Problem adding 2nd domain controller.


Robert Zabaga

I've encountered problems with logging on to the domain
(from client PCs) after adding a 2nd Domain Controller to
the network.

On the 2nd DC, dcpromo ran fine - no errors. No
replication errors either. All looked fine during the
install & setup of this server.

But, users were reporting being unable to log in to the
domain. Users got a message saying the time was not
synchronized between the server and (I think) their PC.

As soon as I took the new DC off of the network,
everything worked just fine for all users. So I know the
new DC is the problem.

But, when I try to log on to my 2nd DC (unplugged from the
network now) I get a "time not synched between server and
client" error and I can't log in. So, I can't do any
troubleshooting on this 2nd DC, because I can't log in to
it! Recall, on a DC there are no local accounts.

So, I'm stuck for now. If you have any suggestions, please
send them.
-rob
 

Yor Suiris

During bootup hit F8 and select Directory Services Restore Mode. This uses
the Local Admin Account set up during DCpromo.
Once logged in you can set the time sync, etc.
 

Steve

Rob,
did you review the dcpromo log after the promotion?

A similar post was on the Win200Advance_Server newsgroup;
a KB article on what can cause it:
http://support.microsoft.com/?kbid=232386

Resources on time sync:
http://labmice.techtarget.com/windows2000/timesynch.htm

Here is also some advice from the thread from Bob Qin that may also help:

I recommend that you point all the DCs to themselves in the DNS settings
and point all the clients to the old DC as the DNS server. Please do not
point any server to the public DNS server.

Now refer to the following document to set the time service on DCs and
clients.

How to Configure an Authoritative Time Server in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;216734

rgds

Steve
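For the two checks Steve's post recommends (each DC resolving through a DC rather than a public resolver, and the DC's clock within Kerberos' five-minute tolerance of the domain's authoritative time source), here is an added PowerShell script that is not part of the thread. It assumes a current Windows Server with the ActiveDirectory module and w32tm (the Windows 2000 era of the thread used net time instead), and the public-resolver list is a constructed sample.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread: verify DNS client settings and clock skew on a DC.
param(
    [string]$Reference = (Get-ADDomain).PDCEmulator,   # authoritative time source of the domain
    [int]$MaxSkewSeconds = 300                         # Kerberos default tolerance (5 minutes)
)

# 1. DNS client configuration: a DC should resolve through a DC, never a public resolver
$publicResolvers = @('8.8.8.8', '8.8.4.4', '1.1.1.1', '9.9.9.9')   # constructed sample list
$dcAddresses = (Get-ADDomainController -Filter *).IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        foreach ($srv in $_.ServerAddresses) {
            $status = if ($srv -in $publicResolvers) { 'PUBLIC RESOLVER (remove)' }
                      elseif ($srv -in $dcAddresses) { 'ok (domain controller)' }
                      else { 'not a DC (verify)' }
            '{0,-12} DNS {1,-16} {2}' -f $_.InterfaceAlias, $srv, $status
        }
    }

# 2. Clock skew against the reference DC, parsed from w32tm's stripchart data lines,
#    which look like "10:00:00, +00.0012345s" (an unreachable host yields "error:" lines)
$lines = w32tm /stripchart /computer:$Reference /samples:3 /dataonly 2>&1
$offsets = foreach ($l in $lines) {
    if ($l -match ',\s*([+-]\d+\.\d+)s') { [double]$matches[1] }
}
if (-not $offsets) { throw "Could not sample $Reference; check name resolution and UDP 123" }
$skew = [math]::Abs(($offsets | Measure-Object -Average).Average)
'Offset from {0}: {1:N3}s' -f $Reference, $skew
if ($skew -gt $MaxSkewSeconds) {
    Write-Warning "Skew exceeds $MaxSkewSeconds s: Kerberos logons will fail until the clock is corrected."
    # Remedy: make this DC follow the domain hierarchy, then force a resync:
    #   w32tm /config /syncfromflags:domhier /update
    #   w32tm /resync
}
```

Run it on the new DC while it is off the production network but able to reach the original DC; the DNS section flags the public-resolver misconfiguration Bob Qin warns about, and the skew section shows whether the logon failures users saw are the Kerberos clock check.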
 

Robert Zabaga

Steve -

I certainly appreciate that you took the time to reply.
I'm leaning toward my problem being a "rights issue" of
some sort.

I did look at the dcpromo log but didn't see any
smoking gun. It's a large file and not easy to interpret.
I looked for "error" for instance. The only hint that
maybe it missed something is where it says "updated abc
number of objects out of xyz"... so, updated 1250 out of
3000 for instance. It never said, "updated 3000 out of
3000" which would certainly make me feel better. But still
no "error" listed.

In my environment, I have 1 DC and a handful of servers
plus 100 clients. I never had any time issues until I ran
DCPROMO on the new server. My only (original) DC runs DNS
server, DHCP server, WINS. I don't have any of those
services on the 2nd DC I added. I just wanted to spread AD
across 2 machines.

If I put my 2nd DC on the network, it's gonna bring
people's PCs down (new logins, that is). So, I have to
troubleshoot my new DC offline.

-z-
 

Steve

Rob,
totally appreciate not bringing it live on the network if it is going to
stop logins.

Yeah, big log file; searching for "warning" or "error" can help parse the file to
highlight issues.

Have you tried DSR mode login to check the time is in sync on the server
with your other DC, as Yor Suiris suggests? PS: the SAM accounts are still
there; you just don't know it, they're well hidden.

If you boot this way the DC is prepared for an Active Directory Restore;
during this mode it would not advertise itself as available for login
request processing. See below.

Quote from O'Reilly on DSR:
Despite the fact that Active Directory is a core part of Windows 2000, it's
really just a big database and some associated services and interfaces that
allow you, and some system components, to modify, query, add, or remove
directory data. That's actually good news. In Windows NT, if the domain SAM
database were damaged, you couldn't boot the affected server, and you'd have
to restore it pretty much from the beginning. In Windows 2000, you can use a
special boot mode called Directory Services Restore (DSR) mode. You boot
into DSR mode by pressing F8 during the boot process. When you do, it's
essentially like booting a Unix machine into single-user mode: The system
starts normally, but the directory services don't start. This allows you to
restore the directory databases, services, and configuration from a backup
and restart those services only when you're ready.

However, when you boot into DSR mode you still have to log on. Since Active
Directory isn't available, the credentials you provide are validated against
the same type of SAM database used in Windows NT, and that means there's
still a SAM database on disk. This proto-SAM is built when you migrate an
existing Windows NT domain to Windows 2000, or when you create a new Windows
2000 domain. It contains credentials for the administrator account used to
log on in DSR mode as well as for some built-in users and groups, which are
required for the system to boot into DSR mode.

Have a check and post back

good luck

Steve
