infinitytech asked:
After moving FSMO and GC, servers cannot connect to new clients

I have a client that we inherited in the middle of a network upgrade.  Here is the scenario...
They have two servers: the newer one is running Windows Server 2003, and the older one is running Server 2000.  The 2000 box is the original domain controller on the network, and the previous network admin was partway through trying to upgrade the old machine to Windows 2003.  Here is what we have done:

On the Windows Server 2003 box, the previous network admin had run dcpromo so that the server was part of the AD structure in the domain.  He had also set up DNS on the 2003 box.  We went in and set the 2003 box to be a global catalog server, installed and set up DHCP with all client and server DNS pointing to the 2003 box, then disabled DHCP on the 2000 box.  We transferred the FSMO roles per http://support.microsoft.com/kb/324801.  All of the transfer procedures went off without a problem, and everything seemed to transfer successfully.  To test the success, we shut down the old 2000 box and renewed the DHCP lease on a client machine so that its IP was obtained from the 2003 box and its DNS pointed to the 2003 box.  We then created a new account in the AD on the 2003 box and tried to log in from the client.  Everything went off with no problems whatsoever.

So here is the problem that we are encountering: neither of the servers (the 2000 or the 2003) is able to connect to shares on NEW clients.  From the 2003 box, I can run to the other server or to an old client (one that existed prior to the FSMO and GC move) and I can get to all of the shares on that machine.  However, if we add a new machine onto the network, we cannot connect to the shares on that client machine from the server, but all of the other client machines CAN get to the shares.  Also, ALL of the client machines (new and old) are able to get to the shares on either server with no problems.  From the 2003 server, we get the error message that an unexpected network error occurred.  If we try to browse to the new client through My Network Places, we can see the new client machine, but when trying to connect to it, you receive the error "\\spcsclient is not accessible.  You might not have permission to use this network resource.  Contact the administrator of this server to find out if you have access permissions.  An unexpected network error occurred."

Since all of the FSMO and GC functions seem to have transferred, and this issue only exists when connecting from the server to NEW clients, I am at a loss as to what to check next.  Any and all help will be greatly appreciated!
Daryl Ponting replied:

Had the previous admin run ADPREP on the domain before promoting the Windows 2003 DC?  (I'm not sure what happens if you promote a 2003 box without doing it so I don't know if a "successful" promotion is possible).
infinitytech (asker) replied:

I honestly don't know the answer to that question.  The previous admin was forced out, and we got VERY little information on what was actually done.  I assumed that the promotion was successful simply because we could add new user accounts and all of the domain clients recognized them (without the old DC on-line).
Sounds like DNS issues. Even though the FSMO roles were successfully transferred off and DNS was moved, DNS could still be pointing to the old 2000 box. If you go to a workstation and ping your AD name (such as corp.company.com or just company.com) as it's displayed using the AD snap-ins, does it resolve to the correct IP address? So, let's say your old 2000 server was 192.168.1.1 and the new 2003 is 192.168.1.2: if you ping the internal AD by name, does it resolve to the old .1 or the new .2 IP address? Go into DNS and turn on advanced view, and check whether the old box is listed under name servers, or anywhere else OTHER than as a regular A record. Also, was the new DHCP scope modified so that it's handing out the 2003 box as primary DNS?

~ CFJ
CFJ -

There did appear to be residual Name Server entries pointing to the old 2000 box.  I removed those, and now when I ping the AD name, it resolves to the new 2003 box.  However, that has not fixed the problem.  Something I noticed tonight is that if I try to run to the box via IP address, I get the message that No Network provider accepted the given path.

If I try to run by name, I now get either the above message or "The specified network name is no longer available" (depending on which client I try to get to).

Not sure if this is getting better or worse!
Are there any errors that stand out in the Event Viewers on the servers, particularly DNS, Directory Service and FRS? If you install the Windows Support Tools on both servers and run dcdiag and netdiag from cmd, does everything pass? Can workstation1 ping workstation2 by name, and do any workstations have hardcoded DNS servers? From a workstation, in the Run window, type in "%logonserver%" (without the quotes); does it open a window to the 2000 or the 2003 box?

If DNS was removed from the old 2000 box, did you remove it from the Name Servers tab on the 2003 box? Is DNS installed and running on both the 2000 and 2003 servers? If so, when you create a new record, does it replicate properly? Does a new AD account replicate? Are the servers pointing to themselves as primary DNS, or to each other?

~ CFJ
Any update?

~ CFJ
Any update on this? Is the old 2000 box still live and available on the network? Is it listed as a server under AD Sites & Services? If so, does it have the GC role checked under NTDS Settings? You may have to clean up your AD metadata using ntdsutil. If you install the Windows Support Tools and run dcdiag and netdiag from your 2003 box, do they pass?

~ CFJ
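The checks CFJ asks for in the two posts above (stale name-server entries in DNS, which box %logonserver% resolves to, the GC flag on each DC, dcdiag, and finally ntdsutil metadata cleanup) can be scripted so they are run the same way every time. The following is an added example, not code from this thread or from Experts Exchange, written for a surviving DC running a current Windows version with the RSAT ActiveDirectory module. The domain name corp.example.com, the retired DC name OLDDC and its site Default-First-Site-Name are assumptions; substitute your own.

```powershell
# Added example, not part of the original thread. Pre-flight checks before
# retiring an old DC, run on the surviving DC as a Domain Admin. Requires the
# ActiveDirectory module (RSAT) and Resolve-DnsName (Windows 8 / 2012 or later).
# Assumed names: AD domain corp.example.com, retired DC OLDDC, site
# Default-First-Site-Name. Substitute your own.

Import-Module ActiveDirectory

$Domain    = 'corp.example.com'   # assumed AD DNS name
$RetiredDc = 'OLDDC'               # assumed hostname of the Windows 2000 box

function Get-FsmoHolders {
    # After the KB 324801 transfer all five roles should name the surviving DC.
    $d = Get-ADDomain -Identity $Domain
    $f = Get-ADForest
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Get-GlobalCatalogState {
    # Same information as the GC checkbox under NTDS Settings in AD Sites & Services.
    Get-ADDomainController -Filter * |
        Select-Object Name, Site, IsGlobalCatalog, OperationMasterRoles
}

function Find-StaleDnsReferences {
    param([string]$Zone, [string]$OldDc)
    # The zone's NS records plus the DC-locator SRV records that clients and
    # member servers use to find a DC, the PDC and a GC. Any of them still
    # naming the retired box is the residue the thread found on the Name Servers tab.
    $queries = @(
        @{ Name = $Zone;                            Type = 'NS'  }
        @{ Name = "_ldap._tcp.dc._msdcs.$Zone";     Type = 'SRV' }
        @{ Name = "_kerberos._tcp.dc._msdcs.$Zone"; Type = 'SRV' }
        @{ Name = "_ldap._tcp.pdc._msdcs.$Zone";    Type = 'SRV' }
        @{ Name = "_ldap._tcp.gc._msdcs.$Zone";     Type = 'SRV' }
    )
    foreach ($q in $queries) {
        $answers = Resolve-DnsName -Name $q.Name -Type $q.Type -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq $q.Type }   # drop additional-section A records
        foreach ($r in $answers) {
            # NS answers carry NameHost; SRV answers carry NameTarget.
            $target = if ($q.Type -eq 'NS') { $r.NameHost } else { $r.NameTarget }
            if ($target -and $target -like "$OldDc.*") {
                [pscustomobject]@{ Query = $q.Name; Type = $q.Type; Target = $target }
            }
        }
    }
}

function Remove-RetiredDcMetadata {
    param([string]$ServerDn, [switch]$Execute)
    # Non-interactive form of ntdsutil "metadata cleanup". Nothing runs unless
    # -Execute is given; without it the exact command is shown for review.
    # Only do this once the old box is permanently offline and will never be promoted again.
    $shown = "ntdsutil `"metadata cleanup`" `"remove selected server $ServerDn`" quit quit"
    if (-not $Execute) { Write-Warning "Dry run. Would run: $shown"; return }
    & ntdsutil 'metadata cleanup' "remove selected server $ServerDn" quit quit
}

# --- run the checks ---
'FSMO holders:';        Get-FsmoHolders | Format-List
'Domain controllers:';  Get-GlobalCatalogState | Format-Table -AutoSize
"Logon server for this session (the thread's %logonserver% test): $env:LOGONSERVER"

$stale = @(Find-StaleDnsReferences -Zone $Domain -OldDc $RetiredDc)
if ($stale.Count) { "Stale DNS references to ${RetiredDc}:"; $stale | Format-Table -AutoSize }
else              { "No NS or DC-locator SRV record points at $RetiredDc." }

# DC health summary; /q prints only failures.
& dcdiag /q

# Dry run of the cleanup. Add -Execute only after the DN is verified and OLDDC is gone for good.
Remove-RetiredDcMetadata -ServerDn ("CN=$RetiredDc,CN=Servers,CN=Default-First-Site-Name," +
    "CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com")
```

Run it on the 2003-era survivor's replacement (or any current DC) before and after the old box is powered off: the DNS query section should come back empty, every FSMO role should name the surviving DC, and %logonserver% on the DC should name itself. The cleanup function is deliberately a dry run by default because metadata cleanup cannot be undone; if the removed server later comes back on the network it must be reinstalled, not reattached.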
Sorry this has taken so long to respond.  The client is a private school, and they were off for most of the summer.
Okay, here is what I have found: when I run netdiag and dcdiag from the 2003 server, everything passes.  However, when I run netdiag from the 2000 box, I get a failure on DC List.  The failure is "Failed to enumerate domain controllers by using the browser [ERROR_LOGIN_WKSTA_RESTRICTION]".  When I run dcdiag from the 2000 box, I get multiple failures, all of which are the same error: "1240: The account is not authorized to log in from this station."

When doing %logonserver% from the 2003 box, it opens itself.  When you do it from the 2000 box or any of the clients, it opens the 2000 box.

AD accounts if created on EITHER server do replicate to the other server.  The 2000 box is listed as a server, but it does NOT have GC checked.

Again, to reiterate what the end result is that I am looking for....the 2000 box is going to go away and be reformatted to a 2003 server (we need to completely blow it away to correct partitioning errors).  So I need to put the 2003 box in complete control of the domain.

Thanks again for the help!
ASKER CERTIFIED SOLUTION
monorail1

This solution is only available to members of Experts Exchange.
The manual removal FINALLY did the trick!  Thank you SO much for all of your help!
Hey, my pleasure, glad it all worked out... I know how frustrating it can be :)

~ CFJ