RE: [ActiveDir] Group Policy issues

2004-02-06 Thread Holland Matthew BC GB
Do the settings for Windows Update appear to be set correctly when you log on to the workstation with an account that has local Admin?

 

Cheers, Matty
From: Lucas Garlepp [mailto:[EMAIL PROTECTED]
Sent: 06 February 2004 05:30
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Group Policy issues



 

I'm having a serious issue with group policy. I'm reasonably new to setting it up, however it seems not to work as it should.

Using the Word 2002 administrative template I've set the auto recover data setting (how often Word background-saves in case of a crash) to 10 minutes. However, when I apply the policy, on the workstations in the Word Tools > Options tab where this setting is located it changes to 266 minutes (which is outside the allowed settings in any case).

Further, when trying to use the Windows Update policy, setting the time for update and other details, it simply does not work, even though the policy settings for the policy are found in the registry of the workstation. This does not seem to make sense.

Other policy settings work fine.

Can anyone help?

Lucas Garlepp
IT Manager
Wisewoulds | Lawyers
Tel:    +61 3 9612 7218
Fax:    +61 3 9629 4035
Eml:    [EMAIL PROTECTED]
Web:    http://www.wisewoulds.com.au








RE: [ActiveDir] Windows 2000 startup screen

2004-02-06 Thread Roger Seielstad
I believe it's got to be a BMP.

-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
  
-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 6:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 2000 startup screen

That's legal notice caption text, which our top execs didn't like because they had to click "OK" (it's so difficult!)

So now we're replacing the startup splash screen with a legal notice BMP. I know which registry key does it now in WinXP and Win2k, but I am trying to see if I can use a JPG or if it MUST be a BMP.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 5:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 startup screen

Russ,

As Katherine advised, or a registry entry, see below... your choice:

Windows Registry Editor Version 5.00

; Add Legal Notice Caption & Legal Notice
; (a literal double quote inside a REG_SZ value must be written as \" or regedit rejects the line)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="WARNING -  DODGY AUTHORISED USERS ONLY "
"LegalNoticeText"="Any unauthorised access or use of this workstation is prohibited and could be subject to claims for damages and/or penalties at law.  To protect this system from unauthorised use and to ensure that it is functioning properly, activities on it are monitored and recorded and subject to audit. ALL software in  DODGY is to be AUTHORISED prior to purchase using the normal acquisition and purchasing rules that apply at these sites. ANY software installation is to be performed by  DODGY  IT or personnel NOMINATED by DODGY IT. Use of this system is express consent to such monitoring, recording and conditions. To protect from unauthorised access once logged in users should press CTRL+ALT+DEL then \"Lock Computer\" when away from their workstations for extended periods of time."

James
-Original Message-
From: Katherine Coombs [mailto:[EMAIL PROTECTED]
Sent: Friday, 6 February 2004 9:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 startup screen

Russ,

You can do this through GPO by changing the following settings:

Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on

They are found in the following location within the GPO editor: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

HTH, Katherine
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Friday, 6 February 2004 1:51 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Windows 2000 startup screen

Thanks to all who helped me with the GC disaster recovery issue!!!

Now, I've been asked to replace all the Windows 2000 and XP startup splash screens (the one you see in the background when you hit Ctrl-Alt-Del). We're going to have our legal notice there since our top dogs don't like the legal notice GPO. Question is, is there a GPO for this, and if not, is there a registry entry or something we can automate on login?

I know XP's solution is here: http://www.updatexp.com/tip12.html

What about Win2000? Any easy ways to do this?
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
  
  


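An added example, not code from this thread: a small Python parser for the .reg export format James posted, limited to the version header, comments, [key] sections and "name"="string" (REG_SZ) values. It pulls the two Winlogon legal-notice values out of a constructed sample (company name replaced) and rejects the pitfall in the posted file: a literal double quote inside a REG_SZ value must be escaped as \" for regedit to import the line.

```python
"""Minimal parser for the .reg export format used in the thread above.

Added example, not code from the thread. Supports only the version header,
';' comments, [key] sections and "name"="string" (REG_SZ) values. Text is
assumed already decoded (regedit exports are UTF-16LE with a BOM on disk).
"""
from __future__ import annotations
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# "name"=<rest>: the name token is a quoted string with no bare quote inside
VALUE_LINE = re.compile(r'^("(?:[^"\\]|\\.)*")=(.*)$')


class RegParseError(ValueError):
    """Raised for any line regedit itself would refuse."""


def _unquote(token: str, lineno: int) -> str:
    """Decode a quoted REG_SZ token; only \\ and \" escapes are legal."""
    if len(token) < 2 or token[0] != '"' or token[-1] != '"':
        raise RegParseError(f"line {lineno}: expected a quoted string, got {token!r}")
    body, out, i = token[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            if i + 1 >= len(body) or body[i + 1] not in '\\"':
                raise RegParseError(f"line {lineno}: bad escape at offset {i}")
            out.append(body[i + 1])
            i += 2
        elif ch == '"':
            # the defect in the posted file: "Lock Computer" written without \"
            raise RegParseError(f"line {lineno}: unescaped quote inside value (write \\\")")
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Return {key_path: {value_name: string}} for a REG_SZ-only .reg file."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != REG_HEADER:
        raise RegParseError("missing or unsupported .reg header")
    keys: dict[str, dict[str, str]] = {}
    current: str | None = None
    for lineno, line in enumerate(lines[1:], start=2):
        s = line.strip()
        if not s or s.startswith(";"):
            continue                      # blank line or comment
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1]             # new key section
            keys.setdefault(current, {})
            continue
        if current is None:
            raise RegParseError(f"line {lineno}: value outside any [key]")
        m = VALUE_LINE.match(s)
        if not m:
            raise RegParseError(f"line {lineno}: not a \"name\"=\"string\" line")
        keys[current][_unquote(m.group(1), lineno)] = _unquote(m.group(2), lineno)
    return keys


def legal_notice(text: str) -> tuple[str, str]:
    """(caption, text) the file would set under the Winlogon key."""
    values = parse_reg(text).get(WINLOGON_KEY, {})
    return values.get("LegalNoticeCaption", ""), values.get("LegalNoticeText", "")


def is_importable(text: str) -> bool:
    """True when every line parses, i.e. regedit would accept the file."""
    try:
        parse_reg(text)
        return True
    except RegParseError:
        return False


# Constructed sample modelled on the posted file (company name replaced),
# with the inner quotes around Lock Computer escaped as regedit requires.
GOOD_REG = r'''Windows Registry Editor Version 5.00

; Add Legal Notice Caption & Legal Notice
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="WARNING - EXAMPLE CORP AUTHORISED USERS ONLY"
"LegalNoticeText"="Activities on this system are monitored and recorded. When away from your workstation press CTRL+ALT+DEL then \"Lock Computer\"."
'''
# Same file with the escapes dropped, i.e. the form as it appeared in the thread.
BAD_REG = GOOD_REG.replace('\\"', '"')

if __name__ == "__main__":
    caption, notice = legal_notice(GOOD_REG)
    print("caption:", caption)
    print("text   :", notice)
    print("posted form importable:", is_importable(BAD_REG))
```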



[ActiveDir] computer account issues

2004-02-06 Thread J0mb
Good morning list,

I am getting a weird problem lately. Our AD architecture is made of 1 forest, 1 domain, 4 sites spanned through WAN links. There are approx. 2500 nodes in the forest, there are 2 DCs at each site, and a DC is configured as GC at each site.

Randomly, with no apparent recurrent pattern, we get the event ID 5723 (Netlogon) error from some machines (I would say some 4-5 a day).

--

The session setup from the computer  failed because there is no trust account in the security database for this computer. The name of the account referenced in the security database is $.

The error code is 0xC18B

--

The client is not able to authenticate to the DC anymore. The only (to me) known resolution is to rejoin the machine to the domain.

Would anyone suggest me a resolution, or correct steps for troubleshooting?

I've already checked on eventid.net, and it looks like none of the suggestions is relevant to my architecture. We're running a native mode Windows 2000 domain.

The error code states that the computer account has been deleted. How can this happen? How can I audit operation attempts on computer accounts?

Thanks!!

Alex

 

 



RE: [ActiveDir] Computer Migration Issues with ADMT

2004-02-06 Thread Celone, Mike
Santosh,

I moved a total of 3 machines yesterday in our lab and was able to get them to reboot successfully. Instead of changing the time to 1 minute I left it at 5. Those machines rebooted without issue. I then tried again changing the time to 1 minute. Those machines would not reboot. It seems if you change the time to less than 5 minutes it does not issue a reboot.

As for the below error messages, you will see them in the logs if you just do a test and not a migration. Every test I've done using ADMT displays the 2nd error message in the logs.

Mike


From: Sudhir Kaushal [mailto:[EMAIL PROTECTED]
Sent: Friday, February 06, 2004 12:17 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT

Hi Santosh,

It is true that the account is created but the machines just don't reboot. In my case I tried even changing the time from 1 min to 5 min. But the machines just don't reboot. Even after rebooting the machines manually, the domain name remained the same. After checking the logs in c:\temp on the client machine I found this error: "failed to change the domain affiliation (hr=8007054b), the specified domain does not exist or could not be contacted". Because of this I concluded that account creation on the target domain may be because of the ADMT agent, which gets properly installed on the client machine and does the necessary changes, but the client is not able to contact the target domain and hence doesn't reboot on its own.

The other most common error I have seen in the logs is "hr=800706fb The security database on the server does not have a computer account for this workstation trust relationship". Again I guess this is related to the administrative permission in the domain.

Santosh, what error are you getting in the logs?

Regards,
Sudhir Kaushal
Systems Administrator (Hosted Team)
eGain Communications Pvt. Ltd.
Hello - (+91 20) 4222812, (+91 20) 4228607, Ext-126

-Original Message-
From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 7:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT

Yes, you are right Mike. I don't think it is due to a name resolution problem.
   
  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Celone, Mike
Sent: Thursday, February 05, 2004 7:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT

So you're saying that the machines won't reboot because they can't resolve the target domain? This can't be true because all the machines I tried it on join the target domain (I see the account created) but just don't reboot. After I reboot them manually they log into the new domain without any issues. Why would the machine have to resolve the target domain to reboot anyway?

Mike Celone
Systems Specialist
Radio Frequency Systems
v 203-630-3311 x1031
f 203-634-2027
m 203-537-2406
   
  
  
  
From: Sudhir Kaushal [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 1:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT

Hi Santosh,

I had this problem while migrating the computer accounts and the things I concluded are as follows:

This error is because the ADMT agent on the source domain clients is not able to resolve the target domain. I tried first creating a static WINS record of the target domain in the source domain WINS server, though Microsoft doesn't recommend it. It didn't work out for me, maybe for the simple fact that WINS resolution is not supported when your target Win2K domain is using DNS for name resolution. I was migrating from NT 4.0 to Win2K.

If you are using DNS in the source domain and it doesn't have a resource record for the target domain, then create it, so that the ADMT agent should be able to resolve the target domain name from the source domain DNS. Like "Targetdomain.com".

If you are using only WINS in the source domain, then make sure that you have the WINS record of the target domain in the source domain WINS server.

If you are using DHCP then you can make all your source domain clients use the DNS of the target domain by making the configuration for DNS in DHCP, so that the ADMT agent is able to resolve the target domain name from the target domain DNS server only.

For me the first one worked out. I hope it works for you too.

Regards,
Sudhir Kaushal
Systems Administrator (Hosted Team)
eGain Communications Pvt. Ltd.
Hello - (+91 20) 4222812, (+91 20) 4228607, Ext-126

-Original Message-
From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 4:18 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Computer Migration Issue

RE: [ActiveDir] computer account issues

2004-02-06 Thread Michael Wassell
A little bit unclear, but I have browsed through the Microsoft KB
regarding that event id and this article was a match.

http://support.microsoft.com/default.aspx?scid=kb;en-us;823659

Search in the page for "5723" (without quotes).  It is under the
digitally sign communication (always) category.  That may be a first
step to determining the cause?

I also noticed that this error can be generated by SQL Server.

Is this error being generated in the event log on the server?  Or on the
machine itself? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of J0mb
Sent: Friday, February 06, 2004 8:43 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] computer account issues



RE: [ActiveDir] Computer Migration Issues with ADMT

2004-02-06 Thread Santhosh Sivarajan
Thanks Sudhir. I am not getting any error message. But it won't restart the computer automatically. I have to manually restart the computer!

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sudhir Kaushal
Sent: Thursday, February 05, 2004 11:17 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT



 




 

-Original Message-
From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 4:18 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Computer Migration Issues with ADMT

I remember someone posted a message here 3 or 4 weeks ago with an ADMT and computer migration question. I have the same problem in the lab. After the computer migration, it won't restart automatically. I have to manually restart the computer. Does anyone remember that question? If you still have a copy of that email thread could you forward it to me?

Thanks,

Santhosh


RE: [ActiveDir] Computer Migration Issues with ADMT

2004-02-06 Thread Santhosh Sivarajan
Thanks Mike. I am going to test your solution in the lab today!

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Celone, Mike
Sent: Friday, February 06, 2004 7:42 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT



 


[ActiveDir] Moved DC out of DMZ

2004-02-06 Thread Frank Buechler
One more question, guys..

As you know, I successfully moved a DC out of the DMZ. I have other 2000 servers sitting in the DMZ that no longer can see a DC. How do I force them to see the DC that is on the inside now that there is no longer a DC in the DMZ?

TIA


R: [ActiveDir] computer account issues

2004-02-06 Thread J0mb
Thanks for the reply and sorry for being unclear.

The event ID 5723 as per my previous post is generated on the domain controller. These are the events generated on the client side (please note they were translated from a non-English system; hopefully they're clear enough):

Source: LSASRV
Category: SPNEGO
EventID: 40961
Protection System could not establish a secured connection with server cifs/dc.domain.local. No authentication protocol was available

Source: NETLOGON
Category: None
EventID: 5721
Session installation on Windows NT or Windows 2000 domain controller \\dc.domain.local was unsuccessful because domain controller has no computer account for the computer "computername"

Source: W32time
Category: none
EventID: 18
NtpClient time provider was unable to establish a trust relation from this machine to domain domain.local in order to synchronize time in protected mode. Trust relation between this workstation and the primary domain was unsuccessful (0x800706FD).

One of the DCs has a SQL server to support an SMS 2.0 installation but I can't figure out any interaction with client authentication.

I am about to thoroughly read the Q article you suggested. From a quick check, the only relevant policy I could find is "Microsoft network server: digitally sign communications (if client agrees)" set ENABLED on the Default DC policy.

I have been working on this issue for a short time. People working here for longer say this might have happened exclusively (or mainly) on WinXP workstations, but take this as an unreliable piece of information.

Please let me know if you need more detailed information. I appreciate your support.

Thanks!!





> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
> Sent: Friday, 6 February 2004 15.09
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] computer account issues



RE: [ActiveDir] Moved DC out of DMZ

2004-02-06 Thread Frank Buechler
Never mind... duh. I figured it out. 
(It's a 2 cup morning...)  :^)

-Original Message-
From: Frank Buechler 
Sent: Friday, February 06, 2004 9:46 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moved DC out of DMZ




RE: [ActiveDir] Moved DC out of DMZ

2004-02-06 Thread Rich Milburn
Sounds like you're doing pretty well over there, well done.  And you thought
you'd be spending the weekend on it :)

-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 06, 2004 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moved DC out of DMZ

Never mind... duh. I figured it out. 
(It's a 2 cup morning...)  :^)

-Original Message-
From: Frank Buechler 
Sent: Friday, February 06, 2004 9:46 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moved DC out of DMZ


One more question, guys..

As you know, I successfully moved a DC out of the DMZ. I have other 2000 servers sitting
in the DMZ that no longer can see a DC. How do I force them to see the DC that is on
the inside now that there is no longer a DC in the DMZ?

TIA


RE: [ActiveDir] computer account issues

2004-02-06 Thread Michael Wassell
From reading the detailed error messages it would seem that the workstations are 
timing out for one reason or another when synchronizing; you may want to research 
increasing timeout values for network services (Browser service, Server service 
etc.).  Also, have you attempted to verify server communication via the WAN links to 
verify that there are no timeout issues occurring?  Try pinging with an -l switch to 
increase the ICMP data being sent with the -t switch and watch for any timeouts or 
significant ping response time increases.

Something you might want to consider is implementing independent child domains for 
each of your sites.  I believe it would significantly decrease your network traffic 
across your WAN links to allow for more prioritized processing of network traffic to 
take place.  However, that would likely be a large project so a more temporary 
solution would be to determine the cause of the current issue.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J0mb
Sent: Friday, February 06, 2004 10:00 AM
To: [EMAIL PROTECTED]
Subject: R: [ActiveDir] computer account issues

Thanks for the reply and sorry for being unclear.
The eventID 5723 as per my previous post is generated on the domain controller.
These are the events generated on the client side (please note they were translated 
from a non-English system, hopefully they're clear enough):

Source: LSASRV
Category: SPNEGO
EventID: 40961
Protection System could not establish a secured connection with server 
cifs/dc.domain.local. No authentication protocol was available

Source: NETLOGON
Category: None
EventID: 5721
Session installation on Windows NT or Windows 2000 domain controller \\dc.domain.local 
was unsuccessful because domain controller has no computer account for the computer 
"computername"

Source: W32time
Category: none
EventID: 18
NtpClient time provider was unable to establish a trust relation from this machine to 
domain domain.local in order to synchronize time in protected mode. Trust relation 
between this workstation and the primary domain was unsuccessful (0x800706FD).

One of the DCs has a SQL server to support an SMS 2.0 installation but I can't figure 
out any interaction with client authentication.
I am about to thoroughly read the Q article you suggested to me. From a quick check, the 
only relevant policy I could find is "Microsoft network server:
digitally sign communication if client agrees" set ENABLED on the default DC policy.
I have been working on this issue for a short time. People who have worked here longer 
say this might have happened exclusively (or mainly) on WinXP workstations, but take 
this as an unreliable piece of information.
Please let me know if you need more detailed information. I appreciate your support.
Thanks!!





> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Michael 
> Wassell
> Sent: Friday, 6 February 2004 15:09
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] computer account issues
> 
> A little bit unclear, but I have browsed through the Microsoft KB 
> regarding that event id and this article was a match.
> 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
> 
> Search in the page for "5723" (without quotes).  It is under the 
> digitally sign communication (always) category.  That may be a first 
> step to determining the cause?
> 
> I also noticed that this error can be generated by SQL Server.
> 
> Is this error being generated in the event log on the server? 
>  Or on the machine itself? 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of J0mb
> Sent: Friday, February 06, 2004 8:43 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] computer account issues
> 
> good morning list,
> 
> I am getting a weird problem lately. Our AD architecture is made of 1 
> forest, 1 domain, 4 sites spanned through WAN links. There are approx.
> 2500 nodes in the forest, there are 2 DCs at each site, a DC is 
> configured as GC at each site.
> 
> Randomly, with no apparent recurrent pattern, we get the eventID
> 5723 (netlogon) error from some machines (I would say some 4-5 a day). 
> 
> --
> 
> The session setup from the computer  failed because 
> there is no trust account in the security database for this computer. 
> The name of the account referenced in the security database is 
> $.
> 
> The error code is 0xC18B
> 
> --
> 
> The client is not able to authenticate to the DC anymore. The only (to
> me) known resolution is to rejoin the machine to the domain.
> 
> Would anyone suggest a resolution, or the correct steps for 
> troubleshooting?
> 
> I've already checked on eventid.net, and it looks like none of the 
> suggestions is relevant to my architecture. We're running a native 
> mode Windows 2000 domain.
> 
> The error code states that the computer account has been deleted. How 
> can this happen

RE: [ActiveDir] Moved DC out of DMZ

2004-02-06 Thread Frank Buechler
Yep! Thanks Rich! Now I can focus my weekend plans on something a little
more relaxing.. namely drinking beer! :^)

-Original Message-
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Friday, February 06, 2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moved DC out of DMZ


Sounds like you're doing pretty well over there, well done.  And you thought
you'd be spending the weekend on it :)



RE: [ActiveDir] Moved DC out of DMZ

2004-02-06 Thread Frank Buechler
Speaking of beer.. a sampler platter tonight at Applebee's sounds great!
I really love those riblets!!



R: [ActiveDir] computer account issues

2004-02-06 Thread J0mb
Michael,

Admittedly, WAN links are not extremely reliable and tend to be dropped out
at times. However, I can't explain how this can be related to my problem.
Would you like to further explain this point please?
Can WAN links be related to my problem? Has it something to do with
replication? This is what happens: the client, all of a sudden, cannot
authenticate anymore. We check on the DCs and the computer account is
gone...lost, as if someone deleted it (but auditing shows no sign of manual
deletions from privileged users). We have at least 2 DCs at each site and we
verified that each client will authenticate from a DC in its local site.
Each site has its own DCs and I verified that each client will authenticate
from the correct DC in its own site. From my point of view, it doesn't look
like a WAN link issue.

As for architectural changes: they can't be performed for a number of
reasons. However I still wonder how this issue may be related to WAN
traffic.

Thanks for your time
Alex.


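A triage script for the situation Alex describes (the DC logs Netlogon 5723 for a workstation, the client logs 5721, and the computer account turns out to be gone with no deletion visible in the audit trail), added here as an example and not taken from the thread. It assumes Windows PowerShell 2.0 or later on a domain-joined admin workstation; the workstation and DC names are parameters you supply. Security event 647 (Windows 2000/2003) and 4743 (Windows Server 2008 and later) are "Computer Account Deleted"; they exist only where account-management auditing is enabled, and each DC logs only the deletions it performed itself, so run step 2 against every DC, not just the one that logged the 5723.

```powershell
# Added example, not from the thread. Triage a "no trust account" report (Netlogon 5723 on
# the DC, 5721 on the client). Both parameters are placeholders you supply.
param(
    [Parameter(Mandatory = $true)] [string]$ComputerName,      # workstation named in the 5723 event
    [Parameter(Mandatory = $true)] [string]$DomainController   # DC whose Security log to search
)

# 1. Does the computer account still exist? Netlogon 5723 means the DC found no account <host>$.
$filter   = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
$searcher = [adsisearcher]$filter
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'pwdLastSet', 'whenChanged'))
$acct = $searcher.FindOne()

if ($null -eq $acct) {
    Write-Output "No computer account '$ComputerName`$' in the domain: the machine has to be rejoined."
} else {
    # pwdLastSet is a FILETIME. An account that exists but whose machine password is far older
    # than the 30-day default points at a broken secure channel rather than a deleted account.
    $pwdLastSet = [DateTime]::FromFileTime([long]$acct.Properties['pwdlastset'][0])
    Write-Output ("Account present: {0}; machine password last set {1:u}" -f $acct.Properties['distinguishedname'][0], $pwdLastSet)
}

# 2. Was the account deleted, and by whom? 647 (Windows 2000/2003) and 4743 (2008+) are
#    "Computer Account Deleted"; they are only written if account-management auditing is on,
#    and only on the DC where the deletion was performed.
Get-EventLog -LogName Security -ComputerName $DomainController -InstanceId 647, 4743 -Newest 500 |
    Where-Object { $_.Message -match [regex]::Escape("$ComputerName`$") } |
    Select-Object TimeGenerated, EventID, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-List

# 3. On the affected workstation itself, verify the secure channel; a failure here is the
#    client-side counterpart of the 5721 event (nltest ships with the Support Tools / RSAT):
#    nltest /sc_query:<domain>
```

If step 1 finds the account and step 2 finds nothing on any DC, the symptom is a secure-channel or machine-password problem rather than a deletion, which is the direction the SMB-signing policy from KB 823659 points in; if step 2 does find a 647/4743, the event's subject fields name the account that performed the deletion.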

RE: [ActiveDir] Moved DC out of DMZ

2004-02-06 Thread Michael Wassell
Not a bad idea... lol 



[ActiveDir] Restricting Administrative Permissions

2004-02-06 Thread Stuart, Cory G.
Hi All,

    I know that you can limit who can add workstations to a domain via Group Policy.  Is there a way that you can allow someone to create users, but not change their passwords or group memberships, etc?

Thanks!


Cory


---

Cory G. Stuart

Network Administrator

Nuclear Engineering Division

Argonne National Laboratory

--- 





RE: [ActiveDir] Restricting Administrative Permissions

2004-02-06 Thread Rich Milburn
You can assign pretty granular permissions in AD.  If you view Advanced
options in the ADUC, you can get to the security tab and assign permissions
for just about any action, say for a group that you want to give this
access to.  Have a look and see if this meets your needs.

Rich









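One way to do what Cory asks with the per-action permissions Rich points at, added here as an example and not taken from the thread: dsacls (Windows 2000/2003 Support Tools, built into later versions) grants a group the right to create user objects in one OU and to write a handful of attributes on those users, while the rights that would let it reset passwords or change group membership are deliberately left ungranted. The domain EXAMPLE, the OU Staff and the group HelpDesk are placeholders.

```powershell
# Added example, not from the thread. Delegate "create user objects" on one OU without
# granting "Reset Password" or group-membership changes. OU, domain and group are placeholders.
$ou    = 'OU=Staff,DC=example,DC=com'
$group = 'EXAMPLE\HelpDesk'

# CC = create child objects of class "user" directly in this OU. DC (delete child) is not granted.
dsacls $ou /G "${group}:CC;user"

# Let the group fill in a new account's basic attributes on user objects under the OU and
# nothing else (/I:S = apply to sub-objects of the named class only; WP = write property).
foreach ($attr in 'displayName', 'givenName', 'sn', 'description') {
    dsacls $ou /I:S /G "${group}:WP;${attr};user"
}

# Rights deliberately NOT granted, shown so the reader knows what to look for in the ACL:
#   reset a password         ->  "${group}:CA;Reset Password;user"   (a control-access right)
#   change group membership  ->  "${group}:WP;member;group"           (write to group.member)

# Verify: every ACE naming the group should be one of the entries granted above.
dsacls $ou | Select-String 'HelpDesk'
```

One caveat worth checking in the lab before rolling this out: the account that creates an AD object becomes its owner, and an owner can rewrite the object's DACL, so a delegated creator could grant itself further rights on the accounts it created. Windows Server 2008 and later let you cap this with the "OWNER RIGHTS" SID on the OU; on a Windows 2000/2003 domain the practical control is auditing of directory-service access on those objects.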


RE: [ActiveDir] Computer Migration Issues with ADMT - FIXED :- )

2004-02-06 Thread Santhosh Sivarajan
Mike & Sudhir,

My computer migration problem has been fixed!  I learned something today:
"Be patient".  Here is the time calculation according to my testing.  If you
select the 5 minutes option during the computer migration, the actual
restart time = 7 min + selected 5 min, a total of 12 min.  If you select 1
min, the restart time = 7 min + 1 min.

7 min is a fixed time for ADMT to issue a message to the workstation.  After
that 7 min you will see the shutdown message and it will give you the
selected time during the computer migration (5, 1, etc.).  7 min is according
to my testing in the lab but I think the MS actual value is 5 min.

Mike, 
I would recommend you test in the lab with a 1 min option and wait for 8
min. You will see the restart message on the workstation.  Good luck and be
patient :- ) 

Thanks,
Santhosh

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Friday, February 06, 2004 8:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT

Thanks Mike.  I am going to test your solution in the lab today!


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Celone, Mike
Sent: Friday, February 06, 2004 7:42 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT

Santosh, 
 
I moved a total of 3 machines yesterday in our lab and was able to get them
to reboot successfully.  Instead of changing the time to 1 minute I left it
at 5.  Those machines rebooted without issue.  I then tried again changing
the time to 1 minute.  Those machines would not reboot.  It seems if you
change the time to less than 5 minutes it does not issue a reboot.
 
As for the below error messages you will see them in the logs if you just do
a test and not a migration.  Every test I've done using ADMT displays the
2nd error message in the logs.  
 
Mike


From: Sudhir Kaushal [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 06, 2004 12:17 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT
Hi Santosh,
 
It is true that the account is created but the machines just don't reboot. In my
case I tried even changing the time from 1 min to 5 min. But the machines
just don't reboot. Even after rebooting the machines manually, the domain
name remained the same. After checking the logs in c:\temp on the client
machine I found this error "failed to change the domain affiliation
(hr=8007054b), the specified domain does not exist or could not be
contacted". Because of this I concluded that account creation on the Target
domain is maybe because of the ADMT agent, which gets properly installed on the
client machine and does the necessary changes, but the client is not able to
contact the Target domain and hence doesn't reboot on its own.

The other most common error I have seen in the logs is "hr=800706fb The
security database on the server does not have a computer account for this
workstation trust relationship". Again I guess this is related to the
Administrative permission in the domain.

Santosh, what error are you getting in the logs?
 
Regards,
Sudhir Kaushal 
Systems Administrator ( Hosted Team ) 
eGain Communications Pvt. Ltd. 
Hello - (+91 20) 4222812, (+91 20) 4228607, Ext-126 
-Original Message-
From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 7:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT
Yes, you are right, Mike.  I don't think it is due to a name resolution
problem.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Celone, Mike
Sent: Thursday, February 05, 2004 7:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT

So you're saying that the machines won't reboot because they can't resolve the
target domain? This can't be true because all the machines I tried it on
join to the target domain (I see the account created) but just don't
reboot.  After I reboot them manually they log into the new domain without
any issues.  Why would the machine have to resolve the target domain to
reboot anyway?
 
Mike Celone
Systems Specialist
Radio Frequency Systems
v 203-630-3311 x1031 
f 203-634-2027
m 203-537-2406


From: Sudhir Kaushal [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 05, 2004 1:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT
Hi Santosh,
I had this problem while migrating the computer accounts and the things I
concluded are as follows:
This error is because the ADMT agent on the source domain clients is not
able to resolve the target domain.

I tried first creating a static WINS record of the target domain in the source
domain WINS server, though Microsoft doesn't recommend it. It didn't work out
for m

RE: [ActiveDir] Integrate Linux with AD

2004-02-06 Thread Jennifer Fountain
> 
> Hot off the press.
> 
> Solution Guide for Windows Security and Directory Services 
> for UNIX Using Active Directory and Kerberos for 
> authentication and identity store in a heterogeneous UNIX and 
> Windows IT environment.
> 
> http://www.microsoft.com/downloads/details.aspx?FamilyId=144F7
> B82-65CF-4105-
> B60C-44515299797D&displaylang=en
> 

Could I use Services for Unix? Would that work instead of buying VAS?

Jennifer


Re: RE: [ActiveDir] Integrate Linux with AD

2004-02-06 Thread rkingsla
Jennifer,

The first solution that was presented to you by Tom [AD4Unix] is a solution that we've 
implemented in the past.  It uses the schema extensions from SFU, and it's a fairly 
easy to manage and easy to install solution.  Not lots of bells and whistles, and does 
require that all of your systems are a part of NIS - which can be arbitrarily 
defined.  IOW, it doesn't have to be an official and stringent NIS, just something for 
AD to know who is and who isn't playing in your ballpark.

As to SFU 3.5, I believe that Rod Trent or Jackson suggested it, and you can certainly 
use it to great advantage as well.  The VAS solution is a fantastic product, but many 
folks are put off by the cost.  It all depends on how 'seamless' you want the 
solution, obviously offset by the 'pocket book' factor.

Good luck!

Rick Kingslan
Microsoft MVP - Active Directory



RE: [ActiveDir] Integrate Linux with AD

2004-02-06 Thread Robbie Allen \(rallen\)
Depends on what you want to do.  As far as allowing Linux clients to
authenticate against AD, SFU doesn't do everything.  The solutions guide
is ok, but don't give it to any of your Linux/UNIX people to read ;-)

Regards,
Robbie Allen
http://www.rallenhome.com/ 



Re: RE: [ActiveDir] Integrate Linux with AD

2004-02-06 Thread Guy Teverovsky

You might also want to look at the following solution:
http://laaad.sourceforge.net/en/index.html

The idea behind the project is to apply the SFU schema extensions and
make the clients authenticate using LDAP/SSL instead of NIS, as opposed
to vanilla SFU.
If you want, you can also make clients authenticate against AD's
Kerberos realm.

Actually the problem is not authentication, but having a single store
for user account properties in AD (Posix account properties in the case
of Linux/Unix) and that is what SFU schema extensions do in this case.

Guy

On Sat, 2004-02-07 at 02:27, [EMAIL PROTECTED] wrote:
> Jennifer,
> 
> The first solution that was presented to you by Tom [AD4Unix] is a solution that 
> we've implemented in the past.  It uses the schema extensions from SFU, and it's a 
> fairly easy to manage and easy to install solution.  Not lots of bells and whistles, 
> and it does require that all of your systems are a part of NIS - which can be 
> arbitrarily defined.  IOW, it doesn't have to be an official and stringent NIS, 
> just something for AD to know who is and who isn't playing in your ballpark.
> 
> As to SFU 3.5, I believe that Rod Trent or Jackson suggested it, and you can 
> certainly use it to great advantage as well.  The VAS solution is a fantastic 
> product, but many folks are put off by the cost.  It all depends on how 'seamless' 
> you want the solution, obviously offset by the 'pocket book' factor.
> 
> Good luck!
> 
> Rick Kingslan
> Microsoft MVP - Active Directory
> 
> > 
> > From: "Jennifer Fountain" <[EMAIL PROTECTED]>
> > Date: 2004/02/06 Fri PM 05:11:49 EST
> > To: <[EMAIL PROTECTED]>
> > Subject: RE: [ActiveDir] Integrate Linux with AD
> > 
> > > 
> > > Hot off the press.
> > > 
> > > Solution Guide for Windows Security and Directory Services 
> > > for UNIX Using Active Directory and Kerberos for 
> > > authentication and identity store in a heterogeneous UNIX and 
> > > Windows IT environment.
> > > 
> > > http://www.microsoft.com/downloads/details.aspx?FamilyId=144F7
> > > B82-65CF-4105-
> > > B60C-44515299797D&displaylang=en
> > > 
> > 
> > Could I use Services for Unix? Would that work instead of buying VAS?
> > 
> > Jennifer


RE: [ActiveDir] Computer Migration Issues with ADMT - FIXED :- )

2004-02-06 Thread Wright, T. MR NSSB
Santosh/Mike,
We successfully migrated about 6000 computers using ADMT ver.2 set to reboot 1 
min. after completion.  Santosh, I'm not sure where you are getting the 7 min. from.  
ADMT issues a message to the workstation to start ADMTagent.exe, immediately after you 
click the close button.  You can verify this by looking in Task Manager on the machine 
you are trying to migrate, you should see ADMTagent listed in the active processes.  
It could actually take much longer or much shorter depending on the amount of data and 
profiles that are on the machine which you are trying to migrate.  The more data the 
longer it will take.  We migrated a 2TB file server and it took about an hour.

HTH,

-Tim

-Original Message-
From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 06, 2004 12:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT - FIXED :- )

Mike & Sudhir,

My computer migration problem has been fixed!  I learned something today:
"Be patient".  Here is the time calculation according to my testing.  If you
select the 5 minute option during the computer migration, the actual
restart time = 7 min + the selected 5 min, a total of 12 min.  If you select 1
min, the restart time = 7 min + 1 min.

7 min is a fixed time for ADMT to issue a message to the workstation.  After
that 7 min you will see the shutdown message and it will give you the
selected time during the computer migration (5, 1 etc).  7 min is according
to my testing in the lab but I think the actual MS value is 5 min.

Mike, 
I would recommend you test in the lab with a 1 min option and wait for 8
min. You will see the restart message on the workstation.  Good luck and be
patient :- ) 

Thanks,
Santhosh

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Friday, February 06, 2004 8:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT

Thanks Mike.  I am going to test your solution in the lab today!


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Celone, Mike
Sent: Friday, February 06, 2004 7:42 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT

Santosh, 
 
I moved a total of 3 machines yesterday in our lab and was able to get them
to reboot successfully.  Instead of changing the time to 1 minute I left it
at 5.  Those machines rebooted without issue.  I then tried again changing
the time to 1 minute.  Those machines would not reboot.  It seems if you
change the time to less than 5 minutes it does not issue a reboot.
 
As for the below error messages you will see them in the logs if you just do
a test and not a migration.  Every test I've done using ADMT displays the
2nd error message in the logs.  
 
Mike


From: Sudhir Kaushal [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 06, 2004 12:17 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT
Hi Santosh,
 
It is true that the account is created but the machines just don't reboot. In my
case I tried even changing the time from 1 min to 5 min. But the machines
just don't reboot. Even after rebooting the machines manually, the domain
name remained the same. After checking the logs in c:\temp on the client
machine I found this error: "failed to change the domain affiliation
(hr=8007054b), the specified domain does not exist or could not be
contacted". Because of this I concluded that account creation on the Target
domain is maybe because of the ADMT agent, which gets properly installed on the
client machine and does the necessary changes, but the client is not able to
contact the Target domain and hence doesn't reboot on its own.
 
The other most common error I have seen in the logs is "hr=800706fb The
security database on the server does not have a computer account for this
workstation trust relationship". Again I guess this is related to the
Administrative permission in the domain.
 
Santosh, what error are you getting in the logs?
 
Regards,
Sudhir Kaushal 
Systems Administrator ( Hosted Team ) 
eGain Communications Pvt. Ltd. 
Hello - (+91 20) 4222812, (+91 20) 4228607, Ext-126 
-Original Message-
From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 7:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT
Yes, you are right, Mike.  I don't think it is due to a name resolution
problem.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Celone, Mike
Sent: Thursday, February 05, 2004 7:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Computer Migration Issues with ADMT

So you're saying that the machines won't reboot because they can't resolve the
target domain? This can't be true because all the machines I tried it on
join to t
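Added example, not code from the thread: a PowerShell helper that decodes the hr= values quoted from the ADMT agent log (c:\temp on the client) into the Win32 error they wrap, which is what you need when deciding between a name-resolution problem and a missing computer account. The sample log lines are constructed from the two errors quoted above.

```powershell
# Added example, not code from the thread. Decodes the hr= values that the ADMT
# agent writes to its log into the Win32 error they wrap, so a failed computer
# migration can be triaged from the log rather than by guessing.
# Assumes Windows PowerShell 3.0 or later (for the -shr operator).

function ConvertFrom-AdmtHResult {
    param([Parameter(Mandatory)][string]$LogLine)

    # ADMT logs HRESULTs as hr=8007054b. In an HRESULT the high bit is the
    # severity, bits 16-26 are the facility, and the low 16 bits are the code.
    # Facility 7 is FACILITY_WIN32, so the low 16 bits are a plain Win32 error.
    $m = [regex]::Match($LogLine, 'hr=(?<hr>[0-9A-Fa-f]{8})')
    if (-not $m.Success) { return $null }

    $hr       = [Convert]::ToUInt32($m.Groups['hr'].Value, 16)
    $facility = ($hr -shr 16) -band 0x7FF
    $code     = [int]($hr -band 0xFFFF)

    $message = if ($facility -eq 7) {
        # Win32Exception looks the code up in the system message table.
        (New-Object System.ComponentModel.Win32Exception($code)).Message
    } else {
        'not a FACILITY_WIN32 HRESULT; look the code up by facility'
    }

    [pscustomobject]@{
        HResult   = '0x{0:X8}' -f $hr
        Facility  = $facility
        Win32Code = $code
        Message   = $message
    }
}

# Constructed sample lines modelled on the two errors quoted in the thread.
$sampleLines = @(
    'failed to change the domain affiliation (hr=8007054b), the specified domain does not exist or could not be contacted',
    'hr=800706fb The security database on the server does not have a computer account for this workstation trust relationship'
)

# 8007054b -> Win32 1355 (ERROR_NO_SUCH_DOMAIN): the agent could not reach the
# target domain, so check DNS/WINS resolution and DC reachability from the client.
# 800706fb -> Win32 1787 (ERROR_NO_TRUST_SAM_ACCOUNT): the target domain has no
# computer account for this workstation, so check the account and the permissions
# the migration account has on the target OU.
$sampleLines | ForEach-Object { ConvertFrom-AdmtHResult -LogLine $_ } |
    Format-Table HResult, Win32Code, Message -AutoSize
```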

RE: [ActiveDir] Windows 2000 startup screen

2004-02-06 Thread Wright, T. MR NSSB
James,

    That is an interesting approach to the problem.  The only thing I see in Russ's case is that if
the execs don't like having to click OK to the legal notice, then they must surely have had him
disable the CTRL + ALT + DELETE requirement since that is 3 times as much work as having to click
"OK" 8-p

-Tim

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 7:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 startup screen

Russ,

Sorry about that...an idea...you can have a legal message integrated into the CTRL+ALT+DEL bitmap...

What you could do is use reshacker http://www.users.on.net/johnson/resourcehacker/ , get an
MSGINA.DLL from a machine of the same type and service pack that you are using and amend the
"bitmap file 1033 image". You then need to integrate the "new" msgina.dll file into your install
i386 dir; you may have to extract and compress cab files here. If you want to head down this path
ping me off list and I can help you out...

James

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, 6 February 2004 9:45 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 2000 startup screen

That's legal notice caption text which our top execs didn't like because they had to click "OK"
(it's so difficult!)

So now we're replacing the startup splashscreen with a legal notice BMP.  I know which registry key
does it now in WinXP and Win2k, but I am trying to see if I can use a JPG or if it MUST be a BMP.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 5:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 startup screen

Russ,

As Katherine advised, or a registry entry, see below...your choice:

Windows Registry Editor Version 5.00

; Add Legal Notice Caption & Legal Notice
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="WARNING -  DODGY AUTHORISED USERS ONLY "
"LegalNoticeText"="Any unauthorised access or use of this workstation is prohibited and could be subject to claims for damages and/or penalties at law.  To protect this system from unauthorised use and to ensure that it is functioning properly, activities on it are monitored and recorded and subject to audit. ALL software in  DODGY is to be AUTHORISED prior to purchase using the normal acquisition and purchasing rules that apply at these sites. ANY software installation is to be performed by  DODGY  IT or personnel NOMINATED by DODGY IT. Use of this system is express consent to such monitoring, recording and conditions. To protect from unauthorised access once logged in users should press CTRL+ALT+DEL then \"Lock Computer\" when away from their workstations for extended periods of time."

James

-Original Message-
From: Katherine Coombs [mailto:[EMAIL PROTECTED]
Sent: Friday, 6 February 2004 9:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 startup screen

Russ,

You can do this through GPO by changing the following settings:

Interactive logon: message text for users attempting to logon
Interactive logon: message title for users attempting to logon

They are found in the following location within the GPO editor:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

HTH,

Katherine

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, 6 February 2004 1:51 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Windows 2000 startup screen

Thanks to all who helped me with the GC Disaster recovery issue!!!

Now, I've been asked to replace all the Windows 2000 and XP startup splash screens (the one you see
in the background when you hit ctrl-alt-del). We're going to have our legal notice there since our
top dogs don't like the legal notice GPO.  Question is, is there a GPO for this, and if not, is there
a registry entry or something we can automate on login?

I know XP's solution is here http://www.updatexp.com/tip12.html

What about Win2000?  Any easy ways to do this?

~~
This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation
and its operating Divisions and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have
received this message in error please delete it, together with any attachments, from your system.
~~

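Added example, not code from the thread: a PowerShell audit of the two Winlogon values that James's .reg file writes and that Katherine's pair of GPO security options manages, reporting whether a logon banner is actually in place on the machine it runs on. It assumes an elevated PowerShell session on the workstation being checked; the expected caption is taken from the .reg file above and is only a placeholder for your own text.

```powershell
# Added example, not code from the thread. Audits the Winlogon legal-notice
# values so you can confirm the banner is configured instead of assuming the
# .reg import or GPO applied. Assumes Windows PowerShell 3.0+ run elevated.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-LogonBannerState {
    param(
        [string]$Path = $WinlogonKey,
        # Placeholder taken from the .reg file in the thread; replace with your own.
        [string]$ExpectedCaption = 'WARNING -  DODGY AUTHORISED USERS ONLY '
    )
    # Read the whole key so a missing value yields $null instead of an error.
    $props   = Get-ItemProperty -Path $Path -ErrorAction Stop
    $caption = [string]$props.LegalNoticeCaption
    $text    = [string]$props.LegalNoticeText

    # Assumption of this audit: the banner counts as configured only when both
    # the title and the text are non-empty, matching the GPO pair
    # "Interactive logon: message title/text for users attempting to log on".
    $captionSet = -not [string]::IsNullOrWhiteSpace($caption)
    $textSet    = -not [string]::IsNullOrWhiteSpace($text)

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        CaptionSet       = $captionSet
        TextSet          = $textSet
        BannerConfigured = ($captionSet -and $textSet)
        CaptionMatches   = ($caption -eq $ExpectedCaption)
        TextLength       = $text.Length
    }
}

# The GPO security options and the .reg file write the same two Winlogon
# values, so a value set locally with the .reg file is replaced at the next
# policy refresh wherever a GPO defines the setting. Pick one source of truth.
$state = Get-LogonBannerState
$state | Format-List

if (-not $state.BannerConfigured) {
    Write-Warning "No logon banner on $($state.Computer): set both LegalNoticeCaption and LegalNoticeText, or configure the GPO pair."
}
```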