But if primary is itself, what about the old "DNS islanding" issue?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, October 14, 2004 12:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Still troubleshooting, still no resolution

Didn't we have this conversation once before?  :)
 
Think about that.  If the remote DC has a replica of the DNS entries it needs, why is it going across a WAN link?  It doesn't make sense since it already knows how to find everything it needs.  
 
IMHO, primary should be itself.  Secondary?  Not sure it really needs one (check itself and if that fails check someone else that has the same information?), but you *could* put the remote DNS host there. 
 
It would be good for you to test this scenario in your lab before relying on it in the future as well.
 
Al 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Thursday, October 14, 2004 11:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Still troubleshooting, still no resolution

Could it be because the domain controllers at all our remote sites have their network adapter properties set to the primary and secondary DNS servers at the headquarters site?  How should the DNS settings be on a DC that is running DNS in a remote site?  Primary across the WAN, secondary to itself?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, October 14, 2004 10:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Still troubleshooting, still no resolution

Russ, is server ldap/ccc.ourdomain.com your local DC in that site?
And is this the site name CN=CAM-DHQ of that site?
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Thursday, October 14, 2004 11:20 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Still troubleshooting, still no resolution

I still have not found a resolution to my issue - our remote site's WAN link went down for many hours.  All the XP and 2000 desktops at that site could not connect to their mapped drives (to the local file server), and if they rebooted, they were totally toast.
 
There is a Windows 2000 domain controller at the site, but we are in a Win2003 AD domain.  Any ideas???
 
Errors generated in the system event log on the desktop:
 
10/4/2004 10:27:58 AM Kerberos Error None 7 N/A CESVPL50835 The kerberos subsystem encountered a PAC verification failure.  This indicates that the PAC from the client CESVPL50835$ in realm CCC.OURDOMAIN.COM had a PAC which failed to verify or was modified.  Contact your system administrator.
10/4/2004 10:29:11 AM LSASRV Warning SPNEGO (Negotiator)  40961 N/A CESVPL50835 The Security System could not establish a secured connection with the server ldap/ccc.ourdomain.com.  No authentication protocol was available.
10/4/2004 10:29:11 AM LSASRV Warning SPNEGO (Negotiator)  40960 N/A CESVPL50835 The Security System detected an attempted downgrade attack for server ldap/ccc.ourdomain.com.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
 
Errors generated in the desktop event log on the server:

The Directory Service consistency checker has noticed that 12 successive replication attempts with CN=NTDS Settings,CN=CAMDHQDC02,CN=Servers,CN=CAM-DHQ,CN=Sites,CN=Configuration,DC=ourdomain,DC=com have failed over a period of 132 minutes. The connection object for this server will be kept in place, and new temporary connections will established to ensure that replication continues. The Directory Service will continue to retry replication with CN=NTDS Settings,CN=CAMDHQDC02,CN=Servers,CN=CAM-DHQ,CN=Sites,CN=Configuration,DC=ourdomain,DC=com; once successful the temporary connection will be removed.

All servers in site CN=CAM-DHQ,CN=Sites,CN=Configuration,DC=ourdomain,DC=com that can replicate partition DC=ccc,DC=coopcam,DC=com over transport CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=ourdomain,DC=com are currently unavailable.

The Directory Service consistency checker has determined that either (a) there is not enough physical connectivity published via the Active Directory Sites and Services Manager to create a spanning tree connecting all the sites containing the Partition DC=ourdomain,DC=com, or (b) replication cannot be performed with one or more critical servers in order for changes to propagate across all sites (most often due to the servers being unreachable).

For (a), please use the Active Directory Sites and Services Manager to do one of the following:

1. Publish sufficient site connectivity information such that the system can infer a route by which this Partition can reach this site. This option is preferred.

2. Add an ntdsConnection object to a Domain Controller that contains the Partition DC=ourdomain,DC=com in this site from a Domain Controller that contains the same Partition in another site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
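
An added example, not part of the thread or written by its participants: a PowerShell check that reports, per network adapter, whether a domain controller's DNS resolver list points at itself, at remote servers, or both, which is the setting the replies above are debating. It assumes Windows Server 2012 or later (the DnsClient and NetTCPIP modules); the function name `Get-ResolverOrderReport`, its `Order` labels, and the sample addresses are hypothetical.

```powershell
# Added example: classify the DNS resolver order on a domain controller.
# Assumes Windows Server 2012 or later (DnsClient and NetTCPIP modules).
# Get-ResolverOrderReport and its Order labels are hypothetical names.
#   remote-only  : every lookup crosses the WAN; resolution stops when the link does
#   remote-first : a local DNS service is listed, but only as a fallback
#   self-first   : the DC asks itself first and has another server to fall back on
#   self-only    : no fallback resolver (the "islanding" question raised in the thread)

function Get-ResolverOrderReport {
    param(
        # IPv4 addresses owned by this machine; defaults to the live values.
        [string[]]$LocalAddresses = @((Get-NetIPAddress -AddressFamily IPv4).IPAddress),
        # Per-interface resolver lists; defaults to the live values.
        [object[]]$Interfaces = @(Get-DnsClientServerAddress -AddressFamily IPv4)
    )

    # A resolver entry of 127.0.0.1 also means "this machine".
    $self = @(@($LocalAddresses) + '127.0.0.1' | Select-Object -Unique)

    foreach ($nic in $Interfaces) {
        $servers = @($nic.ServerAddresses)
        if ($servers.Count -eq 0) { continue }   # interface has no resolvers set

        $localHits = @($servers | Where-Object { $self -contains $_ })
        $order = if ($self -contains $servers[0]) {
            if ($servers.Count -eq $localHits.Count) { 'self-only' } else { 'self-first' }
        } elseif ($localHits.Count -gt 0) {
            'remote-first'
        } else {
            'remote-only'
        }

        [pscustomobject]@{
            Interface = $nic.InterfaceAlias
            Servers   = $servers -join ', '
            Order     = $order
        }
    }
}

# Constructed sample: a remote-site DC at 10.20.0.10 whose adapter lists only
# two headquarters resolvers, the arrangement described in the thread.
$sample = [pscustomobject]@{
    InterfaceAlias  = 'Ethernet'
    ServerAddresses = @('10.1.0.10', '10.1.0.11')
}
Get-ResolverOrderReport -LocalAddresses '10.20.0.10' -Interfaces $sample
# Run with no arguments on the DC itself to read the live settings.
```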