Solved

Scripts not executing after a DC crash

Posted on 2006-11-30
10
207 Views
Last Modified: 2010-04-18
I had three domain controllers, two Windows 2000 and one Windows 2003.  One of the Windows 2000 servers crashed and had to be removed from the domain without demoting it.  I manually removed all entries from the active directory and transfered all FSMO roles to the other two servers. There are two scripts on our network, one is a vb script tied to the default domain policy under user logon which maps printers and the other is a .bat file which is defined for each user in the profile section which maps shared drives.  Since the domain controller failed, neither of these scripts execute, even after I cleaned up all of the domain issues.  Both scripts live in the SYSVOL and changes to either script replicate on both servers.  Anyone have any ideas?
0
Comment
Question by:jtgraphic
  • 5
  • 3
  • 2
10 Comments
 
LVL 38

Expert Comment

by:Shift-3
Comment Utility
When you say you manually removed entries for the old server, did you do this by running ntdsutil and using the metadata cleanup interface?

Running dcdiag and netdiag may give clues to the cause of the problem.  They can be found under Support\Tools on the Server 2003 CD.
0
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
If you did complete a metadata cleanup, did you also remove the server from AD Sites and Services?

And in DNS?

0
 

Author Comment

by:jtgraphic
Comment Utility
Yes I used ntdsutil to clean up the metadata.  I ran both dcdiag and netdiag and they both passed all tests.  One thing I noticed was that WINS was not enabled; is this is problem?  There are problems throughout our network with extremely slow performance, connection issues to shared resources and I have a Windows 98 box (not by choice) that can no longer log into the domain.
0
 

Author Comment

by:jtgraphic
Comment Utility
OK I think I figured out the problem: There are errors in the application log saying that the server cannot access the group policy objects in the SYSVOL.  What permissions are needed in order for Windows to be able to access this information?
0
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
Have a look at SMB signing then.

It may be that clients are having problems with that if it's enforced.

0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 38

Expert Comment

by:Shift-3
Comment Utility
Are there particular GPOs which can't be accessed?  Check the NTFS permissions on those folders under SYSVOL.

If the permissions are correct then the GPOs might be corrupted.  You might have to delete and re-create them through the Group Policy Management Console.
0
 

Author Comment

by:jtgraphic
Comment Utility
What should the correct permissions be for SYSVOL?
0
 
LVL 38

Accepted Solution

by:
Shift-3 earned 500 total points
Comment Utility
The directories under SYSVOL\<domain>\Policies should at least have these:

Administrators - Full Control
Authenticated Users - Read & Execute, List Folder Contents, Read
CREATOR OWNER
SYSTEM - Full Control
0
 

Author Comment

by:jtgraphic
Comment Utility
I set the permissions for the scripts and for the group policy section and it stopped the errors in the event manager.  The scripts are still not running, though.  I believe that this information is controlled by the default domain policy; will it screw everything up if I delete it and remake it?
0
 

Author Comment

by:jtgraphic
Comment Utility
Check that, doing the permissions did work.  There was also some stuff that got changed with the locations and the referencing of the scripts.  Thanks for the help!
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This video discusses moving either the default database or any database to a new volume.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now