Problem solve Get help with specific problems with your technologies, process and projects.

AD problems after 2000 to 2003 migration

Since upgrading our domain controllers from 2000 to 2003, we've had a few problems with AD. For starters, we get a message that the permission for this GPO in the SYSVOL folder is inconsistent with AD. I think I found a solution, but I'd like to hear your thoughts on the matter. Also, some of the older policies give an error message that the Enterprise Domain Controllers group doesn't have permission. Again, I think I found a solution, but your suggestions would be very welcome. Lastly, we can only create/edit new policies from the PDC (this role had to be seized during the upgrade because the upgrade on the primary failed). Have you seen this? Thanks for any information you can pass on to me.
Yes, the problem with the SYSVOL permissions and the GPO are common for those situations when the Windows environment was created prior to SP 4. This is confirmed in articles:

There are solutions to the problem that can be executed. To avoid the problem one would have to make sure that the Windows 2000 systems were all SP4 during the process of creating the domain. This is difficult of course if you're upgrading from Windows NT 4.0.

Generally, when you are presented with the dialog box if you have permissions you click the OK button and the permissions are adjusted. In some cases you may have to perform the adjustments to the SYSVOL yourself. The issues with the Enterprise Domain Controllers is roughly the same thing -- a permissions issues created by the Windows 2000 system not being up to SP 4.

The issue with the policy creation is that it requires access to the PDC Emulator in the environment. In most cases the problem is that the other DCs are unable to locate the PDC emulator due to DNS issues. The server name may appear in DNS, but the SRV records, Service Records, for the PDC emulator must also appear. Try doing the following:

1) Make sure that the DC's are all pointing to the same DNS server as primary (assuming the all DCs are in the same physical location).
2) Check that the PDC Emulator is able to properly register the DNS entries by opening a command prompt and type IPCONFIG /REGISTERDNS or stopping and restarting the NETLOGON service. Then check the Event log for issues.
3) Review the DNS records and look for the PDC emulator role under Forward lookup zones/[your domain]/_msdcs/pdc/_tcp
4) Check what the other DC's think the PDC emulator is. I like using NTDSUTIL.exe for this. Open a command prompt and type Ntdsutil (this requires that the Windows Support Tools have been installed from the CD). You get a NTDSUTIL: prompt. Now type…

Ntsdutil: roles
fsmo maintenance: connections
server connections: connect to server [servername of non-PDC emulator system] 
Connected to [servername] using credentials of locally logged on user.
server connections: quit
fsmo maintenance: Select operation target
select operation target: List roles for connected server
The output will be similar to this:
Server "myserver" knows about 5 roles
Schema - CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=
Domain - CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=
PDC - CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Site
RID - CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sit
Infrastructure - CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=Default-First-Site-N

Additional Expert Help:
Be sure to check our Answer FAQ for more expert advice.
For faster answers, visit ITKnowledge Exchange.

Dig Deeper on Windows systems and network management