Windows-Expert.com
challenge: XP cannot get to DC's shares
totoro (Guest)
Posted: Tue Nov 06, 2007 7:57 pm    Post subject: challenge: XP cannot get to DC's shares

Our environment: two ancient Win2K server Domain Controllers, very old, and a
mix of 2000 and 2003 servers. A few months back we added a new 2003 r2
server, and promoted it up to DC. We didn't add any other tasks to it
immediately but when we did, this is what we saw:

In essence the issue is this: Windows XP and 2000 computers denied access to
shared resources on this one 2003 DC computer. Other 2003 computers can
access it fully, regardless of the user account.

Example:
But when logged onto a XP workstation or a 2000 server, and trying to
navigate to the PFPDC server results in a “Connect to” prompt that will not
accept valid login info, be it “administrator” or any other.

But RDC connections work from XP workstations and 2000 servers.

Logging onto the 03 DC server via our 2003 Remote Access with a basic test
domain user account, browse manually through the network neighborhood to the
server, and see all of its shared printers and folders. It’s the same
experience logged on as admin from any 2003 server.



Firewall has been ruled out. AD seems to be working fine on the new DC, it's
listed with the old 2K's under domain controllers in AD. GPO generated on it runs
well across the network. But XP clients cannot navigate to its shared
resources.

What we do see is this when running dcdiag /e from the new 03 DC:
all tests pass on the new 03 DC except for this:
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 11/06/2007 14:15:09
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 11/06/2007 14:15:10
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 11/06/2007 14:15:10
(Event String could not be retrieved)

all tests pass on the old 2K dcs except this is on both:
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.

after rebooting the 03 dc this was in the event log:

Event Type: Information
Event Source: MSDTC
Event Category: SVC
Event ID: 4143
Date: 11/6/2007
Time: 3:08:52 AM
User: N/A
Computer: 03_DC
Description:
MS DTC has detected that a DC Promotion has happened since the last time the
MS DTC service was started.

evidently a reference to the promotion that took place weeks ago.

any help is deeply appreciated. Thanks.
Back to top
Ace Fekay [MVP] (Guest)
Posted: Wed Nov 07, 2007 4:28 am    Post subject: Re: challenge: XP cannot get to DC's shares

Your post kind of jumbles around a bit, missing key info (such as the
EventID #'s and Source), and I am having some difficulty getting a handle on
everything you are saying. Let's start with the MSDTC error. Is the Event ID
53258? If so, check this link out to fix it and look at David Grant's
section on how to fix it:
http://eventid.net/display.asp?eventid=53258&eventno=4493&source=MSDTC&phase=1

As for the replication errors, please state the EventIDs and Source.

Please provide an ipconfig /all (unedited please) of your domain controllers
and a sample client machine please.

Based on the following statement, what exact "tasks" did you add to this DC?
Quote:
A few months back we added a new 2003 r2 server, and promoted it up to DC.
We didn't add any other tasks to it immediately but when we did, this is
what we saw:

Did you run the R2 AD upgrade?
Did you make this R2 server the DNM, Schema Master and a GC?

You may have to disable SMB signing to allow communication, but let's
address the above first.

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Try using Outlook Express or any other newsreader, configure a news
account, and point it to news.microsoft.com. Anonymous access. It's
easy and it's free:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

"Life isn't like a box of chocolates or a bowl of cherries or
peaches... Life is more like a jar of jalapenos. What you do today
may burn your butt tomorrow." - Garfield
Back to top
totoro (Guest)
Posted: Wed Nov 07, 2007 1:55 pm    Post subject: Re: challenge: XP cannot get to DC's shares

"Ace Fekay [MVP]" wrote:

Quote:
Your post kind of jumbles around a bit, missing key info (such as the
EventID #'s and Source), and I am having some difficulty getting a handle on
everything you are saying.

Quote:
Let's start with the MSDTC error. Is the Event ID 53258?

yes also seeing in combination with events 4143, and 4193

Quote:
If so, check this link out to fix it and look at David Grant's
section on how to fix it:
http://eventid.net/display.asp?eventid=53258&eventno=4493&source=MSDTC&phase=1

As for the replication errors, please state the EventIDs and Source.

Please provide an ipconfig /all (unedited please) of your domain controllers
and a sample client machine please.

from the 2003 r2 machine with the problems:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator.PPG>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : D94C4BD1
Primary Dns Suffix . . . . . . . : pinfoodpro.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : pinfoodpro.com

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
Physical Address. . . . . . . . . : 00-19-B9-F7-9F-C8
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 1.1.1.236
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 1.1.1.101
DNS Servers . . . . . . . . . . . : 1.1.1.2
1.1.1.4
Primary WINS Server . . . . . . . : 1.1.1.4

from the old 2K DC
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator.PPG>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : pfpsvc
Primary DNS Suffix . . . . . . . : pinfoodpro.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : pinfoodpro.com

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . : pinfoodpro.com
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Server Adapter
Physical Address. . . . . . . . . : 00-0E-0C-77-5F-7E
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 1.1.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 1.1.1.101
DNS Servers . . . . . . . . . . . : 1.1.1.2
Primary WINS Server . . . . . . . : 1.1.1.4

C:\Documents and Settings\Administrator.PPG>


Quote:
Based on the following statement, what exact "tasks" did you add to this DC?

another admin did this, he said he ran the prep off the r2 CD-ROM

Quote:
Did you run the R2 AD upgrade?

Do you mean ADPREP? yes

Quote:
Did you make this R2 server the DNM,

do you mean DNS? No, what's DNM?

Schema Master? No, the old 2000 service is

and a GC? No, the 2000 servers both are

Quote:
You may have to disable SMB signing to allow communication, but let's
address the above first.

thank you Ace!
Back to top
totoro (Guest)
Posted: Wed Nov 07, 2007 8:20 pm    Post subject: Re: challenge: XP cannot get to DC's shares

"Ace Fekay [MVP]" wrote:

Quote:
Did you run the R2 AD upgrade?

not personally

Quote:
Did you make this R2 server the DNM, Schema Master and a GC?

not any of the 5 FSMO roles was transferred over. The system has been used
solely for editing GPO, and this is our first attempts to add to its duties
since it was deployed

I'd want to eventually though.

Quote:
You may have to disable SMB signing to allow communication...

I disabled on the server side using this (kb 887429) but have not rebooted
it, but it had no effect.
would you have used GPO to disable SMB? locally or network wide?

I appreciate your help. Thanks.
Back to top
Ace Fekay [MVP] (Guest)
Posted: Wed Nov 07, 2007 11:51 pm    Post subject: Re: challenge: XP cannot get to DC's shares

I'm somewhat surprised GPMC is functioning despite the errors you are
having. I would immediately move all roles to the new 2003 R2 server. There
are certain functions and features with R2 AD since the adprep was run, that
require the Schema Master to be on this machine. I would also move the
Domain Name Master (DNM) to this machine too, as well as all the others.
Since it will now be the DNM, I would also make it a GC. I would also
install DNS. If the AD zone in DNS on the 2000 servers is AD Integrated, I
would just install DNS and let the zone auto-populate. Do not try to force
it by creating the zone name manually or you will just compound your
problems.

Disabling SMB signing on the server using the Local Domain Controller policy
on the 2003 R2 server should be sufficient. It is not a guarantee this will
work, but it reduces the possibility this is causing the comm issue. Reboot
is not required.

Ace
Back to top
Ace Fekay [MVP] (Guest)
Posted: Wed Nov 07, 2007 11:57 pm    Post subject: Re: challenge: XP cannot get to DC's shares

In news:04CC9C31-250C-4082-8813-42C7BDAA3567@microsoft.com,
totoro <totoro@discussions.microsoft.com> typed:

Quote:
yes also seeing in combination with events 4143, and 4193


For 4143:
http://eventid.net/display.asp?eventid=4143&eventno=2461&source=MSDTC&phase=1



For 4193, the above link should help. This link is similar to the one I
posted yesterday for you. By the way, I don't see any mention that you tried
to follow the fix or not. Did you?


Quote:

If so, check this link out to fix it and look at David Grant's
section on how to fix it:
http://eventid.net/display.asp?eventid=53258&eventno=4493&source=MSDTC&phase=1

As for the replication errors, please state the EventIDs and Source.


Did you follow the link above? Did it work? Did it eliminate the 53258 and
the others??





Quote:
Please provide an ipconfig /all (unedited please) of your domain
controllers and a sample client machine please.
from the 2003 r2 machine with the problems:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator.PPG>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : D94C4BD1
Primary Dns Suffix . . . . . . . : pinfoodpro.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : pinfoodpro.com

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
Physical Address. . . . . . . . . : 00-19-B9-F7-9F-C8
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 1.1.1.236
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 1.1.1.101
DNS Servers . . . . . . . . . . . : 1.1.1.2
1.1.1.4
Primary WINS Server . . . . . . . : 1.1.1.4

from the old 2K DC
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator.PPG>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : pfpsvc
Primary DNS Suffix . . . . . . . : pinfoodpro.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : pinfoodpro.com

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . : pinfoodpro.com
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Server Adapter
Physical Address. . . . . . . . . : 00-0E-0C-77-5F-7E
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 1.1.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 1.1.1.101
DNS Servers . . . . . . . . . . . : 1.1.1.2
Primary WINS Server . . . . . . . : 1.1.1.4

C:\Documents and Settings\Administrator.PPG



Thanks for posting the ipconfig /all.

After you install DNS on this box, and the zone auto-populates, change the
DNS entries on all the DCs to use 1.1.1.236 as the first entry, and itself
as the second. If 1.1.1.236 is the same box, just leave it as the only one.


Quote:
Did you make this R2 server the DNM,
do you mean DNS? No, what's DNM?

Schema Master? No, the old 2000 service is

and a GC? No, the 2000 servers both are


DNM = Domain Name Master
The R2 upgrade introduces numerous upgrades to AD's schema. The Schema
Master should be moved to the new box to support these changes. The Schema
Master should have actually been moved to the 2003 server prior to the R2
adprep being run. Once moved, move the DNM as well. The DNM must also be a
GC.


Quote:
thank you Ace!

You're welcome. I'm trying...

Ace
Back to top
Ace Fekay [MVP] (Guest)
Posted: Thu Nov 08, 2007 12:04 am    Post subject: Re: challenge: XP cannot get to DC's shares

Also, if enabled, disable the firewall on the XP machine and try accessing.
If enabled on the DC, make sure you disable it please. If A/V software is
installed on XP, make sure it is allowed to create temp folders and run
exe's from the temp folder.

Ace
Back to top
totoro (Guest)
Posted: Thu Nov 08, 2007 3:21 pm    Post subject: Re: challenge: XP cannot get to DC's shares

Hi Ace, I am muddling through your recommendations.

regarding this:
Quote:
Disabling SMB signing on the server using the Local Domain Controller policy
on the 2003 R2 server should be sufficient. It is not a guarantee this will
work, but it reduces the possibility this is causing the comm issue.

I had disabled SMB using REGEDIT. After this post I attempted to use
GPEDIT.msc, but the two items detailed in the article (887429) were not
editable, grayed out. I went in and restored the registry to its original
state and only one of two were then editable.

Microsoft network server: Digitally sign communications (always) - THIS I CAN CHANGE
Microsoft network server: Digitally sign communications (if client agrees) - THIS IS STILL GRAYED OUT

also
after moving the FSMO roles to the new server the following events took
place in this order
4145
4143
53258
53258
4193

I was seeing these after restarts, but I did not see them after last night's
restart. This happened right after the new roles were added.

Thanks Ace
Back to top
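
The two policy settings named in the post above are stored as RequireSecuritySignature ("always") and EnableSecuritySignature ("if client agrees") under the LanmanServer service key, with the client-side pair under LanmanWorkstation. The PowerShell below is an added example, not part of the original thread: it reads both sides and reports whether an SMB1 client and server can agree on signing, so a mismatch can be located before signing is switched off on a DC; the host names and sample values are constructed.

```powershell
# Added example (not from the thread): audit SMB signing on both ends of a
# failing share connection. Host names in the usage lines are placeholders.

# Registry homes of the "Digitally sign communications" policy settings.
$SigningKey = @{
    Server = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Client = 'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
}

function ConvertTo-SigningMode {
    # "(always)" maps to RequireSecuritySignature,
    # "(if client/server agrees)" maps to EnableSecuritySignature.
    param([int]$Require, [int]$Enable)
    if ($Require -eq 1) { 'Required' }
    elseif ($Enable -eq 1) { 'Enabled' }
    else { 'Disabled' }
}

function Get-SmbSigningMode {
    # Reads the two values over remote registry. A missing value is reported
    # as 'NotSet' because the built-in default differs between OS versions.
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][ValidateSet('Server', 'Client')][string]$Role
    )
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key = $hklm.OpenSubKey($SigningKey[$Role])
        if ($null -eq $key) { throw "Key missing on ${ComputerName}: $($SigningKey[$Role])" }
        $require = $key.GetValue('RequireSecuritySignature')
        $enable  = $key.GetValue('EnableSecuritySignature')
        $key.Close()
    }
    finally { $hklm.Close() }
    if ($null -eq $require -or $null -eq $enable) { return 'NotSet' }
    ConvertTo-SigningMode -Require $require -Enable $enable
}

function Test-SmbSigningPair {
    # SMB1 negotiation outcome for one client/server pair:
    # one side requiring while the other has signing off cannot connect.
    param([string]$ClientMode, [string]$ServerMode)
    $pair = @($ClientMode, $ServerMode)
    if ($pair -contains 'NotSet') { return 'Unknown (check OS default)' }
    if (($pair -contains 'Required') -and ($pair -contains 'Disabled')) { return 'ConnectionFails' }
    if ($pair -contains 'Disabled') { return 'Unsigned' }
    'Signed'
}

# Constructed sample values: a DC that requires signing, and three client states.
$dc = ConvertTo-SigningMode -Require 1 -Enable 1
foreach ($c in @(@{R = 0; E = 0}, @{R = 0; E = 1}, @{R = 1; E = 1})) {
    $client = ConvertTo-SigningMode -Require $c.R -Enable $c.E
    '{0,-9} client -> {1,-9} server : {2}' -f $client, $dc, (Test-SmbSigningPair $client $dc)
}

# Live check (placeholder host names, remote registry must be reachable):
# Test-SmbSigningPair (Get-SmbSigningMode -ComputerName 'XP-CLIENT' -Role Client) `
#                     (Get-SmbSigningMode -ComputerName 'NEW-DC' -Role Server)
```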
totoro (Guest)
Posted: Thu Nov 08, 2007 8:26 pm    Post subject: Re: challenge: XP cannot get to DC's shares

Ace, I completed all the steps recommended above and my XP & 2K clients can
see the shares, I am happy to report.
I went a step further and set the time service on the new DC to point to an
internet source.
Will I have to convert the old 2k DC servers to look at the new DC as time
source?

Thanks for everything Ace!!

Back to top
Ace Fekay [MVP] (Guest)
Posted: Fri Nov 09, 2007 3:51 am    Post subject: Re: challenge: XP cannot get to DC's shares

In news:49C17576-DCB5-4D9C-B48B-F820460F7671@microsoft.com,
totoro <totoro@discussions.microsoft.com> typed:
Quote:
I had disabled SMB using REGEDIT. After this post I attempted to use
GPEDIT.msc, but the two items detailed in the article (887429) were
not editable, grayed out. I went in and restored the registry to its
original state and only one of two were then editable.

Microsoft network server: Digitally sign communications (always) - THIS I CAN CHANGE
Microsoft network server: Digitally sign communications (if client agrees) - THIS IS STILL GRAYED OUT

Did you do this on the 2003's Admin Tools - Domain Controller Policy?

Quote:
also
after moving the FSMO roles to the new server the following events
took place in this order
4145
4143
53258
53258
4193

I was seeing these after restarts, but I did not see them after last
night's restart. This happened right after the new roles were added.


Well, that sounds good. As long as the errors don't come back, that will be
great.

Quote:
Thanks Ace

No problem. :)
Back to top
Ace Fekay [MVP] (Guest)
Posted: Fri Nov 09, 2007 3:52 am    Post subject: Re: challenge: XP cannot get to DC's shares

In news:70BEFC73-B8EB-4E36-8947-DB5345E90D32@microsoft.com,
totoro <totoro@discussions.microsoft.com> typed:
Quote:
Ace, I completed all the steps recommended above and my XP & 2K
clients can see the shares, I am happy to report.
I went a step further and set the time service on the new DC to point
to an internet source.
Will I have to convert the old 2k DC servers to look at the new DC as
time source?

Thanks for everything Ace!!

As long as the new 2003 is the PDC Emulator, all machines in the domain will
look to it as their time server. No other action required.

Good to hear everything is running. My pleasure for the help.

Ace
Back to top