Shot in the dark, but can you reboot the 2K dc and try again/check for
errors?
On 6/20/06, Al Lilianstrom <[EMAIL PROTECTED]> wrote:
> Al Mulnick wrote:
> > I'm with joe on getting that network trace. I'm curious if
replication
> > has been working and if you made any adjustments for having a windows
> > 2000 dc in a W2K3 environment? Any other applications?
> >
>
> Replication is working - both AD and FRS. GPOs apply. Everything seems
> to work except for the ability to access the admin$ share on the w2k3
> DCs so that I can demote the machine cleanly and remove it from the
domain.
>
> The trace is in my message sent around 11:00am Central.
>
> No other apps running.
>
> >
> > On 6/20/06, *joe* < [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>>
> > wrote:
> >
> > What do you see in the network trace? Is it attempting the
> > connection? Is it
> > establishing the TCP/IP connection and then blowing out in the
NetBIOS
> > handshake? Does it get through the handshake and then fail?
> >
> >
> > --
> > O'Reilly Active Directory Third Edition -
> > http://www.joeware.net/win/ad3e.htm
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > <mailto:[EMAIL PROTECTED]>
> > [mailto: [EMAIL PROTECTED]
> > <mailto:[EMAIL PROTECTED]>] On
Behalf Of Al Lilianstrom
> > Sent: Tuesday, June 20, 2006 10:53 AM
> > To: ActiveDir@mail.activedir.org
<mailto:ActiveDir@mail.activedir.org>
> > Subject: Re: [ActiveDir] Problem removing last w2k DC from a w2k3
> > domain
> >
> > Al Mulnick wrote:
> > > Denying access? Hmm.... so logged on to the w2K machine you
can't
> > > access the admin$ share of either of the DC's right?
> >
> > Correct.
> >
> > I can access any member server admin$ share from the w2k
machine. I
can
> > access the w2k3 DC admin$ share from any other w2k3 machine in
the
> > domain.
> >
> > I just can't access the w2k3 DC admin$ share from the w2k DC.
> >
> > al
> >
> > >
> > > On 6/20/06, *Al Lilianstrom* < [EMAIL PROTECTED]
> > <mailto:[EMAIL PROTECTED]>
> > > <mailto:[EMAIL PROTECTED]
> > <mailto: [EMAIL PROTECTED]>>> wrote:
> > >
> > > Robert Rutherford wrote:
> > > > Hi,
> > > >
> > > > It does sound like our old pal DNS.
> > > >
> > > > If you run a dcdiag and netdiag, do they both run
clean?
> > If not
> > then
> > > > please post the results.
> > >
> > > Both clean. Every test I can think of comes up clean. The
> > only real
> > > symtom was in the orginal message - lack of admin
access to
> > the w2k3
> > DCs
> > > from the w2k DC. Checking the event log on the w2k3 DC
I see
the
> > > computer and user log in and out successfully. Just
something
> > denying
> > > access.
> > >
> > > > If all is clean and it's a test environment then
pull it
and
> > > clean it up
> > > > with ntdsutil et al.
> > >
> > > Sounds like a fun way to spend the morning. :-)
> > >
> > > al
> > >
> > > > If it's a new situation then just replicate and see
if you
> > still
> > have
> > > > the issue. I have always found a couple of hours helps
> > many ills.
> > > >
> > > > BR
> > > >
> > > > Rob
> > > >
> > > > Robert Rutherford
> > > > QuoStar Solutions Limited
> > > >
> > > > The Enterprise Pavilion
> > > > Fern Barrow
> > > > Wallisdown
> > > > Poole
> > > > Dorset
> > > > BH12 5HH
> > > > T: +44 (0) 8456 440
331
> > > > F: +44 (0) 8456 440 332
> > > > M: +44 (0) 7974 249 494
> > > > E: [EMAIL PROTECTED]
> > <mailto:[EMAIL PROTECTED]>
> > > <mailto: [EMAIL PROTECTED]
> > <mailto:[EMAIL PROTECTED]>>
> > > > W: www.quostar.com <http://www.quostar.com>
> > <http://www.quostar.com >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > <mailto: [EMAIL PROTECTED]>
> > > <mailto:[EMAIL PROTECTED]
> > <mailto: [EMAIL PROTECTED]>>
> > > >
[mailto:[EMAIL PROTECTED]
> > <mailto: [EMAIL PROTECTED]>
> > > <mailto:[EMAIL PROTECTED]
> > <mailto: [EMAIL PROTECTED]>>] On
Behalf Of Al
> > Lilianstrom
> > > > Sent: 19 June 2006 20:52
> > > > To: ActiveDir@mail.activedir.org
> > <mailto:ActiveDir@mail.activedir.org>
> > > <mailto: ActiveDir@mail.activedir.org
> > <mailto:ActiveDir@mail.activedir.org>>
> > > > Subject: [ActiveDir] Problem removing last w2k DC
from a
w2k3
> > domain
> > > >
> > > > I've in the process of upgrading my test domain (empty
> > root and 1
> > > child)
> > > >
> > > > to w2k3 R2 based DCs and (thanks to help from the
friendly
> > folks
> > > here)
> > > > am just about done. I have one last w2k dc left to
remove.
It
> > > doesn't
> > > > want to go peacefully.
> > > >
> > > > I moved the FSMO roles off and the next day tried to
> > dcpromo it
> > > down to
> > > > a simple server. I get
> > > >
> > > > Managing the network session with FBDC1.fnal.gov
> > <http://FBDC1.fnal.gov>
> > > < http://FBDC1.fnal.gov> failed
> > > >
> > > > "Access is denied. "
> > > > dcpromoui t:0x848
> > 00479 Exit State::GetFailureMessage The
> > > > operation failed because:
> > > >
> > > > Managing the network session with FBDC1.fnal.gov
> > < http://FBDC1.fnal.gov>
> > > <http://FBDC1.fnal.gov> failed
> > > >
> > > > A quick check shows that I can't get to the admin
shares
> > of my
> > > new w2k3
> > > > dc/FSMO role holder from the w2k dc. I can get to the
admin
> > > shares of
> > > > the other simple servers but not either of the 2 DCs.
Other
> > > systems can
> > > > access the admin shares via the domain admin account
I'm
> > using on
> > the
> > > > w2k DC.
> > > >
> > > > I've been searching and have found people having a
similar
> > > problem when
> > > > promoting a w2k machine to be a DC but not when
demoting.
I've
> > > tried a
> > > > number of the things that were suggested in those
articles
and
> > > they have
> > > >
> > > > had no affect.
> > > >
> > > > There is no firewall in the way. AD replication and FRS
work.
> > > >
> > > > Any ideas before I rip it out?
> > > >
> > > > al
> > > >
> --
>
> Al Lilianstrom
> CD/CSS/CSI
> [EMAIL PROTECTED]
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
>