Ace Fekay [MCT] Guest
Posted: Tue Sep 08, 2009 9:35 pm Post subject: Re: adding new Domain Controller and removing old DC.
"Nick" <nicklosf@gmail.com> wrote in message
news:e63d5003-d57b-457e-a44f-7bb7403abd65@r24g2000prf.googlegroups.com...
On Sep 8, 1:26 pm, "Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org>
wrote:
| Quote: | "Nick" <nickl...@gmail.com> wrote in message
news:509cb631-a008-4bcf-b04a-18ec4a3d9265@g1g2000pra.googlegroups.com...
what if the zone is a primary?
Then you can create a secondary on the other server, allow the transfer,
then change it to a primary, then point to itself for DNS. Point the other
DC to this one for DNS, too until you demote it.
Ace
|
this mess was inherited.
thanks for your help.
Nick
You are welcome. I can understand inheriting a mess. That's how I got some
of my customers in my area. Not that I was trying to take business from
anyone, but after an evaluation and a course of action to fix things, some
of them ask me to be their point of contact. :-)
If you're still not sure of anything, post back! :-)
Ace
Ace Fekay [MCT] Guest
Posted: Thu Sep 10, 2009 11:46 pm Post subject: Re: adding new Domain Controller and removing old DC.
| Quote: | On Sep 8, 6:35 pm, "Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org
wrote:
"Nick" <nickl...@gmail.com> wrote in message
news:e63d5003-d57b-457e-a44f-7bb7403abd65@r24g2000prf.googlegroups.com...
On Sep 8, 1:26 pm, "Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org
wrote:
"Nick" <nickl...@gmail.com> wrote in message
news:509cb631-a008-4bcf-b04a-18ec4a3d9265@g1g2000pra.googlegroups.com...
what if the zone is a primary?
Then you can create a secondary on the other server, allow the transfer,
then change it to a primary, then point to itself for DNS. Point the other
DC to this one for DNS, too until you demote it.
Ace
this mess was inherited.
thanks for your help.
Nick
You are welcome. I can understand inheriting a mess. That's how I got some
of my customers in my area. Not that I was trying to take business from
anyone, but after an evaluation and a course of action to fix things, some
of them ask me to be their point of contact. :-)
If you're still not sure of anything, post back! :-)
Ace
I now have a new set of issues. When I try to demote the old server
(dcpromo) and promote the new server (dcpromo), it fails. When I try
to promote I get: "The operation failed because: The Active Directory
Installation Wizard was unable to convert the computer account
SEC-DC2$ to a domain controller account. Access is denied." It asks me
to log in again and when I do it fails at the same place. The dcpromo
to demote fails also but with just a little different error. I can't
post that exact error because I shut down that server for the time
being. I was able to move DHCP, DNS and the FSMO roles from the
server before I tried to demote it.
Nick
|
I assume you followed the suggested step by step with the DNS settings
changes?
It sounds like you are trying to do this simultaneously. Concentrate on
the demotion first, otherwise I can't see how you are trying to promote
the new server and expect to use the same name, unless I misunderstood
your intentions?
From what I remember, read back, and understood, you are trying to keep
the same name and IP. So you must take care of the demotion first and
allow replication, delete the demoted DC object in Sites, etc, prior to
promoting the new one.
You can't do them simultaneously and expect to keep the same name and
IP address.
Correct my assumptions please, if I am wrong.
What's in the event logs?
Ace
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit
among responding engineers, and to help others benefit from your
resolution.
Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Nick Guest
Posted: Fri Sep 11, 2009 1:24 am Post subject: Re: adding new Domain Controller and removing old DC.
On Sep 8, 6:35 pm, "Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org>
wrote:
| Quote: | "Nick" <nickl...@gmail.com> wrote in message
news:e63d5003-d57b-457e-a44f-7bb7403abd65@r24g2000prf.googlegroups.com...
On Sep 8, 1:26 pm, "Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org
wrote:
"Nick" <nickl...@gmail.com> wrote in message
news:509cb631-a008-4bcf-b04a-18ec4a3d9265@g1g2000pra.googlegroups.com...
what if the zone is a primary?
Then you can create a secondary on the other server, allow the transfer,
then change it to a primary, then point to itself for DNS. Point the other
DC to this one for DNS, too until you demote it.
Ace
this mess was inherited.
thanks for your help.
Nick
You are welcome. I can understand inheriting a mess. That's how I got some
of my customers in my area. Not that I was trying to take business from
anyone, but after an evaluation and a course of action to fix things, some
of them ask me to be their point of contact. :-)
If you're still not sure of anything, post back! :-)
Ace
|
I now have a new set of issues. When I try to demote the old server
(dcpromo) and promote the new server (dcpromo), it fails. When I try
to promote I get: "The operation failed because: The Active Directory
Installation Wizard was unable to convert the computer account
SEC-DC2$ to a domain controller account. Access is denied." It asks me
to log in again and when I do it fails at the same place. The dcpromo
to demote fails also but with just a little different error. I can't
post that exact error because I shut down that server for the time
being. I was able to move DHCP, DNS and the FSMO roles from the
server before I tried to demote it.
Nick
Nick Guest
Posted: Fri Sep 11, 2009 2:17 am Post subject: Re: adding new Domain Controller and removing old DC.
On Sep 10, 8:46 pm, Ace Fekay [MCT] <ace...@mvps.RemoveThisPart.org>
wrote:
| Quote: | On Sep 8, 6:35 pm, "Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org
wrote:
"Nick" <nickl...@gmail.com> wrote in message
news:e63d5003-d57b-457e-a44f-7bb7403abd65@r24g2000prf.googlegroups.com....
On Sep 8, 1:26 pm, "Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org
wrote:
"Nick" <nickl...@gmail.com> wrote in message
news:509cb631-a008-4bcf-b04a-18ec4a3d9265@g1g2000pra.googlegroups.com....
what if the zone is a primary?
Then you can create a secondary on the other server, allow the transfer,
then change it to a primary, then point to itself for DNS. Point the other
DC to this one for DNS, too until you demote it.
Ace
this mess was inherited.
thanks for your help.
Nick
You are welcome. I can understand inheriting a mess. That's how I got some
of my customers in my area. Not that I was trying to take business from
anyone, but after an evaluation and a course of action to fix things, some
of them ask me to be their point of contact. :-)
If you're still not sure of anything, post back! :-)
Ace
I now have a new set of issues. When I try to demote the old server
(dcpromo) and promote the new server (dcpromo), it fails. When I try
to promote I get: "The operation failed because: The Active Directory
Installation Wizard was unable to convert the computer account
SEC-DC2$ to a domain controller account. Access is denied." It asks me
to log in again and when I do it fails at the same place. The dcpromo
to demote fails also but with just a little different error. I can't
post that exact error because I shut down that server for the time
being. I was able to move DHCP, DNS and the FSMO roles from the
server before I tried to demote it.
Nick
I assume you followed the suggested step by step with the DNS settings
changes?
It sounds like you are trying to do this simultaneously. Concentrate on
the demotion first, otherwise I can't see how you are trying to promote
the new server and expect to use the same name, unless I misunderstood
your intentions?
From what I remember, read back, and understood, you are trying to keep
the same name and IP. So you must take care of the demotion first and
allow replication, delete the demoted DC object in Sites, etc, prior to
promoting the new one.
You can't do them simultaneously and expect to keep the same name and
IP address.
Correct my assumptions please, if I am wrong.
What's in the event logs?
Ace
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit
among responding engineers, and to help others benefit from your
resolution.
Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
|
I'm not keeping the same name, only the same IP address. I tried the
demotion first and waited 4 hours before I tried to promote the new
server, but since I'm not keeping the name it really shouldn't matter.
There are no errors in the event viewer that pertain to not allowing
dcpromo to work either way.
Ace Fekay [MCT] Guest
Posted: Fri Sep 11, 2009 2:21 am Post subject: Re: adding new Domain Controller and removing old DC.
| Quote: | On Sep 10, 8:46 pm, Ace Fekay [MCT] <ace...@mvps.RemoveThisPart.org
wrote:
On Sep 8, 6:35 pm, "Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org
wrote:
"Nick" <nickl...@gmail.com> wrote in message
news:e63d5003-d57b-457e-a44f-7bb7403abd65@r24g2000prf.googlegroups.com...
On Sep 8, 1:26 pm, "Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org
wrote:
"Nick" <nickl...@gmail.com> wrote in message
news:509cb631-a008-4bcf-b04a-18ec4a3d9265@g1g2000pra.googlegroups.com...
what if the zone is a primary?
Then you can create a secondary on the other server, allow the transfer,
then change it to a primary, then point to itself for DNS. Point the
other DC to this one for DNS, too until you demote it.
Ace
this mess was inherited.
thanks for your help.
Nick
You are welcome. I can understand inheriting a mess. That's how I got some
of my customers in my area. Not that I was trying to take business from
anyone, but after an evaluation and a course of action to fix things, some
of them ask me to be their point of contact.
If you're still not sure of anything, post back!
Ace
I now have a new set of issues. When I try to demote the old server
(dcpromo) and promote the new server (dcpromo), it fails. When I try
to promote I get: "The operation failed because: The Active Directory
Installation Wizard was unable to convert the computer account
SEC-DC2$ to a domain controller account. Access is denied." It asks me
to log in again and when I do it fails at the same place. The dcpromo
to demote fails also but with just a little different error. I can't
post that exact error because I shut down that server for the time
being. I was able to move DHCP, DNS and the FSMO roles from the
server before I tried to demote it.
Nick
I assume you followed the suggested step by step with the DNS settings
changes?
It sounds like you are trying to do this simultaneously. Concentrate on
the demotion first, otherwise I can't see how you are trying to promote
the new server and expect to use the same name, unless I misunderstood
your intentions?
From what I remember, read back, and understood, you are trying to keep
the same name and IP. So you must take care of the demotion first and
allow replication, delete the demoted DC object in Sites, etc, prior to
promoting the new one.
You can't do them simultaneously and expect to keep the same name and
IP address.
Correct my assumptions please, if I am wrong.
What's in the event logs?
Ace
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit
among responding engineers, and to help others benefit from your
resolution.
Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
I'm not keeping the same name, only the same IP address. I tried the
demotion first and waited 4 hours before I tried to promote the new
server, but since I'm not keeping the name it really shouldn't matter.
There are no errors in the event viewer that pertain to not allowing
dcpromo to work either way.
|
Ok, I thought you were keeping the name.
Let's take this one step at a time. Let's concentrate on the demotion,
first. I thought you said the demotion failed in your previous post?
Are you now saying the demotion was successful?
Ace
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit
among responding engineers, and to help others benefit from your
resolution.
Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Ace Fekay [MCT] Guest
Posted: Tue Sep 15, 2009 11:54 am Post subject: Re: adding new Domain Controller and removing old DC.
"Nick" <nicklosf@gmail.com> wrote in message
news:2813a7e2-5bfd-498a-bcc6-f814f868796a@b18g2000vbl.googlegroups.com...
| Quote: |
Ace,
Sorry for not replying back sooner. I finally got my new server
promoted and my old server demoted. I had to do everything manually.
BUT!!!... I have random users (including myself) whose accounts
get locked out for no reason. This is happening every day but not
necessarily to the same users, just random, but it happens about 20 times
each day. Is there some way to troubleshoot this? I've updated my
virus software and re-scanned everything and found nothing.
Nick
|
No problem, Nick, for the late reply. I figured you got it going by now.
How exactly did you do it "manually?"
Are the user accounts being used by a service or an app?
Is it possible the users were never logged off during the transition?
Ace
Nick Guest
Posted: Tue Sep 15, 2009 1:08 pm Post subject: Re: adding new Domain Controller and removing old DC.
On Sep 10, 11:21 pm, Ace Fekay [MCT] <ace...@mvps.RemoveThisPart.org>
wrote:
| Quote: | On Sep 10, 8:46 pm, Ace Fekay [MCT] <ace...@mvps.RemoveThisPart.org
wrote:
On Sep 8, 6:35 pm, "Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org
wrote:
"Nick" <nickl...@gmail.com> wrote in message
news:e63d5003-d57b-457e-a44f-7bb7403abd65@r24g2000prf.googlegroups.com...
On Sep 8, 1:26 pm, "Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org
wrote:
"Nick" <nickl...@gmail.com> wrote in message
news:509cb631-a008-4bcf-b04a-18ec4a3d9265@g1g2000pra.googlegroups.com...
what if the zone is a primary?
Then you can create a secondary on the other server, allow the transfer,
then change it to a primary, then point to itself for DNS. Point the
other DC to this one for DNS, too until you demote it.
Ace
this mess was inherited.
thanks for your help.
Nick
You are welcome. I can understand inheriting a mess. That's how I got some
of my customers in my area. Not that I was trying to take business from
anyone, but after an evaluation and a course of action to fix things, some
of them ask me to be their point of contact.
If you're still not sure of anything, post back!
Ace
I now have a new set of issues. When I try to demote the old server
(dcpromo) and promote the new server (dcpromo), it fails. When I try
to promote I get: "The operation failed because: The Active Directory
Installation Wizard was unable to convert the computer account
SEC-DC2$ to a domain controller account. Access is denied." It asks me
to log in again and when I do it fails at the same place. The dcpromo
to demote fails also but with just a little different error. I can't
post that exact error because I shut down that server for the time
being. I was able to move DHCP, DNS and the FSMO roles from the
server before I tried to demote it.
Nick
I assume you followed the suggested step by step with the DNS settings
changes?
It sounds like you are trying to do this simultaneously. Concentrate on
the demotion first, otherwise I can't see how you are trying to promote
the new server and expect to use the same name, unless I misunderstood
your intentions?
From what I remember, read back, and understood, you are trying to keep
the same name and IP. So you must take care of the demotion first and
allow replication, delete the demoted DC object in Sites, etc, prior to
promoting the new one.
You can't do them simultaneously and expect to keep the same name and
IP address.
Correct my assumptions please, if I am wrong.
What's in the event logs?
Ace
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit
among responding engineers, and to help others benefit from your
resolution.
Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
I'm not keeping the same name, only the same IP address. I tried the
demotion first and waited 4 hours before I tried to promote the new
server, but since I'm not keeping the name it really shouldn't matter.
There are no errors in the event viewer that pertain to not allowing
dcpromo to work either way.
Ok, I thought you were keeping the name.
Let's take this one step at a time. Let's concentrate on the demotion,
first. I thought you said the demotion failed in your previous post?
Are you now saying the demotion was successful?
Ace
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit
among responding engineers, and to help others benefit from your
resolution.
Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
|
Ace,
Sorry for not replying back sooner. I finally got my new server
promoted and my old server demoted. I had to do everything manually.
BUT!!!... I have random users (including myself) whose accounts
get locked out for no reason. This is happening every day but not
necessarily to the same users, just random, but it happens about 20 times
each day. Is there some way to troubleshoot this? I've updated my
virus software and re-scanned everything and found nothing.
Nick
Ace Fekay [MCT] Guest
Posted: Tue Sep 15, 2009 1:43 pm Post subject: Re: adding new Domain Controller and removing old DC.
"Nick" <nicklosf@gmail.com> wrote in message
news:07be755a-ed06-435a-b490-d749c269203f@z34g2000vbl.googlegroups.com...
| Quote: |
I did the promotions using metadata, ntdsutil and AD. All the users
have been logged off several times.
I'm wondering if GPO is the problem?
|
Well, a MetaData Cleanup procedure is used to manually remove a DC's and
other data from the AD database. You wouldn't use that for promoting a
machine to a DC, rather use that to manually remove a failed DC or a DC that
cannot be demoted, which you would unplug and rebuild, and then use Metadata
Cleanup to remove its reference. So I am not quite sure what you mean when
you say you used 'meta data' to promote it.
What exactly did you use ntdsutil for? To seize or transfer roles or was it
for something else?
GPOs would NOT cause problems with user accounts getting locked out. GPOs
are simply policies changing default settings of a machine for the machine
or user that is logged in, that get applied to a machine or user account
once logged on or started up. So no, GPOs would not do this. Now that you
mentioned GPOs, how many GPOs do you have, and what are their settings?
So that we are on the same page and up to date, can you provide specific
step by steps that you did with each machine, timeline, time spent, tools
used and what the tools were used for?
Sorry for this request, but I am truly having difficulty following what
exactly you've done to be able to provide any specific diagnosis or
suggestions. Providing specifics will help versus providing general
descriptions.
Also, if you haven't yet, please provide updated ipconfigs of the DCs and
event log errors.
Ace
Nick Guest
Posted: Tue Sep 15, 2009 3:14 pm Post subject: Re: adding new Domain Controller and removing old DC.
On Sep 15, 8:54 am, "Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org>
wrote:
| Quote: | "Nick" <nickl...@gmail.com> wrote in message
news:2813a7e2-5bfd-498a-bcc6-f814f868796a@b18g2000vbl.googlegroups.com...
Ace,
Sorry for not replying back sooner. I finally got my new server
promoted and my old server demoted. I had to do everything manually.
BUT!!!... I have random users (including myself) whose accounts
get locked out for no reason. This is happening every day but not
necessarily to the same users, just random, but it happens about 20 times
each day. Is there some way to troubleshoot this? I've updated my
virus software and re-scanned everything and found nothing.
Nick
No problem, Nick, for the late reply. I figured you got it going by now.
How exactly did you do it "manually?"
Are the user accounts being used by a service or an app?
Is it possible the users were never logged off during the transition?
Ace
|
I did the promotions using metadata, ntdsutil and AD. All the users
have been logged off several times.
I'm wondering if GPO is the problem?
Ace Fekay [MCT] Guest
Posted: Tue Sep 15, 2009 3:23 pm Post subject: Re: adding new Domain Controller and removing old DC.
| Quote: | On Sep 15, 10:43 am, "Ace Fekay [MCT]"
<ace...@mvps.RemoveThisPart.org> wrote:
"Nick" <nickl...@gmail.com> wrote in message
news:07be755a-ed06-435a-b490-d749c269203f@z34g2000vbl.googlegroups.com...
Ace,
I loosely used the word promotions because DCPromo is used whether
you promote or demote a DC.
I disconnected a DC that was my PDC (roles master or whatever other
names there are for the main DC) because dcpromo failed. I used
ntdsutil to seize and remove the failed DC. I was able to transfer the
roles but not demote this DC before I disconnected it.
GPO may not lock out accounts but it gives instructions to lock out
the account if the policy is broken, if that policy is set (ex: failed
login attempts). My issue is now I'm having accounts being locked for
no reason, or at least no obvious reason. Nothing in the event viewers
shouting failed attempts either.
Nick
|
Nick,
I assume you've run a metadata cleanup to remove the old DC with
ntdsutil (KB216498).
Run:
netdiag /v /fix
dcdiag /v /fix
Report any errors.
Also run a gpresults at a workstation with a user account that's
getting locked out.
What errors now exist, if any, in the event logs?
Ace
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit
among responding engineers, and to help others benefit from your
resolution.
Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Nick Guest
Posted: Tue Sep 15, 2009 4:19 pm Post subject: Re: adding new Domain Controller and removing old DC.
On Sep 15, 10:43 am, "Ace Fekay [MCT]"
<ace...@mvps.RemoveThisPart.org> wrote:
| Quote: | "Nick" <nickl...@gmail.com> wrote in message
news:07be755a-ed06-435a-b490-d749c269203f@z34g2000vbl.googlegroups.com...
I did the promotions using metadata, ntdsutil and AD. All the users
have been logged off several times.
I'm wondering if GPO is the problem?
Well, a MetaData Cleanup procedure is used to manually remove a DC's and
other data from the AD database. You wouldn't use that for promoting a
machine to a DC, rather use that to manually remove a failed DC or a DC that
cannot be demoted, which you would unplug and rebuild, and then use Metadata
Cleanup to remove its reference. So I am not quite sure what you mean when
you say you used 'meta data' to promote it.
What exactly did you use ntdsutil for? To seize or transfer roles or was it
for something else?
GPOs would NOT cause problems with user accounts getting locked out. GPOs
are simply policies changing default settings of a machine for the machine
or user that is logged in, that get applied to a machine or user account
once logged on or started up. So no, GPOs would not do this. Now that you
mentioned GPOs, how many GPOs do you have, and what are their settings?
So that we are on the same page and up to date, can you provide specific
step by steps that you did with each machine, timeline, time spent, tools
used and what the tools were used for?
Sorry for this request, but I am truly having difficulty following what
exactly you've done to be able to provide any specific diagnosis or
suggestions. Providing specifics will help versus providing general
descriptions.
Also, if you haven't yet, please provide updated ipconfigs of the DCs and
event log errors.
Ace
|
Ace,
I loosely used the word promotions because DCPromo is used whether
you promote or demote a DC.
I disconnected a DC that was my PDC (roles master or whatever other
names there are for the main DC) because dcpromo failed. I used
ntdsutil to seize and remove the failed DC. I was able to transfer the
roles but not demote this DC before I disconnected it.
GPO may not lock out accounts but it gives instructions to lock out
the account if the policy is broken, if that policy is set (ex: failed
login attempts). My issue is now I'm having accounts being locked for
no reason, or at least no obvious reason. Nothing in the event viewers
shouting failed attempts either.
Nick
Ace Fekay [MCT] Guest
Posted: Tue Sep 15, 2009 7:43 pm Post subject: Re: adding new Domain Controller and removing old DC.
"Nick" <nicklosf@gmail.com> wrote in message
news:aa455566-12e0-48db-99e9-3d32bbc5d3d2@33g2000vbe.googlegroups.com...
On Sep 15, 12:23 pm, Ace Fekay [MCT] <ace...@mvps.RemoveThisPart.org>
wrote:
| Quote: |
Ace,
Netdiag is huge, want me to send them to your email account? The only
error I see was in the dcdiag:
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 09/15/2009 12:32:49
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C5
Time Generated: 09/15/2009 12:35:52
(Event String could not be retrieved)
......................... SEC-DC2 failed test frsevent
Nick
|
No, no need to email them.
Go through DNS with a fine toothed comb, and make sure the old server name
no longer exists. Go through each and every SRV folder one by one, that is
Every one of them, please, and make sure IPs and names are correct for the
existing DCs. If not, you can manually delete them. Even check each zone
properties, Nameserver tab, as well as the _msdcs grayed out folder
properties for its delegation to make sure it is pointing to the correct
existing DC's FQDN.
Then once done, run:
ipconfig /registerdns
net stop netlogon
net start netlogon
This can be done during prod hours.
Then go through DNS again to make sure nothing that doesn't belong got
re-registered.
Ace
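As an added example (not code from the thread or from either poster), here is a checker for the sweep Ace describes: every A, NS and SRV record that names a DC is compared against the list of DCs that should still exist. It assumes the zone was exported to BIND-style text; the zone, host names and addresses are constructed, and it also covers the case in this thread where the old name is gone but its IP address was reused by the new DC.

```python
import re
from dataclasses import dataclass

# Constructed BIND-style export of an AD-integrated zone (not from the thread).
# "old-dc" is the decommissioned DC; its address 192.0.2.10 was reused by
# "new-dc", which is the situation in this thread (new name, same IP).
SAMPLE_ZONE = """\
; example.local (constructed sample)
@                     600 IN NS  new-dc.example.local.
@                     600 IN NS  old-dc.example.local.
new-dc                600 IN A   192.0.2.10
old-dc                600 IN A   192.0.2.10
dc3                   600 IN A   192.0.2.13
fileserver            600 IN A   192.0.2.50
_ldap._tcp            600 IN SRV 0 100 389 new-dc.example.local.
_ldap._tcp            600 IN SRV 0 100 389 old-dc.example.local.
_kerberos._tcp        600 IN SRV 0 100 88  dc3.example.local.
_ldap._tcp.dc._msdcs  600 IN SRV 0 100 389 old-dc.example.local.
_msdcs                600 IN NS  new-dc.example.local.
"""

# The DCs that should exist after the migration, with their correct addresses
# (constructed; dc3 is deliberately registered with the wrong address above).
CURRENT_DCS = {"new-dc": "192.0.2.10", "dc3": "192.0.2.12"}

RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|NS|SRV)\s+(.+)$")


@dataclass(frozen=True)
class Finding:
    owner: str    # record name as an FQDN
    rtype: str    # A, NS or SRV
    problem: str


def fqdn(name, origin):
    """Normalise a zone-file name to a lowercase FQDN without the trailing dot."""
    name = name.lower().rstrip(".")
    if name == "@":
        return origin
    return name if name == origin or name.endswith("." + origin) else f"{name}.{origin}"


def audit_dc_records(zone_text, origin, current_dcs):
    """Return every A, NS or SRV record that still names a DC not in current_dcs,
    gives a current DC the wrong address, or gives a non-DC name a DC's address."""
    origin = origin.lower().rstrip(".")
    expected = {fqdn(host, origin): ip for host, ip in current_dcs.items()}
    dc_addresses = set(expected.values())
    findings = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = RECORD_RE.match(line)
        if not match:
            findings.append(Finding(line, "?", "unparsed line"))
            continue
        owner = fqdn(match.group(1), origin)
        rtype, rdata = match.group(2), match.group(3).split()
        if rtype == "A":
            addr = rdata[0]
            if owner in expected and expected[owner] != addr:
                findings.append(Finding(owner, "A", f"wrong address {addr}, expected {expected[owner]}"))
            elif owner not in expected and addr in dc_addresses:
                # The stale old name still resolves to the address the new DC took over.
                findings.append(Finding(owner, "A", f"stale name still resolving to DC address {addr}"))
        else:
            # NS and SRV rdata both end in a host name: the zone's Nameserver tab,
            # the _msdcs delegation and every SRV folder Ace lists.
            target = fqdn(rdata[-1], origin)
            if target not in expected:
                findings.append(Finding(owner, rtype, f"points at {target}, which is not a current DC"))
    return findings


if __name__ == "__main__":
    for f in audit_dc_records(SAMPLE_ZONE, "example.local", CURRENT_DCS):
        print(f"{f.rtype:<3} {f.owner}: {f.problem}")
```

Run it again after the `ipconfig /registerdns` and netlogon restart Ace lists, so the second pass confirms nothing stale came back.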
Nick Guest
Posted: Tue Sep 15, 2009 8:05 pm Post subject: Re: adding new Domain Controller and removing old DC.
On Sep 15, 12:23 pm, Ace Fekay [MCT] <ace...@mvps.RemoveThisPart.org>
wrote:
| Quote: | On Sep 15, 10:43 am, "Ace Fekay [MCT]"
<ace...@mvps.RemoveThisPart.org> wrote:
"Nick" <nickl...@gmail.com> wrote in message
news:07be755a-ed06-435a-b490-d749c269203f@z34g2000vbl.googlegroups.com....
Ace,
I loosely used the word promotions because DCPromo is used whether
you promote or demote a DC.
I disconnected a DC that was my PDC (roles master or whatever other
names there are for the main DC) because dcpromo failed. I used
ntdsutil to seize and remove the failed DC. I was able to transfer the
roles but not demote this DC before I disconnected it.
GPO may not lock out accounts but it gives instructions to lock out
the account if the policy is broken, if that policy is set (ex: failed
login attempts). My issue is now I'm having accounts being locked for
no reason, or at least no obvious reason. Nothing in the event viewers
shouting failed attempts either.
Nick
Nick,
I assume you've run a metadata cleanup to remove the old DC with
ntdsutil (KB216498).
Run:
netdiag /v /fix
dcdiag /v /fix
Report any errors.
Also run a gpresults at a workstation with a user account that's
getting locked out.
What errors now exist, if any, in the event logs?
Ace
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit
among responding engineers, and to help others benefit from your
resolution.
Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
|
Ace,
Netdiag is huge, want me to send them to your email account? The only
error I see was in the dcdiag:
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 09/15/2009 12:32:49
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C5
Time Generated: 09/15/2009 12:35:52
(Event String could not be retrieved)
......................... SEC-DC2 failed test frsevent
Nick
Ace Fekay [MCT] Guest
Posted: Wed Sep 16, 2009 4:46 pm Post subject: Re: adding new Domain Controller and removing old DC.
"Nick" <nicklosf@gmail.com> wrote in message
news:7d1a0540-8370-41b7-ac79-bf264cee12c8@d23g2000vbm.googlegroups.com...
On Sep 15, 4:43 pm, "Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org>
wrote:
| Quote: |
ACE,
I've resolved my issue. I had a hacker break past my firewall at a
remote location. He was locking my accounts trying to break the
passwords. It should have been an obvious find but with all the other
issues I missed it.
Thanks for all your help.
One more question: I want to force a password change on all my users
without going to each account. Where can I globally set this? Also, I
want to set a network mapped drive for all users in the GPO. Where
would I do that?
Thanks again
Nick
|
Interesting. Glad you caught it.
As for the other questions, they are separate topics. I would rather see
you start a new thread in the GPO newsgroup for the GPO question, and the AD
newsgroup for the password question. This way you can see a broader view
and a mix of responses and suggestions from a few people. It's to your
benefit.
Password change to all users, hmm - force them to expire at the domain-level
GPO, password policies, so it will prompt everyone, including the
administrator account, to change it at next logon. Be careful if someone
comes in through OWA, however. You will also have to check any services that
use accounts, too, to change them (backups, SQL, etc.).
Mapped drives can be set in a logon script in a GPO. Here are results I
Googled for "create gpo logon script":

Setting up a Logon Script through GPO in Windows Server 2008
"Create the logon script and give it the appropriate name (for example: ... In that case you
don't need to create a new GPO, you can use the existing one. ..."
www.petri.co.il/setting-up-logon-script-through-gpo-windows-server-2008.htm

Logon Script - Assign Logon Scripts via Group Policy
"Introduction to Assigning Logon Script via Group Policy ... Directory then either use an existing
Group Policy, or create a new Group Policy from scratch. ..."
www.computerperformance.co.uk/Logon/logon_script_assign.htm

Logon Script FAQ
"Jump to What about Logoff, Startup, and Shutdown scripts in Group Policy?: Similar to the
Logon script setting, it applies to all users in the ..."
www.rlmueller.net/LogonScriptFAQ.htm
I hope that helps.
Ace
|
|
|
 |
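An added example, not code from the thread or its author, showing the same "change at next logon" outcome done with the ActiveDirectory PowerShell module rather than the domain password-policy GPO, while first listing the service-style accounts the reply says must be handled by hand. It assumes the RSAT ActiveDirectory module and a session allowed to modify users; the rule used to spot service accounts (an SPN or PasswordNeverExpires) is an assumption, not something the thread states.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT) and a
# session with rights to modify user accounts.
Import-Module ActiveDirectory

$allEnabled = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties ServicePrincipalName, PasswordNeverExpires, PasswordLastSet

# Heuristic (assumption): accounts that carry an SPN or are flagged PasswordNeverExpires
# are service or application accounts. As the reply notes, those (backups, SQL, ...) need
# the password changed inside the service as well, so they are listed here, not touched.
$serviceLike = $allEnabled | Where-Object {
    $_.ServicePrincipalName.Count -gt 0 -or $_.PasswordNeverExpires
}
Write-Host "Excluded; change these by hand together with the services that use them:"
$serviceLike | Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet |
    Format-Table -AutoSize

# Everyone else must pick a new password at next logon (this clears pwdLastSet).
# ChangePasswordAtLogon cannot be set on a PasswordNeverExpires account anyway.
$targets = $allEnabled | Where-Object {
    $_.DistinguishedName -notin $serviceLike.DistinguishedName
}

# Dry run first: -WhatIf only reports what would change. Remove it to apply.
$targets | Set-ADUser -ChangePasswordAtLogon $true -WhatIf
Write-Host ("{0} accounts would be forced to change password at next logon." -f $targets.Count)
```

Users who only ever authenticate through OWA or a service account will hit the forced change at their next logon too, which is the caveat the reply raises.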
Nick Guest
|
Posted: Wed Sep 16, 2009 6:17 pm Post subject: Re: adding new Domain Controller and removing old DC. |
|
|
On Sep 15, 4:43 pm, "Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org>
wrote:
| Quote: | "Nick" <nickl...@gmail.com> wrote in message
news:aa455566-12e0-48db-99e9-3d32bbc5d3d2@33g2000vbe.googlegroups.com...
On Sep 15, 12:23 pm, Ace Fekay [MCT] <ace...@mvps.RemoveThisPart.org
wrote:
Ace,
netdiag is huge, want me to send them to your email account? The only
error I see was in the dcdiag:
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after
the
SYSVOL has been shared. Failing SYSVOL replication problems may
cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 09/15/2009 12:32:49
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C5
Time Generated: 09/15/2009 12:35:52
(Event String could not be retrieved)
......................... SEC-DC2 failed test frsevent
Nick
No, no need to email them.
Go through DNS with a fine-toothed comb, and make sure the old server name
no longer exists. Go through each and every SRV folder one by one, that is
every one of them, please, and make sure IPs and names are correct for the
existing DCs. If not, you can manually delete them. Even check each zone's
properties, Nameserver tab, as well as the _msdcs grayed-out folder
properties for its delegation to make sure it is pointing to the correct
existing DC's FQDN.
Then once done, run:
ipconfig /registerdns
net stop netlogon
net start netlogon
This can be done during prod hours.
Then go through DNS again to make sure nothing that doesn't belong
got re-registered.
Ace
|
ACE,
I've resolved my issue. I had a hacker break past my firewall at a
remote location. He was locking my accounts trying to break the
passwords. It should have been an obvious find but with all the other
issues I missed it.
Thanks for all your help.
One more question: I want to force a password change to all my users
without going to each account. Where can I globally set this? Also, I
want to set a network mapped drive for all users in the GPO. Where
would I do that?
Thanks again
Nick
|
|
|
 |
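The DNS walk-through quoted above (every SRV folder, the Nameserver tab, the _msdcs delegation) as an added example that is not from the thread: it resolves the DC-locator SRV records and the zone NS records and flags any target that is not one of the DCs Active Directory still knows about. It assumes PowerShell 3 or later for Resolve-DnsName, the ActiveDirectory module, a domain-joined machine that resolves through the AD-integrated DNS server, and that DNS is hosted on the DCs themselves (so NS records should name only live DCs).

```powershell
# Added example, not from the thread. Assumes PowerShell 3+ (Resolve-DnsName), the
# ActiveDirectory module, and a client that resolves via the domain's own DNS server.
Import-Module ActiveDirectory

$domain  = (Get-ADDomain).DNSRoot
# Hostnames of DCs that still exist; anything else appearing in DNS is a leftover.
$liveDCs = (Get-ADDomainController -Filter *).HostName |
    ForEach-Object { $_.ToLower().TrimEnd('.') }

# The SRV records clients use to find DCs (the "SRV folders" to walk one by one).
$srvNames = @(
    "_ldap._tcp.$domain", "_kerberos._tcp.$domain", "_kpasswd._tcp.$domain",
    "_gc._tcp.$domain", "_ldap._tcp.dc._msdcs.$domain",
    "_ldap._tcp.pdc._msdcs.$domain", "_ldap._tcp.gc._msdcs.$domain"
)

$srvFindings = @(foreach ($name in $srvNames) {
    Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object {
            $target = $_.NameTarget.ToLower().TrimEnd('.')
            [pscustomobject]@{
                Record = $name
                Target = $target
                Port   = $_.Port
                Status = if ($liveDCs -contains $target) { 'ok' } else { 'STALE' }
            }
        }
})

# Nameserver tab and _msdcs delegation: NS records should likewise name only live DCs
# (assumption: DNS is AD-integrated and hosted on the DCs).
$nsFindings = @(foreach ($zone in @($domain, "_msdcs.$domain")) {
    Resolve-DnsName -Name $zone -Type NS -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'NS' } |
        ForEach-Object {
            $ns = $_.NameHost.ToLower().TrimEnd('.')
            [pscustomobject]@{
                Record = "NS $zone"; Target = $ns; Port = ''
                Status = if ($liveDCs -contains $ns) { 'ok' } else { 'STALE' }
            }
        }
})

# STALE rows are the entries to delete by hand before ipconfig /registerdns and the
# netlogon restart; re-run afterwards to confirm nothing came back.
($srvFindings + $nsFindings) | Sort-Object Status, Record | Format-Table -AutoSize
```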