RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
Test came up clean. Thanks for the link as that may come in handy in the future! I've been doing random gpupdate commands since the last userenv error at 2:51PM EST and I haven't gotten a single 1054 error since so I'm crossing my fingers that the DisableDHCPMediaSense works with this new Intel card. Donavon Yelton -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Friday, January 19, 2007 3:34 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) You might want to test the network connection. We have a public tester at http://miranda.ctd.anl.gov:7123/ that might detect duplex mismatches or faulty cables. Mike Thommes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, January 19, 2007 2:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) Given the fact that its intermittent, that its just this one server, that you've already replaced the NIC and that the error is "an unexpected network error occurred", there's not much else to do I think, other than get MS involved. Either its something in the OS or the network switch you're using is flaky. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Friday, January 19, 2007 11:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) I spoke too soon in regards to it being fixed. Apparently it is now intermittent and I can't make the 1054 error come up consistently. The logging has been set to 0x00030002 for some time but I haven't been able to catch anything beyond the 59 error. I did a gpupdate about 5 minutes ago and it showed the 1054 error but then when I waited a couple of minutes (not changing anything at all) it did not show up after doing a gpupdate and the userenv log showed nothing out of whack (no 59 errors). Any ideas to what could be the cause of intermittent issues? After over a week with this issue I'm losing my hair, and I don't have much more to lose. 8-( Donavon Yelton -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Friday, January 19, 2007 1:21 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) http://support.microsoft.com/kb/221833/en-us Up the debugging Set to 0x00030002 what's the log say? Donavon Yelton wrote: > Well, I did as you and other suggested, install an Intel NIC card in > the system. I purchased an NC360T Intel chipset card. So after a > $300 NIC card was installed in the system I boot it up, run gpupdate > and bam, I get a 1054 userenv error (same one I was getting with the Broadcom's). > > Any further suggestions before I call Microsoft? > > Donavon Yelton > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Susan > Bradley, CPA aka Ebitz - SBS Rocks [MVP] > Sent: Monday, January 15, 2007 4:07 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group > Policy) > > And if you like I'll ping you up with Les, Nick and others who ..yes > ...brand spanking new server... brand spanking new machines and they > would not/could not do what they were supposed to do. > > Put in Intels and all was well. > > If you'd like to get a similar dent in your head feel free. All I can > say is, these days the minute we start having weird issues and there's > a Broadcom on the box, we're not wasting the time on them anymore. > > Donavon Yelton wrote: > >> I'm not about to give up on the Broadcom NICs as this is a brand new >> server that cost as much as a Honda Accord. I'm not sure I can >> believe that HP would put a defective card in such a machine. You'd >> think others would have the same issues in mass quantity if that were >> the case. I'm also using Broadcoms in other HP servers here >> (including the two DCs) and they have not had any issues. It is all >> too easy to chalk up a problem like this to network cards, but I >> don't >> > > >> think it explains why the GPO is applied successfully without issues >> within the first 15 minutes or so after a reboot. There are no other >> problems cropping up from these Broadcoms either. >> >> Now for a question, how do I disable slow link detection for all >> terminal service users on this problem server since
RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
I spoke too soon in regards to it being fixed. Apparently it is now intermittent and I can't make the 1054 error come up consistently. The logging has been set to 0x00030002 for some time but I haven't been able to catch anything beyond the 59 error. I did a gpupdate about 5 minutes ago and it showed the 1054 error but then when I waited a couple of minutes (not changing anything at all) it did not show up after doing a gpupdate and the userenv log showed nothing out of whack (no 59 errors). Any ideas to what could be the cause of intermittent issues? After over a week with this issue I'm losing my hair, and I don't have much more to lose. 8-( Donavon Yelton -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Friday, January 19, 2007 1:21 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) http://support.microsoft.com/kb/221833/en-us Up the debugging Set to 0x00030002 what's the log say? Donavon Yelton wrote: > Well, I did as you and other suggested, install an Intel NIC card in > the system. I purchased an NC360T Intel chipset card. So after a > $300 NIC card was installed in the system I boot it up, run gpupdate > and bam, I get a 1054 userenv error (same one I was getting with the Broadcom's). > > Any further suggestions before I call Microsoft? > > Donavon Yelton > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Susan > Bradley, CPA aka Ebitz - SBS Rocks [MVP] > Sent: Monday, January 15, 2007 4:07 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group > Policy) > > And if you like I'll ping you up with Les, Nick and others who ..yes > ...brand spanking new server... brand spanking new machines and they > would not/could not do what they were supposed to do. > > Put in Intels and all was well. > > If you'd like to get a similar dent in your head feel free. All I can > say is, these days the minute we start having weird issues and there's > a Broadcom on the box, we're not wasting the time on them anymore. > > Donavon Yelton wrote: > >> I'm not about to give up on the Broadcom NICs as this is a brand new >> server that cost as much as a Honda Accord. I'm not sure I can >> believe that HP would put a defective card in such a machine. You'd >> think others would have the same issues in mass quantity if that were >> the case. I'm also using Broadcoms in other HP servers here >> (including the two DCs) and they have not had any issues. It is all >> too easy to chalk up a problem like this to network cards, but I >> don't >> > > >> think it explains why the GPO is applied successfully without issues >> within the first 15 minutes or so after a reboot. There are no other >> problems cropping up from these Broadcoms either. >> >> Now for a question, how do I disable slow link detection for all >> terminal service users on this problem server since that seems to >> have >> > > >> fixed the issue? I need to make the change in the registry on the >> problem server apparently as making the switch in the GPO itself >> seems >> > > >> to not have any effect. >> >> Donavon >> >> -Original Message- >> From: [EMAIL PROTECTED] >> [mailto:[EMAIL PROTECTED] On Behalf Of Susan >> Bradley, CPA aka Ebitz - SBS Rocks [MVP] >> Sent: Monday, January 15, 2007 3:09 PM >> To: ActiveDir@mail.activedir.org >> Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - >> Group >> Policy) >> >> Dump the broadcoms and get Intel. >> http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-netw >> o >> rk >> -cards-are-evil.aspx >> >> We've had no end of weirdness with those suckers. >> Even the latest drivers don't work. >> Donavon Yelton wrote: >> >> >>> Yes, these are Broadcom NICs. I want to go back to the last >>> question >>> > > >>> that was asked (if my network card drivers were up to date) and >>> change >>> >>> >> >> >>> my answer. I had ran the HP update package for the NC series cards >>> in >>> >>> >> >> >>> the server and it showed as updated (even if I run it at the moment >>> it >>> >>&g
RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
Well, I disabled media sensing again (first time for this Intel card though, disabling didn't work with the Broadcoms) and it actually may have worked this time around. I'll watch it and do some testing but for now consider it fixed pending. 8-) Donavon Yelton -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, January 19, 2007 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) Did you try disabling media sense that someone suggested, in this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;239924? Also, try the reg hack described in this article, just for giggles: http://support.microsoft.com/default.aspx?scid=kb;en-us;840669 I don't recall seeing it, but did you try a different switch port? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Friday, January 19, 2007 10:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) Well, I did as you and other suggested, install an Intel NIC card in the system. I purchased an NC360T Intel chipset card. So after a $300 NIC card was installed in the system I boot it up, run gpupdate and bam, I get a 1054 userenv error (same one I was getting with the Broadcom's). Any further suggestions before I call Microsoft? Donavon Yelton -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Monday, January 15, 2007 4:07 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) And if you like I'll ping you up with Les, Nick and others who ..yes ...brand spanking new server... brand spanking new machines and they would not/could not do what they were supposed to do. Put in Intels and all was well. If you'd like to get a similar dent in your head feel free. All I can say is, these days the minute we start having weird issues and there's a Broadcom on the box, we're not wasting the time on them anymore. Donavon Yelton wrote: > I'm not about to give up on the Broadcom NICs as this is a brand new > server that cost as much as a Honda Accord. I'm not sure I can > believe that HP would put a defective card in such a machine. You'd > think others would have the same issues in mass quantity if that were > the case. I'm also using Broadcoms in other HP servers here > (including the two DCs) and they have not had any issues. It is all > too easy to chalk up a problem like this to network cards, but I don't > think it explains why the GPO is applied successfully without issues > within the first 15 minutes or so after a reboot. There are no other > problems cropping up from these Broadcoms either. > > Now for a question, how do I disable slow link detection for all > terminal service users on this problem server since that seems to have > fixed the issue? I need to make the change in the registry on the > problem server apparently as making the switch in the GPO itself seems > to not have any effect. > > Donavon > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Susan > Bradley, CPA aka Ebitz - SBS Rocks [MVP] > Sent: Monday, January 15, 2007 3:09 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group > Policy) > > Dump the broadcoms and get Intel. > http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-netwo > rk > -cards-are-evil.aspx > > We've had no end of weirdness with those suckers. > Even the latest drivers don't work. > Donavon Yelton wrote: > >> Yes, these are Broadcom NICs. I want to go back to the last question >> that was asked (if my network card drivers were up to date) and >> change >> > > >> my answer. I had ran the HP update package for the NC series cards >> in >> > > >> the server and it showed as updated (even if I run it at the moment >> it >> > > >> tells me that the drivers are up to date) with version 2.8.22.0. The >> problem is that when I look at the actual driver version by going to >> the device manager and viewing properties it shows a version of >> > 2.8.13.0. > >> On that note, in looking back at HP's revision history for their >> driver for this card it has no mention of version 2.8.13.0 so is it >> possible that this is the driver that came with Windows? If so, how >> can I go about getting rid of that driver and install
RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
Well, I did as you and other suggested, install an Intel NIC card in the system. I purchased an NC360T Intel chipset card. So after a $300 NIC card was installed in the system I boot it up, run gpupdate and bam, I get a 1054 userenv error (same one I was getting with the Broadcom's). Any further suggestions before I call Microsoft? Donavon Yelton -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Monday, January 15, 2007 4:07 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) And if you like I'll ping you up with Les, Nick and others who ..yes ...brand spanking new server... brand spanking new machines and they would not/could not do what they were supposed to do. Put in Intels and all was well. If you'd like to get a similar dent in your head feel free. All I can say is, these days the minute we start having weird issues and there's a Broadcom on the box, we're not wasting the time on them anymore. Donavon Yelton wrote: > I'm not about to give up on the Broadcom NICs as this is a brand new > server that cost as much as a Honda Accord. I'm not sure I can > believe that HP would put a defective card in such a machine. You'd > think others would have the same issues in mass quantity if that were > the case. I'm also using Broadcoms in other HP servers here > (including the two DCs) and they have not had any issues. It is all > too easy to chalk up a problem like this to network cards, but I don't > think it explains why the GPO is applied successfully without issues > within the first 15 minutes or so after a reboot. There are no other > problems cropping up from these Broadcoms either. > > Now for a question, how do I disable slow link detection for all > terminal service users on this problem server since that seems to have > fixed the issue? I need to make the change in the registry on the > problem server apparently as making the switch in the GPO itself seems > to not have any effect. > > Donavon > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Susan > Bradley, CPA aka Ebitz - SBS Rocks [MVP] > Sent: Monday, January 15, 2007 3:09 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group > Policy) > > Dump the broadcoms and get Intel. > http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-netwo > rk > -cards-are-evil.aspx > > We've had no end of weirdness with those suckers. > Even the latest drivers don't work. > Donavon Yelton wrote: > >> Yes, these are Broadcom NICs. I want to go back to the last question >> that was asked (if my network card drivers were up to date) and >> change >> > > >> my answer. I had ran the HP update package for the NC series cards >> in >> > > >> the server and it showed as updated (even if I run it at the moment >> it >> > > >> tells me that the drivers are up to date) with version 2.8.22.0. The >> problem is that when I look at the actual driver version by going to >> the device manager and viewing properties it shows a version of >> > 2.8.13.0. > >> On that note, in looking back at HP's revision history for their >> driver for this card it has no mention of version 2.8.13.0 so is it >> possible that this is the driver that came with Windows? If so, how >> can I go about getting rid of that driver and installing this new >> > driver from HP. > >> Updating the driver and choosing the new driver explicitly doesn't >> work and running HP's update package for the driver obviously fails >> to >> > > >> really update the driver. >> >> I can't say that this driver version is the root cause of the issue >> but I do need the drivers updated to have a place to start from. >> >> Susan, is there a known issue with Broadcom's that could possibly >> affect the problem I'm having? Thanks for the assistance! >> >> Donavon >> >> -Original Message- >> From: [EMAIL PROTECTED] >> [mailto:[EMAIL PROTECTED] On Behalf Of Susan >> Bradley, CPA aka Ebitz - SBS Rocks [MVP] >> Sent: Monday, January 15, 2007 1:39 PM >> To: ActiveDir@mail.activedir.org >> Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - >> Group >> Policy) >> >> These aren't broadcom nics are they? >> >> (Broadcoms are evil) >> &g
RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
Considering a HP NC360T card for my problem server. Anyone have any objections to using this card? It is Intel based (Intel 82571EB). Thanks for all of the help! Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Tuesday, January 16, 2007 8:03 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) I moved to another switch and I still get the same issue and I can't go any further with drivers. I suppose the step I need to take now is to purchase a new NIC. Since everyone has strong feelings for Intel I wanted to ask what you guys suggest. This is a HP DL585 G2 server (rackmount) with PCI-X slots. Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Monday, January 15, 2007 9:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) I've seen errors like this on a server that either had a back NIC, bad drivers or was connected to a bad port on a switch. The only way I was able to correct it was to switch the primary IP address to another NIC in the server what was connected but not configured. It was an interesting exercise at the time since I couldn't get to the console. In my experience, that kind of DNS response is indicative of packet corruption of some sort. Wook -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Monday, January 15, 2007 1:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) Well, in doing that it did pop up a couple of things. I'm certainly nowhere close to an advisor on this so if one of you more familiar could help me out on deciphering the code on a couple of things. Are the following two items normal (they didn't look right to me): 1) DNS: Question Section: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN. of type Unknown Type on class Unknown Class DNS: 0x32E3:Std Qry Resp. for [EMAIL PROTECTED] 2) DNS: Question Section: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain. of type Unknown Type on class Unknown Class DNS: 0xB4E5:Std Qry Resp. for . of type Unknown Type on class Unknown Class You may need more information so if I can get you anything else let me know. These entries just seem out of place to me, especially the one that has been displayed as "[EMAIL PROTECTED]" Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, January 15, 2007 4:08 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) The other thing that would probably be worthwhile is to do a sniffer trace from this server during the GP processing cycle. That may point out some network issues that are not coming out of the userenv log. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, January 15, 2007 12:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) Sorry, just catching up here. In terms of updating the driver, if it's a MS provided driver, I think it would say it in the Driver Details. You might want to run Windows Update and see if there are any optional updates for that NIC driver--if MS provided it originally they may have a Windows Update way of getting it. In terms of disabling slow link for all users, that's a toughie, because that key is in HKEY_CURRENT_USER, which means a user has to be logged on to deliver it, but its also in the policies key, which is permissioned away from regular users by default. If you can get GP to process at least once when the user logs on, then you can deliver it using the User Configuration GP setting. However, if per-user GP processing is not working, its kinda of a chicken-and-egg thing. The not-so-fun way of doing this would be to temporarily make all users logging into that MS a member of the local Administrators group, and then deliver the slow link disabling registry entry via logon script. But, that is not ideal of course. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Monday, January 15, 2007 12:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) I'm not about to give up on the Broadcom NICs as this is a brand new server that cost as much as a Honda Accord. I'm not sure I can believe that HP would put a defective card in such a machine. You'd think others would have the same issues in mass quantity if that were the case. I'm also
RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
I moved to another switch and I still get the same issue and I can't go any further with drivers. I suppose the step I need to take now is to purchase a new NIC. Since everyone has strong feelings for Intel I wanted to ask what you guys suggest. This is a HP DL585 G2 server (rackmount) with PCI-X slots. Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Monday, January 15, 2007 9:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) I've seen errors like this on a server that either had a back NIC, bad drivers or was connected to a bad port on a switch. The only way I was able to correct it was to switch the primary IP address to another NIC in the server what was connected but not configured. It was an interesting exercise at the time since I couldn't get to the console. In my experience, that kind of DNS response is indicative of packet corruption of some sort. Wook -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Monday, January 15, 2007 1:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) Well, in doing that it did pop up a couple of things. I'm certainly nowhere close to an advisor on this so if one of you more familiar could help me out on deciphering the code on a couple of things. Are the following two items normal (they didn't look right to me): 1) DNS: Question Section: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN. of type Unknown Type on class Unknown Class DNS: 0x32E3:Std Qry Resp. for [EMAIL PROTECTED] 2) DNS: Question Section: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain. of type Unknown Type on class Unknown Class DNS: 0xB4E5:Std Qry Resp. for . of type Unknown Type on class Unknown Class You may need more information so if I can get you anything else let me know. These entries just seem out of place to me, especially the one that has been displayed as "[EMAIL PROTECTED]" Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, January 15, 2007 4:08 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) The other thing that would probably be worthwhile is to do a sniffer trace from this server during the GP processing cycle. That may point out some network issues that are not coming out of the userenv log. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, January 15, 2007 12:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) Sorry, just catching up here. In terms of updating the driver, if it's a MS provided driver, I think it would say it in the Driver Details. You might want to run Windows Update and see if there are any optional updates for that NIC driver--if MS provided it originally they may have a Windows Update way of getting it. In terms of disabling slow link for all users, that's a toughie, because that key is in HKEY_CURRENT_USER, which means a user has to be logged on to deliver it, but its also in the policies key, which is permissioned away from regular users by default. If you can get GP to process at least once when the user logs on, then you can deliver it using the User Configuration GP setting. However, if per-user GP processing is not working, its kinda of a chicken-and-egg thing. The not-so-fun way of doing this would be to temporarily make all users logging into that MS a member of the local Administrators group, and then deliver the slow link disabling registry entry via logon script. But, that is not ideal of course. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Monday, January 15, 2007 12:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) I'm not about to give up on the Broadcom NICs as this is a brand new server that cost as much as a Honda Accord. I'm not sure I can believe that HP would put a defective card in such a machine. You'd think others would have the same issues in mass quantity if that were the case. I'm also using Broadcoms in other HP servers here (including the two DCs) and they have not had any issues. It is all too easy to chalk up a problem like this to network cards, but I don't think it explains why the GPO is applied successfully without issues within the first 15 minutes or so after a reboot. There are no other problems cropping up from these Broadcoms either. Now for a question, how do I disable slow link detec
RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
Well, in doing that it did pop up a couple of things. I'm certainly nowhere close to an advisor on this so if one of you more familiar could help me out on deciphering the code on a couple of things. Are the following two items normal (they didn't look right to me): 1) DNS: Question Section: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN. of type Unknown Type on class Unknown Class DNS: 0x32E3:Std Qry Resp. for [EMAIL PROTECTED] 2) DNS: Question Section: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain. of type Unknown Type on class Unknown Class DNS: 0xB4E5:Std Qry Resp. for . of type Unknown Type on class Unknown Class You may need more information so if I can get you anything else let me know. These entries just seem out of place to me, especially the one that has been displayed as "[EMAIL PROTECTED]" Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, January 15, 2007 4:08 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) The other thing that would probably be worthwhile is to do a sniffer trace from this server during the GP processing cycle. That may point out some network issues that are not coming out of the userenv log. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, January 15, 2007 12:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) Sorry, just catching up here. In terms of updating the driver, if it's a MS provided driver, I think it would say it in the Driver Details. You might want to run Windows Update and see if there are any optional updates for that NIC driver--if MS provided it originally they may have a Windows Update way of getting it. In terms of disabling slow link for all users, that's a toughie, because that key is in HKEY_CURRENT_USER, which means a user has to be logged on to deliver it, but its also in the policies key, which is permissioned away from regular users by default. If you can get GP to process at least once when the user logs on, then you can deliver it using the User Configuration GP setting. However, if per-user GP processing is not working, its kinda of a chicken-and-egg thing. The not-so-fun way of doing this would be to temporarily make all users logging into that MS a member of the local Administrators group, and then deliver the slow link disabling registry entry via logon script. But, that is not ideal of course. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Monday, January 15, 2007 12:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) I'm not about to give up on the Broadcom NICs as this is a brand new server that cost as much as a Honda Accord. I'm not sure I can believe that HP would put a defective card in such a machine. You'd think others would have the same issues in mass quantity if that were the case. I'm also using Broadcoms in other HP servers here (including the two DCs) and they have not had any issues. It is all too easy to chalk up a problem like this to network cards, but I don't think it explains why the GPO is applied successfully without issues within the first 15 minutes or so after a reboot. There are no other problems cropping up from these Broadcoms either. Now for a question, how do I disable slow link detection for all terminal service users on this problem server since that seems to have fixed the issue? I need to make the change in the registry on the problem server apparently as making the switch in the GPO itself seems to not have any effect. Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Monday, January 15, 2007 3:09 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) Dump the broadcoms and get Intel. http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-network -cards-are-evil.aspx We've had no end of weirdness with those suckers. Even the latest drivers don't work. Donavon Yelton wrote: > Yes, these are Broadcom NICs. I want to go back to the last question > that was asked (if my network card drivers were up to date) and change > my answer. I had ran the HP update package for the NC series cards in > the server and it showed as updated (even if I run it at the moment it > tells me that the drivers are up to date) with version 2.8.22.0. The > problem is that when I look at the actual driver version by going to > the device manager and viewing propert
RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
After some investigating I am apparently running the latest drivers for my NICs. The only updated files since 2.8.13.0 are for things like iSCSI which I do not use. I wish driver numbers would correspond though. So now that I know I'm running the latest version I'm stumped. Disabling slow link detection fixes the userenv errors but I still need the fix for that to carry over to my TS users on that server. And of course this doesn't fix the root cause which forces me to disable the slow link detection either. Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Monday, January 15, 2007 3:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) I'm not about to give up on the Broadcom NICs as this is a brand new server that cost as much as a Honda Accord. I'm not sure I can believe that HP would put a defective card in such a machine. You'd think others would have the same issues in mass quantity if that were the case. I'm also using Broadcoms in other HP servers here (including the two DCs) and they have not had any issues. It is all too easy to chalk up a problem like this to network cards, but I don't think it explains why the GPO is applied successfully without issues within the first 15 minutes or so after a reboot. There are no other problems cropping up from these Broadcoms either. Now for a question, how do I disable slow link detection for all terminal service users on this problem server since that seems to have fixed the issue? I need to make the change in the registry on the problem server apparently as making the switch in the GPO itself seems to not have any effect. Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Monday, January 15, 2007 3:09 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) Dump the broadcoms and get Intel. http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-network -cards-are-evil.aspx We've had no end of weirdness with those suckers. Even the latest drivers don't work. Donavon Yelton wrote: > Yes, these are Broadcom NICs. I want to go back to the last question > that was asked (if my network card drivers were up to date) and change > my answer. I had ran the HP update package for the NC series cards in > the server and it showed as updated (even if I run it at the moment it > tells me that the drivers are up to date) with version 2.8.22.0. The > problem is that when I look at the actual driver version by going to > the device manager and viewing properties it shows a version of 2.8.13.0. > > On that note, in looking back at HP's revision history for their > driver for this card it has no mention of version 2.8.13.0 so is it > possible that this is the driver that came with Windows? If so, how > can I go about getting rid of that driver and installing this new driver from HP. > Updating the driver and choosing the new driver explicitly doesn't > work and running HP's update package for the driver obviously fails to > really update the driver. > > I can't say that this driver version is the root cause of the issue > but I do need the drivers updated to have a place to start from. > > Susan, is there a known issue with Broadcom's that could possibly > affect the problem I'm having? Thanks for the assistance! > > Donavon > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Susan > Bradley, CPA aka Ebitz - SBS Rocks [MVP] > Sent: Monday, January 15, 2007 1:39 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group > Policy) > > These aren't broadcom nics are they? > > (Broadcoms are evil) > > Darren Mar-Elia wrote: > >> Does this server have the same NIC driver as other servers? Or, have >> you tried updating this server's NIC driver? >> >> -Original Message- >> From: [EMAIL PROTECTED] >> [mailto:[EMAIL PROTECTED] On Behalf Of Donavon >> Yelton >> Sent: Monday, January 15, 2007 10:11 AM >> To: ActiveDir@mail.activedir.org >> Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - >> Group >> Policy) >> >> This appears to be the only system on the network having this issue. >> I connected to another Windows 2003 Standard member server and did a >> gpupdate and then looked at the event log and it appears clean after >> the gpupdate command was ran. Slow link detection has not been >> disabled on that machin
RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
I'm not about to give up on the Broadcom NICs as this is a brand new server that cost as much as a Honda Accord. I'm not sure I can believe that HP would put a defective card in such a machine. You'd think others would have the same issues in mass quantity if that were the case. I'm also using Broadcoms in other HP servers here (including the two DCs) and they have not had any issues. It is all too easy to chalk up a problem like this to network cards, but I don't think it explains why the GPO is applied successfully without issues within the first 15 minutes or so after a reboot. There are no other problems cropping up from these Broadcoms either. Now for a question, how do I disable slow link detection for all terminal service users on this problem server since that seems to have fixed the issue? I need to make the change in the registry on the problem server apparently as making the switch in the GPO itself seems to not have any effect. Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Monday, January 15, 2007 3:09 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) Dump the broadcoms and get Intel. http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-network -cards-are-evil.aspx We've had no end of weirdness with those suckers. Even the latest drivers don't work. Donavon Yelton wrote: > Yes, these are Broadcom NICs. I want to go back to the last question > that was asked (if my network card drivers were up to date) and change > my answer. I had ran the HP update package for the NC series cards in > the server and it showed as updated (even if I run it at the moment it > tells me that the drivers are up to date) with version 2.8.22.0. The > problem is that when I look at the actual driver version by going to > the device manager and viewing properties it shows a version of 2.8.13.0. > > On that note, in looking back at HP's revision history for their > driver for this card it has no mention of version 2.8.13.0 so is it > possible that this is the driver that came with Windows? If so, how > can I go about getting rid of that driver and installing this new driver from HP. > Updating the driver and choosing the new driver explicitly doesn't > work and running HP's update package for the driver obviously fails to > really update the driver. > > I can't say that this driver version is the root cause of the issue > but I do need the drivers updated to have a place to start from. > > Susan, is there a known issue with Broadcom's that could possibly > affect the problem I'm having? Thanks for the assistance! > > Donavon > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Susan > Bradley, CPA aka Ebitz - SBS Rocks [MVP] > Sent: Monday, January 15, 2007 1:39 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group > Policy) > > These aren't broadcom nics are they? > > (Broadcoms are evil) > > Darren Mar-Elia wrote: > >> Does this server have the same NIC driver as other servers? Or, have >> you tried updating this server's NIC driver? >> >> -Original Message- >> From: [EMAIL PROTECTED] >> [mailto:[EMAIL PROTECTED] On Behalf Of Donavon >> Yelton >> Sent: Monday, January 15, 2007 10:11 AM >> To: ActiveDir@mail.activedir.org >> Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - >> Group >> Policy) >> >> This appears to be the only system on the network having this issue. >> I connected to another Windows 2003 Standard member server and did a >> gpupdate and then looked at the event log and it appears clean after >> the gpupdate command was ran. Slow link detection has not been >> disabled on that machine (or any on my network for that matter, with >> the exception of this new problem server now). >> >> ICMP is not being blocked. Windows firewall is turned off on all >> servers on the network (including the two DC's and this problem >> member >> > > >> server). To my knowledge there is nothing on the network limiting >> ICMP packet size. I certainly haven't done anything to limit it. >> >> For an update on the current status of disabling slow link detection. >> It has been roughly 30 minutes or so and no event log error shows >> after running gpupdate on the member server. When doing a gpresult >> everything appears to process correctly. This problem server is a >>
RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
Yes, these are Broadcom NICs. I want to go back to the last question that was asked (if my network card drivers were up to date) and change my answer. I had ran the HP update package for the NC series cards in the server and it showed as updated (even if I run it at the moment it tells me that the drivers are up to date) with version 2.8.22.0. The problem is that when I look at the actual driver version by going to the device manager and viewing properties it shows a version of 2.8.13.0. On that note, in looking back at HP's revision history for their driver for this card it has no mention of version 2.8.13.0 so is it possible that this is the driver that came with Windows? If so, how can I go about getting rid of that driver and installing this new driver from HP. Updating the driver and choosing the new driver explicitly doesn't work and running HP's update package for the driver obviously fails to really update the driver. I can't say that this driver version is the root cause of the issue but I do need the drivers updated to have a place to start from. Susan, is there a known issue with Broadcom's that could possibly affect the problem I'm having? Thanks for the assistance! Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Monday, January 15, 2007 1:39 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) These aren't broadcom nics are they? (Broadcoms are evil) Darren Mar-Elia wrote: > Does this server have the same NIC driver as other servers? Or, have > you tried updating this server's NIC driver? > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Donavon > Yelton > Sent: Monday, January 15, 2007 10:11 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group > Policy) > > This appears to be the only system on the network having this issue. > I connected to another Windows 2003 Standard member server and did a > gpupdate and then looked at the event log and it appears clean after > the gpupdate command was ran. Slow link detection has not been > disabled on that machine (or any on my network for that matter, with > the exception of this new problem server now). > > ICMP is not being blocked. Windows firewall is turned off on all > servers on the network (including the two DC's and this problem member > server). To my knowledge there is nothing on the network limiting > ICMP packet size. I certainly haven't done anything to limit it. > > For an update on the current status of disabling slow link detection. > It has been roughly 30 minutes or so and no event log error shows > after running gpupdate on the member server. When doing a gpresult > everything appears to process correctly. This problem server is a new > terminal server and when I logon as a TS user to this computer it > still shows a > 1054 error and the same 59 errors in the userenv log file. The only > exception is when I login as the network admin account through remote > desktops (the account I made the registry edit for > GroupPolicyMinTransferRate under). > > Donavon > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Darren > Mar-Elia > Sent: Monday, January 15, 2007 12:52 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group > Policy) > > Is this the only system that is having this problem? Are you doing > anything on your network to limit ICMP packet size? > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Donavon > Yelton > Sent: Monday, January 15, 2007 9:39 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group > Policy) > > In further testing today I did end up finding the location to add the > GroupPolicyMinTransferRate DWORD value to the registry of the problem > server. About 5 minutes ago I added that key with a value of 0 to > HKLM and HKCU and when running a gpupdate I do not get the error and > when looking at the userenv log I do not see the error 59 or any error > that it cannot contact the DC. I do not want to say that this is it > for sure but for the moment it does appear to be working. > > Now I suppose I should ask that since this was simply a > troubleshooting step, what would I need to do in order to investigate > a long-term solution to the problem? Thanks for all of the help! > > Donavon > > -Original Message- > From:
RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
I have updated this server's NIC drivers and firmware. The server in question is a HP DL585 G2 and I am using one embedded gigabit nic (the other is identical but disabled). I have also made sure that the NIC I am using is at the top of the stack in adapters and binding. The network card in the problem server is a HP NC371i. Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, January 15, 2007 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) Does this server have the same NIC driver as other servers? Or, have you tried updating this server's NIC driver? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Monday, January 15, 2007 10:11 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) This appears to be the only system on the network having this issue. I connected to another Windows 2003 Standard member server and did a gpupdate and then looked at the event log and it appears clean after the gpupdate command was ran. Slow link detection has not been disabled on that machine (or any on my network for that matter, with the exception of this new problem server now). ICMP is not being blocked. Windows firewall is turned off on all servers on the network (including the two DC's and this problem member server). To my knowledge there is nothing on the network limiting ICMP packet size. I certainly haven't done anything to limit it. For an update on the current status of disabling slow link detection. It has been roughly 30 minutes or so and no event log error shows after running gpupdate on the member server. When doing a gpresult everything appears to process correctly. This problem server is a new terminal server and when I logon as a TS user to this computer it still shows a 1054 error and the same 59 errors in the userenv log file. The only exception is when I login as the network admin account through remote desktops (the account I made the registry edit for GroupPolicyMinTransferRate under). Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, January 15, 2007 12:52 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) Is this the only system that is having this problem? Are you doing anything on your network to limit ICMP packet size? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Monday, January 15, 2007 9:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) In further testing today I did end up finding the location to add the GroupPolicyMinTransferRate DWORD value to the registry of the problem server. About 5 minutes ago I added that key with a value of 0 to HKLM and HKCU and when running a gpupdate I do not get the error and when looking at the userenv log I do not see the error 59 or any error that it cannot contact the DC. I do not want to say that this is it for sure but for the moment it does appear to be working. Now I suppose I should ask that since this was simply a troubleshooting step, what would I need to do in order to investigate a long-term solution to the problem? Thanks for all of the help! Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Monday, January 15, 2007 11:35 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) In addition to my last response I have noticed that when I reboot the problem server it will apparently apply the group policy without issues for 15 minutes or so and then will fail to do so from that point forward. When viewing the userenv log file after a reboot and after giving the gpupdate command, it shows no 59 errors and nothing shows up in the event log. Wait about 15 minutes or so and the event log shows the 1054 error and the userenv log shows the 59 error. Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Monday, January 15, 2007 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) Hi Steve, When running nltest /dsgetdc: on the problem member server I get the following (NOTE: I ran it twice, once for DOMAIN and again for DOMAIN.LOCAL which is the full name. I noticed that the flags for each are different): C:\Documents and Settings\supervisor>nltest /dsgetdc:domain DC: \\ATHENA Address: \\192.168.1.6 Dom Guid: 0c93e47c-f1a8-4e05-916c-d6e6670f2c96 Dom Name: DOMAIN Forest Name: dom
RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
This appears to be the only system on the network having this issue. I connected to another Windows 2003 Standard member server and did a gpupdate and then looked at the event log and it appears clean after the gpupdate command was ran. Slow link detection has not been disabled on that machine (or any on my network for that matter, with the exception of this new problem server now). ICMP is not being blocked. Windows firewall is turned off on all servers on the network (including the two DC's and this problem member server). To my knowledge there is nothing on the network limiting ICMP packet size. I certainly haven't done anything to limit it. For an update on the current status of disabling slow link detection. It has been roughly 30 minutes or so and no event log error shows after running gpupdate on the member server. When doing a gpresult everything appears to process correctly. This problem server is a new terminal server and when I logon as a TS user to this computer it still shows a 1054 error and the same 59 errors in the userenv log file. The only exception is when I login as the network admin account through remote desktops (the account I made the registry edit for GroupPolicyMinTransferRate under). Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, January 15, 2007 12:52 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) Is this the only system that is having this problem? Are you doing anything on your network to limit ICMP packet size? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Monday, January 15, 2007 9:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) In further testing today I did end up finding the location to add the GroupPolicyMinTransferRate DWORD value to the registry of the problem server. About 5 minutes ago I added that key with a value of 0 to HKLM and HKCU and when running a gpupdate I do not get the error and when looking at the userenv log I do not see the error 59 or any error that it cannot contact the DC. I do not want to say that this is it for sure but for the moment it does appear to be working. Now I suppose I should ask that since this was simply a troubleshooting step, what would I need to do in order to investigate a long-term solution to the problem? Thanks for all of the help! Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Monday, January 15, 2007 11:35 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) In addition to my last response I have noticed that when I reboot the problem server it will apparently apply the group policy without issues for 15 minutes or so and then will fail to do so from that point forward. When viewing the userenv log file after a reboot and after giving the gpupdate command, it shows no 59 errors and nothing shows up in the event log. Wait about 15 minutes or so and the event log shows the 1054 error and the userenv log shows the 59 error. Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Monday, January 15, 2007 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) Hi Steve, When running nltest /dsgetdc: on the problem member server I get the following (NOTE: I ran it twice, once for DOMAIN and again for DOMAIN.LOCAL which is the full name. I noticed that the flags for each are different): C:\Documents and Settings\supervisor>nltest /dsgetdc:domain DC: \\ATHENA Address: \\192.168.1.6 Dom Guid: 0c93e47c-f1a8-4e05-916c-d6e6670f2c96 Dom Name: DOMAIN Forest Name: domain.local Dc Site Name: Default-First-Site-Name Our Site Name: Default-First-Site-Name Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_S ITE The command completed successfully C:\Documents and Settings\supervisor>nltest /dsgetdc:domain.local DC: \\athena.domain.local Address: \\192.168.1.6 Dom Guid: 0c93e47c-f1a8-4e05-916c-d6e6670f2c96 Dom Name: domain.local Forest Name: domain.local Dc Site Name: Default-First-Site-Name Our Site Name: Default-First-Site-Name Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE The command completed successfully I have already tried to disable slow link detection on the problem member server however I had to do so by going into gpedit.msc and setting it to 0 as that registry location doesn't exist on Windows 2003 Server R2 x64 (when searching on Google I could not find the location of this key in this version
RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
In further testing today I did end up finding the location to add the GroupPolicyMinTransferRate DWORD value to the registry of the problem server. About 5 minutes ago I added that key with a value of 0 to HKLM and HKCU and when running a gpupdate I do not get the error and when looking at the userenv log I do not see the error 59 or any error that it cannot contact the DC. I do not want to say that this is it for sure but for the moment it does appear to be working. Now I suppose I should ask that since this was simply a troubleshooting step, what would I need to do in order to investigate a long-term solution to the problem? Thanks for all of the help! Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Monday, January 15, 2007 11:35 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) In addition to my last response I have noticed that when I reboot the problem server it will apparently apply the group policy without issues for 15 minutes or so and then will fail to do so from that point forward. When viewing the userenv log file after a reboot and after giving the gpupdate command, it shows no 59 errors and nothing shows up in the event log. Wait about 15 minutes or so and the event log shows the 1054 error and the userenv log shows the 59 error. Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Monday, January 15, 2007 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) Hi Steve, When running nltest /dsgetdc: on the problem member server I get the following (NOTE: I ran it twice, once for DOMAIN and again for DOMAIN.LOCAL which is the full name. I noticed that the flags for each are different): C:\Documents and Settings\supervisor>nltest /dsgetdc:domain DC: \\ATHENA Address: \\192.168.1.6 Dom Guid: 0c93e47c-f1a8-4e05-916c-d6e6670f2c96 Dom Name: DOMAIN Forest Name: domain.local Dc Site Name: Default-First-Site-Name Our Site Name: Default-First-Site-Name Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_S ITE The command completed successfully C:\Documents and Settings\supervisor>nltest /dsgetdc:domain.local DC: \\athena.domain.local Address: \\192.168.1.6 Dom Guid: 0c93e47c-f1a8-4e05-916c-d6e6670f2c96 Dom Name: domain.local Forest Name: domain.local Dc Site Name: Default-First-Site-Name Our Site Name: Default-First-Site-Name Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE The command completed successfully I have already tried to disable slow link detection on the problem member server however I had to do so by going into gpedit.msc and setting it to 0 as that registry location doesn't exist on Windows 2003 Server R2 x64 (when searching on Google I could not find the location of this key in this version of windows). Also of note is that I have went so far as forcing 100Mb connection on the active NIC on the problem member server but it also did not solve the issue so I set it back to auto. The NIC in the machine is a 1Gb card. This morning I removed it from the domain and added it back. The group policy seemed to work for a bit but after about 15 minutes of tests I got the 1054 error again. Strangely if I do a gpupdate /force I don't get the 1054 error in the event log and instead get a 1704 (Security policy in the Group policy objects has been applied successfully). Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan Sent: Monday, January 15, 2007 10:20 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) It appears that you are having problems with slow link detection from the log below. You can try disabling it on the client to see if that corrects the problem by following the steps in this article for disabling slow link detection: http://support.microsoft.com/kb/910206/en-us. I would not recommend this as a long term solution but simply a troubleshooting step to see if it is indeed a problem with Slow link detection. I believe the LDAP error 59 later in the log is spurious and caused by the abortion of slow link detection. However just in case you can also validate that you can successfully make a DSGetDCName() call by using nltest /dsgetdc: and see if it returns the same error on the machine in question? Let us know the results of each test an maybe we can provide some additional insight. Thanks, -Steve From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Donavon Yelton [EMAIL PROTECTED] Sent: Monday, January 15, 2007 6:37 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] 105
RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
In addition to my last response I have noticed that when I reboot the problem server it will apparently apply the group policy without issues for 15 minutes or so and then will fail to do so from that point forward. When viewing the userenv log file after a reboot and after giving the gpupdate command, it shows no 59 errors and nothing shows up in the event log. Wait about 15 minutes or so and the event log shows the 1054 error and the userenv log shows the 59 error. Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Monday, January 15, 2007 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) Hi Steve, When running nltest /dsgetdc: on the problem member server I get the following (NOTE: I ran it twice, once for DOMAIN and again for DOMAIN.LOCAL which is the full name. I noticed that the flags for each are different): C:\Documents and Settings\supervisor>nltest /dsgetdc:domain DC: \\ATHENA Address: \\192.168.1.6 Dom Guid: 0c93e47c-f1a8-4e05-916c-d6e6670f2c96 Dom Name: DOMAIN Forest Name: domain.local Dc Site Name: Default-First-Site-Name Our Site Name: Default-First-Site-Name Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_S ITE The command completed successfully C:\Documents and Settings\supervisor>nltest /dsgetdc:domain.local DC: \\athena.domain.local Address: \\192.168.1.6 Dom Guid: 0c93e47c-f1a8-4e05-916c-d6e6670f2c96 Dom Name: domain.local Forest Name: domain.local Dc Site Name: Default-First-Site-Name Our Site Name: Default-First-Site-Name Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE The command completed successfully I have already tried to disable slow link detection on the problem member server however I had to do so by going into gpedit.msc and setting it to 0 as that registry location doesn't exist on Windows 2003 Server R2 x64 (when searching on Google I could not find the location of this key in this version of windows). Also of note is that I have went so far as forcing 100Mb connection on the active NIC on the problem member server but it also did not solve the issue so I set it back to auto. The NIC in the machine is a 1Gb card. This morning I removed it from the domain and added it back. The group policy seemed to work for a bit but after about 15 minutes of tests I got the 1054 error again. Strangely if I do a gpupdate /force I don't get the 1054 error in the event log and instead get a 1704 (Security policy in the Group policy objects has been applied successfully). Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan Sent: Monday, January 15, 2007 10:20 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) It appears that you are having problems with slow link detection from the log below. You can try disabling it on the client to see if that corrects the problem by following the steps in this article for disabling slow link detection: http://support.microsoft.com/kb/910206/en-us. I would not recommend this as a long term solution but simply a troubleshooting step to see if it is indeed a problem with Slow link detection. I believe the LDAP error 59 later in the log is spurious and caused by the abortion of slow link detection. However just in case you can also validate that you can successfully make a DSGetDCName() call by using nltest /dsgetdc: and see if it returns the same error on the machine in question? Let us know the results of each test an maybe we can provide some additional insight. Thanks, -Steve From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Donavon Yelton [EMAIL PROTECTED] Sent: Monday, January 15, 2007 6:37 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) I have a new member server (Windows 2003 R2 x64) in my Windows 2003 domain (not R2). My setup contains two Windows 2003 DC's, both being DNS servers with the PDC being a WINS server. I have been working on a problem with a 1054 error in the event log for the mentioned Windows 2003 R2 x64 member server that has been added recently. Error 1054 as a refresh is the following: Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted. I worked on solutions all day Friday to no avail so I am seeking assistance on this matter. No other member of the domain has this error that I am aware of. SRV records for the DC's are in the DNS and is setup correctly on the troubled member server. I have looked through WINS and saw no apparent problems with its setup either. I ha
RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
Hi Steve, When running nltest /dsgetdc: on the problem member server I get the following (NOTE: I ran it twice, once for DOMAIN and again for DOMAIN.LOCAL which is the full name. I noticed that the flags for each are different): C:\Documents and Settings\supervisor>nltest /dsgetdc:domain DC: \\ATHENA Address: \\192.168.1.6 Dom Guid: 0c93e47c-f1a8-4e05-916c-d6e6670f2c96 Dom Name: DOMAIN Forest Name: domain.local Dc Site Name: Default-First-Site-Name Our Site Name: Default-First-Site-Name Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_S ITE The command completed successfully C:\Documents and Settings\supervisor>nltest /dsgetdc:domain.local DC: \\athena.domain.local Address: \\192.168.1.6 Dom Guid: 0c93e47c-f1a8-4e05-916c-d6e6670f2c96 Dom Name: domain.local Forest Name: domain.local Dc Site Name: Default-First-Site-Name Our Site Name: Default-First-Site-Name Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE The command completed successfully I have already tried to disable slow link detection on the problem member server however I had to do so by going into gpedit.msc and setting it to 0 as that registry location doesn't exist on Windows 2003 Server R2 x64 (when searching on Google I could not find the location of this key in this version of windows). Also of note is that I have went so far as forcing 100Mb connection on the active NIC on the problem member server but it also did not solve the issue so I set it back to auto. The NIC in the machine is a 1Gb card. This morning I removed it from the domain and added it back. The group policy seemed to work for a bit but after about 15 minutes of tests I got the 1054 error again. Strangely if I do a gpupdate /force I don't get the 1054 error in the event log and instead get a 1704 (Security policy in the Group policy objects has been applied successfully). Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan Sent: Monday, January 15, 2007 10:20 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) It appears that you are having problems with slow link detection from the log below. You can try disabling it on the client to see if that corrects the problem by following the steps in this article for disabling slow link detection: http://support.microsoft.com/kb/910206/en-us. I would not recommend this as a long term solution but simply a troubleshooting step to see if it is indeed a problem with Slow link detection. I believe the LDAP error 59 later in the log is spurious and caused by the abortion of slow link detection. However just in case you can also validate that you can successfully make a DSGetDCName() call by using nltest /dsgetdc: and see if it returns the same error on the machine in question? Let us know the results of each test an maybe we can provide some additional insight. Thanks, -Steve From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Donavon Yelton [EMAIL PROTECTED] Sent: Monday, January 15, 2007 6:37 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) I have a new member server (Windows 2003 R2 x64) in my Windows 2003 domain (not R2). My setup contains two Windows 2003 DC's, both being DNS servers with the PDC being a WINS server. I have been working on a problem with a 1054 error in the event log for the mentioned Windows 2003 R2 x64 member server that has been added recently. Error 1054 as a refresh is the following: Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted. I worked on solutions all day Friday to no avail so I am seeking assistance on this matter. No other member of the domain has this error that I am aware of. SRV records for the DC's are in the DNS and is setup correctly on the troubled member server. I have looked through WINS and saw no apparent problems with its setup either. I have updated the drivers and firmware for the network cards in the new member server and in both DC's. I will say that I have a strange issue on my local PC from time to time (and I'll assume this happens on other domain member's PC's as well) where I cannot logon to Active Directory Users and Computers by using the domain as a locator, however I am able to go into it if I selectively choose a specific DC from the list. When running netdiag on the problem member server I see no issues and when running netdiag and dcdiag on the DC's I see no issues. I am able to get to SYSVOL from the problem member server by going to \\domain\sysvol\domain. I have turned on logging of USERENV on the problem member server and I
[ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
I have a new member server (Windows 2003 R2 x64) in my Windows 2003 domain (not R2). My setup contains two Windows 2003 DC's, both being DNS servers with the PDC being a WINS server. I have been working on a problem with a 1054 error in the event log for the mentioned Windows 2003 R2 x64 member server that has been added recently. Error 1054 as a refresh is the following: Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted. I worked on solutions all day Friday to no avail so I am seeking assistance on this matter. No other member of the domain has this error that I am aware of. SRV records for the DC's are in the DNS and is setup correctly on the troubled member server. I have looked through WINS and saw no apparent problems with its setup either. I have updated the drivers and firmware for the network cards in the new member server and in both DC's. I will say that I have a strange issue on my local PC from time to time (and I'll assume this happens on other domain member's PC's as well) where I cannot logon to Active Directory Users and Computers by using the domain as a locator, however I am able to go into it if I selectively choose a specific DC from the list. When running netdiag on the problem member server I see no issues and when running netdiag and dcdiag on the DC's I see no issues. I am able to get to SYSVOL from the problem member server by going to \\domain\sysvol\domain. I have turned on logging of USERENV on the problem member server and I get this in the log: USERENV(37c.66c) 07:00:02:294 PingComputer: PingBufferSize set as 2048 USERENV(37c.66c) 07:00:02:294 PingComputer: Adapter speed 10 bps USERENV(37c.66c) 07:00:02:294 PingComputer: First time: 2482 USERENV(37c.66c) 07:00:02:294 PingComputer: Second time: 2482 USERENV(37c.66c) 07:00:02:294 PingComputer: First and second times match. USERENV(37c.66c) 07:00:02:294 PingComputer: First time: 2482 USERENV(37c.66c) 07:00:02:294 PingComputer: Second time: 2482 USERENV(37c.66c) 07:00:02:294 PingComputer: First and second times match. USERENV(37c.66c) 07:00:02:294 PingComputer: First time: 2482 USERENV(37c.66c) 07:00:02:294 PingComputer: Second time: 2482 USERENV(37c.66c) 07:00:02:294 PingComputer: First and second times match. USERENV(37c.66c) 07:00:02:294 PingComputer: No data available USERENV(37c.66c) 07:00:02:294 ProcessGPOs: DSGetDCName failed with 59. I am very close to calling Microsoft to help resolve the issue but I thought I'd run it by you guys. I'm in the unfortunate position of being the only IT personnel here and having to be a jack of all trades as it would be. I typically have no problem solving an issue like this, especially with the help of Google but this problem just goes beyond stumping me. Any help is appreciated. Donavon Yelton Manager of Information Systems Carpenter Industries, Inc. (704) 743-2068 http://www.dennis-carpenter.com <http://www.dennis-carpenter.com/> THIS MESSAGE CONTAINS INFORMATION INTENDED ONLY FOR THE USE OF THE INDIVIDUAL OR ENTITY NAMED ABOVE. IF THE READER OF THIS MESSAGE IS NOT THE RECIPIENT, OR THE EMPLOYEE OR AGENT RESPONSIBLE TO DELIVER IT TO THE INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY DISSEMINATION, DISTRIBUTION OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. IF YOU HAVE RECEIVED THIS MESSAGE IN ERROR, PLEASE NOTIFY US IMMEDIATELY VIA RETURN-E-MAIL AND DELETE THIS MESSAGE FROM YOUR SYSTEM. THANK YOU. Carpenter Industries, Inc.
RE: [ActiveDir] The Administrator Certificate Template could not be loaded. Element not found.
1. 2003 Standard 2. Templates are available. The only one failing is the issue to the DC 3. Administrator: Administrator CA: Root Certification Authority CEPEncryption: CEP Encryption ClientAuth: Authenticated Session CodeSigning: Code Signing CTLSigning: Trust List Signing DomainController: Domain Controller EFS: Basic EFS EFSRecovery: EFS Recovery Agent EnrollmentAgent: Enrollment Agent EnrollmentAgentOffline: Exchange Enrollment Agent ( ExchangeUser: Exchange User ExchangeUserSignature: Exchange Signature Only IPSECIntermediateOffline: IPSec (Offline request) IPSECIntermediateOnline: IPSec Machine: Computer MachineEnrollmentAgent: Enrollment Agent (Computer) OfflineRouter: Router (Offline request) SmartcardLogon: Smartcard Logon SmartcardUser: Smartcard User SubCA: Subordinate Certification Authority User: User UserSignature: User Signature Only WebServer: Web Server CertUtil: -Template command completed successfully. 4. er.com -CAtemplates IPSECIntermediateOnline: IPSec EFSRecovery: EFS Recovery Agent EFS: Basic EFS DomainController: Domain Controller WebServer: Web Server Machine: Computer User: User SubCA: Subordinate Certification Authority Administrator: Administrator CertUtil: -CATemplates command completed successfully. 5. sydney.carpenter.local\mail.dennis-carpenter.com CertUtil: -TemplateCAs command completed successfully. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick Sent: Tuesday, June 21, 2005 1:02 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] The Administrator Certificate Template could not be loaded. Element not found. A few questions: 1. The Enterprise CA is running on 2003 Sp1 - is this 2003 Standard or Enterprise editions OS? 2. When you open the MMC for cert templates - do you see the templates available? 3. If you run this cmd: "certutil -template" what is the output? 4. If you run "certutil -config \ -CAtemplates" what is the output? 5. run "certutil -templateCAs Administrator" steve - Original Message - From: "Donavon Yelton" <[EMAIL PROTECTED]> To: Sent: Tuesday, June 21, 2005 4:34 AM Subject: [ActiveDir] The Administrator Certificate Template could not be loaded. Element not found. I have two domain controllers. Our primary is Windows 2003SP1 and the other is Windows 2000SP4. All primary roles, FSMO, etc. are on the 2003 DC. Our Enterprise CA is on our Exchange 2003SP1 server running Windows 2003SP1. My problem is that I'm now logging event ID 77 warnings from CertSvc in the event log. Here is an example: " The "Windows default" Policy Module logged the following warning: The Administrator Certificate Template could not be loaded. Element not found. 0x80070490 (WIN32: 1168). " Microsoft has a KB article but has no information on this other than the error itself: http://support.microsoft.com/default.aspx?scid=kb;en-us;283218 I'm at a loss of what to do as there seems to be little to no information on the web on how to remedy this problem. If I open up the the CA MMC on the CA server it shows my primary domain controller as failing to obtain a certificate. Reason given is "The requested certificate template is not supported by this CA. 0x80094800(-2146875392)." This is causing (I'm assuming) a problem where the Exchange server can no longer obtain information from the DC and prevents users from opening their exchange account. If I manually request an Administrative certificate on the DC it tells me that my certificate request was denied. Any help would be appreciated. Donavon Yelton List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] The Administrator Certificate Template could not be loaded. Element not found.
I have two domain controllers. Our primary is Windows 2003SP1 and the other is Windows 2000SP4. All primary roles, FSMO, etc. are on the 2003 DC. Our Enterprise CA is on our Exchange 2003SP1 server running Windows 2003SP1. My problem is that I'm now logging event ID 77 warnings from CertSvc in the event log. Here is an example: " The "Windows default" Policy Module logged the following warning: The Administrator Certificate Template could not be loaded. Element not found. 0x80070490 (WIN32: 1168). " Microsoft has a KB article but has no information on this other than the error itself: http://support.microsoft.com/default.aspx?scid=kb;en-us;283218 I'm at a loss of what to do as there seems to be little to no information on the web on how to remedy this problem. If I open up the the CA MMC on the CA server it shows my primary domain controller as failing to obtain a certificate. Reason given is "The requested certificate template is not supported by this CA. 0x80094800(-2146875392)." This is causing (I'm assuming) a problem where the Exchange server can no longer obtain information from the DC and prevents users from opening their exchange account. If I manually request an Administrative certificate on the DC it tells me that my certificate request was denied. Any help would be appreciated. Donavon Yelton
RE: [ActiveDir] DC's not communicating with each other
I'm having the same problem today except I only have 2 DC's. The problem child on my domain is the PDC though and it won't let me demote because it says it's not authorized and can't transfer FSMO roles, etc. to the BDC. I am trying to get a restore from backup for AD right now and my last resort I guess will be to manually remove the PDC from the domain and reintroduce it as a domain controller. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Wednesday, June 01, 2005 12:39 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DC's not communicating with each other I've talked about this a little before, but I dug in a littler further and found more info. I have 4 domain controllers in 1 domain. When I'm on one of the 3 DC's that is not the PDC and I try to connect to the PDC it tells me I'm not authorized. I get this when trying to connect to the PDC's AD users and computers, DNS, or even a file share. I can however connect to any of these services using the IP address. This is strange because all DC's can ping each other and resolve the IP addresses from the names just fine and I don't seem to be having any DNS issues. The 3 DC's (not the PDC) can connect to each other just fine. I'm pretty sure I'm going to need to remove 1 or more of the DC's from the domain and re-introduce them. I'm just trying to figure out if I should remove the PDC or remove the other 3 DCs. Thanks, -- Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ] Information Technology System Specialist Eastern Washington University List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] GFI LanGuard?
Does anyone have experience using GFI LanGuard to deploy security patches across their network? I'd like to know how well this works in the real world for windows, office etc. patches. Donavon YeltonManager of Information SystemsCarpenter Industries, Inc.(704) 743-2068http://www.dennis-carpenter.com/ THIS MESSAGE CONTAINS INFORMATION INTENDED ONLY FOR THE USE OF THE INDIVIDUAL OR ENTITY NAMED ABOVE. IF THE READER OF THIS MESSAGE IS NOT THE RECIPIENT, OR THE EMPLOYEE OR AGENT RESPONSIBLE TO DELIVER IT TO THE INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY DISSEMINATION, DISTRIBUTION OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. IF YOU HAVE RECEIVED THIS MESSAGE IN ERROR, PLEASE NOTIFY US IMMEDIATELY VIA RETURN-E-MAIL AND DELETE THIS MESSAGE FROM YOUR SYSTEM. THANK YOU.Carpenter Industries, Inc.
[ActiveDir] HP LH3000 W2K3 Upgrade?
I have two HP LH3000 servers, one is the PDC and the other a BDC. HP does not support an upgrade to W2K3 but I've read where it is possible to upgrade these servers from W2K to W2K3. The current domain is in native mode, no NT4 servers but I do have a mix of Win2k3 and Win2k computers. The LH3000's are P3 733MHz machines but we only have ~60 users, I'm wondering if it's even worth the upgrade or if I should put efforts in getting a couple new machines in here to replace the current DC's. If I upgrade the current LH3000's what is the safest process for doing so in case the upgrade doesn't take? Donavon Yelton List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Website Restriction through group policy
I do the exact same thing here. What I did was put the users that I only wanted access to a couple of sites in a different OU than those that did have Internet access. On the GPO for those that only had access to a couple of sites I required proxy for IE but put the two sites I wanted bypassed in the exempt list. Donavon Yelton Carpenter Industries, Inc. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Umer Y. Sent: Monday, February 21, 2005 2:47 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Website Restriction through group policy Hello, I want to restrict a computer from accessing any website other than two web domains of my choice. Is there a way to accomplish that with Group Policy? Thanks! ... you don't know what you've got 'till it's gone.. - Joni Mitchell List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
