Re: [ActiveDir] dcdiag.exe - Help!!!
Bryan,

Ok, so the KCC is unable to create a rep. link between the two machines - underlying problem is that PDC is unable to contact PDC2 using RPC.

Have you checked the DNS setup on both machines? By this I mean, does the DNS server that your PDC machine is registering with contain the correct records for PDC2? Are you able to browse PDC2 using Explorer or net use?

In the first error message -
PDC says, "The naming context is in the process of being removed or is not replicated from the specified server"
PDC2 says "The following RPC server is not available" (RPC running as a service)

A naming context is being removed -> what change did you make? Was the PDC machine once a GC and you have removed this?

Once the RPC error message goes away the KCC will create connections between each machine - inbound and outbound for replication. If you can't wait for a couple of KCC cycles to pass, create a manual connection object between each server using the Sites and Services MMC, sync the configuration replica using repadmin or replmon support tools.

Neil.

----- Original Message -----
From: "Bryan Schlegel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 02, 2001 5:19 AM
Subject: [ActiveDir] dcdiag.exe - Help!!!

Hi there,

Inherited from consultants and I know there are issues with the way they set up AD, so trying to backpedal here. I am hoping someone can help and looked through previous postings to no avail.

Here are the specs, two servers. PDC and PDC2 (BDC). Both running AD Windows Server 2000 with SP 2 and updates. PDC has Exchange 2000 with all service packs. I think it was set up using the AD tool. I ran dcdiag.exe on both machines and here were the results. When I try to replicate the NTDS settings to PDC2 I get an error. Both are added as servers in Default-First-Name in Active Directory manager.

PDC says, "The naming context is in the process of being removed or is not replicated from the specified server"
PDC2 says "The following RPC server is not available" (RPC running as a service)

Any advice on infrastructure or what is going wrong would be great!

Thanks!
-b

PDC test

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\PDC
      Starting test: Connectivity
         . PDC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\PDC
      Starting test: Replications
         . PDC passed test Replications
      Starting test: NCSecDesc
         . PDC passed test NCSecDesc
      Starting test: NetLogons
         . PDC passed test NetLogons
      Starting test: Advertising
         . PDC passed test Advertising
      Starting test: KnowsOfRoleHolders
         . PDC passed test KnowsOfRoleHolders
      Starting test: RidManager
         . PDC passed test RidManager
      Starting test: MachineAccount
         . PDC passed test MachineAccount
      Starting test: Services
         . PDC passed test Services
      Starting test: ObjectsReplicated
         . PDC passed test ObjectsReplicated
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         . PDC passed test frssysvol
      Starting test: kcceven
         An Warning Event occured. EventID: 0x84F1
            Time Generated: 11/01/2001 23:44:57
            Event String: The attempt to establish a replication link with
         An Warning Event occured. EventID: 0x84F1
            Time Generated: 11/01/2001 23:44:58
            Event String: The attempt to establish a replication link with
         An Warning Event occured. EventID: 0x84F1
            Time Generated: 11/01/2001 23:44:59
            Event String: The attempt to establish a replication link with
         . PDC failed test kccevent
      Starting test: systemlog
         . PDC ARIS passed test systemlog

   Running enterprise tests on : domain.internal
      Starting test: Intersite
         . domain.internal passed test Intersite
      Starting test: FsmoCheck
         . domain.internal passed test FsmoCheck

PDC2 (OR BDC) test

      Starting test: Services
         . PDC2 passed test Services
      Starting test: ObjectsReplicated
         . PDC2 passed test ObjectsReplicated
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         There are errors after the SYSVOL has been shared.
[ActiveDir] dcdiag.exe - Help!!!
Hi there,

Inherited from consultants and I know there are issues with the way they set up AD, so trying to backpedal here. I am hoping someone can help and looked through previous postings to no avail.

Here are the specs, two servers. PDC and PDC2 (BDC). Both running AD Windows Server 2000 with SP 2 and updates. PDC has Exchange 2000 with all service packs. I think it was set up using the AD tool. I ran dcdiag.exe on both machines and here were the results. When I try to replicate the NTDS settings to PDC2 I get an error. Both are added as servers in Default-First-Name in Active Directory manager.

PDC says, "The naming context is in the process of being removed or is not replicated from the specified server"
PDC2 says "The following RPC server is not available" (RPC running as a service)

Any advice on infrastructure or what is going wrong would be great!

Thanks!
-b

PDC test

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\PDC
      Starting test: Connectivity
         . PDC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\PDC
      Starting test: Replications
         . PDC passed test Replications
      Starting test: NCSecDesc
         . PDC passed test NCSecDesc
      Starting test: NetLogons
         . PDC passed test NetLogons
      Starting test: Advertising
         . PDC passed test Advertising
      Starting test: KnowsOfRoleHolders
         . PDC passed test KnowsOfRoleHolders
      Starting test: RidManager
         . PDC passed test RidManager
      Starting test: MachineAccount
         . PDC passed test MachineAccount
      Starting test: Services
         . PDC passed test Services
      Starting test: ObjectsReplicated
         . PDC passed test ObjectsReplicated
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         . PDC passed test frssysvol
      Starting test: kcceven
         An Warning Event occured. EventID: 0x84F1
            Time Generated: 11/01/2001 23:44:57
            Event String: The attempt to establish a replication link with
         An Warning Event occured. EventID: 0x84F1
            Time Generated: 11/01/2001 23:44:58
            Event String: The attempt to establish a replication link with
         An Warning Event occured. EventID: 0x84F1
            Time Generated: 11/01/2001 23:44:59
            Event String: The attempt to establish a replication link with
         . PDC failed test kccevent
      Starting test: systemlog
         . PDC ARIS passed test systemlog

   Running enterprise tests on : domain.internal
      Starting test: Intersite
         . domain.internal passed test Intersite
      Starting test: FsmoCheck
         . domain.internal passed test FsmoCheck

PDC2 (OR BDC) test

      Starting test: Services
         . PDC2 passed test Services
      Starting test: ObjectsReplicated
         . PDC2 passed test ObjectsReplicated
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         . PDC passed test frssysvol
      Starting test: kccevent
         An Warning Event occured. EventID: 0x8443
            Time Generated: 11/01/2001 23:53:57
            Event String: The ntdsConnection object
         . PDC failed test kccevent
      Starting test: systemlog
         . PDC passed test systemlog

   Running enterprise tests on : domain.internal
      Starting test: Intersite
         . domain.internal passed test Intersite
      Starting test: FsmoCheck
         . domain.internal passed test FsmoCheck

C:\test>dcdiag.exe

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\PDC2
      Starting test: Connectivity
         . PDC2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\PDC2
      Starting test: Replications
         . PDC2 passed test Replications
      Starting test: NCSecDesc
         . PDC2 passed test N
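
Added example (not part of the original thread): a small Python parser for dcdiag text output that lists every test needing a second look, including tests that report "passed" while printing an Error line (as frssysvol does in the results above) and tests cut off before their result line. The sample output is constructed from the results posted above; the names DiagResult, parse_dcdiag and needs_attention are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the dcdiag results posted in this thread.
SAMPLE = r"""
Domain Controller Diagnosis

Doing initial required tests

   Testing server: Default-First-Site-Name\PDC
      Starting test: Connectivity
         ......................... PDC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\PDC
      Starting test: Replications
         ......................... PDC passed test Replications
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         ......................... PDC passed test frssysvol
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x84F1
            Time Generated: 11/01/2001   23:44:57
            Event String: The attempt to establish a replication link with
         An Warning Event occured.  EventID: 0x84F1
            Time Generated: 11/01/2001   23:44:58
            Event String: The attempt to establish a replication link with
         ......................... PDC failed test kccevent
      Starting test: systemlog
         ......................... PDC passed test systemlog

   Running enterprise tests on : domain.internal
      Starting test: Intersite
         ......................... domain.internal passed test Intersite
      Starting test: FsmoCheck
"""

SCOPE_RE = re.compile(r"^\s*(?:Testing server|Running enterprise tests on)\s*:\s*(\S.*?)\s*$")
START_RE = re.compile(r"^\s*Starting test:\s*(\S+)")
RESULT_RE = re.compile(r"^\s*\.{2,}\s*(\S.*?) (passed|failed) test (\S+)\s*$")
EVENT_RE = re.compile(r"EventID:\s*(0x[0-9A-Fa-f]+)")
ERROR_RE = re.compile(r"^\s*(?:Fatal Error|Error)\s*:\s*(.+?)\s*$")


@dataclass
class DiagResult:
    scope: str                      # server or domain the test ran against
    test: str                       # name from the "Starting test:" line
    status: str = "incomplete"      # passed / failed / incomplete (no result line)
    event_ids: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def parse_dcdiag(text):
    """Return one DiagResult per 'Starting test:' block, in output order."""
    results, scope, current = [], None, None
    for line in text.splitlines():
        scope_m, start_m = SCOPE_RE.match(line), START_RE.match(line)
        if scope_m or start_m:
            if current is not None:
                results.append(current)      # previous test never printed a result
            if scope_m:
                scope, current = scope_m.group(1), None
            else:
                current = DiagResult(scope=scope, test=start_m.group(1))
            continue
        if current is None:
            continue
        result_m = RESULT_RE.match(line)
        if result_m:
            current.status = result_m.group(2)
            results.append(current)
            current = None
            continue
        # Anything between "Starting test" and the result line is evidence.
        current.event_ids.extend(EVENT_RE.findall(line))
        error_m = ERROR_RE.match(line)
        if error_m:
            current.errors.append(error_m.group(1))
    if current is not None:
        results.append(current)              # output was truncated mid-test
    return results


def needs_attention(results):
    """Failed or incomplete tests, plus 'passed' tests that logged errors or events."""
    flagged = []
    for r in results:
        if r.status != "passed":
            flagged.append((r.test, r.status))
        elif r.errors or r.event_ids:
            flagged.append((r.test, "passed with errors"))
    return flagged


if __name__ == "__main__":
    for test, reason in needs_attention(parse_dcdiag(SAMPLE)):
        print(f"{test}: {reason}")
```
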
[ActiveDir] How do you set the reminder for users to set their password
I would like to change the default setting. To remind user to change their password to 10 days.

List info: http://www.activedir.org/mail_list.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Account Lockout Problems:
All,

I know this issue has been raised before, I even responded, but I have one user who in the last week (since a password change) persistently keeps getting locked out. It happens every hour and a half, DC synch time. I have re-imaged his PC, same image is on another 30 computers, complete computer name change as well. I have re-created his user account.

On the PC in question there is only one "Error" in the event log (Application) Event ID:

Event Type: Error
Event Source: SceCli
Event Category: None
Event ID: 1003
Date: 2/11/2001
Time: 7:36:41 AM
User: N/A
Computer: BRI_TESTBED
Description: Policy change from LSA/SAM can't be saved in the policy storage. Error 2 to save policy change in the local GPO database.

This error is however on all PCs in our org. I have looked at TechNet (September 2001) and am currently in contact with Microsoft to resolve this issue as per Q272560.

The only thing that I have not changed is his e-mail account, Exchange 5.5, had to re-link account to new name however.

We have Group Policy in place, Domain policy is based on a basic security template, and his RSOP on machine and user account is such. Also affecting the user is an OU based Group Policy only affecting proxy settings.

This issue has me absolutely stumped. I am baffled, I have already spent far too much time on the issue and it is driving me nuts. If anyone out there has any advice, giving him a redundancy package is not an option, please advise.

James
RE: [ActiveDir] Win 2k Network Load Balancing
Yea that's what I meant. I think there is a reg hack out there to reduce the service probing time. I'll look around

-Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lensert, Chad
Sent: Thursday, November 01, 2001 3:40 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Win 2k Network Load Balancing

The documentation I found said that it shouldn't take over 10 seconds when the machine is offline. Once the IP address is gone it changes automatically, but the time from when the site stops to when it actually doesn't see the IP (i.e. the machine is off) is what I need to minimize. It has to shut everything down, etc. which takes time. The best I've got it so far is about a minute. This isn't that bad, but it just seems weird that it would have downtime at all, if the other machine is up and running and ready to serve clients. That's what I'm trying to see if it's inherent in 2000, or if I'm missing something.

-Chad

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 01, 2001 5:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Win 2k Network Load Balancing

How long are you waiting for it to kick in. I remember seeing a reg hack somewhere to bump up the time

-Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lensert, Chad
Sent: Thursday, November 01, 2001 3:21 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Win 2k Network Load Balancing

Yep. It works fine. The Dfs is just to keep the web content the same on both machines. The load balancing does what it's supposed to if you turn the machine off or unplug it from the network. It's when something not so drastic happens like IIS stops responding or something like that. Then the load balancing should kick in, but it still thinks it's fine because it can see it on the network. It thinks that the machine is still good to go because it can see it, when in fact it's not serving web content and it should be failing over to the backup. It's an issue of how the NLB software recognizes a machine in a cluster. It does it by the "heartbeat" of the machine. I guess there's always a hack to write a script that will disable the NIC if something happens and then have it reboot.

-Chad

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 01, 2001 5:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Win 2k Network Load Balancing

Ok I noticed that you just said that you have set up to serve web content and a DFS. Now I know this is kind of a stupid question but did you actually set up NLB?

-Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lensert, Chad
Sent: Thursday, November 01, 2001 3:07 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Win 2k Network Load Balancing

Kind of off the AD subject, but I'm trying to load balance two web servers, both running Adv. Server. I set them both up to serve web content with a Dfs and am running some tests on them to see what will happen if I take one offline. In theory, when one goes offline, the other one should take over for it and keep serving content.

When I stop the web site for the Number 1 Priority server, the content that it was serving is not available to anyone via the web (404 error), and it doesn't roll over to the next machine. The reason is that it still has a heartbeat because it is on the network, and this is how load balancing detects if a machine is available to serve content or not. If it can see it on the network, it thinks it can serve content, even though something software based might be screwing up.

The only time it works how I want it to is when I either shut the machine down or unplug it from the network. And while it's shutting down the web content isn't available while it's shutting down, since the www service stops before the network connection dies. If I take a server down, or it fails, I'd like to keep downtime as transparent as possible to users. The best I can do right now is about 1 minute during a reboot while it shuts everything down.

Is this just an inherent flaw in the design of network load balancing for 2000, or am I missing something?

Chad Lensert
Network Administrator
Business Filings Incorporated
Phone: (800) 981-7183 x253
Fax: (608) 827-5501
http://www.bizfilings.com
RE: [ActiveDir] Win 2k Network Load Balancing
The documentation I found said that it shouldn't take over 10 seconds when the machine is offline. Once the IP address is gone it changes automatically, but the time from when the site stops to when it actually doesn't see the IP (i.e. the machine is off) is what I need to minimize. It has to shut everything down, etc. which takes time. The best I've got it so far is about a minute. This isn't that bad, but it just seems weird that it would have downtime at all, if the other machine is up and running and ready to serve clients. That's what I'm trying to see if it's inherent in 2000, or if I'm missing something.

-Chad

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 01, 2001 5:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Win 2k Network Load Balancing

How long are you waiting for it to kick in. I remember seeing a reg hack somewhere to bump up the time

-Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lensert, Chad
Sent: Thursday, November 01, 2001 3:21 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Win 2k Network Load Balancing

Yep. It works fine. The Dfs is just to keep the web content the same on both machines. The load balancing does what it's supposed to if you turn the machine off or unplug it from the network. It's when something not so drastic happens like IIS stops responding or something like that. Then the load balancing should kick in, but it still thinks it's fine because it can see it on the network. It thinks that the machine is still good to go because it can see it, when in fact it's not serving web content and it should be failing over to the backup. It's an issue of how the NLB software recognizes a machine in a cluster. It does it by the "heartbeat" of the machine. I guess there's always a hack to write a script that will disable the NIC if something happens and then have it reboot.

-Chad

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 01, 2001 5:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Win 2k Network Load Balancing

Ok I noticed that you just said that you have set up to serve web content and a DFS. Now I know this is kind of a stupid question but did you actually set up NLB?

-Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lensert, Chad
Sent: Thursday, November 01, 2001 3:07 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Win 2k Network Load Balancing

Kind of off the AD subject, but I'm trying to load balance two web servers, both running Adv. Server. I set them both up to serve web content with a Dfs and am running some tests on them to see what will happen if I take one offline. In theory, when one goes offline, the other one should take over for it and keep serving content.

When I stop the web site for the Number 1 Priority server, the content that it was serving is not available to anyone via the web (404 error), and it doesn't roll over to the next machine. The reason is that it still has a heartbeat because it is on the network, and this is how load balancing detects if a machine is available to serve content or not. If it can see it on the network, it thinks it can serve content, even though something software based might be screwing up.

The only time it works how I want it to is when I either shut the machine down or unplug it from the network. And while it's shutting down the web content isn't available while it's shutting down, since the www service stops before the network connection dies. If I take a server down, or it fails, I'd like to keep downtime as transparent as possible to users. The best I can do right now is about 1 minute during a reboot while it shuts everything down.

Is this just an inherent flaw in the design of network load balancing for 2000, or am I missing something?

Chad Lensert
Network Administrator
Business Filings Incorporated
Phone: (800) 981-7183 x253
Fax: (608) 827-5501
http://www.bizfilings.com
[ActiveDir] Win 2k Network Load Balancing
Kind of off the AD subject, but I'm trying to load balance two web servers, both running Adv. Server. I set them both up to serve web content with a Dfs and am running some tests on them to see what will happen if I take one offline. In theory, when one goes offline, the other one should take over for it and keep serving content.

When I stop the web site for the Number 1 Priority server, the content that it was serving is not available to anyone via the web (404 error), and it doesn't roll over to the next machine. The reason is that it still has a heartbeat because it is on the network, and this is how load balancing detects if a machine is available to serve content or not. If it can see it on the network, it thinks it can serve content, even though something software based might be screwing up.

The only time it works how I want it to is when I either shut the machine down or unplug it from the network. And while it's shutting down the web content isn't available while it's shutting down, since the www service stops before the network connection dies. If I take a server down, or it fails, I'd like to keep downtime as transparent as possible to users. The best I can do right now is about 1 minute during a reboot while it shuts everything down.

Is this just an inherent flaw in the design of network load balancing for 2000, or am I missing something?

Chad Lensert
Network Administrator
Business Filings Incorporated
Phone: (800) 981-7183 x253
Fax: (608) 827-5501
http://www.bizfilings.com
RE: [ActiveDir] Login Script not working and another problem
Someone mentioned to me to run DcDiag, here were the results:

C:\Documents and Settings\Administrator.DELL>dcdiag

DC Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial non skippeable tests

   Testing server: Albany-Agency\DELL
      Starting test: Connectivity
         DELL's server GUID DNS name could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name (c461bee0-01e5-4393-9280-6685c4fc1d39._msdcs.AAII.albanyagency.com) couldn't be resolved, the server name (dell.AAII.albanyagency.com) resolved to the IP address (192.168.1.104) and was pingable. Check that the IP address is registered correctly with the DNS server.
         . DELL failed test Connectivity

Doing primary tests

   Testing server: Albany-Agency\DELL
      Skipping all tests, because server DELL is not responding to directory service requests

   Running enterprise tests on : AAII.albanyagency.com
      Starting test: Intersite
         . AAII.albanyagency.com passed test Intersite
      Starting test: FsmoCheck
         . AAII.albanyagency.com passed test FsmoCheck

C:\Documents and Settings\Administrator.DELL>

-Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, November 01, 2001 8:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Login Script not working and another problem

Christopher,

I suggest you go into %SystemRoot%\Security\Database and check the last time your security database was modified. I found mine had not been modified for around a month. I followed the article Q278316 and the errors vanished

Robert Rutherford

"Christopher Hummert" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/11/2001 16:07
Please respond to ActiveDir
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] Login Script not working and another problem

Ok someone told me to mention that I only have one AD controller and one DNS server on this network (same machine)

-Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lensert, Chad
Sent: Wednesday, October 31, 2001 1:59 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Login Script not working and another problem

Check out http://support.microsoft.com/support/kb/articles/Q279/4/32.ASP for this article (Q279432). That should do it.

-Chad

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 31, 2001 3:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Login Script not working and another problem

Ok I did a little searching in my application log (told me to after I did the secedit command) and I'm finding the following errors:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 10/31/2001
Time: 1:46:43 PM
User: NT AUTHORITY\SYSTEM
Computer: DELL
Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 10/31/2001
Time: 1:46:43 PM
User: N/A
Computer: DELL
Description: Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done. Please look for more details in TroubleShooting section in Security Help.

What do these mean?

-Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lensert, Chad
Sent: Wednesday, October 31, 2001 1:31 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Login Script not working and another problem

Chris,

I haven't done much with Group Policies. Someone else out there might be able to get more specific on the subject, but this is how I'd attempt to do it.

There is a setting inside of the Default Domain Policy/User Config/Admin Templates/Start Menu & Taskbar called "Add Logoff to Start Menu". Enable that, press apply and close out. How the Group Policy is applied throughout the domain is a little tricky. You can use secedit.exe to push a security policy update to a client manually (see end of this excerpt).

This is an excerpt for what I was able to find from Technet: (Q277543)

In Windows 2000, Group Policy updates are dynamic and occur at specific intervals. If there have been no changes to Group Policy, the client computer still refreshes
RE: [ActiveDir] Login Script not working and another problem
Christopher,

I suggest you go into %SystemRoot%\Security\Database and check the last time your security database was modified. I found mine had not been modified for around a month. I followed the article Q278316 and the errors vanished

Robert Rutherford

"Christopher Hummert" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/11/2001 16:07
Please respond to ActiveDir
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] Login Script not working and another problem

Ok someone told me to mention that I only have one AD controller and one DNS server on this network (same machine)

-Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lensert, Chad
Sent: Wednesday, October 31, 2001 1:59 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Login Script not working and another problem

Check out http://support.microsoft.com/support/kb/articles/Q279/4/32.ASP for this article (Q279432). That should do it.

-Chad

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 31, 2001 3:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Login Script not working and another problem

Ok I did a little searching in my application log (told me to after I did the secedit command) and I'm finding the following errors:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 10/31/2001
Time: 1:46:43 PM
User: NT AUTHORITY\SYSTEM
Computer: DELL
Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 10/31/2001
Time: 1:46:43 PM
User: N/A
Computer: DELL
Description: Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done. Please look for more details in TroubleShooting section in Security Help.

What do these mean?

-Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lensert, Chad
Sent: Wednesday, October 31, 2001 1:31 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Login Script not working and another problem

Chris,

I haven't done much with Group Policies. Someone else out there might be able to get more specific on the subject, but this is how I'd attempt to do it.

There is a setting inside of the Default Domain Policy/User Config/Admin Templates/Start Menu & Taskbar called "Add Logoff to Start Menu". Enable that, press apply and close out. How the Group Policy is applied throughout the domain is a little tricky. You can use secedit.exe to push a security policy update to a client manually (see end of this excerpt).

This is an excerpt for what I was able to find from Technet: (Q277543)

In Windows 2000, Group Policy updates are dynamic and occur at specific intervals. If there have been no changes to Group Policy, the client computer still refreshes the security policy settings at regular intervals for the Group Policy object (GPO). If no changes are discovered, GPOs are not processed, but security policies are. For security policies, there is a value that sets a maximum limit of how long a client can function without reapplying non-changed GPOs. By default, this setting is every 16 hours plus the randomized offset of up to 30 minutes. Even when GPOs th
RE: [ActiveDir] Login Script not working and another problem
Ok someone told me to mention that I only have one AD controller and one DNS server on this network (same machine) -Chris -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lensert, Chad Sent: Wednesday, October 31, 2001 1:59 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Login Script not working and another problem Check out http://support.microsoft.com/support/kb/articles/Q279/4/32.ASP for this article (Q279432) That should do it. -Chad -Original Message- From: Christopher Hummert [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 31, 2001 3:52 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Login Script not working and another problem Ok I did a little searching in my application log (told me to after I did the secedit command) and I'm finding the following errors: Event Type: Error Event Source: Userenv Event Category: None Event ID: 1000 Date: 10/31/2001 Time: 1:46:43 PM User: NT AUTHORITY\SYSTEM Computer: DELL Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332). Event Type: Warning Event Source: SceCli Event Category: None Event ID: 1202 Date: 10/31/2001 Time: 1:46:43 PM User: N/A Computer: DELL Description: Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done. Please look for more details in TroubleShooting section in Security Help. What do these mean? -Chris -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lensert, Chad Sent: Wednesday, October 31, 2001 1:31 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Login Script not working and another problem Chris, I haven't done much with Group Policies. Someone else out there might be able to get more specific on the subject, but this is how I'de attempt to do it. There is a setting inside of the Default Domain Policy/User Config/Admin Templates/Start Menu & Taskbar called "Add Logoff to Start Menu". 
Enable that, press apply and close out. How the Group Policy is applied throughout the domain is a little tricky. You can use secedit.exe to push a security policy update to a client manually (see end of this excerp). This is an excerp for what I was able to find from Technet: (Q277543) In Windows 2000, Group Policy updates are dynamic and occur at specific intervals. If there have been no changes to Group Policy, the client computer still refreshes the security policy settings at regular intervals for the Group Policy object (GPO). If no changes are discovered, GPOs are not processed, but security policies are. For security policies, there is a value that sets a maximum limit of how long a client can function without reapplying non-changed GPOs. By default, this setting is every 16 hours plus the randomized offset of up to 30 minutes. Even when GPOs that contain security policy settings do not change, the policy is reapplied every 16 hours and the following event is logged in the Application event log: Event Type: Information Event Source: SceCli Event Category: None Event ID: 1704 Date: date Time: time User: N/A Computer: computer name Description: Security policy in the Group policy objects are applied successfully. To delay the security policy from being applied when no changes have been made in the GPO, you can configure the MaxNoGPOListChangesInterval registry value. This value specifies the maximum number of minutes the extension is to be skipped because the policy has not changed. This value is found in the follow registry setting: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F7 9F83 A} Value: MaxNoGPOListChangesInterval Data: Minutes of delay, entered in hexadecimal By default, this value is set to 0x3c0, (960 minutes or 16 hours). When you set this value to 0x2760, the client waits 7 days to refresh the policy when there have been no changes to the GPO. 
For additional information, check the articles below in the Microsoft Knowledge Base:

Q203607 How to Modify the Default Group Policy Refresh Interval
Q227302 Using SECEDIT to Force a Group Policy Refresh Immediately

Hope this helps.

-Chad

-Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 31, 2001 2:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Login Script not working and another problem

Ok what about my problem where the logoff option isn't showing up in the start menu?

-Chris

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lensert, Chad
Sent: Wednesday, October 31, 2001 12:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Login Script not working and another problem

Oops, I meant the netlogon share on the DC, sorry about that. You should be good, a
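Added example, not part of the original thread and not Microsoft's code: the two Application-log records quoted above report the same status, once in decimal (1332) and once in hex (0x534), which is Win32 error ERROR_NONE_MAPPED, and the same hex-to-decimal step applies to the MaxNoGPOListChangesInterval data in the Technet excerpt. The sample text is constructed from the quoted events, and all function names are hypothetical.

```python
import re

# Constructed sample: the two event records quoted in the thread, flattened.
SAMPLE_LOG = (
    "Event Type: Error Event Source: Userenv Event Category: None Event ID: 1000 "
    "Description: The Group Policy client-side extension Security was passed "
    "flags (17) and returned a failure status code of (1332). "
    "Event Type: Warning Event Source: SceCli Event Category: None Event ID: 1202 "
    "Description: Security policies are propagated with warning. 0x534 : No "
    "mapping between account names and security IDs was done."
)

# Win32 error names from winerror.h; only the code seen in this thread.
WIN32_ERRORS = {1332: "ERROR_NONE_MAPPED"}

RECORD = re.compile(
    r"Event Type: (?P<type>\w+) Event Source: (?P<source>\w+) .*?"
    r"Event ID: (?P<id>\d+) .*?Description: (?P<desc>.*?)(?=Event Type:|$)",
    re.S,
)
# Userenv reports the status in decimal, SceCli in hex ("0x534 :").
STATUS = re.compile(r"status code of \((\d+)\)|\b(0x[0-9A-Fa-f]+) :")

def parse_events(text):
    """Split flattened event text into records with a normalised status code."""
    events = []
    for m in RECORD.finditer(text):
        s = STATUS.search(m.group("desc"))
        code = None
        if s:
            code = int(s.group(1)) if s.group(1) else int(s.group(2), 16)
        events.append({"source": m.group("source"), "id": int(m.group("id")),
                       "code": code, "name": WIN32_ERRORS.get(code, "unknown")})
    return events

def correlate(events):
    """Group (source, event ID) pairs by status code: one root cause, one key."""
    by_code = {}
    for e in events:
        if e["code"] is not None:
            by_code.setdefault(e["code"], []).append((e["source"], e["id"]))
    return by_code

def interval_minutes(reg_hex):
    """MaxNoGPOListChangesInterval data is a minute count written in hex."""
    return int(reg_hex, 16)

if __name__ == "__main__":
    print(correlate(parse_events(SAMPLE_LOG)))
```

Both records land under the single key 1332, so the Userenv error and the SceCli warning are one failure: a security policy setting names an account that cannot be resolved to a SID.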
RE: [ActiveDir] Mixed ADS and NDS network
No synchronisation between the 2 systems, in fact there are no permissions set up between the 2.

The reason for my question is just after I put the ADS system live the network slowed dramatically, could be just a coincidental problem.

John

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: 01 November 2001 09:03
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Mixed ADS and NDS network

Hi John

I can't think of any reason why AD and NDS would communicate with each other spontaneously. Do you have any synchronisation configured?

Tony

-- Original Message --
From: "John Slack" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Wed, 31 Oct 2001 15:54:44 -

Can anyone shed any light on this?

If I run Advanced server using ADS on a WAN which also employs NDS will they talk to each other unnecessarily. In other words will the amount of network traffic increase simply because of the ADS / NDS mixture?

Regards

John Slack

List info: http://www.activedir.org/mail_list.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Mixed ADS and NDS network
Hi John,

We're running multiple NDS and ADS trees on the same LAN, traces show no communication between them, except where we've explicitly set it up.

cheers
dave

> -Original Message-
> From: John Slack [mailto:[EMAIL PROTECTED]]
> Sent: 31 October 2001 15:55
> To: ActiveDir
> Subject: [ActiveDir] Mixed ADS and NDS network
>
>
> Can anyone shed any light on this?
>
> If I run Advanced server using ADS on a WAN which also
> employs NDS will
> they talk to each other unnecessarily. In other words will the amount
> of network traffic increase simply because of the ADS / NDS mixture?
>
>
> Regards
>
> John Slack
>
> List info: http://www.activedir.org/mail_list.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>

List info: http://www.activedir.org/mail_list.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Mixed ADS and NDS network
Hi John

I can't think of any reason why AD and NDS would communicate with each other spontaneously. Do you have any synchronisation configured?

Tony

-- Original Message --
From: "John Slack" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Wed, 31 Oct 2001 15:54:44 -

Can anyone shed any light on this?

If I run Advanced server using ADS on a WAN which also employs NDS will they talk to each other unnecessarily. In other words will the amount of network traffic increase simply because of the ADS / NDS mixture?

Regards

John Slack

List info: http://www.activedir.org/mail_list.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/