Q: I recently rebuilt a crashed Windows Server 2003 and none of the User OUs replicated from the second (2000 server) DC were editable due to loss of permission. After upgrading the second DC to Windows Server 2003 and rebuilding User OUs, they are now editable but are not now being applied. What is going on?
A: When the system crashed, I assume that it was a Domain Controller. You rebuilt the machine, but did you first check to see if the FSMO roles were all on the Windows 2000 machine? Since you did not do a system restore to the Windows 2003 server, you may have created some confusion for the AD on who is the holder of the FSMO roles. Check to see which server currently has all of the FSMO roles. If they are divided up between the two, I would move them to the second server (old Windows 2000). Then, run DCDIAG on each of the domain controllers and see if they can all communicate correctly. DCDIAG is in the Windows Support Tools on the original Windows 2003/2000 CD that you installed from.
Scan the event logs (System, Directory, File Replication) for errors regarding replication. You may only have one real working Domain Controller (likely the second DC). Correcting the replication issue may resolve the problem. You can also use REPLMON, again from the Support Tools, to check on the status and force replication.
If the Windows 2003 machine actually crashed, you may be looking at corruption in the Active Directory. The corrective measure would be to restore from a known good copy.
This was first published in August 2005
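
The FSMO check described in the answer can be scripted. The following is an added example, not part of the original answer: it parses the text printed by `netdom query fsmo` (a Support Tools command the answer does not name) and reports roles that are missing, held by a DC that is not known to be working, or split between servers. The host names and sample output are constructed, and the role labels are assumed to match one of the two wordings listed in the code.

```python
import re

# Role labels as printed by `netdom query fsmo`. Both wordings are listed
# because the labels differ between tool versions (assumption).
ROLE_LABELS = {
    "schema owner": "Schema", "schema master": "Schema",
    "domain role owner": "DomainNaming", "domain naming master": "DomainNaming",
    "pdc role": "PDC", "pdc": "PDC",
    "rid pool manager": "RID",
    "infrastructure owner": "Infrastructure", "infrastructure master": "Infrastructure",
}
ALL_ROLES = {"Schema", "DomainNaming", "PDC", "RID", "Infrastructure"}

def parse_fsmo(text):
    """Return {role: holder_hostname} from `netdom query fsmo` output."""
    holders = {}
    for line in text.splitlines():
        # Label and host name are separated by a run of two or more spaces.
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) != 2:
            continue  # blank line or the trailing status message
        role = ROLE_LABELS.get(parts[0].lower())
        if role:
            holders[role] = parts[1].strip().lower()
    return holders

def assess(holders, live_dcs):
    """List problems: missing roles, roles on a non-working DC, split roles."""
    live = {d.lower() for d in live_dcs}
    findings = [f"{r}: no holder reported" for r in sorted(ALL_ROLES - holders.keys())]
    for role, host in sorted(holders.items()):
        if host not in live:
            findings.append(f"{role}: held by {host}, not a known working DC")
    hosts = sorted(set(holders.values()))
    if len(hosts) > 1:
        findings.append("roles are split across: " + ", ".join(hosts))
    return findings

# Constructed sample: roles divided between the rebuilt DC (dc1) and the second DC (dc2).
SAMPLE = """\
Schema owner                dc1.corp.example
Domain role owner           dc1.corp.example
PDC role                    dc2.corp.example
RID pool manager            dc2.corp.example
Infrastructure owner        dc2.corp.example

The command completed successfully.
"""

if __name__ == "__main__":
    for finding in assess(parse_fsmo(SAMPLE), ["dc2.corp.example"]):
        print(finding)
```

An empty findings list means every role is reported and all five sit on one DC from the list passed as `live_dcs`.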