Access Denied error while editing some of the GPOs in Windows 2003 AD

Hi

We are unable to edit some of the GPOs (Default Domain Policy, etc.) and are 
getting an Access Denied error. We checked the permissions of the SYSVOL folder 
and found that Administrators (Domain), System and Authenticated Users have full 
control share permissions. Full access has been provided to Administrators, 
Creator Owner & System, and read & execute permission has been provided to 
Authenticated Users in the Security tab.

Can anyone help me resolve the issue, and is any doc available to 
check the correct permissions for SYSVOL?

Thanks in advance for help

Regards
Lal
-- 
----Server Management Team----
0
Utf
3/14/2010 12:21:01 PM
windows.server.active_director

Hello Laljeev,

The permissions at the moment sound OK to me. Please run dcdiag /v on the 
DCs and post the output here. Are you working on the DCs directly or from 
a workstation with adminpak installed?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers 
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm 


> Hi
> 
> We are unable to edit some of the GPOs (Default Domain Policy, etc)
> and getting Access Denied error. We checked the permission of SYSVOL
> folder and found Administrators (Domain), System and Authenticated
> Users have full control share permissions. Full access has been
> provided to Administrators, creator owner & System and read & execute
> permission has been provided to Authenticated users in Security tab.
> 
> Can anyone help me to resolve the issue and also any doc is available
> to check the correct permissions with SYSVOL.
> 
> Thanks in advance for help
> 
> Regards
> Lal


0
Meinolf
3/14/2010 12:31:17 PM
Hi

Below is the output from dcdiag /v. I'm accessing the server through terminal 
service (mstsc -admin). One of our DCs (jpdc02) has been down since this morning.

____________________


Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine rpdc04, is a DC. 
   * Connecting to directory service on server rpdc04.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 4 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: RHO\rpdc04
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... rpdc04 passed test Connectivity

Doing primary tests
   
   Testing server: RHO\rpdc04
      Starting test: Replications
         * Replications Check
         [Replications Check,rpdc04] No replication recently attempted:
            From dbdc01 to rpdc04
            Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
            The last attempt occurred at 2010-03-14 15:47:00 (about 3 hours ago).
         [Replications Check,rpdc04] A recent replication attempt failed:
            From jpdc02 to rpdc04
            Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2010-03-14 18:54:08.
            The last success occurred at 2010-03-13 12:17:32.
            122 failures have occurred since the last success.
         [Replications Check,rpdc04] A recent replication attempt failed:
            From jpdc02 to rpdc04
            Naming Context: DC=DomainDnsZones,DC=mycompany,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
            The failure occurred at 2010-03-14 18:54:08.
            The last success occurred at 2010-03-13 12:17:32.
            122 failures have occurred since the last success.
         [Replications Check,rpdc04] A recent replication attempt failed:
            From jpdc02 to rpdc04
            Naming Context: CN=Schema,CN=Configuration,DC=mycompany,DC=com
            The replication generated an error (1727):
            The remote procedure call failed and did not execute.
            The failure occurred at 2010-03-14 18:46:47.
            The last success occurred at 2010-03-13 12:17:31.
            121 failures have occurred since the last success.
         [Replications Check,rpdc04] A recent replication attempt failed:
            From jpdc02 to rpdc04
            Naming Context: CN=Configuration,DC=mycompany,DC=com
            The replication generated an error (1727):
            The remote procedure call failed and did not execute.
            The failure occurred at 2010-03-14 19:01:22.
            The last success occurred at 2010-03-13 12:17:24.
            122 failures have occurred since the last success.
         [Replications Check,rpdc04] A recent replication attempt failed:
            From jpdc02 to rpdc04
            Naming Context: DC=mycompany,DC=com
            The replication generated an error (1727):
            The remote procedure call failed and did not execute.
            The failure occurred at 2010-03-14 18:54:08.
            The last success occurred at 2010-03-13 12:17:23.
            11 failures have occurred since the last success.
         rpdc04: There are 21 replication work items in the queue.
         REPLICATION LATENCY WARNING
         rpdc04: A long-running replication operation is in progress
            The job has been executing for 5 minutes and 2 seconds.
            Replication of new changes along this path will be delayed.
            Error: Higher priority replications are being blocked
            Enqueued 2010-03-14 18:47:22 at priority 170
            Op: SYNC FROM SOURCE
            NC CN=Schema,CN=Configuration,DC=mycompany,DC=com
            DSADN CN=NTDS Settings,CN=jpdc02,CN=Servers,CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
            DSA transport addr f9f5b45f-b5e6-4302-9e97-069c79fd1585._msdcs.mycompany.com
         * Replication Latency Check
         REPLICATION-RECEIVED LATENCY WARNING
         rpdc04:  Current time is 2010-03-14 19:06:31.
            DC=ForestDnsZones,DC=mycompany,DC=com
               Last replication recieved from jpdc02 at 2010-03-13 12:18:23.
               Latency information for 12 entries in the vector were ignored.
                  12 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
            DC=DomainDnsZones,DC=mycompany,DC=com
               Last replication recieved from jpdc02 at 2010-03-13 12:18:22.
               Latency information for 12 entries in the vector were ignored.
                  12 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
            CN=Schema,CN=Configuration,DC=mycompany,DC=com
               Last replication recieved from jpdc02 at 2010-03-13 12:18:22.
               Latency information for 19 entries in the vector were ignored.
                  19 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
            CN=Configuration,DC=mycompany,DC=com
               Last replication recieved from jpdc02 at 2010-03-13 12:18:21.
               Latency information for 19 entries in the vector were ignored.
                  19 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
            DC=mycompany,DC=com
               Last replication recieved from jpdc02 at 2010-03-13 12:18:22.
               Latency information for 18 entries in the vector were ignored.
                  18 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
         ......................... rpdc04 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC rpdc04.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=mycompany,DC=com
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=mycompany,DC=com
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=mycompany,DC=com
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=mycompany,DC=com
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=mycompany,DC=com
            (Domain,Version 2)
         ......................... rpdc04 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\rpdc04\netlogon
         Verified share \\rpdc04\sysvol
         ......................... rpdc04 passed test NetLogons
      Starting test: Advertising
         The DC rpdc04 is advertising itself as a DC and having a DS.
         The DC rpdc04 is advertising as an LDAP server
         The DC rpdc04 is advertising as having a writeable directory
         The DC rpdc04 is advertising as a Key Distribution Center
         The DC rpdc04 is advertising as a time server
         The DS rpdc04 is advertising as a GC.
         ......................... rpdc04 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
         ......................... rpdc04 passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 22603 to 1073741823
         * rpdc03.mycompany.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 20103 to 20602
         * rIDPreviousAllocationPool is 20103 to 20602
         * rIDNextRID: 20266
         ......................... rpdc04 passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC rpdc04 on DC rpdc04.
         * SPN found :LDAP/rpdc04.mycompany.com/mycompany.com
         * SPN found :LDAP/rpdc04.mycompany.com
         * SPN found :LDAP/rpdc04
         * SPN found :LDAP/rpdc04.mycompany.com/mycompany
         * SPN found :LDAP/25671f81-8b4c-404c-991f-e5ae1eb35d62._msdcs.mycompany.com
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/25671f81-8b4c-404c-991f-e5ae1eb35d62/mycompany.com
         * SPN found :HOST/rpdc04.mycompany.com/mycompany.com
         * SPN found :HOST/rpdc04.mycompany.com
         * SPN found :HOST/rpdc04
         * SPN found :HOST/rpdc04.mycompany.com/mycompany
         * SPN found :GC/rpdc04.mycompany.com/mycompany.com
         ......................... rpdc04 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... rpdc04 passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         rpdc04 is in domain DC=mycompany,DC=com
         Checking for CN=rpdc04,OU=Domain Controllers,DC=mycompany,DC=com in domain DC=mycompany,DC=com on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=rpdc04,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com in domain CN=Configuration,DC=mycompany,DC=com on 1 servers
            Object is up-to-date on all servers.
         ......................... rpdc04 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test 
         File Replication Service's SYSVOL is ready 
         ......................... rpdc04 passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test 
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems. 
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 03/14/2010   14:22:14
            (Event String could not be retrieved)
         ......................... rpdc04 failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 03/14/2010   18:52:28
            Event String: All domain controllers in the following site that
            can replicate the directory partition over this
            transport are currently unavailable.
            Site:
            CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
            Directory partition:
            DC=mycompany,DC=com
            Transport:
            CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=mycompany,DC=com
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 03/14/2010   18:52:28
            Event String: The Knowledge Consistency Checker (KCC) has
            detected problems with the following directory
            partition.
            Directory partition:
            DC=mycompany,DC=com
            There is insufficient site connectivity
            information in Active Directory Sites and
            Services for the KCC to create a spanning tree
            replication topology. Or, one or more domain
            controllers with this directory partition are
            unable to replicate the directory partition
            information. This is probably due to inaccessible
            domain controllers.
            User Action
            Use Active Directory Sites and Services to
            perform one of the following actions:
            - Publish sufficient site connectivity
            information so that the KCC can determine a route
            by which this directory partition can reach this
            site. This is the preferred option.
            - Add a Connection object to a domain controller
            that contains the directory partition in this
            site from a domain controller that contains the
            same directory partition in another site.
            If neither of the Active Directory Sites and
            Services tasks correct this condition, see
            previous events logged by the KCC that identify
            the inaccessible domain controllers.
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 03/14/2010   18:52:28
            Event String: The Knowledge Consistency Checker (KCC) was
            unable to form a complete spanning tree network
            topology. As a result, the following list of
            sites cannot be reached from the local site.
            Sites:
            CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 03/14/2010   18:52:28
            Event String: All domain controllers in the following site that
            can replicate the directory partition over this
            transport are currently unavailable.
            Site:
            CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
            Directory partition:
            DC=ForestDnsZones,DC=mycompany,DC=com
            Transport:
            CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=mycompany,DC=com
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 03/14/2010   18:52:28
            Event String: The Knowledge Consistency Checker (KCC) has
            detected problems with the following directory
            partition.
            Directory partition:
            DC=ForestDnsZones,DC=mycompany,DC=com
            There is insufficient site connectivity
            information in Active Directory Sites and
            Services for the KCC to create a spanning tree
            replication topology. Or, one or more domain
            controllers with this directory partition are
            unable to replicate the directory partition
            information. This is probably due to inaccessible
            domain controllers.
            User Action
            Use Active Directory Sites and Services to
            perform one of the following actions:
            - Publish sufficient site connectivity
            information so that the KCC can determine a route
            by which this directory partition can reach this
            site. This is the preferred option.
            - Add a Connection object to a domain controller
            that contains the directory partition in this
            site from a domain controller that contains the
            same directory partition in another site.
            If neither of the Active Directory Sites and
            Services tasks correct this condition, see
            previous events logged by the KCC that identify
            the inaccessible domain controllers.
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 03/14/2010   18:52:28
            Event String: The Knowledge Consistency Checker (KCC) was
            unable to form a complete spanning tree network
            topology. As a result, the following list of
            sites cannot be reached from the local site.
            Sites:
            CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 03/14/2010   18:52:28
            Event String: All domain controllers in the following site that
            can replicate the directory partition over this
            transport are currently unavailable.
            Site:
            CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
            Directory partition:
            DC=DomainDnsZones,DC=mycompany,DC=com
            Transport:
            CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=mycompany,DC=com
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 03/14/2010   18:52:28
            Event String: The Knowledge Consistency Checker (KCC) has
            detected problems with the following directory
            partition.
            Directory partition:
            DC=DomainDnsZones,DC=mycompany,DC=com
            There is insufficient site connectivity
            information in Active Directory Sites and
            Services for the KCC to create a spanning tree
            replication topology. Or, one or more domain
            controllers with this directory partition are
            unable to replicate the directory partition
            information. This is probably due to inaccessible
            domain controllers.
            User Action
            Use Active Directory Sites and Services to
            perform one of the following actions:
            - Publish sufficient site connectivity
            information so that the KCC can determine a route
            by which this directory partition can reach this
            site. This is the preferred option.
            - Add a Connection object to a domain controller
            that contains the directory partition in this
            site from a domain controller that contains the
            same directory partition in another site.
            If neither of the Active Directory Sites and
            Services tasks correct this condition, see
            previous events logged by the KCC that identify
            the inaccessible domain controllers.
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 03/14/2010   18:52:28
            Event String: The Knowledge Consistency Checker (KCC) was
            unable to form a complete spanning tree network
            topology. As a result, the following list of
            sites cannot be reached from the local site.
            Sites:
            CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
         An Warning Event occured.  EventID: 0x8000061E
            Time Generated: 03/14/2010   18:52:28
            Event String: All domain controllers in the following site that
            can replicate the directory partition over this
            transport are currently unavailable.
            Site:
            CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
            Directory partition:
            CN=Configuration,DC=mycompany,DC=com
            Transport:
            CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=mycompany,DC=com
         An Error Event occured.  EventID: 0xC000051F
            Time Generated: 03/14/2010   18:52:28
            Event String: The Knowledge Consistency Checker (KCC) has
            detected problems with the following directory
            partition.
            Directory partition:
            CN=Configuration,DC=mycompany,DC=com
            There is insufficient site connectivity
            information in Active Directory Sites and
            Services for the KCC to create a spanning tree
            replication topology. Or, one or more domain
            controllers with this directory partition are
            unable to replicate the directory partition
            information. This is probably due to inaccessible
            domain controllers.
            User Action
            Use Active Directory Sites and Services to
            perform one of the following actions:
            - Publish sufficient site connectivity
            information so that the KCC can determine a route
            by which this directory partition can reach this
            site. This is the preferred option.
            - Add a Connection object to a domain controller
            that contains the directory partition in this
            site from a domain controller that contains the
            same directory partition in another site.
            If neither of the Active Directory Sites and
            Services tasks correct this condition, see
            previous events logged by the KCC that identify
            the inaccessible domain controllers.
         An Warning Event occured.  EventID: 0x80000749
            Time Generated: 03/14/2010   18:52:28
            Event String: The Knowledge Consistency Checker (KCC) was
            unable to form a complete spanning tree network
            topology. As a result, the following list of
            sites cannot be reached from the local site.
            Sites:
            CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=com
         ......................... rpdc04 failed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x0000165B
            Time Generated: 03/14/2010   18:28:42
            Event String: The session setup from computer 'RIYDTP110'
            failed because the security database does not
            contain a trust account 'RIYDTP110$' referenced
            by the specified computer.
            USER ACTION
            If this is the first occurrence of this event for
            the specified computer and account, this may be a
            transient issue that doesn't require any action
            at this time. Otherwise, the following steps may
            be taken to resolve this problem:
            If 'RIYDTP110$' is a legitimate machine account
            for the computer 'RIYDTP110', then 'RIYDTP110'
            should be rejoined to the domain.
            If 'RIYDTP110$' is a legitimate interdomain trust
            account, then the trust should be recreated.
            Otherwise, assuming that 'RIYDTP110$' is not a
            legitimate account, the following action should
            be taken on 'RIYDTP110':
            If 'RIYDTP110' is a Domain Controller, then the
            trust associated with 'RIYDTP110$' should be
            deleted.
            If 'RIYDTP110' is not a Domain Controller, it
            should be disjoined from the domain.
         An Error Event occured.  EventID: 0x000016AD
            Time Generated: 03/14/2010   18:33:21
            Event String: The session setup from the computer RIYDTP110
            failed to authenticate. The following error
            occurred:
            %%5
         ......................... rpdc04 failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=rpdc04,OU=Domain Controllers,DC=mycompany,DC=com and backlink on
         CN=rpdc04,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
         are correct. 
         The system object reference (frsComputerReferenceBL)
         CN=rpdc04,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mycompany,DC=com
         and backlink on CN=rpdc04,OU=Domain Controllers,DC=mycompany,DC=com
         are correct. 
         The system object reference (serverReferenceBL)
         CN=rpdc04,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mycompany,DC=com
         and backlink on
         CN=NTDS Settings,CN=rpdc04,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=mycompany,DC=com
         are correct. 
         ......................... rpdc04 passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : mycompany
      Starting test: CrossRefValidation
         ......................... mycompany passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... mycompany passed test CheckSDRefDom
   
   Running enterprise tests on : mycompany.com
      Starting test: Intersite
         Skipping site RHO, this site is outside the scope provided by the
         command line arguments provided. 
         Skipping site DAM, this site is outside the scope provided by the
         command line arguments provided. 
         Skipping site JED, this site is outside the scope provided by the
         command line arguments provided. 
         ......................... mycompany.com passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\rpdc04.mycompany.com
         Locator Flags: 0xe00001fc
         PDC Name: \\rpdc03.mycompany.com
         Locator Flags: 0xe00003fd
         Time Server Name: \\rpdc04.mycompany.com
         Locator Flags: 0xe00001fc
         Preferred Time Server Name: \\rpdc03.mycompany.com
         Locator Flags: 0xe00003fd
         KDC Name: \\rpdc04.mycompany.com
         Locator Flags: 0xe00001fc
         ......................... mycompany.com passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS
---------------------

Regards
Lal
-- 
----Server Management Team----


"Meinolf Weber [MVP-DS]" wrote:

> Hello Laljeev,
> 
> The permissions at the moment sound OK to me. Please run dcdiag /v on the 
> DCs and post the output here. Are you working on the DCs directly or from 
> a workstation with adminpak installed?
> 
> Best regards
> 
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers 
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm 
> 
> 
> > Hi
> > 
> > We are unable to edit some of the GPOs (Default Domain Policy, etc)
> > and getting Access Denied error. We checked the permission of SYSVOL
> > folder and found Administrators (Domain), System and Authenticated
> > Users have full control share permissions. Full access has been
> > provided to Administrators, creator owner & System and read & execute
> > permission has been provided to Authenticated users in Security tab.
> > 
> > Can anyone help me to resolve the issue and also any doc is available
> > to check the correct permissions with SYSVOL.
> > 
> > Thanks in advance for help
> > 
> > Regards
> > Lal
> 
> 
> .
> 
0
Utf
3/14/2010 4:24:01 PM
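
A triage pass over output like the dcdiag /v paste above, as an added example that is not part of any poster's message. It lists failed tests with their event codes in decimal (the form Event Viewer shows) and groups replication failures by source DC, because in the paste the Replications test reports "passed" even though every attempt from jpdc02 failed. The sample text is constructed from the thread's output, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the dcdiag /v output posted in the thread
# (host names reused from the thread; trimmed, with one newsreader-wrapped line).
SAMPLE = """\
      Starting test: Replications
         [Replications Check,rpdc04] A recent replication attempt failed:
            From jpdc02 to rpdc04
            Naming Context: DC=DomainDnsZones,DC=mycompany,DC=com
            The replication generated an error (1256):
            The remote system is not available.
            The failure occurred at 2010-03-14 18:54:08.
            The last success occurred at 2010-03-13 12:17:32.
            122 failures have occurred since the last success.
         [Replications Check,rpdc04] A recent replication attempt failed:
            From jpdc02 to rpdc04
            Naming Context: DC=mycompany,DC=com
            The replication generated an error (1727):
            The remote procedure call failed and did not execute.
            The failure occurred at 2010-03-14 18:54:08.
            The last success occurred at 2010-03-13 12:17:23.
            11 failures have occurred since the last success.
         ......................... rpdc04 passed test Replications
      Starting test: frsevent
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 03/14/2010   14:22:14
         ......................... rpdc04 failed test frsevent
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x8000061E
         An Error Event occured.  EventID: 0xC000051F
         An Warning Event occured.  EventID: 0x8000061E
         ......................... rpdc04 failed test kccevent
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
CrossRefValidation
"""

# \s+ also matches newlines, so result lines wrapped by a mail client still parse.
RESULT_RE = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)")
START_RE = re.compile(r"Starting test:\s+(\S+)")
# "occured" is dcdiag's own spelling.
EVENT_RE = re.compile(
    r"An (Warning|Error) Event occured\.\s+EventID:\s+0x([0-9A-Fa-f]{8})")
REPL_RE = re.compile(
    r"replication attempt\s+failed:\s+"
    r"From (?P<source>\S+) to (?P<dest>\S+)\s+"
    r"Naming Context:\s+(?P<nc>\S+)\s+"
    r"The replication generated an error \((?P<error>\d+)\):"
    # Stay inside this block: never run into the next "[Replications Check" entry.
    r"(?:(?!\[Replications Check).)*?"
    r"The last success occurred at (?P<last_success>[\d-]+ [\d:]+)\."
    r"\s+(?P<failures>\d+) failures have occurred",
    re.S,
)


def parse_events(text):
    """Map each test name to the distinct (severity, event code) pairs under it."""
    events, current = defaultdict(list), None
    for line in text.splitlines():
        start = START_RE.search(line)
        if start:
            current = start.group(1)
            continue
        hit = EVENT_RE.search(line)
        if hit and current:
            # dcdiag prints the full 32-bit identifier; the low 16 bits are the
            # event code shown in Event Viewer (0x800034C4 -> 13508).
            entry = (hit.group(1), int(hit.group(2), 16) & 0xFFFF)
            if entry not in events[current]:
                events[current].append(entry)
    return dict(events)


def triage(text):
    """Summarise verdicts, failed tests and replication failures per source DC."""
    events = parse_events(text)
    verdicts, failed = {}, {}
    for target, verdict, test in RESULT_RE.findall(text):
        verdicts[f"{target}/{test}"] = verdict
        if verdict == "failed":
            failed[test] = events.get(test, [])
    partners = {}
    for m in REPL_RE.finditer(text):
        p = partners.setdefault(m["source"], {
            "contexts": [], "errors": set(), "max_failures": 0,
            "last_success": m["last_success"]})
        p["contexts"].append(m["nc"])
        p["errors"].add(int(m["error"]))
        p["max_failures"] = max(p["max_failures"], int(m["failures"]))
        # Timestamps are YYYY-MM-DD hh:mm:ss, so text order is time order.
        p["last_success"] = max(p["last_success"], m["last_success"])
    return {"verdicts": verdicts, "failed_tests": failed,
            "replication_partners": partners}


if __name__ == "__main__":
    summary = triage(SAMPLE)
    for test, evts in summary["failed_tests"].items():
        print("FAILED", test, evts)
    for dc, info in summary["replication_partners"].items():
        print("REPL", dc, sorted(info["errors"]), info["max_failures"])
```
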
Hi

The contents of both SYSVOL and Netlogon are the same on all DCs, and Repadmin 
shows the replication as successful. Shall we remove those GPOs which do not 
allow editing and create new GPOs with the same config?

Regards
Lal
-- 
----Server Management Team----


"Meinolf Weber [MVP-DS]" wrote:

> Hello Laljeev,
> 
> Hopefully the second DC is back soon for you. Did you check the event viewer 
> for errors on the DC where you logged in to when the access denied popped up?
> 
> As you wrote you can't edit some of the GPOs, so you are able to edit some 
> other? Did you check that the content of sysvol and netlogon is the same 
> on all DCs in the domain and replication is working on each DC with repadmin 
> /showrepl?
> 
> Best regards
> 
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers 
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm 
> 
> 
> > Hi
> > 
> > Below is the output from dcdiag/v, I'm accessing the server through
> > terminal service (mstsc -admin). One of our DCs is down from this
> > morning (jpdc02)
> > 
> > ____________________
> > 
> > Domain Controller Diagnosis
> > 
> > Performing initial setup:
> > * Verifying that the local machine rpdc04, is a DC.
> > * Connecting to directory service on server rpdc04.
> > * Collecting site info.
> > * Identifying all servers.
> > * Identifying all NC cross-refs.
> > * Found 4 DC(s). Testing 1 of them.
> > Done gathering initial info.
> > Doing initial required tests
> > 
> > Testing server: RHO\rpdc04
> > Starting test: Connectivity
> > * Active Directory LDAP Services Check
> > * Active Directory RPC Services Check
> > ......................... rpdc04 passed test Connectivity
> > Doing primary tests
> > 
> > Testing server: RHO\rpdc04
> > Starting test: Replications
> > * Replications Check
> > [Replications Check,rpdc04] No replication recently
> > attempted:
> > From dbdc01 to rpdc04
> > Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
> > The last attempt occurred at 2010-03-14 15:47:00 (about 3
> > hours
> > ago).
> > [Replications Check,rpdc04] A recent replication attempt
> > failed:
> > From jpdc02 to rpdc04
> > Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
> > The replication generated an error (1256):
> > The remote system is not available. For information about
> > network troubleshooting, see Windows Help.
> > The failure occurred at 2010-03-14 18:54:08.
> > The last success occurred at 2010-03-13 12:17:32.
> > 122 failures have occurred since the last success.
> > [Replications Check,rpdc04] A recent replication attempt
> > failed:
> > From jpdc02 to rpdc04
> > Naming Context: DC=DomainDnsZones,DC=mycompany,DC=com
> > The replication generated an error (1256):
> > The remote system is not available. For information about
> > network troubleshooting, see Windows Help.
> > The failure occurred at 2010-03-14 18:54:08.
> > The last success occurred at 2010-03-13 12:17:32.
> > 122 failures have occurred since the last success.
> > [Replications Check,rpdc04] A recent replication attempt
> > failed:
> > From jpdc02 to rpdc04
> > Naming Context:
> > CN=Schema,CN=Configuration,DC=mycompany,DC=com
> > The replication generated an error (1727):
> > The remote procedure call failed and did not execute.
> > The failure occurred at 2010-03-14 18:46:47.
> > The last success occurred at 2010-03-13 12:17:31.
> > 121 failures have occurred since the last success.
> > [Replications Check,rpdc04] A recent replication attempt
> > failed:
> > From jpdc02 to rpdc04
> > Naming Context: CN=Configuration,DC=mycompany,DC=com
> > The replication generated an error (1727):
> > The remote procedure call failed and did not execute.
> > The failure occurred at 2010-03-14 19:01:22.
> > The last success occurred at 2010-03-13 12:17:24.
> > 122 failures have occurred since the last success.
> > [Replications Check,rpdc04] A recent replication attempt
> > failed:
> > From jpdc02 to rpdc04
> > Naming Context: DC=mycompany,DC=com
> > The replication generated an error (1727):
> > The remote procedure call failed and did not execute.
> > The failure occurred at 2010-03-14 18:54:08.
> > The last success occurred at 2010-03-13 12:17:23.
> > 11 failures have occurred since the last success.
> > rpdc04: There are 21 replication work items in the queue.
> > REPLICATION LATENCY WARNING
> > rpdc04: A long-running replication operation is in progress
> > The job has been executing for 5 minutes and 2 seconds.
> > Replication of new changes along this path will be
> > delayed.
> > Error: Higher priority replications are being blocked
> > Enqueued 2010-03-14 18:47:22 at priority 170
> > Op: SYNC FROM SOURCE
> > NC CN=Schema,CN=Configuration,DC=mycompany,DC=com
> > DSADN CN=NTDS
> > Settings,CN=jpdc02,CN=Servers,CN=JED,CN=Sites,CN=Configuration,DC=myco
> > mpany,DC=com
> > DSA transport addr
> > f9f5b45f-b5e6-4302-9e97-069c79fd1585._msdcs.mycompany.com
> > * Replication Latency Check
> > REPLICATION-RECEIVED LATENCY WARNING
> > rpdc04:  Current time is 2010-03-14 19:06:31.
> > DC=ForestDnsZones,DC=mycompany,DC=com
> > Last replication recieved from jpdc02 at 2010-03-13
> > 12:18:23.
> > Latency information for 12 entries in the vector were
> > ignored.
> > 12 were retired Invocations.  0 were either:
> > read-only
> > replicas and are not verifiably latent, or dc's no longer replicating
> > this
> > nc.  0 had no latency information (Win2K DC).
> > DC=DomainDnsZones,DC=mycompany,DC=com
> > Last replication recieved from jpdc02 at 2010-03-13
> > 12:18:22.
> > Latency information for 12 entries in the vector were
> > ignored.
> > 12 were retired Invocations.  0 were either:
> > read-only
> > replicas and are not verifiably latent, or dc's no longer replicating
> > this
> > nc.  0 had no latency information (Win2K DC).
> > CN=Schema,CN=Configuration,DC=mycompany,DC=com
> > Last replication recieved from jpdc02 at 2010-03-13
> > 12:18:22.
> > Latency information for 19 entries in the vector were
> > ignored.
> > 19 were retired Invocations.  0 were either:
> > read-only
> > replicas and are not verifiably latent, or dc's no longer replicating
> > this
> > nc.  0 had no latency information (Win2K DC).
> > CN=Configuration,DC=mycompany,DC=com
> > Last replication recieved from jpdc02 at 2010-03-13
> > 12:18:21.
> > Latency information for 19 entries in the vector were
> > ignored.
> > 19 were retired Invocations.  0 were either:
> > read-only
> > replicas and are not verifiably latent, or dc's no longer replicating
> > this
> > nc.  0 had no latency information (Win2K DC).
> > DC=mycompany,DC=com
> > Last replication recieved from jpdc02 at 2010-03-13
> > 12:18:22.
> > Latency information for 18 entries in the vector were
> > ignored.
> > 18 were retired Invocations.  0 were either:
> > read-only
> > replicas and are not verifiably latent, or dc's no longer replicating
> > this
> > nc.  0 had no latency information (Win2K DC).
> > ......................... rpdc04 passed test Replications
> > Test omitted by user request: Topology
> > Test omitted by user request: CutoffServers
> > Starting test: NCSecDesc
> > * Security Permissions check for all NC's on DC rpdc04.
> > * Security Permissions Check for
> > DC=ForestDnsZones,DC=mycompany,DC=com
> > (NDNC,Version 2)
> > * Security Permissions Check for
> > DC=DomainDnsZones,DC=mycompany,DC=com
> > (NDNC,Version 2)
> > * Security Permissions Check for
> > CN=Schema,CN=Configuration,DC=mycompany,DC=com
> > (Schema,Version 2)
> > * Security Permissions Check for
> > CN=Configuration,DC=mycompany,DC=com
> > (Configuration,Version 2)
> > * Security Permissions Check for
> > DC=mycompany,DC=com
> > (Domain,Version 2)
> > ......................... rpdc04 passed test NCSecDesc
> > Starting test: NetLogons
> > * Network Logons Privileges Check
> > Verified share \\rpdc04\netlogon
> > Verified share \\rpdc04\sysvol
> > ......................... rpdc04 passed test NetLogons
> > Starting test: Advertising
> > The DC rpdc04 is advertising itself as a DC and having a DS.
> > The DC rpdc04 is advertising as an LDAP server
> > The DC rpdc04 is advertising as having a writeable directory
> > The DC rpdc04 is advertising as a Key Distribution Center
> > The DC rpdc04 is advertising as a time server
> > The DS rpdc04 is advertising as a GC.
> > ......................... rpdc04 passed test Advertising
> > Starting test: KnowsOfRoleHolders
> > Role Schema Owner = CN=NTDS
> > Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=myco
> > mpany,DC=com
> > Role Domain Owner = CN=NTDS
> > Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=myco
> > mpany,DC=com
> > Role PDC Owner = CN=NTDS
> > Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=myco
> > mpany,DC=com
> > Role Rid Owner = CN=NTDS
> > Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=myco
> > mpany,DC=com
> > Role Infrastructure Update Owner = CN=NTDS
> > Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=myco
> > mpany,DC=com
> > ......................... rpdc04 passed test
> > KnowsOfRoleHolders
> > Starting test: RidManager
> > * Available RID Pool for the Domain is 22603 to 1073741823
> > * rpdc03.mycompany.com is the RID Master
> > * DsBind with RID Master was successful
> > * rIDAllocationPool is 20103 to 20602
> > * rIDPreviousAllocationPool is 20103 to 20602
> > * rIDNextRID: 20266
> > ......................... rpdc04 passed test RidManager
> > Starting test: MachineAccount
> > Checking machine account for DC rpdc04 on DC rpdc04.
> > * SPN found :LDAP/rpdc04.mycompany.com/mycompany.com
> > * SPN found :LDAP/rpdc04.mycompany.com
> > * SPN found :LDAP/rpdc04
> > * SPN found :LDAP/rpdc04.mycompany.com/mycompany
> > * SPN found
> > :LDAP/25671f81-8b4c-404c-991f-e5ae1eb35d62._msdcs.mycompany.com
> > * SPN found
> > :E3514235-4B06-11D1-AB04-00C04FC2DCD2/25671f81-8b4c-404c-991f-e5ae1eb3
> > 5d62/mycompany.com
> > * SPN found :HOST/rpdc04.mycompany.com/mycompany.com
> > * SPN found :HOST/rpdc04.mycompany.com
> > * SPN found :HOST/rpdc04
> > * SPN found :HOST/rpdc04.mycompany.com/mycompany
> > * SPN found :GC/rpdc04.mycompany.com/mycompany.com
> > ......................... rpdc04 passed test MachineAccount
> > Starting test: Services
> > * Checking Service: Dnscache
> > * Checking Service: NtFrs
> > * Checking Service: IsmServ
> > * Checking Service: kdc
> > * Checking Service: SamSs
> > * Checking Service: LanmanServer
> > * Checking Service: LanmanWorkstation
> > * Checking Service: RpcSs
> > * Checking Service: w32time
> > * Checking Service: NETLOGON
> > ......................... rpdc04 passed test Services
> > Test omitted by user request: OutboundSecureChannels
> > Starting test: ObjectsReplicated
> > rpdc04 is in domain DC=mycompany,DC=com
> > Checking for CN=rpdc04,OU=Domain
> > Controllers,DC=mycompany,DC=com in
> > domain DC=mycompany,DC=com on 1 servers
> > Object is up-to-date on all servers.
> > Checking for CN=NTDS
> > Settings,CN=rpdc04,CN=Servers,CN=RHO,CN=Sites,CN=Configuration,DC=myco
> > mpany,DC=com in domain CN=Configuration,DC=mycompany,DC=com on 1
> > servers
> > Object is up-to-date on all servers.
> > ......................... rpdc04 passed test
> > ObjectsReplicated
> > Starting test: frssysvol
> > * The File Replication Service SYSVOL ready test
> > File Replication Service's SYSVOL is ready
> > ......................... rpdc04 passed test frssysvol
> > Starting test: frsevent
> > * The File Replication Service Event log test
> > There are warning or error events within the last 24 hours
> > after the
> > SYSVOL has been shared.  Failing SYSVOL replication problems
> > may cause
> > 
> > Group Policy problems.
> > An Warning Event occured.  EventID: 0x800034C4
> > Time Generated: 03/14/2010   14:22:14
> > (Event String could not be retrieved)
> > ......................... rpdc04 failed test frsevent
> > Starting test: kccevent
> > * The KCC Event log test
> > An Warning Event occured.  EventID: 0x8000061E
> > Time Generated: 03/14/2010   18:52:28
> > Event String: All domain controllers in the following site
> > that
> > can replicate the directory partition over this
> > 
> > transport are currently unavailable.
0
Utf
3/15/2010 6:15:01 AM
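The dcdiag /v output quoted above can be triaged mechanically. The following Python sketch is an added example, not part of the original thread: it strips the mail quote markers, rejoins the wrapped lines, and groups the replication failures by source DC. The function names (`flatten`, `parse_dcdiag`, `by_source`) are hypothetical, and the sample is an excerpt of the output as posted.

```python
import re

# Excerpt of the dcdiag /v output quoted in this thread, with the quote
# markers and mail-client line wraps left exactly as posted.
SAMPLE = """\
> > Starting test: Replications
> > [Replications Check,rpdc04] A recent replication attempt
> > failed:
> > From jpdc02 to rpdc04
> > Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
> > The replication generated an error (1256):
> > The remote system is not available. For information about
> > network troubleshooting, see Windows Help.
> > The failure occurred at 2010-03-14 18:54:08.
> > The last success occurred at 2010-03-13 12:17:32.
> > 122 failures have occurred since the last success.
> > [Replications Check,rpdc04] A recent replication attempt
> > failed:
> > From jpdc02 to rpdc04
> > Naming Context:
> > CN=Schema,CN=Configuration,DC=mycompany,DC=com
> > The replication generated an error (1727):
> > The remote procedure call failed and did not execute.
> > The failure occurred at 2010-03-14 18:46:47.
> > The last success occurred at 2010-03-13 12:17:31.
> > 121 failures have occurred since the last success.
> > ......................... rpdc04 passed test Replications
> > ......................... rpdc04 passed test
> > KnowsOfRoleHolders
> > ......................... rpdc04 failed test frsevent
"""

QUOTE_PREFIX = re.compile(r"^(?:\s*>)+\s?")   # "> > ", "> >>> ", ...
TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"

# One failure record, matched against the flattened (single-line) text.
# A DN that the mail client wrapped mid-token would not match \S+ here.
FAILURE = re.compile(
    r"A recent replication attempt failed: "
    r"From (?P<src>\S+) to (?P<dst>\S+) "
    r"Naming Context: (?P<nc>\S+) "
    r"The replication generated an error \((?P<code>\d+)\): "
    r"(?P<msg>.*?) "
    rf"The failure occurred at (?P<failed>{TS})\. "
    rf"The last success occurred at (?P<ok>{TS})\. "
    r"(?P<count>\d+) failures have occurred"
)
TEST_RESULT = re.compile(
    r"\.{5,} (?P<dc>\S+) (?P<result>passed|failed) test (?P<test>\S+)"
)


def flatten(text):
    """Drop quote markers and join wrapped lines into one spaced string."""
    lines = (QUOTE_PREFIX.sub("", line).strip() for line in text.splitlines())
    return re.sub(r"\s+", " ", " ".join(l for l in lines if l))


def parse_dcdiag(text):
    """Return (failure records, {test name: 'passed' | 'failed'})."""
    flat = flatten(text)
    failures = []
    for m in FAILURE.finditer(flat):
        rec = m.groupdict()
        rec["code"] = int(rec["code"])
        rec["count"] = int(rec["count"])
        failures.append(rec)
    tests = {m["test"]: m["result"] for m in TEST_RESULT.finditer(flat)}
    return failures, tests


def by_source(failures):
    """Group failures per source DC with the window they span."""
    summary = {}
    for f in failures:
        s = summary.setdefault(f["src"], {
            "contexts": [], "codes": set(),
            "last_ok": f["ok"], "last_fail": f["failed"],
        })
        s["contexts"].append(f["nc"])
        s["codes"].add(f["code"])
        # "YYYY-MM-DD HH:MM:SS" strings sort chronologically.
        s["last_ok"] = min(s["last_ok"], f["ok"])
        s["last_fail"] = max(s["last_fail"], f["failed"])
    return summary


if __name__ == "__main__":
    failures, tests = parse_dcdiag(SAMPLE)
    for src, s in by_source(failures).items():
        print(f"{src}: {len(s['contexts'])} naming contexts failing, "
              f"errors {sorted(s['codes'])}, "
              f"last success {s['last_ok']}, last failure {s['last_fail']}")
    print("failed tests:", [t for t, r in tests.items() if r == "failed"])
```

dcdiag prints "passed test Replications" even though failure records are listed under it, so the per-source summary is what shows that every failing link in this excerpt points at jpdc02, the DC reported as down.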
Hi Meinolf

2 years back we demoted a DC in another site (which is down now because of 
Hardware failure), then again promoted to DC using dcpromo /adv from the 
backup of one of the DCs in the main site. But this issue started recently. 
Again we are planning to promote the same failed DC using the same procedure.

What do you think of this issue?

Regards
Lal
-- 
----Server Management Team----


"Meinolf Weber [MVP-DS]" wrote:

> Hello Laljeev,
> 
> I wouldn't, there must be a reason. Was there a restore from a DC some time 
> ago?
> 
> Best regards
> 
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers 
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm 
> 
> 
> > Hi
> > 
> > The contents of both SYSVOL and Netlogon are same on all DCs and
> > Repadmin shows the replication as successful. Shall we remove those
> > GPOs which are not allowing to edit and create new GPOs with same
> > config
> > 
> > Regards
> > Lal
> > "Meinolf Weber [MVP-DS]" wrote:
> > 
> >> Hello Laljeev,
> >> 
> >> Hopefully the second DC is back soon for you. Did you check the event
> >> viewer for errors on the DC where you logged in to when the access
> >> denied pop up?
> >> 
> >> As you wrote you can't edit some of the GPOs, so you are able to edit
> >> some other? Did you check that the content of sysvol and netlogon is
> >> the same on all DCs in the domain and replication is working on each
> >> DC with repadmin /showrepl?
> >> 
> >> Best regards
> >> 
> >> Meinolf Weber
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> confers
> >> no rights.
> >> ** Please do NOT email, only reply to Newsgroups
> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >>> Hi
> >>> 
> >>> Below is the output from dcdiag/v, I'm accessing the server through
> >>> terminal service (mstsc -admin). One of our DCs is down from this
> >>> morning (jpdc02)
0
Utf
3/16/2010 4:59:01 AM
Hi Meinolf

I forgot to tell you one thing, while installing the new DC (for the failed 
one) we upgraded the schema to Windows 2003 R2. Now I tried to edit all GPOs 
and we are facing problem for all those old GPOs which were there before 
schema upgradation.
All new GPOs can be edited.

Regards
Lal
-- 
----Server Management Team----


"Laljeev M" wrote:

> Hi Meinolf
> 
> 2 years back we demoted a DC in another site (which is down now because of 
> Hardware failure), then again promoted to DC using dcpromo /adv from the 
> backup of one of the DCs in the main site. But this issue started recently. 
> Again we are planning to promote the same failed DC using the same procedure.
> 
> What do you think of this issue?
> 
> Regards
> Lal
> -- 
> ----Server Management Team----
> 
> 
> "Meinolf Weber [MVP-DS]" wrote:
> 
> > Hello Laljeev,
> > 
> > I wouldn't, there must be a reason. Was there a restore from a DC some time 
> > ago?
> > 
> > Best regards
> > 
> > Meinolf Weber
> > Disclaimer: This posting is provided "AS IS" with no warranties, and confers 
> > no rights.
> > ** Please do NOT email, only reply to Newsgroups
> > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm 
> > 
> > 
> > > Hi
> > > 
> > > The contents of both SYSVOL and Netlogon are same on all DCs and
> > > Repadmin shows the replication as successful. Shall we remove those
> > > GPOs which are not allowing to edit and create new GPOs with same
> > > config
> > > 
> > > Regards
> > > Lal
> > > "Meinolf Weber [MVP-DS]" wrote:
> > > 
> > >> Hello Laljeev,
> > >> 
> > >> Hopefully the second DC is back soon for you. Did you check the event
> > >> viewer for errors on the DC where you logged in to when the access
> > >> denied pop up?
> > >> 
> > >> As you wrote you can't edit some of the GPOs, so you are able to edit
> > >> some other? Did you check that the content of sysvol and netlogon is
> > >> the same on all DCs in the domain and replication is working on each
> > >> DC with repadmin /showrepl?
> > >> 
> > >> Best regards
> > >> 
> > >> Meinolf Weber
> > >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> > >> confers
> > >> no rights.
> > >> ** Please do NOT email, only reply to Newsgroups
> > >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> > >>> Hi
> > >>> 
> > >>> Below is the output from dcdiag/v, I'm accessing the server through
> > >>> terminal service (mstsc -admin). One of our DCs is down from this
> > >>> morning (jpdc02)
> > >>> * SPN found :GC/rpdc04.mycompany.com/mycompany.com
0
Utf
3/16/2010 5:37:01 AM
Hi

We took system state back from a working DC, where all roles are installed. 
Then using dcpromo /adv command promoted the new DC. 

Below are results from repadmin from each DCs

---------
----dco3 output----



repadmin running command /showrepl against server localhost



RHO\dc03

DC Options: IS_GC 

Site Options: (none)

DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480

DC invocationID: 0c0e7c99-ee98-4f22-b3a9-f5b0e841c29b



==== INBOUND NEIGHBORS ======================================



DC=mycomp,DC=com

    RHO\dc04 via RPC

        DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

        Last attempt @ 2010-03-16 12:05:45 was successful.



CN=Configuration,DC=mycomp,DC=com

    RHO\dc04 via RPC

        DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

        Last attempt @ 2010-03-16 12:05:45 was successful.



CN=Schema,CN=Configuration,DC=mycomp,DC=com

    RHO\dc04 via RPC

        DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

        Last attempt @ 2010-03-16 12:05:45 was successful.



DC=DomainDnsZones,DC=mycomp,DC=com

    RHO\dc04 via RPC

        DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

        Last attempt @ 2010-03-16 12:05:45 was successful.



DC=ForestDnsZones,DC=mycomp,DC=com

    RHO\dc04 via RPC

        DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

        Last attempt @ 2010-03-16 12:05:45 was successful.


-----dc04 output----




repadmin running command /showrepl against server localhost



RHO\dc04

DC Options: IS_GC 

Site Options: (none)

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

DC invocationID: 402b9c2f-63e3-4bd4-9dfe-0c079a6fca57



==== INBOUND NEIGHBORS ======================================



DC=mycomp,DC=com

    DAM\bdc01 via RPC

        DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af

        Last attempt @ 2010-03-16 12:02:29 was successful.

    RHO\dc03 via RPC

        DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480

        Last attempt @ 2010-03-16 12:11:04 was successful.



CN=Configuration,DC=mycomp,DC=com

    RHO\dc03 via RPC

        DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480

        Last attempt @ 2010-03-16 12:02:29 was successful.

    DAM\bdc01 via RPC

        DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af

        Last attempt @ 2010-03-16 12:02:29 was successful.



CN=Schema,CN=Configuration,DC=mycomp,DC=com

    RHO\dc03 via RPC

        DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480

        Last attempt @ 2010-03-16 12:02:29 was successful.

    DAM\bdc01 via RPC

        DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af

        Last attempt @ 2010-03-16 12:02:29 was successful.



DC=DomainDnsZones,DC=mycomp,DC=com

    RHO\dc03 via RPC

        DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480

        Last attempt @ 2010-03-16 12:02:29 was successful.

    DAM\bdc01 via RPC

        DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af

        Last attempt @ 2010-03-16 12:02:30 was successful.



DC=ForestDnsZones,DC=mycomp,DC=com

    RHO\dc03 via RPC

        DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480

        Last attempt @ 2010-03-16 12:02:29 was successful.

    DAM\bdc01 via RPC

        DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af

        Last attempt @ 2010-03-16 12:02:30 was successful.

---From BDc01---

repadmin running command /showrepl against server localhost



DAM\bdc01

DC Options: IS_GC 

Site Options: (none)

DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af

DC invocationID: 3c658661-677a-4a29-821f-0e00ba288862



==== INBOUND NEIGHBORS ======================================



DC=mycomp,DC=com

    RHO\dc04 via RPC

        DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

        Last attempt @ 2010-03-16 11:48:21 was successful.



CN=Configuration,DC=mycomp,DC=com

    RHO\dc04 via RPC

        DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

        Last attempt @ 2010-03-16 11:48:20 was successful.



CN=Schema,CN=Configuration,DC=mycomp,DC=com

    RHO\dc04 via RPC

        DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

        Last attempt @ 2010-03-16 11:48:20 was successful.



DC=DomainDnsZones,DC=mycomp,DC=com

    RHO\dc04 via RPC

        DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

        Last attempt @ 2010-03-16 11:48:21 was successful.



DC=ForestDnsZones,DC=mycomp,DC=com

    RHO\dc04 via RPC

        DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

        Last attempt @ 2010-03-16 11:48:22 was successful.

-----

Regards
Lal
-- 
Server Management Team



0
Utf
3/16/2010 9:31:01 AM
Hi Meinolf

We have 3 sites

in Site01 we have 2 Dcs (dc03 & Dc04), in DC03 installed all FSMO roles, 
replication enabled between 03 & 04

Site 02, we have 1 Dc (bdc01), replication between dc04 & bdc01 enabled. We 
restored bdc01 from Dc03's backup

Site03 has 1 Dc, which failed due to hardware issue

We run GPOTOOL.exe and found mismatches for those GPOs in SYSVOL between 
those 3 DCs and we face issues only for those GPOs. We can see mismatches 
between Dc03 & Dc04 and for some GPOs mismatch between Dc04 & Bdc01.

Can you help me to resolve this

Regards
Lal
-- 
----Server Management Team----


"Meinolf Weber [MVP-DS]" wrote:

> Hello Laljeev,
> 
> "We took system state back from a working DC, where all roles are installed. 
> Then using dcpromo /adv command promoted the new DC"
> 
> This is a not supported way of installing a DC, having FSMOs more than once 
> this way will result in problems.
> 
> What about DC2? Isn't it listed in AD sites and services and have all DCs 
> replication connectors to the others?
> 
> Best regards
> 
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers 
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm 
> 
> 
0
Utf
3/16/2010 10:59:01 AM
"Laljeev M" <news08@nospam.nospam> wrote in message news:65F1A611-66B9-4401-8648-EB3F3045F06A@microsoft.com...
> Hi Meinolf
> 
> We have 3 sites
> 
> in Site01 we have 2 Dcs (dc03 & Dc04), in DC03 installed all FSMO roles, 
> replication enabled between 03 & 04
> 
> Site 02, we have 1 Dc (bdc01), replication between dc04 & bdc01 enabled. We 
> restored bdc01 from Dc03's backup
> 
> Site03 has 1 Dc, which failed due to hardware issue
> 
> We run GPOTOOL.exe and found mismatches for those GPOs in SYSVOL between 
> those 3 DCs and we face issues only for those GPOs. We can see mismatches 
> between Dc03 & Dc04 and for some GPOs mismatch between Dc04 & Bdc01.
> 
> Can you help me to resolve this
> 
> Regards
> Lal
>

A mismatch indicates a replication issue. Post the eventID# for the errors you see in all of your DCs, please.

Sometimes you can go into the older DC and edit the GPO, just change something, and it should sync up making them match again. If that doesn't work, then it is definitely back to a replication issue. This could be also due to a DNS misconfiguration.

However, what complicates trying to tech support this issue is the way you did it. You restored a DC with a system state that introduced an older DC that is holding a FSMO role being held by another DC. I'm willing to bet that the restored DC is holding the PDC Emulator role which is being held by another.

How old and how long offline was that DC's backup that you used to restore? Was a role seizure performed?

Also, run the following from each DC. Please post the results from each. I'm curious what each DC role thinks each holds.
netdom query fsmo

In addition, please post an ipconfig /all from each DC.

Thank you,

-- 
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.


0
Ace
3/17/2010 2:01:18 AM
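
The GPOTOOL mismatches discussed above can be narrowed down by checking which copy of a GPO is behind: the one in the directory or the one in SYSVOL. The following is an added example, not code from any poster in this thread. It parses gpotool-style verbose output, decodes the combined version number (user revision in the high 16 bits, machine revision in the low 16 bits) and reports where the copies disagree; the sample text, GUIDs and host names are constructed, and only version numbers are compared.

```python
"""Flag GPO version drift from gpotool-style verbose output (added example)."""
import re

POLICY_RE = re.compile(r"^Policy (\{[0-9A-Fa-f-]{36}\})")
DC_RE = re.compile(r"^DC: (\S+)")
VER_RE = re.compile(r"^(DS|Sysvol) version:\s+(\d+)\(user\)\s+(\d+)\(machine\)")

# Constructed sample in the layout gpotool prints; GUIDs and hosts are made up.
SAMPLE = """\
============================================================
Policy {11111111-2222-3333-4444-555555555555}
Friendly name: Constructed Policy A
Policy OK
============================================================
Policy {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
Error: Version mismatch on dc-a.example.test, DS=262248, sysvol=262228
Friendly name: Constructed Policy B
Details:
------------------------------------------------------------
DC: dc-a.example.test
Friendly name: Constructed Policy B
DS version:     4(user) 104(machine)
Sysvol version: 4(user) 84(machine)
------------------------------------------------------------
DC: dc-b.example.test
Friendly name: Constructed Policy B
DS version:     4(user) 104(machine)
Sysvol version: 4(user) 104(machine)
------------------------------------------------------------
"""


def split_version(number):
    """Split a combined GPO version number into (user, machine).

    The directory object and gpt.ini each store one 32-bit value:
    high 16 bits = user-side revision, low 16 bits = machine-side revision.
    """
    return number >> 16, number & 0xFFFF


def join_version(user, machine):
    """Inverse of split_version."""
    return (user << 16) | (machine & 0xFFFF)


def parse_gpotool(text):
    """Return {policy_guid: {dc_name: {"DS": n, "Sysvol": n}}}.

    Policies reported as "Policy OK" carry no per-DC details and map to {}.
    """
    policies, guid, dc = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            guid, dc = m.group(1), None
            policies[guid] = {}
            continue
        m = DC_RE.match(line)
        if m and guid:
            dc = m.group(1)
            policies[guid][dc] = {}
            continue
        m = VER_RE.match(line)
        if m and guid and dc:
            store, user, machine = m.group(1), int(m.group(2)), int(m.group(3))
            policies[guid][dc][store] = join_version(user, machine)
    return policies


def find_drift(policies):
    """Return a list of (guid, scope, kind, detail) tuples.

    kind is one of:
      ds-vs-sysvol    one DC's directory copy and SYSVOL copy disagree
      ds-differs      DCs disagree about the directory version
      sysvol-differs  DCs disagree about the SYSVOL version
    """
    findings = []
    for guid, dcs in policies.items():
        for dc in sorted(dcs):
            v = dcs[dc]
            if "DS" in v and "Sysvol" in v and v["DS"] != v["Sysvol"]:
                detail = "DS=%d(user) %d(machine), sysvol=%d(user) %d(machine)" % (
                    split_version(v["DS"]) + split_version(v["Sysvol"]))
                findings.append((guid, dc, "ds-vs-sysvol", detail))
        for store in ("DS", "Sysvol"):
            seen = {dc: v[store] for dc, v in dcs.items() if store in v}
            if len(set(seen.values())) > 1:
                detail = ", ".join("%s=%d" % (dc, seen[dc]) for dc in sorted(seen))
                findings.append((guid, "all DCs", store.lower() + "-differs", detail))
    return findings


if __name__ == "__main__":
    for guid, scope, kind, detail in find_drift(parse_gpotool(SAMPLE)):
        print("%s  %-18s %-15s %s" % (guid, scope, kind, detail))
```

When the directory versions agree on every DC but one DC reports ds-vs-sysvol, the directory change has arrived everywhere and the SYSVOL files on that DC are the part that is behind.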
Hi Ace 

> A mismatch indicates a replication issue. Post the eventID# for the errors you see in all of your DCs, please.

No logs are generated in any of these 3 DCs,  some logs are there in Dc04 
which because of the failed DC

> Sometimes you can go into the older DC and edit the GPO, just change something, and it should sync up making them match again. If that doesn't work, then it is definitely back to a replication issue. This could be also due to a DNS misconfiguration.

I tried to edit from 3 DCs, getting the same error. On both the DCs BDC01 & 
DC04, even if connected to the same DCs while editing GPO it's showing GPO 
from DC03, from DC03 I used GPMC and connected to BDC03, at that time we are 
getting many other errors other than access denied error like 

> However, what complicates trying to tech support this issue is the way you did it. You restored a DC with a system state that introduced an older DC that is holding a FSMO role being held by another DC. I'm willing to bet that the restored DC is holding the PDC Emulator role which is being held by another. 
> How old and how long offline was that DC's backup that you used to restore? Was a role seizure performed?

No, I clearly mentioned that we took the system state backup of dc03 (which 
is in production and in site01) and using this backup we promoted the other 
DC (because this site02 was not replicating properly for many months, so we 
demoted bdc01 and again promoted using dcpromo /adv). For last 2 or more 
years everything was working fine, recently this behaviour started.
For testing purpose we created a txt file in SYSVOL of all these DCs and 
it's not replicating properly, but the scripts or small files 
created in \\Domain\netlogon is replicating properly.

> Also, run the following from each DC. Please post the results from each. I'm curious what each DC role thinks each holds.
> netdom query fsmo

All DCs showing fsmo roles are in DC03.

> In addition, please post an ipconfig /all from each DC.

DC03

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc03
   Primary Dns Suffix  . . . . . . . : mycomp.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mycomp.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : mycomp.com
   Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
   Physical Address. . . . . . . . . : 00-0B-CD-F0-27-C9
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.80.1.44
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : 10.80.1.1
   DNS Servers . . . . . . . . . . . : 10.80.1.44
                                       10.80.1.45
   NetBIOS over Tcpip. . . . . . . . : Disabled

DC04

C:\Documents and Settings\lmam>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc04
   Primary Dns Suffix  . . . . . . . : mycomp.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mycomp.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : mycomp.com
   Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
   Physical Address. . . . . . . . . : 00-0D-9D-DC-3F-92
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.80.1.45
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : 10.80.1.1
   DNS Servers . . . . . . . . . . . : 10.80.1.45
                                       10.80.1.44
   NetBIOS over Tcpip. . . . . . . . : Disabled


BDC01

C:\Documents and Settings\lmam>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : bdc01
   Primary Dns Suffix  . . . . . . . : mycomp.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mycomp.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP NC3163 Fast Ethernet NIC
   Physical Address. . . . . . . . . : 00-02-A5-ED-2C-8C
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.80.12.2
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : 10.80.12.9
   DNS Servers . . . . . . . . . . . : 10.80.12.2
                                       10.80.1.44
   Primary WINS Server . . . . . . . : 10.80.12.2
   Secondary WINS Server . . . . . . : 10.80.1.7
   NetBIOS over Tcpip. . . . . . . . : Disabled

Regards
-- 
Server Management Team

  
0
Utf
3/17/2010 4:27:01 AM
Dear Meinolf

We are planning to install a DC by next week, tell me how can we install a DC in 
a remote location without systemstate backup?

As per MS article (http://support.microsoft.com/kb/290647) I modified SYSVOL 
permissions on DCs and will check the GPOs later, do you have any suggestions 
to resolve the issues?

Regards

-- 
----Server Management Team----


"Meinolf Weber [MVP-DS]" wrote:

0
Utf
3/17/2010 12:50:01 PM
"Laljeev M" <news08@nospam.nospam> wrote in message news:B6C49739-5F79-464F-BD82-997D5CDAE8A5@microsoft.com...
> Dear Meinolf
> 
> We are planning to install a DC by next week, tell me how can we install a DC in 
> a remote location without systemstate backup?
> 
> As per MS article (http://support.microsoft.com/kb/290647) I modified SYSVOL 
> permissions on DCs and will check the GPOs later, do you have any suggestions 
> to resolve the issues?
> 
> Regards
> 
> -- 
> ----Server Management Team----

I don't know why you are focusing on using a systemstate backup to install a DC??? That's the premise that caused your current issues.

You said that a DC was down for a couple of months. How long exactly is "a couple of months?" Is it more than 6 months (180 days)? If so, you can't restore a 2003 or newer DC beyond that time period because that is the TTL for all AD objects to get scavenged from the AD database. I would suggest to scrap that DC you installed, and follow Meinolf's suggestion to use ntdsutil to perform a Metadata cleanup to remove its reference. I would actually do that anyway, bring your systems back to the point before you restored that systemstate, and get a fresh start, and simply install a fresh copy of Windows and promote it as a new DC.

I agree with Meinolf to install and promote it locally, then ship it, if the line is slow. Or simply install a fresh copy of Windows server on the machine, set it up to allow RDP, ship it, remote in and promote it. Nothing to it. :-)

As for the ipconfigs, they look good, too. One thing I should mention about WINS. A WINS server must ONLY point to itself, with no other WINS addresses. This is because of the way WINS works regarding record ownerships. If you put another one in the WINS server ipconfig, the ownership attribute gets skewed. Setup WINS replication partners between your WINS servers. You can put two WINS servers addresses in any non-WINS server or workstation.

Ace

0
Ace
3/17/2010 3:15:03 PM
Hi

Thanks for your responses. 

Shall I do one thing. I will demote the DC Bdc01 from site02 and will promote 
it again to additional DC (not from systemstate backup), same will be done 
for the other failed Dc. 

Will it resolve the issues? After demoting the DC how to cleanup the SYSVOL 
and other databases in that DC, because DHCP is running on that DC.

Regards
-- 
----Server Management Team----


0
Utf
3/18/2010 2:38:01 PM
"Laljeev M" <news08@nospam.nospam> wrote in message news:FB02B828-BDC2-4077-B4B8-2787E5B485C4@microsoft.com...
> Hi
> 
> Thanks for your responses. 
> 
> Shall I do one thing. I will demote the DC Bdc01 from site02 and will promote 
> it again to additional DC (not from systemstate backup), same will be done 
> for the other failed Dc. 
> 
> Will it resolve the issues? After demoting the DC how to cleanup the SYSVOL 
> and other databases in that DC, because DHCP is running on that DC.
> 
> Regards
> -- 
> ----Server Management Team----
> 
>


First, I agree with Meinolf that to make sure that the old DCs are no longer referenced in the AD database by running the Metadata cleanup procedure outlined in:
http://support.microsoft.com/kb/216498

Then actually, I would suggest before you promote anything else to a DC, let's work on straightening out the Sysvol issue. Let us know if the metadata cleanup works before moving forward.

Ace
0
Ace
3/19/2010 6:52:13 AM
Hi All

We removed the DC from the 2nd site and also removed all the occurrences of 
the removed DC from AD, DNS. Even before this we noticed one thing, 
immediately after restarting the DC we are able to edit all GPOs. Same is 
happening after removing the DC from 2nd site. Clearly speaking, immediately 
after restarting the DC we are able to edit all GPOs (which includes default 
Domain Policy), but after some time again facing the same issue. 

Also we moved the PDC role to the 2nd node, then for some time we are able 
to edit the GPOs, but the issue repeats. Later we moved back the PDC to same 
DC. Currently we have only one site with 2 DCs, all FSMO roles in 1 DC and 
DHCP configured in 2nd DC.

Can you help us

Regards
Lal
----Server Management Team----

0
Utf
3/24/2010 6:02:01 PM
"Laljeev M" <news08@nospam.nospam> wrote in message news:C51D241C-34F0-43BF-A0F2-83B453CE30E2@microsoft.com...
> Hi All
> 
> We removed the DC from the 2nd site and also removed all the occurrences of 
> the removed DC from AD, DNS. Even before this we noticed one thing, 
> immediately after restarting the DC we are able to edit all GPOs. Same is 
> happening after removing the DC from 2nd site. Clearly speaking, immediately 
> after restarting the DC we are able to edit all GPOs (which includes default 
> Domain Policy), but after some time again facing the same issue. 
> 
> Also we moved the PDC role to the 2nd node, then for some time we are able 
> to edit the GPOs, but the issue repeats. Later we moved back the PDC to same 
> DC. Currently we have only one site with 2 DCs, all FSMO roles in 1 DC and 
> DHCP configured in 2nd DC.
> 
> Can you help us
> 
> Regards
> Lal
> ----Server Management Team----
>


Apparently we are making some headway. It appears there is a communication problem to the server holding the PDC Emulator role. Run "netdom query fsmo" on each server, and post the results.

Give us an updated ipconfig /all, too, please.

Are you still seeing the mismatched error message?

Anything new in the Event logs? Please post any new errors or old errors, if you are still getting them.


-- 
Ace

0
Ace
3/25/2010 4:54:25 AM
Hi Ace 

Thanks for your help
1) For netdom both the servers giving same output as below

Schema owner               pdc03.mycomp.com

Domain role owner          pdc03.mycomp.com

PDC role                   pdc03.mycomp.com

RID pool manager           pdc03.mycomp.com

Infrastructure owner       pdc03.mycomp.com

2) Below are IPCONFIG output

Host Name . . . . . . . . . . . . :pdc03
   Primary Dns Suffix  . . . . . . . : mycomp.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mycomp.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : mycomp.com
   Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
   Physical Address. . . . . . . . . : 00-0B-CD-F0-27-C9
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.80.1.44
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : 10.80.1.1
   DNS Servers . . . . . . . . . . . : 10.80.1.44
                                       10.80.1.45

Host Name . . . . . . . . . . . . :pdc04
   Primary Dns Suffix  . . . . . . . : mycomp.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mycomp.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : mycomp.com
   Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
   Physical Address. . . . . . . . . : 00-0D-9D-DC-3F-92
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.80.1.45
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : 10.80.1.1
   DNS Servers . . . . . . . . . . . : 10.80.1.45
                                       10.80.1.44
   NetBIOS over Tcpip. . . . . . . . : Disabled

3) From yesterday in PDC03 we are getting errors (1030 & 1058) only on PDC03 
as below

Windows cannot access the file gpt.ini for GPO 
cn={BEB01D8A-FE42-4B03-B96A-CF6F631782A0},cn=policies,cn=system,DC=MYSAGIA,DC=GOV. 
The file must be present at the location 
<\\mycomp.com\SysVol\mycomp.com\Policies\{BEB01D8A-FE42-4B03-B96A-CF6F631782A0}\gpt.ini>. (Access is denied. ). Group Policy processing aborted. 

user SYSTEM

after removing this GPO, which is applied at site level, started getting 
another error as below for another GPO

Windows cannot access the file gpt.ini for GPO 
cn={526D7832-E621-4717-956A-C4EA12787AC5},cn=policies,cn=system,DC=MYSAGIA,DC=GOV. 
The file must be present at the location 
<\\mycomp.com\SysVol\mycomp.com\Policies\{526D7832-E621-4717-956A-C4EA12787AC5}\gpt.ini>. (Access is denied. ). Group Policy processing aborted. 

user System

4) Below is Gpotool.exe output from pdc03


Validating DCs...
Available DCs:
pdc03.mycomp.com
pdc04.mycomp.com
Searching for policies...
Found 32 policies
============================================================
Policy {15F97E0D-396B-4912-A930-0F26F133BA34}
Friendly name: Add _techSupportDAM to local Admin except servers & syseng
Policy OK
============================================================
Policy {1B7E43CF-7B3C-4A19-B576-5A05D6C65873}
Friendly name: Disable SUS client
Policy OK
============================================================
Policy {25894A7F-3983-47B7-83CB-AE4061193691}
Friendly name: SCCM Agent Installtion - Logon Script 
Policy OK
============================================================
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Error: Version mismatch on pdc03.mycomp.com, DS=262248, sysvol=262228
Friendly name: Default Domain Policy
Details:
------------------------------------------------------------
DC: pdc03.mycomp.com
Friendly name: Default Domain Policy
Created: 5/4/2002 12:30:23 PM
Changed: 3/25/2010 9:55:08 AM
DS version:     4(user) 104(machine)
Sysvol version: 4(user) 84(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: 
[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
Machine extensions: 
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: pdc04.mycomp.com
Friendly name: Default Domain Policy
Created: 5/4/2002 12:30:23 PM
Changed: 3/25/2010 9:55:24 AM
DS version:     4(user) 104(machine)
Sysvol version: 4(user) 104(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: 
[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
Machine extensions: 
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {42174B77-B2A7-43BC-973B-AAEB2CBBC353}
Friendly name: modify IE home page to MYSAGIA & Bypass proxy enabled
Policy OK
============================================================
Policy {4DAF3660-DE8F-48A6-B267-9FFC8A9397F5}
Friendly name: Windows XP SP2 Firewall settings
Error: pdc03.mycomp.com - pdc04.mycomp.com sysvol mismatch
Details:
------------------------------------------------------------
DC: pdc03.mycomp.com
Friendly name: Windows XP SP2 Firewall settings
Created: 9/7/2004 5:50:50 AM
Changed: 10/22/2008 12:10:52 PM
DS version:     0(user) 26(machine)
Sysvol version: 0(user) 26(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: 
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: pdc04.mycomp.com
Friendly name: Windows XP SP2 Firewall settings
Created: 9/7/2004 5:50:50 AM
Changed: 10/22/2008 12:11:36 PM
DS version:     0(user) 26(machine)
Sysvol version: 0(user) 26(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: 
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {526D7832-E621-4717-956A-C4EA12787AC5}
Friendly name: Enable Remote access features 
Policy OK
============================================================
Policy {5525A7FF-996B-4EEB-BC01-9D588B088E71}
Friendly name: Add _techSupportRHO to local Admin except servers & syseng
Policy OK
============================================================
Policy {5D0C8DD1-CB4C-42FF-A0BB-AD336AED8E17}
Friendly name: New Group Policy Object
Policy OK
============================================================
Policy {640048BD-2875-4952-9C3D-4E5D38BB521E}
Friendly name: IE Proxy_ Jed Site
Policy OK
============================================================
Policy {6848ACAE-73D8-4F76-A59A-99C14ED56616}
Friendly name: Update time sync parameters & TimeZone values for nonDC
Policy OK
============================================================
Policy {6863DB6B-0560-4C31-9928-4663F9DF1F2B}
Friendly name: RF Client 9.0 Installation 
Policy OK
============================================================
Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
Friendly name: Default Domain Controllers Policy
Policy OK
============================================================
Policy {6BDE4791-2B84-4555-9F6E-781FF688CC9C}
Friendly name: SAGIAOSType variable add
Policy OK
============================================================
Policy {6D1E9C4C-A0DB-4365-A9B0-8FFA4D1B202B}
Friendly name: Security Logging & Auditing
Policy OK
============================================================
Policy {6F8601FD-6A10-4DE1-8A1E-B8F76CC269B3}
Friendly name: New Proxy For Ryd
Policy OK
============================================================
Policy {83DC7387-2C5D-4CE8-A5E8-661BF56E24A1}
Friendly name: Prevent Conficker GPO
Policy OK
============================================================
Policy {86451220-1667-4226-871E-64BE1586B625}
Friendly name: Security Zone GPO (SAP EP SSO)
Policy OK
============================================================
Policy {86FD8E3D-7C6F-4C52-96AC-3AD3B16C1663}
Friendly name: Disable Proxy Settings - Riyadh
Policy OK
============================================================
Policy {9AA171E1-534C-4E8A-AB5E-11D8A4AFBCCE}
Friendly name: Investor User restriction
Policy OK
============================================================
Policy {9DB207D5-1B8A-4C24-8D58-4C07BDD3E342}
Friendly name: Servers logging, Auditing & Account lock out & Banner
Policy OK
============================================================
Policy {B71860F5-9C06-449C-B87B-D5C4F8587A5D}
Friendly name: OCS 2007 R2 Installation
Policy OK
============================================================
Policy {BAF3194A-B545-4828-B40E-04A3556E0A98}
Friendly name: IE Home Page
Policy OK
============================================================
Policy {CDBC55B5-61C8-4814-95F6-C7EF27D32A8C}
Friendly name: SCCM Client Agent Installation
Policy OK
============================================================
Policy {D1EBF1CC-FBEE-4C22-BC3C-2A29C414BB86}
Friendly name: MS Office 2007 Template to Whitelist Spam
Policy OK
============================================================
Policy {D74DB362-376E-4755-9AF5-E896A7EEE3C4}
Friendly name: Remote access
Policy OK
============================================================
Policy {DB5858E8-EE40-492A-8344-E4263085481D}
Friendly name: HijriAdjustment-decrement1
Policy OK
============================================================
Policy {DF1CAC42-E1CD-4D68-88F4-7ECEED7791F0}
Friendly name: MS Office 2007 Reg Value
Policy OK
============================================================
Policy {E9FF7AA0-8357-4E7C-A721-163E54F60BA6}
Friendly name: IE Proxy - Dam Site
Policy OK
============================================================
Policy {F5016DA4-EAE9-4CF1-B8A4-B98844B890BB}
Friendly name: Google secreen server
Policy OK
============================================================
Policy {F7170DAF-D7C2-4CFD-B43B-1513550DF8B8}
Friendly name: Enabling Logon Screen Saver for 30 min idle
Policy OK
============================================================
Policy {FE9088C0-BF04-4DCF-90CD-9BD66438E10D}
Friendly name: SAGIA Password Policy
Policy OK
============================================================

Errors found

Also now getting error on both DCs for win32time, it started after changing 
the PDC role to pdc04 for some time yesterday

Do you have any clue?

Regards
Lal
-- 
----Server Management Team----

0
Utf
3/25/2010 11:10:01 AM
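As an added example (not part of the original post, and not GPOTool's own code): a small Python parser for the GPOTool output format shown above. It separates policies where a DC's DS and SYSVOL versions differ from policies that GPOTool flags even though the versions agree. The function names and the trimmed sample are assumptions made for the example.

```python
import re

# Constructed sample: lines trimmed from the GPOTool output in the post above.
SAMPLE = """\
Policy {1B7E43CF-7B3C-4A19-B576-5A05D6C65873}
Friendly name: Disable SUS client
Policy OK
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Error: Version mismatch on pdc03.mycomp.com, DS=262248, sysvol=262228
Friendly name: Default Domain Policy
DC: pdc03.mycomp.com
DS version:     4(user) 104(machine)
Sysvol version: 4(user) 84(machine)
DC: pdc04.mycomp.com
DS version:     4(user) 104(machine)
Sysvol version: 4(user) 104(machine)
Policy {4DAF3660-DE8F-48A6-B267-9FFC8A9397F5}
Friendly name: Windows XP SP2 Firewall settings
Error: pdc03.mycomp.com - pdc04.mycomp.com sysvol mismatch
DC: pdc03.mycomp.com
DS version:     0(user) 26(machine)
Sysvol version: 0(user) 26(machine)
DC: pdc04.mycomp.com
DS version:     0(user) 26(machine)
Sysvol version: 0(user) 26(machine)
"""

VER = re.compile(r"^(DS|Sysvol) version:\s*(\d+)\(user\)\s+(\d+)\(machine\)")

def split_version(n):
    """Raw GPO version number: user count in the high 16 bits, machine in the low 16."""
    return n >> 16, n & 0xFFFF

def parse_gpotool(text):
    """Collect per-policy errors and the per-DC DS/SYSVOL versions."""
    policies, cur, dc = [], None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Policy {"):
            cur = {"guid": line[7:], "name": None, "errors": [], "dcs": {}}
            policies.append(cur)
            dc = None
        elif cur is None:
            continue  # preamble such as "Searching for policies..."
        elif line.startswith("Error:"):
            cur["errors"].append(line[6:].strip())
        elif line.startswith("Friendly name:") and cur["name"] is None:
            cur["name"] = line.split(":", 1)[1].strip()
        elif line.startswith("DC:"):
            dc = cur["dcs"].setdefault(line[3:].strip(), {})
        elif dc is not None and (m := VER.match(line)):
            dc[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return policies

def triage(policies):
    """(name, kind, dc, ds, sysvol) for each policy GPOTool reported an error on."""
    out = []
    for p in policies:
        if not p["errors"]:
            continue
        lag = [(d, v["ds"], v["sysvol"]) for d, v in p["dcs"].items()
               if "ds" in v and "sysvol" in v and v["ds"] != v["sysvol"]]
        if lag:  # this DC's SYSVOL copy is at a different version than its directory object
            out += [(p["name"], "version-lag", d, ds, sv) for d, ds, sv in lag]
        else:    # versions agree everywhere, so they do not explain the reported error
            out.append((p["name"], "versions-agree", None, None, None))
    return out
```

Calling `triage(parse_gpotool(SAMPLE))` reports pdc03 as the DC whose SYSVOL copy of the Default Domain Policy is behind its directory object, and marks the firewall policy as an error that the version numbers alone do not account for.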