Solved

AD errors

Posted on 2014-03-13
Last Modified: 2014-03-13
For the second time in 4 weeks we are getting errors when people try to log on to the domain.
We have two servers: one 2003, that used to be the AD operations master, and a newer 2008 one that currently is the operations master.
One error is coming up on the DC.
Group Policy Management: "The domain.local forest could not be loaded and will be removed. The error message was: Group Policy Management could not contact any domain controller in the domain that contains your user account. This may be either because of a network problem or because your account is not in Active Directory and trust detection is enabled."
When I try to go to AD Sites and Services I get this: "The directory schema is not accessible because: an invalid directory path name was passed. The menu may be inaccurate."

The only noticeable errors in the event log are 1053 (Group Policy error: could not resolve user name)

and 14550 (DFS: the namespace service could not initialize cross-forest trust information on this domain controller).
Not sure where to start looking for the problem.
Question by:raffie613
Author Comment

by:raffie613
ID: 39926300
Also, just FYI, when I go to the Group Policy service it doesn't give me any options to restart, stop or anything. Everything is greyed out.

Author Comment

by:raffie613
ID: 39926368
Found another error in AD, event 2092: this server is the owner of the following FSMO role but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since the server has been restarted. Replication errors are preventing validation of this role.

Expert Comment

by:Mohammed Khawaja
ID: 39926491
Try the following on the Win2K8 server:

1. Restart DFS by running the following in a command window launched as Administrator and see if the issue is resolved:
      net stop dfs & net start dfs
2. Reboot the Win2K8 server
3. Run dcdiag and check if any tests fail
4. Ensure FSMO roles are assigned to the Win2K8 server
5. Add another Win2K8 server as a DC and retire the Win2K3 server
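Steps 3 and 4 above (run dcdiag, confirm where the FSMO roles sit) are easiest to do in one pass, together with the two checks that usually explain "could not contact any domain controller" and an invalid 2092 role holder: replication partners and the DC's own DNS client settings. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes an elevated session on the Windows Server 2008 DC, the dcdiag, repadmin and netdom tools that come with the AD DS role, and the hypothetical DC name server2 for the 2008 box.

```powershell
# Added example (not from the original thread). Collects DC health, replication
# errors, FSMO holders and the DNS client configuration of the 2008 DC in one run.
# Assumes: elevated PowerShell on the DC; hypothetical DC name server2.
param(
    [string]$NewDc = 'server2'    # hypothetical: the 2008 DC that should own the roles
)

$report = @{}

# 1. Overall DC health. /c runs every test, /e covers every DC in the forest,
#    /q prints only failures, so an empty section means the tests passed.
$report['dcdiag'] = dcdiag /c /e /q 2>&1

# 2. Replication state for this DC. A partner that answers "RPC server is
#    unavailable" appears here with its consecutive-failure count and last error.
$report['repl'] = repadmin /showrepl $NewDc /errorsonly 2>&1

# 3. The five role holders as the directory sees them. Anything still pointing
#    at the old 2003 DC means the transfer has not actually happened.
$report['fsmo'] = netdom query fsmo 2>&1

# 4. Role validity. Event 2092 means the DC owns a role but has not replicated
#    the partition holding it since boot; these two tests report exactly that.
$report['rolecheck'] = dcdiag /test:KnowsOfRoleHolders /test:FsmoCheck /s:$NewDc /q 2>&1

# 5. The DC's own DNS client must point at a DC (itself or a partner), not an
#    ISP resolver, or the _msdcs SRV lookups behind GPMC, Sites and Services
#    and FSMO validation fail.
$report['dns'] = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
                 ForEach-Object { $_.DNSServerSearchOrder }

foreach ($section in 'dcdiag', 'repl', 'fsmo', 'rolecheck', 'dns') {
    Write-Host "==== $section ====" -ForegroundColor Cyan
    $report[$section]
}
```

Read the sections in order: a dcdiag or repadmin failure against the 2003 DC explains the RPC errors mentioned later in the thread, and a DNS list that does not contain a DC is the first thing to fix before touching any role.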

Author Comment

by:raffie613
ID: 39926502
Thank you for your reply.
Here is what I did. I rebooted the old 2003 dc and then everything came back. However, I am getting an error when replicating in AD sites and services from the 2003 DC or to the 2003 DC. says RPC server is unavailable.

Author Comment

by:raffie613
ID: 39926510
Why does everything in AD still seem to be connected to the old DC? Do I need to force the FSMO roles over?

Expert Comment

by:Mohammed Khawaja
ID: 39926534
I believe you need to move the FSMO roles using NTDSUTIL utility.  If the roles cannot be transferred then shutdown Win2K3, ensure Win2K8 server is pointing to itself for DNS server, seize FSMO roles using NTDSUTIL.

Once the FSMO roles are transferred and everything works fine then do not power on Win2K3 server, perform metadata cleanup using NTDSUTIL and finally add a Win2K8 server as a secondary DC.  I would then upgrade AD to Win2K8 native.

Author Comment

by:raffie613
ID: 39926599
OK, will do, just one more thing: the 2003 DC, after I rebooted, said it was rebuilding AD indexes.
So even though I changed the operations roles in AD Users and Computers, I still need to manually do it using ntdsutil?

Author Comment

by:raffie613
ID: 39926645
Also, the 2003 DC does show the newer 2008 DC as holding all 3 master roles when I check AD Users and Computers: the RID, PDC and infrastructure master roles.

Expert Comment

by:Mohammed Khawaja
ID: 39926648
No you don't.  Only do that if you are still getting RPC errors.

Author Comment

by:raffie613
ID: 39926701
OK, I found the schema master and domain naming master roles were not transferred. I got the naming master role changed to the new server, but when trying to do the schema master it is greyed out under Change.
What am I doing wrong?
This is what i did.

Transferring the Schema Master Role

1. Click Start, click Run, type mmc, and then click OK.
2. On the Console menu, click Add/Remove Snap-in.
3. Click Add.
4. Click Active Directory Schema.
5. Click Add.
6. Click Close to close the Add Standalone Snap-in dialog box.
7. Click OK to add the snap-in to the console.
8. Right-click the Active Directory Schema icon, and then click Change Domain Controller.
   NOTE: If you are not on the domain controller where you want to transfer the role, you need to take this step. It is not necessary if you are connected to the domain controller whose role you want to transfer.
9. Click Specify Domain Controller, type the name of the domain controller that will be the new role holder, and then click OK.
10. Right-click Active Directory Schema, and then click Operation Masters.
11. In the Change Schema Master dialog box, click Change.
12. Click OK.
13. Click OK.
14. Click Cancel to close the dialog box.

Expert Comment

by:Mohammed Khawaja
ID: 39926717
Refer to article listed below to transfer or seize FSMO roles:

http://support.microsoft.com/kb/255504

Author Comment

by:raffie613
ID: 39926738
Will that get rid of this freakin' problem, so that when AD messes up on the old server it won't take down the entire AD?

Author Comment

by:raffie613
ID: 39926756
When I tried to transfer the schema master I got this error:


C:\Documents and Settings\Administrator>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server server2
Binding to server2 ...
Connected to server2 using credentials of locally logged on user.
server connections: q
fsmo maintenance: transfer schema master
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-0315211E, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operation.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Server "server2" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
Domain - CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
PDC - CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
RID - CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
Infrastructure - CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
fsmo maintenance:

Author Comment

by:raffie613
ID: 39926773
It seems to be giving me a permissions issue, but I am logged in as the domain admin.

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.Domain>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server server2
Binding to server2 ...
Connected to yserver2 using credentials of locally logged on user.
server connections: q
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-0315211E, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operation.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x5(Access is denied.)
)
fsmo maintenance:

Accepted Solution

by:Mohammed Khawaja
ID: 39926799
You need Enterprise Admin privileges to move schema.

Author Comment

by:raffie613
ID: 39926923
OK, I added the administrator to the Enterprise Admins group and am still getting the same error.

Author Comment

by:raffie613
ID: 39927321
Any other ideas?

Author Comment

by:raffie613
ID: 39927553
Should I create a new user and add them to the Enterprise Admins group only?

Expert Comment

by:Mohammed Khawaja
ID: 39927673
Add the account to group Schema Admins.  Also look at article below for more information:

http://www.petri.co.il/seizing_fsmo_roles.htm
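The two privilege answers above are both right, but for different roles: transferring the schema master needs Schema Admins, the domain naming master needs Enterprise Admins, and the three domain roles (PDC, RID, infrastructure) need Domain Admins. The part neither answer states is why adding the group changes nothing for the session already open: Windows builds the access token at logon, so a membership added afterwards in AD Users and Computers is not in the token ntdsutil presents to LDAP until the admin logs off and back on. The script below is an added example, not code from the thread or from Microsoft; it replaces the ntdsutil steps from the earlier transfer/seize answer with the ActiveDirectory module, checks the logon token against each role's required group before trying anything, and only seizes when told to. It assumes a Windows Server 2008 R2 DC with the ActiveDirectory module, an elevated session, and the hypothetical target DC name server2.

```powershell
# Added example (not from the original thread). Checks the logon token for the
# group each FSMO role needs, transfers roles that are elsewhere, and seizes
# only when -Seize is given and the transfer fails.
# Assumes: 2008 R2 DC with the ActiveDirectory module; hypothetical DC server2.
param(
    [string]$Target = 'server2',   # hypothetical: DC that should own all five roles
    [switch]$Seize                 # opt in to seizure; never the default
)

Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain
$rootNb = (Get-ADDomain -Identity $forest.RootDomain).NetBIOSName
$domNb  = $domain.NetBIOSName

# Group whose membership each transfer requires. Forest roles live in the
# forest root domain, so the root's NetBIOS name is used for those two.
$needs = @{
    SchemaMaster         = "$rootNb\Schema Admins"
    DomainNamingMaster   = "$rootNb\Enterprise Admins"
    PDCEmulator          = "$domNb\Domain Admins"
    RIDMaster            = "$domNb\Domain Admins"
    InfrastructureMaster = "$domNb\Domain Admins"
}

# The check is against the logon token, not the directory: a group added in
# ADUC after logon is absent here until the admin logs off and on again.
$token = whoami /groups /fo csv | ConvertFrom-Csv | ForEach-Object { $_.'Group Name' }

# Current holders (FQDNs) as the directory sees them.
$holder = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

foreach ($role in @($needs.Keys)) {
    if ($holder[$role] -like "$Target.*" -or $holder[$role] -eq $Target) {
        Write-Host "$role already on $Target"
        continue
    }
    if ($token -notcontains $needs[$role]) {
        Write-Warning "$role needs $($needs[$role]) in the logon token. Add the group, log off and on, then rerun."
        continue
    }
    try {
        # Transfer: the current holder hands the role over and the change
        # replicates, so both DCs agree on the owner afterwards.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $role `
            -Confirm:$false -ErrorAction Stop
        Write-Host "$role transferred from $($holder[$role]) to $Target"
    } catch {
        if (-not $Seize) {
            Write-Warning "$role transfer from $($holder[$role]) failed: $($_.Exception.Message). Rerun with -Seize only if that DC is permanently offline."
            continue
        }
        # Seizure (-Force) rewrites fSMORoleOwner without the old holder's
        # consent. The old DC must never return without a metadata cleanup,
        # or two DCs will each believe they own the role.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $role `
            -Force -Confirm:$false
        Write-Warning "$role seized. Run ntdsutil metadata cleanup for $($holder[$role]) before it is ever powered on again."
    }
}

# Verify from the directory rather than from what the GUI last showed.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```

Run it once without -Seize; if the schema master still refuses, the warning tells you which group is missing from the token, which is the case in this thread. Seizure is a last resort for a holder that is gone for good, which is also why the earlier answer says not to power the 2003 server back on after seizing.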

Author Comment

by:raffie613
ID: 39927764
I already added it to Schema Admins. Still getting the same error. I do not understand the reference article you linked at the end. It doesn't say how to resolve the access error, it just shows that it happens.
Also, not sure I understand how the infrastructure role can't be on a GC. What if you only have one DC?
It happens that both my DCs, old and newer, are GCs. Should I remove the GC from the 2003 (older) server?

Thanks.