Thanks for the suggestions -- I actually did have loopback processing configured, but not the cross-forest setting. That didn't correct the problem though. It was indeed a bug, someone from Microsoft posted the fix on another list that I am on. Here it is if anyone is interested:

http://support.microsoft.com/default.aspx?scid=kb;en-us;827182

Thanks again for the help,

- Robbie


Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University




Guy Teverovsky wrote:

I just wonder whether W2K3 gets confused and tries to treat
authenticating against MIT Kerberos realm as fully bloated cross-forest
logon.

Do you have loopback enabled in this GPO ?

W2K3 and W2K behave a bit differently when doing cross-forest logons.
W2K by default does not process the user policies, roaming profiles and
logon scripts from the user account domain when authenticating over
cross forest trust (but does not default to loopback). W2K3 (by default)
disables the cross-forest GPO processing and defaults to loopback.
Now if you explicitly disable the loopback, W2K still fails to process
the logon scripts (I believe there is an open bug regarding this one).

I'd suggest you to explicitly set "Allow cross-forest User Policies and
Roaming Profiles" in the computer part of the GPO to "Disabled" and also
check whether disabling/enabling loopback changes things.

Well... Just my 2 mumbling cents.

Guy



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Robbie Foust
Sent: Wednesday, February 16, 2005 8:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] userenv bug in w2k3?

Hi,

I have a w2k3 machine (terminal server) that works fine when a user logs
in to the domain. But, if a user authenticates to a MIT kerberos realm
(with a name mapping defined in AD) then the server logs an event id
1054 (Userenv).  The description is:

"Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be
contacted. ). Group Policy processing aborted."

To make a long story shorter, I enabled debug logging for userenv and
confirmed that it is looking in the wrong domain for the DCs when
looking up group policy for the user. It's looking in the authenticating
realm (the MIT kerberos realm) and not the AD domain. The server
configuration *is* correct. In other words, the domain suffix is the AD
domain name (confirmed by ipconfig /all and netdiag). This server is
using the same GP as another working (2000) server.  I compared TGTs
and they look the same, so I'm not sure where else to look.
Suggestions? :-)

Thanks!

--
Robbie Foust, IT Analyst
OIT/CASI - Administrative Information Support
Duke University


List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




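As an added illustration, not part of the thread above: a Windows PowerShell triage script that reports the two Group Policy settings Guy mentions (loopback processing and "Allow cross-forest User Policies and Roaming Profiles"), the domain the server believes it is joined to, and any recent Userenv 1054 events of the kind Robbie saw. The registry value names are the ones the two policies write under HKLM\SOFTWARE\Policies\Microsoft\Windows\System; the 1054 search assumes the classic System log with the Userenv source (Windows PowerShell's Get-EventLog, not PowerShell 7).

```powershell
# Added example (not from the thread): triage the GPO settings and event
# discussed above on a server that is logging Userenv 1054 after a logon.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-PolicyDword([string]$Name) {
    # Returns $null when the value is absent, i.e. the policy is "Not configured"
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Loopback processing: UserPolicyMode 1 = Merge, 2 = Replace, absent/0 = not enabled
$loopback = Get-PolicyDword 'UserPolicyMode'
$loopbackText = switch ($loopback) {
    1       { 'Enabled (Merge)' }
    2       { 'Enabled (Replace)' }
    default { 'Not configured / disabled' }
}

# "Allow cross-forest User Policies and Roaming Profiles": 1 = Enabled, 0 = Disabled
$xforest = Get-PolicyDword 'AllowX-ForestPolicy-and-RUP'
$xforestText = switch ($xforest) {
    1       { 'Enabled' }
    0       { 'Disabled' }
    default { 'Not configured' }
}

# The AD domain the computer is joined to (what Robbie confirmed with ipconfig /all)
$joinedDomain = (Get-WmiObject -Class Win32_ComputerSystem).Domain

Write-Host "Computer domain              : $joinedDomain"
Write-Host "Loopback processing          : $loopbackText"
Write-Host "Cross-forest policy/profiles : $xforestText"

# Recent Userenv 1054 events ("Windows cannot obtain the domain controller name ...")
$events = Get-EventLog -LogName System -Source Userenv -Newest 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 1054 }

if ($events) {
    Write-Host "Found $(@($events).Count) Userenv 1054 event(s); most recent:"
    $events | Select-Object -First 5 TimeGenerated, UserName, Message | Format-List
} else {
    Write-Host 'No Userenv 1054 events in the last 200 Userenv entries.'
}
```

Run it in an elevated Windows PowerShell prompt on the affected server; a 1054 event whose UserName is a mapped MIT-realm account while the computer domain is the AD domain is the signature described in the thread.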
