Al,

Thank you for your input on this matter. I did not haul off and implement. I
further researched, called Microsoft and spoke to several others. They all
said to try alternative ways before trying this and then use it in a test
environment first.

Well, I had tried everything that Microsoft had told me, seriously
considered Za's suggestion and looked at all other sites etc that anyone
referred me to and came up empty.

I then used the utility on our live environment - not the smartest move I
know but it was the only one I had left. All went fine with using the
utility and accessing Group Policy.

Unfortunately - numerous other problems occurred with our Exchange 5.5 (due
to the migration not yet complete), tape backup software lost privileges and
some services would not start on both the current and only DC and services
would not start for Exchange 5.5.

I had to change several permissions within Group Policy to allow the Admin
Account and other Accounts to have access to certain policy / security
settings. After a few hours of working on this the network was fully
functional again - I tried another dcpromo and received a different error
but that is a post for another time.

This was just to say thank you and explain the problems I ran into when
resetting the Group Policy.

Rodney

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, 14 October 2004 11:08 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Unable to Promote a 2nd DC or Access Group Policy
on existing DC

As you were reading this, did you check the dcpromo log on the failed
promotion?
Are you trying to use the same domain controller name when you promote it?  

Are all of these domains in the same forest?  If so, how are the FRS logs?
Any errors?

Al

P.S. GPRESULT.EXE from the reskit will tell you some information of value
about the applied policies.  Also, have a look at this for some other things
to check http://support.microsoft.com/?kbid=830062

I don't think I'd haul off and just implement this, but it's something to
consider.  You'll want to test this stuff out before implementing it I'm
sure.  You may also do well to call Microsoft support and have a more
in-depth look of your environment done. 




 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner
Sent: Wednesday, October 13, 2004 10:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Unable to Promote a 2nd DC or Access Group Policy
on existing DC

Al,

I understand the article to a degree. I understand that I am in over my head
here.

I understand it but just do not seem to be able to get it to work.


********* From the article *************

To fix the problem:

Make sure that existing domain controllers have applied security policy and
that the Enable computer and user accounts to be trusted for delegation
user right has been granted to the Administrators group (Default Domain
Controller Policy / Computer Configuration / Windows Settings / Security
Settings / Local Policies).

If a domain controller does not have this right, confirm that GPOs have
replicated, and then manually apply the policy by typing the following
command:

secedit /refreshpolicy machine_policy

NOTE: If the Application event log contains:

Event ID 1704: Security Policy in the Group policy objects are applied
successfully. the GPOs have been applied.

If you're in a hurry, stop the Netlogon service on the source domain
controller that doesn't have this right, to discover another DC that does.

************************************

How do you check what it states to do in the first paragraph of "To fix the
problem:"?

I do not believe that I can get the second part to work as I do not believe
that I can replicate as there is only 1 DC so to speak. Yes, there are other
BDCs but they are all WinNT 4.0.

Anyway, I tried the "secedit /refreshpolicy machine_policy" and it stated in
the DOS Screen to check the app log for any errors etc. Nothing appeared in
the apps event log so far and it has been about an hour so I assume that it
did not work.

Any further help would be appreciated, Al.

Rodney



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, 13 October 2004 11:08 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Unable to Promote a 2nd DC or Access Group Policy
on existing DC

Yep, it's very likely that the two are related.  
(here's a good reference of what's happening when and why I say the two are
related: http://www.jsiinc.com/SUBG/TIP3000/rh3034.htm)

You need to start by fixing the default policy issues.  Deleting the default
policy is not necessarily what you want to do, but rather it's the file
system you are working on.  Re-read that article and see if it makes better
sense today. If not, let us know.

Meanwhile, is this a single domain environment?

Al
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner
Sent: Wednesday, October 13, 2004 3:22 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Unable to Promote a 2nd DC or Access Group Policy on
existing DC

Well, I am hoping someone will be able to help me. I cannot dcpromo another
Win2000 Server on my network.
 
I was originally able to do this but then active directory corrupted on the
2nd DC. This was then forced removed from being a DC. I used KB332199 and
KB216498 to do this.
 
I have since tried doing a dcpromo to create another DC but receive the
following error at the end of the wizard when it states "The wizard is
configuring Active Directory. This process can take several minutes......":-
 
The operation failed because: Failed to modify the necessary properties for
the machine account VLSSYDSHR1$ "Access is denied"
 
This happens on ANY Win2000 machine that I try to promote with the only
difference being the account name.
 
Second to this the Group Policy cannot be accessed. Every time I try to
edit it on the only DC I receive the following error:-
 
Failed to open the Group Policy Object. You may not have the appropriate
rights.
 
Details:
The system can not find the path specified
 
I have referred to KB253268 for this problem.
 
I can see the {GUID} but do not really know what I am looking at.
 
Is there a way of deleting the existing Default Group Policy and creating a
new one?
 
I have screen dumps of anything that may be required. Any help that can be
given would be very much appreciated. I am not sure if the two problems I am
having are related to one another or not.
 
Rodney
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
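
Added example, not part of the thread: one way to check the first step of the quoted article, namely whether a policy's security template grants the "Enable computer and user accounts to be trusted for delegation" right (`SeEnableDelegationPrivilege`) to Administrators. It assumes the template is the policy's `GptTmpl.inf` file in SYSVOL; the function names and the sample template text are constructed for illustration.

```python
# Added example (not from the thread): check a GptTmpl.inf security template
# for the delegation user right named in the quoted article.
import re

ADMINISTRATORS_SID = "S-1-5-32-544"               # well-known BUILTIN\Administrators SID
DELEGATION_RIGHT = "SeEnableDelegationPrivilege"  # "...trusted for delegation" right
ADMIN_NAMES = {"administrators", "builtin\\administrators"}

def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def right_granted_to_admins(inf_text, right=DELEGATION_RIGHT):
    """True if the right lists Administrators by SID (*S-1-5-32-544) or by name."""
    for name, principals in parse_privilege_rights(inf_text).items():
        if name.lower() == right.lower():
            return any(p.lstrip("*").upper() == ADMINISTRATORS_SID
                       or p.lower() in ADMIN_NAMES for p in principals)
    return False                                  # right not defined in the template

# Constructed sample templates (not taken from any real domain controller).
GOOD_TEMPLATE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeEnableDelegationPrivilege = *S-1-5-32-544
[Version]
Revision=1
"""
BROKEN_TEMPLATE = GOOD_TEMPLATE.replace(
    "SeEnableDelegationPrivilege = *S-1-5-32-544", "SeEnableDelegationPrivilege =")

if __name__ == "__main__":
    for label, text in (("good", GOOD_TEMPLATE), ("broken", BROKEN_TEMPLATE)):
        print(label, "->", right_granted_to_admins(text))
```

A real `GptTmpl.inf` is commonly stored as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in.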