what's the primary suffix of your clients? and how are the search suffixes configured? or WINS?
also, did you not only check that your service records in DNS exist, but that they're also registered by the right machines? It's potentially possible that other non-DC clients could have registered DC/GC records (could also happen via some mean script) that are causing you issues.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, 19 May 2004 18:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011

here's some more weirdness- now when i want to join a pc to a domain, i have to enter the fqdn. before i would just enter domainname. now i have to enter domainname.parentdomain.rootdomain.
when i just enter the domainname and do a trace, i see in dns that the srv_msdc_ldap.domainname cannot be found.
also when i do a trace on the dns/dc i get weird dns requests for legitimate domains as srv records as in srv_ldap_yahho.com
strange

-----Original Message-----
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 12:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011

My immediate reaction is that this is a GC issue. Missing GC DNS records?

Mike Thommes

-----Original Message-----
From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 10:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011

Yup that's what I meant, we'd want to do that logging on affected client. And network trace of that client (perhaps from second box on a simple little hub) of the boot/logon would also be telling if the userenv doesn't give us the answer (could go either way).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 10:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011

I believe Eric meant the client experiencing the slowness. You will note that the DC seems to be having no issues as that ripped through the process in like half a second according to the logs.
joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 10:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011

this is the output of my userenv.log on my fsmo pdc.

SERENV(e4.34c) 10:45:11:343 ProcessGPOs:
USERENV(e4.34c) 10:45:11:343 ProcessGPOs:
USERENV(e4.34c) 10:45:11:343 ProcessGPOs: Starting computer Group Policy processing...
USERENV(e4.34c) 10:45:11:343 ProcessGPOs:
USERENV(e4.34c) 10:45:11:343 ProcessGPOs:
USERENV(e4.34c) 10:45:11:359 EnterCriticalPolicySection: Machine critical section has been claimed. Handle = 0x74
USERENV(e4.34c) 10:45:11:359 ProcessGPOs: Machine role is 3.
USERENV(e4.34c) 10:45:11:359 PingComputer: PingBufferSize set as 2048
USERENV(e4.34c) 10:45:11:359 PingComputer: First time: 0
USERENV(e4.34c) 10:45:11:375 PingComputer: Fast link. Exiting.
USERENV(e4.34c) 10:45:11:375 ProcessGPOs: User name is: CN=ADSERVER1,OU=Domain Controllers,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET, Domain name is: CHARMERNYDOM
USERENV(e4.34c) 10:45:11:375 ProcessGPOs: Domain controller is: \\adserver1.CHARMERNYDOM.CSG-IT.NET Domain DN is CHARMERNYDOM.CSG-IT.NET
USERENV(e4.34c) 10:45:11:375 ProcessGPOs: Calling GetGPOInfo for normal policy mode
USERENV(e4.34c) 10:45:11:375 GetGPOInfo: ********************************
USERENV(e4.34c) 10:45:11:390 GetGPOInfo: Entering...
USERENV(e4.34c) 10:45:11:390 GetGPOInfo: Server connection established.
USERENV(e4.34c) 10:45:11:406 GetGPOInfo: Bound successfully.
USERENV(e4.34c) 10:45:11:406 SearchDSObject: Searching <OU=Domain Controllers,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET>
USERENV(e4.34c) 10:45:11:406 SearchDSObject: Found GPO(s): <[LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET;0]>
USERENV(e4.34c) 10:45:11:421 ProcessGPO: ==============================
USERENV(e4.34c) 10:45:11:421 ProcessGPO: Deferring search for <LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET>
USERENV(e4.34c) 10:45:11:421 SearchDSObject: Searching <DC=CHARMERNYDOM,DC=CSG-IT,DC=NET>
USERENV(e4.34c) 10:45:11:421 SearchDSObject: Found GPO(s): <[LDAP://CN={776B44AB-9D12-4BE6-84D3-EB26EA1DD649},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET;0][LDAP://CN={276E7B50-A050-497E-8996-BB4A25622B20},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET;0][LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET;0]>
USERENV(e4.34c) 10:45:11:437 ProcessGPO: ==============================
USERENV(e4.34c) 10:45:11:437 ProcessGPO: Deferring search for <LDAP://CN={776B44AB-9D12-4BE6-84D3-EB26EA1DD649},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET>
USERENV(e4.34c) 10:45:11:437 ProcessGPO: ==============================
USERENV(e4.34c) 10:45:11:437 ProcessGPO: Deferring search for <LDAP://CN={276E7B50-A050-497E-8996-BB4A25622B20},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET>
USERENV(e4.34c) 10:45:11:453 ProcessGPO: ==============================
USERENV(e4.34c) 10:45:11:453 ProcessGPO: Deferring search for <LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET>
USERENV(e4.34c) 10:45:11:468 SearchDSObject: Searching <CN=CHARMER-ASTORIA,CN=Sites,CN=Configuration,DC=CSG-IT,DC=NET>
USERENV(e4.34c) 10:45:11:468 SearchDSObject: No GPO(s) for this object.
USERENV(e4.34c) 10:45:11:468 EvaluateDeferredGPOs: Searching for GPOs in cn=policies,cn=system,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET
USERENV(e4.34c) 10:45:11:484 ProcessGPO: ==============================
USERENV(e4.34c) 10:45:11:484 ProcessGPO: Searching <CN={776B44AB-9D12-4BE6-84D3-EB26EA1DD649},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET>
USERENV(e4.34c) 10:45:11:484 ProcessGPO: Machine has access to this GPO.
USERENV(e4.34c) 10:45:11:500 ProcessGPO: Found functionality version of: 2
USERENV(e4.34c) 10:45:11:500 ProcessGPO: Found file system path of: <\\CHARMERNYDOM.CSG-IT.NET\SysVol\CHARMERNYDOM.CSG-IT.NET\Policies\{776B44AB-9D12-4BE6-84D3-EB26EA1DD649}>
USERENV(e4.34c) 10:45:11:515 ProcessGPO: Found common name of: <{776B44AB-9D12-4BE6-84D3-EB26EA1DD649}>
USERENV(e4.34c) 10:45:11:515 ProcessGPO: Found display name of: <IE Policy>
USERENV(e4.34c) 10:45:11:515 ProcessGPO: Found machine version of: GPC is 0, GPT is 0
USERENV(e4.34c) 10:45:11:531 ProcessGPO: Found flags of: 0
USERENV(e4.34c) 10:45:11:531 ProcessGPO: No client-side extensions for this object.
USERENV(e4.34c) 10:45:11:531 ProcessGPO: GPO IE Policy doesn't contain any data since the version number is 0. It will be skipped.
USERENV(e4.34c) 10:45:11:531 ProcessGPO: ==============================
USERENV(e4.34c) 10:45:11:546 ProcessGPO: ==============================
USERENV(e4.34c) 10:45:11:546 ProcessGPO: Searching <CN={276E7B50-A050-497E-8996-BB4A25622B20},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET>
USERENV(e4.34c) 10:45:11:546 ProcessGPO: Machine does not have access to the GPO and so will not be applied.
USERENV(e4.34c) 10:45:11:546 ProcessGPO: ==============================
USERENV(e4.34c) 10:45:11:562 ProcessGPO: ==============================
USERENV(e4.34c) 10:45:11:562 ProcessGPO: Searching <CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET>
USERENV(e4.34c) 10:45:11:562 ProcessGPO: Machine has access to this GPO.
USERENV(e4.34c) 10:45:11:562 ProcessGPO: Found functionality version of: 2
USERENV(e4.34c) 10:45:11:578 ProcessGPO: Found file system path of: <\\CHARMERNYDOM.CSG-IT.NET\sysvol\CHARMERNYDOM.CSG-IT.NET\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}>
USERENV(e4.34c) 10:45:11:578 ProcessGPO: Found common name of: <{31B2F340-016D-11D2-945F-00C04FB984F9}>
USERENV(e4.34c) 10:45:11:578 ProcessGPO: Found display name of: <Default Domain Policy>
USERENV(e4.34c) 10:45:11:593 ProcessGPO: Found machine version of: GPC is 72, GPT is 72
USERENV(e4.34c) 10:45:11:593 ProcessGPO: Found flags of: 0
USERENV(e4.34c) 10:45:11:593 ProcessGPO: Found extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{C6DC5466-785A-11D2-84D0-00C04FB169F7}{942A8E4F-A261-11D1-A760-00C04FB9603F}]
USERENV(e4.34c) 10:45:11:593 ProcessGPO: ==============================
USERENV(e4.34c) 10:45:11:625 ProcessGPO: ==============================
USERENV(e4.34c) 10:45:11:625 ProcessGPO: Searching <CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET>
USERENV(e4.34c) 10:45:11:640 ProcessGPO: Machine has access to this GPO.
USERENV(e4.34c) 10:45:11:640 ProcessGPO: Found functionality version of: 2
USERENV(e4.34c) 10:45:11:640 ProcessGPO: Found file system path of: <\\CHARMERNYDOM.CSG-IT.NET\sysvol\CHARMERNYDOM.CSG-IT.NET\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}>
USERENV(e4.34c) 10:45:11:656 ProcessGPO: Found common name of: <{6AC1786C-016F-11D2-945F-00C04fB984F9}>
USERENV(e4.34c) 10:45:11:656 ProcessGPO: Found display name of: <Default Domain Controllers Policy>
USERENV(e4.34c) 10:45:11:656 ProcessGPO: Found machine version of: GPC is 22, GPT is 22
USERENV(e4.34c) 10:45:11:656 ProcessGPO: Found flags of: 0
USERENV(e4.34c) 10:45:11:671 ProcessGPO: Found extensions: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
USERENV(e4.34c) 10:45:11:671 ProcessGPO: ==============================
USERENV(e4.34c) 10:45:11:687 GetGPOInfo: Leaving with 1
USERENV(e4.34c) 10:45:11:687 GetGPOInfo: ********************************
USERENV(e4.34c) 10:45:11:687 ProcessGPOs: OpenThreadToken failed with error 1008, assuming thread is not impersonating
USERENV(e4.34c) 10:45:11:687 ProcessGPOs: -----------------------
USERENV(e4.34c) 10:45:11:703 ProcessGPOs: Processing extension Registry
USERENV(e4.34c) 10:45:11:703 CompareGPOLists: The lists are the same.
USERENV(e4.34c) 10:45:11:703 CheckGPOs: No GPO changes and no security group membership change and extension Registry has NoGPOChanges set.
USERENV(e4.34c) 10:45:11:703 ProcessGPOs: -----------------------
USERENV(e4.34c) 10:45:11:718 ProcessGPOs: -----------------------
USERENV(e4.34c) 10:45:11:718 ProcessGPOs: Processing extension Folder Redirection
USERENV(e4.34c) 10:45:11:718 ProcessGPOs: Extension Folder Redirection skipped with flags 0x10007.
USERENV(e4.34c) 10:45:11:718 ProcessGPOs: -----------------------
USERENV(e4.34c) 10:45:11:734 ProcessGPOs: Processing extension Microsoft Disk Quota
USERENV(e4.34c) 10:45:11:734 ProcessGPOs: Extension Microsoft Disk Quota skipped with flags 0x10007.
USERENV(e4.34c) 10:45:11:734 ProcessGPOs: -----------------------
USERENV(e4.34c) 10:45:11:734 ProcessGPOs: Processing extension Scripts
USERENV(e4.34c) 10:45:11:750 CompareGPOLists: The lists are the same.
USERENV(e4.34c) 10:45:11:750 CheckGPOs: No GPO changes but couldn't read extension Scripts's status or policy time.
USERENV(e4.34c) 10:45:11:750 ProcessGPOs: Extension Scripts skipped because both deleted and changed GPO lists are empty.
USERENV(e4.34c) 10:45:11:750 ProcessGPOs: -----------------------
USERENV(e4.34c) 10:45:11:765 ProcessGPOs: Processing extension Security
USERENV(e4.34c) 10:45:11:765 CompareGPOLists: The lists are the same.
USERENV(e4.34c) 10:45:11:765 CheckGPOs: No GPO changes and no security group membership change and extension Security has NoGPOChanges set.
USERENV(e4.34c) 10:45:11:781 ProcessGPOs: -----------------------
USERENV(e4.34c) 10:45:11:781 ProcessGPOs: -----------------------
USERENV(e4.34c) 10:45:11:781 ProcessGPOs: Processing extension Internet Explorer Branding
USERENV(e4.34c) 10:45:11:781 ProcessGPOs: Extension Internet Explorer Branding skipped with flags 0x10007.
USERENV(e4.34c) 10:45:11:796 ProcessGPOs: -----------------------
USERENV(e4.34c) 10:45:11:796 ProcessGPOs: Processing extension EFS recovery
USERENV(e4.34c) 10:45:11:796 CompareGPOLists: The lists are the same.
USERENV(e4.34c) 10:45:11:796 CheckGPOs: No GPO changes and no security group membership change and extension EFS recovery has NoGPOChanges set.
USERENV(e4.34c) 10:45:11:812 ProcessGPOs: -----------------------
USERENV(e4.34c) 10:45:11:812 ProcessGPOs: -----------------------
USERENV(e4.34c) 10:45:11:812 ProcessGPOs: Processing extension Application Management
USERENV(e4.34c) 10:45:11:812 ProcessGPOs: Extension Application Management skipped with flags 0x10007.
USERENV(e4.34c) 10:45:11:828 ProcessGPOs: -----------------------
USERENV(e4.34c) 10:45:11:828 ProcessGPOs: Processing extension IP Security
USERENV(e4.34c) 10:45:11:828 CompareGPOLists: The lists are the same.
USERENV(e4.34c) 10:45:11:828 CheckGPOs: No GPO changes but couldn't read extension IP Security's status or policy time.
USERENV(e4.34c) 10:45:11:843 ProcessGPOs: Extension IP Security skipped because both deleted and changed GPO lists are empty.
USERENV(e4.34c) 10:45:11:843 LeaveCriticalPolicySection: Critical section 0x74 has been released.
USERENV(e4.34c) 10:45:11:859 ProcessGPOs: Computer Group Policy has been applied.
USERENV(e4.34c) 10:45:11:859 ProcessGPOs: Leaving with 1.
USERENV(e4.34c) 10:45:11:859 GPOThread: Next refresh will happen in 5 minutes

-----Original Message-----
From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011

I'll take a swing at this.....

By chance do you have a single label domain name (IE the name of your domain does not have a dot in it)? Just thought I'd take a swing at the easiest answer. ;)

In the absence of that, I usually get a userenv log (set userenvdebuglevel to 10002, or 30002 if you are kernel debugging at the same time....) and a trace of the slow logon. How long did you let it sit there for? I wonder if it would clear in 30-60 mins. Either way, unacceptable, so the trace and userenv.log would tell us what's going on most probably.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Wednesday, May 19, 2004 8:35 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] ms04-011

forgot about the 2nd part of yr. question.... see this thread:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg15769.html

Kern, Tom wrote:
> i know this has been spoken of before, but i can't seem to find a pertinent email in the archives, so i apologize for this retread.
> what are the issues with ms04-011 hot fix?
> i ask because i have some clients that are perpetually stuck at the "applying security settings" screen and never log on.
> also, i have one newly formatted client that i can't join to the domain, because it can't contact the domain. this client(win2k) does not have the hotfix installed yet, but my dns server does.
> is there a known issue with this fix affecting dns? i know about the dltape and ipsec issues already, but i don't have these drivers loaded.
> thanks, and sorry for the rehash.
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>

--
John Singler
Systems Administrator
School of Veterinary Medicine, University of Pennsylvania
3800 Spruce Street
Philadelphia, PA 19104-6044

"life is a killer" -- John Giorno
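
Added example, not part of the original thread or of any poster's message: a small Python parser for the userenv.log entry layout posted above that measures elapsed time and lists long silences between entries, which is where a stalled step on an affected client would show up. The function names are hypothetical, and the client log (its ids and timestamps) is constructed for illustration.

```python
import re

# Entry layout seen in the thread: USERENV(xx.yyy) HH:MM:SS:mmm Function: message
ENTRY = re.compile(
    r"USERENV\([0-9A-Fa-f]+\.[0-9A-Fa-f]+\)\s+(\d\d):(\d\d):(\d\d):(\d{3})\s+(\w+):\s*(.*)",
    re.S)
DAY_MS = 24 * 60 * 60 * 1000

def parse_userenv(text):
    """Return [(ms_since_midnight, function, message)], one tuple per entry.
    Splits on the USERENV( prefix, not on newlines, so entries that a mail
    client ran together or re-wrapped are still separated."""
    entries = []
    for chunk in re.split(r"(?=USERENV\()", text):
        m = ENTRY.match(chunk)
        if not m:
            continue  # preamble, or an entry whose prefix was clipped
        h, mi, s, ms = (int(x) for x in m.group(1, 2, 3, 4))
        stamp = ((h * 60 + mi) * 60 + s) * 1000 + ms
        entries.append((stamp, m.group(5), " ".join(m.group(6).split())))
    return entries

def gaps(entries, threshold_ms=1000):
    """Return [(gap_ms, function, message)] for entries followed by a long silence, longest first."""
    found = []
    for (t0, func, msg), (t1, _, _) in zip(entries, entries[1:]):
        gap = (t1 - t0) % DAY_MS  # modulo copes with a log that crosses midnight
        if gap >= threshold_ms:
            found.append((gap, func, msg))
    return sorted(found, reverse=True)

def elapsed_ms(entries):
    """Wall-clock time from the first entry to the last."""
    return (entries[-1][0] - entries[0][0]) % DAY_MS if entries else 0

# Three entries copied from the DC log in the thread, run together on one line.
DC_LOG = ("USERENV(e4.34c) 10:45:11:375 GetGPOInfo: ******************************** "
          "USERENV(e4.34c) 10:45:11:390 GetGPOInfo: Entering... "
          "USERENV(e4.34c) 10:45:11:406 GetGPOInfo: Bound successfully.")

# Constructed client log: message texts as in the thread, ids and times invented.
CLIENT_LOG = """USERENV(1a0.2b4) 23:59:40:100 ProcessGPOs: Calling GetGPOInfo for normal policy mode
USERENV(1a0.2b4) 23:59:40:115 GetGPOInfo: Entering...
USERENV(1a0.2b4) 00:00:25:115 GetGPOInfo: Server connection established.
USERENV(1a0.2b4) 00:00:25:130 GetGPOInfo: Bound successfully."""

if __name__ == "__main__":
    print("DC excerpt elapsed ms:", elapsed_ms(parse_userenv(DC_LOG)))
    print("client stalls:", gaps(parse_userenv(CLIENT_LOG)))
```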