| Author | Messages | |
darren
Posts:168
 | | 07/16/2008 7:43 PM |
| All-
Just had one of those "oh shi*" moments and am trying to figure out why. Yesterday I DCPromo'd a 2008 box that was a member server in my test domain. The domain now has a 2003 DC and a 2008 one. The 2003 box held all the FSMO roles. I transferred a couple of roles (RID & PDC) to the new 2008 box last night, primarily because the 2008 box is faster and, not unexpectedly, I do a lot of GP stuff against the PDC. Today I came in and discovered some weird behavior from my desktop client. I could not create GPOs (it was looking for the PDC and either not finding it or finding the 2008 box and not liking it) and if I did a "net view" to either DC, I got "access denied" messages. Once I transferred the two FSMO roles back to the 2003 box, everything immediately cleared up. Question is, why? What happened?
I'm not sure where to start looking for culprits.
Darren
| | | |
| danholme
Posts:134
 | | 07/16/2008 7:43 PM |
| Darren: this is definitely weird. As you surmise, this should not be happening.
I assume you did/saw all the normal steps:
Adprep
Add ADDS role
If you were a "normal" person I wouldn't even ask this since you promo'd the DC, but you might have used some of your super-brain voodoo magic and somehow worked around what we mere mortals go through...
FWIW NET VIEW is a terrible test. Does a share enumeration which, if the DC doesn't also have the File Services role, may produce un-useful results.
NETDOM QUERY FSMO is a much better test.
Would be an interesting test to move the FSMO back and try NETDOM QUERY FSMO from both the client and the 2003 box; and then to use ADUC Operations Master tab from all three... see if it's a directory service problem or something on the client.
"Duh" things, but just in case: check DNS & time.
I'd be happy to help you offline then we can post the results back to the list if you'd prefer. Feel free to call me also.
Dan
| | | |
| MThommes
Posts:76
 | | 07/16/2008 7:45 PM |
| 2008 server has a firewall (bi-directional, I believe) enabled by default, right? Could that be getting in your way? Just a thought.
Mike Thommes
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia Sent: Friday, June 06, 2008 4:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] strange behavior after transferring FSMO roles
OK. Good idea. Thanks joe. The weird part was that, sitting on the 2008 box, if I fired up ADUC, it told me that, of the two DCs, the 2008 one was "unavailable". Huh? Also, when I tried to logon to the console of the 2003 DC, it told me the domain was not available. Really weird.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Friday, June 06, 2008 1:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] strange behavior after transferring FSMO roles
Try connecting via IP to rule out Kerb items.
Next I would try a network trace to see when the access denied is coming in. Is it on the SMB handshake or ???
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |
| nicolasblank
Posts:14
 | | 07/16/2008 7:45 PM |
| Event logs not showing anything? Not on the client or any of the DCs?
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia Sent: 07 June 2008 12:41 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] strange behavior after transferring FSMO roles
The firewall is disabled, but it was a good thought Mike!
| | | |
| darren
Posts:168
 | | 07/16/2008 7:49 PM |
| Guido-
Hah. Sadly the cat is no longer in this world, so unless the puppy got particularly jumpy, I can *almost* guarantee it wasn't pet-related. In any case, after trading a few off list emails with Dan, I think I'm going to try to dcpromo back down and try the dcpromo again. It's the weirdest thing. Neither of the DCs are virtual - both physical boxes. AD replication is happening just fine. All the various tests one performs in this case show all is well, except that SYSVOL is not sharing on the new 2008 DC (nor is it replicating any data). I confirmed that the FSMOs had moved so that wasn't an issue. But the darn FRS thing just won't budge. And what's a GPO GUY to do without a SYSVOL share on the PDC emulator? Answer... nothing. I even tried some burflags D2 non-auth FRS action to no avail.
Sigh... sometimes technology is just too complicated for its own good.
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Grillenmeier, Guido Sent: Saturday, June 07, 2008 1:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] strange behavior after transferring FSMO roles
Darren - how about taking your cat off the keyboard so she can't hit the "undo" button. ;-)
I presume this is a virtual test/demo-environment you're talking about - could it be that for some reason you reverted to a previous version of the VMs? Those FSMOs don't move automatically. Were you even sure it moved successfully to 2008 in the first place?
/Guido
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia Sent: Saturday, June 07, 2008 12:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] strange behavior after transferring FSMO roles
Nope. Nothing useful.
| | | |
| gabriel/tfi
Posts:159
 | | 07/16/2008 8:01 PM |
| While reading this thread with big posters such as Darren, Guido, Joe and Dan. I thought: "Hey! Also they might have problems with AD, so... THEY ARE HUMANS!" LOL! - Gabriele.
| | | |
| darren
Posts:168
 | | 07/16/2008 8:01 PM |
| J. Well just to loop back around on this, turns out that my one and only DC (prior to the 2008 box) had journal wrap problems with FRS. So, once I solved that, life with the 2008 box appears to be good.
| | | |
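The SYSVOL and FRS checks this thread converges on, written as an added Windows PowerShell example that is not part of the original posts: it flags a DC that does not publish SYSVOL/NETLOGON, has `SysvolReady` unset, or has an open FRS journal wrap, which are the conditions to clear before moving the PDC emulator to it or promoting a new DC from it. The DC names and timestamps are constructed, the function names are hypothetical, and treating a 13568 with no later 13516 as an open journal wrap is a heuristic assumed here.

```powershell
# Added example (not from the thread). It evaluates values gathered per DC:
#   shares      : Get-WmiObject Win32_Share -ComputerName <dc> | ForEach-Object { $_.Name }
#   SysvolReady : reg query \\<dc>\HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters /v SysvolReady
#   FRS events  : Get-EventLog -LogName 'File Replication Service' -ComputerName <dc> -Newest 200
# NtFrs event 13568 = journal wrap error; 13516 = SYSVOL initialised and shared.

function Get-NewestEvent {
    param([object[]] $Events, [int] $Id)
    # Newest event with the given ID, or nothing if there is none.
    $Events | Where-Object { $_.EventID -eq $Id } |
        Sort-Object TimeGenerated | Select-Object -Last 1
}

function Test-SysvolReadiness {
    param(
        [string]   $DcName,
        [string[]] $ShareNames,     # share names published by the DC
        [int]      $SysvolReady,    # Netlogon\Parameters\SysvolReady value
        [object[]] $FrsEvents       # objects with EventID and TimeGenerated
    )

    $problems = @()

    # Group Policy and logon scripts need both shares on every DC.
    foreach ($required in 'SYSVOL', 'NETLOGON') {
        if ($ShareNames -notcontains $required) {
            $problems += "$required share is not published"
        }
    }

    if ($SysvolReady -ne 1) {
        $problems += "Netlogon SysvolReady is $SysvolReady (expected 1)"
    }

    $wrap   = Get-NewestEvent -Events $FrsEvents -Id 13568
    $shared = Get-NewestEvent -Events $FrsEvents -Id 13516

    # Heuristic (assumption of this example): a journal wrap is still open
    # when no 13516 has been logged after the newest 13568.
    if ($wrap -and (-not $shared -or $wrap.TimeGenerated -gt $shared.TimeGenerated)) {
        $problems += "FRS journal wrap (13568) at $($wrap.TimeGenerated) with no later 13516"
    }
    if (-not $shared) {
        $problems += 'No 13516 in the collected FRS events: SYSVOL initialisation not confirmed'
    }

    New-Object PSObject -Property @{
        Dc       = $DcName
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

function New-FrsEvent([int] $Id, [string] $When) {
    # Builds a stand-in for an event log entry (constructed test data only).
    New-Object PSObject -Property @{ EventID = $Id; TimeGenerated = [datetime] $When }
}

# Constructed sample data modelled on the thread. DC2003 and DC2008 are
# hypothetical names and all timestamps are invented.
$dc2003Events = @(
    (New-FrsEvent 13516 '2007-11-02T09:00:00'),
    (New-FrsEvent 13568 '2008-05-20T03:14:00')
)

$results = @(
    # Existing DC: shares look fine, but FRS is in journal wrap, so it cannot
    # source SYSVOL to a newly promoted DC.
    Test-SysvolReadiness -DcName 'DC2003' -ShareNames 'SYSVOL', 'NETLOGON', 'C$' `
        -SysvolReady 1 -FrsEvents $dc2003Events
    # New DC: never received SYSVOL, so it does not share it.
    Test-SysvolReadiness -DcName 'DC2008' -ShareNames 'ADMIN$', 'C$' `
        -SysvolReady 0 -FrsEvents @()
)

$results | ForEach-Object {
    '{0}: ready={1}' -f $_.Dc, $_.Ready
    $_.Problems | ForEach-Object { "  - $_" }
}
```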
| bsonposh
Posts:171
 | | 07/16/2008 8:03 PM |
| Don't want to know how you journal wrapped a single DC environment
| | | |
| sbradcpa
Posts:320
 | | 07/16/2008 8:03 PM |
| PG&E shut down the power breaker on the house, I didn't have a functional UPS, Dad didn't tell me he told them it was okay and the server was up and running at the time. That's how I journal wrapped a single DC environment. It can happen even in single DCs if you shut down AD in an ungraceful manner.
BTW the SBS migration best practices tool is recommended to be run before starting migration.
Prob wise to do likewise (run any of the corresponding BPA tools) before moving to 2k8.
http://www.microsoft.com/downloads/details.aspx?familyid=dbab201f-4bee-4943-ac22-e2ddbd258df3
http://www.microsoft.com/downloadS/details.aspx?FamilyID=47f11b02-8ee4-450b-bf13-880b91ba4566&displaylang=en
Brandon Shell wrote:
> Don't want to know how you journal wrapped a single DC environment
>
> On 6/9/08, Darren Mar-Elia <darren@sdmsoftware.com> wrote:
>> J. Well just to loop back around on this, turns out that my one and only DC
>> (prior to the 2008 box) had journal wrap problems with FRS. So, once I
>> solved that, life with the 2008 box appears to be good.
| | | |
| bdesmond
Posts:374
 | | 07/16/2008 8:52 PM |
| If you leave them powered off long enough this will happen too.
--brian
On Mon, Jun 9, 2008 at 6:03 PM, Brandon Shell <tshell@gmail.com> wrote:
> Don't want to know how you journal wrapped a single DC environment
>
> On 6/9/08, Darren Mar-Elia <darren@sdmsoftware.com> wrote:
> > J. Well just to loop back around on this, turns out that my one and only DC
> > (prior to the 2008 box) had journal wrap problems with FRS. So, once I
> > solved that, life with the 2008 box appears to be good.
-- Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
| | | |
| listmail
Posts:463
 | | 07/16/2008 8:52 PM |
| My goodness the number of issues I have caused with my AD test labs...
Some I have recovered from, some I have wiped and forgotten the existence of... It's all part of learning, if things work perfectly all the time, most people won't learn anything.
In fact one of the questions I ask when interviewing people is to describe some real bad issue they ran into and had to work through. Surprisingly a large number say, never had a big issue that I worked through, our stuff just worked.... That is kind of a flag to me in that I want admins who have had some form of bad thing happen and they have worked through it. Sort of a trial by fire. I consider myself a pretty good admin and I have had more fires I have worked through the last 10-15 years than I care to recall except when telling funny stories.
Many times I set up AD's specifically for the purpose of breaking them and seeing if I can recover. It is a good exercise and makes you more comfortable and knowledgeable when you hit it in "real life". You learn the most about the true implementation of things that way too I feel. You get past the propaganda and into the guts.
So in summary, I think any truly good AD Admin, or admin of anything really, has seen a lot of problems with their stuff and they worked through it, that is part of what made them good.
joe
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Monday, June 09, 2008 6:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] strange behavior after transferring FSMO roles
While reading this thread with big posters such as Darren, Guido, Joe and Dan. I thought: "Hey! Also they might have problems with AD, so. THEY ARE HUMANS!" LOL! - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia Sent: sabato 7 giugno 2008 23.10 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] strange behavior after transferring FSMO roles
Guido-
Hah. Sadly the cat is no longer in this world, so unless the puppy got particularly jumpy, I can *almost* guarantee it wasn't pet-related. In any case, after trading a few off list emails with Dan, I think I'm going to try to dcpromo back down and try the dcpromo again. It's the weirdest thing. Neither of the DCs are virtual - both physical boxes. AD replication is happening just fine. All the various tests one performs in this case show all is well, except that SYSVOL is not sharing on the new 2008 DC (nor is it replicating any data). I confirmed that the FSMOs had moved so that wasn't an issue. But the darn FRS thing just won't budge. And what's a GPO GUY to do without a SYSVOL share on the PDC emulator? Answer... nothing. I even tried some burflags D2 non-auth FRS action to no avail.
Sigh..sometimes technology is just too complicated for its own good.
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Grillenmeier, Guido Sent: Saturday, June 07, 2008 1:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] strange behavior after transferring FSMO roles
Darren - how about taking your cat off the keyboard so she can't hit the "undo" button. ;-)
I presume this is a virtual test/demo-environment you're talking about - could it be that for some reason you reverted to a previous version of the VMs? Those FSMOs don't move automatically. Were you even sure it moved successfully to 2008 in the first place?
/Guido
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia Sent: Saturday, June 07, 2008 12:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] strange behavior after transferring FSMO roles
Nope. Nothing useful.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Nicolas Blank Sent: Friday, June 06, 2008 3:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] strange behavior after transferring FSMO roles
Event logs not showing anything? Not on the client or any of the dc's ?
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia Sent: 07 June 2008 12:41 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] strange behavior after transferring FSMO roles
The firewall is disabled, but it was a good thought Mike!
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Thommes, Michael M. Sent: Friday, June 06, 2008 3:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] strange behavior after transferring FSMO roles
2008 server has a firewall (bi-directional, I believe) enabled by default, right? Could that be getting in your way? Just a thought.
Mike Thommes
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia Sent: Friday, June 06, 2008 4:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] strange behavior after transferring FSMO roles
OK. Good idea. Thanks joe. The weird part was that, sitting on the 2008 box, if I fired up ADUC, it told me that, of the two DCs, the 2008 one was "unavailable". Huh? Also, when I tried to logon to the console of the 2003 DC, it told me the domain was not available. Really weird.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Friday, June 06, 2008 1:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] strange behavior after transferring FSMO roles
Try connecting via IP to rule out Kerb items.
Next I would try a network trace to see when the access denied is coming in. Is it on the SMB handshake or ???
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia Sent: Friday, June 06, 2008 4:24 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] strange behavior after transferring FSMO roles
All-
Just had one of those "oh shi*" moments and am trying to figure out why. Yesterday I DCPromo'd a 2008 box that was a member server in my test domain. The domain now has a 2003 DC and a 2008 one. The 2003 box held all the FSMO roles. I transferred a couple of roles (RID & PDC) to the new 2008 box last night, primarily because the 2008 box is faster and, not unexpectedly, I do a lot of GP stuff against the PDC. Today I came in and discovered some weird behavior from my desktop client. I could not create GPOs (it was looking for the PDC and either not finding it or finding the 2008 box and not liking it) and if I did a "net view" to either DC, I got "access denied" messages. Once I transferred the two FSMO roles back to the 2003 box, everything immediately cleared up. Question is, why? What happened?
I'm not sure where to start looking for culprits.
Darren
| | | |
|
|