Failed to open the Group Policy Object. You may not have appropriate rights. The specified domain either does not exist or could not be contacted.

Hi Everyone,

I am having an issue with accessing the Domain Controller Security Policy and Domain Security Policy consoles on all of the 3 DCs in our domain. The error is:

Group Policy Error
Failed to open the Group Policy Object. You may not have appropriate rights.
Details:
The specified domain either does not exist or could not be contacted.

The shortcut to Domain Controller Security Policy is:
C:\WINDOWS\system32\dcpol.msc /gpobject:"LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=australia,DC=office"

The shortcut to Domain Security Policy is:
C:\WINDOWS\system32\dompol.msc /gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=australia,DC=office"

I have done netdiag, dcdiag, looked at a hunded KB articles and forum posts, but nothing fits/fixes the issue.

A little background. There is one DC in Australia (ERNIE) and there are two DCs in Seattle (DC03 and DATA03.) The Seattle DCs used to be on a different domain but were renamed to the Australian domain. I think it is this domain renaming that is the root of the issues. There are still entries in the DNS (all 3 DCs are DNS servers) that point to the old domain. I've paused the zones relating to the old domain in all 3 DNS servers. All of the replication is working well. No Event Log errors to really speak of. The only issue I have other than the error mentioned is that on both of the Seattle DCs (DC03 and DATA03) the netlogon.dns file in C:\WINDOWS\SYSTEM32\CONFIG has double entries for almost everything. One line entry for the new domain and a duplicate line for the old domain. I've gone through and removed the lines referring to the old domain, but when I restart the Netlogon service the entries reappear.

The only issue in dcdiag and netdiag log was this:

   Running enterprise tests on : australia.office
      Starting test: Intersite
         Doing intersite inbound replication test on site Seattle:
            Locating & Contacting Intersite Topology Generator (ISTG) ...
               *Warning: ISTG time stamp is 26660 minutes old on DC03.  Looking

               for a new ISTG.
               *Warning: The next ISTG could not be authoratively determined

               for site Seattle.  A DC should make an ISTG failover attempt in

               25 minutes.
               * Warning: Current ISTG failed, ISTG role should be taken by

               DATA03  in 25 minutes.
            Checking for down bridgeheads ...
               Bridghead Brisbane\ERNIE is up and replicating fine.
               Bridghead Seattle\DC03 is up and replicating fine.
            Doing in depth site analysis ...
               All expected sites and bridgeheads are replicating into site

               Seattle.
         Doing intersite inbound replication test on site Brisbane:
            Locating & Contacting Intersite Topology Generator (ISTG) ...
               *Warning: ISTG time stamp is 27878 minutes old on ERNIE.

               Looking for a new ISTG.
               ***Error: The current ISTG is down in site Brisbane and further

               dcdiag could not contact any other servers in the site that

               could take the ISTG role.  Ensure there is at least one up DC.

               Must abandon inbound intersite replication test for this site.
               *Warning: Could not locate the next ISTG or site Brisbane.

               Using the last known  ISTG ERNIE as the ISTG.
               The ISTG for site Brisbane is: ERNIE.
            Checking for down bridgeheads ...
               Bridghead Seattle\DC03 is up and replicating fine.
               Bridghead Brisbane\ERNIE is up and replicating fine.
            Doing in depth site analysis ...
               All expected sites and bridgeheads are replicating into site

               Brisbane.
         ......................... australia.office passed test Intersite

One other thing that some KB articles make reference to are the DNS settings on the NICs in the servers. At this stage, ERNIE has itself as the primary DNS and DC03 as the secondary. Vice versa for DC03 (itself as primary, ERNIE as secondary.) DATA03 has DC03 as primary and itself as secondary. None of them have any external DNS servers entered in their NIC settings.

The FSMO roles are as follows:

Schema owner                DC03.australia.office

Domain role owner           DC03.australia.office

PDC role                    ernie.australia.office

RID pool manager            DC03.australia.office

Infrastructure owner        DC03.australia.office

DC03 and ERNIE are Global Catalog servers.

The replication is set up to happen between DC03 and ERNIE and DC03 and DATA03.

All of the servers are Windows 2003.

I am sure I've forgotten something, but if you need any more info, please let me know. I am hoping someone can point me in the right direction, because I've been fighting with this for a day and a half now.

Thanks
B.
btechsydAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

 
Kini pradeepPrincipal Cloud and security consultantCommented:
after using the domain rename tool, were these servers dc03 and data servers in the same forest and what level (another domain in same forest/child domain) and did you run gpfixup after completing the rendom
0
 
btechsydAuthor Commented:
Hey kprad, the servers were both on the same level before and after the rename. Both of them are at the top level of the domain. Just to give you some more info, the way we did the rename was to rename the us.office domain to australia.office following the MS document step-by-step. Once the rename was complete, then ERNIE (in Australia) was joined to the domain and made a DC. We did run gpfixup and there were no errors. In fact, there were no errors or issues during the whole process. It was almost too easy.
0
 
GranModCommented:
PAQed with points refunded (500)

GranMod
Community Support Moderator
0

Experts Exchange Solution brought to you by ConnectWise

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.