A disjoint namespace is when your machines don't have a domain suffix the same as the AD domain.

For instance, let's say I decide to incorporate joeware and set up offices around the country and run everything from the AD domain joeware.net. I have two options for the setup...

1. Take the MS default and every single machine everywhere in the country has a domain suffix of joeware.net because they are part of the AD Domain, joeware.net.

2. Choose to use geographic logical domain suffixes for the machines like sanfran.joeware.net, newyork.joeware.net, atlanta.joeware.net, miami.joeware.net, orlando.joeware.net, deanshouse.joeware.net, dallas.joeware.net, kalaheo.joeware.net.

Now all of those machines would be in the joeware.net domain but would have a disjoint on the DNS domain suffix. This is fully supported by Active Directory / Windows. Various programs have various levels of support for it due to <ahem> lack of testing on the part of the developers/vendors.

If you use 2, you may have to modify permissions in Active Directory so that the machines can properly register their dNSHostName and servicePrincipalName. If they don't have that permission, the machines will not have correct SPNs and Kerberos can choke. Actually EMC has a nice issue with that right now with the Celerras. Domain controllers don't have the problem because the LocalSystem account of a DC can write whatever the heck it wants to write in AD.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Monday, May 17, 2004 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

Hmmmm... I don't see any disjoint namespace... but I don't know what you mean by "proper permissions are not set on the computer object". But I've actually taken responsibility and done dcpromo now... so far everything looks normal... Maybe it was a netdiag bug? [I hope it was!]

Thanks for input.
Lana

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 17 May 2004 21:50
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

Do you have a disjoint name space? I have seen this when there is a disjoint namespace and the proper permissions are not set on the computer object so that it can update its own information properly.

The UDP/TCP thing Al mentioned is a good thought too but usually when that is occurring you will see some hellacious slowdowns. Like logons taking 30-40 minutes when they go fast. I have seen this occur when a Cisco CSM was throwing away fragmented Kerberos packets because of too many group memberships and I have seen it when a NIC had bad configurations for (I think) max frame size.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Monday, May 17, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FATAL kerberos error on W2K3 server

Hello,

I wonder if anyone has seen this before: W2K Active Directory, a few W2K3 member servers. All of them display a Kerberos error message when running the netdiag Kerberos test:

"[FATAL] Kerberos does not have a ticket for host/domain.com"

I am not receiving any errors or warnings in event logs; replication in AD is fine and no W2K domain controllers show this problem. Run Kerbtray - all tickets seem to be there. DC list test and all the rest of netdiag tests - "passed". Also some of the W2K3 servers are happily running applications with no problems.

The intention is to make a W2K3 domain controller, but with this kind of error it seems a little risky, unless this is a "feature by design" in W2K3...
Thanks in advance for any ideas shared

Lana

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
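
Added example, not part of the original thread: a Python check for the condition joe describes, where a machine with a disjoint DNS suffix has a dNSHostName or HOST SPNs in AD that do not match the name it actually uses. The `fqdn` field (taken from inventory or DNS), the host names and the sample records are assumptions constructed for illustration.

```python
# Added example: compare each machine's real FQDN with what AD holds for it.
AD_DOMAIN = "joeware.net"  # AD domain name from the thread's example

# Constructed sample records. "fqdn" is an assumed inventory/DNS field;
# dNSHostName and servicePrincipalName are the computer-object attributes.
COMPUTERS = [
    {"name": "SRV1", "fqdn": "srv1.joeware.net",
     "dNSHostName": "srv1.joeware.net",
     "servicePrincipalName": ["HOST/SRV1", "HOST/srv1.joeware.net"]},
    {"name": "SRV2", "fqdn": "srv2.atlanta.joeware.net",
     "dNSHostName": "srv2.atlanta.joeware.net",
     "servicePrincipalName": ["HOST/SRV2", "HOST/srv2.atlanta.joeware.net"]},
    # Disjoint machine that was not able to register its own attributes.
    {"name": "SRV3", "fqdn": "srv3.miami.joeware.net", "dNSHostName": None,
     "servicePrincipalName": ["HOST/SRV3"]},
]

def spn_hosts(spns, service_class="HOST"):
    """Lower-cased host parts of the SPNs of one service class."""
    hosts = set()
    for spn in spns or []:
        parts = spn.split("/")
        if len(parts) >= 2 and parts[0].upper() == service_class:
            hosts.add(parts[1].split(":")[0].lower())  # drop optional :port
    return hosts

def audit(computer, ad_domain=AD_DOMAIN):
    """Report disjoint suffix, dNSHostName match and missing HOST SPNs."""
    fqdn = computer["fqdn"].lower()
    short, _, suffix = fqdn.partition(".")
    registered = (computer.get("dNSHostName") or "").lower()
    hosts = spn_hosts(computer.get("servicePrincipalName"))
    return {
        "name": computer["name"],
        "disjoint": suffix != ad_domain.lower(),
        "dNSHostName_ok": registered == fqdn,
        "missing_host_spns": sorted({short, fqdn} - hosts),
    }

def at_risk(computers):
    """Names of machines whose AD attributes do not match their real FQDN."""
    reports = [audit(c) for c in computers]
    return [r["name"] for r in reports
            if not r["dNSHostName_ok"] or r["missing_host_spns"]]

if __name__ == "__main__":
    print([audit(c) for c in COMPUTERS], at_risk(COMPUTERS))
```

SRV2 shows that a disjoint suffix alone is not a fault; only SRV3, whose attributes were never updated, is reported.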
