Sounds like a DNS problem. The "permissions" message is a canard; the interesting point is that the domain cannot be contacted.
Check the DNS config on the DC (make sure its resolver is the one you think it is), check the SRV records in DNS for the domain in question (DCDIAG), and flush the cache (ipconfig /flushdns).

-gil

-----Original Message-----
From: Pelle, Joe [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 30, 2002 10:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, DNS, Errors - THE WORKS

The DC gives me a permissions error when opening Domain Controller Security Policy. I log onto the DC as the admin of root.com or plant.root.com and get the same error:

Failed to open Group Policy Object, you may not have appropriate rights.

Details: the specified domain does not exist or cannot be contacted.

What did I not do?

Joe Pelle
Systems Administrator
Information Technology
Valassis / Targeted Print & Media Solutions
35955 Schoolcraft Rd.
Livonia, MI 48150
Tel 734.632.3753
Fax 734.632.6240
[EMAIL PROTECTED]
http://www.valassis.com/

This message may have included proprietary or protected information. This message and the information contained herein are not to be further communicated without my express written consent.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 10:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD, DNS, Errors - THE WORKS

Resend - last was bounced. No idea why....
================================================
Joe,

Check Local Policy on each of the DCs. If any of these was an upgrade (and sometimes, not) of a member that was in a service position before becoming a DC, there are times when a program or application will get installed by a SID that doesn't exist after the machine becomes a DC. This user account had rights (logon locally, etc.) that no longer exist. Typically, you'll want to look for, oh, say.... Power User.
This user has a tendency to get stuck in the Local Policy of a DC, and given that the Power User cannot exist on a DC, this is the message that you're going to see (and I've seen it a lot.....).

Look here for more info: http://support.microsoft.com/default.aspx?scid=kb;en-us;247482

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pelle, Joe
> Sent: Monday, December 23, 2002 3:14 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD, DNS, Errors - THE WORKS
>
> Just like you say, "Are they root.com, hq.root.com and plant.root.com"
>
> Also, I just noticed that there was a delegation set up from root.com to hq.root.com but not to plant.root.com from root.com (is that what you meant by, did you delegate both subdomains from the root?)... I just set that up and cleared the event logs.... waiting to see what happens.
>
> Still getting the same event log messages...
>
> Joe Pelle
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 23, 2002 2:42 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD, DNS, Errors - THE WORKS
>
> Hmm. My first inclination is that your child domains don't know about the empty root. How are the DNS configs done? Are they root.com, hq.root.com and plant.root.com, or is it a discontiguous namespace?
>
> If it's contiguous, did you delegate both subdomains from the root?
>
> It smells of DNS issues, though, so definitely work that angle.
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
> > -----Original Message-----
> > From: Pelle, Joe [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, December 23, 2002 2:24 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: [ActiveDir] AD, DNS, Errors - THE WORKS
> >
> > Hello! I have a question about setting up DNS in AD... The following is my environment (so far):
> >
> > Empty Root (2 DC's)
> >
> > Child Domain of Empty Root at HQ (2 DC's) DNS, WINS, DHCP
> >
> > Child Domain of Empty Root at 'The Plant' (for now, 1 DC's) DNS
> >
> > DNS is running on all the servers... Every 5 minutes I am getting a warning followed by an error on both Child Domain servers at HQ and The Plant:
> >
> > Warning: SceCli 1202
> >
> > Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done.
> >
> > Please look for more details in TroubleShooting section in Security Help.
> >
> > Error: Userenv 1000
> >
> > The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).
> >
> > The DC/DNS server at HQ delegates to The Plant's DNS zone. I don't have the opposite setup... Should I? Basically, I want DHCP clients in The Plant to have access to resources at HQ (or vice versa) or another location without having to go up the tree to go back down...
> >
> > Any thoughts, suggestions, comments are greatly appreciated!
> >
> > Thanks!
> >
> > Joe Pelle

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
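
The DNS checks suggested in the top reply (resolver in use, SRV records, delegation, cache flush), written out as an added example that is not part of the original thread. The domain names are the ones the posters use; the resolver address is a placeholder, and the cmdlets assume Windows 8 / Server 2012 or later rather than the systems of the thread's era.

```powershell
# Added example. Domain names are the ones used in the thread; $Resolver is a
# placeholder (assumption) for the DNS server the DC is supposed to be using.
param(
    [string[]]$Domains = @('root.com', 'hq.root.com', 'plant.root.com'),
    [string]$Resolver  = '192.0.2.10'
)

# 1. Is this machine really pointed at the resolver you think it is?
$configured = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses |
    Sort-Object -Unique
if ($configured -notcontains $Resolver) {
    Write-Warning "Expected $Resolver, but configured resolvers are: $($configured -join ', ')"
}

# 2. Drop cached answers (same effect as ipconfig /flushdns).
Clear-DnsClientCache

# Query one record set on $Resolver; return only answer records, nothing on failure.
function Get-Answer {
    param([string]$Name, [string]$Type)
    try {
        Resolve-DnsName -Name $Name -Type $Type -Server $Resolver -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq $Type }
    } catch {
        Write-Warning "$Type lookup for $Name failed: $($_.Exception.Message)"
    }
}

# 3. Per domain: the DC locator SRV records, and the NS set that a
#    delegation from the parent zone should make resolvable.
$report = foreach ($domain in $Domains) {
    $srv = @(Get-Answer -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV)
    $ns  = @(Get-Answer -Name $domain -Type NS)
    [pscustomobject]@{
        Domain      = $domain
        DcSrvFound  = $srv.Count -gt 0
        DcTargets   = ($srv.NameTarget | Sort-Object -Unique) -join ', '
        NsFound     = $ns.Count -gt 0
        NameServers = ($ns.NameHost | Sort-Object -Unique) -join ', '
    }
}
$report | Format-Table -AutoSize

# A domain listed here is one that clients of this resolver cannot locate.
$report | Where-Object { -not $_.DcSrvFound -or -not $_.NsFound } |
    ForEach-Object { Write-Warning "$($_.Domain): SRV or NS records missing on $Resolver" }
```

Run it on each DC in turn with that DC's intended resolver; a domain that resolves from one DC but not another points at the missing delegation or a wrong resolver setting discussed in the thread.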
