Cannot edit GP on new DC

tech-vc

Asked:
I recently created a new Windows Server 2003 server to decommission the old Windows Server 2000 primary domain controller. I have transferred all FSMO roles to the 2003 server, as the 2000 DC will not demote (I did dcpromo /forceremoval but it hangs trying to stop the Netlogon service; it has been sitting there for 15 hrs). Nonetheless the Windows 2003 DC has taken over most of the responsibilities. Users are able to log on and obtain DNS and DHCP from the server. However, I went to create a new GPO and I get the following error.
Error when accessing GPEdit
My DNS seems fine, and to be on the safe side I removed all records of the old DC even though I cannot remove it from the network. Also I have numerous errors in the event log.

Event ID 1030
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Event ID 1006
Windows cannot bind to mydomain.local domain. (Local Error). Group Policy processing aborted.

Event Id 1054
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.
Justin Owens, ITIL Problem Manager

Commented:
Are you SURE all FSMO roles transferred to your new server?

http://www.petri.co.il/determining_fsmo_role_holders.htm

Justin

Author

Commented:
Yes, I just verified by listing the roles for the server.
Schnell Solutions, Systems Infrastructure Engineer

Commented:

When you use dcpromo /forceremoval, it just uninstalls the AD binary files on the DC where you ran the command but doesn't erase the AD objects

so... it doesn't clean the Active Directory metadata. If the metadata hasn't been cleaned you can follow the following KB; it explains there how to use ntdsutil:

http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx

Try to validate it; if you have problems trying to do it, let us know
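As an added example (mine, not part of Schnell's reply or of the linked KB), here is the ntdsutil walk-through for the situation in this thread: olddc's metadata removed from NEWDC, followed by the leftovers that metadata cleanup on Windows Server 2003 does not touch. The server and domain names are the ones that appear in the dcdiag output later in the thread; the numeric indexes are assumptions that have to be read off ntdsutil's own `list` output, and the DN of the FRS member object is the standard location, not something quoted on this page.

```powershell
# Added example: removing a dead Windows 2000 DC (olddc) from the directory on the
# surviving Windows Server 2003 DC (NEWDC). Run on NEWDC as Enterprise Admin.
# Only do this once you are sure olddc will never come back as a DC: after cleanup
# it is an orphan and would have to be rebuilt, never just powered on again.

$newDc  = 'NEWDC'
$oldDc  = 'olddc'
$domain = 'mydomain.local'
$domDn  = 'DC=mydomain,DC=local'

# 1. Confirm every FSMO role is on NEWDC before touching metadata
#    (netdom ships in the Windows Server 2003 Support Tools).
netdom query fsmo

# 2. Read-only pass. ntdsutil takes its menu commands as arguments, so the
#    listing can be scripted. Note the index that 'list servers in site'
#    prints next to CN=OLDDC before going any further.
ntdsutil 'metadata cleanup' 'connections' "connect to server $newDc" 'quit' `
         'select operation target' 'list domains' 'select domain 0' `
         'list sites' 'select site 0' 'list servers in site' `
         'quit' 'quit' 'quit'

# 3. Removal pass. The indexes are assumptions: 0 = the only domain and the only
#    site (Default-First-Site-Name); $oldDcIndex is whatever step 2 printed for
#    olddc. Selecting the wrong index here removes the wrong DC.
$oldDcIndex = 1
ntdsutil 'metadata cleanup' 'connections' "connect to server $newDc" 'quit' `
         'select operation target' 'list domains' 'select domain 0' `
         'list sites' 'select site 0' 'list servers in site' `
         "select server $oldDcIndex" 'quit' 'remove selected server' `
         'quit' 'quit'
# ntdsutil pops a confirmation dialog on 'remove selected server'. It transfers
# or seizes nothing, which is why step 1 comes first.

# 4. What metadata cleanup leaves behind on 2003, and what keeps the errors in
#    this thread alive:
#    a) the FRS member object, which keeps SYSVOL trying to replicate with olddc
dsquery * "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domDn" `
        -scope onelevel -attr name distinguishedName
# dsrm "CN=OLDDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domDn" -noprompt

#    b) DNS: any locator record still naming olddc makes DsGetDcName hand out
#       olddc (the Advertising warning in dcdiag). SRV records are deleted from
#       the DNS console or with dnscmd /RecordDelete and the full record data;
#       the A record is the simple case.
foreach ($srv in "_ldap._tcp.$domain", "_ldap._tcp.dc._msdcs.$domain",
                 "_kerberos._tcp.$domain", "_gc._tcp.$domain") {
    nslookup -type=SRV $srv | findstr /i $oldDc
}
# dnscmd $newDc /RecordDelete $domain $oldDc A /f

#    c) the server object under Sites and Services, if it still exists
dsquery server -domain $domain -o dn
```

The two ntdsutil invocations are split on purpose: the first one only lists, so the index for olddc is confirmed by eye before the second one removes anything. Step 4a matters for the FRS events in this thread, because a stale member object leaves the surviving DC waiting on a partner that no longer exists.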




Justin Owens, ITIL Problem Manager

Commented:
Do you, by any chance, have multiple network adapters on any of your DCs?
How long did you wait between adding the new DC and removing the old DC? GPOs use SYSVOL, which uses FRS for replication. It is possible that SYSVOL hasn't been replicated between the servers if you didn't leave enough time for it to replicate first. You may need to re-create your domain's SYSVOL or restore it from a backup. Does the SYSVOL share/filesystem location exist? I think it should be at %systemroot%\sysvol

Author

Commented:
schnell... the dcpromo /forceremoval is "STOPPING NETLOGON"

No multiple NICs
The Sysvol\domain folder is empty on the original, but on the new server it exists along with the gpt.ini that the event log references:
Event ID 1058
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=local. The file must be present at the location <\\mydomain.local\sysvol\mydomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (The network name cannot be found. ). Group Policy processing aborted.

I can open it, no problem; there is just a version number, but I can open it.
What is the DNS server setting on the new DC's IP stack? Is it pointing to the old DC or the new DC?

Author

Commented:
There is no listing of the old DC under the IP stack.
What IP are you using for DNS resolution on both the DC's?

Author

Commented:
Here is the dcdiag... looks like it still sees the olddc....



Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\NEWDC
      Starting test: Connectivity
         ......................... NEWDC passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\NEWDC
      Starting test: Replications
         ......................... NEWDC passed test Replications
      Starting test: NCSecDesc
         ......................... NEWDC passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\NEWDC\netlogon)
         [NEWDC] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... NEWDC failed test NetLogons
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\olddc.mydomain.local, when we were trying to reach NEWDC.
         Server is not responding or is not considered suitable.
         Warning: NEWDC is not advertising as a global catalog.
         Check that server finished GC promotion.
         Check the event log on server that enough source replicas for the GC are available.
         ......................... NEWDC failed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... NEWDC passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... NEWDC passed test RidManager
      Starting test: MachineAccount
         ......................... NEWDC passed test MachineAccount
      Starting test: Services
         ......................... NEWDC passed test Services
      Starting test: ObjectsReplicated
         ......................... NEWDC passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... NEWDC passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... NEWDC failed test frsevent
      Starting test: kccevent
         ......................... NEWDC passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x40011006
            Time Generated: 10/20/2010   13:52:29
            Event String: The connection was aborted by the remote WINS.

         An Error Event occured.  EventID: 0xC001106C
            Time Generated: 10/20/2010   14:03:47
            Event String: WINS could not read from the User Datagram

         An Error Event occured.  EventID: 0x40011006
            Time Generated: 10/20/2010   14:22:29
            Event String: The connection was aborted by the remote WINS.

         An Error Event occured.  EventID: 0xC001106C
            Time Generated: 10/20/2010   14:43:47
            Event String: WINS could not read from the User Datagram

         ......................... NEWDC failed test systemlog
      Starting test: VerifyReferences
         ......................... NEWDC passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : mydomain
      Starting test: CrossRefValidation
         ......................... sjoberg passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... sjoberg passed test CheckSDRefDom
   
   Running enterprise tests on : mydomain.local
      Starting test: Intersite
         ......................... mydomain.local passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         ......................... mydomain.local failed test FsmoCheck

Author

Commented:
InteraX, the DNS server for all servers is the IP of the NEWDC.
Looking at the dcdiag result the following looks to be of issue.

Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\NEWDC\netlogon)
         [NEWDC] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
         ......................... NEWDC failed test NetLogons
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\olddc.mydomain.local, when we were trying to reach NEWDC.
         Server is not responding or is not considered suitable.
         Warning: NEWDC is not advertising as a global catalog.
         Check that server finished GC promotion.
         Check the event log on server that enough source replicas for the GC are available.

Starting test: frsevent
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.

Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         ......................... mydomain.local failed test FsmoCheck

A couple of new questions have cropped up from this.

1. Has the new DC been made a global catalog?
2. Is there a netlogon share setup on the new DC?
3. How long was left between promotion of newdc and demotion of olddc?

Author

Commented:
1). Yes
2). No
3). all night and I ran repadmin to ensure replication
Justin OwensITIL Problem Manager

Commented:
A functioning DC must have a Netlogon share set up.

There is another Question which goes through what to do when that is missing.....

http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21257895.html

Justin
1 night doesn't really sound like long enough to make sure the new server is up, running and functioning. I suspect you have demoted the old server before everything has been replicated, especially the SYSVOL content. Do you have a valid backup of the old DC? It may be useful to restore the SYSVOL data.
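As an added example (not part of this answer or of the linked Experts Exchange question), a PowerShell check for the two shares and the gpt.ini path quoted in event 1058, followed by the documented FRS BurFlags procedure for re-creating SYSVOL on a DC. The domain name and the Default Domain Policy GUID are the ones in this thread; the Default Domain Controllers Policy GUID is the fixed well-known value; the registry locations are the documented NtFrs and Netlogon values. Nothing newer than PowerShell 2.0 is used, since that is what a Windows Server 2003 box can run.

```powershell
# Added example: SYSVOL / NETLOGON health check and authoritative FRS restore.
# Run on NEWDC, elevated. The D4 step is destructive for every OTHER replica;
# read the comment in Restore-SysvolAuthoritative before calling it.

$domain   = 'mydomain.local'
$gpoGuids = @(
    '{31B2F340-016D-11D2-945F-00C04FB984F9}',  # Default Domain Policy (the GPO in event 1058)
    '{6AC1786C-016F-11D2-945F-00C04fB984F9}'   # Default Domain Controllers Policy (well-known GUID)
)
$burFlagsKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Test-SysvolHealth {
    $ok = $true

    # a) A DC has to publish SYSVOL and NETLOGON; dcdiag's NetLogons test is exactly this.
    $shares = net share
    foreach ($name in 'SYSVOL', 'NETLOGON') {
        if (-not ($shares -match "^$name\s")) { Write-Warning "$name is not shared"; $ok = $false }
    }

    # b) Netlogon shares SYSVOL only after FRS signals the replica is ready (SysvolReady = 1).
    $nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    if ($nl.SysvolReady -ne 1) { Write-Warning "SysvolReady = $($nl.SysvolReady), expected 1"; $ok = $false }

    # c) The domain DFS path the Group Policy engine opens (quoted in event 1058).
    #    A local copy under %systemroot%\sysvol proves nothing if this path fails.
    foreach ($guid in $gpoGuids) {
        $gpt = "\\$domain\sysvol\$domain\Policies\$guid\gpt.ini"
        if (Test-Path $gpt) { Get-Content $gpt } else { Write-Warning "missing $gpt"; $ok = $false }
    }

    # d) FRS says what it is doing: 13516 = SYSVOL ready to share, 13508 = cannot reach a
    #    partner (here: olddc), 13568 = journal wrap, 13565 = replica re-initialising after D2/D4.
    Get-EventLog -LogName 'File Replication Service' -Newest 30 |
        Where-Object { (13508, 13516, 13565, 13568) -contains $_.EventID } |
        Format-Table TimeGenerated, EventID, Message -AutoSize

    return $ok
}

function Restore-SysvolAuthoritative {
    # KB 290762 procedure. BurFlags D4 marks THIS server's SYSVOL as the authoritative
    # copy: every other FRS member discards its SYSVOL and re-syncs from here.
    # Use it only when NEWDC holds the content you want to keep (in this thread olddc's
    # Sysvol\domain is empty and olddc is being removed anyway). With other healthy DCs
    # you would set D2 (non-authoritative) on the broken one instead.
    # The key name contains a literal '/', so the .NET registry API is used rather than
    # the HKLM: provider, which treats '/' as a path separator.
    Stop-Service ntfrs
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($burFlagsKey, $true)
    $key.SetValue('BurFlags', 0xD4, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    Start-Service ntfrs
    # FRS logs 13565 now and 13516 once the rebuilt replica is shared; Netlogon then
    # sets SysvolReady to 1 and publishes SYSVOL and NETLOGON. Re-run Test-SysvolHealth.
}

Test-SysvolHealth
# Restore-SysvolAuthoritative   # deliberate, separate step; see the comment above
```

The check deliberately tests the `\\mydomain.local\sysvol` DFS path rather than the local folder, because that is the path the Group Policy engine uses and the one event 1058 says it cannot reach: a full local SYSVOL with no share, or with SysvolReady still at 0, produces exactly the symptoms in this thread.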

Author

Commented:
Created the shares and some errors went away. Now my GC is the issue and the olddc being listed.

Author

Commented:
Here is the new dcdiag report... I still have the old sysvol folder....
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\NEWDC
      Starting test: Connectivity
         ......................... NEWDC passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\NEWDC
      Starting test: Replications
         ......................... NEWDC passed test Replications
      Starting test: NCSecDesc
         ......................... NEWDC passed test NCSecDesc
      Starting test: NetLogons
         ......................... NEWDC passed test NetLogons
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\olddc.mydomain.local, when we were trying to reach NEWDC.
         Server is not responding or is not considered suitable.
         Warning: NEWDC is not advertising as a global catalog.
         Check that server finished GC promotion.
         Check the event log on server that enough source replicas for the GC are available.
         ......................... NEWDC failed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... NEWDC passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... NEWDC passed test RidManager
      Starting test: MachineAccount
         ......................... NEWDC passed test MachineAccount
      Starting test: Services
         ......................... NEWDC passed test Services
      Starting test: ObjectsReplicated
         ......................... NEWDC passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... NEWDC passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... NEWDC failed test frsevent
      Starting test: kccevent
         ......................... NEWDC passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC001106C
            Time Generated: 10/20/2010   14:43:47
            Event String: WINS could not read from the User Datagram

         An Error Event occured.  EventID: 0x40011006
            Time Generated: 10/20/2010   14:52:29
            Event String: The connection was aborted by the remote WINS.

         An Error Event occured.  EventID: 0x40011006
            Time Generated: 10/20/2010   15:22:29
            Event String: The connection was aborted by the remote WINS.

         An Error Event occured.  EventID: 0xC001106C
            Time Generated: 10/20/2010   15:23:47
            Event String: WINS could not read from the User Datagram

         ......................... NEWDC failed test systemlog
      Starting test: VerifyReferences
         ......................... NEWDC passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : sjoberg
      Starting test: CrossRefValidation
         ......................... sjoberg passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... sjoberg passed test CheckSDRefDom
   
   Running enterprise tests on : mydomain.local
      Starting test: Intersite
         ......................... mydomain.local passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         ......................... mydomain.local failed test FsmoCheck

Author

Commented:
I already did that.

Author

Commented:
and replicated the connections.
It probably hasn't registered itself in DNS yet. A reboot of the new DC may help. Has the old DC completed its dcpromo yet?

Author

Commented:
Negative, the old DC has not completed the dcpromo /forceremoval process. I will reboot.
It looks like the dcpromo of the old server is stuck and may well have failed. After the reboot, you may need to forcefully remove the old server from AD and run a metadata cleanup, and then possibly restore the contents of the old sysvol from a backup to the new server.
Some details on sysvol replication for info.

http://technet.microsoft.com/en-us/library/cc962199.aspx
http://technet.microsoft.com/en-us/library/cc781582(WS.10).aspx

Once a domain has been upgraded to 2008 native mode, DFS-R is used for sysvol replication. This is just some useful info for future reference.

Author

Commented:
Restarting did not help... I restarted server01. I'm wondering how to restore the GC now.
The GC can be recreated from the existing info in the forest, assuming you haven't lost any info from the directory.

Are there any GC's listed in DNS in the zone _msdcs.<forestDNSname> in the gc folder?

Are you still having problems creating GPOs? Did you have any existing GPOs? There should be 2 defaults at a minimum. Do you have a valid backup of the original server? You should be able to restore the SYSVOL from that to the SYSVOL on the new server, and this should recover the existing GPOs.

GPOs will have a reference in the directory, but the actual info of what they do is stored in SYSVOL.
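As an added example (mine, not from the thread), the checks behind the two dcdiag failures that are still open at this point, "NEWDC is not advertising as a global catalog" and "A Global Catalog Server could not be located", and the command that sets or re-sets the GC flag. repadmin, nltest and dcdiag are the Windows Server 2003 Support Tools; the NTDS registry value is the documented one; server and domain names are the ones in the thread.

```powershell
# Added example: why NEWDC is not advertising as a GC, and how to (re)enable it.
# Run on NEWDC with Enterprise Admin rights.
$domain = 'mydomain.local'
$dc     = 'NEWDC'

function Get-GcStatus {
    # 1. Is the isGlobalCatalog option set on NEWDC's NTDS Settings object?
    #    repadmin prints "Current DSA Options: IS_GC" when it is.
    $options = repadmin /options $dc
    $isGcSet = [bool]($options -match 'IS_GC')

    # 2. Has the DS finished building the GC and started advertising? On 2003 this is
    #    the 'Global Catalog Promotion Complete' value (1 = done). Until then no _gc
    #    records are registered and DsGetDcName(GC_SERVER_REQUIRED) fails with 1355.
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $promotionComplete = ($ntds.'Global Catalog Promotion Complete' -eq 1)

    # 3. The DNS records a client resolves to find a GC (the "gc folder" under _msdcs).
    #    Empty answers here reproduce the FsmoCheck failure even when the flag is set.
    $srvGc   = nslookup -type=SRV "_gc._tcp.$domain"
    $srvLdap = nslookup -type=SRV "_ldap._tcp.gc._msdcs.$domain"
    $dnsOk   = [bool](($srvGc + $srvLdap) -match $dc)

    New-Object PSObject -Property @{
        IsGcFlagSet         = $isGcSet
        PromotionComplete   = $promotionComplete
        GcDnsRecordsPresent = $dnsOk
    }
}

Get-GcStatus | Format-List

# 4. Netlogon's own view, bypassing its negative cache. Succeeds only if a GC is
#    registered in DNS and answers on 3268.
nltest "/dsgetdc:$domain" /gc /force

# 5. Fixes, one at a time, re-running Get-GcStatus between them:
#    - flag missing: set it; the DS logs event 1119 ("now advertising as a global
#      catalog") when promotion completes.
# repadmin /options $dc +IS_GC
#    - flag set but DNS empty: re-register NEWDC's locator records.
# nltest /dsregdns
#    - still failing: promotion is waiting on a replication partner it cannot reach
#      (a dead olddc still in the metadata). Clean up olddc's metadata, then re-check.
# dcdiag /s:$dc /test:Advertising
```

The three fields in the status object map to the three stages that have to succeed in order: the flag on the NTDS Settings object, the DS finishing its promotion, and Netlogon registering the `_gc` and `gc._msdcs` records. Reading them together tells you which fix in step 5 applies, instead of rebooting and hoping.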
