Lack of Connectivity to Domain Controller - Domain Controller Access Issues Requires Repeated Reauthentication

Sorry if my attempt to be thorough in my description may result in excessive and unnecessary information. 
I'm running into some problems with a single server running WS 2012 R2 as a domain controller (AD and DNS) and I’m trying to figure out what the cause is. 
The network has ~10 computers on it connected through a cable business gateway (running DHCP) which feeds 2 switches and a wireless router acting as a switch. (I also turned on remote services, but the end users aren’t using that until I get certificates set up.)
For 6+ months everyone had access to the shared files and databases on each workstation without issue. 
In the last month users would occasionally have to re-enter their credentials to get access to shared server folders despite being on a domain account already. 
Last week one of the computers intermittently cannot gain access to the shared folders – entering the correct credentials just results in the credentials being requested again and again: There’s an error icon at the bottom saying that “there are currently no logon servers available to service the logon request”.  While access is rejected I’m still able to ping the DC both via its name and IPv4 address. 
(Pinging via its name results in an IPv6 address in the response.) 
Other network connectivity appears intact (able to browse the web, perform network discovery.)
Things that ‘seem’ to allow access on this computer until the next failure:
Entering a different domain username and password into the windows credentials request has allowed access a couple of times.
Disconnecting and reconnecting the network cable allowed the original username to be used to log on (at least once.)
After removing it from and then rejoining it to the domain (a few hours ago) it experienced the problem once more. Also, logging on with domain credentials created a TEMP user folder instead of the folder with the domain username. 
Looking at the event logs, I notice there are quite a few warnings and errors reported regarding DC access on many of the computers; maybe this is normal?
Most Problematic Computer:
Event ID 8016:  System failed to register host A or AAAA resource records. (With an unknown IPv6 and the server’s IPv4 address in the DNS server list.) 
Event ID 131:  NtpClient unable to set a domain peer to use as a time source because of DNS resolution error on ‘Server.domain.local’ ‘No such host is known.’
Event ID 5719:  NETLOGON. This computer was not able to setup a secure session with a domain controller in the domain due …..: there are currently no logon servers available to service the logon request.
And then pairs of: Event 1500: The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy. & Event 1054: The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
Event 1030:  The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
On the server I’ve run DCDIAG and DCDIAG /test:DNS and those all appeared to pass.
Ipconfig/all from the server:
   Connection-specific DNS Suffix 
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
   Physical Address. . . . . . . . . : FC-4D-D4-F2-A1-83
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:b155:a0b0:892d:9ed5(Preferred)
   Link-local IPv6 Address . . . . . : fe80::b155:a0b0:892d:9ed5%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.10.42(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%13
                                       10.1.10.1
   DHCPv6 IAID . . . . . . . . . . . : 234638804
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3F-7D-B9-68-05-CA-24-31-C4
   DNS Servers . . . . . . . . . . . : ::1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
Ipconfig/all from the problematic computer:
Wireless LAN adapter Wi-Fi:
   Connection-specific DNS Suffix  . : wp.comcast.net
   Description . . . . . . . . . . . : Intel(R) Centrino(R) Wireless-N 6150
   Physical Address. . . . . . . . . : 40-25-C2-63-C2-B8
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:8f5:1606:d0a8:6b25(Preferred)
   Temporary IPv6 Address. . . . . . : 2601:8:a182:1100:283e:f9e8:4841:6c50(Preferred)
   Link-local IPv6 Address . . . . . : fe80::8f5:1606:d0a8:6b25%3(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.10.31(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, March 10, 2015 9:19:02 AM
   Lease Expires . . . . . . . . . . : Tuesday, March 17, 2015 1:23:15 PM
   Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%3
                                       10.1.10.1
   DHCP Server . . . . . . . . . . . : 10.1.10.1
   DHCPv6 IAID . . . . . . . . . . . : 54535618
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-15-6B-AA-F0-DE-F1-9C-07-D4
   DNS Servers . . . . . . . . . . . : 2001:558:feed::1
                                       2001:558:feed::2
                                       10.1.10.42
   NetBIOS over Tcpip. . . . . . . . : Enabled
Any thoughts? I was assuming it was a Domain Controller/DNS error, but I don't know where to check next.  Could a failing piece of hardware be the culprit? 
Thanks,
 -JT

Hi,
According to the error you have posted.
A Netlogon 5719 event indicates that the client component of Netlogon was unable to locate a DC for the domain it was trying to perform an operation against.
Most of the time this is caused by network issues or name resolution (DNS/WINS) issues, you could refer to:
Netlogon 5719 and the Disappearing Domain [Controller]
http://blogs.technet.com/b/instan/archive/2008/09/18/netlogon-5719-and-the-disappearing-domain.aspx
Did you refer to this KB article?
Event ID 5719 is logged when you start a Domain Member
http://support.microsoft.com/kb/938449
Regards.
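The reply above points at name resolution as the usual cause of Event 5719. As an added example (not part of the original thread), the following parses `ipconfig /all` text and lists every configured DNS server that is not one of the domain's own DNS servers. The function names are hypothetical, the sample input is abridged from the client output posted in the question, and 10.1.10.42 is taken from the server's output as the domain DNS server.

```python
import ipaddress
import re

# Abridged from the client output in the question. Continuation lines carry
# further values for the preceding label, as ipconfig prints them.
CLIENT_IPCONFIG = """\
Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : wp.comcast.net
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.10.31(Preferred)
   Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%3
                                       10.1.10.1
   DHCP Server . . . . . . . . . . . : 10.1.10.1
   DNS Servers . . . . . . . . . . . : 2001:558:feed::1
                                       2001:558:feed::2
                                       10.1.10.42
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# A label line is indented and ends its dot leader with ". :"; requiring that
# sequence keeps IPv6 continuation lines from being mistaken for labels.
LABEL_RE = re.compile(r"^\s+(?P<label>.+?)[ .]*\. :\s?(?P<value>.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {label: [values]}} from `ipconfig /all` text."""
    adapters, current, label = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            label = None
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = adapters.setdefault(line[:-1], {})   # adapter header
            label = None
            continue
        if current is None:
            continue                                       # host-level section
        match = LABEL_RE.match(line)
        if match:
            label = match.group("label")
            value = match.group("value").strip()
            current[label] = [value] if value else []
        elif label is not None:
            # Continuation line, indented or not (pasted output often loses
            # the indentation): another value for the previous label.
            current[label].append(line.strip())
    return adapters


def to_ip(value):
    """Strip '(Preferred)' and any '%zone' suffix; return None if not an IP."""
    token = value.split("(")[0].split("%")[0].strip()
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def foreign_resolvers(text, domain_dns, allow_loopback=False):
    """List (adapter, resolver, position) for DNS servers outside domain_dns.

    allow_loopback=True suits output collected on the DC itself, where ::1 and
    127.0.0.1 refer to its own DNS service.
    """
    allowed = {ipaddress.ip_address(a) for a in domain_dns}
    findings = []
    for name, fields in parse_ipconfig(text).items():
        for pos, value in enumerate(fields.get("DNS Servers", []), start=1):
            ip = to_ip(value)
            if ip is None or ip in allowed:
                continue
            if allow_loopback and ip.is_loopback:
                continue
            findings.append((name, str(ip), pos))
    return findings


if __name__ == "__main__":
    for adapter, resolver, pos in foreign_resolvers(CLIENT_IPCONFIG, ["10.1.10.42"]):
        print(f"{adapter}: DNS server #{pos} {resolver} is not a domain DNS server")
```

A resolver that does not host the AD zone cannot answer for `_ldap._tcp.dc._msdcs.<domain>`, so any entry this reports is a place where DC lookups can fail even though the DC still answers ping.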

Similar Messages

  • The processing of Group Policy failed because of lack of network connectivity to a domain controller

    We are setting up a new AD environment with one AD/DC running DNS services, and a secondary DNS server configured with secondary zone. The problem is that none of the machines in the domain are getting GPO.
    When I run a gpupdate /force from a machine, I get the following output:
    "Updating Policy...
    User Policy update has completed successfully.
    Computer policy could not be updated successfully. The following errors were encountered:
    The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results."
    While the system event log outputs the following:
    "The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator."
    All the machines that were joined to the domain are able to resolve in forward and reverse lookups, ping the DC and ping each other so I don't understand how the error can be resolved.
    Here are few things I have tried:
    1. I came across this KB which checked ok for me: http://support.microsoft.com/kb/241515
    2. Made a copy of the default GPO, applied to a OU with one machine, and made sure to remove any GPO links from above
    3. Enabled the following  two local Group policies on a test member:
    GP slow link detection
    Startup policy processing wait time
    4. Modified firewall to allow everything on both member and DC
    5. Verified DNS logs, SRV records, access to sysvol (added authenticated users to sysvol)
    I have yet to figure out the reason for this issue. Has anyone seen anything like this before?

    1. I checked the NIC, it only has one IP, and I followed your article. I set the primary DNS to its own IP and the secondary DNS to the loopback IP
    2. This is a new DC and DNS server. I don't have old records yet. I also checked the DNS event logs. No errors
    3. I made sure the member server is pointing only to the only DC/DNS server
    4. Here is the output from the dcdiag....  everything passed except the NetLogons part. I'm not sure what it means or how to fix it yet:
          Starting test: NetLogons
             * Warning BUILTIN\Administrators did not have the "Access this
             computer
             "*   from network" right.
             [hostname] An net use or LsaPolicy operation failed with error
             1, Incorrect function..
             ......................... hostname failed test NetLogons
    Complete output:
    > hostname
    Server:  hostname.domain.local
    Address:  X.X.X.95
    > ^C
    C:\Windows\system32>
    C:\Windows\system32>nslookup
    > set type=all
    >
    >
    >
    > _ldap._tcp.dc._msdcs.domainname
    _ldap._tcp.dc._msdcs.domain.local SRV service location:
              priority       = 0
              weight         = 100
              port           = 389
              svr hostname   = hostname.domain.local
    hostname.domain.local      internet address = X.X.X.95
    > ^C
    C:\Windows\system32>cd ..
    C:\Windows>cd SYSVOL
    C:\Windows\SYSVOL>cd sysvol
    C:\Windows\SYSVOL\sysvol>dir
     Volume in drive C has no label.
     Volume Serial Number is F624-CDB2
     Directory of C:\Windows\SYSVOL\sysvol
    10/29/2014  08:25 PM    <DIR>          .
    10/29/2014  08:25 PM    <DIR>          ..
    10/29/2014  08:25 PM    <JUNCTION>     domain.local [C:\Windows\SYSVOL\domain]
                   0 File(s)              0 bytes
                   3 Dir(s)  63,971,037,184 bytes free
    C:\Windows\SYSVOL\sysvol>dcdiag
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = hostname
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\hostname
          Starting test: Connectivity
             ......................... hostname passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\hostname
          Starting test: Advertising
             ......................... hostname passed test Advertising
          Starting test: FrsEvent
             ......................... hostname passed test FrsEvent
          Starting test: DFSREvent
             ......................... hostname passed test DFSREvent
          Starting test: SysVolCheck
             ......................... hostname passed test SysVolCheck
          Starting test: KccEvent
             ......................... hostname passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... hostname passed test
             KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... hostname passed test MachineAccount
          Starting test: NCSecDesc
             ......................... hostname passed test NCSecDesc
          Starting test: NetLogons
             * Warning BUILTIN\Administrators did not have the "Access this
             computer
             "*   from network" right.
             [hostname] An net use or LsaPolicy operation failed with error
             1, Incorrect function..
             ......................... hostname failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... hostname passed test
             ObjectsReplicated
          Starting test: Replications
             ......................... hostname passed test Replications
          Starting test: RidManager
             ......................... hostname passed test RidManager
          Starting test: Services
             ......................... hostname passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 03/04/2015   18:23:06
                Event String:
                Name resolution for the name ctldl.windowsupdate.com timed out after
     none of the configured DNS servers responded.
             ......................... hostname passed test SystemLog
          Starting test: VerifyReferences
             ......................... hostname passed test VerifyReferences
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : emcdsm
          Starting test: CheckSDRefDom
             ......................... emcdsm passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... emcdsm passed test CrossRefValidation
       Running enterprise tests on : domain.local
          Starting test: LocatorCheck
             ......................... domain.local passed test LocatorCheck
          Starting test: Intersite
             ......................... domain.local passed test Intersite
    C:\Windows\SYSVOL\sysvol>

  • ACL migration Error : 1210 could not find a domain controller for domain "Test Domain" (Old Domain)

    Hi
    We are migrating from old domain to new domain. Before live migration, we are trying to check the ACE/ACL migration through SubInACL. We are running the SubInACL on a cluster, which is a member of the Old Domain (Test Domain). We are able to resolve and ping both Old Domain and the New domain from this cluster machine. We have created a network share on this cluster, which is accessible to all Domain Users of the Old Domain. Both Domains have two way forest level trust. We are trying to migrate the ACL of this share (\\ClusterMachine\testshare$) to the new domain using SubInACL. We are trying to run the below command to get it done.
    subinacl /outputlog=C:\Users\Administrator\Desktop\Migrationlog.txt /subdirectories \\ClusterMachine\testshare$\*.* /migratetodomain=OldDomain=NewDomain=mappingfile.txt
    Mapping file contains : Domain Users=NewDomain_Users
    But we are getting the Error that "1210 could not find a domain controller for domain "Test Domain". Error finding domain name : 1210 the format of the specified computer name is invalid. Current Object "\\ClusterMachine\testshare$" will not be processed."

    Hello,
    how in detail is DNS set up in each domain?
    Any problems when using nslookup to verify?
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Limitations of regulatory domains on a controller

    Hello,
    are there any limitations of the amount of used regulatory domains on a controller?
    Sven

    Hello Saravanan,
    very good information.
    But one question is open for me:
    The quantity.
    How many regulatory domains can I use on one controller simultaneously?
    Unlimited?
    Regard Sven

  • SCCM 2012 R2 - Distribution Point untrusted domain - Not acknowledging Network Access Account (FYI)

    Hello!
    Scenario
    Built a single primary site server in one domain with multiple distribution points. All site servers are member of this one site.
    The distribution points in the primary site servers' domain function as expected. The distribution point deployed to an untrusted domain does not. The primary site server can see all objects in the domain, publishes successfully, and CCM client on the DP in the untrusted domain knows it's part of the site, knows its AD site (according to locationservices.log). The DP role is installed properly, logs are populating, queries are being made for application lists and updates. Unfortunately authentication errors indicate that this software can't be downloaded.
    In essence the DP in the untrusted domain can't pull down content from the primary site server. The role uses BITS to download content from IIS on the primary site server, but the requests each throw a 401 error. Unauthorised. This should be an easy fix.
    Create a Network Access Account in the primary site server's domain, assign it to the site (Software Distribution setting), wait for the DP to pick up the setting and watch it retrieve its content. The DP in the untrusted domain is configured as a Pull DP, implying it has to use a Network Access Account to download content. It knows the content is available and makes every effort to download it.
    Problem
    The DP in the untrusted domain doesn't know a Network Access Account (NAA) has been defined for the site.
    The account does exist, created in the primary site server's domain and assigned to the site. It's not a password issue. IIS has not been set for Anonymous access as this isn't needed - the NAA should provide the credentials it requires to pull down content. A manual check using the URL of the package confirms the package is accessible from the DP when using the NAA's credentials. I've allowed enough time (I think) for the DP to acknowledge the NAA. For fun the DP role was removed, and the CCM agent removed. Both were reinstalled. A fresh install didn't detect the NAA.
    Solution
    After some soul searching and a little frustration, it came down to this: A Pull DP always uses the Network Access Account. If the DP can't find a Network Access account it will fail to pull down content. This is undisputed. Found an article that states the Pull DP always uses the CCM client configuration to do its dirty work. At that point the CCM client was checked. It had the classic problem of only displaying two Actions - Machine Policy Retrieval & Evaluation Cycle, User policy Retrieval & Evaluation Cycle. Most components were installed but not enabled. This is fairly common. Looked at the console, found the device, added the Approval column. Turns out it wasn't auto-approved. Reason being that the client is in an untrusted domain and clients in untrusted domains aren't approved automatically (by default).
    In this case something as simple as approving the client fixed these issues. 
    The DataTransferService.log highlights the issue:
    <![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}' ErrorCode=0x80190191]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="dtsjob.cpp:3501">
    <![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' URL='http://PRIMARYSERVER.A.B.COM:80/SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68' ProtType=1]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="dtsjob.cpp:3504">
    <![LOG[Authentication required by the proxy, DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}'.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="3" thread="3136" file="dtsjob.cpp:3513">
    <![LOG[DTSJob {8814E9A1-3D26-4089-83CF-3C7D17BCEC6E} in state 'Cancelled'.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3688" file="dtsjob.h:166">
    <![LOG[DTS job {17E0B672-F699-434D-B063-87CC2ACF715C} BITS job {38B81ADE-55B5-4BD7-A881-DBFF13943EDE} encountered Access Denied error during download.  Will retry using Network Access Account.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="2" thread="3136" file="dtsjob.cpp:3652">
    <![LOG[DTSJob {8814E9A1-3D26-4089-83CF-3C7D17BCEC6E} cancelled by client.]LOG]!><time="18:25:54.280+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3688" file="dtsjob.cpp:3205">
    <![LOG[No network access account info found.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="netaccessaccount.cpp:288">
    <![LOG[The network access account is not defined.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="netaccessaccount.cpp:858">
    <![LOG[DTSJob {17E0B672-F699-434D-B063-87CC2ACF715C} encountered error setting BITS job to use Network Access Account (0x00000000).]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="3" thread="3136" file="dtsjob.cpp:1885">
    The IIS server logs u_ex150219.log captures the request:
    2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 - 401 2 5 1509 2
    2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 - 401 1 3221225581 1509 4
    2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 - 401 1 3221225581 1509 3
    2 x Domains: DomainA and DomainX
    - Single domain forests
    - No trusts between domains/forests
    DomainA\PRIMARYSERVER
    - Primary Site Server, MP, DP, IIS, all roles
    DomainX\DP1
    - Distribution Point, IIS, etc
    - CCM client installed

    Based on the above, you are using a PullDP. If so, have you installed the client agent on this system? The client agent is required on PullDPs in untrusted domains so that they can acquire the NAA.
    Jason | http://blog.configmgrftw.com | @jasonsandys
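The sequence in the DataTransferService.log excerpt above (an HTTP authentication failure, then a missing Network Access Account on the same thread) can be picked out of a log mechanically; this is an added example, not part of the original posts. The function names are hypothetical, the sample entries are copied from the excerpt, and reading 0x80190191 as HTTP 401 relies on the HRESULT layout (FACILITY_HTTP with the status code in the low 16 bits).

```python
import re

# Entries copied from the excerpt in the post; two are left wrapped across
# lines the way they appear there, to show the parser tolerates it.
SAMPLE_LOG = '''<![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}' ErrorCode=0x80190191]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService"
context="" type="1" thread="3136" file="dtsjob.cpp:3501">
<![LOG[DTSJob {8814E9A1-3D26-4089-83CF-3C7D17BCEC6E} cancelled by client.]LOG]!><time="18:25:54.280+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3688" file="dtsjob.cpp:3205">
<![LOG[No network access account info found.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1"
thread="3136" file="netaccessaccount.cpp:288">
<![LOG[The network access account is not defined.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="netaccessaccount.cpp:858">
'''

# One CMTrace-style entry: message between <![LOG[ and ]LOG]!>, then attributes.
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"'
    r'\s+component="(?P<component>[^"]*)"\s+context="[^"]*"'
    r'\s+type="(?P<type>\d)"\s+thread="(?P<thread>\d+)"\s+file="(?P<file>[^"]*)">',
    re.DOTALL,
)
ERROR_RE = re.compile(r"DTS Job ID='(\{[0-9A-Fa-f-]+\})'.*?ErrorCode=(0x[0-9A-Fa-f]{8})")
NAA_MISSING = (
    "No network access account info found.",
    "The network access account is not defined.",
)
FACILITY_HTTP = 0x19  # HRESULT facility BITS uses for HTTP status errors


def parse_cmtrace(text):
    """Return one dict per log entry, with whitespace in the message collapsed."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entry = m.groupdict()
        entry["msg"] = " ".join(entry["msg"].split())
        entries.append(entry)
    return entries


def http_status_from_hresult(code):
    """Return the HTTP status carried by a failed FACILITY_HTTP HRESULT, else None."""
    failed = bool(code & 0x80000000)
    facility = (code >> 16) & 0x7FF
    return (code & 0xFFFF) if failed and facility == FACILITY_HTTP else None


def triage(text):
    """Report DTS jobs that hit HTTP 401/407 and then found no NAA on the same thread."""
    pending = {}    # thread id -> (job id, HTTP status) awaiting an NAA message
    findings = []
    for entry in parse_cmtrace(text):
        err = ERROR_RE.search(entry["msg"])
        if err:
            status = http_status_from_hresult(int(err.group(2), 16))
            if status in (401, 407):
                pending[entry["thread"]] = (err.group(1), status)
        elif entry["msg"] in NAA_MISSING and entry["thread"] in pending:
            job, status = pending.pop(entry["thread"])
            findings.append({
                "job": job,
                "http_status": status,
                "thread": entry["thread"],
                "when": f'{entry["date"]} {entry["time"]}',
                "reason": entry["msg"],
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f["when"]} job {f["job"]}: HTTP {f["http_status"]}, then "{f["reason"]}"')
```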

  • Difference between component controller & Custom controller

    Hi all
    what is the main difference b/w component controller , custom controller & interface controller.
    i want to know the difference of these three in the real time environment.
    if anybody explains me with any simple example then it is great help to me....
    Thanks
    Suresh babu.

    Hi Suresh,
    Component Controller and Custom Controller are more or less the same. Both are related to a particular component in the webdynpro application you create.
    Component Controller:-
    For each component of yours there will be a component controller, wherein you can define context variables and methods, events etc. This is useful while using models.
    Simple example where we can see this is, when you create global context variable in this controller and map this variable to the view controller context variable of different view, which enables you to pass the value of the variable from one view to another.
    Custom Controller:-
    They also have the same function but as the name suggests their function can be customised. That is we can have more than one custom controller for a component. This is useful when we need to create separate execute methods for inputs from model import (both webservice and rfc call). So you can separate each other. Example is there in the more sample codes and application section.
    Interface Controller:
    There is only one interface controller for a component. It is mainly used when we need to communicate between two components. There is sample application for communication between two components in the sample codes and application section.
    Regards
    Sreedhar.

  • Diff between Component controller, Custom controller and View controller

    hi,
        Can any body tell me the following details,
    1. difference between the Component controller, Custom controller and View controller in WD-ABAP?
    2.what is Lead Selection?   
    Regards,
    Ravi

    Hi Ravi.
    The component controller is visible to all views in a component. So all context nodes and methods you create here can be accessed from all views in the component. This way you can share data between the views by mapping context nodes or thru method calls. You can also mark methods and nodes as interface so that they are accessible from other components that define component usages to this component.
    Custom controller is quite similar to the component controller. You can define it if you want to group some views with a custom controller for a certain functionality.
    If you want to access a custom controller in a view you have to define the usage first on the properties tab of the view.
    A view controller is only visible in the view itself. So all methods or context nodes you define here are only accessible by the current view.
    The lead selection is in most cases the current selected element in a context node. The lead selection is used by many UI elements to determine which element has to be shown (e.g. drop down).
    If you have a table with single selection the current selected table row is the lead selection element of the bound context node.
    So you can get the lead selection element easily in any method by calling context_node->get_element( ).
    Hope this clears your questions.
    Cheers,
    Sascha

  • Non-Domain Computers No Longer Access Domain Shares

    Hey All,
    I have a few Windows 2003 servers running AD on a domain.
    I have some users who have AD accounts on the domain but have been accessing from computers (PC and MAC) that are not on the domain.  They would simply connect \\servername\share.  They would get the prompt to authenticate...They would enter their
    Domain AD Credentials and access the share.
    Now they are unable to access the share with their credentials.  Unless I login with the administrative account.  They can access the share from a computer that IS on the domain though with their credentials.  This problem only appears to
    happen on the file servers.  Any credential can authenticate on the DCs regardless of whether their computer is on the domain or not.  I'm a little stumped here and would really appreciate any help.  
    Thanks.

    Please, see release v2:
    The V2 release of MS15-027 / KB 3002657 that resolves NTLM v2 authentication failures by Windows Server 2003 DCs is available:
    The X86 version is at
    http://www.microsoft.com/en-us/download/details.aspx?id=46147
    The ia64 version is at:
    http://www.microsoft.com/en-us/download/details.aspx?id=46204
    The amd64 is at:
    http://www.microsoft.com/en-us/download/details.aspx?id=46054
    Best Regards, Andrei ...
    Microsoft Certified Professional

  • Jython scripts fails from cmd line Error: no domain or domain template...

    --------------script---------------
    connect('weblogic','welcome1','t3://obi5.mnapps.state.mn.us:7101',adminServerName='AdminServer');
    print 'Connecting to Domain ...'
    try:     
         domainCustom()
    except:     
         print 'Already in domainCustom'
    cd('..\..')     
    print 'Go to biee admin domain'
    cd('oracle.biee.admin')
    print 'Go to coreapplication_obips1 Mbean'
    cd('oracle.biee.admin:oracleInstance=EPM91TD,type=BIDomain.BIInstanceDeployment.BIComponent,biInstance=coreapplication,process=coreapplication_obis1,group=Service')
    ------------script end---------------------
    ---works fine if it start wlst and type commands
    when running "java weblogic.WLST RestartOBI.py"
    -----------------------------output from command line execution--------------------------
    Welcome to WebLogic Server Administration Scripting Shell
    Type help() for help on available commands
    Error: No domain or domain template has been read.
    Connecting to Domain ...
    You will need to be connected to a running server to execute this command
    Go to biee admin domain
    Error: No domain or domain template has been read.
    Go to coreapplication_obips1 Mbean
    Thanks

    Also, you must put the parameters of the net use command in the correct order.
    C:\>net help localgroup
    The syntax of this command is:
    NET LOCALGROUP
    [groupname [/COMMENT:"text"]] [/DOMAIN]
    groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
    groupname name [...] {/ADD | /DELETE} [/DOMAIN]
    This help information tells you that you put the group name first after the words
    net localgroup. As Forest brook pointed out, if the group name contains spaces, you must enclose it in quotes.
    After the group name, put the name of the user or group you want to add to (or remove from) the local group. If the user or group name contains spaces, as noted, you must enclose it in quotes. After this group name, put the parameter
    /ADD to add to the local group, or put /DELETE to remove.
    For example, suppose you want to add the domain group FABRIKAM\Account Operators to the local Administrators group. This is the command you would enter:
    C:\> net localgroup Administrators "FABRIKAM\Account Operators" /add
    This command adds FABRIKAM\Account Operators to the local Administrators group.
    In your specific case, it looks like the command would be:
    C:\> net localgroup Administrators "XYZ\Desktop Administrator" /delete
    Bill

  • Domains Juggler, Domain Backup.

    For those use Domains Juggler: I updated Domains Juggler, why? you ask.
    Because some people still use it, and it allows a bit simpler way to create new Domain.sites.
    http://hac.i4host.net/ --> iWeb.html
    For those use Domain Backup: Domain Backup ONLY copies ~/Library/Application Support/iWeb/Domain.sites.
    Domain Backup will not work properly if you start iWeb by double click other Domain.sites outside of ~/Library/Application Support/iWeb/
    I'm looking at the solution on how to back up multiple Domain.sites. All inputs are welcome.

    Try this and send an email.
    http://www.geocities.com/[email protected]/Home.html
    OR
    try iWebSites
    http://mistergregg.com/cocoadrillosoftware/

  • Broken delegated domain _msdcs.domain.local (demoted last 'legacy' DC)

    Hi,
    We just decommissioned the last of our Windows 2003 domain controllers (replaced them with Windows 2012 DCs)
    All DNS zones are AD integrated including the delegated _msdcs.domain.local zone
    When I ran DCDIAG DNS tests afterwards I get:
                      TEST: Delegations (Del)
                      Error: DNS server: W2K3DC.domain.local. IP:x.x.x.x
                      [Broken delegated domain _msdcs.domain.local.]
    The last W2K3 DC to go also happened to be the first DC that was ever installed, i.e. when the domain.local domain and the delegation for _msdcs were created.
    It turns out that the NS record in the _msdcs.domain.local delegation only listed this server and no others.
    I have now added one of our W2K12 domain controllers as a name server in the NS record. I believe that I should now remove the old, demoted server from the NS record in order to get rid of the error message from DCDIAG.
    Just wanted some second opinions before I did this...
    Thanks for any help with this

    Just make sure that all existing DC/DNS servers are added under Name Servers
    tab in your zone properties. Also, remove your old DC/DNS servers from there.
    After that, just run dcdiag again to make sure that everything is okay.
    This posting is provided AS IS with no warranties or guarantees, and confers no rights.
    Ahmed MALEK

  • User DOMAIN / user has no access authorization for computer IP_address

    Dear Forum,
    When running a function module FTP_CONNECT with RFC destination SAPFTPA (in SM59). I always get a message "User <DOMAIN>/<user> has no access authorization for computer <IP_address>". Trying it with IE, I have no problem.
    There is always an event viewer security failure log when I try it:
    ===========================================
    Logon Failure:
         Reason:          Unknown user name or bad password
         User Name:     <user>
         Domain:          <DOMAIN>
         Logon Type:     8
         Logon Process:     IIS    
         Authentication Package:     MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
         Workstation Name:     GDCS009D
         Caller User Name:     GDCS009D$
         Caller Domain:     ERP
         Caller Logon ID:     (0x0,0x3E7)
         Caller Process ID:     968
         Transited Services:     -
         Source Network Address:     -
         Source Port:     -
    For more information, see Help and Support Center at
    ===========================================
    Please help....
    Regards,
    Agoes

    Hi ,
    Each and every SAP client (as it is client dependent)
    Go to SE16
    Table name : SAPFTP_SERVERS
    Go to Menu TABLE ---> Create new entries
    FTP SERVER NAME  *
    FTP SERVER PORT 21
    Save
    Regards
    Venkat
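
The failure event quoted in the question above can be read field by field. The following is an added example, not part of the original thread: it parses that event text and flags what the fields imply. The function names and the wording of the notes are assumptions made here; the logon-type table is the standard Windows one.

```python
import re

# Windows logon type codes used in security logon events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Event text from the post above, trimmed; placeholders kept as posted.
SAMPLE_EVENT = """\
Logon Failure:
     Reason:          Unknown user name or bad password
     User Name:     <user>
     Domain:          <DOMAIN>
     Logon Type:     8
     Logon Process:     IIS
     Authentication Package:     MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
     Workstation Name:     GDCS009D
     Caller User Name:     GDCS009D$
     Caller Domain:     ERP
     Caller Logon ID:     (0x0,0x3E7)
     Source Network Address:     -
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(\S.*?)\s*$")

def parse_event(text):
    """Return a dict of 'Field: value' pairs; a value of '-' becomes None."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            value = m.group(2)
            fields[m.group(1)] = None if value == "-" else value
    return fields

def triage(fields):
    """Return short notes on what the parsed fields indicate."""
    code = int(fields.get("Logon Type") or "0")
    notes = [f"logon type {code} ({LOGON_TYPES.get(code, 'Unknown')})"]
    if code == 8:
        notes.append("password was handed to the server unhashed (typical of IIS Basic auth or FTP)")
    if (fields.get("Caller Logon ID") or "").lower().endswith("0x3e7)"):
        notes.append("logon was attempted by a LocalSystem service on the server itself")
    if (fields.get("Caller User Name") or "").endswith("$"):
        notes.append("caller is a computer account, not the end user")
    if fields.get("Source Network Address") is None:
        notes.append("no client address recorded; correlate with the IIS/FTP service logs")
    return notes
```

Calling `triage(parse_event(SAMPLE_EVENT))` shows that the rejected logon was made by the IIS service on GDCS009D on the user's behalf, so the account and password being checked are the ones supplied to that service.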

  • Domain's "$DOMAIN-diagnostic.log" file contains only incident reports

    In OSB 11.1.1.4.0, the domain's $DOMAIN-diagnostic.log file contains ONLY lines like:
    [2011-04-18T11:40:55.362+10:00] [CWSOATS2_OSB1] [NOTIFICATION] [DFW-40104] [oracle.dfw.incident] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <WLS Kernel>] [ecid: a9082073e3c17b68:4cae68eb:12f662ee536:-8000-0000000000000634,0] [errid: 16] [detailLoc: e:\wldom\cwsoats2\servers\cwsoats2_osb1\adr\diag\ofm\cwsoats2\cwsoats2_osb1\incident\incdir_16] [probKey: BEA-337 [WebLogicServer]] incident 16 created with problem key "BEA-337 [WebLogicServer]"
    Previously, this file would contain a record of the activity of my JCA DBAdapter polling adapters.
    I have seen this on all instances of OSB 11.1.1.4.0 to which I have access (all on Windows: desktop Win7 and server 2003R2).
    Googling hasn't explained this to me: what this really means; why it occurs and what actions (if any) are needed to rectify this situation.
    Can some kind member of this forum clarify things, please?

    Hi,
    Do you mean that when you remove the user’s workstation computer account from AD then re-add it, the user still can use these "elevated" privileges to access other user directories?
    Please check the permissions of the user directory network share on the user’s workstation to see if the permissions are the same as on other workstations. If you enable the offline files on the user’s workstation, please also disable the offline files to check the results.
    Best Regards,
    Mandy 

  • Cross Domain Migrations - Able to access own mailbox but no other resource

    Hi,
    I wondered if anyone could offer any guidance on a problem we are seeing with a cross forest Exchange 2010 (domain A) to Exchange 2013 (domain B) migration.
    Our problem is based around the fact that the users are still logging into 'windows clients' in the source domain (domain A). We have configured mail enabled users in the source to enable auto discover to work correctly and the user can successfully
    connect to their own mailbox once it is provisioned in Exchange 2013 (domain B). Our main Outlook client being 2010 SP2.
    The user is not prompted to login at this stage, which is preferred.
    However the problem is that they cannot connect to any other resource in the Exchange 2013 (domain B) environment. (We have no interest in them accessing resources in the Exchange 2010 environment as this is a major switchover). When attempting to connect
    to public folders (2013) they receive only those permissions provided by the 'Default' user permission. When trying to expand a mailbox where full access has been granted they receive the 'Unable to expand. An attempt to logon to Microsoft Exchange
    has failed' error.
    If we change Outlook to 'Always prompt for logon credentials' and then login with credentials from the target domain (domain B), all resources can be accessed successfully.
    As part of our migration we have used ADMT, a two way trust is in place, SID history has been migrated and SID filtering is turned off in both directions. Passwords in both domains are matching by virtue of an Identity management solution. Outlook Anywhere on Exchange 2013 is set to negotiate (internal and external) with IIS configured with 'Basic, NTLM and Negotiate' as authentication types.
    Whilst the obvious answer is simply to get the users to login to the target domain (domain B), it is unfortunately a requirement that users continue to login to the source domain (domain A) for a while after the Exchange migration has completed.
    Would anyone be able to advise if this is just something we have to live with and find a way to force users to login every time they open Outlook, or is there perhaps a way to configure this to work so that users are not prompted to login but can access all their resources.
    Many thanks for any assistance or opinions.
    Kind Regards,
    Mark Needham

    Hi Mark,
    Please try to clean up the cached credential in your computer. Then fill in the new domain information (domainB\user) when it prompts for credentials next time and check the Remember my credential box to save it. To remove cached credentials, please follow these steps:
    1. Launch the Credential Manager from Control Panel > All Control Panel Items > Credential Manager.
    2. In the Generic Credentials section you’ll see a setting for [MS Outlook] which will include your SSO details. Click the downward-pointing arrow to the right of that value.
    3. In the expanded details, click Remove from vault. Then Outlook will no longer have a stored copy of your old login information (domainA\user).
    If it doesn’t work, please change the windows account with domainB\user information to have a try.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Domain access issue with limited user access

    Hi all,
    I have to deploy a flex site (without the flex data services,
    unless essential) that accesses xml data from servlets that aren't
    necessarily under the same domain, and some will be physically
    located on different servers.
    I am using the cross-domain policy file, and this works fine
    provided the server is logged in with Administrative privileges.
    However if it is logged in under a domain (with some limited
    access) I can no longer access the required data. This data is
    still available if I access it direct by typing the location into
    the browser address bar. So there is definitely something stopping
    me from accessing the data within flex.
    If anyone has encountered similar problems and come up with
    solutions (which does not involve forwarding data using additional
    servlets) then your tips and advice would be much appreciated.
    Thanks!

    It was an issue due to some configurations in 'External Facing Extension Service' inside configuration-content management-global service.
