Migrating 2003 DC/GL to Server 2008 - Authenticated users lose privileges

Ok, I need some major help please.
We have a single domain, and 4 DC/GL servers. Here @ the main location we have one server, server1, that holds all the FSMO roles. I built a new Windows Server 2008, server2, and moved all the FSMO roles from server1 to server2. Everything seemed to be functioning ok yesterday, until this morning when users began logging in again and authenticated to the new server, server2.

The main issue appearing is listed below, but I can assume that there may be other authentication issues down the line:
- On server1, we have network printers set up for staff, and when they authenticate to server2 they cannot print to them; the printers state Access denied. Once I restart the pc and they authenticate to another server, everything is fine.....

Thank you for any help! =)
JimmyK0731Asked:

conradjonesCommented:
Is the time the same on all servers?

Is DNS set up correctly and functioning?

Can you check this server's event log for errors and post it here so we can diagnose.
0
Darius GhassemCommented:
Make sure you are pointing to working internal DNS servers. Run dcdiag. If the users were logged in they need to log off then log back on.
0
JimmyK0731Author Commented:
1. Time - I just noticed that server2 is wrong/or changed from yesterday.
   - Manually adjusted to match
2. DNS is loaded on server2, which it imported dynamically from server1

3. Logs from server2:
Attached; it looks like there are issues with the Directory Service
0
JimmyK0731Author Commented:
Ok, server2, AKA Kronos, is pointing to server1 for DNS, and secondary to itself.
The DCDIAG results:
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\jim>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = kronos
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Coronado\KRONOS
      Starting test: Connectivity
         ......................... KRONOS passed test Connectivity

Doing primary tests

   Testing server: Coronado\KRONOS
      Starting test: Advertising
         ......................... KRONOS passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... KRONOS passed test FrsEvent
      Starting test: DFSREvent
         ......................... KRONOS passed test DFSREvent
      Starting test: SysVolCheck
         ......................... KRONOS passed test SysVolCheck
      Starting test: KccEvent
         An Error Event occurred.  EventID: 0xC0000620
            Time Generated: 04/08/2010   11:30:38
            Event String:
            None of the directory servers in the following site that replicate t
he following directory partition are configured to use the following transport,
even though the site itself is configured to allow replication over this transpo
rt.
         An Error Event occurred.  EventID: 0xC0000620
            Time Generated: 04/08/2010   11:30:38
            Event String:
            None of the directory servers in the following site that replicate t
he following directory partition are configured to use the following transport,
even though the site itself is configured to allow replication over this transpo
rt.
         An Error Event occurred.  EventID: 0xC0000620
            Time Generated: 04/08/2010   11:30:38
            Event String:
            None of the directory servers in the following site that replicate t
he following directory partition are configured to use the following transport,
even though the site itself is configured to allow replication over this transpo
rt.
         ......................... KRONOS failed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... KRONOS passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... KRONOS passed test MachineAccount
      Starting test: NCSecDesc
         ......................... KRONOS passed test NCSecDesc
      Starting test: NetLogons
         ......................... KRONOS passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... KRONOS passed test ObjectsReplicated
      Starting test: Replications
         ......................... KRONOS passed test Replications
      Starting test: RidManager
         ......................... KRONOS passed test RidManager
      Starting test: Services
         ......................... KRONOS passed test Services
      Starting test: SystemLog
         An Warning Event occurred.  EventID: 0xC25A008E
            Time Generated: 04/08/2010   11:25:10
            Event String:
            The time service has stopped advertising as a time source because th
e local clock is not synchronized.
         An Warning Event occurred.  EventID: 0xC25A0090
            Time Generated: 04/08/2010   11:25:10
            Event String:
            The time service has stopped advertising as a good time source.
         An Warning Event occurred.  EventID: 0x825A0032
            Time Generated: 04/08/2010   11:25:10
            Event String:
            The time service detected a time difference of greater than 5000 mil
liseconds for 900 seconds. The time difference might be caused by synchronizatio
n with low-accuracy time sources or by suboptimal network conditions. The time s
ervice is no longer synchronized and cannot provide the time to other clients or
 update the system clock. When a valid time stamp is received from a time servic
e provider, the time service will correct itself.
         An Warning Event occurred.  EventID: 0xC25A0090
            Time Generated: 04/08/2010   11:25:12
            Event String:
            The time service has stopped advertising as a good time source.
         ......................... KRONOS passed test SystemLog
      Starting test: VerifyReferences
         ......................... KRONOS passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : gsaz
      Starting test: CheckSDRefDom
         ......................... gsaz passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... gsaz passed test CrossRefValidation

   Running enterprise tests on : gsaz.local
      Starting test: LocatorCheck
         ......................... gsaz.local passed test LocatorCheck
      Starting test: Intersite
         ......................... gsaz.local passed test Intersite
0
JimmyK0731Author Commented:
Looks like Server2/Kronos is not replicating correctly.
Kronos is a Windows Server 2008; the other DC/GLs are Server 2003.
0
conradjonesCommented:
I can't see the logs? Did you attach them?

Can you set all your servers to sync from one you choose to be master.

Run this on each server except the master
timesrc == the server you want to be the master

net time \\TIMESRC /set /yes

Windows will fail Active Directory authentication requests if the time is different between machines.
0
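The time skew the reply above warns about can be measured before anyone reboots clients. The following PowerShell is an added example, not code from the thread: from one admin host it queries each DC listed in the thread with w32tm and reports the skew of each one relative to the DC chosen as master (the choice of confidence, server1, is an assumption), flagging anything beyond the Kerberos default tolerance of 5 minutes.

```powershell
# Added example, not part of the thread: measure each DC's clock against the DC
# chosen as time source and flag pairs outside the Kerberos "Maximum tolerance for
# computer clock synchronization" default of 300 s. DC names are the thread's; the
# master being 'confidence' is an assumption. Needs w32tm.exe (Vista/2008 or later
# on the admin host) and NTP (UDP 123) reachability to every DC.
$TimeSource = 'confidence'
$OtherDCs   = 'conviction', 'clarendon', 'commitment', 'kronos'
$MaxSkewSec = 300

function Get-OffsetSeconds {
    param([string]$Computer)
    # /dataonly prints one "HH:mm:ss, +00.0123456s" line per sample; the sign is the
    # remote clock relative to this host. Samples that fail print "error:" instead.
    $lines = & w32tm /stripchart /computer:$Computer /samples:3 /dataonly 2>&1
    $vals = foreach ($l in $lines) {
        if ("$l" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $vals) { throw "no NTP reply from $Computer (service stopped or UDP 123 blocked)" }
    ($vals | Measure-Object -Average).Average
}

# Subtracting the reference offset cancels this host's own clock error, so each
# result is the skew between that DC and the time source, not against this host.
$refOffset = Get-OffsetSeconds -Computer $TimeSource
$report = foreach ($dc in $OtherDCs) {
    try {
        $skew  = (Get-OffsetSeconds -Computer $dc) - $refOffset
        $state = if ([math]::Abs($skew) -gt $MaxSkewSec) { 'KERBEROS WILL FAIL' } else { 'ok' }
    } catch {
        $skew = $null; $state = "unreachable: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{ DC = $dc; SkewSec = $skew; State = $state }
}
$report | Select-Object DC, SkewSec, State | Format-Table -AutoSize

# "net time \\TIMESRC /set /yes" (the reply above) corrects a clock once. To see what a
# DC actually follows afterwards, and to force it to re-sync, run on that DC:
#   w32tm /query /source
#   w32tm /resync
```

Run it again after the `net time` step: every row should read `ok` with a skew well under a second, and a DC that is still `unreachable` is the next thing to look at.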
conradjonesCommented:
OK, I see the logs ;)

Set the servers to use themselves as primary DNS and no secondary. It works well for us.

Check replication settings in Active Directory Sites and Services: that the servers are in the correct sites and that they are set to replicate with each other.
0
JimmyK0731Author Commented:
Yep, I uploaded them, I'll do it again.
Ahh ok, I can choose the master, correct?
Eventlogs.zip
0
conradjonesCommented:
Yes, you can choose the master.

Run the net time command on all servers (including the master).
0
JimmyK0731Author Commented:
I tried typing:
timesrc == 10.10.32.3 in a command prompt on a few of the servers and the response is 'timesrc' is not recognized as an internal or external command, operable program or batch file
0
JimmyK0731Author Commented:
Ok, I just looked over the Sites and Services, and it looks like each server is replicating to and from each other; see pic attached
0
JimmyK0731Author Commented:
PIC, sorry
SitesnServices.jpg
0
conradjonesCommented:
can you list your domain controllers by name
0
JimmyK0731Author Commented:
yep:
confidence (server1)
conviction
clarendon
commitment
Kronos (server2)
0
conradjonesCommented:
Which servers are running DNS / DHCP.

Are all the settings consistent across each DHCP server.

Is DNS functioning correctly on each server, Is it configured to allow zone transfers to the other servers?

Your FRS log has the answers.
0
JimmyK0731Author Commented:
DNS is running on Confidence and Kronos.
Confidence holds DHCP, but I have installed DHCP on Kronos with no scopes yet.
DNS looks to be functioning correctly. I will check the zone transfers and look at the FRS log.
The FRS log now says the following for each server on Kronos:
The File Replication Service has enabled replication from CLARENDON to KRONOS for c:\windows\sysvol\domain after repeated retries.
0
conradjonesCommented:
Type:

net time \\TIMESRC /set /yes

Change TIMESRC to the name of the server you want to be your time source.
0
JimmyK0731Author Commented:
gotcha, sorry bout that, worked =)
0
JimmyK0731Author Commented:
is there a way to force a pc to authenticate to the new server to test and see if these issues have gone away?
0
conradjonesCommented:
the only way I can think of is to have only that server in the AD site that matches the IP subnet of the PC.

Might be easier to try quite a few machines and reboot them a lot of times ;)
0
JimmyK0731Author Commented:
LOLOLOLOL ok =)
0
JimmyK0731Author Commented:
Ok, I'm still trying to get a pc or vm to authenticate to Kronos. The logs have settled down and the only issue that I "see" in the logs is:

None of the directory servers in the following site that replicate the following directory partition are configured to use the following transport, even though the site itself is configured to allow replication over this transport.
 
Site:
CN=LosOlivos,CN=Sites,CN=Configuration,DC=gsaz,DC=local
Directory partition:
CN=Configuration,DC=gsaz,DC=local
Transport:
CN=SMTP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=gsaz,DC=local
 
User Action
 
- Configure the site to not allow replication using this transport by modifying the appropriate siteLink objects.
- Enable one or more directory servers to use this transport. For the SMTP transport, this requires installation of the SMTP service and configuration of the mailAddress attribute on the corresponding Server object.
0
conradjonesCommented:
If you go into

Active Directory Sites and Services
>>> Inter-Site Transports
>>>>> SMTP

is there a link defined there?


0
JimmyK0731Author Commented:
Ok, so I removed the SMTP Transport from the LosOlivos/commitment server. There is no need for SMTP on commitment or Kronos.
LosOlivos.jpg
0
JimmyK0731Author Commented:
Ok, so the last issue: it looks like when I try to replicate to Kronos from any DC I get:
The target principal name is incorrect... any ideas how to fix this?
SitenServices2.jpg
0
conradjonesCommented:
http://support.microsoft.com/kb/288167

Although it says Windows 2000, I think it applies.
0
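Before following the KB, it helps to know exactly which inbound links to the new DC are the ones failing and with what status. This PowerShell is an added example, not code from the thread or from the KB: it reads `repadmin /showrepl <dc> /csv` for Kronos (the DC name is the thread's; a domain-admin session and repadmin.exe from Server 2008 or RSAT are assumed) and lists only the failing links, translating the few status codes it knows.

```powershell
# Added example, not from the thread or the KB: list the replication links into the
# new DC that are failing, with their last status, so the partner(s) returning
# "target principal name is incorrect" are identified before any reset is attempted.
# Assumes repadmin.exe (Server 2008 / RSAT) and a domain-admin session.
$NewDC = 'kronos'

# Status codes that commonly appear in 'Last Failure Status' (assumed, well known):
# SEC_E_WRONG_PRINCIPAL is the HRESULT behind the error text quoted in the thread.
$KnownStatus = @{
    '-2146893022' = '0x80090322 SEC_E_WRONG_PRINCIPAL: target principal name is incorrect'
    '8453'        = 'ERROR_DS_DRA_ACCESS_DENIED: replication access was denied'
    '1722'        = 'RPC_S_SERVER_UNAVAILABLE: RPC server is unavailable'
}

function Get-FailingInboundLinks {
    param([string]$Dc)
    # /csv emits one row per inbound link of $Dc with columns including
    # 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Success Time'
    # and 'Last Failure Status'.
    $rows = & repadmin /showrepl $Dc /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        $n = 0
        if ($r.'Number of Failures' -match '^\d+$') { $n = [int]$r.'Number of Failures' }
        if ($n -gt 0) {
            $code = if ("$($r.'Last Failure Status')" -match '(-?\d+)') { $Matches[1] } else { '' }
            $text = if ($KnownStatus.ContainsKey($code)) { $KnownStatus[$code] } else { "status $code" }
            New-Object PSObject -Property @{
                Source      = $r.'Source DSA'
                Partition   = $r.'Naming Context'
                Failures    = $n
                LastSuccess = $r.'Last Success Time'
                Status      = $text
            }
        }
    }
}

$failing = Get-FailingInboundLinks -Dc $NewDC
if ($failing) {
    $failing | Select-Object Source, Partition, Failures, LastSuccess, Status | Format-Table -AutoSize
} else {
    "No failing inbound links on $NewDC; confirm with: repadmin /replsummary"
}
```

If every failing link shows SEC_E_WRONG_PRINCIPAL from the same source, the problem is on that one partner pair rather than on Kronos as a whole, which narrows where the KB's steps need to be applied.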

JimmyK0731Author Commented:
Looks like the time synch was the initial issue, so I will close this Question and open a new one concerning the Replication.

THANKS AGAIN!!!!  =)
0