In fact the root cause of this issue is/was objects with a NULL security descriptor.
The newly built DCs would not replicate in these objects and so replication stalled, AD was not available, ADI zones were not available etc etc.

We executed sdprop on all DCs in the domain and 'fixed' the above objects. We are now able to build DCs :)

We believe these objects originated via the ADC and have thus disabled certain connection agreements so as to eliminate the issue at its source.

Hopefully a KB will be created from our discoveries :)

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: 13 July 2005 10:18
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Issues with newly built w2k3 DCs

Additional info - DCs in another domain (the empty root domain) have built fine. It's just the child domain where we see these issues.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 12 July 2005 16:14
To: ActiveDir.org
Subject: Re: [ActiveDir] Issues with newly built w2k3 DCs

Sorry, Pushed send too quickly,

I found clearing the MUP cache made the errors go away, additionally are you using 127.0.0.1 or the dc's ip address for DNS and is the secondary DNS address utilised?

-----Original Message-----
From: "Mark Parris" <[EMAIL PROTECTED]>
Date: Tue, 12 Jul 2005 15:08:15
To: "ActiveDir.org" <ActiveDir@mail.activedir.org>
Subject: Re: [ActiveDir] Issues with newly built w2k3 DCs

Neil,

I have had this issue too, Have you seen 842804?

Mark

-----Original Message-----
From: "Ruston, Neil" <[EMAIL PROTECTED]>
Date: Tue, 12 Jul 2005 13:48:57
To: "'ActiveDir@mail.activedir.org'" <ActiveDir@mail.activedir.org>
Subject: [ActiveDir] Issues with newly built w2k3 DCs

I'm seeing the following errors on newly built w2k3 DCs (w2k native mode domain):

Source: userenv; ID:1030
Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by this policy engine.

Source: userenv; ID: 1097
Windows cannot find the machine account, The Local Security Authority cannot be contacted.

The above occur in pairs every 5 mins. All existing w2k DCs are fine.

Other symptoms:
DNS service cannot be managed on the DC (server shown with red cross indicating DNS server not contactable).

Time and DNS resolution all appear fine.

Any ideas anyone? Google shows this to be quite common but with no specific solution / root cause.

Thanks,
neil

==============================================================================
Please access the attached hyperlink for an important electronic communications disclaimer:

http://www.csfb.com/legal_terms/disclaimer_external_email.shtml
==============================================================================

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/