Re: Unable to create AD objects...



What was the moment you were not able to create users anymore? Was it possible, and it then suddenly stopped?

> * Network Logons Privileges Check
> Unable to connect to the NETLOGON share! (\\MCP01\netlogon)
> [MCP01] An net use or LsaPolicy operation failed with error 1203,
> No network provider accepted the given network path..
> ......................... MCP01 failed test NetLogons

this one also worries me....


do a NET SHARE to see if the SYSVOL and NETLOGON shares exist

use the following command to see what account belongs to the SID: S-1-5-21-3402352517-712457843-1199885889-1632

sidtoname S-1-5-21-3402352517-712457843-1199885889-1632

you can get sidtoname from joeware.net

then check the default domain controller GPO and the default domain GPO to see where the account is configured

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Steven Sinclair" <StevenSinclair@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:0C1F2679-A303-4C7A-A6F5-F6754304B395@xxxxxxxxxxxxxxxx
No errors in any of the event logs until yesterday (around the time I ran the
DCDIAG commands). The event was in the system event log as follows:

Date: 6/18/2008 Source: SceSrv
Time: 12:20:43 PM Category: None
Type: Error Event ID: 1003
User: N/A
Computer: MCP01

Description:
Notification of policy change from LSA/SAM has been retried and failed.
Error 4312 to save policy change for account
S-1-5-21-3402352517-712457843-1199885889-1632 in the default GPOs. For more
debugging information, please look security\logs\scepol.log under Windows
root.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Thanx again.



"Jorge de Almeida Pinto [MVP - DS]" wrote:

any event IDs with errors?

"Steven Sinclair" <StevenSinclair@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:65F69275-0506-4462-803A-C5992C77C0DA@xxxxxxxxxxxxxxxx
> Yes, sorry, I did mention them both a PDC and a BDC in that original
> thread.
>
> Since I'm unaware of how to "attach" the DCDIAG output, I'll simply insert
> it here...
>
> ---------------
> Domain Controller Diagnosis
>
> Performing initial setup:
> * Verifying that the local machine mcp01, is a DC.
> * Connecting to directory service on server mcp01.
> * Collecting site info.
> * Identifying all servers.
> * Identifying all NC cross-refs.
> * Found 1 DC(s). Testing 1 of them.
> Done gathering initial info.
>
> Doing initial required tests
>
> Testing server: Default-First-Site-Name\MCP01
> Starting test: Connectivity
> * Active Directory LDAP Services Check
> * Active Directory RPC Services Check
> ......................... MCP01 passed test Connectivity
>
> Doing primary tests
>
> Testing server: Default-First-Site-Name\MCP01
> Starting test: Replications
> * Replications Check
> * Replication Latency Check
> ......................... MCP01 passed test Replications
> Starting test: Topology
> * Configuration Topology Integrity Check
> * Analyzing the connection topology for
> DC=ForestDnsZones,DC=mydomain,DC=com.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the connection topology for
> DC=DomainDnsZones,DC=mydomain,DC=com.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the connection topology for
> CN=Schema,CN=Configuration,DC=mydomain,DC=com.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the connection topology for
> CN=Configuration,DC=mydomain,DC=com.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the connection topology for DC=mydomain,DC=com.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> ......................... MCP01 passed test Topology
> Starting test: CutoffServers
> * Configuration Topology Aliveness Check
> * Analyzing the alive system replication topology for
> DC=ForestDnsZones,DC=mydomain,DC=com.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the alive system replication topology for
> DC=DomainDnsZones,DC=mydomain,DC=com.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the alive system replication topology for
> CN=Schema,CN=Configuration,DC=mydomain,DC=com.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the alive system replication topology for
> CN=Configuration,DC=mydomain,DC=com.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the alive system replication topology for
> DC=mydomain,DC=com.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> ......................... MCP01 passed test CutoffServers
> Starting test: NCSecDesc
> * Security Permissions check for all NC's on DC MCP01.
> * Security Permissions Check for
> DC=ForestDnsZones,DC=mydomain,DC=com
> (NDNC,Version 2)
> * Security Permissions Check for
> DC=DomainDnsZones,DC=mydomain,DC=com
> (NDNC,Version 2)
> * Security Permissions Check for
> CN=Schema,CN=Configuration,DC=mydomain,DC=com
> (Schema,Version 2)
> * Security Permissions Check for
> CN=Configuration,DC=mydomain,DC=com
> (Configuration,Version 2)
> * Security Permissions Check for
> DC=mydomain,DC=com
> (Domain,Version 2)
> ......................... MCP01 passed test NCSecDesc
> Starting test: NetLogons
> * Network Logons Privileges Check
> Unable to connect to the NETLOGON share! (\\MCP01\netlogon)
> [MCP01] An net use or LsaPolicy operation failed with error 1203,
> No network provider accepted the given network path..
> ......................... MCP01 failed test NetLogons
> Starting test: Advertising
> The DC MCP01 is advertising itself as a DC and having a DS.
> The DC MCP01 is advertising as an LDAP server
> The DC MCP01 is advertising as having a writeable directory
> The DC MCP01 is advertising as a Key Distribution Center
> The DC MCP01 is advertising as a time server
> The DS MCP01 is advertising as a GC.
> ......................... MCP01 passed test Advertising
> Starting test: KnowsOfRoleHolders
> Role Schema Owner = CN=NTDS
> Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
> Role Domain Owner = CN=NTDS
> Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
> Role PDC Owner = CN=NTDS
> Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
> Role Rid Owner = CN=NTDS
> Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
> Role Infrastructure Update Owner = CN=NTDS
> Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
> ......................... MCP01 passed test KnowsOfRoleHolders
> Starting test: RidManager
> * Available RID Pool for the Domain is 2104 to 1073741823
> * mcp01.mydomain.com is the RID Master
> * DsBind with RID Master was successful
> * rIDAllocationPool is 1604 to 2103
> * rIDPreviousAllocationPool is 1604 to 2103
> * rIDNextRID: 1635
> ......................... MCP01 passed test RidManager
> Starting test: MachineAccount
> Checking machine account for DC MCP01 on DC MCP01.
> * SPN found :LDAP/mcp01.mydomain.com/mydomain.com
> * SPN found :LDAP/mcp01.mydomain.com
> * SPN found :LDAP/MCP01
> * SPN found :LDAP/mcp01.mydomain.com/PMHPRINEVILLE
> * SPN found
> :LDAP/17612149-47c5-4544-a68e-777e3207dc1a._msdcs.mydomain.com
> * SPN found
> :E3514235-4B06-11D1-AB04-00C04FC2DCD2/17612149-47c5-4544-a68e-777e3207dc1a/mydomain.com
> * SPN found :HOST/mcp01.mydomain.com/mydomain.com
> * SPN found :HOST/mcp01.mydomain.com
> * SPN found :HOST/MCP01
> * SPN found :HOST/mcp01.mydomain.com/PMHPRINEVILLE
> * SPN found :GC/mcp01.mydomain.com/mydomain.com
> ......................... MCP01 passed test MachineAccount
> Starting test: Services
> * Checking Service: Dnscache
> * Checking Service: NtFrs
> * Checking Service: IsmServ
> * Checking Service: kdc
> * Checking Service: SamSs
> * Checking Service: LanmanServer
> * Checking Service: LanmanWorkstation
> * Checking Service: RpcSs
> * Checking Service: w32time
> * Checking Service: NETLOGON
> ......................... MCP01 passed test Services
> Starting test: OutboundSecureChannels
> * The Outbound Secure Channels test
> ** Did not run Outbound Secure Channels test
> because /testdomain: was not entered
> ......................... MCP01 passed test OutboundSecureChannels
> Starting test: ObjectsReplicated
> MCP01 is in domain DC=mydomain,DC=com
> Checking for CN=MCP01,OU=Domain Controllers,DC=mydomain,DC=com in
> domain DC=mydomain,DC=com on 1 servers
> Object is up-to-date on all servers.
> Checking for CN=NTDS
> Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
> in domain CN=Configuration,DC=mydomain,DC=com on 1 servers
> Object is up-to-date on all servers.
> ......................... MCP01 passed test ObjectsReplicated
> Starting test: frssysvol
> * The File Replication Service SYSVOL ready test
> File Replication Service's SYSVOL is ready
> ......................... MCP01 passed test frssysvol
> Starting test: frsevent
> * The File Replication Service Event log test
> ......................... MCP01 passed test frsevent
> Starting test: kccevent
> * The KCC Event log test
> Found no KCC errors in Directory Service Event log in the last 15
> minutes.
> ......................... MCP01 passed test kccevent
> Starting test: systemlog
> * The System Event log test
> An Error Event occured. EventID: 0x40011006
> Time Generated: 06/18/2008 13:28:21
> Event String: The connection was aborted by the remote WINS.
>
> Remote WINS may not be configured to replicate
>
> with the server.
> ......................... MCP01 failed test systemlog
> Starting test: VerifyReplicas
> ......................... MCP01 passed test VerifyReplicas
> Starting test: VerifyReferences
> The system object reference (serverReference)
>
> CN=MCP01,OU=Domain Controllers,DC=mydomain,DC=com and backlink
>
> on
>
>
> CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
>
> are correct.
> The system object reference (frsComputerReferenceBL)
>
> CN=MCP01,CN=Domain System Volume (SYSVOL share),CN=File
> Replication
> Service,CN=System,DC=mydomain,DC=com
>
> and backlink on
>
> CN=MCP01,OU=Domain Controllers,DC=mydomain,DC=com are correct.
>
> The system object reference (serverReferenceBL)
>
> CN=MCP01,CN=Domain System Volume (SYSVOL share),CN=File
> Replication
> Service,CN=System,DC=mydomain,DC=com
>
> and backlink on
>
> CN=NTDS
> Settings,CN=MCP01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
>
> are correct.
> ......................... MCP01 passed test VerifyReferences
> Starting test: VerifyEnterpriseReferences
> ......................... MCP01 passed test
> VerifyEnterpriseReferences
> Starting test: CheckSecurityError
> * Dr Auth: Beginning security errors check!
> Found KDC MCP01 for domain mydomain.com in site
> Default-First-Site-Name
> Checking machine account for DC MCP01 on DC MCP01.
> * SPN found :LDAP/mcp01.mydomain.com/mydomain.com
> * SPN found :LDAP/mcp01.mydomain.com
> * SPN found :LDAP/MCP01
> * SPN found :LDAP/mcp01.mydomain.com/PMHPRINEVILLE
> * SPN found
> :LDAP/17612149-47c5-4544-a68e-777e3207dc1a._msdcs.mydomain.com
> * SPN found
> :E3514235-4B06-11D1-AB04-00C04FC2DCD2/17612149-47c5-4544-a68e-777e3207dc1a/mydomain.com
> * SPN found :HOST/mcp01.mydomain.com/mydomain.com
> * SPN found :HOST/mcp01.mydomain.com
> * SPN found :HOST/MCP01
> * SPN found :HOST/mcp01.mydomain.com/PMHPRINEVILLE
> * SPN found :GC/mcp01.mydomain.com/mydomain.com
> [MCP01] No security related replication errors were found on this
> DC! To target the connection to a specific source DC use
> /ReplSource:<DC>.
> ......................... MCP01 passed test CheckSecurityError
>
> DNS Tests are running and not hung. Please wait a few minutes...
>
> Running partition tests on : ForestDnsZones
> Starting test: CrossRefValidation
> ......................... ForestDnsZones passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... ForestDnsZones passed test CheckSDRefDom
>
> Running partition tests on : DomainDnsZones
> Starting test: CrossRefValidation
> ......................... DomainDnsZones passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... DomainDnsZones passed test CheckSDRefDom
>
> Running partition tests on : Schema
> Starting test: CrossRefValidation
> ......................... Schema passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Schema passed test CheckSDRefDom
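
Added example, not part of the original thread: one way to carry out the "check the default domain controller GPO and the default domain GPO" step. User rights assigned through a GPO are stored in that GPO's GptTmpl.inf security template under [Privilege Rights]; the function name and the sample template below are constructed for illustration, and only the SID comes from the event text above.

```python
import re

# Constructed sample in the layout of a GPO security template (GptTmpl.inf).
# Only the long SID is taken from the event in the thread; the rights
# assigned to it here are invented for the example.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-11
SeBatchLogonRight = *S-1-5-32-551,*S-1-5-21-3402352517-712457843-1199885889-1632
SeServiceLogonRight = *S-1-5-21-3402352517-712457843-1199885889-1632
SeDenyInteractiveLogonRight =
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash=4,1
"""

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$", re.IGNORECASE)

def rights_for_sid(inf_text, sid):
    """Return the user rights in [Privilege Rights] that list the given SID."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID string: %r" % sid)
    section, hits = None, []
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and INF comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        right, _, members = line.partition("=")
        # SIDs are written with a leading '*'; plain account names have none.
        entries = {m.strip().lstrip("*").upper() for m in members.split(",")}
        if sid.upper() in entries:
            hits.append(right.strip())
    return hits

if __name__ == "__main__":
    sid = "S-1-5-21-3402352517-712457843-1199885889-1632"
    print(rights_for_sid(SAMPLE_INF, sid))
```

The templates on a DC are normally saved as UTF-16, so read the file with `encoding="utf-16"` before passing its text to the function.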
