
Services for Macintosh won't start after AD install


Tony T.

Jun 10, 2003, 2:16:20 AM
The error msg's are: 5789 w/5788 Domain Controller not found.
Also seeing the series 10001 w/10027 & 10021, and when starting the service
by hand, 1724.
The service doesn't start, and if it is set to start with Local System, the
1724 error has 'service-specific error 5' and if I use Administrator, it
changes to 1327.
These servers used to work before the Active Directory install.
I get the idea that there are special GPO settings required for SFM that are
not required for SFWindows.

Tony


Dolemite

Jun 10, 2003, 6:50:31 AM
What is the patch level of the Win2K servers, and what OS/patch level of Macs
are you using?

There's a new OS X patch out that fixes a lot of these issues. Win 2K
requires SP 3.

Check out Apple's support site for more info.


"Tony T." <real...@bizalter.natives.net> wrote in message
news:UIeFa.1192227$S_4.1213685@rwcrnsc53...

William M. Smith

Jun 10, 2003, 8:39:56 AM
On 6/10/03 1:16 AM, "Tony T." <real...@bizalter.natives.net> wrote:

> The error msg's are: 5789 w/5788 Domain Controller not found.
> Also seeing the series 10001 w/10027 & 10021, and when starting the service
> by hand, 1724.

Hi Tony!

The first message, "Domain Controller not found", should be of more concern
and probably lends itself to your problem.

AD requires DNS. When a domain controller cannot find a domain controller,
this tells me that DNS may be improperly configured or that your domain is
having problems.

Check for discrepancies within your DNS and fix these. If AD is completely
new to your network, then you may want to verify which servers have which
FSMO roles for further trouble-shooting.

Hope this helps! bill
--
William M. Smith
(Microsoft Interop MVP)

Tony T.

Jun 10, 2003, 10:37:23 AM
Sorry about the omission:
The W2k is SP3, the Mac patch level is not a factor at this point, as there
is no contact, no services up.

Will check the Apple site, but I think you are right in suspecting naming in
the Directory.

T.
"Dolemite" <yom...@nospam.com> wrote in message
news:OYCUg4zL...@tk2msftngp13.phx.gbl...

Tony T.

Jun 10, 2003, 10:40:42 AM
In the Directory, there are only _msdcs and _dc entries for the one DC.
Where is a comprehensive list of the DNS entries needed to support
logon/auth?
"William M. Smith" <meck...@REMOVETHIS.mn.rr.com> wrote in message
news:BB0B3BCC.701F%meck...@REMOVETHIS.mn.rr.com...

William M. Smith

Jun 10, 2003, 11:39:11 PM
On 6/10/03 9:40 AM, "Tony T." <real...@bizalter.natives.net> wrote:

> In the Directory, there are only _msdcs and _dc entries for the one DC.
> Where is a comprehensive list of the DNS entries needed to support
> logon/auth?

Hi Tony!

I found the following article number 258503 in Microsoft's Knowledgebase
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B258503

It's titled "DNS Registration Errors 5788 and 5789 When DNS Domain and
Active Directory Domain Name Differ".

Although I believe your problem is DNS related, it may not necessarily be a
DNS configuration problem as I suspected, but rather a simple server or
domain name misconfiguration.

And I guess we still need to see if this is or isn't related to your Mac
Services problem. I'll keep my fingers crossed.

Dolemite

Jun 11, 2003, 12:03:51 AM
There are some KB articles on some problems with Services for Mac. The cause
of the problems seems to be limitations of the Mac OS at the time the KB
article was written.

However, as I noted earlier, he should take a look at Apple's site as they
seem to have fixed most if not all the problems interoperating within Macs
and Windows.


"William M. Smith" <meck...@REMOVETHIS.mn.rr.com> wrote in message

news:BB0C0E8F.716C%meck...@REMOVETHIS.mn.rr.com...

Tony T.

Jun 11, 2003, 1:25:43 AM
I have done/checked these security items from this article, down the SELF
object, and for its properties page, adding rights to read/write
DNSHostname, SPN, userobjects, and still no dice. One of the errors on
starting the SFM does mention Access Denied, but the other is 'Not Found'.
I think the Domain Controller is not reliably identified in AD. I see the
SID (or whatever that 20 digit # is) xxx._msdcs.domain.lan entries, but how
do I know what that # should be? Can I look it up using dcdiag or repadmin?

The DNS domain and Active Directory domain are the same. Could WINS be
involved?

I noticed today that the WINS entries for the DC are the same as for the
member servers. Shouldn't there be another entry for DCs? Or is that the
wrong tree to be sniffing around?

Tony

"William M. Smith" <meck...@REMOVETHIS.mn.rr.com> wrote in message

news:BB0C0E8F.716C%meck...@REMOVETHIS.mn.rr.com...

Tony T.

Jun 11, 2003, 1:25:49 AM
Thanks, again, for your thoughts, but it does not involve a client, or Apple
anything yet, as the service has not started, there is no relationship to go
sour. The only interop problem is the Service for Macintosh interoperating
with the Active Directory we migrated to.
Tony

"Dolemite" <yom...@nospam.com> wrote in message

news:%23XSG858...@TK2MSFTNGP11.phx.gbl...

William M. Smith

Jun 11, 2003, 8:30:17 AM
On 6/11/03 12:25 AM, "Tony T." <real...@bizalter.natives.net> wrote:

> Or is that the wrong tree to be sniffing around?

Hi Tony!

I don't have an AD setup to be able to research what you're seeing and
correctly identify how things should appear, so I've asked for assistance
from some other MVPs who specialize in AD and/or domain server setups.

Let's see what responses we get from them.

Eric Fleischman [MSFT]

Jun 11, 2003, 9:43:01 AM
Hi Tony,

Let's take a step back for a second here.
Let's check for a few things:
1) Who is our DC pointed to for DNS?
2) Right-click on My Computer, then Properties. There, please go to
the Network Identification tab. Can you tell us both what you see in "Full
computer name" as well as "domain name"?

Thanks!

~Eric

--
Eric Fleischman [MSFT]
Directory Services
This posting is provided "AS IS" with no warranties, and confers no rights


"Tony T." <real...@bizalter.natives.net> wrote in message
news:UIeFa.1192227$S_4.1213685@rwcrnsc53...

Tony T.

Jun 12, 2003, 9:56:30 AM
The DC knows only of itself for DNS, WINS, and is the only RHS in all the
_xxx.domain.lan subdomains of the AD domain. There was another DC, rogue,
they disagreed on auth, but that has been combed out of DC and ntds settings
using the tools.
The SOA record for the DNS domain (the AD domain) has the dc as owner.

In the event log, the Netlogon service checks itself before starting, and
the event implies that it thinks itself authoritative for the Domain.

The Domain name of the DC and the affected (services won't start) member
servers is the AD domain. The primary DNS server for the affected servers is
also the dc. WINS too.

Do you, or any respondent, know how to check the entries in
_msdcs.domain.lan, to make sure that 20-digit id aliased to the DC is naming
the object correctly?

Thanks, Tony

"Eric Fleischman [MSFT]" <efl...@online.microsoft.com> wrote in message
news:Ocluh9BM...@TK2MSFTNGP11.phx.gbl...

Tony T.

Jun 19, 2003, 9:42:56 PM
"Tony T." <real...@bizalter.natives.net> wrote in message
news:UIeFa.1192227$S_4.1213685@rwcrnsc53...
Ok, the solution is found. After mucking up the naming in the AD domain, and
trying native tools, all the way to surgically repairing with ADSI I had
most of the DC/replication/authorization errors out, and the rogue dc downed
and off all replication schemes in AD. Why oh Why is it still coming up 'not
found' in event log errors for various services, even on servers that were
turned up since the cleanup?

The registry on the PDCEmulator still held the former (mucked up) fqdn of
the rogue (now offline) DC. Not in Microsoft's KB articles. Makes ya wonder
if they're holding some fixes for an easy $245 on the phone.

The key is under HKLM/System/CCS/NTDS/Parameters/ values for source server,
and 2 replication values. Edited the source server one, and made the
remaining dc the source, removed the values for the replication items with
the fqdn of the downed server. Rebooted just to make sure.

Displace the natives to reply, Tony


Tony T.

Jun 19, 2003, 9:50:05 PM

"Tony T." <real...@bizalter.natives.net> wrote in message
news:UIeFa.1192227$S_4.1213685@rwcrnsc53...
One of the servers which wouldn't start services also had a persistent
problem even after the AD fix allowed the service to start. The AppleTalk
protocol properties page wouldn't show a zone. No amount of reloading
/reinstalling the services would fix it.
The machine has 2 NICs, only one of which is plugged in and enabled.
I knew that AppleTalk could only be bound to one adapter, so I figured it
must be elsewhere. Turns out that installing AT bound it to both adapters,
and that even though one was disabled, the conflict prevented the protocol
from lighting up on the enabled adapter. For no particular reason, I checked
the properties of the disabled adapter, and unchecked the AppleTalk protocol
box.
The zone was immediately available in the properties page on the other
adapter. Well (*&^(*^(* me!

displace the natives to reply,
Tony

