DCs, FSMO, and dcpromo...
  • DCs, FSMO, and dcpromo...

    I've found myself in a pickle... I have pages of failed Kerberos tickets in my DC. I have tried to isolate the problem, but am at a loss....

    From the best I can tell, the previous staff had added a domain controller to the existing network. The server holding the FSMO was taken offline and the other was left online... then the roles were seized after the change..

    No dcpromo to demote the old server, and no dcpromo to promote the next one... it was definitely not done by the book...

    This is the section from the AD replmon:
    Code:
    Current Transitive Replication Partner Status
    ---------------------------------------------
    
         Directory Partition: DC=MyDomain,DC=com
    
              Partner Name: **DELETED SERVER #2
                   Partner GUID: 1383C925-2759-4CC9-BD24-A9DC1166AEF3
                   USN:  794963
    
              Partner Name: Courthouse\OMEGA
                   Partner GUID: 2F963C91-36EF-4872-BBB4-D343092F1910
                   USN:  3759673
    
              Partner Name: **DELETED SERVER #3
                   Partner GUID: 43F9D274-2539-49E3-9C92-AB8403491035
                   USN:  773006
    
              Partner Name: **DELETED SERVER #4
                   Partner GUID: 55436A08-9246-41F9-B5C8-7C5713C327BA
                   USN:  37046
    
              Partner Name: **DELETED SERVER #5
                   Partner GUID: 728C6413-370F-43F0-95E8-53CD64E32194
                   USN:  78033
    
              Partner Name: **DELETED SERVER #6
                   Partner GUID: 72A57D53-9AD1-4255-9F27-B7333ED68109
                   USN:  55011
    
              Partner Name: **DELETED SERVER #7
                   Partner GUID: B1B1CEDF-29B1-44FE-82F6-8EA0D32DC1C8
                   USN:  205134
    
              Partner Name: **DELETED SERVER #8
                   Partner GUID: B34B4EC1-2B6B-4607-99E6-CF57DF008237
                   USN:  468597
    
              Partner Name: **DELETED SERVER #9
                   Partner GUID: BBCBFDDD-2243-4565-8BC0-7B90B8264603
                   USN:  795030
    
              Partner Name: Courthouse\ALPHA
                   Partner GUID: C19B5CA3-21E4-4126-9ABB-DCF25438BCF7
                   USN:  9780749
    
              Partner Name: **DELETED SERVER #10
                   Partner GUID: C51F3FA3-4133-483F-A708-E88AE4AEAA6B
                   USN:  29848
    
              Partner Name: **DELETED SERVER #11
                   Partner GUID: E23D7014-29D2-41A6-B4FF-DF85DFB61270
                   USN:  770182
    
         Directory Partition: CN=Configuration,DC=MyDomain,DC=com
    
              Partner Name: **DELETED SERVER #2
                   Partner GUID: 1383C925-2759-4CC9-BD24-A9DC1166AEF3
                   USN:  794889
    
              Partner Name: Courthouse\OMEGA
                   Partner GUID: 2F963C91-36EF-4872-BBB4-D343092F1910
                   USN:  3759430
    
              Partner Name: **DELETED SERVER #3
                   Partner GUID: 43F9D274-2539-49E3-9C92-AB8403491035
                   USN:  773006
    
              Partner Name: **DELETED SERVER #4
                   Partner GUID: 55436A08-9246-41F9-B5C8-7C5713C327BA
                   USN:  37046
    
              Partner Name: **DELETED SERVER #5
                   Partner GUID: 728C6413-370F-43F0-95E8-53CD64E32194
                   USN:  78033
    
              Partner Name: **DELETED SERVER #6
                   Partner GUID: 72A57D53-9AD1-4255-9F27-B7333ED68109
                   USN:  55011
    
              Partner Name: **DELETED SERVER #7
                   Partner GUID: B1B1CEDF-29B1-44FE-82F6-8EA0D32DC1C8
                   USN:  205134
    
              Partner Name: **DELETED SERVER #8
                   Partner GUID: B34B4EC1-2B6B-4607-99E6-CF57DF008237
                   USN:  468587
    
              Partner Name: **DELETED SERVER #9
                   Partner GUID: BBCBFDDD-2243-4565-8BC0-7B90B8264603
                   USN:  794723
    
              Partner Name: Courthouse\ALPHA
                   Partner GUID: C19B5CA3-21E4-4126-9ABB-DCF25438BCF7
                   USN:  9780749
    
              Partner Name: **DELETED SERVER #10
                   Partner GUID: C51F3FA3-4133-483F-A708-E88AE4AEAA6B
                   USN:  29848
    
              Partner Name: **DELETED SERVER #11
                   Partner GUID: E23D7014-29D2-41A6-B4FF-DF85DFB61270
                   USN:  770182
    
         Directory Partition: CN=Schema,CN=Configuration,DC=MyDomain,DC=com
    
              Partner Name: **DELETED SERVER #2
                   Partner GUID: 1383C925-2759-4CC9-BD24-A9DC1166AEF3
                   USN:  794889
    
              Partner Name: Courthouse\OMEGA
                   Partner GUID: 2F963C91-36EF-4872-BBB4-D343092F1910
                   USN:  3759430
    
              Partner Name: **DELETED SERVER #3
                   Partner GUID: 43F9D274-2539-49E3-9C92-AB8403491035
                   USN:  773006
    
              Partner Name: **DELETED SERVER #4
                   Partner GUID: 55436A08-9246-41F9-B5C8-7C5713C327BA
                   USN:  37046
    
              Partner Name: **DELETED SERVER #5
                   Partner GUID: 728C6413-370F-43F0-95E8-53CD64E32194
                   USN:  78033
    
              Partner Name: **DELETED SERVER #6
                   Partner GUID: 72A57D53-9AD1-4255-9F27-B7333ED68109
                   USN:  55011
    
              Partner Name: **DELETED SERVER #7
                   Partner GUID: B1B1CEDF-29B1-44FE-82F6-8EA0D32DC1C8
                   USN:  205134
    
              Partner Name: **DELETED SERVER #8
                   Partner GUID: B34B4EC1-2B6B-4607-99E6-CF57DF008237
                   USN:  468587
    
              Partner Name: **DELETED SERVER #9
                   Partner GUID: BBCBFDDD-2243-4565-8BC0-7B90B8264603
                   USN:  794418
    
              Partner Name: Courthouse\ALPHA
                   Partner GUID: C19B5CA3-21E4-4126-9ABB-DCF25438BCF7
                   USN:  9780749
    
              Partner Name: **DELETED SERVER #10
                   Partner GUID: C51F3FA3-4133-483F-A708-E88AE4AEAA6B
                   USN:  29848
    
              Partner Name: **DELETED SERVER #11
                   Partner GUID: E23D7014-29D2-41A6-B4FF-DF85DFB61270
                   USN:  770182
    
         Directory Partition: DC=DomainDnsZones,DC=MyDomain,DC=com
    
              Partner Name: **DELETED SERVER #2
                   Partner GUID: 1383C925-2759-4CC9-BD24-A9DC1166AEF3
                   USN:  794889
    
              Partner Name: Courthouse\OMEGA
                   Partner GUID: 2F963C91-36EF-4872-BBB4-D343092F1910
                   USN:  3759430
    
              Partner Name: **DELETED SERVER #3
                   Partner GUID: 43F9D274-2539-49E3-9C92-AB8403491035
                   USN:  771957
    
              Partner Name: **DELETED SERVER #5
                   Partner GUID: 728C6413-370F-43F0-95E8-53CD64E32194
                   USN:  78033
    
              Partner Name: **DELETED SERVER #6
                   Partner GUID: 72A57D53-9AD1-4255-9F27-B7333ED68109
                   USN:  55001
    
              Partner Name: **DELETED SERVER #7
                   Partner GUID: B1B1CEDF-29B1-44FE-82F6-8EA0D32DC1C8
                   USN:  205134
    
              Partner Name: **DELETED SERVER #8
                   Partner GUID: B34B4EC1-2B6B-4607-99E6-CF57DF008237
                   USN:  468587
    
              Partner Name: **DELETED SERVER #9
                   Partner GUID: BBCBFDDD-2243-4565-8BC0-7B90B8264603
                   USN:  794418
    
              Partner Name: Courthouse\ALPHA
                   Partner GUID: C19B5CA3-21E4-4126-9ABB-DCF25438BCF7
                   USN:  9780749
    
              Partner Name: **DELETED SERVER #11
                   Partner GUID: E23D7014-29D2-41A6-B4FF-DF85DFB61270
                   USN:  766361
    
         Directory Partition: DC=ForestDnsZones,DC=MyDomain,DC=com
    
              Partner Name: **DELETED SERVER #2
                   Partner GUID: 1383C925-2759-4CC9-BD24-A9DC1166AEF3
                   USN:  794894
    
              Partner Name: Courthouse\OMEGA
                   Partner GUID: 2F963C91-36EF-4872-BBB4-D343092F1910
                   USN:  3759430
    
              Partner Name: **DELETED SERVER #3
                   Partner GUID: 43F9D274-2539-49E3-9C92-AB8403491035
                   USN:  771962
    
              Partner Name: **DELETED SERVER #5
                   Partner GUID: 728C6413-370F-43F0-95E8-53CD64E32194
                   USN:  78038
    
              Partner Name: **DELETED SERVER #6
                   Partner GUID: 72A57D53-9AD1-4255-9F27-B7333ED68109
                   USN:  55000
    
              Partner Name: **DELETED SERVER #7
                   Partner GUID: B1B1CEDF-29B1-44FE-82F6-8EA0D32DC1C8
                   USN:  205134
    
              Partner Name: **DELETED SERVER #8
                   Partner GUID: B34B4EC1-2B6B-4607-99E6-CF57DF008237
                   USN:  468592
    
              Partner Name: **DELETED SERVER #9
                   Partner GUID: BBCBFDDD-2243-4565-8BC0-7B90B8264603
                   USN:  794418
    
              Partner Name: Courthouse\ALPHA
                   Partner GUID: C19B5CA3-21E4-4126-9ABB-DCF25438BCF7
                   USN:  9780749
    
              Partner Name: **DELETED SERVER #11
                   Partner GUID: E23D7014-29D2-41A6-B4FF-DF85DFB61270
                   USN:  766366
    So when I check to see who's got my 5 roles, I see that the DC here has 4... the 5th is the Domain Naming role, which I understand isn't necessary unless I'm changing domain names...

    So to this day, when I go to connect to the DHCP server, it still lists the old name of the DHCP server (PDC1) even though PDC1 has been offline for 3 months. I can see some of the entries with ADSI but can't change them... I suppose I could, but I don't know how many places that attribute is written.

    And also the Kerberos thing. I can only figure that the failed tickets that are being issued were based on a server previously online that was the key issuing server that is no longer there..

    With the Exchange server being online now, I would like the K to work... any thoughts?

    Will re-running dcpromo on the FSMO here change anything?

    I'm so stuck on this one... thanks again for your help guys!

    James
    It's easier to beg forgiveness than ask permission.
    Give karma where karma is due...

  • #2
    Re: DCs, FSMO, and dcpromo...

    After the roles had been seized, was metadata cleanup done?
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Re: DCs, FSMO, and dcpromo...

      Originally posted by JeremyW
      After the roles had been seized, was metadata cleanup done?
      Yes, I suppose it was. I don't see any other servers in the active list.. the FSMO and secondary are the only servers online. Yet I still see the names of non-existent servers when I pull up some MMC consoles, like DHCP, and also in ADSI.

      The only reason I'm checking is because of these damn Kerberos errors... I have massive eventvwr logs of this Kerberos shizzle... I mean like 65,000 in 2 days. I exported a log from the eventvwr that was 112 megs.
      112 MEGS!!!

      At first, I thought my techs were making imaged computers without changing the SID, but I am seeing computers with the factory image in the eventvwr too. That left me with the dcpromo thought.

      When I use the metadata, I don't see anything but alpha and omega. If I try to specify a computer to remove that isn't in the list, but that I can see on an MMC console, it doesn't find the server... so it looks as though they were removed.

      ****Let's speak hypothetically for a moment****

      Let's say that I grab another blade I have that is not in heavy use...
      I make it a DC and allow time for replication...
      I dcpromo and demote the current FSMO (alpha)...
      ...then dcpromo the second blade to allow it to seize all 5 roles.
      Take alpha offline.
      ntdsutil to make sure all metadata is gone.
      This will leave me with one FSMO and the secondary.
      Restore alpha and dcpromo/demote the new FSMO...
      Allow the new alpha to take over FSMO operations...

      Then I should only have one key issuing service... right?

      Kerberos is such a love/hate relationship. I love to hate it, it hates loving me...

      Thanks for the suggestion. I ran through that dev page and it was stuff I've already gone through.. but seriously: MUCH APPRECIATED!
      I am seriously going to have to use one of the 5 tickets I have prepaid M$ for to resolve this issue, I believe. I can't figure it out... I know I'm on the right track, but a little bit of knowledge is a dangerous thing.

      Anyone else?
      It's easier to beg forgiveness than ask permission.
      Give karma where karma is due...



      • #4
        Re: DCs, FSMO, and dcpromo...

        Let's separate the issues.

        DHCP:
        To clean up the data about stale DHCP servers, navigate to:
        CN=NetServices,CN=Services,CN=Configuration,DC=domain,DC=com
        You will find there at least 2 objects:
        CN=dhcpRoot
        CN=<DHCP Root Name - probably IP of first DHCP server>

        Use adsiedit.msc to edit the dhcpServers attribute of CN=<DHCP Root Name - probably IP of first DHCP server> and remove the lines referencing the stale DHCP servers - be careful not to delete existing DHCP servers.

        Let the change replicate and you should be done (you might need to restart the DHCP Server service to pick up the changes).

        As for the Kerberos errors, could you please post some examples and event IDs?
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"
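The pruning step described in this post, as an added example that is not from the thread: it parses dhcpServers values in the `i<ip>$r<rdn>$f<flags>$s<server>$` layout that the later post's paste suggests (the keyed-field layout is an assumption), drops only the entries naming a stale host, and refuses to run if an active server would be lost. Sample values and host names are constructed placeholders.

```python
"""Prune stale entries from a dhcpServers attribute value list.

Assumed layout of each value (fields separated by '$', keyed by first letter):
    i<ip>$r<rdn>$f<flags>$s<server name>$
"""

# Constructed sample values; IPs and names are placeholders, not the
# poster's directory contents.
SAMPLE_DHCPSERVERS = [
    "i192.0.2.10$rcn=alpha.mydomain.com$f0x00000000$salpha.mydomain.com$",
    "i192.0.2.11$rcn=clerkpdc1.mydomain.com$f0x00000000$sclerkpdc1.mydomain.com$",
    "i192.0.2.12$rcn=omega.mydomain.com$f0x00000000$somega.mydomain.com$",
]

FIELD_KEYS = {"i": "ip", "r": "rdn", "f": "flags", "s": "server"}


def parse_value(value):
    """Split one dhcpServers value into its keyed fields."""
    fields = {}
    for part in value.strip("$").split("$"):
        if not part:
            continue
        key, body = part[0], part[1:]
        name = FIELD_KEYS.get(key)
        if name is None:
            raise ValueError(f"unknown field {key!r} in {value!r}")
        fields[name] = body
    missing = set(FIELD_KEYS.values()) - fields.keys()
    if missing:
        raise ValueError(f"value {value!r} lacks {sorted(missing)}")
    return fields


def prune_stale(values, stale_hosts, active_hosts):
    """Return (keep, drop). A value is dropped only when its server name is in
    stale_hosts; the active list is a guard so a typo cannot remove a live
    DHCP server (the caveat in the post above)."""
    stale = {h.lower() for h in stale_hosts}
    active = {h.lower() for h in active_hosts}
    clash = stale & active
    if clash:
        raise ValueError(f"hosts listed as both stale and active: {sorted(clash)}")
    keep, drop = [], []
    for value in values:
        host = parse_value(value)["server"].lower()
        (drop if host in stale else keep).append(value)
    kept_hosts = {parse_value(v)["server"].lower() for v in keep}
    if not active <= kept_hosts:
        raise ValueError(f"active servers missing after prune: {sorted(active - kept_hosts)}")
    return keep, drop


if __name__ == "__main__":
    keep, drop = prune_stale(
        SAMPLE_DHCPSERVERS,
        stale_hosts=["clerkpdc1.mydomain.com"],
        active_hosts=["alpha.mydomain.com", "omega.mydomain.com"],
    )
    print("remove from dhcpServers:", drop)
    print("keep:", keep)
```

The `drop` list is what you would remove from the attribute in adsiedit.msc; the `keep` list is what must still be there afterwards.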



        • #5
          Re: DCs, FSMO, and dcpromo...

          Yes.. you're correct. 1 issue at a time...

          The DHCP entries in the schema... so I browse down to the cn=netservices and take a peek. Yup, it's there.
          Names Class dHCPClass
          CN=clerkpdc1.mydomain.com CN=clerkpdc1.mydomain.com,...com
          CN=DhcpRootCN=DhcpRoot,CN...=com
          ivi192.168.5.10$rcn=alpha.duvalflclerk.com$f0x0000 0000$salpha.*.com$

          So this is odd.. I found the places you referenced. I had seen them earlier, but figured there were more so I didn't make any changes. This time I did. I tried editing the "CN=clerkpdc1.mydomain.com" and it would not allow me.

          I find this odd being that I'm an everything admin.. schema, enterprise, domain... every one and no grey or special permissions. AD says I have full control when I check effective permissions on the object. I used it the other day to remove public folders from a failed front end, but it tells me these are system owned and cannot be changed.. so I made me the owner, but still no go.. I put it back and quit for the day.

          The error logs for the Kerberos and the LSA stuff... there are so many but they are all the same type. Here is a sample of an export of the raw text log (I won't bore you, they just repeat in the same fashion...):
          Code:
          Warning	8/29/2006	4:56:45 PM	LsaSrv	SPNEGO (Negotiator) 	40960	N/A	ALPHA
          Warning	8/29/2006	4:56:43 PM	LsaSrv	SPNEGO (Negotiator) 	40960	N/A	ALPHA
          Warning	8/29/2006	4:56:42 PM	LsaSrv	SPNEGO (Negotiator) 	40960	N/A	ALPHA
          Warning	8/29/2006	4:55:34 PM	LsaSrv	SPNEGO (Negotiator) 	40960	N/A	ALPHA
          Error	8/29/2006	4:55:21 PM	Kerberos	None	4	N/A	ALPHA
          Warning	8/29/2006	4:55:16 PM	LsaSrv	SPNEGO (Negotiator) 	40960	N/A	ALPHA
          Warning	8/29/2006	4:55:14 PM	LsaSrv	SPNEGO (Negotiator) 	40960	N/A	ALPHA
          Warning	8/29/2006	4:55:05 PM	LsaSrv	SPNEGO (Negotiator) 	40960	N/A	ALPHA
          Warning	8/29/2006	4:54:51 PM	LsaSrv	SPNEGO (Negotiator) 	40960	N/A	ALPHA
          Error	8/29/2006	4:54:50 PM	Kerberos	None	4	N/A	ALPHA
          Warning	8/29/2006	4:54:44 PM	LsaSrv	SPNEGO (Negotiator) 	40960	N/A	ALPHA
          Warning	8/29/2006	4:54:43 PM	LsaSrv	SPNEGO (Negotiator) 	40960	N/A	ALPHA
          Warning	8/29/2006	4:54:41 PM	LsaSrv	SPNEGO (Negotiator) 	40960	N/A	ALPHA
          Warning	8/29/2006	4:54:41 PM	LsaSrv	SPNEGO (Negotiator) 	40960	N/A	ALPHA
          Warning	8/29/2006	4:54:38 PM	LsaSrv	SPNEGO (Negotiator) 	40960	N/A	ALPHA
          The event 4s read:
          The kerberos client received a KRB_AP_ERR_MODIFIED error from the server LKHGC7P$. The target name used was cifs/LKCWW5F.MyDomain.com. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (MYDOMAIN.COM), and the client realm. Please contact your system administrator.
          (LKHGC7P is not a server at all.. it's a client XP workstation. I get these on occasion. The XP box will force an election, wtf?)

          The other events look like:
          The Security System detected an authentication error for the server cifs/ka1f7t9.DuvalFlClerk.com. The failure code from authentication protocol Kerberos was "The attempted logon is invalid. This is either due to a bad username or authentication information.
          (0xc000006d)".

          The Security System detected an authentication error for the server cifs/DELTA. The failure code from authentication protocol Kerberos was "The attempted logon is invalid. This is either due to a bad username or authentication information.
          (0xc000006d)".
          In the above example, Delta is an SQL server...

          This is the master browser routine I get on occasion:
          The master browser has received a server announcement from the computer KLMLT8Y that believes that it is the master browser for the domain on transport NetBT_Tcpip_{D96AF763-03D3-4324-9. The master browser is stopping or an election is being forced.

          None of the event IDs yield much info.. for example:
          Details
          Product: Windows Operating System
          Event ID: 40960
          Source: LSASRV
          Version: 5.2
          Symbolic Name: NEGOTIATE_DOWNGRADE_DETECTED
          Message: The Security System detected an authentication error for the server %1. The failure code from authentication protocol %2 was %3.



          Sorry for the long post. Thanks again for the input guys. Me and one other guy manage a 35 plus server domain for a new government agency and it's kickin' my arse a little... Thank you again!
          It's easier to beg forgiveness than ask permission.
          Give karma where karma is due...
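A triage pass over an export like the one pasted above, as an added example that is not part of the thread: it sizes the noise per source/event ID from the tab-separated summary columns, and pulls the responding machine account and requested SPN out of the Event 4 text so the name mismatch visible in the quoted message (ticket for one host, answered by another) is flagged automatically. The sample lines and Event 4 messages are constructed from the thread's format with placeholder host names.

```python
"""Triage an Event Viewer tab-separated export and Kerberos Event 4 text.

Summary columns (as in the export above): Type, Date, Time, Source,
Category, EventID, User, Computer.
"""
import re
from collections import Counter

# Constructed sample export, same column layout as the thread's paste.
SAMPLE_EXPORT = """\
Warning\t8/29/2006\t4:56:45 PM\tLsaSrv\tSPNEGO (Negotiator) \t40960\tN/A\tALPHA
Error\t8/29/2006\t4:55:21 PM\tKerberos\tNone\t4\tN/A\tALPHA
Warning\t8/29/2006\t4:55:16 PM\tLsaSrv\tSPNEGO (Negotiator) \t40960\tN/A\tALPHA
Error\t8/29/2006\t4:54:50 PM\tKerberos\tNone\t4\tN/A\tALPHA
Warning\t8/29/2006\t4:54:44 PM\tLsaSrv\tSPNEGO (Negotiator) \t40960\tN/A\tALPHA
"""

# Constructed Event 4 messages built from the wording quoted in the post;
# WS0001/WS0002/DELTA are placeholders.
SAMPLE_EVENT4_MESSAGES = [
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "WS0001$. The target name used was cifs/WS0002.mydomain.com. This indicates "
    "that the password used to encrypt the kerberos service ticket is different "
    "than that on the target server.",
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "DELTA$. The target name used was cifs/DELTA.mydomain.com. This indicates ...",
]

COLUMNS = ["type", "date", "time", "source", "category", "event_id", "user", "computer"]


def summarize_export(text):
    """Count events per (source, event_id) so the 112 MB of noise can be sized."""
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            raise ValueError(f"unexpected column count in: {line!r}")
        row = dict(zip(COLUMNS, fields))
        counts[(row["source"], int(row["event_id"]))] += 1
    return counts


_AP_ERR = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server (?P<account>[^\s.]+)\$\. "
    r"The target name used was (?P<spn>\S+?)\.?\s"
)


def parse_ap_err_modified(message):
    """Extract the responding machine account and the SPN the client asked for.

    host_mismatch is True when they name different hosts: the ticket was cut
    for one machine's key but answered by another, which points at a duplicate
    machine account (as the event text says) or a stale name-to-address
    mapping. That is the first thing to check for each Event 4."""
    m = _AP_ERR.search(message)
    if not m:
        return None
    account, spn = m.group("account"), m.group("spn")
    target_host = spn.split("/", 1)[-1].split(".", 1)[0]
    return {"account": account, "spn": spn,
            "host_mismatch": account.lower() != target_host.lower()}


if __name__ == "__main__":
    for key, n in summarize_export(SAMPLE_EXPORT).most_common():
        print(f"{key[0]:>10} event {key[1]:>6}: {n}")
    for msg in SAMPLE_EVENT4_MESSAGES:
        print(parse_ap_err_modified(msg))
```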



          • #6
            Re: DCs, FSMO, and dcpromo...

            From the first look I get an impression that you have a bunch of clients & servers that have a broken security channel with the AD, but first I'd run some tests on the DCs to make sure it is healthy.

            Run dcdiag and netdiag on the DCs and search for errors. If you can, post the errors/warnings here.

            The fact that you could not update the dhcpServers attribute on CN=clerkpdc1.mydomain.com makes me think that either you have permissions issue or something is broken, but let's not speculate without running diagnostics.

            Are you using the Administrator account or your own account?

            btw, from the output of replmon it looks like you have remains of DCs that no longer exist and you should perform metadata cleanup as already suggested.
            Last edited by guyt; 30th August 2006, 00:08.
            Guy Teverovsky
            "Smith & Wesson - the original point and click interface"



            • #7
              Re: DCs, FSMO, and dcpromo...

              Code:
              C:\>dcdiag
              
              Domain Controller Diagnosis
              
              Performing initial setup:
                 Done gathering initial info.
              
              Doing initial required tests
              
                 Testing server: Courthouse\ALPHA
                    Starting test: Connectivity
                       ......................... ALPHA passed test Connectivity
              
              Doing primary tests
              
                 Testing server: Courthouse\ALPHA
                    Starting test: Replications
                       ......................... ALPHA passed test Replications
                    Starting test: NCSecDesc
                       ......................... ALPHA passed test NCSecDesc
                    Starting test: NetLogons
                       ......................... ALPHA passed test NetLogons
                    Starting test: Advertising
                       ......................... ALPHA passed test Advertising
                    Starting test: KnowsOfRoleHolders
                       ......................... ALPHA passed test KnowsOfRoleHolders
                    Starting test: RidManager
                       ......................... ALPHA passed test RidManager
                    Starting test: MachineAccount
                       ......................... ALPHA passed test MachineAccount
                    Starting test: Services
                       ......................... ALPHA passed test Services
                    Starting test: ObjectsReplicated
                       ......................... ALPHA passed test ObjectsReplicated
                    Starting test: frssysvol
                       ......................... ALPHA passed test frssysvol
                    Starting test: frsevent
                       ......................... ALPHA passed test frsevent
                    Starting test: kccevent
                       ......................... ALPHA passed test kccevent
                    Starting test: systemlog
                       ......................... ALPHA passed test systemlog
                    Starting test: VerifyReferences
                       ......................... ALPHA passed test VerifyReferences
              
                 Running partition tests on : ForestDnsZones
                    Starting test: CrossRefValidation
                       ......................... ForestDnsZones passed test CrossRefValidation
              
                    Starting test: CheckSDRefDom
                       ......................... ForestDnsZones passed test CheckSDRefDom
              
                 Running partition tests on : DomainDnsZones
                    Starting test: CrossRefValidation
                       ......................... DomainDnsZones passed test CrossRefValidation
              
                    Starting test: CheckSDRefDom
                       ......................... DomainDnsZones passed test CheckSDRefDom
              
                 Running partition tests on : Schema
                    Starting test: CrossRefValidation
                       ......................... Schema passed test CrossRefValidation
                    Starting test: CheckSDRefDom
                       ......................... Schema passed test CheckSDRefDom
              
                 Running partition tests on : Configuration
                    Starting test: CrossRefValidation
                       ......................... Configuration passed test CrossRefValidation
                    Starting test: CheckSDRefDom
                       ......................... Configuration passed test CheckSDRefDom
              
                 Running partition tests on : DuvalFlClerk
                    Starting test: CrossRefValidation
                       ......................... MyDomain passed test CrossRefValidation
                    Starting test: CheckSDRefDom
                       ......................... MyDomain passed test CheckSDRefDom
              
                 Running enterprise tests on : DuvalFlClerk.com
                    Starting test: Intersite
                       ......................... DuvalFlClerk.com passed test Intersite
                    Starting test: FsmoCheck
                       ......................... MyDomain.com passed test FsmoCheck
              I'm not going to post the verbose log in its entirety because the output was 118 pages long, but I'll put in the areas that say failed or warning...
              Code:
                      NetBT name test. . . . . . : Passed
                          NetBT_Tcpip_{D96AF763-03D3-4324-978A-3C28FE9CD1F1}
                          ALPHA          <00>  UNIQUE      REGISTERED
                          DUVALFLCLERK   <00>  GROUP       REGISTERED
                          DUVALFLCLERK   <1C>  GROUP       REGISTERED
                          ALPHA          <20>  UNIQUE      REGISTERED
                          DUVALFLCLERK   <1B>  UNIQUE      REGISTERED
                          DUVALFLCLERK   <1E>  GROUP       REGISTERED
                          DUVALFLCLERK   <1D>  UNIQUE      REGISTERED
                          ..__MSBROWSE__.<01>  GROUP       REGISTERED
                      [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
              r Service', <20> 'WINS' names is missing.
              
              IP General configuration
                  LMHOSTS Enabled. . . . . . . . : No
                  DNS for WINS resolution. . . . : Enabled
                  Node Type. . . . . . . . . . . : Hybrid
                  NBT Scope ID . . . . . . . . . :
                  Routing Enabled. . . . . . . . : No
                  WINS Proxy Enabled . . . . . . : No
                  DNS resolution for NETBIOS . . : No
              
              
              NetBT name test. . . . . . . . . . : Passed
                 No NetBT scope defined
                  [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
              ce', <03> 'Messenger Service', <20> 'WINS' names defined.
              
              Hostname: ALPHA.MyDomain.com.
                        Authoritative zone: MyDomain.com.
                        Primary DNS server: ALPHA.MyDomain.com 192.168.5.10
                        Authoritative NS:192.168.110.11 192.168.110.10 192.168.5.10 192.168.11
              0.12
              Check the DNS registration for DCs entries on DNS server '192.168.5.10'
              The Record is correct on DNS server '192.168.5.10'.
              
              The Record is different on DNS server '192.168.5.10'.
              DNS server has more than one entries for this name, usually this means there are
               multiple DCs for this domain.
              Your DC entry is one of them on DNS server '192.168.5.10', no need to re-registe
              r.
              +------------------------------------------------------+
              The record on your DC is:
              DNS NAME = _kerberos._tcp.dc._msdcs.MyDomain.com.
              DNS DATA =
                          SRV 0 100 88 ALPHA.MyDomain.com.
              
              The record on DNS server 192.168.5.10 is:
              DNS NAME = _kerberos._tcp.dc._msdcs.MyDomain.com
              DNS DATA =
                          SRV 0 100 88 alpha.MyDomain.com
                          SRV 0 100 88 omega.MyDomain.com
              +------------------------------------------------------+
              netdiag and dcdiag both pass. The Kerberos portion of the test says that it passes...


              btw, from the output of replmon it looks like you have remains of DCs that no longer exist and you should perform metadata cleanup as already suggested.
              Yeah... it does look like a mess. I made an attempt at the metadata cleanup... but I don't see how to "clean" it any more than it already is. If I were going to identify replication partners, I would go to AD Sites and Services and check the NTDS partners... I only see the two that are currently online. When I try to clean anything, the object can't be found by name.. I cannot resolve the names of the previous servers.

              The permissions issue.... I was logged in as myself. I am currently a member of Domain Admins, Schema Admins, Enterprise Admins, Remote Users, VPN Users (security group I made for RADIUS auth), Domain Users, Exchange Services, and Exchange Domain Servers... I don't see where the deny would be... I can make changes to user objects and public folders... though I do admit I have permission problems because of the overlapping roles I have here.

              I will create a new account as a schema admin and see if that resolves the modify permissions..

              At this point, I think I should just wait till the 24 IBM blades and the DS4000 get here. VMotion could fix this with the quickness...

              And GuyT and Jeremy, thank you again for the advice... it's hard to find a collection of skilled professionals with advice for free, and this place takes the cake.
              It's easier to beg forgiveness than ask permission.
              Give karma where karma is due...
