
 

Active Directory 0704

Re: Seeing Serv03 users/groups from a WinXP client

RE: Seeking tips for setting up an AD 2003 test lab accessible by prod

Re: sending command to an AD server?

Re: Server 2000 domain upgrade to Server 2003

Re: Site Policies and Domain Controllers

Re: SYSVOL share hand icon is red

RE: Tips for setting up a test lab

Re: Types of ICMP Used by DC?

Re: User logging in as limited account

RE: Using netdom.exe to join active directory

Re: w2k3 logs me off right after user/password

Re: W32Time problem

Re: Windows 2003 & 2000 Servers

Re: Windows 2003 NtFrs Event 13508 sysvol\domain

Re: Would You Advise Adding a Domain?

Re: You have exceeded the maximum number of computer accounts ...

Re: [X-POST] Person and User.



 

From: Billy Preston <billy.prestonNOSPAM@victorychurchNOSPAM.com>

To: none

Subject: Re: Seeing Serv03 users/groups from a WinXP client

Date: 09/26/2007 16:10:39

Al Mulnick wrote:

> Sounds like a problem with the xp machine.  Have you checked the system log

> of the workstation?  Any clues there? anything to do with netlogon?

> You have verified that it's a member of the domain right? Verified that its

> membership is active and problem free?

>

>

>

>

> "Billy Preston" <billy.prestonNOSPAM@victorychurchNOSPAM.com> wrote in

> message news:13fgqna7u52f091@news.supernews.com...

>> Hello everyone,

>>

>> I'm having some problems seeing my WinServ03 domain's users/groups from my

>> XP clients.

>>

>> With my NT4 server when I needed to add Domain Users as Local

>> Administrators to my XP clients, I'd go to Administrative Tools>Computer

>> Management>Local Users and Groups>Groups and open the Administrators

>> group - in the Administrator properties window, I click on the add button,

>> and in the Select Users, Computers, or Groups window, I'd choose my domain

>> using the Locations button, then click on the Advanced and Find Now

>> buttons to find all of the users/groups in my domain. (The client is

>> joined to the NT4 domain.)

>>

>> However, with my WinServ03 when I do the same process, I click on the

>> Location button and all I can see is the XP client - I can't see any

>> domain (and the client is joined to the WinServ03 domain).

>>

>> Any ideas why I can't see the domain? Without seeing it, I can't add the

>> users/groups. I've tried it both as a network administrator and a local

>> administrator and neither work.

>

>

I verified that netlogon is working, there are no errors in the system

log, and the client is indeed a member of the domain. Any other ideas?

 



 

From: Billy Preston <billy.prestonNOSPAM@victorychurchNOSPAM.com>

To: none

Subject: Re: Seeing Serv03 users/groups from a WinXP client

Date: 09/26/2007 18:45:01

Problem is solved...found the solution at

http://techrepublic.com.com/5208-6230-0.html?forumID=48&threadID=166522&messageID=1701814

 

Billy Preston wrote:

> Al Mulnick wrote:

>> Sounds like a problem with the xp machine.  Have you checked the

>> system log of the workstation?  Any clues there? anything to do with

>> netlogon?

>> You have verified that it's a member of the domain right? Verified

>> that its membership is active and problem free?

>> "Billy Preston" <billy.prestonNOSPAM@victorychurchNOSPAM.com> wrote in

>> message news:13fgqna7u52f091@news.supernews.com...

>>> Hello everyone,

>>>

>>> I'm having some problems seeing my WinServ03 domain's users/groups

>>> from my XP clients.

>>>

>>> With my NT4 server when I needed to add Domain Users as Local

>>> Administrators to my XP clients, I'd go to Administrative

>>> Tools>Computer Management>Local Users and Groups>Groups and open the

>>> Administrators group - in the Administrator properties window, I

>>> click on the add button, and in the Select Users, Computers, or

>>> Groups window, I'd choose my domain using the Locations button, then

>>> click on the Advanced and Find Now buttons to find all of the

>>> users/groups in my domain. (The client is joined to the NT4 domain.)

>>>

>>> However, with my WinServ03 when I do the same process, I click on the

>>> Location button and all I can see is the XP client - I can't see any

>>> domain (and the client is joined to the WinServ03 domain).

>>>

>>> Any ideas why I can't see the domain? Without seeing it, I can't add

>>> the users/groups. I've tried it both as a network administrator and a

>>> local administrator and neither work.

> I verified that netlogon is working, there are no errors in the system

> log, and the client is indeed a member of the domain. Any other ideas?

 



 

From: Al Mulnick <amulnick_No_SPAM@ncDOTrr.com>

To: none

Subject: Re: Seeing Serv03 users/groups from a WinXP client

Date: 09/26/2007 19:23:10

Wow.  You did all of those steps?  That's a long way around if you ask me

but I'm surprised that you had no errors with the netlogon service or any

others.  If that was the fix, you should not have been able to talk to the

domain and it should have been in the event logs of the local machine.

"Billy Preston" <billy.prestonNOSPAM@victorychurchNOSPAM.com> wrote in

message news:13flrlvkhkb5173@news.supernews.com...

> Problem is solved...found the solution at

> http://techrepublic.com.com/5208-6230-0.html?forumID=48&threadID=166522&messageID=1701814

>

> Billy Preston wrote:

>> Al Mulnick wrote:

>>> Sounds like a problem with the xp machine.  Have you checked the system

>>> log of the workstation?  Any clues there? anything to do with netlogon?

>>> You have verified that it's a member of the domain right? Verified that

>>> its membership is active and problem free?

>>>

>>>

>>> "Billy Preston" <billy.prestonNOSPAM@victorychurchNOSPAM.com> wrote in

>>> message news:13fgqna7u52f091@news.supernews.com...

>>>> Hello everyone,

>>>>

>>>> I'm having some problems seeing my WinServ03 domain's users/groups from

>>>> my XP clients.

>>>>

>>>> With my NT4 server when I needed to add Domain Users as Local

>>>> Administrators to my XP clients, I'd go to Administrative

>>>> Tools>Computer Management>Local Users and Groups>Groups and open the

>>>> Administrators group - in the Administrator properties window, I click

>>>> on the add button, and in the Select Users, Computers, or Groups

>>>> window, I'd choose my domain using the Locations button, then click on

>>>> the Advanced and Find Now buttons to find all of the users/groups in my

>>>> domain. (The client is joined to the NT4 domain.)

>>>>

>>>> However, with my WinServ03 when I do the same process, I click on the

>>>> Location button and all I can see is the XP client - I can't see any

>>>> domain (and the client is joined to the WinServ03 domain).

>>>>

>>>> Any ideas why I can't see the domain? Without seeing it, I can't add

>>>> the users/groups. I've tried it both as a network administrator and a

>>>> local administrator and neither work.

>> I verified that netlogon is working, there are no errors in the system

>> log, and the client is indeed a member of the domain. Any other ideas?

 



 

From: jwd <jwd@discussions.microsoft.com>

To: none

Subject: RE: Seeking tips for setting up an AD 2003 test lab accessible by prod

Date: 09/27/2007 10:51:02

If you want to test schema extensions then it will need to be a completely

separate forest.  All domains in a single forest share the same schema.

 

Best Regards

Joe Dunn MCSE

"shdowflare" wrote:

 

> Hi,
>
> We're getting ready to build out an Active Directory 2003 test lab. We
> need a place to check schema extensions, group policies, and software
> updates before putting into production. We need the test environment to be
> accessible to our corporate network, so applications can interact with
> the test directory during testing. So the LDAP lab can't be isolated. It
> needs to be on our corporate LAN. I imagine putting the test AD controller
> on our LAN means it will be found by our production DC's (and vice versa). So
> I was wondering how to structure the test domain hierarchy. Should it be a
> separate forest? Or just a separate domain under the production forest
> root?
>
> Basically, I'm looking for ideas on the best way to accomplish the
> requirements above and address the questions I've posed. Can you guys
> help out?
>
> Looking forward to your replies.
>
> -S

 



 

From: kj [SBS MVP] <KevinJ.SBS@SPAMFREE.gmail.com>

To: none

Subject: Re: sending command to an AD server?

Date: 09/27/2007 15:28:47

alazarevich@gmail.com wrote:

> Hi,

>

> We'd like to be able to send a command (for adding users) to our AD

> domain server from a remote linux machine. We know what the command is

> (dsadd user...), but we don't know the best way (secure + ease) to

> send that command to the AD server.

>

> We know there is an MMC that can be run from other clients in the

> domain, but isn't there a way to send a command to an AD server as

> well?

>

> Any ideas would be helpful. Thanks!

>

> Alex

 

Psexec in the windows world, but then dsadd needn't be run from a DC either.

 

--

/kj

 



 

From: alazarevich@gmail.com <alazarevich@gmail.com>

To: none

Subject: Re: sending command to an AD server?

Date: 09/27/2007 16:23:18

On Sep 27, 3:28 pm, "kj [SBS MVP]" <KevinJ....@SPAMFREE.gmail.com>

wrote:

> alazarev...@gmail.com wrote:

> > Hi,

>

> > We'd like to be able to send a command (for adding users) to our AD

> > domain server from a remote linux machine. We know what the command is

> > (dsadd user...), but we don't know the best way (secure + ease) to

> > send that command to the AD server.

>

> > We know there is an MMC that can be run from other clients in the

> > domain, but isn't there a way to send a command to an AD server as

> > well?

>

> > Any ideas would be helpful. Thanks!

>

> > Alex

>

> Psexec in the windows world, but then dsadd needn't be run from a DC either.

 

psexec looks cool, I like it. But then what is this about dsadd not

needing to be run on the DC? dsadd can be run from a domain client

computer? How? I looked in the Resource Kit but didn't find anything

like that.

 

Thanks!

 

alex

 



 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: sending command to an AD server?

Date: 09/27/2007 16:35:16

Hello,

 

I am pretty sure you will have to use the LDAP protocol directly to do this.

 

If using PHP, it would be around the ldap_add function.

Otherwise, give OpenLDAP a try as a client.

Perl would do the trick through Net::LDAP.

--

Cordialement,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

<alazarevich@gmail.com> wrote in message

news:1190928198.925116.228920@d55g2000hsg.googlegroups.com...

> On Sep 27, 3:28 pm, "kj [SBS MVP]" <KevinJ....@SPAMFREE.gmail.com>

> wrote:

>> alazarev...@gmail.com wrote:

>> > Hi,

>>

>> > We'd like to be able to send a command (for adding users) to our AD

>> > domain server from a remote linux machine. We know what the command is

>> > (dsadd user...), but we don't know the best way (secure + ease) to

>> > send that command to the AD server.

>>

>> > We know there is an MMC that can be run from other clients in the

>> > domain, but isn't there a way to send a command to an AD server as

>> > well?

>>

>> > Any ideas would be helpful. Thanks!

>>

>> > Alex

>>

>> Psexec in the windows world, but then dsadd needn't be run from a DC

>> either.

>

> psexec looks cool, I like it. But then what is this about dsadd not

> needing to be run on the DC? dsadd can be run from a domain client

> computer? How? I looked in the Resource Kit but didn't find anything

> like that.

>

> Thanks!

>

> alex

>
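
The LDAP route suggested in the reply above, sketched for a Linux host as an added example that is not part of the original posts: it builds the LDIF record that an OpenLDAP client such as ldapadd would send to create an AD user. The OU, the example.test suffix, the sample names and the logon-name policy are assumptions made for illustration.

```python
import base64
import re

# RFC 4514 characters that must be backslash-escaped inside an RDN value.
_DN_SPECIAL = set('\\,+"<>;')
# This example's own conservative logon-name policy (an assumption; it is
# stricter than what AD itself accepts).
_SAM_OK = re.compile(r"[A-Za-z0-9._-]{1,20}")


def escape_rdn_value(value):
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr, value):
    """Emit 'attr: value', or the base64 form when RFC 2849 requires it.

    Base64 keeps a newline inside a value from starting a new LDIF line,
    so user-supplied text cannot smuggle in an extra attribute.
    """
    plain = (
        value != ""
        and value[0] not in " :<"
        and value[-1] != " "
        and all(32 <= ord(c) < 127 for c in value)
    )
    if plain:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def encode_unicode_pwd(password):
    """AD's unicodePwd format: the password in double quotes, UTF-16LE."""
    quoted = '"' + password + '"'
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


def build_user_ldif(cn, sam, ou_dn, upn_suffix, password=None):
    """Return an LDIF 'add' record for a user object under ou_dn.

    ou_dn and upn_suffix come from the operator's own configuration and
    are trusted; cn, sam and password are treated as untrusted input.
    """
    if not cn or not _SAM_OK.fullmatch(sam):
        raise ValueError("empty CN or unacceptable sAMAccountName")
    dn = f"CN={escape_rdn_value(cn)},{ou_dn}"
    lines = [
        ldif_line("dn", dn),
        "changetype: add",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: user",
        ldif_line("cn", cn),
        ldif_line("sAMAccountName", sam),
        ldif_line("userPrincipalName", f"{sam}@{upn_suffix}"),
    ]
    if password is None:
        # No password supplied: create the account disabled (514).
        lines.append("userAccountControl: 514")
    else:
        # AD accepts unicodePwd only over an encrypted connection (LDAPS).
        lines.append("unicodePwd:: " + encode_unicode_pwd(password))
        lines.append("userAccountControl: 512")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input; none of these names come from the thread.
    print(build_user_ldif("Smith, John", "jsmith",
                          "OU=Staff,DC=example,DC=test", "example.test"))
```

The output can be written to a file and passed to ldapadd with -H pointing at an ldaps:// URL for the domain controller, -D for the bind DN, -W to prompt for the bind password and -f for the file.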

 



 

From: kj [SBS MVP] <KevinJ.SBS@SPAMFREE.gmail.com>

To: none

Subject: Re: sending command to an AD server?

Date: 09/27/2007 17:50:37

alazarevich@gmail.com wrote:

> On Sep 27, 3:28 pm, "kj [SBS MVP]" <KevinJ....@SPAMFREE.gmail.com>

> wrote:

>> alazarev...@gmail.com wrote:

>>> Hi,

>>

>>> We'd like to be able to send a command (for adding users) to our AD

>>> domain server from a remote linux machine. We know what the command

>>> is (dsadd user...), but we don't know the best way (secure + ease)

>>> to send that command to the AD server.

>>

>>> We know there is an MMC that can be run from other clients in the

>>> domain, but isn't there a way to send a command to an AD server as

>>> well?

>>

>>> Any ideas would be helpful. Thanks!

>>

>>> Alex

>>

>> Psexec in the windows world, but then dsadd needn't be run from a DC

>> either.

>

> psexec looks cool, I like it. But then what is this about dsadd not

> needing to be run on the DC? dsadd can be run from a domain client

> computer? How? I looked in the Resource Kit but didn't find anything

> like that.

>

> Thanks!

>

> alex

 

I use the ds tools and the admod/adfind/adexplorer/adsiedit/and the rest of

the AD & Windows management tools all the time from a member XP workstation

using a domain account.

 

"The command-line tools can be installed and run on computers that are

running Windows XP Service Pack 1 and Windows Server 2003 Server."

http://support.microsoft.com/kb/298882/en-us

 

Most of the DCs I manage are remote or tucked away. It's just easier that

way (& you can use runas instead of logging in).

--

/kj

 



 

From: alazarevich@gmail.com <alazarevich@gmail.com>

To: none

Subject: Re: sending command to an AD server?

Date: 09/27/2007 19:05:27

On Sep 27, 5:50 pm, "kj [SBS MVP]" <KevinJ....@SPAMFREE.gmail.com>

wrote:

> alazarev...@gmail.com wrote:

> > On Sep 27, 3:28 pm, "kj [SBS MVP]" <KevinJ....@SPAMFREE.gmail.com>

> > wrote:

> >> alazarev...@gmail.com wrote:

> >>> Hi,

>

> >>> We'd like to be able to send a command (for adding users) to our AD

> >>> domain server from a remote linux machine. We know what the command

> >>> is (dsadd user...), but we don't know the best way (secure + ease)

> >>> to send that command to the AD server.

>

> >>> We know there is an MMC that can be run from other clients in the

> >>> domain, but isn't there a way to send a command to an AD server as

> >>> well?

>

> >>> Any ideas would be helpful. Thanks!

>

> >>> Alex

>

> >> Psexec in the windows world, but then dsadd needn't be run from a DC

> >> either.

>

> > psexec looks cool, I like it. But then what is this about dsadd not

> > needing to be run on the DC? dsadd can be run from a domain client

> > computer? How? I looked in the Resource Kit but didn't find anything

> > like that.

>

> > Thanks!

>

> > alex

>

> I use the ds tools and the admod/adfind/adexplorer/adsiedit/and the rest of

> the AD & Windows management tools all the time from a member XP workstation

> using a domain account.

>

> "The command-line tools can be installed and run on computers that are

> running Windows XP Service Pack 1 and Windows Server 2003 Server." http://support.microsoft.com/kb/298882/en-us

>

> Most of the DCs I manage are remote or tucked away. It's just easier that

> way (& you can use runas instead of logging in).

> --

> /kj

 

okay, this might work for me. but, i can't find a way to install these

dsadd tools to an XP client. i can't find an installer on MS website,

nor do they seem to be on the 2003 install CDs. what do i do just copy

over the .exe's and .dll's from the 2003 server systemroot/system32 to

the xp client?

 

thanks!

 

alex

 



 

From: kj [SBS MVP] <KevinJ.SBS@SPAMFREE.gmail.com>

To: none

Subject: Re: sending command to an AD server?

Date: 09/27/2007 23:42:29

alazarevich@gmail.com wrote:

> On Sep 27, 5:50 pm, "kj [SBS MVP]" <KevinJ....@SPAMFREE.gmail.com>

> wrote:

>> alazarev...@gmail.com wrote:

>>> On Sep 27, 3:28 pm, "kj [SBS MVP]" <KevinJ....@SPAMFREE.gmail.com>

>>> wrote:

>>>> alazarev...@gmail.com wrote:

>>>>> Hi,

>>

>>>>> We'd like to be able to send a command (for adding users) to our

>>>>> AD domain server from a remote linux machine. We know what the

>>>>> command is (dsadd user...), but we don't know the best way

>>>>> (secure + ease) to send that command to the AD server.

>>

>>>>> We know there is an MMC that can be run from other clients in the

>>>>> domain, but isn't there a way to send a command to an AD server as

>>>>> well?

>>

>>>>> Any ideas would be helpful. Thanks!

>>

>>>>> Alex

>>

>>>> Psexec in the windows world, but then dsadd needn't be run from a

>>>> DC either.

>>

>>> psexec looks cool, I like it. But then what is this about dsadd not

>>> needing to be run on the DC? dsadd can be run from a domain client

>>> computer? How? I looked in the Resource Kit but didn't find anything

>>> like that.

>>

>>> Thanks!

>>

>>> alex

>>

>> I use the ds tools and the admod/adfind/adexplorer/adsiedit/and the
>> rest of the AD & Windows management tools all the time from a member XP
>> workstation using a domain account.
>>
>> "The command-line tools can be installed and run on computers that
>> are running Windows XP Service Pack 1 and Windows Server 2003
>> Server." http://support.microsoft.com/kb/298882/en-us
>>
>> Most of the DCs I manage are remote or tucked away. It's just easier
>> that way (& you can use runas instead of logging in).
>> --
>> /kj

>

> okay, this might work for me. but, i can't find a way to install these

> dsadd tools to an XP client. i can't find an installer on MS website,

> nor do they seem to be on the 2003 install CDs. what do i do just copy

> over the .exe's and .dll's from the 2003 server systemroot/system32 to

> the xp client?

>

> thanks!

>

> alex

 

Support/tools folder on the Windows CD, or get the SP1 version here;

 

http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en

--

/kj

 



 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: sending command to an AD server?

Date: 09/28/2007 01:08:18

Hello,

 

In your first post, you were looking to manage AD from a Linux machine?

Is this idea gone?

 

--

Cordialement,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

<alazarevich@gmail.com> wrote in message

news:1190937927.775294.297180@22g2000hsm.googlegroups.com...

> On Sep 27, 5:50 pm, "kj [SBS MVP]" <KevinJ....@SPAMFREE.gmail.com>

> wrote:

>> alazarev...@gmail.com wrote:

>> > On Sep 27, 3:28 pm, "kj [SBS MVP]" <KevinJ....@SPAMFREE.gmail.com>

>> > wrote:

>> >> alazarev...@gmail.com wrote:

>> >>> Hi,

>>

>> >>> We'd like to be able to send a command (for adding users) to our AD

>> >>> domain server from a remote linux machine. We know what the command

>> >>> is (dsadd user...), but we don't know the best way (secure + ease)

>> >>> to send that command to the AD server.

>>

>> >>> We know there is an MMC that can be run from other clients in the

>> >>> domain, but isn't there a way to send a command to an AD server as

>> >>> well?

>>

>> >>> Any ideas would be helpful. Thanks!

>>

>> >>> Alex

>>

>> >> Psexec in the windows world, but then dsadd needn't be run from a DC

>> >> either.

>>

>> > psexec looks cool, I like it. But then what is this about dsadd not

>> > needing to be run on the DC? dsadd can be run from a domain client

>> > computer? How? I looked in the Resource Kit but didn't find anything

>> > like that.

>>

>> > Thanks!

>>

>> > alex

>>

>> I use the ds tools and the admod/adfind/adexplorer/adsiedit/and the rest
>> of the AD & Windows management tools all the time from a member XP
>> workstation using a domain account.
>>
>> "The command-line tools can be installed and run on computers that are
>> running Windows XP Service Pack 1 and Windows Server 2003
>> Server." http://support.microsoft.com/kb/298882/en-us
>>
>> Most of the DCs I manage are remote or tucked away. It's just easier that
>> way (& you can use runas instead of logging in).
>> --
>> /kj

>

> okay, this might work for me. but, i can't find a way to install these

> dsadd tools to an XP client. i can't find an installer on MS website,

> nor do they seem to be on the 2003 install CDs. what do i do just copy

> over the .exe's and .dll's from the 2003 server systemroot/system32 to

> the xp client?

>

> thanks!

>

> alex

>

 



 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Server 2000 domain upgrade to Server 2003

Date: 09/25/2007 14:51:54

You may use the 64bit R2 in the existing forest, you only need to get the

second CD "where the adprep is" 32 bit version. You can get the 2nd CD from

Microsoft site for the trial version of the Windows 2003 R2 32bit and use it

to upgrade your 32 bit forest to R2.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"TM" <TM@discussions.microsoft.com> wrote in message

news:FE79DC66-E86A-416E-A588-2DC3F48EEB35@microsoft.com...

> Jorge,

> Thanks for the reply.

> I understand the fact about 2 servers and I have that. And have done the

> adprep from the 32 bit cd's.

> But where you say about the second cd on the install to not use it.

> So just so I have a clear understanding I might have a better chance at

> getting this right if I try from scratch on the 64bit 2003 server but not

> install the second CD. do the domain controller upgrade.

>

> If that works then a guy would install the second cd once things are

> working

> and 2000 DC are removed.

>

> Let me know. I want to say thanks for your help guys.

> I tested this all in a test lab and I got it to upgrade etc. but of course

> once I start messing with a server that has been in production for a few

> years it is a different story.

> "Jorge Silva" wrote:

>

>> You can't do a direct upgrade from 32 to 64 bit in the same machine.

>> If you want to introduce the 64 bit Windows 2003 you'll need a separate

>> server.

>>

>> To introduce Windows 2003 in your 2000 forest you first need to upgrade

>> the

>> forest and the Domain using adprep.

>>

>> Is not mandatory upgrade the schema to R2, this applies to 32bit and

>> 64bit

>> OS W2k3 If you install only OS and ignore/dismiss the second CD after the

>> OS

>> is installed then you have a Windows2003SP1/2 normal. If you run the

>> second

>> CD after OS installation then you'll be forced to upgrade the schema when

>> you try to introduce that server as a DC, but isn't MANDATORY to do that

>> unless you run the second CD after OS promotion.

>>

>> Now because you're running 32 bit version in other DCs, to upgrade the

>> forest to R2 you'll need to run adprep 32bit version in the schema master.

>>

>> --

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

>> "TM" <TM@discussions.microsoft.com> wrote in message

>> news:3A6222A9-E94B-4CB9-8C8B-6196B4E3E9EE@microsoft.com...

>> > Thanks for the response.

>> > I have read where to upgrade to 2003 but with a few of the programs I

>> > have

>> > on there currently I don't want to do that option on that server cause

>> > it

>> > is

>> > still needed for other apps.

>> >

>> > What do you think of building a server 2000 and making it a domain

>> > controller. DCPromoing the current server so it isn't a Domain

>> > Controller

>> > any

>> > more. then doing the suggested upgrade to 2003. Then moving the domain

>> > controller role to the server that I am intending it to be on.

>> >

>> > So it will be a few more steps and time than I wanted to spend but does

>> > this

>> > seem a feasible option?

>> >

>> > Thanks for your help.

>> >

>> > "Meinolf Weber" wrote:

>> >

>> >> Hello tm,

>> >>

>> >> Maybe you did not read the article completely? With a windows 2000

>> >> domain

>> >> controller it is not possible to change it. You have to upgrade to

>> >> 2003

>> >> like

>> >> stated in the article.

>> >>

>> >> Best regards

>> >>

>> >> Meinolf Weber

>> >> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> >> confers

>> >> no rights.

>> >>

>> >> > Well I have went through the article that both of you have suggested

>> >> > without

>> >> > any luck. Unless I am doing something wrong.

>> >> > Just a question does it matter if I am going to from 32bit 2000

>> >> > server

>> >> > to a

>> >> > 64bit 2003 server?

>> >> > Also, I have the 2000 server at native mode the only 2000 server as

>> >> > Domain Controller with Exchange 2000 on it.

>> >> >

>> >> > Is there any other suggestions to get this fixed?

>> >> >

>> >> > "Jorge Silva" wrote:

>> >> >

>> >> >> With Windows 2000 DCs you shouldn't get your DFL and FFL more than

>> >> >> Windows

>> >> >> 2000 Native otherwise the 2000 DCs will stop working.

>> >> >> Please read:

>> >> >> http://support.microsoft.com/kb/322692

>> >> >> --

>> >> >> I hope that the information above helps you.

>> >> >> Have a Nice day.

>> >> >> Jorge Silva

>> >> >> MCSE, MVP Directory Services

>> >> >> "TM" <TM@discussions.microsoft.com> wrote in message

>> >> >> news:A9BB3E80-DB8B-41CC-A527-9C6B38A94229@microsoft.com...

>> >> >>> Sorry for not getting more info

>> >> >>> On the current Server 2000 DC it is on Service Pack 4 with all the

>> >> >>> available

>> >> >>> updates.

>> >> >>> On the Server 2003 std. I have all the updates installed.

>> >> >>> It has all the roles and global catalog server.

>> >> >>> But I am to the step of raising the domain functional level now

>> >> >>> and

>> >> >>> I am getting the message below about not able to raise.

>> >> >>>

>> >> >>> If there is any other information I need to add let me know.

>> >> >>> thanks for your response

>> >> >>> --------------------------------------------------------------------

>> >> >>> ----------------------------

>> >> >>> To update the domain functional level, the domain controllers in

>> >> >>> the

>> >> >>> domain

>> >> >>> must be running the appropriate version of windows.

>> >> >>> Domain Name

>> >> >>> norfolkiron.com

>> >> >>> Current domain functional level

>> >> >>> Windows 2000 native

>> >> >>> The following domain controllers are running earlier versions of

>> >> >>> windows:

>> >> >>> Domain Name Domain Controller Version of Windows

>> >> >>> norfolkiron.com server1.norfolkiron.com Windows 2000 Server 5.0

>> >> >>> (2195)

>> >> >>> --------------------------------------------------------------------

>> >> >>> ----------------------------

>> >> >>> "Jorge Silva" wrote:

>> >> >>>

>> >> >>>> Hi

>> >> >>>> Is this the error?

>> >> >>>> Error message when you run the Active Directory Installation

>> >> >>>> Wizard: "The

>> >> >>>> version of the Active Directory schema of the source forest is

>> >> >>>> not

>> >> >>>> compatible with the version of Active Directory on this computer"

>> >> >>>> http://support.microsoft.com/?kbid=917385

>> >> >>>>

>> >> >>>> --

>> >> >>>> I hope that the information above helps you.

>> >> >>>> Have a Nice day.

>> >> >>>> Jorge Silva

>> >> >>>> MCSE, MVP Directory Services

>> >> >>>> "TM" <TM@discussions.microsoft.com> wrote in message

>> >> >>>> news:3B68DD51-4FA6-4FE4-81D9-B205ED7C7D01@microsoft.com...

>> >> >>>>> I am having a very hard time upgrading the Domain controller

>> >> >>>>> from

>> >> >>>>> server

>> >> >>>>> 2000

>> >> >>>>> to server 2003. It keeps sending back a message saying that the

>> >> >>>>> server

>> >> >>>>> 2000

>> >> >>>>> is at an earlier version. But I have all the updates done and

>> >> >>>>> everything

>> >> >>>>> that

>> >> >>>>> I have read I have tried.

>> >> >>>>> I am at the end of the rope need some assistance in suggestions

>> >> >>>>> in

>> >> >>>>> getting

>> >> >>>>> this moved over. Would love to start using my exchange 2007 box

>> >> >>>>> but

>> >> >>>>> with

>> >> >>>>> the

>> >> >>>>> Domain upgrade holding me back this isn't fun any more.

>> >> >>>>> Thanks in advance for any assistance

>> >> >>>>>

>> >>

>> >>

>> >>

>>

 



 

From: TM <TM@discussions.microsoft.com>

To: none

Subject: Re: Server 2000 domain upgrade to Server 2003

Date: 09/25/2007 15:26:02

Well I have done that when getting everything set to upgrade to the 2003

server 64bit r2 version of server.

I used the supplied CD's that I had bought.

But I still ran into the issue of the 2000 dc being an earlier version.

 

"Jorge Silva" wrote:

 

> You may use the 64bit R2 in the existing forest, you only need to get the

> second CD "where the adprep is" 32 bit version. You can get the 2nd CD from

> Microsoft site for the trial version of the Windows 2003 R2 32bit and use it

> to upgrade your 32 bit forest to R2.

>

> --

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

> "TM" <TM@discussions.microsoft.com> wrote in message

> news:FE79DC66-E86A-416E-A588-2DC3F48EEB35@microsoft.com...

> > Jorge,

> > Thanks for the reply.

> > I understand the fact about 2 servers and I have that. And have done the

> > adprep from the 32 bit cd's.

> > But where you say about the second cd on the install to not use it.

> > So just so I have a clear understanding I might have a better chance at

> > getting this right if I try from scratch on the 64bit 2003 server but not

> > install the second CD. do the domain controller upgrade.

> >

> > If that works then a guy would install the second cd once things are

> > working

> > and 2000 DC are removed.

> >

> > Let me know. I want to say thanks for your help guys.

> > I tested this all in a test lab and I got it to upgrade etc. but of course

> > once I start messing with a server that has been in production for a few

> > years it is a different story.

> >

> >

> > "Jorge Silva" wrote:

> >

> >> You can't do a direct upgrade from 32 to 64 bit in the same machine.

> >> If you want to introduce the 64 bit Windows 2003 you'll need a separate

> >> server.

> >>

> >> To introduce Windows 2003 in your 2000 forest you first need to upgrade

> >> the

> >> forest and the Domain using adprep.

> >>

> >> Is not mandatory upgrade the schema to R2, this applies to 32bit and

> >> 64bit

> >> OS W2k3 If you install only OS and ignore/dismiss the second CD after the

> >> OS

> >> is installed then you have a Windows2003SP1/2 normal. If you run the

> >> second

> >> CD after OS installation then you'll be forced to upgrade the schema when

> >> you try to introduce that server as a DC, but isn't MANDATORY to do that

> >> unless you run the second CD after OS promotion.

> >>

> >> Now because you're running 32 bit version in other DCs, to upgrade the

> >> forest to R2 you'll need to run adprep 32bit version in the schema master.

> >>

> >> --

> >> I hope that the information above helps you.

> >> Have a Nice day.

> >>

> >> Jorge Silva

> >> MCSE, MVP Directory Services

> >> "TM" <TM@discussions.microsoft.com> wrote in message

> >> news:3A6222A9-E94B-4CB9-8C8B-6196B4E3E9EE@microsoft.com...

> >> > Thanks for the response.

> >> > I have read where to upgrade to 2003 but with a few of the programs I

> >> > have

> >> > on there currently I don't want to do that option on that server cause

> >> > it

> >> > is

> >> > still needed for other apps.

> >> >

> >> > What do you think of building a server 2000 and making it a domain

> >> > controller. DCPromoing the current server so it isn't a Domain

> >> > Controller

> >> > any

> >> > more. then doing the suggested upgrade to 2003. Then moving the domain

> >> > controller role to the server that I am intending it to be on.

> >> >

> >> > So it will be a few more steps and time than I wanted to spend but does

> >> > this

> >> > seem a feasible option?

> >> >

> >> > Thanks for your help.

> >> >

> >> > "Meinolf Weber" wrote:

> >> >

> >> >> Hello tm,

> >> >>

> >> >> Maybe you did not read the article completely? With a windows 2000

> >> >> domain

> >> >> controller it is not possible to change it. You have to upgrade to

> >> >> 2003

> >> >> like

> >> >> stated in the article.

> >> >>

> >> >> Best regards

> >> >>

> >> >> Meinolf Weber

> >> >> Disclaimer: This posting is provided "AS IS" with no warranties, and

> >> >> confers

> >> >> no rights.

> >> >>

> >> >> > Well I have went through the article that both of you have suggested

> >> >> > without

> >> >> > any luck. Unless I am doing something wrong.

> >> >> > Just a question does it matter if I am going to from 32bit 2000

> >> >> > server

> >> >> > to a

> >> >> > 64bit 2003 server?

> >> >> > Also, I have the 2000 server at native mode the only 2000 server as

> >> >> > Domain Controller with Exchange 2000 on it.

> >> >> >

> >> >> > Is there any other suggestions to get this fixed?

> >> >> >

> >> >> > "Jorge Silva" wrote:

> >> >> >

> >> >> >> With Windows 2000 DCs you shouldn't get your DFL and FFL more than

> >> >> >> Windows

> >> >> >> 2000 Native otherwise the 2000 DCs will stop working.

> >> >> >> Please read:

> >> >> >> http://support.microsoft.com/kb/322692

> >> >> >> --

> >> >> >> I hope that the information above helps you.

> >> >> >> Have a Nice day.

> >> >> >> Jorge Silva

> >> >> >> MCSE, MVP Directory Services

> >> >> >> "TM" <TM@discussions.microsoft.com> wrote in message

> >> >> >> news:A9BB3E80-DB8B-41CC-A527-9C6B38A94229@microsoft.com...

> >> >> >>> Sorry for not getting more info

> >> >> >>> On the current Server 2000 DC it is on Service Pack 4 with all the

> >> >> >>> available

> >> >> >>> updates.

> >> >> >>> On the Server 2003 std. I have all the updates installed.

> >> >> >>> It has all the roles and global catalog server.

> >> >> >>> But I am to the step of raising the domain functional level now

> >> >> >>> and

> >> >> >>> I am getting the message below about not able to raise.

> >> >> >>>

> >> >> >>> If there is any other information I need to add let me know.

> >> >> >>> thanks for your response

> >> >> >>> --------------------------------------------------------------------

> >> >> >>> ----------------------------

> >> >> >>> To update the domain functional level, the domain controllers in

> >> >> >>> the

> >> >> >>> domain

> >> >> >>> must be running the appropriate version of windows.

> >> >> >>> Domain Name

> >> >> >>> norfolkiron.com

> >> >> >>> Current domain functional level

> >> >> >>> Windows 2000 native

> >> >> >>> The following domain controllers are running earlier versions of

> >> >> >>> windows:

> >> >> >>> Domain Name Domain Controller Version of Windows

> >> >> >>> norfolkiron.com server1.norfolkiron.com Windows 2000 Server 5.0

> >> >> >>> (2195)

> >> >> >>> --------------------------------------------------------------------

> >> >> >>> ----------------------------

> >> >> >>> "Jorge Silva" wrote:

> >> >> >>>

> >> >> >>>> Hi

> >> >> >>>> Is this the error?

> >> >> >>>> Error message when you run the Active Directory Installation

> >> >> >>>> Wizard: "The

> >> >> >>>> version of the Active Directory schema of the source forest is

> >> >> >>>> not

> >> >> >>>> compatible with the version of Active Directory on this computer"

> >> >> >>>> http://support.microsoft.com/?kbid=917385

> >> >> >>>>

> >> >> >>>> --

> >> >> >>>> I hope that the information above helps you.

> >> >> >>>> Have a Nice day.

> >> >> >>>> Jorge Silva

> >> >> >>>> MCSE, MVP Directory Services

> >> >> >>>> "TM" <TM@discussions.microsoft.com> wrote in message

> >> >> >>>> news:3B68DD51-4FA6-4FE4-81D9-B205ED7C7D01@microsoft.com...

> >> >> >>>>> I am having a very hard time upgrading the Domain controller

> >> >> >>>>> from

> >> >> >>>>> server

> >> >> >>>>> 2000

> >> >> >>>>> to server 2003. It keeps sending back a message saying that the

> >> >> >>>>> server

> >> >> >>>>> 2000

> >> >> >>>>> is at an earlier version. But I have all the updates done and

> >> >> >>>>> everything

> >> >> >>>>> that

> >> >> >>>>> I have read I have tried.

> >> >> >>>>> I am at the end of the rope need some assistance in suggestions

> >> >> >>>>> in

> >> >> >>>>> getting

> >> >> >>>>> this moved over. Would love to start using my exchange 2007 box

> >> >> >>>>> but

> >> >> >>>>> with

> >> >> >>>>> the

> >> >> >>>>> Domain upgrade holding me back this isn't fun any more.

> >> >> >>>>> Thanks in advance for any assistance

> >> >> >>>>>

> >> >>

> >> >>

> >> >>

> >>

> >>

> >>

>

 



 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Server 2000 domain upgrade to Server 2003

Date: 09/25/2007 15:33:10

You need the 32 bit version, not the 64bit.

64bit CDs/DVDs are not compatible with 32bit version.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"TM" <TM@discussions.microsoft.com> wrote in message

news:991CAAC9-72E1-41F0-98A0-DA27627145F5@microsoft.com...

> Well I have done that when getting everything set to upgrade to the 2003

> server 64bit r2 version of server.

> I used the supplied CD's that I had bought.

> But I still ran into the issue of the 2000 dc being an earlier version.

>

> "Jorge Silva" wrote:

>

>> You may use the 64bit R2 in the existing forest, you only need to get the

>> second CD "where the adprep is" 32 bit version. You can get the 2nd CD

>> from

>> Microsoft site for the trial version of the Windows 2003 R2 32bit and use

>> it

>> to upgrade your 32 bit forest to R2.

>>

>> --

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

>> "TM" <TM@discussions.microsoft.com> wrote in message

>> news:FE79DC66-E86A-416E-A588-2DC3F48EEB35@microsoft.com...

>> > Jorge,

>> > Thanks for the reply.

>> > I understand the fact about 2 servers and I have that. And have done

>> > the

>> > adprep from the 32 bit cd's.

>> > But where you say about the second cd on the install to not use it.

>> > So just so I have a clear understanding I might have a better chance at

>> > getting this right if I try from scratch on the 64bit 2003 server but

>> > not

>> > install the second CD. do the domain controller upgrade.

>> >

>> > If that works then a guy would install the second cd once things are

>> > working

>> > and 2000 DC are removed.

>> >

>> > Let me know. I want to say thanks for your help guys.

>> > I tested this all in a test lab and I got it to upgrade etc. but of

>> > course

>> > once I start messing with a server that has been in production for a

>> > few

>> > years it is a different story.

>> >

>> >

>> > "Jorge Silva" wrote:

>> >

>> >> You can't do a direct upgrade from 32 to 64 bit in the same machine.

>> >> If you want to introduce the 64 bit Windows 2003 you'll need a

>> >> separate

>> >> server.

>> >>

>> >> To introduce Windows 2003 in your 2000 forest you first need to

>> >> upgrade

>> >> the

>> >> forest and the Domain using adprep.

>> >>

>> >> Is not mandatory upgrade the schema to R2, this applies to 32bit and

>> >> 64bit

>> >> OS W2k3 If you install only OS and ignore/dismiss the second CD after

>> >> the

>> >> OS

>> >> is installed then you have a Windows2003SP1/2 normal. If you run the

>> >> second

>> >> CD after OS installation then you'll be forced to upgrade the schema

>> >> when

>> >> you try to introduce that server as a DC, but isn't MANDATORY to do

>> >> that

>> >> unless you run the second CD after OS promotion.

>> >>

>> >> Now because you're running 32 bit version in other DCs, to upgrade the

>> >> forest to R2 you'll need to run adprep 32bit version in the schema

>> >> master.

>> >>

>> >> --

>> >> I hope that the information above helps you.

>> >> Have a Nice day.

>> >>

>> >> Jorge Silva

>> >> MCSE, MVP Directory Services

>> >> "TM" <TM@discussions.microsoft.com> wrote in message

>> >> news:3A6222A9-E94B-4CB9-8C8B-6196B4E3E9EE@microsoft.com...

>> >> > Thanks for the response.

>> >> > I have read where to upgrade to 2003 but with a few of the programs

>> >> > I

>> >> > have

>> >> > on there currently I don't want to do that option on that server

>> >> > cause

>> >> > it

>> >> > is

>> >> > still needed for other apps.

>> >> >

>> >> > What do you think of building a server 2000 and making it a domain

>> >> > controller. DCPromoing the current server so it isn't a Domain

>> >> > Controller

>> >> > any

>> >> > more. then doing the suggested upgrade to 2003. Then moving the

>> >> > domain

>> >> > controller role to the server that I am intending it to be on.

>> >> >

>> >> > So it will be a few more steps and time than I wanted to spend but

>> >> > does

>> >> > this

>> >> > seem a feasible option?

>> >> >

>> >> > Thanks for your help.

>> >> >

>> >> > "Meinolf Weber" wrote:

>> >> >

>> >> >> Hello tm,

>> >> >>

>> >> >> Maybe you did not read the article completely? With a windows 2000

>> >> >> domain

>> >> >> controller it is not possible to change it. You have to upgrade to

>> >> >> 2003

>> >> >> like

>> >> >> stated in the article.

>> >> >>

>> >> >> Best regards

>> >> >>

>> >> >> Meinolf Weber

>> >> >> Disclaimer: This posting is provided "AS IS" with no warranties,

>> >> >> and

>> >> >> confers

>> >> >> no rights.

>> >> >>

>> >> >> > Well I have went through the article that both of you have

>> >> >> > suggested

>> >> >> > without

>> >> >> > any luck. Unless I am doing something wrong.

>> >> >> > Just a question does it matter if I am going to from 32bit 2000

>> >> >> > server

>> >> >> > to a

>> >> >> > 64bit 2003 server?

>> >> >> > Also, I have the 2000 server at native mode the only 2000 server

>> >> >> > as

>> >> >> > Domain Controller with Exchange 2000 on it.

>> >> >> >

>> >> >> > Is there any other suggestions to get this fixed?

>> >> >> >

>> >> >> > "Jorge Silva" wrote:

>> >> >> >

>> >> >> >> With Windows 2000 DCs you shouldn't get your DFL and FFL more

>> >> >> >> than

>> >> >> >> Windows

>> >> >> >> 2000 Native otherwise the 2000 DCs will stop working.

>> >> >> >> Please read:

>> >> >> >> http://support.microsoft.com/kb/322692

>> >> >> >> --

>> >> >> >> I hope that the information above helps you.

>> >> >> >> Have a Nice day.

>> >> >> >> Jorge Silva

>> >> >> >> MCSE, MVP Directory Services

>> >> >> >> "TM" <TM@discussions.microsoft.com> wrote in message

>> >> >> >> news:A9BB3E80-DB8B-41CC-A527-9C6B38A94229@microsoft.com...

>> >> >> >>> Sorry for not getting more info

>> >> >> >>> On the current Server 2000 DC it is on Service Pack 4 with all

>> >> >> >>> the

>> >> >> >>> available

>> >> >> >>> updates.

>> >> >> >>> On the Server 2003 std. I have all the updates installed.

>> >> >> >>> It has all the roles and global catalog server.

>> >> >> >>> But I am to the step of raising the domain functional level now

>> >> >> >>> and

>> >> >> >>> I am getting the message below about not able to raise.

>> >> >> >>>

>> >> >> >>> If there is any other information I need to add let me know.

>> >> >> >>> thanks for your response

>> >> >> >>> --------------------------------------------------------------------

>> >> >> >>> ----------------------------

>> >> >> >>> To update the domain functional level, the domain controllers

>> >> >> >>> in

>> >> >> >>> the

>> >> >> >>> domain

>> >> >> >>> must be running the appropriate version of windows.

>> >> >> >>> Domain Name

>> >> >> >>> norfolkiron.com

>> >> >> >>> Current domain functional level

>> >> >> >>> Windows 2000 native

>> >> >> >>> The following domain controllers are running earlier versions

>> >> >> >>> of

>> >> >> >>> windows:

>> >> >> >>> Domain Name Domain Controller Version of Windows

>> >> >> >>> norfolkiron.com server1.norfolkiron.com Windows 2000 Server 5.0

>> >> >> >>> (2195)

>> >> >> >>> --------------------------------------------------------------------

>> >> >> >>> ----------------------------

>> >> >> >>> "Jorge Silva" wrote:

>> >> >> >>>

>> >> >> >>>> Hi

>> >> >> >>>> Is this the error?

>> >> >> >>>> Error message when you run the Active Directory Installation

>> >> >> >>>> Wizard: "The

>> >> >> >>>> version of the Active Directory schema of the source forest is

>> >> >> >>>> not

>> >> >> >>>> compatible with the version of Active Directory on this

>> >> >> >>>> computer"

>> >> >> >>>> http://support.microsoft.com/?kbid=917385

>> >> >> >>>>

>> >> >> >>>> --

>> >> >> >>>> I hope that the information above helps you.

>> >> >> >>>> Have a Nice day.

>> >> >> >>>> Jorge Silva

>> >> >> >>>> MCSE, MVP Directory Services

>> >> >> >>>> "TM" <TM@discussions.microsoft.com> wrote in message

>> >> >> >>>> news:3B68DD51-4FA6-4FE4-81D9-B205ED7C7D01@microsoft.com...

>> >> >> >>>>> I am having a very hard time upgrading the Domain controller

>> >> >> >>>>> from

>> >> >> >>>>> server

>> >> >> >>>>> 2000

>> >> >> >>>>> to server 2003. It keeps sending back a message saying that

>> >> >> >>>>> the

>> >> >> >>>>> server

>> >> >> >>>>> 2000

>> >> >> >>>>> is at an earlier version. But I have all the updates done and

>> >> >> >>>>> everything

>> >> >> >>>>> that

>> >> >> >>>>> I have read I have tried.

>> >> >> >>>>> I am at the end of the rope need some assistance in

>> >> >> >>>>> suggestions

>> >> >> >>>>> in

>> >> >> >>>>> getting

>> >> >> >>>>> this moved over. Would love to start using my exchange 2007

>> >> >> >>>>> box

>> >> >> >>>>> but

>> >> >> >>>>> with

>> >> >> >>>>> the

>> >> >> >>>>> Domain upgrade holding me back this isn't fun any more.

>> >> >> >>>>> Thanks in advance for any assistance

>> >> >> >>>>>

>> >> >>

>> >> >>

>> >> >>

>> >>

>> >>

>> >>

>>
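The two version checks this thread keeps running into, as an added example that is not part of the original posts and not Microsoft's code: which DCs block a functional-level raise, and whether adprep must run before a new DC is promoted. It assumes you have already exported each DC's `operatingSystemVersion` and the schema's `objectVersion` (13, 30 and 31 for Windows 2000, Windows Server 2003 and 2003 R2); the second DC's hostname is constructed, and all function names are hypothetical.

```python
import re
from dataclasses import dataclass

# Minimum DC OS version (major, minor) that each functional level tolerates.
MIN_OS_FOR_DFL = {
    "Windows 2000 native": (5, 0),
    "Windows Server 2003": (5, 2),
}

# Schema objectVersion left behind by adprep /forestprep of each release.
SCHEMA_VERSION = {
    "Windows 2000": 13,
    "Windows Server 2003": 30,
    "Windows Server 2003 R2": 31,
}

# operatingSystemVersion looks like "5.0 (2195)": major.minor (build).
_OS_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\s*\((\d+)\)\s*$")


@dataclass(frozen=True)
class DomainController:
    fqdn: str
    os_name: str
    os_version: str


def parse_os_version(value):
    """Return (major, minor, build) from an operatingSystemVersion string."""
    match = _OS_VERSION_RE.match(value)
    if not match:
        raise ValueError(f"unrecognised operatingSystemVersion: {value!r}")
    return tuple(int(part) for part in match.groups())


def dfl_blockers(dcs, target_level):
    """List the DCs whose OS is too old for the target functional level."""
    if target_level not in MIN_OS_FOR_DFL:
        raise ValueError(f"unknown functional level: {target_level!r}")
    required = MIN_OS_FOR_DFL[target_level]
    return [dc for dc in dcs if parse_os_version(dc.os_version)[:2] < required]


def adprep_needed(schema_object_version, new_dc_release):
    """True when the forest schema is older than the new DC's release needs."""
    if new_dc_release not in SCHEMA_VERSION:
        raise ValueError(f"unknown release: {new_dc_release!r}")
    return schema_object_version < SCHEMA_VERSION[new_dc_release]


def preflight(dcs, schema_object_version, target_level, new_dc_release):
    """Collect every finding so the operator sees all blockers at once."""
    report = []
    for dc in dfl_blockers(dcs, target_level):
        report.append(
            f"BLOCKER: {dc.fqdn} runs {dc.os_name} {dc.os_version}; "
            f"demote or upgrade it before raising to {target_level}"
        )
    if adprep_needed(schema_object_version, new_dc_release):
        report.append(
            f"ADPREP: schema objectVersion {schema_object_version} is below "
            f"{SCHEMA_VERSION[new_dc_release]} required for {new_dc_release}"
        )
    return report


# Inventory: the first row is the DC named in the quoted wizard output,
# the second row is a constructed hostname for the new 2003 server.
SAMPLE_DCS = [
    DomainController("server1.norfolkiron.com", "Windows 2000 Server", "5.0 (2195)"),
    DomainController("server2.norfolkiron.com", "Windows Server 2003", "5.2 (3790)"),
]

if __name__ == "__main__":
    # Schema already at 30 (2003 adprep done), new DC has R2 components installed.
    for line in preflight(SAMPLE_DCS, 30, "Windows Server 2003",
                          "Windows Server 2003 R2"):
        print(line)
```

Run against the sample inventory, the check reports the remaining Windows 2000 DC as the reason the raise is refused, which matches the wizard message quoted in the thread.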

 



 

From: TM <TM@discussions.microsoft.com>

To: none

Subject: Re: Server 2000 domain upgrade to Server 2003

Date: 09/25/2007 15:46:02

I do have the 32bit version of server 2003 r2 and also the 64bit version of

2003 r2

 

"Jorge Silva" wrote:

 

> You need the 32 bit version, not the 64bit.

> 64bit CDs/DVDs are not compatible with 32bit version.

>

> --

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

> "TM" <TM@discussions.microsoft.com> wrote in message

> news:991CAAC9-72E1-41F0-98A0-DA27627145F5@microsoft.com...

> > Well I have done that when getting everything set to upgrade to the 2003

> > server 64bit r2 version of server.

> > I used the supplied CD's that I had bought.

> > But I still ran into the issue of the 2000 dc being an earlier version.

> >

> > "Jorge Silva" wrote:

> >

> >> You may use the 64bit R2 in the existing forest, you only need to get the

> >> second CD "where the adprep is" 32 bit version. You can get the 2nd CD

> >> from

> >> Microsoft site for the trial version of the Windows 2003 R2 32bit and use

> >> it

> >> to upgrade your 32 bit forest to R2.

> >>

> >> --

> >> I hope that the information above helps you.

> >> Have a Nice day.

> >>

> >> Jorge Silva

> >> MCSE, MVP Directory Services

> >> "TM" <TM@discussions.microsoft.com> wrote in message

> >> news:FE79DC66-E86A-416E-A588-2DC3F48EEB35@microsoft.com...

> >> > Jorge,

> >> > Thanks for the reply.

> >> > I understand the fact about 2 servers and I have that. And have done

> >> > the

> >> > adprep from the 32 bit cd's.

> >> > But where you say about the second cd on the install to not use it.

> >> > So just so I have a clear understanding I might have a better chance at

> >> > getting this right if I try from scratch on the 64bit 2003 server but

> >> > not

> >> > install the second CD. do the domain controller upgrade.

> >> >

> >> > If that works then a guy would install the second cd once things are

> >> > working

> >> > and 2000 DC are removed.

> >> >

> >> > Let me know. I want to say thanks for your help guys.

> >> > I tested this all in a test lab and I got it to upgrade etc. but of

> >> > course

> >> > once I start messing with a server that has been in production for a

> >> > few

> >> > years it is a different story.

> >> >

> >> >

> >> > "Jorge Silva" wrote:

> >> >

> >> >> You can't do a direct upgrade from 32 to 64 bit in the same machine.

> >> >> If you want to introduce the 64 bit Windows 2003 you'll need a

> >> >> separate

> >> >> server.

> >> >>

> >> >> To introduce Windows 2003 in your 2000 forest you first need to

> >> >> upgrade

> >> >> the

> >> >> forest and the Domain using adprep.

> >> >>

> >> >> Is not mandatory upgrade the schema to R2, this applies to 32bit and

> >> >> 64bit

> >> >> OS W2k3 If you install only OS and ignore/dismiss the second CD after

> >> >> the

> >> >> OS

> >> >> is installed then you have a Windows2003SP1/2 normal. If you run the

> >> >> second

> >> >> CD after OS installation then you'll be forced to upgrade the schema

> >> >> when

> >> >> you try to introduce that server as a DC, but isn't MANDATORY to do

> >> >> that

> >> >> unless you run the second CD after OS promotion.

> >> >>

> >> >> Now because you're running 32 bit version in other DCs, to upgrade the

> >> >> forest to R2 you'll need to run adprep 32bit version in the schema

> >> >> master.

> >> >>

> >> >> --

> >> >> I hope that the information above helps you.

> >> >> Have a Nice day.

> >> >>

> >> >> Jorge Silva

> >> >> MCSE, MVP Directory Services

> >> >> "TM" <TM@discussions.microsoft.com> wrote in message

> >> >> news:3A6222A9-E94B-4CB9-8C8B-6196B4E3E9EE@microsoft.com...

> >> >> > Thanks for the response.

> >> >> > I have read where to upgrade to 2003 but with a few of the programs

> >> >> > I

> >> >> > have

> >> >> > on there currently I don't want to do that option on that server

> >> >> > cause

> >> >> > it

> >> >> > is

> >> >> > still needed for other apps.

> >> >> >

> >> >> > What do you think of building a server 2000 and making it a domain

> >> >> > controller. DCPromoing the current server so it isn't a Domain

> >> >> > Controller

> >> >> > any

> >> >> > more. then doing the suggested upgrade to 2003. Then moving the

> >> >> > domain

> >> >> > controller role to the server that I am intending it to be on.

> >> >> >

> >> >> > So it will be a few more steps and time than I wanted to spend but

> >> >> > does

> >> >> > this

> >> >> > seem a feasible option?

> >> >> >

> >> >> > Thanks for your help.

> >> >> >

> >> >> > "Meinolf Weber" wrote:

> >> >> >

> >> >> >> Hello tm,

> >> >> >>

> >> >> >> Maybe you did not read the article completely? With a windows 2000

> >> >> >> domain

> >> >> >> controller it is not possible to change it. You have to upgrade to

> >> >> >> 2003

> >> >> >> like

> >> >> >> stated in the article.

> >> >> >>

> >> >> >> Best regards

> >> >> >>

> >> >> >> Meinolf Weber

> >> >> >> Disclaimer: This posting is provided "AS IS" with no warranties,

> >> >> >> and

> >> >> >> confers

> >> >> >> no rights.

> >> >> >>

> >> >> >> > Well I have went through the article that both of you have

> >> >> >> > suggested

> >> >> >> > without

> >> >> >> > any luck. Unless I am doing something wrong.

> >> >> >> > Just a question does it matter if I am going to from 32bit 2000

> >> >> >> > server

> >> >> >> > to a

> >> >> >> > 64bit 2003 server?

> >> >> >> > Also, I have the 2000 server at native mode the only 2000 server

> >> >> >> > as

> >> >> >> > Domain Controller with Exchange 2000 on it.

> >> >> >> >

> >> >> >> > Is there any other suggestions to get this fixed?

> >> >> >> >

> >> >> >> > "Jorge Silva" wrote:

> >> >> >> >

> >> >> >> >> With Windows 2000 DCs you shouldn't get your DFL and FFL more

> >> >> >> >> than

> >> >> >> >> Windows

> >> >> >> >> 2000 Native otherwise the 2000 DCs will stop working.

> >> >> >> >> Please read:

> >> >> >> >> http://support.microsoft.com/kb/322692

> >> >> >> >> --

> >> >> >> >> I hope that the information above helps you.

> >> >> >> >> Have a Nice day.

> >> >> >> >> Jorge Silva

> >> >> >> >> MCSE, MVP Directory Services

> >> >> >> >> "TM" <TM@discussions.microsoft.com> wrote in message

> >> >> >> >> news:A9BB3E80-DB8B-41CC-A527-9C6B38A94229@microsoft.com...

> >> >> >> >>> Sorry for not getting more info

> >> >> >> >>> On the current Server 2000 DC it is on Service Pack 4 with all

> >> >> >> >>> the

> >> >> >> >>> available

> >> >> >> >>> updates.

> >> >> >> >>> On the Server 2003 std. I have all the updates installed.

> >> >> >> >>> It has all the roles and global catalog server.

> >> >> >> >>> But I am to the step of raising the domain functional level now

> >> >> >> >>> and

> >> >> >> >>> I am getting the message below about not able to raise.

> >> >> >> >>>

> >> >> >> >>> If there is any other information I need to add let me know.

> >> >> >> >>> thanks for your response

> >> >> >> >>> --------------------------------------------------------------------

> >> >> >> >>> ----------------------------

> >> >> >> >>> To update the domain functional level, the domain controllers

> >> >> >> >>> in

> >> >> >> >>> the

> >> >> >> >>> domain

> >> >> >> >>> must be running the appropriate version of windows.

> >> >> >> >>> Domain Name

> >> >> >> >>> norfolkiron.com

> >> >> >> >>> Current domain functional level

> >> >> >> >>> Windows 2000 native

> >> >> >> >>> The following domain controllers are running earlier versions

> >> >> >> >>> of

> >> >> >> >>> windows:

> >> >> >> >>> Domain Name Domain Controller Version of Windows

> >> >> >> >>> norfolkiron.com server1.norfolkiron.com Windows 2000 Server 5.0

> >> >> >> >>> (2195)

> >> >> >> >>> --------------------------------------------------------------------

> >> >> >> >>> ----------------------------

> >> >> >> >>> "Jorge Silva" wrote:

> >> >> >> >>>

> >> >> >> >>>> Hi

> >> >> >> >>>> Is this the error?

> >> >> >> >>>> Error message when you run the Active Directory Installation

> >> >> >> >>>> Wizard: "The

> >> >> >> >>>> version of the Active Directory schema of the source forest is

> >> >> >> >>>> not

> >> >> >> >>>> compatible with the version of Active Directory on this

> >> >> >> >>>> computer"

> >> >> >> >>>> http://support.microsoft.com/?kbid=917385

> >> >> >> >>>>

> >> >> >> >>>> --

> >> >> >> >>>> I hope that the information above helps you.

> >> >> >> >>>> Have a Nice day.

> >> >> >> >>>> Jorge Silva

> >> >> >> >>>> MCSE, MVP Directory Services

> >> >> >> >>>> "TM" <TM@discussions.microsoft.com> wrote in message

> >> >> >> >>>> news:3B68DD51-4FA6-4FE4-81D9-B205ED7C7D01@microsoft.com...

> >> >> >> >>>>> I am having a very hard time upgrading the Domain controller

> >> >> >> >>>>> from

> >> >> >> >>>>> server

> >> >> >> >>>>> 2000

> >> >> >> >>>>> to server 2003. It keeps sending back a message saying that

> >> >> >> >>>>> the

> >> >> >> >>>>> server

> >> >> >> >>>>> 2000

> >> >> >> >>>>> is at an earlier version. But I have all the updates done and

> >> >> >> >>>>> everything

> >> >> >> >>>>> that

> >> >> >> >>>>> I have read I have tried.

> >> >> >> >>>>> I am at the end of the rope need some assistance in

> >> >> >> >>>>> suggestions

> >> >> >> >>>>> in

> >> >> >> >>>>> getting

> >> >> >> >>>>> this moved over. Would love to start using my exchange 2007

> >> >> >> >>>>> box

> >> >> >> >>>>> but

> >> >> >> >>>>> with

> >> >> >> >>>>> the

> >> >> >> >>>>> Domain upgrade holding me back this isn't fun any more.

> >> >> >> >>>>> Thanks in advance for any assistance

> >> >> >> >>>>>

> >> >> >>

> >> >> >>

> >> >> >>

> >> >>

> >> >>

> >> >>

> >>

> >>

> >>

>

 



 

From: TM <TM@discussions.microsoft.com>

To: none

Subject: Re: Server 2000 domain upgrade to Server 2003

Date: 09/25/2007 16:26:01

Would there be any reason that I would need to run the adprep again?

I have run it once with the 32bit disc 2 from the disks.

Assuming that it isn't liking the adprep that was run from before?

 

See I have followed all of Microsoft's directions to raise the domain and I

did it in a test lab but now it isn't working in the production environment.

 

One thing I have just realized which didn't make sense to me earlier and

probably why I didn't do it.

Going through the steps of

1. Upgrade the AD schema using the 32bit disc 2

2. installing active directory on the 2003 server

3. moving the roles to the new server

*4. is where it says retire the domain controllers through dcpromo

5. raising the domain level

 

Well I didn't do step 4 for the reason I was afraid it might lose

information. But after the reading I have done today since I have the 2003

server in place and roles on it. It should matter cause the 2000 works

differently than 2003.

So if I get the 2003 server with all the roles on it and it says it is DC in

the active directory it should be a good domain controller (correct?).

then run the dcpromo on the current domain controller and everything will be

happy (maybe).

 

If that makes any sense.

I think if I would have done the step 4 I wouldn't be in this predicament.

If I have nothing to worry about let me know and I will just do it and

hopefully won't have to look back and say oh shoot.

 

Thanks for your help again.

 

"Jorge Silva" wrote:

 

> You need the 32 bit version, not the 64bit.

> 64bit CDs/DVDs are not compatible with 32bit version.

>

> --

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

> "TM" <TM@discussions.microsoft.com> wrote in message

> news:991CAAC9-72E1-41F0-98A0-DA27627145F5@microsoft.com...

> > Well I have done that when getting everything set to upgrade to the 2003

> > server 64bit r2 version of server.

> > I used the supplied CD's that I had bought.

> > But I still ran into the issue of the 2000 dc being an earlier version.

> >

> > "Jorge Silva" wrote:

> >

> >> You may use the 64bit R2 in the existing forest, you only need to get the

> >> second CD "where the adprep is" 32 bit version. You can get the 2nd CD

> >> from

> >> Microsoft site for the trial version of the Windows 2003 R2 32bit and use

> >> it

> >> to upgrade your 32 bit forest to R2.

> >>

> >> --

> >> I hope that the information above helps you.

> >> Have a Nice day.

> >>

> >> Jorge Silva

> >> MCSE, MVP Directory Services

> >> "TM" <TM@discussions.microsoft.com> wrote in message

> >> news:FE79DC66-E86A-416E-A588-2DC3F48EEB35@microsoft.com...

> >> > Jorge,

> >> > Thanks for the reply.

> >> > I understand the fact about 2 servers and I have that. And have done

> >> > the

> >> > adprep from the 32 bit cd's.

> >> > But where you say about the second cd on the install to not use it.

> >> > So just so I have a clear understanding I might have a better chance at

> >> > getting this right if I try from scratch on the 64bit 2003 server but

> >> > not

> >> > install the second CD. do the domain controller upgrade.

> >> >

> >> > If that works then a guy would install the second cd once things are

> >> > working

> >> > and 2000 DC are removed.

> >> >

> >> > Let me know. I want to say thanks for your help guys.

> >> > I tested this all in a test lab and I got it to upgrade etc. but of

> >> > course

> >> > once I start messing with a server that has been in production for a

> >> > few

> >> > years it is a different story.

> >> >

> >> >

> >> > "Jorge Silva" wrote:

> >> >

> >> >> You can't do a direct upgrade from 32 to 64 bit in the same machine.

> >> >> If you want to introduce the 64 bit Windows 2003 you'll need a

> >> >> separate

> >> >> server.

> >> >>

> >> >> To introduce Windows 2003 in your 2000 forest you first need to

> >> >> upgrade

> >> >> the

> >> >> forest and the Domain using adprep.

> >> >>

> >> >> Is not mandatory upgrade the schema to R2, this applies to 32bit and

> >> >> 64bit

> >> >> OS W2k3 If you install only OS and ignore/dismiss the second CD after

> >> >> the

> >> >> OS

> >> >> is installed then you have a Windows2003SP1/2 normal. If you run the

> >> >> second

> >> >> CD after OS installation then you'll be forced to upgrade the schema

> >> >> when

> >> >> you try to introduce that server as a DC, but isn't MANDATORY to do

> >> >> that

> >> >> unless you run the second CD after OS promotion.

> >> >>

> >> >> Now because you're running 32 bit version in other DCs, to upgrade the

> >> >> forest to R2 you'll need to run adprep 32bit version in the schema

> >> >> master.

> >> >>

> >> >> --

> >> >> I hope that the information above helps you.

> >> >> Have a Nice day.

> >> >>

> >> >> Jorge Silva

> >> >> MCSE, MVP Directory Services

> >> >> "TM" <TM@discussions.microsoft.com> wrote in message

> >> >> news:3A6222A9-E94B-4CB9-8C8B-6196B4E3E9EE@microsoft.com...

> >> >> > Thanks for the response.

> >> >> > I have read where to upgrade to 2003 but with a few of the programs

> >> >> > I

> >> >> > have

> >> >> > on there currently I don't want to do that option on that server

> >> >> > cause

> >> >> > it

> >> >> > is

> >> >> > still needed for other apps.

> >> >> >

> >> >> > What do you think of building a server 2000 and making it a domain

> >> >> > controller. DCPromoing the current server so it isn't a Domain

> >> >> > Controller

> >> >> > any

> >> >> > more. then doing the suggested upgrade to 2003. Then moving the

> >> >> > domain

> >> >> > controller role to the server that I am intending it to be on.

> >> >> >

> >> >> > So it will be a few more steps and time than I wanted to spend but

> >> >> > does

> >> >> > this

> >> >> > seem a feasible option?

> >> >> >

> >> >> > Thanks for your help.

> >> >> >

> >> >> > "Meinolf Weber" wrote:

> >> >> >

> >> >> >> Hello tm,

> >> >> >>

> >> >> >> Maybe you did not read the article completely? With a windows 2000

> >> >> >> domain

> >> >> >> controller it is not possible to change it. You have to upgrade to

> >> >> >> 2003

> >> >> >> like

> >> >> >> stated in the article.

> >> >> >>

> >> >> >> Best regards

> >> >> >>

> >> >> >> Meinolf Weber

> >> >> >> Disclaimer: This posting is provided "AS IS" with no warranties,

> >> >> >> and

> >> >> >> confers

> >> >> >> no rights.

> >> >> >>

> >> >> >> > Well I have went through the article that both of you have

> >> >> >> > suggested

> >> >> >> > without

> >> >> >> > any luck. Unless I am doing something wrong.

> >> >> >> > Just a question does it matter if I am going to from 32bit 2000

> >> >> >> > server

> >> >> >> > to a

> >> >> >> > 64bit 2003 server?

> >> >> >> > Also, I have the 2000 server at native mode the only 2000 server

> >> >> >> > as

> >> >> >> > Domain Controller with Exchange 2000 on it.

> >> >> >> >

> >> >> >> > Is there any other suggestions to get this fixed?

> >> >> >> >

> >> >> >> > "Jorge Silva" wrote:

> >> >> >> >

> >> >> >> >> With Windows 2000 DCs you shouldn't get your DFL and FFL more

> >> >> >> >> than

> >> >> >> >> Windows

> >> >> >> >> 2000 Native otherwise the 2000 DCs will stop working.

> >> >> >> >> Please read:

> >> >> >> >> http://support.microsoft.com/kb/322692

> >> >> >> >> --

> >> >> >> >> I hope that the information above helps you.

> >> >> >> >> Have a Nice day.

> >> >> >> >> Jorge Silva

> >> >> >> >> MCSE, MVP Directory Services

> >> >> >> >> "TM" <TM@discussions.microsoft.com> wrote in message

> >> >> >> >> news:A9BB3E80-DB8B-41CC-A527-9C6B38A94229@microsoft.com...

> >> >> >> >>> Sorry for not getting more info

> >> >> >> >>> On the current Server 2000 DC it is on Service Pack 4 with all

> >> >> >> >>> the

> >> >> >> >>> available

> >> >> >> >>> updates.

> >> >> >> >>> On the Server 2003 std. I have all the updates installed.

> >> >> >> >>> It has all the roles and global catalog server.

> >> >> >> >>> But I am to the step of raising the domain functional level now

> >> >> >> >>> and

> >> >> >> >>> I am getting the message below about not able to raise.

> >> >> >> >>>

> >> >> >> >>> If there is any other information I need to add let me know.

> >> >> >> >>> thanks for your response

> >> >> >> >>> --------------------------------------------------------------------

> >> >> >> >>> ----------------------------

> >> >> >> >>> To update the domain functional level, the domain controllers

> >> >> >> >>> in

> >> >> >> >>> the

> >> >> >> >>> domain

> >> >> >> >>> must be running the appropriate version of windows.

> >> >> >> >>> Domain Name

> >> >> >> >>> norfolkiron.com

> >> >> >> >>> Current domain functional level

> >> >> >> >>> Windows 2000 native

> >> >> >> >>> The following domain controllers are running earlier versions

> >> >> >> >>> of

> >> >> >> >>> windows:

> >> >> >> >>> Domain Name Domain Controller Version of Windows

> >> >> >> >>> norfolkiron.com server1.norfolkiron.com Windows 2000 Server 5.0

> >> >> >> >>> (2195)

> >> >> >> >>> --------------------------------------------------------------------

> >> >> >> >>> ----------------------------

> >> >> >> >>> "Jorge Silva" wrote:

> >> >> >> >>>

> >> >> >> >>>> Hi

> >> >> >> >>>> Is this the error?

> >> >> >> >>>> Error message when you run the Active Directory Installation

> >> >> >> >>>> Wizard: "The

> >> >> >> >>>> version of the Active Directory schema of the source forest is

> >> >> >> >>>> not

> >> >> >> >>>> compatible with the version of Active Directory on this

> >> >> >> >>>> computer"

> >> >> >> >>>> http://support.microsoft.com/?kbid=917385

> >> >> >> >>>>

> >> >> >> >>>> --

> >> >> >> >>>> I hope that the information above helps you.

> >> >> >> >>>> Have a Nice day.

> >> >> >> >>>> Jorge Silva

> >> >> >> >>>> MCSE, MVP Directory Services

> >> >> >> >>>> "TM" <TM@discussions.microsoft.com> wrote in message

> >> >> >> >>>> news:3B68DD51-4FA6-4FE4-81D9-B205ED7C7D01@microsoft.com...

> >> >> >> >>>>> I am having a very hard time upgrading the Domain controller

> >> >> >> >>>>> from

> >> >> >> >>>>> server

> >> >> >> >>>>> 2000

> >> >> >> >>>>> to server 2003. It keeps sending back a message saying that

> >> >> >> >>>>> the

> >> >> >> >>>>> server

> >> >> >> >>>>> 2000

> >> >> >> >>>>> is at an earlier version. But I have all the updates done and

> >> >> >> >>>>> everything

> >> >> >> >>>>> that

> >> >> >> >>>>> I have read I have tried.

> >> >> >> >>>>> I am at the end of the rope need some assistance in

> >> >> >> >>>>> suggestions

> >> >> >> >>>>> in

> >> >> >> >>>>> getting

> >> >> >> >>>>> this moved over. Would love to start using my exchange 2007

> >> >> >> >>>>> box

> >> >> >> >>>>> but

> >> >> >> >>>>> with

> >> >> >> >>>>> the

> >> >> >> >>>>> Domain upgrade holding me back this isn't fun any more.

> >> >> >> >>>>> Thanks in advanced for any assistance

> >> >> >> >>>>>

> >> >> >>

> >> >> >>

> >> >> >>

> >> >>

> >> >>

> >> >>

> >>

> >>

> >>

>

 



 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Server 2000 domain upgrade to Server 2003

Date: 09/25/2007 16:51:39

From DISC1 (32bit:)

- You use adprep /forestprep (on schema master)

- You use adprep /domainprep (on IM master)

Replicate all changes among all existing DCs

 

From DISC2 (32bit:)

- You use Drive:\CMPNENTS\R2\ADPREP\adprep.exe /forestprep (on schema

master)

Replicate all changes among all existing DCs

 

You can also verify the operating system support level of the schema by

using the Adsiedit.exe utility or the Ldp.exe utility to view the

objectVersion attribute in the properties of the

cn=schema,cn=configuration,dc=<domain> partition.

 

At this point you should be ready to introduce the W2k3 R2.

 

As I understand you, you already have 1 DC with W2003 in the forest, and

when you try to transfer the roles you get that message?

Can you state the exact message, and how are you trying to TRANSFER the

Roles (NOT Seize the roles).

Transferring the Master Roles doesn't make 2000 DCs stop working, however if

you change your DFL/FFL to Windows 2003 all Windows 2000 DCs will stop

working in that Forest/Domain, once that you do that there's no turning

back.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"TM" <TM@discussions.microsoft.com> wrote in message

news:8CF72DB7-3B3C-424F-9AC2-7AD3BF4C7B3D@microsoft.com...

> would there be any reason that I would need to run the adprep again?

> I have ran it once with the 32bit disc 2 from the disks.

> Assuming that it isn't liking the adprep that was ran from before?

>

> See I have followed all of Microsoft's directions to raise the domain and I

> did it in a test lab but now it isn't working in the production

> environment.

>

> One thing I have just realized which didn't make sense to me earlier and

> probably why I didn't do it.

> Going through the steps of

> 1. Upgrade the AD schema using the 32bit disc 2

> 2. installing active directory on the 2003 server

> 3. moving the roles to the new server

> *4. is where it says retire the domain controllers through dcpromo

> 5. raising the domain level

>

> Well I didn't do step 4 for the reason I was afraid it might lose

> information. But after the reading I have done today since I have the 2003

> server in place and roles on it. It should matter cause the 2000 works

> differently than 2003.

> So if I get the 2003 server with all the roles on it and it says it is DC

> in

> the active directory it should be a good domain controller (correct?).

> then run the dcpromo on the current domain controller and everything will

> be

> happy (maybe).

>

> If that makes any sense.

> I think if I would have done the step 4 I wouldn't be in this

> predicament.

> If I have nothing to worry about let me know and I will just do it and

> hopefully won't have to look back and say oh shoot.

>

> Thanks for your help again.

>

> "Jorge Silva" wrote:

>

>> You need the 32 bit version, not the 64bit.

>> 64bit CDs/DVDs are not compatible with 32bit version.

>>

>> --

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

>> "TM" <TM@discussions.microsoft.com> wrote in message

>> news:991CAAC9-72E1-41F0-98A0-DA27627145F5@microsoft.com...

>> > Well I have done that when getting everything set to upgrade to the

>> > 2003

>> > server 64bit r2 version of server.

>> > I used the supplied CD's that I had bought.

>> > But I still ran into the issue of the 2000 dc being an earlier version.

>> >

>> > "Jorge Silva" wrote:

>> >

>> >> You may use the 64bit R2 in the existing forest, you only need to get

>> >> the

>> >> second CD "where the adprep is" 32 bit version. You can get the 2nd CD

>> >> from

>> >> Microsoft site for the trial version of the Windows 2003 R2 32bit and

>> >> use

>> >> it

>> >> to upgrade your 32 bit forest to R2.

>> >>

>> >> --

>> >> I hope that the information above helps you.

>> >> Have a Nice day.

>> >>

>> >> Jorge Silva

>> >> MCSE, MVP Directory Services

>> >> "TM" <TM@discussions.microsoft.com> wrote in message

>> >> news:FE79DC66-E86A-416E-A588-2DC3F48EEB35@microsoft.com...

>> >> > Jorge,

>> >> > Thanks for the reply.

>> >> > I understand the fact about 2 servers and I have that. And have done

>> >> > the

>> >> > adprep from the 32 bit cd's.

>> >> > But where you say about the second cd on the install to not use it.

>> >> > So just so I have a clear understanding I might have a better chance

>> >> > at

>> >> > getting this right if I try from scratch on the 64bit 2003 server

>> >> > but

>> >> > not

>> >> > install the second CD. do the domain controller upgrade.

>> >> >

>> >> > If that works then a guy would install the second cd once things are

>> >> > working

>> >> > and 2000 DC are removed.

>> >> >

>> >> > Let me know. I want to say thanks for your help guys.

>> >> > I tested this all in a test lab and I got it to upgrade etc. but of

>> >> > course

>> >> > once I start messing with a server that has been in production for a

>> >> > few

>> >> > years it is a different story.

>> >> >

>> >> >

>> >> > "Jorge Silva" wrote:

>> >> >

>> >> >> You can't do a direct upgrade from 32 to 64 bit in the same

>> >> >> machine.

>> >> >> If you want to introduce the 64 bit Windows 2003 you'll need a

>> >> >> separate

>> >> >> server.

>> >> >>

>> >> >> To introduce Windows 2003 in your 2000 forest you first need to

>> >> >> upgrade

>> >> >> the

>> >> >> forest and the Domain using adprep.

>> >> >>

>> >> >> Is not mandatory upgrade the schema to R2, this applies to 32bit

>> >> >> and

>> >> >> 64bit

>> >> >> OS W2k3 If you install only OS and ignore/dismiss the second CD

>> >> >> after

>> >> >> the

>> >> >> OS

>> >> >> is installed then you have a Windows2003SP1/2 normal. If you run

>> >> >> the

>> >> >> second

>> >> >> CD after OS installation then you'll be forced to upgrade the

>> >> >> schema

>> >> >> when

>> >> >> you try to introduce that server as a DC, but isn't MANDATORY to do

>> >> >> that

>> >> >> unless you run the second CD after OS promotion.

>> >> >>

>> >> >> Now because you're running 32 bit version in other DCs, to upgrade

>> >> >> the

>> >> >> forest to R2 you'll need to run adprep 32bit version in the schema

>> >> >> master.

>> >> >>

>> >> >> --

>> >> >> I hope that the information above helps you.

>> >> >> Have a Nice day.

>> >> >>

>> >> >> Jorge Silva

>> >> >> MCSE, MVP Directory Services

>> >> >> "TM" <TM@discussions.microsoft.com> wrote in message

>> >> >> news:3A6222A9-E94B-4CB9-8C8B-6196B4E3E9EE@microsoft.com...

>> >> >> > Thanks for the response.

>> >> >> > I have read where to upgrade to 2003 but with a few of the

>> >> >> > programs

>> >> >> > I

>> >> >> > have

>> >> >> > on there currently I don't want to do that option on that server

>> >> >> > cause

>> >> >> > it

>> >> >> > is

>> >> >> > still needed for other apps.

>> >> >> >

>> >> >> > What do you think of building a server 2000 and making it a

>> >> >> > domain

>> >> >> > controller. DCPromoing the current server so it isn't a Domain

>> >> >> > Controller

>> >> >> > any

>> >> >> > more. then doing the suggested upgrade to 2003. Then moving the

>> >> >> > domain

>> >> >> > controller role to the server that I am intending it to be on.

>> >> >> >

>> >> >> > So it will be a few more steps and time than I wanted to spend

>> >> >> > but

>> >> >> > does

>> >> >> > this

>> >> >> > seem a feasible option?

>> >> >> >

>> >> >> > Thanks for your help.

>> >> >> >

>> >> >> > "Meinolf Weber" wrote:

>> >> >> >

>> >> >> >> Hello tm,

>> >> >> >>

>> >> >> >> Maybe you did not read the article completely? With a windows

>> >> >> >> 2000

>> >> >> >> domain

>> >> >> >> controller it is not possible to change it. You have to upgrade

>> >> >> >> to

>> >> >> >> 2003

>> >> >> >> like

>> >> >> >> stated in the article.

>> >> >> >>

>> >> >> >> Best regards

>> >> >> >>

>> >> >> >> Meinolf Weber

>> >> >> >> Disclaimer: This posting is provided "AS IS" with no warranties,

>> >> >> >> and

>> >> >> >> confers

>> >> >> >> no rights.

>> >> >> >>

>> >> >> >> > Well I have went through the article that both of you have

>> >> >> >> > suggested

>> >> >> >> > without

>> >> >> >> > any luck. Unless I am doing something wrong.

>> >> >> >> > Just a question does it matter if I am going to from 32bit

>> >> >> >> > 2000

>> >> >> >> > server

>> >> >> >> > to a

>> >> >> >> > 64bit 2003 server?

>> >> >> >> > Also, I have the 2000 server at native mode the only 2000

>> >> >> >> > server

>> >> >> >> > as

>> >> >> >> > Domain Controller with Exchange 2000 on it.

>> >> >> >> >

>> >> >> >> > Is there any other suggestions to get this fixed?

>> >> >> >> >

>> >> >> >> > "Jorge Silva" wrote:

>> >> >> >> >

>> >> >> >> >> With Windows 2000 DCs you shouldn't get your DFL and FFL more

>> >> >> >> >> than

>> >> >> >> >> Windows

>> >> >> >> >> 2000 Native otherwise the 2000 DCs will stop working.

>> >> >> >> >> Please read:

>> >> >> >> >> http://support.microsoft.com/kb/322692

>> >> >> >> >> --

>> >> >> >> >> I hope that the information above helps you.

>> >> >> >> >> Have a Nice day.

>> >> >> >> >> Jorge Silva

>> >> >> >> >> MCSE, MVP Directory Services

>> >> >> >> >> "TM" <TM@discussions.microsoft.com> wrote in message

>> >> >> >> >> news:A9BB3E80-DB8B-41CC-A527-9C6B38A94229@microsoft.com...

>> >> >> >> >>> Sorry for not getting more info

>> >> >> >> >>> On the current Server 2000 DC it is on Service Pack 4 with

>> >> >> >> >>> all

>> >> >> >> >>> the

>> >> >> >> >>> available

>> >> >> >> >>> updates.

>> >> >> >> >>> On the Server 2003 std. I have all the updates installed.

>> >> >> >> >>> It has all the roles and global catalog server.

>> >> >> >> >>> But I am to the step of raising the domain functional level

>> >> >> >> >>> now

>> >> >> >> >>> and

>> >> >> >> >>> I am getting the message below about not able to raise.

>> >> >> >> >>>

>> >> >> >> >>> If there is any other information I need to add let me know.

>> >> >> >> >>> thanks for your response

>> >> >> >> >>> --------------------------------------------------------------------

>> >> >> >> >>> ----------------------------

>> >> >> >> >>> To update the domain functional level, the domain

>> >> >> >> >>> controllers

>> >> >> >> >>> in

>> >> >> >> >>> the

>> >> >> >> >>> domain

>> >> >> >> >>> must be running the appropriate version of windows.

>> >> >> >> >>> Domain Name

>> >> >> >> >>> norfolkiron.com

>> >> >> >> >>> Current domain functional level

>> >> >> >> >>> Windows 2000 native

>> >> >> >> >>> The following domain controllers are running earlier

>> >> >> >> >>> versions

>> >> >> >> >>> of

>> >> >> >> >>> windows:

>> >> >> >> >>> Domain Name Domain Controller Version of Windows

>> >> >> >> >>> norfolkiron.com server1.norfolkiron.com Windows 2000 Server

>> >> >> >> >>> 5.0

>> >> >> >> >>> (2195)

>> >> >> >> >>> --------------------------------------------------------------------

>> >> >> >> >>> ----------------------------

>> >> >> >> >>> "Jorge Silva" wrote:

>> >> >> >> >>>

>> >> >> >> >>>> Hi

>> >> >> >> >>>> Is this the error?

>> >> >> >> >>>> Error message when you run the Active Directory

>> >> >> >> >>>> Installation

>> >> >> >> >>>> Wizard: "The

>> >> >> >> >>>> version of the Active Directory schema of the source forest

>> >> >> >> >>>> is

>> >> >> >> >>>> not

>> >> >> >> >>>> compatible with the version of Active Directory on this

>> >> >> >> >>>> computer"

>> >> >> >> >>>> http://support.microsoft.com/?kbid=917385

>> >> >> >> >>>>

>> >> >> >> >>>> --

>> >> >> >> >>>> I hope that the information above helps you.

>> >> >> >> >>>> Have a Nice day.

>> >> >> >> >>>> Jorge Silva

>> >> >> >> >>>> MCSE, MVP Directory Services

>> >> >> >> >>>> "TM" <TM@discussions.microsoft.com> wrote in message

>> >> >> >> >>>> news:3B68DD51-4FA6-4FE4-81D9-B205ED7C7D01@microsoft.com...

>> >> >> >> >>>>> I am having a very hard time upgrading the Domain

>> >> >> >> >>>>> controller

>> >> >> >> >>>>> from

>> >> >> >> >>>>> server

>> >> >> >> >>>>> 2000

>> >> >> >> >>>>> to server 2003. It keeps sending back a message saying

>> >> >> >> >>>>> that

>> >> >> >> >>>>> the

>> >> >> >> >>>>> server

>> >> >> >> >>>>> 2000

>> >> >> >> >>>>> is at an earlier version. But I have all the updates done

>> >> >> >> >>>>> and

>> >> >> >> >>>>> everything

>> >> >> >> >>>>> that

>> >> >> >> >>>>> I have read I have tried.

>> >> >> >> >>>>> I am at the end of the rope need some assistance in

>> >> >> >> >>>>> suggestions

>> >> >> >> >>>>> in

>> >> >> >> >>>>> getting

>> >> >> >> >>>>> this moved over. Would love to start using my exchange

>> >> >> >> >>>>> 2007

>> >> >> >> >>>>> box

>> >> >> >> >>>>> but

>> >> >> >> >>>>> with

>> >> >> >> >>>>> the

>> >> >> >> >>>>> Domain upgrade holding me back this isn't fun any more.

>> >> >> >> >>>>> Thanks in advanced for any assistance

>> >> >> >> >>>>>

>> >> >> >>

>> >> >> >>

>> >> >> >>

>> >> >>

>> >> >>

>> >> >>

>> >>

>> >>

>> >>

>>
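The schema check and the ordering discussed in this thread (every Windows 2000 DC demoted before the domain functional level is raised), as an added example that is not part of the original posts: a Python pre-flight that reads an LDIF export of the schema container and the computer accounts and reports which DCs would block the raise. The sample export, host names and function names are constructed; the objectVersion values 13/30/31, the 5.2 OS-version threshold and the SERVER_TRUST_ACCOUNT bit are standard Active Directory values assumed here, not taken from the thread.

```python
import re

# Schema objectVersion values written by adprep /forestprep (assumed standard values).
SCHEMA_VERSIONS = {13: "Windows 2000", 30: "Windows Server 2003",
                   31: "Windows Server 2003 R2"}
SERVER_TRUST_ACCOUNT = 0x2000      # userAccountControl bit set on DC computer accounts
MIN_OS_FOR_DFL_2003 = (5, 2)       # Windows Server 2003 reports 5.2; Windows 2000 reports 5.0

# Constructed sample export (not from the thread). The SERVER2 dn is folded
# across two lines to exercise LDIF line continuation.
SAMPLE_LDIF = """\
dn: CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: dMD
objectVersion: 31

dn: CN=SERVER1,OU=Domain Controllers,DC=example,DC=test
objectClass: computer
dNSHostName: server1.example.test
operatingSystem: Windows 2000 Server
operatingSystemVersion: 5.0 (2195)
userAccountControl: 532480

dn: CN=SERVER2,OU=Domain Controllers,
 DC=example,DC=test
objectClass: computer
dNSHostName: server2.example.test
operatingSystem: Windows Server 2003
operatingSystemVersion: 5.2 (3790)
userAccountControl: 532480

dn: CN=WKS01,CN=Computers,DC=example,DC=test
objectClass: computer
dNSHostName: wks01.example.test
operatingSystem: Windows XP Professional
operatingSystemVersion: 5.1 (2600)
userAccountControl: 4096
"""


def parse_ldif(text):
    """Parse plain-text LDIF into a list of {attr_lowercase: [values]} dicts.

    Handles folded lines (continuations start with one space). Base64
    values ("attr:: ...") are kept undecoded; none of the attributes
    checked below need decoding.
    """
    records, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():                      # blank line ends a record
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):                  # LDIF comment
            continue
        if raw.startswith(" ") and last_attr:    # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            continue
        last_attr = attr.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        records.append(current)
    return records


def os_version(value):
    """Turn '5.0 (2195)' into (5, 0); return None if it cannot be parsed."""
    m = re.match(r"\s*(\d+)\.(\d+)", value)
    return (int(m.group(1)), int(m.group(2))) if m else None


def preflight(ldif_text):
    """Report schema level and which DCs block a raise to DFL Windows Server 2003."""
    schema_version = None
    blocking, unknown, ready = [], [], []
    for rec in parse_ldif(ldif_text):
        dn = rec.get("dn", [""])[0]
        if dn.lower().startswith("cn=schema,cn=configuration,") and "objectversion" in rec:
            schema_version = int(rec["objectversion"][0])
            continue
        uac = int(rec.get("useraccountcontrol", ["0"])[0])
        if not uac & SERVER_TRUST_ACCOUNT:       # not a domain controller account
            continue
        host = rec.get("dnshostname", [dn])[0]
        ver = os_version(rec.get("operatingsystemversion", [""])[0])
        if ver is None:
            unknown.append(host)                 # unverifiable: treat as blocking
        elif ver < MIN_OS_FOR_DFL_2003:
            blocking.append(host)                # e.g. Windows 2000 Server 5.0 (2195)
        else:
            ready.append(host)
    return {
        "schema_version": schema_version,
        "schema_label": SCHEMA_VERSIONS.get(schema_version, "unknown"),
        "schema_allows_2003_dc": schema_version is not None and schema_version >= 30,
        "blocking_dcs": blocking,
        "unknown_dcs": unknown,
        "ready_dcs": ready,
        # The raise is one-way, so require every DC to be verified first.
        "safe_to_raise_dfl": bool(ready) and not blocking and not unknown,
    }


if __name__ == "__main__":
    for key, value in preflight(SAMPLE_LDIF).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the report lists server1.example.test as blocking, which mirrors the "running earlier versions of windows" dialog quoted in the thread.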

 



 

From: TM <TM@discussions.microsoft.com>

To: none

Subject: Re: Server 2000 domain upgrade to Server 2003

Date: 09/25/2007 17:04:04

Jorge,

 

I do not get any errors in transferring the roles. Everything transfers fine

in that side.

 

What I think I messed up in after transferring the roles, I did not demote

the 2000 server. Cause instead of demoting the current DC I tried to raise

the domain functional level before removing the current 2000 DC.

 

So if I am right when I remove the 2000 DC then I can raise the domain

functional level on the 2003 server. (something I overlooked before)

 

"Jorge Silva" wrote:

 

> From DISC1 (32bit:)

> - You use adprep /forestprep (on schema master)

> - You use adprep /domainprep (on IM master)

> Replicate all changes among all existing DCs

>

> From DISC2 (32bit:)

> - You use Drive:\CMPNENTS\R2\ADPREP\adprep.exe /forestprep (on schema

> master)

> Replicate all changes among all existing DCs

>

> You can also verify the operating system support level of the schema by

> using the Adsiedit.exe utility or the Ldp.exe utility to view the

> objectVersion attribute in the properties of the

> cn=schema,cn=configuration,dc=<domain> partition.

>

> At this point you should be ready to introduce the W2k3 R2.

>

> As I understand you, you already have 1 DC with W2003 in the forest, and

> when you try to transfer the roles you get that message?

> Can you state the exact message, and how are you trying to TRANSFER the

> Roles (NOT Seize the roles).

> Transferring the Master Roles doesn't make 2000 DCs stop working, however if

> you change your DFL/FFL to Windows 2003 all Windows 2000 DCs will stop

> working in that Forest/Domain, once that you do that there's no turning

> back.

>

> --

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

> "TM" <TM@discussions.microsoft.com> wrote in message

> news:8CF72DB7-3B3C-424F-9AC2-7AD3BF4C7B3D@microsoft.com...

> > would there be any reason that I would need to run the adprep again?

> > I have ran it once with the 32bit disc 2 from the disks.

> > Assuming that it isn't liking the adprep that was ran from before?

> >

> > See I have followed all of Microsoft's directions to raise the domain and I

> > did it in a test lab but now it isn't working in the production

> > environment.

> >

> > One thing I have just realized which didn't make sense to me earlier and

> > probably why I didn't do it.

> > Going through the steps of

> > 1. Upgrade the AD schema using the 32bit disc 2

> > 2. installing active directory on the 2003 server

> > 3. moving the roles to the new server

> > *4. is where it says retire the domain controllers through dcpromo

> > 5. raising the domain level

> >

> > Well I didn't do step 4 for the reason I was afraid it might lose

> > information. But after the reading I have done today since I have the 2003

> > server in place and roles on it. It should matter cause the 2000 works

> > differently than 2003.

> > So if I get the 2003 server with all the roles on it and it says it is DC

> > in

> > the active directory it should be a good domain controller (correct?).

> > then run the dcpromo on the current domain controller and everything will

> > be

> > happy (maybe).

> >

> > If that makes any sense.

> > I think if I would have done the step 4 I wouldn't be in this

> > predicament.

> > If I have nothing to worry about let me know and I will just do it and

> > hopefully won't have to look back and say oh shoot.

> >

> > Thanks for your help again.

> >

> > "Jorge Silva" wrote:

> >

> >> You need the 32 bit version, not the 64bit.

> >> 64bit CDs/DVDs are not compatible with 32bit version.

> >>

> >> --

> >> I hope that the information above helps you.

> >> Have a Nice day.

> >>

> >> Jorge Silva

> >> MCSE, MVP Directory Services

> >> "TM" <TM@discussions.microsoft.com> wrote in message

> >> news:991CAAC9-72E1-41F0-98A0-DA27627145F5@microsoft.com...

> >> > Well I have done that when getting everything set to upgrade to the

> >> > 2003

> >> > server 64bit r2 version of server.

> >> > I used the supplied CD's that I had bought.

> >> > But I still ran into the issue of the 2000 dc being an earlier version.

> >> >

> >> > "Jorge Silva" wrote:

> >> >

> >> >> You may use the 64bit R2 in the existing forest, you only need to get

> >> >> the

> >> >> second CD "where the adprep is" 32 bit version. You can get the 2nd CD

> >> >> from

> >> >> Microsoft site for the trial version of the Windows 2003 R2 32bit and

> >> >> use

> >> >> it

> >> >> to upgrade your 32 bit forest to R2.

> >> >>

> >> >> --

> >> >> I hope that the information above helps you.

> >> >> Have a Nice day.

> >> >>

> >> >> Jorge Silva

> >> >> MCSE, MVP Directory Services

> >> >> "TM" <TM@discussions.microsoft.com> wrote in message

> >> >> news:FE79DC66-E86A-416E-A588-2DC3F48EEB35@microsoft.com...

> >> >> > Jorge,

> >> >> > Thanks for the reply.

> >> >> > I understand the fact about 2 servers and I have that. And have done

> >> >> > the

> >> >> > adprep from the 32 bit cd's.

> >> >> > But where you say about the second cd on the install to not use it.

> >> >> > So just so I have a clear understanding I might have a better chance

> >> >> > at

> >> >> > getting this right if I try from scratch on the 64bit 2003 server

> >> >> > but

> >> >> > not

> >> >> > install the second CD. do the domain controller upgrade.

> >> >> >

> >> >> > If that works then a guy would install the second cd once things are

> >> >> > working

> >> >> > and 2000 DC are removed.

> >> >> >

> >> >> > Let me know. I want to say thanks for your help guys.

> >> >> > I tested this all in a test lab and I got it to upgrade etc. but of

> >> >> > course

> >> >> > once I start messing with a server that has been in production for a

> >> >> > few

> >> >> > years it is a different story.

> >> >> >

> >> >> >

> >> >> > "Jorge Silva" wrote:

> >> >> >

> >> >> >> You can't do a direct upgrade from 32 to 64 bit in the same

> >> >> >> machine.

> >> >> >> If you want to introduce the 64 bit Windows 2003 you'll need a

> >> >> >> separate

> >> >> >> server.

> >> >> >>

> >> >> >> To introduce Windows 2003 in your 2000 forest you first need to

> >> >> >> upgrade

> >> >> >> the

> >> >> >> forest and the Domain using adprep.

> >> >> >>

> >> >> >> Is not mandatory upgrade the schema to R2, this applies to 32bit

> >> >> >> and

> >> >> >> 64bit

> >> >> >> OS W2k3 If you install only OS and ignore/dismiss the second CD

> >> >> >> after

> >> >> >> the

> >> >> >> OS

> >> >> >> is installed then you have a Windows2003SP1/2 normal. If you run

> >> >> >> the

> >> >> >> second

> >> >> >> CD after OS installation then you'll be forced to upgrade the

> >> >> >> schema

> >> >> >> when

> >> >> >> you try to introduce that server as a DC, but isn't MANDATORY to do

> >> >> >> that

> >> >> >> unless you run the second CD after OS promotion.

> >> >> >>

> >> >> >> Now because you're running 32 bit version in other DCs, to upgrade

> >> >> >> the

> >> >> >> forest to R2 you'll need to run adprep 32bit version in the schema

> >> >> >> master.

> >> >> >>

> >> >> >> --

> >> >> >> I hope that the information above helps you.

> >> >> >> Have a Nice day.

> >> >> >>

> >> >> >> Jorge Silva

> >> >> >> MCSE, MVP Directory Services

> >> >> >> "TM" <TM@discussions.microsoft.com> wrote in message

> >> >> >> news:3A6222A9-E94B-4CB9-8C8B-6196B4E3E9EE@microsoft.com...

> >> >> >> > Thanks for the response.

> >> >> >> > I have read where to upgrade to 2003 but with a few of the

> >> >> >> > programs

> >> >> >> > I

> >> >> >> > have

> >> >> >> > on there currently I don't want to do that option on that server

> >> >> >> > cause

> >> >> >> > it

> >> >> >> > is

> >> >> >> > still needed for other apps.

> >> >> >> >

> >> >> >> > What do you think of building a server 2000 and making it a

> >> >> >> > domain

> >> >> >> > controller. DCPromoing the current server so it isn't a Domain

> >> >> >> > Controller

> >> >> >> > any

> >> >> >> > more. then doing the suggested upgrade to 2003. Then moving the

> >> >> >> > domain

> >> >> >> > controller role to the server that I am intending it to be on.

> >> >> >> >

> >> >> >> > So it will be a few more steps and time than I wanted to spend

> >> >> >> > but

> >> >> >> > does

> >> >> >> > this

> >> >> >> > seem a feasible option?

> >> >> >> >

> >> >> >> > Thanks for your help.

> >> >> >> >

> >> >> >> > "Meinolf Weber" wrote:

> >> >> >> >

> >> >> >> >> Hello tm,

> >> >> >> >>

> >> >> >> >> Maybe you did not read the article completely? With a windows

> >> >> >> >> 2000

> >> >> >> >> domain

> >> >> >> >> controller it is not possible to change it. You have to upgrade

> >> >> >> >> to

> >> >> >> >> 2003

> >> >> >> >> like

> >> >> >> >> stated in the article.

> >> >> >> >>

> >> >> >> >> Best regards

> >> >> >> >>

> >> >> >> >> Meinolf Weber

> >> >> >> >> Disclaimer: This posting is provided "AS IS" with no warranties,

> >> >> >> >> and

> >> >> >> >> confers

> >> >> >> >> no rights.

> >> >> >> >>

> >> >> >> >> > Well I have went through the article that both of you have

> >> >> >> >> > suggested

> >> >> >> >> > without

> >> >> >> >> > any luck. Unless I am doing something wrong.

> >> >> >> >> > Just a question does it matter if I am going to from 32bit

> >> >> >> >> > 2000

> >> >> >> >> > server

> >> >> >> >> > to a

> >> >> >> >> > 64bit 2003 server?

> >> >> >> >> > Also, I have the 2000 server at native mode the only 2000

> >> >> >> >> > server

> >> >> >> >> > as

> >> >> >> >> > Domain Controller with Exchange 2000 on it.

> >> >> >> >> >

> >> >> >> >> > Is there any other suggestions to get this fixed?

> >> >> >> >> >

> >> >> >> >> > "Jorge Silva" wrote:

> >> >> >> >> >

> >> >> >> >> >> With Windows 2000 DCs you shouldn't get your DFL and FFL more

> >> >> >> >> >> than

> >> >> >> >> >> Windows

> >> >> >> >> >> 2000 Native otherwise the 2000 DCs will stop working.

> >> >> >> >> >> Please read:

> >> >> >> >> >> http://support.microsoft.com/kb/322692

> >> >> >> >> >> --

> >> >> >> >> >> I hope that the information above helps you.

> >> >> >> >> >> Have a Nice day.

> >> >> >> >> >> Jorge Silva

> >> >> >> >> >> MCSE, MVP Directory Services

> >> >> >> >> >> "TM" <TM@discussions.microsoft.com> wrote in message

> >> >> >> >> >> news:A9BB3E80-DB8B-41CC-A527-9C6B38A94229@microsoft.com...

> >> >> >> >> >>> Sorry for not getting more info

> >> >> >> >> >>> On the current Server 2000 DC it is on Service Pack 4 with

> >> >> >> >> >>> all

> >> >> >> >> >>> the

> >> >> >> >> >>> available

> >> >> >> >> >>> updates.

> >> >> >> >> >>> On the Server 2003 std. I have all the updates installed.

> >> >> >> >> >>> It has all the roles and global catalog server.

> >> >> >> >> >>> But I am to the step of raising the domain functional level

> >> >> >> >> >>> now

> >> >> >> >> >>> and

> >> >> >> >> >>> I am getting the message below about not able to raise.

> >> >> >> >> >>>

> >> >> >> >> >>> If there is any other information I need to add let me know.

> >> >> >> >> >>> thanks for your response

> >> >> >> >> >>> --------------------------------------------------------------------

> >> >> >> >> >>> ----------------------------

> >> >> >> >> >>> To update the domain functional level, the domain

> >> >> >> >> >>> controllers

> >> >> >> >> >>> in

> >> >> >> >> >>> the

> >> >> >> >> >>> domain

> >> >> >> >> >>> must be running the appropriate version of windows.

> >> >> >> >> >>> Domain Name

> >> >> >> >> >>> norfolkiron.com

> >> >> >> >> >>> Current domain functional level

> >> >> >> >> >>> Windows 2000 native

> >> >> >> >> >>> The following domain controllers are running earlier

> >> >> >> >> >>> versions

> >> >> >> >> >>> of

> >> >> >> >> >>> windows:

> >> >> >> >> >>> Domain Name Domain Controller Version of Windows

> >> >> >> >> >>> norfolkiron.com server1.norfolkiron.com Windows 2000 Server

> >> >> >> >> >>> 5.0

> >> >> >> >> >>> (2195)

> >> >> >> >> >>> --------------------------------------------------------------------

> >> >> >> >> >>> ----------------------------

> >> >> >> >> >>> "Jorge Silva" wrote:

> >> >> >> >> >>>

> >> >> >> >> >>>> Hi

> >> >> >> >> >>>> Is this the error?

> >> >> >> >> >>>> Error message when you run the Active Directory

> >> >> >> >> >>>> Installation

> >> >> >> >> >>>> Wizard: "The

 



 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Server 2000 domain upgrade to Server 2003

Date: 09/25/2007 18:08:36

Correct, after you demoted all Existing 2000 DCs you safely raise the DFL to

2003.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"TM" <TM@discussions.microsoft.com> wrote in message

news:B3F4051A-A172-4A1F-81A9-5FA1C93C9E7D@microsoft.com...

> Jorge,

>

> I do not get any errors in transferring the roles. Everything transfers

> fine

> in that side.

>

> What I think I messed up in after transferring the roles, I did not demote

> the 2000 server. Cause instead of demoting the current DC I tried to raise

> the domain functional level before removing the current 2000 DC.

>

> So if I am right when I remove the 2000 DC then I can raise the domain

> functional level on the 2003 server. (something I overlooked before)

>

> "Jorge Silva" wrote:

>

>> From DISC1 (32bit:)

>> - You use adprep /forestprep (on schema master)

>> - You use adprep /domainprep (on IM master)

>> Replicate all changes among all existing DCs

>>

>> From DISC2 (32bit:)

>> - You use Drive:\CMPNENTS\R2\ADPREP\adprep.exe /forestprep (on schema

>> master)

>> Replicate all changes among all existing DCs

>>

>> You can also verify the operating system support level of the schema by

>> using the Adsiedit.exe utility or the Ldp.exe utility to view the

>> objectVersion attribute in the properties of the

>> cn=schema,cn=configuration,dc=<domain> partition.

>>

>> At this point you should be ready to introduce the W2k3 R2.

>>

>> As I understand you, you already have 1 DC with W2003 in the forest, and

>> when you try to transfer the roles you get that message?

>> Can you state the exact message, and how are you trying to TRANSFER the

>> Roles (NOT Seize the roles).

>> Transferring the Master Roles doesn't make 2000 DCs stop working, however

>> if

>> you change your DFL/FFL to Windows 2003 all Windows 2000 DCs will stop

>> working in that Forest/Domain, once that you do that there's no turning

>> back.

>>

>> --

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

>> "TM" <TM@discussions.microsoft.com> wrote in message

>> news:8CF72DB7-3B3C-424F-9AC2-7AD3BF4C7B3D@microsoft.com...

>> > would there be any reason that I would need to run the adprep again?

>> > I have ran it once with the 32bit disc 2 from the disks.

>> > Assuming that it isn't liking the adprep that was ran from before?

>> >

>> > See I have followed all of Microsoft's directions to raise the domain

>> > and I

>> > did it in a test lab but now it isn't working in the production

>> > environment.

>> >

>> > One thing I have just realized which didn't make sense to me earlier

>> > and

>> > probably why I didn't do it.

>> > Going through the steps of

>> > 1. Upgrade the AD schema using the 32bit disc 2

>> > 2. installing active directory on the 2003 server

>> > 3. moving the roles to the new server

>> > *4. is where it says retire the domain controllers through dcpromo

>> > 5. raising the domain level

>> >

>> > Well I didn't do step 4 for the reason I was afraid it might lose

>> > information. But after the reading I have done today since I have the

>> > 2003

>> > server in place and roles on it. It should matter cause the 2000 works

>> > differently than 2003.

>> > So if I get the 2003 server with all the roles on it and it says it is

>> > DC

>> > in

>> > the active directory it should be a good domain controller (correct?).

>> > then run the dcpromo on the current domain controller and everything

>> > will

>> > be

>> > happy (maybe).

>> >

>> > If that makes any sense.

>> > I think if I would have done the step 4 I wouldn't be in this

>> > predicament.

>> > If I have nothing to worry about let me know and I will just do it and

>> > hopefully won't have to look back and say oh shoot.

>> >

>> > Thanks for your help again.

>> >

>> > "Jorge Silva" wrote:

>> >

>> >> You need the 32 bit version, not the 64bit.

>> >> 64bit CDs/DVDs are not compatible with 32bit version.

>> >>

>> >> --

>> >> I hope that the information above helps you.

>> >> Have a Nice day.

>> >>

>> >> Jorge Silva

>> >> MCSE, MVP Directory Services

>> >> "TM" <TM@discussions.microsoft.com> wrote in message

>> >> news:991CAAC9-72E1-41F0-98A0-DA27627145F5@microsoft.com...

>> >> > Well I have done that when getting everything set to upgrade to the

>> >> > 2003

>> >> > server 64bit r2 version of server.

>> >> > I used the supplied CD's that I had bought.

>> >> > But I still ran into the issue of the 2000 dc being an earlier

>> >> > version.

>> >> >

>> >> > "Jorge Silva" wrote:

>> >> >

>> >> >> You may use the 64bit R2 in the existing forest, you only need to

>> >> >> get

>> >> >> the

>> >> >> second CD "where the adprep is" 32 bit version. You can get the 2nd

>> >> >> CD

>> >> >> from

>> >> >> Microsoft site for the trial version of the Windows 2003 R2 32bit

>> >> >> and

>> >> >> use

>> >> >> it

>> >> >> to upgrade your 32 bit forest to R2.

>> >> >>

>> >> >> --

>> >> >> I hope that the information above helps you.

>> >> >> Have a Nice day.

>> >> >>

>> >> >> Jorge Silva

>> >> >> MCSE, MVP Directory Services

>> >> >> "TM" <TM@discussions.microsoft.com> wrote in message

>> >> >> news:FE79DC66-E86A-416E-A588-2DC3F48EEB35@microsoft.com...

>> >> >> > Jorge,

>> >> >> > Thanks for the reply.

>> >> >> > I understand the fact about 2 servers and I have that. And have

>> >> >> > done

>> >> >> > the

>> >> >> > adprep from the 32 bit cd's.

>> >> >> > But where you say about the second cd on the install to not use

>> >> >> > it.

>> >> >> > So just so I have a clear understanding I might have a better

>> >> >> > chance

>> >> >> > at

>> >> >> > getting this right if I try from scratch on the 64bit 2003 server

>> >> >> > but

>> >> >> > not

>> >> >> > install the second CD. do the domain controller upgrade.

>> >> >> >

>> >> >> > If that works then a guy would install the second cd once things

>> >> >> > are

>> >> >> > working

>> >> >> > and 2000 DC are removed.

>> >> >> >

>> >> >> > Let me know. I want to say thanks for your help guys.

>> >> >> > I tested this all in a test lab and I got it to upgrade etc. but

>> >> >> > of

>> >> >> > course

>> >> >> > once I start messing with a server that has been in production

>> >> >> > for a

>> >> >> > few

>> >> >> > years it is a different story.

>> >> >> >

>> >> >> >

>> >> >> > "Jorge Silva" wrote:

>> >> >> >

>> >> >> >> You can't do a direct upgrade from 32 to 64 bit in the same

>> >> >> >> machine.

>> >> >> >> If you want to introduce the 64 bit Windows 2003 you'll need a

>> >> >> >> separate

>> >> >> >> server.

>> >> >> >>

>> >> >> >> To introduce Windows 2003 in your 2000 forest you first need to

>> >> >> >> upgrade

>> >> >> >> the

>> >> >> >> forest and the Domain using adprep.

>> >> >> >>

>> >> >> >> It is not mandatory to upgrade the schema to R2, this applies to 32bit

>> >> >> >> and

>> >> >> >> 64bit

>> >> >> >> OS W2k3 If you install only OS and ignore/dismiss the second CD

>> >> >> >> after

>> >> >> >> the

>> >> >> >> OS

>> >> >> >> is installed then you have a Windows2003SP1/2 normal. If you run

>> >> >> >> the

>> >> >> >> second

>> >> >> >> CD after OS installation then you'll be forced to upgrade the

>> >> >> >> schema

>> >> >> >> when

>> >> >> >> you try to introduce that server as a DC, but isn't MANDATORY to

>> >> >> >> do

>> >> >> >> that

>> >> >> >> unless you run the second CD after OS promotion.

>> >> >> >>

>> >> >> >> Now because you're running 32 bit version in other DCs, to

>> >> >> >> upgrade

>> >> >> >> the

>> >> >> >> forest to R2 you'll need to run adprep 32bit version in the

>> >> >> >> schema

>> >> >> >> master.

>> >> >> >>

>> >> >> >> --

>> >> >> >> I hope that the information above helps you.

>> >> >> >> Have a Nice day.

>> >> >> >>

>> >> >> >> Jorge Silva

>> >> >> >> MCSE, MVP Directory Services

>> >> >> >> "TM" <TM@discussions.microsoft.com> wrote in message

>> >> >> >> news:3A6222A9-E94B-4CB9-8C8B-6196B4E3E9EE@microsoft.com...

>> >> >> >> > Thanks for the response.

>> >> >> >> > I have read where to upgrade to 2003 but with a few of the

>> >> >> >> > programs

>> >> >> >> > I

>> >> >> >> > have

>> >> >> >> > on there currently I don't want to do that option on that

>> >> >> >> > server

>> >> >> >> > cause

>> >> >> >> > it

>> >> >> >> > is

>> >> >> >> > still needed for other apps.

>> >> >> >> >

>> >> >> >> > What do you think of building a server 2000 and making it a

>> >> >> >> > domain

>> >> >> >> > controller. DCPromoing the current server so it isn't a Domain

>> >> >> >> > Controller

>> >> >> >> > any

>> >> >> >> > more. then doing the suggested upgrade to 2003. Then moving

>> >> >> >> > the

>> >> >> >> > domain

>> >> >> >> > controller role to the server that I am intending it to be on.

>> >> >> >> >

>> >> >> >> > So it will be a few more steps and time than I wanted to spend

>> >> >> >> > but

>> >> >> >> > does

>> >> >> >> > this

>> >> >> >> > seem a feasible option?

>> >> >> >> >

>> >> >> >> > Thanks for your help.

>> >> >> >> >

>> >> >> >> > "Meinolf Weber" wrote:

>> >> >> >> >

>> >> >> >> >> Hello tm,

>> >> >> >> >>

>> >> >> >> >> Maybe you did not read the article completely? With a windows

>> >> >> >> >> 2000

>> >> >> >> >> domain

>> >> >> >> >> controller it is not possible to change it. You have to

>> >> >> >> >> upgrade

>> >> >> >> >> to

>> >> >> >> >> 2003

>> >> >> >> >> like

>> >> >> >> >> stated in the article.

>> >> >> >> >>

>> >> >> >> >> Best regards

>> >> >> >> >>

>> >> >> >> >> Meinolf Weber

>> >> >> >> >> Disclaimer: This posting is provided "AS IS" with no

>> >> >> >> >> warranties,

>> >> >> >> >> and

>> >> >> >> >> confers

>> >> >> >> >> no rights.

>> >> >> >> >>

>> >> >> >> >> > Well I have gone through the article that both of you have

>> >> >> >> >> > suggested

>> >> >> >> >> > without

>> >> >> >> >> > any luck. Unless I am doing something wrong.

>> >> >> >> >> > Just a question does it matter if I am going to from 32bit

>> >> >> >> >> > 2000

>> >> >> >> >> > server

>> >> >> >> >> > to a

>> >> >> >> >> > 64bit 2003 server?

>> >> >> >> >> > Also, I have the 2000 server at native mode the only 2000

>> >> >> >> >> > server

>> >> >> >> >> > as

>> >> >> >> >> > Domain Controller with Exchange 2000 on it.

>> >> >> >> >> >

>> >> >> >> >> > Is there any other suggestions to get this fixed?

>> >> >> >> >> >

>> >> >> >> >> > "Jorge Silva" wrote:

>> >> >> >> >> >

>> >> >> >> >> >> With Windows 2000 DCs you shouldn't get your DFL and FFL

>> >> >> >> >> >> more

>> >> >> >> >> >> than

>> >> >> >> >> >> Windows

>> >> >> >> >> >> 2000 Native otherwise the 2000 DCs will stop working.

>> >> >> >> >> >> Please read:

>> >> >> >> >> >> http://support.microsoft.com/kb/322692

>> >> >> >> >> >> --

>> >> >> >> >> >> I hope that the information above helps you.

>> >> >> >> >> >> Have a Nice day.

>> >> >> >> >> >> Jorge Silva

>> >> >> >> >> >> MCSE, MVP Directory Services

>> >> >> >> >> >> "TM" <TM@discussions.microsoft.com> wrote in message

>> >> >> >> >> >> news:A9BB3E80-DB8B-41CC-A527-9C6B38A94229@microsoft.com...

>> >> >> >> >> >>> Sorry for not getting more info

>> >> >> >> >> >>> On the current Server 2000 DC it is on Service Pack 4

>> >> >> >> >> >>> with

>> >> >> >> >> >>> all

>> >> >> >> >> >>> the

>> >> >> >> >> >>> available

>> >> >> >> >> >>> updates.

>> >> >> >> >> >>> On the Server 2003 std. I have all the updates installed.

>> >> >> >> >> >>> It has all the roles and global catalog server.

>> >> >> >> >> >>> But I am to the step of raising the domain functional

>> >> >> >> >> >>> level

>> >> >> >> >> >>> now

>> >> >> >> >> >>> and

>> >> >> >> >> >>> I am getting the message below about not able to raise.

>> >> >> >> >> >>>

>> >> >> >> >> >>> If there is any other information I need to add let me

>> >> >> >> >> >>> know.

>> >> >> >> >> >>> thanks for your response

>> >> >> >> >> >>> --------------------------------------------------------------------

>> >> >> >> >> >>> ----------------------------

>> >> >> >> >> >>> To update the domain functional level, the domain

>> >> >> >> >> >>> controllers

>> >> >> >> >> >>> in

>> >> >> >> >> >>> the

>> >> >> >> >> >>> domain

>> >> >> >> >> >>> must be running the appropriate version of windows.

>> >> >> >> >> >>> Domain Name

>> >> >> >> >> >>> norfolkiron.com

>> >> >> >> >> >>> Current domain functional level

>> >> >> >> >> >>> Windows 2000 native

>> >> >> >> >> >>> The following domain controllers are running earlier

>> >> >> >> >> >>> versions

>> >> >> >> >> >>> of

>> >> >> >> >> >>> windows:

>> >> >> >> >> >>> Domain Name Domain Controller Version of Windows

>> >> >> >> >> >>> norfolkiron.com server1.norfolkiron.com Windows 2000

>> >> >> >> >> >>> Server

>> >> >> >> >> >>> 5.0

>> >> >> >> >> >>> (2195)

>> >> >> >> >> >>> --------------------------------------------------------------------

>> >> >> >> >> >>> ----------------------------

>> >> >> >> >> >>> "Jorge Silva" wrote:

>> >> >> >> >> >>>

>> >> >> >> >> >>>> Hi

>> >> >> >> >> >>>> Is this the error?

>> >> >> >> >> >>>> Error message when you run the Active Directory

>> >> >> >> >> >>>> Installation

>> >> >> >> >> >>>> Wizard: "The

 



 

From: Florian Frommherz [MVP] <florian@PLEASELEAVETHISOUT.frickelsoft.net>

To: none

Subject: Re: Site Policies and Domain Controllers

Date: 09/26/2007 00:27:31

Howdie!

 

JayDee wrote:

> We would like to create a site policy that adds a domain global group

> to the local administrators group of all servers on a specific subnet,

> since we will have a local group supporting them... however, there is

> a domain controller on one of the subnets. Is there any way to set up

> our "restricted groups" policy on all servers without giving those

> admins administrator access to the entire domain??

 

You could try to create the Group Policy linked to the site and then

deny the specific domain controller the "Read" and "Apply Group Policy"

permission on the GP:

 

http://www.frickelsoft.net/blog/?p=28

 

cheers,

 

Florian

--

Microsoft MVP - Windows Server - Group Policy.

eMail: prename [at] frickelsoft [dot] net.

blog: http://www.frickelsoft.net/blog.

 



 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: SYSVOL share hand icon is red

Date: 09/28/2007 01:05:57

Hello,

 

Get the real path where the share points to.

Then check that the folder still exists.

Did you change NTFS security recently ?

 

--

Regards,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

"Sofi" <Sofi@discussions.microsoft.com> wrote in message

news:CBF51BB1-A50A-4455-BE7E-C3F11C84CE6E@microsoft.com...

> Hi,

> I just saw that the icon hand for the SYSVOL share has turned RED. What

> does

> that mean?

> THANKS!!

> Sofia

 



 

From: Ryan Hanisco <RyanHanisco@discussions.microsoft.com>

To: none

Subject: RE: Tips for setting up a test lab

Date: 09/27/2007 17:32:01

Hi shdowflare,

 

You mentioned that you wanted a testbed to be able to test out schema

extensions among other things.  Remember that the schema is at the

forest-level, so the only way to have an isolated location for that would be

to keep it completely segregated from your production forest. 

 

There are three ways to do this (That I can think of, anyway):

1. Create a completely separate forest.  This would isolate the environment

but allow you to use the same LAN.  The forest would be visible and you could

use trusts to share resources, though it could be argued that this might

reduce the validity of your tests.  You would also be able to use ADMT and AD

imports to populate the forest with similar accounts and PWDs -- even

maintain SIDHistory (again test validity...)

 

2. Use ADAM to create a directory structure that you can sync with your

production AD as a test bed.  This can be a very attractive option, but you

don't get the whole host of services that a separate forest brings and there

is some impact to your GCs and the like.  This works well for app and schema

tests though.

 

3. Pretend to be an Amoeba.  You can add a DC with DNS to your domain and

then completely segregate it on a separate LAN.  From there you can seize the

FSMO roles and treat it as a separate forest that is identical to your

production AD.  Note that you can NEVER have it interact with your production

environment so this is a good option if you want to test GPOs or applications

in an isolated environment.  This will not, however, allow you to test other

network resources that have a connection to the "real world."  (I know, not

ideal for you.)

--

Ryan Hanisco

MCSE, MCTS: SQL 2005, Project+

www.techsterity.com

Chicago, IL

 

Remember: Marking helpful answers helps everyone find the info they need

quickly.

"shdowflare" wrote:

 

> Hi,

>

> We're getting ready to build out an Active Directory 2003 test lab.  We need

> a place to check schema extensions, group policies, and software updates

> before putting into production.  We need the test environment to be

> accessible to our corporate network, so applications can interact with the

> test directory during testing.  So the LDAP lab can't be isolated.  It needs

> to be on our corporate LAN.  I imagine putting the test AD controller on our

> LAN means it will be found by our production DC's (and vice versa).  So I was

> wondering how to structure the test domain hierarchy.  Should it be a

> separate forest?  Or just a separate domain under the forest root?

>

> Basically, I'm looking for ideas on the best way to accomplish the

> requirements above and address the questions I've posed.  Can you guys help

> out?

>

> Looking forward to your replies.

> --

> -B

 



 

From: Ryan Hanisco <RyanHanisco@discussions.microsoft.com>

To: none

Subject: Re: Types of ICMP Used by DC?

Date: 09/25/2007 23:58:02

Will,

 

DCs use ICMP Ping for a number of things and will need the ICMP types that

ping requires.  Of course, the most common will be echo and echo reply, but

the others will be needed for failure or redirect status.

 

Other than that, you'll see no other "odd" ICMP traffic.

 

Usually DCs are connected on LAN, WAN, or VPN circuits that are considered

part of the Internal network so filter very little.  If you are concerned

about blocking specific ICMP types, I would be afraid that you might have a

bad design on your hands -- or at least an overly complicated one.

 

Cheers,

--

Ryan Hanisco

MCSE, MCTS: SQL 2005, Project+

www.techsterity.com

Chicago, IL

 

Remember: Marking helpful answers helps everyone find the info they need

quickly.

"Will" wrote:

 

> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

> news:uW3cMt2$HHA.4496@TK2MSFTNGP06.phx.gbl...

> > I only know of one icmp type traffic.  What exactly are you referring to?

>

> Open Windows Firewall.

>

> Select Advanced tab.

>

> Select ICMP Settings button.

>

> Those are the options I want to know about.   Which ICMP subtypes do DCs use

> between DCs?

>

> --

> Will

>

 



 

From: Will <westes-usc@noemail.nospam>

To: none

Subject: Re: Types of ICMP Used by DC?

Date: 09/26/2007 00:16:32

"Ryan Hanisco" <RyanHanisco@discussions.microsoft.com> wrote in message

news:67019A97-0A96-47BC-9996-35E4A211D225@microsoft.com...

> Will,

>

> DCs use ICMP Ping for a number of things and will need the ICMP types that

> ping requires.  Of course, the most common will be echo and echo reply,

> but

> the others will be needed for failure or redirect status.

>

> Other than that, you'll see no other "odd" ICMP traffic.

>

> Usually DCs are connected on LAN, WAN, or VPN circuits that are considered

> part of the Internal network so filter very little.  If you are

> concerned

> about blocking specific ICMP types, I would be afraid that you might have

> a

> bad design on your hands -- or at least an overly complicated one.

 

Since we are stuck with Windows Firewall, and Windows Firewall by default

does block most types of ICMP, I'm simply asking the question which types

should I unblock.

 

If your answer is "unblock them all because they all might be used," then

okay.

 

--

Will

 



 

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>

To: none

Subject: Re: Types of ICMP Used by DC?

Date: 09/26/2007 08:08:28

Will I was unaware of the icmp options and will have to research this.  I

don't have an answer for you but will attempt to get one for you.

 

--

Paul Bergson

MVP - Directory Services

MCT, MCSE, MCSA, Security+, BS CSci

2003, 2000 (Early Achiever), NT

 

http://www.pbbergs.com

 

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

 

"Will" <westes-usc@noemail.nospam> wrote in message

news:Z6KdnU-O4avjwmTbnZ2dnUVZ_vamnZ2d@giganews.com...

> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

> news:uW3cMt2$HHA.4496@TK2MSFTNGP06.phx.gbl...

>> I only know of one icmp type traffic.  What exactly are you referring to?

>

> Open Windows Firewall.

>

> Select Advanced tab.

>

> Select ICMP Settings button.

>

> Those are the options I want to know about.   Which ICMP subtypes do DCs

> use

> between DCs?

>

> --

> Will

 



 

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>

To: none

Subject: Re: Types of ICMP Used by DC?

Date: 09/26/2007 13:58:02

I have been able to open a Microsoft support incident for you. I had one

that was to expire at the end of the week.

 

--

Paul Bergson

MVP - Directory Services

MCT, MCSE, MCSA, Security+, BS CSci

2003, 2000 (Early Achiever), NT

 

http://www.pbbergs.com

 

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

 

"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

news:%23XL2V5DAIHA.3940@TK2MSFTNGP05.phx.gbl...

> Will I was unaware of the icmp options and will have to research this.  I

> don't have an answer for you but will attempt to get one for you.

>

> --

> Paul Bergson

> MVP - Directory Services

> MCT, MCSE, MCSA, Security+, BS CSci

> 2003, 2000 (Early Achiever), NT

>

> http://www.pbbergs.com

>

> Please no e-mails, any questions should be posted in the NewsGroup

> This posting is provided "AS IS" with no warranties, and confers no

> rights.

>

> "Will" <westes-usc@noemail.nospam> wrote in message

> news:Z6KdnU-O4avjwmTbnZ2dnUVZ_vamnZ2d@giganews.com...

>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

>> news:uW3cMt2$HHA.4496@TK2MSFTNGP06.phx.gbl...

>>> I only know of one icmp type traffic.  What exactly are you referring

>>> to?

>>

>> Open Windows Firewall.

>>

>> Select Advanced tab.

>>

>> Select ICMP Settings button.

>>

>> Those are the options I want to know about.   Which ICMP subtypes do DCs

>> use

>> between DCs?

>>

>> --

>> Will

 



 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: Types of ICMP Used by DC?

Date: 09/26/2007 14:17:34

you may have sold it on ebay ;)

 

--

Regards,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

news:ub6Sr8GAIHA.5164@TK2MSFTNGP05.phx.gbl...

>I have been able to open a Microsoft support incident for you. I had one

>that was to expire at the end of the week.

>

> --

> Paul Bergson

> MVP - Directory Services

> MCT, MCSE, MCSA, Security+, BS CSci

> 2003, 2000 (Early Achiever), NT

>

> http://www.pbbergs.com

>

> Please no e-mails, any questions should be posted in the NewsGroup

> This posting is provided "AS IS" with no warranties, and confers no

> rights.

>

> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

> news:%23XL2V5DAIHA.3940@TK2MSFTNGP05.phx.gbl...

>> Will I was unaware of the icmp options and will have to research this.  I

>> don't have an answer for you but will attempt to get one for you.

>>

>> --

>> Paul Bergson

>> MVP - Directory Services

>> MCT, MCSE, MCSA, Security+, BS CSci

>> 2003, 2000 (Early Achiever), NT

>>

>> http://www.pbbergs.com

>>

>> Please no e-mails, any questions should be posted in the NewsGroup

>> This posting is provided "AS IS" with no warranties, and confers no

>> rights.

>>

>> "Will" <westes-usc@noemail.nospam> wrote in message

>> news:Z6KdnU-O4avjwmTbnZ2dnUVZ_vamnZ2d@giganews.com...

>>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

>>> news:uW3cMt2$HHA.4496@TK2MSFTNGP06.phx.gbl...

>>>> I only know of one icmp type traffic.  What exactly are you referring

>>>> to?

>>>

>>> Open Windows Firewall.

>>>

>>> Select Advanced tab.

>>>

>>> Select ICMP Settings button.

>>>

>>> Those are the options I want to know about.   Which ICMP subtypes do DCs

>>> use

>>> between DCs?

>>>

>>> --

>>> Will

 



 

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>

To: none

Subject: Re: Types of ICMP Used by DC?

Date: 09/26/2007 14:17:14

Microsoft just got back to me and stated that the only ICMP needed to be

allowed is the top option.

 

Allow Incoming Echo Requests

 

--

Paul Bergson

MVP - Directory Services

MCT, MCSE, MCSA, Security+, BS CSci

2003, 2000 (Early Achiever), NT

 

http://www.pbbergs.com

 

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

 

"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

news:ub6Sr8GAIHA.5164@TK2MSFTNGP05.phx.gbl...

>I have been able to open a Microsoft support incident for you. I had one

>that was to expire at the end of the week.

>

> --

> Paul Bergson

> MVP - Directory Services

> MCT, MCSE, MCSA, Security+, BS CSci

> 2003, 2000 (Early Achiever), NT

>

> http://www.pbbergs.com

>

> Please no e-mails, any questions should be posted in the NewsGroup

> This posting is provided "AS IS" with no warranties, and confers no

> rights.

>

> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

> news:%23XL2V5DAIHA.3940@TK2MSFTNGP05.phx.gbl...

>> Will I was unaware of the icmp options and will have to research this.  I

>> don't have an answer for you but will attempt to get one for you.

>>

>> --

>> Paul Bergson

>> MVP - Directory Services

>> MCT, MCSE, MCSA, Security+, BS CSci

>> 2003, 2000 (Early Achiever), NT

>>

>> http://www.pbbergs.com

>>

>> Please no e-mails, any questions should be posted in the NewsGroup

>> This posting is provided "AS IS" with no warranties, and confers no

>> rights.

>>

>> "Will" <westes-usc@noemail.nospam> wrote in message

>> news:Z6KdnU-O4avjwmTbnZ2dnUVZ_vamnZ2d@giganews.com...

>>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

>>> news:uW3cMt2$HHA.4496@TK2MSFTNGP06.phx.gbl...

>>>> I only know of one icmp type traffic.  What exactly are you referring

>>>> to?

>>>

>>> Open Windows Firewall.

>>>

>>> Select Advanced tab.

>>>

>>> Select ICMP Settings button.

>>>

>>> Those are the options I want to know about.   Which ICMP subtypes do DCs

>>> use

>>> between DCs?

>>>

>>> --

>>> Will
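
The setting named in the reply above, applied from the command line instead of the ICMP Settings dialog. This is an added example, not part of the original posts; it assumes the `netsh firewall` context of Windows XP SP2 / Windows Server 2003 SP1, where ICMP type 8 corresponds to "Allow incoming echo request".

```bat
@echo off
rem Added example (not from the thread): allow only inbound ICMP echo
rem requests on a domain controller protected by Windows Firewall.
rem Assumes the "netsh firewall" context of XP SP2 / Server 2003 SP1.

rem Record the ICMP settings in effect before changing anything.
netsh firewall show icmpsetting

rem Clear every ICMP exception first so that nothing enabled earlier
rem stays open by accident.
netsh firewall set icmpsetting type=ALL mode=DISABLE profile=ALL
if errorlevel 1 goto failed

rem Type 8 is the echo request, the top option in the ICMP Settings
rem dialog ("Allow incoming echo request").
netsh firewall set icmpsetting type=8 mode=ENABLE profile=ALL
if errorlevel 1 goto failed

rem Show the result so the change can be verified and kept with the
rem change record.
netsh firewall show icmpsetting
exit /b 0

:failed
echo Windows Firewall ICMP settings were not changed as expected.
exit /b 1
```

Run it from an administrative command prompt on each DC; the final `show icmpsetting` output should list only type 8 as enabled.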

 



 

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>

To: none

Subject: Re: Types of ICMP Used by DC?

Date: 09/26/2007 14:20:17

Forgot to include a link they provided, if you care

 

http://msdn2.microsoft.com/en-us/library/ms912869.aspx

 

--

Paul Bergson

MVP - Directory Services

MCT, MCSE, MCSA, Security+, BS CSci

2003, 2000 (Early Achiever), NT

 

http://www.pbbergs.com

 

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

 

"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

news:ub6Sr8GAIHA.5164@TK2MSFTNGP05.phx.gbl...

>I have been able to open a Microsoft support incident for you. I had one

>that was to expire at the end of the week.

>

> --

> Paul Bergson

> MVP - Directory Services

> MCT, MCSE, MCSA, Security+, BS CSci

> 2003, 2000 (Early Achiever), NT

>

> http://www.pbbergs.com

>

> Please no e-mails, any questions should be posted in the NewsGroup

> This posting is provided "AS IS" with no warranties, and confers no

> rights.

>

> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

> news:%23XL2V5DAIHA.3940@TK2MSFTNGP05.phx.gbl...

>> Will I was unaware of the icmp options and will have to research this.  I

>> don't have an answer for you but will attempt to get one for you.

>>

>> --

>> Paul Bergson

>> MVP - Directory Services

>> MCT, MCSE, MCSA, Security+, BS CSci

>> 2003, 2000 (Early Achiever), NT

>>

>> http://www.pbbergs.com

>>

>> Please no e-mails, any questions should be posted in the NewsGroup

>> This posting is provided "AS IS" with no warranties, and confers no

>> rights.

>>

>> "Will" <westes-usc@noemail.nospam> wrote in message

>> news:Z6KdnU-O4avjwmTbnZ2dnUVZ_vamnZ2d@giganews.com...

>>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

>>> news:uW3cMt2$HHA.4496@TK2MSFTNGP06.phx.gbl...

>>>> I only know of one icmp type traffic.  What exactly are you referring

>>>> to?

>>>

>>> Open Windows Firewall.

>>>

>>> Select Advanced tab.

>>>

>>> Select ICMP Settings button.

>>>

>>> Those are the options I want to know about.   Which ICMP subtypes do DCs

>>> use

>>> between DCs?

>>>

>>> --

>>> Will

 



 

From: Anthony <anthony.spam@spammedout.com>

To: none

Subject: Re: Types of ICMP Used by DC?

Date: 09/26/2007 14:49:39

That's above and beyond the call of duty!

"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

news:ub6Sr8GAIHA.5164@TK2MSFTNGP05.phx.gbl...

>I have been able to open a Microsoft support incident for you. I had one

>that was to expire at the end of the week.

>

> --

> Paul Bergson

> MVP - Directory Services

> MCT, MCSE, MCSA, Security+, BS CSci

> 2003, 2000 (Early Achiever), NT

>

> http://www.pbbergs.com

>

> Please no e-mails, any questions should be posted in the NewsGroup

> This posting is provided "AS IS" with no warranties, and confers no

> rights.

>

> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

> news:%23XL2V5DAIHA.3940@TK2MSFTNGP05.phx.gbl...

>> Will I was unaware of the icmp options and will have to research this.  I

>> don't have an answer for you but will attempt to get one for you.

>>

>> --

>> Paul Bergson

>> MVP - Directory Services

>> MCT, MCSE, MCSA, Security+, BS CSci

>> 2003, 2000 (Early Achiever), NT

>>

>> http://www.pbbergs.com

>>

>> Please no e-mails, any questions should be posted in the NewsGroup

>> This posting is provided "AS IS" with no warranties, and confers no

>> rights.

>>

>> "Will" <westes-usc@noemail.nospam> wrote in message

>> news:Z6KdnU-O4avjwmTbnZ2dnUVZ_vamnZ2d@giganews.com...

>>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

>>> news:uW3cMt2$HHA.4496@TK2MSFTNGP06.phx.gbl...

>>>> I only know of one icmp type traffic.  What exactly are you referring

>>>> to?

>>>

>>> Open Windows Firewall.

>>>

>>> Select Advanced tab.

>>>

>>> Select ICMP Settings button.

>>>

>>> Those are the options I want to know about.   Which ICMP subtypes do DCs

>>> use

>>> between DCs?

>>>

>>> --

>>> Will

 



 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: User logging in as limited account

Date: 09/26/2007 12:47:02

Hi

To install software he needs Admin permissions, check if that account is

member of local Administrators Security group.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

<PeterDowney01@gmail.com> wrote in message

news:1190828315.082730.276700@n39g2000hsh.googlegroups.com...

> I've got a customer running server 2003.  We added an account for his

> computer to log in to the server with.  Using his client computer when

> we log into the account (his system has xp installed) it logs us in as

> a limited account.  We need his computer to log in as an administrator

> because we have to install software on his computer, and he wants to

> be able to enable and disable his wireless card.

>

> What am I doing wrong that it's logging in as a limited account?

>

 



 

From: Technical <Technical@discussions.microsoft.com>

To: none

Subject: RE: Using netdom.exe to join active directory

Date: 09/26/2007 07:30:05

Hello Sransom,

 

Instead of /D write /Domain:domainname

 

"sransom" wrote:

 

> Hi All,

>

> I'm trying to write a small batch file to let me join new computers to our

> domain. The line is as follows:

>

> NETDOM join %ComputerName% /D:mydomain.nsw.edu.au /UserD:Admin

> /passwordD:xxxxx UserO:Administrator /PasswordO:xxx /reboot:10

>

> When I run it all I get is a line saying "the syntax for this command is"

> and then the help commands for netdom. I have gone cross-eyed trying to find

> what I'm doing wrong.

>

> Any ideas please?

>

>

> --

> I Run A Help Desk, Not A Resume Service

 



 

From: sransom <sransom@discussions.microsoft.com>

To: none

Subject: RE: Using netdom.exe to join active directory

Date: 09/26/2007 18:48:01

Tried that, but the problem persists..

 

Scott

--

I Run A Help Desk, Not A Resume Service

"Technical" wrote:

 

> Hello Sransom,

>

> Instead of /D write /Domain:domainname

>

> "sransom" wrote:

>

> > Hi All,

> >

> > I'm trying to write a small batch file to let me join new computers to our

> > domain. The line is as follows:

> >

> > NETDOM join %ComputerName% /D:mydomain.nsw.edu.au /UserD:Admin

> > /passwordD:xxxxx UserO:Administrator /PasswordO:xxx /reboot:10

> >

> > When I run it all I get is a line saying "the syntax for this command is"

> > and then the help commands for netdom. I have gone cross-eyed trying to find

> > what I'm doing wrong.

> >

> > Any ideas please?

> >

> >

> > --

> > I Run A Help Desk, Not A Resume Service
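
An added example, not part of the original posts: the batch line from the question with every option written with a leading slash (the posted line has `UserO:` without one) and with `*` in place of both passwords, so that netdom prompts for them instead of reading them from the batch file. The domain and account names are the ones in the post; the option names are those of `netdom join` from the Windows Server 2003 Support Tools.

```bat
@echo off
rem Added example (not from the thread): join this computer to the domain.
setlocal
set DOMAIN=mydomain.nsw.edu.au
set DOMAIN_USER=Admin
set LOCAL_USER=Administrator

rem /Domain, /UserD, /PasswordD, /UserO, /PasswordO and /REBoot all need
rem the leading "/"; a token without it is not recognised as an option.
rem The whole command must stay on one line (or be continued with ^),
rem otherwise cmd.exe runs the second line as a separate command.
rem "*" makes netdom prompt for each password, so no credential is
rem stored in the batch file or left in the command history.
netdom join %COMPUTERNAME% /Domain:%DOMAIN% /UserD:%DOMAIN_USER% /PasswordD:* /UserO:%LOCAL_USER% /PasswordO:* /REBoot:10
if errorlevel 1 (
    echo netdom join failed with exit code %errorlevel%.
    exit /b 1
)
echo Joined %DOMAIN%; the computer restarts in 10 seconds.
```

A batch file that carries a domain account's password in clear text exposes that account to anyone who can read the file, which is why the prompt form is used here.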

 



 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: w2k3 logs me off right after user/password

Date: 09/25/2007 14:48:42

Hi check inline:

>  - if I log on as a *normal* user, once I typed in the credential, it

> logs me off right after - the logging off window pops up followed by

> the ctrl-alt-del window. This doesn't always happen but happens 9 out

> of 10 attempts (or more frequent)

 

Logs are full, or maybe some virus on that machine.

 

>  - however if I type in my credential again, I can get into the

> desktop

So you can log successfully after the second attempt?

 

>  - admin doesn't have this problem

That's good, you can use that account to check log errors or if logs are

full, or if you have any process (like a virus) that doesn't like the normal

user account.

 

>  - if I log on as Admin, and in the System properties window,

> profile, highlight the *normal* user account, the "copy to" and

> "remove" button is grayed out.

Can you rename the profile manually, and then try to logon with a new user

and check if the same behavior applies.

 

>  - there was once or twice if I unplugged the power completely then

> log back in as Admin, the above "copy to" and "remove" buttons became

> available again.

Try the rename, if you can rename, you must first take ownership of the

folder and subfolders and files.

 

>  - newly created profile didn't help

New profile for what user, the domain admin or the normal account?

 

>  - absolutely nothing noticeable in event viewer

 

>  - if I log in as Admin, then open a RDP session to itself( mstsc /

> v:localhost), log in as the user in question, it won't ask me for

> password twice. However, I can't launch certain programs within the

> session (such as firefox, outlook). They are terminated at some point

> (for example, I can see the prompt from firefox "restore sessions/new

> session", but then nothing)

That suggests something wrong with the profile or GPO security.

 

> - I reset the security policy by importing the setupsec.inf but this

> didn't help either

It doesn't matter if the policy is being applied at domain or OU level, the

local GPO is the one that is overwritten by all others.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"future2Bunknown" <johnlan@gmail.com> wrote in message

news:1190748178.396470.231270@50g2000hsm.googlegroups.com...

>I have a windows 2003 in workgroup having following symptoms:

>  - if I log on as a *normal* user, once I typed in the credential, it

> logs me off right after - the logging off window pops up followed by

> the ctrl-alt-del window. This doesn't always happen but happens 9 out

> of 10 attempts (or more frequent)

>  - however if I type in my credential again, I can get into the

> desktop

>  - admin doesn't have this problem

>  - if I log on as Admin, and in the System properties window,

> profile, highlight the *normal* user account, the "copy to" and

> "remove" button is grayed out.

>  - there was once or twice if I unplugged the power completely then

> log back in as Admin, the above "copy to" and "remove" buttons became

> available again.

>  - newly created profile didn't help

>  - absolutely nothing noticeable in event viewer

>  - if I log in as Admin, then open a RDP session to itself( mstsc /

> v:localhost), log in as the user in question, it won't ask me for

> password twice. However, I can't launch certain programs within the

> session (such as firefox, outlook). They are terminated at some point

> (for example, I can see the prompt from firefox "restore sessions/new

> session", but then nothing)

> - I reset the security policy by importing the setupsec.inf but this

> didn't help either

>

> Any help appreciated.

>

 



 

From: future2Bunknown <johnlan@gmail.com>

To: none

Subject: Re: w2k3 logs me off right after user/password

Date: 09/26/2007 09:18:32

Jorge,

 

Thanks for the reply. Please see my reply to your comments:

 

1. This is a workgroup server therefore no upper level GP will

override local policy

2. Second attempt to log on always succeeds

3. If, as I myself suspected and as you pointed out, profile and/or

security settings are to blame, I've replaced both to no avail

4. logs in event has been cleared multiple times during my

troubleshooting. And I don't believe there is any other size limit on

text-based logs. Plus, all disks have sufficient space

5. I didn't bother to verify if other users have same problem because

this is the only account I need to keep and make it workable. But I

believe the others don't have this issue. I will try later though and

post back.

6. while I can't say 100% sure that I am not hit by virus, I am very

confident my computer is clean. Having worked in security field, I am

always cautious what's installed and my computer is well protected.

The symptoms don't look like virus either.

7. I do have the userenv.log if you want to see it.

 

On Sep 25, 3:48 pm, "Jorge Silva" <jorgesilva...@hotmail.com> wrote:

> Hi check inline:

>

> >  - if I log on as a *normal* user, once I typed in the credential, it

> > logs me off right after - the logging off window pops up followed by

> > the ctrl-alt-del window. This doesn't always happen but happens 9 out

> > of 10 attempts (or more frequent)

>

> Logs are full, or maybe some virus on that machine.

>

> >  - however if I type in my credential again, I can get into the

> > desktop

>

> So you can log successfully after the second attempt?

>

> >  - admin doesn't have this problem

>

> That's good, you can use that account to check log errors or if logs are

> full, or if you have any process (like a virus) that doesn't like the normal

> user account.

>

> >  - if I log on as Admin, and in the System properties window,

> > profile, highlight the *normal* user account, the "copy to" and

> > "remove" button is grayed out.

>

> Can you rename the profile manually, and then try to logon with a new user

> and check if the same behavior applies.

>

> >  - there was once or twice if I unplugged the power completely then

> > log back in as Admin, the above "copy to" and "remove" buttons became

> > available again.

>

> Try the rename, if you can rename, you must first take ownership of the

> folder and subfolders and files.

>

> >  - newly created profile didn't help

>

> New profile for what user, the domain admin or the normal account?

>

> >  - absolutely nothing noticeable in event viewer

> >  - if I log in as Admin, then open a RDP session to itself( mstsc /

> > v:localhost), log in as the user in question, it won't ask me for

> > password twice. However, I can't launch certain programs within the

> > session (such as firefox, outlook). They are terminated at some point

> > (for example, I can see the prompt from firefox "restore sessions/new

> > session", but then nothing)

>

> That suggests something wrong with the profile or GPO security.

>

> > - I reset the security policy by importing the setupsec.inf but this

> > didn't help either

>

> It doesn't matter if the policy is being applied at domain or OU level, the

> local GPO is the one that is overwritten by all others.

>

> --

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

> "future2Bunknown" <john...@gmail.com> wrote in message

>

> news:1190748178.396470.231270@50g2000hsm.googlegroups.com...

>

> >I have a windows 2003 in workgroup having following symptoms:

> >  - if I log on as a *normal* user, once I typed in the credential, it

> > logs me off right after - the logging off window pops up followed by

> > the ctrl-alt-del window. This doesn't always happen but happens 9 out

> > of 10 attempts (or more frequent)

> >  - however if I type in my credential again, I can get into the

> > desktop

> >  - admin doesn't have this problem

> >  - if I log on as Admin, and in the System properties window,

> > profile, highlight the *normal* user account, the "copy to" and

> > "remove" button is grayed out.

> >  - there was once or twice if I unplugged the power completely then

> > log back in as Admin, the above "copy to" and "remove" buttons became

> > available again.

> >  - newly created profile didn't help

> >  - absolutely nothing noticeable in event viewer

> >  - if I log in as Admin, then open a RDP session to itself( mstsc /

> > v:localhost), log in as the user in question, it won't ask me for

> > password twice. However, I can't launch certain programs within the

> > session (such as firefox, outlook). They are terminated at some point

> > (for example, I can see the prompt from firefox "restore sessions/new

> > session", but then nothing)

> > - I reset the security policy by importing the setupsec.inf but this

> > didn't help either

>

> > Any help appreciated.

 



 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: w2k3 logs me off right after user/password

Date: 09/26/2007 11:48:10

Inline

> 1. This is a workgroup server therefore no upper level GP will

> override local policy

Ok. But you can also check local policy.

 

> 2. Second attempt to log on always succeeds

Yeah this is the weird part. Never saw something similar, that's why I

suggested that may be a Virus problem or GPO restriction.

 

> 3. If, as I myself suspected and as you pointed out, profile and/or

> security settings are to blame, I've replaced both to no avail

1 place less to search ;)

 

> 4. logs in event has been cleared multiple times during my

> troubleshooting. And I don't believe there is any other size limit on

> text-based logs. Plus, all disks have sufficient space

Ok.

 

> 5. I didn't bother to verify if other users have same problem because

> this is the only account I need to keep and make it workable. But I

> believe the others don't have this issue. I will try later though and

> post back.

Yes try to create a different account and check with that account (I never

know, strange behaviors lead to strange solutions)

 

> 6. while I can't say 100% sure that I am not hit by virus, I am very

> confident my computer is clean. Having worked in security field, I am

> always cautious what's installed and my computer is well protected.

> The symptoms don't look like virus either.

You won't waste too much time by running the antivirus, just in case.

 

> 7. I do have the userenv.log if you want to see it.

Only the things that contain errors or strange things

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"future2Bunknown" <johnlan@gmail.com> wrote in message

news:1190816312.730005.167360@22g2000hsm.googlegroups.com...

> Jorge,

>

> Thanks for the reply. Please see my reply to your comments:

>

> 1. This is a workgroup server therefore no upper level GP will

> override local policy

> 2. Second attempt to log on always succeeds

> 3. If, as I myself suspected and as you pointed out, profile and/or

> security settings are to blame, I've replaced both to no avail

> 4. logs in event has been cleared multiple times during my

> troubleshooting. And I don't believe there is any other size limit on

> text-based logs. Plus, all disks have sufficient space

> 5. I didn't bother to verify if other users have same problem because

> this is the only account I need to keep and make it workable. But I

> believe the others don't have this issue. I will try later though and

> post back.

> 6. while I can't say 100% sure that I am not hit by virus, I am very

> confident my computer is clean. Having worked in security field, I am

> always cautious what's installed and my computer is well protected.

> The symptoms don't look like virus either.

> 7. I do have the userenv.log if you want to see it.

>

> On Sep 25, 3:48 pm, "Jorge Silva" <jorgesilva...@hotmail.com> wrote:

>> Hi check inline:

>>

>> >  - if I log on as a *normal* user, once I typed in the credential, it

>> > logs me off right after - the logging off window pops up followed by

>> > the ctrl-alt-del window. This doesn't always happen but happens 9 out

>> > of 10 attempts (or more frequent)

>>

>> Logs are full, or maybe some virus on that machine.

>>

>> >  - however if I type in my credential again, I can get into the

>> > desktop

>>

>> So you can log successfully after the second attempt?

>>

>> >  - admin doesn't have this problem

>>

>> That's good, you can use that account to check log errors or if logs are

>> full, or if you have any process (like a virus) that doesn't like the

>> normal

>> user account.

>>

>> >  - if I log on as Admin, and in the System properties window,

>> > profile, highlight the *normal* user account, the "copy to" and

>> > "remove" button is grayed out.

>>

>> Can you rename the profile manually, and then try to logon with a new

>> user

>> and check if the same behavior applies.

>>

>> >  - there was once or twice if I unplugged the power completely then

>> > log back in as Admin, the above "copy to" and "remove" buttons became

>> > available again.

>>

>> Try the rename, if you can rename, you must first take ownership of the

>> folder and subfolders and files.

>>

>> >  - newly created profile didn't help

>>

>> New profile for what user, the domain admin or the normal account?

>>

>> >  - absolutely nothing noticeable in event viewer

>> >  - if I log in as Admin, then open a RDP session to itself( mstsc /

>> > v:localhost), log in as the user in question, it won't ask me for

>> > password twice. However, I can't launch certain programs within the

>> > session (such as firefox, outlook). They are terminated at some point

>> > (for example, I can see the prompt from firefox "restore sessions/new

>> > session", but then nothing)

>>

>> That suggests something wrong with the profile or GPO security.

>>

>> > - I reset the security policy by importing the setupsec.inf but this

>> > didn't help either

>>

>> It doesn't matter if the policy is being applied at domain or OU level,

>> the

>> local GPO is the one that is overwritten by all others.

>>

>> --

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

>> "future2Bunknown" <john...@gmail.com> wrote in message

>>

>> news:1190748178.396470.231270@50g2000hsm.googlegroups.com...

>>

>> >I have a windows 2003 in workgroup having following symptoms:

>> >  - if I log on as a *normal* user, once I typed in the credential, it

>> > logs me off right after - the logging off window pops up followed by

>> > the ctrl-alt-del window. This doesn't always happen but happens 9 out

>> > of 10 attempts (or more frequent)

>> >  - however if I type in my credential again, I can get into the

>> > desktop

>> >  - admin doesn't have this problem

>> >  - if I log on as Admin, and in the System properties window,

>> > profile, highlight the *normal* user account, the "copy to" and

>> > "remove" button is grayed out.

>> >  - there was once or twice if I unplugged the power completely then

>> > log back in as Admin, the above "copy to" and "remove" buttons became

>> > available again.

>> >  - newly created profile didn't help

>> >  - absolutely nothing noticeable in event viewer

>> >  - if I log in as Admin, then open a RDP session to itself( mstsc /

>> > v:localhost), log in as the user in question, it won't ask me for

>> > password twice. However, I can't launch certain programs within the

>> > session (such as firefox, outlook). They are terminated at some point

>> > (for example, I can see the prompt from firefox "restore sessions/new

>> > session", but then nothing)

>> > - I reset the security policy by importing the setupsec.inf but this

>> > didn't help either

>>

>> > Any help appreciated.

 



 

From: Cyberstorme <Cyberstorme@discussions.microsoft.com>

To: none

Subject: Re: w2k3 logs me off right after user/password

Date: 09/28/2007 02:50:02

I remember seeing this behaviour during the early W2K3 days. I believe the

issue was corrected in SP1. Is your system at SP1?

 

"future2Bunknown" wrote:

 

> Jorge,

>

> Thanks for the reply. Please see my reply to your comments:

>

> 1. This is a workgroup server therefore no upper level GP will

> override local policy

> 2. Second attempt to log on always succeeds

> 3. If, as I myself suspected and as you pointed out, profile and/or

> security settings are to blame, I've replaced both to no avail

> 4. logs in event has been cleared multiple times during my

> troubleshooting. And I don't believe there is any other size limit on

> text-based logs. Plus, all disks have sufficient space

> 5. I didn't bother to verify if other users have same problem because

> this is the only account I need to keep and make it workable. But I

> believe the others don't have this issue. I will try later though and

> post back.

> 6. while I can't say 100% sure that I am not hit by virus, I am very

> confident my computer is clean. Having worked in security field, I am

> always cautious what's installed and my computer is well protected.

> The symptoms don't look like virus either.

> 7. I do have the userenv.log if you want to see it.

>

> On Sep 25, 3:48 pm, "Jorge Silva" <jorgesilva...@hotmail.com> wrote:

> > Hi check inline:

> >

> > >  - if I log on as a *normal* user, once I typed in the credential, it

> > > logs me off right after - the logging off window pops up followed by

> > > the ctrl-alt-del window. This doesn't always happen but happens 9 out

> > > of 10 attempts (or more frequent)

> >

> > Logs are full, or maybe some virus on that machine.

> >

> > >  - however if I type in my credential again, I can get into the

> > > desktop

> >

> > So you can log successfully after the second attempt?

> >

> > >  - admin doesn't have this problem

> >

> > That's good, you can use that account to check log errors or if logs are

> > full, or if you have any process (like a virus) that doesn't like the normal

> > user account.

> >

> > >  - if I log on as Admin, and in the System properties window,

> > > profile, highlight the *normal* user account, the "copy to" and

> > > "remove" button is grayed out.

> >

> > Can you rename the profile manually, and then try to logon with a new user

> > and check if the same behavior applies.

> >

> > >  - there was once or twice if I unplugged the power completely then

> > > log back in as Admin, the above "copy to" and "remove" buttons became

> > > available again.

> >

> > Try the rename, if you can rename, you must first take ownership of the

> > folder and subfolders and files.

> >

> > >  - newly created profile didn't help

> >

> > New profile for what user, the domain admin or the normal account?

> >

> > >  - absolutely nothing noticeable in event viewer

> > >  - if I log in as Admin, then open a RDP session to itself( mstsc /

> > > v:localhost), log in as the user in question, it won't ask me for

> > > password twice. However, I can't launch certain programs within the

> > > session (such as firefox, outlook). They are terminated at some point

> > > (for example, I can see the prompt from firefox "restore sessions/new

> > > session", but then nothing)

> >

> > That suggests something wrong with the profile or GPO security.

> >

> > > - I reset the security policy by importing the setupsec.inf but this

> > > didn't help either

> >

> > It doesn't matter if the policy is being applied at domain or OU level, the

> > local GPO is the one that is overwritten by all others.

> >

> > --

> > I hope that the information above helps you.

> > Have a Nice day.

> >

> > Jorge Silva

> > MCSE, MVP Directory Services

> > "future2Bunknown" <john...@gmail.com> wrote in message

> >

> > news:1190748178.396470.231270@50g2000hsm.googlegroups.com...

> >

> > >I have a windows 2003 in workgroup having following symptoms:

> > >  - if I log on as a *normal* user, once I typed in the credential, it

> > > logs me off right after - the logging off window pops up followed by

> > > the ctrl-alt-del window. This doesn't always happen but happens 9 out

> > > of 10 attempts (or more frequent)

> > >  - however if I type in my credential again, I can get into the

> > > desktop

> > >  - admin doesn't have this problem

> > >  - if I log on as Admin, and in the System properties window,

> > > profile, highlight the *normal* user account, the "copy to" and

> > > "remove" button is grayed out.

> > >  - there was once or twice if I unplugged the power completely then

> > > log back in as Admin, the above "copy to" and "remove" buttons became

> > > available again.

> > >  - newly created profile didn't help

> > >  - absolutely nothing noticeable in event viewer

> > >  - if I log in as Admin, then open a RDP session to itself( mstsc /

> > > v:localhost), log in as the user in question, it won't ask me for

> > > password twice. However, I can't launch certain programs within the

> > > session (such as firefox, outlook). They are terminated at some point

> > > (for example, I can see the prompt from firefox "restore sessions/new

> > > session", but then nothing)

> > > - I reset the security policy by importing the setupsec.inf but this

> > > didn't help either

> >

> > > Any help appreciated.

>

 



 

From: JayDee <dopamine@mail.com>

To: none

Subject: Re: W32Time problem

Date: 09/25/2007 20:05:38

On Sep 25, 12:43 am, "Jorge Silva" <jorgesilva...@hotmail.com> wrote:

> Hi

> If you move the role of the PDC emulator to a new domain controller you must

> also Change the Windows Time service configuration on the previous PDC

> emulator. here's how:

>

> http://technet2.microsoft.com/WindowsServer/en/library/ce8890cf-ef46-...

>

> --

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

> "JayDee" <dopam...@mail.com> wrote in message

>

> news:1190690630.848609.135610@y42g2000hsy.googlegroups.com...

>

> > this is weird. I set up a disaster recovery environment and brought up

> > a copy of one of our DC's, I then seized all the roles. Things seem to

> > work, except I get a W32Time warning whenever member servers are

> > rebooted:

>

> > Event ID 54

> > The Windows Time Service was not able to find a Domain Controller. A

> > time and date update was not possible.

>

> > IF I do "net time \\dcname /set /y"

> > I get:

> > Could not locate a time-server.

>

> > However, I do get a valid time on the DC if I simply do a "net time \

> > \dcname".

>

> > I confirmed that all the roles (including PDCe) have been successfully

> > seized by the DC.

>

> > Any ideas? I really wanna figure this out. The registry on the clients

> > is configured with "Nt5DS" and the clients as well as the dc are all

> > in the same Site.

>

> > Thank you.

>

> > - JD

>


 

That article did the trick... Thanks!
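
An added example, not taken from the thread or the linked article: the w32tm settings usually applied when the PDC emulator role moves, written as one batch file that takes the machine's role as its argument. The peer name ntp.example.net and the argument names are assumptions; clock agreement matters here because Kerberos rejects logons when the time difference is too large.

```batch
@echo off
rem Added example, not from the thread or the linked article: Windows Time
rem service settings after the PDC emulator role moves to another DC.
rem Run with one argument: newpdc, oldpdc, member or check.
rem PEERS is a placeholder; use your own upstream time source.
setlocal
set "PEERS=ntp.example.net"

if /i "%~1"=="newpdc" goto newpdc
if /i "%~1"=="oldpdc" goto oldpdc
if /i "%~1"=="member" goto member
if /i "%~1"=="check" goto check
echo Usage: %~nx0 newpdc, oldpdc, member or check
exit /b 2

:newpdc
rem New role holder: sync from the external peer and advertise as reliable.
w32tm /config /manualpeerlist:"%PEERS%" /syncfromflags:manual /reliable:yes /update
if errorlevel 1 exit /b 1
goto restart

:oldpdc
rem Previous role holder: follow the domain hierarchy again and stop
rem advertising as a reliable time source.
w32tm /config /syncfromflags:domhier /reliable:no /update
if errorlevel 1 exit /b 1
goto restart

:member
rem Member server or workstation: rediscover a time source and resync.
w32tm /resync /rediscover
exit /b %ERRORLEVEL%

:check
rem Show which DC holds each FSMO role, then the time offset of every DC.
netdom query fsmo
w32tm /monitor
exit /b %ERRORLEVEL%

:restart
rem Restart the service so the new configuration is in effect, then resync.
net stop w32time
net start w32time
if errorlevel 1 exit /b 1
w32tm /resync /rediscover
exit /b %ERRORLEVEL%
```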

 



 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: W32Time problem

Date: 09/26/2007 07:08:33

Great.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"JayDee" <dopamine@mail.com> wrote in message

news:1190768738.131098.277250@d55g2000hsg.googlegroups.com...

> On Sep 25, 12:43 am, "Jorge Silva" <jorgesilva...@hotmail.com> wrote:

>> Hi

>> If you move the role of the PDC emulator to a new domain controller you

>> must

>> also Change the Windows Time service configuration on the previous PDC

>> emulator. here's how:

>>

>> http://technet2.microsoft.com/WindowsServer/en/library/ce8890cf-ef46-...

>>

>> --

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

>> "JayDee" <dopam...@mail.com> wrote in message

>>

>> news:1190690630.848609.135610@y42g2000hsy.googlegroups.com...

>>

>> > this is weird. I set up a disaster recovery environment and brought up

>> > a copy of one of our DC's, I then seized all the roles. Things seem to

>> > work, except I get a W32Time warning whenever member servers are

>> > rebooted:

>>

>> > Event ID 54

>> > The Windows Time Service was not able to find a Domain Controller. A

>> > time and date update was not possible.

>>

>> > IF I do "net time \\dcname /set /y"

>> > I get:

>> > Could not locate a time-server.

>>

>> > However, I do get a valid time on the DC if I simply do a "net time \

>> > \dcname".

>>

>> > I confirmed that all the roles (including PDCe) have been successfully

>> > seized by the DC.

>>

>> > Any ideas? I really wanna figure this out. The registry on the clients

>> > is configured with "Nt5DS" and the clients as well as the dc are all

>> > in the same Site.

>>

>> > Thank you.

>>

>> > - JD

>>


>

> That article did the trick... Thanks!

>

 



 

From: Meinolf Weber <meiweb(nospam)@gmx.de>

To: none

Subject: Re: Windows 2003 & 2000 Servers

Date: 09/26/2007 16:52:28

Hello bblakistone@gmail.com,

 

Yes, you are right.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

 

> Hi all,

>

> I have two servers, one a 2003 running active directory in mixed 2000

> mode, the second a Win2k running in workgroup mode.  They have come

> over from another company, and I want to rename the domain on the

> 2003.  I see there is a rename tool, and have gone through the docs on

> that, but in order to do a rename I must switch to 2003 mode on the

> directory.

>

> My question is if I switch to 2003 forest functionality, can I bring

> the 2000 server into the directory as long as I don't use it as backup

> or primary domain controller?  Also when I do, I am guessing there is

> no way to bring those workgroup based security setups into the domain,

> is that right?

>

> Thanks for any help.

>

> Best regards,

> Brian Blakistone

 



 

From: bblakistone@gmail.com

To: none

Subject: Re: Windows 2003 & 2000 Servers

Date: 09/27/2007 09:24:09

Thanks Meinolf!

 

On Sep 26, 2:52 pm, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:

> Hello bblakist...@gmail.com,

 

> Yes, you are right.

 

> Meinolf Weber

 

> > I have two servers, one a 2003 running active directory in mixed 2000

> > mode, the second a Win2k running in workgroup mode.  They have come

> > over from another company, and I want to rename the domain on the

> > 2003.  I see there is a rename tool, and have gone through the docs on

> > that, but in order to do a rename I must switch to 2003 mode on the

> > directory.

>

> > My question is if I switch to 2003 forest functionality, can I bring

> > the 2000 server into the directory as long as I don't use it as backup

> > or primary domain controller?  Also when I do, I am guessing there is

> > no way to bring those workgroup based security setups into the domain,

> > is that right?

 



 

From: Meinolf Weber <meiweb(nospam)@gmx.de>

To: none

Subject: Re: Windows 2003 NtFrs Event 13508 sysvol\domain

Date: 09/26/2007 01:10:09

Hello Thylo,

 

Please post an ipconfig /all from both DC/DNS server.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

 

> Hi,

>

> We have a Windows 2003 domain, with two domain controllers. Both

> domain controllers are running Windows 2003 SP2, fully patched. The

> same warning appears in the File Replication Service Log on both

> servers, with the server names reversed on the other server (I have

> changed the names of the servers and domain here).

>

> Event Type: Warning

> Event Source: NtFrs

> Event Category: None

> Event ID: 13508

> Date:  25/09/2007

> Time:  3:00:03 PM

> User:  N/A

> Computer: DomainDC1

> Description:

> The File Replication Service is having trouble enabling replication

> from

> DomainDC2 to DomainDC1 for c:\windows\sysvol\domain using the DNS name

> domaindc2.domain.org.au. FRS will keep retrying.

> Following are some of the reasons you would see this warning.

> [1] FRS can not correctly resolve the DNS name

> domaindc2.domain.org.au from

> this computer.

> [2] FRS is not running on domaindc2.domain.org.au.

> [3] The topology information in the Active Directory for this replica

> has

> not yet replicated to all the Domain Controllers.

> This event log message will appear once per connection, After the

> problem is fixed you will see another event log message indicating

> that the connection has been established.

>

> ****

>

> There are no 13509 events after these. I have been searching the

> groups trying to find something that will help. Both servers are able

> to ping each other using their FQDN, the FRS service is running on

> both servers and replication appears to be working, as changes to

> Sites and Services are replicated almost immediately when they are

> made, including changing the site name and deleting and regenerating

> Active Directory Connections (which I did as a test). I have also

> tried changing both servers so that they are using the same DNS server

> (all combinations) to no avail.

>

> I ran the FRSDiag utility, from both my workstation and on the

> servers. All of them report an RPC error trying to connect to both

> servers. On the server I was logged in as the Administrator, so

> permissions shouldn't have been a problem. I have the logs from the

> FRSDiag utility if that will help anyone!

>

> When I run "ntfrsutl version" on both servers, I get:

>

> NtFrsApi Version Information

> NtFrsApi Major      : 0

> NtFrsApi Minor      : 0

> NtFrsApi Compiled on: Feb 16 2007 20:01:19

> ERROR - Cannot bind w/authentication to computer, (null)

> ERROR - Cannot bind w/o authentication to computer, (nul ERROR -

> Cannot RPC to computer, (null); 000006d9 (1753)

>

> ****

>

> (null) is replaced by the FQDN of both servers when I enter that

> information in the command line as well.

>

> I have followed all of the kb articles and usergroup threads that I

> can find, with no luck. Hopefully there's something that I've missed

> that someone can point me to.

>

> Other events that may help (or could confuse the matter further), is

> that when users change their passwords, the Windows 2000 ISA Server

> prompts them for their password, even when they log off (or even

> restart their computers completely) and log back on with the new

> password. Even once that is sorted out, which can involve re-creating

> their profile or resetting the password again on one of the DCs,

> failed logon attempts are regularly recorded in the security log on

> both DCs.  Profiles have also become completely corrupted after a

> password change on a couple of occasions.

>

> I look forward to any suggestion. Thanks in advance.

>

 



 

From: Thylo <Thylo@discussions.microsoft.com>

To: none

Subject: Re: Windows 2003 NtFrs Event 13508 sysvol\domain

Date: 09/26/2007 01:28:30

Hi Meinolf,

 

Below are the ipconfig /all results from domain controller, they are the

only DNS servers on the network as well:

 

Windows IP Configuration

 

   Host Name . . . . . . . . . . . . : domaindc1

   Primary Dns Suffix  . . . . . . . : domain.org.au

   Node Type . . . . . . . . . . . . : Hybrid

   IP Routing Enabled. . . . . . . . : No

   WINS Proxy Enabled. . . . . . . . : No

   DNS Suffix Search List. . . . . . : domain.org.au

                                       org.au

 

Ethernet adapter Intel Pro 1000 CT Gigabit Ethernet Adapter - Onboard:

 

   Connection-specific DNS Suffix  . : domain.org.au

   Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network Connection

   Physical Address. . . . . . . . . : 00-C0-9F-4B-9E-5D

   DHCP Enabled. . . . . . . . . . . : No

   IP Address. . . . . . . . . . . . : 172.30.14.7

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . : 172.30.14.1

   DNS Servers . . . . . . . . . . . : 172.30.14.2

                                       172.30.14.7

   Primary WINS Server . . . . . . . : 172.30.14.7

   Secondary WINS Server . . . . . . : 172.30.14.2

 

Windows IP Configuration

 

   Host Name . . . . . . . . . . . . : domaindc2

   Primary Dns Suffix  . . . . . . . : domain.org.au

   Node Type . . . . . . . . . . . . : Hybrid

   IP Routing Enabled. . . . . . . . : No

   WINS Proxy Enabled. . . . . . . . : No

   DNS Suffix Search List. . . . . . : domain.org.au

                                       org.au

 

Ethernet adapter Local Area Connection:

 

   Connection-specific DNS Suffix  . : domain.org.au

   Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network Connection

   Physical Address. . . . . . . . . : 00-11-43-CE-40-E6

   DHCP Enabled. . . . . . . . . . . : No

   IP Address. . . . . . . . . . . . : 172.30.14.2

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . : 172.30.14.1

   DNS Servers . . . . . . . . . . . : 172.30.14.2

                                       172.30.14.7

   Primary WINS Server . . . . . . . : 172.30.14.2

   Secondary WINS Server . . . . . . : 172.30.14.7

 

***

 

Cheers,

 

--

Leigh

MCSE (NT4, 2000)

"Meinolf Weber" wrote:

 

> Hello Thylo,

>

> Please post an ipconfig /all from both DC/DNS server.

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> no rights.

>

> > Hi,

> >

> > We have a Windows 2003 domain, with two domain controllers. Both

> > domain controllers are running Windows 2003 SP2, fully patched. The

> > same warning appears in the File Replication Service Log on both

> > servers, with the server names reversed on the other server (I have

> > changed the names of the servers and domain here).

> >

> > Event Type: Warning

> > Event Source: NtFrs

> > Event Category: None

> > Event ID: 13508

> > Date:  25/09/2007

> > Time:  3:00:03 PM

> > User:  N/A

> > Computer: DomainDC1

> > Description:

> > The File Replication Service is having trouble enabling replication

> > from

> > DomainDC2 to DomainDC1 for c:\windows\sysvol\domain using the DNS name

> > domaindc2.domain.org.au. FRS will keep retrying.

> > Following are some of the reasons you would see this warning.

> > [1] FRS can not correctly resolve the DNS name

> > domaindc2.domain.org.au from

> > this computer.

> > [2] FRS is not running on domaindc2.domain.org.au.

> > [3] The topology information in the Active Directory for this replica

> > has

> > not yet replicated to all the Domain Controllers.

> > This event log message will appear once per connection, After the

> > problem is fixed you will see another event log message indicating

> > that the connection has been established.

> >

> > ****

> >

> > There are no 13509 events after these. I have been searching the

> > groups trying to find something that will help. Both servers are able

> > to ping each other using their FQDN, the FRS service is running on

> > both servers and replication appears to be working, as changes to

> > Sites and Services are replicated almost immediately when they are

> > made, including changing the site name and deleting and regenerating

> > Active Directory Connections (which I did as a test). I have also

> > tried changing both servers so that they are using the same DNS server

> > (all combinations) to no avail.

> >

> > I ran the FRSDiag utility, from both my workstation and on the

> > servers. All of them report an RPC error trying to connect to both

> > servers. On the server I was logged in as the Administrator, so

> > permissions shouldn't have been a problem. I have the logs from the

> > FRSDiag utility if that will help anyone!

> >

> > When I run "ntfrsutl version" on both servers, I get:

> >

> > NtFrsApi Version Information

> > NtFrsApi Major      : 0

> > NtFrsApi Minor      : 0

> > NtFrsApi Compiled on: Feb 16 2007 20:01:19

> > ERROR - Cannot bind w/authentication to computer, (null)

> > ERROR - Cannot bind w/o authentication to computer, (nul ERROR -

> > Cannot RPC to computer, (null); 000006d9 (1753)

> >

> > ****

> >

> > (null) is replaced by the FQDN of both servers when I enter that

> > information in the command line as well.

> >

> > I have followed all of the kb articles and usergroup threads that I

> > can find, with no luck. Hopefully there's something that I've missed

> > that someone can point me to.

> >

> > Other events that may help (or could confuse the matter further), is

> > that when users change their passwords, the Windows 2000 ISA Server

> > prompts them for their password, even when they log off (or even

> > restart their computers completely) and log back on with the new

> > password. Even once that is sorted out, which can involve re-creating

> > their profile or resetting the password again on one of the DCs,

> > failed logon attempts are regularly recorded in the security log on

> > both DCs.  Profiles have also become completely corrupted after a

> > password change on a couple of occasions.

> >

> > I look forward to any suggestion. Thanks in advance.

> >

>
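One way to review the `ipconfig /all` output posted above against cause [1] of the event text (DNS resolution), as an added example that is not part of the original posts. The function names and the choice of checks are assumptions of this example; the sample text is copied from the post with the settings the checks do not read left out.

```python
import ipaddress
import re

# `ipconfig /all` text copied from the post (names were already changed by the
# poster); blank lines and settings the checks do not read are left out.
POSTED_OUTPUT = """\
Windows IP Configuration
   Host Name . . . . . . . . . . . . : domaindc1
   Primary Dns Suffix  . . . . . . . : domain.org.au
   DNS Suffix Search List. . . . . . : domain.org.au
                                       org.au
Ethernet adapter Intel Pro 1000 CT Gigabit Ethernet Adapter - Onboard:
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 172.30.14.7
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 172.30.14.2
                                       172.30.14.7
Windows IP Configuration
   Host Name . . . . . . . . . . . . : domaindc2
   Primary Dns Suffix  . . . . . . . : domain.org.au
   DNS Suffix Search List. . . . . . : domain.org.au
                                       org.au
Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 172.30.14.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 172.30.14.2
                                       172.30.14.7
"""

# "   Setting name . . . . : value" (indented, dot leader, colon)
KV_LINE = re.compile(r"^[ \t]+([A-Za-z][A-Za-z \-]*?)[ .]*:[ \t]*(.*)$")


def parse_ipconfig(text):
    """Return one dict per 'Windows IP Configuration' block: {setting: [values]}.

    Assumes one network adapter per host, as in the posted output, so adapter
    settings are stored next to the host-level settings.
    """
    hosts, current, last_key = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Windows IP Configuration"):
            current, last_key = {}, None
            hosts.append(current)
            continue
        if current is None:
            continue
        match = KV_LINE.match(line)
        if match:
            last_key = match.group(1)
            value = match.group(2).strip()
            current[last_key] = [value] if value else []
        elif line[0] in " \t" and last_key:
            # An indented line without "name :" continues the previous setting,
            # e.g. the second DNS server or the second search suffix.
            current[last_key].append(line.strip())
        else:
            last_key = None  # adapter header line
    return hosts


def fqdn(host):
    """Name a DC registers in DNS: host name plus primary DNS suffix."""
    return f'{host["Host Name"][0]}.{host["Primary Dns Suffix"][0]}'.lower()


def check_dc_dns(hosts):
    """Return findings about the DNS client settings of the posted DCs."""
    findings = []
    dc_ips = {h["IP Address"][0] for h in hosts}
    if len({h["Primary Dns Suffix"][0].lower() for h in hosts}) != 1:
        findings.append("DCs do not share one primary DNS suffix")
    for h in hosts:
        name = h["Host Name"][0]
        iface = ipaddress.ip_interface(
            f'{h["IP Address"][0]}/{h["Subnet Mask"][0]}')
        if h["DHCP Enabled"][0].lower() != "no":
            findings.append(f"{name}: address is assigned by DHCP")
        for dns in h["DNS Servers"]:
            # The post states that the two DCs are the only DNS servers.
            if dns not in dc_ips:
                findings.append(
                    f"{name}: DNS server {dns} is not one of the posted DCs")
        for other in sorted(dc_ips):
            if ipaddress.ip_address(other) not in iface.network:
                findings.append(f"{name}: {other} is outside {iface.network}")
    return findings


if __name__ == "__main__":
    parsed = parse_ipconfig(POSTED_OUTPUT)
    for h in parsed:
        print(fqdn(h), h["DNS Servers"])
    print(check_dc_dns(parsed) or "no findings")
```
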

 



 

From: Meinolf Weber <meiweb(nospam)@gmx.de>

To: none

Subject: Re: Windows 2003 NtFrs Event 13508 sysvol\domain

Date: 09/26/2007 01:53:15

Hello Thylo,

 

Have a look here:

http://www.eventid.net/display.asp?eventid=13508&eventno=349&source=ntfrs&phase=1

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

 

> Hi Meinolf,

>

> Below are the ipconfig /all results from domain controller, they are

> the only DNS servers on the network as well:

>

> Windows IP Configuration

>

> Host Name . . . . . . . . . . . . : domaindc1

> Primary Dns Suffix  . . . . . . . : domain.org.au

> Node Type . . . . . . . . . . . . : Hybrid

> IP Routing Enabled. . . . . . . . : No

> WINS Proxy Enabled. . . . . . . . : No

> DNS Suffix Search List. . . . . . : domain.org.au

> org.au

> Ethernet adapter Intel Pro 1000 CT Gigabit Ethernet Adapter - Onboard:

>

> Connection-specific DNS Suffix  . : domain.org.au

> Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network

> Connection

> Physical Address. . . . . . . . . : 00-C0-9F-4B-9E-5D

> DHCP Enabled. . . . . . . . . . . : No

> IP Address. . . . . . . . . . . . : 172.30.14.7

> Subnet Mask . . . . . . . . . . . : 255.255.255.0

> Default Gateway . . . . . . . . . : 172.30.14.1

> DNS Servers . . . . . . . . . . . : 172.30.14.2

> 172.30.14.7

> Primary WINS Server . . . . . . . : 172.30.14.7

> Secondary WINS Server . . . . . . : 172.30.14.2

> Windows IP Configuration

>

> Host Name . . . . . . . . . . . . : domaindc2

> Primary Dns Suffix  . . . . . . . : domain.org.au

> Node Type . . . . . . . . . . . . : Hybrid

> IP Routing Enabled. . . . . . . . : No

> WINS Proxy Enabled. . . . . . . . : No

> DNS Suffix Search List. . . . . . : domain.org.au

> org.au

> Ethernet adapter Local Area Connection:

>

> Connection-specific DNS Suffix  . : domain.org.au

> Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network

> Connection

> Physical Address. . . . . . . . . : 00-11-43-CE-40-E6

> DHCP Enabled. . . . . . . . . . . : No

> IP Address. . . . . . . . . . . . : 172.30.14.2

> Subnet Mask . . . . . . . . . . . : 255.255.255.0

> Default Gateway . . . . . . . . . : 172.30.14.1

> DNS Servers . . . . . . . . . . . : 172.30.14.2

> 172.30.14.7

> Primary WINS Server . . . . . . . : 172.30.14.2

> Secondary WINS Server . . . . . . : 172.30.14.7

> ***

>

> Cheers,

>

> "Meinolf Weber" wrote:

>

>> Hello Thylo,

>>

>> Please post an ipconfig /all from both DC/DNS server.

>>

>> Best regards

>>

>> Meinolf Weber

>> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> confers

>> no rights.

>>> Hi,

>>>

>>> We have a Windows 2003 domain, with two domain controllers. Both

>>> domain controllers are running Windows 2003 SP2, fully patched. The

>>> same warning appears in the File Replication Service Log on both

>>> servers, with the server names reversed on the other server (I have

>>> changed the names of the servers and domain here).

>>>

>>> Event Type: Warning

>>> Event Source: NtFrs

>>> Event Category: None

>>> Event ID: 13508

>>> Date:  25/09/2007

>>> Time:  3:00:03 PM

>>> User:  N/A

>>> Computer: DomainDC1

>>> Description:

>>> The File Replication Service is having trouble enabling replication

>>> from

>>> DomainDC2 to DomainDC1 for c:\windows\sysvol\domain using the DNS

>>> name

>>> domaindc2.domain.org.au. FRS will keep retrying.

>>> Following are some of the reasons you would see this warning.

>>> [1] FRS can not correctly resolve the DNS name

>>> domaindc2.domain.org.au from

>>> this computer.

>>> [2] FRS is not running on domaindc2.domain.org.au.

>>> [3] The topology information in the Active Directory for this

>>> replica

>>> has

>>> not yet replicated to all the Domain Controllers.

>>> This event log message will appear once per connection, After the

>>> problem is fixed you will see another event log message indicating

>>> that the connection has been established.

>>> ****

>>>

>>> There are no 13509 events after these. I have been searching the

>>> groups trying to find something that will help. Both servers are

>>> able to ping each other using their FQDN, the FRS service is running

>>> on both servers and replication appears to be working, as changes to

>>> Sites and Services are replicated almost immediately when they are

>>> made, including changing the site name and deleting and regenerating

>>> Active Directory Connections (which I did as a test). I have also

>>> tried changing both servers so that they are using the same DNS

>>> server (all combinations) to no avail.

>>>

>>> I ran the FRSDiag utility, from both my workstation and on the

>>> servers. All of them report an RPC error trying to connect to both

>>> servers. On the server I was logged in as the Administrator, so

>>> permissions shouldn't have been a problem. I have the logs from the

>>> FRSDiag utility if that will help anyone!

>>>

>>> When I run "ntfrsutl version" on both servers, I get:

>>>

>>> NtFrsApi Version Information

>>> NtFrsApi Major      : 0

>>> NtFrsApi Minor      : 0

>>> NtFrsApi Compiled on: Feb 16 2007 20:01:19

>>> ERROR - Cannot bind w/authentication to computer, (null)

>>> ERROR - Cannot bind w/o authentication to computer, (nul ERROR -

>>> Cannot RPC to computer, (null); 000006d9 (1753)

>>> ****

>>>

>>> (null) is replaced by the FQDN of both servers when I enter that

>>> information in the command line as well.

>>>

>>> I have followed all of the kb articles and usergroup threads that I

>>> can find, with no luck. Hopefully there's something that I've missed

>>> that someone can point me to.

>>>

>>> Other events that may help (or could confuse the matter further), is

>>> that when users change their passwords, the Windows 2000 ISA Server

>>> prompts them for their password, even when they log off (or even

>>> restart their computers completely) and log back on with the new

>>> password. Even once that is sorted out, which can involve

>>> re-creating their profile or resetting the password again on one of

>>> the DCs, failed logon attempts are regularly recorded in the

>>> security log on both DCs.  Profiles have also become completely

>>> corrupted after a password change on a couple of occasions.

>>>

>>> I look forward to any suggestion. Thanks in advance.

>>>

 



 

From: Technical <Technical@discussions.microsoft.com>

To: none

Subject: Re: Windows 2003 NtFrs Event 13508 sysvol\domain

Date: 09/26/2007 04:44:02

check this article

http://technet.microsoft.com/en-us/library/Bb727056.aspx#EMAA

 

"Meinolf Weber" wrote:

 

> Hello Thylo,

>

> Have a look here:

> http://www.eventid.net/display.asp?eventid=13508&eventno=349&source=ntfrs&phase=1

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> no rights.

>

> > Hi Meinolf,

> >

> > Below are the ipconfig /all results from domain controller, they are

> > the only DNS servers on the network as well:

> >

> > Windows IP Configuration

> >

> > Host Name . . . . . . . . . . . . : domaindc1

> > Primary Dns Suffix  . . . . . . . : domain.org.au

> > Node Type . . . . . . . . . . . . : Hybrid

> > IP Routing Enabled. . . . . . . . : No

> > WINS Proxy Enabled. . . . . . . . : No

> > DNS Suffix Search List. . . . . . : domain.org.au

> > org.au

> > Ethernet adapter Intel Pro 1000 CT Gigabit Ethernet Adapter - Onboard:

> >

> > Connection-specific DNS Suffix  . : domain.org.au

> > Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network

> > Connection

> > Physical Address. . . . . . . . . : 00-C0-9F-4B-9E-5D

> > DHCP Enabled. . . . . . . . . . . : No

> > IP Address. . . . . . . . . . . . : 172.30.14.7

> > Subnet Mask . . . . . . . . . . . : 255.255.255.0

> > Default Gateway . . . . . . . . . : 172.30.14.1

> > DNS Servers . . . . . . . . . . . : 172.30.14.2

> > 172.30.14.7

> > Primary WINS Server . . . . . . . : 172.30.14.7

> > Secondary WINS Server . . . . . . : 172.30.14.2

> > Windows IP Configuration

> >

> > Host Name . . . . . . . . . . . . : domaindc2

> > Primary Dns Suffix  . . . . . . . : domain.org.au

> > Node Type . . . . . . . . . . . . : Hybrid

> > IP Routing Enabled. . . . . . . . : No

> > WINS Proxy Enabled. . . . . . . . : No

> > DNS Suffix Search List. . . . . . : domain.org.au

> > org.au

> > Ethernet adapter Local Area Connection:

> >

> > Connection-specific DNS Suffix  . : domain.org.au

> > Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network

> > Connection

> > Physical Address. . . . . . . . . : 00-11-43-CE-40-E6

> > DHCP Enabled. . . . . . . . . . . : No

> > IP Address. . . . . . . . . . . . : 172.30.14.2

> > Subnet Mask . . . . . . . . . . . : 255.255.255.0

> > Default Gateway . . . . . . . . . : 172.30.14.1

> > DNS Servers . . . . . . . . . . . : 172.30.14.2

> > 172.30.14.7

> > Primary WINS Server . . . . . . . : 172.30.14.2

> > Secondary WINS Server . . . . . . : 172.30.14.7

> > ***

> >

> > Cheers,

> >

> > "Meinolf Weber" wrote:

> >

> >> Hello Thylo,

> >>

> >> Please post an ipconfig /all from both DC/DNS server.

> >>

> >> Best regards

> >>

> >> Meinolf Weber

> >> Disclaimer: This posting is provided "AS IS" with no warranties, and

> >> confers

> >> no rights.

> >>> Hi,

> >>>

> >>> We have a Windows 2003 domain, with two domain controllers. Both

> >>> domain controllers are running Windows 2003 SP2, fully patched. The

> >>> same warning appears in the File Replication Service Log on both

> >>> servers, with the server names reversed on the other server (I have

> >>> changed the names of the servers and domain here).

> >>>

> >>> Event Type: Warning

> >>> Event Source: NtFrs

> >>> Event Category: None

> >>> Event ID: 13508

> >>> Date:  25/09/2007

> >>> Time:  3:00:03 PM

> >>> User:  N/A

> >>> Computer: DomainDC1

> >>> Description:

> >>> The File Replication Service is having trouble enabling replication

> >>> from

> >>> DomainDC2 to DomainDC1 for c:\windows\sysvol\domain using the DNS

> >>> name

> >>> domaindc2.domain.org.au. FRS will keep retrying.

> >>> Following are some of the reasons you would see this warning.

> >>> [1] FRS can not correctly resolve the DNS name

> >>> domaindc2.domain.org.au from

> >>> this computer.

> >>> [2] FRS is not running on domaindc2.domain.org.au.

> >>> [3] The topology information in the Active Directory for this

> >>> replica

> >>> has

> >>> not yet replicated to all the Domain Controllers.

> >>> This event log message will appear once per connection, After the

> >>> problem is fixed you will see another event log message indicating

> >>> that the connection has been established.

> >>> ****

> >>>

> >>> There are no 13509 events after these. I have been searching the

> >>> groups trying to find something that will help. Both servers are

> >>> able to ping each other using their FQDN, the FRS service is running

> >>> on both servers and replication appears to be working, as changes to

> >>> Sites and Services are replicated almost immediately when they are

> >>> made, including changing the site name and deleting and regenerating

> >>> Active Directory Connections (which I did as a test). I have also

> >>> tried changing both servers so that they are using the same DNS

> >>> server (all combinations) to no avail.

> >>>

> >>> I ran the FRSDiag utility, from both my workstation and on the

> >>> servers. All of them report an RPC error trying to connect to both

> >>> servers. On the server I was logged in as the Administrator, so

> >>> permissions shouldn't have been a problem. I have the logs from the

> >>> FRSDiag utility if that will help anyone!

> >>>

> >>> When I run "ntfrsutl version" on both servers, I get:

> >>>

> >>> NtFrsApi Version Information

> >>> NtFrsApi Major      : 0

> >>> NtFrsApi Minor      : 0

> >>> NtFrsApi Compiled on: Feb 16 2007 20:01:19

> >>> ERROR - Cannot bind w/authentication to computer, (null)

> >>> ERROR - Cannot bind w/o authentication to computer, (nul ERROR -

> >>> Cannot RPC to computer, (null); 000006d9 (1753)

> >>> ****

> >>>

> >>> (null) is replaced by the FQDN of both servers when I enter that

> >>> information in the command line as well.

> >>>

> >>> I have followed all of the kb articles and usergroup threads that I

> >>> can find, with no luck. Hopefully there's something that I've missed

> >>> that someone can point me to.

> >>>

> >>> Other events that may help (or could confuse the matter further), is

> >>> that when users change their passwords, the Windows 2000 ISA Server

> >>> prompts them for their password, even when they log off (or even

> >>> restart their computers completely) and log back on with the new

> >>> password. Even once that is sorted out, which can involve

> >>> re-creating their profile or resetting the password again on one of

> >>> the DCs, failed logon attempts are regularly recorded in the

> >>> security log on both DCs.  Profiles have also become completely

> >>> corrupted after a password change on a couple of occasions.

> >>>

> >>> I look forward to any suggestion. Thanks in advance.

> >>>

>

 



 

From: Thylo <Thylo@discussions.microsoft.com>

To: none

Subject: Re: Windows 2003 NtFrs Event 13508 sysvol\domain

Date: 09/26/2007 20:10:02

Hey Meinolf,

 

I'm sure I had gone through that page before, but I double checked all of

them anyway to make sure. The times are synchronised between all servers on

the network, there aren't any firewalls (apart from Windows 2003's own which is

configured as required) between the servers, there is plenty of disk space

(20GB+), none of the other errors come up that "should" for the other

solutions, it is a native Windows 2003 domain with only Windows 2003 server

and it was upgraded from a Windows 2000 domain before I started here.

 

It is a very frustrating issue!!

 

Cheers,

 

--

Leigh

MCSE (NT4, 2000)

"Meinolf Weber" wrote:

 

> Hello Thylo,

>

> Have a look here:

> http://www.eventid.net/display.asp?eventid=13508&eventno=349&source=ntfrs&phase=1

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> no rights.

>

> > Hi Meinolf,

> >

> > Below are the ipconfig /all results from domain controller, they are

> > the only DNS servers on the network as well:

> >

> > Windows IP Configuration

> >

> > Host Name . . . . . . . . . . . . : domaindc1

> > Primary Dns Suffix  . . . . . . . : domain.org.au

> > Node Type . . . . . . . . . . . . : Hybrid

> > IP Routing Enabled. . . . . . . . : No

> > WINS Proxy Enabled. . . . . . . . : No

> > DNS Suffix Search List. . . . . . : domain.org.au

> > org.au

> > Ethernet adapter Intel Pro 1000 CT Gigabit Ethernet Adapter - Onboard:

> >

> > Connection-specific DNS Suffix  . : domain.org.au

> > Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network

> > Connection

> > Physical Address. . . . . . . . . : 00-C0-9F-4B-9E-5D

> > DHCP Enabled. . . . . . . . . . . : No

> > IP Address. . . . . . . . . . . . : 172.30.14.7

> > Subnet Mask . . . . . . . . . . . : 255.255.255.0

> > Default Gateway . . . . . . . . . : 172.30.14.1

> > DNS Servers . . . . . . . . . . . : 172.30.14.2

> > 172.30.14.7

> > Primary WINS Server . . . . . . . : 172.30.14.7

> > Secondary WINS Server . . . . . . : 172.30.14.2

> > Windows IP Configuration

> >

> > Host Name . . . . . . . . . . . . : domaindc2

> > Primary Dns Suffix  . . . . . . . : domain.org.au

> > Node Type . . . . . . . . . . . . : Hybrid

> > IP Routing Enabled. . . . . . . . : No

> > WINS Proxy Enabled. . . . . . . . : No

> > DNS Suffix Search List. . . . . . : domain.org.au

> > org.au

> > Ethernet adapter Local Area Connection:

> >

> > Connection-specific DNS Suffix  . : domain.org.au

> > Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network

> > Connection

> > Physical Address. . . . . . . . . : 00-11-43-CE-40-E6

> > DHCP Enabled. . . . . . . . . . . : No

> > IP Address. . . . . . . . . . . . : 172.30.14.2

> > Subnet Mask . . . . . . . . . . . : 255.255.255.0

> > Default Gateway . . . . . . . . . : 172.30.14.1

> > DNS Servers . . . . . . . . . . . : 172.30.14.2

> > 172.30.14.7

> > Primary WINS Server . . . . . . . : 172.30.14.2

> > Secondary WINS Server . . . . . . : 172.30.14.7

> > ***

> >

> > Cheers,

> >

> > "Meinolf Weber" wrote:

> >

> >> Hello Thylo,

> >>

> >> Please post an ipconfig /all from both DC/DNS server.

> >>

> >> Best regards

> >>

> >> Meinolf Weber

> >> Disclaimer: This posting is provided "AS IS" with no warranties, and

> >> confers

> >> no rights.

> >>> Hi,

> >>>

> >>> We have a Windows 2003 domain, with two domain controllers. Both

> >>> domain controllers are running Windows 2003 SP2, fully patched. The

> >>> same warning appears in the File Replication Service Log on both

> >>> servers, with the server names reversed on the other server (I have

> >>> changed the names of the servers and domain here).

> >>>

> >>> Event Type: Warning

> >>> Event Source: NtFrs

> >>> Event Category: None

> >>> Event ID: 13508

> >>> Date:  25/09/2007

> >>> Time:  3:00:03 PM

> >>> User:  N/A

> >>> Computer: DomainDC1

> >>> Description:

> >>> The File Replication Service is having trouble enabling replication

> >>> from

> >>> DomainDC2 to DomainDC1 for c:\windows\sysvol\domain using the DNS

> >>> name

> >>> domaindc2.domain.org.au. FRS will keep retrying.

> >>> Following are some of the reasons you would see this warning.

> >>> [1] FRS can not correctly resolve the DNS name

> >>> domaindc2.domain.org.au from

> >>> this computer.

> >>> [2] FRS is not running on domaindc2.domain.org.au.

> >>> [3] The topology information in the Active Directory for this

> >>> replica

> >>> has

> >>> not yet replicated to all the Domain Controllers.

> >>> This event log message will appear once per connection, After the

> >>> problem is fixed you will see another event log message indicating

> >>> that the connection has been established.

> >>> ****

> >>>

> >>> There are no 13509 events after these. I have been searching the

> >>> groups trying to find something that will help. Both servers are

> >>> able to ping each other using their FQDN, the FRS service is running

> >>> on both servers and replication appears to be working, as changes to

> >>> Sites and Services are replicated almost immediately when they are

> >>> made, including changing the site name and deleting and regenerating

> >>> Active Directory Connections (which I did as a test). I have also

> >>> tried changing both servers so that they are using the same DNS

> >>> server (all combinations) to no avail.

> >>>

> >>> I ran the FRSDiag utility, from both my workstation and on the

> >>> servers. All of them report an RPC error trying to connect to both

> >>> servers. On the server I was logged in as the Administrator, so

> >>> permissions shouldn't have been a problem. I have the logs from the

> >>> FRSDiag utility if that will help anyone!

> >>>

> >>> When I run "ntfrsutl version" on both servers, I get:

> >>>

> >>> NtFrsApi Version Information

> >>> NtFrsApi Major      : 0

> >>> NtFrsApi Minor      : 0

> >>> NtFrsApi Compiled on: Feb 16 2007 20:01:19

> >>> ERROR - Cannot bind w/authentication to computer, (null)

> >>> ERROR - Cannot bind w/o authentication to computer, (nul ERROR -

> >>> Cannot RPC to computer, (null); 000006d9 (1753)

> >>> ****

> >>>

> >>> (null) is replaced by the FQDN of both servers when I enter that

> >>> information in the command line as well.

> >>>

> >>> I have followed all of the kb articles and usergroup threads that I

> >>> can find, with no luck. Hopefully there's something that I've missed

> >>> that someone can point me to.

> >>>

> >>> Other events that may help (or could confuse the matter further), is

> >>> that when users change their passwords, the Windows 2000 ISA Server

> >>> prompts them for their password, even when they log off (or even

> >>> restart their computers completely) and log back on with the new

> >>> password. Even once that is sorted out, which can involve

> >>> re-creating their profile or resetting the password again on one of

> >>> the DCs, failed logon attempts are regularly recorded in the

> >>> security log on both DCs.  Profiles have also become completely

> >>> corrupted after a password change on a couple of occasions.

> >>>

> >>> I look forward to any suggestion. Thanks in advance.

> >>>

>

 



 

From: Thylo <Thylo@discussions.microsoft.com>

To: none

Subject: Re: Windows 2003 NtFrs Event 13508 sysvol\domain

Date: 09/26/2007 20:18:00

Hi Technical,

 

I have seen and been through that article numerous times, however none of the

solutions or hints there make any difference. Active Directory replication

appears to be working fine, as when a new person is added or OU, it is

replicated to the other server. New user additions are often done on the

Exchange 2003 member server, but still replication appears to work just fine

wherever additions or alterations are made.

 

Each server can ping the other using their FQDN and there aren't any

hardware firewalls between the servers, only the Windows 2003 firewall, which

I have triple and quadruple checked is done correctly.

 

Cheers,

 

--

Leigh

MCSE (NT4, 2000)

"Technical" wrote:

 

> check this article

> http://technet.microsoft.com/en-us/library/Bb727056.aspx#EMAA

>

> "Meinolf Weber" wrote:

>

> > Hello Thylo,

> >

> > Have a look here:

> > http://www.eventid.net/display.asp?eventid=13508&eventno=349&source=ntfrs&phase=1

> >

> > Best regards

> >

> > Meinolf Weber

> > Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> > no rights.

> >

> > > Hi Meinolf,

> > >

> > > Below are the ipconfig /all results from domain controller, they are

> > > the only DNS servers on the network as well:

> > >

> > > Windows IP Configuration

> > >

> > > Host Name . . . . . . . . . . . . : domaindc1

> > > Primary Dns Suffix  . . . . . . . : domain.org.au

> > > Node Type . . . . . . . . . . . . : Hybrid

> > > IP Routing Enabled. . . . . . . . : No

> > > WINS Proxy Enabled. . . . . . . . : No

> > > DNS Suffix Search List. . . . . . : domain.org.au

> > > org.au

> > > Ethernet adapter Intel Pro 1000 CT Gigabit Ethernet Adapter - Onboard:

> > >

> > > Connection-specific DNS Suffix  . : domain.org.au

> > > Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network

> > > Connection

> > > Physical Address. . . . . . . . . : 00-C0-9F-4B-9E-5D

> > > DHCP Enabled. . . . . . . . . . . : No

> > > IP Address. . . . . . . . . . . . : 172.30.14.7

> > > Subnet Mask . . . . . . . . . . . : 255.255.255.0

> > > Default Gateway . . . . . . . . . : 172.30.14.1

> > > DNS Servers . . . . . . . . . . . : 172.30.14.2

> > > 172.30.14.7

> > > Primary WINS Server . . . . . . . : 172.30.14.7

> > > Secondary WINS Server . . . . . . : 172.30.14.2

> > > Windows IP Configuration

> > >

> > > Host Name . . . . . . . . . . . . : domaindc2

> > > Primary Dns Suffix  . . . . . . . : domain.org.au

> > > Node Type . . . . . . . . . . . . : Hybrid

> > > IP Routing Enabled. . . . . . . . : No

> > > WINS Proxy Enabled. . . . . . . . : No

> > > DNS Suffix Search List. . . . . . : domain.org.au

> > > org.au

> > > Ethernet adapter Local Area Connection:

> > >

> > > Connection-specific DNS Suffix  . : domain.org.au

> > > Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network

> > > Connection

> > > Physical Address. . . . . . . . . : 00-11-43-CE-40-E6

> > > DHCP Enabled. . . . . . . . . . . : No

> > > IP Address. . . . . . . . . . . . : 172.30.14.2

> > > Subnet Mask . . . . . . . . . . . : 255.255.255.0

> > > Default Gateway . . . . . . . . . : 172.30.14.1

> > > DNS Servers . . . . . . . . . . . : 172.30.14.2

> > > 172.30.14.7

> > > Primary WINS Server . . . . . . . : 172.30.14.2

> > > Secondary WINS Server . . . . . . : 172.30.14.7

> > > ***

> > >

> > > Cheers,

> > >

> > > "Meinolf Weber" wrote:

> > >

> > >> Hello Thylo,

> > >>

> > >> Please post an ipconfig /all from both DC/DNS server.

> > >>

> > >> Best regards

> > >>

> > >> Meinolf Weber

> > >> Disclaimer: This posting is provided "AS IS" with no warranties, and

> > >> confers

> > >> no rights.

> > >>> Hi,

> > >>>

> > >>> We have a Windows 2003 domain, with two domain controllers. Both

> > >>> domain controllers are running Windows 2003 SP2, fully patched. The

> > >>> same warning appears in the File Replication Service Log on both

> > >>> servers, with the server names reversed on the other server (I have

> > >>> changed the names of the servers and domain here).

> > >>>

> > >>> Event Type: Warning

> > >>> Event Source: NtFrs

> > >>> Event Category: None

> > >>> Event ID: 13508

> > >>> Date:  25/09/2007

> > >>> Time:  3:00:03 PM

> > >>> User:  N/A

> > >>> Computer: DomainDC1

> > >>> Description:

> > >>> The File Replication Service is having trouble enabling replication

> > >>> from

> > >>> DomainDC2 to DomainDC1 for c:\windows\sysvol\domain using the DNS

> > >>> name

> > >>> domaindc2.domain.org.au. FRS will keep retrying.

> > >>> Following are some of the reasons you would see this warning.

> > >>> [1] FRS can not correctly resolve the DNS name

> > >>> domaindc2.domain.org.au from

> > >>> this computer.

> > >>> [2] FRS is not running on domaindc2.domain.org.au.

> > >>> [3] The topology information in the Active Directory for this

> > >>> replica

> > >>> has

> > >>> not yet replicated to all the Domain Controllers.

> > >>> This event log message will appear once per connection, After the

> > >>> problem is fixed you will see another event log message indicating

> > >>> that the connection has been established.

> > >>> ****

> > >>>

> > >>> There are no 13509 events after these. I have been searching the

> > >>> groups trying to find something that will help. Both servers are

> > >>> able to ping each other using their FQDN, the FRS service is running

> > >>> on both servers and replication appears to be working, as changes to

> > >>> Sites and Services are replicated almost immediately when they are

> > >>> made, including changing the site name and deleting and regenerating

> > >>> Active Directory Connections (which I did as a test). I have also

> > >>> tried changing both servers so that they are using the same DNS

> > >>> server (all combinations) to no avail.

> > >>>

> > >>> I ran the FRSDiag utility, from both my workstation and on the

> > >>> servers. All of them report an RPC error trying to connect to both

> > >>> servers. On the server I was logged in as the Administrator, so

> > >>> permissions shouldn't have been a problem. I have the logs from the

> > >>> FRSDiag utility if that will help anyone!

> > >>>

> > >>> When I run "ntfrsutl version" on both servers, I get:

> > >>>

> > >>> NtFrsApi Version Information

> > >>> NtFrsApi Major      : 0

> > >>> NtFrsApi Minor      : 0

> > >>> NtFrsApi Compiled on: Feb 16 2007 20:01:19

> > >>> ERROR - Cannot bind w/authentication to computer, (null)

> > >>> ERROR - Cannot bind w/o authentication to computer, (nul ERROR -

> > >>> Cannot RPC to computer, (null); 000006d9 (1753)

> > >>> ****

> > >>>

> > >>> (null) is replaced by the FQDN of both servers when I enter that

> > >>> information in the command line as well.

> > >>>

> > >>> I have followed all of the kb articles and usergroup threads that I

> > >>> can find, with no luck. Hopefully there's something that I've missed

> > >>> that someone can point me to.

> > >>>

> > >>> Other events that may help (or could confuse the matter further), is

> > >>> that when users change their passwords, the Windows 2000 ISA Server

> > >>> prompts them for their password, even when they log off (or even

> > >>> restart their computers completely) and log back on with the new

> > >>> password. Even once that is sorted out, which can involve

> > >>> re-creating their profile or resetting the password again on one of

> > >>> the DCs, failed logon attempts are regularly recorded in the

> > >>> security log on both DCs.  Profiles have also become completely

> > >>> corrupted after a password change on a couple of occasions.

> > >>>

> > >>> I look forward to any suggestion. Thanks in advance.

> > >>>

> >

> >

> >

 



 

From: Meinolf Weber <meiweb(nospam)@gmx.de>

To: none

Subject: Re: Windows 2003 NtFrs Event 13508 sysvol\domain

Date: 09/27/2007 02:30:11

Hello Thylo,

 

Did you also check for errors with dcdiag and netdiag?

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

 

> Hey Meinolf,

>

> I'm sure I had gone through that page before, but I double checked all

> of them anyway to make sure. The times are synchronised between all

> servers on the network, there aren't any firewalls (apart from Windows

> 2003's own which is configured as required) between the servers, there

> is plenty of disk space (20GB+), none of the other errors come up that

> "should" for the other solutions, it is a native Windows 2003 domain

> with only Windows 2003 server and it was upgraded from a Windows 2000

> domain before I started here.

>

> It is a very frustrating issue!!

>

> Cheers,

>

> "Meinolf Weber" wrote:

>

>> Hello Thylo,

>>

>> Have a look here:

>> http://www.eventid.net/display.asp?eventid=13508&eventno=349&source=ntfrs&phase=1

>> Best regards

>>

>> Meinolf Weber

>> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> confers

>> no rights.

>>> Hi Meinolf,

>>>

>>> Below are the ipconfig /all results from domain controller, they are

>>> the only DNS servers on the network as well:

>>>

>>> Windows IP Configuration

>>>

>>> Host Name . . . . . . . . . . . . : domaindc1

>>> Primary Dns Suffix  . . . . . . . : domain.org.au

>>> Node Type . . . . . . . . . . . . : Hybrid

>>> IP Routing Enabled. . . . . . . . : No

>>> WINS Proxy Enabled. . . . . . . . : No

>>> DNS Suffix Search List. . . . . . : domain.org.au

>>> org.au

>>> Ethernet adapter Intel Pro 1000 CT Gigabit Ethernet Adapter -

>>> Onboard:

>>> Connection-specific DNS Suffix  . : domain.org.au

>>> Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network

>>> Connection

>>> Physical Address. . . . . . . . . : 00-C0-9F-4B-9E-5D

>>> DHCP Enabled. . . . . . . . . . . : No

>>> IP Address. . . . . . . . . . . . : 172.30.14.7

>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0

>>> Default Gateway . . . . . . . . . : 172.30.14.1

>>> DNS Servers . . . . . . . . . . . : 172.30.14.2

>>> 172.30.14.7

>>> Primary WINS Server . . . . . . . : 172.30.14.7

>>> Secondary WINS Server . . . . . . : 172.30.14.2

>>> Windows IP Configuration

>>> Host Name . . . . . . . . . . . . : domaindc2

>>> Primary Dns Suffix  . . . . . . . : domain.org.au

>>> Node Type . . . . . . . . . . . . : Hybrid

>>> IP Routing Enabled. . . . . . . . : No

>>> WINS Proxy Enabled. . . . . . . . : No

>>> DNS Suffix Search List. . . . . . : domain.org.au

>>> org.au

>>> Ethernet adapter Local Area Connection:

>>> Connection-specific DNS Suffix  . : domain.org.au

>>> Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network

>>> Connection

>>> Physical Address. . . . . . . . . : 00-11-43-CE-40-E6

>>> DHCP Enabled. . . . . . . . . . . : No

>>> IP Address. . . . . . . . . . . . : 172.30.14.2

>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0

>>> Default Gateway . . . . . . . . . : 172.30.14.1

>>> DNS Servers . . . . . . . . . . . : 172.30.14.2

>>> 172.30.14.7

>>> Primary WINS Server . . . . . . . : 172.30.14.2

>>> Secondary WINS Server . . . . . . : 172.30.14.7

>>> ***

>>> Cheers,

>>>

>>> "Meinolf Weber" wrote:

>>>

>>>> Hello Thylo,

>>>>

>>>> Please post an ipconfig /all from both DC/DNS server.

>>>>

>>>> Best regards

>>>>

>>>> Meinolf Weber

>>>> Disclaimer: This posting is provided "AS IS" with no warranties,

>>>> and

>>>> confers

>>>> no rights.

>>>>> Hi,

>>>>>

>>>>> We have a Windows 2003 domain, with two domain controllers. Both

>>>>> domain controllers are running Windows 2003 SP2, fully patched.

>>>>> The same warning appears in the File Replication Service Log on

>>>>> both servers, with the server names reversed on the other server

>>>>> (I have changed the names of the servers and domain here).

>>>>>

>>>>> Event Type: Warning

>>>>> Event Source: NtFrs

>>>>> Event Category: None

>>>>> Event ID: 13508

>>>>> Date:  25/09/2007

>>>>> Time:  3:00:03 PM

>>>>> User:  N/A

>>>>> Computer: DomainDC1

>>>>> Description:

>>>>> The File Replication Service is having trouble enabling

>>>>> replication

>>>>> from

>>>>> DomainDC2 to DomainDC1 for c:\windows\sysvol\domain using the DNS

>>>>> name

>>>>> domaindc2.domain.org.au. FRS will keep retrying.

>>>>> Following are some of the reasons you would see this warning.

>>>>> [1] FRS can not correctly resolve the DNS name

>>>>> domaindc2.domain.org.au from

>>>>> this computer.

>>>>> [2] FRS is not running on domaindc2.domain.org.au.

>>>>> [3] The topology information in the Active Directory for this

>>>>> replica

>>>>> has

>>>>> not yet replicated to all the Domain Controllers.

>>>>> This event log message will appear once per connection, After the

>>>>> problem is fixed you will see another event log message indicating

>>>>> that the connection has been established.

>>>>> ****

>>>>> There are no 13509 events after these. I have been searching the

>>>>> groups trying to find something that will help. Both servers are

>>>>> able to ping each other using their FQDN, the FRS service is

>>>>> running on both servers and replication appears to be working, as

>>>>> changes to Sites and Services are replicated almost immediately

>>>>> when they are made, including changing the site name and deleting

>>>>> and regenerating Active Directory Connections (which I did as a

>>>>> test). I have also tried changing both servers so that they are

>>>>> using the same DNS server (all combinations) to no avail.

>>>>>

>>>>> I ran the FRSDiag utility, from both my workstation and on the

>>>>> servers. All of them report an RPC error trying to connect to both

>>>>> servers. On the server I was logged in as the Administrator, so

>>>>> permissions shouldn't have been a problem. I have the logs from

>>>>> the FRSDiag utility if that will help anyone!

>>>>>

>>>>> When I run "ntfrsutl version" on both servers, I get:

>>>>>

>>>>> NtFrsApi Version Information

>>>>> NtFrsApi Major      : 0

>>>>> NtFrsApi Minor      : 0

>>>>> NtFrsApi Compiled on: Feb 16 2007 20:01:19

>>>>> ERROR - Cannot bind w/authentication to computer, (null)

>>>>> ERROR - Cannot bind w/o authentication to computer, (nul ERROR -

>>>>> Cannot RPC to computer, (null); 000006d9 (1753)

>>>>> ****

>>>>> (null) is replaced by the FQDN of both servers when I enter that

>>>>> information in the command line as well.

>>>>>

>>>>> I have followed all of the kb articles and usergroup threads that

>>>>> I can find, with no luck. Hopefully there's something that I've

>>>>> missed that someone can point me to.

>>>>>

>>>>> Other events that may help (or could confuse the matter further),

>>>>> is that when users change their passwords, the Windows 2000 ISA

>>>>> Server prompts them for their password, even when they log off (or

>>>>> even restart their computers completely) and log back on with the

>>>>> new password. Even once that is sorted out, which can involve

>>>>> re-creating their profile or resetting the password again on one

>>>>> of the DCs, failed logon attempts are regularly recorded in the

>>>>> security log on both DCs.  Profiles have also become completely

>>>>> corrupted after a password change on a couple of occasions.

>>>>>

>>>>> I look forward to any suggestion. Thanks in advance.

>>>>>

 



 

From: Thylo <Thylo@discussions.microsoft.com>

To: none

Subject: Re: Windows 2003 NtFrs Event 13508 sysvol\domain

Date: 09/27/2007 19:16:00

Hi Meinolf,

 

Both the dcdiag and netdiag results are clean. I have pasted them below

just in case I have gone too cross-eyed looking at everything to notice

something obvious; a fresh set of eyes can do wonders!! The only "failures"

that I can see are the frsevent, which is what I'm trying to solve, and the

modem diagnostics, understandable as there is no modem. ICMP is disabled on

our gateway, the servers are on the same segment/subnet anyway.

 

Domain Controller Diagnosis

 

Performing initial setup:

   Done gathering initial info.

 

Doing initial required tests

 

   Testing server: Flemington\domainDC1

      Starting test: Connectivity

         ......................... domainDC1 passed test Connectivity

 

Doing primary tests

 

   Testing server: Flemington\domainDC1

      Starting test: Replications

         ......................... domainDC1 passed test Replications

      Starting test: NCSecDesc

         ......................... domainDC1 passed test NCSecDesc

      Starting test: NetLogons

         ......................... domainDC1 passed test NetLogons

      Starting test: Advertising

         ......................... domainDC1 passed test Advertising

      Starting test: KnowsOfRoleHolders

         ......................... domainDC1 passed test KnowsOfRoleHolders

      Starting test: RidManager

         ......................... domainDC1 passed test RidManager

      Starting test: MachineAccount

         ......................... domainDC1 passed test MachineAccount

      Starting test: Services

         ......................... domainDC1 passed test Services

      Starting test: ObjectsReplicated

         ......................... domainDC1 passed test ObjectsReplicated

      Starting test: frssysvol

         ......................... domainDC1 passed test frssysvol

      Starting test: frsevent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may

cause

         Group Policy problems.

         ......................... domainDC1 failed test frsevent

      Starting test: kccevent

         ......................... domainDC1 passed test kccevent

      Starting test: systemlog

         ......................... domainDC1 passed test systemlog

      Starting test: VerifyReferences

         ......................... domainDC1 passed test VerifyReferences

 

   Running partition tests on : ForestDnsZones

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

CrossRefValidation

 

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

 

   Running partition tests on : DomainDnsZones

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

CrossRefValidation

 

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

 

   Running partition tests on : Schema

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

 

   Running partition tests on : Configuration

      Starting test: CrossRefValidation

         ......................... Configuration passed test

CrossRefValidation

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

 

   Running partition tests on : domain

      Starting test: CrossRefValidation

         ......................... domain passed test CrossRefValidation

      Starting test: CheckSDRefDom

         ......................... domain passed test CheckSDRefDom

 

   Running enterprise tests on : domain.org.au

      Starting test: Intersite

         ......................... domain.org.au passed test Intersite

      Starting test: FsmoCheck

         ......................... domain.org.au passed test FsmoCheck

 

****

 

Domain Controller Diagnosis

 

Performing initial setup:

   Done gathering initial info.

 

Doing initial required tests

 

   Testing server: Flemington\domainDC2

      Starting test: Connectivity

         ......................... domainDC2 passed test Connectivity

 

Doing primary tests

 

   Testing server: Flemington\domainDC2

      Starting test: Replications

         ......................... domainDC2 passed test Replications

      Starting test: NCSecDesc

         ......................... domainDC2 passed test NCSecDesc

      Starting test: NetLogons

         ......................... domainDC2 passed test NetLogons

      Starting test: Advertising

         ......................... domainDC2 passed test Advertising

      Starting test: KnowsOfRoleHolders

         ......................... domainDC2 passed test KnowsOfRoleHolders

      Starting test: RidManager

         ......................... domainDC2 passed test RidManager

      Starting test: MachineAccount

         ......................... domainDC2 passed test MachineAccount

      Starting test: Services

         ......................... domainDC2 passed test Services

      Starting test: ObjectsReplicated

         ......................... domainDC2 passed test ObjectsReplicated

      Starting test: frssysvol

         ......................... domainDC2 passed test frssysvol

      Starting test: frsevent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may

cause

         Group Policy problems.

         ......................... domainDC2 failed test frsevent

      Starting test: kccevent

         ......................... domainDC2 passed test kccevent

      Starting test: systemlog

         An Error Event occured.  EventID: 0xC0002716

            Time Generated: 09/28/2007   09:05:21

            (Event String could not be retrieved)

         ......................... domainDC2 failed test systemlog

      Starting test: VerifyReferences

         ......................... domainDC2 passed test VerifyReferences

 

   Running partition tests on : ForestDnsZones

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

CrossRefValidation

 

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

 

   Running partition tests on : DomainDnsZones

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

CrossRefValidation

 

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

 

   Running partition tests on : Schema

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

 

   Running partition tests on : Configuration

      Starting test: CrossRefValidation

         ......................... Configuration passed test

CrossRefValidation

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

 

   Running partition tests on : domain

      Starting test: CrossRefValidation

         ......................... domain passed test CrossRefValidation

      Starting test: CheckSDRefDom

         ......................... domain passed test CheckSDRefDom

 

   Running enterprise tests on : domain.org.au

      Starting test: Intersite

         ......................... domain.org.au passed test Intersite

      Starting test: FsmoCheck

         ......................... domain.org.au passed test FsmoCheck

 

****

    Computer Name: domainDC1

    DNS Host Name: domaindc1.domain.org.au

    System info : Windows 2000 Server (Build 3790)

    Processor : x86 Family 15 Model 3 Stepping 4, GenuineIntel

    List of installed hotfixes :

        KB909520

        KB911564

        KB921503

        KB925398_WMP64

        KB925876

        KB925902

        KB926122

        KB927891

        KB929123

        KB930178

        KB931768

        KB931784

        KB931836

        KB932168

        KB933360

        KB933566

        KB933854

        KB935839

        KB935840

        KB935966

        KB936021

        KB936357

        KB936782

        KB937143

        KB937143-IE7

        KB938127

        KB938127-IE7

        Q147222

Netcard queries test . . . . . . . : Passed

 

Per interface results:

 

    Adapter : Intel Pro 1000 CT Gigabit Ethernet Adapter - Onboard

 

        Netcard queries test . . . : Passed

 

        Host Name. . . . . . . . . : domaindc1.domain.org.au

        IP Address . . . . . . . . : 172.30.14.7

        Subnet Mask. . . . . . . . : 255.255.255.0

        Default Gateway. . . . . . : 172.30.14.1

        Primary WINS Server. . . . : 172.30.14.7

        Secondary WINS Server. . . : 172.30.14.2

        Dns Servers. . . . . . . . : 172.30.14.2

                                     172.30.14.7

        AutoConfiguration results. . . . . . : Passed

 

        Default gateway test . . . : Failed

            No gateway reachable for this adapter.

 

        NetBT name test. . . . . . : Passed

        [WARNING] At least one of the <00> 'WorkStation Service', <03>

'Messenge

r Service', <20> 'WINS' names is missing.

            No remote names have been found.

 

        WINS service test. . . . . : Passed

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed

    List of NetBt transports currently configured:

        NetBT_Tcpip_{4F560CD5-3A18-429E-946D-0BF9FF8297DD}

    1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Failed

 

    [FATAL] NO GATEWAYS ARE REACHABLE.

    You have no connectivity to other network segments.

    If you configured the IP protocol manually then

    you need to add at least one valid gateway.

NetBT name test. . . . . . . . . . : Passed

    [WARNING] You don't have a single interface with the <00> 'WorkStation

Servi

ce', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed

    PASS - All the DNS entries for DC are registered on DNS server

'172.30.14.2'

and other DCs also have some of the names registered.

    PASS - All the DNS entries for DC are registered on DNS server

'172.30.14.7'

and other DCs also have some of the names registered.

Redir and Browser test . . . . . . : Passed

    List of NetBt transports currently bound to the Redir

        NetBT_Tcpip_{4F560CD5-3A18-429E-946D-0BF9FF8297DD}

    The redir is bound to 1 NetBt transport.

 

    List of NetBt transports currently bound to the browser

        NetBT_Tcpip_{4F560CD5-3A18-429E-946D-0BF9FF8297DD}

    The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Skipped

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped

    No active remote access connections.

Modem diagnostics test . . . . . . : Failed

    [FATAL] Cannot initialize TAPI. Failed with error(0x80000048).

 

IP Security test . . . . . . . . . : Skipped

 

    Note: run "netsh ipsec dynamic show /?" for more detailed information

The command completed successfully

 

******

    Computer Name: domainDC2

    DNS Host Name: domaindc2.domain.org.au

    System info : Windows 2000 Server (Build 3790)

    Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel

    List of installed hotfixes :

        KB911564

        KB921503

        KB925398_WMP64

        KB925876

        KB925902

        KB926122

        KB927891

        KB929123

        KB930178

        KB931768

        KB931784

        KB931836

        KB932168

        KB933360

        KB933566

        KB933854

        KB935839

        KB935840

        KB935966

        KB936021

        KB936357

        KB936782

        KB937143

        KB937143-IE7

        KB938127

        KB938127-IE7

        Q147222

Netcard queries test . . . . . . . : Passed

 

Per interface results:

 

    Adapter : Local Area Connection

 

        Netcard queries test . . . : Passed

 

        Host Name. . . . . . . . . : domaindc2.domain.org.au

        IP Address . . . . . . . . : 172.30.14.2

        Subnet Mask. . . . . . . . : 255.255.255.0

        Default Gateway. . . . . . : 172.30.14.1

        Primary WINS Server. . . . : 172.30.14.2

        Secondary WINS Server. . . : 172.30.14.7

        Dns Servers. . . . . . . . : 172.30.14.2

                                     172.30.14.7

        AutoConfiguration results. . . . . . : Passed

 

        Default gateway test . . . : Failed

            No gateway reachable for this adapter.

 

        NetBT name test. . . . . . : Passed

        [WARNING] At least one of the <00> 'WorkStation Service', <03>

'Messenger Service', <20> 'WINS' names is missing.

 

        WINS service test. . . . . : Passed

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed

    List of NetBt transports currently configured:

        NetBT_Tcpip_{D8CF205A-978A-4B53-83B4-E5C818075579}

    1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Failed

 

    [FATAL] NO GATEWAYS ARE REACHABLE.

    You have no connectivity to other network segments.

    If you configured the IP protocol manually then

    you need to add at least one valid gateway.

NetBT name test. . . . . . . . . . : Passed

    [WARNING] You don't have a single interface with the <00> 'WorkStation

Service', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed

    PASS - All the DNS entries for DC are registered on DNS server

'172.30.14.2' and other DCs also have some of the names registered.

    PASS - All the DNS entries for DC are registered on DNS server

'172.30.14.7' and other DCs also have some of the names registered.

Redir and Browser test . . . . . . : Passed

    List of NetBt transports currently bound to the Redir

        NetBT_Tcpip_{D8CF205A-978A-4B53-83B4-E5C818075579}

    The redir is bound to 1 NetBt transport.

 

    List of NetBt transports currently bound to the browser

        NetBT_Tcpip_{D8CF205A-978A-4B53-83B4-E5C818075579}

    The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Passed

    Secure channel for domain 'domain' is to '\\domaindc1.domain.org.au'.

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped

    No active remote access connections.

Modem diagnostics test . . . . . . : Failed

    [FATAL] Cannot initialize TAPI. Failed with error(0x80000048).

 

IP Security test . . . . . . . . . : Skipped

 

    Note: run "netsh ipsec dynamic show /?" for more detailed information

The command completed successfully

 

*********

 

Cheers,

 

--

Leigh

MCSE (NT4, 2000)

"Meinolf Weber" wrote:

 

> Hello Thylo,

>

> Did you also check for errors with dcdiag and netdiag?

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> no rights.

>

> > Hey Meinolf,

> >

> > I'm sure I had gone through that page before, but I double checked all

> > of them anyway to make sure. The times are synchronised between all

> > servers on the network, there aren't any firewalls (apart from Windows

> > 2003's own which is configured as required) between the servers, there

> > is plenty of disk space (20GB+), none of the other errors come up that

> > "should" for the other solutions, it is a native Windows 2003 domain

> > with only Windows 2003 server and it was upgraded from a Windows 2000

> > domain before I started here.

> >

> > It is a very frustrating issue!!

> >

> > Cheers,

> >

> > "Meinolf Weber" wrote:

> >

> >> Hello Thylo,

> >>

> >> Have a look here:

> >> http://www.eventid.net/display.asp?eventid=13508&eventno=349&source=ntfrs&phase=1

> >> Best regards

> >>

> >> Meinolf Weber

> >> Disclaimer: This posting is provided "AS IS" with no warranties, and

> >> confers

> >> no rights.

> >>> Hi Meinolf,

> >>>

> >>> Below are the ipconfig /all results from domain controller, they are

> >>> the only DNS servers on the network as well:

> >>>

> >>> Windows IP Configuration

> >>>

> >>> Host Name . . . . . . . . . . . . : domaindc1

> >>> Primary Dns Suffix  . . . . . . . : domain.org.au

> >>> Node Type . . . . . . . . . . . . : Hybrid

> >>> IP Routing Enabled. . . . . . . . : No

> >>> WINS Proxy Enabled. . . . . . . . : No

> >>> DNS Suffix Search List. . . . . . : domain.org.au

> >>> org.au

> >>> Ethernet adapter Intel Pro 1000 CT Gigabit Ethernet Adapter -

> >>> Onboard:

> >>> Connection-specific DNS Suffix  . : domain.org.au

> >>> Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network

> >>> Connection

> >>> Physical Address. . . . . . . . . : 00-C0-9F-4B-9E-5D

> >>> DHCP Enabled. . . . . . . . . . . : No

> >>> IP Address. . . . . . . . . . . . : 172.30.14.7

> >>> Subnet Mask . . . . . . . . . . . : 255.255.255.0

> >>> Default Gateway . . . . . . . . . : 172.30.14.1

> >>> DNS Servers . . . . . . . . . . . : 172.30.14.2

> >>> 172.30.14.7

> >>> Primary WINS Server . . . . . . . : 172.30.14.7

> >>> Secondary WINS Server . . . . . . : 172.30.14.2

> >>> Windows IP Configuration

> >>> Host Name . . . . . . . . . . . . : domaindc2

> >>> Primary Dns Suffix  . . . . . . . : domain.org.au

> >>> Node Type . . . . . . . . . . . . : Hybrid

> >>> IP Routing Enabled. . . . . . . . : No

> >>> WINS Proxy Enabled. . . . . . . . : No

> >>> DNS Suffix Search List. . . . . . : domain.org.au

> >>> org.au

> >>> Ethernet adapter Local Area Connection:

> >>> Connection-specific DNS Suffix  . : domain.org.au

> >>> Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network

> >>> Connection

> >>> Physical Address. . . . . . . . . : 00-11-43-CE-40-E6

> >>> DHCP Enabled. . . . . . . . . . . : No

> >>> IP Address. . . . . . . . . . . . : 172.30.14.2

> >>> Subnet Mask . . . . . . . . . . . : 255.255.255.0

> >>> Default Gateway . . . . . . . . . : 172.30.14.1

> >>> DNS Servers . . . . . . . . . . . : 172.30.14.2

> >>> 172.30.14.7

> >>> Primary WINS Server . . . . . . . : 172.30.14.2

> >>> Secondary WINS Server . . . . . . : 172.30.14.7

> >>> ***

> >>> Cheers,

> >>>

> >>> "Meinolf Weber" wrote:

> >>>

> >>>> Hello Thylo,

> >>>>

> >>>> Please post an ipconfig /all from both DC/DNS server.

> >>>>

> >>>> Best regards

> >>>>

> >>>> Meinolf Weber

> >>>> Disclaimer: This posting is provided "AS IS" with no warranties,

> >>>> and

> >>>> confers

> >>>> no rights.

> >>>>> Hi,

> >>>>>

> >>>>> We have a Windows 2003 domain, with two domain controllers. Both

> >>>>> domain controllers are running Windows 2003 SP2, fully patched.

> >>>>> The same warning appears in the File Replication Service Log on

> >>>>> both servers, with the server names reversed on the other server

> >>>>> (I have changed the names of the servers and domain here).

> >>>>>

> >>>>> Event Type: Warning

> >>>>> Event Source: NtFrs

> >>>>> Event Category: None

> >>>>> Event ID: 13508

> >>>>> Date:  25/09/2007

> >>>>> Time:  3:00:03 PM

> >>>>> User:  N/A

> >>>>> Computer: DomainDC1

> >>>>> Description:

> >>>>> The File Replication Service is having trouble enabling

> >>>>> replication

> >>>>> from

> >>>>> DomainDC2 to DomainDC1 for c:\windows\sysvol\domain using the DNS

> >>>>> name

> >>>>> domaindc2.domain.org.au. FRS will keep retrying.

> >>>>> Following are some of the reasons you would see this warning.

> >>>>> [1] FRS can not correctly resolve the DNS name

> >>>>> domaindc2.domain.org.au from

> >>>>> this computer.

> >>>>> [2] FRS is not running on domaindc2.domain.org.au.

> >>>>> [3] The topology information in the Active Directory for this

> >>>>> replica

> >>>>> has

> >>>>> not yet replicated to all the Domain Controllers.

> >>>>> This event log message will appear once per connection, After the

> >>>>> problem is fixed you will see another event log message indicating

> >>>>> that the connection has been established.

> >>>>> ****

> >>>>> There are no 13509 events after these. I have been searching the

> >>>>> groups trying to find something that will help. Both servers are

> >>>>> able to ping each other using their FQDN, the FRS service is

> >>>>> running on both servers and replication appears to be working, as

> >>>>> changes to Sites and Services are replicated almost immediately

> >>>>> when they are made, including changing the site name and deleting

> >>>>> and regenerating Active Directory Connections (which I did as a

> >>>>> test). I have also tried changing both servers so that they are

> >>>>> using the same DNS server (all combinations) to no avail.

> >>>>>

> >>>>> I ran the FRSDiag utility, from both my workstation and on the

> >>>>> servers. All of them report an RPC error trying to connect to both

> >>>>> servers. On the server I was logged in as the Administrator, so

> >>>>> permissions shouldn't have been a problem. I have the logs from

> >>>>> the FRSDiag utility if that will help anyone!

> >>>>>

> >>>>> When I run "ntfrsutl version" on both servers, I get:

> >>>>>

> >>>>> NtFrsApi Version Information

> >>>>> NtFrsApi Major      : 0

> >>>>> NtFrsApi Minor      : 0

> >>>>> NtFrsApi Compiled on: Feb 16 2007 20:01:19

> >>>>> ERROR - Cannot bind w/authentication to computer, (null)

> >>>>> ERROR - Cannot bind w/o authentication to computer, (nul ERROR -

> >>>>> Cannot RPC to computer, (null); 000006d9 (1753)

> >>>>> ****

> >>>>> (null) is replaced by the FQDN of both servers when I enter that

> >>>>> information in the command line as well.

> >>>>>

> >>>>> I have followed all of the kb articles and usergroup threads that

> >>>>> I can find, with no luck. Hopefully there's something that I've

> >>>>> missed that someone can point me to.

> >>>>>

> >>>>> Other events that may help (or could confuse the matter further),

> >>>>> is that when users change their passwords, the Windows 2000 ISA

> >>>>> Server prompts them for their password, even when they log off (or

> >>>>> even restart their computers completely) and log back on with the

> >>>>> new password. Even once that is sorted out, which can involve

> >>>>> re-creating their profile or resetting the password again on one

> >>>>> of the DCs, failed logon attempts are regularly recorded in the

> >>>>> security log on both DCs.  Profiles have also become completely

> >>>>> corrupted after a password change on a couple of occasions.

> >>>>>

> >>>>> I look forward to any suggestion. Thanks in advance.

> >>>>>

>

 


From: Thylo <Thylo@discussions.microsoft.com>

To: none

Subject: Re: Windows 2003 NtFrs Event 13508 sysvol\domain

Date: 09/27/2007 20:31:01

Hi Meinolf,

 

I have found something that may shed some light on the situation, although

I'm not sure how to proceed given that most things seem ok. I re-ran dcdiag

with some extra options and the following differences showed up:

 

when run on domaindc2:

 

            DC: domaindc2.domain.org.au

            Domain: domain.org.au

 

                 

               TEST: Authentication (Auth)

                  Authentication test: Successfully completed

                 

               TEST: Basic (Basc)

                   Microsoft(R) Windows(R) Server 2003, Standard Edition

(Service Pack level: 2.0) is supported

                  NETLOGON service is running

                  kdc service is running

                  DNSCACHE service is running

                  DNS service is running

                  DC is a DNS server

                  Network adapters information:

                  Adapter [00000001] Intel(R) PRO/1000 CT Network Connection:

                     MAC address is 00:11:43:CE:40:E6

                     IP address is static

                     IP address: 172.30.14.2

                     DNS servers:

                        172.30.14.2 (<name unavailable>) [Valid]

                        172.30.14.7 (<name unavailable>) [Valid]

                  The A record for this DC was found

                  The SOA record for the Active Directory zone was found

                  The Active Directory zone on this DC/DNS server was found

(primary)

                  Root zone on this DC/DNS server was not found

 

****

 

when run on domaindc1:

 

            DC: domaindc2.domain.org.au

            Domain: domain.org.au

 

                 

               TEST: Authentication (Auth)

                  Authentication test: Successfully completed

                 

               TEST: Basic (Basc)

                   Microsoft(R) Windows(R) Server 2003, Standard Edition

(Service Pack level: 2.0) is supported

                  NETLOGON service is running

                  kdc service is running

                  DNSCACHE service is running

                  DNS service is running

                  DC is a DNS server

                  Network adapters information:

                  Adapter [00000001] Intel(R) PRO/1000 CT Network Connection:

                     MAC address is 00:11:43:CE:40:E6

                     IP address is static

                     IP address: 172.30.14.2

                     DNS servers:

                        172.30.14.2 (<name unavailable>) [Valid]

                        172.30.14.7 (<name unavailable>) [Valid]

                  The A record for this DC was found

                  The SOA record for the Active Directory zone was found

                  Warning: no DNS RPC connectivity (error or non Microsoft

DNS server is running)

                  [Error details: 1753 (Type: Win32 - Description: There are

no more endpoints available from the endpoint mapper.)]

 

****

 

I have seen it before while checking this problem now that I think of it,

however I couldn't find any useful information relating to it, other than

checking that the RPC services were set to start correctly, which they are,

so I forgot about it! Probably not a good move on my behalf!

 

Any thoughts on this one?!!

 

--

Leigh

MCSE (NT4, 2000)

"Meinolf Weber" wrote:

 

> Hello Thylo,

>

> Did you also check for errors with dcdiag and netdiag?

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> no rights.

>

> > Hey Meinolf,

> >

> > I'm sure I had gone through that page before, but I double checked all

> > of them anyway to make sure. The times are synchronised between all

> > servers on the network, there aren't any firewalls (apart from Windows

> > 2003 own which is configured as required) between the servers, there

> > is plenty of disk space (20GB+), none of the other errors come up that

> > "should" for the other solutions, it is a native Windows 2003 domain

> > with only Windows 2003 server and it was upgraded from a Windows 2000

> > domain before I started here.

> >

> > It is a very frustrating issue!!

> >

> > Cheers,

> >

> > "Meinolf Weber" wrote:

> >

> >> Hello Thylo,

> >>

> >> Have a look here:

> >> http://www.eventid.net/display.asp?eventid=13508&eventno=349&source=ntfrs&phase=1

> >> Best regards

> >>

> >> Meinolf Weber

> >> Disclaimer: This posting is provided "AS IS" with no warranties, and

> >> confers

> >> no rights.

> >>> Hi Meinolf,

> >>>

> >>> Below are the ipconfig /all results from domain controller, they are

> >>> the only DNS servers on the network as well:

> >>>

> >>> Windows IP Configuration

> >>>

> >>> Host Name . . . . . . . . . . . . : domaindc1

> >>> Primary Dns Suffix  . . . . . . . : domain.org.au

> >>> Node Type . . . . . . . . . . . . : Hybrid

> >>> IP Routing Enabled. . . . . . . . : No

> >>> WINS Proxy Enabled. . . . . . . . : No

> >>> DNS Suffix Search List. . . . . . : domain.org.au

> >>> org.au

> >>> Ethernet adapter Intel Pro 1000 CT Gigabit Ethernet Adapter -

> >>> Onboard:

> >>> Connection-specific DNS Suffix  . : domain.org.au

> >>> Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network

> >>> Connection

> >>> Physical Address. . . . . . . . . : 00-C0-9F-4B-9E-5D

> >>> DHCP Enabled. . . . . . . . . . . : No

> >>> IP Address. . . . . . . . . . . . : 172.30.14.7

> >>> Subnet Mask . . . . . . . . . . . : 255.255.255.0

> >>> Default Gateway . . . . . . . . . : 172.30.14.1

> >>> DNS Servers . . . . . . . . . . . : 172.30.14.2

> >>> 172.30.14.7

> >>> Primary WINS Server . . . . . . . : 172.30.14.7

> >>> Secondary WINS Server . . . . . . : 172.30.14.2

> >>> Windows IP Configuration

> >>> Host Name . . . . . . . . . . . . : domaindc2

> >>> Primary Dns Suffix  . . . . . . . : domain.org.au

> >>> Node Type . . . . . . . . . . . . : Hybrid

> >>> IP Routing Enabled. . . . . . . . : No

> >>> WINS Proxy Enabled. . . . . . . . : No

> >>> DNS Suffix Search List. . . . . . : domain.org.au

> >>> org.au

> >>> Ethernet adapter Local Area Connection:

> >>> Connection-specific DNS Suffix  . : domain.org.au

> >>> Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network

> >>> Connection

> >>> Physical Address. . . . . . . . . : 00-11-43-CE-40-E6

> >>> DHCP Enabled. . . . . . . . . . . : No

> >>> IP Address. . . . . . . . . . . . : 172.30.14.2

> >>> Subnet Mask . . . . . . . . . . . : 255.255.255.0

> >>> Default Gateway . . . . . . . . . : 172.30.14.1

> >>> DNS Servers . . . . . . . . . . . : 172.30.14.2

> >>> 172.30.14.7

> >>> Primary WINS Server . . . . . . . : 172.30.14.2

> >>> Secondary WINS Server . . . . . . : 172.30.14.7

> >>> ***

> >>> Cheers,

> >>>

> >>> "Meinolf Weber" wrote:

> >>>

> >>>> Hello Thylo,

> >>>>

> >>>> Please post an ipconfig /all from both DC/DNS server.

> >>>>

> >>>> Best regards

> >>>>

> >>>> Meinolf Weber

> >>>> Disclaimer: This posting is provided "AS IS" with no warranties,

> >>>> and

> >>>> confers

> >>>> no rights.

> >>>>> Hi,

> >>>>>

> >>>>> We have a Windows 2003 domain, with two domain controllers. Both

> >>>>> domain controllers are running Windows 2003 SP2, fully patched.

> >>>>> The same warning appears in the File Replication Service Log on

> >>>>> both servers, with the server names reversed on the other server

> >>>>> (I have changed the names of the servers and domain here).

> >>>>>

> >>>>> Event Type: Warning

> >>>>> Event Source: NtFrs

> >>>>> Event Category: None

> >>>>> Event ID: 13508

> >>>>> Date:  25/09/2007

> >>>>> Time:  3:00:03 PM

> >>>>> User:  N/A

> >>>>> Computer: DomainDC1

> >>>>> Description:

> >>>>> The File Replication Service is having trouble enabling

> >>>>> replication

> >>>>> from

> >>>>> DomainDC2 to DomainDC1 for c:\windows\sysvol\domain using the DNS

> >>>>> name

> >>>>> domaindc2.domain.org.au. FRS will keep retrying.

> >>>>> Following are some of the reasons you would see this warning.

> >>>>> [1] FRS can not correctly resolve the DNS name

> >>>>> domaindc2.domain.org.au from

> >>>>> this computer.

> >>>>> [2] FRS is not running on domaindc2.domain.org.au.

> >>>>> [3] The topology information in the Active Directory for this

> >>>>> replica

> >>>>> has

> >>>>> not yet replicated to all the Domain Controllers.

> >>>>> This event log message will appear once per connection, After the

> >>>>> problem is fixed you will see another event log message indicating

> >>>>> that the connection has been established.

> >>>>> ****

> >>>>> There are no 13509 events after these. I have been searching the

> >>>>> groups trying to find something that will help. Both servers are

> >>>>> able to ping each other using their FQDN, the FRS service is

> >>>>> running on both servers and replication appears to be working, as

> >>>>> changes to Sites and Services are replicated almost immediately

> >>>>> when they are made, including changing the site name and deleting

> >>>>> and regenerating Active Directory Connections (which I did as a

> >>>>> test). I have also tried changing both servers so that they are

> >>>>> using the same DNS server (all combinations) to no avail.

> >>>>>

> >>>>> I ran the FRSDiag utility, from both my workstation and on the

> >>>>> servers. All of them report an RPC error trying to connect to both

> >>>>> servers. On the server I was logged in as the Administrator, so

> >>>>> permissions shouldn't have been a problem. I have the logs from

> >>>>> the FRSDiag utility if that will help anyone!

> >>>>>

> >>>>> When I run "ntfrsutl version" on both servers, I get:

> >>>>>

> >>>>> NtFrsApi Version Information

> >>>>> NtFrsApi Major      : 0

> >>>>> NtFrsApi Minor      : 0

> >>>>> NtFrsApi Compiled on: Feb 16 2007 20:01:19

> >>>>> ERROR - Cannot bind w/authentication to computer, (null)

> >>>>> ERROR - Cannot bind w/o authentication to computer, (nul ERROR -

> >>>>> Cannot RPC to computer, (null); 000006d9 (1753)

> >>>>> ****

> >>>>> (null) is replaced by the FQDN of both servers when I enter that

> >>>>> information in the command line as well.

> >>>>>

> >>>>> I have followed all of the kb articles and usergroup threads that

> >>>>> I can find, with no luck. Hopefully there's something that I've

> >>>>> missed that someone can point me to.

> >>>>>

> >>>>> Other events that may help (or could confuse the matter further),

> >>>>> is that when users change their passwords, the Windows 2000 ISA

> >>>>> Server prompts them for their password, even when they log off (or

> >>>>> even restart their computers completely) and log back on with the

> >>>>> new password. Even once that is sorted out, which can involve

> >>>>> re-creating their profile or resetting the password again on one

> >>>>> of the DCs, failed logon attempts are regularly recorded in the

> >>>>> security log on both DCs.  Profiles have also become completely

> >>>>> corrupted after a password change on a couple of occasions.

> >>>>>

> >>>>> I look forward to any suggestion. Thanks in advance.

> >>>>>

>
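The comparison described in the 09/27/2007 post above (the same dcdiag test run from each DC, then checked for differences), as an added example that is not part of the original thread. The sample text is shortened from the output quoted in that post, and the function names are this example's own; it rejoins the lines the news client wrapped, diffs the two reports per test, and pulls out the Win32 code in both decimal and the hex form ntfrsutl prints.

```python
import re

# Shortened sample based on the two dcdiag runs quoted in the post above.
# The news client wrapped long lines; continuation lines start in column 0.
RUN_ON_DC2 = """\
            DC: domaindc2.domain.org.au
            Domain: domain.org.au

               TEST: Authentication (Auth)
                  Authentication test: Successfully completed

               TEST: Basic (Basc)
                  NETLOGON service is running
                  DNS service is running
                  The A record for this DC was found
                  The SOA record for the Active Directory zone was found
                  The Active Directory zone on this DC/DNS server was found
(primary)
                  Root zone on this DC/DNS server was not found
"""

RUN_ON_DC1 = """\
            DC: domaindc2.domain.org.au
            Domain: domain.org.au

               TEST: Authentication (Auth)
                  Authentication test: Successfully completed

               TEST: Basic (Basc)
                  NETLOGON service is running
                  DNS service is running
                  The A record for this DC was found
                  The SOA record for the Active Directory zone was found
                  Warning: no DNS RPC connectivity (error or non Microsoft
DNS server is running)
                  [Error details: 1753 (Type: Win32 - Description: There are
no more endpoints available from the endpoint mapper.)]
"""

TEST_HEADER = re.compile(r"^\s*TEST:\s*(.+?)\s*$")
ERROR_DETAILS = re.compile(
    r"\[Error details: (\d+) \(Type: (\w+) - Description: (.+?)\)\]")


def unwrap(text):
    """Rejoin wrapped lines: dcdiag indents every line of a test, so a
    non-blank line that starts in column 0 continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if lines and not raw[0].isspace():
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_report(text):
    """Return {test name: [lines]}; lines before the first TEST go under 'header'."""
    sections = {"header": []}
    current = "header"
    for line in unwrap(text):
        match = TEST_HEADER.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def diff_reports(first, second):
    """Per test, the lines that appear in only one of the two reports."""
    a, b = parse_report(first), parse_report(second)
    result = {}
    for name in list(a) + [n for n in b if n not in a]:
        lines_a, lines_b = a.get(name, []), b.get(name, [])
        only_a = [l for l in lines_a if l not in lines_b]
        only_b = [l for l in lines_b if l not in lines_a]
        if only_a or only_b:
            result[name] = {"only_first": only_a, "only_second": only_b}
    return result


def win32_errors(text):
    """Each '[Error details: ...]' entry as (decimal code, 8-digit hex code,
    error type, description)."""
    joined = "\n".join(unwrap(text))
    return [(int(code), f"{int(code):08x}", kind, desc)
            for code, kind, desc in ERROR_DETAILS.findall(joined)]


if __name__ == "__main__":
    for test, delta in diff_reports(RUN_ON_DC2, RUN_ON_DC1).items():
        print(test)
        for line in delta["only_first"]:
            print("  run on domaindc2 only:", line)
        for line in delta["only_second"]:
            print("  run on domaindc1 only:", line)
    print(win32_errors(RUN_ON_DC1))
```

The hex form of the extracted code, 000006d9, is the same value that "ntfrsutl version" printed in the first post of the thread, so both tools are reporting the same endpoint mapper error.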

 


From: Meinolf Weber <meiweb(nospam)@gmx.de>

To: none

Subject: Re: Windows 2003 NtFrs Event 13508 sysvol\domain

Date: 09/28/2007 01:39:45

Hello Thylo,

 

In the dcdiag the Default gateway test FAILED. No gateway reachable for this

adapter? Can you take out the ISA for testing?

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

 

> Hi Meinolf,

>

> Both the dcdiag and net diag results are clean, I have pasted them

> below just in case I have gone too cross-eyed looking at everything to

> not notice something obvious, a fresh set of eyes can do wonders!! The

> only "failures" that I can see are the frsevent, which is what I'm

> trying to solve and the modem diagnostics, understandable as there is

> no modem. ICMP is disabled on our gateway, the servers are on the same

> segment/subnet anyway.

>

> Domain Controller Diagnosis

>

> Performing initial setup:

> Done gathering initial info.

> Doing initial required tests

>

> Testing server: Flemington\domainDC1

> Starting test: Connectivity

> ......................... domainDC1 passed test Connectivity

> Doing primary tests

>

> Testing server: Flemington\domainDC1

> Starting test: Replications

> ......................... domainDC1 passed test Replications

> Starting test: NCSecDesc

> ......................... domainDC1 passed test NCSecDesc

> Starting test: NetLogons

> ......................... domainDC1 passed test NetLogons

> Starting test: Advertising

> ......................... domainDC1 passed test Advertising

> Starting test: KnowsOfRoleHolders

> ......................... domainDC1 passed test

> KnowsOfRoleHolders

> Starting test: RidManager

> ......................... domainDC1 passed test RidManager

> Starting test: MachineAccount

> ......................... domainDC1 passed test

> MachineAccount

> Starting test: Services

> ......................... domainDC1 passed test Services

> Starting test: ObjectsReplicated

> ......................... domainDC1 passed test

> ObjectsReplicated

> Starting test: frssysvol

> ......................... domainDC1 passed test frssysvol

> Starting test: frsevent

> There are warning or error events within the last 24 hours

> after the

> SYSVOL has been shared.  Failing SYSVOL replication problems

> may

> cause

> Group Policy problems.

> ......................... domainDC1 failed test frsevent

> Starting test: kccevent

> ......................... domainDC1 passed test kccevent

> Starting test: systemlog

> ......................... domainDC1 passed test systemlog

> Starting test: VerifyReferences

> ......................... domainDC1 passed test

> VerifyReferences

> Running partition tests on : ForestDnsZones

> Starting test: CrossRefValidation

> ......................... ForestDnsZones passed test

> CrossRefValidation

> Starting test: CheckSDRefDom

> ......................... ForestDnsZones passed test

> CheckSDRefDom

> Running partition tests on : DomainDnsZones

> Starting test: CrossRefValidation

> ......................... DomainDnsZones passed test

> CrossRefValidation

> Starting test: CheckSDRefDom

> ......................... DomainDnsZones passed test

> CheckSDRefDom

> Running partition tests on : Schema

> Starting test: CrossRefValidation

> ......................... Schema passed test

> CrossRefValidation

> Starting test: CheckSDRefDom

> ......................... Schema passed test CheckSDRefDom

> Running partition tests on : Configuration

> Starting test: CrossRefValidation

> ......................... Configuration passed test

> CrossRefValidation

> Starting test: CheckSDRefDom

> ......................... Configuration passed test

> CheckSDRefDom

> Running partition tests on : domain

> Starting test: CrossRefValidation

> ......................... domain passed test

> CrossRefValidation

> Starting test: CheckSDRefDom

> ......................... domain passed test CheckSDRefDom

> Running enterprise tests on : domain.org.au

> Starting test: Intersite

> ......................... domain.org.au passed test Intersite

> Starting test: FsmoCheck

> ......................... domain.org.au passed test FsmoCheck

> ****

>

> Domain Controller Diagnosis

>

> Performing initial setup:

> Done gathering initial info.

> Doing initial required tests

>

> Testing server: Flemington\domainDC2

> Starting test: Connectivity

> ......................... domainDC2 passed test Connectivity

> Doing primary tests

>

> Testing server: Flemington\domainDC2

> Starting test: Replications

> ......................... domainDC2 passed test Replications

> Starting test: NCSecDesc

> ......................... domainDC2 passed test NCSecDesc

> Starting test: NetLogons

> ......................... domainDC2 passed test NetLogons

> Starting test: Advertising

> ......................... domainDC2 passed test Advertising

> Starting test: KnowsOfRoleHolders

> ......................... domainDC2 passed test

> KnowsOfRoleHolders

> Starting test: RidManager

> ......................... domainDC2 passed test RidManager

> Starting test: MachineAccount

> ......................... domainDC2 passed test

> MachineAccount

> Starting test: Services

> ......................... domainDC2 passed test Services

> Starting test: ObjectsReplicated

> ......................... domainDC2 passed test

> ObjectsReplicated

> Starting test: frssysvol

> ......................... domainDC2 passed test frssysvol

> Starting test: frsevent

> There are warning or error events within the last 24 hours

> after the

> SYSVOL has been shared.  Failing SYSVOL replication problems

> may

> cause

> Group Policy problems.

> ......................... domainDC2 failed test frsevent

> Starting test: kccevent

> ......................... domainDC2 passed test kccevent

> Starting test: systemlog

> An Error Event occured.  EventID: 0xC0002716

> Time Generated: 09/28/2007   09:05:21

> (Event String could not be retrieved)

> ......................... domainDC2 failed test systemlog

> Starting test: VerifyReferences

> ......................... domainDC2 passed test

> VerifyReferences

> Running partition tests on : ForestDnsZones

> Starting test: CrossRefValidation

> ......................... ForestDnsZones passed test

> CrossRefValidation

> Starting test: CheckSDRefDom

> ......................... ForestDnsZones passed test

> CheckSDRefDom

> Running partition tests on : DomainDnsZones

> Starting test: CrossRefValidation

> ......................... DomainDnsZones passed test

> CrossRefValidation

> Starting test: CheckSDRefDom

> ......................... DomainDnsZones passed test

> CheckSDRefDom

> Running partition tests on : Schema

> Starting test: CrossRefValidation

> ......................... Schema passed test

> CrossRefValidation

> Starting test: CheckSDRefDom

> ......................... Schema passed test CheckSDRefDom

> Running partition tests on : Configuration

> Starting test: CrossRefValidation

> ......................... Configuration passed test

> CrossRefValidation

> Starting test: CheckSDRefDom

> ......................... Configuration passed test

> CheckSDRefDom

> Running partition tests on : domain

> Starting test: CrossRefValidation

> ......................... domain passed test

> CrossRefValidation

> Starting test: CheckSDRefDom

> ......................... domain passed test CheckSDRefDom

> Running enterprise tests on : domain.org.au

> Starting test: Intersite

> ......................... domain.org.au passed test Intersite

> Starting test: FsmoCheck

> ......................... domain.org.au passed test FsmoCheck

> ****

> Computer Name: domainDC1

> DNS Host Name: domaindc1.domain.org.au

> System info : Windows 2000 Server (Build 3790)

> Processor : x86 Family 15 Model 3 Stepping 4, GenuineIntel

> List of installed hotfixes :

> KB909520

> KB911564

> KB921503

> KB925398_WMP64

> KB925876

> KB925902

> KB926122

> KB927891

> KB929123

> KB930178

> KB931768

> KB931784

> KB931836

> KB932168

> KB933360

> KB933566

> KB933854

> KB935839

> KB935840

> KB935966

> KB936021

> KB936357

> KB936782

> KB937143

> KB937143-IE7

> KB938127

> KB938127-IE7

> Q147222

> Netcard queries test . . . . . . . : Passed

>

> Per interface results:

>

> Adapter : Intel Pro 1000 CT Gigabit Ethernet Adapter - Onboard

>

> Netcard queries test . . . : Passed

>

> Host Name. . . . . . . . . : domaindc1.domain.org.au

> IP Address . . . . . . . . : 172.30.14.7

> Subnet Mask. . . . . . . . : 255.255.255.0

> Default Gateway. . . . . . : 172.30.14.1

> Primary WINS Server. . . . : 172.30.14.7

> Secondary WINS Server. . . : 172.30.14.2

> Dns Servers. . . . . . . . : 172.30.14.2

> 172.30.14.7

> AutoConfiguration results. . . . . . : Passed

>

> Default gateway test . . . : Failed

> No gateway reachable for this adapter.

> NetBT name test. . . . . . : Passed

> [WARNING] At least one of the <00> 'WorkStation Service', <03>

> 'Messenge

> r Service', <20> 'WINS' names is missing.

> No remote names have been found.

> WINS service test. . . . . : Passed

>

> Global results:

>

> Domain membership test . . . . . . : Passed

>

> NetBT transports test. . . . . . . : Passed

> List of NetBt transports currently configured:

> NetBT_Tcpip_{4F560CD5-3A18-429E-946D-0BF9FF8297DD}

> 1 NetBt transport currently configured.

> Autonet address test . . . . . . . : Passed

>

> IP loopback ping test. . . . . . . : Passed

>

> Default gateway test . . . . . . . : Failed

>

> [FATAL] NO GATEWAYS ARE REACHABLE.

> You have no connectivity to other network segments.

> If you configured the IP protocol manually then

> you need to add at least one valid gateway.

> NetBT name test. . . . . . . . . . : Passed

> [WARNING] You don't have a single interface with the <00>

> 'WorkStation

> Servi

> ce', <03> 'Messenger Service', <20> 'WINS' names defined.

>

> Winsock test . . . . . . . . . . . : Passed

>

> DNS test . . . . . . . . . . . . . : Passed

> PASS - All the DNS entries for DC are registered on DNS server

> '172.30.14.2'

> and other DCs also have some of the names registered.

> PASS - All the DNS entries for DC are registered on DNS server

> '172.30.14.7'

> and other DCs also have some of the names registered.

> Redir and Browser test . . . . . . : Passed

> List of NetBt transports currently bound to the Redir

> NetBT_Tcpip_{4F560CD5-3A18-429E-946D-0BF9FF8297DD}

> The redir is bound to 1 NetBt transport.

> List of NetBt transports currently bound to the browser

> NetBT_Tcpip_{4F560CD5-3A18-429E-946D-0BF9FF8297DD}

> The browser is bound to 1 NetBt transport.

> DC discovery test. . . . . . . . . : Passed

>

> DC list test . . . . . . . . . . . : Passed

>

> Trust relationship test. . . . . . : Skipped

>

> Kerberos test. . . . . . . . . . . : Passed

>

> LDAP test. . . . . . . . . . . . . : Passed

>

> Bindings test. . . . . . . . . . . : Passed

>

> WAN configuration test . . . . . . : Skipped

> No active remote access connections.

> Modem diagnostics test . . . . . . : Failed

> [FATAL] Cannot initialize TAPI. Failed with error(0x80000048).

> IP Security test . . . . . . . . . : Skipped

>

> Note: run "netsh ipsec dynamic show /?" for more detailed

> information

>

> The command completed successfully

>

> ******

> Computer Name: domainDC2

> DNS Host Name: domaindc2.domain.org.au

> System info : Windows 2000 Server (Build 3790)

> Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel

> List of installed hotfixes :

> KB911564

> KB921503

> KB925398_WMP64

> KB925876

> KB925902

> KB926122

> KB927891

> KB929123

> KB930178

> KB931768

> KB931784

> KB931836

> KB932168

> KB933360

> KB933566

> KB933854

> KB935839

> KB935840

> KB935966

> KB936021

> KB936357

> KB936782

> KB937143

> KB937143-IE7

> KB938127

> KB938127-IE7

> Q147222

> Netcard queries test . . . . . . . : Passed

>

> Per interface results:

>

> Adapter : Local Area Connection

>

> Netcard queries test . . . : Passed

>

> Host Name. . . . . . . . . : domaindc2.domain.org.au

> IP Address . . . . . . . . : 172.30.14.2

> Subnet Mask. . . . . . . . : 255.255.255.0

> Default Gateway. . . . . . : 172.30.14.1

> Primary WINS Server. . . . : 172.30.14.2

> Secondary WINS Server. . . : 172.30.14.7

> Dns Servers. . . . . . . . : 172.30.14.2

> 172.30.14.7

> AutoConfiguration results. . . . . . : Passed

>

> Default gateway test . . . : Failed

> No gateway reachable for this adapter.

> NetBT name test. . . . . . : Passed

> [WARNING] At least one of the <00> 'WorkStation Service', <03>

> 'Messenger Service', <20> 'WINS' names is missing.

> WINS service test. . . . . : Passed

>

> Global results:

>

> Domain membership test . . . . . . : Passed

>

> NetBT transports test. . . . . . . : Passed

> List of NetBt transports currently configured:

> NetBT_Tcpip_{D8CF205A-978A-4B53-83B4-E5C818075579}

> 1 NetBt transport currently configured.

> Autonet address test . . . . . . . : Passed

>

> IP loopback ping test. . . . . . . : Passed

>

> Default gateway test . . . . . . . : Failed

>

> [FATAL] NO GATEWAYS ARE REACHABLE.

> You have no connectivity to other network segments.

> If you configured the IP protocol manually then

> you need to add at least one valid gateway.

> NetBT name test. . . . . . . . . . : Passed

> [WARNING] You don't have a single interface with the <00>

> 'WorkStation

> Service', <03> 'Messenger Service', <20> 'WINS' names defined.

> Winsock test . . . . . . . . . . . : Passed

>

> DNS test . . . . . . . . . . . . . : Passed

> PASS - All the DNS entries for DC are registered on DNS server

> '172.30.14.2' and other DCs also have some of the names registered.

> PASS - All the DNS entries for DC are registered on DNS server

> '172.30.14.7' and other DCs also have some of the names registered.

> Redir and Browser test . . . . . . : Passed

> List of NetBt transports currently bound to the Redir

> NetBT_Tcpip_{D8CF205A-978A-4B53-83B4-E5C818075579}

> The redir is bound to 1 NetBt transport.

> List of NetBt transports currently bound to the browser

> NetBT_Tcpip_{D8CF205A-978A-4B53-83B4-E5C818075579}

> The browser is bound to 1 NetBt transport.

> DC discovery test. . . . . . . . . : Passed

>

> DC list test . . . . . . . . . . . : Passed

>

> Trust relationship test. . . . . . : Passed

> Secure channel for domain 'domain' is to

> '\\domaindc1.domain.org.au'.

> Kerberos test. . . . . . . . . . . : Passed

>

> LDAP test. . . . . . . . . . . . . : Passed

>

> Bindings test. . . . . . . . . . . : Passed

>

> WAN configuration test . . . . . . : Skipped

> No active remote access connections.

> Modem diagnostics test . . . . . . : Failed

> [FATAL] Cannot initialize TAPI. Failed with error(0x80000048).

> IP Security test . . . . . . . . . : Skipped

>

> Note: run "netsh ipsec dynamic show /?" for more detailed

> information

>

> The command completed successfully

>

> *********

>

> Cheers,

>

> "Meinolf Weber" wrote:

>

>> Hello Thylo,

>>

>> Did you also check for errors with dcdiag and netdiag?

>>

>> Best regards

>>

>> Meinolf Weber

>> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> confers

>> no rights.

>>> Hey Meinolf,

>>>

>>> I'm sure I had gone through that page before, but I double checked

>>> all of them anyway to make sure. The times are synchronised between

>>> all servers on the network, there aren't any firewalls (apart from

>>> Windows 2003 own which is configured as required) between the

>>> servers, there is plenty of disk space (20GB+), none of the other

>>> errors come up that "should" for the other solutions, it is a native

>>> Windows 2003 domain with only Windows 2003 server and it was

>>> upgraded from a Windows 2000 domain before I started here.

>>>

>>> It is a very frustrating issue!!

>>>

>>> Cheers,

>>>

>>> "Meinolf Weber" wrote:

>>>

>>>> Hello Thylo,

>>>>

>>>> Have a look here:

>>>> http://www.eventid.net/display.asp?eventid=13508&eventno=349&source=ntfrs&phase=1

>>>> Best regards

>>>> Meinolf Weber

>>>> Disclaimer: This posting is provided "AS IS" with no warranties,

>>>> and

>>>> confers

>>>> no rights.

>>>>> Hi Meinolf,

>>>>>

>>>>> Below are the ipconfig /all results from domain controller, they

>>>>> are the only DNS servers on the network as well:

>>>>>

>>>>> Windows IP Configuration

>>>>>

>>>>> Host Name . . . . . . . . . . . . : domaindc1

>>>>> Primary Dns Suffix  . . . . . . . : domain.org.au

>>>>> Node Type . . . . . . . . . . . . : Hybrid

>>>>> IP Routing Enabled. . . . . . . . : No

>>>>> WINS Proxy Enabled. . . . . . . . : No

>>>>> DNS Suffix Search List. . . . . . : domain.org.au

>>>>> org.au

>>>>> Ethernet adapter Intel Pro 1000 CT Gigabit Ethernet Adapter -

>>>>> Onboard:

>>>>> Connection-specific DNS Suffix  . : domain.org.au

>>>>> Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network

>>>>> Connection

>>>>> Physical Address. . . . . . . . . : 00-C0-9F-4B-9E-5D

>>>>> DHCP Enabled. . . . . . . . . . . : No

>>>>> IP Address. . . . . . . . . . . . : 172.30.14.7

>>>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0

>>>>> Default Gateway . . . . . . . . . : 172.30.14.1

>>>>> DNS Servers . . . . . . . . . . . : 172.30.14.2

>>>>> 172.30.14.7

>>>>> Primary WINS Server . . . . . . . : 172.30.14.7

>>>>> Secondary WINS Server . . . . . . : 172.30.14.2

>>>>> Windows IP Configuration

>>>>> Host Name . . . . . . . . . . . . : domaindc2

>>>>> Primary Dns Suffix  . . . . . . . : domain.org.au

>>>>> Node Type . . . . . . . . . . . . : Hybrid

>>>>> IP Routing Enabled. . . . . . . . : No

>>>>> WINS Proxy Enabled. . . . . . . . : No

>>>>> DNS Suffix Search List. . . . . . : domain.org.au

>>>>> org.au

>>>>> Ethernet adapter Local Area Connection:

>>>>> Connection-specific DNS Suffix  . : domain.org.au

>>>>> Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network

>>>>> Connection

>>>>> Physical Address. . . . . . . . . : 00-11-43-CE-40-E6

>>>>> DHCP Enabled. . . . . . . . . . . : No

>>>>> IP Address. . . . . . . . . . . . : 172.30.14.2

>>>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0

>>>>> Default Gateway . . . . . . . . . : 172.30.14.1

>>>>> DNS Servers . . . . . . . . . . . : 172.30.14.2

>>>>> 172.30.14.7

>>>>> Primary WINS Server . . . . . . . : 172.30.14.2

>>>>> Secondary WINS Server . . . . . . : 172.30.14.7

>>>>> ***

>>>>> Cheers,

>>>>> "Meinolf Weber" wrote:

>>>>>

>>>>>> Hello Thylo,

>>>>>>

>>>>>> Please post an ipconfig /all from both DC/DNS server.

>>>>>>

>>>>>> Best regards

>>>>>>

>>>>>> Meinolf Weber

>>>>>> Disclaimer: This posting is provided "AS IS" with no warranties,

>>>>>> and

>>>>>> confers

>>>>>> no rights.

>>>>>>> Hi,

>>>>>>>

>>>>>>> We have a Windows 2003 domain, with two domain controllers. Both

>>>>>>> domain controllers are running Windows 2003 SP2, fully patched.

>>>>>>> The same warning appears in the File Replication Service Log on

>>>>>>> both servers, with the server names reversed on the other

>>>>>>> server (I have changed the names of the servers and domain

>>>>>>> here).

>>>>>>>

>>>>>>> Event Type: Warning

>>>>>>> Event Source: NtFrs

>>>>>>> Event Category: None

>>>>>>> Event ID: 13508

>>>>>>> Date:  25/09/2007

>>>>>>> Time:  3:00:03 PM

>>>>>>> User:  N/A

>>>>>>> Computer: DomainDC1

>>>>>>> Description:

>>>>>>> The File Replication Service is having trouble enabling

>>>>>>> replication

>>>>>>> from

>>>>>>> DomainDC2 to DomainDC1 for c:\windows\sysvol\domain using the

>>>>>>> DNS

>>>>>>> name

>>>>>>> domaindc2.domain.org.au. FRS will keep retrying.

>>>>>>> Following are some of the reasons you would see this warning.

>>>>>>> [1] FRS can not correctly resolve the DNS name

>>>>>>> domaindc2.domain.org.au from

>>>>>>> this computer.

>>>>>>> [2] FRS is not running on domaindc2.domain.org.au.

>>>>>>> [3] The topology information in the Active Directory for this

>>>>>>> replica

>>>>>>> has

>>>>>>> not yet replicated to all the Domain Controllers.

>>>>>>> This event log message will appear once per connection, After

>>>>>>> the

>>>>>>> problem is fixed you will see another event log message

>>>>>>> indicating

>>>>>>> that the connection has been established.

>>>>>>> ****

>>>>>>> There are no 13509 events after these. I have been searching the

>>>>>>> groups trying to find something that will help. Both servers are

>>>>>>> able to ping each other using their FQDN, the FRS service is

>>>>>>> running on both servers and replication appears to be working,

>>>>>>> as

>>>>>>> changes to Sites and Services are replicated almost immediately

>>>>>>> when they are made, including changing the site name and

>>>>>>> deleting

>>>>>>> and regenerating Active Directory Connections (which I did as a

>>>>>>> test). I have also tried changing both servers so that they are

>>>>>>> using the same DNS server (all combinations) to no avail.

>>>>>>> I ran the FRSDiag utility, from both my workstation and on the

>>>>>>> servers. All of them report an RPC error trying to connect to

>>>>>>> both servers. On the server I was logged in as the

>>>>>>> Administrator, so permissions shouldn't have been a problem. I

>>>>>>> have the logs from the FRSDiag utility if that will help anyone!

>>>>>>>

>>>>>>> When I run "ntfrsutl version" on both servers, I get:

>>>>>>>

>>>>>>> NtFrsApi Version Information

>>>>>>> NtFrsApi Major      : 0

>>>>>>> NtFrsApi Minor      : 0

>>>>>>> NtFrsApi Compiled on: Feb 16 2007 20:01:19

>>>>>>> ERROR - Cannot bind w/authentication to computer, (null)

>>>>>>> ERROR - Cannot bind w/o authentication to computer, (nul ERROR -

>>>>>>> Cannot RPC to computer, (null); 000006d9 (1753)

>>>>>>> ****

>>>>>>> (null) is replaced by the FQDN of both servers when I enter that

>>>>>>> information in the command line as well.

>>>>>>> I have followed all of the kb articles and usergroup threads

>>>>>>> that I can find, with no luck. Hopefully there's something that

>>>>>>> I've missed that someone can point me to.

>>>>>>>

>>>>>>> Other events that may help (or could confuse the matter

>>>>>>> further), is that when users change their passwords, the Windows

>>>>>>> 2000 ISA Server prompts them for their password, even when they

>>>>>>> log off (or even restart their computers completely) and log

>>>>>>> back on with the new password. Even once that is sorted out,

>>>>>>> which can involve re-creating their profile or resetting the

>>>>>>> password again on one of the DCs, failed logon attempts are

>>>>>>> regularly recorded in the security log on both DCs.  Profiles

>>>>>>> have also become completely corrupted after a password change on

>>>>>>> a couple of occasions.

>>>>>>>

>>>>>>> I look forward to any suggestion. Thanks in advance.

>>>>>>>

 



 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: Would You Advise Adding a Domain?

Date: 09/27/2007 14:47:08

Hello,

 

OU are often used to apply different policy based on OU membership.

They can also be used to represent the company organization.

If you set a lot of things through gpo, you may let them in a different OU,

to not "hurt" them directly. But it will be then harder to make them just

like others.

 

A domain seems not appropriate to me (too much for 15 users), and not

useful since you seem to be the only admin ;)

 

I vote for OU ;)

 

--

Cordialement,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

"razor" <razor@discussions.microsoft.com> wrote in message

news:FB9CBD32-5E6A-4485-B094-A6590FFD4666@microsoft.com...

> Hello--

>

> We have a small, single domain network of about 100 machines, including 12

> servers with about 50 users. We have three subnets, one in the host

> office,

> and one each for two remote locations connected via a WAN. All servers are

> running Windows Server 2003 and all workstations are running Windows XP

> Pro.

>

> We are just about to finalize negotiations where a partner of ours is

> going

> to have us manage them. They will stay a separate company at a separate

> physical location, but will need to access some, but not all, of our

> network

> resources via a dedicated Terminal Server.

>

> They only have about 15 users, and so I was not sure if there is any "best

> practice" suggestions on whether we should create another domain for them

> on

> our network or just another OU?

>

> Any suggestions would be appreciated.

 



 

From: razor <razor@discussions.microsoft.com>

To: none

Subject: Re: Would You Advise Adding a Domain?

Date: 09/27/2007 15:04:00

Yes, I agree--but it's always good to get a 2nd opinion ;-)

 

Thanks,

 

sd

 

"Mathieu CHATEAU" wrote:

 

> Hello,

>

> OU are often used to apply different policy based on OU membership.

> They can also be used to represent the company organization.

> If you set a lot of things through gpo, you may let them in a different OU,

> to not "hurt" them directly. But it will be then harder to make them just

> like others.

>

> A domain seems not appropriate to me (too much for 15 users), and not

> useful since you seem to be the only admin ;)

>

> I vote for OU ;)

>

> --

> Cordialement,

> Mathieu CHATEAU

> http://lordoftheping.blogspot.com

>

>

> "razor" <razor@discussions.microsoft.com> wrote in message

> news:FB9CBD32-5E6A-4485-B094-A6590FFD4666@microsoft.com...

> > Hello--

> >

> > We have a small, single domain network of about 100 machines, including 12

> > servers with about 50 users. We have three subnets, one in the host

> > office,

> > and one each for two remote locations connected via a WAN. All servers are

> > running Windows Server 2003 and all workstations are running Windows XP

> > Pro.

> >

> > We are just about to finalize negotiations where a partner of ours is

> > going

> > to have us manage them. They will stay a separate company at a separate

> > physical location, but will need to access some, but not all, of our

> > network

> > resources via a dedicated Terminal Server.

> >

> > They only have about 15 users, and so I was not sure if there is any "best

> > practice" suggestions on whether we should create another domain for them

> > on

> > our network or just another OU?

> >

> > Any suggestions would be appreciated.

 



 

From: Ryan Hanisco <RyanHanisco@discussions.microsoft.com>

To: none

Subject: Re: Would You Advise Adding a Domain?

Date: 09/27/2007 17:17:03

Razor,

 

An OU seems to fit the bill for what you're looking to do -- at least as

tersely as you have explained the challenge you are facing.  Remember,

though, that they will have to log in again and will be operating under your

domain when they are connected to the terminal session.

 

You will want to get a copy of their AUP and make sure that they are aware

of any of your policies so there isn't trouble down the line.  You will also

want to make absolutely certain that you have all security settings reviewed

and confirmed on the t-server as you'll have "foreign" users inside your

network perimeter.

 

Hope this helps.

--

Ryan Hanisco

MCSE, MCTS: SQL 2005, Project+

www.techsterity.com

Chicago, IL

 

Remember: Marking helpful answers helps everyone find the info they need

quickly.

"razor" wrote:

 

> Yes, I agree--but it's always good to get a 2nd opinion ;-)

>

> Thanks,

>

> sd

>

> "Mathieu CHATEAU" wrote:

>

> > Hello,

> >

> > OU are often used to apply different policy based on OU membership.

> > They can also be used to represent the company organization.

> > If you set a lot of things through gpo, you may let them in a different OU,

> > to not "hurt" them directly. But it will be then harder to make them just

> > like others.

> >

> > A domain seems not appropriate to me (too much for 15 users), and not

> > useful since you seem to be the only admin ;)

> >

> > I vote for OU ;)

> >

> > --

> > Cordialement,

> > Mathieu CHATEAU

> > http://lordoftheping.blogspot.com

> >

> >

> > "razor" <razor@discussions.microsoft.com> wrote in message

> > news:FB9CBD32-5E6A-4485-B094-A6590FFD4666@microsoft.com...

> > > Hello--

> > >

> > > We have a small, single domain network of about 100 machines, including 12

> > > servers with about 50 users. We have three subnets, one in the host

> > > office,

> > > and one each for two remote locations connected via a WAN. All servers are

> > > running Windows Server 2003 and all workstations are running Windows XP

> > > Pro.

> > >

> > > We are just about to finalize negotiations where a partner of ours is

> > > going

> > > to have us manage them. They will stay a separate company at a separate

> > > physical location, but will need to access some, but not all, of our

> > > network

> > > resources via a dedicated Terminal Server.

> > >

> > > They only have about 15 users, and so I was not sure if there is any "best

> > > practice" suggestions on whether we should create another domain for them

> > > on

> > > our network or just another OU?

> > >

> > > Any suggestions would be appreciated.

> >

> >

 



 

From: razor <razor@discussions.microsoft.com>

To: none

Subject: Re: Would You Advise Adding a Domain?

Date: 09/27/2007 17:23:04

Yes, all good stuff--thank you. Right now our GPOs are connected to our

domain, and so I will need to move those to just our main OU (We really don't

use OUs here) otherwise that might cause issues--especially since we are

deliberating having them connect to the TS via a VPN on our concentrator and

it assigns a private IP via DHCP.

 

sd

 

"Ryan Hanisco" wrote:

 

> Razor,

>

> An OU seems to fit the bill for what you're looking to do -- at least as

> tersely as you have explained the challenge you are facing.  Remember,

> though, that they will have to log in again and will be operating under your

> domain when they are connected to the terminal session.

>

> You will want to get a copy of their AUP and make sure that they are aware

> of any of your policies so there isn't trouble down the line.  You will also

> want to make absolutely certain that you have all security settings reviewed

> and confirmed on the t-server as you'll have "foreign" users inside your

> network perimeter.

>

> Hope this helps.

> --

> Ryan Hanisco

> MCSE, MCTS: SQL 2005, Project+

> www.techsterity.com

> Chicago, IL

>

> Remember: Marking helpful answers helps everyone find the info they need

> quickly.

>

>

> "razor" wrote:

>

> > Yes, I agree--but it's always good to get a 2nd opinion ;-)

> >

> > Thanks,

> >

> > sd

> >

> > "Mathieu CHATEAU" wrote:

> >

> > > Hello,

> > >

> > > OU are often used to apply different policy based on OU membership.

> > > They can also be used to represent the company organization.

> > > If you set a lot of things through gpo, you may let them in a different OU,

> > > to not "hurt" them directly. But it will be then harder to make them just

> > > like others.

> > >

> > > A domain seems not appropriate to me (too much for 15 users), and not

> > > useful since you seem to be the only admin ;)

> > >

> > > I vote for OU ;)

> > >

> > > --

> > > Cordialement,

> > > Mathieu CHATEAU

> > > http://lordoftheping.blogspot.com

> > >

> > >

> > > "razor" <razor@discussions.microsoft.com> wrote in message

> > > news:FB9CBD32-5E6A-4485-B094-A6590FFD4666@microsoft.com...

> > > > Hello--

> > > >

> > > > We have a small, single domain network of about 100 machines, including 12

> > > > servers with about 50 users. We have three subnets, one in the host

> > > > office,

> > > > and one each for two remote locations connected via a WAN. All servers are

> > > > running Windows Server 2003 and all workstations are running Windows XP

> > > > Pro.

> > > >

> > > > We are just about to finalize negotiations where a partner of ours is

> > > > going

> > > > to have us manage them. They will stay a separate company at a separate

> > > > physical location, but will need to access some, but not all, of our

> > > > network

> > > > resources via a dedicated Terminal Server.

> > > >

> > > > They only have about 15 users, and so I was not sure if there is any "best

> > > > practice" suggestions on whether we should create another domain for them

> > > > on

> > > > our network or just another OU?

> > > >

> > > > Any suggestions would be appreciated.

> > >

> > >

 



 

From: Lanwench [MVP - Exchange] <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com>

To: none

Subject: Re: Would You Advise Adding a Domain?

Date: 09/27/2007 16:50:08

razor <razor@discussions.microsoft.com> wrote:

> Hello--

>

> We have a small, single domain network of about 100 machines,

> including 12 servers with about 50 users. We have three subnets, one

> in the host office, and one each for two remote locations connected

> via a WAN. All servers are running Windows Server 2003 and all

> workstations are running Windows XP Pro.

>

> We are just about to finalize negotiations where a partner of ours is

> going to have us manage them. They will stay a separate company at a

> separate physical location, but will need to access some, but not

> all, of our network resources via a dedicated Terminal Server.

>

> They only have about 15 users, and so I was not sure if there is any

> "best practice" suggestions on whether we should create another

> domain for them on our network or just another OU?

>

> Any suggestions would be appreciated.

 

I agree with Mathieu. Since another domain doesn't offer you anything in the

way of security, it's only going to add complexity with no benefit.

 

If their network is to be integrated with yours at all their office could be

in the same AD domain but in a separate site/subnet, and you can use OUs to

organize things.

 

However, that said, all you've mentioned they will be touching/accessing is

Terminal Services - so do they even need to be part of your domain? Will you

be responsible for centrally managing *their* local server/workstations

across a WAN link? It isn't clear from your post. If all they need is TS,

perhaps none of this is necessary - they could use thin clients for that.

 



 

From: razor <razor@discussions.microsoft.com>

To: none

Subject: Re: Would You Advise Adding a Domain?

Date: 09/27/2007 19:22:00

If by saying thin clients you mean users with limited permissions, that is

what I have in mind. I would just like to put them all in one OU to keep them

organized and removed from any GPOs we have.

 

They will be running a third-party application on the TS that accesses their

own client information in a db located on our SQL server within the same

subnet as the TS.

 

sd

 

"Lanwench [MVP - Exchange]" wrote:

 

> razor <razor@discussions.microsoft.com> wrote:

> > Hello--

> >

> > We have a small, single domain network of about 100 machines,

> > including 12 servers with about 50 users. We have three subnets, one

> > in the host office, and one each for two remote locations connected

> > via a WAN. All servers are running Windows Server 2003 and all

> > workstations are running Windows XP Pro.

> >

> > We are just about to finalize negotiations where a partner of ours is

> > going to have us manage them. They will stay a separate company at a

> > separate physical location, but will need to access some, but not

> > all, of our network resources via a dedicated Terminal Server.

> >

> > They only have about 15 users, and so I was not sure if there is any

> > "best practice" suggestions on whether we should create another

> > domain for them on our network or just another OU?

> >

> > Any suggestions would be appreciated.

>

> I agree with Mathieu. Since another domain doesn't offer you anything in the

> way of security, it's only going to add complexity with no benefit.

>

> If their network is to be integrated with yours at all their office could be

> in the same AD domain but in a separate site/subnet, and you can use OUs to

> organize things.

>

> However, that said, all you've mentioned they will be touching/accessing is

> Terminal Services - so do they even need to be part of your domain? Will you

> be responsible for centrally managing *their* local server/workstations

> across a WAN link? It isn't clear from your post. If all they need is TS,

> perhaps none of this is necessary - they could use thin clients for that.

>

 



 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: You have exceeded the maximum number of computer accounts ...

Date: 09/28/2007 01:18:04

Hello,

 

http://lordoftheping.blogspot.com/2007/09/default-limit-to-number-of-workstations.html

 

By default, users can only add 10 workstations to the domain before losing

their delegation.

If you need to increase this:

http://support.microsoft.com/kb/243327/en-us

The guilty attribute is ms-DS-MachineAccountQuota

--

Cordialement,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

"ali kemal" <alikemal@discussions.microsoft.com> wrote in message

news:BA9CFAEB-060F-4966-B8ED-40738C4BAEAA@microsoft.com...

> Hi,

>

> There is a remote office of our company and we gave a user a right to

> create

> computer object in AD in order to join the computer.

> Now, the user gets the error "You have exceeded the maximum number of

> computer accounts ". Hence he can't add any computer to the domain.

>

> So how can we solve this problem.

>

> Thanks in advance.

> Ali Kemal.

> Tunca.

>
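The quota described in the reply above can be audited before anyone raises it. This is an added example, not part of the original post: it assumes the RSAT ActiveDirectory PowerShell module and read access to the domain, and it relies on the fact that accounts joined under the quota carry the creator's SID in mS-DS-CreatorSID.

```powershell
# Added example: read-only audit of ms-DS-MachineAccountQuota usage.
# Assumption: RSAT ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

# The quota is a single attribute on the domain head object (default 10).
$domain = Get-ADDomain
$head   = Get-ADObject -Identity $domain.DistinguishedName `
              -Properties 'ms-DS-MachineAccountQuota'
$quota  = $head.'ms-DS-MachineAccountQuota'

# Computer accounts created under the quota record who created them in
# mS-DS-CreatorSID. Accounts pre-staged by administrators or created through
# an explicit OU delegation leave it empty and do not count against anyone.
$joined = Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated |
    Where-Object { $_.'mS-DS-CreatorSID' }

$report = foreach ($group in ($joined | Group-Object { $_.'mS-DS-CreatorSID'.Value })) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier $group.Name
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $group.Name }   # creator deleted or SID not resolvable

    [pscustomobject]@{
        Creator = $who
        Created = $group.Count
        Quota   = $quota
        AtLimit = ($group.Count -ge $quota)
        Newest  = ($group.Group | Sort-Object whenCreated |
                       Select-Object -Last 1).Name
    }
}

# Creators at or over the limit are the ones who will see the
# "exceeded the maximum number of computer accounts" error.
$report | Sort-Object Created -Descending | Format-Table -AutoSize
```

The attribute is domain-wide, so raising it raises the limit for every authenticated user, not only the remote-office account that hit the error.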

 



 

From: David Shen <davidsunshine2000@hotmail.com>

To: none

Subject: Re: [X-POST] Person and User.

Date: 09/28/2007 01:36:07

To Alessandro,

 

     You can use the Sysinternals tool ADExplorer to view userPrincipalName very

easily. You may download it from www.sysinternals.com

 

"AM" <AM@AM.AM> wrote in message news:%23GArXW1wHHA.424@TK2MSFTNGP06.phx.gbl...

> Hi all,

>

> is there anyone who can kindly tell me how the object/category specified

> in the subject play the role in the big picture of Active Directory?

>

> I need to access the attribute userPrincipalName and someone told me to

> refer to the object (?-I hope to call it with the right name) USER instead

> of PERSON.

>

> Browsing the AD through an LDAP browser the "user" has both the

> objectclass User and Person so I can not see any difference between them

> and I can not understand why to use the first instead of the second. Maybe

> I'm missing something.

>

> I would be interested in some drawings that explains at which level those

> "object" are placed and which is the "role" of each one.

>

> Many thanks in advance.

>

> Alessandro
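The question of where "person" and "user" sit relative to each other can be answered from the schema itself. This is an added example, not part of the original thread: it assumes the RSAT ActiveDirectory PowerShell module, walks the class hierarchy upward from user, reports which class lists userPrincipalName, and then shows which kinds of objects each objectClass filter actually returns.

```powershell
# Added example: inspect the schema instead of guessing (read-only).
# Assumption: RSAT ActiveDirectory module and read access to the schema partition.
Import-Module ActiveDirectory

$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$attribute = 'userPrincipalName'

# Walk subClassOf from 'user' up to the root class, whose parent is itself.
$class = 'user'
$chain = while ($true) {
    $def = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$class))" `
        -Properties subClassOf, mayContain, systemMayContain

    [pscustomobject]@{
        Class    = $class
        Parent   = $def.subClassOf
        # Only the class's own optional attributes are checked here;
        # attributes contributed by auxiliary classes are not followed.
        ListsUPN = (@($def.mayContain) + @($def.systemMayContain)) -contains $attribute
    }

    if ($def.subClassOf -eq $class) { break }
    $class = $def.subClassOf
}
$chain | Format-Table -AutoSize

# An object carries every class in its chain in objectClass, which is why a
# user entry shows both 'user' and 'person' in an LDAP browser. Grouping by
# the most specific class shows how much broader each filter is.
foreach ($filter in '(objectClass=person)',
                    '(objectClass=user)',
                    '(&(objectCategory=person)(objectClass=user))') {
    Get-ADObject -LDAPFilter $filter |
        Group-Object ObjectClass |
        Select-Object @{ n = 'Filter'; e = { $filter } }, Name, Count
}
```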

 



 
