It looks like anl.gov is your root domain. Are tiger201, hippo308, bison752 all DCs for anl.gov? If so, the NLTEST results are all normal. You will find that in any domain you do that to. The PDC does not have a secure channel for its own domain to any other DC, while the non-PDCs will have secure channels back to the PDC. Why? I don't know. It is just the way I have always seen it.
If those DCs are DCs for the child domain bio.anl.gov then that is also fine because it just means the secure channel for the trust is from the DC to the PDC of anl.gov. The ADFIND issue is that it isn't following referrals. That is odd, adfind is configured to follow referrals by default or at least it uses the system default and the system default is to follow referrals. I can not duplicate this not following of referrals unless I set adfind to not follow referrals with -nr. Does this have SP1 loaded? I haven't done extensive testing with SP1 yet with adfind. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Wednesday, June 08, 2005 11:27 AM To: [email protected] Subject: [ActiveDir] nltest, adfind errors Running these commands on a child domain controller: nltest /sc_query:anl.gov /server:rhino221 I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN nltest /sc_query:anl.gov /server:tiger201 Flags: 30 HAS_IP HAS_TIMESERV Trusted DC Name \\rhino221.anl.gov Trusted DC Connection Status Status = 0 0x0 NERR_Success The command completed successfully nltest /sc_query:anl.gov /server:hippo308 Flags: 30 HAS_IP HAS_TIMESERV Trusted DC Name \\rhino221.anl.gov Trusted DC Connection Status Status = 0 0x0 NERR_Success The command completed successfully nltest /sc_query:anl.gov /server:bison752 Flags: 30 HAS_IP HAS_TIMESERV Trusted DC Name \\rhino221.anl.gov Trusted DC Connection Status Status = 0 0x0 NERR_Success The command completed successfully Rhino221 holds the FSMO roles. DNS A and SRV records seem to be OK. joe's adfind tool works fine from a non-privileged account on a workstation to the child domain in searching for accounts named admin* , yet fails when the same adfind command is run from a root DC: C:\SYSMGR\bin>adfind -b dc=bio,dc=anl,dc=gov -f samaccountname=admin* AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005 Using server: rhino221.anl.gov Directory: Windows Server 2003 ldap_get_next_page_s: [rhino221.anl.gov] Error 0xa (10) - Referral REFERRAL: ldap://bio.anl.gov/dc=bio,dc=anl,dc=gov 0 Objects returned I am stumped! Any thoughts out there? Thanks. Mike Thommes List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
