I don't think that those errors are related to DNS. The error " 0x534 : No mapping between account names and security IDs was done." usually means that you have a group policy that is assigning a right to a user account or group that no longer exists. You will have to enable security process logging and review the winlogon file to determine what account is causing this error. Once you find the account you can remove it from the policy. See http://support.microsoft.com/default.aspx?scid=kb;en-us;245422 for the steps to enable logging.
Tim Hines, MCSA, MCSE (2000 & NT4) MVP - Active Directory ----- Original Message ----- From: "Pelle, Joe" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, December 23, 2002 4:14 PM Subject: RE: [ActiveDir] AD, DNS, Errors - THE WORKS > Just like you say, " Are they root.com, hq.root.com and > plant.root.com" > > Also, I just noticed that there was a delegation set up from root.com to > hq.root.com but not to plant.root.com from root.com (is that what you meant > by, did you delegate both subdomains from the root?)... I just set that up > and cleared the event logs.... waiting to see what happens. > > Still getting the same event log messages... > > > > Joe Pelle > > > -----Original Message----- > From: Roger Seielstad [mailto:[EMAIL PROTECTED]] > Sent: Monday, December 23, 2002 2:42 PM > To: '[EMAIL PROTECTED]' > Subject: RE: [ActiveDir] AD, DNS, Errors - THE WORKS > > Hmm. My first inclination is that your child domain's don't know about the > empty root. How are the DNS configs done? Are they root.com, hq.root.com and > plant.root.com, or is it a discontiguous namespace? > > If its contiguous, did you delegate both subdomains from the root? > > It smells of DNS issues, though, so definitely work that angle. > > ------------------------------------------------------ > Roger D. Seielstad - MCSE > Sr. Systems Administrator > Inovis - Formerly Harbinger and Extricity > Atlanta, GA > > > > -----Original Message----- > > From: Pelle, Joe [mailto:[EMAIL PROTECTED]] > > Sent: Monday, December 23, 2002 2:24 PM > > To: '[EMAIL PROTECTED]' > > Subject: [ActiveDir] AD, DNS, Errors - THE WORKS > > > > > > Hello! I have a question about setting up DNS in AD... The > > following is my environment (so far): > > > > Empty Root (2 DC's) > > > > Child Domain of Empty Root at HQ (2 DC's) DNS, WINS, DHCP > > > > Child Domain of Empty Root at 'The Plant' (for now, 1 DC's) DNS > > > > DNS is running on all the servers...Every 5 minutes I am > > getting a warning followed by an error on both Child Domain > > servers at HQ and The Plant: > > > > Warning: SceCli 1202 > > > > Security policies are propagated with warning. 0x534 : No > > mapping between account names and security IDs was done. > > > > Please look for more details in TroubleShooting section in > > Security Help. > > > > Error: Userenv 1000 > > > > The Group Policy client-side extension Security was passed > > flags (17) and returned a failure status code of (1332). > > > > The DC/DNS server at HQ delegates to The Plant's DNS zone. I > > don't have the opposite setup... Should I? Basically, I want > > DHCP clients in The Plant to have access to resources at HQ > > (or vice versa) or another location without having to go up > > the tree to go back down... > > > > > > Any thoughts, suggestions, comments are greatly appreciated! > > > > Thanks! > > > > Joe Pelle > > > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
