Try rerunning adprep /domainprep - looks like you have ACL problems which are 
preventing replication.


Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: Steven M. Caesare [mailto:scaes...@caesare.com]
Sent: Tuesday, March 24, 2009 12:56 PM
To: NT System Admin Issues
Subject: Win2K8 DC's not playing nice in Win2K3 domain

Trying to migrate a small domain to Win2K8 from Win2K3.  Added two new 2K8 
DC's to an existing 2K3 domain by doing the following:

-Forestprep'd from Win2K8 Server
-ADPrep'd
-Added DC role
-DCpromo'd up (installing DNS automagically), included GC option (but not RODC)
-Pointed all hosts in domain at these 2 new DNS servers.
-Transferred all FSMO roles to new DC
-Made sure everything was patched up

Did this on 2 machines (DC01 and DC02). No problems reported. However the 
funkiness now begins:


- Attempting to dcpromo old Win2K3 server down: DC believes he's the last DC 
in domain

- Exchange 2K3 (w/ latest SP/patches) doesn't want to automatically find new 
DC's in Directory Services

- No Netlogon or Sysvol shares on new DC's

Interesting (and perhaps even helpful) tidbits:


- DNS looks OK on all 3 hosts (A records for DC's, CNAMEs in _msdcs, correct 
SRV records in _sites, etc...)

- Sites & Svcs MMC shows new DC's as part of Default First Site. Also 
correctly ID's them as GC's

- Now all DC's pointing at DC01 for primary DNS and DC02 as secondary. Name 
resolution for all hosts works fine

- The only interesting event log entries I can find are some 13508's in the 
FRS app log which state (these entries exist for all 3 DC's, and I suspect 
the lack of a sysvol share might indeed make this problematic):

  - "The File Replication Service is having trouble enabling replication from 
    DC02 to DC01 for c:\windows\sysvol\domain using the DNS name 
    dc02.caesare.com. FRS will keep retrying.
    Following are some of the reasons you would see this warning.
    [1] FRS can not correctly resolve the DNS name dc02.caesare.com from this 
    computer.
    [2] FRS is not running on dc02.caesare.com.
    [3] The topology information in the Active Directory Domain Services for 
    this replica has not yet replicated to all the Domain Controllers.
    This event log message will appear once per connection. After the problem 
    is fixed you will see another event log message indicating that the 
    connection has been established."

- Netdiag has a few interesting things to say, such as:

  - "Warning: DsGetDcName returned information for \\rosalyn.caesare.com, 
    when we were trying to reach DC01. SERVER IS NOT RESPONDING or IS NOT 
    CONSIDERED SUITABLE."

  - "Starting test: FrsEvent There are warning or error events within the 
    last 24 hours after the SYSVOL has been shared. Failing SYSVOL 
    replication problems may cause Group Policy problems."

  - Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
      Replicating Directory Changes In Filtered Set
    access rights for the naming context:
      DC=ForestDnsZones,DC=caesare,DC=com
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
      Replicating Directory Changes In Filtered Set
    access rights for the naming context:
      DC=DomainDnsZones,DC=caesare,DC=com
    ......................... DC01 failed test NCSecDesc

- DC01 and DC02 both show up as DC's in the Domain Controllers container in 
ADUC.

Soo... any thoughts as to where I should begin banging my head next? Googling 
on the dcdiag error text hasn't turned up much applicable thus far... most 
articles seem to want to talk about slow link environments (which I do not 
have).
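The NCSecDesc failure quoted above is a missing ACE: the two DNS application partitions should grant NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS the "Replicating Directory Changes In Filtered Set" control access right, and without it the new DCs cannot pull those partitions. The script below is an added, read-only check written for this thread (it is not code from either poster); it assumes the RSAT ActiveDirectory module is installed, that the caller can read the partition ACLs, and it uses the well-known rightsGuid of that control access right rather than matching on its display name. It builds the partition DNs from the forest and domain roots, so on the domain in the thread it would inspect DC=ForestDnsZones,DC=caesare,DC=com and DC=DomainDnsZones,DC=caesare,DC=com.

```powershell
# Added example (not from the thread): does each DNS application partition
# grant ENTERPRISE DOMAIN CONTROLLERS the filtered-set replication right that
# dcdiag's NCSecDesc test reported as missing? Read-only; changes nothing.
# Assumes the RSAT ActiveDirectory module (and its AD: drive) is available.
Import-Module ActiveDirectory

# Well-known rightsGuid of the control access right
# "Replicating Directory Changes In Filtered Set"
# (schema name DS-Replication-Get-Changes-In-Filtered-Set).
$FilteredSetRightGuid = [guid]'89e95b76-444d-4c62-991a-0facbeda640c'
$EnterpriseDcs        = 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
$EnterpriseDcsSid     = 'S-1-5-9'   # same principal if the name does not translate

function Test-FilteredSetRight {
    <#
      Returns an object stating whether the naming context's ACL contains an
      Allow ACE for ENTERPRISE DOMAIN CONTROLLERS whose ObjectType is the
      filtered-set replication extended right.
    #>
    param([Parameter(Mandatory)][string]$NamingContext)

    $acl = Get-Acl -Path ("AD:\" + $NamingContext)
    $ace = $acl.Access | Where-Object {
        ($_.IdentityReference.Value -eq $EnterpriseDcs -or
         $_.IdentityReference.Value -eq $EnterpriseDcsSid) -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $FilteredSetRightGuid
    }

    [pscustomobject]@{
        NamingContext       = $NamingContext
        HasFilteredSetRight = [bool]$ace
    }
}

# Derive the partition DNs from the forest root and the current domain instead
# of hard-coding them.
$rootDse    = Get-ADRootDSE
$partitions = @(
    "DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)",
    "DC=DomainDnsZones,$($rootDse.defaultNamingContext)"
)

$results = foreach ($nc in $partitions) { Test-FilteredSetRight -NamingContext $nc }
$results | Format-Table -AutoSize

# A False row is the condition behind "failed test NCSecDesc". The reply at
# the top of the thread names the remedy: re-run adprep /domainprep, which
# re-applies the default security descriptor on these partitions.
if ($results | Where-Object { -not $_.HasFilteredSetRight }) { exit 1 }
```

Run it on one of the new DCs after the adprep re-run as well: both rows should read True, and dcdiag /test:NCSecDesc should then pass, after which the new DCs can complete initial replication of the DNS partitions and the SYSVOL/Netlogon shares can come up once FRS finishes its own initial sync.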
