Q: I recently rebuilt a crashed Windows Server 2003 and none of the User OUs replicated from the second (2000 server) DC were editable due to loss of permission. After upgrading the second DC to Windows Server 2003 and rebuilding User OUs, they are now editable but are not being applied. What is going on?
A: When the system crashed, I assume that it was a Domain Controller. You rebuilt the machine, but did you first check to see if the FSMO roles were all on the Windows 2000 machine? Since you did not do a system restore to the Windows 2003 server, you may have created some confusion for the AD on who is the holder of the FSMO roles. Check to see which server currently has all of the FSMO roles. If they are divided up between the two, I would move them to the second server (old Windows 2000). Then, run DCDIAG on each of the domain controllers and see if they can all communicate correctly. DCDIAG is available from the Windows Support Tools on the original Windows 2003/2000 CD that you installed from.
Scan the event logs (System, Directory, File Replication) for errors regarding replication. You may only have one real working Domain Controller (likely the second DC). Correcting the replication issue may resolve the problem. You can also use REPLMON, again from the Support Tools, to check on the status and force replication.
If the Windows 2003 machine actually crashed, you may be looking at corruption in the Active Directory. The corrective measure would be to restore from a known good copy.
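As an added illustration of the FSMO check in the answer above (not part of the original answer): the Python sketch below parses the text output of `netdom query fsmo` and reports whether the five roles are split between domain controllers. It assumes the roles were listed with `netdom`; the host names and sample output are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of `netdom query fsmo` output; host names are made up.
SAMPLE_SPLIT = """\
Schema owner                dc2003.example.local
Domain role owner           dc2003.example.local
PDC role                    dc2000.example.local
RID pool manager            dc2000.example.local
Infrastructure owner        dc2000.example.local
The command completed successfully.
"""

# A role line is "<label><two or more spaces><holder>". Matching on the column
# gap instead of fixed labels tolerates label wording that differs by version.
ROLE_LINE = re.compile(r"^(?P<role>\S.*?)\s{2,}(?P<holder>\S+)\s*$")

def parse_fsmo(text):
    """Return {role label: holder name, lower-cased} from netdom output."""
    roles = {}
    for line in text.splitlines():
        m = ROLE_LINE.match(line)
        if m:  # status and error lines have no column gap and are skipped
            roles[m.group("role")] = m.group("holder").lower()
    return roles

def summarize(text, expected=5):
    """Group roles by holder; flag split ownership and unreported roles."""
    roles = parse_fsmo(text)
    by_holder = defaultdict(list)
    for role, holder in roles.items():
        by_holder[holder].append(role)
    return {
        "holders": dict(by_holder),
        "split": len(by_holder) > 1,
        "missing": max(0, expected - len(roles)),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_SPLIT)
    for holder, held in sorted(report["holders"].items()):
        print(f"{holder}: {', '.join(held)}")
    if report["split"]:
        print("Roles are divided between DCs; compare against the intended holder.")
    if report["missing"]:
        print(f"{report['missing']} role(s) not reported; the query may have failed.")
```

Running the query on each domain controller and comparing the parsed results shows whether the DCs agree on who holds each role.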