dcpromo- select source DC?

Hi all,

I've an issue promoting a new DC into an existing domain and think it's
trying to use a DC as it's source which I've discovered has a problem.

Is it possible to select a source DC for the new server?

Cheers, Andy

If you have a problem dc, I would get thst resolved before promoting
anything else into the domain. If that is not possible, how about just
disconnecting it during the promo. I think you should resolve first, you
are just asking for trouble.


Run diagnostics against your Active Directory domain.

If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> ntfrsutl ds your_dc_name > c:\sysvol.log
-> dnslint /ad /s "ip address of your dc"

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's
in the forest. If you have significant numbers of DC's this test could
generate significant detail and take a long time. You also want to take into
account slow links to dc's will also add to the testing time.

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests without
having to learn all the switch options. The details will be output in
notepad text files that pop up automagically.

The script is located on my website at
http://www.pbbergs.com/windows/downloads.htm

Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.

Description and download for dnslint
http://support.microsoft.com/kb/321045


--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote in message
news:...
> Hi all,
>
> I've an issue promoting a new DC into an existing domain and think it's
> trying to use a DC as it's source which I've discovered has a problem.
>
> Is it possible to select a source DC for the new server?
>
> Cheers, Andy
>

Hello Paul,

The other DC's are good (I run dcpromo across the enterprise every weekend).
The issue with the one DC I've discovered is bad has event ID 1202 every 5
minutes:

Source SceCli

Security policies are propagated with warning. 0x5 : Access is denied.

For best results in resolving this event, log on with a non-administrative
account and search http://support.microsoft.com for "Troubleshooting Event
1202s". 0x5 access is denied.


Also every 5 minutes is event ID 427

Source ESENT

Security policies are propagated with warning. 0x5 : Access is denied.

For best results in resolving this event, log on with a non-administrative
account and search http://support.microsoft.com for "Troubleshooting Event
1202s".


I've read technote http://support.microsoft.com/kb/284461 but it doesn;t
apply, the errors in the winlogon.log file are as below:

*************************

Error 0 to send control flag 1 over to server.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

[Mapping] gpt00000.dom = .JW Global Client Settings

Done some googling and it appears to be permissions base don the
winnt\security folder although I can;t spot anything.

Any ideas?



"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
news:%...
> If you have a problem dc, I would get thst resolved before promoting
> anything else into the domain. If that is not possible, how about just
> disconnecting it during the promo. I think you should resolve first, you
> are just asking for trouble.
>
>
> Run diagnostics against your Active Directory domain.
>
> If you don't have the support tools installed, install them from your
> server install disk.
> d:\support\tools\setup.exe
>
> Run dcdiag, netdiag and repadmin in verbose mode.
> -> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
> -> netdiag.exe /v > c:\netdiag.log (On each dc)
> -> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
> -> ntfrsutl ds your_dc_name > c:\sysvol.log
> -> dnslint /ad /s "ip address of your dc"
>
> **Note: Using the /E switch in dcdiag will run diagnostics against ALL
> dc's in the forest. If you have significant numbers of DC's this test
> could generate significant detail and take a long time. You also want to
> take into account slow links to dc's will also add to the testing time.
>
> If you download a gui script I wrote it should be simple to set and run
> (DCDiag and NetDiag). It also has the option to run individual tests
> without having to learn all the switch options. The details will be output
> in notepad text files that pop up automagically.
>
> The script is located on my website at
> http://www.pbbergs.com/windows/downloads.htm
>
> Just select both dcdiag and netdiag make sure verbose is set. (Leave the
> default settings for dcdiag as set when selected)
>
> When complete search for fail, error and warning messages.
>
> Description and download for dnslint
> http://support.microsoft.com/kb/321045
>
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote in message
> news:...
>> Hi all,
>>
>> I've an issue promoting a new DC into an existing domain and think it's
>> trying to use a DC as it's source which I've discovered has a problem.
>>
>> Is it possible to select a source DC for the new server?
>>
>> Cheers, Andy
>>
>
>

I'd still be inclined to rid myself of a troublesome DC before adding
another, but depending upon the versions, use an "install from media"
method, or a command line or unattended dcpromo using
"ReplicationSourceDC:".


Andrew Story wrote:
> Hello Paul,
>
> The other DC's are good (I run dcpromo across the enterprise every
> weekend). The issue with the one DC I've discovered is bad has event
> ID 1202 every 5 minutes:
>
> Source SceCli
>
> Security policies are propagated with warning. 0x5 : Access is denied.
>
> For best results in resolving this event, log on with a
> non-administrative account and search http://support.microsoft.com
> for "Troubleshooting Event 1202s". 0x5 access is denied.
>
>
> Also every 5 minutes is event ID 427
>
> Source ESENT
>
> Security policies are propagated with warning. 0x5 : Access is denied.
>
> For best results in resolving this event, log on with a
> non-administrative account and search http://support.microsoft.com
> for "Troubleshooting Event 1202s".
>
>
> I've read technote http://support.microsoft.com/kb/284461 but it
> doesn;t apply, the errors in the winlogon.log file are as below:
>
> *************************
>
> Error 0 to send control flag 1 over to server.
> GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
> GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
> GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
>
> [Mapping] gpt00000.dom = .JW Global Client Settings
>
> Done some googling and it appears to be permissions base don the
> winnt\security folder although I can;t spot anything.
>
> Any ideas?
>
>
>
> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
> news:%...
>> If you have a problem dc, I would get thst resolved before promoting
>> anything else into the domain. If that is not possible, how about
>> just disconnecting it during the promo. I think you should resolve
>> first, you are just asking for trouble.
>>
>>
>> Run diagnostics against your Active Directory domain.
>>
>> If you don't have the support tools installed, install them from your
>> server install disk.
>> d:\support\tools\setup.exe
>>
>> Run dcdiag, netdiag and repadmin in verbose mode.
>> -> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
>> -> netdiag.exe /v > c:\netdiag.log (On each dc)
>> -> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
>> -> ntfrsutl ds your_dc_name > c:\sysvol.log
>> -> dnslint /ad /s "ip address of your dc"
>>
>> **Note: Using the /E switch in dcdiag will run diagnostics against
>> ALL dc's in the forest. If you have significant numbers of DC's this
>> test could generate significant detail and take a long time. You
>> also want to take into account slow links to dc's will also add to
>> the testing time. If you download a gui script I wrote it should be
>> simple to set and
>> run (DCDiag and NetDiag). It also has the option to run individual
>> tests without having to learn all the switch options. The details
>> will be output in notepad text files that pop up automagically.
>>
>> The script is located on my website at
>> http://www.pbbergs.com/windows/downloads.htm
>>
>> Just select both dcdiag and netdiag make sure verbose is set. (Leave
>> the default settings for dcdiag as set when selected)
>>
>> When complete search for fail, error and warning messages.
>>
>> Description and download for dnslint
>> http://support.microsoft.com/kb/321045
>>
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>> Microsoft's Thrive IT Pro of the Month - June 2009
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights. "Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote in
>> message
>> news:...
>>> Hi all,
>>>
>>> I've an issue promoting a new DC into an existing domain and think
>>> it's trying to use a DC as it's source which I've discovered has a
>>> problem. Is it possible to select a source DC for the new server?
>>>
>>> Cheers, Andy

--
/kj

Hello Andrew,

Please provide the outputs requested from Paul. Also what do you mean you
run dcpromo every weekend across the enterprise?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hello Paul,
>
> The other DC's are good (I run dcpromo across the enterprise every
> weekend). The issue with the one DC I've discovered is bad has event
> ID 1202 every 5 minutes:
>
> Source SceCli
>
> Security policies are propagated with warning. 0x5 : Access is denied.
>
> For best results in resolving this event, log on with a
> non-administrative account and search http://support.microsoft.com for
> "Troubleshooting Event 1202s". 0x5 access is denied.
>
> Also every 5 minutes is event ID 427
>
> Source ESENT
>
> Security policies are propagated with warning. 0x5 : Access is denied.
>
> For best results in resolving this event, log on with a
> non-administrative account and search http://support.microsoft.com for
> "Troubleshooting Event 1202s".
>
> I've read technote http://support.microsoft.com/kb/284461 but it
> doesn;t apply, the errors in the winlogon.log file are as below:
>
> *************************
>
> Error 0 to send control flag 1 over to server.
> GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
> GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
> GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
> [Mapping] gpt00000.dom = .JW Global Client Settings
>
> Done some googling and it appears to be permissions base don the
> winnt\security folder although I can;t spot anything.
>
> Any ideas?
>
> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
> news:%...
>
>> If you have a problem dc, I would get thst resolved before promoting
>> anything else into the domain. If that is not possible, how about
>> just disconnecting it during the promo. I think you should resolve
>> first, you are just asking for trouble.
>>
>> Run diagnostics against your Active Directory domain.
>>
>> If you don't have the support tools installed, install them from your
>> server install disk.
>> d:\support\tools\setup.exe
>> Run dcdiag, netdiag and repadmin in verbose mode.
>> -> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
>> -> netdiag.exe /v > c:\netdiag.log (On each dc)
>> -> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
>> -> ntfrsutl ds your_dc_name > c:\sysvol.log
>> -> dnslint /ad /s "ip address of your dc"
>> **Note: Using the /E switch in dcdiag will run diagnostics against
>> ALL dc's in the forest. If you have significant numbers of DC's this
>> test could generate significant detail and take a long time. You also
>> want to take into account slow links to dc's will also add to the
>> testing time.
>>
>> If you download a gui script I wrote it should be simple to set and
>> run (DCDiag and NetDiag). It also has the option to run individual
>> tests without having to learn all the switch options. The details
>> will be output in notepad text files that pop up automagically.
>>
>> The script is located on my website at
>> http://www.pbbergs.com/windows/downloads.htm
>>
>> Just select both dcdiag and netdiag make sure verbose is set. (Leave
>> the default settings for dcdiag as set when selected)
>>
>> When complete search for fail, error and warning messages.
>>
>> Description and download for dnslint
>> http://support.microsoft.com/kb/321045
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>> Microsoft's Thrive IT Pro of the Month - June 2009
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote in message
>> news:...
>>
>>> Hi all,
>>>
>>> I've an issue promoting a new DC into an existing domain and think
>>> it's trying to use a DC as it's source which I've discovered has a
>>> problem.
>>>
>>> Is it possible to select a source DC for the new server?
>>>
>>> Cheers, Andy
>>>

Sorry meant dcdiag is run every week!


"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:. com...
> Hello Andrew,
>
> Please provide the outputs requested from Paul. Also what do you mean you
> run dcpromo every weekend across the enterprise?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> Hello Paul,
>>
>> The other DC's are good (I run dcpromo across the enterprise every
>> weekend). The issue with the one DC I've discovered is bad has event
>> ID 1202 every 5 minutes:
>>
>> Source SceCli
>>
>> Security policies are propagated with warning. 0x5 : Access is denied.
>>
>> For best results in resolving this event, log on with a
>> non-administrative account and search http://support.microsoft.com for
>> "Troubleshooting Event 1202s". 0x5 access is denied.
>>
>> Also every 5 minutes is event ID 427
>>
>> Source ESENT
>>
>> Security policies are propagated with warning. 0x5 : Access is denied.
>>
>> For best results in resolving this event, log on with a
>> non-administrative account and search http://support.microsoft.com for
>> "Troubleshooting Event 1202s".
>>
>> I've read technote http://support.microsoft.com/kb/284461 but it
>> doesn;t apply, the errors in the winlogon.log file are as below:
>>
>> *************************
>>
>> Error 0 to send control flag 1 over to server.
>> GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
>> GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
>> GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
>> [Mapping] gpt00000.dom = .JW Global Client Settings
>>
>> Done some googling and it appears to be permissions base don the
>> winnt\security folder although I can;t spot anything.
>>
>> Any ideas?
>>
>> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
>> news:%...
>>
>>> If you have a problem dc, I would get thst resolved before promoting
>>> anything else into the domain. If that is not possible, how about
>>> just disconnecting it during the promo. I think you should resolve
>>> first, you are just asking for trouble.
>>>
>>> Run diagnostics against your Active Directory domain.
>>>
>>> If you don't have the support tools installed, install them from your
>>> server install disk.
>>> d:\support\tools\setup.exe
>>> Run dcdiag, netdiag and repadmin in verbose mode.
>>> -> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
>>> -> netdiag.exe /v > c:\netdiag.log (On each dc)
>>> -> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
>>> -> ntfrsutl ds your_dc_name > c:\sysvol.log
>>> -> dnslint /ad /s "ip address of your dc"
>>> **Note: Using the /E switch in dcdiag will run diagnostics against
>>> ALL dc's in the forest. If you have significant numbers of DC's this
>>> test could generate significant detail and take a long time. You also
>>> want to take into account slow links to dc's will also add to the
>>> testing time.
>>>
>>> If you download a gui script I wrote it should be simple to set and
>>> run (DCDiag and NetDiag). It also has the option to run individual
>>> tests without having to learn all the switch options. The details
>>> will be output in notepad text files that pop up automagically.
>>>
>>> The script is located on my website at
>>> http://www.pbbergs.com/windows/downloads.htm
>>>
>>> Just select both dcdiag and netdiag make sure verbose is set. (Leave
>>> the default settings for dcdiag as set when selected)
>>>
>>> When complete search for fail, error and warning messages.
>>>
>>> Description and download for dnslint
>>> http://support.microsoft.com/kb/321045
>>> --
>>> Paul Bergson
>>> MVP - Directory Services
>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>> 2008, 2003, 2000 (Early Achiever), NT4
>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>> http://www.pbbergs.com
>>>
>>> Please no e-mails, any questions should be posted in the NewsGroup
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>>
>>> "Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote in message
>>> news:...
>>>
>>>> Hi all,
>>>>
>>>> I've an issue promoting a new DC into an existing domain and think
>>>> it's trying to use a DC as it's source which I've discovered has a
>>>> problem.
>>>>
>>>> Is it possible to select a source DC for the new server?
>>>>
>>>> Cheers, Andy
>>>>
>
>

Believe it or not a reboot of the DC in question has fixed this particular
issues with access on the sysvol share and GPO's applying correclty.

Been online for 2 hours now with no errors reported in event viewer.

Can't beat working in IT can you :-]


"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:. com...
> Hello Andrew,
>
> Please provide the outputs requested from Paul. Also what do you mean you
> run dcpromo every weekend across the enterprise?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> Hello Paul,
>>
>> The other DC's are good (I run dcpromo across the enterprise every
>> weekend). The issue with the one DC I've discovered is bad has event
>> ID 1202 every 5 minutes:
>>
>> Source SceCli
>>
>> Security policies are propagated with warning. 0x5 : Access is denied.
>>
>> For best results in resolving this event, log on with a
>> non-administrative account and search http://support.microsoft.com for
>> "Troubleshooting Event 1202s". 0x5 access is denied.
>>
>> Also every 5 minutes is event ID 427
>>
>> Source ESENT
>>
>> Security policies are propagated with warning. 0x5 : Access is denied.
>>
>> For best results in resolving this event, log on with a
>> non-administrative account and search http://support.microsoft.com for
>> "Troubleshooting Event 1202s".
>>
>> I've read technote http://support.microsoft.com/kb/284461 but it
>> doesn;t apply, the errors in the winlogon.log file are as below:
>>
>> *************************
>>
>> Error 0 to send control flag 1 over to server.
>> GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
>> GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
>> GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
>> [Mapping] gpt00000.dom = .JW Global Client Settings
>>
>> Done some googling and it appears to be permissions base don the
>> winnt\security folder although I can;t spot anything.
>>
>> Any ideas?
>>
>> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
>> news:%...
>>
>>> If you have a problem dc, I would get thst resolved before promoting
>>> anything else into the domain. If that is not possible, how about
>>> just disconnecting it during the promo. I think you should resolve
>>> first, you are just asking for trouble.
>>>
>>> Run diagnostics against your Active Directory domain.
>>>
>>> If you don't have the support tools installed, install them from your
>>> server install disk.
>>> d:\support\tools\setup.exe
>>> Run dcdiag, netdiag and repadmin in verbose mode.
>>> -> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
>>> -> netdiag.exe /v > c:\netdiag.log (On each dc)
>>> -> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
>>> -> ntfrsutl ds your_dc_name > c:\sysvol.log
>>> -> dnslint /ad /s "ip address of your dc"
>>> **Note: Using the /E switch in dcdiag will run diagnostics against
>>> ALL dc's in the forest. If you have significant numbers of DC's this
>>> test could generate significant detail and take a long time. You also
>>> want to take into account slow links to dc's will also add to the
>>> testing time.
>>>
>>> If you download a gui script I wrote it should be simple to set and
>>> run (DCDiag and NetDiag). It also has the option to run individual
>>> tests without having to learn all the switch options. The details
>>> will be output in notepad text files that pop up automagically.
>>>
>>> The script is located on my website at
>>> http://www.pbbergs.com/windows/downloads.htm
>>>
>>> Just select both dcdiag and netdiag make sure verbose is set. (Leave
>>> the default settings for dcdiag as set when selected)
>>>
>>> When complete search for fail, error and warning messages.
>>>
>>> Description and download for dnslint
>>> http://support.microsoft.com/kb/321045
>>> --
>>> Paul Bergson
>>> MVP - Directory Services
>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>> 2008, 2003, 2000 (Early Achiever), NT4
>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>> http://www.pbbergs.com
>>>
>>> Please no e-mails, any questions should be posted in the NewsGroup
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>>
>>> "Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote in message
>>> news:...
>>>
>>>> Hi all,
>>>>
>>>> I've an issue promoting a new DC into an existing domain and think
>>>> it's trying to use a DC as it's source which I've discovered has a
>>>> problem.
>>>>
>>>> Is it possible to select a source DC for the new server?
>>>>
>>>> Cheers, Andy
>>>>
>
>

Hello Andrew,

Nice to hear, sometimes it needs only a reboot after some changes. Just keep
on checking with the support tools.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Believe it or not a reboot of the DC in question has fixed this
> particular issues with access on the sysvol share and GPO's applying
> correclty.
>
> Been online for 2 hours now with no errors reported in event viewer.
>
> Can't beat working in IT can you :-]
>
> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
> news:. com...
>
>> Hello Andrew,
>>
>> Please provide the outputs requested from Paul. Also what do you mean
>> you run dcpromo every weekend across the enterprise?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Hello Paul,
>>>
>>> The other DC's are good (I run dcpromo across the enterprise every
>>> weekend). The issue with the one DC I've discovered is bad has event
>>> ID 1202 every 5 minutes:
>>>
>>> Source SceCli
>>>
>>> Security policies are propagated with warning. 0x5 : Access is
>>> denied.
>>>
>>> For best results in resolving this event, log on with a
>>> non-administrative account and search http://support.microsoft.com
>>> for "Troubleshooting Event 1202s". 0x5 access is denied.
>>>
>>> Also every 5 minutes is event ID 427
>>>
>>> Source ESENT
>>>
>>> Security policies are propagated with warning. 0x5 : Access is
>>> denied.
>>>
>>> For best results in resolving this event, log on with a
>>> non-administrative account and search http://support.microsoft.com
>>> for "Troubleshooting Event 1202s".
>>>
>>> I've read technote http://support.microsoft.com/kb/284461 but it
>>> doesn;t apply, the errors in the winlogon.log file are as below:
>>>
>>> *************************
>>>
>>> Error 0 to send control flag 1 over to server.
>>> GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
>>> GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
>>> GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
>>> [Mapping] gpt00000.dom = .JW Global Client Settings
>>> Done some googling and it appears to be permissions base don the
>>> winnt\security folder although I can;t spot anything.
>>>
>>> Any ideas?
>>>
>>> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
>>> news:%...
>>>
>>>> If you have a problem dc, I would get thst resolved before
>>>> promoting anything else into the domain. If that is not possible,
>>>> how about just disconnecting it during the promo. I think you
>>>> should resolve first, you are just asking for trouble.
>>>>
>>>> Run diagnostics against your Active Directory domain.
>>>>
>>>> If you don't have the support tools installed, install them from
>>>> your
>>>> server install disk.
>>>> d:\support\tools\setup.exe
>>>> Run dcdiag, netdiag and repadmin in verbose mode.
>>>> -> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
>>>> -> netdiag.exe /v > c:\netdiag.log (On each dc)
>>>> -> repadmin.exe /showrepl dc* /verbose /all /intersite >
>>>> c:\repl.txt
>>>> -> ntfrsutl ds your_dc_name > c:\sysvol.log
>>>> -> dnslint /ad /s "ip address of your dc"
>>>> **Note: Using the /E switch in dcdiag will run diagnostics against
>>>> ALL dc's in the forest. If you have significant numbers of DC's
>>>> this
>>>> test could generate significant detail and take a long time. You
>>>> also
>>>> want to take into account slow links to dc's will also add to the
>>>> testing time.
>>>> If you download a gui script I wrote it should be simple to set and
>>>> run (DCDiag and NetDiag). It also has the option to run individual
>>>> tests without having to learn all the switch options. The details
>>>> will be output in notepad text files that pop up automagically.
>>>>
>>>> The script is located on my website at
>>>> http://www.pbbergs.com/windows/downloads.htm
>>>> Just select both dcdiag and netdiag make sure verbose is set.
>>>> (Leave the default settings for dcdiag as set when selected)
>>>>
>>>> When complete search for fail, error and warning messages.
>>>>
>>>> Description and download for dnslint
>>>> http://support.microsoft.com/kb/321045
>>>> --
>>>> Paul Bergson
>>>> MVP - Directory Services
>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>>> 2008, 2003, 2000 (Early Achiever), NT4
>>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>> http://www.pbbergs.com
>>>> Please no e-mails, any questions should be posted in the NewsGroup
>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>> rights.
>>>>
>>>> "Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote in message
>>>> news:...
>>>>
>>>>> Hi all,
>>>>>
>>>>> I've an issue promoting a new DC into an existing domain and think
>>>>> it's trying to use a DC as it's source which I've discovered has a
>>>>> problem.
>>>>>
>>>>> Is it possible to select a source DC for the new server?
>>>>>
>>>>> Cheers, Andy
>>>>>

What do you mean you have run dcpromom across the enterprise every weekend?
Did you mean dcdiag?
Is there a firewall in there somewhere that could be blocking replication?

I guess I would start using dfsdiag to help diagnose this issue, if you have
run dcdiag without any reported errors. Even though the below line points
to server 2008, you said you were using 2003 R2 so this should work for you
as well.

http://blogs.technet.com/filecab/arc...fsdiag-do.aspx

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote in message
news:...
> Hello Paul,
>
> The other DC's are good (I run dcpromo across the enterprise every
> weekend). The issue with the one DC I've discovered is bad has event ID
> 1202 every 5 minutes:
>
> Source SceCli
>
> Security policies are propagated with warning. 0x5 : Access is denied.
>
> For best results in resolving this event, log on with a non-administrative
> account and search http://support.microsoft.com for "Troubleshooting Event
> 1202s". 0x5 access is denied.
>
>
> Also every 5 minutes is event ID 427
>
> Source ESENT
>
> Security policies are propagated with warning. 0x5 : Access is denied.
>
> For best results in resolving this event, log on with a non-administrative
> account and search http://support.microsoft.com for "Troubleshooting Event
> 1202s".
>
>
> I've read technote http://support.microsoft.com/kb/284461 but it doesn;t
> apply, the errors in the winlogon.log file are as below:
>
> *************************
>
> Error 0 to send control flag 1 over to server.
> GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
> GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
> GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
>
> [Mapping] gpt00000.dom = .JW Global Client Settings
>
> Done some googling and it appears to be permissions base don the
> winnt\security folder although I can;t spot anything.
>
> Any ideas?
>
>
>
> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
> news:%...
>> If you have a problem dc, I would get thst resolved before promoting
>> anything else into the domain. If that is not possible, how about just
>> disconnecting it during the promo. I think you should resolve first, you
>> are just asking for trouble.
>>
>>
>> Run diagnostics against your Active Directory domain.
>>
>> If you don't have the support tools installed, install them from your
>> server install disk.
>> d:\support\tools\setup.exe
>>
>> Run dcdiag, netdiag and repadmin in verbose mode.
>> -> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
>> -> netdiag.exe /v > c:\netdiag.log (On each dc)
>> -> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
>> -> ntfrsutl ds your_dc_name > c:\sysvol.log
>> -> dnslint /ad /s "ip address of your dc"
>>
>> **Note: Using the /E switch in dcdiag will run diagnostics against ALL
>> dc's in the forest. If you have significant numbers of DC's this test
>> could generate significant detail and take a long time. You also want to
>> take into account slow links to dc's will also add to the testing time.
>>
>> If you download a gui script I wrote it should be simple to set and run
>> (DCDiag and NetDiag). It also has the option to run individual tests
>> without having to learn all the switch options. The details will be
>> output in notepad text files that pop up automagically.
>>
>> The script is located on my website at
>> http://www.pbbergs.com/windows/downloads.htm
>>
>> Just select both dcdiag and netdiag make sure verbose is set. (Leave the
>> default settings for dcdiag as set when selected)
>>
>> When complete search for fail, error and warning messages.
>>
>> Description and download for dnslint
>> http://support.microsoft.com/kb/321045
>>
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>> Microsoft's Thrive IT Pro of the Month - June 2009
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup This
>> posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote in message
>> news:...
>>> Hi all,
>>>
>>> I've an issue promoting a new DC into an existing domain and think it's
>>> trying to use a DC as it's source which I've discovered has a problem.
>>>
>>> Is it possible to select a source DC for the new server?
>>>
>>> Cheers, Andy
>>>
>>
>>
>
>