• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 858
  • Last Modified:

AD errors

For the second time in 4 weeks, we are getting errors when people try to log on to the domain.
We have two servers: a 2003 one that used to be the AD operations master, and a newer 2008 one that currently is the operations master.
One error is coming up on the DC.
Group Policy Management: "The domain.local forest could not be loaded and will be removed. The error message was: Group Policy Management could not contact any domain controller in the domain that contains your user account. This may be either because of a network problem or because your account is not in Active Directory and trust detection is enabled."
When I try to go to AD Sites and Services I get this: "The directory schema is not accessible because: an invalid directory path name was passed. The menu may be inaccurate."

The only noticeable errors in the event log are 1053 (Group Policy error: could not resolve user name)

and 14550 (DFS: namespace service could not initialize cross-forest trust information on this domain controller).
Not sure where to start looking for the problem.
Asked by: raffie613
1 Solution
 
raffie613 (Author) commented:
Also, just FYI, when I go to the Group Policy service, it doesn't give me any options to restart, stop or anything. Everything is greyed out.
 
raffie613 (Author) commented:
Found another error in the AD event log, event 2092: "This server is the owner of the following FSMO role but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since the server has been restarted. Replication errors are preventing validation of this role."
 
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
Try the following on the Win2K8 server:

1. Restart DFS by running the following in a command window launched as Administrator and see if the issue is resolved:
      net stop dfs & net start dfs
2. Reboot the Win2K8 server
3. Run dcdiag and check if any tests fail
4. Ensure FSMO roles are assigned to the Win2K8 server
5. Add another Win2K8 server as a DC and retire the Win2K3 server
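Steps 3 and 4 above, as an added PowerShell example that is not part of the thread or of any Microsoft tool. It asks each DC separately who holds the five FSMO roles by reading the fSMORoleOwner attribute over plain LDAP, which works against a 2003 DC as well as a 2008 one (the ActiveDirectory module needs Active Directory Web Services, which 2003 does not have by default), then runs the native replication, dcdiag and DNS checks. Two DCs that disagree about a role, or a DC that does not answer, is the replication problem that event 2092 describes. Assumptions: the DC names SERVER1 (2003) and SERVER2 (2008) and the domain DC=domain,DC=local are the placeholders that appear later in the thread's ntdsutil output; the script is run from a domain-joined admin session.

```powershell
# Added example, not from the thread. Queries FSMO ownership from each DC's own
# replica over LDAP, then runs the native health checks.
$ErrorActionPreference = 'Stop'

$dcs  = 'SERVER1', 'SERVER2'          # assumption: the thread's 2003 and 2008 DCs
$root = 'DC=domain,DC=local'          # assumption: the domain shown in the thread's ntdsutil output

# Each role is recorded on a different object; the value is the NTDS Settings
# DN of the holder, in the same form ntdsutil prints.
$roleObjects = @{
    SchemaMaster   = 'CN=Schema,CN=Configuration,'     + $root
    DomainNaming   = 'CN=Partitions,CN=Configuration,' + $root
    PDC            = $root
    RID            = 'CN=RID Manager$,CN=System,'      + $root
    Infrastructure = 'CN=Infrastructure,'              + $root
}
$roleOrder = 'SchemaMaster', 'DomainNaming', 'PDC', 'RID', 'Infrastructure'

function Get-FsmoHoldersFrom([string]$dc) {
    $row = New-Object PSObject -Property @{ AnsweringDC = $dc }
    foreach ($role in $roleOrder) {
        try {
            # Binding to LDAP://<dc>/... forces the answer to come from that DC's replica.
            $entry  = [adsi]"LDAP://$dc/$($roleObjects[$role])"
            $holder = [string]$entry.Get('fSMORoleOwner')
            # CN=NTDS Settings,CN=<server>,CN=Servers,... -> <server>
            $name   = ($holder -split ',')[1] -replace '^CN='
        } catch {
            # A DC that cannot be bound (e.g. "The RPC server is unavailable") lands here.
            $name = 'ERROR: ' + $_.Exception.Message
        }
        $row | Add-Member -MemberType NoteProperty -Name $role -Value $name
    }
    $row
}

$dcs | ForEach-Object { Get-FsmoHoldersFrom $_ } |
    Format-Table AnsweringDC, SchemaMaster, DomainNaming, PDC, RID, Infrastructure -AutoSize

# Replication status per partner and partition. A DC that has not replicated
# inbound since its last restart does not consider its roles valid (event 2092).
repadmin /showrepl SERVER2 /errorsonly
repadmin /replsummary

# Only failed dcdiag tests.
dcdiag /s:SERVER2 /q

# The 2008 DC's own resolver must point at a DC (itself or its partner); a
# resolver that does not host the _msdcs records makes every other check fail.
Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName SERVER2 -Filter 'IPEnabled = True' |
    Select-Object Description, DNSServerSearchOrder
nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.local
```

If the table shows SERVER1 as SchemaMaster while SERVER2 holds the rest, that matches the ntdsutil output posted further down and means the schema role was never transferred, not that it is merely displayed wrongly.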
 
raffie613 (Author) commented:
Thank you for your reply.
Here is what I did. I rebooted the old 2003 DC and then everything came back. However, I am getting an error when replicating in AD Sites and Services from the 2003 DC or to the 2003 DC. It says the RPC server is unavailable.
 
raffie613 (Author) commented:
Why does everything in AD still seem to be connected to the old DC? Do I need to force the FSMO roles over?
 
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
I believe you need to move the FSMO roles using the NTDSUTIL utility. If the roles cannot be transferred, then shut down Win2K3, ensure the Win2K8 server is pointing to itself for DNS, and seize the FSMO roles using NTDSUTIL.

Once the FSMO roles are transferred and everything works fine, do not power on the Win2K3 server; perform metadata cleanup using NTDSUTIL and finally add a Win2K8 server as a secondary DC. I would then upgrade AD to Win2K8 native.
 
raffie613 (Author) commented:
OK, will do, just one more thing: the 2003 DC, after I rebooted it, said it was rebuilding AD indexes.
So even though I changed the operations roles in AD Users and Computers, I still need to manually do it using ntdsutil?
 
raffie613 (Author) commented:
Also, the 2003 DC does show the newer 2008 DC as holding all 3 master roles when I check in AD Users and Computers: RID, RPC and infrastructure master roles.
 
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
No, you don't. Only do that if you are still getting RPC errors.
 
raffie613 (Author) commented:
OK, I found the Schema Master and Domain Naming Master roles were not transferred. I got the naming master role changed to the new server, but when trying to do the Schema Master it is greyed out under Change.
What am I doing wrong?
This is what I did.

Transferring the Schema Master Role

Click Start, click run, type mmc, and then click OK.
On the Console, menu click Add/Remove Snap-in.
Click Add.
Click Active Directory Schema.
Click Add.
Click Close to close the Add Standalone Snap-in dialog box.
Click OK to add the snap-in to the console.
Right-click the Active Directory Schema icon, and then click Change Domain Controller. NOTE: If you are not on the domain controller where you want to transfer the role, you need to take this step. It is not necessary if you are connected to the domain controller whose role you want to transfer.

Click Specify Domain Controller, type the name of the domain controller that will be the new role holder, and then click OK.
Right-click Active Directory Schema, and then click Operation Masters.
In the Change Schema Master dialog box, click Change.
Click OK.
Click OK.
Click Cancel to close the dialog box.
 
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
Refer to article listed below to transfer or seize FSMO roles:

http://support.microsoft.com/kb/255504
 
raffie613 (Author) commented:
Will that get rid of this freakin problem, so that when AD messes up on the old server it won't take down the entire AD?
 
raffie613 (Author) commented:
When I tried to transfer the schema I got this error:

C:\Documents and Settings\Administrator>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server server2
Binding to server2 ...
Connected to server2 using credentials of locally logged on user.
server connections: q
fsmo maintenance: transfer schema master
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-0315211E, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operation.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Server "server2" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
Domain - CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
PDC - CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
RID - CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
Infrastructure - CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
fsmo maintenance:
 
raffie613 (Author) commented:
It seems to be giving me a permissions issue, but I am logged in as the domain admin.

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.Domain>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server server2
Binding to server2 ...
Connected to server2 using credentials of locally logged on user.
server connections: q
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-0315211E, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operation.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x5(Access is denied.)
)
fsmo maintenance:
 
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
You need Enterprise Admin privileges to move schema.
 
raffie613 (Author) commented:
OK, I added the administrator to the Enterprise Admins group and am still getting the same error.
 
raffie613 (Author) commented:
Any other ideas?
 
raffie613 (Author) commented:
Should I create a new user and add them to the Enterprise Admins group only?
 
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
Add the account to the group Schema Admins. Also look at the article below for more information:

http://www.petri.co.il/seizing_fsmo_roles.htm
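The two answers above (Enterprise Admins for the domain naming role, Schema Admins for the schema role) are the right groups, yet the INSUFF_ACCESS_RIGHTS result persisted after adding them. The following is an added PowerShell example, not from the thread or from Microsoft, that checks the two reasons a freshly added membership does not take effect before retrying: the group SIDs are placed in the access token at logon, so a session that was already logged on when the membership was added still presents the old token to the DC; and Schema Admins and Enterprise Admins live in the forest root domain, so with replication broken (the "RPC server is unavailable" error above) the change may exist only on the DC where it was made, not on the DC ntdsutil binds to. It then transfers the role with the ActiveDirectory module, with the seize variant commented out. Assumptions: it runs on the 2008 R2 DC with the ActiveDirectory module installed, SERVER2 is the intended new schema master, and the forest has the single domain DC=domain,DC=local.

```powershell
# Added example, not from the thread. Pre-checks for the schema-master transfer,
# then the transfer itself.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$target = 'SERVER2'                               # assumption: intended new role holder
$needed = 'Schema Admins', 'Enterprise Admins'    # schema master needs the first, domain naming the second
$me     = $env:USERNAME

# 1. What the current logon token carries. This is what the DC's ACL check
#    evaluates, not the group membership as stored in the directory right now.
$tokenGroups = whoami /groups /fo csv | ConvertFrom-Csv | ForEach-Object { $_.'Group Name' }
foreach ($g in $needed) {
    if ($tokenGroups -match ('\\' + [regex]::Escape($g) + '$')) {
        Write-Host "token carries $g"
    } else {
        Write-Warning "token lacks $g: log off and back on (new token) before retrying ntdsutil"
    }
}

# 2. What the target DC itself believes. If the membership was added on the
#    other DC and has not replicated, $target still sees the old membership.
foreach ($g in $needed) {
    $members = Get-ADGroupMember -Identity $g -Server $target | ForEach-Object { $_.SamAccountName }
    if ($members -contains $me) {
        Write-Host "$target sees $me in $g"
    } else {
        Write-Warning "$target does not see $me in $g: make the change on $target or fix replication first"
    }
}

# 3. Transfer is the graceful path and needs the current holder (SERVER1 in
#    the ntdsutil output above) reachable. Seizing with -Force is for a holder
#    that is gone for good: if the old holder is powered on again afterwards,
#    two DCs claim the same role, which is why the earlier answer says not to
#    power the 2003 server back on after seizing. Run only after checks 1 and 2
#    pass; the domain naming role is listed too in case it is still on SERVER1.
$roles = 'SchemaMaster', 'DomainNamingMaster'
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Confirm:$false
# Seize variant (last resort, old holder must stay off afterwards):
# Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Force -Confirm:$false

# Confirm from the forest's point of view.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
```

The same transfer in the thread's own tool is ntdsutil: roles, connections, connect to server SERVER2, q, transfer schema master (or seize schema master). The point of the two checks is that they explain the "Insufficient Rights" line in the transcripts above without any change to those commands.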
 
raffie613 (Author) commented:
I already added it to Schema Admins and am still getting the same error. I do not understand the reference article you linked at the end. It doesn't say how to resolve the access error; it just shows that it happens.
Also, I'm not sure I understand how the infrastructure role can't be on a GC. What if you only have one DC?
Both my DCs, old and newer, happen to be GCs. Should I remove the GC from the 2003 (older) server?

Thanks.