Problem solve
Get help with specific problems with your technologies, process and projects.
AD problems after 2000 to 2003 migration
Since upgrading our domain controllers from 2000 to 2003, we've had a few problems with AD. For starters, we get a message that the permission for this GPO in the SYSVOL folder is inconsistent with AD. I think I found a solution, but I'd like to hear your thoughts on the matter. Also, some of the older policies give an error message that the Enterprise Domain Controllers group doesn't have permission. Again, I think I found a solution, but your suggestions would be very welcome. Lastly, we can only create/edit new policies from the PDC (this role had to be seized during the upgrade because the upgrade on the primary failed). Have you seen this? Thanks for any information you can pass on to me.
Yes, the problem with the SYSVOL permissions and the GPO are common for those situations when the Windows environment was created prior to SP 4. This is confirmed in articles:
http://support.microsoft.com/default.aspx?scid=kb;en-us;828760
http://support.microsoft.com/default.aspx?scid=kb;en-us;814338
There are solutions to the problem that can be executed. To avoid the problem one would have to make sure that the Windows 2000 systems were all SP4 during the process of creating the domain. This is difficult of course if you're upgrading from Windows NT 4.0.
Generally, when you are presented with the dialog box if you have permissions you click the OK button and the permissions are adjusted. In some cases you may have to perform the adjustments to the SYSVOL yourself. The issues with the Enterprise Domain Controllers is roughly the same thing -- a permissions issues created by the Windows 2000 system not being up to SP 4.
The issue with the policy creation is that it requires access to the PDC Emulator in the environment. In most cases the problem is that the other DCs are unable to locate the PDC emulator due to DNS issues. The server name may appear in DNS, but the SRV records, Service Records, for the PDC emulator must also appear. Try doing the following:
1) Make sure that the DC's are all pointing to the same DNS server as primary (assuming the all DCs are in the same physical location).
2) Check that the PDC Emulator is able to properly register the DNS entries by opening a command prompt and type IPCONFIG /REGISTERDNS or stopping and restarting the NETLOGON service. Then check the Event log for issues.
3) Review the DNS records and look for the PDC emulator role under Forward lookup zones/[your domain]/_msdcs/pdc/_tcp
4) Check what the other DC's think the PDC emulator is. I like using NTDSUTIL.exe for this. Open a command prompt and type Ntdsutil (this requires that the Windows Support Tools have been installed from the CD). You get a NTDSUTIL: prompt. Now type…
http://support.microsoft.com/default.aspx?scid=kb;en-us;828760
http://support.microsoft.com/default.aspx?scid=kb;en-us;814338
There are solutions to the problem that can be executed. To avoid the problem one would have to make sure that the Windows 2000 systems were all SP4 during the process of creating the domain. This is difficult of course if you're upgrading from Windows NT 4.0.
Generally, when you are presented with the dialog box if you have permissions you click the OK button and the permissions are adjusted. In some cases you may have to perform the adjustments to the SYSVOL yourself. The issues with the Enterprise Domain Controllers is roughly the same thing -- a permissions issues created by the Windows 2000 system not being up to SP 4.
The issue with the policy creation is that it requires access to the PDC Emulator in the environment. In most cases the problem is that the other DCs are unable to locate the PDC emulator due to DNS issues. The server name may appear in DNS, but the SRV records, Service Records, for the PDC emulator must also appear. Try doing the following:
1) Make sure that the DC's are all pointing to the same DNS server as primary (assuming the all DCs are in the same physical location).
2) Check that the PDC Emulator is able to properly register the DNS entries by opening a command prompt and type IPCONFIG /REGISTERDNS or stopping and restarting the NETLOGON service. Then check the Event log for issues.
3) Review the DNS records and look for the PDC emulator role under Forward lookup zones/[your domain]/_msdcs/pdc/_tcp
4) Check what the other DC's think the PDC emulator is. I like using NTDSUTIL.exe for this. Open a command prompt and type Ntdsutil (this requires that the Windows Support Tools have been installed from the CD). You get a NTDSUTIL: prompt. Now type…
Ntsdutil: roles fsmo maintenance: connections server connections: connect to server [servername of non-PDC emulator system] Connected to [servername] using credentials of locally logged on user. server connections: quit fsmo maintenance: Select operation target select operation target: List roles for connected serverThe output will be similar to this:
Server "myserver" knows about 5 roles Schema - CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN= Sites,CN=Configuration,DC=mydomain,DC=com Domain - CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN= Sites,CN=Configuration,DC=mydomain,DC=com PDC - CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Site s,CN=Configuration,DC=mydomain,DC=com RID - CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sit es,CN=Configuration,DC=mydomain,DC=com Infrastructure - CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=Default-First-Site-N ame,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Additional Expert Help:
Be sure to check our Answer FAQ for more expert advice.
For faster answers, visit ITKnowledge Exchange.
Dig Deeper on Windows systems and network management
-
![]()
Get back on the mend with Active Directory recovery methods
By: Richard Siddaway
-
![]()
Active Directory restores: How to restore deleted objects
By: Brien Posey
-
![]()
How to size an Active Directory domain controller in Windows
By: Gary Olsen
-
![]()
A closer look at the Ntdsutil command-line tools for Active Directory
By: Gary Olsen
Start the conversation
0 comments