Buggered AD Domain

**pmeswani** · 29 September 2009, 18:46

Does this help?

http://social.technet.microsoft.com/...0-8ac36e585d6f

**the_duderama** · 29 September 2009, 18:52

The access denised error on the workstations is pointing towards the file used for the group policy objects - ie what you use to manage the server/users/workstations settings.

SYSVOL is where the AD database is stored, FRS is used to replicate it around to other domain controllers, not relivant in this case i know, but it does point to a permissions problem that would cause issues with the GPO's, that would also cause slow logons etc.

You can try a couple of things - turn security logging on for the sysvol folder (normaly in the system32 or just windows if i remember correctly, don't do this stuff anymore) and see what system users are being denied access to sysvol.

Confirm DNS is working correctly, DNS is key to AD.

You could also try logging onto the sysvol folder from on of the workstations as a domain admin, you should be able to browse to it, if you can't then it isn't shared, or again the permissiosn aren't correct.

Problem here is that the permissions/sharing of the syvol is part of intial setup when you create a domain controller and hence it should be automated. I would expect other problems further down the line even if you do manage to fix this, so i would really suggest a complete rebuild. Also make sure you disable any AV on the DC whilst installing AD otherwise it might block file shares etc that are part of the process.

That'll be £2K please, thanks.

**wxman** · 29 September 2009, 18:55

Imm my gut feeling is that is is a DNS error

You did name the forest something.something when you did the install ??

**TykeMerc** · 29 September 2009, 19:01

Originally posted by wxman View Post

Imm my gut feeling is that is is a DNS error

You did name the forest something.something when you did the install ??

WHS, I've seen similar symptoms from goosed DNS configs quite often.

**portseven** · 29 September 2009, 20:54

Just had another look at the SYSVOL folder, I have got in the NTFS security tab an 'Account Unknown' in there, which implies that some critical account has been deleted, SYSVOL inherits stuff from c:\windows and thats the same.

I think that might be the cause of the problems, no clue what this 'Account Unknown' is

The accounts listed are

'Account Unknown'
Administrators
Creator Ownder
System

I am guessing the Account Unknown should be Administrator???

Reinstall looking more likley

**DimPrawn** · 30 September 2009, 09:36

DNS.

You probably have your DNS server using the Internet to try and resolve local IP addresses unless you setup DNS properly and that's more than just installing it.

**dmini** · 30 September 2009, 19:32

You unlisted account is probably "Authenticated users" - they need permissions to be able to read / execute. Otherwise users wont have permission to read group policy etc (like you are seeing)
On our 2003 DCs we also have "Server Operator" - not sure why that is missing off your list
Check the permissions on that unknown account.
Agree about the dns though as well. Check your DC is ONLY pointing to itself
Also take a look at http://www.tomshardware.co.uk/forum/...1479_36_0.html. Theres a suggestion at the bottom of redeploying the default domain controller security policy.

**vetran** · 30 September 2009, 20:33

DNS - my first thought.

post ipconfig /all on ws & server.

without DNS 2003 AD is like a dead parrot.

**HairyArsedBloke** · 30 September 2009, 22:08

Yeah, gotta be DNS.

Actually, I haven't a clue - it's just what everyone else is saying.

On the other hand, when I had my grief with AD it did turn out to be shagged up DNS too.

Buggered AD Domain