date: Thu, 2 Feb 2006 10:49:38 -0000,
group: microsoft.public.exchange2000.active.directory.integration
Re: Window 2000 Native Mode
Thanks for the info, I'll try that!
It's funny how it boots OK without a network connection and works OK after I
plug the network cable back in once it's up? However, been getting these in
the event logs:
DSACCESS returned an error '0x80004005' on DS notification. Microsoft
Exchange System Attendant will re-set DS notification later.
Details
Product: Exchange
Event ID: 9154
Source: MSExchangeSA
Version: 6.5.0000.0
Message: DSACCESS returned an error 'error code' on DS notification.
Microsoft Exchange System Attendant will re-set DS notification later.
Explanation
This event is displayed in the Application Log when the Exchange server is
unable to access a Domain Controller (DC). For example, this event may occur
when a DC is restarted, if that is the ONLY DC in the site that the Exchange
server belongs to.
The most likely cause for this Event is that the Kerberos ticket timed out.
This typically happens in a topology that has a single DC. When the Kerberos
tickets that are associated with the Lightweight Directory Access Protocol
(LDAP) connections time out, all LDAP connection attempts show errors
because the security contexts have failed. These connections must be
re-established. Because there is only one domain controller in this
topology, there are no other servers to obtain a ticket from while this
re-establishment takes place. Therefore, the error occurs.
Incorrect DNS configuration.
User Action
The client LDAP connections should get re-established automatically and the
errors should go away once this re-establishment has taken place. It is
recommended that additional DCs be installed in the site in order to avoid
such errors.
Ensure that both the Primary and Alternate DNS Servers listed in the
Exchange Server IP Properties are up and running and have been configured
properly.
Check the DC to ensure that it is running properly. For example, ensure that
it is not restarting unnecessarily.
Version: 6.5.6940.0
Component: Microsoft Exchange System Attendant
Message: DSACCESS returned an error '<error code>' on DS notification.
Microsoft Exchange System Attendant will re-set DS notification later.
Explanation
This event is displayed in the application log when the Exchange server is
unable to access a domain controller. For example, this event can occur when
a domain controller is restarted, if that is the ONLY domain controller in
the site to which the Exchange server belongs.
The most probable cause for this event is that the Kerberos ticket timed
out. This typically happens in a topology that has a single domain
controller. When the Kerberos tickets that are associated with the
Lightweight Directory Access Protocol (LDAP) connections time out, all LDAP
connection attempts show errors because the security contexts have failed.
These connections must be re-established. Because there is only one domain
controller in this topology, there are no other servers to obtain a ticket
from while this re-establishment takes place. Therefore, the error occurs.
Incorrect Domain Name System (DNS) configuration.
User Action
The client LDAP connections should get re-established automatically and the
errors should go away once this re-establishment has taken place. It is
recommended that additional domain controllers be installed in the site in
order to avoid such errors.
Ensure that both the Primary and Alternate DNS servers listed in the
Exchange Server IP Properties are up and running and have been configured
properly.
Check the domain controller to ensure that it is running properly. For
example, ensure
Process MAD.EXE (PID=4980). All Domain Controller Servers in use are not
responding:
MOBBOSS.lancaster.monstermob.com
mob001.lancaster.monstermob.com
mobapp.lancaster.monstermob.com
Details
Product: Exchange
Event ID: 2102
Source: MSExchangeDSAccess
Version: 6.5.0000.0
Message: Process %1 (PID=%2). All Domain Controller Servers in use are not
responding:
%3
Explanation
This event indicates that the DSAccess component on the Exchange Server was
unable to find any domain controllers suitable for LDAP queries. This can
result in the halting of mail flow, so it should be investigated
immediately.
The most likely cause is that the Kerberos ticket timed out. When the
Kerberos tickets that are associated with the Lightweight Directory Access
Protocol (LDAP) connections time out, all LDAP connections get errors
because the security contexts have failed and these connections must be
re-established. If there are no other servers to obtain a ticket from while
this re-establishment takes place, then the error occurs.
The Manage Auditing and Security Log right (SeSecurityPrivilege) was removed
for the Exchange Enterprise Servers domain local group on some or all of the
domain controllers.
All intra-site and extra-site DCs are down or network problems have rendered
them unreachable.
User Action
Try to have at least two DCs (configured as GCs) in a SITE. This is for
failover purposes.
Run the Exchange setup with the /DOMAINPREP switch. This will reassign the
SeSecurityPrivilege right to the Exchange Enterprise Servers Group.
Check the event log for DSAccess event ID 2080 (may need to increase the
DSAccess logging level to record this event). The detail in that event will
help determine if DCs have been contacted that are unsuitable for some
reason. They can then be corrected.
Look for DSAccess event ID 2070 in the event logs. These events will detail
why each DC has become unsuitable. Correct as necessary.
Process STORE.EXE (PID=4336). Topology Discovery failed, error 0x80040952.
Details
Product: Exchange
Event ID: 2114
Source: MSExchangeDSAccess
Version: 6.5.6940.0
Component: Microsoft Exchange Directory Access Cache
Message: Process <process name> (PID=<process id>). Topology Discovery
failed, error 0x<error code>.
Explanation
This event indicates that new topology could not be generated. If this is
NOT the first topology discovery since system startup, the previously
discovered topology will be used. However, topology discovery failure is
usually a sign of a serious problem and needs to be investigated
immediately. The following are the possible causes:
All local domain controllers are down or deemed not suitable.
Network problems are preventing the Exchange server from contacting the
domain controllers.
There are permissions problems.
User Action
Look up the Lightweight Directory Access Protocol (LDAP) error description
in the "Microsoft LDAP Error Codes" Knowledge Base article. To reach this
article, search for "Microsoft LDAP Error Codes" on the Microsoft web site.
Check local domain controllers to ensure that they are up and running and
also check network connectivity to these domain controllers.
Look for accompanying events in the application log. You may need to turn up
logging for the Topology category of DSAccess to see these additional
events.
"Paul Williams [MVP]" wrote in message
news:elUL4%23$JGHA.3200@tk2msftngp13.phx.gbl...
> Slow logons usually indicate DNS problems. Verify that this DC can find a
> DC with either NLTEST or NSLOOKUP [1] and that there are not userenv,
> scecli and/or netlogon errors in the event logs.
>
> Also, seeing as you deleted and re-created the computer account, ensure
> that the Exchange server is a member of the local Exchange Domain Servers
> group.
>
>
> ---
> [1] The following commands will help:
>
> nltest /dsgetdc:domain-name.com
> nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com
>
> Note. NLTEST is a support tool -
> http://www.msresource.net/content/view/53/46/
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>
date: Thu, 2 Feb 2006 15:09:06 -0000
author: Stuart Errington
Re: Window 2000 Native Mode
Paul,
Now getting this in the logs, any suggestions?:
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 07/02/2006
Time: 01:16:52
User: N/A
Computer: MOBMAIL
Description:
The Security System detected an authentication error for the server
ldap/mobapp.lancaster.monstermob.com. The failure code from authentication
protocol Kerberos was "The attempted logon is invalid. This is either due to
a bad username or authentication information.
(0xc000006d)".
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 07/02/2006
Time: 01:16:52
User: N/A
Computer: MOBMAIL
Description:
The Security System detected an authentication error for the server
ldap/mob001.lancaster.monstermob.com. The failure code from authentication
protocol Kerberos was "The attempted logon is invalid. This is either due to
a bad username or authentication information.
(0xc000006d)".
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 07/02/2006
Time: 01:17:02
User: N/A
Computer: MOBMAIL
Description:
The Security System detected an authentication error for the server
ldap/MOBBOSS.lancaster.monstermob.com. The failure code from authentication
protocol Kerberos was "The attempted logon is invalid. This is either due to
a bad username or authentication information.
(0xc000006d)".
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 07/02/2006
Time: 01:17:02
User: N/A
Computer: MOBMAIL
Description:
The Security System detected an authentication error for the server
ldap/mobapp.lancaster.monstermob.com/lancaster.monstermob.com@lancaster.monstermob.com.
The failure code from authentication protocol Kerberos was "The attempted
logon is invalid. This is either due to a bad username or authentication
information.
(0xc000006d)".
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 07/02/2006
Time: 01:50:06
User: N/A
Computer: MOBMAIL
Description:
The Security System detected an authentication error for the server
LDAP/MOBBOSS.lancaster.monstermob.com/lancaster.monstermob.com@lancaster.monstermob.com.
The failure code from authentication protocol Kerberos was "The attempted
logon is invalid. This is either due to a bad username or authentication
information.
(0xc000006d)".
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 07/02/2006
Time: 01:50:06
User: N/A
Computer: MOBMAIL
Description:
The Security System detected an authentication error for the server
LDAP/mobapp.lancaster.monstermob.com/lancaster.monstermob.com@lancaster.monstermob.com.
The failure code from authentication protocol Kerberos was "The attempted
logon is invalid. This is either due to a bad username or authentication
information.
(0xc000006d)".
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 07/02/2006
Time: 01:50:08
User: N/A
Computer: MOBMAIL
Description:
The Security System detected an authentication error for the server
LDAP/mob001.lancaster.monstermob.com/lancaster.monstermob.com@lancaster.monstermob.com.
The failure code from authentication protocol Kerberos was "The attempted
logon is invalid. This is either due to a bad username or authentication
information.
(0xc000006d)".
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..
"Paul Williams [MVP]" wrote in message
news:uF$LyPWKGHA.4044@TK2MSFTNGP10.phx.gbl...
>> does the nltest result indicate 10.0.0.50 is authoritative for the dns
>> zone?
>
> No. It is just the DC that was located. This DC should be in your site.
> If your site comprises one subnet, this result is passed back using
> round robin "load balancing". If you have several subnets in the site, the
> results are still passed back in a round robin format but are re-jigged by
> the resolver so that the local network is on the top.
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>
date: Tue, 7 Feb 2006 09:45:10 -0000
author: Stuart Errington
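
The LSASRV 40960 warnings in the post above name a different LDAP SPN each time but carry the same Data bytes. As an added example (not code from the thread or from any poster), this Python script decodes those bytes as a little-endian NTSTATUS, cross-checks them against the code quoted in the Description, and groups the failures by target DC. The sample events are constructed in the post's text layout, and the function names are hypothetical.

```python
import re
from collections import Counter
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE"}  # the code quoted in the post
SPN_RE = re.compile(r"for the server\s+(\S+?)\.\s")
DATA_RE = re.compile(r"^0000: ([0-9a-f]{2}(?: [0-9a-f]{2}){3})", re.M | re.I)
CODE_RE = re.compile(r"\((0x[0-9a-f]{8})\)", re.I)

def _event(spn, event_id=40960):
    """Build one constructed event in the text layout used in the post."""
    return (f"Event Type: Warning\nEvent Source: LSASRV\nEvent ID: {event_id}\n"
            "Description:\nThe Security System detected an authentication error "
            f"for the server\n{spn}.\nThe failure code from authentication protocol "
            'Kerberos was "The attempted logon is invalid. (0xc000006d)".\n'
            "Data:\n0000: 6d 00 00 c0 m..\n")
DOMAIN = "lancaster.monstermob.com"
SAMPLE = "".join([  # constructed sample, not the poster's full log
    _event(f"ldap/mobapp.{DOMAIN}"),
    _event(f"LDAP/MOBBOSS.{DOMAIN}/{DOMAIN}@{DOMAIN}"),
    _event(f"LDAP/mobapp.{DOMAIN}/{DOMAIN}@{DOMAIN}"),
    _event(f"LDAP/mob001.{DOMAIN}/{DOMAIN}@{DOMAIN}"),
    _event(f"ldap/skipped.{DOMAIN}", event_id=9999),  # other IDs are ignored
])

def parse_spn(spn):
    """Split class/host[/service-name][@realm]; parts are lower-cased."""
    body, _, realm = spn.partition("@")
    parts = body.lower().split("/") + [""]
    return parts[0], parts[1], realm.lower()

def triage(text):
    """Map each target DC host to a Counter of decoded status names."""
    result = {}
    for ev in text.split("Event Type:")[1:]:
        spn, data = SPN_RE.search(ev), DATA_RE.search(ev)
        if not (re.search(r"^Event ID:\s*40960\s*$", ev, re.M) and spn and data):
            continue
        # The Data dump is the NTSTATUS stored as a little-endian DWORD.
        status = int.from_bytes(bytes.fromhex(data.group(1)), "little")
        quoted = CODE_RE.search(ev)
        if quoted and int(quoted.group(1), 16) != status:
            raise ValueError("Data bytes and Description code disagree")
        host = parse_spn(spn.group(1))[1]
        result.setdefault(host, Counter())[NTSTATUS.get(status, hex(status))] += 1
    return result

def common_status(result):
    """Return the one status shared by every target DC, else None."""
    seen = {name for counts in result.values() for name in counts}
    return seen.pop() if len(seen) == 1 else None
```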