I've been all over looking for a solution to this very strange problem. I am running a VM of our two DC's running windows 2000 on a host-only network to simulate the addition of two more DC's that will be running 2003. Ultimately we want to remove the 2000 DC's from our environment. But I digress. When applying the inetorgpersonprevent script, I'm getting the error "the role owner attribute cannot be read", which in all of my reading points me to investigate my FSMO roles. I ran the FSMO query command and it came back as it should. dcdiag and netdiag are clean. I even tried to seize the roles to the other DC, but I get an error that "The current FSMO holder could not be contacted", which leads me back to thinking that something is wrong with the FSMO roles. I'm getting other errors about assigning group policies and one other that I can't recall exactly here that also lead me to believe there to be something wrong with the FSMO roles, but like I said, the tests come up clean. I am not getting this on the actual DC's by the way. I'm lead to believe it might have had something to do with putting these images in a virtual network, but the only thing I changed is the IP of the servers and their corresponding DNS entries.