| Tags: domain controller, security policy |
|
#1
Domain Controller Security Policy error

Dear All,

I have a Win 2003 Std Server (A) as main domain controller and a Win 2003 Std Server (B) as secondary domain controller. I am planning to shut off Server A and switch permanently to Server B. I did enable Global Catalog on both servers and have transferred all FSMO roles to Server B, and have verified on Operation Master that everything (NETDOM query FSMO) is on Server B. I leave Global Catalog enabled on Server A and don't demote the Domain Controller on Server A either, on account that if something goes wrong, I can just turn Server A on again.

Now I take down Server A and restart Server B, and I can open Active Directory Users and Computers, Active Directory Sites and Services, and Active Directory Domains and Trusts. However, I can't open Domain Controller Security Policy and Domain Security Policy. I got an error message:

Failed to open the Group Policy Object. You may not have appropriate right, network path was wrong.

What might be wrong? Should I disable Global Catalog on Server A and also demote the Domain Controller on Server A? Or is there another way?

Please advise.

Thanks,
Andy
|
#2
Hello Andy,

Start the other DC and check that replication is done correctly with repadmin /showrepl, or use replmon from the run line. Also run dcdiag /v and netdiag /v to check for errors on both DCs. If you have errors, please post the complete output here.

Before shutting down or removing a DC you should always check that the other DC is healthy.
|
#3
Re: Domain Controller Security Policy error

Hi Meinolf,

Here is the NetDiag /V result. Both DCDiag and NetDiag are on Server B.
|
#4
Re: Domain Controller Security Policy error

Hello Andy,

I looked at your reports. It seems your new domain controller, fileserver, has not completed initialization of sysvol, hence it is not yet acting as a domain controller. I suggest bringing file_server (the old domain controller) back online and waiting until initialization is complete. Do a dcdiag /v or dcdiag /q and, if there are no errors, then proceed to shut down the old server.

Just to let you know, you mentioned shutting down the old DC and bringing it back online only if there is an issue. Remember that if you do that, you will need to bring it back online at least once in, say, every 60 days (tombstone lifecycle) so it can replicate with the new DC.
|
#5
Re: Domain Controller Security Policy error

Hello Andy,

If not done, start the other DC asap. It seems that they were not ready with replication when you shut down the other DC. Please reconfigure the new DC with the preferred DNS pointing only to the older one and restart the DC. Make sure that replication occurs, with the repadmin command or the replmon GUI.

Also post an unedited ipconfig /all from the other DC.
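
The checks suggested in posts #2, #4 and #5 (SYSVOL initialization, dcdiag, repadmin) can be collected into one pre-shutdown script. This is an added example, not part of any poster's message; it assumes the Windows Server 2003 Support Tools are on PATH, and the report folder name and the match on the word "failed" in the repadmin output are illustrative choices.

```batch
@echo off
rem Added example, not from the thread. Run on the DC that will stay online
rem before the other DC is shut down. Assumes the Support Tools are on PATH.
setlocal
set FAIL=0
set OUT=%TEMP%\dc_precheck
if not exist "%OUT%" mkdir "%OUT%"

for %%T in (dcdiag.exe repadmin.exe netdom.exe) do if "%%~$PATH:T"=="" (
    echo [FAIL] %%T not found on PATH
    set FAIL=1
)

rem 1. A DC shares SYSVOL and NETLOGON only after SYSVOL has initialized.
for %%S in (SYSVOL NETLOGON) do (
    net share %%S >nul 2>&1
    if errorlevel 1 (
        echo [FAIL] share %%S does not exist on this server
        set FAIL=1
    ) else (
        echo [ OK ] share %%S is present
    )
)

rem 2. dcdiag /q prints only errors, so any output means a failed test.
dcdiag /q > "%OUT%\dcdiag_q.txt" 2>&1
for %%F in ("%OUT%\dcdiag_q.txt") do if %%~zF GTR 0 (
    echo [FAIL] dcdiag reported errors, see %%~fF
    set FAIL=1
)

rem 3. Keep the full replication report and flag any failed attempt.
rem    Matching the word "failed" in the report is an assumption.
repadmin /showrepl > "%OUT%\showrepl.txt" 2>&1
findstr /i /c:"failed" "%OUT%\showrepl.txt" >nul
if not errorlevel 1 (
    echo [FAIL] repadmin shows a failed replication attempt
    set FAIL=1
)

rem 4. Record the FSMO role holders as they are before the shutdown.
netdom query fsmo > "%OUT%\fsmo.txt" 2>&1
type "%OUT%\fsmo.txt"

if "%FAIL%"=="1" (
    echo Result: do not shut down the other DC yet. Reports are in "%OUT%"
    exit /b 1
)
echo Result: all checks passed. Reports are in "%OUT%"
exit /b 0
```

A missing SYSVOL or NETLOGON share is the symptom that matches the "Failed to open the Group Policy Object" error in post #1, since the policy consoles read the GPO files from SYSVOL.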
|
#6
Re: Domain Controller Security Policy error

Hi Isaac and Meinolf,

I have "forced" a copy of the sysvol directory from Server A to Server B, and shared it like on Server A (both Netlogon and SYSVOL). Now the Domain Controller Security Policy finally works.

The next problem is that I tried to join the domain from one of the stations (XP), and the error message is:

A domain controller for the domain Royalchemie.com could not be contacted. Ensure that the domain name is typed correctly. If the name is correct, click Details for the troubleshooting information.

Detail:

Note : This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain Royalchemie.com

The query was for the SRV record for _ldap._tcp.dc._msdcs.Royalchemie.com

The following domain controllers were identified by the query :

fileserver.royalchemie.com
file_server.royalchemie.com

Common causes of this error include:

- Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.
- Domain controller registered in DNS are not connected to the network or are not running

For more information about correcting this problem, click Help.

Please advise.

Thanks,
Andy
|
#7
Re: Domain Controller Security Policy error

Hi Paul,

Does that mean that I have to activate Server A, disable Global Catalog, and demote the Domain Controller on Server A?

I am looking for another way that perhaps might work without any action on Server A. The reasons are:

1. If something really urgent happens, I can just shut down Server B and activate Server A again.
2. Let's say in the normal case Server A and Server B are running at the same time and suddenly Server A crashes. I want Server B to take over all operations of the Domain Controller without business interruption.

Just like in NT (although NT and 2003 are hugely different): PDC down, BDC will take over all operations of the domain, and all I need is just to promote the BDC to PDC.
|
#8
Re: Domain Controller Security Policy error

Hello Andy,

Please post an unedited ipconfig /all from both DCs and the client machine. If you are worried about the IP addresses, the private IP ranges 10.x.x.x, 172.x.x.x and 192.168.x.x are not reachable from the internet.
|
#9
Have you had a chance to read the link I provided? It should list out the roles transfer, etc. You need to make sure you have all your clients pointing to the new DNS server, the second DC needs to be a GC, and yes, you need to gracefully transfer the FSMO roles. There are no longer BDCs, and the PDC role is emulation (PDCe FSMO role).

I would suggest you keep your second server up and running if you don't plan on replacing it. You should always have at least two DCs within each domain, thereby protecting yourself in the event of a lost DC. What happens to your users if you have no DC to authenticate them? They won't be able to use domain services.
|
#10
Re: Domain Controller Security Policy error

Hi Meinolf,

Here are the unedited ipconfig /all outputs:

```
Server A
======
Windows IP Configuration

   Host Name . . . . . . . . . . . . : file_server
   Primary Dns Suffix  . . . . . . . : Royalchemie.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : Royalchemie.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0F-20-93-AC-2C
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.5
   DNS Servers . . . . . . . . . . . : 192.168.1.2

Server B
======
Windows IP Configuration

   Host Name . . . . . . . . . . . . : fileserver
   Primary Dns Suffix  . . . . . . . : Royalchemie.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : royalchemie.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP NC105i PCIe Gigabit Server Adapter
   Physical Address. . . . . . . . . : 00-22-64-FD-B6-B2
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.5
   DNS Servers . . . . . . . . . . . : 192.168.1.2
```

Thanks,
Andy
|
#11
Re: Domain Controller Security Policy error

Hi Paul,

I have read your article, and actually I had enabled GC on both servers and had also transferred FSMO to the new server (B). Right now I don't dare to demote Server A until I am sure Server B will run well.

Regards,
Andy