Re: Strange Problem(s) After Installing Security Update 818529
From: Ace Fekay [MVP] (PleaseSubstituteMyFirstName&LastNameHere_at_hotmail.com)
Date: 06/07/03
Date: Sat, 7 Jun 2003 09:08:30 -0400
In news:e0n1ev4mn9ve9jgrnu260qc4hoj4ti9s52@4ax.com,
IOStorm <noemail@noemail.net> posted his concerns then I replied down below:
> I'm cross-posting to five groups because they all may apply...
>
> I installed the security update 818529 yesterday, which was acquired
> through the automatic updater (and I went ahead and let it install, as
> I do for all security patches).
>
> I ended up with some weird problems.
>
> 1: When the system restarted, I had an error stating that LSASS.EXE
> had an error and Active Directory could not start. I restarted in AD
> repair mode, fiddled with NTDSUTIL and had errors with the jet
> database. I deleted the *.log files, and then NTDSUTIL successfully
> checked the integrity and repaired the database. I also ran the
> semantic analysis, which found no errors.
>
> 2: I rebooted, and was able to logon. AD seemed to be working.
> However, the logon screen seemed odd. Usually the domain name is
> already selected, but now it was blank and I had to select it
> manually. I allow this system to autologon (via TweakUI) as
> administrator for various reasons, but it would not do it anymore
> because it won't save the domain name in the logon screen.
>
> 3: When running Windows Update manually, along with errors telling me
> that ActiveX must be running (which it is) to use the site, I am
> presented with a screen telling me that only an administrator can
> download and install updates. So the site is useless now. But I *am*
> logged on as administrator. I also have no option for "Run As" when I
> right-click Windows Update.
>
> 4: The system log consistently gives the error: Registration of the
> DNS record '97678c29-9955-4573-8105-9baac54a5a47._msdcs.starfleet.gov.
> 600 IN CNAME ncc-1701.starfleet.gov.' failed with the following error:
> DNS name does not exist.
>
> Note: this is a LAN computer, a test system which is completely
> internal, so it has the geeky starfleet.gov domain name just for
> kicks. I'm a DNS neophyte and installed DNS simply because it is
> required for AD, and to try and learn DNS administration before
> fiddling with DNS on the production servers. My intention was to
> setup DNS on the test system to be completely internal and not to
> interact with any other DNS system (just an XP and Win2k Pro
> clients.). The test system has internet access via a router and the
> ISP's DNS settings. Primary DNS in the TCP/IP settings is set to the
> local DNS. This might be a completely botched setup, so any
> suggestions would be welcome.
>
> All in all, the system is running okay. Just a few odd things. I
> downloaded the 818529 patch again and installed it to see if it caused
> the problem again. It did, and the same error with the AD database
> occurred. I used the same process to fix it again.
>
> I don't know what was lost during the AD crash. It seems as if the
> system no longer thinks that administrator is a local admin. But it
> seems to know administrator is a domain admin. That, or there is some
> error with the local computer account (which doesn't appear in the
> list on the logon screen.. but I can't recall if it ever did. Win2k
> Pro and XP clients do have the option of either a local logon or
> domain logon.) The local computer account is still listed in the AD
> users and computers under "Domain Controllers".
>
> Other than that, the error logs are clean and, as I said, most
> everything appears to be working normally. But I'd like to get to the
> bottom of this problem before I allow that security patch to be
> installed on the production servers.
>
> TIA for any help you can offer.
First thing I would do is remove the ISP's DNS address from your IP
properties. That is probably causing that error and not necessarily due to
the hotfix/updates. AD is trying to register into DNS *but* since you have
your ISP's in there, it either cannot find the zone, or the zone doesn't
have updates enabled on it, or other problems. The idea is basically not to
use your ISP's at all anywhere other than a forwarder. Read this next
section to see what I mean.
Here's a re-post of a previous post I just answered that is having a similar
problem with DNS and AD:
========
This is because AD stores ALL of its domain info (service and resource
locations) in DNS. Your ISP's DNS doesn't have the answer when a client
asks, "Where's a domain controller so I can...login...find domain...etc,"
and many other requests of your AD domain.
General rule of thumb, and best practice method to ENSURE AD's complete
clean functionality:
Point ALL internal machines to the internal DNS servers ONLY.
Do not use ISP's DNS servers in any internal machine properties.
If you have one DC, point DNS to the internal server, even if it's itself.
If you have two DCs running AD Integrated zones:
DC1: DC2
     DC1
DC2: DC1
     DC2
If you need Internet resolution, use a forwarder that you would individually
set up on each DNS server to "forward" outside requests to the ISP's and it
will return the answer to the client. This way ALL queries will go to your
DNS server(s) first, which will ensure AD's functionality. It shows you how
to set up a forwarder in this article:
http://support.microsoft.com/?id=300202
============
--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
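Added example, not part of the original post: one way to audit the rule above ("point ALL internal machines to the internal DNS servers ONLY") is to parse `ipconfig /all` output and flag any configured resolver outside the internal network. The sample output, the addresses, and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output; all addresses are made up.
# 203.0.113.53 stands in for an ISP resolver left in the adapter properties.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.10
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            203.0.113.53
"""

def parse_dns_servers(text):
    """Return {adapter name: [DNS server addresses in configured order]}."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        # Adapter headers start in column 0 and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current, in_dns = line.rstrip()[:-1], False
            adapters[current] = []
            continue
        if current is None:
            continue
        m = re.match(r"\s+DNS Servers[ .]*:\s*(\S*)", line)
        if m:
            in_dns = True
            if m.group(1):
                adapters[current].append(m.group(1))
        elif in_dns and re.fullmatch(r"\s+[0-9A-Fa-f:.%]+", line):
            # Additional servers appear as bare addresses on following lines.
            adapters[current].append(line.strip())
        else:
            in_dns = False
    return adapters

def audit(text, internal_nets):
    """Return (adapter, server) pairs whose resolver is not internal."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    for adapter, servers in parse_dns_servers(text).items():
        for server in servers:
            ip = ipaddress.ip_address(server.split("%")[0])
            if not any(ip in net for net in nets):
                findings.append((adapter, server))
    return findings
```

Any pair returned by `audit` is a resolver that should be removed from the adapter and configured only as a forwarder on the internal DNS server.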