Re: Number of GC servers



Are you using the Restricted Groups GPO?? If not set correctly, it will
remove all accounts from the local Administrators group, other than the ones
you have indicated to leave in the policy.

I had problems setting this policy up when I first created our AD domain.

If you have the Group Policy Management tool you can run the Group Policy
Results wizard on a specific machine & user account.

What that will tell you is what policies are affecting a user, on a machine.
That might give you an indication as to why labserver works on one server
(keeps admin rights) but does not on another server.

In my domain, I actually block the Restricted Groups policy on all Domain
Controllers and Member Servers. Restricted Groups is fine for PCs, but I
like to manage the servers myself...too many things can go wrong if not
configured correctly (i.e. one of our sysadmins misconfigured it once, and
removed Domain Admins from all local Administrators groups....quite messy).



"Adrian Marsh (NNTP)" wrote:

Hi Hutch,

DNS is handled by corporate (non-microsoft) servers. I think these are
OK, as I've had major problems in the past, and have run every test
conceivable against them.

I found the GC tickbox, and then I've also added all the GC DNS entries
into the DNS servers for the new GC. I'm not quite sure how to test it
though.

I've rebooted both GCs (independently, 20 mins apart). But I still get
problems with the accounts.. For example:

If I log on to cmpq02 or cmpq04 as "labserver" (a generic account that is
part of the local Administrators group, set by GPO) via Terminal
Services, then I get told "You do not have access to this logon session".
If I log on at the console, I can log in, but I cannot shut down the
server. It's as though the user has lost the admin rights.

On dell04 and cmpq06, however, I can log in as labserver OK via TS, and
have no problems executing reboots. I see nothing in cmpq02/04's event
logs about netlogon.

I'm completely bemused as to what is causing it. I need a way to check
the status of the "labserver" userid within the GPO - I was thinking of
re-creating the account, but I'm not sure of the knock-on this might have.

A.

Hutch wrote:
There is one negative to having multiple GCs in the same location, and that is
replication traffic. However, I have 2 GCs in my main office, and have not
noticed anything major. I sleep better knowing that my GC is backed up,
especially since we did some custom schema modifications.

To make the other DC a GC...DO NOT dcpromo. Go to Active Directory Sites &
Services, select the DC you want to make a Global Catalog..go to its NTDS
Settings, right click, Properties, put a check mark in Global Catalog. Once
there, it will automatically replicate with your other DC.

As for your other errors...that does sound like a DNS problem. When you do
an nslookup and type the name of your domain controller, what response do you
get??

I am also assuming your other DC has DNS running as well??

"Adrian Marsh (NNTP)" wrote:

Ok... that sounds good, as my main GC is now giving some strange errors
after a controlled power-down last night, and I've several client
(server class) machines that are giving very strange behaviours:

- Users that were admins before, now don't get admin rights
- Accessing the domain via "\\domain" no longer works internally (but
DNS is all ok)

DCDIAG checks out as all ok, but I now get the below message in the GCs
event log:

So - next question - how do I make my second DC a GC as well
(DCpromo??). I guess I need to update DNS (it's a private/controlled
non-MS DNS system) and add A records for the new GC. What else should
I add? Does the original GC need to be 100% operational first?

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 27/04/2006
Time: 11:50:58
User: NT AUTHORITY\SYSTEM
Computer: SWOCMPQ01
Description:
Windows cannot access the file gpt.ini for GPO The file must be present
at the location <>. (). Group Policy processing aborted.



Serkan Varoglu wrote:
All GC

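A way to verify the Global Catalog tick box and the hand-added DNS entries that the thread leaves untested, and to check the SYSVOL gpt.ini path behind the Userenv 1000 event. This is an added PowerShell example, not code from any poster; it assumes the RSAT ActiveDirectory, GroupPolicy and DnsClient modules (which postdate the Windows 2003-era servers in the thread) and a domain-joined admin session.

```powershell
# Added diagnostic, not from the thread. Assumes RSAT modules ActiveDirectory,
# GroupPolicy and DnsClient (Windows Server 2008 R2 / Windows 7 or later).
Import-Module ActiveDirectory, GroupPolicy, DnsClient

$forest = (Get-ADForest).RootDomain
$domain = (Get-ADDomain).DNSRoot

# 1. Which DCs currently advertise as Global Catalog (the NTDS Settings tick box).
Write-Host "== Domain controllers and GC status =="
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog |
    Format-Table -AutoSize

# 2. Does DNS publish a _gc SRV record for each GC? A non-Microsoft DNS needs
#    these added by hand; a GC with no SRV record is invisible to clients.
Write-Host "== _gc._tcp SRV records in DNS =="
$gcSrv = Resolve-DnsName -Name "_gc._tcp.$forest" -Type SRV -ErrorAction SilentlyContinue
$gcSrv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } | ForEach-Object {
    $dc = $_.HostName
    if (-not ($gcSrv.NameTarget -contains $dc)) {
        Write-Warning "$dc is a GC but has no _gc._tcp SRV record in DNS"
    }
    # 3. Is the GC LDAP port (TCP 3268) actually reachable from here?
    $tcp = Test-NetConnection -ComputerName $dc -Port 3268 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "$dc does not answer on TCP 3268 (Global Catalog LDAP)"
    }
}

# 4. Userenv 1000 "cannot access the file gpt.ini": test every GPO's gpt.ini in SYSVOL.
Write-Host "== gpt.ini reachability for each GPO =="
Get-GPO -All | ForEach-Object {
    $gpt = "\\$domain\SYSVOL\$domain\Policies\{$($_.Id)}\gpt.ini"
    if (Test-Path $gpt) {
        "{0,-40} OK" -f $_.DisplayName
    } else {
        Write-Warning ("{0,-40} MISSING: {1}" -f $_.DisplayName, $gpt)
    }
}

# 5. What Restricted Groups (and every other setting) resolves to for one account
#    on one machine: the same RSoP report the Group Policy Results wizard produces.
#    Machine and user names below are the ones from the thread.
# Get-GPResultantSetOfPolicy -Computer CMPQ02 -User labserver -ReportType Html -Path .\rsop.html
```

Run it on a machine that works (dell04) and one that does not (cmpq02) and diff the two RSoP reports; a Restricted Groups entry present on only one side is the usual explanation for an account losing local admin rights on some servers but not others.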