• Status: Solved

Only Server 2003 AD Gurus Need Apply

Ok, everyone line up to kick me for going to Microsoft for help.

I recently got Microsoft support to help with an Active Directory issue where a parent domain controller was unable to access a share I set up on a child domain controller. There were some replication issues that were resolved during the course of the support. However, now, while XP users can log in to their local domain, they can't access their shares. They can't even access the Netlogon or the SysVol share. When they try, it prompts for a password, and if I enter the domain administrator username and password, access is granted.

This also means that they get an error trying to apply gpt.ini. After 3 days, Microsoft is still working on the issue, to no avail. Also interesting is the fact that in the domain controller, under User properties, the AD username is missing while the pre-Windows 2000 username still exists. I have entered the username, it allows me to select the FQDN for the correct domain, but it doesn't help. I removed the workstation from the domain and rejoined the domain; that doesn't help.

It appears that all replication is good, secure channels are good, DNS is good; it just seems that the domain just does not recognize the users. I even removed the user and computer from ADUC, removed the workstation from the domain, set up a new user, rejoined the workstation to the domain, and still no access.

I realize this is a complicated issue with very few details, but direction in this issue would be greatly appreciated.
Asked by: cisdoz2

Chris Dent (PowerShell Developer) commented:

A full report from:

DCDiag /e /c /v /f:Output.Log

Would be useful. But from what you've said it's unlikely to be reporting problems - still it's worth checking.

If you add a user to the Domain Admins group (as a test) is access to SYSVOL / NETLOGON restored via the normal user account?

Can you check the exact permissions on both shares? File System level and Share level. The aim of that is to check the Domain Users Group isn't having a problem.

How would you feel about restoring / resetting the Default Domain Controller Policy to its default?

Chris
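
Added example, not part of the thread or any poster's code: a small Python parser for the verbose DCDiag report requested above. It groups results per DC and separates access-denied failures (Win32 error 5, directory error 8453) from other failures, and also flags tests that "passed" while logging a denial. The sample log is an abridged excerpt constructed in the format of the output posted in this thread; all function names are hypothetical.

```python
import re
from collections import defaultdict

# "Starting test: Replications"
START_RE = re.compile(r"^\s*Starting test:\s+(?P<test>\S+)")
# "......................... DC1 failed test Replications"
RESULT_RE = re.compile(
    r"^\s*\.{5,}\s+(?P<server>\S+)\s+(?P<result>passed|failed)\s+test\s+(?P<test>\S+)")
# Numeric codes as DCDiag prints them: "failed with error 8453",
# "failed with 5:", "Error 5 opening ...", "error returned  was 5".
CODE_RE = re.compile(
    r"\b(?:failed with(?: error)?|error returned\s+was|error)\s+(\d+)", re.IGNORECASE)
DENIED_TEXT_RE = re.compile(
    r"access (?:is|was) denied|does not have permission", re.IGNORECASE)

# 5 = ERROR_ACCESS_DENIED, 8453 = ERROR_DS_DRA_ACCESS_DENIED
ACCESS_DENIED_CODES = {5, 8453}


def parse_dcdiag(text):
    """Return one record per completed test found in DCDiag /v output."""
    results, test, body = [], None, []
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            test, body = m.group("test"), []
            continue
        m = RESULT_RE.match(line)
        if m:
            detail = " ".join(s.strip() for s in body if s.strip())
            codes = sorted({int(c) for c in CODE_RE.findall(detail)})
            denied = bool(ACCESS_DENIED_CODES.intersection(codes)) or \
                bool(DENIED_TEXT_RE.search(detail))
            results.append({
                "server": m.group("server").upper(),
                "test": m.group("test"),
                "result": m.group("result"),
                "codes": codes,
                "access_denied": denied,
            })
            test, body = None, []
            continue
        if test is not None:
            body.append(line)  # detail lines belonging to the running test
    return results


def summarize(results):
    """Group tests per server: denied failures, other failures, and
    tests that passed even though a query inside them was denied."""
    summary = defaultdict(
        lambda: {"denied": [], "other": [], "passed_with_denial": []})
    for r in results:
        if r["result"] == "failed":
            key = "denied" if r["access_denied"] else "other"
        elif r["access_denied"]:
            key = "passed_with_denial"
        else:
            continue
        summary[r["server"]][key].append(r["test"])
    return dict(summary)


# Constructed, abridged sample in the format of the log posted in this thread.
SAMPLE = r"""
   Testing server: MINC-Internal\DC1
      Starting test: Replications
         * Replications Check
         [Replications Check,DC1] DsReplicaGetInfoW(PENDING_OPS) failed with error 8453,
         Replication access was denied..
         ......................... DC1 failed test Replications
      Starting test: NetLogons
         Verified share \\DC1\netlogon
         [DC1] User credentials does not have permission to perform this operation.
         ......................... DC1 failed test NetLogons
      Starting test: Services
         Could not open Service Control Manager on [DC1]:failed with 5: Access is denied.
         ......................... DC1 failed test Services
      Starting test: CheckSecurityError
            [DC1] DsReplicaGetInfo(KCC_DS_CONNECT_FAILURES) failed with error 8453,
            Replication access was denied..
         ......................... DC1 passed test CheckSecurityError
   Testing server: MINC-Internal\MSWINSCHL
      Starting test: Advertising
         Warning: MSWINSCHL is not advertising as a time server.
         ......................... MSWINSCHL failed test Advertising
      Starting test: NetLogons
         Verified share \\MSWINSCHL\netlogon
         ......................... MSWINSCHL passed test NetLogons
"""

if __name__ == "__main__":
    for server, groups in summarize(parse_dcdiag(SAMPLE)).items():
        print(server, groups)
```

A DC whose failures all land in the "denied" group was tested with credentials that lack rights on that DC, so those results say little about the services themselves until the report is re-run with an account valid there.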
beocom2500 commented:
I think you should start a new question, cisdoz2, and post it in my big Windows 2003 problems. I think it is very rude, and I think it is against board rules, but I am not 100% sure!

beocom2500 commented:
Update from 04/17/2005 06:56 CEST

I think you should start a new question, cisdoz2, and not post it in my big Windows 2003 problems. I think it is very rude, and I think it is maybe against board rules, but I am not 100% sure!

KG
Beocom2500
cisdoz2 (Author) commented:
Sorry if I was rude.

>>If you add a user to the Domain Admins group (as a test) is access to SYSVOL / NETLOGON restored via the normal user account?

I added a user to the Domain Admins group and logged in as that user.  Was still unable to access the Sysvol /Netlogon share.  Permissions for sysvol share include Everyone-Read and Authenticated Users-Read.  NetLogon share include Everyone-Read.

>>How would you feel about restoring / resetting the Default Domain Controller Policy to its default?

I would not be beyond resetting the Default Domain Controller Policy as it should be pretty much default at this point.

Here is the content of the Output.log:


Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine MsWinschl, is a DC.
   * Connecting to directory service on server MsWinschl.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 9 DC(s). Testing 9 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: MINC-Internal\DC1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... DC1 passed test Connectivity
   
   Testing server: MINC-Internal\MSWINSCHL
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... MSWINSCHL passed test Connectivity
   
   Testing server: MINC-Internal\RSC1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... RSC1 passed test Connectivity
   
   Testing server: MINC-Internal\NET-ANAL
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... NET-ANAL passed test Connectivity
   
   Testing server: MINC-Internal\Q3SERVER
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... Q3SERVER passed test Connectivity
   
   Testing server: MINC-Internal\NETOPS
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... NETOPS passed test Connectivity
   
   Testing server: MINC-Internal\CIS-APPSVR1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... CIS-APPSVR1 passed test Connectivity
   
   Testing server: MINC-Internal\DC2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... DC2 passed test Connectivity
   
   Testing server: MINC-Internal\FLM-APPSVR
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... FLM-APPSVR passed test Connectivity

Doing primary tests
   
   Testing server: MINC-Internal\DC1
      Starting test: Replications
         * Replications Check
         [Replications Check,DC1] DsReplicaGetInfoW(PENDING_OPS) failed with error 8453,
         Replication access was denied..
         ......................... DC1 failed test Replications
      Starting test: Topology
         * Configuration Topology Integrity Check
         * Analyzing the connection topology for DC=TAPI3Directory,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=DomainDnsZones,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=ForestDnsZones,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Configuration,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=FLM,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=CIS,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=NOC,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=ADMIN,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=cms,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... DC1 passed test Topology
      Starting test: CutoffServers
         * Configuration Topology Aliveness Check
         * Analyzing the alive system replication topology for DC=TAPI3Directory,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=DomainDnsZones,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=ForestDnsZones,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Configuration,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=FLM,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=CIS,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=NOC,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=ADMIN,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=cms,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... DC1 passed test CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC DC1.
         * Security Permissions Check for
           DC=TAPI3Directory,DC=MerlotINC,DC=local
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=MerlotINC,DC=local
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=ForestDnsZones,DC=MerlotINC,DC=local
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=MerlotINC,DC=local
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=MerlotINC,DC=local
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=MerlotINC,DC=local
            (Domain,Version 2)
         * Security Permissions Check for
           DC=FLM,DC=MerlotINC,DC=local
            (Domain,Version 2)
         * Security Permissions Check for
           DC=CIS,DC=MerlotINC,DC=local
            (Domain,Version 2)
         * Security Permissions Check for
           DC=NOC,DC=MerlotINC,DC=local
            (Domain,Version 2)
         * Security Permissions Check for
           DC=ADMIN,DC=MerlotINC,DC=local
            (Domain,Version 2)
         * Security Permissions Check for
           DC=cms,DC=MerlotINC,DC=local
            (Domain,Version 2)
         ......................... DC1 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\DC1\netlogon
         Verified share \\DC1\sysvol
         [DC1] User credentials does not have permission to perform this operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... DC1 failed test NetLogons
      Starting test: Advertising
         The DC DC1 is advertising itself as a DC and having a DS.
         The DC DC1 is advertising as an LDAP server
         The DC DC1 is advertising as having a writeable directory
         The DC DC1 is advertising as a Key Distribution Center
         The DC DC1 is advertising as a time server
         The DS DC1 is advertising as a GC.
         ......................... DC1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=MINC-Internal,CN=Sites,CN=Configuration,DC=MerlotINC,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=MINC-Internal,CN=Sites,CN=Configuration,DC=MerlotINC,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=MINC-Internal,CN=Sites,CN=Configuration,DC=MerlotINC,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=MINC-Internal,CN=Sites,CN=Configuration,DC=MerlotINC,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=MINC-Internal,CN=Sites,CN=Configuration,DC=MerlotINC,DC=local
         ......................... DC1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 3105 to 1073741823
         * dc1.MerlotINC.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1105 to 1604
         * rIDPreviousAllocationPool is 1105 to 1604
         * rIDNextRID: 1131
         ......................... DC1 passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC DC1 on DC DC1.
         * SPN found :LDAP/dc1.MerlotINC.local/MerlotINC.local
         * SPN found :LDAP/dc1.MerlotINC.local
         * SPN found :LDAP/DC1
         * SPN found :LDAP/dc1.MerlotINC.local/MINCNETOP
         * SPN found :LDAP/99bc9531-3d24-469b-a43c-601fc4fd9b51._msdcs.MerlotINC.local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/99bc9531-3d24-469b-a43c-601fc4fd9b51/MerlotINC.local
         * SPN found :HOST/dc1.MerlotINC.local/MerlotINC.local
         * SPN found :HOST/dc1.MerlotINC.local
         * SPN found :HOST/DC1
         * SPN found :HOST/dc1.MerlotINC.local/MINCNETOP
         * SPN found :GC/dc1.MerlotINC.local/MerlotINC.local
         ......................... DC1 passed test MachineAccount
      Starting test: Services
         Could not open Service Control Manager on [DC1]:failed with 5: Access is denied.
         ......................... DC1 failed test Services
      Starting test: OutboundSecureChannels
         * The Outbound Secure Channels test
         ** Did not run Outbound Secure Channels test
         because /testdomain: was not entered
         ......................... DC1 passed test OutboundSecureChannels
      Starting test: ObjectsReplicated
         DC1 is in domain DC=MerlotINC,DC=local
         Checking for CN=DC1,OU=Domain Controllers,DC=MerlotINC,DC=local in domain DC=MerlotINC,DC=local on 5 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=DC1,CN=Servers,CN=MINC-Internal,CN=Sites,CN=Configuration,DC=MerlotINC,DC=local in domain CN=Configuration,DC=MerlotINC,DC=local on 9 servers
            Object is up-to-date on all servers.
         ......................... DC1 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         The registry lookup failed to determine the state of the SYSVOL.  The

         error returned  was 5 (Access is denied.).  Check the FRS event log to

         see if the SYSVOL has successfully been shared.
         ......................... DC1 failed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         Error 5 opening FRS eventlog \\DC1:File Replication Service:
 Access is denied.
         ......................... DC1 failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Error 5 opening FRS eventlog \\DC1:Directory Service:
 Access is denied.
         Failed to enumerate event log records, error Access is denied.
         ......................... DC1 failed test kccevent
      Starting test: systemlog
         * The System Event log test
         Error 5 opening FRS eventlog \\DC1:System:
 Access is denied.
         Failed to enumerate event log records, error Access is denied.
         ......................... DC1 failed test systemlog
      Starting test: VerifyReplicas
         ......................... DC1 passed test VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)

         CN=DC1,OU=Domain Controllers,DC=MerlotINC,DC=local and backlink on

         CN=DC1,CN=Servers,CN=MINC-Internal,CN=Sites,CN=Configuration,DC=MerlotINC,DC=local

         are correct.
         The system object reference (frsComputerReferenceBL)

         CN=DC1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MerlotINC,DC=local

         and backlink on CN=DC1,OU=Domain Controllers,DC=MerlotINC,DC=local are

         correct.
         The system object reference (serverReferenceBL)

         CN=DC1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MerlotINC,DC=local

         and backlink on

         CN=NTDS Settings,CN=DC1,CN=Servers,CN=MINC-Internal,CN=Sites,CN=Configuration,DC=MerlotINC,DC=local

         are correct.
         ......................... DC1 passed test VerifyReferences
      Starting test: VerifyEnterpriseReferences
         ......................... DC1 passed test VerifyEnterpriseReferences
      Starting test: CheckSecurityError
         * Dr Auth:  Beginning security errors check!
         Found KDC DC1 for domain MerlotINC.local in site MINC-Internal
         Checking machine account for DC DC1 on DC DC1.
         * SPN found :LDAP/dc1.MerlotINC.local/MerlotINC.local
         * SPN found :LDAP/dc1.MerlotINC.local
         * SPN found :LDAP/DC1
         * SPN found :LDAP/dc1.MerlotINC.local/MINCNETOP
         * SPN found :LDAP/99bc9531-3d24-469b-a43c-601fc4fd9b51._msdcs.MerlotINC.local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/99bc9531-3d24-469b-a43c-601fc4fd9b51/MerlotINC.local
         * SPN found :HOST/dc1.MerlotINC.local/MerlotINC.local
         * SPN found :HOST/dc1.MerlotINC.local
         * SPN found :HOST/DC1
         * SPN found :HOST/dc1.MerlotINC.local/MINCNETOP
         * SPN found :GC/dc1.MerlotINC.local/MerlotINC.local
            [DC1] DsReplicaGetInfo(KCC_DS_CONNECT_FAILURES) failed with error 8453,
            Replication access was denied..
            [DC1] Unable to query the list of KCC connection failures.  Continuing...
         [DC1] No security related replication errors were found on this DC!  To target the connection to a specific source DC use /ReplSource:<DC>.
         ......................... DC1 passed test CheckSecurityError
   
   Testing server: MINC-Internal\MSWINSCHL
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            CN=Schema,CN=Configuration,DC=MerlotINC,DC=local
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=MerlotINC,DC=local
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         * Replication Site Latency Check
         ......................... MSWINSCHL passed test Replications
      Starting test: Topology
         * Configuration Topology Integrity Check
         * Analyzing the connection topology for DC=cms,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Configuration,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... MSWINSCHL passed test Topology
      Starting test: CutoffServers
         * Configuration Topology Aliveness Check
         * Analyzing the alive system replication topology for DC=cms,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Configuration,DC=MerlotINC,DC=local.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... MSWINSCHL passed test CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC MSWINSCHL.
         * Security Permissions Check for
           DC=cms,DC=MerlotINC,DC=local
            (Domain,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=MerlotINC,DC=local
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=MerlotINC,DC=local
            (Configuration,Version 2)
         ......................... MSWINSCHL passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\MSWINSCHL\netlogon
         Verified share \\MSWINSCHL\sysvol
         ......................... MSWINSCHL passed test NetLogons
      Starting test: Advertising
         The DC MSWINSCHL is advertising itself as a DC and having a DS.
         The DC MSWINSCHL is advertising as an LDAP server
         The DC MSWINSCHL is advertising as having a writeable directory
         The DC MSWINSCHL is advertising as a Key Distribution Center
         Warning: MSWINSCHL is not advertising as a time server.
         ......................... MSWINSCHL failed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=MINC-Internal,CN=Sites,CN=Configuration,DC=MerlotINC,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=MINC-Internal,CN=Sites,CN=Configuration,DC=MerlotINC,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=MSWINSCHL,CN=Servers,CN=MINC-Internal,CN=Sites,CN=Configuration,DC=MerlotINC,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=MSWINSCHL,CN=Servers,CN=MINC-Internal,CN=Sites,CN=Configuration,DC=MerlotINC,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=MSWINSCHL,CN=Servers,CN=MINC-Internal,CN=Sites,CN=Configuration,DC=MerlotINC,DC=local
         ......................... MSWINSCHL passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 1933 to 1073741823
         * MsWinschl.cms.MerlotINC.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1433 to 1932
         * rIDPreviousAllocationPool is 1433 to 1932
         * rIDNextRID: 1565
         ......................... MSWINSCHL passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC MSWINSCHL on DC MSWINSCHL.
         * SPN found :LDAP/MsWinschl.cms.MerlotINC.local/cms.MerlotINC.local
         * SPN found :LDAP/MsWinschl.cms.MerlotINC.local
         * SPN found :LDAP/MSWINSCHL
         * SPN found :LDAP/MsWinschl.cms.MerlotINC.local/JRHI_NT
         * SPN found :LDAP/eab47875-1146-4dc0-a4b1-9999d9c481d3._msdcs.MerlotINC.local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/eab47875-1146-4dc0-a4b1-9999d9c481d3/cms.MerlotINC.local
         * SPN found :HOST/MsWinschl.cms.MerlotINC.local/cms.MerlotINC.local
         * SPN found :HOST/MsWinschl.cms.MerlotINC.local
         * SPN found :HOST/MSWINSCHL
         * SPN found :HOST/MsWinschl.cms.MerlotINC.local/JRHI_NT
         * SPN found :GC/MsWinschl.cms.MerlotINC.local/MerlotINC.local
         ......................... MSWINSCHL passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... MSWINSCHL passed test Services
      Starting test: OutboundSecureChannels
         * The Outbound Secure Channels test
         ** Did not run Outbound Secure Channels test
         because /testdomain: was not entered
         ......................... MSWINSCHL passed test OutboundSecureChannels
      Starting test: ObjectsReplicated
         MSWINSCHL is in domain DC=cms,DC=MerlotINC,DC=local
         Checking for CN=MSWINSCHL,OU=Domain Controllers,DC=cms,DC=MerlotINC,DC=
local in domain DC=cms,DC=MerlotINC,DC=local on 5 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=MSWINSCHL,CN=Servers,CN=MINC-Internal,
CN=Sites,CN=Configuration,DC=MerlotINC,DC=local in domain CN=Configuration,DC=Ce
nterISD,DC=local on 9 servers
            Object is up-to-date on all servers.
         ......................... MSWINSCHL passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... MSWINSCHL passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         ......................... MSWINSCHL passed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minut
es.
         ......................... MSWINSCHL passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/17/2005   12:26:57
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/17/2005   12:59:19
            (Event String could not be retrieved)
         ......................... MSWINSCHL failed test systemlog
      Starting test: VerifyReplicas
0
 
Netman66Commented:
Have you applied Service Pack 1 to any of these servers?  If so, make certain that the Windows Firewall/ICS Service is disabled.

Also, in the local Group Policy (Default Domain Controller Policy) make sure that this element is set correctly:

Local Policies>User Rights Assignment>Access this computer from the network: Define these policy settings is checked

...and contains:

Administrators
Authenticated Users
Everyone
IUSR_servername
IWAN_servername


Let us know.
0
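The user-right check Netman66 describes above, written as an added example that is not part of the original thread: it reads the `[Privilege Rights]` section of an exported security template (a policy's `GptTmpl.inf` or `secedit /export /cfg` output) and reports which of Administrators, Authenticated Users and Everyone are missing from "Access this computer from the network" or listed under the matching deny right. The function names and the sample template are constructed for illustration; the IUSR/IWAN accounts from the post are left out because they exist only where IIS is installed.

```python
# Real template files are usually UTF-16: read them with encoding="utf-16".
REQUIRED = {  # well-known SIDs of the built-in principals named in the post
    "S-1-5-32-544": "Administrators",
    "S-1-5-11": "Authenticated Users",
    "S-1-1-0": "Everyone",
}

def privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs carry a leading '*'; unresolved accounts appear as bare names.
            rights[name.strip()] = [
                p.strip().lstrip("*") for p in value.split(",") if p.strip()
            ]
    return rights

def audit_network_logon(inf_text):
    """List problems with the allow and deny network-logon rights."""
    rights = privilege_rights(inf_text)
    findings = []
    if "SeNetworkLogonRight" not in rights:
        findings.append("SeNetworkLogonRight is not defined in this policy")
    allowed = {p.lower() for p in rights.get("SeNetworkLogonRight", [])}
    denied = {p.lower() for p in rights.get("SeDenyNetworkLogonRight", [])}
    for sid, name in REQUIRED.items():
        keys = {sid.lower(), name.lower()}
        if not keys & allowed:
            findings.append(f"missing from allow list: {name} ({sid})")
        if keys & denied:
            findings.append(f"explicitly denied: {name} ({sid})")
    return findings

# Constructed sample, not taken from the thread's servers.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-9
SeDenyNetworkLogonRight = *S-1-5-11
SeInteractiveLogonRight = *S-1-5-32-544
"""
```

On the constructed sample, `audit_network_logon(SAMPLE_INF)` returns three findings: Authenticated Users is both missing and denied, and Everyone is missing. With that combination members of Administrators can still connect while ordinary users cannot.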
 
Netman66Commented:
Also, make sure the DC was moved into the Domain Controllers OU when it was DCPROMO'd.

More info can be found in this article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;329860

There is also mention of resetting the Secure Channel using NLTEST.


0
 
Chris DentPowerShell DeveloperCommented:

Before attempting this ensure you check the location of the DC computer accounts and firewall settings as Netman suggests.

The main reason I suggested resetting to the default policy is to rule out any mis-configuration in the default domain controller policy as a cause of your problem.

Any serious misconfiguration there will directly affect client and server access to any of the domain controllers.

This MS page has details on the use of the DCGPO fix tool:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/48872034-1907-4149-b6aa-9788d38209d2.mspx

But I suggest trying:

dcgpofix /target: dc

Which will restore the Default Domain Controller Policy to the domain default.

It may not have any impact on the problem, but it would be good to rule out policies as a cause.
0
 
cisdoz2Author Commented:
>>Have you applied Service Pack 1 to any of these servers?
Servers are currently running Service Pack 1

>>Also, in the local Group Policy (Default Domain Controller Policy) make sure that this element is set correctly:
I have verified policy settings as you suggested.  However, IUSR_servername and IWAN_servername were not listed though I assume that this is because I have not installed Internet Information Services, correct?

>>Also, make sure the DC was moved into the Domain Controllers OU when it was DCPROMO'd.
I have verified that the server is listed in the Domain Controllers OU.

>>There is also mention of resetting the Secure Channel using NLTEST.
NLTest indicated that the secure channel from the NT4 BDC and the Windows Server 2003 is valid.

I also ran dcgpofix /target: dc as suggested.

I found one user that could access the Sysvol share on the domain controller, but not a share that he has privileges to on the NT4 box.  However, other users still could not access the SYSVOL.

Might you have any additional suggestions?  I am still waiting on a return call from Microsoft support, but I am beginning to feel that they too are baffled.
Thanks in advance.
0
 
Chris DentPowerShell DeveloperCommented:

Is this one the only DC on the child domain?
0
 
Netman66Commented:
You never mentioned NT4 before your last post - this could be of significance.

Please describe how many servers you have that are Domain Controllers, what role they play and if any are remotely connected.  Your test seems to indicate you have 9 DCs that it is aware of.

You should check the Domain and Forest functional levels - they MUST be at Windows 2000 mixed mode or the NT4 box is no longer being acknowledged as a DC.



0
Question has a verified solution.
