Active Directory 0704

From: Billy Preston <billy.prestonNOSPAM@victorychurchNOSPAM.com>
To: none
Subject: Re: Seeing Serv03 users/groups from a WinXP client
Date: 09/26/2007 16:10:39

Al Mulnick wrote:
> Sounds like a problem with the xp machine. Have you checked the system log
> of the workstation? Any clues there? anything to do with netlogon?
> You have verified that it's a member of the domain right? Verified that its
> membership is active and problem free?
>
> "Billy Preston" <billy.prestonNOSPAM@victorychurchNOSPAM.com> wrote in
> message news:13fgqna7u52f091@news.supernews.com...
>> Hello everyone,
>>
>> I'm having some problems seeing my WinServ03 domain's users/groups from my
>> XP clients.
>>
>> With my NT4 server when I needed to add Domain Users as Local
>> Administrators to my XP clients, I'd go to Administrative Tools>Computer
>> Management>Local Users and Groups>Groups and open the Administrators
>> group - in the Administrator properties window, I click on the add button,
>> and in the Select Users, Computers, or Groups window, I'd choose my domain
>> using the Locations button, then click on the Advanced and Find Now
>> buttons to find all of the users/groups in my domain. (The client is
>> joined to the NT4 domain.)
>>
>> However, with my WinServ03 when I do the same process, I click on the
>> Location button and all I can see is the XP client - I can't see any
>> domain (and the client is joined to the WinServ03 domain).
>>
>> Any ideas why I can't see the domain? Without seeing it, I can't add the
>> users/groups. I've tried it both as a network administrator and a local
>> administrator and neither work.

I verified that netlogon is working, there are no errors in the system log,
and the client is indeed a member of the domain. Any other ideas?

From: Billy Preston <billy.prestonNOSPAM@victorychurchNOSPAM.com>
To: none
Subject: Re: Seeing Serv03 users/groups from a WinXP client
Date: 09/26/2007 18:45:01

Problem is solved...found the solution at
http://techrepublic.com.com/5208-6230-0.html?forumID=48&threadID=166522&messageID=1701814

Billy Preston wrote:
> Al Mulnick wrote:
>> Sounds like a problem with the xp machine. Have you checked the
>> system log of the workstation? Any clues there? anything to do with
>> netlogon?
>> You have verified that it's a member of the domain right? Verified
>> that its membership is active and problem free?
>>
>> "Billy Preston" <billy.prestonNOSPAM@victorychurchNOSPAM.com> wrote in
>> message news:13fgqna7u52f091@news.supernews.com...
>>> Hello everyone,
>>>
>>> I'm having some problems seeing my WinServ03 domain's users/groups
>>> from my XP clients.
>>>
>>> With my NT4 server when I needed to add Domain Users as Local
>>> Administrators to my XP clients, I'd go to Administrative
>>> Tools>Computer Management>Local Users and Groups>Groups and open the
>>> Administrators group - in the Administrator properties window, I
>>> click on the add button, and in the Select Users, Computers, or
>>> Groups window, I'd choose my domain using the Locations button, then
>>> click on the Advanced and Find Now buttons to find all of the
>>> users/groups in my domain. (The client is joined to the NT4 domain.)
>>>
>>> However, with my WinServ03 when I do the same process, I click on the
>>> Location button and all I can see is the XP client - I can't see any
>>> domain (and the client is joined to the WinServ03 domain).
>>>
>>> Any ideas why I can't see the domain? Without seeing it, I can't add
>>> the users/groups. I've tried it both as a network administrator and a
>>> local administrator and neither work.
>
> I verified that netlogon is working, there are no errors in the system
> log, and the client is indeed a member of the domain. Any other ideas?

From: Al Mulnick <amulnick_No_SPAM@ncDOTrr.com>
To: none
Subject: Re: Seeing Serv03 users/groups from a WinXP client
Date: 09/26/2007 19:23:10

Wow. You did all of those steps? That's a long way around if you ask me but
I'm surprised that you had no errors with the netlogon service or any others.
If that was the fix, you should not have been able to talk to the domain
and it should have been in the event logs of the local machine.

"Billy Preston" <billy.prestonNOSPAM@victorychurchNOSPAM.com> wrote in
message news:13flrlvkhkb5173@news.supernews.com...
> Problem is solved...found the solution at
> http://techrepublic.com.com/5208-6230-0.html?forumID=48&threadID=166522&messageID=1701814
>
> Billy Preston wrote:
>> Al Mulnick wrote:
>>> Sounds like a problem with the xp machine. Have you checked the system
>>> log of the workstation? Any clues there? anything to do with netlogon?
>>> You have verified that it's a member of the domain right? Verified that
>>> its membership is active and problem free?
>>>
>>> "Billy Preston" <billy.prestonNOSPAM@victorychurchNOSPAM.com> wrote in
>>> message news:13fgqna7u52f091@news.supernews.com...
>>>> Hello everyone,
>>>>
>>>> I'm having some problems seeing my WinServ03 domain's users/groups from
>>>> my XP clients.
>>>>
>>>> With my NT4 server when I needed to add Domain Users as Local
>>>> Administrators to my XP clients, I'd go to Administrative
>>>> Tools>Computer Management>Local Users and Groups>Groups and open the
>>>> Administrators group - in the Administrator properties window, I click
>>>> on the add button, and in the Select Users, Computers, or Groups
>>>> window, I'd choose my domain using the Locations button, then click on
>>>> the Advanced and Find Now buttons to find all of the users/groups in my
>>>> domain. (The client is joined to the NT4 domain.)
>>>>
>>>> However, with my WinServ03 when I do the same process, I click on the
>>>> Location button and all I can see is the XP client - I can't see any
>>>> domain (and the client is joined to the WinServ03 domain).
>>>>
>>>> Any ideas why I can't see the domain? Without seeing it, I can't add
>>>> the users/groups. I've tried it both as a network administrator and a
>>>> local administrator and neither work.
>>
>> I verified that netlogon is working, there are no errors in the system
>> log, and the client is indeed a member of the domain. Any other ideas?

From: jwd <jwd@discussions.microsoft.com>
To: none
Subject: RE: Seeking tips for setting up an AD 2003 test lab accessible by prod
Date: 09/27/2007 10:51:02

If you want to test schema extensions then it will need to be a completely
separate forest. All domains in a single forest share the same schema.

Best Regards
Joe Dunn MCSE

"shdowflare" wrote:
> Hi,
>
> We're getting ready to build out an Active Directory 2003 test lab. We need
> a place to check schema extensions, group policies, and software updates
> before putting into production. We need the test environment to be
> accessible to our corporate network, so applications can interact with the
> test directory during testing. So the LDAP lab can't be isolated. It needs
> to be on our corporate LAN. I imagine putting the test AD controller on our
> LAN means it will be found by our production DC's (and vice versa). So I was
> wondering how to structure the test domain hierarchy. Should it be a
> separate forest? Or just a separate domain under the production forest root?
>
> Basically, I'm looking for ideas on the best way to accomplish the
> requirements above and address the questions I've posed. Can you guys help
> out?
>
> Looking forward to your replies.
>
> -S

From: kj [SBS MVP] <KevinJ.SBS@SPAMFREE.gmail.com>
To: none
Subject: Re: sending command to an AD server?
Date: 09/27/2007 15:28:47

alazarevich@gmail.com wrote:
> Hi,
>
> We'd like to be able to send a command (for adding users) to our AD
> domain server from a remote linux machine. We know what the command is
> (dsadd user...), but we don't know the best way (secure + ease) to
> send that command to the AD server.
>
> We know there is an MMC that can be run from other clients in the
> domain, but isn't there a way to send a command to an AD server as
> well?
>
> Any ideas would be helpful. Thanks!
>
> Alex

Psexec in the windows world, but then dsadd needn't be run from a DC either.
--
/kj

From: alazarevich@gmail.com <alazarevich@gmail.com>
To: none
Subject: Re: sending command to an AD server?
Date: 09/27/2007 16:23:18

On Sep 27, 3:28 pm, "kj [SBS MVP]" <KevinJ....@SPAMFREE.gmail.com> wrote:
> alazarev...@gmail.com wrote:
>> Hi,
>>
>> We'd like to be able to send a command (for adding users) to our AD
>> domain server from a remote linux machine. We know what the command is
>> (dsadd user...), but we don't know the best way (secure + ease) to
>> send that command to the AD server.
>>
>> We know there is an MMC that can be run from other clients in the
>> domain, but isn't there a way to send a command to an AD server as
>> well?
>>
>> Any ideas would be helpful. Thanks!
>>
>> Alex
>
> Psexec in the windows world, but then dsadd needn't be run from a DC
> either.

psexec looks cool, I like it. But then what is this about dsadd not
needing to be run on the DC? dsadd can be run from a domain client
computer? How? I looked in the Resource Kit but didn't find anything
like that.

Thanks!

alex

From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: sending command to an AD server?
Date: 09/27/2007 16:35:16

Hello,
I am pretty sure you will have to use directly the ldap protocol to make this.
If using php, it would be around ldap_add function
Else give a try to openldap as a client
Perl would do the trick through Net::LDAP
--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

<alazarevich@gmail.com> wrote in message
news:1190928198.925116.228920@d55g2000hsg.googlegroups.com...
> On Sep 27, 3:28 pm, "kj [SBS MVP]" <KevinJ....@SPAMFREE.gmail.com>
> wrote:
>> alazarev...@gmail.com wrote:
>>> Hi,
>>>
>>> We'd like to be able to send a command (for adding users) to our AD
>>> domain server from a remote linux machine. We know what the command is
>>> (dsadd user...), but we don't know the best way (secure + ease) to
>>> send that command to the AD server.
>>>
>>> We know there is an MMC that can be run from other clients in the
>>> domain, but isn't there a way to send a command to an AD server as
>>> well?
>>>
>>> Any ideas would be helpful. Thanks!
>>>
>>> Alex
>>
>> Psexec in the windows world, but then dsadd needn't be run from a DC
>> either.
>
> psexec looks cool, I like it. But then what is this about dsadd not
> needing to be run on the DC? dsadd can be run from a domain client
> computer? How? I looked in the Resource Kit but didn't find anything
> like that.
>
> Thanks!
>
> alex

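The direct-LDAP route suggested in the message above, as an added example that is not part of the original post: a Python script that builds the LDIF an OpenLDAP client on the Linux machine could send to create a disabled AD user, then set its password and enable it. The user name, OU, the `example.test` domain and the password are constructed, and the logon-name allow-list is an assumed local policy.

```python
import base64
import re

# Conservative allow-list for logon names: an assumed local policy. AD itself
# accepts more characters but limits a user's sAMAccountName to 20.
_SAM_RE = re.compile(r"[A-Za-z0-9._-]{1,20}")


def escape_rdn_value(value):
    """Escape a string for use as one RDN value inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ad_password_value(password):
    """unicodePwd takes the password wrapped in double quotes, as UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def ldif_line(attr, value):
    """Emit 'attr: value', or base64 'attr:: ...' where RFC 2849 requires it.

    Base64-encoding values that contain CR/LF keeps untrusted input from
    starting a new attribute line in the generated file.
    """
    raw = value if isinstance(value, bytes) else value.encode("utf-8")
    safe = (
        all(0x00 < b < 0x80 and b not in (0x0A, 0x0D) for b in raw)
        and raw[:1] not in (b" ", b":", b"<")
        and not raw.endswith(b" ")
    )
    if safe:
        return "%s: %s" % (attr, raw.decode("ascii"))
    return "%s:: %s" % (attr, base64.b64encode(raw).decode("ascii"))


def build_user_ldif(cn, sam, upn_suffix, container_dn, password):
    """Return LDIF that adds a disabled user, then sets a password and enables it.

    container_dn and upn_suffix are treated as trusted configuration;
    cn and sam are treated as untrusted input.
    """
    if not _SAM_RE.fullmatch(sam) or sam.endswith("."):
        raise ValueError("rejected sAMAccountName: %r" % (sam,))
    if not cn.strip():
        raise ValueError("empty cn")
    dn = "CN=%s,%s" % (escape_rdn_value(cn), container_dn)
    add = [
        ldif_line("dn", dn),
        "changetype: add",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: user",
        ldif_line("cn", cn),
        ldif_line("sAMAccountName", sam),
        ldif_line("userPrincipalName", "%s@%s" % (sam, upn_suffix)),
        "userAccountControl: 514",  # NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2)
    ]
    enable = [
        ldif_line("dn", dn),
        "changetype: modify",
        "replace: unicodePwd",
        ldif_line("unicodePwd", ad_password_value(password)),
        "-",
        "replace: userAccountControl",
        "userAccountControl: 512",  # enable only after the password is set
        "-",
    ]
    return "\n".join(add) + "\n\n" + "\n".join(enable) + "\n"


if __name__ == "__main__":
    # Constructed sample values; example.test is a placeholder domain.
    print(build_user_ldif("Smith, Al", "asmith", "example.test",
                          "OU=Staff,DC=example,DC=test", "newPassword"), end="")
```

The output can be applied with OpenLDAP's `ldapmodify -x -H ldaps://<dc> -D <bind DN> -W -f <file>`, where the angle-bracket values are placeholders. AD accepts `unicodePwd` writes only over an encrypted connection, so the `ldaps://` URL (or StartTLS) is required, with server certificate validation left on.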
From: kj [SBS MVP] <KevinJ.SBS@SPAMFREE.gmail.com>
To: none
Subject: Re: sending command to an AD server?
Date: 09/27/2007 17:50:37

alazarevich@gmail.com wrote:
> On Sep 27, 3:28 pm, "kj [SBS MVP]" <KevinJ....@SPAMFREE.gmail.com>
> wrote:
>> alazarev...@gmail.com wrote:
>>> Hi,
>>>
>>> We'd like to be able to send a command (for adding users) to our AD
>>> domain server from a remote linux machine. We know what the command
>>> is (dsadd user...), but we don't know the best way (secure + ease)
>>> to send that command to the AD server.
>>>
>>> We know there is an MMC that can be run from other clients in the
>>> domain, but isn't there a way to send a command to an AD server as
>>> well?
>>>
>>> Any ideas would be helpful. Thanks!
>>>
>>> Alex
>>
>> Psexec in the windows world, but then dsadd needn't be run from a DC
>> either.
>
> psexec looks cool, I like it. But then what is this about dsadd not
> needing to be run on the DC? dsadd can be run from a domain client
> computer? How? I looked in the Resource Kit but didn't find anything
> like that.
>
> Thanks!
>
> alex

I use the ds tools and the admod/adfind/adexplorer/adsiedit/and the rest of
the AD & Windows management tools all the time from a member XP workstation
using a domain account.

"The command-line tools can be installed and run on computers that are
running Windows XP Service Pack 1 and Windows Server 2003 Server."
http://support.microsoft.com/kb/298882/en-us

Most of the DCs I manage are remote or tucked away. It's just easier that
way (& you can use runas instead of logging in).
--
/kj

From: alazarevich@gmail.com <alazarevich@gmail.com>
To: none
Subject: Re: sending command to an AD server?
Date: 09/27/2007 19:05:27

On Sep 27, 5:50 pm, "kj [SBS MVP]" <KevinJ....@SPAMFREE.gmail.com> wrote:
> alazarev...@gmail.com wrote:
>> On Sep 27, 3:28 pm, "kj [SBS MVP]" <KevinJ....@SPAMFREE.gmail.com>
>> wrote:
>>> alazarev...@gmail.com wrote:
>>>> Hi,
>>>>
>>>> We'd like to be able to send a command (for adding users) to our AD
>>>> domain server from a remote linux machine. We know what the command
>>>> is (dsadd user...), but we don't know the best way (secure + ease)
>>>> to send that command to the AD server.
>>>>
>>>> We know there is an MMC that can be run from other clients in the
>>>> domain, but isn't there a way to send a command to an AD server as
>>>> well?
>>>>
>>>> Any ideas would be helpful. Thanks!
>>>>
>>>> Alex
>>>
>>> Psexec in the windows world, but then dsadd needn't be run from a DC
>>> either.
>>
>> psexec looks cool, I like it. But then what is this about dsadd not
>> needing to be run on the DC? dsadd can be run from a domain client
>> computer? How? I looked in the Resource Kit but didn't find anything
>> like that.
>>
>> Thanks!
>>
>> alex
>
> I use the ds tools and the admod/adfind/adexplorer/adsiedit/and the rest of
> the AD & Windows management tools all the time from a member XP workstation
> using a domain account.
>
> "The command-line tools can be installed and run on computers that are
> running Windows XP Service Pack 1 and Windows Server 2003
> Server." http://support.microsoft.com/kb/298882/en-us
>
> Most of the DCs I manage are remote or tucked away. It's just easier that
> way (& you can use runas instead of logging in).
> --
> /kj

okay, this might work for me. but, i can't find a way to install these
dsadd tools to an XP client. i can't find an installer on MS website,
nor do they seem to be on the 2003 install CDs. what do i do just copy
over the .exe's and .dll's from the 2003 server systemroot/system32 to
the xp client?

thanks!

alex

From: kj [SBS MVP] <KevinJ.SBS@SPAMFREE.gmail.com>
To: none
Subject: Re: sending command to an AD server?
Date: 09/27/2007 23:42:29

alazarevich@gmail.com wrote:
> On Sep 27, 5:50 pm, "kj [SBS MVP]" <KevinJ....@SPAMFREE.gmail.com>
> wrote:
>> alazarev...@gmail.com wrote:
>>> On Sep 27, 3:28 pm, "kj [SBS MVP]" <KevinJ....@SPAMFREE.gmail.com>
>>> wrote:
>>>> alazarev...@gmail.com wrote:
>>>>> Hi,
>>>>>
>>>>> We'd like to be able to send a command (for adding users) to our
>>>>> AD domain server from a remote linux machine. We know what the
>>>>> command is (dsadd user...), but we don't know the best way
>>>>> (secure + ease) to send that command to the AD server.
>>>>>
>>>>> We know there is an MMC that can be run from other clients in the
>>>>> domain, but isn't there a way to send a command to an AD server as
>>>>> well?
>>>>>
>>>>> Any ideas would be helpful. Thanks!
>>>>>
>>>>> Alex
>>>>
>>>> Psexec in the windows world, but then dsadd needn't be run from a
>>>> DC either.
>>>
>>> psexec looks cool, I like it. But then what is this about dsadd not
>>> needing to be run on the DC? dsadd can be run from a domain client
>>> computer? How? I looked in the Resource Kit but didn't find anything
>>> like that.
>>>
>>> Thanks!
>>>
>>> alex
>>
>> I use the ds tools and the admod/adfind/adexplorer/adsiedit/and the
>> rest of the AD & Windows management tools all the time from a member XP
>> workstation using a domain account.
>>
>> "The command-line tools can be installed and run on computers that
>> are running Windows XP Service Pack 1 and Windows Server 2003
>> Server." http://support.microsoft.com/kb/298882/en-us
>>
>> Most of the DCs I manage are remote or tucked away. It's just easier
>> that way (& you can use runas instead of logging in).
>> --
>> /kj
>
> okay, this might work for me. but, i can't find a way to install these
> dsadd tools to an XP client. i can't find an installer on MS website,
> nor do they seem to be on the 2003 install CDs. what do i do just copy
> over the .exe's and .dll's from the 2003 server systemroot/system32 to
> the xp client?
>
> thanks!
>
> alex

Support/tools folder on the Windows CD, or get the SP1 version here;
http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en
--
/kj

From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: sending command to an AD server?
Date: 09/28/2007 01:08:18

Hello,
In your first post, you were looking to manage AD from a linux machine?
Is this idea gone?
--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

<alazarevich@gmail.com> wrote in message
news:1190937927.775294.297180@22g2000hsm.googlegroups.com...
> On Sep 27, 5:50 pm, "kj [SBS MVP]" <KevinJ....@SPAMFREE.gmail.com>
> wrote:
>> alazarev...@gmail.com wrote:
>>> On Sep 27, 3:28 pm, "kj [SBS MVP]" <KevinJ....@SPAMFREE.gmail.com>
>>> wrote:
>>>> alazarev...@gmail.com wrote:
>>>>> Hi,
>>>>>
>>>>> We'd like to be able to send a command (for adding users) to our AD
>>>>> domain server from a remote linux machine. We know what the command
>>>>> is (dsadd user...), but we don't know the best way (secure + ease)
>>>>> to send that command to the AD server.
>>>>>
>>>>> We know there is an MMC that can be run from other clients in the
>>>>> domain, but isn't there a way to send a command to an AD server as
>>>>> well?
>>>>>
>>>>> Any ideas would be helpful. Thanks!
>>>>>
>>>>> Alex
>>>>
>>>> Psexec in the windows world, but then dsadd needn't be run from a DC
>>>> either.
>>>
>>> psexec looks cool, I like it. But then what is this about dsadd not
>>> needing to be run on the DC? dsadd can be run from a domain client
>>> computer? How? I looked in the Resource Kit but didn't find anything
>>> like that.
>>>
>>> Thanks!
>>>
>>> alex
>>
>> I use the ds tools and the admod/adfind/adexplorer/adsiedit/and the rest
>> of the AD & Windows management tools all the time from a member XP
>> workstation using a domain account.
>>
>> "The command-line tools can be installed and run on computers that are
>> running Windows XP Service Pack 1 and Windows Server 2003
>> Server." http://support.microsoft.com/kb/298882/en-us
>>
>> Most of the DCs I manage are remote or tucked away. It's just easier that
>> way (& you can use runas instead of logging in).
>> --
>> /kj
>
> okay, this might work for me. but, i can't find a way to install these
> dsadd tools to an XP client. i can't find an installer on MS website,
> nor do they seem to be on the 2003 install CDs. what do i do just copy
> over the .exe's and .dll's from the 2003 server systemroot/system32 to
> the xp client?
>
> thanks!
>
> alex

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Server 2000 domain upgrade to Server 2003
Date: 09/25/2007 14:51:54

You may use the 64bit R2 in the existing forest, you only need to get the
second CD "where the adprep is" 32 bit version. You can get the 2nd CD from
Microsoft site for the trial version of the Windows 2003 R2 32bit and use it
to upgrade your 32 bit forest to R2.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"TM" <TM@discussions.microsoft.com> wrote in message
news:FE79DC66-E86A-416E-A588-2DC3F48EEB35@microsoft.com...
> Jorge,
> Thanks for the reply.
> I understand the fact about 2 servers and I have that. And have done the
> adprep from the 32 bit cd's.
> But where you say about the second cd on the install to not use it.
> So just so I have a clear understanding I might have a better chance at
> getting this right if I try from scratch on the 64bit 2003 server but not
> install the second CD. do the domain controller upgrade.
>
> If that works then a guy would install the second cd once things are working
> and 2000 DC are removed.
>
> Let me know. I want to say thanks for your help guys.
> I tested this all in a test lab and I got it to upgrade etc. but of course
> once I start messing with a server that has been in production for a few
> years it is a different story.
>
> "Jorge Silva" wrote:
>
>> You can't do a direct upgrade from 32 to 64 bit in the same machine.
>> If you want to introduce the 64 bit Windows 2003 you'll need a separate
>> server.
>>
>> To introduce Windows 2003 in your 2000 forest you first need to upgrade the
>> forest and the Domain using adprep.
>>
>> Is not mandatory upgrade the schema to R2, this applies to 32bit and 64bit
>> OS W2k3 If you install only OS and ignore/dismiss the second CD after the OS
>> is installed then you have a Windows2003SP1/2 normal. If you run the second
>> CD after OS installation then you'll be forced to upgrade the schema when
>> you try to introduce that server as a DC, but isn't MANDATORY to do that
>> unless you run the second CD after OS promotion.
>>
>> Now because you're running 32 bit version in other DCs, to upgrade the
>> forest to R2 you'll need to run adprep 32bit version in the schema master.
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services
>> "TM" <TM@discussions.microsoft.com> wrote in message
>> news:3A6222A9-E94B-4CB9-8C8B-6196B4E3E9EE@microsoft.com...
>>> Thanks for the response.
>>> I have read where to upgrade to 2003 but with a few of the programs I have
>>> on there currently I don't want to do that option on that server cause it is
>>> still needed for other apps.
>>>
>>> What do you think of building a server 2000 and making it a domain
>>> controller. DCPromoing the current server so it isn't a Domain Controller any
>>> more. then doing the suggested upgrade to 2003. Then moving the domain
>>> controller role to the server that I am intending it to be on.
>>>
>>> So it will be a few more steps and time than I wanted to spend but does this
>>> seem a feasible option?
>>>
>>> Thanks for your help.
>>>
>>> "Meinolf Weber" wrote:
>>>
>>>> Hello tm,
>>>>
>>>> Maybe you did not read the article completely? With a windows 2000 domain
>>>> controller it is not possible to change it. You have to upgrade to 2003 like
>>>> stated in the article.
>>>>
>>>> Best regards
>>>>
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
>>>> no rights.
>>>>
>>>>> Well I have went through the article that both of you have suggested without
>>>>> any luck. Unless I am doing something wrong.
>>>>> Just a question does it matter if I am going to from 32bit 2000 server to a
>>>>> 64bit 2003 server?
>>>>> Also, I have the 2000 server at native mode the only 2000 server as
>>>>> Domain Controller with Exchange 2000 on it.
>>>>>
>>>>> Is there any other suggestions to get this fixed?
>>>>>
>>>>> "Jorge Silva" wrote:
>>>>>
>>>>>> With Windows 2000 DCs you shouldn't get your DFL and FFL more than Windows
>>>>>> 2000 Native otherwise the 2000 DCs will stop working.
>>>>>> Please read:
>>>>>> http://support.microsoft.com/kb/322692
>>>>>> --
>>>>>> I hope that the information above helps you.
>>>>>> Have a Nice day.
>>>>>> Jorge Silva
>>>>>> MCSE, MVP Directory Services
>>>>>> "TM" <TM@discussions.microsoft.com> wrote in message
>>>>>> news:A9BB3E80-DB8B-41CC-A527-9C6B38A94229@microsoft.com...
>>>>>>> Sorry for not getting more info
>>>>>>> On the current Server 2000 DC it is on Service Pack 4 with all the available
>>>>>>> updates.
>>>>>>> On the Server 2003 std. I have all the updates installed.
>>>>>>> It has all the roles and global catalog server.
>>>>>>> But I am to the step of raising the domain functional level now and
>>>>>>> I am getting the message below about not able to raise.
>>>>>>>
>>>>>>> If there is any other information I need to add let me know.
>>>>>>> thanks for your response
>>>>>>> ------------------------------------------------------------------------
>>>>>>> To update the domain functional level, the domain controllers in the domain
>>>>>>> must be running the appropriate version of windows.
>>>>>>> Domain Name
>>>>>>> norfolkiron.com
>>>>>>> Current domain functional level
>>>>>>> Windows 2000 native
>>>>>>> The following domain controllers are running earlier versions of windows:
>>>>>>> Domain Name Domain Controller Version of Windows
>>>>>>> norfolkiron.com server1.norfolkiron.com Windows 2000 Server 5.0 (2195)
>>>>>>> ------------------------------------------------------------------------
>>>>>>> "Jorge Silva" wrote:
>>>>>>>
>>>>>>>> Hi
>>>>>>>> Is this the error?
>>>>>>>> Error message when you run the Active Directory Installation Wizard: "The
>>>>>>>> version of the Active Directory schema of the source forest is not
>>>>>>>> compatible with the version of Active Directory on this computer"
>>>>>>>> http://support.microsoft.com/?kbid=917385
>>>>>>>>
>>>>>>>> --
>>>>>>>> I hope that the information above helps you.
>>>>>>>> Have a Nice day.
>>>>>>>> Jorge Silva
>>>>>>>> MCSE, MVP Directory Services
>>>>>>>> "TM" <TM@discussions.microsoft.com> wrote in message
>>>>>>>> news:3B68DD51-4FA6-4FE4-81D9-B205ED7C7D01@microsoft.com...
>>>>>>>>> I am having a very hard time upgrading the Domain controller from server 2000
>>>>>>>>> to server 2003. It keeps sending back a message saying that the server 2000
>>>>>>>>> is at an earlier version. But I have all the updates done and everything that
>>>>>>>>> I have read I have tried.
>>>>>>>>> I am at the end of the rope need some assistance in suggestions in getting
>>>>>>>>> this moved over. Would love to start using my exchange 2007 box but with the
>>>>>>>>> Domain upgrade holding me back this isn't fun any more.
>>>>>>>>> Thanks in advanced for any assistance

From: TM <TM@discussions.microsoft.com>
To: none
Subject: Re: Server 2000 domain upgrade to Server 2003
Date: 09/25/2007 15:26:02

Well I have done that when getting everything set to upgrade to the 2003
server 64bit r2 version of server.
I used the supplied CD's that I had bought.
But I still ran into the issue of the 2000 dc being an earlier version.

"Jorge Silva" wrote:
> You may use the 64bit R2 in the existing forest, you only need to get the
> second CD "where the adprep is" 32 bit version. You can get the 2nd CD from
> Microsoft site for the trial version of the Windows 2003 R2 32bit and use it
> to upgrade your 32 bit forest to R2.
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
> "TM" <TM@discussions.microsoft.com> wrote in message
> news:FE79DC66-E86A-416E-A588-2DC3F48EEB35@microsoft.com...
>> Jorge,
>> Thanks for the reply.
>> I understand the fact about 2 servers and I have that. And have done the
>> adprep from the 32 bit cd's.
>> But where you say about the second cd on the install to not use it.
>> So just so I have a clear understanding I might have a better chance at
>> getting this right if I try from scratch on the 64bit 2003 server but not
>> install the second CD. do the domain controller upgrade.
>>
>> If that works then a guy would install the second cd once things are working
>> and 2000 DC are removed.
>>
>> Let me know. I want to say thanks for your help guys.
>> I tested this all in a test lab and I got it to upgrade etc. but of course
>> once I start messing with a server that has been in production for a few
>> years it is a different story.
>>
>> "Jorge Silva" wrote:
>>
>>> You can't do a direct upgrade from 32 to 64 bit in the same machine.
>>> If you want to introduce the 64 bit Windows 2003 you'll need a separate
>>> server.
>>>
>>> To introduce Windows 2003 in your 2000 forest you first need to upgrade the
>>> forest and the Domain using adprep.
>>>
>>> Is not mandatory upgrade the schema to R2, this applies to 32bit and 64bit
>>> OS W2k3 If you install only OS and ignore/dismiss the second CD after the OS
>>> is installed then you have a Windows2003SP1/2 normal. If you run the second
>>> CD after OS installation then you'll be forced to upgrade the schema when
>>> you try to introduce that server as a DC, but isn't MANDATORY to do that
>>> unless you run the second CD after OS promotion.
>>>
>>> Now because you're running 32 bit version in other DCs, to upgrade the
>>> forest to R2 you'll need to run adprep 32bit version in the schema master.
>>>
>>> --
>>> I hope that the information above helps you.
>>> Have a Nice day.
>>>
>>> Jorge Silva
>>> MCSE, MVP Directory Services
>>> "TM" <TM@discussions.microsoft.com> wrote in message
>>> news:3A6222A9-E94B-4CB9-8C8B-6196B4E3E9EE@microsoft.com...
>>>> Thanks for the response.
>>>> I have read where to upgrade to 2003 but with a few of the programs I have
>>>> on there currently I don't want to do that option on that server cause it is
>>>> still needed for other apps.
>>>>
>>>> What do you think of building a server 2000 and making it a domain
>>>> controller. DCPromoing the current server so it isn't a Domain Controller any
>>>> more. then doing the suggested upgrade to 2003. Then moving the domain
>>>> controller role to the server that I am intending it to be on.
>>>>
>>>> So it will be a few more steps and time than I wanted to spend but does this
>>>> seem a feasible option?
>>>>
>>>> Thanks for your help.
>>>>
>>>> "Meinolf Weber" wrote:
>>>>
>>>>> Hello tm,
>>>>>
>>>>> Maybe you did not read the article completely? With a windows 2000 domain
>>>>> controller it is not possible to change it. You have to upgrade to 2003 like
>>>>> stated in the article.
>>>>>
>>>>> Best regards
>>>>>
>>>>> Meinolf Weber
>>>>> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
>>>>> no rights.
>>>>>
>>>>>> Well I have went through the article that both of you have suggested without
>>>>>> any luck. Unless I am doing something wrong.
>>>>>> Just a question does it matter if I am going to from 32bit 2000 server to a
>>>>>> 64bit 2003 server?
>>>>>> Also, I have the 2000 server at native mode the only 2000 server as
>>>>>> Domain Controller with Exchange 2000 on it.
>>>>>>
>>>>>> Is there any other suggestions to get this fixed?
>>>>>>
>>>>>> "Jorge Silva" wrote:
>>>>>>
>>>>>>> With Windows 2000 DCs you shouldn't get your DFL and FFL more than Windows
>>>>>>> 2000 Native otherwise the 2000 DCs will stop working.
>>>>>>> Please read:
>>>>>>> http://support.microsoft.com/kb/322692
>>>>>>> --
>>>>>>> I hope that the information above helps you.
>>>>>>> Have a Nice day.
>>>>>>> Jorge Silva
>>>>>>> MCSE, MVP Directory Services
>>>>>>> "TM" <TM@discussions.microsoft.com> wrote in message
>>>>>>> news:A9BB3E80-DB8B-41CC-A527-9C6B38A94229@microsoft.com...
>>>>>>>> Sorry for not getting more info
>>>>>>>> On the current Server 2000 DC it is on Service Pack 4 with all the available
>>>>>>>> updates.
>>>>>>>> On the Server 2003 std. I have all the updates installed.
>>>>>>>> It has all the roles and global catalog server.
>>>>>>>> But I am to the step of raising the domain functional level now and
>>>>>>>> I am getting the message below about not able to raise.
>>>>>>>>
>>>>>>>> If there is any other information I need to add let me know.
>>>>>>>> thanks for your response
>>>>>>>> ------------------------------------------------------------------------
>>>>>>>> To update the domain functional level, the domain controllers in the domain
>>>>>>>> must be running the appropriate version of windows.
>>>>>>>> Domain Name
>>>>>>>> norfolkiron.com
>>>>>>>> Current domain functional level
>>>>>>>> Windows 2000 native
>>>>>>>> The following domain controllers are running earlier versions of windows:
>>>>>>>> Domain Name Domain Controller Version of Windows
>>>>>>>> norfolkiron.com server1.norfolkiron.com Windows 2000 Server 5.0 (2195)
>>>>>>>> ------------------------------------------------------------------------
>>>>>>>> "Jorge Silva" wrote:
>>>>>>>>
>>>>>>>>> Hi
>>>>>>>>> Is this the error?
>>>>>>>>> Error message when you run the Active Directory Installation Wizard: "The
>>>>>>>>> version of the Active Directory schema of the source forest is not
>>>>>>>>> compatible with the version of Active Directory on this computer"
>>>>>>>>> http://support.microsoft.com/?kbid=917385
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> I hope that the information above helps you.
>>>>>>>>> Have a Nice day.
>>>>>>>>> Jorge Silva
>>>>>>>>> MCSE, MVP Directory Services
>>>>>>>>> "TM" <TM@discussions.microsoft.com> wrote in message
>>>>>>>>> news:3B68DD51-4FA6-4FE4-81D9-B205ED7C7D01@microsoft.com...
>>>>>>>>>> I am having a very hard time upgrading the Domain controller from server 2000
>>>>>>>>>> to server 2003. It keeps sending back a message saying that the server 2000
>>>>>>>>>> is at an earlier version. But I have all the updates done and
>
>> >> >>>>> everything
>
>> >> >>>>> that
>
>> >> >>>>> I have read I have tried.
>
>> >> >>>>> I am at the end of the rope need
some assistance in suggestions
>
>> >> >>>>> in
>
>> >> >>>>> getting
>
>> >> >>>>> this moved over. Would love to start
using my exchange 2007 box
>
>> >> >>>>> but
>
>> >> >>>>> with
>
>> >> >>>>> the
>
>> >> >>>>> Domain upgrade holding me back this
isn't fun any more.
>
>> >> >>>>> Thanks in advanced for any
assistance
>
>> >> >>>>>
>
>> >>
>
>> >>
>
>> >>
>
>>
>
>>
>
>>
>
Top
From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Server 2000 domain upgrade to Server 2003
Date: 09/25/2007 15:33:10

You need the 32 bit version, not the 64bit.
64bit CDs/DVDs are not compatible with 32bit version.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
"TM" <TM@discussions.microsoft.com> wrote in message
news:991CAAC9-72E1-41F0-98A0-DA27627145F5@microsoft.com...
> Well I have done that when getting everything set to upgrade to the 2003
> server 64bit r2 version of server.
> I used the supplied CD's that I had bought.
> But I still ran into the issue of the 2000 dc being an earlier version.
>
> "Jorge Silva" wrote:
>
>> You may use the 64bit R2 in the existing forest, you only need to get the
>> second CD "where the adprep is" 32 bit version. You can get the 2nd CD from
>> Microsoft site for the trial version of the Windows 2003 R2 32bit and use it
>> to upgrade your 32 bit forest to R2.
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services
>> "TM" <TM@discussions.microsoft.com> wrote in message
>> news:FE79DC66-E86A-416E-A588-2DC3F48EEB35@microsoft.com...
>>
> Jorge,
>>
> Thanks for the reply.
>>
> I understand the fact about 2 servers and I have that. And have done
>>
> the
>>
> adprep from the 32 bit cd's.
>>
> But where you say about the second cd on the install to not use it.
>>
> So just so I have a clear understanding I might have a better chance
at
>>
> getting this right if I try from scratch on the 64bit 2003 server but
>>
> not
>>
> install the second CD. do the domain controller upgrade.
>>
>
>>
> If that works then a guy would install the second cd once things are
>>
> working
>>
> and 2000 DC are removed.
>>
>
>>
> Let me know. I want to say thanks for your help guys.
>>
> I tested this all in a test lab and I got it to upgrade etc. but of
>>
> course
>>
> once I start messing with a server that has been in production for a
>>
> few
>>
> years it is a different story.
>>
>
>>
>
>>
> "Jorge Silva" wrote:
>>
>
>>
>> You can't do a direct upgrade from 32 to 64 bit in the same
machine.
>>
>> If you want to introduce the 64 bit Windows 2003 you'll need a
>>
>> separate
>>
>> server.
>>
>>
>>
>> To introduce Windows 2003 in your 2000 forest you first need to
>>
>> upgrade
>>
>> the
>>
>> forest and the Domain using adprep.
>>
>>
>>
>> Is not mandatory upgrade the schema to R2, this applies to 32bit
and
>>
>> 64bit
>>
>> OS W2k3 If you install only OS and ignore/dismiss the second CD
after
>>
>> the
>>
>> OS
>>
>> is installed then you have a Windows2003SP1/2 normal. If you run
the
>>
>> second
>>
>> CD after OS installation then you'll be forced to upgrade the
schema
>>
>> when
>>
>> you try to introduce that server as a DC, but isn't MANDATORY to
do
>>
>> that
>>
>> unless you run the second CD after OS promotion.
>>
>>
>>
>> Now because you're running 32 bit version in other DCs, to upgrade
the
>>
>> forest to R2 you'll need to run adprep 32bit version in the shema
>>
>> master.
>>
>>
>>
>> --
>>
>> I hope that the information above helps you.
>>
>> Have a Nice day.
>>
>>
>>
>> Jorge Silva
>>
>> MCSE, MVP Directory Services
>>
>> "TM" <TM@discussions.microsoft.com> wrote in
message
>>
>> news:3A6222A9-E94B-4CB9-8C8B-6196B4E3E9EE@microsoft.com...
>>
>> > Thanks for the response.
>>
>> > I have read where to upgrade to 2003 but with a few of the
programs
>>
>> > I
>>
>> > have
>>
>> > on there currently I don't want to do that option on that
server
>>
>> > cause
>>
>> > it
>>
>> > is
>>
>> > still needed for other apps.
>>
>> >
>>
>> > What do you think of building a server 2000 and making it a
domain
>>
>> > controller. DCPromoing the current server so it isn't a
Domain
>>
>> > Controller
>>
>> > any
>>
>> > more. then doing the suggested upgrade to 2003. Then moving
the
>>
>> > domain
>>
>> > controller role to the server that I am intending it to be
on.
>>
>> >
>>
>> > So it will be a few more steps and time than I wanted to
spend but
>>
>> > does
>>
>> > this
>>
>> > seem a feasible option?
>>
>> >
>>
>> > Thanks for your help.
>>
>> >
>>
>> > "Meinolf Weber" wrote:
>>
>> >
>>
>> >> Hello tm,
>>
>> >>
>>
>> >> Maybe you did not read the article completely? With a
windows 2000
>>
>> >> domain
>>
>> >> controller it is not possible to change it. You have to
upgrade to
>>
>> >> 2003
>>
>> >> like
>>
>> >> stated in the article.
>>
>> >>
>>
>> >> Best regards
>>
>> >>
>>
>> >> Meinolf Weber
>>
>> >> Disclaimer: This posting is provided "AS IS"
with no warranties,
>>
>> >> and
>>
>> >> confers
>>
>> >> no rights.
>>
>> >>
>>
>> >> > Well I have went through the article that both of
you have
>>
>> >> > suggested
>>
>> >> > without
>>
>> >> > any luck. Unless I am doing something wrong.
>>
>> >> > Just a question does it matter if I am going to from
32bit 2000
>>
>> >> > server
>>
>> >> > to a
>>
>> >> > 64bit 2003 server?
>>
>> >> > Also, I have the 2000 server at native mode the only
2000 server
>>
>> >> > as
>>
>> >> > Domain Controller with Exchange 2000 on it.
>>
>> >> >
>>
>> >> > Is there any other suggestions to get this fixed?
>>
>> >> >
>>
>> >> > "Jorge Silva" wrote:
>>
>> >> >
>>
>> >> >> With Windows 2000 DCs you shouldn't get your DFL
and FFL more
>>
>> >> >> thatn
>>
>> >> >> Windows
>>
>> >> >> 2000 Native otherwise the 2000 DCs will sop
working.
>>
>> >> >> Please read:
>>
>> >> >> http://support.microsoft.com/kb/322692
>>
>> >> >> --
>>
>> >> >> I hope that the information above helps you.
>>
>> >> >> Have a Nice day.
>>
>> >> >> Jorge Silva
>>
>> >> >> MCSE, MVP Directory Services
>>
>> >> >> "TM"
<TM@discussions.microsoft.com> wrote in message
>>
>> >> >> news:A9BB3E80-DB8B-41CC-A527-9C6B38A94229@microsoft.com...
>>
>> >> >>> Sorry for not getting more info
>>
>> >> >>> On the current Server 2000 DC it is on
Service Pack 4 with all
>>
>> >> >>> the
>>
>> >> >>> available
>>
>> >> >>> updates.
>>
>> >> >>> On the Server 2003 std. I have all the
updates installed.
>>
>> >> >>> It has all the roles and global catalog
server.
>>
>> >> >>> But I am to the step of raising the domain
functional level now
>>
>> >> >>> and
>>
>> >> >>> I am getting the message below about not
able to raise.
>>
>> >> >>>
>>
>> >> >>> If there is any other information I need to
add let me know.
>>
>> >> >>> thanks for your response
>>
>> >> >>>
--------------------------------------------------------------------
>>
>> >> >>> ----------------------------
>>
>> >> >>> To update the domain functional level, the
domain controllers
>>
>> >> >>> in
>>
>> >> >>> the
>>
>> >> >>> domain
>>
>> >> >>> must be running the appropriate version of
windows.
>>
>> >> >>> Domain Name
>>
>> >> >>> norfolkiron.com
>>
>> >> >>> Current domain functional level
>>
>> >> >>> Windows 2000 native
>>
>> >> >>> The following domain controllers are running
earlier versions
>>
>> >> >>> of
>>
>> >> >>> windows:
>>
>> >> >>> Domain Name Domain Controller Version of
Windows
>>
>> >> >>> norfolkiron.com server1.norfolkiron.com
Windows 2000 Server 5.0
>>
>> >> >>> (2195)
>>
>> >> >>>
--------------------------------------------------------------------
>>
>> >> >>> ----------------------------
>>
>> >> >>> "Jorge Silva" wrote:
>>
>> >> >>>
>>
>> >> >>>> Hi
>>
>> >> >>>> Is this the error?
>>
>> >> >>>> Error message when you run the Active
Directory Installation
>>
>> >> >>>> Wizard: "The
>>
>> >> >>>> version of the Active Directory schema
of the source forest is
>>
>> >> >>>> not
>>
>> >> >>>> compatible with the version of Active
Directory on this
>>
>> >> >>>> computer"
>>
>> >> >>>>
http://support.microsoft.com/?kbid=917385
>>
>> >> >>>>
>>
>> >> >>>> --
>>
>> >> >>>> I hope that the information above helps
you.
>>
>> >> >>>> Have a Nice day.
>>
>> >> >>>> Jorge Silva
>>
>> >> >>>> MCSE, MVP Directory Services
>>
>> >> >>>> "TM"
<TM@discussions.microsoft.com> wrote in message
>>
>> >> >>>> news:3B68DD51-4FA6-4FE4-81D9-B205ED7C7D01@microsoft.com...
>>
>> >> >>>>> I am having a very hard time
upgrading the Domain controller
>>
>> >> >>>>> from
>>
>> >> >>>>> server
>>
>> >> >>>>> 2000
>>
>> >> >>>>> to server 2003. It keeps sending
back a message saying that
>>
>> >> >>>>> the
>>
>> >> >>>>> server
>>
>> >> >>>>> 2000
>>
>> >> >>>>> is at an earlier version. But I have
all the updates done and
>>
>> >> >>>>> everything
>>
>> >> >>>>> that
>>
>> >> >>>>> I have read I have tried.
>>
>> >> >>>>> I am at the end of the rope need
some assistance in
>>
>> >> >>>>> suggestions
>>
>> >> >>>>> in
>>
>> >> >>>>> getting
>>
>> >> >>>>> this moved over. Would love to start
using my exchange 2007
>>
>> >> >>>>> box
>>
>> >> >>>>> but
>>
>> >> >>>>> with
>>
>> >> >>>>> the
>>
>> >> >>>>> Domain upgrade holding me back this
isn't fun any more.
>>
>> >> >>>>> Thanks in advanced for any
assistance
>>
>> >> >>>>>
>>
>> >>
>>
>> >>
>>
>> >>
>>
>>
>>
>>
>>
>>
>>
Top
From: TM <TM@discussions.microsoft.com>
To: none
Subject: Re: Server 2000 domain upgrade to Server 2003
Date: 09/25/2007 15:46:02

I do have the 32bit version of server 2003 r2 and also the 64bit version of 2003 r2

"Jorge Silva" wrote:
> You need the 32 bit version, not the 64bit.
> 64bit CDs/DVDs are not compatible with 32bit version.
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
> "TM" <TM@discussions.microsoft.com> wrote in message
> news:991CAAC9-72E1-41F0-98A0-DA27627145F5@microsoft.com...
>
> Well I have done that when getting everything set to upgrade to the
2003
>
> server 64bit r2 version of server.
>
> I used the supplied CD's that I had bought.
>
> But I still ran into the issue of the 2000 dc being an earlier
version.
>
>
>
> "Jorge Silva" wrote:
>
>
>
>> You may use the 64bit R2 in the existing forest, you only need to
get the
>
>> second CD "where the adprep is" 32 bit version. You can
get the 2nd CD
>
>> from
>
>> Microsoft siet for the trial version of the Windows 2003 R2 32bit
and use
>
>> it
>
>> to upgrade your 32 bit forest to R2.
>
>>
>
>> --
>
>> I hope that the information above helps you.
>
>> Have a Nice day.
>
>>
>
>> Jorge Silva
>
>> MCSE, MVP Directory Services
>
>> "TM" <TM@discussions.microsoft.com> wrote in
message
>
>> news:FE79DC66-E86A-416E-A588-2DC3F48EEB35@microsoft.com...
>
>> > Jorge,
>
>> > Thanks for the reply.
>
>> > I understand the fact about 2 servers and I have that. And
have done
>
>> > the
>
>> > adprep from the 32 bit cd's.
>
>> > But where you say about the second cd on the install to not
use it.
>
>> > So just so I have a clear understanding I might have a better
chance at
>
>> > getting this right if I try from scratch on the 64bit 2003
server but
>
>> > not
>
>> > install the second CD. do the domain controller upgrade.
>
>> >
>
>> > If that works then a guy would install the second cd once
things are
>
>> > working
>
>> > and 2000 DC are removed.
>
>> >
>
>> > Let me know. I want to say thanks for your help guys.
>
>> > I tested this all in a test lab and I got it to upgrade etc.
but of
>
>> > course
>
>> > once I start messing with a server that has been in
production for a
>
>> > few
>
>> > years it is a different story.
>
>> >
>
>> >
>
>> > "Jorge Silva" wrote:
>
>> >
>
>> >> You can't do a direct upgrade from 32 to 64 bit in the
same machine.
>
>> >> If you want to introduce the 64 bit Windows 2003 you'll
need a
>
>> >> separate
>
>> >> server.
>
>> >>
>
>> >> To introduce Windows 2003 in your 2000 forest you first
need to
>
>> >> upgrade
>
>> >> the
>
>> >> forest and the Domain using adprep.
>
>> >>
>
>> >> Is not mandatory upgrade the schema to R2, this applies
to 32bit and
>
>> >> 64bit
>
>> >> OS W2k3 If you install only OS and ignore/dismiss the
second CD after
>
>> >> the
>
>> >> OS
>
>> >> is installed then you have a Windows2003SP1/2 normal. If
you run the
>
>> >> second
>
>> >> CD after OS installation then you'll be forced to upgrade
the schema
>
>> >> when
>
>> >> you try to introduce that server as a DC, but isn't
MANDATORY to do
>
>> >> that
>
>> >> unless you run the second CD after OS promotion.
>
>> >>
>
>> >> Now because you're running 32 bit version in other DCs,
to upgrade the
>
>> >> forest to R2 you'll need to run adprep 32bit version in
the shema
>
>> >> master.
>
>> >>
>
>> >> --
>
>> >> I hope that the information above helps you.
>
>> >> Have a Nice day.
>
>> >>
>
>> >> Jorge Silva
>
>> >> MCSE, MVP Directory Services
>
>> >> "TM" <TM@discussions.microsoft.com> wrote
in message
>
>> >>
news:3A6222A9-E94B-4CB9-8C8B-6196B4E3E9EE@microsoft.com...
>
>> >> > Thanks for the response.
>
>> >> > I have read where to upgrade to 2003 but with a few
of the programs
>
>> >> > I
>
>> >> > have
>
>> >> > on there currently I don't want to do that option on
that server
>
>> >> > cause
>
>> >> > it
>
>> >> > is
>
>> >> > still needed for other apps.
>
>> >> >
>
>> >> > What do you think of building a server 2000 and
making it a domain
>
>> >> > controller. DCPromoing the current server so it
isn't a Domain
>
>> >> > Controller
>
>> >> > any
>
>> >> > more. then doing the suggested upgrade to 2003. Then
moving the
>
>> >> > domain
>
>> >> > controller role to the server that I am intending it
to be on.
>
>> >> >
>
>> >> > So it will be a few more steps and time than I
wanted to spend but
>
>> >> > does
>
>> >> > this
>
>> >> > seem a feasible option?
>
>> >> >
>
>> >> > Thanks for your help.
>
>> >> >
>
>> >> > "Meinolf Weber" wrote:
>
>> >> >
>
>> >> >> Hello tm,
>
>> >> >>
>
>> >> >> Maybe you did not read the article completely?
With a windows 2000
>
>> >> >> domain
>
>> >> >> controller it is not possible to change it. You
have to upgrade to
>
>> >> >> 2003
>
>> >> >> like
>
>> >> >> stated in the article.
>
>> >> >>
>
>> >> >> Best regards
>
>> >> >>
>
>> >> >> Meinolf Weber
>
>> >> >> Disclaimer: This posting is provided "AS
IS" with no warranties,
>
>> >> >> and
>
>> >> >> confers
>
>> >> >> no rights.
>
>> >> >>
>
>> >> >> > Well I have went through the article that
both of you have
>
>> >> >> > suggested
>
>> >> >> > without
>
>> >> >> > any luck. Unless I am doing something
wrong.
>
>> >> >> > Just a question does it matter if I am going
to from 32bit 2000
>
>> >> >> > server
>
>> >> >> > to a
>
>> >> >> > 64bit 2003 server?
>
>> >> >> > Also, I have the 2000 server at native mode
the only 2000 server
>
>> >> >> > as
>
>> >> >> > Domain Controller with Exchange 2000 on it.
>
>> >> >> >
>
>> >> >> > Is there any other suggestions to get this
fixed?
>
>> >> >> >
>
>> >> >> > "Jorge Silva" wrote:
>
>> >> >> >
>
>> >> >> >> With Windows 2000 DCs you shouldn't get
your DFL and FFL more
>
>> >> >> >> thatn
>
>> >> >> >> Windows
>
>> >> >> >> 2000 Native otherwise the 2000 DCs will
sop working.
>
>> >> >> >> Please read:
>
>> >> >> >> http://support.microsoft.com/kb/322692
>
>> >> >> >> --
>
>> >> >> >> I hope that the information above helps
you.
>
>> >> >> >> Have a Nice day.
>
>> >> >> >> Jorge Silva
>
>> >> >> >> MCSE, MVP Directory Services
>
>> >> >> >> "TM"
<TM@discussions.microsoft.com> wrote in message
>
>> >> >> >>
news:A9BB3E80-DB8B-41CC-A527-9C6B38A94229@microsoft.com...
>
>> >> >> >>> Sorry for not getting more info
>
>> >> >> >>> On the current Server 2000 DC it is
on Service Pack 4 with all
>
>> >> >> >>> the
>
>> >> >> >>> available
>
>> >> >> >>> updates.
>
>> >> >> >>> On the Server 2003 std. I have all
the updates installed.
>
>> >> >> >>> It has all the roles and global catalog
server.
>
>> >> >> >>> But I am to the step of raising the
domain functional level now
>
>> >> >> >>> and
>
>> >> >> >>> I am getting the message below
about not able to raise.
>
>> >> >> >>>
>
>> >> >> >>> If there is any other information I
need to add let me know.
>
>> >> >> >>> thanks for your response
>
>> >> >> >>>
--------------------------------------------------------------------
>
>> >> >> >>> ----------------------------
>
>> >> >> >>> To update the domain functional
level, the domain controllers
>
>> >> >> >>> in
>
>> >> >> >>> the
>
>> >> >> >>> domain
>
>> >> >> >>> must be running the appropriate
version of windows.
>
>> >> >> >>> Domain Name
>
>> >> >> >>> norfolkiron.com
>
>> >> >> >>> Current domain functional level
>
>> >> >> >>> Windows 2000 native
>
>> >> >> >>> The following domain controllers
are running earlier versions
>
>> >> >> >>> of
>
>> >> >> >>> windows:
>
>> >> >> >>> Domain Name Domain Controller
Version of Windows
>
>> >> >> >>> norfolkiron.com
server1.norfolkiron.com Windows 2000 Server 5.0
>
>> >> >> >>> (2195)
>
>> >> >> >>>
--------------------------------------------------------------------
>
>> >> >> >>> ----------------------------
>
>> >> >> >>> "Jorge Silva" wrote:
>
>> >> >> >>>
>
>> >> >> >>>> Hi
>
>> >> >> >>>> Is this the error?
>
>> >> >> >>>> Error message when you run the
Active Directory Installation
>
>> >> >> >>>> Wizard: "The
>
>> >> >> >>>> version of the Active Directory
schema of the source forest is
>
>> >> >> >>>> not
>
>> >> >> >>>> compatible with the version of
Active Directory on this
>
>> >> >> >>>> computer"
>
>> >> >> >>>>
http://support.microsoft.com/?kbid=917385
>
>> >> >> >>>>
>
>> >> >> >>>> --
>
>> >> >> >>>> I hope that the information
above helps you.
>
>> >> >> >>>> Have a Nice day.
>
>> >> >> >>>> Jorge Silva
>
>> >> >> >>>> MCSE, MVP Directory Services
>
>> >> >> >>>> "TM"
<TM@discussions.microsoft.com> wrote in message
>
>> >> >> >>>>
news:3B68DD51-4FA6-4FE4-81D9-B205ED7C7D01@microsoft.com...
>
>> >> >> >>>>> I am having a very hard
time upgrading the Domain controller
>
>> >> >> >>>>> from
>
>> >> >> >>>>> server
>
>> >> >> >>>>> 2000
>
>> >> >> >>>>> to server 2003. It keeps
sending back a message saying that
>
>> >> >> >>>>> the
>
>> >> >> >>>>> server
>
>> >> >> >>>>> 2000
>
>> >> >> >>>>> is at an earlier version.
But I have all the updates done and
>
>> >> >> >>>>> everything
>
>> >> >> >>>>> that
>
>> >> >> >>>>> I have read I have tried.
>
>> >> >> >>>>> I am at the end of the rope
need some assistance in
>
>> >> >> >>>>> suggestions
>
>> >> >> >>>>> in
>
>> >> >> >>>>> getting
>
>> >> >> >>>>> this moved over. Would love
to start using my exchange 2007
>
>> >> >> >>>>> box
>
>> >> >> >>>>> but
>
>> >> >> >>>>> with
>
>> >> >> >>>>> the
>
>> >> >> >>>>> Domain upgrade holding me
back this isn't fun any more.
>
>> >> >> >>>>> Thanks in advanced for any
assistance
>
>> >> >> >>>>>
>
>> >> >>
>
>> >> >>
>
>> >> >>
>
>> >>
>
>> >>
>
>> >>
>
>>
>
>>
>
>>
>
Top
From: TM <TM@discussions.microsoft.com>
To: none
Subject: Re: Server 2000 domain upgrade to Server 2003
Date: 09/25/2007 16:26:01

Would there be any reason that I would need to run the adprep again?
I have run it once with the 32bit disc 2 from the disks.
Assuming that it isn't liking the adprep that was run from before?

See I have followed all of Microsoft's directions to raise the domain and I did it in a test lab but now it isn't working in the production environment.

One thing I have just realized which didn't make sense to me earlier and probably why I didn't do it.
Going through the steps of
1. Upgrade the AD schema using the 32bit disc 2
2. installing active directory on the 2003 server
3. moving the roles to the new server
*4. is where it says retire the domain controllers through dcpromo
5. raising the domain level

Well I didn't do step 4 for the reason I was afraid it might lose information. But after the reading I have done today since I have the 2003 server in place and roles on it. It should matter cause the 2000 works differently than 2003.

So if I get the 2003 server with all the roles on it and it says it is DC in the active directory it should be a good domain controller (correct?). Then run the dcpromo on the current domain controller and everything will be happy (maybe).
If that makes any sense.

I think if I would have done the step 4 I wouldn't be in this predicament.
If I have nothing to worry about let me know and I will just do it and hopefully won't have to look back and say oh shoot.

Thanks for your help again.

"Jorge Silva" wrote:
> You need the 32 bit version, not the 64bit.
> 64bit CDs/DVDs are not compatible with 32bit version.
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
> "TM" <TM@discussions.microsoft.com> wrote in message
> news:991CAAC9-72E1-41F0-98A0-DA27627145F5@microsoft.com...
>
> Well I have done that when getting everything set to upgrade to the
2003
>
> server 64bit r2 version of server.
>
> I used the supplied CD's that I had bought.
>
> But I still ran into the issue of the 2000 dc being an earlier
version.
>
>
>
> "Jorge Silva" wrote:
>
>
>
>> You may use the 64bit R2 in the existing forest, you only need to
get the
>
>> second CD "where the adprep is" 32 bit version. You can
get the 2nd CD
>
>> from
>
>> Microsoft siet for the trial version of the Windows 2003 R2 32bit
and use
>
>> it
>
>> to upgrade your 32 bit forest to R2.
>
>>
>
>> --
>
>> I hope that the information above helps you.
>
>> Have a Nice day.
>
>>
>
>> Jorge Silva
>
>> MCSE, MVP Directory Services
>
>> "TM" <TM@discussions.microsoft.com> wrote in
message
>
>> news:FE79DC66-E86A-416E-A588-2DC3F48EEB35@microsoft.com...
>
>> > Jorge,
>
>> > Thanks for the reply.
>
>> > I understand the fact about 2 servers and I have that. And
have done
>
>> > the
>
>> > adprep from the 32 bit cd's.
>
>> > But where you say about the second cd on the install to not
use it.
>
>> > So just so I have a clear understanding I might have a better
chance at
>
>> > getting this right if I try from scratch on the 64bit 2003
server but
>
>> > not
>
>> > install the second CD. do the domain controller upgrade.
>
>> >
>
>> > If that works then a guy would install the second cd once
things are
>
>> > working
>
>> > and 2000 DC are removed.
>
>> >
>
>> > Let me know. I want to say thanks for your help guys.
>
>> > I tested this all in a test lab and I got it to upgrade etc.
but of
>
>> > course
>
>> > once I start messing with a server that has been in
production for a
>
>> > few
>
>> > years it is a different story.
>
>> >
>
>> >
>
>> > "Jorge Silva" wrote:
>
>> >
>
>> >> You can't do a direct upgrade from 32 to 64 bit in the
same machine.
>
>> >> If you want to introduce the 64 bit Windows 2003 you'll
need a
>
>> >> separate
>
>> >> server.
>
>> >>
>
>> >> To introduce Windows 2003 in your 2000 forest you first
need to
>
>> >> upgrade
>
>> >> the
>
>> >> forest and the Domain using adprep.
>
>> >>
>
>> >> Is not mandatory upgrade the schema to R2, this applies
to 32bit and
>
>> >> 64bit
>
>> >> OS W2k3 If you install only OS and ignore/dismiss the
second CD after
>
>> >> the
>
>> >> OS
>
>> >> is installed then you have a Windows2003SP1/2 normal. If
you run the
>
>> >> second
>
>> >> CD after OS installation then you'll be forced to upgrade
the schema
>
>> >> when
>
>> >> you try to introduce that server as a DC, but isn't
MANDATORY to do
>
>> >> that
>
>> >> unless you run the second CD after OS promotion.
>
>> >>
>
>> >> Now because you're running 32 bit version in other DCs,
to upgrade the
>
>> >> forest to R2 you'll need to run adprep 32bit version in
the shema
>
>> >> master.
>
>> >>
>
>> >> --
>
>> >> I hope that the information above helps you.
>
>> >> Have a Nice day.
>
>> >>
>
>> >> Jorge Silva
>
>> >> MCSE, MVP Directory Services
>
>> >> "TM" <TM@discussions.microsoft.com> wrote
in message
>
>> >>
news:3A6222A9-E94B-4CB9-8C8B-6196B4E3E9EE@microsoft.com...
>
>> >> > Thanks for the response.
>
>> >> > I have read where to upgrade to 2003 but with a few
of the programs
>
>> >> > I
>
>> >> > have
>
>> >> > on there currently I don't want to do that option on
that server
>
>> >> > cause
>
>> >> > it
>
>> >> > is
>
>> >> > still needed for other apps.
>
>> >> >
>
>> >> > What do you think of building a server 2000 and
making it a domain
>
>> >> > controller. DCPromoing the current server so it
isn't a Domain
>
>> >> > Controller
>
>> >> > any
>
>> >> > more. then doing the suggested upgrade to 2003. Then
moving the
>
>> >> > domain
>
>> >> > controller role to the server that I am intending it
to be on.
>
>> >> >
>
>> >> > So it will be a few more steps and time than I
wanted to spend but
>
>> >> > does
>
>> >> > this
>
>> >> > seem a feasible option?
>
>> >> >
>
>> >> > Thanks for your help.
>
>> >> >
>
>> >> > "Meinolf Weber" wrote:
>
>> >> >
>
>> >> >> Hello tm,
>
>> >> >>
>
>> >> >> Maybe you did not read the article completely?
With a windows 2000
>
>> >> >> domain
>
>> >> >> controller it is not possible to change it. You
have to upgrade to
>
>> >> >> 2003
>
>> >> >> like
>
>> >> >> stated in the article.
>
>> >> >>
>
>> >> >> Best regards
>
>> >> >>
>
>> >> >> Meinolf Weber
>
>> >> >> Disclaimer: This posting is provided "AS
IS" with no warranties,
>
>> >> >> and
>
>> >> >> confers
>
>> >> >> no rights.
>
>> >> >>
>
>> >> >> > Well I have went through the article that
both of you have
>
>> >> >> > suggested
>
>> >> >> > without
>
>> >> >> > any luck. Unless I am doing something
wrong.
>
>> >> >> > Just a question does it matter if I am
going to from 32bit 2000
>
>> >> >> > server
>
>> >> >> > to a
>
>> >> >> > 64bit 2003 server?
>
>> >> >> > Also, I have the 2000 server at native mode
the only 2000 server
>
>> >> >> > as
>
>> >> >> > Domain Controller with Exchange 2000 on it.
>
>> >> >> >
>
>> >> >> > Is there any other suggestions to get this
fixed?
>
>> >> >> >
>
>> >> >> > "Jorge Silva" wrote:
>
>> >> >> >
>
>> >> >> >> With Windows 2000 DCs you shouldn't get
your DFL and FFL more
>
>> >> >> >> thatn
>
>> >> >> >> Windows
>
>> >> >> >> 2000 Native otherwise the 2000 DCs will
sop working.
>
>> >> >> >> Please read:
>
>> >> >> >> http://support.microsoft.com/kb/322692
>
>> >> >> >> --
>
>> >> >> >> I hope that the information above helps
you.
>
>> >> >> >> Have a Nice day.
>
>> >> >> >> Jorge Silva
>
>> >> >> >> MCSE, MVP Directory Services
>
>> >> >> >> "TM"
<TM@discussions.microsoft.com> wrote in message
>
>> >> >> >>
news:A9BB3E80-DB8B-41CC-A527-9C6B38A94229@microsoft.com...
>
>> >> >> >>> Sorry for not getting more info
>
>> >> >> >>> On the current Server 2000 DC it is
on Service Pack 4 with all
>
>> >> >> >>> the
>
>> >> >> >>> available
>
>> >> >> >>> updates.
>
>> >> >> >>> On the Server 2003 std. I have all
the updates installed.
>
>> >> >> >>> It has all the roles and global
catalog server.
>
>> >> >> >>> But I am to the step of raising the
domain functional level now
>
>> >> >> >>> and
>
>> >> >> >>> I am getting the message below
about not able to raise.
>
>> >> >> >>>
>
>> >> >> >>> If there is any other information I
need to add let me know.
>
>> >> >> >>> thanks for your response
>
>> >> >> >>>
--------------------------------------------------------------------
>
>> >> >> >>> ----------------------------
>
>> >> >> >>> To update the domain functional
level, the domain controllers
>
>> >> >> >>> in
>
>> >> >> >>> the
>
>> >> >> >>> domain
>
>> >> >> >>> must be running the appropriate
version of windows.
>
>> >> >> >>> Domain Name
>
>> >> >> >>> norfolkiron.com
>
>> >> >> >>> Current domain functional level
>
>> >> >> >>> Windows 2000 native
>
>> >> >> >>> The following domain controllers
are running earlier versions
>
>> >> >> >>> of
>
>> >> >> >>> windows:
>
>> >> >> >>> Domain Name Domain Controller
Version of Windows
>
>> >> >> >>> norfolkiron.com
server1.norfolkiron.com Windows 2000 Server 5.0
>
>> >> >> >>> (2195)
>
>> >> >> >>>
--------------------------------------------------------------------
>
>> >> >> >>> ----------------------------
>
>> >> >> >>> "Jorge Silva" wrote:
>
>> >> >> >>>
>
>> >> >> >>>> Hi
>
>> >> >> >>>> Is this the error?
>
>> >> >> >>>> Error message when you run the
Active Directory Installation
>
>> >> >> >>>> Wizard: "The
>
>> >> >> >>>> version of the Active Directory
schema of the source forest is
>
>> >> >> >>>> not
>
>> >> >> >>>> compatible with the version of
Active Directory on this
>
>> >> >> >>>> computer"
>
>> >> >> >>>>
http://support.microsoft.com/?kbid=917385
>
>> >> >> >>>>
>
>> >> >> >>>> --
>
>> >> >> >>>> I hope that the information
above helps you.
>
>> >> >> >>>> Have a Nice day.
>
>> >> >> >>>> Jorge Silva
>
>> >> >> >>>> MCSE, MVP Directory Services
>
>> >> >> >>>> "TM"
<TM@discussions.microsoft.com> wrote in message
>
>> >> >> >>>>
news:3B68DD51-4FA6-4FE4-81D9-B205ED7C7D01@microsoft.com...
>
>> >> >> >>>>> I am having a very hard
time upgrading the Domain controller
>
>> >> >> >>>>> from
>
>> >> >> >>>>> server
>
>> >> >> >>>>> 2000
>
>> >> >> >>>>> to server 2003. It keeps
sending back a message saying that
>
>> >> >> >>>>> the
>
>> >> >> >>>>> server
>
>> >> >> >>>>> 2000
>
>> >> >> >>>>> is at an earlier version.
But I have all the updates done and
>
>> >> >> >>>>> everything
>
>> >> >> >>>>> that
>
>> >> >> >>>>> I have read I have tried.
>
>> >> >> >>>>> I am at the end of the rope
need some assistance in
>
>> >> >> >>>>> suggestions
>
>> >> >> >>>>> in
>
>> >> >> >>>>> getting
>
>> >> >> >>>>> this moved over. Would love
to start using my exchange 2007
>
>> >> >> >>>>> box
>
>> >> >> >>>>> but
>
>> >> >> >>>>> with
>
>> >> >> >>>>> the
>
>> >> >> >>>>> Domain upgrade holding me
back this isn't fun any more.
>
>> >> >> >>>>> Thanks in advanced for any
assistance
>
>> >> >> >>>>>
>
>> >> >>
>
>> >> >>
>
>> >> >>
>
>> >>
>
>> >>
>
>> >>
>
>>
>
>>
>
>>
>
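One way to answer, offline, the question in the message above of whether adprep needs to be run again, and to see which domain controllers produce the "running earlier versions of Windows" message quoted in this thread. This is an added example, not code from any poster: it reads an LDIF export of the directory (the format ldifde writes), and the `example.com` names, the sample records, the `objectVersion` mapping (13, 30, 31) and the use of the default `OU=Domain Controllers` container to identify DCs are assumptions.

```python
import re

# Assumption: schema objectVersion values for the releases discussed in this thread.
SCHEMA_LEVELS = {13: "Windows 2000", 30: "Windows Server 2003", 31: "Windows Server 2003 R2"}
# A Windows Server 2003 functional level needs every DC at OS version 5.2 or later.
MIN_DC_OS = (5, 2)

# Constructed sample export; the third record uses LDIF line folding on purpose.
SAMPLE_LDIF = """\
dn: CN=Schema,CN=Configuration,DC=example,DC=com
objectVersion: 31

dn: CN=SERVER1,OU=Domain Controllers,DC=example,DC=com
dNSHostName: server1.example.com
operatingSystem: Windows 2000 Server
operatingSystemVersion: 5.0 (2195)

dn: CN=SERVER2,OU=Domain Controllers,DC=example,
 DC=com
dNSHostName: server2.example.com
operatingSystem: Windows Server 2003
operatingSystemVersion: 5.2 (3790)
"""


def parse_ldif(text):
    """Return one {attribute: value} dict per record (last value wins for multi-valued attributes)."""
    # A line that starts with a single space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", text)
    records = []
    for block in re.split(r"(?:\r?\n){2,}", unfolded.strip()):
        record = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):
                continue  # "attr:: ..." is base64; not needed for this check
            record[name.strip().lower()] = value.strip()
        if record:
            records.append(record)
    return records


def schema_level(records):
    """Return (objectVersion, label) read from the schema partition head."""
    for rec in records:
        dn = rec.get("dn", "").lower()
        if dn.startswith("cn=schema,cn=configuration,") and "objectversion" in rec:
            version = int(rec["objectversion"])
            return version, SCHEMA_LEVELS.get(version, "unknown")
    return None, "not found"


def os_version(record):
    """Parse '5.0 (2195)' into (5, 0); None when the attribute is missing or malformed."""
    match = re.match(r"(\d+)\.(\d+)", record.get("operatingsystemversion", ""))
    return (int(match.group(1)), int(match.group(2))) if match else None


def blocking_dcs(records, minimum=MIN_DC_OS):
    """List the DCs that stop the functional level from being raised."""
    blockers = []
    for rec in records:
        if "ou=domain controllers," not in rec.get("dn", "").lower():
            continue
        version = os_version(rec)
        # A DC with no readable version is treated as a blocker rather than ignored.
        if version is None or version < minimum:
            blockers.append((rec.get("dnshostname", rec["dn"]),
                             rec.get("operatingsystem", "unknown"),
                             rec.get("operatingsystemversion", "unknown")))
    return blockers


def report(text):
    records = parse_ldif(text)
    version, label = schema_level(records)
    blockers = blocking_dcs(records)
    return {
        "schema_version": version,
        "schema_level": label,
        "schema_at_least_2003": version is not None and version >= 30,
        "can_raise_to_2003": not blockers,
        "blocking_dcs": blockers,
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LDIF).items():
        print(f"{key}: {value}")
```

On the constructed sample the schema is already at the R2 level, so the remaining blocker is the Windows 2000 DC, not a missing adprep run.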
Top
From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Server 2000 domain upgrade to Server 2003
Date: 09/25/2007 16:51:39

From DISC1 (32bit):
- You use adprep /forestprep (on schema master)
- You use adprep /domainprep (on IM master)
Replicate all changes among all existing DCs

From DISC2 (32bit):
- You use Drive:\CMPNENTS\R2\ADPREP\adprep.exe /forestprep (on schema master)
Replicate all changes among all existing DCs

You can also verify the operating system support level of the schema by using the Adsiedit.exe utility or the Ldp.exe utility to view the objectVersion attribute in the properties of the cn=schema,cn=configuration,dc=<domain> partition.

At this point you should be ready to introduce the W2k3 R2.

As I understand you, you already have 1 DC with W2003 in the forest, and when you try to transfer the roles you get that message?
Can you state the exact message, and how are you trying to TRANSFER the Roles (NOT Seize the roles).

Transferring the Master Roles doesn't make 2000 DCs stop working, however if you change your DFL/FFL to Windows 2003 all Windows 2000 DCs will stop working in that Forest/Domain, once that you do that there's no turning back.

--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
"TM" <TM@discussions.microsoft.com> wrote in message
news:8CF72DB7-3B3C-424F-9AC2-7AD3BF4C7B3D@microsoft.com...
> would there be any reason that I would need to run the adprep again?
> I have ran it once with the 32bit disc 2 from the disks.
> Assuming that it isn't liking the adprep that was ran from before?
>
> See I have followed all of Microsoft's directions to raise the domain and I
> did it in a test lab but now it isn't working in the production
> environment.
>
> One thing I have just realized which didn't make sense to me earlier and
> probably why I didn't do it.
> Going through the steps of
> 1. Upgrade the AD schema using the 32bit disc 2
> 2. installing active directory on the 2003 server
> 3. moving the roles to the new server
> *4. is where it says retire the domain controllers through dcpromo
> 5. raising the domain level
>
> Well I didn't do step 4 for the reason I was afraid it might lose
> information. But after the reading I have done today since I have the 2003
> server in place and roles on it. It should matter cause the 2000 works
> differently than 2003.
> So if I get the 2003 server with all the roles on it and it says it is DC in
> the active directory it should be a good domain controller (correct?).
> then run the dcpromo on the current domain controller and everything will be
> happy (maybe).
>
> If that makes any sense.
> I think if I would have done the step 4 I wouldn't be in this
> predicament.
> If I have nothing to worry about let me know and I will just do it and
> hopefully won't have to look back and say oh shoot.
>
> Thanks for your help again.
>
> "Jorge Silva" wrote:
>
>> You need the 32 bit version, not the 64bit.
>> 64bit CDs/DVDs are not compatible with 32bit version.
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services
>> "TM" <TM@discussions.microsoft.com> wrote in message
>> news:991CAAC9-72E1-41F0-98A0-DA27627145F5@microsoft.com...
>> > Well I have done that when getting everything set to upgrade to the 2003
>> > server 64bit r2 version of server.
>> > I used the supplied CD's that I had bought.
>> > But I still ran into the issue of the 2000 dc being an earlier version.
>> >
>> > "Jorge Silva" wrote:
>> >
>> >> You may use the 64bit R2 in the existing forest, you only need to get the
>> >> second CD "where the adprep is" 32 bit version. You can get the 2nd CD from
>> >> Microsoft site for the trial version of the Windows 2003 R2 32bit and use it
>> >> to upgrade your 32 bit forest to R2.
>> >>
>> >> --
>> >> I hope that the information above helps you.
>> >> Have a Nice day.
>> >>
>> >> Jorge Silva
>> >> MCSE, MVP Directory Services
>> >> "TM" <TM@discussions.microsoft.com> wrote in message
>> >> news:FE79DC66-E86A-416E-A588-2DC3F48EEB35@microsoft.com...
>> >> > Jorge,
>> >> > Thanks for the reply.
>> >> > I understand the fact about 2 servers and I have that. And have done the
>> >> > adprep from the 32 bit cd's.
>> >> > But where you say about the second cd on the install to not use it.
>> >> > So just so I have a clear understanding I might have a better chance at
>> >> > getting this right if I try from scratch on the 64bit 2003 server but not
>> >> > install the second CD. do the domain controller upgrade.
>> >> >
>> >> > If that works then a guy would install the second cd once things are working
>> >> > and 2000 DC are removed.
>> >> >
>> >> > Let me know. I want to say thanks for your help guys.
>> >> > I tested this all in a test lab and I got it to upgrade etc. but of course
>> >> > once I start messing with a server that has been in production for a few
>> >> > years it is a different story.
>> >> >
>> >> >
>> >> > "Jorge Silva" wrote:
>> >> >
>> >> >> You can't do a direct upgrade from 32 to 64 bit in the same machine.
>> >> >> If you want to introduce the 64 bit Windows 2003 you'll need a separate
>> >> >> server.
>> >> >>
>> >> >> To introduce Windows 2003 in your 2000 forest you first need to upgrade the
>> >> >> forest and the Domain using adprep.
>> >> >>
>> >> >> Is not mandatory upgrade the schema to R2, this applies to 32bit and 64bit
>> >> >> OS W2k3 If you install only OS and ignore/dismiss the second CD after the OS
>> >> >> is installed then you have a Windows2003SP1/2 normal. If you run the second
>> >> >> CD after OS installation then you'll be forced to upgrade the schema when
>> >> >> you try to introduce that server as a DC, but isn't MANDATORY to do that
>> >> >> unless you run the second CD after OS promotion.
>> >> >>
>> >> >> Now because you're running 32 bit version in other DCs, to upgrade the
>> >> >> forest to R2 you'll need to run adprep 32bit version in the schema master.
>> >> >>
>> >> >> --
>> >> >> I hope that the information above helps you.
>> >> >> Have a Nice day.
>> >> >>
>> >> >> Jorge Silva
>> >> >> MCSE, MVP Directory Services
>> >> >> "TM" <TM@discussions.microsoft.com> wrote in message
>> >> >> news:3A6222A9-E94B-4CB9-8C8B-6196B4E3E9EE@microsoft.com...
>> >> >> > Thanks for the response.
>> >> >> > I have read where to upgrade to 2003 but with a few of the programs I have
>> >> >> > on there currently I don't want to do that option on that server cause it is
>> >> >> > still needed for other apps.
>> >> >> >
>> >> >> > What do you think of building a server 2000 and making it a domain
>> >> >> > controller. DCPromoing the current server so it isn't a Domain Controller any
>> >> >> > more. then doing the suggested upgrade to 2003. Then moving the domain
>> >> >> > controller role to the server that I am intending it to be on.
>> >> >> >
>> >> >> > So it will be a few more steps and time than I wanted to spend but does this
>> >> >> > seem a feasible option?
>> >> >> >
>> >> >> > Thanks for your help.
>> >> >> >
>> >> >> > "Meinolf Weber" wrote:
>> >> >> >
>> >> >> >> Hello tm,
>> >> >> >>
>> >> >> >> Maybe you did not read the article completely? With a windows 2000 domain
>> >> >> >> controller it is not possible to change it. You have to upgrade to 2003 like
>> >> >> >> stated in the article.
>> >> >> >>
>> >> >> >> Best regards
>> >> >> >>
>> >> >> >> Meinolf Weber
>> >> >> >> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
>> >> >> >> no rights.
>> >> >> >>
>> >> >> >> > Well I have went through the article that both of you have suggested without
>> >> >> >> > any luck. Unless I am doing something wrong.
>> >> >> >> > Just a question does it matter if I am going to from 32bit 2000 server to a
>> >> >> >> > 64bit 2003 server?
>> >> >> >> > Also, I have the 2000 server at native mode the only 2000 server as
>> >> >> >> > Domain Controller with Exchange 2000 on it.
>> >> >> >> >
>> >> >> >> > Is there any other suggestions to get this fixed?
>> >> >> >> >
>> >> >> >> > "Jorge Silva" wrote:
>> >> >> >> >
>> >> >> >> >> With Windows 2000 DCs you shouldn't get your DFL and FFL more than Windows
>> >> >> >> >> 2000 Native otherwise the 2000 DCs will stop working.
>> >> >> >> >> Please read:
>> >> >> >> >> http://support.microsoft.com/kb/322692
>> >> >> >> >> --
>> >> >> >> >> I hope that the information above helps you.
>> >> >> >> >> Have a Nice day.
>> >> >> >> >> Jorge Silva
>> >> >> >> >> MCSE, MVP Directory Services
>> >> >> >> >> "TM" <TM@discussions.microsoft.com> wrote in message
>> >> >> >> >> news:A9BB3E80-DB8B-41CC-A527-9C6B38A94229@microsoft.com...
>> >> >> >> >>> Sorry for not getting more info
>> >> >> >> >>> On the current Server 2000 DC it is on Service Pack 4 with all the available
>> >> >> >> >>> updates.
>> >> >> >> >>> On the Server 2003 std. I have all the updates installed.
>> >> >> >> >>> It has all the roles and global catalog server.
>> >> >> >> >>> But I am to the step of raising the domain functional level now and
>> >> >> >> >>> I am getting the message below about not able to raise.
>> >> >> >> >>>
>> >> >> >> >>> If there is any other information I need to add let me know.
>> >> >> >> >>> thanks for your response
>> >> >> >> >>> --------------------------------------------------------------------
>> >> >> >> >>> ----------------------------
>> >> >> >> >>> To update the domain functional level, the domain controllers in the domain
>> >> >> >> >>> must be running the appropriate version of windows.
>> >> >> >> >>> Domain Name
>> >> >> >> >>> norfolkiron.com
>> >> >> >> >>> Current domain functional level
>> >> >> >> >>> Windows 2000 native
>> >> >> >> >>> The following domain controllers are running earlier versions of windows:
>> >> >> >> >>> Domain Name Domain Controller Version of Windows
>> >> >> >> >>> norfolkiron.com server1.norfolkiron.com Windows 2000 Server 5.0 (2195)
>> >> >> >> >>> --------------------------------------------------------------------
>> >> >> >> >>> ----------------------------
>> >> >> >> >>> "Jorge Silva" wrote:
>> >> >> >> >>>
>> >> >> >> >>>> Hi
>> >> >> >> >>>> Is this the error?
>> >> >> >> >>>> Error message when you run the Active Directory Installation Wizard: "The
>> >> >> >> >>>> version of the Active Directory schema of the source forest is not
>> >> >> >> >>>> compatible with the version of Active Directory on this computer"
>> >> >> >> >>>> http://support.microsoft.com/?kbid=917385
>> >> >> >> >>>>
>> >> >> >> >>>> --
>> >> >> >> >>>> I hope that the information above helps you.
>> >> >> >> >>>> Have a Nice day.
>> >> >> >> >>>> Jorge Silva
>> >> >> >> >>>> MCSE, MVP Directory Services
>> >> >> >> >>>> "TM" <TM@discussions.microsoft.com> wrote in message
>> >> >> >> >>>> news:3B68DD51-4FA6-4FE4-81D9-B205ED7C7D01@microsoft.com...
>> >> >> >> >>>>> I am having a very hard time upgrading the Domain controller from server 2000
>> >> >> >> >>>>> to server 2003. It keeps sending back a message saying that the server 2000
>> >> >> >> >>>>> is at an earlier version. But I have all the updates done and everything that
>> >> >> >> >>>>> I have read I have tried.
>> >> >> >> >>>>> I am at the end of the rope need some assistance in suggestions in getting
>> >> >> >> >>>>> this moved over. Would love to start using my exchange 2007 box but with the
>> >> >> >> >>>>> Domain upgrade holding me back this isn't fun any more.
>> >> >> >> >>>>> Thanks in advanced for any assistance
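
The two checks from the post above (the schema objectVersion, and which domain controllers still run Windows 2000) combined into a pre-flight test for raising the domain functional level. This is an added PowerShell example, not code from the thread; the function names, the second sample DC and the objectVersion mapping (13/30/31, taken from Microsoft's documentation) are assumptions that do not appear in the posts.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# objectVersion values on the schema partition as documented by Microsoft
# (the thread names the attribute but not its values).
$SchemaLevels = @{
    13 = 'Windows 2000'
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
}

function Get-SchemaLevelName {
    param([int]$ObjectVersion)
    if ($SchemaLevels.ContainsKey($ObjectVersion)) { return $SchemaLevels[$ObjectVersion] }
    return "unlisted level (objectVersion $ObjectVersion)"
}

function ConvertTo-OsVersion {
    # "5.0 (2195)" -> [version]5.0; $null when the attribute is empty or malformed.
    param([string]$OperatingSystemVersion)
    if ($OperatingSystemVersion -match '^\s*(\d+)\.(\d+)') {
        return [version]('{0}.{1}' -f $Matches[1], $Matches[2])
    }
    return $null
}

function Test-FunctionalLevelRaise {
    param(
        [int]$SchemaObjectVersion,
        [object[]]$DomainControllers,   # objects with Name and OperatingSystemVersion
        [int]$RequiredSchema = 30,      # Windows Server 2003 schema
        [version]$RequiredOs = '5.2'    # Windows Server 2003 reports 5.2 (3790)
    )
    $blockers = @()
    if ($SchemaObjectVersion -lt $RequiredSchema) {
        $blockers += "schema is at $(Get-SchemaLevelName $SchemaObjectVersion): run adprep /forestprep and /domainprep, then let it replicate"
    }
    foreach ($dc in $DomainControllers) {
        $os = ConvertTo-OsVersion $dc.OperatingSystemVersion
        if ($null -eq $os) {
            $blockers += "$($dc.Name): operatingSystemVersion is empty or unreadable, check it by hand"
        } elseif ($os -lt $RequiredOs) {
            $blockers += "$($dc.Name): runs $($dc.OperatingSystemVersion), demote it with dcpromo first"
        }
    }
    [pscustomobject]@{ Ready = ($blockers.Count -eq 0); Blockers = $blockers }
}

function Get-FirstValue {
    # First value of an attribute on a SearchResult, or '' when it is absent.
    param($Result, [string]$Attribute)
    $values = $Result.Properties[$Attribute.ToLower()]
    if ($null -ne $values -and $values.Count -gt 0) { [string]$values[0] } else { '' }
}

function Get-LiveInventory {
    # Reads the same two facts from a live domain (needs a domain-joined Windows host).
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    # userAccountControl bit 8192 (SERVER_TRUST_ACCOUNT) marks domain controller accounts.
    $searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')
    [void]$searcher.PropertiesToLoad.Add('operatingSystemVersion')
    $results = $searcher.FindAll()
    $dcs = foreach ($r in $results) {
        [pscustomobject]@{
            Name                   = Get-FirstValue $r 'dNSHostName'
            OperatingSystemVersion = Get-FirstValue $r 'operatingSystemVersion'
        }
    }
    $results.Dispose()
    [pscustomobject]@{
        SchemaObjectVersion = [int]$schema.objectVersion.Value
        DomainControllers   = @($dcs)
    }
}

# Constructed sample modelled on the error quoted in the thread: schema prepared
# (31 is assumed, since adprep from the R2 disc was run), one Windows 2000 DC left.
$sampleDcs = @(
    [pscustomobject]@{ Name = 'server1.norfolkiron.com'; OperatingSystemVersion = '5.0 (2195)' }
    [pscustomobject]@{ Name = 'server2.norfolkiron.com'; OperatingSystemVersion = '5.2 (3790)' }  # hypothetical 2003 DC
)
$check = Test-FunctionalLevelRaise -SchemaObjectVersion 31 -DomainControllers $sampleDcs
"Ready to raise: $($check.Ready)"
$check.Blockers

# Against a live domain:
# $live = Get-LiveInventory
# Test-FunctionalLevelRaise -SchemaObjectVersion $live.SchemaObjectVersion -DomainControllers $live.DomainControllers
```
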
Top
From: TM <TM@discussions.microsoft.com>
To: none
Subject: Re: Server 2000 domain upgrade to Server 2003
Date: 09/25/2007 17:04:04

Jorge,

I do not get any errors in transferring the roles. everything transfers fine
in that side.

What I think I messed up in after transferring the roles, I did not demote
the 2000 server. Cause instead of demoting the current DC I tried to raise
the domain functional level before removing the current 2000 DC.

So if I am right when I remove the 2000 DC then I can raise the domain
functional level on the 2003 server. (something I over looked before)

"Jorge Silva" wrote:
> From DISC1 (32bit):
> - You use adprep /forestprep (on schema master)
> - You use adprep /domainprep (on IM master)
> Replicate all changes among all existing DCs
>
> From DISC2 (32bit):
> - You use Drive:\CMPNENTS\R2\ADPREP\adprep.exe /forestprep (on schema
> master)
> Replicate all changes among all existing DCs
>
> You can also verify the operating system support level of the schema by
> using the Adsiedit.exe utility or the Ldp.exe utility to view the
> objectVersion attribute in the properties of the
> cn=schema,cn=configuration,dc=<domain> partition.
>
> At this point you should be ready to introduce the W2k3 R2.
>
> As I understand you, you already have 1 DC with W2003 in the forest, and
> when you try to transfer the roles you get that message?
> Can you state the exact message, and how are you trying to TRANSFER the
> Roles (NOT Seize the roles).
> Transferring the Master Roles doesn't make 2000 DCs stop working, however if
> you change your DFL/FFL to Windows 2003 all Windows 2000 DCs will stop
> working in that Forest/Domain, once that you do that there's no turning
> back.
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
> "TM" <TM@discussions.microsoft.com> wrote in message
> news:8CF72DB7-3B3C-424F-9AC2-7AD3BF4C7B3D@microsoft.com...
> > would there be any reason that I would need to run the adprep again?
> > I have ran it once with the 32bit disc 2 from the disks.
> > Assuming that it isn't liking the adprep that was ran from before?
> >
> > See I have followed all of Microsoft's directions to raise the domain and I
> > did it in a test lab but now it isn't working in the production
> > environment.
> >
> > One thing I have just realized which didn't make sense to me earlier and
> > probably why I didn't do it.
> > Going through the steps of
> > 1. Upgrade the AD schema using the 32bit disc 2
> > 2. installing active directory on the 2003 server
> > 3. moving the roles to the new server
> > *4. is where it says retire the domain controllers through dcpromo
> > 5. raising the domain level
> >
> > Well I didn't do step 4 for the reason I was afraid it might lose
> > information. But after the reading I have done today since I have the 2003
> > server in place and roles on it. It should matter cause the 2000 works
> > differently than 2003.
> > So if I get the 2003 server with all the roles on it and it says it is DC in
> > the active directory it should be a good domain controller (correct?).
> > then run the dcpromo on the current domain controller and everything will be
> > happy (maybe).
> >
> > If that makes any sense.
> > I think if I would have done the step 4 I wouldn't be in this
> > predicament.
> > If I have nothing to worry about let me know and I will just do it and
> > hopefully won't have to look back and say oh shoot.
> >
> > Thanks for your help again.
> >
Top
From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Server 2000 domain upgrade to Server 2003
Date: 09/25/2007 18:08:36

Correct, after you demoted all Existing 2000 DCs you safely raise the DFL to
2003.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"TM" <TM@discussions.microsoft.com> wrote in message
news:B3F4051A-A172-4A1F-81A9-5FA1C93C9E7D@microsoft.com...
> Jorge,
>
> I do not get any errors in transferring the roles. everything transfers fine
> in that side.
>
> What I think I messed up in after transferring the roles, I did not demote
> the 2000 server. Cause instead of demoting the current DC I tried to raise
> the domain functional level before removing the current 2000 DC.
>
> So if I am right when I remove the 2000 DC then I can raise the domain
> functional level on the 2003 server. (something I over looked before)
>
> "Jorge Silva" wrote:
>
>> From DISC1 (32bit):
>> - You use adprep /forestprep (on schema master)
>> - You use adprep /domainprep (on IM master)
>> Replicate all changes among all existing DCs
>>
>> From DISC2 (32bit):
>> - You use Drive:\CMPNENTS\R2\ADPREP\adprep.exe /forestprep (on schema
>> master)
>> Replicate all changes among all existing DCs
>>
>> You can also verify the operating system support level of the schema by
>> using the Adsiedit.exe utility or the Ldp.exe utility to view the
>> objectVersion attribute in the properties of the
>> cn=schema,cn=configuration,dc=<domain> partition.
>>
>> At this point you should be ready to introduce the W2k3 R2.
>>
>> As I understand you, you already have 1 DC with W2003 in the forest, and
>> when you try to transfer the roles you get that message?
>> Can you state the exact message, and how are you trying to TRANSFER the
>> Roles (NOT Seize the roles).
>> Transferring the Master Roles doesn't make 2000 DCs stop working, however if
>> you change your DFL/FFL to Windows 2003 all Windows 2000 DCs will stop
>> working in that Forest/Domain, once that you do that there's no turning
>> back.
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services
>> "TM" <TM@discussions.microsoft.com> wrote in message
>> news:8CF72DB7-3B3C-424F-9AC2-7AD3BF4C7B3D@microsoft.com...
>> > would there be any reason that I would need to run the adprep again?
>> > I have ran it once with the 32bit disc 2 from the disks.
>> > Assuming that it isn't liking the adprep that was ran from before?
>> >
>> > See I have followed all of Microsoft's directions to raise the domain and I
>> > did it in a test lab but now it isn't working in the production
>> > environment.
>> >
>> > One thing I have just realized which didn't make sense to me earlier and
>> > probably why I didn't do it.
>> > Going through the steps of
>> > 1. Upgrade the AD schema using the 32bit disc 2
>> > 2. installing active directory on the 2003 server
>> > 3. moving the roles to the new server
>> > *4. is where it says retire the domain controllers through dcpromo
>> > 5. raising the domain level
>> >
>> > Well I didn't do step 4 for the reason I was afraid it might lose
>> > information. But after the reading I have done today since I have the 2003
>> > server in place and roles on it. It should matter cause the 2000 works
>> > differently than 2003.
>> > So if I get the 2003 server with all the roles on it and it says it is DC in
>> > the active directory it should be a good domain controller (correct?).
>> > then run the dcpromo on the current domain controller and everything will be
>> > happy (maybe).
>> >
>> > If that makes any sense.
>> > I think if I would have done the step 4 I wouldn't be in this
>> > predicament.
>> > If I have nothing to worry about let me know and I will just do it and
>> > hopefully won't have to look back and say oh shoot.
>> >
>> > Thanks for your help again.
>> >
>>
> "Jorge Silva" wrote:
>>
>
>>
>> You need the 32 bit version, not the 64bit.
>>
>> 64bit CDs/DVDs are not compatible with 32bit version.
>>
>>
>>
>> --
>>
>> I hope that the information above helps you.
>>
>> Have a Nice day.
>>
>>
>>
>> Jorge Silva
>>
>> MCSE, MVP Directory Services
>>
>> "TM" <TM@discussions.microsoft.com> wrote in
message
>>
>> news:991CAAC9-72E1-41F0-98A0-DA27627145F5@microsoft.com...
>>
>> > Well I have done that when getting everything set to upgrade
to the
>>
>> > 2003
>>
>> > server 64bit r2 version of server.
>>
>> > I used the supplied CD's that I had bought.
>>
>> > But I still ran into the issue of the 2000 dc being an
earlier
>>
>> > version.
>>
>> >
>>
>> > "Jorge Silva" wrote:
>>
>> >
>>
>> >> You may use the 64bit R2 in the existing forest, you only
need to
>>
>> >> get
>>
>> >> the
>>
>> >> second CD "where the adprep is" 32 bit version.
You can get the 2nd
>>
>> >> CD
>>
>> >> from
>>
>> >> Microsoft siet for the trial version of the Windows 2003
R2 32bit
>>
>> >> and
>>
>> >> use
>>
>> >> it
>>
>> >> to upgrade your 32 bit forest to R2.
>>
>> >>
>>
>> >> --
>>
>> >> I hope that the information above helps you.
>>
>> >> Have a Nice day.
>>
>> >>
>>
>> >> Jorge Silva
>>
>> >> MCSE, MVP Directory Services
>>
>> >> "TM" <TM@discussions.microsoft.com> wrote
in message
>>
>> >>
news:FE79DC66-E86A-416E-A588-2DC3F48EEB35@microsoft.com...
>>
>> >> > Jorge,
>>
>> >> > Thanks for the reply.
>>
>> >> > I understand the fact about 2 servers and I have
that. And have
>>
>> >> > done
>>
>> >> > the
>>
>> >> > adprep from the 32 bit cd's.
>>
>> >> > But where you say about the second cd on the install
to not use
>>
>> >> > it.
>>
>> >> > So just so I have a clear understanding I might have
a better
>>
>> >> > chance
>>
>> >> > at
>>
>> >> > getting this right if I try from scratch on the
64bit 2003 server
>>
>> >> > but
>>
>> >> > not
>>
>> >> > install the second CD. do the domain controller
upgrade.
>>
>> >> >
>>
>> >> > If that works then a guy would install the second cd
once things
>>
>> >> > are
>>
>> >> > working
>>
>> >> > and 2000 DC are removed.
>>
>> >> >
>>
>> >> > Let me know. I want to say thanks for your help
guys.
>>
>> >> > I tested this all in a test lab and I got it to
upgrade etc. but
>>
>> >> > of
>>
>> >> > course
>>
>> >> > once I start messing with a server that has been in
production
>>
>> >> > for a
>>
>> >> > few
>>
>> >> > years it is a different story.
>>
>> >> >
>>
>> >> >
>>
>> >> > "Jorge Silva" wrote:
>>
>> >> >
>> >> >> You can't do a direct upgrade from 32 to 64 bit in the same machine.
>> >> >> If you want to introduce the 64 bit Windows 2003 you'll need a separate
>> >> >> server.
>> >> >>
>> >> >> To introduce Windows 2003 in your 2000 forest you first need to upgrade
>> >> >> the forest and the Domain using adprep.
>> >> >>
>> >> >> Is not mandatory upgrade the schema to R2, this applies to 32bit and 64bit
>> >> >> OS W2k3 If you install only OS and ignore/dismiss the second CD after the
>> >> >> OS is installed then you have a Windows2003SP1/2 normal. If you run the
>> >> >> second CD after OS installation then you'll be forced to upgrade the
>> >> >> schema when you try to introduce that server as a DC, but isn't MANDATORY
>> >> >> to do that unless you run the second CD after OS promotion.
>> >> >>
>> >> >> Now because you're running 32 bit version in other DCs, to upgrade the
>> >> >> forest to R2 you'll need to run adprep 32bit version in the schema master.
>> >> >>
>> >> >> --
>> >> >> I hope that the information above helps you.
>> >> >> Have a Nice day.
>> >> >>
>> >> >> Jorge Silva
>> >> >> MCSE, MVP Directory Services
>> >> >> "TM" <TM@discussions.microsoft.com> wrote in message
>> >> >> news:3A6222A9-E94B-4CB9-8C8B-6196B4E3E9EE@microsoft.com...
>> >> >> > Thanks for the response.
>> >> >> > I have read where to upgrade to 2003 but with a few of the programs I
>> >> >> > have on there currently I don't want to do that option on that server
>> >> >> > cause it is still needed for other apps.
>> >> >> >
>> >> >> > What do you think of building a server 2000 and making it a domain
>> >> >> > controller. DCPromoing the current server so it isn't a Domain
>> >> >> > Controller any more. then doing the suggested upgrade to 2003. Then
>> >> >> > moving the domain controller role to the server that I am intending it
>> >> >> > to be on.
>> >> >> >
>> >> >> > So it will be a few more steps and time than I wanted to spend but does
>> >> >> > this seem a feasible option?
>> >> >> >
>> >> >> > Thanks for your help.
>> >> >> >
>> >> >> > "Meinolf Weber" wrote:
>> >> >> >
>> >> >> >> Hello tm,
>> >> >> >>
>> >> >> >> Maybe you did not read the article completely? With a windows 2000
>> >> >> >> domain controller it is not possible to change it. You have to upgrade
>> >> >> >> to 2003 like stated in the article.
>> >> >> >>
>> >> >> >> Best regards
>> >> >> >>
>> >> >> >> Meinolf Weber
>> >> >> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> >> >> >> confers no rights.
>> >> >> >>
>> >> >> >> > Well I have went through the article that both of you have suggested
>> >> >> >> > without any luck. Unless I am doing something wrong.
>> >> >> >> > Just a question does it matter if I am going to from 32bit 2000
>> >> >> >> > server to a 64bit 2003 server?
>> >> >> >> > Also, I have the 2000 server at native mode the only 2000 server as
>> >> >> >> > Domain Controller with Exchange 2000 on it.
>> >> >> >> >
>> >> >> >> > Is there any other suggestions to get this fixed?
>> >> >> >> >
>> >> >> >> > "Jorge Silva" wrote:
>> >> >> >> >
>> >> >> >> >> With Windows 2000 DCs you shouldn't get your DFL and FFL more than
>> >> >> >> >> Windows 2000 Native otherwise the 2000 DCs will stop working.
>> >> >> >> >> Please read:
>> >> >> >> >> http://support.microsoft.com/kb/322692
>> >> >> >> >> --
>> >> >> >> >> I hope that the information above helps you.
>> >> >> >> >> Have a Nice day.
>> >> >> >> >> Jorge Silva
>> >> >> >> >> MCSE, MVP Directory Services
>> >> >> >> >> "TM" <TM@discussions.microsoft.com> wrote in message
>> >> >> >> >> news:A9BB3E80-DB8B-41CC-A527-9C6B38A94229@microsoft.com...
>> >> >> >> >>> Sorry for not getting more info
>> >> >> >> >>> On the current Server 2000 DC it is on Service Pack 4 with all the
>> >> >> >> >>> available updates.
>> >> >> >> >>> On the Server 2003 std. I have all the updates installed.
>> >> >> >> >>> It has all the roles and global catalog server.
>> >> >> >> >>> But I am to the step of raising the domain functional level now and
>> >> >> >> >>> I am getting the message below about not able to raise.
>> >> >> >> >>>
>> >> >> >> >>> If there is any other information I need to add let me know.
>> >> >> >> >>> thanks for your response
>> >> >> >> >>> ------------------------------------------------------------
>> >> >> >> >>> To update the domain functional level, the domain controllers in
>> >> >> >> >>> the domain must be running the appropriate version of windows.
>> >> >> >> >>> Domain Name
>> >> >> >> >>> norfolkiron.com
>> >> >> >> >>> Current domain functional level
>> >> >> >> >>> Windows 2000 native
>> >> >> >> >>> The following domain controllers are running earlier versions of
>> >> >> >> >>> windows:
>> >> >> >> >>> Domain Name      Domain Controller        Version of Windows
>> >> >> >> >>> norfolkiron.com  server1.norfolkiron.com  Windows 2000 Server 5.0 (2195)
>> >> >> >> >>> ------------------------------------------------------------
>> >> >> >> >>> "Jorge Silva" wrote:
>> >> >> >> >>>
>> >> >> >> >>>> Hi
>> >> >> >> >>>> Is this the error?
>> >> >> >> >>>> Error message when you run the Active Directory Installation
>> >> >> >> >>>> Wizard: "The

From: Florian Frommherz [MVP] <florian@PLEASELEAVETHISOUT.frickelsoft.net>
To: none
Subject: Re: Site Policies and Domain Controllers
Date: 09/26/2007 00:27:31

Howdie!

JayDee wrote:
> We would like to create a site policy that adds a domain global group
> to the local administrators group of all servers on a specific subnet,
> since we will have a local group supporting them... however, there is
> a domain controller on one of the subnets. Is there any way to set up
> our "restricted groups" policy on all servers without giving those
> admins administrator access to the entire domain??

You could try to create the Group Policy linked to the site and then
deny the specific domain controller the "Read" and "Apply Group Policy"
permission on the GP:
http://www.frickelsoft.net/blog/?p=28

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.

From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: SYSVOL share hand icon is red
Date: 09/28/2007 01:05:57

Hello,
get the real path where the share points to.
Then check up that the folder still exists.
Did you change NTFS security recently?
--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"Sofi" <Sofi@discussions.microsoft.com> wrote in message
news:CBF51BB1-A50A-4455-BE7E-C3F11C84CE6E@microsoft.com...
> Hi,
> I just saw that the icon hand for the SYSVOL share has turned RED. What
> does that mean?
> THANKS!!
> Sofia

From: Ryan Hanisco <RyanHanisco@discussions.microsoft.com>
To: none
Subject: RE: Tips for setting up a test lab
Date: 09/27/2007 17:32:01

Hi shdowflare,

You mentioned that you wanted a testbed to be able to test out schema
extensions among other things. Remember that the schema is at the
forest-level, so the only way to have an isolated location for that would be
to keep it completely segregated from your production forest.

There are three ways to do this (That I can think of, anyway):

1. Create a completely separate forest. This would isolate the environment
   but allow you to use the same LAN. The forest would be visible and you
   could use trusts to share resources, though it could be argued that this
   might reduce the validity of your tests. You would also be able to use
   ADMT and AD imports to populate the forest with similar accounts and
   PWDs -- even maintain SIDHistory (again test validity...)

2. Use ADAM to create a directory structure that you can sync with your
   production AD as a test bed. This can be a very attractive option, but you
   don't get the whole host of services that a separate forest brings and
   there is some impact to your GCs and the like. This works well for app and
   schema tests though.

3. Pretend to be an Amoeba. You can add a DC with DNS to your domain and then
   completely segregate it on a separate LAN. From there you can seize the
   FSMO roles and treat it as a separate forest that is identical to your
   production AD. Note that you can NEVER have it interact with your
   production environment so this is a good option if you want to test GPOs
   or applications in an isolated environment. This will not, however, allow
   you to test other network resources that have a connection to the "real
   world." (I know, not ideal for you.)

--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.

"shdowflare" wrote:
> Hi,
>
> We're getting ready to build out an Active Directory 2003 test lab. We need
> a place to check schema extensions, group policies, and software updates
> before putting into production. We need the test environment to be
> accessible to our corporate network, so applications can interact with the
> test directory during testing. So the LDAP lab can't be isolated. It needs
> to be on our corporate LAN. I imagine putting the test AD controller on our
> LAN means it will be found by our production DC's (and vice versa). So I was
> wondering how to structure the test domain hierarchy. Should it be a
> separate forest? Or just a separate domain under the forest root?
>
> Basically, I'm looking for ideas on the best way to accomplish the
> requirements above and address the questions I've posed. Can you guys help
> out?
>
> Looking forward to your replies.
> --
> -B

From: Ryan Hanisco <RyanHanisco@discussions.microsoft.com>
To: none
Subject: Re: Types of ICMP Used by DC?
Date: 09/25/2007 23:58:02

Will,

DCs use ICMP Ping for a number of things and will need the ICMP types that
ping requires. Of course, the most common will be echo and echo reply, but
the others will be needed for failure or redirect status.

Other than that, you'll see no other "odd" ICMP traffic.

Usually DCs are connected on LAN, WAN, or VPN circuits that are considered
part of the Internal network so so filter very little. If you are concerned
about blocking specific ICMP types, I would be afraid that you might have a
bad design on your hands -- or at least an overly complicated one.

Cheers,
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.

"Will" wrote:
> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
> news:uW3cMt2$HHA.4496@TK2MSFTNGP06.phx.gbl...
> > I only know of one icmp type traffic. What exactly are you referring to?
>
> Open Windows Firewall.
>
> Select Advanced tab.
>
> Select ICMP Settings button.
>
> Those are the options I want to know about. Which ICMP subtypes do DCs use
> between DCs?
>
> --
> Will

From: Will <westes-usc@noemail.nospam>
To: none
Subject: Re: Types of ICMP Used by DC?
Date: 09/26/2007 00:16:32

"Ryan Hanisco" <RyanHanisco@discussions.microsoft.com> wrote in message
news:67019A97-0A96-47BC-9996-35E4A211D225@microsoft.com...
> Will,
>
> DCs use ICMP Ping for a number of things and will need the ICMP types that
> ping requires. Of course, the most common will be echo and echo reply, but
> the others will be needed for failure or redirect status.
>
> Other than that, you'll see no other "odd" ICMP traffic.
>
> Usually DCs are connected on LAN, WAN, or VPN circuits that are considered
> part of the Internal network so so filter very little. If you are concerned
> about blocking specific ICMP types, I would be afraid that you might have a
> bad design on your hands -- or at least an overly complicated one.

Since we are stuck with Windows Firewall, and Windows Firewall by default
does block most types of ICMP, I'm simply asking the question which types
should I unblock.

If your answer is "unblock them all because they all might be used," then
okay.

--
Will

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>
To: none
Subject: Re: Types of ICMP Used by DC?
Date: 09/26/2007 08:08:28

Will I was unaware of the icmp options and will have to research this. I
don't have an answer for you but will attempt to get one for you.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Will" <westes-usc@noemail.nospam> wrote in message
news:Z6KdnU-O4avjwmTbnZ2dnUVZ_vamnZ2d@giganews.com...
> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
> news:uW3cMt2$HHA.4496@TK2MSFTNGP06.phx.gbl...
>> I only know of one icmp type traffic. What exactly are you referring to?
>
> Open Windows Firewall.
>
> Select Advanced tab.
>
> Select ICMP Settings button.
>
> Those are the options I want to know about. Which ICMP subtypes do DCs
> use between DCs?
>
> --
> Will

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>
To: none
Subject: Re: Types of ICMP Used by DC?
Date: 09/26/2007 13:58:02

I have been able to open a Microsoft support incident for you. I had one
that was to expire at the end of the week.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
news:%23XL2V5DAIHA.3940@TK2MSFTNGP05.phx.gbl...
> Will I was unaware of the icmp options and will have to research this. I
> don't have an answer for you but will attempt to get one for you.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCT, MCSE, MCSA, Security+, BS CSci
> 2003, 2000 (Early Achiever), NT
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "Will" <westes-usc@noemail.nospam> wrote in message
> news:Z6KdnU-O4avjwmTbnZ2dnUVZ_vamnZ2d@giganews.com...
>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
>> news:uW3cMt2$HHA.4496@TK2MSFTNGP06.phx.gbl...
>>> I only know of one icmp type traffic. What exactly are you referring
>>> to?
>>
>> Open Windows Firewall.
>>
>> Select Advanced tab.
>>
>> Select ICMP Settings button.
>>
>> Those are the options I want to know about. Which ICMP subtypes do DCs
>> use between DCs?
>>
>> --
>> Will

From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: Types of ICMP Used by DC?
Date: 09/26/2007 14:17:34

you may have sold it on ebay ;)

--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
news:ub6Sr8GAIHA.5164@TK2MSFTNGP05.phx.gbl...
> I have been able to open a Microsoft support incident for you. I had one
> that was to expire at the end of the week.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCT, MCSE, MCSA, Security+, BS CSci
> 2003, 2000 (Early Achiever), NT
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
> news:%23XL2V5DAIHA.3940@TK2MSFTNGP05.phx.gbl...
>> Will I was unaware of the icmp options and will have to research this. I
>> don't have an answer for you but will attempt to get one for you.
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCT, MCSE, MCSA, Security+, BS CSci
>> 2003, 2000 (Early Achiever), NT
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Will" <westes-usc@noemail.nospam> wrote in message
>> news:Z6KdnU-O4avjwmTbnZ2dnUVZ_vamnZ2d@giganews.com...
>>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
>>> news:uW3cMt2$HHA.4496@TK2MSFTNGP06.phx.gbl...
>>>> I only know of one icmp type traffic. What exactly are you referring
>>>> to?
>>>
>>> Open Windows Firewall.
>>>
>>> Select Advanced tab.
>>>
>>> Select ICMP Settings button.
>>>
>>> Those are the options I want to know about. Which ICMP subtypes do DCs
>>> use between DCs?
>>>
>>> --
>>> Will

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>
To: none
Subject: Re: Types of ICMP Used by DC?
Date: 09/26/2007 14:17:14

Microsoft just got back to me and stated that the only ICMP needed to be
allowed is the top option.

Allow Incoming Echo Requests

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
news:ub6Sr8GAIHA.5164@TK2MSFTNGP05.phx.gbl...
> I have been able to open a Microsoft support incident for you. I had one
> that was to expire at the end of the week.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCT, MCSE, MCSA, Security+, BS CSci
> 2003, 2000 (Early Achiever), NT
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
> news:%23XL2V5DAIHA.3940@TK2MSFTNGP05.phx.gbl...
>> Will I was unaware of the icmp options and will have to research this. I
>> don't have an answer for you but will attempt to get one for you.
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCT, MCSE, MCSA, Security+, BS CSci
>> 2003, 2000 (Early Achiever), NT
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Will" <westes-usc@noemail.nospam> wrote in message
>> news:Z6KdnU-O4avjwmTbnZ2dnUVZ_vamnZ2d@giganews.com...
>>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
>>> news:uW3cMt2$HHA.4496@TK2MSFTNGP06.phx.gbl...
>>>> I only know of one icmp type traffic. What exactly are you referring
>>>> to?
>>>
>>> Open Windows Firewall.
>>>
>>> Select Advanced tab.
>>>
>>> Select ICMP Settings button.
>>>
>>> Those are the options I want to know about. Which ICMP subtypes do DCs
>>> use between DCs?
>>>
>>> --
>>> Will
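
The answer relayed in the message above, written as commands for the legacy `netsh firewall` context that configures the same Windows Firewall ICMP settings as the dialog Will describes (XP SP2, Server 2003 SP1 and later). This is an added example, not part of the thread; "Allow incoming echo request" is ICMP type 8, and the use of the domain profile on the DCs is an assumption.

```batch
@echo off
rem Added example (not from the thread): legacy Windows Firewall, netsh firewall context.
rem Assumption: the DCs use the DOMAIN firewall profile.

rem Over-permissive form, shown for contrast only; it opens every ICMP type:
rem   netsh firewall set icmpsetting type=ALL mode=ENABLE profile=DOMAIN

rem Clear every ICMP exception on the domain profile first ...
netsh firewall set icmpsetting type=ALL mode=DISABLE profile=DOMAIN
if errorlevel 1 goto :failed

rem ... then allow only type 8, "Allow incoming echo request" in the dialog.
netsh firewall set icmpsetting type=8 mode=ENABLE profile=DOMAIN
if errorlevel 1 goto :failed

rem Print the resulting settings so the change can be reviewed.
netsh firewall show icmpsetting
exit /b 0

:failed
echo netsh reported an error; ICMP settings may be partially applied. 1>&2
exit /b 1
```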

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>
To: none
Subject: Re: Types of ICMP Used by DC?
Date: 09/26/2007 14:20:17

Forgot to include a link they provided if you care
http://msdn2.microsoft.com/en-us/library/ms912869.aspx

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
news:ub6Sr8GAIHA.5164@TK2MSFTNGP05.phx.gbl...
> I have been able to open a Microsoft support incident for you. I had one
> that was to expire at the end of the week.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCT, MCSE, MCSA, Security+, BS CSci
> 2003, 2000 (Early Achiever), NT
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
> news:%23XL2V5DAIHA.3940@TK2MSFTNGP05.phx.gbl...
>> Will I was unaware of the icmp options and will have to research this. I
>> don't have an answer for you but will attempt to get one for you.
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCT, MCSE, MCSA, Security+, BS CSci
>> 2003, 2000 (Early Achiever), NT
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Will" <westes-usc@noemail.nospam> wrote in message
>> news:Z6KdnU-O4avjwmTbnZ2dnUVZ_vamnZ2d@giganews.com...
>>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
>>> news:uW3cMt2$HHA.4496@TK2MSFTNGP06.phx.gbl...
>>>> I only know of one icmp type traffic. What exactly are you referring
>>>> to?
>>>
>>> Open Windows Firewall.
>>>
>>> Select Advanced tab.
>>>
>>> Select ICMP Settings button.
>>>
>>> Those are the options I want to know about. Which ICMP subtypes do DCs
>>> use between DCs?
>>>
>>> --
>>> Will

From: Anthony <anthony.spam@spammedout.com>
To: none
Subject: Re: Types of ICMP Used by DC?
Date: 09/26/2007 14:49:39

That's above and beyond the call of duty!

"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
news:ub6Sr8GAIHA.5164@TK2MSFTNGP05.phx.gbl...
> I have been able to open a Microsoft support incident for you. I had one
> that was to expire at the end of the week.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCT, MCSE, MCSA, Security+, BS CSci
> 2003, 2000 (Early Achiever), NT
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
> news:%23XL2V5DAIHA.3940@TK2MSFTNGP05.phx.gbl...
>> Will I was unaware of the icmp options and will have to research this. I
>> don't have an answer for you but will attempt to get one for you.
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCT, MCSE, MCSA, Security+, BS CSci
>> 2003, 2000 (Early Achiever), NT
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Will" <westes-usc@noemail.nospam> wrote in message
>> news:Z6KdnU-O4avjwmTbnZ2dnUVZ_vamnZ2d@giganews.com...
>>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
>>> news:uW3cMt2$HHA.4496@TK2MSFTNGP06.phx.gbl...
>>>> I only know of one icmp type traffic. What exactly are you referring
>>>> to?
>>>
>>> Open Windows Firewall.
>>>
>>> Select Advanced tab.
>>>
>>> Select ICMP Settings button.
>>>
>>> Those are the options I want to know about. Which ICMP subtypes do DCs
>>> use between DCs?
>>>
>>> --
>>> Will

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: User logging in as limited account
Date: 09/26/2007 12:47:02

Hi
To install software he needs Admin permissions, check if that account is
member of local Administrators Security group.

--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services

<PeterDowney01@gmail.com> wrote in message
news:1190828315.082730.276700@n39g2000hsh.googlegroups.com...
> I've got a customer running server 2003. We added an account for his
> computer to log in to the server with. Using his client computer when
> we log into the account (his system has xp installed) it logs us in as
> a limited account. We need his computer to log in as an administrator
> because we have to install software on his computer, and he wants to
> be able to enable and disable his wireless card.
>
> What am I doing wrong that it's logging in as a limited account?

From: Technical <Technical@discussions.microsoft.com>
To: none
Subject: RE: Using netdom.exe to join active directory
Date: 09/26/2007 07:30:05

Hello Sransom,

Instead of /D write /Domain:domainname

"sransom" wrote:
> Hi All,
>
> I'm trying to write a small batch file to let me join new computers to our
> domain. The line is as follows:
>
> NETDOM join %ComputerName% /D:mydomain.nsw.edu.au /UserD:Admin
> /passwordD:xxxxx UserO:Administrator /PasswordO:xxx /reboot:10
>
> When I run it all I get is a line saying "the syntax for this command is"
> and then the help commands for netdom. I have gone crosseyed trying to find
> what I'm doing wrong.
>
> Any ideas please?
>
> --
> I Run A Help Desk, Not A Resume Service

From: sransom <sransom@discussions.microsoft.com>
To: none
Subject: RE: Using netdom.exe to join active directory
Date: 09/26/2007 18:48:01

Tried that, but the problem persists..

Scott
--
I Run A Help Desk, Not A Resume Service

"Technical" wrote:
> Hello Sransom,
>
> Instead of /D write /Domain:domainname
>
> "sransom" wrote:
>
> > Hi All,
> >
> > I'm trying to write a small batch file to let me join new computers to our
> > domain. The line is as follows:
> >
> > NETDOM join %ComputerName% /D:mydomain.nsw.edu.au /UserD:Admin
> > /passwordD:xxxxx UserO:Administrator /PasswordO:xxx /reboot:10
> >
> > When I run it all I get is a line saying "the syntax for this command is"
> > and then the help commands for netdom. I have gone crosseyed trying to find
> > what I'm doing wrong.
> >
> > Any ideas please?
> >
> > --
> > I Run A Help Desk, Not A Resume Service
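
A join script using the same switches as the line quoted above, as an added example that is not part of the thread. The domain and account names are placeholders; every switch carries its leading slash (the posted line has `UserO:` without one), and both passwords are given as `*` so that netdom prompts for them instead of reading them from the batch file.

```batch
@echo off
setlocal
rem Added example (not from the thread). The three values below are
rem placeholders (assumptions); replace them for your environment.
set "DOMAIN_FQDN=example.test"
set "DOMAIN_USER=joinaccount"
set "LOCAL_USER=Administrator"

rem netdom is part of the Support Tools on XP / Server 2003.
rem cmd.exe sets errorlevel 9009 when a command cannot be found.
netdom help >nul 2>&1
if %errorlevel%==9009 (
  echo netdom.exe was not found on the PATH. 1>&2
  exit /b 2
)

rem /PasswordD:* and /PasswordO:* make netdom prompt for each password, so no
rem credential is stored in this file or visible in the process command line.
netdom join %COMPUTERNAME% /Domain:%DOMAIN_FQDN% /UserD:%DOMAIN_USER% /PasswordD:* /UserO:%LOCAL_USER% /PasswordO:* /REBoot:10
if errorlevel 1 (
  echo netdom join failed with exit code %errorlevel%. 1>&2
  exit /b 1
)

echo Join succeeded; the computer restarts in 10 seconds.
endlocal
```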

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: w2k3 logs me off right after user/password
Date: 09/25/2007 14:48:42

Hi check inline:

> - if I log on as a *normal* user, once I typed in the credential, it
> logs me off right after - the logging off window pops up followed by
> the ctrl-alt-del window. This doesn't always happen but happens 9 out
> of 10 attempts(or more frequent)

Logs are full, or maybe some virus on that machine.

> - however if I type in my credential again, I can get into the
> desktop

So you can log successfully after the second attempt?

> - admin doesn't have this problem

That's good, you can use that account to check log errors or if logs are
full, or if you have any process (like a virus) that doesn't like the normal
user account.

> - if I log on as Admin, and in the System properties window,
> profile, highlight the *normal* user account, the "copy to" and
> "remove" button is grayed out.

Can you rename the profile manually, and then try to logon with a new user
and check if the same behavior applies.

> - there was once or twice if I unplugged the power completely then
> log back in as Admin, the above "copy to" and "remove" buttons became
> available again.

Try the rename, if you can rename, you must first take ownership of the
folder and subfolders and files..

> - newly created profile didn't help

New profile for what user the domain admin or the normal account?

> - absolutely nothing noticeable in event viewer
> - if I log in as Admin, then open a RDP session to itself( mstsc /
> v:localhost), log in as the user in question, it won't ask me for
> password twice. However, I can't launch certain programs within the
> session (such as firefox, outlook). They are terminated at some point
> (for example, I can see the prompt from firefox "restore sessions/new
> session", but then nothing)

That suggests something wrong with the profile or GPO security.

> - I reset the security policy by importing the setupsec.inf but this
> didn't help either

It doesn't matter if the policy is being applied at domain or OU level, the
local GPO is the one that is overwritten by all others.

--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services

"future2Bunknown" <johnlan@gmail.com> wrote in message
news:1190748178.396470.231270@50g2000hsm.googlegroups.com...
> I have a windows 2003 in workgroup having following symptoms:
> - if I log on as a *normal* user, once I typed in the credential, it
> logs me off right after - the logging off window pops up followed by
> the ctrl-alt-del window. This doesn't always happen but happens 9 out
> of 10 attempts(or more frequent)
> - however if I type in my credential again, I can get into the
> desktop
> - admin doesn't have this problem
> - if I log on as Admin, and in the System properties window,
> profile, highlight the *normal* user account, the "copy to" and
> "remove" button is grayed out.
> - there was once or twice if I unplugged the power completely then
> log back in as Admin, the above "copy to" and "remove" buttons became
> available again.
> - newly created profile didn't help
> - absolutely nothing noticeable in event viewer
> - if I log in as Admin, then open a RDP session to itself( mstsc /
> v:localhost), log in as the user in question, it won't ask me for
> password twice. However, I can't launch certain programs within the
> session (such as firefox, outlook). They are terminated at some point
> (for example, I can see the prompt from firefox "restore sessions/new
> session", but then nothing)
> - I reset the security policy by importing the setupsec.inf but this
> didn't help either
>
> Any help appreciated.
Top
From: future2Bunknown
<johnlan@gmail.com>
To:
none
Subject:
Re: w2k3 logs me off right after user/password
Date:
09/26/2007 09:18:32
Jorge,
Thanks
for the reply. Please see my reply to your comments:
1.
This is a workgroup server therefore no upper level GP will
override
local policy
2.
Second attempt to log on always suceeds
3.
If, as I myself suspected and as you pointed out, profile and/or
security
settings are to blamed, I've replaced both to no avail
4.
logs in event has been cleared multiple times during my
troubleshooting.
And I don't believe there is any other size limit on
text-based
logs. Plus, all disks have sufficient space
5.
I didn't bother to verify if other users have same problem because
this
is the only account I need to keep and make it workable. But I
believe
the others don't have this issue. I will try later though and
post
back.
6.
while I can't say 100% sure that I am not hit by virus, I am very
confident
my compupter is clean. Having worked in security field, I am
always
cautious what's installed and my computer is well protected.
The
symptoms don't look like virus either.
7.
I do have the userenv.log if you want to see it.

On Sep 25, 3:48 pm, "Jorge Silva" <jorgesilva...@hotmail.com> wrote:
> Hi check inline:
>
> > - if I log on as a *normal* user, once I typed in the credential, it
> > logs me off right after - the logging off window pops up followed by
> > the ctrl-alt-del window. This doesn't always happen but happens 9 out
> > of 10 attempts (or more frequent)
>
> Logs are full, or maybe some virus on that machine.
>
> > - however if I type in my credential again, I can get into the
> > desktop
>
> So you can log successfully after the second attempt?
>
> > - admin doesn't have this problem
>
> That's good, you can use that account to check log errors or if logs are
> full, or if you have any process (like a virus) that doesn't like the normal
> user account.
>
> > - if I log on as Admin, and in the System properties window,
> > profile, highlight the *normal* user account, the "copy to" and
> > "remove" button is grayed out.
>
> Can you rename the profile manually, and then try to logon with a new user
> and check if the same behavior applies.
>
> > - there was once or twice if I unplugged the power completely then
> > log back in as Admin, the above "copy to" and "remove" buttons became
> > available again.
>
> Try the rename, if you can rename, you must first take ownership of the
> folder and subfolders and files.
>
> > - newly created profile didn't help
>
> New profile for what user the domain admin or the normal account?
>
> > - absolutely nothing noticeable in event viewer
> > - if I log in as Admin, then open a RDP session to itself (mstsc /v:localhost),
> > log in as the user in question, it won't ask me for
> > password twice. However, I can't launch certain programs within the
> > session (such as firefox, outlook). They are terminated at some point
> > (for example, I can see the prompt from firefox "restore sessions/new
> > session", but then nothing)
>
> That suggests something wrong with the profile or GPO security.
>
> > - I reset the security policy by importing the setupsec.inf but this
> > didn't help either
>
> It doesn't matter if the policy is being applied at domain or OU level, the
> local GPO is the one that is overwritten by all others.
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
>
> "future2Bunknown" <john...@gmail.com> wrote in message
> news:1190748178.396470.231270@50g2000hsm.googlegroups.com...
>
> >I have a windows 2003 in workgroup having following symptoms:
> > - if I log on as a *normal* user, once I typed in the credential, it
> > logs me off right after - the logging off window pops up followed by
> > the ctrl-alt-del window. This doesn't always happen but happens 9 out
> > of 10 attempts (or more frequent)
> > - however if I type in my credential again, I can get into the
> > desktop
> > - admin doesn't have this problem
> > - if I log on as Admin, and in the System properties window,
> > profile, highlight the *normal* user account, the "copy to" and
> > "remove" button is grayed out.
> > - there was once or twice if I unplugged the power completely then
> > log back in as Admin, the above "copy to" and "remove" buttons became
> > available again.
> > - newly created profile didn't help
> > - absolutely nothing noticeable in event viewer
> > - if I log in as Admin, then open a RDP session to itself (mstsc /v:localhost),
> > log in as the user in question, it won't ask me for
> > password twice. However, I can't launch certain programs within the
> > session (such as firefox, outlook). They are terminated at some point
> > (for example, I can see the prompt from firefox "restore sessions/new
> > session", but then nothing)
> > - I reset the security policy by importing the setupsec.inf but this
> > didn't help either
> >
> > Any help appreciated.
Top
From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: w2k3 logs me off right after user/password
Date: 09/26/2007 11:48:10

Inline

> 1. This is a workgroup server therefore no upper level GP will
> override local policy

Ok. But you can also check local policy.

> 2. Second attempt to log on always succeeds

Yeah this is the weird part. Never saw something similar, that's why I suggested that may be a Virus problem or GPO restriction.

> 3. If, as I myself suspected and as you pointed out, profile and/or
> security settings are to blame, I've replaced both to no avail

1 place less to search ;)

> 4. logs in event have been cleared multiple times during my
> troubleshooting. And I don't believe there is any other size limit on
> text-based logs. Plus, all disks have sufficient space

Ok.

> 5. I didn't bother to verify if other users have same problem because
> this is the only account I need to keep and make it workable. But I
> believe the others don't have this issue. I will try later though and
> post back.

Yes try to create a different account and check with that account (I never know, strange behaviors lead to strange solutions)

> 6. while I can't say 100% sure that I am not hit by virus, I am very
> confident my computer is clean. Having worked in security field, I am
> always cautious what's installed and my computer is well protected.
> The symptoms don't look like virus either.

You won't waste too much time by running the antivirus, just in case.

> 7. I do have the userenv.log if you want to see it.

Only the things that contain errors or strange things

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
Top
From: Cyberstorme <Cyberstorme@discussions.microsoft.com>
To: none
Subject: Re: w2k3 logs me off right after user/password
Date: 09/28/2007 02:50:02

I remember seeing this behaviour during the early W2K3 days. I believe the issue was corrected in SP1. Is your system at SP1?
Top
From: JayDee <dopamine@mail.com>
To: none
Subject: Re: W32Time problem
Date: 09/25/2007 20:05:38

On Sep 25, 12:43 am, "Jorge Silva" <jorgesilva...@hotmail.com> wrote:
> Hi
> If you move the role of the PDC emulator to a new domain controller you must
> also change the Windows Time service configuration on the previous PDC
> emulator. Here's how:
>
> http://technet2.microsoft.com/WindowsServer/en/library/ce8890cf-ef46-...
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services
>
> "JayDee" <dopam...@mail.com> wrote in message
> news:1190690630.848609.135610@y42g2000hsy.googlegroups.com...
>
> > this is weird. I set up a disaster recovery environment and brought up
> > a copy of one of our DC's, I then seized all the roles. Things seem to
> > work, except I get a W32Time warning whenever member servers are
> > rebooted:
> >
> > Event ID 54
> > The Windows Time Service was not able to find a Domain Controller. A
> > time and date update was not possible.
> >
> > IF I do "net time \\dcname /set /y"
> > I get:
> > Could not locate a time-server.
> >
> > However, I do get a valid time on the DC if I simply do a "net time \\dcname".
> >
> > I confirmed that all the roles (including PDCe) have been successfully
> > seized by the DC.
> >
> > Any ideas? I really wanna figure this out. The registry on the clients
> > is configured with "Nt5DS" and the clients as well as the dc are all
> > in the same Site.
> >
> > Thank you.
> >
> > - JD

That article did the trick... Thanks!
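
The Windows Time reconfiguration that Jorge's reply refers to, written out with the documented w32tm syntax as an added example (it is not part of the original posts and is not copied from the truncated link). `ntp.example.org` and `example.local` are placeholders, and `dcname` is the stand-in name used in the question; the commands are plain executables, so they run the same from cmd.exe.

```powershell
# Added example. ntp.example.org and example.local are placeholders;
# dcname is the stand-in DC name from the question above.

# --- On the DC that now holds the PDC emulator role ---
# Confirm which DC holds the role (netdom is in the Server 2003 Support Tools).
netdom query fsmo

# Sync the new PDC emulator from a manual peer and advertise it as a
# reliable time source for the domain hierarchy.
w32tm /config /manualpeerlist:"ntp.example.org" /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time

# --- On the previous PDC emulator, if it is still in service ---
# Return it to syncing from the domain hierarchy and stop it advertising
# itself as a reliable source.
w32tm /config /syncfromflags:domhier /reliable:no /update
net stop w32time
net start w32time

# --- On a member server that logged W32Time event 54 ---
# Drop the cached time source, rediscover one through the domain
# hierarchy, and resynchronise.
w32tm /resync /rediscover

# Check that a DC advertising the time service can be located.
nltest /dsgetdc:example.local /timeserv

# The command from the question; it should now set the clock instead of
# returning "Could not locate a time-server."
net time \\dcname /set /y
```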
Top
From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: W32Time problem
Date: 09/26/2007 07:08:33

Great.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
Top
From: Meinolf Weber <meiweb(nospam)@gmx.de>
To: none
Subject: Re: Windows 2003 & 2000 Servers
Date: 09/26/2007 16:52:28

Hello bblakistone@gmail.com,

Yes, you are right.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

> Hi all,
>
> I have two servers, one a 2003 running active directory in mixed 2000
> mode, the second a Win2k running in workgroup mode. They have come
> over from another company, and I want to rename the domain on the
> 2003. I see there is a rename tool, and have gone through the docs on
> that, but in order to do a rename I must switch to 2003 mode on the
> directory.
>
> My question is if I switch to 2003 forest functionality, can I bring
> the 2000 server into the directory as long as I don't use it as backup
> or primary domain controller? Also when I do, I am guessing there is
> no way to bring those workgroup based security setups into the domain,
> is that right?
>
> Thanks for any help.
>
> Best regards,
> Brian Blakistone
Top
From: bblakistone@gmail.com
To: none
Subject: Re: Windows 2003 & 2000 Servers
Date: 09/27/2007 09:24:09

Thanks Meinolf!
Top
From: Meinolf Weber <meiweb(nospam)@gmx.de>
To: none
Subject: Re: Windows 2003 NtFrs Event 13508 sysvol\domain
Date: 09/26/2007 01:10:09

Hello Thylo,

Please post an ipconfig /all from both DC/DNS server.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

> Hi,
>
> We have a Windows 2003 domain, with two domain controllers. Both
> domain controllers are running Windows 2003 SP2, fully patched. The
> same warning appears in the File Replication Service Log on both
> servers, with the server names reversed on the other server (I have
> changed the names of the servers and domain here).
>
> Event Type: Warning
> Event Source: NtFrs
> Event Category: None
> Event ID: 13508
> Date: 25/09/2007
> Time: 3:00:03 PM
> User: N/A
> Computer: DomainDC1
> Description:
> The File Replication Service is having trouble enabling replication
> from DomainDC2 to DomainDC1 for c:\windows\sysvol\domain using the DNS name
> domaindc2.domain.org.au. FRS will keep retrying.
> Following are some of the reasons you would see this warning.
> [1] FRS can not correctly resolve the DNS name
> domaindc2.domain.org.au from this computer.
> [2] FRS is not running on domaindc2.domain.org.au.
> [3] The topology information in the Active Directory for this replica
> has not yet replicated to all the Domain Controllers.
> This event log message will appear once per connection, After the
> problem is fixed you will see another event log message indicating
> that the connection has been established.
>
> ****
>
> There are no 13509 events after these. I have been searching the
> groups trying to find something that will help. Both servers are able
> to ping each other using their FQDN, the FRS service is running on
> both servers and replication appears to be working, as changes to
> Sites and Services are replicated almost immediately when they are
> made, including changing the site name and deleting and regenerating
> Active Directory Connections (which I did as a test). I have also
> tried changing both servers so that they are using the same DNS server
> (all combinations) to no avail.
>
> I ran the FRSDiag utility, from both my workstation and on the
> servers. All of them report an RPC error trying to connect to both
> servers. On the server I was logged in as the Administrator, so
> permissions shouldn't have been a problem. I have the logs from the
> FRSDiag utility if that will help anyone!
>
> When I run "ntfrsutl version" on both servers, I get:
>
> NtFrsApi Version Information
> NtFrsApi Major : 0
> NtFrsApi Minor : 0
> NtFrsApi Compiled on: Feb 16 2007 20:01:19
> ERROR - Cannot bind w/authentication to computer, (null)
> ERROR - Cannot bind w/o authentication to computer, (nul ERROR -
> Cannot RPC to computer, (null); 000006d9 (1753)
>
> ****
>
> (null) is replaced by the FQDN of both servers when I enter that
> information in the command line as well.
>
> I have followed all of the kb articles and usergroup threads that I
> can find, with no luck. Hopefully there's something that I've missed
> that someone can point me to.
>
> Other events that may help (or could confuse the matter further), is
> that when users change their passwords, the Windows 2000 ISA Server
> prompts them for their password, even when they log off (or even
> restart their computers completely) and log back on with the new
> password. Even once that is sorted out, which can involve re-creating
> their profile or resetting the password again on one of the DCs,
> failed logon attempts are regularly recorded in the security log on
> both DCs. Profiles have also become completely corrupted after a
> password change on a couple of occasions.
>
> I look forward to any suggestion. Thanks in advance.
Top
From: Thylo <Thylo@discussions.microsoft.com>
To: none
Subject: Re: Windows 2003 NtFrs Event 13508 sysvol\domain
Date: 09/26/2007 01:28:30

Hi Meinolf,

Below are the ipconfig /all results from domain controller, they are the only DNS servers on the network as well:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : domaindc1
   Primary Dns Suffix . . . . . . . : domain.org.au
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.org.au
                                       org.au

Ethernet adapter Intel Pro 1000 CT Gigabit Ethernet Adapter - Onboard:

   Connection-specific DNS Suffix . : domain.org.au
   Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network Connection
   Physical Address. . . . . . . . . : 00-C0-9F-4B-9E-5D
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 172.30.14.7
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.30.14.1
   DNS Servers . . . . . . . . . . . : 172.30.14.2
                                       172.30.14.7
   Primary WINS Server . . . . . . . : 172.30.14.7
   Secondary WINS Server . . . . . . : 172.30.14.2

Windows IP Configuration

   Host Name . . . . . . . . . . . . : domaindc2
   Primary Dns Suffix . . . . . . . : domain.org.au
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.org.au
                                       org.au

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix . : domain.org.au
   Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network Connection
   Physical Address. . . . . . . . . : 00-11-43-CE-40-E6
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 172.30.14.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.30.14.1
   DNS Servers . . . . . . . . . . . : 172.30.14.2
                                       172.30.14.7
   Primary WINS Server . . . . . . . : 172.30.14.2
   Secondary WINS Server . . . . . . : 172.30.14.7

***

Cheers,
--
Leigh
MCSE (NT4, 2000)
Top
From: Meinolf Weber
<meiweb(nospam)@gmx.de>
To:
none
Subject:
Re: Windows 2003 NtFrs Event 13508 sysvol\domain
Date:
09/26/2007 01:53:15
Hello
Thylo,
Have
a look here:
http://www.eventid.net/display.asp?eventid=13508&eventno=349&source=ntfrs&phase=1
Best
regards
Meinolf
Weber
Disclaimer:
This posting is provided "AS IS" with no warranties, and confers
no
rights.
> Hi Meinolf,
>
> Below are the ipconfig /all results from domain controller, they are
> the only DNS servers on the network as well:
>
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : domaindc1
> Primary Dns Suffix . . . . . . . : domain.org.au
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : domain.org.au
>                                     org.au
>
> Ethernet adapter Intel Pro 1000 CT Gigabit Ethernet Adapter - Onboard:
>
> Connection-specific DNS Suffix . : domain.org.au
> Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network Connection
> Physical Address. . . . . . . . . : 00-C0-9F-4B-9E-5D
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 172.30.14.7
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 172.30.14.1
> DNS Servers . . . . . . . . . . . : 172.30.14.2
>                                     172.30.14.7
> Primary WINS Server . . . . . . . : 172.30.14.7
> Secondary WINS Server . . . . . . : 172.30.14.2
>
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : domaindc2
> Primary Dns Suffix . . . . . . . : domain.org.au
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : domain.org.au
>                                     org.au
>
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . : domain.org.au
> Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network Connection
> Physical Address. . . . . . . . . : 00-11-43-CE-40-E6
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 172.30.14.2
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 172.30.14.1
> DNS Servers . . . . . . . . . . . : 172.30.14.2
>                                     172.30.14.7
> Primary WINS Server . . . . . . . : 172.30.14.2
> Secondary WINS Server . . . . . . : 172.30.14.7
> ***
>
> Cheers,
>
> "Meinolf Weber" wrote:
>
>> Hello Thylo,
>>
>> Please post an ipconfig /all from both DC/DNS server.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>>
>>> Hi,
>>>
>>> We have a Windows 2003 domain, with two domain controllers. Both
>>> domain controllers are running Windows 2003 SP2, fully patched. The
>>> same warning appears in the File Replication Service Log on both
>>> servers, with the server names reversed on the other server (I have
>>> changed the names of the servers and domain here).
>>>
>>> Event Type: Warning
>>> Event Source: NtFrs
>>> Event Category: None
>>> Event ID: 13508
>>> Date: 25/09/2007
>>> Time: 3:00:03 PM
>>> User: N/A
>>> Computer: DomainDC1
>>> Description:
>>> The File Replication Service is having trouble enabling replication from
>>> DomainDC2 to DomainDC1 for c:\windows\sysvol\domain using the DNS name
>>> domaindc2.domain.org.au. FRS will keep retrying.
>>> Following are some of the reasons you would see this warning.
>>> [1] FRS can not correctly resolve the DNS name domaindc2.domain.org.au from
>>> this computer.
>>> [2] FRS is not running on domaindc2.domain.org.au.
>>> [3] The topology information in the Active Directory for this replica has
>>> not yet replicated to all the Domain Controllers.
>>> This event log message will appear once per connection, After the
>>> problem is fixed you will see another event log message indicating
>>> that the connection has been established.
>>> ****
>>>
>>> There are no 13509 events after these. I have been searching the
>>> groups trying to find something that will help. Both servers are
>>> able to ping each other using their FQDN, the FRS service is running
>>> on both servers and replication appears to be working, as changes to
>>> Sites and Services are replicated almost immediately when they are
>>> made, including changing the site name and deleting and regenerating
>>> Active Directory Connections (which I did as a test). I have also
>>> tried changing both servers so that they are using the same DNS
>>> server (all combinations) to no avail.
>>>
>>> I ran the FRSDiag utility, from both my workstation and on the
>>> servers. All of them report an RPC error trying to connect to both
>>> servers. On the server I was logged in as the Administrator, so
>>> permissions shouldn't have been a problem. I have the logs from the
>>> FRSDiag utility if that will help anyone!
>>>
>>> When I run "ntfrsutl version" on both servers, I get:
>>>
>>> NtFrsApi Version Information
>>> NtFrsApi Major : 0
>>> NtFrsApi Minor : 0
>>> NtFrsApi Compiled on: Feb 16 2007 20:01:19
>>> ERROR - Cannot bind w/authentication to computer, (null)
>>> ERROR - Cannot bind w/o authentication to computer, (nul ERROR -
>>> Cannot RPC to computer, (null); 000006d9 (1753)
>>> ****
>>>
>>> (null) is replaced by the FQDN of both servers when I enter that
>>> information in the command line as well.
>>>
>>> I have followed all of the kb articles and usergroup threads that I
>>> can find, with no luck. Hopefully there's something that I've missed
>>> that someone can point me to.
>>>
>>> Other events that may help (or could confuse the matter further), is
>>> that when users change their passwords, the Windows 2000 ISA Server
>>> prompts them for their password, even when they log off (or even
>>> restart their computers completely) and log back on with the new
>>> password. Even once that is sorted out, which can involve
>>> re-creating their profile or resetting the password again on one of
>>> the DCs, failed logon attempts are regularly recorded in the
>>> security log on both DCs. Profiles have also become completely
>>> corrupted after a password change on a couple of occasions.
>>>
>>> I look forward to any suggestion. Thanks in advance.
>>>
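
The original post quoted above reports 13508 warnings with no 13509 after them; since SYSVOL carries Group Policy and logon scripts, a link that never recovers lets the two DCs serve different policy. This added example (not part of the thread) parses Event Viewer text in the layout pasted in the post and lists replication links whose 13508 was never followed by a 13509; the sample log is constructed, DomainDC3 is hypothetical, and the 13509 wording is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the Event Viewer text layout pasted in the thread.
# The 13508 wording follows the post; the 13509 wording is an assumption and
# DomainDC3 is a hypothetical third controller added to show a recovered link.
SAMPLE_EXPORT = r"""
Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13508
Date: 25/09/2007
Time: 3:00:03 PM
User: N/A
Computer: DomainDC1
Description:
The File Replication Service is having trouble enabling replication from
DomainDC2 to DomainDC1 for c:\windows\sysvol\domain using the DNS name
domaindc2.domain.org.au. FRS will keep retrying.

Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13508
Date: 25/09/2007
Time: 3:00:10 PM
User: N/A
Computer: DomainDC3
Description:
The File Replication Service is having trouble enabling replication from
DomainDC1 to DomainDC3 for c:\windows\sysvol\domain using the DNS name
domaindc1.domain.org.au. FRS will keep retrying.

Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13509
Date: 25/09/2007
Time: 3:07:41 PM
User: N/A
Computer: DomainDC3
Description:
The File Replication Service has enabled replication from DomainDC1 to
DomainDC3 for c:\windows\sysvol\domain after repeated retries.
"""

FIELD_RE = re.compile(r"^(Event Source|Event ID|Date|Time|Computer):[ \t]*(.+)$", re.M)
# "... replication from <partner> to <this DC> for <replica root> ..."
# Replica roots that contain spaces are not handled here.
LINK_RE = re.compile(r"replication\s+from\s+(\S+)\s+to\s+(\S+)\s+for\s+(\S+)", re.I)
STAMP = "%d/%m/%Y %I:%M:%S %p"  # day-first date and 12-hour time, as in the post


def parse_export(text):
    """Return NtFrs 13508/13509 records as dicts with id, when, computer, link."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {key: value.strip() for key, value in FIELD_RE.findall(chunk)}
        if fields.get("Event Source") != "NtFrs":
            continue
        if fields.get("Event ID") not in ("13508", "13509"):
            continue
        if not all(name in fields for name in ("Date", "Time", "Computer")):
            continue
        # Mail clients wrap the description, so collapse it to one line first.
        desc = " ".join(chunk.partition("Description:")[2].split())
        match = LINK_RE.search(desc)
        if not match:
            continue
        events.append({
            "id": int(fields["Event ID"]),
            "when": datetime.strptime(fields["Date"] + " " + fields["Time"], STAMP),
            "computer": fields["Computer"],
            "link": tuple(part.lower() for part in match.groups()),
        })
    return events


def unresolved_links(events):
    """Map each link to the time of its oldest 13508 not yet followed by a 13509."""
    pending = {}
    for event in sorted(events, key=lambda e: e["when"]):
        if event["id"] == 13508:
            pending.setdefault(event["link"], event["when"])
        else:  # 13509: FRS reports the connection as established
            pending.pop(event["link"], None)
    return pending


def report(text):
    """One line per replication link that is still waiting for its 13509."""
    lines = []
    for (src, dst, root), since in unresolved_links(parse_export(text)).items():
        lines.append(f"{src} -> {dst} [{root}] stalled since {since:%Y-%m-%d %H:%M:%S}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)) or "every 13508 was followed by a 13509")
```
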
Top
From: Technical <Technical@discussions.microsoft.com>
To: none
Subject: Re: Windows 2003 NtFrs Event 13508 sysvol\domain
Date: 09/26/2007 04:44:02

check this article
http://technet.microsoft.com/en-us/library/Bb727056.aspx#EMAA

"Meinolf Weber" wrote:

> Hello Thylo,
>
> Have a look here:
> http://www.eventid.net/display.asp?eventid=13508&eventno=349&source=ntfrs&phase=1
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.

Top
From: Thylo <Thylo@discussions.microsoft.com>
To: none
Subject: Re: Windows 2003 NtFrs Event 13508 sysvol\domain
Date: 09/26/2007 20:10:02

Hey Meinolf,

I'm sure I had gone through that page before, but I double checked all of
them anyway to make sure. The times are synchronised between all servers on
the network, there aren't any firewalls (apart from Windows 2003's own which is
configured as required) between the servers, there is plenty of disk space
(20GB+), none of the other errors come up that "should" for the other
solutions, it is a native Windows 2003 domain with only Windows 2003 server
and it was upgraded from a Windows 2000 domain before I started here.

It is a very frustrating issue!!

Cheers,
--
Leigh
MCSE (NT4, 2000)

"Meinolf Weber" wrote:

> Hello Thylo,
>
> Have a look here:
> http://www.eventid.net/display.asp?eventid=13508&eventno=349&source=ntfrs&phase=1
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.

Top
From: Thylo <Thylo@discussions.microsoft.com>
To: none
Subject: Re: Windows 2003 NtFrs Event 13508 sysvol\domain
Date: 09/26/2007 20:18:00

Hi Technical,

I have seen and been through that article numerous times, however none of the
solutions or hints there make any difference. Active Directory replication
appears to be working fine, as when a new person is added or OU, it is
replicated to the other server. New user additions are often done on the
Exchange 2003 member server, but still replication appears to work just fine
wherever additions or alterations are made.

Each server can ping the other using their FQDN and there aren't any
hardware firewalls between the servers, only the Windows 2003 firewall, which
I have triple and quadruple checked is done correctly.

Cheers,
--
Leigh
MCSE (NT4, 2000)

"Technical" wrote:

> check this article
> http://technet.microsoft.com/en-us/library/Bb727056.aspx#EMAA

Top
From: Meinolf Weber <meiweb(nospam)@gmx.de>
To: none
Subject: Re: Windows 2003 NtFrs Event 13508 sysvol\domain
Date: 09/27/2007 02:30:11

Hello Thylo,

Did you also check for errors with dcdiag and netdiag?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

> Hey Meinolf,
>
> I'm sure I had gone through that page before, but I double checked all
> of them anyway to make sure. The times are synchronised between all
> servers on the network, there aren't any firewalls (apart from Windows
> 2003's own which is configured as required) between the servers, there
> is plenty of disk space (20GB+), none of the other errors come up that
> "should" for the other solutions, it is a native Windows 2003 domain
> with only Windows 2003 server and it was upgraded from a Windows 2000
> domain before I started here.
>
> It is a very frustrating issue!!
>
> Cheers,

From: Thylo <Thylo@discussions.microsoft.com>
To: none
Subject: Re: Windows 2003 NtFrs Event 13508 sysvol\domain
Date: 09/27/2007 19:16:00
Hi Meinolf,

Both the dcdiag and netdiag results are clean, I have pasted them below just in case I have gone too cross-eyed looking at everything to not notice something obvious, a fresh set of eyes can do wonders!! The only "failures" that I can see are the frsevent, which is what I'm trying to solve, and the modem diagnostics, understandable as there is no modem. ICMP is disabled on our gateway, the servers are on the same segment/subnet anyway.

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests
Testing server: Flemington\domainDC1
Starting test: Connectivity
......................... domainDC1 passed test Connectivity
Doing primary tests
Testing server: Flemington\domainDC1
Starting test: Replications
......................... domainDC1 passed test Replications
Starting test: NCSecDesc
......................... domainDC1 passed test NCSecDesc
Starting test: NetLogons
......................... domainDC1 passed test NetLogons
Starting test: Advertising
......................... domainDC1 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... domainDC1 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... domainDC1 passed test RidManager
Starting test: MachineAccount
......................... domainDC1 passed test MachineAccount
Starting test: Services
......................... domainDC1 passed test Services
Starting test: ObjectsReplicated
......................... domainDC1 passed test ObjectsReplicated
Starting test: frssysvol
......................... domainDC1 passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... domainDC1 failed test frsevent
Starting test: kccevent
......................... domainDC1 passed test kccevent
Starting test: systemlog
......................... domainDC1 passed test systemlog
Starting test: VerifyReferences
......................... domainDC1 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : domain
Starting test: CrossRefValidation
......................... domain passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... domain passed test CheckSDRefDom
Running enterprise tests on : domain.org.au
Starting test: Intersite
......................... domain.org.au passed test Intersite
Starting test: FsmoCheck
......................... domain.org.au passed test FsmoCheck
****
Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests
Testing server: Flemington\domainDC2
Starting test: Connectivity
......................... domainDC2 passed test Connectivity
Doing primary tests
Testing server: Flemington\domainDC2
Starting test: Replications
......................... domainDC2 passed test Replications
Starting test: NCSecDesc
......................... domainDC2 passed test NCSecDesc
Starting test: NetLogons
......................... domainDC2 passed test NetLogons
Starting test: Advertising
......................... domainDC2 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... domainDC2 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... domainDC2 passed test RidManager
Starting test: MachineAccount
......................... domainDC2 passed test MachineAccount
Starting test: Services
......................... domainDC2 passed test Services
Starting test: ObjectsReplicated
......................... domainDC2 passed test ObjectsReplicated
Starting test: frssysvol
......................... domainDC2 passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... domainDC2 failed test frsevent
Starting test: kccevent
......................... domainDC2 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0xC0002716
Time Generated: 09/28/2007 09:05:21
(Event String could not be retrieved)
......................... domainDC2 failed test systemlog
Starting test: VerifyReferences
......................... domainDC2 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : domain
Starting test: CrossRefValidation
......................... domain passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... domain passed test CheckSDRefDom
Running enterprise tests on : domain.org.au
Starting test: Intersite
......................... domain.org.au passed test Intersite
Starting test: FsmoCheck
......................... domain.org.au passed test FsmoCheck
****
Computer Name: domainDC1
DNS Host Name: domaindc1.domain.org.au
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 3 Stepping 4, GenuineIntel
List of installed hotfixes :
KB909520
KB911564
KB921503
KB925398_WMP64
KB925876
KB925902
KB926122
KB927891
KB929123
KB930178
KB931768
KB931784
KB931836
KB932168
KB933360
KB933566
KB933854
KB935839
KB935840
KB935966
KB936021
KB936357
KB936782
KB937143
KB937143-IE7
KB938127
KB938127-IE7
Q147222
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Intel Pro 1000 CT Gigabit Ethernet Adapter - Onboard
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : domaindc1.domain.org.au
IP Address . . . . . . . . : 172.30.14.7
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 172.30.14.1
Primary WINS Server. . . . : 172.30.14.7
Secondary WINS Server. . . : 172.30.14.2
Dns Servers. . . . . . . . : 172.30.14.2
172.30.14.7
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Failed
No gateway reachable for this adapter.
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
No remote names have been found.
WINS service test. . . . . : Passed
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{4F560CD5-3A18-429E-946D-0BF9FF8297DD}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Failed
[FATAL] NO GATEWAYS ARE REACHABLE.
You have no connectivity to other network segments.
If you configured the IP protocol manually then
you need to add at least one valid gateway.
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '172.30.14.2' and other DCs also have some of the names registered.
PASS - All the DNS entries for DC are registered on DNS server '172.30.14.7' and other DCs also have some of the names registered.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{4F560CD5-3A18-429E-946D-0BF9FF8297DD}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{4F560CD5-3A18-429E-946D-0BF9FF8297DD}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Failed
[FATAL] Cannot initialize TAPI. Failed with error(0x80000048).
IP Security test . . . . . . . . . : Skipped
Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully
******
Computer Name: domainDC2
DNS Host Name: domaindc2.domain.org.au
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
List of installed hotfixes :
KB911564
KB921503
KB925398_WMP64
KB925876
KB925902
KB926122
KB927891
KB929123
KB930178
KB931768
KB931784
KB931836
KB932168
KB933360
KB933566
KB933854
KB935839
KB935840
KB935966
KB936021
KB936357
KB936782
KB937143
KB937143-IE7
KB938127
KB938127-IE7
Q147222
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : domaindc2.domain.org.au
IP Address . . . . . . . . : 172.30.14.2
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 172.30.14.1
Primary WINS Server. . . . : 172.30.14.2
Secondary WINS Server. . . : 172.30.14.7
Dns Servers. . . . . . . . : 172.30.14.2
172.30.14.7
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Failed
No gateway reachable for this adapter.
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
WINS service test. . . . . : Passed
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{D8CF205A-978A-4B53-83B4-E5C818075579}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Failed
[FATAL] NO GATEWAYS ARE REACHABLE.
You have no connectivity to other network segments.
If you configured the IP protocol manually then
you need to add at least one valid gateway.
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '172.30.14.2' and other DCs also have some of the names registered.
PASS - All the DNS entries for DC are registered on DNS server '172.30.14.7' and other DCs also have some of the names registered.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{D8CF205A-978A-4B53-83B4-E5C818075579}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{D8CF205A-978A-4B53-83B4-E5C818075579}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Passed
Secure channel for domain 'domain' is to '\\domaindc1.domain.org.au'.
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Failed
[FATAL] Cannot initialize TAPI. Failed with error(0x80000048).
IP Security test . . . . . . . . . : Skipped
Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully
*********
Cheers,
--
Leigh
MCSE (NT4, 2000)

"Meinolf Weber" wrote:
> Hello Thylo,
>
> Did you also check for errors with dcdiag and netdiag?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
>
>> Hey Meinolf,
>>
>> I'm sure I had gone through that page before, but I double checked all
>> of them anyway to make sure. The times are synchronised between all
>> servers on the network, there aren't any firewalls (apart from Windows
>> 2003's own which is configured as required) between the servers, there
>> is plenty of disk space (20GB+), none of the other errors come up that
>> "should" for the other solutions, it is a native Windows 2003 domain
>> with only Windows 2003 server and it was upgraded from a Windows 2000
>> domain before I started here.
>>
>> It is a very frustrating issue!!
>>
>> Cheers,
>>
>> "Meinolf Weber" wrote:
>>
>>> Hello Thylo,
>>>
>>> Have a look here:
>>> http://www.eventid.net/display.asp?eventid=13508&eventno=349&source=ntfrs&phase=1
>>>
>>> Best regards
>>>
>>> Meinolf Weber
>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>> confers no rights.
>>>
>>>> Hi Meinolf,
>>>>
>>>> Below are the ipconfig /all results from domain controller, they are
>>>> the only DNS servers on the network as well:
>>>>
>>>> Windows IP Configuration
>>>>
>>>> Host Name . . . . . . . . . . . . : domaindc1
>>>> Primary Dns Suffix . . . . . . . : domain.org.au
>>>> Node Type . . . . . . . . . . . . : Hybrid
>>>> IP Routing Enabled. . . . . . . . : No
>>>> WINS Proxy Enabled. . . . . . . . : No
>>>> DNS Suffix Search List. . . . . . : domain.org.au
>>>> org.au
>>>> Ethernet adapter Intel Pro 1000 CT Gigabit Ethernet Adapter - Onboard:
>>>> Connection-specific DNS Suffix . : domain.org.au
>>>> Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network Connection
>>>> Physical Address. . . . . . . . . : 00-C0-9F-4B-9E-5D
>>>> DHCP Enabled. . . . . . . . . . . : No
>>>> IP Address. . . . . . . . . . . . : 172.30.14.7
>>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>>> Default Gateway . . . . . . . . . : 172.30.14.1
>>>> DNS Servers . . . . . . . . . . . : 172.30.14.2
>>>> 172.30.14.7
>>>> Primary WINS Server . . . . . . . : 172.30.14.7
>>>> Secondary WINS Server . . . . . . : 172.30.14.2
>>>>
>>>> Windows IP Configuration
>>>>
>>>> Host Name . . . . . . . . . . . . : domaindc2
>>>> Primary Dns Suffix . . . . . . . : domain.org.au
>>>> Node Type . . . . . . . . . . . . : Hybrid
>>>> IP Routing Enabled. . . . . . . . : No
>>>> WINS Proxy Enabled. . . . . . . . : No
>>>> DNS Suffix Search List. . . . . . : domain.org.au
>>>> org.au
>>>> Ethernet adapter Local Area Connection:
>>>> Connection-specific DNS Suffix . : domain.org.au
>>>> Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network Connection
>>>> Physical Address. . . . . . . . . : 00-11-43-CE-40-E6
>>>> DHCP Enabled. . . . . . . . . . . : No
>>>> IP Address. . . . . . . . . . . . : 172.30.14.2
>>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>>> Default Gateway . . . . . . . . . : 172.30.14.1
>>>> DNS Servers . . . . . . . . . . . : 172.30.14.2
>>>> 172.30.14.7
>>>> Primary WINS Server . . . . . . . : 172.30.14.2
>>>> Secondary WINS Server . . . . . . : 172.30.14.7
>>>> ***
>>>> Cheers,
>>>>
>>>> "Meinolf Weber" wrote:
>>>>
>>>>> Hello Thylo,
>>>>>
>>>>> Please post an ipconfig /all from both DC/DNS server.
>>>>>
>>>>> Best regards
>>>>>
>>>>> Meinolf Weber
>>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>>> and confers no rights.
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> We have a Windows 2003 domain, with two domain controllers. Both
>>>>>> domain controllers are running Windows 2003 SP2, fully patched.
>>>>>> The same warning appears in the File Replication Service Log on
>>>>>> both servers, with the server names reversed on the other server
>>>>>> (I have changed the names of the servers and domain here).
>>>>>>
>>>>>> Event Type: Warning
>>>>>> Event Source: NtFrs
>>>>>> Event Category: None
>>>>>> Event ID: 13508
>>>>>> Date: 25/09/2007
>>>>>> Time: 3:00:03 PM
>>>>>> User: N/A
>>>>>> Computer: DomainDC1
>>>>>> Description:
>>>>>> The File Replication Service is having trouble enabling replication
>>>>>> from DomainDC2 to DomainDC1 for c:\windows\sysvol\domain using the DNS
>>>>>> name domaindc2.domain.org.au. FRS will keep retrying.
>>>>>> Following are some of the reasons you would see this warning.
>>>>>> [1] FRS can not correctly resolve the DNS name domaindc2.domain.org.au
>>>>>> from this computer.
>>>>>> [2] FRS is not running on domaindc2.domain.org.au.
>>>>>> [3] The topology information in the Active Directory for this replica
>>>>>> has not yet replicated to all the Domain Controllers.
>>>>>> This event log message will appear once per connection, After the
>>>>>> problem is fixed you will see another event log message indicating
>>>>>> that the connection has been established.
>>>>>> ****
>>>>>> There are no 13509 events after these. I have been searching the
>>>>>> groups trying to find something that will help. Both servers are
>>>>>> able to ping each other using their FQDN, the FRS service is
>>>>>> running on both servers and replication appears to be working, as
>>>>>> changes to Sites and Services are replicated almost immediately
>>>>>> when they are made, including changing the site name and deleting
>>>>>> and regenerating Active Directory Connections (which I did as a
>>>>>> test). I have also tried changing both servers so that they are
>>>>>> using the same DNS server (all combinations) to no avail.
>>>>>>
>>>>>> I ran the FRSDiag utility, from both my workstation and on the
>>>>>> servers. All of them report an RPC error trying to connect to both
>>>>>> servers. On the server I was logged in as the Administrator, so
>>>>>> permissions shouldn't have been a problem. I have the logs from
>>>>>> the FRSDiag utility if that will help anyone!
>>>>>>
>>>>>> When I run "ntfrsutl version" on both servers, I get:
>>>>>>
>>>>>> NtFrsApi Version Information
>>>>>> NtFrsApi Major : 0
>>>>>> NtFrsApi Minor : 0
>>>>>> NtFrsApi Compiled on: Feb 16 2007 20:01:19
>>>>>> ERROR - Cannot bind w/authentication to computer, (null)
>>>>>> ERROR - Cannot bind w/o authentication to computer, (nul ERROR -
>>>>>> Cannot RPC to computer, (null); 000006d9 (1753)
>>>>>> ****
>>>>>> (null) is replaced by the FQDN of both servers when I enter that
>>>>>> information in the command line as well.
>>>>>>
>>>>>> I have followed all of the kb articles and usergroup threads that
>>>>>> I can find, with no luck. Hopefully there's something that I've
>>>>>> missed that someone can point me to.
>>>>>>
>>>>>> Other events that may help (or could confuse the matter further),
>>>>>> is that when users change their passwords, the Windows 2000 ISA
>>>>>> Server prompts them for their password, even when they log off (or
>>>>>> even restart their computers completely) and log back on with the
>>>>>> new password. Even once that is sorted out, which can involve
>>>>>> re-creating their profile or resetting the password again on one
>>>>>> of the DCs, failed logon attempts are regularly recorded in the
>>>>>> security log on both DCs. Profiles have also become completely
>>>>>> corrupted after a password change on a couple of occasions.
>>>>>>
>>>>>> I look forward to any suggestion. Thanks in advance.
From: Thylo <Thylo@discussions.microsoft.com>
To: none
Subject: Re: Windows 2003 NtFrs Event 13508 sysvol\domain
Date: 09/27/2007 20:31:01
Hi Meinolf,

I have found something that may shed some light on the situation, although I'm not sure how to proceed given that most things seem ok. I re-ran dcdiag with some extra options and the following differences showed up:

when run on domaindc2:

DC: domaindc2.domain.org.au
Domain: domain.org.au
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
Microsoft(R) Windows(R) Server 2003, Standard Edition (Service Pack level: 2.0) is supported
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000001] Intel(R) PRO/1000 CT Network Connection:
MAC address is 00:11:43:CE:40:E6
IP address is static
IP address: 172.30.14.2
DNS servers:
172.30.14.2 (<name unavailable>) [Valid]
172.30.14.7 (<name unavailable>) [Valid]
The A record for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found (primary)
Root zone on this DC/DNS server was not found
****

when run on domaindc1:

DC: domaindc2.domain.org.au
Domain: domain.org.au
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
Microsoft(R) Windows(R) Server 2003, Standard Edition (Service Pack level: 2.0) is supported
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000001] Intel(R) PRO/1000 CT Network Connection:
MAC address is 00:11:43:CE:40:E6
IP address is static
IP address: 172.30.14.2
DNS servers:
172.30.14.2 (<name unavailable>) [Valid]
172.30.14.7 (<name unavailable>) [Valid]
The A record for this DC was found
The SOA record for the Active Directory zone was found
Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)
[Error details: 1753 (Type: Win32 - Description: There are no more endpoints available from the endpoint mapper.)]
****

I have seen it before while checking this problem now that I think of it, however I couldn't find any useful information relating to it, other than checking that the RPC services were set to start correctly, which they are, so I forgot about it! Probably not a good move on my behalf!

Any thoughts on this one?!!
--
Leigh
MCSE (NT4, 2000)
Top
From: Meinolf Weber <meiweb(nospam)@gmx.de>
To: none
Subject: Re: Windows 2003 NtFrs Event 13508 sysvol\domain
Date: 09/28/2007 01:39:45

Hello Thylo,

In the dcdiag the Default gateway test FAILED. No gateway reachable for this adapter?
Can you take out the ISA for testing?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

> Hi Meinolf,
>
> Both the dcdiag and net diag results are clean, I have pasted them
> below just in case I have gone too cross-eyed looking at everything to
> not notice something obvious, a fresh set of eyes can do wonders!! The
> only "failures" that I can see are the frsevent, which is what I'm
> trying to solve and the modem diagnostics, understandable as there is
> no modem. ICMP is disabled on our gateway, the servers are on the same
> segment/subnet anyway.
>
> Domain Controller Diagnosis
>
> Performing initial setup:
> Done gathering initial info.
> Doing initial required tests
>
> Testing server: Flemington\domainDC1
> Starting test: Connectivity
> ......................... domainDC1 passed test Connectivity
> Doing primary tests
>
> Testing server: Flemington\domainDC1
> Starting test: Replications
> ......................... domainDC1 passed test Replications
> Starting test: NCSecDesc
> ......................... domainDC1 passed test NCSecDesc
> Starting test: NetLogons
> ......................... domainDC1 passed test NetLogons
> Starting test: Advertising
> ......................... domainDC1 passed test Advertising
> Starting test: KnowsOfRoleHolders
> ......................... domainDC1 passed test KnowsOfRoleHolders
> Starting test: RidManager
> ......................... domainDC1 passed test RidManager
> Starting test: MachineAccount
> ......................... domainDC1 passed test MachineAccount
> Starting test: Services
> ......................... domainDC1 passed test Services
> Starting test: ObjectsReplicated
> ......................... domainDC1 passed test ObjectsReplicated
> Starting test: frssysvol
> ......................... domainDC1 passed test frssysvol
> Starting test: frsevent
> There are warning or error events within the last 24 hours after the
> SYSVOL has been shared. Failing SYSVOL replication problems may cause
> Group Policy problems.
> ......................... domainDC1 failed test frsevent
> Starting test: kccevent
> ......................... domainDC1 passed test kccevent
> Starting test: systemlog
> ......................... domainDC1 passed test systemlog
> Starting test: VerifyReferences
> ......................... domainDC1 passed test VerifyReferences
> Running partition tests on : ForestDnsZones
> Starting test: CrossRefValidation
> ......................... ForestDnsZones passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... ForestDnsZones passed test CheckSDRefDom
> Running partition tests on : DomainDnsZones
> Starting test: CrossRefValidation
> ......................... DomainDnsZones passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... DomainDnsZones passed test CheckSDRefDom
> Running partition tests on : Schema
> Starting test: CrossRefValidation
> ......................... Schema passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Schema passed test CheckSDRefDom
> Running partition tests on : Configuration
> Starting test: CrossRefValidation
> ......................... Configuration passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Configuration passed test CheckSDRefDom
> Running partition tests on : domain
> Starting test: CrossRefValidation
> ......................... domain passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... domain passed test CheckSDRefDom
> Running enterprise tests on : domain.org.au
> Starting test: Intersite
> ......................... domain.org.au passed test Intersite
> Starting test: FsmoCheck
> ......................... domain.org.au passed test FsmoCheck
> ****
>
> Domain Controller Diagnosis
>
> Performing initial setup:
> Done gathering initial info.
> Doing initial required tests
>
> Testing server: Flemington\domainDC2
> Starting test: Connectivity
> ......................... domainDC2 passed test Connectivity
> Doing primary tests
>
> Testing server: Flemington\domainDC2
> Starting test: Replications
> ......................... domainDC2 passed test Replications
> Starting test: NCSecDesc
> ......................... domainDC2 passed test NCSecDesc
> Starting test: NetLogons
> ......................... domainDC2 passed test NetLogons
> Starting test: Advertising
> ......................... domainDC2 passed test Advertising
> Starting test: KnowsOfRoleHolders
> ......................... domainDC2 passed test KnowsOfRoleHolders
> Starting test: RidManager
> ......................... domainDC2 passed test RidManager
> Starting test: MachineAccount
> ......................... domainDC2 passed test MachineAccount
> Starting test: Services
> ......................... domainDC2 passed test Services
> Starting test: ObjectsReplicated
> ......................... domainDC2 passed test ObjectsReplicated
> Starting test: frssysvol
> ......................... domainDC2 passed test frssysvol
> Starting test: frsevent
> There are warning or error events within the last 24 hours after the
> SYSVOL has been shared. Failing SYSVOL replication problems may cause
> Group Policy problems.
> ......................... domainDC2 failed test frsevent
> Starting test: kccevent
> ......................... domainDC2 passed test kccevent
> Starting test: systemlog
> An Error Event occured. EventID: 0xC0002716
> Time Generated: 09/28/2007 09:05:21
> (Event String could not be retrieved)
> ......................... domainDC2 failed test systemlog
> Starting test: VerifyReferences
> ......................... domainDC2 passed test VerifyReferences
> Running partition tests on : ForestDnsZones
> Starting test: CrossRefValidation
> ......................... ForestDnsZones passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... ForestDnsZones passed test CheckSDRefDom
> Running partition tests on : DomainDnsZones
> Starting test: CrossRefValidation
> ......................... DomainDnsZones passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... DomainDnsZones passed test CheckSDRefDom
> Running partition tests on : Schema
> Starting test: CrossRefValidation
> ......................... Schema passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Schema passed test CheckSDRefDom
> Running partition tests on : Configuration
> Starting test: CrossRefValidation
> ......................... Configuration passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Configuration passed test CheckSDRefDom
> Running partition tests on : domain
> Starting test: CrossRefValidation
> ......................... domain passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... domain passed test CheckSDRefDom
> Running enterprise tests on : domain.org.au
> Starting test: Intersite
> ......................... domain.org.au passed test Intersite
> Starting test: FsmoCheck
> ......................... domain.org.au passed test FsmoCheck
> ****
> Computer Name: domainDC1
> DNS Host Name: domaindc1.domain.org.au
> System info : Windows 2000 Server (Build 3790)
> Processor : x86 Family 15 Model 3 Stepping 4, GenuineIntel
> List of installed hotfixes :
> KB909520
> KB911564
> KB921503
> KB925398_WMP64
> KB925876
> KB925902
> KB926122
> KB927891
> KB929123
> KB930178
> KB931768
> KB931784
> KB931836
> KB932168
> KB933360
> KB933566
> KB933854
> KB935839
> KB935840
> KB935966
> KB936021
> KB936357
> KB936782
> KB937143
> KB937143-IE7
> KB938127
> KB938127-IE7
> Q147222
> Netcard queries test . . . . . . . : Passed
>
> Per interface results:
>
> Adapter : Intel Pro 1000 CT Gigabit Ethernet Adapter - Onboard
>
> Netcard queries test . . . : Passed
>
> Host Name. . . . . . . . . : domaindc1.domain.org.au
> IP Address . . . . . . . . : 172.30.14.7
> Subnet Mask. . . . . . . . : 255.255.255.0
> Default Gateway. . . . . . : 172.30.14.1
> Primary WINS Server. . . . : 172.30.14.7
> Secondary WINS Server. . . : 172.30.14.2
> Dns Servers. . . . . . . . : 172.30.14.2
> 172.30.14.7
> AutoConfiguration results. . . . . . : Passed
>
> Default gateway test . . . : Failed
> No gateway reachable for this adapter.
> NetBT name test. . . . . . : Passed
> [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
> No remote names have been found.
> WINS service test. . . . . : Passed
>
> Global results:
>
> Domain membership test . . . . . . : Passed
>
> NetBT transports test. . . . . . . : Passed
> List of NetBt transports currently configured:
> NetBT_Tcpip_{4F560CD5-3A18-429E-946D-0BF9FF8297DD}
> 1 NetBt transport currently configured.
> Autonet address test . . . . . . . : Passed
>
> IP loopback ping test. . . . . . . : Passed
>
> Default gateway test . . . . . . . : Failed
>
> [FATAL] NO GATEWAYS ARE REACHABLE.
> You have no connectivity to other network segments.
> If you configured the IP protocol manually then
> you need to add at least one valid gateway.
> NetBT name test. . . . . . . . . . : Passed
> [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
>
> Winsock test . . . . . . . . . . . : Passed
>
> DNS test . . . . . . . . . . . . . : Passed
> PASS - All the DNS entries for DC are registered on DNS server '172.30.14.2' and other DCs also have some of the names registered.
> PASS - All the DNS entries for DC are registered on DNS server '172.30.14.7' and other DCs also have some of the names registered.
> Redir and Browser test . . . . . . : Passed
> List of NetBt transports currently bound to the Redir
> NetBT_Tcpip_{4F560CD5-3A18-429E-946D-0BF9FF8297DD}
> The redir is bound to 1 NetBt transport.
> List of NetBt transports currently bound to the browser
> NetBT_Tcpip_{4F560CD5-3A18-429E-946D-0BF9FF8297DD}
> The browser is bound to 1 NetBt transport.
> DC discovery test. . . . . . . . . : Passed
>
> DC list test . . . . . . . . . . . : Passed
>
> Trust relationship test. . . . . . : Skipped
>
> Kerberos test. . . . . . . . . . . : Passed
>
> LDAP test. . . . . . . . . . . . . : Passed
>
> Bindings test. . . . . . . . . . . : Passed
>
> WAN configuration test . . . . . . : Skipped
> No active remote access connections.
> Modem diagnostics test . . . . . . : Failed
> [FATAL] Cannot initialize TAPI. Failed with error(0x80000048).
> IP Security test . . . . . . . . . : Skipped
>
> Note: run "netsh ipsec dynamic show /?" for more detailed information
>
> The command completed successfully
>
> ******
> Computer Name: domainDC2
> DNS Host Name: domaindc2.domain.org.au
> System info : Windows 2000 Server (Build 3790)
> Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
> List of installed hotfixes :
> KB911564
> KB921503
> KB925398_WMP64
> KB925876
> KB925902
> KB926122
> KB927891
> KB929123
> KB930178
> KB931768
> KB931784
> KB931836
> KB932168
> KB933360
> KB933566
> KB933854
> KB935839
> KB935840
> KB935966
> KB936021
> KB936357
> KB936782
> KB937143
> KB937143-IE7
> KB938127
> KB938127-IE7
> Q147222
> Netcard queries test . . . . . . . : Passed
>
> Per interface results:
>
> Adapter : Local Area Connection
>
> Netcard queries test . . . : Passed
>
> Host Name. . . . . . . . . : domaindc2.domain.org.au
> IP Address . . . . . . . . : 172.30.14.2
> Subnet Mask. . . . . . . . : 255.255.255.0
> Default Gateway. . . . . . : 172.30.14.1
> Primary WINS Server. . . . : 172.30.14.2
> Secondary WINS Server. . . : 172.30.14.7
> Dns Servers. . . . . . . . : 172.30.14.2
> 172.30.14.7
> AutoConfiguration results. . . . . . : Passed
>
> Default gateway test . . . : Failed
> No gateway reachable for this adapter.
> NetBT name test. . . . . . : Passed
> [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
> WINS service test. . . . . : Passed
>
> Global results:
>
> Domain membership test . . . . . . : Passed
>
> NetBT transports test. . . . . . . : Passed
> List of NetBt transports currently configured:
> NetBT_Tcpip_{D8CF205A-978A-4B53-83B4-E5C818075579}
> 1 NetBt transport currently configured.
> Autonet address test . . . . . . . : Passed
>
> IP loopback ping test. . . . . . . : Passed
>
> Default gateway test . . . . . . . : Failed
>
> [FATAL] NO GATEWAYS ARE REACHABLE.
> You have no connectivity to other network segments.
> If you configured the IP protocol manually then
> you need to add at least one valid gateway.
> NetBT name test. . . . . . . . . . : Passed
> [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
> Winsock test . . . . . . . . . . . : Passed
>
> DNS test . . . . . . . . . . . . . : Passed
> PASS - All the DNS entries for DC are registered on DNS server '172.30.14.2' and other DCs also have some of the names registered.
> PASS - All the DNS entries for DC are registered on DNS server '172.30.14.7' and other DCs also have some of the names registered.
> Redir and Browser test . . . . . . : Passed
> List of NetBt transports currently bound to the Redir
> NetBT_Tcpip_{D8CF205A-978A-4B53-83B4-E5C818075579}
> The redir is bound to 1 NetBt transport.
> List of NetBt transports currently bound to the browser
> NetBT_Tcpip_{D8CF205A-978A-4B53-83B4-E5C818075579}
> The browser is bound to 1 NetBt transport.
> DC discovery test. . . . . . . . . : Passed
>
> DC list test . . . . . . . . . . . : Passed
>
> Trust relationship test. . . . . . : Passed
> Secure channel for domain 'domain' is to '\\domaindc1.domain.org.au'.
> Kerberos test. . . . . . . . . . . : Passed
>
> LDAP test. . . . . . . . . . . . . : Passed
>
> Bindings test. . . . . . . . . . . : Passed
>
> WAN configuration test . . . . . . : Skipped
> No active remote access connections.
> Modem diagnostics test . . . . . . : Failed
> [FATAL] Cannot initialize TAPI. Failed with error(0x80000048).
> IP Security test . . . . . . . . . : Skipped
>
> Note: run "netsh ipsec dynamic show /?" for more detailed information
>
> The command completed successfully
>
> *********
>
> Cheers,
>
> "Meinolf Weber" wrote:
>
>> Hello Thylo,
>>
>> Did you also check for errors with dcdiag and netdiag?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>>> Hey Meinolf,
>>>
>>> I'm sure I had gone through that page before, but I double checked
>>> all of them anyway to make sure. The times are synchronised between
>>> all servers on the network, there aren't any firewalls (apart from
>>> Windows 2003's own which is configured as required) between the
>>> servers, there is plenty of disk space (20GB+), none of the other
>>> errors come up that "should" for the other solutions, it is a native
>>> Windows 2003 domain with only Windows 2003 server and it was
>>> upgraded from a Windows 2000 domain before I started here.
>>>
>>> It is a very frustrating issue!!
>>>
>>> Cheers,
>>>
>>> "Meinolf Weber" wrote:
>>>
>>>> Hello Thylo,
>>>>
>>>> Have a look here:
>>>> http://www.eventid.net/display.asp?eventid=13508&eventno=349&source=ntfrs&phase=1
>>>> Best regards
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>> and confers no rights.
>>>>> Hi Meinolf,
>>>>>
>>>>> Below are the ipconfig /all results from domain controller, they
>>>>> are the only DNS servers on the network as well:
>>>>>
>>>>> Windows IP Configuration
>>>>>
>>>>> Host Name . . . . . . . . . . . . : domaindc1
>>>>> Primary Dns Suffix . . . . . . . : domain.org.au
>>>>> Node Type . . . . . . . . . . . . : Hybrid
>>>>> IP Routing Enabled. . . . . . . . : No
>>>>> WINS Proxy Enabled. . . . . . . . : No
>>>>> DNS Suffix Search List. . . . . . : domain.org.au
>>>>> org.au
>>>>> Ethernet adapter Intel Pro 1000 CT Gigabit Ethernet Adapter - Onboard:
>>>>> Connection-specific DNS Suffix . : domain.org.au
>>>>> Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network Connection
>>>>> Physical Address. . . . . . . . . : 00-C0-9F-4B-9E-5D
>>>>> DHCP Enabled. . . . . . . . . . . : No
>>>>> IP Address. . . . . . . . . . . . : 172.30.14.7
>>>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>>>> Default Gateway . . . . . . . . . : 172.30.14.1
>>>>> DNS Servers . . . . . . . . . . . : 172.30.14.2
>>>>> 172.30.14.7
>>>>> Primary WINS Server . . . . . . . : 172.30.14.7
>>>>> Secondary WINS Server . . . . . . : 172.30.14.2
>>>>> Windows IP Configuration
>>>>> Host Name . . . . . . . . . . . . : domaindc2
>>>>> Primary Dns Suffix . . . . . . . : domain.org.au
>>>>> Node Type . . . . . . . . . . . . : Hybrid
>>>>> IP Routing Enabled. . . . . . . . : No
>>>>> WINS Proxy Enabled. . . . . . . . : No
>>>>> DNS Suffix Search List. . . . . . : domain.org.au
>>>>> org.au
>>>>> Ethernet adapter Local Area Connection:
>>>>> Connection-specific DNS Suffix . : domain.org.au
>>>>> Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network Connection
>>>>> Physical Address. . . . . . . . . : 00-11-43-CE-40-E6
>>>>> DHCP Enabled. . . . . . . . . . . : No
>>>>> IP Address. . . . . . . . . . . . : 172.30.14.2
>>>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>>>> Default Gateway . . . . . . . . . : 172.30.14.1
>>>>> DNS Servers . . . . . . . . . . . : 172.30.14.2
>>>>> 172.30.14.7
>>>>> Primary WINS Server . . . . . . . : 172.30.14.2
>>>>> Secondary WINS Server . . . . . . : 172.30.14.7
>>>>> ***
>>>>> Cheers,
>>>>> "Meinolf Weber" wrote:
>>>>>
>>>>>> Hello Thylo,
>>>>>>
>>>>>> Please post an ipconfig /all from both DC/DNS server.
>>>>>>
>>>>>> Best regards
>>>>>>
>>>>>> Meinolf Weber
>>>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>>>> and confers no rights.
>>>>>>> Hi,
>>>>>>>
>>>>>>> We have a Windows 2003 domain, with two domain controllers. Both
>>>>>>> domain controllers are running Windows 2003 SP2, fully patched.
>>>>>>> The same warning appears in the File Replication Service Log on
>>>>>>> both servers, with the server names reversed on the other
>>>>>>> server (I have changed the names of the servers and domain
>>>>>>> here).
>>>>>>>
>>>>>>> Event Type: Warning
>>>>>>> Event Source: NtFrs
>>>>>>> Event Category: None
>>>>>>> Event ID: 13508
>>>>>>> Date: 25/09/2007
>>>>>>> Time: 3:00:03 PM
>>>>>>> User: N/A
>>>>>>> Computer: DomainDC1
>>>>>>> Description:
>>>>>>> The File Replication Service is having trouble enabling replication
>>>>>>> from DomainDC2 to DomainDC1 for c:\windows\sysvol\domain using the
>>>>>>> DNS name domaindc2.domain.org.au. FRS will keep retrying.
>>>>>>> Following are some of the reasons you would see this warning.
>>>>>>> [1] FRS can not correctly resolve the DNS name
>>>>>>> domaindc2.domain.org.au from this computer.
>>>>>>> [2] FRS is not running on domaindc2.domain.org.au.
>>>>>>> [3] The topology information in the Active Directory for this
>>>>>>> replica has not yet replicated to all the Domain Controllers.
>>>>>>> This event log message will appear once per connection, After the
>>>>>>> problem is fixed you will see another event log message indicating
>>>>>>> that the connection has been established.
>>>>>>> ****
>>>>>>> There are no 13509 events after these. I have been searching the
>>>>>>> groups trying to find something that will help. Both servers are
>>>>>>> able to ping each other using their FQDN, the FRS service is
>>>>>>> running on both servers and replication appears to be working, as
>>>>>>> changes to Sites and Services are replicated almost immediately
>>>>>>> when they are made, including changing the site name and deleting
>>>>>>> and regenerating Active Directory Connections (which I did as a
>>>>>>> test). I have also tried changing both servers so that they are
>>>>>>> using the same DNS server (all combinations) to no avail.
>>>>>>> I ran the FRSDiag utility, from both my workstation and on the
>>>>>>> servers. All of them report an RPC error trying to connect to
>>>>>>> both servers. On the server I was logged in as the
>>>>>>> Administrator, so permissions shouldn't have been a problem. I
>>>>>>> have the logs from the FRSDiag utility if that will help anyone!
>>>>>>>
>>>>>>> When I run "ntfrsutl version" on both servers, I get:
>>>>>>>
>>>>>>> NtFrsApi Version Information
>>>>>>> NtFrsApi Major : 0
>>>>>>> NtFrsApi Minor : 0
>>>>>>> NtFrsApi Compiled on: Feb 16 2007 20:01:19
>>>>>>> ERROR - Cannot bind w/authentication to computer, (null)
>>>>>>> ERROR - Cannot bind w/o authentication to computer, (nul ERROR -
>>>>>>> Cannot RPC to computer, (null); 000006d9 (1753)
>>>>>>> ****
>>>>>>> (null) is replaced by the FQDN of both servers when I enter that
>>>>>>> information in the command line as well.
>>>>>>> I have followed all of the kb articles and usergroup threads
>>>>>>> that I can find, with no luck. Hopefully there's something that
>>>>>>> I've missed that someone can point me to.
>>>>>>>
>>>>>>> Other events that may help (or could confuse the matter
>>>>>>> further), is that when users change their passwords, the Windows
>>>>>>> 2000 ISA Server prompts them for their password, even when they
>>>>>>> log off (or even restart their computers completely) and log
>>>>>>> back on with the new password. Even once that is sorted out,
>>>>>>> which can involve re-creating their profile or resetting the
>>>>>>> password again on one of the DCs, failed logon attempts are
>>>>>>> regularly recorded in the security log on both DCs. Profiles
>>>>>>> have also become completely corrupted after a password change on
>>>>>>> a couple of occasions.
>>>>>>>
>>>>>>> I look forward to any suggestion. Thanks in advance.
>>>>>>>
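One way to triage dcdiag output like that quoted in the message above, added here as an illustration (it is not code from any poster or from Microsoft): the parser strips newsreader `>` markers, rejoins result lines whose test name wrapped onto the next line, and splits the 32-bit `EventID` that dcdiag prints into its severity and the 16-bit code that Event Viewer shows. The function names are hypothetical, and the sample is a constructed excerpt re-typed from the DC2 output in this thread.

```python
import re

# The top two bits of a Windows event identifier encode its severity.
SEVERITY = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}

START_RE = re.compile(r"^Starting test:\s*(\S+)")
# Result line; the test name is optional because mail clients wrap it away.
RESULT_RE = re.compile(r"^\.{5,}\s+(\S+)\s+(passed|failed)\s+test(?:\s+(\S+))?$")
EVENT_RE = re.compile(r"EventID:\s*(0x[0-9A-Fa-f]{8})")

# Constructed sample: excerpt of the DC2 run quoted in the thread, with the
# quote markers and one wrapped test name left in place.
SAMPLE = r"""
> Testing server: Flemington\domainDC2
> Starting test: Connectivity
> ......................... domainDC2 passed test Connectivity
> Starting test: KnowsOfRoleHolders
> ......................... domainDC2 passed test
> KnowsOfRoleHolders
> Starting test: frsevent
> There are warning or error events within the last 24 hours after the
> SYSVOL has been shared. Failing SYSVOL replication problems may cause
> Group Policy problems.
> ......................... domainDC2 failed test frsevent
> Starting test: systemlog
> An Error Event occured. EventID: 0xC0002716
> Time Generated: 09/28/2007 09:05:21
> (Event String could not be retrieved)
> ......................... domainDC2 failed test systemlog
"""


def decode_event_id(raw):
    """Split a 32-bit event identifier (hex string) into its bit fields."""
    value = int(raw, 16)
    return {
        "severity": SEVERITY[(value >> 30) & 0x3],
        "customer": bool((value >> 29) & 0x1),
        "facility": (value >> 16) & 0xFFF,
        "code": value & 0xFFFF,  # the Event ID that Event Viewer displays
    }


def _clean(line):
    """Drop leading quote markers and surrounding whitespace."""
    return line.lstrip("> \t").rstrip()


def parse_dcdiag(text):
    """Return one dict per test result: target, test, verdict, details, events."""
    lines = [c for c in (_clean(raw) for raw in text.splitlines()) if c]
    results, details, i = [], [], 0
    while i < len(lines):
        line = lines[i]
        result = RESULT_RE.match(line)
        if START_RE.match(line):
            details = []  # a new test starts: forget earlier chatter
        elif result:
            target, verdict, test = result.groups()
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            # A lone token right after a nameless result is the wrapped name.
            if test is None and re.fullmatch(r"\S+", nxt):
                test, i = nxt, i + 1
            events = [decode_event_id(e) for d in details for e in EVENT_RE.findall(d)]
            results.append({"target": target, "test": test, "verdict": verdict,
                            "details": details, "events": events})
            details = []
        else:
            details.append(line)
        i += 1
    return results


def failed_tests(text):
    """(target, test, [event codes]) for every failed test in the output."""
    return [(r["target"], r["test"], [e["code"] for e in r["events"]])
            for r in parse_dcdiag(text) if r["verdict"] == "failed"]


if __name__ == "__main__":
    for target, test, codes in failed_tests(SAMPLE):
        print(target, test, codes)
```

The decoded code is the number to look for in the System log of the server that failed the `systemlog` test, since dcdiag could not retrieve the event string itself.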
Top
From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: Would You Advise Adding a Domain?
Date: 09/27/2007 14:47:08

Hello,

OU are often used to apply different policy based on OU membership.
They can also be used to represent the company organization.
If you set a lot of things through gpo, you may let them in a different OU, to not "hurt" them directly. But it will be then harder to make them just like others.

A domain seems not appropriate to me (too much for 15 users), and not useful since you seem to be the only admin ;)

I vote for OU ;)

--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"razor" <razor@discussions.microsoft.com> wrote in message
news:FB9CBD32-5E6A-4485-B094-A6590FFD4666@microsoft.com...
> Hello--
>
> We have a small, single domain network of about 100 machines, including 12
> servers with about 50 users. We have three subnets, one in the host office,
> and one each for two remote locations connected via a WAN. All servers are
> running Windows Server 2003 and all workstations are running Windows XP Pro.
>
> We are just about to finalize negotiations where a partner of ours is going
> to have us manage them. They will stay a separate company at a separate
> physical location, but will need to access some, but not all, of our network
> resources via a dedicated Terminal Server.
>
> They only have about 15 users, and so I was not sure if there is any "best
> practice" suggestions on whether we should create another domain for them on
> our network or just another OU?
>
> Any suggestions would be appreciated.
Top
From: razor <razor@discussions.microsoft.com>
To: none
Subject: Re: Would You Advise Adding a Domain?
Date: 09/27/2007 15:04:00

Yes, I agree--but it's always good to get a 2nd opinion ;-)

Thanks,

sd

"Mathieu CHATEAU" wrote:
> Hello,
>
> OU are often used to apply different policy based on OU membership.
> They can also be used to represent the company organization.
> If you set a lot of things through gpo, you may let them in a different OU,
> to not "hurt" them directly. But it will be then harder to make them just
> like others.
>
> A domain seems not appropriate to me (too much for 15 users), and not
> useful since you seem to be the only admin ;)
>
> I vote for OU ;)
>
> --
> Regards,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
>
> "razor" <razor@discussions.microsoft.com> wrote in message
> news:FB9CBD32-5E6A-4485-B094-A6590FFD4666@microsoft.com...
> > Hello--
> >
> > We have a small, single domain network of about 100 machines, including 12
> > servers with about 50 users. We have three subnets, one in the host office,
> > and one each for two remote locations connected via a WAN. All servers are
> > running Windows Server 2003 and all workstations are running Windows XP Pro.
> >
> > We are just about to finalize negotiations where a partner of ours is going
> > to have us manage them. They will stay a separate company at a separate
> > physical location, but will need to access some, but not all, of our network
> > resources via a dedicated Terminal Server.
> >
> > They only have about 15 users, and so I was not sure if there is any "best
> > practice" suggestions on whether we should create another domain for them on
> > our network or just another OU?
> >
> > Any suggestions would be appreciated.
Top
From: Ryan Hanisco <RyanHanisco@discussions.microsoft.com>
To: none
Subject: Re: Would You Advise Adding a Domain?
Date: 09/27/2007 17:17:03

Razor,

An OU seems to fit the bill for what you're looking to do -- at least as tersely as you have explained the challenge you are facing. Remember, though, that they will have to log in again and will be operating under your domain when they are connected to the terminal session.

You will want to get a copy of their AUP and make sure that they are aware of any of your policies so there isn't trouble down the line. You will also want to make absolutely certain that you have all security settings reviewed and confirmed on the t-server as you'll have "foreign" users inside your network perimeter.

Hope this helps.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need quickly.

"razor" wrote:
> Yes, I agree--but it's always good to get a 2nd opinion ;-)
>
> Thanks,
>
> sd
>
> "Mathieu CHATEAU" wrote:
>
> > Hello,
> >
> > OU are often used to apply different policy based on OU membership.
> > They can also be used to represent the company organization.
> > If you set a lot of things through gpo, you may let them in a different OU,
> > to not "hurt" them directly. But it will be then harder to make them just
> > like others.
> >
> > A domain seems not appropriate to me (too much for 15 users), and not
> > useful since you seem to be the only admin ;)
> >
> > I vote for OU ;)
> >
> > --
> > Regards,
> > Mathieu CHATEAU
> > http://lordoftheping.blogspot.com
> >
> >
> > "razor" <razor@discussions.microsoft.com> wrote in message
> > news:FB9CBD32-5E6A-4485-B094-A6590FFD4666@microsoft.com...
> > > Hello--
> > >
> > > We have a small, single domain network of about 100 machines, including 12
> > > servers with about 50 users. We have three subnets, one in the host
> > > office, and one each for two remote locations connected via a WAN. All
> > > servers are running Windows Server 2003 and all workstations are running
> > > Windows XP Pro.
> > >
> > > We are just about to finalize negotiations where a partner of ours is
> > > going to have us manage them. They will stay a separate company at a
> > > separate physical location, but will need to access some, but not all, of
> > > our network resources via a dedicated Terminal Server.
> > >
> > > They only have about 15 users, and so I was not sure if there is any "best
> > > practice" suggestions on whether we should create another domain for them
> > > on our network or just another OU?
> > >
> > > Any suggestions would be appreciated.
> >
> >
Top
From: razor <razor@discussions.microsoft.com>
To: none
Subject: Re: Would You Advise Adding a Domain?
Date: 09/27/2007 17:23:04

Yes, all good stuff--thank you. Right now our GPOs are connected to our domain, and so I will need to move those to just our main OU (We really don't use OUs here) otherwise that might cause issues--especially since we are deliberating having them connect to the TS via a VPN on our concentrator and it assigns a private IP via DHCP.

sd

"Ryan Hanisco" wrote:
> Razor,
>
> An OU seems to fit the bill for what you're looking to do -- at least as
> tersely as you have explained the challenge you are facing. Remember,
> though, that they will have to log in again and will be operating under your
> domain when they are connected to the terminal session.
>
> You will want to get a copy of their AUP and make sure that they are aware
> of any of your policies so there isn't trouble down the line. You will also
> want to make absolutely certain that you have all security settings reviewed
> and confirmed on the t-server as you'll have "foreign" users inside your
> network perimeter.
>
> Hope this helps.
> --
> Ryan Hanisco
> MCSE, MCTS: SQL 2005, Project+
> www.techsterity.com
> Chicago, IL
>
> Remember: Marking helpful answers helps everyone find the info they need
> quickly.
>
>
> "razor" wrote:
>
> > Yes, I agree--but it's always good to get a 2nd opinion ;-)
> >
> > Thanks,
> >
> > sd
> >
> > "Mathieu CHATEAU" wrote:
> >
> > > Hello,
> > >
> > > OU are often used to apply different policy based on OU membership.
> > > They can also be used to represent the company organization.
> > > If you set a lot of things through gpo, you may let them in a different
> > > OU, to not "hurt" them directly. But it will be then harder to make them
> > > just like others.
> > >
> > > A domain seems not appropriate to me (too much for 15 users), and not
> > > useful since you seem to be the only admin ;)
> > >
> > > I vote for OU ;)
> > >
> > > --
> > > Regards,
> > > Mathieu CHATEAU
> > > http://lordoftheping.blogspot.com
> > >
> > >
> > > "razor" <razor@discussions.microsoft.com> wrote in message
> > > news:FB9CBD32-5E6A-4485-B094-A6590FFD4666@microsoft.com...
> > > > Hello--
> > > >
> > > > We have a small, single domain network of about 100 machines, including
> > > > 12 servers with about 50 users. We have three subnets, one in the host
> > > > office, and one each for two remote locations connected via a WAN. All
> > > > servers are running Windows Server 2003 and all workstations are running
> > > > Windows XP Pro.
> > > >
> > > > We are just about to finalize negotiations where a partner of ours is
> > > > going to have us manage them. They will stay a separate company at a
> > > > separate physical location, but will need to access some, but not all,
> > > > of our network resources via a dedicated Terminal Server.
> > > >
> > > > They only have about 15 users, and so I was not sure if there is any
> > > > "best practice" suggestions on whether we should create another domain
> > > > for them on our network or just another OU?
> > > >
> > > > Any suggestions would be appreciated.
> > >
> > >
Top
From: Lanwench [MVP - Exchange] <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com>
To: none
Subject: Re: Would You Advise Adding a Domain?
Date: 09/27/2007 16:50:08

razor <razor@discussions.microsoft.com> wrote:
> Hello--
>
> We have a small, single domain network of about 100 machines,
> including 12 servers with about 50 users. We have three subnets, one
> in the host office, and one each for two remote locations connected
> via a WAN. All servers are running Windows Server 2003 and all
> workstations are running Windows XP Pro.
>
> We are just about to finalize negotiations where a partner of ours is
> going to have us manage them. They will stay a separate company at a
> separate physical location, but will need to access some, but not
> all, of our network resources via a dedicated Terminal Server.
>
> They only have about 15 users, and so I was not sure if there is any
> "best practice" suggestions on whether we should create another
> domain for them on our network or just another OU?
>
> Any suggestions would be appreciated.

I agree with Mathieu. Since another domain doesn't offer you anything in the way of security, it's only going to add complexity with no benefit.

If their network is to be integrated with yours at all their office could be in the same AD domain but in a separate site/subnet, and you can use OUs to organize things.

However, that said, all you've mentioned they will be touching/accessing is Terminal Services - so do they even need to be part of your domain? Will you be responsible for centrally managing *their* local server/workstations across a WAN link? It isn't clear from your post. If all they need is TS, perhaps none of this is necessary - they could use thin clients for that.
Top
From: razor <razor@discussions.microsoft.com>
To: none
Subject: Re: Would You Advise Adding a Domain?
Date: 09/27/2007 19:22:00

If by saying thin clients you mean users with limited permissions, that is
what I have in mind. I would just like to put them all in one OU to keep them
organized and removed from any GPOs we have.

They will be running a third-party application on the TS that accesses their
own client information in a db located on our SQL server within the same
subnet as the TS.

sd

"Lanwench [MVP - Exchange]" wrote:
> razor <razor@discussions.microsoft.com> wrote:
> > Hello--
> >
> > We have a small, single domain network of about 100 machines,
> > including 12 servers with about 50 users. We have three subnets, one
> > in the host office, and one each for two remote locations connected
> > via a WAN. All servers are running Windows Server 2003 and all
> > workstations are running Windows XP Pro.
> >
> > We are just about to finalize negotiations where a partner of ours is
> > going to have us manage them. They will stay a separate company at a
> > separate physical location, but will need to access some, but not
> > all, of our network resources via a dedicated Terminal Server.
> >
> > They only have about 15 users, and so I was not sure if there is any
> > "best practice" suggestions on whether we should create another
> > domain for them on our network or just another OU?
> >
> > Any suggestions would be appreciated.
>
> I agree with Mathieu. Since another domain doesn't offer you anything in the
> way of security, it's only going to add complexity with no benefit.
>
> If their network is to be integrated with yours at all their office could be
> in the same AD domain but in a separate site/subnet, and you can use OUs to
> organize things.
>
> However, that said, all you've mentioned they will be touching/accessing is
> Terminal Services - so do they even need to be part of your domain? Will you
> be responsible for centrally managing *their* local server/workstations
> across a WAN link? It isn't clear from your post. If all they need is TS,
> perhaps none of this is necessary - they could use thin clients for that.
Top
From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: You have exceeded the maximum number of computer accounts ...
Date: 09/28/2007 01:18:04

Hello,

http://lordoftheping.blogspot.com/2007/09/default-limit-to-number-of-workstations.html

By default, users can only add 10 workstations to the domain before losing
their delegation.

If you need to increase this:
http://support.microsoft.com/kb/243327/en-us

The guilty attribute is ms-DS-MachineAccountQuota

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"ali kemal" <alikemal@discussions.microsoft.com> wrote in message
news:BA9CFAEB-060F-4966-B8ED-40738C4BAEAA@microsoft.com...
> Hi,
>
> There is a remote office of our company and we gave a user a right to
> create computer object in AD in order to join the computer.
> Now, the user gets the error "You have exceeded the maximum number of
> computer accounts ". Hence he can't add any computer to the domain.
>
> So how can we solve this problem?
>
> Thanks in advance.
> Ali Kemal.
> Tunca.
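An added example, not part of the original post or of the linked KB article: a PowerShell audit of the quota discussed above, reporting the current ms-DS-MachineAccountQuota and how many computer accounts each non-administrative creator already owns. It assumes the ActiveDirectory (RSAT) module and read access to the domain; the per-creator count relies on the ms-DS-CreatorSID attribute, which the thread does not mention.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) and an account
# allowed to read the domain head object and computer objects.
Import-Module ActiveDirectory

# The quota lives on the domain head object (default value: 10).
$domain = Get-ADDomain
$quota  = [int](Get-ADObject -Identity $domain.DistinguishedName `
              -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"{0}: ms-DS-MachineAccountQuota = {1}" -f $domain.DNSRoot, $quota

# ms-DS-CreatorSID is stamped on computer accounts created by a user who
# joined the machine under the quota; accounts created by administrators
# do not carry it, so this filter returns only quota-counted accounts.
$groups = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' `
              -Properties 'ms-DS-CreatorSID', whenCreated |
          Group-Object -Property { $_.'ms-DS-CreatorSID'.Value }

$report = foreach ($g in $groups) {
    try {
        # Resolve the creator SID to DOMAIN\user for readability.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($g.Name)
        $who = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $who = $g.Name   # creator deleted or unresolvable: keep the raw SID
    }
    [pscustomobject]@{
        Creator       = $who
        Computers     = $g.Count
        AtOrOverQuota = ($g.Count -ge $quota)
        Newest        = ($g.Group | Sort-Object whenCreated |
                           Select-Object -Last 1).Name
    }
}

$report | Sort-Object Computers -Descending | Format-Table -AutoSize
```

A creator flagged AtOrOverQuota is the one who will see the "exceeded the maximum number of computer accounts" error on the next join.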
Top
From: David Shen <davidsunshine2000@hotmail.com>
To: none
Subject: Re: [X-POST] Person and User.
Date: 09/28/2007 01:36:07

To Alessandro,

You can use Sysinternals tool ADExplorer to view userPrincipalName very
easily. You may download it from www.sysinternals.com

"AM" <AM@AM.AM> wrote in message news:%23GArXW1wHHA.424@TK2MSFTNGP06.phx.gbl...
> Hi all,
>
> is there anyone who can kindly tell me how the object/category specified
> in the subject play the role in the big picture of Active Directory?
>
> I need to access the attribute userPrincipalName and someone told me to
> refer to the object (?-I hope to call it with the right name) USER instead
> of PERSON.
>
> Browsing the AD through an LDAP browser the "user" has both the
> objectclass User and Person so I can not see any difference between them
> and I can not understand why to use the first instead of the second. Maybe
> I'm missing something.
>
> I would be interested in some drawings that explains at which level those
> "object" are placed and which is the "role" of each one.
>
> Many thanks in advance.
>
> Alessandro