dsmod returns 0x80005000

Tom Penharston

My domain is 2000 native, but I'm considering promoting it to 2003
native. Over the last few days I transferred all five FSMO roles from
2000 to 2003. Additionally, I selected Global Catalog Server on the
2003 DC, so by this point, I should have two Global Catalogs: the
original on the 2000 DC and a second one on the 2003 DC.

I had some minor errors in my error logs, but nothing too problematic.
When I attempted to transfer the schema master role as administrator I
was denied access and errors were generated; however, I logged in as
Enterprise Admin and transferred without errors. Other errors in my
logs include DCOM 10009 errors going back a couple of months, by most
accounts these errors are related to shared printers, annoying, but not
serious. I've also seen W32Time errors during failure to synchronize,
the last one was three days ago, but lately it seems fine. In short, I
haven't seen a real strong error message to indicate that my directory
is having problems after the FSMO transfers.

Unfortunately, I have dsmod scripts that no longer run. The following
worked for several months, but now generates errors:

dsmod computer .... -reset

error code 0x80005000

I've researched this error code, but most accounts are MSDN
information, in a programming context. I haven't found info in the
context of dsmod. (The difference may be moot, but I'm still looking.)

Clearly, there is something wrong with my directory, I just can't
figure it out. When I run ntdsutil everything checks out correctly.
Please advise!
-Tom
 
Kidem

Not sure if this applies to you, but this is what I found for that code:


0x80005000 ("The specified directory service attribute or value does not
exist").
 
Paul Williams [MVP]

Please post the DSMOD syntax. I have a vague recollection that that error
is bad DN, or something similar, but can't clarify at this point.
 
Tom Penharston

Yes, that was a syntax error, my nested OUs were scripted in the wrong
order. During this testing I got another error: "No Superior Reference
has been configured for the directory service. The directory service
is therefore unable to issue referrals to objects outside this forest."
That also seems to be syntax.

Is DSMOD case sensitive?
 
Paul Williams [MVP]

"Is DSMOD case sensitive?"

No. Although you should consider case when dealing with proxyAddresses.

"No Superior Reference has been configured for the directory service. The
directory service is therefore unable to issue referrals to objects
outside this forest."

You're submitting an incorrect DN. You can send a DN for any domain in your
forest to any DC and it will generate an LDAP referral as it has knowledge
of all other domains in the forest (because of cross reference objects).
You can also add external references and achieve the same behaviour for LDAP
partitions outside of your forest (by adding new crossRef objects).
However, anything else will generate an error such as no referral, invalid
syntax, etc.
 
Tom Penharston

True, but here's the short answer:

"0x80005000" occurs when there are undesirable space(s) in the command,
eliminate all spaces between CN,OU,OU,DN,DN

"a referral was returned from the server" occurs with incorrect DN

"Directory object not found" occurs with incorrect OU

The only error I couldn't recreate was "No Superior Reference"
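
One way to keep both mistakes reported above (stray spaces and nested OUs in the wrong order) out of a reset script is to assemble the DN from its parts instead of typing it. The PowerShell below is an added example, not part of the thread; the function name, computer name, OU names and domain are constructed.

```powershell
# Added example; function name and all sample values are constructed.
function New-ComputerDn {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # OU names as they nest in the console tree, top-level OU first.
        [Parameter(Mandatory)][string[]]$OuPath,
        [Parameter(Mandatory)][string]$DnsDomain
    )

    # Characters that need escaping inside a DN value; a reset script is
    # safer refusing them than trying to quote them for the command line.
    $special = '[,\\#+<>;"=]'
    foreach ($name in @($ComputerName) + $OuPath) {
        if ($name -eq '' -or $name -ne $name.Trim() -or $name -match $special) {
            throw "Bad name component '$name' (empty, padded, or DN special character)"
        }
    }

    $labels = $DnsDomain.Split('.')
    foreach ($label in $labels) {
        if ($label -notmatch '^[A-Za-z0-9-]+$') {
            throw "Bad DNS domain '$DnsDomain'"
        }
    }

    # A DN runs from the object outward: leaf CN, then the innermost OU,
    # out to the top-level OU, then the domain components.
    $parts  = @("CN=$ComputerName")
    $parts += $OuPath[($OuPath.Count - 1)..0] | ForEach-Object { "OU=$_" }
    $parts += $labels | ForEach-Object { "DC=$_" }

    # Joined with bare commas: no whitespace next to any separator.
    return ($parts -join ',')
}

# Constructed sample: computer LAB-PC01 in OU "Lab" under OU "Workstations".
$dn = New-ComputerDn -ComputerName 'LAB-PC01' -OuPath 'Workstations', 'Lab' -DnsDomain 'corp.example.com'

# Print the command for review instead of running it; the DN is quoted so an
# OU name containing a space still reaches dsmod as one argument.
'dsmod computer "{0}" -reset' -f $dn
```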
 
Paul Williams [MVP]

You'll probably get that if you have a root DC of DC=root, DC=domain-name,
DC=com and you ask it for DC=domain-name, DC=com.
 
Tom Penharston

Now, I'm getting a Kerberos error in my DC system log for the machines
that were reset from my test script. The machines got the dsmod -reset
several times during testing. No other parameters of dsmod were used.
No additional commands were used.

http://www.eventid.net/display.asp?eventid=4&source=Kerberos

"The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server <computer name>$. This indicates that the password used to
encrypt the kerberos service ticket is different than that on the
target server. Commonly, this is due to identically named machine
accounts in the target realm (<domain name>), and the client realm.
Please contact your system administrator."

Normally, I run my reset script because I'm re-imaging the client. I
don't know the right way to fix the secure channel after an unnecessary
-reset.
-Tom
 
