Unfortunately, in this case, I can't give any better answer than the MS Engineer in the "that is just the way it works" as I indicated below. I would loop in ~Eric on this one but I don't think he would know either, this isn't an AD thing, it is a Windows Secure Channel thing that has been around since before AD.
So removing that one DC allows adfind to properly enumerate the info with referrals working as normal?

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, June 10, 2005 6:34 AM
To: [email protected]
Subject: RE: [ActiveDir] nltest, adfind errors

Hi joe,

Yep, the lack of a SC back to the PDC is puzzling. The MS analyst I was working with said, "That's just the way it is!". <sigh>. All DCs are running 2003/SP1.

Regarding my issue, we determined that one of the two child domain DCs was really just unfixable, and its state was certainly having a negative impact on the other child DC. We ended up just disconnecting this "bad boy" from the network (with intent to just shut it down) and brought up a new DC. Replication seems to be working once again, with all players happy. I will settle for this situation and take my lumps doing an AD metadata cleanup of the old DC, just to get things working again.

Thanks for the input!

Mike Thommes

________________________________
From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 6/9/2005 10:08 PM
To: [email protected]
Subject: RE: [ActiveDir] nltest, adfind errors

It looks like anl.gov is your root domain. Are tiger201, hippo308, bison752 all DCs for anl.gov? If so, the NLTEST results are all normal. You will find that in any domain you do that to. The PDC does not have a secure channel for its own domain to any other DC, while the non-PDCs will have secure channels back to the PDC. Why? I don't know. It is just the way I have always seen it. If those DCs are DCs for the child domain bio.anl.gov then that is also fine, because it just means the secure channel for the trust is from the DC to the PDC of anl.gov.

The ADFIND issue is that it isn't following referrals. That is odd; adfind is configured to follow referrals by default, or at least it uses the system default, and the system default is to follow referrals. I cannot duplicate this not following of referrals unless I set adfind to not follow referrals with -nr. Does this have SP1 loaded? I haven't done extensive testing with SP1 yet with adfind.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, June 08, 2005 11:27 AM
To: [email protected]
Subject: [ActiveDir] nltest, adfind errors

Running these commands on a child domain controller:

    nltest /sc_query:anl.gov /server:rhino221
    I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

    nltest /sc_query:anl.gov /server:tiger201
    Flags: 30 HAS_IP HAS_TIMESERV
    Trusted DC Name \\rhino221.anl.gov
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    The command completed successfully

    nltest /sc_query:anl.gov /server:hippo308
    Flags: 30 HAS_IP HAS_TIMESERV
    Trusted DC Name \\rhino221.anl.gov
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    The command completed successfully

    nltest /sc_query:anl.gov /server:bison752
    Flags: 30 HAS_IP HAS_TIMESERV
    Trusted DC Name \\rhino221.anl.gov
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    The command completed successfully

Rhino221 holds the FSMO roles. DNS A and SRV records seem to be OK.

joe's adfind tool works fine from a non-privileged account on a workstation to the child domain in searching for accounts named admin*, yet fails when the same adfind command is run from a root DC:

    C:\SYSMGR\bin>adfind -b dc=bio,dc=anl,dc=gov -f samaccountname=admin*

    AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

    Using server: rhino221.anl.gov
    Directory: Windows Server 2003

    ldap_get_next_page_s: [rhino221.anl.gov] Error 0xa (10) - Referral
    REFERRAL: ldap://bio.anl.gov/dc=bio,dc=anl,dc=gov

    0 Objects returned

I am stumped! Any thoughts out there? Thanks.
Mike Thommes

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
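The two checks the thread turns on, the per-DC secure-channel query and the cross-naming-context LDAP search with referral chasing on or off, as an added PowerShell example. This is not code from the thread, from adfind or from nltest; it assumes Windows PowerShell 5.1 or later on a domain-joined host, nltest.exe on the path and the System.DirectoryServices.Protocols assembly. The host, domain and filter values in the usage lines are the ones quoted in the thread and are placeholders only; the function names are my own. It goes a little beyond the thread by parsing the nltest output into one table and by flagging the PDC's ERROR_NO_SUCH_DOMAIN separately from a real failure on a non-PDC, which is the distinction joe draws above.

```powershell
# Added example, not from the thread and not part of adfind or nltest.
# Assumes: Windows PowerShell 5.1 (or PowerShell 7 on Windows), a domain-joined
# host, nltest.exe on the path, and the System.DirectoryServices.Protocols
# assembly. Host/domain names below are the ones quoted in the thread, used only
# as placeholders; substitute your own.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-SecureChannelReport {
    # Runs "nltest /sc_query:<domain> /server:<dc>" against each DC and parses the
    # result, so the per-DC picture from the thread comes out as one table.
    param(
        [Parameter(Mandatory)][string]$Domain,             # e.g. anl.gov
        [Parameter(Mandatory)][string[]]$DomainController  # e.g. rhino221, tiger201, ...
    )
    foreach ($dc in $DomainController) {
        $out = & nltest.exe "/sc_query:$Domain" "/server:$dc" 2>&1 | Out-String
        $trusted = if ($out -match 'Trusted DC Name\s+\\\\(\S+)') { $Matches[1] } else { $null }
        $status  = if ($out -match 'Status = (\d+) (0x[0-9a-fA-F]+) (\S+)') { $Matches[3] } else { 'UNPARSED' }
        # Interpretation follows joe's observation in the thread: the PDC emulator holds
        # no secure channel for its own domain and reports ERROR_NO_SUCH_DOMAIN, while
        # every other DC should report NERR_Success with the PDC as Trusted DC Name.
        $note = switch ($status) {
            'NERR_Success'         { 'ok' }
            'ERROR_NO_SUCH_DOMAIN' { 'no SC for own domain (expected only on the PDC emulator)' }
            default                { 'investigate' }
        }
        [pscustomobject]@{ Server = $dc; TrustedDC = $trusted; Status = $status; Note = $note }
    }
}

function Search-AcrossReferral {
    # Reproduces the adfind search from the thread with referral chasing under
    # explicit control: bind to one DC and search a naming context it does not
    # hold. With -NoReferrals (the equivalent of adfind -nr) the DC answers with
    # resultCode 10 (referral) plus a URI instead of entries, which is what the
    # thread's adfind output shows; with chasing enabled the client follows the URI.
    param(
        [Parameter(Mandatory)][string]$Server,      # e.g. rhino221.anl.gov (root DC)
        [Parameter(Mandatory)][string]$SearchBase,  # e.g. DC=bio,DC=anl,DC=gov (child NC)
        [string]$Filter = '(sAMAccountName=admin*)',
        [switch]$NoReferrals
    )
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    # Sign and seal the LDAP session (Negotiate/Kerberos). The adfind/nltest commands
    # as typed in the thread do not ask for this; a DC should not be queried in clear.
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    $chase = if ($NoReferrals) {
        [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
    } else {
        [System.DirectoryServices.Protocols.ReferralChasingOptions]::All
    }
    $conn.SessionOptions.ReferralChasing = $chase
    $conn.Bind()   # current Windows credentials

    $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
        $SearchBase, $Filter,
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        [string[]]'sAMAccountName')
    try {
        $resp = $conn.SendRequest($req)
        foreach ($e in $resp.Entries) { $e.DistinguishedName }
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        $r = $_.Exception.Response
        if ($r -and $r.ResultCode -eq [System.DirectoryServices.Protocols.ResultCode]::Referral) {
            # Same condition adfind printed as "Error 0xa (10) - Referral".
            Write-Warning ("Referral not chased: " + ($r.Referral -join ', '))
            return
        }
        throw
    } finally {
        $conn.Dispose()
    }
}

# Usage (names from the thread, placeholders only):
Get-SecureChannelReport -Domain anl.gov -DomainController rhino221, tiger201, hippo308, bison752 | Format-Table
Search-AcrossReferral -Server rhino221.anl.gov -SearchBase 'DC=bio,DC=anl,DC=gov' -NoReferrals   # referral warning, no entries
Search-AcrossReferral -Server rhino221.anl.gov -SearchBase 'DC=bio,DC=anl,DC=gov'                # admin* DNs from the child
```

Run it from the root DC where adfind failed and from a workstation where it worked: if the second call returns entries on both, the client library is chasing the referral and the difference joe could not reproduce lies in adfind's referral setting (or in the stale child DC the thread ends up removing); if it returns the warning even with chasing on, the DC named in the referral URI is the one to look at with nltest.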
