Re: Unable to create AD objects...



Here's something really interesting...

I restarted the server, and now I'm able to create user objects.

Why would a simple restart correct the problem?

Thanx.



"Steven Sinclair" wrote:

No errors in any of the event logs until yesterday (around the time I ran the
DCDIAG commands). The event was in the system event log as follows:

Date: 6/18/2008
Time: 12:20:43 PM
Source: SceSrv
Category: None
Type: Error
Event ID: 1003
User: N/A
Computer: MCP01

Description:
Notification of policy change from LSA/SAM has been retried and failed.
Error 4312 to save policy change for account
S-1-5-21-3402352517-712457843-1199885889-1632 in the default GPOs. For more
debugging information, please look security\logs\scepol.log under Windows
root.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Thanx again.



"Jorge de Almeida Pinto [MVP - DS]" wrote:

any event IDs with errors?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------
"Steven Sinclair" <StevenSinclair@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:65F69275-0506-4462-803A-C5992C77C0DA@xxxxxxxxxxxxxxxx
Yes, sorry, I did mention them both a PDC and a BDC in that original
thread.

Since I'm unaware of how to "attach" the DCDIAG output, I'll simply insert
it here...

---------------
Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine mcp01, is a DC.
* Connecting to directory service on server mcp01.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\MCP01
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... MCP01 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\MCP01
Starting test: Replications
* Replications Check
* Replication Latency Check
......................... MCP01 passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for
DC=ForestDnsZones,DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
DC=DomainDnsZones,DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Configuration,DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... MCP01 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for
DC=ForestDnsZones,DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=DomainDnsZones,DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Schema,CN=Configuration,DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Configuration,DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=mydomain,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... MCP01 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC MCP01.
* Security Permissions Check for
DC=ForestDnsZones,DC=mydomain,DC=com
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=mydomain,DC=com
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=mydomain,DC=com
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=mydomain,DC=com
(Configuration,Version 2)
* Security Permissions Check for
DC=mydomain,DC=com
(Domain,Version 2)
......................... MCP01 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Unable to connect to the NETLOGON share! (\\MCP01\netlogon)
[MCP01] An net use or LsaPolicy operation failed with error 1203,
No network provider accepted the given network path..
......................... MCP01 failed test NetLogons
Starting test: Advertising
The DC MCP01 is advertising itself as a DC and having a DS.
The DC MCP01 is advertising as an LDAP server
The DC MCP01 is advertising as having a writeable directory
The DC MCP01 is advertising as a Key Distribution Center
The DC MCP01 is advertising as a time server
The DS MCP01 is advertising as a GC.
......................... MCP01 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Role Domain Owner = CN=NTDS
Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Role PDC Owner = CN=NTDS
Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Role Rid Owner = CN=NTDS
Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
......................... MCP01 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 2104 to 1073741823
* mcp01.mydomain.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1604 to 2103
* rIDPreviousAllocationPool is 1604 to 2103
* rIDNextRID: 1635
......................... MCP01 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC MCP01 on DC MCP01.
* SPN found :LDAP/mcp01.mydomain.com/mydomain.com
* SPN found :LDAP/mcp01.mydomain.com
* SPN found :LDAP/MCP01
* SPN found :LDAP/mcp01.mydomain.com/PMHPRINEVILLE
* SPN found
:LDAP/17612149-47c5-4544-a68e-777e3207dc1a._msdcs.mydomain.com
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/17612149-47c5-4544-a68e-777e3207dc1a/mydomain.com
* SPN found :HOST/mcp01.mydomain.com/mydomain.com
* SPN found :HOST/mcp01.mydomain.com
* SPN found :HOST/MCP01
* SPN found :HOST/mcp01.mydomain.com/PMHPRINEVILLE
* SPN found :GC/mcp01.mydomain.com/mydomain.com
......................... MCP01 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... MCP01 passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... MCP01 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
MCP01 is in domain DC=mydomain,DC=com
Checking for CN=MCP01,OU=Domain Controllers,DC=mydomain,DC=com in
domain DC=mydomain,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
in domain CN=Configuration,DC=mydomain,DC=com on 1 servers
Object is up-to-date on all servers.
......................... MCP01 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... MCP01 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... MCP01 passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15
minutes.
......................... MCP01 passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40011006
Time Generated: 06/18/2008 13:28:21
Event String: The connection was aborted by the remote WINS.

Remote WINS may not be configured to replicate

with the server.
......................... MCP01 failed test systemlog
Starting test: VerifyReplicas
......................... MCP01 passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)

CN=MCP01,OU=Domain Controllers,DC=mydomain,DC=com and backlink

on


CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com

are correct.
The system object reference (frsComputerReferenceBL)

CN=MCP01,CN=Domain System Volume (SYSVOL share),CN=File
Replication
Service,CN=System,DC=mydomain,DC=com

and backlink on

CN=MCP01,OU=Domain Controllers,DC=mydomain,DC=com are correct.

The system object reference (serverReferenceBL)

CN=MCP01,CN=Domain System Volume (SYSVOL share),CN=File
Replication
Service,CN=System,DC=mydomain,DC=com

and backlink on

CN=NTDS
Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com

are correct.
......................... MCP01 passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
......................... MCP01 passed test
VerifyEnterpriseReferences
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC MCP01 for domain mydomain.com in site
Default-First-Site-Name
Checking machine account for DC MCP01 on DC MCP01.
* SPN found :LDAP/mcp01.mydomain.com/mydomain.com
* SPN found :LDAP/mcp01.mydomain.com
* SPN found :LDAP/MCP01
* SPN found :LDAP/mcp01.mydomain.com/PMHPRINEVILLE
* SPN found
:LDAP/17612149-47c5-4544-a68e-777e3207dc1a._msdcs.mydomain.com
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/17612149-47c5-4544-a68e-777e3207dc1a/mydomain.com
* SPN found :HOST/mcp01.mydomain.com/mydomain.com
* SPN found :HOST/mcp01.mydomain.com
* SPN found :HOST/MCP01
* SPN found :HOST/mcp01.mydomain.com/PMHPRINEVILLE
* SPN found :GC/mcp01.mydomain.com/mydomain.com
[MCP01] No security related replication errors were found on this
.


