Re: Very Critical issue




Ok,
Since you're able to recreate the trust, that means that the DC that was used to create the trust is able to communicate and validate the trust. Go to each DC and make sure that they can validate the trust and that they can reach the other DC in the other forest.

Now, are the clients using that same DC/DNS or are they querying a different DC/DNS that may have issues in its DNS secondary zone?

What changes did you make? When you made those changes, was it at that time that the clients started having issues when trying to access the other servers in the other forest? Did you enable any FW locally on the DCs?

Can you describe exactly how the clients' DNS is configured and how the DCs' DNS is configured for that zone?

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Sukhwinder Singh" <SukhwinderSingh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:B77FE02D-5621-403A-9148-76E4F5D013E4@xxxxxxxxxxxxxxxx
Dear Jorge,

We have recreated and reloaded the secondary zones and created Trust again
which shows that the Secondary zones were getting transferred properly.

We have recently changed some of the File permissions and registry
permissions on the Domain controllers in the users domain as per the
procedure of hardening Windows 2003 servers. Can you help me to find if the
problem happened due to those changes.

Thanks and Regards,

Sukhwinder Singh






"Jorge Silva" wrote:

Ok,
What are you saying... That after you created the stub zone the problem was
solved? If yes, that shows that you had outdated DNS secondary zones on
those DNS servers that were serving the clients' requests. Remember that
secondary zones for domains that are outside of your forest need to be
explicitly authorized. If the zones were outdated, that could be because you
either lost the permissions for zone transfers (and warning logs will be
recorded at the DNS server) or some FW is blocking the TCP port 53 that is
used for zone transfer.
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Sukhwinder Singh" <SukhwinderSingh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:89B79680-2B71-4679-B9CD-4F874F4BC684@xxxxxxxxxxxxxxxx
> Dear Jorge,
>
> Even after changing the Time in both the Domains and synchronising the issue
> was not resolved.
>
> We have deleted the secondary zones which were created for Trust creation
> and created the stub zones in place of that and configured the DNS to
> replicate the stub zone to all Domain controllers after that the issue is
> resolved.
>
> I need to find the Root Cause of the issue but not able to understand what
> was the issue as the trust was working fine since last 4 months and users
> were able to access all the shares. Suddenly on Monday morning the issue
> started. We have created Stub zone as a workaround but can someone help me
> to get to the root of the issue.
>
> I am in a real fix.
>
> Please Help!!!!!!
>
> Thanks and Regards,
>
> Sukhwinder Singh
>
> "Jorge Silva" wrote:
>
>> Correct, time is very important in AD environments to validate Kerberos
>> and replication. Correct that and check if the same happens. Let us know the
>> results.
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>> "Sukhwinder Singh" <SukhwinderSingh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>> message news:5724E9D1-5EEC-45BA-9070-BAA2A3984100@xxxxxxxxxxxxxxxx
>> >
>> > Hi Jorge,
>> >
>> > We do have WINS setup in both the domains. DNS is installed in all the
>> > DC's and workstations are configured to connect to the local DNS servers in
>> > site.
>> >
>> > When we Ping using netbios or host name we are getting proper response.
>> >
>> > We have found one more thing that after logging to PDC in a.com and opening
>> > dsa.msc when we are trying to connect to b.com domain we are getting the
>> > error
>> >
>> > "windows cannot connect to the new domain no authority could be contacted
>> > for authentication"
>> >
>> > We have checked and found that there is time difference of more than 5
>> > mins between both the domains.
>> >
>> > Please confirm if the issue can happen due to time difference in both the
>> > domains as it is more than 5 mins.
>> >
>> > Sukhwinder Singh
>> >
>> > Regards,
>> > "Jorge Silva" wrote:
>> >
>> >> Hi
>> >> -Did you follow my last post?
>> >> -Do you have WINS? How DNS is configured in Workstations/Servers and DCS?
>> >>
>> >> - If you ping that server using \\servername, what results do you get? and
>> >> if you ping using the FQDN \\servername.domain.com what results do you get?
>> >>
>> >> --
>> >> I hope that the information above helps you.
>> >> Have a Nice day.
>> >>
>> >> Jorge Silva
>> >> MCSE, MVP Directory Services
>> >>
>> >> Please no e-mails, any questions should be posted in the NewsGroup
>> >> This posting is provided "AS IS" with no warranties, and confers no rights.
>> >> "Sukhwinder Singh" <SukhwinderSingh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>> >> message news:B99556BD-761C-4DA8-8B4A-3FDBD8B516EF@xxxxxxxxxxxxxxxx
>> >> >
>> >> > Hi Jorge,
>> >> >
>> >> > We have checked DNS and Domain functionality using DCDIAG AND NETDIAG and
>> >> > could not find any error. In one of the servers the issue is resolved by
>> >> > restarting the file server.
>> >> > We have logged into another file server and checked the acl of the shared
>> >> > folders. I was surprised to see that the acl contains some unresolved SID's
>> >> > from the other domain. We have previously done security translation on these
>> >> > servers to add the users from both the domains.
>> >> >
>> >> > The users from the domain in which the server is added are showing fine but
>> >> > users from other domain are showing as unresolved SID's
>> >> >
>> >> > Will there be any issue with secure channel. Kindly let me know how to
>> >> > verify secure channel in windows 2000 file server.
>> >> >
>> >> > "Jorge Silva" wrote:
>> >> >
>> >> >> Hi
>> >> >> This is generally caused by bad DNS configuration, make sure that BOTH ends
>> >> >> can resolve each other by DNS, then do the test using
>> >> >> \\servername.domain.com. Also check WINS (assuming different subnets) when
>> >> >> using \\servername instead of \\servername.domain.com.
>> >> >>
>> >> >> --
>> >> >> I hope that the information above helps you.
>> >> >> Have a Nice day.
>> >> >>
>> >> >> Jorge Silva
>> >> >> MCSE, MVP Directory Services
>> >> >>
>> >> >> Please no e-mails, any questions should be posted in the NewsGroup
>> >> >> This posting is provided "AS IS" with no warranties, and confers no rights.
>> >> >> "Sukhwinder Singh" <SukhwinderSingh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>> >> >> message news:193C9E8A-E7EA-4B0A-AD78-64C8CC6E55E5@xxxxxxxxxxxxxxxx
>> >> >> > Dear All,
>> >> >> >
>> >> >> > We are facing serious issue in our Active Directory network. We have 2
>> >> >> > forests and there is forest trust between both the forests. There is a file
>> >> >> > server in domain a.com and the users are in domain b.com. When the users are
>> >> >> > trying to access the file server as \\servername they are getting the error
>> >> >> > as below
>> >> >> >
>> >> >> > "\\servername is not accessible. You might not have permission to use this
>> >> >> > network resource. Contact the administrator of this server to find out if
>> >> >> > you have access permissions.
>> >> >> >
>> >> >> > There are currently no logon servers available to service the logon
>> >> >> > request."
>> >> >> >
>> >> >> > This issue is very critical as no one is able to access the shared drives.
>> >> >> >
>> >> >> > We are in the process of domain consolidation, so many of the users have
>> >> >> > already been migrated to b.com domain but the servers are still in a.com.
>> >> >> >
>> >> >> > Need urgent help on the same.
>> >> >> >
>> >> >> > Would be very grateful
>> >> >> >
>> >> >> > Sukhwinder singh
>> >> >> >
>> >> >>
>> >>
>>
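
The thread traces the outage to secondary zones that had gone out of date, with lost zone-transfer permission or a firewall interfering with TCP port 53 named as possible causes. As an added example (not part of the thread, and not code from either poster), this Python script asks a master and a secondary DNS server for a zone's SOA serial over TCP 53 and compares them; all function names are hypothetical and the server addresses are supplied by the caller.

```python
import socket
import struct

SOA, IN = 6, 1  # DNS record type and class codes

def build_soa_query(zone, txid=0x1234):
    """SOA query framed for TCP: 2-byte length prefix, then the DNS message."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # RD=0: ask for the server's own copy
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", SOA, IN)
    return struct.pack("!H", len(msg)) + msg

def skip_name(msg, off):
    """Offset just past a domain name, which may end in a compression pointer."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_soa_serial(msg):
    """Serial number from a DNS response (TCP length prefix already removed)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F or ancount == 0:
        raise ValueError("no SOA answer, rcode=%d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA:
            serial_at = skip_name(msg, skip_name(msg, off))  # past MNAME and RNAME
            return struct.unpack("!I", msg[serial_at:serial_at + 4])[0]
        off += rdlen
    raise ValueError("answer section holds no SOA record")

def query_serial(server, zone, timeout=3.0):
    """Zone serial from one server over TCP 53; OSError means the port is unreachable."""
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(build_soa_query(zone))
        stream = sock.makefile("rb")
        (length,) = struct.unpack("!H", stream.read(2))
        return parse_soa_serial(stream.read(length))

def secondary_is_current(master, secondary, zone):
    """True when the secondary's copy carries the same serial as the master's."""
    return query_serial(master, zone) == query_serial(secondary, zone)
```

Run `secondary_is_current(master_ip, secondary_ip, "b.com")` from the DNS server that holds the secondary copy: an `OSError` on the master query points at TCP 53 being unreachable, `False` at a stale copy, and `ValueError` at a server that no longer answers for the zone.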

