Solved

Group Policy Errors

Posted on 2003-12-03
Last Modified: 2007-12-19
Getting Message - Event Id 16650
The account-identifier allocator failed to initialize properly.  The record data contains the NT error code that caused the failure.  Windows 2000 will retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller.  Please look for other SAM event logs that may indicate the exact reason for the failure.

If I try to open domain security policy or domain controller security policy I get The Message:

Failed to open the group policy object, you may not have the appropriate rights..
The specified domain controller either does not exist or could not be contacted...

The network consists of three windows 2000 advanced servers, all of which are domain controllers, with server 1 being the global catalog..

I know nothing about policies and these systems are in accounting and only have 2 users, talk about overkill.....

Help...
Question by:eenderle
44 Comments
 
LVL 24

Expert Comment

by:shivsa
ID: 9871808
0
 
LVL 24

Expert Comment

by:shivsa
ID: 9871815
0
 

Author Comment

by:eenderle
ID: 9871947
Also Getting Message Event Id..1265 The attempt to establish a replication link with parameters
 
 Partition: CN=Schema,CN=Configuration,DC=VALLEYFORGE,DC=LOCAL
 Source DSA DN: CN=NTDS Settings,CN=SERVER-4,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=VALLEYFORGE,DC=LOCAL
 Source DSA Address: 9e1dfbea-625b-4335-a8ff-0e1d05ca1996._msdcs.VALLEYFORGE.LOCAL
 Inter-site Transport (if any):
 
 failed with the following status:
 
 There are no more endpoints available from the endpoint mapper.
 
 The record data is the status code.  This operation will be retried.

Have tried 2 suggestions above already found on this site....no luck...
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9872311
What does your replication log say? Are your servers talking? I would assume so, but with three servers, you never know...
0
 

Author Comment

by:eenderle
ID: 9876887
If you could tell me where to check this log I will check it and get back to you........thanks.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9877131
Look in your event viewer under file replication service.
0
 

Author Comment

by:eenderle
ID: 9879422
File Replication Event Log Says...(with only 1 entry)

The File Replication Service is having trouble enabling replication from SERVER-4 to SERVER-1 for c:\winnt\sysvol\domain using the DNS name server-4.VALLEYFORGE.LOCAL. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name server-4.VALLEYFORGE.LOCAL from this computer.
 [2] FRS is not running on server-4.VALLEYFORGE.LOCAL.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

Server-4 is not a windows 2000 advanced server, it is just windows 2000 server and is not a domain controller...

Thanks..
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9879604
You have setup to contact that server, either in DNS or something. That's most likely the cause of your error messages.
0
 

Author Comment

by:eenderle
ID: 9883139
I agree that the file replication log is logging messages from server-4 and this really does not concern me much, what does concern me is that when i try to open group policy on any of the 3 domain controllers it displays

Failed to open the group policy object, you may not have the appropriate rights..
The specified domain controller either does not exist or could not be contacted...


This does concern me to some extent even though I do not know much about policies..... I am thinking DNS may be where my problem is, but I know even less about DNS.

Thanks
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9883177
Well, in order to straighten out the GPO issue, we have to get the network stabilized. You have other issues related to connectivity, and in fact, your GPO issues are related, as stated in the error message. So, unfortunately, we have to do this on a step by step basis. Your GPO issue will probably be resolved once we have your DC's talking to each other properly. Right now, they aren't.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9883215
Your initial post listed an error 16650, detailing no account creation will occur. This means the GC and or schema master are not able to be contacted by this DC. Once we have all the DC's synched up, that error message will go away, and then your second error will also most likely be cleared, as it too is related to communication.
Sorry for the second post, but I reviewed the question again, and wanted to clarify why I was looking at what, on the surface, seemed to be unrelated issues. But as any MCSE can tell you, Rule two of Implementing AD is to stabilize the network (Rule one being to document the implementation... 8-)
0
 

Author Comment

by:eenderle
ID: 9883702
Ok, let me know what you want me to do and I will do it to it, I don't have access to these machines during the day, just at night and on the weekends, so anything you tell me to do will be done tonight, then I will post a reply, thanks for your help so far.....



Eric.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9883924
Well, that's cool, we can work through it this evening... 8-)
First thing first, test for TCP/IP connectivity. Make sure all the servers have basic connection.
Then, We need to determine which server is the GC. The main reason we want to do this is hopefully none of the server roles have been moved, and this will be the First server, and has all the master roles. Just gives us an arbitrary starting point. Once we know the "Master" server, for want of a better word, we make sure all servers communicate and replicate to that server.
 First thing is to essentially clear out all the DNS; Might need to remove all the server records except the SOA and let them get rebuilt.
How many DNS servers are you running, and are they AD integrated?

0
 

Author Comment

by:eenderle
ID: 9883991
I can answer some of your questions now, all three servers are seen by the others on the network, clients are able to connect to all three servers and copy files and print things ok, server-1 is the GC and is the machine reporting the errors, the accounting people tell me it was the machine that the manager (who was laid off) was having problems with,  all three have dns setup with active directory, they do provide dns and dhcp to the clients, there is no dhcp overlap (I checked) but how to setup/check dns or policies I am not familiar with........thanks....

Eric.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9884475
Ok, then what you will want to do is in DNS on Server-1, open the zone, go to the Zone name, and I will walk through what the settings should be.
General:
Under type: Verify is AD Integrated.
Make sure allow Dynamic updates is Yes.
SOA tab:
You want to confirm the information listed there is correct, especially the primary server.
Name Servers:
Make sure only DNS servers for your domain are listed. If all of them are not, add the missing one(s)
WINS:
Do you even use? If yes, confirm information.
Zone Transfers:
Make sure you have a check in allow Zone Transfers.
Set to "Only to servers in the Name Servers Tab" for security.
Security:
Just confirm the entries.
Administrators, DNS Admins, Domain Admins and Enterprise should be listed, and most should have varying degrees of authority.
Authenticated users and everyone should have create, and Everyone should have read.

Once you have confirmed that, make the other DNS servers match.
That should clear up the replication messages, but we might have more to resolve, so keep me posted. 8-)
TTYL
0
 

Author Comment

by:eenderle
ID: 9885308
Ok will do tonight, thanks for the help........(:>
0
 

Author Comment

by:eenderle
ID: 9886947
Allow Dynamic Updates Is "Yes", Type is "Active Directory Integrated"
SOA Shows
Serial Number = 307
Primary Server = server-1.valleyforge.local
Responsible Person = admin
Refresh interval = 15 Min
Retry interval = 10 Minutes
Expires after = 1 Days
Minimum (default) TTL = 0 :1:0:0
TTL for this record = 0 :1:0:0

Servers (Appear Correct)
server-1.valleyforge.local. [192.168.10.3]
server-2.valleyforge.local. [192.168.10.4]
server-3.valleyforge.local. [192.168.10.5]

Wins = (nothing filled in)

Zone Transfers
Allow Zone Transfers Is Checked
Only To Servers Listed On The Name Servers Tab
Nothing Else Is Filled In Here

Security Tab
F=Full, R=Read, W=Write, C=Create Child, D=Delete Child
Administrators(Valleyforge\Administrators) - R - W - C
Authenticated Users - C
DnsAdmins (Valleyforge\DnsAdmins) - F - R - W - C - D
Domain Admins (Valleyforge\Domain Admins) - F - R - W - C - D
Enterprise Admins (Valleyforge\Enterprise Admins) - F - R - W - C - D
Enterprise Domain Controllers - F - R - W - C - D
Everyone - R    * This does not have a  C
Pre-Windows 2000 Compatible Access (Valleyforge\Pre-Windows 2000 Compatible Access) - Nothing
System - F - R - W - C - D

Please Confirm This Is Good And I Will Do Other Servers.....
Thanks For The Help.....

0
 
LVL 6

Expert Comment

by:Casca1
ID: 9886988
Looks good so far. Compare it to the other servers. Once we get all those matching, we will begin looking at the other services.
0
 

Author Comment

by:eenderle
ID: 9887089
Ok Will Do..
0
 

Author Comment

by:eenderle
ID: 9887122
Server-2 Dns
Everything The Same Except
Serial Number 308
Primary Server Is server-2.valleyforge.local.

Server-3 Dns
Everything The Same Except
Serial Number 308 - (Same As Server 2 But Not Server-1)
Primary Server Is server-3.valleyforge.local.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9887238
Ok; You have a difference in the record number between your primary and the secondaries. I know, AD integrated, no primary and secondary, but server 1 IS the start.
Most likely, you had an update during that time, so probably not an issue.
What does the FRS log say on those two systems?
Go ahead and check all three again, just to be safe.
0
 

Author Comment

by:eenderle
ID: 9888810
Server-1 FRS Log
12/06/03 04:00.32
The File Replication Service is having trouble enabling replication from SERVER-4 to SERVER-1 for c:\winnt\sysvol\domain using the DNS name server-4.VALLEYFORGE.LOCAL. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name server-4.VALLEYFORGE.LOCAL from this computer.
 [2] FRS is not running on server-4.VALLEYFORGE.LOCAL.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

Server-2 FRS Log
12/06/03 - 9:21:02
The File Replication Service is having trouble enabling replication from SERVER-1 to SERVER-2 for c:\winnt\sysvol\domain using the DNS name server-1.VALLEYFORGE.LOCAL. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name server-1.VALLEYFORGE.LOCAL from this computer.
 [2] FRS is not running on server-1.VALLEYFORGE.LOCAL.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

Server-3 FRS Log
12/06/03 4:20:03
The File Replication Service is having trouble enabling replication from SERVER-4 to SERVER-3 for c:\winnt\sysvol\domain using the DNS name server-4.VALLEYFORGE.LOCAL. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name server-4.VALLEYFORGE.LOCAL from this computer.
 [2] FRS is not running on server-4.VALLEYFORGE.LOCAL.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

It would appear server 1 & 3 are trying to replicate with server-4 which is not a dc, therefore this is probably not an issue, server-2 appears to have a problem with server-1..

Thanks.
0

 
LVL 6

Expert Comment

by:Casca1
ID: 9889080
Verify remote procedure call (RPC) connectivity between Computer A and Computer B. An appropriate test may be to open Event Viewer on Computer B from Computer A (which uses RPC). Check FRS event logs on both computers. If Event ID 13508 is present, there may be a problem with the RPC service on either computer or with creating a secure connection between Computer A and Computer B.

Use the Active Directory Sites and Services console to verify the replication schedule on the Connection object. Ensure that replication is enabled between Computer A and Computer B and that the connection is enabled. The Connection object is the inbound connection under Computer A's NTFRS_MEMBER object from Computer B. For System Volume (SYSVOL), the Connection object resides in the Sites\Site_name\Servers\Server_name\Ntds Settings\Connection_name folder.

Seems RPC MAY be having trouble. Let's look into that. Also, using the above, make sure server 1 and 3 quit trying to replicate to server 4. Was server a DC at one time? You might need to remove the server. Are you using DFS?
It will work, but if you have changed something that could be the cause of the error messages.

Now for some other questions.
Has the original server that you setup AD been removed? I mean the server you ran the DCPromo command on FIRST? If that is gone, or been demoted without grabbing the FSMO roles, it could cause some of these issues, but if you hadn't grabbed at least the GC, you would have other issues. The reason I ask is the initial server, unless you move the FSMO roles, will have the Schema master and Infrastructure master roles, and if you had to take it down, these roles are gone. This isn't a problem, as there are ways to get the roles back, even if the server is wiped, but it could certainly cause this issue.
'Course, there should be other issues, as well.
Do you have any other errors in any of the logs, particularly the DNS, System, and of course FRS logs?
Any warnings listed there may be the cause, even if they don't really seem connected.
0
 

Author Comment

by:eenderle
ID: 9889314
Server-1 Is able to open the event logs of server-2, server-3.
FRS Logs,
Server-1
   13508 - Server-1 To Server-4
Server-2
   13508 - Server-4 To Server-2
   13508 - Server-1 To Server-2
Server-3
   13508 - Server 4 To Server-3
   13508 - Server 1 To Server-3

You Lost Me On Sites And Services...

Heres What I Have

Sites
    Default-First-Site
        Servers
            Server-1
               Ntds Settings
                    Auto-Gen - Server-2 - Default First Site - Connection
                        Under Object
                            VALLEYFORGE.LOCAL/Configuration/Sites/Default-First-Site/Servers/SERVER-1/NTDS Settings/<automatically generated>
                    Auto-Gen - Server-4 - Default First Site - Connection
                        Under Object
                             VALLEYFORGE.LOCAL/Configuration/Sites/Default-First-Site/Servers/SERVER-1/NTDS Settings/543d364f-5690-42ce-b265-f830655f0579
                    Auto-Gen - Server-3 - Default First Site - Connection
                         Under Object
                              VALLEYFORGE.LOCAL/Configuration/Sites/Default-First-Site/Servers/SERVER-1/NTDS Settings/718e32d8-593e-44b5-9775-21a52d501594

            Server-2
                Ntds Settings
                Auto-Gen - Server-4 - Default First Site - Connection
                    Under Object
                        VALLEYFORGE.LOCAL/Configuration/Sites/Default-First-Site/Servers/SERVER-2/NTDS Settings/09420b9a-0e55-4edf-88da-31fb9badb811
                Auto-Gen - Server-3 - Default First Site - Connection
                   Under Object
                        VALLEYFORGE.LOCAL/Configuration/Sites/Default-First-Site/Servers/SERVER-2/NTDS Settings/4b141941-34a8-4118-9944-3c0e1a5b460e
                Auto-Gen - Server-1 - Default First Site - Connection
                     Under Object
                         VALLEYFORGE.LOCAL/Configuration/Sites/Default-First-Site/Servers/SERVER-2/NTDS Settings/d0f1e775-f354-462d-b9a9-05acc8e20ff1

            Server-3
               Ntds Settings
                 Auto-Gen - Server-4 - Default First Site - Connection
                     Under Object
                         VALLEYFORGE.LOCAL/Configuration/Sites/Default-First-Site/Servers/SERVER-3/NTDS Settings/4d9d222e-54dd-4882-b26c-a5add63cffeb
                 Auto-Gen - Server-2 - Default First Site - Connection
                    Under Object
                        VALLEYFORGE.LOCAL/Configuration/Sites/Default-First-Site/Servers/SERVER-3/NTDS Settings/7605a206-99a0-48b6-b374-74d525dcec08
                 Auto-Gen - Server-1 - Default First Site - Connection
                      Under Object
                          VALLEYFORGE.LOCAL/Configuration/Sites/Default-First-Site/Servers/SERVER-3/NTDS Settings/9123-462d-ab5f-072366b83067

            Server-4
                Ntds Settings
                 Auto-Gen - Server-3 - Default First Site - Connection
                     Under Object
                         VALLEYFORGE.LOCAL/Configuration/Sites/Default-First-Site/Servers/SERVER-4/NTDS Settings/<automatically generated>
                 Auto-Gen - Server-1 - Default First Site - Connection
                    Under Object
                        VALLEYFORGE.LOCAL/Configuration/Sites/Default-First-Site/Servers/SERVER-4/NTDS Settings/64e0178f-51d1-43fe-9902-eee849b637cb
                 Auto-Gen - Server-2 - Default First Site - Connection
                      Under Object
                          VALLEYFORGE.LOCAL/Configuration/Sites/Default-First-Site/Servers/SERVER-4/NTDS Settings/d94c3e48-9b7e-49bd-a235-4164e95e7421
       
Under Security Tab On All Servers All Connections:
Authenticated Users - R
Domain Admins - F - R - W
Enterprise Admins - F - R - W
System - F - R - W

Server-4 Was Never A Domain Controller - Just Plain Old Windows 2000 Server, DNS is not configured On This Machine And DHCP Was Running But Not Configured...

Confirm Remove Server-4 From Active Directory Sites And Services - Servers Section ?

Believe My Predecessor did do dcpromo on server-1 he mentioned losing connection with it and every time one of the employees would try to connect the system would give them an error message, server-1 is the primary (first server) to be setup in this department....

Posting Compiled Error Log In Next Message......
0
 

Author Comment

by:eenderle
ID: 9889341
This program compiles all logs on the network and reports a count on the unique ones...
1 12/03/2003
19:47:36 12/06/2003
12:12:02 SAM Error 16650 System SERVER-1 1933 <- (This is the number of times this error is reported on the network),  The account-identifier allocator failed to initialize properly. The record data contains the NT error code that caused the failure. Windows 2000 will retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller. Please look for other SAM event logs that may indicate the exact reason for the failure.  

2 12/02/2003
20:52:09 12/06/2003
11:42:34 Service Control Manager Error 7031 System SERVER-2 149 The File Replication Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1800000 milliseconds: Restart the service.  

3 11/16/2003
00:34:09 12/06/2003
10:53:07 BROWSER Error 8032 System ALEX 24 The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{370D8A84-82ED-4E3B-B369-3FBD3EA995E2}. The backup browser is stopping.  

4 12/03/2003
13:21:56 12/04/2003
08:01:11 Norton AntiVirus Error 5 Application SERVER-2 2

Virus Found!Virus name: EICAR Test String in File: C:\Documents and Settings\Administrator.VALLEYFORGE\Local Settings\Temporary Internet Files\Content.IE5\W6UJNPSF\eicar[1].com by: Defwatch scan. Action: Leave Alone succeeded :
 
5 12/02/2003
20:29:42 12/02/2003
20:29:42 SQLSERVERAGENT Error 318 Application SERVER-2 1 Unable to read local eventlog (reason: The event log file has changed between read operations).  

6 12/02/2003
20:10:30 12/02/2003
20:10:30 Security Success Audit 517 Security SERVER-1 1 The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0xnnnn)
Client User Name: Administrator
Client Domain: VALLEYFORGE
Client Logon ID: (0x0,0x11FE7)
 
7 12/01/2003
22:01:11 12/01/2003
22:01:11 Userenv Error 1000 Application ALEX 1 Windows cannot access the registry information at \\VALLEYFORGE.LOCAL\sysvol\VALLEYFORGE.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with (5).  

8 12/01/2003
21:38:49 12/01/2003
21:38:49 Print Error 33 System SERVER-4 2 The PrintQueue Container could not be found because the DNS Domain name could not be retrieved. Error: 54b  

9 11/25/2003
11:13:46 12/01/2003
21:38:40 Removable Storage Service Error 1 System SERVER-4 2 Unable to auto-configure library unit Changer0. The current setup of the library unit does not support automatic configuration. You will either have to modify the current setup of the library to adhere to automatic configuration guidelines (if possible) or manually configure the device.  

10 12/01/2003
21:37:54 12/01/2003
21:37:54 NETLOGON Error 5719 System SERVER-4 1 No Windows NT or Windows 2000 Domain Controller is available for domain VALLEYFORGE. The following error occurred:
There are currently no logon servers available to service the logon request.  

11 12/01/2003
21:37:37 12/01/2003
21:37:37 NETLOGON Error 5719 System ALEX 1 No Windows NT or Windows 2000 Domain Controller is available for domain VALLEYFORGE. The following error occurred:
There are currently no logon servers available to service the logon request.  

12 12/01/2003
21:37:23 12/01/2003
21:37:23 EventLog Error 6008 System SERVER-4 1 The previous system shutdown at 9:35:00 PM on 12/1/2003 was unexpected.  

13 11/30/2003
15:26:29 11/30/2003
15:26:29 Server Error 2510 System SERVER-4 2 The server service was unable to map error code 1797.  

14 11/25/2003
11:39:16 11/26/2003
10:09:15 BROWSER Error 8032 System SERVER-4 10 The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{B5DCDDE4-4888-4F17-A46F-6B1F7EC809BF}. The backup browser is stopping.  

15 11/13/2003
08:01:27 11/13/2003
08:01:57 DCOM Error 10010 System ALEX 2 The server {03E0E6C2-363B-11D3-B536-00902771A435} did not register with DCOM within the required timeout.  

16 11/09/2003
09:42:14 11/12/2003
23:32:11 Userenv Error 1000 Application ALEX 86 Windows cannot determine the user or computer name. Return value (1722).  

17 11/12/2003
17:59:39 11/12/2003
17:59:39 Security Success Audit 517 Security SERVER-2 1 The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0xnnnn)
Client User Name: Administrator
Client Domain: VALLEYFORGE
Client Logon ID: (0x0,0xEFAC)
 
18 11/12/2003
17:53:34 11/12/2003
17:53:34 Security Success Audit 517 Security SERVER-3 1 The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0xnnnn)
Client User Name: Administrator
Client Domain: VALLEYFORGE
Client Logon ID: (0x0,0x1AF31)
 
19 08/15/2002
19:03:44 08/15/2002
19:03:44 Security Success Audit 517 Security ALEX 1 The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0xnnnn)
Client User Name: Alexv
Client Domain: VALLEYFORGE
Client Logon ID: (0x0,0xF653)
 

Go to www.eventid.net

Filtering criteria

Occurrence All events
Consolidated Yes
Information No
Warning No
Error Yes
Success Audit Yes
Failure Audit Yes
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9890241
Yes, Remove server 4 from the Sites and services section. Your domain is trying to replicate to it.
Now on to other business...
Click Start, click Run, type cmd in the Open box, and then press ENTER.
Type ntdsutil, and then press ENTER.
Type domain management, and then press ENTER.
Type connections, and then press ENTER.
Type connect to server Server1, and then press ENTER.
Type quit, and then press ENTER.
Type select operation target, and then press ENTER.
Type list roles for connected server, and then press ENTER.

You might need to do this with each server. Once again, remove server4; That is most likely what is generating your error messages in event viewer.
The other error, unable to access the GPO's, is what I am on the track of now. 8-)
0
 

Author Comment

by:eenderle
ID: 9890764
Server-4 Will Not Let me Delete It, Message Is :The DSA Object Cannot be Deleted.

Cmd Results  
Server "server-1" knows about 5 roles
Schema — CN="NTDS Settings DEL:4S404fc5—2363—46fe—h513—0Sd9a43a4bcf".CN=SERUER—1.CN=Servers.CN=Default—Firs t—Site.CN=Sites.CN=Configuration.DC=UALLEYFORCE.DC=LOCAL
Domain — CN="NTDS Settings DEL:4S404fc5—2363—46fe—h513—0Sd9a43a4bcf".CN=SERUER—1.CN=Servers.CN=Default—Firs t—Site.CN=Sites.CN=Configuration.DC=UALLEYFORCE.DC=LOCAL
PDC — CN="NTDS Settings DEL:4S404fc5—2363—46fe—h513—0Sd9a43a4bcf".CN=SERUER—1.CN=Servers.CN=Default—Firs t—Site.CN=Sites.CN=Configuration.DC=UALLEYFORCE.DC=LOCAL
RID — CN="NTDS Settings DEL:4S404fc5—2363—46fe—h513—0Sd9a43a4bcf".CN=SERUER—1.CN=Servers.CN=Default—Firs t—Site.CN=Sites.CN=Configuration.DC=UALLEYFORCE.DC=LOCAL
Infrastructure — CN="NTDS Settings DEL:4S404fc5—2363—46fe—h513—0Sd9a43a4bcf".CN=SERUER—1.CN=Servers.CN=Default—Firs t—Site.CN=Sites.CN=Configuration.DC=UALLEYFORGE.DC=LOCAL

Server "server—2" knows about 5 roles
Schema — CH="HTDS Settings DEL:4S404fc5—2363—46fe—h513—0Sd9a43a4bcf".CH=SERUER—1.CN=Servers.CN=Default—Firs t—Site.CN=Sites.CH=Configuration.DC=UALLEYFORCE.DC=LOCAL
Domain — CH="HTDS Settings DEL:4S404fc5—2363—46fe—h513—0Sd9a43a4bcf".CH=SERUER—1.CN=Servers.CN=Default—Firs t—Site.CN=Sites.CH=Configuration.DC=UALLEYFORCE.DC=LOCAL
PDC — CH="HTDS Settings DEL:4S404fc5—2363—46fe—h513—0Sd9a43a4bcf".CH=SERUER—1.CN=Servers.CN=Default—Firs t—Site.CN=Sites.CH=Configuration.DC=UALLEYFORCE.DC=LOCAL
RID — CH="HTDS Settings DEL:4S404fc5—2363—46fe—h513—0Sd9a43a4bcf".CH=SERUER—1.CN=Servers.CN=Default—Firs t—Site.CN=Sites.CH=Configuration.DC=UALLEYFORCE.DC=LOCAL
Infrastructure — CH="HTDS Settings DEL:4S404fc5—2363—46fe—h513—0Sd9a43a4bcf".CH=SERUER—1.CN=Servers.CN=Default—Firs t—Site.CN=Sites.CH=Configuration.DC=UALLEYFORCE.DC=LOCAL

Server "server—3" knows about 5 roles
Schema — CN="NTDS Settings DEL:4S404fc5—2363—46fe—h513—0Sd9a43a4hcf".CN=SERUER—1.CN=Servers.CN=Default—Firs t—Site.CN=Sites.CN=Configuration.DC=UALLEYFORCE.DC=LOCAL
Domain — CN="NTDS Settings DEL:4S404fc5—2363—46fe—h513—0Sd9a43a4hcf".CN=SERUER—1.CN=Servers.CN=Default—Firs t—Site.CN=Sites.CN=Configuration.DC=UALLEYFORCE.DC=LOCAL
PDC — CN="NTDS Settings DEL:4S404fc5—2363—46fe—h513—0Sd9a43a4hcf".CN=SERUER—1.CN=Servers.CN=Default—Firs t—Site.CN=Sites.CN=Configuration.DC=UALLEYFORCE.DC=LOCAL
RID — CN="NTDS Settings DEL:4S404fc5—2363—46fe—h513—0Sd9a43a4hcf".CN=SERUER—1.CN=Servers.CN=Default—Firs t—Site.CN=Sites.CN=Configuration.DC=UALLEYFORGE.DC=LOCAL
Infrastructure — CN="NTDS Settings DEL:48404fc5-2363-46fe-b513-08d9a43a4bcf",CN=SERUER-1,CN=Seruers,CN=Default-Firs t-Site,CN=Sites,CN=Configuration,DC=UALLEYFORGE,DC=LOCAL

Thanks For Your Help....
Eric.
0
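Added example, not part of the original posts: the role listing in the post above names a holder whose NTDS Settings RDN carries a `DEL:<GUID>` suffix, which is how Active Directory renames a deleted object. This Python sketch parses saved `list roles for connected server` output from each DC and flags such holders and any disagreement between DCs; the function names and the sample text (constructed in the format of that post) are assumptions.

```python
import re

ROLES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")
ROLE_LINE = re.compile(r"\s*(Schema|Domain|PDC|RID|Infrastructure)\s+-\s+(CN=.+)$")
TOMBSTONE = re.compile(
    r"DEL:([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
)
SERVER = re.compile(r"CN=([^,]+),CN=Servers,", re.IGNORECASE)


def parse_roles(output):
    """Return {role: holder DN} from 'list roles for connected server' text."""
    # A deleted object's RDN has an embedded line break before "DEL:", so the
    # DN can wrap onto a second line; join it back before reading line by line.
    joined = re.sub(r"\s*\n\s*(?=DEL:)", " ", output)
    roles = {}
    for line in joined.splitlines():
        m = ROLE_LINE.match(line)
        if m:
            roles[m.group(1)] = " ".join(m.group(2).split())
    return roles


def holder_server(dn):
    """Name of the server object the NTDS Settings object sits under."""
    m = SERVER.search(dn)
    return m.group(1).upper() if m else None


def audit(captures):
    """captures: {dc name: ntdsutil text}. Returns a list of (dc, role, issue)."""
    findings = []
    parsed = {dc: parse_roles(text) for dc, text in captures.items()}
    for dc, roles in parsed.items():
        for role in ROLES:
            dn = roles.get(role)
            if dn is None:
                findings.append((dc, role, "role not reported"))
                continue
            t = TOMBSTONE.search(dn)
            if t:
                findings.append((
                    dc, role,
                    "holder is a deleted NTDS Settings object "
                    f"({t.group(1).lower()}) under {holder_server(dn)}",
                ))
    # Every DC should name the same holder for each role.
    for role in ROLES:
        views = {r[role].lower() for r in parsed.values() if role in r}
        if len(views) > 1:
            findings.append(("*", role, "DCs disagree on the holder"))
    return findings


# --- Constructed sample input, in the format quoted in the thread ---------
SUFFIX = ("CN=SERVER-1,CN=Servers,CN=Default-First-Site,CN=Sites,"
          "CN=Configuration,DC=VALLEYFORGE,DC=LOCAL")
GUID = "48404fc5-2363-46fe-b513-08d9a43a4bcf"


def _sample(server, rdn):
    lines = [f'Server "{server}" knows about 5 roles']
    lines += [f"{role} - CN={rdn},{SUFFIX}" for role in ROLES]
    return "\n".join(lines)


# Wrapped form: the RDN contains a real newline before "DEL:".
SAMPLE_THREAD = _sample("server-1", f'"NTDS Settings\nDEL:{GUID}"')
# Constructed contrast case: role holder is a live NTDS Settings object.
SAMPLE_HEALTHY = _sample("server-2", "NTDS Settings")

if __name__ == "__main__":
    for dc, role, issue in audit({"server-1": SAMPLE_THREAD,
                                  "server-2": SAMPLE_HEALTHY}):
        print(f"{dc:10} {role:15} {issue}")
```
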
 
LVL 6

Expert Comment

by:Casca1
ID: 9890937
Hey, it's my pleasure. 'Sides, you never know WHAT you'll learn in the process.
Seems that everything else is fine. I assume you are logged on as administrator, and are not able to access either GPO's... Just checking, you understand... 8-)
Verify the security on the two GPO's, and make sure you have proper access.

http://support.microsoft.com/default.aspx?scid=kb;en-us;318698&Product=win2000
This will tell you how to resolve the error where you are unable to delete the server4.
0
 

Author Comment

by:eenderle
ID: 9891100
correct, logon is administrator, and no machine can access Group Policy....

When I Run ADSI Edit On Either server-4 or any of the other servers i get the message:

Snap-in failed to initialize
  Name:not available
  CLSDID {1c5dacfa-16ba-11d2-81do-0000f87a7aa3}

Eric.

0
 
LVL 6

Expert Comment

by:Casca1
ID: 9891177
Well, you will need to run the tool from any of the DC's, not server 4.
Hmmm, let's try this. DCPromo server4, let all repl traffic happen, then DCPromo it back to a member server.
This way, with all servers online when the event occurs, maybe they will all agree that server 4 is no longer a DC. 8-)
I think the issue with the GPO's is related to the server-4 issue. At least, whatever is causing the ADSI tool, the DS tools, and the GPO tools issue all seem connected.
Lemme know what happens.
0
 

Author Comment

by:eenderle
ID: 9891267
I dcpromo'ed Server-4, and will leave it overnight as a dc, if messages decrease why not leave it a dc..?, let me know what you think...
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9891311
Well, if it solves the issue...
The only reason you might NOT want to do so would be to cut down replication traffic. While that shouldn't be an issue, it's still something to consider.
I hope this resolves the issue. ALMOST as much as you do... 8-)
0
 

Author Comment

by:eenderle
ID: 9892463
I'm demoting it back down, messages are the same.....

Is there any easy way of restoring the FSMO Roles to Server-1, I think I have Complete Backup Tapes For Server-1....



0
 
LVL 6

Expert Comment

by:Casca1
ID: 9892589
According to the posts you sent, it looks like all the roles are already assigned to server-1.
Gosh, still getting the same error indicating that two of the servers can't replicate to server-4?
I'm about out of ideas. You might need to tear down the domain and reset.
You might demote server one. That should hand all the roles off to one of the other servers.
Hmmmm....
0
 

Author Comment

by:eenderle
ID: 9892633
After Demoting the server-4 down the message between it and the others has stopped, this is much better than it was, the only problem I am having now is that I can't open group policy on any of the machines still, is that something that can be fixed or should I tear down and rebuild....?


Eric.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9892808
Ok; We have corrected one thing.
Let's try this. First, have you looked at the GPO security? How is that set? Is your admin account listed as the creator, or have modify privileges?
Umm, have you tried to create a new GPO?
You might need to remove the GPO's (AFTER you write down the entries!!!) and recreate them.
Hmmmm. Maybe scan the files using ntdsutil. Is this the only domain?
Was there another domain listed when you ran the dsutil from the prompt?
0
 

Author Comment

by:eenderle
ID: 9892933
When I Select Start-Programs-Admin Tools-Domain Controller Security Policy, The Message That Comes Up Is...

Group Policy Error

Failed to open Group Policy Object, You May Not Have Appropriate Rights
Details: The Specified Domain either does not exists or could not be contacted...

I get the same message with domain security policy.....

This is the only domain...
0
 
LVL 6

Accepted Solution

by:
Casca1 earned 500 total points
ID: 9893088
Ok; There is another way to access the policy files.
Open AD Users and Computers.
Right click the domain name to access the domain policy.
Right click the Domain Controllers to access the controller security policy.
0
 

Author Comment

by:eenderle
ID: 9893208
Talked with boss on phone, he wants them replaced with windows 2000 servers, no need for advanced server, we don't use terminal services or any of the other stuff, thanks for your help.....
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9893509
You know, there is no difference on the servers until you get into Datacenter and like Clusters... 8-)
Before you just trash them, try demoting the 1st server, and see if you can get into it on one of the other servers.
Just a thought. I appreciate the points and grade, but I sunk my teeth into this one, and it's hard to let go...
8-)=)
0
 

Author Comment

by:eenderle
ID: 9893857
I know what you mean, I demoted server-1 and can see it on the network, but the policies are gone, it will not go back to be a domain controller because it says 'failed to find a suitable domain controller for the domain valleyforge.local', it is very weird because when you run dcpromo and input the administrator, password and domain, it will not accept the domain valleforge.local but will accept valleyforge, then when it asks you for the domain again, the same thing, it will not accept the domain valleforge.local but will accept valleyforge, it's like it does not have the right domain in and maybe has something to do with DNS being screwed up.... I don't know...



Eric.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9894069
I had that issue once.
Hmmm, wipe server one. When you demoted it, it should have shoved the FSMO roles onto the other DC's. You might need to make one of the servers a GC. Then try running the DCPromo command again.
If not, then wipe server1.
How's that? 8-)
0
 

Author Comment

by:eenderle
ID: 9899998
I was able to demote it and it now does not show as being a dc, i have made another server the gc, will try re-promoting it back tonight and see what happens........thx
0
 
LVL 6

Expert Comment

by:Casca1
ID: 9900201
Cool. good Luck!
0
