Re: Unable to create AD objects...



Okay...first of all, there is no PDC and BDC, there is only one server in
question, a PDC named mcp01.

As for the first command (NETDOM QUERY FSMO), here are the results:

Schema owner mcp01.mydomain.com
Domain role owner mcp01.mydomain.com
PDC role mcp01.mydomain.com
RID pool manager mcp01.mydomain.com
Infrastructure owner mcp01.mydomain.com

As for the second command (REPADMIN /OPTIONS <mcp01.mydomain.com>), here are
the results:

Current DC Options: IS_GC

And, yes, you are correct in that I can create a contact, but not a user.

As for the final command (DCDIAG /C /D /V), here are only the results of the
failures:

Starting test: NetLogons
* Network Logons Privileges Check
Unable to connect to the NETLOGON share! (\\MCP01\netlogon)
[MCP01] An net use or LsaPolicy operation failed with error 1203, No
network provider accepted the given network path..
.........................MCP01 failed test NetLogons

Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40011006
Time Generated: 06/18/2008 13:28:21
Event String: The connection was aborted by the remote WINS. Remote
WINS may not be configured to replicate with the server.
.........................MCP01 failed test systemlog

All other tests passed.

Any more suggestions will be greatly appreciated.

Thanx.



"Jorge de Almeida Pinto [MVP - DS]" wrote:

ORIGINAL QUESTION: (ANSWER BELOW)
---------------------------------------------
"Steven Sinclair" wrote:

Good morning, all.

We've recently run into a situation where an individual (who is no longer
with the company) decided to take our PDC offline and only left our BDC up
and running, but did not transfer control of the domain to the BDC, nor did
he promote the BDC.

Now, we're unable to create new users (even though there are no users listed
in ADUC...we simply get an error, "An error occurred. Contact your system
administrator." However, nothing ever shows up in the event viewer. Within
ADUC, even the "Raise Domain Function Level" command states the domain is
operating at the highest possible functional level and the "Operations
Masters" only lists the remaining server as the Operations master and the
PDC.

Any ideas on how we can get this remaining controller to "control" the
domain?

Thanx.
---------------------------------------------


ANSWER GIVEN BY ME:
first thing I would say is:

on that "BDC" check who owns the FSMO roles using: NETDOM QUERY FSMO

For ALL FSMO that are NOT owned by the "BDC" seize those roles. for more
info see: http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/373.aspx

on the BDC execute: REPADMIN /OPTIONS <NAME OF BDC SERVER>
OR
REPADMIN /OPTIONS <NAME OF BDC SERVER> +IS_GC

My guess is that the main reason that you cannot create users, groups, or
computers is because the RID master is owned by the "PDC" that was taken
offline
Can I say you are able to create a contact but not a user account?
If yes, the RID master is probably the issue

DCDIAG /C /D /V should give you more info about the health of the "BDC"

also have a look at:
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/25/1040.aspx


--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------
"Steven Sinclair" <StevenSinclair@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:DEA0DDEE-E96C-46DB-88D3-DAF0FD9F0F25@xxxxxxxxxxxxxxxx
Is anyone available to take a look at this thread...

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.server.active_directory&mid=be90de26-d4c1-4805-bd3a-8a70ab0e70d4&sloc=en-us

...and donate some invaluable assistance?

Thanx.
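
Added example, not part of any post in this thread: a small Python triage of the command output posted in the reply at the top, following the checks suggested in the answer (FSMO ownership from NETDOM QUERY FSMO, failures from DCDIAG). The role labels are copied from the posted output; the function names are made up for this example.

```python
import re

# Output copied from the reply at the top of this thread.
NETDOM_OUTPUT = """Schema owner mcp01.mydomain.com
Domain role owner mcp01.mydomain.com
PDC role mcp01.mydomain.com
RID pool manager mcp01.mydomain.com
Infrastructure owner mcp01.mydomain.com
"""
DCDIAG_OUTPUT = """Starting test: NetLogons
.........................MCP01 failed test NetLogons
Starting test: systemlog
.........................MCP01 failed test systemlog
"""

# Role labels exactly as they appear in the posted NETDOM output.
FSMO_LABELS = ("Schema owner", "Domain role owner", "PDC role",
               "RID pool manager", "Infrastructure owner")


def parse_fsmo(text):
    """Map each FSMO label to the lower-cased host name that follows it."""
    owners = {}
    for line in (raw.strip() for raw in text.splitlines()):
        for label in FSMO_LABELS:
            m = re.match(re.escape(label) + r"\s+(\S+)", line)
            if m:
                owners[label] = m.group(1).lower()
    return owners


def failed_tests(text):
    """(server, test) pairs from DCDIAG '...SERVER failed test NAME' lines."""
    return re.findall(r"^\.+\s*(\S+) failed test (\S+)\s*$", text, re.M)


def triage(netdom, dcdiag, surviving_dc):
    """Summarise what the pasted output says about the remaining DC."""
    dc = surviving_dc.lower()
    owners = parse_fsmo(netdom)
    return {
        # Roles missing from the output or held by a different host.
        "roles_to_review": [r for r in FSMO_LABELS if owners.get(r) != dc],
        "rid_master_local": owners.get("RID pool manager") == dc,
        "failed_tests": failed_tests(dcdiag),
    }


if __name__ == "__main__":
    print(triage(NETDOM_OUTPUT, DCDIAG_OUTPUT, "mcp01.mydomain.com"))
```

On the posted output this reports no roles to review and the RID pool manager on mcp01, leaving the NetLogons and systemlog failures from DCDIAG.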

