Re: RSOP Access denied at 1 of 5 DC's
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 12 Oct 2005 11:32:55 -0500
Your netdiag results look great and the minor errors are not of
significance. The same goes for dcdiag. However you should further
investigate the errors in the system log at timestamps of 08:21 on 10/12 to
see if that is a continuing problem or not. Autoenrollment refers to a
certificate request that did not happen and most likely is not related.
Domain controllers use File Replication Service [ it needs to be running on
them] to replicate sysvol shares so that is something to look at further
though I don't know if it is related. I would also run the support tool
gpotool on that domain controller to see if it lists all the domain
controllers and shows that Group Policies are replicating properly. See if
the pdc fsmo can access the C$ administrative share on the domain controller
you are having a problem with. --- Steve
"hansi-os" <hansi-os@xxxxxxxxxxxxxxxx> wrote in message
news:A1C2031C-6465-43F5-932D-F8EEFEE2B9DA@xxxxxxxxxxxxxxxx
> Hello Steve
>
> Thank you for your very fast answer. Please look at the comments in your
> answer.
>
> "Steven L Umbach" schrieb:
>
>> First check the logs using Event Viewer to see if any general problems
>> are
>> reported for dns, replication, etc
>
> In the application Log, I have some Messages about problems with
> AutoEnrollment, but I think it's the same Problem beacuse it works at the
> other DC's:
> Automatic certificate enrollment for local system failed to enroll for one
> Domain Controller Authentication certificate (0x80070005). Access is
> denied.
>
> At the "File Replivation Service" Log I have some errors that were caused
> by
> DFS Replication, so I think they don't matter.
>
>> and then run the support tools netdiag
>> and dcdiag on that domain controller to check for general health of
>> network
>> connectivity and domain membership.
>
> Here the Results of NETDIAG:
>
> .........................................
>
> Computer Name: STFB-DC01
> DNS Host Name: stfb-dc01.nt.ntplus.de
> System info : Windows 2000 Server (Build 3790)
> Processor : x86 Family 6 Model 11 Stepping 1, GenuineIntel
> List of installed hotfixes :
> KB883939
> KB890046
> KB893756
> KB896358
> KB896422
> KB896428
> KB896727
> KB898715
> KB899587
> KB899588
> KB899591
> KB901214
> KB903235
> Q147222
>
>
> Netcard queries test . . . . . . . : Passed
> GetStats failed for 'Parallelanschluss (direkt)'. [ERROR_NOT_SUPPORTED]
> GetStats failed for 'WAN-Miniport (PPTP)'. [ERROR_NOT_SUPPORTED]
> GetStats failed for 'WAN-Miniport (PPPOE)'. [ERROR_NOT_SUPPORTED]
> [WARNING] The net card 'WAN-Miniport (IP)' may not be working because
> it
> has not received any packets.
> GetStats failed for 'WAN-Miniport (L2TP)'. [ERROR_NOT_SUPPORTED]
>
>
>
> Per interface results:
>
> Adapter : LAN-Verbindung
>
> Netcard queries test . . . : Passed
>
> Host Name. . . . . . . . . : stfb-dc01.nt.ntplus.de
> IP Address . . . . . . . . : 10.3.1.1
> Subnet Mask. . . . . . . . : 255.255.0.0
> Default Gateway. . . . . . : 10.3.0.1
> Primary WINS Server. . . . : 10.3.1.1
> Secondary WINS Server. . . : 10.1.1.30
> Dns Servers. . . . . . . . : 10.3.1.1
> 10.1.1.30
>
>
> AutoConfiguration results. . . . . . : Passed
>
> Default gateway test . . . : Passed
>
> NetBT name test. . . . . . : Passed
> [WARNING] At least one of the <00> 'WorkStation Service', <03>
> 'Messenger Service', <20> 'WINS' names is missing.
>
> WINS service test. . . . . : Passed
>
>
> Global results:
>
>
> Domain membership test . . . . . . : Passed
>
>
> NetBT transports test. . . . . . . : Passed
> List of NetBt transports currently configured:
> NetBT_Tcpip_{12B8D074-280C-4D45-85FB-1A6322FB6708}
> 1 NetBt transport currently configured.
>
>
> Autonet address test . . . . . . . : Passed
>
>
> IP loopback ping test. . . . . . . : Passed
>
>
> Default gateway test . . . . . . . : Passed
>
>
> NetBT name test. . . . . . . . . . : Passed
> [WARNING] You don't have a single interface with the <00> 'WorkStation
> Service', <03> 'Messenger Service', <20> 'WINS' names defined.
>
>
> Winsock test . . . . . . . . . . . : Passed
>
>
> DNS test . . . . . . . . . . . . . : Passed
> PASS - All the DNS entries for DC are registered on DNS server
> '10.3.1.1' and other DCs also have some of the names registered.
> PASS - All the DNS entries for DC are registered on DNS server
> '10.1.1.30' and other DCs also have some of the names registered.
>
>
> Redir and Browser test . . . . . . : Passed
> List of NetBt transports currently bound to the Redir
> NetBT_Tcpip_{12B8D074-280C-4D45-85FB-1A6322FB6708}
> The redir is bound to 1 NetBt transport.
>
> List of NetBt transports currently bound to the browser
> NetBT_Tcpip_{12B8D074-280C-4D45-85FB-1A6322FB6708}
> The browser is bound to 1 NetBt transport.
>
>
> DC discovery test. . . . . . . . . : Passed
>
>
> DC list test . . . . . . . . . . . : Passed
>
>
> Trust relationship test. . . . . . : Passed
> Secure channel for domain 'NT' is to '\\os-dc01.nt.ntplus.de'.
>
>
> Kerberos test. . . . . . . . . . . : Passed
>
>
> LDAP test. . . . . . . . . . . . . : Passed
>
>
> Bindings test. . . . . . . . . . . : Passed
>
>
> WAN configuration test . . . . . . : Skipped
> No active remote access connections.
>
>
> Modem diagnostics test . . . . . . : Passed
>
> IP Security test . . . . . . . . . : Skipped
>
> Note: run "netsh ipsec dynamic show /?" for more detailed information
>
>
> The command completed successfully
>
> Her are the results of DCDIAG:
>
> Domain Controller Diagnosis
>
> Performing initial setup:
> Done gathering initial info.
>
> Doing initial required tests
>
> Testing server: Staufenberg\STFB-DC01
> Starting test: Connectivity
> ......................... STFB-DC01 passed test Connectivity
>
> Doing primary tests
>
> Testing server: Staufenberg\STFB-DC01
> Starting test: Replications
> ......................... STFB-DC01 passed test Replications
> Starting test: NCSecDesc
> ......................... STFB-DC01 passed test NCSecDesc
> Starting test: NetLogons
> ......................... STFB-DC01 passed test NetLogons
> Starting test: Advertising
> ......................... STFB-DC01 passed test Advertising
> Starting test: KnowsOfRoleHolders
> ......................... STFB-DC01 passed test KnowsOfRoleHolders
> Starting test: RidManager
> ......................... STFB-DC01 passed test RidManager
> Starting test: MachineAccount
> ......................... STFB-DC01 passed test MachineAccount
> Starting test: Services
> ......................... STFB-DC01 passed test Services
> Starting test: ObjectsReplicated
> ......................... STFB-DC01 passed test ObjectsReplicated
> Starting test: frssysvol
> ......................... STFB-DC01 passed test frssysvol
> Starting test: frsevent
> There are warning or error events within the last 24 hours after
> the
>
> SYSVOL has been shared. Failing SYSVOL replication problems may
> cause
>
> Group Policy problems.
> ......................... STFB-DC01 failed test frsevent
> Starting test: kccevent
> ......................... STFB-DC01 passed test kccevent
> Starting test: systemlog
> An Error Event occured. EventID: 0x00000457
> Time Generated: 10/12/2005 08:21:00
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 10/12/2005 08:21:01
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 10/12/2005 08:21:02
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 10/12/2005 08:21:02
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 10/12/2005 08:21:03
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0xC0000037
> Time Generated: 10/12/2005 08:21:04
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0xC0000037
> Time Generated: 10/12/2005 08:21:04
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0xC0000037
> Time Generated: 10/12/2005 08:21:05
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0xC0000037
> Time Generated: 10/12/2005 08:21:06
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0xC0000037
> Time Generated: 10/12/2005 08:21:06
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0xC0000037
> Time Generated: 10/12/2005 08:21:07
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0xC0000037
> Time Generated: 10/12/2005 08:21:08
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0xC0000037
> Time Generated: 10/12/2005 08:21:09
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 10/12/2005 08:21:09
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 10/12/2005 08:21:10
> (Event String could not be retrieved)
> ......................... STFB-DC01 failed test systemlog
> Starting test: VerifyReferences
> ......................... STFB-DC01 passed test VerifyReferences
>
> Running partition tests on : ForestDnsZones
> Starting test: CrossRefValidation
> ......................... ForestDnsZones passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... ForestDnsZones passed test CheckSDRefDom
>
> Running partition tests on : DomainDnsZones
> Starting test: CrossRefValidation
> ......................... DomainDnsZones passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... DomainDnsZones passed test CheckSDRefDom
>
> Running partition tests on : Schema
> Starting test: CrossRefValidation
> ......................... Schema passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Schema passed test CheckSDRefDom
>
> Running partition tests on : Configuration
> Starting test: CrossRefValidation
> ......................... Configuration passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Configuration passed test CheckSDRefDom
>
> Running partition tests on : nt
> Starting test: CrossRefValidation
> ......................... nt passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... nt passed test CheckSDRefDom
>
> Running enterprise tests on : nt.ntplus.de
> Starting test: Intersite
> ......................... nt.ntplus.de passed test Intersite
> Starting test: FsmoCheck
> ......................... nt.ntplus.de passed test FsmoCheck
>
>> I would also check to see if the Windows
>> Firewall is enabled on the problem domain controller. If it is try
>> disabling
>> it temporarily to see if that makes a difference. If it does leave it
>> disabled or configure it to allow the necessary IP addresses, ports,
>> protocols, or applications.
>
> The Firewallservice is disabled.
>
>> By default when you run RSOP on a server it
>> will try to contact the PDC fsmo so make sure it can be reached by
>> verifying
>> connectivity by pinging it by name and IP address and verify that you can
>> access an administrative share such as C$ on the PDC fsmo. -- Steve
>>
>
> This connections seems to work because I am able to access \\os-dc01\c$
> without any problems. Do you have some other ideas ?
>
> Hans
>>
>> "hansi-os" <hansi-os@xxxxxxxxxxxxxxxx> wrote in message
>> news:DD5ED777-5A00-4CE2-B08E-E59FE2177FC4@xxxxxxxxxxxxxxxx
>> >I need help with a problem in an W2K3 domain. I have 5 DC's at 4 Sites,
>> >all
>> > W2K3 Server.
>> > Last weekend I made a new installation of on of these DC's, because the
>> > inplace Upgrade from W2k to W2K3 failed. I removed the "old" W2K-DC by
>> > using
>> > ntdsutil / metadata cleanup. After rejoinig the W2K3 Server to the
>> > domain
>> > as
>> > DC by using DCPROMO everything seems to work fine.
>> >
>> > The only thing that is wrong is if I try to run an RSOP at the GPMC
>> > against
>> > this DC from any other PC or Server in the network I get the Message
>> > "Access
>> > denied". On every other DC it works very fine. If I run this local at
>> > the
>> > DC
>> > it works, but if I try to run it against any other DC I get the same
>> > Message.
>> > All DC's are in the same OU "Domain Controllers" and of couse the
>> > Permissions
>> > to plan and view RSOP are given. Can anybody help me?
>> >
>> > I am from Germany so please sorry for my Englisch.
>> >
>> > Hans
>>
>>
>>
.
- Follow-Ups:
- Re: RSOP Access denied at 1 of 5 DC's
- From: hansi-os
- Re: RSOP Access denied at 1 of 5 DC's
- References:
- Re: RSOP Access denied at 1 of 5 DC's
- From: Steven L Umbach
- Re: RSOP Access denied at 1 of 5 DC's
- From: hansi-os
- Re: RSOP Access denied at 1 of 5 DC's
- Prev by Date: Enforce update on a remote computer?
- Next by Date: Re: password never expires script
- Previous by thread: Re: RSOP Access denied at 1 of 5 DC's
- Next by thread: Re: RSOP Access denied at 1 of 5 DC's
- Index(es):
Relevant Pages
|
