The DC gives me a permissions error when opening Domain Controller Security Policy. I log onto the DC as the admin of root.com or plant.root.com and get the same error:

Failed to open Group Policy Object, you may not have appropriate rights. Details: the specified domain does not exist or cannot be contacted.

What did I not do?

Joe Pelle
Systems Administrator
Information Technology
Valassis / Targeted Print & Media Solutions
35955 Schoolcraft Rd.
Livonia, MI 48150
Tel 734.632.3753
Fax 734.632.6240
[EMAIL PROTECTED]
http://www.valassis.com/

This message may have included proprietary or protected information. This message and the information contained herein are not to be further communicated without my express written consent.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 10:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD, DNS, Errors - THE WORKS

Resend - last was bounced. No idea why....

================================================

Joe,

Check Local Policy on each of the DCs. If any of these was an upgrade (and sometimes, not) of a member that was in a service position before becoming a DC, there are times when a program or application will get installed by a SID that doesn't exist after the machine becomes a DC. This user account had rights (logon locally, etc.) that no longer exist.

Typically, you'll want to look for, oh, say.... Power User. This user has a tendency to get stuck in the Local Policy of a DC, and given that the Power User cannot exist on a DC, this is the message that you're going to see (and I've seen it a lot.....).

Look here for more info:

http://support.microsoft.com/default.aspx?scid=kb;en-us;247482

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Pelle, Joe
> Sent: Monday, December 23, 2002 3:14 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD, DNS, Errors - THE WORKS
>
> Just like you say, "Are they root.com, hq.root.com and
> plant.root.com"
>
> Also, I just noticed that there was a delegation set up from
> root.com to hq.root.com but not to plant.root.com from
> root.com (is that what you meant by, did you delegate both
> subdomains from the root?)... I just set that up and cleared
> the event logs.... waiting to see what happens.
>
> Still getting the same event log messages...
>
> Joe Pelle
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 23, 2002 2:42 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD, DNS, Errors - THE WORKS
>
> Hmm. My first inclination is that your child domains don't
> know about the empty root. How are the DNS configs done? Are
> they root.com, hq.root.com and plant.root.com, or is it a
> discontiguous namespace?
>
> If it's contiguous, did you delegate both subdomains from the root?
>
> It smells of DNS issues, though, so definitely work that angle.
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
> > -----Original Message-----
> > From: Pelle, Joe [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, December 23, 2002 2:24 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: [ActiveDir] AD, DNS, Errors - THE WORKS
> >
> > Hello! I have a question about setting up DNS in AD... The
> > following is my environment (so far):
> >
> > Empty Root (2 DC's)
> >
> > Child Domain of Empty Root at HQ (2 DC's) DNS, WINS, DHCP
> >
> > Child Domain of Empty Root at 'The Plant' (for now, 1 DC's) DNS
> >
> > DNS is running on all the servers...Every 5 minutes I am
> > getting a warning followed by an error on both Child Domain
> > servers at HQ and The Plant:
> >
> > Warning: SceCli 1202
> >
> > Security policies are propagated with warning. 0x534 : No
> > mapping between account names and security IDs was done.
> >
> > Please look for more details in TroubleShooting section in
> > Security Help.
> >
> > Error: Userenv 1000
> >
> > The Group Policy client-side extension Security was passed
> > flags (17) and returned a failure status code of (1332).
> >
> > The DC/DNS server at HQ delegates to The Plant's DNS zone. I
> > don't have the opposite setup... Should I? Basically, I want
> > DHCP clients in The Plant to have access to resources at HQ
> > (or vice versa) or another location without having to go up
> > the tree to go back down...
> >
> > Any thoughts, suggestions, comments are greatly appreciated!
> >
> > Thanks!
> >
> > Joe Pelle

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
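
Added example, not part of the original thread and not written by any of the posters: one way to carry out the check suggested in the reply above, by listing user-rights entries in a security template whose account name no longer maps to a SID (the condition SceCli 1202 reports as 0x534, which is the same value as the 1332 in the Userenv 1000 event). It assumes PowerShell 3.0 or later; the function name and the sample template, including the 'oldsvc' account, are constructed for illustration.

```powershell
# Constructed sample of a security template. 'Power Users' and 'oldsvc'
# are illustrative entries, not values taken from the thread's servers.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,Power Users
SeServiceLogonRight = oldsvc
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
'@

# Hypothetical helper: returns one object per (right, account) pair whose
# account name cannot be translated to a SID on the machine it runs on.
function Find-UnmappedPolicyAccount {
    param([Parameter(Mandatory)][string]$InfText)

    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only the user-rights section lists principals per right.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }

        $right = $Matches[1]
        foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            # '*S-1-...' entries are already stored as SIDs: no name lookup needed.
            if (-not $entry -or $entry.StartsWith('*')) { continue }
            try {
                $acct = New-Object System.Security.Principal.NTAccount($entry)
                [void]$acct.Translate([System.Security.Principal.SecurityIdentifier])
            } catch [System.Security.Principal.IdentityNotMappedException] {
                # Same condition as "No mapping between account names and security IDs".
                [pscustomobject]@{ Right = $right; Account = $entry }
            }
        }
    }
}

Find-UnmappedPolicyAccount -InfText $sampleInf | Format-Table -AutoSize
```

Run it on the DC that logs the events, since name resolution depends on the machine: a group that resolves on a member server may not resolve on a DC. For real input, export the effective user rights with `secedit /export /cfg <file> /areas USER_RIGHTS` and pass the file's text in place of the sample.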
