Jonathan Jones
AD FSMO Issues

Hello,

I am having problems with Schema and FSMO, I believe. I was moving the 5 roles to another Domain Controller. The netdom query showed the roles transferred to the new DC, but when I ran netdom query on the demoted DC it reported the Schema Role was on a different DC. Now I cannot access AD Users and Groups, Site Manager etc. except where the Schema Role was being reported?? Users can log in and authenticate, but I cannot access the remaining servers' NTDS.dit or any related services, plus replication is now reporting broken. I did a dcdiag and this is what I got:

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = PR-DC01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\PR-DC01
      Starting test: Connectivity
         ......................... PR-DC01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\PR-DC01
      Starting test: Advertising
         ......................... PR-DC01 passed test Advertising
      Starting test: FrsEvent
         The event log File Replication Service on server PR-DC01.prsdnj.org
         could not be queried, error 0x5 "Access is denied."
         ......................... PR-DC01 failed test FrsEvent
      Starting test: DFSREvent
         ......................... PR-DC01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... PR-DC01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... PR-DC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... PR-DC01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... PR-DC01 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=prsdnj,DC=org
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=prsdnj,DC=org
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         CN=Schema,CN=Configuration,DC=prsdnj,DC=org
         Error BUILTIN\Administrators doesn't have
            Replicating Directory Changes
            Replicating Directory Changes All
            Replication Synchronization
            Manage Replication Topology
         access rights for the naming context:
         CN=Schema,CN=Configuration,DC=prsdnj,DC=org
         Error PRSDNJ\Enterprise Read-only Domain Controllers doesn't have
            Replicating Directory Changes
            Replicating Directory Changes All
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         CN=Schema,CN=Configuration,DC=prsdnj,DC=org
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=prsdnj,DC=org
         ......................... PR-DC01 failed test NCSecDesc
      Starting test: NetLogons
         ......................... PR-DC01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... PR-DC01 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,PR-DC01] A recent replication attempt failed:
            From PR-DC03 to PR-DC01
            Naming Context: DC=DomainDnsZones,DC=prsdnj,DC=org
            The replication generated an error (8456):
            The source server is currently rejecting replication requests.
            The failure occurred at 2016-11-02 13:49:44.
            The last success occurred at 2016-11-01 14:45:37.
            26 failures have occurred since the last success.
            Replication has been explicitly disabled through the server
            options.
         [Replications Check,PR-DC01] A recent replication attempt failed:
            From PR-DC03 to PR-DC01
            Naming Context: DC=ForestDnsZones,DC=prsdnj,DC=org
            The replication generated an error (8456):
            The source server is currently rejecting replication requests.
            The failure occurred at 2016-11-02 13:49:44.
            The last success occurred at 2016-11-01 14:48:15.
            30 failures have occurred since the last success.
            Replication has been explicitly disabled through the server
            options.
         [Replications Check,PR-DC01] A recent replication attempt failed:
            From PR-DC03 to PR-DC01
            Naming Context: CN=Schema,CN=Configuration,DC=prsdnj,DC=org
            The replication generated an error (8456):
            The source server is currently rejecting replication requests.
            The failure occurred at 2016-11-02 13:49:44.
            The last success occurred at 2016-11-01 14:45:37.
            26 failures have occurred since the last success.
            Replication has been explicitly disabled through the server
            options.
         [Replications Check,PR-DC01] A recent replication attempt failed:
            From PR-DC03 to PR-DC01
            Naming Context: CN=Configuration,DC=prsdnj,DC=org
            The replication generated an error (8456):
            The source server is currently rejecting replication requests.
            The failure occurred at 2016-11-02 13:55:57.
            The last success occurred at 2016-11-01 14:45:37.
            117 failures have occurred since the last success.
            Replication has been explicitly disabled through the server
            options.
         [Replications Check,PR-DC01] A recent replication attempt failed:
            From PR-DC03 to PR-DC01
            Naming Context: DC=prsdnj,DC=org
            The replication generated an error (8456):
            The source server is currently rejecting replication requests.
            The failure occurred at 2016-11-02 14:01:11.
            The last success occurred at 2016-11-01 14:55:51.
            3040 failures have occurred since the last success.
            Replication has been explicitly disabled through the server
            options.
         ......................... PR-DC01 failed test Replications
      Starting test: RidManager
         ......................... PR-DC01 passed test RidManager
      Starting test: Services
         ......................... PR-DC01 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 11/02/2016   13:02:39
            Event String:
            Windows failed to apply the Group Policy Services settings. Group Po
licy Services settings might have its own log file. Please click on the "More in
formation" link.
         An error event occurred.  EventID: 0x0000165B
            Time Generated: 11/02/2016   13:07:38
            Event String:
            The session setup from computer 'WIN10-PARENT' failed because the se
curity database does not contain a trust account 'WIN10-PARENT$' referenced by t
he specified computer.
         An error event occurred.  EventID: 0x000016AD
            Time Generated: 11/02/2016   13:11:05
            Event String:
            The session setup from the computer WIN10-PARENT failed to authentic
ate. The following error occurred:
         A warning event occurred.  EventID: 0x00000090
            Time Generated: 11/02/2016   13:21:02
            Event String:
            The time service has stopped advertising as a good time source.
         An error event occurred.  EventID: 0x0000165B
            Time Generated: 11/02/2016   13:22:16
            Event String:
            The session setup from computer 'PR-STAFF-VM-051' failed because the
 security database does not contain a trust account 'PR-STAFF-VM-051$' reference
d by the specified computer.
         An error event occurred.  EventID: 0x000016AD
            Time Generated: 11/02/2016   13:24:27
            Event String:
            The session setup from the computer PR-STAFF-VM-051 failed to authen
ticate. The following error occurred:
         An error event occurred.  EventID: 0x00000429
            Time Generated: 11/02/2016   14:00:39
            Event String:
            The processing of Group Policy failed. Windows could not evaluate th
e Windows Management Instrumentation (WMI) filter for the Group Policy object cn
={65FE5720-070B-40B6-B584-86A1201E4699},cn=policies,cn=system,DC=prsdnj,DC=org.
This could be caused by RSOP being disabled  or Windows Management Instrumentati
on (WMI) service being disabled, stopped, or other WMI errors. Make sure the WMI
 service is started and the startup type is set to automatic. New Group Policy o
bjects or settings will not process until this event has been resolved.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 11/02/2016   14:00:43
            Event String:
            Driver WebEx Document Loader required for printer WebEx Document Loa
der is unknown. Contact the administrator to install the driver before you log i
n again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 11/02/2016   14:00:43
            Event String:
            Driver Lexmark T652 required for printer !!Prsdprint!PRHS146LEXT652
is unknown. Contact the administrator to install the driver before you log in ag
ain.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 11/02/2016   14:00:43
            Event String:
            Driver Dell B2360d-dn Laser Printer XL required for printer !!Hsprin
t!PRHS1392360DN is unknown. Contact the administrator to install the driver befo
re you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 11/02/2016   14:00:44
            Event String:
            Driver Microsoft Print To PDF required for printer Microsoft Print t
o PDF is unknown. Contact the administrator to install the driver before you log
 in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 11/02/2016   14:00:44
            Event String:
            Driver Dell Open Print Driver (PS) required for printer !!Hsprint!PR
HSMEDIA5200 is unknown. Contact the administrator to install the driver before y
ou log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 11/02/2016   14:00:45
            Event String:
            Driver SAVIN C7570 PCL 6 required for printer !!hsprint!District Sav
in C7570 is unknown. Contact the administrator to install the driver before you
log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 11/02/2016   14:00:47
            Event String:
            Driver Dell Color MFP E525w PCL 6 required for printer !!JHSPRINT!JG
uercioni-Dell E525W Printer is unknown. Contact the administrator to install the
 driver before you log in again.
         ......................... PR-DC01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... PR-DC01 passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : prsdnj
      Starting test: CheckSDRefDom
         ......................... prsdnj passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... prsdnj passed test CrossRefValidation

   Running enterprise tests on : prsdnj.org
      Starting test: LocatorCheck
         ......................... prsdnj.org passed test LocatorCheck
      Starting test: Intersite
         ......................... prsdnj.org passed test Intersite

C:\Users\administrator.PRSDNJ>
Paul MacDonald

Sounds like you need to seize the Schema Master role.  

Alternate instructions via TechNet.
Jonathan Jones

ASKER

paulmacd,

Thanks, I tried that (2008 R2) and it keeps giving me these errors:

ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server pr-dc03
Binding to pr-dc03 ...
Connected to pr-dc03 using credentials of locally logged on user.
server connections: q
fsmo maintenance: ?

 ?                             - Show this help information
 Connections                   - Connect to a specific AD DC/LDS instance
 Help                          - Show this help information
 Quit                          - Return to the prior menu
 Seize infrastructure master   - Overwrite infrastructure role on connected serv
er
 Seize naming master           - Overwrite Naming Master role on connected serve
r
 Seize PDC                     - Overwrite PDC role on connected server
 Seize RID master              - Overwrite RID role on connected server
 Seize schema master           - Overwrite schema role on connected server
 Select operation target       - Select sites, servers, domains, roles and
                                 naming contexts
 Transfer infrastructure master - Make connected server the infrastructure maste
r
 Transfer naming master        - Make connected server the naming master
 Transfer PDC                  - Make connected server the PDC
 Transfer RID master           - Make connected server the RID master
 Transfer schema master        - Make connected server the schema master

fsmo maintenance: seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-032103C6, problem 5002 (UN
AVAILABLE), data -2146893022

Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "pr-dc03" knows about 5 roles
Schema - CN=NTDS Settings,CN=PR-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=prsdnj,DC=org
Naming Master - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Nam
e,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
PDC - CN=NTDS Settings,CN=PR-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=prsdnj,DC=org
RID - CN=NTDS Settings,CN=PR-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=prsdnj,DC=org
Infrastructure - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Na
me,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
fsmo maintenance: seize naming master
Attempting safe transfer of domain naming FSMO before seizure.
ldap_modify_sW error 0xc(12 (Unavailable Critical Extension).
Ldap extended error message is 000020AE: SvcErr: DSID-032103B3, problem 5010 (UN
AVAIL_EXTENSION), data 8610

Win32 error returned is 0x20ae(The role owner attribute could not be read.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of domain naming FSMO failed, proceeding with seizure ...
Server "pr-dc03" knows about 5 roles
Schema - CN=NTDS Settings,CN=PR-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=prsdnj,DC=org
Naming Master - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Nam
e,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
PDC - CN=NTDS Settings,CN=PR-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=prsdnj,DC=org
RID - CN=NTDS Settings,CN=PR-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=prsdnj,DC=org
Infrastructure - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Na
me,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
fsmo maintenance:
fsmo maintenance: seize PDC
Attempting safe transfer of PDC FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-032105B0, problem 5002 (UN
AVAILABLE), data -2146893022

Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of PDC FSMO failed, proceeding with seizure ...
Server "pr-dc03" knows about 5 roles
Schema - CN=NTDS Settings,CN=PR-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=prsdnj,DC=org
Naming Master - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Nam
e,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
PDC - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=prsdnj,DC=org
RID - CN=NTDS Settings,CN=PR-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=prsdnj,DC=org
Infrastructure - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Na
me,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
fsmo maintenance:
fsmo maintenance: seize RID master
Attempting safe transfer of RID FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210CE0, problem 5002 (UN
AVAILABLE), data -2146893022

Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of RID FSMO failed, proceeding with seizure ...
Searching for highest rid pool in domain
Server "pr-dc03" knows about 5 roles
Schema - CN=NTDS Settings,CN=PR-DC02,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=prsdnj,DC=org
Naming Master - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Nam
e,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
PDC - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=prsdnj,DC=org
RID - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=prsdnj,DC=org
Infrastructure - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Na
me,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
fsmo maintenance:
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-032103C6, problem 5002 (UN
AVAILABLE), data -2146893022

Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
Server "pr-dc03" knows about 5 roles
Schema - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=prsdnj,DC=org
Naming Master - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Nam
e,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
PDC - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=prsdnj,DC=org
RID - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=prsdnj,DC=org
Infrastructure - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Na
me,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
fsmo maintenance:

Check again by running...
   netdom /query FSMO
...at the command prompt.  It looks like all five roles are on PR-DC03:

Server "pr-dc03" knows about 5 roles
Schema - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
Naming Master - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
PDC - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
RID - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org
Infrastructure - CN=NTDS Settings,CN=PR-DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=prsdnj,DC=org

paulmacd,

When I go to PR-DC03, it says PR-DC01 is the role holder, as do all of the remaining DC servers, but PR-DC03 is the only one where I can access the users and groups etc.:


C:\Users\administrator.PRSDNJ>netdom /query FSMO
Schema master               PR-DC01.prsdnj.org
Domain naming master        PR-DC01.prsdnj.org
PDC                         PR-DC01.prsdnj.org
RID pool manager            PR-DC01.prsdnj.org
Infrastructure master       PR-DC01.prsdnj.org
The command completed successfully.
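
The comparison being made by hand above (which DC each server believes holds each role) can be collected in one pass. This is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module (RSAT) is available, and the function name Get-FsmoViewFromDC is hypothetical.

```powershell
# Added example: ask every DC in the current domain who it thinks owns each
# FSMO role, by reading fSMORoleOwner from that DC's own replica.
Import-Module ActiveDirectory

function Get-FsmoViewFromDC {
    param([Parameter(Mandatory)][string]$Server)

    $root = Get-ADRootDSE -Server $Server -ErrorAction Stop

    # The five objects whose fSMORoleOwner attribute names the role holder.
    $roleObjects = [ordered]@{
        'Schema'         = $root.schemaNamingContext
        'Naming Master'  = "CN=Partitions,$($root.configurationNamingContext)"
        'PDC'            = $root.defaultNamingContext
        'RID'            = "CN=RID Manager`$,CN=System,$($root.defaultNamingContext)"
        'Infrastructure' = "CN=Infrastructure,$($root.defaultNamingContext)"
    }

    foreach ($role in $roleObjects.Keys) {
        $obj = Get-ADObject -Identity $roleObjects[$role] -Server $Server `
                            -Properties fSMORoleOwner -ErrorAction Stop
        # fSMORoleOwner is the DN of an NTDS Settings object, e.g.
        # CN=NTDS Settings,CN=PR-DC03,CN=Servers,... ; the second RDN is the DC.
        $owner = ($obj.fSMORoleOwner -split ',')[1] -replace '^CN=', ''
        [pscustomobject]@{ AskedDC = $Server; Role = $role; Owner = $owner }
    }
}

# Query each DC separately; a DC that cannot be reached is reported, not skipped silently.
$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    try   { Get-FsmoViewFromDC -Server $dc.HostName }
    catch { Write-Warning "$($dc.HostName): $($_.Exception.Message)" }
}

# One line per role. More than one distinct owner means the DCs disagree,
# which points at replication rather than at the role transfer itself.
$rows | Group-Object Role | ForEach-Object {
    $owners = @($_.Group | Group-Object Owner)   # @() so .Count counts owners
    [pscustomobject]@{
        Role       = $_.Name
        Consistent = ($owners.Count -eq 1)
        Views      = ($owners | ForEach-Object {
                         "$($_.Name) (seen by: $(($_.Group.AskedDC) -join ', '))"
                     }) -join '; '
    }
} | Format-Table -AutoSize -Wrap
```

The script only reads; it changes no role owner and no replication setting.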

Also I am seeing this on one of the DCs, which leads me to believe that it's a permissions issue:

Starting test: NCSecDesc
   Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
      Replicating Directory Changes In Filtered Set
   access rights for the naming context:
   DC=DomainDnsZones,DC=prsdnj,DC=org
   Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
      Replicating Directory Changes In Filtered Set
   access rights for the naming context:
   DC=ForestDnsZones,DC=prsdnj,DC=org
   Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
      Replicating Directory Changes In Filtered Set
   access rights for the naming context:
   CN=Schema,CN=Configuration,DC=prsdnj,DC=org
   Error BUILTIN\Administrators doesn't have
      Replicating Directory Changes
      Replicating Directory Changes All
      Replication Synchronization
      Manage Replication Topology
   access rights for the naming context:
   CN=Schema,CN=Configuration,DC=prsdnj,DC=org
   Error PRSDNJ\Enterprise Read-only Domain Controllers doesn't have
      Replicating Directory Changes
      Replicating Directory Changes All
      Replicating Directory Changes In Filtered Set
   access rights for the naming context:
   CN=Schema,CN=Configuration,DC=prsdnj,DC=org
   Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
      Replicating Directory Changes In Filtered Set
   access rights for the naming context:
   DC=prsdnj,DC=org

Also with Repadmin I get this:


DC=DomainDnsZones,DC=prsdnj,DC=org
    Default-First-Site-Name\PR-DC03 via RPC
        DSA object GUID: 87cd5396-756e-4e41-9ea1-7e1d6316dc3c
        Last attempt @ 2016-11-03 07:49:46 failed, result 8456 (0x2108):
            The source server is currently rejecting replication requests.
        44 consecutive failure(s).
        Last success @ 2016-11-01 14:45:37.
    Default-First-Site-Name\PR-DC02 via RPC
        DSA object GUID: e31eac56-84ec-4fea-9b40-e3749f4f1074
        Last attempt @ 2016-11-03 07:49:46 was successful.
    Default-First-Site-Name\PR-DC04 via RPC
        DSA object GUID: 0b299f27-8279-4071-9aa2-9e93e630e82d
        Last attempt @ 2016-11-03 07:49:46 was successful.
    ETESDNJ\ETESD-DC01 via RPC
        DSA object GUID: 156cdf94-304b-401e-b01c-c95d14e5086d
        Last attempt @ 2016-11-03 08:34:46 was successful.

Source: Default-First-Site-Name\PR-DC03
******* 5557 CONSECUTIVE FAILURES since 2016-11-01 14:55:51
Last error: 8456 (0x2108):
            The source server is currently rejecting replication requests.

On the alternate solution, it fails to find DC=ForestDnsZoones,DC=prsdnj,DC=org in ADSI Edit, which I think is the root of the problem. Is there a way to reset the partition perms?

"ForestDnsZoones" should be ForestDnsZones.  That was a typo in the example.  You can see the correct spelling in the image above the step.

Paul,

I think I found the problem, not sure how to fix it though ... the FSMO roles report themselves on 2 servers simultaneously, PR-DC03 and PR-DC01. Any way to fix this? I have tried to seize but it does not change the PDC.

Turn off the bad server (PR-DC01?), then seize the role.

Did not work at all, I am panicking. Is there a utility that can fix this? NTDSUTIL says the ntds.dit is clean??

"Did not work at all..."
What didn't work?  How do you know?  What symptoms are you seeing of a problem?

paulmacd,

I was able to fix it. It was a permission issue that was stopping Users and Groups/GPO Manager/ADSIEdit from opening. I had to go to Command Prompt -> ldp.exe, navigate to CN=Schema and change the permissions on Authenticated Users to be able to Read all Objects AND Descending Objects. The Descending Objects was missing and breaking the AD partition.
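
A read-only way to inspect the setting described in the post above, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (which provides the AD: drive) and only reports; it does not modify the ACL.

```powershell
# Added example: list the Authenticated Users ACEs on the head of the schema
# partition and show whether each one propagates to descendant objects.
Import-Module ActiveDirectory

$schemaNC    = (Get-ADRootDSE).schemaNamingContext
$genericRead = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

$aces = (Get-Acl -Path "AD:\$schemaNC").Access |
    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' }

if (-not $aces) {
    Write-Warning "No ACE for Authenticated Users on $schemaNC"
}

$aces | ForEach-Object {
    # InheritanceType 'None' means the ACE applies to this object only,
    # so objects below CN=Schema do not receive it.
    $grantsRead = ($_.AccessControlType -eq 'Allow') -and
                  (($_.ActiveDirectoryRights -band $genericRead) -eq $genericRead)
    [pscustomobject]@{
        Type            = $_.AccessControlType
        Rights          = $_.ActiveDirectoryRights
        InheritanceType = $_.InheritanceType
        IsInherited     = $_.IsInherited
        ReadThisObjOnly = ($grantsRead -and $_.InheritanceType -eq 'None')
    }
} | Format-Table -AutoSize -Wrap
```

A row with ReadThisObjOnly set to True matches the condition the asker describes: read access granted on CN=Schema itself but not on the objects beneath it.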
ASKER CERTIFIED SOLUTION
Paul MacDonald