Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 220
  • Last Modified:

Scripts not executing after a DC crash

I had three domain controllers, two Windows 2000 and one Windows 2003.  One of the Windows 2000 servers crashed and had to be removed from the domain without demoting it.  I manually removed all entries from the active directory and transfered all FSMO roles to the other two servers. There are two scripts on our network, one is a vb script tied to the default domain policy under user logon which maps printers and the other is a .bat file which is defined for each user in the profile section which maps shared drives.  Since the domain controller failed, neither of these scripts execute, even after I cleaned up all of the domain issues.  Both scripts live in the SYSVOL and changes to either script replicate on both servers.  Anyone have any ideas?
0
jtgraphic
Asked:
jtgraphic
  • 5
  • 3
  • 2
1 Solution
 
Shift-3Commented:
When you say you manually removed entries for the old server, did you do this by running ntdsutil and using the metadata cleanup interface?

Running dcdiag and netdiag may give clues to the cause of the problem.  They can be found under Support\Tools on the Server 2003 CD.
0
 
Netman66Commented:
If you did complete a metadata cleanup, did you also remove the server from AD Sites and Services?

And in DNS?

0
 
jtgraphicAuthor Commented:
Yes I used ntdsutil to clean up the metadata.  I ran both dcdiag and netdiag and they both passed all tests.  One thing I noticed was that WINS was not enabled; is this is problem?  There are problems throughout our network with extremely slow performance, connection issues to shared resources and I have a Windows 98 box (not by choice) that can no longer log into the domain.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
jtgraphicAuthor Commented:
OK I think I figured out the problem: There are errors in the application log saying that the server cannot access the group policy objects in the SYSVOL.  What permissions are needed in order for Windows to be able to access this information?
0
 
Netman66Commented:
Have a look at SMB signing then.

It may be that clients are having problems with that if it's enforced.

0
 
Shift-3Commented:
Are there particular GPOs which can't be accessed?  Check the NTFS permissions on those folders under SYSVOL.

If the permissions are correct then the GPOs might be corrupted.  You might have to delete and re-create them through the Group Policy Management Console.
0
 
jtgraphicAuthor Commented:
What should the correct permissions be for SYSVOL?
0
 
Shift-3Commented:
The directories under SYSVOL\<domain>\Policies should at least have these:

Administrators - Full Control
Authenticated Users - Read & Execute, List Folder Contents, Read
CREATOR OWNER
SYSTEM - Full Control
0
 
jtgraphicAuthor Commented:
I set the permissions for the scripts and for the group policy section and it stopped the errors in the event manager.  The scripts are still not running, though.  I believe that this information is controlled by the default domain policy; will it screw everything up if I delete it and remake it?
0
 
jtgraphicAuthor Commented:
Check that, doing the permissions did work.  There was also some stuff that got changed with the locations and the referencing of the scripts.  Thanks for the help!
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 5
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now