Problem with Domain Group Policy after migrating roles from server 200


Cai0

Hi to all,

I have this problem: I've added a Windows 2003 machine to an all-Windows 2000 Server domain that had only 1 DC.

Now, after adding the 2003, there are 2 DCs on the network.

My objective was to migrate Active Directory from 2000 to 2003, with the aim of removing the 2000 machine afterwards.

So I've followed all the steps required for the migration: preparing the 2000 AD with the adprep commands, joining the 2003 to the domain as a DC, transferring all 5 roles from 2000 to 2003, and flagging the 2003 as a global catalog.

In this way I should have the whole structure of the 2000 as an exact copy on the 2003.

Normally after this, if I add the Group Policy Object Editor snap-in in the MMC (on the new server 2003), I can select the Default Domain Policy without problems.

In my case, if I add this snap-in, I get an error. This error tells me that "The DC controller for the operation Group policy editor is not available." I can select from a popup one of these 2 options:

"The DC with the token of master operation for the PDC emulator" or "any available DC". You can see this error here: http://filibusta.crema.unimi.it/~caio/S200...iterigruppo.JPG

Then, if I select the first option (PDC token) I get another error, telling me that it is impossible to find another DC and that there could be a policy that prevents selecting another DC.

If I select the second, the server connected to is server2000, not the 2003.

You can see this error here: http://filibusta.crema.unimi.it/~caio/S2003/PDC.jpg

This problem means that if I shut off the server 2000 and leave the 2003 up I can't see the group policy in its MMC. Because I want to demote and remove the 2000 from the domain, this is a big problem for me.

Moreover, if I add some snap-ins to the MMC on the 2003 server, I see that these snap-ins are added referring by default to the old 2000 server.

In fact GPO, Sites and Services, and Users and Computers link to the old server, while the AD Schema links to server2003.

Then, if I tell these snap-ins to connect to another DC, I can see them referring to the 2003 server.

You can see this situation in the screenshot below: for the first 4 snap-ins I added them with the defaults, and for the last 3 I've connected the snap-in explicitly to server2003 (the local machine where I run the MMC) by telling it to "connect to DC".

http://filibusta.crema.unimi.it/~caio/S2003/sc_mmc.JPG

Any ideas to resolve this problem?

Thank you

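The two choices in the dialog quoted above ("the DC with the token of master operation for the PDC emulator" or "any available DC") are the Group Policy Object Editor's domain-controller chooser: by default the editor opens a GPO on the PDC emulator and reads the policy files from that DC's SYSVOL share. After the role transfer the PDC emulator should therefore be server2003, the DC locator should return it as the PDC, and its SYSVOL must be shared. The script below, added here as an example and not part of the original post, checks those preconditions from the new DC. It assumes PowerShell 2.0 or later and the Windows Support Tools (netdom.exe, nltest.exe) are installed on the server; the domain name and the DC name are placeholders taken from the thread, not real hosts.

```powershell
# Added example: verify the post-migration state the GPO editor relies on.
# Assumptions: run on the new 2003 DC, PowerShell 2.0+, Support Tools installed
# (netdom.exe, nltest.exe). $Domain and $NewDc are placeholders, not real hosts.
param(
    [string]$Domain = "example.local",   # assumed domain FQDN
    [string]$NewDc  = "server2003"       # assumed name of the 2003 DC
)

$results = @()
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# 1. FSMO owners as stored in the directory. After the transfer every role line
#    should name $NewDc; the GPO editor specifically needs the "PDC role" line.
$fsmo    = (netdom query fsmo 2>&1 | Out-String) -split "`r?`n"
$pdcLine = ($fsmo | Where-Object { $_ -match '^PDC' }) -join ' '
Add-Result "PDC emulator is $NewDc (netdom query fsmo)" ($pdcLine -match [regex]::Escape($NewDc)) $pdcLine.Trim()

# 2. What the DC locator answers. The editor finds the PDC through the locator, which
#    uses the _ldap._tcp.pdc._msdcs SRV record in DNS, not the FSMO attribute itself.
$loc    = (nltest /dsgetdc:$Domain /pdc 2>&1 | Out-String)
$dcLine = (($loc -split "`r?`n") | Where-Object { $_ -match '^\s*DC:' }) -join ' '
Add-Result "Locator returns $NewDc as PDC (nltest /dsgetdc /pdc)" ($loc -match [regex]::Escape($NewDc)) $dcLine.Trim()

# 3. Is the new DC really advertising as a global catalog? RootDSE exposes this.
$rootDse = [ADSI]"LDAP://$NewDc/RootDSE"
$gcReady = [string]$rootDse.Properties["isGlobalCatalogReady"].Value
Add-Result "$NewDc is a ready global catalog (RootDSE isGlobalCatalogReady)" ($gcReady -eq 'TRUE') "isGlobalCatalogReady=$gcReady"

# 4. The GPO files live under \\<DC>\SYSVOL\<domain>\Policies. If the chosen DC does
#    not share SYSVOL yet, the editor cannot open any policy on it.
$policyPath = "\\$NewDc\SYSVOL\$Domain\Policies"
Add-Result "SYSVOL policies reachable on $NewDc" (Test-Path $policyPath) $policyPath

$results | Format-Table Check, Ok, Detail -AutoSize
```

If check 1 passes but check 2 or 4 fails, the directory knows about the transfer but the new DC is not yet findable or usable as the PDC, which is exactly the situation in which the editor falls back to "any available DC" and lands on the old server.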


A few things - have you checked the NTFRS logs on all of the domain controllers to make sure everything is replicating properly and the FRS isn't broken? From the errors you're getting, it sounds like the 2003 server isn't getting updated information from the 2000 server(s) and is using stale sysvol data, which would indicate a replication problem.

Also, make sure that the Windows Server 2003 machine does not have its firewall enabled, and if you have any IPSEC policies in place or TCP filtering, that this is either working properly on all machines or is disabled entirely until the migration is complete.



Bingo!

I have a lot of entries (event 13508) in the FRS event log telling me that FRS has failed.

The error says:

FRS can't enable replication from \\server2000 to \\server2003 using the DNS name \\server2000.

The possible causes suggested are:

1) FRS can't resolve the name \\server2000 correctly.

I can ping it from both servers.

2) FRS is not running

The service runs on both servers.

3) The AD topology information has not replicated yet.

How can I check or do this?

The firewall in 2003 is disabled.

I don't know where to check IPSEC policies.

If I launch the command net share in a command prompt,

I can see SYSVOL and NETLOGON on the 2000 server but neither of these on the 2003 server.

Is this normal?

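The missing SYSVOL and NETLOGON shares and the repeated 13508 events belong together: Netlogon only creates those shares after NTFRS has finished the initial SYSVOL sync from an existing DC and set the SysvolReady flag, and 13508 means FRS is still retrying the connection to that upstream partner. The script below, added here as an example and not part of the post, runs the checks behind the three causes listed in the event from the 2003 side: whether the shares and flag are present, whether the 13508 was ever followed by a 13509 (connection established) or 13516 (SYSVOL initialized), and whether the partner can be reached by DNS name over RPC and SMB, which is what an IPsec policy or packet filter would block while ping still works. It assumes PowerShell 2.0 or later on the new DC and the classic "File Replication Service" event log; the partner name is a placeholder from the thread.

```powershell
# Added example: why does the new DC not share SYSVOL/NETLOGON yet?
# Assumptions: PowerShell 2.0+ on the 2003 DC; $Partner is the upstream DC named in
# the 13508 event (placeholder from the thread, not a real host).
param([string]$Partner = "server2000")

$results = @()
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# 1. Netlogon shares SYSVOL/NETLOGON only after NTFRS sets SysvolReady=1, so missing
#    shares on a freshly promoted DC mean the initial SYSVOL sync never completed.
$nlp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Add-Result "SysvolReady flag set" ($nlp.SysvolReady -eq 1) "SysvolReady=$($nlp.SysvolReady)"

$shares = (net share 2>&1) | Out-String
Add-Result "SYSVOL shared"   ($shares -match '(?m)^SYSVOL\s')   ""
Add-Result "NETLOGON shared" ($shares -match '(?m)^NETLOGON\s') ""

# 2. 13508 = FRS retrying a partner; 13509 = that connection finally came up;
#    13516 = SYSVOL initialized. A 13508 newer than any 13509 is still unresolved.
$frs      = Get-EventLog -LogName 'File Replication Service' -Newest 500   # newest first
$new13508 = $frs | Where-Object { $_.EventID -eq 13508 } | Select-Object -First 1
$new13509 = $frs | Where-Object { $_.EventID -eq 13509 } | Select-Object -First 1
$has13516 = @($frs | Where-Object { $_.EventID -eq 13516 }).Count -gt 0
$unresolved = ($new13508 -ne $null) -and
              (($new13509 -eq $null) -or ($new13508.TimeGenerated -gt $new13509.TimeGenerated))
Add-Result "No unresolved 13508" (-not $unresolved) ("last 13508: " + $(if ($new13508) { $new13508.TimeGenerated } else { 'none' }))
Add-Result "SYSVOL initialized (13516 seen)" $has13516 ""

# 3. The causes listed in the 13508 text, tested from this side:
#    a) FRS connects to the partner by its DNS name, so test DNS resolution, not NetBIOS/ping
try {
    $addr = [System.Net.Dns]::GetHostEntry($Partner).AddressList[0].IPAddressToString
    Add-Result "Partner resolves via DNS" $true "$Partner -> $addr"
} catch {
    Add-Result "Partner resolves via DNS" $false $_.Exception.Message
}
#    b) NtFrs running locally and on the partner
foreach ($dc in @($env:COMPUTERNAME, $Partner)) {
    $svc = Get-Service -ComputerName $dc -Name NtFrs -ErrorAction SilentlyContinue
    Add-Result "NtFrs running on $dc" (($svc -ne $null) -and ($svc.Status -eq 'Running')) "$($svc.Status)"
}
#    c) RPC endpoint mapper (TCP 135) and the partner's SYSVOL over SMB; an IPsec
#       policy or TCP/IP filtering blocks these while ICMP ping still succeeds
$tcp = New-Object System.Net.Sockets.TcpClient
try { $tcp.Connect($Partner, 135); $rpc = $true } catch { $rpc = $false } finally { $tcp.Close() }
Add-Result "TCP 135 to partner open" $rpc ""
Add-Result "Partner SYSVOL share reachable" (Test-Path "\\$Partner\SYSVOL") ""

$results | Format-Table Check, Ok, Detail -AutoSize
```

To answer the "where do I check IPsec" question without the script: on 2000/2003 the assigned policies are listed by `netsh ipsec static show all`, and TCP/IP filtering lives under the adapter's Advanced TCP/IP Settings, Options tab. Either one can silently drop RPC between the two DCs even when both servers ping each other.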

Since more than 90% of AD issues are directly caused by DNS misconfiguration/resolution issues, I'd have to second fizban's suggestion to check your DNS infrastructure on all machines and make sure everything is kosher before going any further in troubleshooting.


Do both servers have DNS set up on them? Are they integrated zones? Sounds like a resolution issue.

Yes, now there are 2 DNS servers, with the zone set as a primary zone on both.

But until 1 day ago there was only 1 DNS server, on the Win 2000 server, and from both servers I could resolve the names of both DCs correctly (and I still can now).

OK, but I can correctly resolve the names of both servers from each machine, and I have the SRV records on both DNS servers.

The only difference is that in the netlogon.dns file (win/system32/config) all entries on each server point to itself.

How else can I check that the DNS infrastructure is correct?

Don't you think that the problem is the missing shared directories on the 2003 server?

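A note on the netlogon.dns observation above: that file is what each DC's own Netlogon service registers, so every entry in it pointing at the DC that wrote it is expected. What has to be checked is the zone itself, on both DNS servers, since with two primary copies of the zone each server answers from its own data and the two can drift apart. The script below, added here as an example and not part of the thread, queries the DC locator SRV records that the GPO editor and FRS depend on against each DNS server in turn and reports whether both DCs appear and whether the PDC record points at the new server. It assumes PowerShell 2.0 or later, the Windows nslookup.exe output format, and a single-domain forest (so the forest-wide GC record lives under the same name); the domain and host names are placeholders from the thread.

```powershell
# Added example: compare DC locator SRV records as served by each DNS server.
# Assumptions: PowerShell 2.0+, Windows nslookup.exe, single-domain forest.
# $Domain, $DnsHosts and $ExpectPdc are placeholders from the thread, not real hosts.
param(
    [string]$Domain     = "example.local",
    [string[]]$DnsHosts = @("server2000", "server2003"),
    [string]$ExpectPdc  = "server2003"
)

# Windows nslookup prints one "svr hostname = target" line per SRV answer; collect them.
function Get-SrvTargets([string]$Name, [string]$Server) {
    $out = nslookup -type=SRV $Name $Server 2>&1 | Out-String
    $targets = @()
    foreach ($line in ($out -split "`r?`n")) {
        if ($line -match 'svr hostname\s*=\s*(\S+)') {
            $targets += $Matches[1].TrimEnd('.').ToLower()
        }
    }
    return ,$targets    # keep it an array even when empty or a single answer
}

$records = @{
    "all writable DCs" = "_ldap._tcp.dc._msdcs.$Domain"    # every DC must be here
    "PDC emulator"     = "_ldap._tcp.pdc._msdcs.$Domain"   # exactly one, the role holder
    "global catalogs"  = "_ldap._tcp.gc._msdcs.$Domain"    # forest-wide; single-domain assumed
}

foreach ($label in $records.Keys) {
    $name = $records[$label]
    foreach ($dns in $DnsHosts) {
        $t  = Get-SrvTargets $name $dns
        $ok = switch ($label) {
            "PDC emulator" { ($t.Count -eq 1) -and ($t[0] -like "$ExpectPdc.*") }
            default        { $t.Count -ge 1 }
        }
        "{0,-17} via {1,-11}: {2} -> {3}" -f $label, $dns, $(if ($ok) { "OK  " } else { "FAIL" }), ($t -join ', ')
    }
}
```

A DC that is missing from the "all writable DCs" answer on one server but present on the other means that server's copy of the zone never received the registration. Re-register from the affected DC with `nltest /dsregdns` (Support Tools) or by restarting its Netlogon service, pointing the DC's own resolver at a DNS server that holds the zone; a stale PDC record that still names the 2000 server is what sends the GPO editor to the old DC even after the role transfer.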

You could also use the replmon tool from the Windows Server 2k/2k3 Support Tools to pinpoint your replication problem...

What do I have to check with replmon?

I've checked the replication topologies and all is OK, the FSMO query seems to be OK, what do I have to check?
