I'm with joe on getting that network trace. I'm curious if replication has been working and if you made any adjustments for having a windows 2000 dc in a W2K3 environment? Any other applications?
On 6/20/06, joe <[EMAIL PROTECTED]> wrote:
What do you see in the network trace? Is it attempting the connection? Is it
establishing the TCP/IP connection and then blowing out in the NetBIOS
handshake? Does it get through the handshake and then fail?
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] ] On Behalf Of Al Lilianstrom
Sent: Tuesday, June 20, 2006 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
Al Mulnick wrote:
> Denying access? Hmm.... so logged on to the w2K machine you can't
> access the admin$ share of either of the DC's right?
Correct.
I can access any member server admin$ share from the w2k machine. I can
access the w2k3 DC admin$ share from any other w2k3 machine in the domain.
I just can't access the w2k3 DC admin$ share from the w2k DC.
al
>
> On 6/20/06, *Al Lilianstrom* < [EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>> wrote:
>
> Robert Rutherford wrote:
> > Hi,
> >
> > It does sound like our old pal DNS.
> >
> > If you run a dcdiag and netdiag, do they both run clean? If not
then
> > please post the results.
>
> Both clean. Every test I can think of comes up clean. The only real
> symtom was in the orginal message - lack of admin access to the w2k3
DCs
> from the w2k DC. Checking the event log on the w2k3 DC I see the
> computer and user log in and out successfully. Just something denying
> access.
>
> > If all is clean and it's a test environment then pull it and
> clean it up
> > with ntdsutil et al.
>
> Sounds like a fun way to spend the morning. :-)
>
> al
>
> > If it's a new situation then just replicate and see if you still
have
> > the issue. I have always found a couple of hours helps many ills.
> >
> > BR
> >
> > Rob
> >
> > Robert Rutherford
> > QuoStar Solutions Limited
> >
> > The Enterprise Pavilion
> > Fern Barrow
> > Wallisdown
> > Poole
> > Dorset
> > BH12 5HH
> > T: +44 (0) 8456 440 331
> > F: +44 (0) 8456 440 332
> > M: +44 (0) 7974 249 494
> > E: [EMAIL PROTECTED]
> <mailto: [EMAIL PROTECTED]>
> > W: www.quostar.com <http://www.quostar.com>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED] >
> > [mailto:[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED] >] On Behalf Of Al
Lilianstrom
> > Sent: 19 June 2006 20:52
> > To: ActiveDir@mail.activedir.org
> <mailto: ActiveDir@mail.activedir.org>
> > Subject: [ActiveDir] Problem removing last w2k DC from a w2k3
domain
> >
> > I've in the process of upgrading my test domain (empty root and 1
> child)
> >
> > to w2k3 R2 based DCs and (thanks to help from the friendly folks
> here)
> > am just about done. I have one last w2k dc left to remove. It
> doesn't
> > want to go peacefully.
> >
> > I moved the FSMO roles off and the next day tried to dcpromo it
> down to
> > a simple server. I get
> >
> > Managing the network session with FBDC1.fnal.gov
> <http://FBDC1.fnal.gov> failed
> >
> > "Access is denied. "
> > dcpromoui t:0x848 00479 Exit State::GetFailureMessage The
> > operation failed because:
> >
> > Managing the network session with FBDC1.fnal.gov
> <http://FBDC1.fnal.gov> failed
> >
> > A quick check shows that I can't get to the admin shares of my
> new w2k3
> > dc/FSMO role holder from the w2k dc. I can get to the admin
> shares of
> > the other simple servers but not either of the 2 DCs. Other
> systems can
> > access the admin shares via the domain admin account I'm using on
the
> > w2k DC.
> >
> > I've been searching and have found people having a similar
> problem when
> > promoting a w2k machine to be a DC but not when demoting. I've
> tried a
> > number of the things that were suggested in those articles and
> they have
> >
> > had no affect.
> >
> > There is no firewall in the way. AD replication and FRS work.
> >
> > Any ideas before I rip it out?
> >
> > al
> >
>
> --
>
> Al Lilianstrom
> CD/CSS/CSI
> [EMAIL PROTECTED] <mailto: [EMAIL PROTECTED]>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
> <http://www.activedir.org/ml/threads.aspx >
>
>
--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx