Upgrade AD issues

Rob Livermore

I figure it's best if you have the "full-scope" of the
issue than to only give bits and pieces here and there.
With that being said...

I upgraded company xyz over the weekend from NT 4.0 Domain
to W2K Domain.

NT 4.0 Domain structure
Server A - PDC - OS NT 4.0
Server B - member server - OS W2K
Server C - BDC (demoted from PDC prior to upgrade)

W2K Domain structure
Server A - FSMO
Server B - DC (via dcpromo)

When I attempted to dcpromo Server B after upgrading
Server A, I ran into errors - it would not allow the promo.
The problem was caused by the domain name not being changed
from xyz to xyz.com prior to running the upgrade. Found an MS
KB article that gave a Registry hack to fix the issue.

Problem now is - I can not manually synchronize the DC
with Server A (via AD sites and services) - receive
error: "Access is Denied". I can however add a user
account on Server B and it will replicate to Server A.

Also of importance - on a client PC: if I attempt to add
a domain user via Control Panel, I receive the following
error: Trust relationship between the workstation and the
primary domain failed. The workaround is to add an LMHOSTS
file on the local PC and point it to ServerA.

On Server B event viewer reports:
Event ID: 16650 - SAM - allocator failed to initialize
properly.

Event ID: 5774 - NETLOGON - Registration of DNS
record '_kerberos_tcp.Default...dc_msdcs.twt.com
ServerB.xyz.com' failed. DNS operation refused.

I ran netdiag /test:dsgetdc and recv'd
sysvol has not completely replicated. Machine not working
as a DC.

ran dcdiag /test:replications and recv'd skipping all
tests because ServerB is not responding to DS requests.

DNS appears to be working fine. Since environment is
legacy - tested and confirmed WINS works.

I have researched/reviewed several articles regarding the
issues we are experiencing but am unable to really nail
down where the problem lies. All of the problems are
pointing to a DNS issue but I'm not able to determine
what/where is causing the issue. Servers and clients are
able to resolve both forward and reverse lookups.

Any insight you might be able to give is appreciated.
 
Rob

Ignore the following:
Event ID: 5774 - NETLOGON - Registration of DNS
record '_kerberos_tcp.Default...dc_msdcs.twt.com
ServerB.xyz.com' failed. DNS operation refused.

Found the problem - simply pointed the DC over to ServerA
(DNS server).

But I failed to mention this error:
Event ID: 1000 - USERENV - Windows cannot determine the
username or computer name. Return value (5)
 
Rob

Also ran dcdiag -v on ServerA all systems passed except
the following.

Event String: The File Replication Service is having trouble
enabling replication from ServerB to ServerA for
c:\winnt\sysvol\domain using the DNS name ServerB.xyz.com.
FRS will keep retrying.

Following are some of the reasons you would see this warning
[1] FRS can not correctly resolve the DNS name
ServerB.xyz.com from this computer.
[2] FRS is not running on zechariah.twt.com.
[3] The topology information in the Active Directory for this
replica has not yet replicated to all the Domain Controllers.
 
Rob

Broke down and called MS support. Here's the fix.

Opened local system policy on ServerA to "Authenticated
Users" and "Everyone" groups.

Go to:
-Active Directory Users and Computers
-Properties of Domain Controllers
-Group Policy tab
-Local Policy
-Windows Settings
-Security Settings
-Local Policies

Made adjustment here: "Access this computer from the
network"

All is well again. Most of the time it's the little
things that get overlooked - at least it's that way for me.

.
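Added example, not part of the original thread or of Microsoft's fix: a check for the "Access this computer from the network" right (`SeNetworkLogonRight`) that the last post adjusted. It assumes the user-rights policy has been exported with `secedit /export /cfg <file> /areas USER_RIGHTS` and read into a string; the function names and the sample INF text are constructed for illustration.

```python
import re

# Well-known SIDs for the two groups named in the post.
REQUIRED = {"*S-1-1-0": "Everyone", "*S-1-5-11": "Authenticated Users"}
RIGHT = "SeNetworkLogonRight"  # "Access this computer from the network"


def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and INF comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def missing_network_logon(inf_text):
    """Names of the required groups that do not hold SeNetworkLogonRight."""
    holders = parse_privilege_rights(inf_text).get(RIGHT, [])
    present = {h.lower() for h in holders}
    # An export may list a principal as *SID or as a plain name; accept either.
    return [name for sid, name in REQUIRED.items()
            if sid.lower() not in present and name.lower() not in present]


# Constructed sample exports (not taken from the thread).
BROKEN = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""
FIXED = BROKEN.replace("SeNetworkLogonRight = *S-1-5-32-544",
                       "SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544")

if __name__ == "__main__":
    for label, text in (("before", BROKEN), ("after", FIXED)):
        print(label, "missing:", missing_network_logon(text) or "none")
```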