WTF is QIP anyway? I’ve heard of BIND and Windows DNS.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, June 07, 2006 10:54 PM
To: [email protected]
Subject: RE: [ActiveDir] New DC can't find the machine account
I have had really decent experiences with QIP. I have actually been happier with deployments with QIP on UNIX than Windows DNS.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 10:17 AM
To: [email protected]
Subject: Re: [ActiveDir] New DC can't find the machine account
I find myself agreeing with Deji, but I'll go one or two or three further.

1) QIP? My experience with QIP has not been favorable in past accounts, but I'll assume it works for you. I've had way too much time invested that I'll never get back with QIP/AD integration. I'm not saying it won't work, because it can, but it's way more complex/expensive than it's worth to me.

2) In the case of AD, unless you have a really good technical and/or policy reason not to, do like Deji says and make your AD dependent on an internal DNS host that supports what it needs. Like DDNS and permissions (security). Best bet here is to make AD the master and let QIP be secondary if a compromise is needed.

3) Get joe to send pictures of himself as a Cher look-alike to Deji. Why? Just because I'm feeling particularly mean this morning. I like Deji, but I think he needs some abuse for not having been around for a while. (I know it's extreme, but it's for your own good Deji.) <EG>
On 6/2/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

In this case, you want to point the new DC to an internal DNS server authoritative for the domain.

To close this - and answer joe's question - yes, it's DNS, silly. It's always DNS :). Slow startup, slow GP processing, slow desktop showing up, slow coffee maker, slow uplifting of skirts - always DNS. Choose a working INTERNAL DNS server, make netlogon dependent on DNS and 99% of the trouble is resolved :o
Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com <http://www.readymaids.com> - we know IT
www.akomolafe.com <http://www.akomolafe.com>
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
Sent: Thu 6/1/2006 7:52 PM
To: [email protected]
Subject: Re: [ActiveDir] New DC can't find the machine account
[EMAIL PROTECTED] wrote:
> Mark: why would this be "expected"?
> Al: Who is doing DNS for this DC in question? If you ping a domain resource
> from that DNS server, does it resolve correctly?
Deji,

DNS for this test domain is provided by our datacom people. It's Lucent's QIP server on an old slow NT box. According to the guy who manages it he's a couple of major releases behind on the software. We're also seeing some other issues with machines in the child domain to this domain having problems registering their DNS records.

Machines Existing DCs can be resolved and accessed - which confuses me with the netlogon pausing as the DC when booting should, in my mind, query the other dc for its account information - not itself.

al
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Mark Parris
> Sent: Thu 6/1/2006 7:11 AM
> To: ActiveDir.org
> Subject: Re: [ActiveDir] New DC can't find the machine account
>
> Did you see my post last night - this is expected behaviour?
> -----Original Message-----
> From: Al Lilianstrom <[EMAIL PROTECTED]>
> Date: Thu, 01 Jun 2006 08:13:20
> To:[email protected]
> Subject: Re: [ActiveDir] New DC can't find the machine account
>
> [EMAIL PROTECTED] wrote:
>> I bet you one crate to a bottle of German beer that your DNS is out to lunch.
>> Every time when I've seen this, it always goes away by kicking a DNS server
>> somewhere. Check your DNS servers.
>
> I talked to the networking people and the DNS server that is used for
> our test domains is a couple of major releases out of date and running
> on really crap hardware.
>
> Building him a new server...
>
> Thanks for all the help.
>
> al
>
>> Sincerely,
>> Microsoft MVP - Directory Services
>> www.readymaids.com <http://www.readymaids.com> - we know IT
>> www.akomolafe.com <http://www.akomolafe.com>
>> Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
>>
>> ________________________________
>>
>> From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
>> Sent: Wed 5/31/2006 7:53 AM
>> To: [email protected]
>> Subject: Re: [ActiveDir] New DC can't find the machine account
>>
>> Almeida Pinto, Jorge de wrote:
>>> see if the following helps:
>>>
>>> http://www.eventid.net/display.asp?eventid=1097&eventno=2126&source=Userenv&phase=1
>>
>> I had run across that page last night.
>>
>> Time is ok (ntp to local time source)
>> I don't think that both computer accounts are corrupt as they were ok as
>> simple servers
>> I enabled debug logging for the netlogon service and at the same time I
>> get the userenv events I get
>>
>> 05/31 09:48:22 [CRITICAL] NetpDcHandlePingResponse: test.fnal.gov.: Netlogon is paused on the server. 0x14
>>
>> al
>>
>>> Met vriendelijke groeten / Kind regards,
>>> Ing. Jorge de Almeida Pinto
>>> Senior Infrastructure Consultant
>>> MVP Windows Server - Directory Services
>>>
>>> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
>>> Tel : +31-(0)40-29.57.777
>>> Mobile : +31-(0)6-26.26.62.80
>>> E-mail : <see sender address>
>>>
________________________________
>>>
>>> From: [EMAIL PROTECTED]
on behalf of Al Lilianstrom
>>> Sent: Wed 2006-05-31
15:37
>>> To: [email protected]
>>>
Subject: [ActiveDir] New DC can't find the machine
account
>>>
>>>
>>>
>>>
>>> Hi,
>>>
>>> I have a Windows 2000 based AD (empty root with 1 child domain) that I'm
>>> in the process of upgrading to w2003r2 as a test for our production
>>> domain (same configuration). The adprep went fine as well as the dcpromo
>>> of the new DC. However when the new DC reboots I get the following
>>> messages in the application log:
>>>
>>> EVENT TYPE Error
>>> SOURCE Userenv
>>> EVENT ID 1097
>>> Windows cannot find the machine account, The Local Security Authority
>>> cannot be contacted .
>>>
>>> and
>>>
>>> EVENT TYPE Error
>>> SOURCE Userenv
>>> EVENT ID 1030
>>> Windows cannot query for the list of Group Policy objects. Check the
>>> event log for possible messages previously logged by the policy engine
>>> that describes the reason for this.
>>>
>>> Neither system has these messages when they were simple servers in the
>>> domain. They were rebooted several times before becoming DCs to make
>>> sure the event logs were clean.
>>>
>>> They seem to be functioning as DCs. File replication with the original
>>> w2k dc took a long time to start up.
>>>
>>> I added a second w2k3 r2 DC and it is showing the exact same messages.
>>> Both machines were created from the same sysprep image - the machine
>>> that was built as the basis for the sysprep image was never in the domain.
>>>
>>> I've been searching Microsoft and came up with one or two applicable
>>> docs. One said to make sure that services like netlogon were set to
>>> automatic (it is). Another had settings for enabling debug on the
>>> netlogon service which I implemented. All that I see in there is
>>> netlogon pausing.
>>>
>>> Any ideas?
>>>
>>> al
>>> --
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx