Question from JimmyK0731:
Migrating 2003 DC/GL to Server 2008 - Authenticated users lose privileges

Ok, I need some major help please.
We have a single domain and 4 DC/GL servers. Here at the main location we have one server, server1, that holds all the FSMO roles. I built a new Windows Server 2008, server2, and moved all the FSMO roles from server1 to server2. Everything seemed to be functioning OK yesterday, until this morning when users began logging in again and authenticated to the new server, server2.

The main issue appearing is listed below, but I can assume that there may be other authentication issues down the line:
- On server1, we have network printers set up for staff, and when they authenticate to server2 they cannot print to them; the printers state Access denied. Once I restart the PC and they authenticate to another server, everything is fine...

Thank you for any help! =)
conradjones:

is the time the same on all servers?

is dns setup correctly and functioning?

Can you check this server's event log for errors and post them here so we can diagnose?
Darius Ghassem:
Make sure you are pointing to working internal DNS servers. Run dcdiag. If the users were logged in they need to log off then log back on.
JimmyK0731 (asker):
1. Time - I just noticed that server2's time is wrong/changed from yesterday.
   - Manually adjusted to match.
2. DNS is loaded on server2, which it imported dynamically from server1.
3. Logs from server2:
Attached; it looks like there are issues with the Directory Service.
Ok, server2, AKA: Kronos is pointing to server1 for dns, and secondary to itself.
The DCDIAG results:
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\jim>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = kronos
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Coronado\KRONOS
      Starting test: Connectivity
         ......................... KRONOS passed test Connectivity

Doing primary tests

   Testing server: Coronado\KRONOS
      Starting test: Advertising
         ......................... KRONOS passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... KRONOS passed test FrsEvent
      Starting test: DFSREvent
         ......................... KRONOS passed test DFSREvent
      Starting test: SysVolCheck
         ......................... KRONOS passed test SysVolCheck
      Starting test: KccEvent
         An Error Event occurred.  EventID: 0xC0000620
            Time Generated: 04/08/2010   11:30:38
            Event String:
            None of the directory servers in the following site that replicate t
he following directory partition are configured to use the following transport,
even though the site itself is configured to allow replication over this transpo
rt.
         An Error Event occurred.  EventID: 0xC0000620
            Time Generated: 04/08/2010   11:30:38
            Event String:
            None of the directory servers in the following site that replicate t
he following directory partition are configured to use the following transport,
even though the site itself is configured to allow replication over this transpo
rt.
         An Error Event occurred.  EventID: 0xC0000620
            Time Generated: 04/08/2010   11:30:38
            Event String:
            None of the directory servers in the following site that replicate t
he following directory partition are configured to use the following transport,
even though the site itself is configured to allow replication over this transpo
rt.
         ......................... KRONOS failed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... KRONOS passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... KRONOS passed test MachineAccount
      Starting test: NCSecDesc
         ......................... KRONOS passed test NCSecDesc
      Starting test: NetLogons
         ......................... KRONOS passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... KRONOS passed test ObjectsReplicated
      Starting test: Replications
         ......................... KRONOS passed test Replications
      Starting test: RidManager
         ......................... KRONOS passed test RidManager
      Starting test: Services
         ......................... KRONOS passed test Services
      Starting test: SystemLog
         An Warning Event occurred.  EventID: 0xC25A008E
            Time Generated: 04/08/2010   11:25:10
            Event String:
            The time service has stopped advertising as a time source because th
e local clock is not synchronized.
         An Warning Event occurred.  EventID: 0xC25A0090
            Time Generated: 04/08/2010   11:25:10
            Event String:
            The time service has stopped advertising as a good time source.
         An Warning Event occurred.  EventID: 0x825A0032
            Time Generated: 04/08/2010   11:25:10
            Event String:
            The time service detected a time difference of greater than 5000 mil
liseconds for 900 seconds. The time difference might be caused by synchronizatio
n with low-accuracy time sources or by suboptimal network conditions. The time s
ervice is no longer synchronized and cannot provide the time to other clients or
 update the system clock. When a valid time stamp is received from a time servic
e provider, the time service will correct itself.
         An Warning Event occurred.  EventID: 0xC25A0090
            Time Generated: 04/08/2010   11:25:12
            Event String:
            The time service has stopped advertising as a good time source.
         ......................... KRONOS passed test SystemLog
      Starting test: VerifyReferences
         ......................... KRONOS passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : gsaz
      Starting test: CheckSDRefDom
         ......................... gsaz passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... gsaz passed test CrossRefValidation

   Running enterprise tests on : gsaz.local
      Starting test: LocatorCheck
         ......................... gsaz.local passed test LocatorCheck
      Starting test: Intersite
         ......................... gsaz.local passed test Intersite
Looks like Server2/Kronos is not replicating correctly.
Kronos is a Windows Server 2008; the other DC/GLs are Server 2003.
I can't see the logs? Did you attach them?

Can you set all your servers to sync from one you choose to be the master?

run this on each server except the master
timesrc == the server you want to be the master

net time \\TIMESRC /set /yes

Windows will fail Active Directory authentication requests if the time is different between machines.
OK, I see the logs ;)

Set the servers to use themselves as primary DNS and no secondary. It works well for us.

Check the replication settings in Active Directory Sites and Services: that the servers are in the correct sites and that they are set to replicate with each other.
Yep, I uploaded them, I'll do it again.
Ahh ok, I can choose the master, correct?
Eventlogs.zip
Yes, you can choose the master.

Run the net time command on all servers (including the master).
I tried typing:
timesrc == 10.10.32.3 in a command prompt on a few of the servers, and the response is 'timesrc' is not recognized as an internal or external command, operable program or batch file.
OK, I just looked over Sites and Services, and it looks like each server is replicating to and from each other; see pic attached.
Can you list your domain controllers by name?
yep:
confidence (server1)
conviction
clarendon
commitment
Kronos (server2)
Which servers are running DNS / DHCP?

Are all the settings consistent across each DHCP server?

Is DNS functioning correctly on each server? Is it configured to allow zone transfers to the other servers?

Your FRS log has the answers.
DNS is running on Confidence and Kronos.
Confidence holds DHCP, but I have installed DHCP on Kronos with no scopes yet.
DNS looks to be functioning correctly. I will check the zone transfers and look at the FRS log.
The FRS log on Kronos now says the following for each server:
The File Replication Service has enabled replication from CLARENDON to KRONOS for c:\windows\sysvol\domain after repeated retries.
type:

net time \\TIMESRC /set /yes


change TIMESRC to the name of the server you want to be your time source
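The net time step above only sets the clock; it does not tell you how far each DC has drifted from the master or whether any DC is still past the skew that makes Kerberos reject authentication. The following PowerShell script is an added example (not from this thread or from Microsoft) that measures each DC's offset against a chosen time source with the built-in w32tm tool. It assumes PowerShell 2.0 or later on a domain-joined machine that can reach UDP 123 on every DC; the source name CONFIDENCE is a placeholder taken from the DC list in this thread.

```powershell
# Added example: report each DC's clock skew relative to a chosen time source.
# Assumes: PowerShell 2.0+, domain-joined host, NTP (UDP 123) reachable on all DCs.
param(
    [string]$TimeSource  = 'CONFIDENCE',   # assumed placeholder: the DC you picked as master
    [double]$WarnSeconds = 5,              # w32time's own 5000 ms warning threshold
    [double]$FailSeconds = 300             # Kerberos default maximum tolerable clock skew
)

# Enumerate DCs without the AD PowerShell module (works against 2003/2008 domains).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs    = $domain.DomainControllers | ForEach-Object { $_.Name }

function Get-OffsetSeconds {
    param([string]$Computer)
    # Offset of $Computer's clock from the local clock, averaged over the
    # sample lines w32tm prints, which look like "11:25:10, +00.0012345s".
    $lines   = & w32tm /stripchart /computer:$Computer /samples:3 /dataonly 2>&1
    $samples = foreach ($l in $lines) {
        if ("$l" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $samples) { return $null }    # unreachable, or NTP blocked by a firewall
    ($samples | Measure-Object -Average).Average
}

$ref = Get-OffsetSeconds -Computer $TimeSource
if ($null -eq $ref) { throw "Cannot query time source $TimeSource" }

foreach ($dc in $dcs) {
    $off = Get-OffsetSeconds -Computer $dc
    if ($null -eq $off) { "{0,-30} UNREACHABLE" -f $dc; continue }
    # Skew is measured against the chosen master, not against this machine's clock,
    # so the result does not depend on where the script is run.
    $skew  = [math]::Abs($off - $ref)
    $state = if ($skew -gt $FailSeconds) { 'FAIL (beyond Kerberos tolerance)' }
             elseif ($skew -gt $WarnSeconds) { 'WARN' }
             else { 'ok' }
    "{0,-30} skew {1,9:N3}s  {2}" -f $dc, $skew, $state
}
```

Run it before and after the net time step; any DC still reporting FAIL will keep producing the kind of authentication failures described at the top of this thread until its clock is corrected.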
Gotcha, sorry about that, worked =)
Is there a way to force a PC to authenticate to the new server to test and see if these issues have gone away?
The only way I can think of is to have only that server in the AD site that matches the IP subnet of the PC.

Might be easier to try quite a few machines and reboot them a lot of times ;)
LOLOLOLOL ok =)
OK, I'm still trying to get a PC or VM to authenticate to Kronos. The logs have settled down and the only issue that I "see" in the logs is:

None of the directory servers in the following site that replicate the following directory partition are configured to use the following transport, even though the site itself is configured to allow replication over this transport.
 
Site:
CN=LosOlivos,CN=Sites,CN=Configuration,DC=gsaz,DC=local
Directory partition:
CN=Configuration,DC=gsaz,DC=local
Transport:
CN=SMTP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=gsaz,DC=local
 
User Action
 
- Configure the site to not allow replication using this transport by modifying the appropriate siteLink objects.
- Enable one or more directory servers to use this transport. For the SMTP transport, this requires installation of the SMTP service and configuration of the mailAddress attribute on the corresponding Server object.
if you go into

active directory sites and services
>>> Inter-Site Services
>>>>>SMTP

is there a link defined there?
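The KCC event quoted above describes a precise condition: a site is listed on a siteLink under the SMTP inter-site transport, yet no server object in that site carries a mailAddress attribute. The following PowerShell script is an added example (not from this thread) that checks exactly that from the Configuration partition, so you can see which SMTP siteLinks and sites are involved before removing the transport or enabling SMTP on a server. It assumes a domain-joined machine with read access to the Configuration partition and PowerShell 2.0 or later; no AD module is needed.

```powershell
# Added example: for every siteLink under the SMTP inter-site transport, list the
# sites it covers and flag those with no SMTP-capable (mailAddress) server object.
# Assumes: domain-joined host, PowerShell 2.0+, read access to CN=Configuration.
$cfg  = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
$smtp = [ADSI]"LDAP://CN=SMTP,CN=Inter-Site Transports,CN=Sites,$cfg"

function Test-SiteHasSmtpServer {
    param([string]$SiteDN)
    # True when at least one server object in the site has mailAddress set,
    # which is what the KCC requires before it will use the SMTP transport there.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Servers,$SiteDN"
    $searcher.Filter     = '(&(objectClass=server)(mailAddress=*))'
    $searcher.PropertiesToLoad.Add('cn') | Out-Null
    return ($null -ne $searcher.FindOne())
}

$linkCount = 0
foreach ($link in $smtp.Children) {
    if ($link.SchemaClassName -ne 'siteLink') { continue }   # skip non-link objects
    $linkCount++
    "SMTP siteLink: $($link.cn)"
    foreach ($siteDN in $link.siteList) {
        $flag = if (Test-SiteHasSmtpServer -SiteDN $siteDN) { 'ok' }
                else { 'NO SMTP-capable server (the KCC event above is expected)' }
        "   {0,-55} {1}" -f $siteDN, $flag
    }
}
if ($linkCount -eq 0) { 'No siteLink objects defined under the SMTP transport.' }
```

A site flagged here needs one of the two user actions from the event text: drop it from the SMTP siteLink, or give a server in it the SMTP service and a mailAddress.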


OK, so I removed the SMTP transport from the LosOlivos/commitment server. There is no need for SMTP on commitment or Kronos.
LosOlivos.jpg
OK, so the last issue: it looks like when I try to replicate to Kronos from any DC I get:
The target principal name is incorrect... any ideas how to fix this?
SitenServices2.jpg
ASKER CERTIFIED SOLUTION by conradjones (solution text not available on this page).
Looks like the time synch was the initial issue, so I will close this Question and open a new one concerning the Replication.

THANKS AGAIN!!!!  =)