Shot in the dark, but can you reboot the 2K dc and try again/check for errors?
On 6/20/06, Al Lilianstrom <[EMAIL PROTECTED]> wrote:
Al Mulnick wrote:
> I'm with joe on getting that network trace. I'm curious if replication
> has been working and if you made any adjustments for having a windows
> 2000 dc in a W2K3 environment? Any other applications?
>
Replication is working - both AD and FRS. GPOs apply. Everything seems
to work except for the ability to access the admin$ share on the w2k3
DCs so that I can demote the machine cleanly and remove it from the domain.
The trace is in my message sent around 11:00am Central.
No other apps running.
>
> On 6/20/06, *joe* < [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>
> wrote:
>
> What do you see in the network trace? Is it attempting the
> connection? Is it
> establishing the TCP/IP connection and then blowing out in the NetBIOS
> handshake? Does it get through the handshake and then fail?
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>
> [mailto: [EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>] On Behalf Of Al Lilianstrom
> Sent: Tuesday, June 20, 2006 10:53 AM
> To: [email protected] <mailto:[email protected]>
> Subject: Re: [ActiveDir] Problem removing last w2k DC from a w2k3
> domain
>
> Al Mulnick wrote:
> > Denying access? Hmm.... so logged on to the w2K machine you can't
> > access the admin$ share of either of the DC's right?
>
> Correct.
>
> I can access any member server admin$ share from the w2k machine. I can
> access the w2k3 DC admin$ share from any other w2k3 machine in the
> domain.
>
> I just can't access the w2k3 DC admin$ share from the w2k DC.
>
> al
>
> >
> > On 6/20/06, *Al Lilianstrom* < [EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>
> > <mailto:[EMAIL PROTECTED]
> <mailto: [EMAIL PROTECTED]>>> wrote:
> >
> > Robert Rutherford wrote:
> > > Hi,
> > >
> > > It does sound like our old pal DNS.
> > >
> > > If you run a dcdiag and netdiag, do they both run clean?
> If not
> then
> > > please post the results.
> >
> > Both clean. Every test I can think of comes up clean. The
> only real
> > symtom was in the orginal message - lack of admin access to
> the w2k3
> DCs
> > from the w2k DC. Checking the event log on the w2k3 DC I see the
> > computer and user log in and out successfully. Just something
> denying
> > access.
> >
> > > If all is clean and it's a test environment then pull it and
> > clean it up
> > > with ntdsutil et al.
> >
> > Sounds like a fun way to spend the morning. :-)
> >
> > al
> >
> > > If it's a new situation then just replicate and see if you
> still
> have
> > > the issue. I have always found a couple of hours helps
> many ills.
> > >
> > > BR
> > >
> > > Rob
> > >
> > > Robert Rutherford
> > > QuoStar Solutions Limited
> > >
> > > The Enterprise Pavilion
> > > Fern Barrow
> > > Wallisdown
> > > Poole
> > > Dorset
> > > BH12 5HH
> > > T: +44 (0) 8456 440 331
> > > F: +44 (0) 8456 440 332
> > > M: +44 (0) 7974 249 494
> > > E: [EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>
> > <mailto: [EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>>
> > > W: www.quostar.com <http://www.quostar.com>
> <http://www.quostar.com >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> <mailto: [EMAIL PROTECTED]>
> > <mailto:[EMAIL PROTECTED]
> <mailto: [EMAIL PROTECTED]>>
> > > [mailto:[EMAIL PROTECTED]
> <mailto: [EMAIL PROTECTED]>
> > <mailto:[EMAIL PROTECTED]
> <mailto: [EMAIL PROTECTED]>>] On Behalf Of Al
> Lilianstrom
> > > Sent: 19 June 2006 20:52
> > > To: [email protected]
> <mailto:[email protected]>
> > <mailto: [email protected]
> <mailto:[email protected]>>
> > > Subject: [ActiveDir] Problem removing last w2k DC from a w2k3
> domain
> > >
> > > I've in the process of upgrading my test domain (empty
> root and 1
> > child)
> > >
> > > to w2k3 R2 based DCs and (thanks to help from the friendly
> folks
> > here)
> > > am just about done. I have one last w2k dc left to remove. It
> > doesn't
> > > want to go peacefully.
> > >
> > > I moved the FSMO roles off and the next day tried to
> dcpromo it
> > down to
> > > a simple server. I get
> > >
> > > Managing the network session with FBDC1.fnal.gov
> <http://FBDC1.fnal.gov>
> > < http://FBDC1.fnal.gov> failed
> > >
> > > "Access is denied. "
> > > dcpromoui t:0x848
> 00479 Exit State::GetFailureMessage The
> > > operation failed because:
> > >
> > > Managing the network session with FBDC1.fnal.gov
> < http://FBDC1.fnal.gov>
> > <http://FBDC1.fnal.gov> failed
> > >
> > > A quick check shows that I can't get to the admin shares
> of my
> > new w2k3
> > > dc/FSMO role holder from the w2k dc. I can get to the admin
> > shares of
> > > the other simple servers but not either of the 2 DCs. Other
> > systems can
> > > access the admin shares via the domain admin account I'm
> using on
> the
> > > w2k DC.
> > >
> > > I've been searching and have found people having a similar
> > problem when
> > > promoting a w2k machine to be a DC but not when demoting. I've
> > tried a
> > > number of the things that were suggested in those articles and
> > they have
> > >
> > > had no affect.
> > >
> > > There is no firewall in the way. AD replication and FRS work.
> > >
> > > Any ideas before I rip it out?
> > >
> > > al
> > >
--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
