G
Guest
Hi,
Here's one to get your collective teeth into - bit of a long one, please
bear with me while I flesh this one out.
At one of our client sites we have a really wierd problem. Firstly the site
is a Win 2003 server, SP1 controlled site. Single server with all roles on
it, about fifty Windows XP Pro SP2 clients. Client software deployed using
RIS and group policy, and user GPs in place to lock the environment down
(it's a school so we don't want the students "clicking" anywhere they
shouldn't and getting off-task).
About six months ago we had this problem on a dozen or so machines - and we
were unable to find an answer to explain or cure it at the time but we did
discover re-installing the PCs affected from scratch seemed to rectify it.
Now it's come back on (I think) the same dozen machines as before -
literally overnight - but I don't want to have to re-install all those PCs
again as it created enough disruption last time.
As far as I can tell, nothing changed to prompt the problem to recurr.
Printers are all epson personal inkjets of various ages. There is Sophos
antivirus on each workstation and the server - it is configured correctly,
there is no firewall active, and it is up-to-date.
The initial symptom is to do with accessing the directory service to look
for a shared printer on the network. Use the Add Printer wizard and
everything appears to work as it should until clicking through to the second
or third screen when a "Directory Service is currently unavailable" error
message appears.
If the affected computer is host to a shared print device, client computers
already mapped to the shared printer can no longer print to it. Printers
mapped using (for example) a VB logon script to connect to \\computer\printer
on an affected computer connect fine but can't print. In both cases, jobs go
into the queue but are not processed though local printing from the affected
PC to the printer appears to work fine.
If the affected PC is a client to a shared printer, same thing - won't print
though this time the job isn't submitted into the queue.
Going into computer management to check the event logs on affected machines,
we notice that there is a big red "X" through Local Users and Groups, pretty
much like you used to see on a Win 2k server that had just been promoted to a
DC role. It is impossible to manage local users or groups on that computer
using the computer management interface. Unaffected PCs don't display this
problem.
There are also errors in the system logs on the affected machines. Event ID
27 logged by NTAUTHORITY\SYSTEM and with the description: "PrintQueue could
not be created because we failed to bind to the container:
LDAP://brackenfield1.brackenfield.org.uk/CN=BRSTATION44,OU=Library,OU=Computers,OU=Brackenfield, DC=Brackenfield,DC=org,DC=UK. Error 8002801d"
Checking the server shows the DHCP, DNS, WINS are all working and configured
correctly and an IPCONFIG /all on affected machines gives the same
information as on unaffected PCs. There do not appear to be any related
security or unknown-machine errors on the server as you might expect if a PC
had lost its connection to AD and was attempting to reconnect, and other
machines can access the directory service to view network printers properly.
Removing affected PCs from the domain into a workgroup, then re-adding them
back into the domain does not have any effect. Directory service remains
unavailable and local users and groups are not manageable.
I suspect something has gone wrong with AD at this school, possibly even a
GP that's failing to apply properly, though I couldn't say why I think this -
not every machine in a given OU could be affected, and it affects machines
across multiple OUs.
Can anyone shed any light on this problem?
Thanks in advance!
Jim
Here's one to get your collective teeth into - bit of a long one, please
bear with me while I flesh this one out.
At one of our client sites we have a really wierd problem. Firstly the site
is a Win 2003 server, SP1 controlled site. Single server with all roles on
it, about fifty Windows XP Pro SP2 clients. Client software deployed using
RIS and group policy, and user GPs in place to lock the environment down
(it's a school so we don't want the students "clicking" anywhere they
shouldn't and getting off-task).
About six months ago we had this problem on a dozen or so machines - and we
were unable to find an answer to explain or cure it at the time but we did
discover re-installing the PCs affected from scratch seemed to rectify it.
Now it's come back on (I think) the same dozen machines as before -
literally overnight - but I don't want to have to re-install all those PCs
again as it created enough disruption last time.
As far as I can tell, nothing changed to prompt the problem to recurr.
Printers are all epson personal inkjets of various ages. There is Sophos
antivirus on each workstation and the server - it is configured correctly,
there is no firewall active, and it is up-to-date.
The initial symptom is to do with accessing the directory service to look
for a shared printer on the network. Use the Add Printer wizard and
everything appears to work as it should until clicking through to the second
or third screen when a "Directory Service is currently unavailable" error
message appears.
If the affected computer is host to a shared print device, client computers
already mapped to the shared printer can no longer print to it. Printers
mapped using (for example) a VB logon script to connect to \\computer\printer
on an affected computer connect fine but can't print. In both cases, jobs go
into the queue but are not processed though local printing from the affected
PC to the printer appears to work fine.
If the affected PC is a client to a shared printer, same thing - won't print
though this time the job isn't submitted into the queue.
Going into computer management to check the event logs on affected machines,
we notice that there is a big red "X" through Local Users and Groups, pretty
much like you used to see on a Win 2k server that had just been promoted to a
DC role. It is impossible to manage local users or groups on that computer
using the computer management interface. Unaffected PCs don't display this
problem.
There are also errors in the system logs on the affected machines. Event ID
27 logged by NTAUTHORITY\SYSTEM and with the description: "PrintQueue could
not be created because we failed to bind to the container:
LDAP://brackenfield1.brackenfield.org.uk/CN=BRSTATION44,OU=Library,OU=Computers,OU=Brackenfield, DC=Brackenfield,DC=org,DC=UK. Error 8002801d"
Checking the server shows the DHCP, DNS, WINS are all working and configured
correctly and an IPCONFIG /all on affected machines gives the same
information as on unaffected PCs. There do not appear to be any related
security or unknown-machine errors on the server as you might expect if a PC
had lost its connection to AD and was attempting to reconnect, and other
machines can access the directory service to view network printers properly.
Removing affected PCs from the domain into a workgroup, then re-adding them
back into the domain does not have any effect. Directory service remains
unavailable and local users and groups are not manageable.
I suspect something has gone wrong with AD at this school, possibly even a
GP that's failing to apply properly, though I couldn't say why I think this -
not every machine in a given OU could be affected, and it affects machines
across multiple OUs.
Can anyone shed any light on this problem?
Thanks in advance!
Jim