AD problems after 2000 to 2003 migration
http://support.microsoft.com/default.aspx?scid=kb;en-us;828760
http://support.microsoft.com/default.aspx?scid=kb;en-us;814338
There are solutions to the problem that can be executed. To avoid the problem one would have to make sure that the Windows 2000 systems were all SP4 during the process of creating the domain. This is difficult of course if you're upgrading from Windows NT 4.0.
Generally, when you are presented with the dialog box, if you have permissions you click the OK button and the permissions are adjusted. In some cases you may have to perform the adjustments to the SYSVOL yourself. The issue with the Enterprise Domain Controllers is roughly the same thing -- a permissions issue created by the Windows 2000 system not being up to SP4.
The issue with the policy creation is that it requires access to the PDC emulator in the environment. In most cases the problem is that the other DCs are unable to locate the PDC emulator due to DNS issues. The server name may appear in DNS, but the SRV (service) records for the PDC emulator must also appear. Try doing the following:
1) Make sure that the DCs are all pointing to the same DNS server as primary (assuming all the DCs are in the same physical location).
2) Check that the PDC emulator is able to properly register its DNS entries by opening a command prompt and typing IPCONFIG /REGISTERDNS, or by stopping and restarting the NETLOGON service. Then check the Event log for issues.
3) Review the DNS records and look for the PDC emulator role under Forward lookup zones/[your domain]/_msdcs/pdc/_tcp
4) Check what the other DCs think the PDC emulator is. I like using NTDSUTIL.exe for this. Open a command prompt and type Ntdsutil (this requires that the Windows Support Tools have been installed from the CD). You get an NTDSUTIL: prompt. Now type…
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server [servername of non-PDC emulator system]
Connected to [servername] using credentials of locally logged on user.
server connections: quit
fsmo maintenance: Select operation target
select operation target: List roles for connected server
The output will be similar to this:
Server "myserver" knows about 5 roles
Schema - CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Domain - CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
PDC - CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
RID - CN=NTDS Settings,CN=MYSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Infrastructure - CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
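
Steps 3 and 4 can be cross-checked in one pass; the following PowerShell sketch is an added example, not part of the original answer. It assumes a management host with Resolve-DnsName and the ActiveDirectory module, DCs that answer Get-ADDomain (Active Directory Web Services), and placeholder values for the domain, DNS server addresses and DC names.

```powershell
# Added example. All values in this block are placeholders to replace.
$Domain     = 'mydomain.com'                 # placeholder domain name
$DnsServers = @('192.0.2.10', '192.0.2.11')  # placeholder: DNS servers the DCs point at
$Dcs        = @('myserver', 'myserver2')     # placeholder: DCs to question

# SRV record that lives under _msdcs/pdc/_tcp in the forward lookup zone
$srvName = "_ldap._tcp.pdc._msdcs.$Domain"

# Step 3: ask each DNS server which host is registered as PDC emulator.
$dnsView = foreach ($dns in $DnsServers) {
    try {
        Resolve-DnsName -Name $srvName -Type SRV -Server $dns -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object {
                [pscustomobject]@{
                    Source = "DNS $dns"
                    Pdc    = $_.NameTarget.TrimEnd('.').ToLower()
                }
            }
    } catch {
        # A missing SRV record is the failure described in the text above.
        [pscustomobject]@{ Source = "DNS $dns"; Pdc = "<no SRV record: $($_.Exception.Message)>" }
    }
}

# Step 4: ask each DC which server it believes holds the PDC emulator role.
$dcView = foreach ($dc in $Dcs) {
    try {
        $pdc = (Get-ADDomain -Server $dc -ErrorAction Stop).PDCEmulator
        [pscustomobject]@{ Source = "DC $dc"; Pdc = $pdc.ToLower() }
    } catch {
        [pscustomobject]@{ Source = "DC $dc"; Pdc = "<query failed: $($_.Exception.Message)>" }
    }
}

# Show both views side by side and flag any disagreement.
$all = @($dnsView) + @($dcView)
$all | Format-Table -AutoSize

$distinct = @($all.Pdc | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "DNS and the DCs disagree about the PDC emulator: $($distinct -join ', ')"
} else {
    Write-Host "All sources agree: $($distinct[0])"
}
```

A DNS server that returns no SRV record, or a DC that names a different role holder than the others, points at the source to fix first.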