GPO/AD ISSUES....

M. T

In short, I can not gain access to my AD so in turn I can
not edit my GP. When I attempt to open my AD MMC I get
this error: "Naming information can not be located
because: The logon attempt failed." Which was
suggested to be edited to resolve my AD issues. The only
way I can access my AD is via Hyena. And even then I
don't get to edit my GP. Every time I attempt to I get
this error message: "Group Policy Error"
Failed to open the Group Policy Object. "You may not
have appropriate rights" (yet I am logged in with DC
Admin account) "The specified domain either does not
exist or could not be contacted"

Via Hyena I can create a user but not assign a password.
This new user can even join the domain. But when I
attempt to set a passwd, I get this error
message: "error setting password for 'username' on
LDAP://DBA-SERVER/CN=username,CN=Users,DC=saminco,DC=local. The
network path was not found."

When I attempt to create a new GP I get this
error: "Unable to create new policy
'LDAP://DBA-SERVER/DC=saminco,DC=local'. the network path was not
found."


Any suggestions would be GREAT!!!

Thank You Kindly!
 
I would definitely update your AV software with latest signatures and run it
on these machines, as well as also running a different "flavor" of AV as
well (some you can download). I have seen similar things many times where
infections have happened, and a typical thing they do is to start removing
admins etc from different rights/perms.
You should still be able to check your dns error, "The specified domain
either does not exist or could not be contacted", and verify that dns is
working properly as this is a name resolution error here which in win2k
means dns.
You may also need to reset security using secedit, but often times you will
see different error msg when opening the different snapins (aduc, ad
sites/services, domains & trusts, etc) as well as your policies, so please
try those and note the error msg you get and if they differ.


--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
Also look at the following to see if these error msg are what you're seeing
there;
257346 "Access This Computer from the Network" User Right Causes Tools Not
to
http://support.microsoft.com/?id=257346

--
David Brandt
Microsoft Corporation

 
Thank You for your reply.

304121: We do not use a Proxy server
826893: We do not use a Proxy server
269195: Microsoft Metadirectory Services 2.2, not in use
323542: Signed on the DC as the admin account, I get this
message when I attempt to see the properties: "You do not
have sufficient privileges..." ????
272686: Windows Time Service is started and set to
automatic.

Also, dcdiag.exe or netdiag.exe does not run on my DC.
They both throw errors: "dcdiag.exe is not recognized as
an internal or external command."

Thank You
 
The below are the error messages when I attempt to open
these snap-in:

Active Directory Domains and trusts: The configuration
information describing this enterprise is not available.
The Logon attempt failed.

Active Directory Sites and Services: Naming information
cannot be located because: the logon attempt failed.

Active Directory Users and Computers: Naming information
cannot be located because: the logon attempt failed.

DNS: no errors thrown

Domain Security Policy: The specified network password
is not correct. Failed to open GPO. you may not have
appropriate rights.

Domain Controller Security Policy: The specified network
password is not correct. Failed to open GPO. you may
not have appropriate rights.

As far as events on my DC goes, here are the following
events that seem to keep generating:

DNS:
Event 7062: the DNS server encountered a packet to itself.

Application Log:
1000: Windows can not determine the user name or computer
name.
1003: W3Ctrs: Unable to query the W3SVC (HTTP) service.
2003: Perflib: The configuration information at the
performance library does not match the trusted performance
library information stored in the registry.
1704: SceCli: Security policy in the GPO are applied
successfully.

Other than the above events, all else seems fine.

Thank You Kindly
 
The DC is still fully accessible via the LAN. As I have
an application running on it and all users can access it
fine as normal.

thank You
 
More Information:

After installing the resource tool, DCDIAG shows:

[dba-server] LDAP bind failed with error 31. A device
attached to the system is not functioning.

NETDIAG shows (most passed, I'll list the troubled ones):

DC List test failed. [warning] cannot call DsBind to
DBA-server.saminco.local [error_logon_failure]

LDAP test: Passed [warning] failed to query SPN
registration on DC 'dba-server.saminco.local.

Thank you
 
Additional Information:

When I use LDAP and review the information, all looks
correct. except one item: LdapServiceName:
saminco.local:[email protected]. I don't
understand as to why there would be a "$" within there.

When attempting to use ADSI, I get a pop-up message "The
Logon Attempt Failed" but then will let me enter after I
hit "ok" on it about 10 times. Within ADSI, anytime I
select either: Domain NC, Configuration Container, or
Schema error "The Logon Attempt failed". And no
information will show on the right pane. I can only
select settings on all three.

PLEASE advise.

Thank You Kindly

P.S. Should a call to Microsoft be made to help resolve
this or might it be able to be fixed/corrected via
messageboard replies?
 
I'm not sure that we (SystemTools) can help with this problem since
the normal Microsoft utilities are giving you errors, and in general,
Hyena won't work right if Microsoft's tools won't. But since you have
our product, I'll add whatever I can to suggest where the problem may
be.

The path in Hyena's error indicates that Hyena has received an error
back from AD and it does not like the path. Try these things:

- Make sure that you can ping (by name and ip) "DBA-SERVER"

- Verify the DNS address (primary and secondary) that you have used on
the client computer.

As an interim solution, you should be able to change the domain type
of the domain in Hyena temporarily to a "Windows NT" domain. This
should make Hyena NOT use Active Directory to manage the domain,
thereby using NT functions which probably won't fail. You will be
able to do everything normally except manage by OUs and see Universal
groups, etc. But you should be able to set the password, etc.

Kevin Stanush
SystemTools Software Inc.
Home of 'Hyena' for Windows NT/2000 System Administration
http://www.systemtools.com
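
The name-resolution checks suggested in the replies above (verify DNS; ping "DBA-SERVER" by name and by IP), as an added example that is not part of the original thread. It assumes Python 3 on a domain client; `check_dc` and `tcp_open` are hypothetical helper names, and the host names are the ones quoted in the thread's error messages.

```python
import socket

LDAP_PORT = 389  # port behind the LDAP:// paths in the errors quoted in the thread


def tcp_open(ip, port, timeout=3.0):
    """Return True if a TCP connection to ip:port succeeds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc(name, forward=socket.gethostbyname_ex,
             reverse=socket.gethostbyaddr, probe=tcp_open):
    """Check name -> IP, IP -> name, and LDAP reachability for one DC.

    Returns a list of (check, ok, detail) tuples so each failure is visible.
    The lookup functions are parameters so the logic can be tested offline.
    """
    try:
        _, _, ips = forward(name)
    except OSError as exc:
        # Without an address nothing else can be tested.
        return [("forward", False, str(exc))]
    results = [("forward", bool(ips), ", ".join(ips))]
    short = name.split(".")[0].lower()
    for ip in ips:
        try:
            ptr, aliases, _ = reverse(ip)
            # The PTR record should point back at the same host name.
            ok = any(n.split(".")[0].lower() == short for n in [ptr] + list(aliases))
            results.append(("reverse " + ip, ok, ptr))
        except OSError as exc:
            results.append(("reverse " + ip, False, str(exc)))
        results.append(("ldap " + ip, probe(ip, LDAP_PORT), "tcp/%d" % LDAP_PORT))
    return results


if __name__ == "__main__":
    # Short and fully qualified DC names as they appear in the thread.
    for dc in ("DBA-SERVER", "dba-server.saminco.local"):
        for check, ok, detail in check_dc(dc):
            print("%-28s %-4s %s" % (check, "ok" if ok else "FAIL", detail))
```

A forward failure, or a reverse lookup that returns a different host, points at the client's DNS settings rather than at AD permissions.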
 
Thank You for the reply. Last night I had built up
another Windows 2000 Server w/AD. Currently I have one
PC signed into the NEW DC, but am having minor issues
with a few items: This one machine is running XP
Professional and seems to take a VERY long time to
authenticate once I enter in my password. The other issue
is related to GP: I had created a new OU "Saminco
employees", created a new GP within the new OU. Added my
test user to the new OU. Made a few GP changes, disable
changing background and also start
c:\\windows\system32\calc.exe. But when I logon, neither item happens. Any
thoughts?

Much thanks
 