Group Policy Error.

**SSuperdoc** · 21-06-2008

I'm running into a new problem, Previously i posted that i had DNS ADS Issues but i resolved them somehow, I have windows server 2003 Enterprise edition with SP1 on it, it has 1 DC, DNS configured, its working fine, after the migration from server 2000 DC machine to new server 2003 machine everything was running fine and its ok even now BUT when i try to open Domain Security Policy or Domain Controller Security Policy i get this error

"Group Policy Error: Failed to open the Group Policy Object. You may not have appropriate rights, Details:The specified domain either does not exist or could not be contacted.

I Immediately ran netdiag, dcdiag and other tools but They all were success and there was no errors, How do i make the changes that the GPO will use the new server 2003 dc as its PDC? i think its still seeking for the server 2000 DC which is now gone cuz new server 2003 has taken its place.. Thank you for ur help.

Regards

**Big Fish** · 21-06-2008

The GPO will not actually have a preferred DC and nor does it seek for the PDC. It will be the computer that you are trying to open the policy that is searching for the PDC. It seems to me like its a DNS problem so you can check nslookup if everything is okay. Is there any other DCs than the 2003 server? The machine you are editing the policies from is acutally the 2003 DC or not? When you are downloading GPMC on a client then what happens, when you are try it from there?

**SSuperdoc** · 23-06-2008

Thanks for replying my friend, Here is what i checked in eventviewer in DNS, it gives me this all the time "event id: 6702" DNS server has updated its own host (A) records. In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update. An error was encountered during this update, the record data is the error code.

If this DNS server does not have any DS-integrated peers, then this error should be ignored.
If this DNS server's Active Directory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.

To ensure proper replication:
1) Find this server's Active Directory replication partners that run the DNS server.
2) Open DnsManager and connect in turn to each of the replication partners.
3) On each server, check the host (A record) registration for THIS server.
4) Delete any A records that do NOT correspond to IP addresses of this server.
5) If there are no A records for this server, add at least one A record corresponding to an address on this server, that the replication partner can contact. (In other words, if there multiple IP addresses for this DNS server, add at least one that is on the same network as the Active Directory DNS server you are updating.)
6) Note, that is not necessary to update EVERY replication partner. It is only necessary that the records are fixed up on enough replication partners so that every server that replicates with this server will receive (through replication) the new data.

For more information, see Help and Support Center at http://support.microsoft.com. Data: 0000: 0000267c "

I ran gpresult.exe and it shows in one of the lines Domain Type: Windows 2000, its not really Windows 2000, its a Server 2003, why is it showing wrong?

I did NSlookup host, but it says like this "*** Can't find server name for address 192.168.2.198: Timed out
*** Default servers are not available
Default Server: Unknown
Address: 192.168.2.98"

192.168.2.98 is the IP of the server and i've configured dns and gateway on it.

Thank you.

**Tomthegreat** · 23-06-2008

So, you mean to say that it is still one DC, are you sure? Also, on the DC as well on a client, fire up "nslookup <domain.local>" to check whether the DC solves it properly or not.

**SSuperdoc** · 23-06-2008

The Entire ADS was Migrated from a Windows 2000 Server to Windows Server 2003, I had DNS troubles earlier which i fixed, everything was working fine till i recently discovered Domain Controller Security Policy is not recognizing the Domain, when i did NSlookup it says "Can't Find Server Name for Address 192.168.2.98" Says Domain Non-Existant. i ran GPOTool that says Domain Found but has no policies so its ignoring. Yes There is only ONE DC at the moment and that is Server 2003, I Demoted the Old Server 2000 after migration and also raised Domain level on Server 2003.

**SSuperdoc** · 25-06-2008

Can anyone help me??

Thanks.

**SSuperdoc** · 26-06-2008

I did nslookup domain.local This is what it shows

Server: appsrvr2.apppoint
Address: 192.168.2.98

*** appsrvr2.apppoint can't find domain.local: Server failed

There is only one DC at the moment.

Thanks Regards