Group policy issue.......

Momo

I'm getting the following errors logged on my workstations in an AD
domain I've recently set up...... and group policies aren't getting
applied to my workstations. Any suggestions on what's the
cause............

Application Event Log


Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 15
Date: 5/31/2002
Time: 5:36:16 PM
User: N/A
Computer: TREATMENT
Description:
Automatic certificate enrollment for local system failed to contact the
active directory (0x80072095). A directory service error has occurred.
Enrollment will not be performed.


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1053
Date: 5/31/2002
Time: 5:35:15 PM
User: NT AUTHORITY\SYSTEM
Computer: TREATMENT
Description:
Windows cannot determine the user or computer name. (An internal error
occurred. ). Group Policy processing aborted.


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


System Event Log


Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 5/31/2002
Time: 5:57:45 PM
User: N/A
Computer: TREATMENT
Description:
The Security System detected an attempted downgrade attack for server
ldap/312server1.mydomain.com. The failure code from authentication
protocol Kerberos was "No authority could be contacted for authentication.
(0x80090311)".


Thanks a lot

Momo
 
Oli Restorick [MVP]

Check your DNS setup. Your workstations and member servers should be
pointing only to your internal DNS servers. If you're using AD-integrated
DNS, the DCs should point to themselves, and use forwarders for external
name resolution.

Frequently asked questions about Windows 2000 DNS and Windows Server 2003
DNS
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382

Regards

Oli
 
Momo

I've checked the DNS settings and they seem to be correct. What seems
to be strange is I can't access the \sysvol directory on the DCs, which
may be the cause.....

I tried clicking on \sysvol and it gives an error "you don't have
permissions to use this network resource........ the user have not
been granted the requested logon type at this computer..........."

I can't even access the UNC path.....

Tried changing the "Access computer from network" policy and that seems
fine.... also checked permissions on the \sysvol directory and they seem
fine too

Stuck, help
 
Momo

Finally seem to have found the problem................. we have 2
sites configured on the child domain...... and we hadn't configured the
subnet addresses for the sites... and then found that it was giving
errors in the servers' system\debug\netlogon logs with something like
no_client_sites....

So after we configured the sites for the servers everything seemed to
be fine and we could access the \\domain\sysvol

That seemed to be the root cause ...... but I still don't really
understand the reason why, because we had 2 DCs in site A and 1 in
site B, and by default the workstations which belong to site A tried to
log on to site B and somehow couldn't, so they couldn't get access to the
\\sysvol

Thanks for all the help guys...............
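
The root cause described in the post above (client subnets not mapped to any AD site, logged as NO_CLIENT_SITE in the DC's netlogon.log) can be checked with a short script. This is an added example, not part of the original thread; the log line layout, site names, subnets and sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed netlogon.log shape: "MM/DD HH:MM:SS [optional tags] DOMAIN: NO_CLIENT_SITE: HOST IP"
NO_SITE = re.compile(
    r"^\d{2}/\d{2} \d{2}:\d{2}:\d{2}\s+(?:\[[^\]]*\]\s+)*"
    r"\S+: NO_CLIENT_SITE: (?P<host>\S+) (?P<ip>\S+)\s*$"
)

# Constructed site-to-subnet mapping, as it would be defined in AD Sites and Services.
SITE_SUBNETS = {"SiteA": ["10.1.0.0/16"], "SiteB": ["10.2.0.0/24"]}

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = """\
05/31 17:35:15 CHILD: NO_CLIENT_SITE: TREATMENT 10.3.4.20
05/31 17:36:02 [1532] CHILD: NO_CLIENT_SITE: TREATMENT 10.3.4.20
05/31 17:36:40 CHILD: NO_CLIENT_SITE: RECEPTION 10.1.7.9
05/31 17:37:00 CHILD: DsGetDcName function called: Dom:CHILD Flags: DS
05/31 17:38:11 CHILD: NO_CLIENT_SITE: LAB01 not-an-ip
"""

def site_for(ip, site_subnets):
    """Return the site whose most specific subnet contains ip, or None."""
    best = None
    for site, cidrs in site_subnets.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (site, net)
    return best[0] if best else None

def unmapped_clients(log_text, site_subnets):
    """Count NO_CLIENT_SITE hits per client and report which site, if any, now covers it."""
    hits = Counter()
    for line in log_text.splitlines():
        m = NO_SITE.match(line)
        if not m:
            continue  # not a NO_CLIENT_SITE entry
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field; skip rather than guess
        hits[(m["host"], ip)] += 1
    return [
        {"host": h, "ip": str(ip), "hits": n, "site": site_for(ip, site_subnets)}
        for (h, ip), n in sorted(hits.items(), key=lambda kv: (str(kv[0][1]), kv[0][0]))
    ]
```

A row whose `site` is `None` is a client address that still has no subnet object, which is the condition the poster fixed; a row with a site name was logged before the covering subnet was defined.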
 
