>>Primary across the wan, secondary to itself?

Yes.

- ASB
  Cheap, Fast, Secure -- Pick Any TWO.
  http://www.ultratech-llc.com/KB/

On Thu, 14 Oct 2004 10:47:11 -0500, Rimmerman, Russ <[EMAIL PROTECTED]> wrote:
>
> Could it be because the domain controller at all our remote sites has their
> network adapter properties set to the primary and secondary dns servers at
> the headquarters site? How should the dns settings be on a DC that is
> running DNS in a remote site? Primary across the wan, secondary to itself?
>
> ________________________________
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Thursday, October 14, 2004 10:36 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Still troubleshooting, still no resolution
>
> Russ, is server ldap/ccc.ourdomain.com your local DC in that site?
> And is this the site name CN=CAM-DHQ of that site?
>
> ________________________________
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
> Sent: Thursday, October 14, 2004 11:20 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Still troubleshooting, still no resolution
>
> I still have not found a resolution to my issue - our remote site's WAN link
> went down for many hours. All the XP and 2000 desktops at that site could
> not connect to their mapped drives (to the local file server), and if they
> rebooted, they were totally toast.
>
> There is a Windows 2000 domain controller at the site, but we are in a
> Win2003 AD domain. Any ideas???
>
> Errors generated in the system event log on the desktop:
>
> 10/4/2004 10:27:58 AM Kerberos Error None 7 N/A CESVPL50835 The kerberos
> subsystem encountered a PAC verification failure. This indicates that the
> PAC from the client CESVPL50835$ in realm CCC.OURDOMAIN.COM had a PAC which
> failed to verify or was modified. Contact your system administrator.
>
> 10/4/2004 10:29:11 AM LSASRV Warning SPNEGO (Negotiator) 40961 N/A
> CESVPL50835 The Security System could not establish a secured connection
> with the server ldap/ccc.ourdomain.com. No authentication protocol was
> available.
>
> 10/4/2004 10:29:11 AM LSASRV Warning SPNEGO (Negotiator) 40960 N/A
> CESVPL50835 "The Security System detected an attempted downgrade attack for
> server ldap/ccc.ourdomain.com. The failure code from authentication
> protocol Kerberos was ""There are currently no logon servers available to
> service the logon request.
> (0xc000005e)""."
>
> Errors generated in the desktop event log on the server:
>
> The Directory Service consistency checker has noticed that 12 successive
> replication attempts with
> CN=NTDS Settings,CN=CAMDHQDC02,CN=Servers,CN=CAM-DHQ,CN=Sites,CN=Configuration,DC=ourdomain,DC=com
> have failed over a period of 132 minutes. The connection object for this
> server will be kept in place, and new temporary connections will established
> to ensure that replication continues. The Directory Service will continue to
> retry replication with
> CN=NTDS Settings,CN=CAMDHQDC02,CN=Servers,CN=CAM-DHQ,CN=Sites,CN=Configuration,DC=ourdomain,DC=com;
> once successful the temporary connection will be removed.
>
> All servers in site CN=CAM-DHQ,CN=Sites,CN=Configuration,DC=ourdomain,DC=com
> that can replicate partition DC=ccc,DC=coopcam,DC=com over transport
> CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=ourdomain,DC=com
> are currently unavailable.
>
> The Directory Service consistency checker has determined that either (a)
> there is not enough physical connectivity published via the Active Directory
> Sites and Services Manager to create a spanning tree connecting all the
> sites containing the Partition DC=ourdomain,DC=com, or (b) replication
> cannot be performed with one or more critical servers in order for changes
> to propagate across all sites (most often due to the servers being
> unreachable).
>
> For (a), please use the Active Directory Sites and Services Manager to do
> one of the following:
>
> 1. Publish sufficient site connectivity information such that the system can
> infer a route by which this Partition can reach this site. This option is
> preferred.
>
> 2. Add an ntdsConnection object to a Domain Controller that contains the
> Partition DC=ourdomain,DC=com in this site from a Domain Controller that
> contains the same Partition in another site.

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
