Mombu the Microsoft Forum

1 30th October 14:39
bradders
External User
 
Posts: 1
Loopback processing, event id userenv 1087



Hi,
We're running a clean-build 2003 R2 SP2 AD domain, forest & domain
functional level set to 2003, with most clients running XP Embedded SP2. DCs
sit on the same subnet in the datacentre, clients sit at customer sites with
firewalls and encryptors between them.

Everything appeared fine until a couple of weeks ago when we needed to do
loopback GPO processing on the workstation OU. The GPO failed to apply on
several machines, the only error in the log is:

Userenv, ID 1087, "Windows cannot do loopback processing when the computer
is joined to a downlevel domain or is a member of a workgroup. Loopback
processing will be disabled."

As everything is XP/2003 I think this must be a misleading error message.

We've enabled detailed userenv logging which hasn't helped, the only
difference between a failing machine and working machine is a line that
repeats the above error, and of course the fact the machine doesn't process
the loopback user policy.

The problem is inconsistent - during troubleshooting, a gpupdate /force
appeared to fix some machines, but not others. Moving machines to different
network ports worked a few times, but a few reboots later the problem came
back.

Whilst writing this I've finally been given access to the DC event logs and
it looks like there are other underlying issues e.g:
netlogon, id 5719, "unable to setup a secure session with a domain
controller in domain Contoso [DC's own domain] due to the following: there
are currently no logon servers available to service the logon request" -
occurs only 3 times in the last 3 months, all during the day when the 2nd DC
was up.
DNS, id 4015, "the DNS server has encountered a critical error from the
Active Directory. Check that the Active Directory is functioning properly.
The extended error debug information (which may be empty) is ""." - has
occurred twice in the last 3 months, no correlation with any other errors.

So although there are issues, I can't see how these are causing such
intermittent problems with just one policy (which has been deleted &
recreated just in case) on some machines. Can anyone help pinpoint my
troubleshooting?

Cheers,
Simon
2 9th November 00:09
meinolf weber [mvp-ds]
External User
 
Posts: 1
Loopback processing, event id userenv 1087



Hello Bradders,

Let's start with the domain controllers. Make sure that they use only domain
internal DNS servers on their NICs. If you need the ISP's DNS server, configure
them as FORWARDER on the DNS server properties in the DNS management console.

Also make sure that dynamic updates on the zone properties are configured
to secure only. Check that all DC/DNS servers are listed correctly in the
forward/reverse lookup zones. I would choose, if not done, AD integrated
zones, so all changes are replicated with AD to all DCs.

Check that you can ping between all DC's with ip address, computername and
FQDN.

Now start running the diagnostic tools. Run dcdiag /v and netdiag /v from the
command prompt to check for errors; if you have some, post the complete output
from the command here or solve them first. Run replmon from the run line or repadmin
/showrepl (only if more than one DC exists). For these tools you have to install
the support\tools\suptools.msi from the 2003 installation disk.

Please post an unedited ipconfig all from the DC/DNS servers.

Make sure no firewall blocks replication between the DC's, at least follow
this article to open ports:
http://support.microsoft.com/kb/555381

Event id 4015:
http://www.eventid.net/display.asp?e...=DNS&ph ase=1

Event id 5719:
http://www.eventid.net/display.asp?e...OG ON&phase=1


How do the clients connect to the main site? You said they are at customer
sites, not in the site where the DCs are located.

Are they using firewalls that have closed some ports for connecting to the
domain? See the article above.

Please post an unedited ipconfig all from a problem client.

Also for the clients check that you can ping to all DC's with ip address,
computername and FQDN.

Are the workstations installed from images without being sysprepped?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
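
The reply's check of each DC by IP address, computer name and FQDN can be scripted so that it also catches a name that answers but resolves to the wrong address (for example a stale record or a non-domain DNS server answering). This is an added example, not part of the thread; the DC names, FQDNs and addresses are constructed placeholders, and it assumes PowerShell 2.0 or later is available on the machine being checked.

```powershell
# Constructed sample inventory: replace with your own DCs (all values are placeholders).
$DomainControllers = @(
    @{ Name = 'DC01'; Fqdn = 'dc01.contoso.example'; Ip = '192.0.2.10' },
    @{ Name = 'DC02'; Fqdn = 'dc02.contoso.example'; Ip = '192.0.2.11' }
)

function Resolve-IPv4 {
    param([string]$HostName)
    # Return the IPv4 addresses a name resolves to; empty array if resolution fails.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($HostName)
        return @($addrs | Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                 ForEach-Object { $_.ToString() })
    } catch {
        return @()
    }
}

function Test-Reachable {
    param([string]$Target)
    # One ICMP echo with a 2-second timeout; any exception counts as unreachable.
    $ping = New-Object System.Net.NetworkInformation.Ping
    try {
        return ($ping.Send($Target, 2000).Status -eq 'Success')
    } catch {
        return $false
    }
}

$report = foreach ($dc in $DomainControllers) {
    # @() keeps the result an array even when zero or one address comes back.
    $shortIps = @(Resolve-IPv4 $dc.Name)
    $fqdnIps  = @(Resolve-IPv4 $dc.Fqdn)

    New-Object PSObject -Property @{
        DC            = $dc.Name
        PingIp        = (Test-Reachable $dc.Ip)
        PingName      = (Test-Reachable $dc.Name)
        PingFqdn      = (Test-Reachable $dc.Fqdn)
        # A name that pings but does not resolve to the expected address
        # is reaching some other host, which a plain ping would not reveal.
        NameMatchesIp = ($shortIps -contains $dc.Ip)
        FqdnMatchesIp = ($fqdnIps -contains $dc.Ip)
    }
}

$report | Select-Object DC, PingIp, PingName, PingFqdn, NameMatchesIp, FqdnMatchesIp |
    Format-Table -AutoSize
```

Run it on a DC and on a failing client and compare the two tables; a row where PingIp is True but a name column is False points at name resolution rather than connectivity.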