Re: Unable to create AD objects...



By the way, you are the one talking about PDCs and BDCs. I'm just referencing them so that things do not get mixed up.

I would like to see the FULL DCDIAG output (attach it to your reply)

I forgot to mention:

Has the OLD "PDC" been removed from the domain by cleaning its metadata with NTDSUTIL?

see:
http://blogs.dirteam.com/blogs/jorge/archive/2005/12/03/213.aspx

If the OLD "PDC" still exists, then the "BDC" (the new "PDC") still thinks there is another DC. Because of that it wants to replicate with it, but it fails, of course. Until replication succeeds or you tell the DC there is no other DC, it will start handing out RID pools.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Steven Sinclair" <StevenSinclair@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:2E5CA26A-7444-4303-96BB-DE2544555406@xxxxxxxxxxxxxxxx
Okay...first of all, there is no PDC and BDC, there is only one server in
question, a PDC named mcp01.

As for the first command (NETDOM QUERY FSMO), here are the results:

Schema owner mcp01.mydomain.com
Domain role owner mcp01.mydomain.com
PDC role mcp01.mydomain.com
RID pool manager mcp01.mydomain.com
Infrastructure owner mcp01.mydomain.com

As for the second command (REPADMIN /OPTIONS <mcp01.mydomain.com>), here are
the results:

Current DC Options: IS_GC

And, yes, you are correct in that I can create a contact, but not a user.

As for the final command (DCDIAG /C /D /V), here are only the results of the
failures:

Starting test: NetLogons
* Network Logons Privileges Check
Unable to connect to the NETLOGON share! (\\MCP01\netlogon)
[MCP01] An net use or LsaPolicy operation failed with error 1203, No
network provider accepted the given network path..
.........................MCP01 failed test NetLogons

Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40011006
Time Generated: 06/18/2008 13:28:21
Event String: The connection was aborted by the remote WINS. Remote
WINS may not be configured to replicate with the server.
.........................MCP01 failed test systemlog

All other tests passed.

Any more suggestions will be greatly appreciated.

Thanx.



"Jorge de Almeida Pinto [MVP - DS]" wrote:

ORIGINAL QUESTION: (ANSWER BELOW)
---------------------------------------------
"Steven Sinclair" wrote:

> Good morning, all.
>
> We've recently run into a situation where an individual (who is no longer
> with the company) decided to take our PDC offline and only left our BDC up
> and running, but did not transfer control of the domain to the BDC, nor did
> he promote the BDC.
>
> Now, we're unable to create new users (even though there are no users listed
> in ADUC...we simply get an error, "An error occurred. Contact your system
> administrator." However, nothing ever shows up in the event viewer. Within
> ADUC, even the "Raise Domain Function Level" command states the domain is
> operating at the highest possible functional level and the "Operations
> Masters" only lists the remaining server as the Operations master and the
> PDC.
>
> Any ideas on how we can get this remaining controller to "control" the
> domain?
>
> Thanx.
---------------------------------------------


ANSWER GIVEN BY ME:
First thing I would say is:

on that "BDC" check who owns the FSMO roles using: NETDOM QUERY FSMO

For ALL FSMO roles that are NOT owned by the "BDC", seize those roles. For more
info see: http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/373.aspx

on the BDC execute: REPADMIN /OPTIONS <NAME OF BDC SERVER>
OR
REPADMIN /OPTIONS <NAME OF BDC SERVER> +IS_GC

My guess is that the main reason that you cannot create users, groups, or
computers is because the RID master is owned by the "PDC" that was taken
offline.
Can I say you are able to create a contact but not a user account?
If yes, the RID master is probably the issue.

DCDIAG /C /D /V should give you more info about the health of the "BDC".

also have a look at:
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/25/1040.aspx


--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

"Steven Sinclair" <StevenSinclair@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:DEA0DDEE-E96C-46DB-88D3-DAF0FD9F0F25@xxxxxxxxxxxxxxxx
> Is anyone available to take a look at this thread...
>
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.server.active_directory&mid=be90de26-d4c1-4805-bd3a-8a70ab0e70d4&sloc=en-us
>
> ...and donate some invaluable assistance?
>
> Thanx.

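As an added illustration of the checks discussed in this thread (an example script written for this page, not posted by anyone in the thread): it lists the FSMO owners, flags any owner that no longer exists as a DC (stale metadata), and decodes the RID pool attributes so the "can create a contact but not a user" symptom can be tied to a missing RID master. It assumes the ActiveDirectory PowerShell module and is run on the remaining DC.

```powershell
# Added example (not from the thread): FSMO owner sanity check plus RID pool decode.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$forest  = Get-ADForest
$liveDCs = (Get-ADDomainController -Filter *).HostName   # DCs still known in AD

$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'PDC emulator'          = $domain.PDCEmulator
    'RID master'            = $domain.RIDMaster
    'Infrastructure master' = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    # An owner that is not a known DC is stale metadata: seize the role and clean it with NTDSUTIL.
    $state = if ($liveDCs -contains $r.Value) { 'known DC' } else { 'NOT a known DC (stale owner)' }
    # A role you seized must never have its old owner come back online; reachability is the warning sign.
    $up = Test-Connection -ComputerName $r.Value -Count 1 -Quiet -ErrorAction SilentlyContinue
    '{0,-22} {1,-28} {2} (reachable: {3})' -f $r.Key, $r.Value, $state, $up
}

# rID*Pool attributes are 64-bit: low 32 bits = first RID, high 32 bits = last RID.
function ConvertTo-RidRange([int64]$pool) {
    [pscustomobject]@{ Start = $pool -band [uint32]::MaxValue; End = $pool -shr 32 }
}

# Domain-wide pool the RID master hands out from (RID Manager$ object in CN=System).
$mgr   = Get-ADObject "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" -Properties rIDAvailablePool
$avail = ConvertTo-RidRange $mgr.rIDAvailablePool
"Next block the RID master would hand out starts at RID $($avail.Start) (ceiling $($avail.End))"

# This DC's own pool: the computer object's rIDSetReferences points at its RID Set.
$dc = Get-ADComputer $env:COMPUTERNAME -Properties rIDSetReferences
if (-not $dc.rIDSetReferences) {
    'This DC has never been given a RID pool; it cannot create security principals.'
    return
}
$set  = Get-ADObject $dc.rIDSetReferences[0] -Properties rIDAllocationPool, rIDNextRID
$pool = ConvertTo-RidRange $set.rIDAllocationPool
$left = $pool.End - $set.rIDNextRID
"Local pool $($pool.Start)-$($pool.End), next RID $($set.rIDNextRID), $left RIDs left"
if ($left -le 0) {
    'Pool exhausted: users, groups and computers cannot be created until a working RID master issues a new pool.'
}
```

Contacts have no SID, so they keep working while the local pool is empty, which is exactly the distinction the thread uses to point at the RID master.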

