AD Problem! Please Help!

Brian

Hello,
Just yesterday, I (domain admin) and another domain admin are sporadically
getting errors in AD Users and Computers. Specifically when opening groups
and trying to see members of the groups. I get the following error:

"A global catalog cannot be contacted to retrieve the icons for the member
list because access was denied. Some icons may not be shown."

When I try to access the 'Member Of' tab, I get:

"The operation failed with error code -1073741428 (0xc000018c)"

Here is my domain setup:

corp.com
subdomain: contoso.corp.com

I've got two DCs (these are the only servers in this domain) in corp.com
I've got several DCs in contoso.corp.com

I see no errors whatsoever on my contoso.corp.com domain controllers.
I see a bunch of netlogon errors on both of my corp.com domain controllers:
NETLOGON Event ID 5721
"The session setup to the Windows NT or Windows 2000 Domain Controller
<unknown> for the domain CONTOSO failed because the domain controller does
not have an account for the computer CORP1DC." <-- corp1dc is one of the DCs
in corp.com

I had found this morning that my trust between corp.us and contoso.corp.us
was broken. I was able to recreate the trust. However, the problem is still
happening.

Am I in serious trouble here? This may warrant a call to Microsoft.

Thanks! Brian
 
Brian

Never mind. Sorry to be a bother. It turns out that re-establishing the
trust between my domains fixed the problem. Thank you.

Brian
 
Guest

Before you go - as a side note... you might want to check about having a
local domain controller (DC) become a Global Catalogue (GC) server as well.

Were Global Catalogue servers implemented in your other sites, besides the
first site and domain in your forest? As an FYI - by default, the only GC you
have in your forest is the first domain controller in the first domain. By
having a GC local to your site and within your domain, it would eliminate
errors connecting to the single GC if your trust breaks down again.

Here is an article on how to make a DC a GC as well...
http://support.microsoft.com/default.aspx?scid=kb;en-us;875427

Here is an article on GC placement best practices specific to Exchange.
http://support.microsoft.com/default.aspx?scid=kb;en-us;875427

A word of caution - before you place a GC role in your site, you will have
to consider the impact additional replication might have on your network
links. You might want to consult with the people who created your AD design
as to the current GC placement strategy (if one exists).

When I was implementing my AD designs, I always used a best practice of
having a GC local to the clients in their sites, if the bandwidth is
available. It makes sense for deployment of Exchange 2000 or 2003.

Rick Claus [MSFT], MCSE
TechNet CDN - IT Pro Advisor

No Email Please... This alias is for newsgroup purposes only.
This posting is provided "AS IS" with no warranties and confers no rights.
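
Added example, not part of the original thread or written by any of its posters: a PowerShell check of the two things discussed above, Global Catalog coverage per site and the health of the inter-domain trust. It assumes the ActiveDirectory module (RSAT) is installed, which postdates the Windows 2000/2003 domain controllers in this thread, and that it is run on a domain controller or domain-joined management host with read access to every domain in the forest.

```powershell
# Added example: audit GC placement per site and verify trust secure channels.
# Assumption: ActiveDirectory module (RSAT) is available on this host.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Collect every DC in every domain of the forest with its site and GC flag.
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Select-Object HostName, Domain, Site, IsGlobalCatalog
}

# One row per site. A site with GCs = 0 must reach a GC in another site
# (and possibly another domain), so a broken trust or WAN link affects
# group membership lookups there.
$report = foreach ($site in $forest.Sites) {
    $inSite = @($dcs | Where-Object { $_.Site -eq $site })
    $gcs    = @($inSite | Where-Object { $_.IsGlobalCatalog })
    [pscustomobject]@{
        Site    = $site
        DCs     = $inSite.Count
        GCs     = $gcs.Count
        GCHosts = ($gcs | ForEach-Object { $_.HostName }) -join ', '
    }
}
$report | Sort-Object GCs, Site | Format-Table -AutoSize

# Trust objects as seen from the current domain.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, IntraForest |
    Format-Table -AutoSize

# Verify the secure channel from this machine to every other domain in the
# forest. A failure here corresponds to the NETLOGON 5721 symptom above.
$localDomain = (Get-ADDomain).DNSRoot
foreach ($domain in $forest.Domains | Where-Object { $_ -ne $localDomain }) {
    Write-Host "--- Secure channel to $domain ---"
    nltest /sc_verify:$domain
}
```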
 
