RE: All users denied access this morning ......

Hi John,

Thanks for posting here.

From your post, my understanding on this issue is: all of users cannot
access domain, and you receive Event ID 7011 and Event ID 7 error message.
If I am off base, please feel free to let me know.

Unfortunately, based on the information I have now, I am still a little
unclear about the exact nature of this issue. Please describe the issue to
me in further detail and I will research your issue promptly.

1. All our users were denied access to the domain this morning.

Please let me know whether all of users cannot login domain, or they can
login domain but cannot access resource in domain.

2. If all of users cannot login domain, please let me know what's happen
when they login, whether they get any error message.

From the post, I understand that you received the following error in Event
Log:

Source: Service Control Manager
Category: None
Event ID: 7011

Description:
Timeout (30000 milliseconds) waiting for a transaction response from the
NtFrs service.

In order to get more clues for this problem, please provide run the
following tools to gather some information from this server:

1. Run FRSDiag.exe:

File Replication Service Diagnostics Tool (FRSDiag.exe)
http://www.microsoft.com/downloads/details.aspx?FamilyId=43CB658E-8553-4DE7-
811A-562563EB5EBF&displaylang=en


2. Run Directory Services Edition (Mpsrpt_dirsvc.exe) of MPS Report.
818742.KB.EN-US Overview of the Microsoft Configuration Capture Utility
(MPS_REPORTS)
http://support.microsoft.com/default.aspx?scid=KB;EN-US;818742

Please send the above information to me at: v-stezhu@xxxxxxxxxxxxxx

For Event ID 7, the message appears to be the result of normal replication
latency in the
environment where the object guid (globally unique identifier) is found at
the
global catalog but has not yet replicated to the domain naming context. I
found a
similar message in some bug reports, but upon further review those bugs did
not
display the actual account name and instead showed question marks where the
account
name should appear. The message essentially indicates an "account not
found"
occurrence but our developers did not have a better way to express the
information
in the error message.

The problem should go away for that specific account once replication
between
domain controllers converge. It appears that this message is safe to
ignore, but I
am double-checking this for good measure. If this is the case and this is
a benign
error message, I will non-decrement this issue so that you are not charged
for a
support incident.

Please let me know the above information so that I can provide the further
assistance on this issue. I am looking forward to your reply.

Have a nice day.

Best Regards,

Steven Zhu
MCSE
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
updated on February 14, 2006.? Please complete a re-registration process
by entering the secure code mmpng06 when prompted. Once you have
entered the secure code mmpng06, you will be able to update your profile
and access the partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================







.

Relevant Pages

  • Re: All users denied access this morning ......
    ... the message appears to be the result of normal replication ... display the actual account name and instead showed question marks where the ... Steven Zhu ... PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were ...
    (microsoft.public.windows.server.sbs)
  • RE: DCpromo issue. Health check on AD and group policy.
    ... Enterprise Admins group, or at the least a domain admin account of the domain ... Try running MS Sonar to check you SYSVOL replication status: ... Use sonar to check if the sysvols (File Replication Service) is replicating. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Cluster Resource replacing physical server
    ... regardless of the status of the AD replication. ... Create the virtual computer account manually if the Cluster service account ... Then connect to cluster administrator to Enable Kerberos on the network name ... Create cluster resource ...
    (microsoft.public.sqlserver.clustering)
  • Re: 2003 Server Client/Delegation and Data Issues
    ... Thank you Jorge. ... caused by the fact the replication didn't occured yet, ... I want to delegate the ability to unlock user accounts to 3 non-technical ... it shows an account as locked ...
    (microsoft.public.windows.server.active_directory)
  • Re: Userenv errors
    ... it seems like I'm getting these Userenv errors on several PCs, ... account in your domain? ... Windows 2000 Server and Windows ... PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were ...
    (microsoft.public.windows.server.sbs)
Loading