In news:(E-Mail Removed) oups.com,
(E-Mail Removed) <(E-Mail Removed)> typed:
> I am at my wits' end here trying to find a solution to a really perplexing
> problem and I hope you all can help me out here.
<snipped>
> Computers MMC; however, once this timeout/lag issue occurs 15 - 20 minutes
> after the restart I can still connect to the internet via any account, but
> the domain accounts take FOREVER and a day to log in (possibly because
<snipped>
> Of course, if I am logged in as an Administrator after the 15 - 20 minute
> timeout/lag I can only access the internet.
>
> Taking a look at the Event Viewer, the Application log does have one
> interesting event:
>
> Event ID: 1007
> Source: Userenv
> "Windows cannot determine the associated site for this computer. (There
> are currently no logon servers available to service the logon request).
> Group Policy processing aborted."
>
> &
>
> Event ID: 13
> Source: Autoenrollment
> "Automatic certificate enrollment for local system failed to enroll one
> xxx.Machine.Computer Authentication certificate (0x80070005). Access is
> denied."
>
>
> I would appreciate any and all help possible on this matter as its
> rendered our offices useless for the past 2 days.
You posted the symptoms well; however, you haven't provided configuration
information, which would be beneficial.
This sounds like a DNS misconfiguration issue. I'll explain why, please read
on...
Notice I snipped some stuff out above. The main thing that caught my eye is
the long logon times and loss of connectivity to internal resources, and the
biggest thing is that when you lose internal connectivity, outside connectivity
thrives. Therefore...
The FIRST thing that comes to mind is that you have your users and the
server(s) set to use your internal DNS and your ISP's DNS in their IP
properties. Remember, AD and all its functions, services and service
locations are stored in DNS. AD relies heavily on DNS to find the domain
controller during logons, authentication, etc. If you are using your ISP's
DNS, then how is it going to find your internal data?
Remember, AD does not use NetBIOS, like NT4 did so many years ago. It uses
DNS.
That is the same reason autoenrollment is being denied a cert: it can't find
the DC to send its authentication request to. Curious, what are you using
autoenrollment for?
If using DHCP, DO NOT use the router's DHCP service. Use your DC's DHCP
services. It works hand in hand with Microsoft DNS.
Tell you what, please provide some specific configuration information to
assist in a more accurate diagnosis, such as:
1. ipconfig /all from a client and from your DC(s)
2. The DNS domain name of AD (found in ADUC)
3. The zonename in your Forward Lookup Zones in DNS
4. If updates are set to allow under zone properties
5. If this machine has more than one NIC
6. Do you have a firewall? If so, what brand?
7. Is/are forwarder(s) configured?
8. Do the SRV records exist under your zone name?
Thanks,
--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations
Having difficulty reading or finding responses to your post?
Instead of the website you're using, try using OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. Anonymous access. It's free - no username or password
required nor do you need a Newsgroup Usenet account with your ISP. It
connects directly to the Microsoft Public Newsgroups. OEx allows you
to easily find and track threads, cross-post, and sort by date, poster's name,
watched threads or subject. It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164
"Quitting smoking is easy. I've done it a thousand times." - Mark Twain
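The reply above argues that a client pointed at an ISP resolver cannot find the domain controller, because the DC locator relies on the SRV records AD registers in its own DNS zone. The following PowerShell script is an added example, not part of the original thread or written by the poster, that checks this from a domain-joined client: it lists the DNS servers each NIC is using, flags any that are not in a list of internal DNS servers you supply (the 192.168.1.x addresses are placeholders), asks each configured server for the `_msdcs` SRV records, and finally runs the Netlogon DC locator. It assumes Windows 8 / Server 2012 or later (the DnsClient cmdlets did not exist on the XP/2003-era systems in the thread) and reads the domain name from the machine itself.

```powershell
# Added example: DNS-side checks for the "no logon servers available" symptom.
# Assumes Windows 8 / Server 2012+ (DnsClient module) and a domain-joined host.
param(
    # Assumption: the IPv4 addresses of your internal, AD-integrated DNS servers.
    [string[]]$InternalDns = @('192.168.1.10', '192.168.1.11')
)

$domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
Write-Host "Machine domain: $domain"
$problems = 0

# 1. Which DNS servers is each NIC actually using? Anything outside
#    $InternalDns (typically an ISP resolver handed out by a router's DHCP)
#    is the misconfiguration the reply describes.
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    if (-not $cfg.ServerAddresses) { continue }
    foreach ($srv in $cfg.ServerAddresses) {
        if ($InternalDns -notcontains $srv) {
            Write-Warning "$($cfg.InterfaceAlias): external DNS server $srv configured"
            $problems++
        }
    }
}

# 2. Can each configured DNS server locate a domain controller? AD publishes
#    DC locations as SRV records under _msdcs.<domain>; an ISP resolver has no
#    such records, so logons, Group Policy and autoenrollment all fail to find a DC.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain"
)
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } |
    Sort-Object -Unique
foreach ($dnsServer in $servers) {
    foreach ($name in $srvNames) {
        try {
            # Resolve-DnsName also returns the additional-section A records;
            # keep only the SRV answers so NameTarget is meaningful.
            $answers = Resolve-DnsName -Name $name -Type SRV -Server $dnsServer -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' }
            if ($answers) {
                Write-Host "$dnsServer answers $name -> $($answers.NameTarget -join ', ')"
            } else {
                Write-Warning "$dnsServer returned no SRV records for $name"
                $problems++
            }
        } catch {
            Write-Warning "$dnsServer cannot resolve $name ($($_.Exception.Message))"
            $problems++
        }
    }
}

# 3. Ask the Netlogon DC locator directly; this is the same lookup path
#    Group Policy (Userenv 1007) and certificate autoenrollment depend on.
nltest "/dsgetdc:$domain" /force

if ($problems -eq 0) {
    "No DNS client problems found."
} else {
    "$problems DNS client problem(s) found; fix the DNS server list on the clients and DCs first."
}
```

Run it as an administrator on an affected client; if the external resolver shows up in step 1 and only the internal server answers the SRV queries in step 2, the fix is exactly what the reply recommends: point every domain member (DCs included) solely at the internal DNS servers and let those servers forward to the ISP for external names.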