Problems with XP SP2

Discussion in 'Active Directory' started by Adrian Marsh (NNTP), Feb 27, 2006.

  1. Further on this:

    The exact error I get on RSOP is :

    NoXPSP2Update.adm
    Location -
    "\\uk-lab.lucent.com\sysvol\uk-lab.lucent.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm\NoXPSP2Update.adm"
    Error - Logon failure: unknown user name or bad password.
    system.adm
    Location -
    "\\uk-lab.lucent.com\SysVol\uk-lab.lucent.com\Policies\{B8A1F8F1-C322-4EC8-A882-8BA28C070926}\Adm\system.adm"
    Error - Logon failure: unknown user name or bad password.
     
    Adrian Marsh (NNTP), Mar 7, 2006
    #21
    1. Advertisements

  2. It doesn't seem to matter how I try this... I still can't get the
    clients to work 100%.

    DNS is ok. Yet RSOP shows that the domain GPOs aren't being 100% successful.
     
    Adrian Marsh (NNTP), Mar 10, 2006
    #22
    1. Advertisements

  3. Heres what I see now on that PC.

    I also see that something is happening on other PCs too (now I know the
    logs to check), but it doesn't seem to hamper their startup scripts
    (which is why I didn't notice it). (Logging in on both as the same
    domain user):

    Heres what I get off test1300 (the new, test machine)

    USERENV(29c.2a0) 11:46:16:390 MyRegUnLoadKey: Failed to unmount hive
    00000005
    USERENV(29c.2a0) 11:46:16:390 UnLoadClassHive: failed to unload classes
    key with 5
    USERENV(29c.2a0) 11:46:16:390 DumpOpenRegistryHandle: 2 user registry
    Handles leaked from
    \Registry\User\S-1-5-21-296956002-2069592275-4115700884-500_Classes
    USERENV(29c.2a0) 11:46:16:390 ReportError: Impersonating user.
    USERENV(29c.2a0) 11:47:24:671 CUserProfile::CleanupUserProfile: Ref
    Count is not 0
    USERENV(29c.2a0) 11:47:24:687 CUserProfile::CleanupUserProfile: Ref
    Count is not 0
    USERENV(29c.2a0) 11:47:24:687 CUserProfile::CleanupUserProfile: Ref
    Count is not 0
    USERENV(29c.5d0) 11:47:26:265 ProcessGPOs: The DC for domain UK-LAB is
    not available at startup. retrying
    USERENV(29c.5d0) 11:47:26:265 RetryDCContactAtMachineStartup: Failed to
    query GpNetworkStartTimeoutPolicyValue with 2, exit.
    USERENV(29c.5d0) 11:47:26:265 ProcessGPOs: The DC for domain UK-LAB is
    not available after retries.
    USERENV(29c.5d0) 11:47:26:265 ProcessGPOs: The DC for domain UK-LAB is
    not available. aborting


    Heres what I see on an existing built machine: (nethawk02) - says it
    cant access gpt.ini, but no problem on finding the domain.


    USERENV(2e4.2e8) 14:28:45:792 MyRegUnLoadKey: Failed to unmount hive
    00000005
    USERENV(2e4.2e8) 14:28:45:892 UnLoadClassHive: failed to unload classes
    key with 5
    USERENV(2e4.2e8) 14:28:45:892 DumpOpenRegistryHandle: 2 user registry
    Handles leaked from
    \Registry\User\S-1-5-21-842925246-861567501-839522115-1102_Classes
    USERENV(2e4.2e8) 14:28:45:892 ReportError: Impersonating user.
    USERENV(2e4.2e8) 14:29:37:942 CUserProfile::CleanupUserProfile: Ref
    Count is not 0
    USERENV(2e4.2e8) 14:29:37:952 CUserProfile::CleanupUserProfile: Ref
    Count is not 0
    USERENV(2e4.2e8) 14:29:37:952 CUserProfile::CleanupUserProfile: Ref
    Count is not 0
    USERENV(2e4.724) 14:29:49:608 GetGPOInfo: Local GPO's gpt.ini is not
    accessible, assuming default state.
    USERENV(2e4.350) 14:39:18:447 GetGPOInfo: Local GPO's gpt.ini is not
    accessible, assuming default state.
     
    Adrian Marsh (NNTP), Mar 10, 2006
    #23
  4. I also see the below in the gptext file on the test machine (lots of
    entries).

    GPTEXT(ef4.494) 11:38:35:137 CPolicyComponentData::LoadRSOPTemplates:
    Unable to parse template
    \\uk-lab.lucent.com\SysVol\uk-lab.lucent.com\Policies\{B8A1F8F1-C322-4EC8-A882-8BA28C070926}\Adm\system.adm
    due to error 1326. Switching to the local copy of system.adm.
    GPTEXT(ef4.494) 11:38:36:747 CPolicyComponentData::parseTemplate:
    Failed to copy adm file with error 1326.
    GPTEXT(ef4.494) 11:38:36:747 CPolicyComponentData::LoadRSOPTemplates:
    Unable to parse template
    \\uk-lab.lucent.com\sysvol\uk-lab.lucent.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm\NoXPSP2Update.adm
    due to error 1326. Switching to the local copy of NoXPSP2Update.adm.
    GPTEXT(ef4.494) 11:38:36:747 CPolicyComponentData::parseTemplate:
    Failed to copy adm file with error 2.
     
    Adrian Marsh (NNTP), Mar 13, 2006
    #24
  5. I may now have this fixed. After the DNS entries were all sorted out, I
    then applied the below reg-hack from MS again. Seems that the login
    scripts now work ok, and SI has now installed Adobe... I'm retesting to
    death to confirm.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;840669#XSLTH3163121123120121120120

    I now get the below in the userenv log:

    USERENV(29c.2a0) 12:32:05:531 CUserProfile::CleanupUserProfile: Ref
    Count is not 0
    USERENV(29c.2a0) 12:32:05:546 CUserProfile::CleanupUserProfile: Ref
    Count is not 0
    USERENV(29c.2a0) 12:32:05:546 CUserProfile::CleanupUserProfile: Ref
    Count is not 0
    USERENV(29c.5f0) 12:32:08:687 ProcessGPOs: The DC for domain UK-LAB is
    not available at startup. retrying
    USERENV(29c.5f0) 12:32:15:546 ProcessGPOs: DC for domain UK-LAB is
    reachable after retries.
    USERENV(29c.5f0) 12:32:16:140 GetGPOInfo: Local GPO's gpt.ini is not
    accessible, assuming default state.
     
    Adrian Marsh (NNTP), Mar 14, 2006
    #25
  6. Hmmm, when you boot this machine cannot find the domain. But is then able
    to later. That suggests, things are slowing down the normal order of system
    services starting, and/ or network problems.

    Before we close this, check the permissions on
    %systemroot%\system32\grouppolicy. Is this "slowness" only occurring on
    this machine or others too?
     
    Paul Williams [MVP], Mar 15, 2006
    #26
  7. Hi Paul.

    Attached is an AccessEnum (sysinternals) output showing the perms on
    GroupPolicy in the PDC (don't find this in the second DC). All looks
    normal to me

    I still get an event in the Eventlog, but I think thats because of the
    initial failure right?

    Event Type: Error
    Event Source: NETLOGON
    Event Category: None
    Event ID: 5719
    Date: 16/03/2006
    Time: 16:18:37
    User: N/A
    Computer: TEST1300
    Description:
    No Domain Controller is available for domain UK-LAB due to the following:
    There are currently no logon servers available to service the logon
    request. .
    Make sure that the computer is connected to the network and try again.
    If the problem persists, please contact your domain administrator.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 5e 00 00 c0 ^..

    ÿþ"\0P\0a\0t\0h\0"\0 \0"\0R\0e\0a\0d\0"\0 \0"\0W\0r\0i\0t\0e\0"\0 \0"\0D\0e\0n\0y\0"\0 \0
    \0
    \0"\0C\0:\0\\0W\0I\0N\0N\0T\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0G\0r\0o\0u\0p\0P\0o\0l\0i\0c\0y\0"\0 \0"\0A\0d\0m\0i\0n\0i\0s\0t\0r\0a\0t\0o\0r\0s\0,\0 \0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\\0A\0u\0t\0h\0e\0n\0t\0i\0c\0a\0t\0e\0d\0 \0U\0s\0e\0r\0s\0,\0 \0S\0e\0r\0v\0e\0r\0 \0O\0p\0e\0r\0a\0t\0o\0r\0s\0"\0 \0"\0A\0d\0m\0i\0n\0i\0s\0t\0r\0a\0t\0o\0r\0s\0"\0 \0"\0"\0 \0
    \0
    \0
     
    Adrian Marsh (NNTP), Mar 16, 2006
    #27
  8. I've rebuilt the PC from scratch today, and one of the things I noticed
    was the order in which some of the events happen. Heres a summary example:

    15:09:56 - 35 - W32time , telling me it now syncs up
    15:09:33 - 4201 - TCPip - Telling me the interface is up
    15:09:18 - IFXTPM - Some device starting
    15:09:37 - 5719 - netlogon complaining it cant find the domain

    What caught my eye, is that the event are in the exact above order...
    And if that means anything, then it would suggest that the NIC isn't up
    until after netlogon has run.

    Of course, if the order that it appears in the event log is irrelevant,
    and the time is correct, then it doesn't mean a thing.

    My GPO does have "Always wait for the network at computer startup and
    logon" enabled (confirmed in RSOP)

    A.
     
    Adrian Marsh (NNTP), Mar 17, 2006
    #28
  9. Hmmm, that looks like it might be a problem. I've always taken the time and
    order of the events in the event log as correct.

    Perhaps you can speak to the NIC manufacturer, or install later drivers?
     
    Paul Williams [MVP], Mar 19, 2006
    #29
  10. My computer also has SYSTEM - Full Control.

    I'll check a DC tomorrow and get back to you.
     
    Paul Williams [MVP], Mar 19, 2006
    #30
  11. Well.. the PCs only 1 month old now. I cant remember the NIC
    manufacturer right now - but I remember it was an odd name, but its
    integrated onto the Intel motherboard. I'll get the details tomorrow.

    Pretty sure its got the latest drivers (but again I'll check).
     
    Adrian Marsh (NNTP), Mar 19, 2006
    #31
  12. Hmmm.

    I installed ethereal on the server just to check that comms was ok. I
    see lots and lots of communication to and from the client, so on first
    glance things look ok. I see ICMP,LDAP,SMB protocols + more).

    2 questions:

    1) I thought that with a 2000 based environment, the concept of PDC and
    BDC was removed? Yet throughout all this I've seen specific mentions
    (especially in DNS) for entries specific only to one of the DCs (the
    "PDC"). Is this only for NT4 backward compatibility only? Does 2000/XP
    use these unique SRV records ?

    2) I was thinking of disabling one of the DCs temporarily to test each
    DC at a time. I know I can remove the second DC from the domain
    permanently by de-growing it out, but is there a way to do it
    temporarily ? (is powering the server down the simplest way??)


    I've run some more testing tools against both DCs (ADtest for one), and
    everything checks out. Are there any more you know of that might just
    confirm the status of the DCs ?

    Adrian
     
    Adrian Marsh (NNTP), Mar 19, 2006
    #32
  13. Hmmm,

    I think that was it... I just upgraded the NIC drivers from the
    out-of-the-factory ones (dated 2004) to the latest generic ones on the
    www site (Marvell), and removed the Gpupdatetimeout key. I've rebooted
    twice and now theres no userenv error.

    talk about a hotpot of problems..

    But as of this minute everything looks good, and I've learned a whole
    bunch more, so at least I know now the domain is running ok...

    Thanks paul - for all the help! let me know where to send the pint of
    beer..

    Adrian
     
    Adrian Marsh (NNTP), Mar 19, 2006
    #33
  14. Glad we've finally found a resolution. All the best!
     
    Paul Williams [MVP], Mar 21, 2006
    #34
  15. 1) I thought that with a 2000 based environment, the concept of PDC and
    The PDCe performs a number of vital roles in NT 5.x too. Have a look at
    this:
    -- http://www.msresource.net/content/view/13/46/

    Yes, powering down or simply unplugging the NIC(s) will do it. Just make
    sure your clients point to more than one server for DNS and that there's
    another GC.
     
    Paul Williams [MVP], Mar 21, 2006
    #35
  16. I think thats the bit that maybe I have to read up more on. If I
    understand correctly, then I only have one GC at the moment. I've no NT
    machines - so does this matter? Can I "add" my second DC as another GC?
     
    Adrian Marsh (NNTP), Mar 21, 2006
    #36
  17. Paul Williams [MVP], Mar 21, 2006
    #37
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.