it back as it appeared to make things worse.

As of late I have had issues with NT workstations suddenly not being
able to authenticate or just not being able to see other workstation's
shares. I thought (again) that I had narrowed it down to DNS, but, even
though I was able to fix a few minor issues with PTR records, the
problem still exists. Here are a few examples of what I am seeing:

Scenario #1: NT Workstation
Original issue was that the user could not log on using her domain
account. I removed, then rejoined the workstation to the domain
(several times). Domain authentication now works, but when browsing the
network shares, that workstation cannot 'see' the PDC's shares (access
denied), but I can see all of the other shares, including the BDC's. I
verified the share permissions were OK. Also, when joining it to the
domain, I had to create the computer in AD prior to joining. It would
not allow me to create the object using the check box at the bottom.

Scenario #2: XP workstation
This morning, following the change of the PTR records that were in
error, a user complained that she could no longer log onto her
workstation using her domain account. The errors that I see are NET
LOGON 5790 "unable to locate a suitable domain controller". This one
just happened, but there have been multiple issues across the network.

I would greatly appreciate some insight. I'm not sure what I can
provide to assist...

Thanks,

--
Brian

"An adventure is never an adventure
when it's happening. Challenging
experiences need time to ferment,
and an adventure is simply physical
and emotional discomfort recollected
in tranquility." -- Tim Cahill

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Alm@xxxx.yyy

09/07/2005 3:26 AM  
CreamerM@xxxx.yyy

09/07/2005 3:38 AM  
Are you running AD on Windows 2000 or 2003? Windows DNS or BIND?

pjessop@xxxx.yyy

09/07/2005 3:50 AM  
I think that the problems you have may be DNS related and you need to
check both the DNS servers themselves and the client configurations.
You mentioned that you had corrected issues with the pointer records.
This should not be necessary as the clients should register these
dynamically. You should check that this is being done properly. The
domain controllers are themselves DNS clients and it is imperative that
they register their services correctly.

The first rule of Windows administration is 'Look in the event log' both on the DCs and clients.
Also run dcdiag. Tell us more about the setup, e.g. is DNS AD integrated, client configuration, etc.

Windows networks are very stable when set up properly. Unfortunately they are often not.

Good luck

Peter Jessop
prenouf

09/07/2005 4:26 AM  
If it is Active Directory then in addition to the other good suggestions I would like to see what DNSLint says.

Phil 
AD00000149

09/07/2005 5:07 AM  
To answer many of the questions that I have received thus far:

This is an AD domain running on Server 2K. The hardware is too
antiquated to support 2K3 (don't ask why...).

The PDC is running MS DNS, but is only the SOA for the local domain -
UNICITY. The primary DNS server(s) for our company are BIND.

Thanks, Al for the dcdiag and netdiag commands. I found a few WINS
references that were out of whack when I ran dcdiag. I'll check out the
output of netdiag and post the results.

Brian
Phil Renouf wrote:

> I think it important to understand what type of domain is running
> here. Is it an NT4 domain, or is it Windows 2000/2003? I am assuming
> it is an Active Directory domain, but with the use of the PDC/BDC
> terminology I want to make sure.
>
> If it is Active Directory then in addition to the other good
> suggestions I would like to see what DNSLint says.
>
> Phil
AD00000149

09/07/2005 6:23 AM  
I corrected the minor WINS issues, but I still have these outstanding:

Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes All
access rights for the naming context:
CN=Schema,CN=Configuration,DC=unicity,DC=tlcdelivers,DC=com
Error BUILTIN\Administrators doesn't have
Replicating Directory Changes All
access rights for the naming context:
CN=Schema,CN=Configuration,DC=unicity,DC=tlcdelivers,DC=com
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes All
access rights for the naming context:
CN=Configuration,DC=unicity,DC=tlcdelivers,DC=com
Error BUILTIN\Administrators doesn't have
Replicating Directory Changes All
access rights for the naming context:
CN=Configuration,DC=unicity,DC=tlcdelivers,DC=com
Error UNICITY\Domain Controllers doesn't have
Replicating Directory Changes All
access rights for the naming context:
DC=unicity,DC=tlcdelivers,DC=com
......................... TLCDCM failed test NCSecDesc

I reviewed the properties for the domain in "Users and Computers"
manager and everything appears to be OK, though I can't seem to locate
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS. I have an ENTERPRISE DOMAIN
CONTROLLERS listed and a Pre-Windows 2000 Compatible Access, to which
are they referring? Or, am I just not looking in the correct place?

Thanks,

Brian

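The NCSecDesc output in the post above repeats one finding per principal and naming context, wrapped over several lines by the mail client. As an added example that is not part of the original thread, the Python below regroups that output by naming context, so it is clear which NC heads and principals to review; the function names are hypothetical, and the hint it appends restates Al Mulnick's reply quoted later in the thread, not a documented dcdiag rule.

```python
import re
from collections import defaultdict

# NCSecDesc section as posted in the thread. Each finding is wrapped over
# four lines, so the parser must not rely on line boundaries.
SAMPLE = r"""
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes All
access rights for the naming context:
CN=Schema,CN=Configuration,DC=unicity,DC=tlcdelivers,DC=com
Error BUILTIN\Administrators doesn't have
Replicating Directory Changes All
access rights for the naming context:
CN=Schema,CN=Configuration,DC=unicity,DC=tlcdelivers,DC=com
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes All
access rights for the naming context:
CN=Configuration,DC=unicity,DC=tlcdelivers,DC=com
Error BUILTIN\Administrators doesn't have
Replicating Directory Changes All
access rights for the naming context:
CN=Configuration,DC=unicity,DC=tlcdelivers,DC=com
Error UNICITY\Domain Controllers doesn't have
Replicating Directory Changes All
access rights for the naming context:
DC=unicity,DC=tlcdelivers,DC=com
......................... TLCDCM failed test NCSecDesc
"""

REPL_ALL = "Replicating Directory Changes All"

# Assumption: naming-context DNs contain no spaces (true for the ones shown).
FINDING = re.compile(
    r"Error (?P<principal>.+?) doesn't have (?P<right>.+?) "
    r"access rights for the naming context: (?P<nc>\S+)"
)
VERDICT = re.compile(
    r"\.{3,} (?P<server>\S+) (?P<result>passed|failed) test NCSecDesc"
)


def parse_ncsecdesc(raw):
    """Return (server, result, findings); findings maps NC -> right -> principals."""
    flat = " ".join(raw.split())  # undo mail/console line wrapping
    findings = defaultdict(lambda: defaultdict(list))
    for m in FINDING.finditer(flat):
        principals = findings[m["nc"]][m["right"]]
        if m["principal"] not in principals:  # drop repeats, keep order
            principals.append(m["principal"])
    v = VERDICT.search(flat)
    server, result = (v["server"], v["result"]) if v else (None, None)
    return server, result, {nc: dict(rights) for nc, rights in findings.items()}


def triage(raw):
    """Summarise the findings as text lines, one per naming context and right."""
    server, result, findings = parse_ncsecdesc(raw)
    rights = {r for per_nc in findings.values() for r in per_nc}
    lines = [f"{server}: NCSecDesc {result}, {len(findings)} naming context(s) flagged"]
    for nc, per_nc in findings.items():
        for right, principals in per_nc.items():
            lines.append(f"  {nc}: missing '{right}' for {', '.join(principals)}")
    if rights == {REPL_ALL}:
        # Hint taken from Al Mulnick's reply in this thread.
        lines.append("  every finding is the same right: compare dcdiag versions "
                     "before changing any ACL")
    return lines


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```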
bdesmond

09/07/2005 6:41 AM  
Pull up ADSIEdit (start>run>adsiedit.msc after you install the stuff in the
support folder of the CD). Right click on the nc head for the partitions
listed below and pull up the security tab there.

Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx

c - 312.731.3132



Alm@xxxx.yyy

09/07/2005 7:20 AM  
AD00000149

09/12/2005 4:27 AM  
Al,

Sorry for the delay in response. I got really, really sick last week
and am just coming back online.

To answer your questions, I have a total of three AD servers, though I
may just drop back to two. All three are running DNS.

Since conversing last, I have been able to partially resolve my
issue(s). Part of it was related to domain controller security policy.
I also found some mis-matches between the server (service)
authentication policy and the workstation (service) authentication
policy. Once I made the changes locally on the PDC, I had to push out a
new group policy. So far, the workstations that have since been
rebooted do not appear to be having the same issues as before. I
haven't had a chance to dig into it more thoroughly, yet, but I will
take a look today and post whatever results I have.

Brian

Al Mulnick wrote:

>The error you're showing is often associated with a mismatch in dcdiag versions being used.
>If you did not run this directly on the server console, this might be easily corrected.
>
>As for DNS, I'm guessing that you have the unicity zone delegated then?
>How many servers is this in the AD environment? And how many have DNS running on them?
>
>Al

--
Brian Atkins
IT Services
The Library Corporation
http://TLCdelivers.com
Ph: 800.624.0559
Fx: 304.229.0295

"An adventure is never an adventure
when it's happening. Challenging
experiences need time to ferment,
and an adventure is simply physical
and emotional discomfort recollected
in tranquility." -- Tim Cahill
