Access Denied error while edit some of the GPOs in Windows 2003 AD

Hi

We are unable to edit some of the GPOs (Default Domain Policy, etc) and
getting Access Denied error. We checked the permission of SYSVOL folder and
found Administrators (Domain), System and Authenticated Users have full
control share permissions. Full access has been provided to Administrators,
creator owner & System and read & execute permission has been provided to
Authenticated users in Security tab.

Can anyone help me to resolve the issue and also any doc is available to
check the correct permissions with SYSVOL.

Thanks in advance for help

Regards
Lal
--
----Server Management Team----

Hello Laljeev,

The permissions at the moment sounds ok for me. Please run dcdiag /v on the
DCs and post the output here. Are you working on the DCs directly or from
a workstation with adminpak installed?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi
>
> We are unable to edit some of the GPOs (Default Domain Policy, etc)
> and getting Access Denied error. We checked the permission of SYSVOL
> folder and found Administrators (Domain), System and Authenticated
> Users have full control share permissions. Full access has been
> provided to Administrators, creator owner & System and read & execute
> permission has been provided to Authenticated users in Security tab.
>
> Can anyone help me to resolve the issue and also any doc is available
> to check the correct permissions with SYSVOL.
>
> Thanks in advance for help
>
> Regards
> La

Hi

Below is the output from dcdiag/v, I'm accessing the server through terminal
service (mstsc -admin). One of our DCs is down from this morning (jpdc02)

____________________


Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine rpdc04, is a DC.
* Connecting to directory service on server rpdc04.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 4 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: RHO\rpdc04
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... rpdc04 passed test Connectivity

Doing primary tests

Testing server: RHO\rpdc04
Starting test: Replications
* Replications Check
[Replications Check,rpdc04] No replication recently attempted:
From dbdc01 to rpdc04
Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
The last attempt occurred at 2010-03-14 15:47:00 (about 3 hours
ago).
[Replications Check,rpdc04] A recent replication attempt failed:
From jpdc02 to rpdc04
Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
The replication generated an error (1256):
The remote system is not available. For information about
network troubleshooting, see Windows Help.
The failure occurred at 2010-03-14 18:54:08.
The last success occurred at 2010-03-13 12:17:32.
122 failures have occurred since the last success.
[Replications Check,rpdc04] A recent replication attempt failed:
From jpdc02 to rpdc04
Naming Context: DC=DomainDnsZones,DC=mycompany,DC=com
The replication generated an error (1256):
The remote system is not available. For information about
network troubleshooting, see Windows Help.
The failure occurred at 2010-03-14 18:54:08.
The last success occurred at 2010-03-13 12:17:32.
122 failures have occurred since the last success.
[Replications Check,rpdc04] A recent replication attempt failed:
From jpdc02 to rpdc04
Naming Context: CN=Schema,CN=Configuration,DC=mycompany,DC=com
The replication generated an error (1727):
The remote procedure call failed and did not execute.
The failure occurred at 2010-03-14 18:46:47.
The last success occurred at 2010-03-13 12:17:31.
121 failures have occurred since the last success.
[Replications Check,rpdc04] A recent replication attempt failed:
From jpdc02 to rpdc04
Naming Context: CN=Configuration,DC=mycompany,DC=com
The replication generated an error (1727):
The remote procedure call failed and did not execute.
The failure occurred at 2010-03-14 19:01:22.
The last success occurred at 2010-03-13 12:17:24.
122 failures have occurred since the last success.
[Replications Check,rpdc04] A recent replication attempt failed:
From jpdc02 to rpdc04
Naming Context: DC=mycompany,DC=com
The replication generated an error (1727):
The remote procedure call failed and did not execute.
The failure occurred at 2010-03-14 18:54:08.
The last success occurred at 2010-03-13 12:17:23.
11 failures have occurred since the last success.
rpdc04: There are 21 replication work items in the queue.
REPLICATION LATENCY WARNING
rpdc04: A long-running replication operation is in progress
The job has been executing for 5 minutes and 2 seconds.
Replication of new changes along this path will be delayed.
Error: Higher priority replications are being blocked
Enqueued 2010-03-14 18:47:22 at priority 170
Op: SYNC FROM SOURCE
NC CN=Schema,CN=Configuration,DC=mycompany,DC=com
DSADN CN=NTDS
Settings,CN=jpdc02,CN=Servers,CN=JED,CN=Sites,CN=C onfiguration,DC=mycompany,DC=com
DSA transport addr
f9f5b45f-b5e6-4302-9e97-069c79fd1585._msdcs.mycompany.com
* Replication Latency Check
REPLICATION-RECEIVED LATENCY WARNING
rpdc04: Current time is 2010-03-14 19:06:31.
DC=ForestDnsZones,DC=mycompany,DC=com
Last replication recieved from jpdc02 at 2010-03-13 12:18:23.
Latency information for 12 entries in the vector were ignored.
12 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=mycompany,DC=com
Last replication recieved from jpdc02 at 2010-03-13 12:18:22.
Latency information for 12 entries in the vector were ignored.
12 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=mycompany,DC=com
Last replication recieved from jpdc02 at 2010-03-13 12:18:22.
Latency information for 19 entries in the vector were ignored.
19 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=mycompany,DC=com
Last replication recieved from jpdc02 at 2010-03-13 12:18:21.
Latency information for 19 entries in the vector were ignored.
19 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
DC=mycompany,DC=com
Last replication recieved from jpdc02 at 2010-03-13 12:18:22.
Latency information for 18 entries in the vector were ignored.
18 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
......................... rpdc04 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC rpdc04.
* Security Permissions Check for
DC=ForestDnsZones,DC=mycompany,DC=com
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=mycompany,DC=com
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=mycompany,DC=com
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=mycompany,DC=com
(Configuration,Version 2)
* Security Permissions Check for
DC=mycompany,DC=com
(Domain,Version 2)
......................... rpdc04 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\rpdc04\netlogon
Verified share \\rpdc04\sysvol
......................... rpdc04 passed test NetLogons
Starting test: Advertising
The DC rpdc04 is advertising itself as a DC and having a DS.
The DC rpdc04 is advertising as an LDAP server
The DC rpdc04 is advertising as having a writeable directory
The DC rpdc04 is advertising as a Key Distribution Center
The DC rpdc04 is advertising as a time server
The DS rpdc04 is advertising as a GC.
......................... rpdc04 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=mycompany,DC=com
Role Domain Owner = CN=NTDS
Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=mycompany,DC=com
Role PDC Owner = CN=NTDS
Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=mycompany,DC=com
Role Rid Owner = CN=NTDS
Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=mycompany,DC=com
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=mycompany,DC=com
......................... rpdc04 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 22603 to 1073741823
* rpdc03.mycompany.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 20103 to 20602
* rIDPreviousAllocationPool is 20103 to 20602
* rIDNextRID: 20266
......................... rpdc04 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC rpdc04 on DC rpdc04.
* SPN found :LDAP/rpdc04.mycompany.com/mycompany.com
* SPN found :LDAP/rpdc04.mycompany.com
* SPN found :LDAP/rpdc04
* SPN found :LDAP/rpdc04.mycompany.com/mycompany
* SPN found
:LDAP/25671f81-8b4c-404c-991f-e5ae1eb35d62._msdcs.mycompany.com
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/25671f81-8b4c-404c-991f-e5ae1eb35d62/mycompany.com
* SPN found :HOST/rpdc04.mycompany.com/mycompany.com
* SPN found :HOST/rpdc04.mycompany.com
* SPN found :HOST/rpdc04
* SPN found :HOST/rpdc04.mycompany.com/mycompany
* SPN found :GC/rpdc04.mycompany.com/mycompany.com
......................... rpdc04 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... rpdc04 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
rpdc04 is in domain DC=mycompany,DC=com
Checking for CN=rpdc04,OU=Domain Controllers,DC=mycompany,DC=com in
domain DC=mycompany,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=rpdc04,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=mycompany,DC=com in domain CN=Configuration,DC=mycompany,DC=com on 1 servers
Object is up-to-date on all servers.
......................... rpdc04 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... rpdc04 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the

SYSVOL has been shared. Failing SYSVOL replication problems may
cause

Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 03/14/2010 14:22:14
(Event String could not be retrieved)
......................... rpdc04 failed test frsevent
Starting test: kccevent
* The KCC Event log test
An Warning Event occured. EventID: 0x8000061E
Time Generated: 03/14/2010 18:52:28
Event String: All domain controllers in the following site that

can replicate the directory partition over this

transport are currently unavailable.



Site:

CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=c om



Directory partition:

DC=mycompany,DC=com

Transport:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=mycompany, DC=com


An Error Event occured. EventID: 0xC000051F
Time Generated: 03/14/2010 18:52:28
Event String: The Knowledge Consistency Checker (KCC) has

detected problems with the following directory

partition.



Directory partition:

DC=mycompany,DC=com



There is insufficient site connectivity

information in Active Directory Sites and

Services for the KCC to create a spanning tree

replication topology. Or, one or more domain

controllers with this directory partition are

unable to replicate the directory partition

information. This is probably due to inaccessible

domain controllers.



User Action

Use Active Directory Sites and Services to

perform one of the following actions:

- Publish sufficient site connectivity

information so that the KCC can determine a route

by which this directory partition can reach this

site. This is the preferred option.

- Add a Connection object to a domain controller

that contains the directory partition in this

site from a domain controller that contains the

same directory partition in another site.



If neither of the Active Directory Sites and

Services tasks correct this condition, see

previous events logged by the KCC that identify

the inaccessible domain controllers.
An Warning Event occured. EventID: 0x80000749
Time Generated: 03/14/2010 18:52:28
Event String: The Knowledge Consistency Checker (KCC) was

unable to form a complete spanning tree network

topology. As a result, the following list of

sites cannot be reached from the local site.



Sites:

CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=c om
















An Warning Event occured. EventID: 0x8000061E
Time Generated: 03/14/2010 18:52:28
Event String: All domain controllers in the following site that

can replicate the directory partition over this

transport are currently unavailable.



Site:

CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=c om



Directory partition:

DC=ForestDnsZones,DC=mycompany,DC=com

Transport:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=mycompany, DC=com


An Error Event occured. EventID: 0xC000051F
Time Generated: 03/14/2010 18:52:28
Event String: The Knowledge Consistency Checker (KCC) has

detected problems with the following directory

partition.



Directory partition:

DC=ForestDnsZones,DC=mycompany,DC=com



There is insufficient site connectivity

information in Active Directory Sites and

Services for the KCC to create a spanning tree

replication topology. Or, one or more domain

controllers with this directory partition are

unable to replicate the directory partition

information. This is probably due to inaccessible

domain controllers.



User Action

Use Active Directory Sites and Services to

perform one of the following actions:

- Publish sufficient site connectivity

information so that the KCC can determine a route

by which this directory partition can reach this

site. This is the preferred option.

- Add a Connection object to a domain controller

that contains the directory partition in this

site from a domain controller that contains the

same directory partition in another site.



If neither of the Active Directory Sites and

Services tasks correct this condition, see

previous events logged by the KCC that identify

the inaccessible domain controllers.
An Warning Event occured. EventID: 0x80000749
Time Generated: 03/14/2010 18:52:28
Event String: The Knowledge Consistency Checker (KCC) was

unable to form a complete spanning tree network

topology. As a result, the following list of

sites cannot be reached from the local site.



Sites:

CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=c om
















An Warning Event occured. EventID: 0x8000061E
Time Generated: 03/14/2010 18:52:28
Event String: All domain controllers in the following site that

can replicate the directory partition over this

transport are currently unavailable.



Site:

CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=c om



Directory partition:

DC=DomainDnsZones,DC=mycompany,DC=com

Transport:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=mycompany, DC=com


An Error Event occured. EventID: 0xC000051F
Time Generated: 03/14/2010 18:52:28
Event String: The Knowledge Consistency Checker (KCC) has

detected problems with the following directory

partition.



Directory partition:

DC=DomainDnsZones,DC=mycompany,DC=com



There is insufficient site connectivity

information in Active Directory Sites and

Services for the KCC to create a spanning tree

replication topology. Or, one or more domain

controllers with this directory partition are

unable to replicate the directory partition

information. This is probably due to inaccessible

domain controllers.



User Action

Use Active Directory Sites and Services to

perform one of the following actions:

- Publish sufficient site connectivity

information so that the KCC can determine a route

by which this directory partition can reach this

site. This is the preferred option.

- Add a Connection object to a domain controller

that contains the directory partition in this

site from a domain controller that contains the

same directory partition in another site.



If neither of the Active Directory Sites and

Services tasks correct this condition, see

previous events logged by the KCC that identify

the inaccessible domain controllers.
An Warning Event occured. EventID: 0x80000749
Time Generated: 03/14/2010 18:52:28
Event String: The Knowledge Consistency Checker (KCC) was

unable to form a complete spanning tree network

topology. As a result, the following list of

sites cannot be reached from the local site.



Sites:

CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=c om
















An Warning Event occured. EventID: 0x8000061E
Time Generated: 03/14/2010 18:52:28
Event String: All domain controllers in the following site that

can replicate the directory partition over this

transport are currently unavailable.



Site:

CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=c om



Directory partition:

CN=Configuration,DC=mycompany,DC=com

Transport:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=mycompany, DC=com


An Error Event occured. EventID: 0xC000051F
Time Generated: 03/14/2010 18:52:28
Event String: The Knowledge Consistency Checker (KCC) has

detected problems with the following directory

partition.



Directory partition:

CN=Configuration,DC=mycompany,DC=com



There is insufficient site connectivity

information in Active Directory Sites and

Services for the KCC to create a spanning tree

replication topology. Or, one or more domain

controllers with this directory partition are

unable to replicate the directory partition

information. This is probably due to inaccessible

domain controllers.



User Action

Use Active Directory Sites and Services to

perform one of the following actions:

- Publish sufficient site connectivity

information so that the KCC can determine a route

by which this directory partition can reach this

site. This is the preferred option.

- Add a Connection object to a domain controller

that contains the directory partition in this

site from a domain controller that contains the

same directory partition in another site.



If neither of the Active Directory Sites and

Services tasks correct this condition, see

previous events logged by the KCC that identify

the inaccessible domain controllers.
An Warning Event occured. EventID: 0x80000749
Time Generated: 03/14/2010 18:52:28
Event String: The Knowledge Consistency Checker (KCC) was

unable to form a complete spanning tree network

topology. As a result, the following list of

sites cannot be reached from the local site.



Sites:

CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=c om
















......................... rpdc04 failed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x0000165B
Time Generated: 03/14/2010 18:28:42
Event String: The session setup from computer 'RIYDTP110'

failed because the security database does not

contain a trust account 'RIYDTP110$' referenced

by the specified computer.



USER ACTION

If this is the first occurrence of this event for

the specified computer and account, this may be a

transient issue that doesn't require any action

at this time. Otherwise, the following steps may

be taken to resolve this problem:



If 'RIYDTP110$' is a legitimate machine account

for the computer 'RIYDTP110', then 'RIYDTP110'

should be rejoined to the domain.



If 'RIYDTP110$' is a legitimate interdomain trust

account, then the trust should be recreated.



Otherwise, assuming that 'RIYDTP110$' is not a

legitimate account, the following action should

be taken on 'RIYDTP110':



If 'RIYDTP110' is a Domain Controller, then the

trust associated with 'RIYDTP110$' should be

deleted.



If 'RIYDTP110' is not a Domain Controller, it

should be disjoined from the domain.
An Error Event occured. EventID: 0x000016AD
Time Generated: 03/14/2010 18:33:21
Event String: The session setup from the computer RIYDTP110

failed to authenticate. The following error

occurred:

%%5
......................... rpdc04 failed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)

CN=rpdc04,OU=Domain Controllers,DC=mycompany,DC=com and backlink on


CN=rpdc04,CN=Servers,CN=RHO,CN=Sites,CN=Configurat ion,DC=mycompany,DC=com

are correct.
The system object reference (frsComputerReferenceBL)

CN=rpdc04,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=mycompany,DC=com

and backlink on CN=rpdc04,OU=Domain Controllers,DC=mycompany,DC=com

are correct.
The system object reference (serverReferenceBL)

CN=rpdc04,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=mycompany,DC=com

and backlink on

CN=NTDS
Settings,CN=rpdc04,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=mycompany,DC=com

are correct.
......................... rpdc04 passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : mycompany
Starting test: CrossRefValidation
......................... mycompany passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... mycompany passed test CheckSDRefDom

Running enterprise tests on : mycompany.com
Starting test: Intersite
Skipping site RHO, this site is outside the scope provided by the

command line arguments provided.
Skipping site DAM, this site is outside the scope provided by the

command line arguments provided.
Skipping site JED, this site is outside the scope provided by the

command line arguments provided.
......................... mycompany.com passed test Intersite
Starting test: FsmoCheck
GC Name: \\rpdc04.mycompany.com
Locator Flags: 0xe00001fc
PDC Name: \\rpdc03.mycompany.com
Locator Flags: 0xe00003fd
Time Server Name: \\rpdc04.mycompany.com
Locator Flags: 0xe00001fc
Preferred Time Server Name: \\rpdc03.mycompany.com
Locator Flags: 0xe00003fd
KDC Name: \\rpdc04.mycompany.com
Locator Flags: 0xe00001fc
......................... mycompany.com passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
---------------------

Regards
Lal
--
----Server Management Team----


"Meinolf Weber [MVP-DS]" wrote:

> Hello Laljeev,
>
> The permissions at the moment sounds ok for me. Please run dcdiag /v on the
> DCs and post the output here. Are you working on the DCs directly or from
> a workstation with adminpak installed?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > Hi
> >
> > We are unable to edit some of the GPOs (Default Domain Policy, etc)
> > and getting Access Denied error. We checked the permission of SYSVOL
> > folder and found Administrators (Domain), System and Authenticated
> > Users have full control share permissions. Full access has been
> > provided to Administrators, creator owner & System and read & execute
> > permission has been provided to Authenticated users in Security tab.
> >
> > Can anyone help me to resolve the issue and also any doc is available
> > to check the correct permissions with SYSVOL.
> >
> > Thanks in advance for help
> >
> > Regards
> > Lal
>
>
> .
>

Hello Laljeev,

Hopefully the second DC is back soon for you. Did you check the event viewer
for errors on the DC where ryou logged in to when the access denied pop up?

As you wrote you can't edit some of the GPOs, so you are able to edit some
other? Did you check that the content of sysvol and netlogon is the same
on all DCs in the domain and replication is working on each DC with repadmin
/showrepl?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi
>
> Below is the output from dcdiag/v, I'm accessing the server through
> terminal service (mstsc -admin). One of our DCs is down from this
> morning (jpdc02)
>
> ____________________
>
> Domain Controller Diagnosis
>
> Performing initial setup:
> * Verifying that the local machine rpdc04, is a DC.
> * Connecting to directory service on server rpdc04.
> * Collecting site info.
> * Identifying all servers.
> * Identifying all NC cross-refs.
> * Found 4 DC(s). Testing 1 of them.
> Done gathering initial info.
> Doing initial required tests
>
> Testing server: RHO\rpdc04
> Starting test: Connectivity
> * Active Directory LDAP Services Check
> * Active Directory RPC Services Check
> ......................... rpdc04 passed test Connectivity
> Doing primary tests
>
> Testing server: RHO\rpdc04
> Starting test: Replications
> * Replications Check
> [Replications Check,rpdc04] No replication recently
> attempted:
> From dbdc01 to rpdc04
> Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
> The last attempt occurred at 2010-03-14 15:47:00 (about 3
> hours
> ago).
> [Replications Check,rpdc04] A recent replication attempt
> failed:
> From jpdc02 to rpdc04
> Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
> The replication generated an error (1256):
> The remote system is not available. For information about
> network troubleshooting, see Windows Help.
> The failure occurred at 2010-03-14 18:54:08.
> The last success occurred at 2010-03-13 12:17:32.
> 122 failures have occurred since the last success.
> [Replications Check,rpdc04] A recent replication attempt
> failed:
> From jpdc02 to rpdc04
> Naming Context: DC=DomainDnsZones,DC=mycompany,DC=com
> The replication generated an error (1256):
> The remote system is not available. For information about
> network troubleshooting, see Windows Help.
> The failure occurred at 2010-03-14 18:54:08.
> The last success occurred at 2010-03-13 12:17:32.
> 122 failures have occurred since the last success.
> [Replications Check,rpdc04] A recent replication attempt
> failed:
> From jpdc02 to rpdc04
> Naming Context:
> CN=Schema,CN=Configuration,DC=mycompany,DC=com
> The replication generated an error (1727):
> The remote procedure call failed and did not execute.
> The failure occurred at 2010-03-14 18:46:47.
> The last success occurred at 2010-03-13 12:17:31.
> 121 failures have occurred since the last success.
> [Replications Check,rpdc04] A recent replication attempt
> failed:
> From jpdc02 to rpdc04
> Naming Context: CN=Configuration,DC=mycompany,DC=com
> The replication generated an error (1727):
> The remote procedure call failed and did not execute.
> The failure occurred at 2010-03-14 19:01:22.
> The last success occurred at 2010-03-13 12:17:24.
> 122 failures have occurred since the last success.
> [Replications Check,rpdc04] A recent replication attempt
> failed:
> From jpdc02 to rpdc04
> Naming Context: DC=mycompany,DC=com
> The replication generated an error (1727):
> The remote procedure call failed and did not execute.
> The failure occurred at 2010-03-14 18:54:08.
> The last success occurred at 2010-03-13 12:17:23.
> 11 failures have occurred since the last success.
> rpdc04: There are 21 replication work items in the queue.
> REPLICATION LATENCY WARNING
> rpdc04: A long-running replication operation is in progress
> The job has been executing for 5 minutes and 2 seconds.
> Replication of new changes along this path will be
> delayed.
> Error: Higher priority replications are being blocked
> Enqueued 2010-03-14 18:47:22 at priority 170
> Op: SYNC FROM SOURCE
> NC CN=Schema,CN=Configuration,DC=mycompany,DC=com
> DSADN CN=NTDS
> Settings,CN=jpdc02,CN=Servers,CN=JED,CN=Sites,CN=C onfiguration,DC=myco
> mpany,DC=com
> DSA transport addr
> f9f5b45f-b5e6-4302-9e97-069c79fd1585._msdcs.mycompany.com
> * Replication Latency Check
> REPLICATION-RECEIVED LATENCY WARNING
> rpdc04: Current time is 2010-03-14 19:06:31.
> DC=ForestDnsZones,DC=mycompany,DC=com
> Last replication recieved from jpdc02 at 2010-03-13
> 12:18:23.
> Latency information for 12 entries in the vector were
> ignored.
> 12 were retired Invocations. 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> DC=DomainDnsZones,DC=mycompany,DC=com
> Last replication recieved from jpdc02 at 2010-03-13
> 12:18:22.
> Latency information for 12 entries in the vector were
> ignored.
> 12 were retired Invocations. 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> CN=Schema,CN=Configuration,DC=mycompany,DC=com
> Last replication recieved from jpdc02 at 2010-03-13
> 12:18:22.
> Latency information for 19 entries in the vector were
> ignored.
> 19 were retired Invocations. 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> CN=Configuration,DC=mycompany,DC=com
> Last replication recieved from jpdc02 at 2010-03-13
> 12:18:21.
> Latency information for 19 entries in the vector were
> ignored.
> 19 were retired Invocations. 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> DC=mycompany,DC=com
> Last replication recieved from jpdc02 at 2010-03-13
> 12:18:22.
> Latency information for 18 entries in the vector were
> ignored.
> 18 were retired Invocations. 0 were either:
> read-only
> replicas and are not verifiably latent, or dc's no longer replicating
> this
> nc. 0 had no latency information (Win2K DC).
> ......................... rpdc04 passed test Replications
> Test omitted by user request: Topology
> Test omitted by user request: CutoffServers
> Starting test: NCSecDesc
> * Security Permissions check for all NC's on DC rpdc04.
> * Security Permissions Check for
> DC=ForestDnsZones,DC=mycompany,DC=com
> (NDNC,Version 2)
> * Security Permissions Check for
> DC=DomainDnsZones,DC=mycompany,DC=com
> (NDNC,Version 2)
> * Security Permissions Check for
> CN=Schema,CN=Configuration,DC=mycompany,DC=com
> (Schema,Version 2)
> * Security Permissions Check for
> CN=Configuration,DC=mycompany,DC=com
> (Configuration,Version 2)
> * Security Permissions Check for
> DC=mycompany,DC=com
> (Domain,Version 2)
> ......................... rpdc04 passed test NCSecDesc
> Starting test: NetLogons
> * Network Logons Privileges Check
> Verified share \\rpdc04\netlogon
> Verified share \\rpdc04\sysvol
> ......................... rpdc04 passed test NetLogons
> Starting test: Advertising
> The DC rpdc04 is advertising itself as a DC and having a DS.
> The DC rpdc04 is advertising as an LDAP server
> The DC rpdc04 is advertising as having a writeable directory
> The DC rpdc04 is advertising as a Key Distribution Center
> The DC rpdc04 is advertising as a time server
> The DS rpdc04 is advertising as a GC.
> ......................... rpdc04 passed test Advertising
> Starting test: KnowsOfRoleHolders
> Role Schema Owner = CN=NTDS
> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=myco
> mpany,DC=com
> Role Domain Owner = CN=NTDS
> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=myco
> mpany,DC=com
> Role PDC Owner = CN=NTDS
> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=myco
> mpany,DC=com
> Role Rid Owner = CN=NTDS
> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=myco
> mpany,DC=com
> Role Infrastructure Update Owner = CN=NTDS
> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=myco
> mpany,DC=com
> ......................... rpdc04 passed test
> KnowsOfRoleHolders
> Starting test: RidManager
> * Available RID Pool for the Domain is 22603 to 1073741823
> * rpdc03.mycompany.com is the RID Master
> * DsBind with RID Master was successful
> * rIDAllocationPool is 20103 to 20602
> * rIDPreviousAllocationPool is 20103 to 20602
> * rIDNextRID: 20266
> ......................... rpdc04 passed test RidManager
> Starting test: MachineAccount
> Checking machine account for DC rpdc04 on DC rpdc04.
> * SPN found :LDAP/rpdc04.mycompany.com/mycompany.com
> * SPN found :LDAP/rpdc04.mycompany.com
> * SPN found :LDAP/rpdc04
> * SPN found :LDAP/rpdc04.mycompany.com/mycompany
> * SPN found
> :LDAP/25671f81-8b4c-404c-991f-e5ae1eb35d62._msdcs.mycompany.com
> * SPN found
> :E3514235-4B06-11D1-AB04-00C04FC2DCD2/25671f81-8b4c-404c-991f-e5ae1eb3
> 5d62/mycompany.com
> * SPN found :HOST/rpdc04.mycompany.com/mycompany.com
> * SPN found :HOST/rpdc04.mycompany.com
> * SPN found :HOST/rpdc04
> * SPN found :HOST/rpdc04.mycompany.com/mycompany
> * SPN found :GC/rpdc04.mycompany.com/mycompany.com
> ......................... rpdc04 passed test MachineAccount
> Starting test: Services
> * Checking Service: Dnscache
> * Checking Service: NtFrs
> * Checking Service: IsmServ
> * Checking Service: kdc
> * Checking Service: SamSs
> * Checking Service: LanmanServer
> * Checking Service: LanmanWorkstation
> * Checking Service: RpcSs
> * Checking Service: w32time
> * Checking Service: NETLOGON
> ......................... rpdc04 passed test Services
> Test omitted by user request: OutboundSecureChannels
> Starting test: ObjectsReplicated
> rpdc04 is in domain DC=mycompany,DC=com
> Checking for CN=rpdc04,OU=Domain
> Controllers,DC=mycompany,DC=com in
> domain DC=mycompany,DC=com on 1 servers
> Object is up-to-date on all servers.
> Checking for CN=NTDS
> Settings,CN=rpdc04,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=myco
> mpany,DC=com in domain CN=Configuration,DC=mycompany,DC=com on 1
> servers
> Object is up-to-date on all servers.
> ......................... rpdc04 passed test
> ObjectsReplicated
> Starting test: frssysvol
> * The File Replication Service SYSVOL ready test
> File Replication Service's SYSVOL is ready
> ......................... rpdc04 passed test frssysvol
> Starting test: frsevent
> * The File Replication Service Event log test
> There are warning or error events within the last 24 hours
> after the
> SYSVOL has been shared. Failing SYSVOL replication problems
> may cause
>
> Group Policy problems.
> An Warning Event occured. EventID: 0x800034C4
> Time Generated: 03/14/2010 14:22:14
> (Event String could not be retrieved)
> ......................... rpdc04 failed test frsevent
> Starting test: kccevent
> * The KCC Event log test
> An Warning Event occured. EventID: 0x8000061E
> Time Generated: 03/14/2010 18:52:28
> Event String: All domain controllers in the following site
> that
> can replicate the directory partition over this
>
> transport are currently unavailable.
>
> Site:
>
> CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=c om
>
> Directory partition:
>
> DC=mycompany,DC=com
>
> Transport:
>
> CN=IP,CN=Inter-Site
> Transports,CN=Sites,CN=Configuration,DC=mycompany, DC=com
>
> An Error Event occured. EventID: 0xC000051F
> Time Generated: 03/14/2010 18:52:28
> Event String: The Knowledge Consistency Checker (KCC) has
> detected problems with the following directory
>
> partition.
>
> Directory partition:
>
> DC=mycompany,DC=com
>
> There is insufficient site connectivity
>
> information in Active Directory Sites and
>
> Services for the KCC to create a spanning tree
>
> replication topology. Or, one or more domain
>
> controllers with this directory partition are
>
> unable to replicate the directory partition
>
> information. This is probably due to inaccessible
>
> domain controllers.
>
> User Action
>
> Use Active Directory Sites and Services to
>
> perform one of the following actions:
>
> - Publish sufficient site connectivity
>
> information so that the KCC can determine a route
>
> by which this directory partition can reach this
>
> site. This is the preferred option.
>
> - Add a Connection object to a domain controller
>
> that contains the directory partition in this
>
> site from a domain controller that contains the
>
> same directory partition in another site.
>
> If neither of the Active Directory Sites and
>
> Services tasks correct this condition, see
>
> previous events logged by the KCC that identify
>
> the inaccessible domain controllers.
> An Warning Event occured. EventID: 0x80000749
> Time Generated: 03/14/2010 18:52:28
> Event String: The Knowledge Consistency Checker (KCC) was
> unable to form a complete spanning tree network
>
> topology. As a result, the following list of
>
> sites cannot be reached from the local site.
>
> Sites:
>
> CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=c om
>
> An Warning Event occured. EventID: 0x8000061E
> Time Generated: 03/14/2010 18:52:28
> Event String: All domain controllers in the following site
> that
> can replicate the directory partition over this
>
> transport are currently unavailable.
>
> Site:
>
> CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=c om
>
> Directory partition:
>
> DC=ForestDnsZones,DC=mycompany,DC=com
>
> Transport:
>
> CN=IP,CN=Inter-Site
> Transports,CN=Sites,CN=Configuration,DC=mycompany, DC=com
>
> An Error Event occured. EventID: 0xC000051F
> Time Generated: 03/14/2010 18:52:28
> Event String: The Knowledge Consistency Checker (KCC) has
> detected problems with the following directory
>
> partition.
>
> Directory partition:
>
> DC=ForestDnsZones,DC=mycompany,DC=com
>
> There is insufficient site connectivity
>
> information in Active Directory Sites and
>
> Services for the KCC to create a spanning tree
>
> replication topology. Or, one or more domain
>
> controllers with this directory partition are
>
> unable to replicate the directory partition
>
> information. This is probably due to inaccessible
>
> domain controllers.
>
> User Action
>
> Use Active Directory Sites and Services to
>
> perform one of the following actions:
>
> - Publish sufficient site connectivity
>
> information so that the KCC can determine a route
>
> by which this directory partition can reach this
>
> site. This is the preferred option.
>
> - Add a Connection object to a domain controller
>
> that contains the directory partition in this
>
> site from a domain controller that contains the
>
> same directory partition in another site.
>
> If neither of the Active Directory Sites and
>
> Services tasks correct this condition, see
>
> previous events logged by the KCC that identify
>
> the inaccessible domain controllers.
> An Warning Event occured. EventID: 0x80000749
> Time Generated: 03/14/2010 18:52:28
> Event String: The Knowledge Consistency Checker (KCC) was
> unable to form a complete spanning tree network
>
> topology. As a result, the following list of
>
> sites cannot be reached from the local site.
>
> Sites:
>
> CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=c om
>
> An Warning Event occured. EventID: 0x8000061E
> Time Generated: 03/14/2010 18:52:28
> Event String: All domain controllers in the following site
> that
> can replicate the directory partition over this
>
> transport are currently unavailable.
>
> Site:
>
> CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=c om
>
> Directory partition:
>
> DC=DomainDnsZones,DC=mycompany,DC=com
>
> Transport:
>
> CN=IP,CN=Inter-Site
> Transports,CN=Sites,CN=Configuration,DC=mycompany, DC=com
>
> An Error Event occured. EventID: 0xC000051F
> Time Generated: 03/14/2010 18:52:28
> Event String: The Knowledge Consistency Checker (KCC) has
> detected problems with the following directory
>
> partition.
>
> Directory partition:
>
> DC=DomainDnsZones,DC=mycompany,DC=com
>
> There is insufficient site connectivity
>
> information in Active Directory Sites and
>
> Services for the KCC to create a spanning tree
>
> replication topology. Or, one or more domain
>
> controllers with this directory partition are
>
> unable to replicate the directory partition
>
> information. This is probably due to inaccessible
>
> domain controllers.
>
> User Action
>
> Use Active Directory Sites and Services to
>
> perform one of the following actions:
>
> - Publish sufficient site connectivity
>
> information so that the KCC can determine a route
>
> by which this directory partition can reach this
>
> site. This is the preferred option.
>
> - Add a Connection object to a domain controller
>
> that contains the directory partition in this
>
> site from a domain controller that contains the
>
> same directory partition in another site.
>
> If neither of the Active Directory Sites and
>
> Services tasks correct this condition, see
>
> previous events logged by the KCC that identify
>
> the inaccessible domain controllers.
> An Warning Event occured. EventID: 0x80000749
> Time Generated: 03/14/2010 18:52:28
> Event String: The Knowledge Consistency Checker (KCC) was
> unable to form a complete spanning tree network
>
> topology. As a result, the following list of
>
> sites cannot be reached from the local site.
>
> Sites:
>
> CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=c om
>
> An Warning Event occured. EventID: 0x8000061E
> Time Generated: 03/14/2010 18:52:28
> Event String: All domain controllers in the following site
> that
> can replicate the directory partition over this
>
> transport are currently unavailable.
>
> Site:
>
> CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=c om
>
> Directory partition:
>
> CN=Configuration,DC=mycompany,DC=com
>
> Transport:
>
> CN=IP,CN=Inter-Site
> Transports,CN=Sites,CN=Configuration,DC=mycompany, DC=com
>
> An Error Event occured. EventID: 0xC000051F
> Time Generated: 03/14/2010 18:52:28
> Event String: The Knowledge Consistency Checker (KCC) has
> detected problems with the following directory
>
> partition.
>
> Directory partition:
>
> CN=Configuration,DC=mycompany,DC=com
>
> There is insufficient site connectivity
>
> information in Active Directory Sites and
>
> Services for the KCC to create a spanning tree
>
> replication topology. Or, one or more domain
>
> controllers with this directory partition are
>
> unable to replicate the directory partition
>
> information. This is probably due to inaccessible
>
> domain controllers.
>
> User Action
>
> Use Active Directory Sites and Services to
>
> perform one of the following actions:
>
> - Publish sufficient site connectivity
>
> information so that the KCC can determine a route
>
> by which this directory partition can reach this
>
> site. This is the preferred option.
>
> - Add a Connection object to a domain controller
>
> that contains the directory partition in this
>
> site from a domain controller that contains the
>
> same directory partition in another site.
>
> If neither of the Active Directory Sites and
>
> Services tasks correct this condition, see
>
> previous events logged by the KCC that identify
>
> the inaccessible domain controllers.
> An Warning Event occured. EventID: 0x80000749
> Time Generated: 03/14/2010 18:52:28
> Event String: The Knowledge Consistency Checker (KCC) was
> unable to form a complete spanning tree network
>
> topology. As a result, the following list of
>
> sites cannot be reached from the local site.
>
> Sites:
>
> CN=JED,CN=Sites,CN=Configuration,DC=mycompany,DC=c om
>
> ......................... rpdc04 failed test kccevent
> Starting test: systemlog
> * The System Event log test
> An Error Event occured. EventID: 0x0000165B
> Time Generated: 03/14/2010 18:28:42
> Event String: The session setup from computer 'RIYDTP110'
> failed because the security database does not
>
> contain a trust account 'RIYDTP110$' referenced
>
> by the specified computer.
>
> USER ACTION
>
> If this is the first occurrence of this event for
>
> the specified computer and account, this may be a
>
> transient issue that doesn't require any action
>
> at this time. Otherwise, the following steps may
>
> be taken to resolve this problem:
>
> If 'RIYDTP110$' is a legitimate machine account
>
> for the computer 'RIYDTP110', then 'RIYDTP110'
>
> should be rejoined to the domain.
>
> If 'RIYDTP110$' is a legitimate interdomain trust
>
> account, then the trust should be recreated.
>
> Otherwise, assuming that 'RIYDTP110$' is not a
>
> legitimate account, the following action should
>
> be taken on 'RIYDTP110':
>
> If 'RIYDTP110' is a Domain Controller, then the
>
> trust associated with 'RIYDTP110$' should be
>
> deleted.
>
> If 'RIYDTP110' is not a Domain Controller, it
>
> should be disjoined from the domain.
> An Error Event occured. EventID: 0x000016AD
> Time Generated: 03/14/2010 18:33:21
> Event String: The session setup from the computer
> RIYDTP110
> failed to authenticate. The following error
>
> occurred:
>
> %%5
> ......................... rpdc04 failed test systemlog
> Test omitted by user request: VerifyReplicas
> Starting test: VerifyReferences
> The system object reference (serverReference)
> CN=rpdc04,OU=Domain Controllers,DC=mycompany,DC=com and
> backlink on
>
> CN=rpdc04,CN=Servers,CN=RHO,CN=Sites,CN=Configurat ion,DC=mycompany,DC=
> com
>
> are correct.
> The system object reference (frsComputerReferenceBL)
> CN=rpdc04,CN=Domain System Volume (SYSVOL share),CN=File
> Replication Service,CN=System,DC=mycompany,DC=com
>
> and backlink on CN=rpdc04,OU=Domain
> Controllers,DC=mycompany,DC=com
>
> are correct.
> The system object reference (serverReferenceBL)
> CN=rpdc04,CN=Domain System Volume (SYSVOL share),CN=File
> Replication Service,CN=System,DC=mycompany,DC=com
>
> and backlink on
>
> CN=NTDS
> Settings,CN=rpdc04,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=myco
> mpany,DC=com
>
> are correct.
> ......................... rpdc04 passed test VerifyReferences
> Test omitted by user request: VerifyEnterpriseReferences
> Test omitted by user request: CheckSecurityError
> Running partition tests on : ForestDnsZones
> Starting test: CrossRefValidation
> ......................... ForestDnsZones passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... ForestDnsZones passed test
> CheckSDRefDom
> Running partition tests on : DomainDnsZones
> Starting test: CrossRefValidation
> ......................... DomainDnsZones passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... DomainDnsZones passed test
> CheckSDRefDom
> Running partition tests on : Schema
> Starting test: CrossRefValidation
> ......................... Schema passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Schema passed test CheckSDRefDom
> Running partition tests on : Configuration
> Starting test: CrossRefValidation
> ......................... Configuration passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Configuration passed test
> CheckSDRefDom
> Running partition tests on : mycompany
> Starting test: CrossRefValidation
> ......................... mycompany passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... mycompany passed test CheckSDRefDom
> Running enterprise tests on : mycompany.com
> Starting test: Intersite
> Skipping site RHO, this site is outside the scope provided by
> the
> command line arguments provided.
> Skipping site DAM, this site is outside the scope provided by
> the
> command line arguments provided.
> Skipping site JED, this site is outside the scope provided by
> the
> command line arguments provided.
> ......................... mycompany.com passed test Intersite
> Starting test: FsmoCheck
> GC Name: \\rpdc04.mycompany.com
> Locator Flags: 0xe00001fc
> PDC Name: \\rpdc03.mycompany.com
> Locator Flags: 0xe00003fd
> Time Server Name: \\rpdc04.mycompany.com
> Locator Flags: 0xe00001fc
> Preferred Time Server Name: \\rpdc03.mycompany.com
> Locator Flags: 0xe00003fd
> KDC Name: \\rpdc04.mycompany.com
> Locator Flags: 0xe00001fc
> ......................... mycompany.com passed test FsmoCheck
> Test omitted by user request: DNS
> Test omitted by user request: DNS
> ---------------------
> Regards
> Lal
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello Laljeev,
>>
>> The permissions at the moment sounds ok for me. Please run dcdiag /v
>> on the DCs and post the output here. Are you working on the DCs
>> directly or from a workstation with adminpak installed?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Hi
>>>
>>> We are unable to edit some of the GPOs (Default Domain Policy, etc)
>>> and getting Access Denied error. We checked the permission of SYSVOL
>>> folder and found Administrators (Domain), System and Authenticated
>>> Users have full control share permissions. Full access has been
>>> provided to Administrators, creator owner & System and read &
>>> execute permission has been provided to Authenticated users in
>>> Security tab.
>>>
>>> Can anyone help me to resolve the issue and also any doc is
>>> available to check the correct permissions with SYSVOL.
>>>
>>> Thanks in advance for help
>>>
>>> Regards
>>> Lal
>> .
>>

Hi

The contents of both SYSVOL and Netlogon are same on all Dcs and Repadmin
shows the replication as successfull. Shall we remove those GPOs which are
not allowing to edit and create new GPOs with same config

Regards
Lal
--
----Server Management Team----


"Meinolf Weber [MVP-DS]" wrote:

> Hello Laljeev,
>
> Hopefully the second DC is back soon for you. Did you check the event viewer
> for errors on the DC where ryou logged in to when the access denied pop up?
>
> As you wrote you can't edit some of the GPOs, so you are able to edit some
> other? Did you check that the content of sysvol and netlogon is the same
> on all DCs in the domain and replication is working on each DC with repadmin
> /showrepl?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > Hi
> >
> > Below is the output from dcdiag/v, I'm accessing the server through
> > terminal service (mstsc -admin). One of our DCs is down from this
> > morning (jpdc02)
> >
> > ____________________
> >
> > Domain Controller Diagnosis
> >
> > Performing initial setup:
> > * Verifying that the local machine rpdc04, is a DC.
> > * Connecting to directory service on server rpdc04.
> > * Collecting site info.
> > * Identifying all servers.
> > * Identifying all NC cross-refs.
> > * Found 4 DC(s). Testing 1 of them.
> > Done gathering initial info.
> > Doing initial required tests
> >
> > Testing server: RHO\rpdc04
> > Starting test: Connectivity
> > * Active Directory LDAP Services Check
> > * Active Directory RPC Services Check
> > ......................... rpdc04 passed test Connectivity
> > Doing primary tests
> >
> > Testing server: RHO\rpdc04
> > Starting test: Replications
> > * Replications Check
> > [Replications Check,rpdc04] No replication recently
> > attempted:
> > From dbdc01 to rpdc04
> > Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
> > The last attempt occurred at 2010-03-14 15:47:00 (about 3
> > hours
> > ago).
> > [Replications Check,rpdc04] A recent replication attempt
> > failed:
> > From jpdc02 to rpdc04
> > Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
> > The replication generated an error (1256):
> > The remote system is not available. For information about
> > network troubleshooting, see Windows Help.
> > The failure occurred at 2010-03-14 18:54:08.
> > The last success occurred at 2010-03-13 12:17:32.
> > 122 failures have occurred since the last success.
> > [Replications Check,rpdc04] A recent replication attempt
> > failed:
> > From jpdc02 to rpdc04
> > Naming Context: DC=DomainDnsZones,DC=mycompany,DC=com
> > The replication generated an error (1256):
> > The remote system is not available. For information about
> > network troubleshooting, see Windows Help.
> > The failure occurred at 2010-03-14 18:54:08.
> > The last success occurred at 2010-03-13 12:17:32.
> > 122 failures have occurred since the last success.
> > [Replications Check,rpdc04] A recent replication attempt
> > failed:
> > From jpdc02 to rpdc04
> > Naming Context:
> > CN=Schema,CN=Configuration,DC=mycompany,DC=com
> > The replication generated an error (1727):
> > The remote procedure call failed and did not execute.
> > The failure occurred at 2010-03-14 18:46:47.
> > The last success occurred at 2010-03-13 12:17:31.
> > 121 failures have occurred since the last success.
> > [Replications Check,rpdc04] A recent replication attempt
> > failed:
> > From jpdc02 to rpdc04
> > Naming Context: CN=Configuration,DC=mycompany,DC=com
> > The replication generated an error (1727):
> > The remote procedure call failed and did not execute.
> > The failure occurred at 2010-03-14 19:01:22.
> > The last success occurred at 2010-03-13 12:17:24.
> > 122 failures have occurred since the last success.
> > [Replications Check,rpdc04] A recent replication attempt
> > failed:
> > From jpdc02 to rpdc04
> > Naming Context: DC=mycompany,DC=com
> > The replication generated an error (1727):
> > The remote procedure call failed and did not execute.
> > The failure occurred at 2010-03-14 18:54:08.
> > The last success occurred at 2010-03-13 12:17:23.
> > 11 failures have occurred since the last success.
> > rpdc04: There are 21 replication work items in the queue.
> > REPLICATION LATENCY WARNING
> > rpdc04: A long-running replication operation is in progress
> > The job has been executing for 5 minutes and 2 seconds.
> > Replication of new changes along this path will be
> > delayed.
> > Error: Higher priority replications are being blocked
> > Enqueued 2010-03-14 18:47:22 at priority 170
> > Op: SYNC FROM SOURCE
> > NC CN=Schema,CN=Configuration,DC=mycompany,DC=com
> > DSADN CN=NTDS
> > Settings,CN=jpdc02,CN=Servers,CN=JED,CN=Sites,CN=C onfiguration,DC=myco
> > mpany,DC=com
> > DSA transport addr
> > f9f5b45f-b5e6-4302-9e97-069c79fd1585._msdcs.mycompany.com
> > * Replication Latency Check
> > REPLICATION-RECEIVED LATENCY WARNING
> > rpdc04: Current time is 2010-03-14 19:06:31.
> > DC=ForestDnsZones,DC=mycompany,DC=com
> > Last replication recieved from jpdc02 at 2010-03-13
> > 12:18:23.
> > Latency information for 12 entries in the vector were
> > ignored.
> > 12 were retired Invocations. 0 were either:
> > read-only
> > replicas and are not verifiably latent, or dc's no longer replicating
> > this
> > nc. 0 had no latency information (Win2K DC).
> > DC=DomainDnsZones,DC=mycompany,DC=com
> > Last replication recieved from jpdc02 at 2010-03-13
> > 12:18:22.
> > Latency information for 12 entries in the vector were
> > ignored.
> > 12 were retired Invocations. 0 were either:
> > read-only
> > replicas and are not verifiably latent, or dc's no longer replicating
> > this
> > nc. 0 had no latency information (Win2K DC).
> > CN=Schema,CN=Configuration,DC=mycompany,DC=com
> > Last replication recieved from jpdc02 at 2010-03-13
> > 12:18:22.
> > Latency information for 19 entries in the vector were
> > ignored.
> > 19 were retired Invocations. 0 were either:
> > read-only
> > replicas and are not verifiably latent, or dc's no longer replicating
> > this
> > nc. 0 had no latency information (Win2K DC).
> > CN=Configuration,DC=mycompany,DC=com
> > Last replication recieved from jpdc02 at 2010-03-13
> > 12:18:21.
> > Latency information for 19 entries in the vector were
> > ignored.
> > 19 were retired Invocations. 0 were either:
> > read-only
> > replicas and are not verifiably latent, or dc's no longer replicating
> > this
> > nc. 0 had no latency information (Win2K DC).
> > DC=mycompany,DC=com
> > Last replication recieved from jpdc02 at 2010-03-13
> > 12:18:22.
> > Latency information for 18 entries in the vector were
> > ignored.
> > 18 were retired Invocations. 0 were either:
> > read-only
> > replicas and are not verifiably latent, or dc's no longer replicating
> > this
> > nc. 0 had no latency information (Win2K DC).
> > ......................... rpdc04 passed test Replications
> > Test omitted by user request: Topology
> > Test omitted by user request: CutoffServers
> > Starting test: NCSecDesc
> > * Security Permissions check for all NC's on DC rpdc04.
> > * Security Permissions Check for
> > DC=ForestDnsZones,DC=mycompany,DC=com
> > (NDNC,Version 2)
> > * Security Permissions Check for
> > DC=DomainDnsZones,DC=mycompany,DC=com
> > (NDNC,Version 2)
> > * Security Permissions Check for
> > CN=Schema,CN=Configuration,DC=mycompany,DC=com
> > (Schema,Version 2)
> > * Security Permissions Check for
> > CN=Configuration,DC=mycompany,DC=com
> > (Configuration,Version 2)
> > * Security Permissions Check for
> > DC=mycompany,DC=com
> > (Domain,Version 2)
> > ......................... rpdc04 passed test NCSecDesc
> > Starting test: NetLogons
> > * Network Logons Privileges Check
> > Verified share \\rpdc04\netlogon
> > Verified share \\rpdc04\sysvol
> > ......................... rpdc04 passed test NetLogons
> > Starting test: Advertising
> > The DC rpdc04 is advertising itself as a DC and having a DS.
> > The DC rpdc04 is advertising as an LDAP server
> > The DC rpdc04 is advertising as having a writeable directory
> > The DC rpdc04 is advertising as a Key Distribution Center
> > The DC rpdc04 is advertising as a time server
> > The DS rpdc04 is advertising as a GC.
> > ......................... rpdc04 passed test Advertising
> > Starting test: KnowsOfRoleHolders
> > Role Schema Owner = CN=NTDS
> > Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=myco
> > mpany,DC=com
> > Role Domain Owner = CN=NTDS
> > Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=myco
> > mpany,DC=com
> > Role PDC Owner = CN=NTDS
> > Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=myco
> > mpany,DC=com
> > Role Rid Owner = CN=NTDS
> > Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=myco
> > mpany,DC=com
> > Role Infrastructure Update Owner = CN=NTDS
> > Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=myco
> > mpany,DC=com
> > ......................... rpdc04 passed test
> > KnowsOfRoleHolders
> > Starting test: RidManager
> > * Available RID Pool for the Domain is 22603 to 1073741823
> > * rpdc03.mycompany.com is the RID Master
> > * DsBind with RID Master was successful
> > * rIDAllocationPool is 20103 to 20602
> > * rIDPreviousAllocationPool is 20103 to 20602
> > * rIDNextRID: 20266
> > ......................... rpdc04 passed test RidManager
> > Starting test: MachineAccount
> > Checking machine account for DC rpdc04 on DC rpdc04.
> > * SPN found :LDAP/rpdc04.mycompany.com/mycompany.com
> > * SPN found :LDAP/rpdc04.mycompany.com
> > * SPN found :LDAP/rpdc04
> > * SPN found :LDAP/rpdc04.mycompany.com/mycompany
> > * SPN found
> > :LDAP/25671f81-8b4c-404c-991f-e5ae1eb35d62._msdcs.mycompany.com
> > * SPN found
> > :E3514235-4B06-11D1-AB04-00C04FC2DCD2/25671f81-8b4c-404c-991f-e5ae1eb3
> > 5d62/mycompany.com
> > * SPN found :HOST/rpdc04.mycompany.com/mycompany.com
> > * SPN found :HOST/rpdc04.mycompany.com
> > * SPN found :HOST/rpdc04
> > * SPN found :HOST/rpdc04.mycompany.com/mycompany
> > * SPN found :GC/rpdc04.mycompany.com/mycompany.com
> > ......................... rpdc04 passed test MachineAccount
> > Starting test: Services
> > * Checking Service: Dnscache
> > * Checking Service: NtFrs
> > * Checking Service: IsmServ
> > * Checking Service: kdc
> > * Checking Service: SamSs
> > * Checking Service: LanmanServer
> > * Checking Service: LanmanWorkstation
> > * Checking Service: RpcSs
> > * Checking Service: w32time
> > * Checking Service: NETLOGON
> > ......................... rpdc04 passed test Services
> > Test omitted by user request: OutboundSecureChannels
> > Starting test: ObjectsReplicated
> > rpdc04 is in domain DC=mycompany,DC=com
> > Checking for CN=rpdc04,OU=Domain
> > Controllers,DC=mycompany,DC=com in
> > domain DC=mycompany,DC=com on 1 servers
> > Object is up-to-date on all servers.
> > Checking for CN=NTDS
> > Settings,CN=rpdc04,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=myco
> > mpany,DC=com in domain CN=Configuration,DC=mycompany,DC=com on 1
> > servers
> > Object is up-to-date on all servers.
> > ......................... rpdc04 passed test
> > ObjectsReplicated
> > Starting test: frssysvol
> > * The File Replication Service SYSVOL ready test
> > File Replication Service's SYSVOL is ready
> > ......................... rpdc04 passed test frssysvol
> > Starting test: frsevent
> > * The File Replication Service Event log test
> > There are warning or error events within the last 24 hours
> > after the
> > SYSVOL has been shared. Failing SYSVOL replication problems
> > may cause
> >
> > Group Policy problems.
> > An Warning Event occured. EventID: 0x800034C4
> > Time Generated: 03/14/2010 14:22:14
> > (Event String could not be retrieved)
> > ......................... rpdc04 failed test frsevent
> > Starting test: kccevent
> > * The KCC Event log test
> > An Warning Event occured. EventID: 0x8000061E
> > Time Generated: 03/14/2010 18:52:28
> > Event String: All domain controllers in the following site
> > that
> > can replicate the directory partition over this
> >
> > transport are currently unavailable.

Hello Laljeev,

I wouldn't, there must be a reason. Was there a restore from a DC some time
ago?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi
>
> The contents of both SYSVOL and Netlogon are same on all Dcs and
> Repadmin shows the replication as successfull. Shall we remove those
> GPOs which are not allowing to edit and create new GPOs with same
> config
>
> Regards
> Lal
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello Laljeev,
>>
>> Hopefully the second DC is back soon for you. Did you check the event
>> viewer for errors on the DC where ryou logged in to when the access
>> denied pop up?
>>
>> As you wrote you can't edit some of the GPOs, so you are able to edit
>> some other? Did you check that the content of sysvol and netlogon is
>> the same on all DCs in the domain and replication is working on each
>> DC with repadmin /showrepl?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Hi
>>>
>>> Below is the output from dcdiag/v, I'm accessing the server through
>>> terminal service (mstsc -admin). One of our DCs is down from this
>>> morning (jpdc02)
>>>
>>> ____________________
>>>
>>> Domain Controller Diagnosis
>>>
>>> Performing initial setup:
>>> * Verifying that the local machine rpdc04, is a DC.
>>> * Connecting to directory service on server rpdc04.
>>> * Collecting site info.
>>> * Identifying all servers.
>>> * Identifying all NC cross-refs.
>>> * Found 4 DC(s). Testing 1 of them.
>>> Done gathering initial info.
>>> Doing initial required tests
>>> Testing server: RHO\rpdc04
>>> Starting test: Connectivity
>>> * Active Directory LDAP Services Check
>>> * Active Directory RPC Services Check
>>> ......................... rpdc04 passed test Connectivity
>>> Doing primary tests
>>> Testing server: RHO\rpdc04
>>> Starting test: Replications
>>> * Replications Check
>>> [Replications Check,rpdc04] No replication recently
>>> attempted:
>>> From dbdc01 to rpdc04
>>> Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
>>> The last attempt occurred at 2010-03-14 15:47:00 (about 3
>>> hours
>>> ago).
>>> [Replications Check,rpdc04] A recent replication attempt
>>> failed:
>>> From jpdc02 to rpdc04
>>> Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
>>> The replication generated an error (1256):
>>> The remote system is not available. For information about
>>> network troubleshooting, see Windows Help.
>>> The failure occurred at 2010-03-14 18:54:08.
>>> The last success occurred at 2010-03-13 12:17:32.
>>> 122 failures have occurred since the last success.
>>> [Replications Check,rpdc04] A recent replication attempt
>>> failed:
>>> From jpdc02 to rpdc04
>>> Naming Context: DC=DomainDnsZones,DC=mycompany,DC=com
>>> The replication generated an error (1256):
>>> The remote system is not available. For information about
>>> network troubleshooting, see Windows Help.
>>> The failure occurred at 2010-03-14 18:54:08.
>>> The last success occurred at 2010-03-13 12:17:32.
>>> 122 failures have occurred since the last success.
>>> [Replications Check,rpdc04] A recent replication attempt
>>> failed:
>>> From jpdc02 to rpdc04
>>> Naming Context:
>>> CN=Schema,CN=Configuration,DC=mycompany,DC=com
>>> The replication generated an error (1727):
>>> The remote procedure call failed and did not execute.
>>> The failure occurred at 2010-03-14 18:46:47.
>>> The last success occurred at 2010-03-13 12:17:31.
>>> 121 failures have occurred since the last success.
>>> [Replications Check,rpdc04] A recent replication attempt
>>> failed:
>>> From jpdc02 to rpdc04
>>> Naming Context: CN=Configuration,DC=mycompany,DC=com
>>> The replication generated an error (1727):
>>> The remote procedure call failed and did not execute.
>>> The failure occurred at 2010-03-14 19:01:22.
>>> The last success occurred at 2010-03-13 12:17:24.
>>> 122 failures have occurred since the last success.
>>> [Replications Check,rpdc04] A recent replication attempt
>>> failed:
>>> From jpdc02 to rpdc04
>>> Naming Context: DC=mycompany,DC=com
>>> The replication generated an error (1727):
>>> The remote procedure call failed and did not execute.
>>> The failure occurred at 2010-03-14 18:54:08.
>>> The last success occurred at 2010-03-13 12:17:23.
>>> 11 failures have occurred since the last success.
>>> rpdc04: There are 21 replication work items in the queue.
>>> REPLICATION LATENCY WARNING
>>> rpdc04: A long-running replication operation is in progress
>>> The job has been executing for 5 minutes and 2 seconds.
>>> Replication of new changes along this path will be
>>> delayed.
>>> Error: Higher priority replications are being blocked
>>> Enqueued 2010-03-14 18:47:22 at priority 170
>>> Op: SYNC FROM SOURCE
>>> NC CN=Schema,CN=Configuration,DC=mycompany,DC=com
>>> DSADN CN=NTDS
>>> Settings,CN=jpdc02,CN=Servers,CN=JED,CN=Sites,CN=C onfiguration,DC=my
>>> co
>>> mpany,DC=com
>>> DSA transport addr
>>> f9f5b45f-b5e6-4302-9e97-069c79fd1585._msdcs.mycompany.com
>>> * Replication Latency Check
>>> REPLICATION-RECEIVED LATENCY WARNING
>>> rpdc04: Current time is 2010-03-14 19:06:31.
>>> DC=ForestDnsZones,DC=mycompany,DC=com
>>> Last replication recieved from jpdc02 at 2010-03-13
>>> 12:18:23.
>>> Latency information for 12 entries in the vector were
>>> ignored.
>>> 12 were retired Invocations. 0 were either:
>>> read-only
>>> replicas and are not verifiably latent, or dc's no longer
>>> replicating
>>> this
>>> nc. 0 had no latency information (Win2K DC).
>>> DC=DomainDnsZones,DC=mycompany,DC=com
>>> Last replication recieved from jpdc02 at 2010-03-13
>>> 12:18:22.
>>> Latency information for 12 entries in the vector were
>>> ignored.
>>> 12 were retired Invocations. 0 were either:
>>> read-only
>>> replicas and are not verifiably latent, or dc's no longer
>>> replicating
>>> this
>>> nc. 0 had no latency information (Win2K DC).
>>> CN=Schema,CN=Configuration,DC=mycompany,DC=com
>>> Last replication recieved from jpdc02 at 2010-03-13
>>> 12:18:22.
>>> Latency information for 19 entries in the vector were
>>> ignored.
>>> 19 were retired Invocations. 0 were either:
>>> read-only
>>> replicas and are not verifiably latent, or dc's no longer
>>> replicating
>>> this
>>> nc. 0 had no latency information (Win2K DC).
>>> CN=Configuration,DC=mycompany,DC=com
>>> Last replication recieved from jpdc02 at 2010-03-13
>>> 12:18:21.
>>> Latency information for 19 entries in the vector were
>>> ignored.
>>> 19 were retired Invocations. 0 were either:
>>> read-only
>>> replicas and are not verifiably latent, or dc's no longer
>>> replicating
>>> this
>>> nc. 0 had no latency information (Win2K DC).
>>> DC=mycompany,DC=com
>>> Last replication recieved from jpdc02 at 2010-03-13
>>> 12:18:22.
>>> Latency information for 18 entries in the vector were
>>> ignored.
>>> 18 were retired Invocations. 0 were either:
>>> read-only
>>> replicas and are not verifiably latent, or dc's no longer
>>> replicating
>>> this
>>> nc. 0 had no latency information (Win2K DC).
>>> ......................... rpdc04 passed test Replications
>>> Test omitted by user request: Topology
>>> Test omitted by user request: CutoffServers
>>> Starting test: NCSecDesc
>>> * Security Permissions check for all NC's on DC rpdc04.
>>> * Security Permissions Check for
>>> DC=ForestDnsZones,DC=mycompany,DC=com
>>> (NDNC,Version 2)
>>> * Security Permissions Check for
>>> DC=DomainDnsZones,DC=mycompany,DC=com
>>> (NDNC,Version 2)
>>> * Security Permissions Check for
>>> CN=Schema,CN=Configuration,DC=mycompany,DC=com
>>> (Schema,Version 2)
>>> * Security Permissions Check for
>>> CN=Configuration,DC=mycompany,DC=com
>>> (Configuration,Version 2)
>>> * Security Permissions Check for
>>> DC=mycompany,DC=com
>>> (Domain,Version 2)
>>> ......................... rpdc04 passed test NCSecDesc
>>> Starting test: NetLogons
>>> * Network Logons Privileges Check
>>> Verified share \\rpdc04\netlogon
>>> Verified share \\rpdc04\sysvol
>>> ......................... rpdc04 passed test NetLogons
>>> Starting test: Advertising
>>> The DC rpdc04 is advertising itself as a DC and having a DS.
>>> The DC rpdc04 is advertising as an LDAP server
>>> The DC rpdc04 is advertising as having a writeable directory
>>> The DC rpdc04 is advertising as a Key Distribution Center
>>> The DC rpdc04 is advertising as a time server
>>> The DS rpdc04 is advertising as a GC.
>>> ......................... rpdc04 passed test Advertising
>>> Starting test: KnowsOfRoleHolders
>>> Role Schema Owner = CN=NTDS
>>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=my
>>> co
>>> mpany,DC=com
>>> Role Domain Owner = CN=NTDS
>>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=my
>>> co
>>> mpany,DC=com
>>> Role PDC Owner = CN=NTDS
>>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=my
>>> co
>>> mpany,DC=com
>>> Role Rid Owner = CN=NTDS
>>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=my
>>> co
>>> mpany,DC=com
>>> Role Infrastructure Update Owner = CN=NTDS
>>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=my
>>> co
>>> mpany,DC=com
>>> ......................... rpdc04 passed test
>>> KnowsOfRoleHolders
>>> Starting test: RidManager
>>> * Available RID Pool for the Domain is 22603 to 1073741823
>>> * rpdc03.mycompany.com is the RID Master
>>> * DsBind with RID Master was successful
>>> * rIDAllocationPool is 20103 to 20602
>>> * rIDPreviousAllocationPool is 20103 to 20602
>>> * rIDNextRID: 20266
>>> ......................... rpdc04 passed test RidManager
>>> Starting test: MachineAccount
>>> Checking machine account for DC rpdc04 on DC rpdc04.
>>> * SPN found :LDAP/rpdc04.mycompany.com/mycompany.com
>>> * SPN found :LDAP/rpdc04.mycompany.com
>>> * SPN found :LDAP/rpdc04
>>> * SPN found :LDAP/rpdc04.mycompany.com/mycompany
>>> * SPN found
>>> :LDAP/25671f81-8b4c-404c-991f-e5ae1eb35d62._msdcs.mycompany.com
>>> * SPN found
>>> :E3514235-4B06-11D1-AB04-00C04FC2DCD2/25671f81-8b4c-404c-991f-e5ae1e
>>> b3
>>> 5d62/mycompany.com
>>> * SPN found :HOST/rpdc04.mycompany.com/mycompany.com
>>> * SPN found :HOST/rpdc04.mycompany.com
>>> * SPN found :HOST/rpdc04
>>> * SPN found :HOST/rpdc04.mycompany.com/mycompany
>>> * SPN found :GC/rpdc04.mycompany.com/mycompany.com
>>> ......................... rpdc04 passed test MachineAccount
>>> Starting test: Services
>>> * Checking Service: Dnscache
>>> * Checking Service: NtFrs
>>> * Checking Service: IsmServ
>>> * Checking Service: kdc
>>> * Checking Service: SamSs
>>> * Checking Service: LanmanServer
>>> * Checking Service: LanmanWorkstation
>>> * Checking Service: RpcSs
>>> * Checking Service: w32time
>>> * Checking Service: NETLOGON
>>> ......................... rpdc04 passed test Services
>>> Test omitted by user request: OutboundSecureChannels
>>> Starting test: ObjectsReplicated
>>> rpdc04 is in domain DC=mycompany,DC=com
>>> Checking for CN=rpdc04,OU=Domain
>>> Controllers,DC=mycompany,DC=com in
>>> domain DC=mycompany,DC=com on 1 servers
>>> Object is up-to-date on all servers.
>>> Checking for CN=NTDS
>>> Settings,CN=rpdc04,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=my
>>> co
>>> mpany,DC=com in domain CN=Configuration,DC=mycompany,DC=com on 1
>>> servers
>>> Object is up-to-date on all servers.
>>> ......................... rpdc04 passed test
>>> ObjectsReplicated
>>> Starting test: frssysvol
>>> * The File Replication Service SYSVOL ready test
>>> File Replication Service's SYSVOL is ready
>>> ......................... rpdc04 passed test frssysvol
>>> Starting test: frsevent
>>> * The File Replication Service Event log test
>>> There are warning or error events within the last 24 hours
>>> after the
>>> SYSVOL has been shared. Failing SYSVOL replication problems
>>> may cause
>>> Group Policy problems.
>>> An Warning Event occured. EventID: 0x800034C4
>>> Time Generated: 03/14/2010 14:22:14
>>> (Event String could not be retrieved)
>>> ......................... rpdc04 failed test frsevent
>>> Starting test: kccevent
>>> * The KCC Event log test
>>> An Warning Event occured. EventID: 0x8000061E
>>> Time Generated: 03/14/2010 18:52:28
>>> Event String: All domain controllers in the following site
>>> that
>>> can replicate the directory partition over this
>>> transport are currently unavailable.
>>>

Hi Meinolf

2 years back we demoted a DC in another site (which is down now because of
Hardware failure), then again promoted to DC using dcpromo /adv from the
backup of one of the DCs in the main site. But this issue started recently.
Again we are planning to promote the same failed DC using the same procedure.

What do you think of this issue?

Regards
Lal
--
----Server Management Team----


"Meinolf Weber [MVP-DS]" wrote:

> Hello Laljeev,
>
> I wouldn't, there must be a reason. Was there a restore from a DC some time
> ago?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > Hi
> >
> > The contents of both SYSVOL and Netlogon are same on all Dcs and
> > Repadmin shows the replication as successfull. Shall we remove those
> > GPOs which are not allowing to edit and create new GPOs with same
> > config
> >
> > Regards
> > Lal
> > "Meinolf Weber [MVP-DS]" wrote:
> >
> >> Hello Laljeev,
> >>
> >> Hopefully the second DC is back soon for you. Did you check the event
> >> viewer for errors on the DC where ryou logged in to when the access
> >> denied pop up?
> >>
> >> As you wrote you can't edit some of the GPOs, so you are able to edit
> >> some other? Did you check that the content of sysvol and netlogon is
> >> the same on all DCs in the domain and replication is working on each
> >> DC with repadmin /showrepl?
> >>
> >> Best regards
> >>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> confers
> >> no rights.
> >> ** Please do NOT email, only reply to Newsgroups
> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >>> Hi
> >>>
> >>> Below is the output from dcdiag/v, I'm accessing the server through
> >>> terminal service (mstsc -admin). One of our DCs is down from this
> >>> morning (jpdc02)
> >>>
> >>> ____________________
> >>>
> >>> Domain Controller Diagnosis
> >>>
> >>> Performing initial setup:
> >>> * Verifying that the local machine rpdc04, is a DC.
> >>> * Connecting to directory service on server rpdc04.
> >>> * Collecting site info.
> >>> * Identifying all servers.
> >>> * Identifying all NC cross-refs.
> >>> * Found 4 DC(s). Testing 1 of them.
> >>> Done gathering initial info.
> >>> Doing initial required tests
> >>> Testing server: RHO\rpdc04
> >>> Starting test: Connectivity
> >>> * Active Directory LDAP Services Check
> >>> * Active Directory RPC Services Check
> >>> ......................... rpdc04 passed test Connectivity
> >>> Doing primary tests
> >>> Testing server: RHO\rpdc04
> >>> Starting test: Replications
> >>> * Replications Check
> >>> [Replications Check,rpdc04] No replication recently
> >>> attempted:
> >>> From dbdc01 to rpdc04
> >>> Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
> >>> The last attempt occurred at 2010-03-14 15:47:00 (about 3
> >>> hours
> >>> ago).
> >>> [Replications Check,rpdc04] A recent replication attempt
> >>> failed:
> >>> From jpdc02 to rpdc04
> >>> Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
> >>> The replication generated an error (1256):
> >>> The remote system is not available. For information about
> >>> network troubleshooting, see Windows Help.
> >>> The failure occurred at 2010-03-14 18:54:08.
> >>> The last success occurred at 2010-03-13 12:17:32.
> >>> 122 failures have occurred since the last success.
> >>> [Replications Check,rpdc04] A recent replication attempt
> >>> failed:
> >>> From jpdc02 to rpdc04
> >>> Naming Context: DC=DomainDnsZones,DC=mycompany,DC=com
> >>> The replication generated an error (1256):
> >>> The remote system is not available. For information about
> >>> network troubleshooting, see Windows Help.
> >>> The failure occurred at 2010-03-14 18:54:08.
> >>> The last success occurred at 2010-03-13 12:17:32.
> >>> 122 failures have occurred since the last success.
> >>> [Replications Check,rpdc04] A recent replication attempt
> >>> failed:
> >>> From jpdc02 to rpdc04
> >>> Naming Context:
> >>> CN=Schema,CN=Configuration,DC=mycompany,DC=com
> >>> The replication generated an error (1727):
> >>> The remote procedure call failed and did not execute.
> >>> The failure occurred at 2010-03-14 18:46:47.
> >>> The last success occurred at 2010-03-13 12:17:31.
> >>> 121 failures have occurred since the last success.
> >>> [Replications Check,rpdc04] A recent replication attempt
> >>> failed:
> >>> From jpdc02 to rpdc04
> >>> Naming Context: CN=Configuration,DC=mycompany,DC=com
> >>> The replication generated an error (1727):
> >>> The remote procedure call failed and did not execute.
> >>> The failure occurred at 2010-03-14 19:01:22.
> >>> The last success occurred at 2010-03-13 12:17:24.
> >>> 122 failures have occurred since the last success.
> >>> [Replications Check,rpdc04] A recent replication attempt
> >>> failed:
> >>> From jpdc02 to rpdc04
> >>> Naming Context: DC=mycompany,DC=com
> >>> The replication generated an error (1727):
> >>> The remote procedure call failed and did not execute.
> >>> The failure occurred at 2010-03-14 18:54:08.
> >>> The last success occurred at 2010-03-13 12:17:23.
> >>> 11 failures have occurred since the last success.
> >>> rpdc04: There are 21 replication work items in the queue.
> >>> REPLICATION LATENCY WARNING
> >>> rpdc04: A long-running replication operation is in progress
> >>> The job has been executing for 5 minutes and 2 seconds.
> >>> Replication of new changes along this path will be
> >>> delayed.
> >>> Error: Higher priority replications are being blocked
> >>> Enqueued 2010-03-14 18:47:22 at priority 170
> >>> Op: SYNC FROM SOURCE
> >>> NC CN=Schema,CN=Configuration,DC=mycompany,DC=com
> >>> DSADN CN=NTDS
> >>> Settings,CN=jpdc02,CN=Servers,CN=JED,CN=Sites,CN=C onfiguration,DC=my
> >>> co
> >>> mpany,DC=com
> >>> DSA transport addr
> >>> f9f5b45f-b5e6-4302-9e97-069c79fd1585._msdcs.mycompany.com
> >>> * Replication Latency Check
> >>> REPLICATION-RECEIVED LATENCY WARNING
> >>> rpdc04: Current time is 2010-03-14 19:06:31.
> >>> DC=ForestDnsZones,DC=mycompany,DC=com
> >>> Last replication recieved from jpdc02 at 2010-03-13
> >>> 12:18:23.
> >>> Latency information for 12 entries in the vector were
> >>> ignored.
> >>> 12 were retired Invocations. 0 were either:
> >>> read-only
> >>> replicas and are not verifiably latent, or dc's no longer
> >>> replicating
> >>> this
> >>> nc. 0 had no latency information (Win2K DC).
> >>> DC=DomainDnsZones,DC=mycompany,DC=com
> >>> Last replication recieved from jpdc02 at 2010-03-13
> >>> 12:18:22.
> >>> Latency information for 12 entries in the vector were
> >>> ignored.
> >>> 12 were retired Invocations. 0 were either:
> >>> read-only
> >>> replicas and are not verifiably latent, or dc's no longer
> >>> replicating
> >>> this
> >>> nc. 0 had no latency information (Win2K DC).
> >>> CN=Schema,CN=Configuration,DC=mycompany,DC=com
> >>> Last replication recieved from jpdc02 at 2010-03-13
> >>> 12:18:22.
> >>> Latency information for 19 entries in the vector were
> >>> ignored.
> >>> 19 were retired Invocations. 0 were either:
> >>> read-only
> >>> replicas and are not verifiably latent, or dc's no longer
> >>> replicating
> >>> this
> >>> nc. 0 had no latency information (Win2K DC).
> >>> CN=Configuration,DC=mycompany,DC=com
> >>> Last replication recieved from jpdc02 at 2010-03-13
> >>> 12:18:21.
> >>> Latency information for 19 entries in the vector were
> >>> ignored.
> >>> 19 were retired Invocations. 0 were either:
> >>> read-only
> >>> replicas and are not verifiably latent, or dc's no longer
> >>> replicating
> >>> this
> >>> nc. 0 had no latency information (Win2K DC).
> >>> DC=mycompany,DC=com
> >>> Last replication recieved from jpdc02 at 2010-03-13
> >>> 12:18:22.
> >>> Latency information for 18 entries in the vector were
> >>> ignored.
> >>> 18 were retired Invocations. 0 were either:
> >>> read-only
> >>> replicas and are not verifiably latent, or dc's no longer
> >>> replicating
> >>> this
> >>> nc. 0 had no latency information (Win2K DC).
> >>> ......................... rpdc04 passed test Replications
> >>> Test omitted by user request: Topology
> >>> Test omitted by user request: CutoffServers
> >>> Starting test: NCSecDesc
> >>> * Security Permissions check for all NC's on DC rpdc04.
> >>> * Security Permissions Check for
> >>> DC=ForestDnsZones,DC=mycompany,DC=com
> >>> (NDNC,Version 2)
> >>> * Security Permissions Check for
> >>> DC=DomainDnsZones,DC=mycompany,DC=com
> >>> (NDNC,Version 2)
> >>> * Security Permissions Check for
> >>> CN=Schema,CN=Configuration,DC=mycompany,DC=com
> >>> (Schema,Version 2)
> >>> * Security Permissions Check for
> >>> CN=Configuration,DC=mycompany,DC=com
> >>> (Configuration,Version 2)
> >>> * Security Permissions Check for
> >>> DC=mycompany,DC=com
> >>> (Domain,Version 2)
> >>> ......................... rpdc04 passed test NCSecDesc
> >>> Starting test: NetLogons
> >>> * Network Logons Privileges Check
> >>> Verified share \\rpdc04\netlogon
> >>> Verified share \\rpdc04\sysvol
> >>> ......................... rpdc04 passed test NetLogons
> >>> Starting test: Advertising
> >>> The DC rpdc04 is advertising itself as a DC and having a DS.
> >>> The DC rpdc04 is advertising as an LDAP server
> >>> The DC rpdc04 is advertising as having a writeable directory
> >>> The DC rpdc04 is advertising as a Key Distribution Center
> >>> The DC rpdc04 is advertising as a time server
> >>> The DS rpdc04 is advertising as a GC.
> >>> ......................... rpdc04 passed test Advertising
> >>> Starting test: KnowsOfRoleHolders
> >>> Role Schema Owner = CN=NTDS
> >>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=my
> >>> co
> >>> mpany,DC=com
> >>> Role Domain Owner = CN=NTDS
> >>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=my
> >>> co
> >>> mpany,DC=com
> >>> Role PDC Owner = CN=NTDS
> >>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=my
> >>> co
> >>> mpany,DC=com
> >>> Role Rid Owner = CN=NTDS
> >>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=my
> >>> co
> >>> mpany,DC=com
> >>> Role Infrastructure Update Owner = CN=NTDS
> >>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=my
> >>> co
> >>> mpany,DC=com
> >>> ......................... rpdc04 passed test
> >>> KnowsOfRoleHolders
> >>> Starting test: RidManager
> >>> * Available RID Pool for the Domain is 22603 to 1073741823
> >>> * rpdc03.mycompany.com is the RID Master
> >>> * DsBind with RID Master was successful
> >>> * rIDAllocationPool is 20103 to 20602
> >>> * rIDPreviousAllocationPool is 20103 to 20602
> >>> * rIDNextRID: 20266
> >>> ......................... rpdc04 passed test RidManager
> >>> Starting test: MachineAccount
> >>> Checking machine account for DC rpdc04 on DC rpdc04.
> >>> * SPN found :LDAP/rpdc04.mycompany.com/mycompany.com
> >>> * SPN found :LDAP/rpdc04.mycompany.com
> >>> * SPN found :LDAP/rpdc04
> >>> * SPN found :LDAP/rpdc04.mycompany.com/mycompany
> >>> * SPN found
> >>> :LDAP/25671f81-8b4c-404c-991f-e5ae1eb35d62._msdcs.mycompany.com
> >>> * SPN found
> >>> :E3514235-4B06-11D1-AB04-00C04FC2DCD2/25671f81-8b4c-404c-991f-e5ae1e
> >>> b3
> >>> 5d62/mycompany.com
> >>> * SPN found :HOST/rpdc04.mycompany.com/mycompany.com
> >>> * SPN found :HOST/rpdc04.mycompany.com
> >>> * SPN found :HOST/rpdc04
> >>> * SPN found :HOST/rpdc04.mycompany.com/mycompany
> >>> * SPN found :GC/rpdc04.mycompany.com/mycompany.com
> >>> ......................... rpdc04 passed test MachineAccount
> >>> Starting test: Services
> >>> * Checking Service: Dnscache
> >>> * Checking Service: NtFrs
> >>> * Checking Service: IsmServ
> >>> * Checking Service: kdc
> >>> * Checking Service: SamSs
> >>> * Checking Service: LanmanServer
> >>> * Checking Service: LanmanWorkstation
> >>> * Checking Service: RpcSs
> >>> * Checking Service: w32time
> >>> * Checking Service: NETLOGON
> >>> ......................... rpdc04 passed test Services
> >>> Test omitted by user request: OutboundSecureChannels
> >>> Starting test: ObjectsReplicated
> >>> rpdc04 is in domain DC=mycompany,DC=com
> >>> Checking for CN=rpdc04,OU=Domain

Hi Meinolf

I forgot to tell you one thing, while installing the new DC (for the failed
one) we upgraded the schema to windows 2003 R2. Now I tried to edit all GPOs
and we are facing problem for all those old GPOs which were there before
schema upgradation.
All new GPOs can be edited

Regards
Lal-
----Server Management Team----


"Laljeev M" wrote:

> Hi Meinolf
>
> 2 years back we demoted a DC in another site (which is down now because of
> Hardware failure), then again promoted to DC using dcpromo /adv from the
> backup of one of the DCs in the main site. But this issue started recently.
> Again we are planning to promote the same failed DC using the same procedure.
>
> What do you think of this issue?
>
> Regards
> Lal
> --
> ----Server Management Team----
>
>
> "Meinolf Weber [MVP-DS]" wrote:
>
> > Hello Laljeev,
> >
> > I wouldn't, there must be a reason. Was there a restore from a DC some time
> > ago?
> >
> > Best regards
> >
> > Meinolf Weber
> > Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> > no rights.
> > ** Please do NOT email, only reply to Newsgroups
> > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >
> >
> > > Hi
> > >
> > > The contents of both SYSVOL and Netlogon are same on all Dcs and
> > > Repadmin shows the replication as successfull. Shall we remove those
> > > GPOs which are not allowing to edit and create new GPOs with same
> > > config
> > >
> > > Regards
> > > Lal
> > > "Meinolf Weber [MVP-DS]" wrote:
> > >
> > >> Hello Laljeev,
> > >>
> > >> Hopefully the second DC is back soon for you. Did you check the event
> > >> viewer for errors on the DC where ryou logged in to when the access
> > >> denied pop up?
> > >>
> > >> As you wrote you can't edit some of the GPOs, so you are able to edit
> > >> some other? Did you check that the content of sysvol and netlogon is
> > >> the same on all DCs in the domain and replication is working on each
> > >> DC with repadmin /showrepl?
> > >>
> > >> Best regards
> > >>
> > >> Meinolf Weber
> > >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> > >> confers
> > >> no rights.
> > >> ** Please do NOT email, only reply to Newsgroups
> > >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> > >>> Hi
> > >>>
> > >>> Below is the output from dcdiag/v, I'm accessing the server through
> > >>> terminal service (mstsc -admin). One of our DCs is down from this
> > >>> morning (jpdc02)
> > >>>
> > >>> ____________________
> > >>>
> > >>> Domain Controller Diagnosis
> > >>>
> > >>> Performing initial setup:
> > >>> * Verifying that the local machine rpdc04, is a DC.
> > >>> * Connecting to directory service on server rpdc04.
> > >>> * Collecting site info.
> > >>> * Identifying all servers.
> > >>> * Identifying all NC cross-refs.
> > >>> * Found 4 DC(s). Testing 1 of them.
> > >>> Done gathering initial info.
> > >>> Doing initial required tests
> > >>> Testing server: RHO\rpdc04
> > >>> Starting test: Connectivity
> > >>> * Active Directory LDAP Services Check
> > >>> * Active Directory RPC Services Check
> > >>> ......................... rpdc04 passed test Connectivity
> > >>> Doing primary tests
> > >>> Testing server: RHO\rpdc04
> > >>> Starting test: Replications
> > >>> * Replications Check
> > >>> [Replications Check,rpdc04] No replication recently
> > >>> attempted:
> > >>> From dbdc01 to rpdc04
> > >>> Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
> > >>> The last attempt occurred at 2010-03-14 15:47:00 (about 3
> > >>> hours
> > >>> ago).
> > >>> [Replications Check,rpdc04] A recent replication attempt
> > >>> failed:
> > >>> From jpdc02 to rpdc04
> > >>> Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
> > >>> The replication generated an error (1256):
> > >>> The remote system is not available. For information about
> > >>> network troubleshooting, see Windows Help.
> > >>> The failure occurred at 2010-03-14 18:54:08.
> > >>> The last success occurred at 2010-03-13 12:17:32.
> > >>> 122 failures have occurred since the last success.
> > >>> [Replications Check,rpdc04] A recent replication attempt
> > >>> failed:
> > >>> From jpdc02 to rpdc04
> > >>> Naming Context: DC=DomainDnsZones,DC=mycompany,DC=com
> > >>> The replication generated an error (1256):
> > >>> The remote system is not available. For information about
> > >>> network troubleshooting, see Windows Help.
> > >>> The failure occurred at 2010-03-14 18:54:08.
> > >>> The last success occurred at 2010-03-13 12:17:32.
> > >>> 122 failures have occurred since the last success.
> > >>> [Replications Check,rpdc04] A recent replication attempt
> > >>> failed:
> > >>> From jpdc02 to rpdc04
> > >>> Naming Context:
> > >>> CN=Schema,CN=Configuration,DC=mycompany,DC=com
> > >>> The replication generated an error (1727):
> > >>> The remote procedure call failed and did not execute.
> > >>> The failure occurred at 2010-03-14 18:46:47.
> > >>> The last success occurred at 2010-03-13 12:17:31.
> > >>> 121 failures have occurred since the last success.
> > >>> [Replications Check,rpdc04] A recent replication attempt
> > >>> failed:
> > >>> From jpdc02 to rpdc04
> > >>> Naming Context: CN=Configuration,DC=mycompany,DC=com
> > >>> The replication generated an error (1727):
> > >>> The remote procedure call failed and did not execute.
> > >>> The failure occurred at 2010-03-14 19:01:22.
> > >>> The last success occurred at 2010-03-13 12:17:24.
> > >>> 122 failures have occurred since the last success.
> > >>> [Replications Check,rpdc04] A recent replication attempt
> > >>> failed:
> > >>> From jpdc02 to rpdc04
> > >>> Naming Context: DC=mycompany,DC=com
> > >>> The replication generated an error (1727):
> > >>> The remote procedure call failed and did not execute.
> > >>> The failure occurred at 2010-03-14 18:54:08.
> > >>> The last success occurred at 2010-03-13 12:17:23.
> > >>> 11 failures have occurred since the last success.
> > >>> rpdc04: There are 21 replication work items in the queue.
> > >>> REPLICATION LATENCY WARNING
> > >>> rpdc04: A long-running replication operation is in progress
> > >>> The job has been executing for 5 minutes and 2 seconds.
> > >>> Replication of new changes along this path will be
> > >>> delayed.
> > >>> Error: Higher priority replications are being blocked
> > >>> Enqueued 2010-03-14 18:47:22 at priority 170
> > >>> Op: SYNC FROM SOURCE
> > >>> NC CN=Schema,CN=Configuration,DC=mycompany,DC=com
> > >>> DSADN CN=NTDS
> > >>> Settings,CN=jpdc02,CN=Servers,CN=JED,CN=Sites,CN=C onfiguration,DC=my
> > >>> co
> > >>> mpany,DC=com
> > >>> DSA transport addr
> > >>> f9f5b45f-b5e6-4302-9e97-069c79fd1585._msdcs.mycompany.com
> > >>> * Replication Latency Check
> > >>> REPLICATION-RECEIVED LATENCY WARNING
> > >>> rpdc04: Current time is 2010-03-14 19:06:31.
> > >>> DC=ForestDnsZones,DC=mycompany,DC=com
> > >>> Last replication recieved from jpdc02 at 2010-03-13
> > >>> 12:18:23.
> > >>> Latency information for 12 entries in the vector were
> > >>> ignored.
> > >>> 12 were retired Invocations. 0 were either:
> > >>> read-only
> > >>> replicas and are not verifiably latent, or dc's no longer
> > >>> replicating
> > >>> this
> > >>> nc. 0 had no latency information (Win2K DC).
> > >>> DC=DomainDnsZones,DC=mycompany,DC=com
> > >>> Last replication recieved from jpdc02 at 2010-03-13
> > >>> 12:18:22.
> > >>> Latency information for 12 entries in the vector were
> > >>> ignored.
> > >>> 12 were retired Invocations. 0 were either:
> > >>> read-only
> > >>> replicas and are not verifiably latent, or dc's no longer
> > >>> replicating
> > >>> this
> > >>> nc. 0 had no latency information (Win2K DC).
> > >>> CN=Schema,CN=Configuration,DC=mycompany,DC=com
> > >>> Last replication recieved from jpdc02 at 2010-03-13
> > >>> 12:18:22.
> > >>> Latency information for 19 entries in the vector were
> > >>> ignored.
> > >>> 19 were retired Invocations. 0 were either:
> > >>> read-only
> > >>> replicas and are not verifiably latent, or dc's no longer
> > >>> replicating
> > >>> this
> > >>> nc. 0 had no latency information (Win2K DC).
> > >>> CN=Configuration,DC=mycompany,DC=com
> > >>> Last replication recieved from jpdc02 at 2010-03-13
> > >>> 12:18:21.
> > >>> Latency information for 19 entries in the vector were
> > >>> ignored.
> > >>> 19 were retired Invocations. 0 were either:
> > >>> read-only
> > >>> replicas and are not verifiably latent, or dc's no longer
> > >>> replicating
> > >>> this
> > >>> nc. 0 had no latency information (Win2K DC).
> > >>> DC=mycompany,DC=com
> > >>> Last replication recieved from jpdc02 at 2010-03-13
> > >>> 12:18:22.
> > >>> Latency information for 18 entries in the vector were
> > >>> ignored.
> > >>> 18 were retired Invocations. 0 were either:
> > >>> read-only
> > >>> replicas and are not verifiably latent, or dc's no longer
> > >>> replicating
> > >>> this
> > >>> nc. 0 had no latency information (Win2K DC).
> > >>> ......................... rpdc04 passed test Replications
> > >>> Test omitted by user request: Topology
> > >>> Test omitted by user request: CutoffServers
> > >>> Starting test: NCSecDesc
> > >>> * Security Permissions check for all NC's on DC rpdc04.
> > >>> * Security Permissions Check for
> > >>> DC=ForestDnsZones,DC=mycompany,DC=com
> > >>> (NDNC,Version 2)
> > >>> * Security Permissions Check for
> > >>> DC=DomainDnsZones,DC=mycompany,DC=com
> > >>> (NDNC,Version 2)
> > >>> * Security Permissions Check for
> > >>> CN=Schema,CN=Configuration,DC=mycompany,DC=com
> > >>> (Schema,Version 2)
> > >>> * Security Permissions Check for
> > >>> CN=Configuration,DC=mycompany,DC=com
> > >>> (Configuration,Version 2)
> > >>> * Security Permissions Check for
> > >>> DC=mycompany,DC=com
> > >>> (Domain,Version 2)
> > >>> ......................... rpdc04 passed test NCSecDesc
> > >>> Starting test: NetLogons
> > >>> * Network Logons Privileges Check
> > >>> Verified share \\rpdc04\netlogon
> > >>> Verified share \\rpdc04\sysvol
> > >>> ......................... rpdc04 passed test NetLogons
> > >>> Starting test: Advertising
> > >>> The DC rpdc04 is advertising itself as a DC and having a DS.
> > >>> The DC rpdc04 is advertising as an LDAP server
> > >>> The DC rpdc04 is advertising as having a writeable directory
> > >>> The DC rpdc04 is advertising as a Key Distribution Center
> > >>> The DC rpdc04 is advertising as a time server
> > >>> The DS rpdc04 is advertising as a GC.
> > >>> ......................... rpdc04 passed test Advertising
> > >>> Starting test: KnowsOfRoleHolders
> > >>> Role Schema Owner = CN=NTDS
> > >>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=my
> > >>> co
> > >>> mpany,DC=com
> > >>> Role Domain Owner = CN=NTDS
> > >>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=my
> > >>> co
> > >>> mpany,DC=com
> > >>> Role PDC Owner = CN=NTDS
> > >>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=my
> > >>> co
> > >>> mpany,DC=com
> > >>> Role Rid Owner = CN=NTDS
> > >>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=my
> > >>> co
> > >>> mpany,DC=com
> > >>> Role Infrastructure Update Owner = CN=NTDS
> > >>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=my
> > >>> co
> > >>> mpany,DC=com
> > >>> ......................... rpdc04 passed test
> > >>> KnowsOfRoleHolders
> > >>> Starting test: RidManager
> > >>> * Available RID Pool for the Domain is 22603 to 1073741823
> > >>> * rpdc03.mycompany.com is the RID Master
> > >>> * DsBind with RID Master was successful
> > >>> * rIDAllocationPool is 20103 to 20602
> > >>> * rIDPreviousAllocationPool is 20103 to 20602
> > >>> * rIDNextRID: 20266
> > >>> ......................... rpdc04 passed test RidManager
> > >>> Starting test: MachineAccount
> > >>> Checking machine account for DC rpdc04 on DC rpdc04.
> > >>> * SPN found :LDAP/rpdc04.mycompany.com/mycompany.com
> > >>> * SPN found :LDAP/rpdc04.mycompany.com
> > >>> * SPN found :LDAP/rpdc04
> > >>> * SPN found :LDAP/rpdc04.mycompany.com/mycompany
> > >>> * SPN found
> > >>> :LDAP/25671f81-8b4c-404c-991f-e5ae1eb35d62._msdcs.mycompany.com
> > >>> * SPN found
> > >>> :E3514235-4B06-11D1-AB04-00C04FC2DCD2/25671f81-8b4c-404c-991f-e5ae1e
> > >>> b3
> > >>> 5d62/mycompany.com
> > >>> * SPN found :HOST/rpdc04.mycompany.com/mycompany.com
> > >>> * SPN found :HOST/rpdc04.mycompany.com
> > >>> * SPN found :HOST/rpdc04
> > >>> * SPN found :HOST/rpdc04.mycompany.com/mycompany
> > >>> * SPN found :GC/rpdc04.mycompany.com/mycompany.com

Hello Laljeev,

To understand you correct, you promoted a new DC from the backup of an old
one? What kind of backup was used, system state? Please be more specific
how this was done. Also un repadmin /showrepl on all DCs and post the output
here or add it as textfile.

repadmin /showrepl >c:\repadmindc1.log

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi Meinolf
>
> 2 years back we demoted a DC in another site (which is down now
> because of Hardware failure), then again promoted to DC using dcpromo
> /adv from the backup of one of the DCs in the main site. But this
> issue started recently. Again we are planning to promote the same
> failed DC using the same procedure.
>
> What do you think of this issue?
>
> Regards
> Lal
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello Laljeev,
>>
>> I wouldn't, there must be a reason. Was there a restore from a DC
>> some time ago?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Hi
>>>
>>> The contents of both SYSVOL and Netlogon are same on all Dcs and
>>> Repadmin shows the replication as successfull. Shall we remove those
>>> GPOs which are not allowing to edit and create new GPOs with same
>>> config
>>>
>>> Regards
>>> Lal
>>> "Meinolf Weber [MVP-DS]" wrote:
>>>> Hello Laljeev,
>>>>
>>>> Hopefully the second DC is back soon for you. Did you check the
>>>> event viewer for errors on the DC where ryou logged in to when the
>>>> access denied pop up?
>>>>
>>>> As you wrote you can't edit some of the GPOs, so you are able to
>>>> edit some other? Did you check that the content of sysvol and
>>>> netlogon is the same on all DCs in the domain and replication is
>>>> working on each DC with repadmin /showrepl?
>>>>
>>>> Best regards
>>>>
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>> and
>>>> confers
>>>> no rights.
>>>> ** Please do NOT email, only reply to Newsgroups
>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>> Hi
>>>>>
>>>>> Below is the output from dcdiag/v, I'm accessing the server
>>>>> through terminal service (mstsc -admin). One of our DCs is down
>>>>> from this morning (jpdc02)
>>>>>
>>>>> ____________________
>>>>>
>>>>> Domain Controller Diagnosis
>>>>>
>>>>> Performing initial setup:
>>>>> * Verifying that the local machine rpdc04, is a DC.
>>>>> * Connecting to directory service on server rpdc04.
>>>>> * Collecting site info.
>>>>> * Identifying all servers.
>>>>> * Identifying all NC cross-refs.
>>>>> * Found 4 DC(s). Testing 1 of them.
>>>>> Done gathering initial info.
>>>>> Doing initial required tests
>>>>> Testing server: RHO\rpdc04
>>>>> Starting test: Connectivity
>>>>> * Active Directory LDAP Services Check
>>>>> * Active Directory RPC Services Check
>>>>> ......................... rpdc04 passed test Connectivity
>>>>> Doing primary tests
>>>>> Testing server: RHO\rpdc04
>>>>> Starting test: Replications
>>>>> * Replications Check
>>>>> [Replications Check,rpdc04] No replication recently
>>>>> attempted:
>>>>> From dbdc01 to rpdc04
>>>>> Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
>>>>> The last attempt occurred at 2010-03-14 15:47:00 (about 3
>>>>> hours
>>>>> ago).
>>>>> [Replications Check,rpdc04] A recent replication attempt
>>>>> failed:
>>>>> From jpdc02 to rpdc04
>>>>> Naming Context: DC=ForestDnsZones,DC=mycompany,DC=com
>>>>> The replication generated an error (1256):
>>>>> The remote system is not available. For information about
>>>>> network troubleshooting, see Windows Help.
>>>>> The failure occurred at 2010-03-14 18:54:08.
>>>>> The last success occurred at 2010-03-13 12:17:32.
>>>>> 122 failures have occurred since the last success.
>>>>> [Replications Check,rpdc04] A recent replication attempt
>>>>> failed:
>>>>> From jpdc02 to rpdc04
>>>>> Naming Context: DC=DomainDnsZones,DC=mycompany,DC=com
>>>>> The replication generated an error (1256):
>>>>> The remote system is not available. For information about
>>>>> network troubleshooting, see Windows Help.
>>>>> The failure occurred at 2010-03-14 18:54:08.
>>>>> The last success occurred at 2010-03-13 12:17:32.
>>>>> 122 failures have occurred since the last success.
>>>>> [Replications Check,rpdc04] A recent replication attempt
>>>>> failed:
>>>>> From jpdc02 to rpdc04
>>>>> Naming Context:
>>>>> CN=Schema,CN=Configuration,DC=mycompany,DC=com
>>>>> The replication generated an error (1727):
>>>>> The remote procedure call failed and did not execute.
>>>>> The failure occurred at 2010-03-14 18:46:47.
>>>>> The last success occurred at 2010-03-13 12:17:31.
>>>>> 121 failures have occurred since the last success.
>>>>> [Replications Check,rpdc04] A recent replication attempt
>>>>> failed:
>>>>> From jpdc02 to rpdc04
>>>>> Naming Context: CN=Configuration,DC=mycompany,DC=com
>>>>> The replication generated an error (1727):
>>>>> The remote procedure call failed and did not execute.
>>>>> The failure occurred at 2010-03-14 19:01:22.
>>>>> The last success occurred at 2010-03-13 12:17:24.
>>>>> 122 failures have occurred since the last success.
>>>>> [Replications Check,rpdc04] A recent replication attempt
>>>>> failed:
>>>>> From jpdc02 to rpdc04
>>>>> Naming Context: DC=mycompany,DC=com
>>>>> The replication generated an error (1727):
>>>>> The remote procedure call failed and did not execute.
>>>>> The failure occurred at 2010-03-14 18:54:08.
>>>>> The last success occurred at 2010-03-13 12:17:23.
>>>>> 11 failures have occurred since the last success.
>>>>> rpdc04: There are 21 replication work items in the queue.
>>>>> REPLICATION LATENCY WARNING
>>>>> rpdc04: A long-running replication operation is in progress
>>>>> The job has been executing for 5 minutes and 2 seconds.
>>>>> Replication of new changes along this path will be
>>>>> delayed.
>>>>> Error: Higher priority replications are being blocked
>>>>> Enqueued 2010-03-14 18:47:22 at priority 170
>>>>> Op: SYNC FROM SOURCE
>>>>> NC CN=Schema,CN=Configuration,DC=mycompany,DC=com
>>>>> DSADN CN=NTDS
>>>>> Settings,CN=jpdc02,CN=Servers,CN=JED,CN=Sites,CN=C onfiguration,DC=
>>>>> my
>>>>> co
>>>>> mpany,DC=com
>>>>> DSA transport addr
>>>>> f9f5b45f-b5e6-4302-9e97-069c79fd1585._msdcs.mycompany.com
>>>>> * Replication Latency Check
>>>>> REPLICATION-RECEIVED LATENCY WARNING
>>>>> rpdc04: Current time is 2010-03-14 19:06:31.
>>>>> DC=ForestDnsZones,DC=mycompany,DC=com
>>>>> Last replication recieved from jpdc02 at 2010-03-13
>>>>> 12:18:23.
>>>>> Latency information for 12 entries in the vector were
>>>>> ignored.
>>>>> 12 were retired Invocations. 0 were either:
>>>>> read-only
>>>>> replicas and are not verifiably latent, or dc's no longer
>>>>> replicating
>>>>> this
>>>>> nc. 0 had no latency information (Win2K DC).
>>>>> DC=DomainDnsZones,DC=mycompany,DC=com
>>>>> Last replication recieved from jpdc02 at 2010-03-13
>>>>> 12:18:22.
>>>>> Latency information for 12 entries in the vector were
>>>>> ignored.
>>>>> 12 were retired Invocations. 0 were either:
>>>>> read-only
>>>>> replicas and are not verifiably latent, or dc's no longer
>>>>> replicating
>>>>> this
>>>>> nc. 0 had no latency information (Win2K DC).
>>>>> CN=Schema,CN=Configuration,DC=mycompany,DC=com
>>>>> Last replication recieved from jpdc02 at 2010-03-13
>>>>> 12:18:22.
>>>>> Latency information for 19 entries in the vector were
>>>>> ignored.
>>>>> 19 were retired Invocations. 0 were either:
>>>>> read-only
>>>>> replicas and are not verifiably latent, or dc's no longer
>>>>> replicating
>>>>> this
>>>>> nc. 0 had no latency information (Win2K DC).
>>>>> CN=Configuration,DC=mycompany,DC=com
>>>>> Last replication recieved from jpdc02 at 2010-03-13
>>>>> 12:18:21.
>>>>> Latency information for 19 entries in the vector were
>>>>> ignored.
>>>>> 19 were retired Invocations. 0 were either:
>>>>> read-only
>>>>> replicas and are not verifiably latent, or dc's no longer
>>>>> replicating
>>>>> this
>>>>> nc. 0 had no latency information (Win2K DC).
>>>>> DC=mycompany,DC=com
>>>>> Last replication recieved from jpdc02 at 2010-03-13
>>>>> 12:18:22.
>>>>> Latency information for 18 entries in the vector were
>>>>> ignored.
>>>>> 18 were retired Invocations. 0 were either:
>>>>> read-only
>>>>> replicas and are not verifiably latent, or dc's no longer
>>>>> replicating
>>>>> this
>>>>> nc. 0 had no latency information (Win2K DC).
>>>>> ......................... rpdc04 passed test Replications
>>>>> Test omitted by user request: Topology
>>>>> Test omitted by user request: CutoffServers
>>>>> Starting test: NCSecDesc
>>>>> * Security Permissions check for all NC's on DC rpdc04.
>>>>> * Security Permissions Check for
>>>>> DC=ForestDnsZones,DC=mycompany,DC=com
>>>>> (NDNC,Version 2)
>>>>> * Security Permissions Check for
>>>>> DC=DomainDnsZones,DC=mycompany,DC=com
>>>>> (NDNC,Version 2)
>>>>> * Security Permissions Check for
>>>>> CN=Schema,CN=Configuration,DC=mycompany,DC=com
>>>>> (Schema,Version 2)
>>>>> * Security Permissions Check for
>>>>> CN=Configuration,DC=mycompany,DC=com
>>>>> (Configuration,Version 2)
>>>>> * Security Permissions Check for
>>>>> DC=mycompany,DC=com
>>>>> (Domain,Version 2)
>>>>> ......................... rpdc04 passed test NCSecDesc
>>>>> Starting test: NetLogons
>>>>> * Network Logons Privileges Check
>>>>> Verified share \\rpdc04\netlogon
>>>>> Verified share \\rpdc04\sysvol
>>>>> ......................... rpdc04 passed test NetLogons
>>>>> Starting test: Advertising
>>>>> The DC rpdc04 is advertising itself as a DC and having a DS.
>>>>> The DC rpdc04 is advertising as an LDAP server
>>>>> The DC rpdc04 is advertising as having a writeable directory
>>>>> The DC rpdc04 is advertising as a Key Distribution Center
>>>>> The DC rpdc04 is advertising as a time server
>>>>> The DS rpdc04 is advertising as a GC.
>>>>> ......................... rpdc04 passed test Advertising
>>>>> Starting test: KnowsOfRoleHolders
>>>>> Role Schema Owner = CN=NTDS
>>>>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=
>>>>> my
>>>>> co
>>>>> mpany,DC=com
>>>>> Role Domain Owner = CN=NTDS
>>>>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=
>>>>> my
>>>>> co
>>>>> mpany,DC=com
>>>>> Role PDC Owner = CN=NTDS
>>>>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=
>>>>> my
>>>>> co
>>>>> mpany,DC=com
>>>>> Role Rid Owner = CN=NTDS
>>>>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=
>>>>> my
>>>>> co
>>>>> mpany,DC=com
>>>>> Role Infrastructure Update Owner = CN=NTDS
>>>>> Settings,CN=rpdc03,CN=Servers,CN=RHO,CN=Sites,CN=C onfiguration,DC=
>>>>> my
>>>>> co
>>>>> mpany,DC=com
>>>>> ......................... rpdc04 passed test
>>>>> KnowsOfRoleHolders
>>>>> Starting test: RidManager
>>>>> * Available RID Pool for the Domain is 22603 to 1073741823
>>>>> * rpdc03.mycompany.com is the RID Master
>>>>> * DsBind with RID Master was successful
>>>>> * rIDAllocationPool is 20103 to 20602
>>>>> * rIDPreviousAllocationPool is 20103 to 20602
>>>>> * rIDNextRID: 20266
>>>>> ......................... rpdc04 passed test RidManager
>>>>> Starting test: MachineAccount
>>>>> Checking machine account for DC rpdc04 on DC rpdc04.
>>>>> * SPN found :LDAP/rpdc04.mycompany.com/mycompany.com
>>>>> * SPN found :LDAP/rpdc04.mycompany.com
>>>>> * SPN found :LDAP/rpdc04
>>>>> * SPN found :LDAP/rpdc04.mycompany.com/mycompany
>>>>> * SPN found
>>>>> :LDAP/25671f81-8b4c-404c-991f-e5ae1eb35d62._msdcs.mycompany.com
>>>>> * SPN found
>>>>> :E3514235-4B06-11D1-AB04-00C04FC2DCD2/25671f81-8b4c-404c-991f-e5ae
>>>>> 1e
>>>>> b3
>>>>> 5d62/mycompany.com
>>>>> * SPN found :HOST/rpdc04.mycompany.com/mycompany.com
>>>>> * SPN found :HOST/rpdc04.mycompany.com
>>>>> * SPN found :HOST/rpdc04
>>>>> * SPN found :HOST/rpdc04.mycompany.com/mycompany
>>>>> * SPN found :GC/rpdc04.mycompany.com/mycompany.com
>>>>> ......................... rpdc04 passed test MachineAccount
>>>>> Starting test: Services
>>>>> * Checking Service: Dnscache
>>>>> * Checking Service: NtFrs
>>>>> * Checking Service: IsmServ
>>>>> * Checking Service: kdc
>>>>> * Checking Service: SamSs
>>>>> * Checking Service: LanmanServer
>>>>> * Checking Service: LanmanWorkstation
>>>>> * Checking Service: RpcSs
>>>>> * Checking Service: w32time
>>>>> * Checking Service: NETLOGON
>>>>> ......................... rpdc04 passed test Services
>>>>> Test omitted by user request: OutboundSecureChannels
>>>>> Starting test: ObjectsReplicated
>>>>> rpdc04 is in domain DC=mycompany,DC=com
>>>>> Checking for CN=rpdc04,OU=Domain

Hi

We took system state back from a working DC, where all roles are installed.
Then using dcpromo /adv command promoted the new DC.

Below are results from repadmin from each DCs

---------
----dco3 output----



repadmin running command /showrepl against server localhost



RHO\dc03

DC Options: IS_GC

Site Options: (none)

DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480

DC invocationID: 0c0e7c99-ee98-4f22-b3a9-f5b0e841c29b



==== INBOUND NEIGHBORS ======================================



DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 12:05:45 was successful.



CN=Configuration,DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 12:05:45 was successful.



CN=Schema,CN=Configuration,DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 12:05:45 was successful.



DC=DomainDnsZones,DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 12:05:45 was successful.



DC=ForestDnsZones,DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 12:05:45 was successful.


-----dc04 output----




repadmin running command /showrepl against server localhost



RHO\dc04

DC Options: IS_GC

Site Options: (none)

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

DC invocationID: 402b9c2f-63e3-4bd4-9dfe-0c079a6fca57



==== INBOUND NEIGHBORS ======================================



DC=mycomp,DC=com

DAM\bdc01 via RPC

DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af

Last attempt @ 2010-03-16 12:02:29 was successful.

RHO\dc03 via RPC

DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480

Last attempt @ 2010-03-16 12:11:04 was successful.



CN=Configuration,DC=mycomp,DC=com

RHO\dc03 via RPC

DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480

Last attempt @ 2010-03-16 12:02:29 was successful.

DAM\bdc01 via RPC

DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af

Last attempt @ 2010-03-16 12:02:29 was successful.



CN=Schema,CN=Configuration,DC=mycomp,DC=com

RHO\dc03 via RPC

DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480

Last attempt @ 2010-03-16 12:02:29 was successful.

DAM\bdc01 via RPC

DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af

Last attempt @ 2010-03-16 12:02:29 was successful.



DC=DomainDnsZones,DC=mycomp,DC=com

RHO\dc03 via RPC

DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480

Last attempt @ 2010-03-16 12:02:29 was successful.

DAM\bdc01 via RPC

DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af

Last attempt @ 2010-03-16 12:02:30 was successful.



DC=ForestDnsZones,DC=mycomp,DC=com

RHO\dc03 via RPC

DC object GUID: c3a73c12-ffd0-478a-b13a-8e522ef33480

Last attempt @ 2010-03-16 12:02:29 was successful.

DAM\bdc01 via RPC

DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af

Last attempt @ 2010-03-16 12:02:30 was successful.

---From BDc01---

repadmin running command /showrepl against server localhost



DAM\bdc01

DC Options: IS_GC

Site Options: (none)

DC object GUID: d0589f5b-3879-4ed9-b94c-db6d0b33b0af

DC invocationID: 3c658661-677a-4a29-821f-0e00ba288862



==== INBOUND NEIGHBORS ======================================



DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 11:48:21 was successful.



CN=Configuration,DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 11:48:20 was successful.



CN=Schema,CN=Configuration,DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 11:48:20 was successful.



DC=DomainDnsZones,DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 11:48:21 was successful.



DC=ForestDnsZones,DC=mycomp,DC=com

RHO\dc04 via RPC

DC object GUID: 25671f81-8b4c-404c-991f-e5ae1eb35d62

Last attempt @ 2010-03-16 11:48:22 was successful.

-----

Regards
Lal
--
Server Management Team