Re: NT4 -> Win2K3 question



Hi,

Check following article:

839499 You cannot open file shares or Group Policy snap-ins when you
disable SMB signing for the Workstation or Server service on a domain
controller
http://support.microsoft.com/default.aspx?scid=kb;EN-US;839499

Regarding the GC aspect, is tempBDC still available? If it is not available
now, please choose another DC to GC ASAP.


Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================



--------------------
From: "tony@i-cable" <tony@xxxxxxxxxxxx>
References: <uqW0VocmGHA.1576@xxxxxxxxxxxxxxxxxxxx>
<C$oyBqlmGHA.4528@xxxxxxxxxxxxxxxxxxxxx>
<#L$hx0omGHA.4992@xxxxxxxxxxxxxxxxxxxx>
<Frt4FT0mGHA.5268@xxxxxxxxxxxxxxxxxxxxx>
<#YVhoFDnGHA.2264@xxxxxxxxxxxxxxxxxxxx>
<TGLEd9knGHA.4260@xxxxxxxxxxxxxxxxxxxxx>
<OKs7R3mnGHA.3440@xxxxxxxxxxxxxxxxxxxx>
<JdOnZnnnGHA.4188@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: NT4 -> Win2K3 question
Date: Mon, 3 Jul 2006 18:18:21 +0800
Lines: 541
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
Message-ID: <OglYEoonGHA.5056@xxxxxxxxxxxxxxxxxxxx>
Newsgroups: microsoft.public.windows.server.migration
NNTP-Posting-Host: 59.188.32.186
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.migration:24300
X-Tomcat-NG: microsoft.public.windows.server.migration

"not allow me logon to domain." I suspect you are still unable to join the
client into the domain, right?
Yes

1. Can you ping the DC by IP & Netbios & FQDN?
Yes, I did ping 192.168.1.32, ping dc2 and ping dc2.int.abc.com. All work

2. Did you set the DNS settings on the client properly?
Yes, all workstations get those settings from the same DHCP server, which is
hosted on DC2. I double-checked the DNS and WINS settings; all are correct and
the same as the others.

3. Check the PDC's event log, can you see any error ?
Used DCDIAG -v to test, got the following error
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 07/01/2006 17:15:43
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C4
Time Generated: 07/01/2006 18:15:42
(Event String could not be retrieved)
......................... DC2 failed test frsevent
************This error I believe I have fixed by repadmin /forestprep and
repadmin /domainprep. Because after running those 2 commands, it said all
updated.

======================================================================
Starting test: kccevent
* The KCC Event log test
An Warning Event occured. EventID: 0x8000059B
Time Generated: 07/01/2006 18:11:38
Event String: The Knowledge Consistency Checker (KCC)
encountered an unexpected error while performing
an Active Directory operation.

Operation type:
KccAddEntry
Object distinguished name:
CN=bf624d1e-5126-4c28-9486-ad8806b83276,CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=int,DC=abc,DC=com


The operation will be retried at the next KCC
interval.

Additional Data
Error value:
5
0000200E: SvcErr: DSID-020C014B, problem 5001 (BUSY), data -1102


Internal ID:
f02030f
An Error Event occured. EventID: 0xC000046B
Time Generated: 07/01/2006 18:11:38
Event String: The Knowledge Consistency Checker (KCC)
encountered an error while adding a Connection
object from the following source domain
controller to the following destination domain
controller.

Source domain controller:
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=int,DC=abc,DC=com

Destination domain controller:
CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=int,DC=abc,DC=com


Additional Data
Creation Point Internal ID:
f0a025d
......................... DC2 failed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40011006
Time Generated: 07/01/2006 18:13:55
Event String: The connection was aborted by the remote WINS.
Remote WINS may not be configured to replicate
with the server.
......................... DC2 failed test systemlog

********I think this is related to the fact that I cannot seize Global Catalog.
==============================================================

Event ID 1655 Active Directory attempted to communicate with the following
global catalog and the attempts were unsuccessful.

Global catalog:
\\tempBDC.int.abc.com

The operation in progress might be unable to continue. Active Directory will
use the domain controller locator to try to find an available global catalog
server.

Additional Data
Error value:
1722 The RPC server is unavailable.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

******I think this is also related to the Global Catalog issue

4. Rename the client and join into domain to see if it works.
I did not try to do this one.


"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:JdOnZnnnGHA.4188@xxxxxxxxxxxxxxxxxxxxxxxx
Hi,

"not allow me logon to domain." I suspect you are still unable to join the
client into the domain, right?

Let me consider following things:

1. Can you ping the DC by IP & Netbios & FQDN?
2. Did you set the DNS settings on the client properly?
3. Check the PDC's event log, can you see any error ?
4. Rename the client and join into domain to see if it works.

Thanks.


Best regards,

Vincent Xu
Microsoft Online Partner Support




--------------------
From: "tony@i-cable" <tony@xxxxxxxxxxxx>
Subject: Re: NT4 -> Win2K3 question
Date: Mon, 3 Jul 2006 14:56:31 +0800

For the LMHOSTS, I followed MS advice and put the following 2 lines into the
LMHOSTS file and checked Enable LMHOSTS Lookup on the NT workstation.
192.168.1.32 #PRE #DOM:EPO
192.168.1.32 "EPO \0x1b" #PRE

I logged on locally and used nbtstat -c; it shows correctly. All <03>
<00><20>(1B) records show correctly, but it still does not allow me to log on
to the domain.

After that, based on http://support.microsoft.com/kb/323276, I checked RSoP's
Resultant Set of Policy (Logging); it showed Access Denied after I filled in
that computer name.

Then I opened Active Directory Users and Computers on DC2 -> selected that
PC's name -> Manage. When I clicked Device Manager, it said Access denied. It
also has a circle-with-cross icon at User and Group. I removed and then added
that computer into my DC again, but it still does not work.


"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:TGLEd9knGHA.4260@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Tony,

Glad to provide information. :)

Have a good day!


Best regards,

Vincent Xu
Microsoft Online Partner Support




--------------------
From: "tony@i-cable" <tony@xxxxxxxxxxxx>
Subject: Re: NT4 -> Win2K3 question
Date: Fri, 30 Jun 2006 18:39:01 +0800

In the lmhosts file, I only have "192.168.1.32 #PRE #DOM:EPO". I'm not
sure whether it is the reason or not, because I demoted all the DCs back to
member servers and turned the backup BDC back to normal. Thanks for your
information. Hope I can smoothly migrate to Windows 2003 next Sat.
Thanks for your help.


"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:Frt4FT0mGHA.5268@xxxxxxxxxxxxxxxxxxxxxxxx
Hi,

After you disjoin the domain, can you ping DC1 & DC2 by NetBIOS name & IP?
Please try to ping by both NetBIOS name & IP and let me know the results.

I suspect it can be a name resolution issue and I suggest you check the
lmhosts file. See the following articles:

180094 How to write an Lmhosts file for domain validation and other name
resolution issues
http://support.microsoft.com/default.aspx?scid=kb;EN-US;180094

314108 How to Write an LMHOSTS File for Domain Validation and Other Name
Resolution Issues
http://support.microsoft.com/default.aspx?scid=kb;EN-US;314108

BTW: I see another thread in this Migration queue and I suspect the two
threads are talking about the same issue. Therefore, I'd like to work with
you in this thread? Let me know if I'm wrong.

Thanks.


Best regards,

Vincent Xu
Microsoft Online Partner Support




--------------------
From: "tony@i-cable" <tony@xxxxxxxxxxxx>
Subject: Re: NT4 -> Win2K3 question
Date: Wed, 28 Jun 2006 16:30:36 +0800

3. For your description: Those 6 PCs *CAN* list DC1 & DC2 NetLogon or
Sysvol directory even I logon as domain Administrator. It said Access
denied. I'm confused. Please check the symptoms you listed and let me know
if there are any incorrect.

Sorry, typo error. It should be "Those 6 PCs *CANNOT* list DC1 & DC2
NetLogon or Sysvol directory even I logon as domain Administrator. It said
Access denied. I'm confused. Please check the symptoms you listed and let
me know if there are any incorrect."

5. Try to dis-join one client out of domain and rejoin it to see the
results.
Tried. One of the PCs dis-joined the domain (changed to join a workgroup,
named "WORKGROUP"), then I tried to re-join the domain. But it should cannot
find the domain.



"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:C$oyBqlmGHA.4528@xxxxxxxxxxxxxxxxxxxxxxxx
Hi,

I have the following suggestions:

1. Change the dynamic update to nonsecure & secure.

2. Verify if PDC emulator is working or you can install dsclient on the NT4
client.

http://support.microsoft.com/default.aspx?scid=kb;en-us;288358

3. For your description: Those 6 PCs *CAN* list DC1 & DC2 NetLogon or
Sysvol directory even I logon as domain Administrator. It said Access
denied. I'm confused. Please check the symptoms you listed and let me know
if there are any incorrect.

4. Try: ipconfig /flushdns
ipconfig /registerdns

5. Try to dis-join one client out of domain and rejoin it to see the
results.

thanks.



Best regards,

Vincent Xu
Microsoft Online Partner Support




--------------------
From: "tony@i-cable" <tony@xxxxxxxxxxxx>
Subject: NT4 -> Win2K3 question
Date: Tue, 27 Jun 2006 17:14:12 +0800

I failed in my last migration because some of the computers (Windows NT
Workstation w/ SP6) fail to access the Windows 2003 server. Do you have any
idea why? Thanks.

Background
==========
We have a total of 50 PCs; most of them are Windows NT Workstation and the
rest are Windows 2000 in the network. All of them get IP and TCP/IP settings
from the DC1 DHCP server.

We have 2 Win2003 Standard Edition DCs. DC1 has installed DNS integrated with
AD and secure DDNS, WINS and DHCP. DC2 has installed DNS integrated with AD
and secure DDNS, WINS and printer server.

We have 6 Windows NT Workstation PCs that have the problem.

Symptoms
=========
1. Those 6 PCs can get IP from DC1 DHCP server.

2. Those 6 PCs can logon to the domain.

3. Those 6 PCs can ping DC1 and DC2.

4. Those 6 PCs can list DC1 & DC2 NetLogon or Sysvol directory even I logon
as domain Administrator. It said Access denied.

5. Those 6 PCs do not run the logon script. I believe it is because those
PCs cannot access the DC1/DC2 NetLogon directory.

6. After changing to DNS integrated with AD and secure DDNS, only a few PCs'
names and IP addresses show in the zone under Forward Lookup Zone.






















