Domain Controller Security Policy

Status
Not open for further replies.

andysk

IS-IT--Management
Sep 15, 2000
53
ID
Dear All,

I have a Win 2003 Std Server (A), as main domain controller and a Win 2003 Std Server (B), as secondary domain controller.

I am planning to shut off Server A and switch it permanently to Server B. I did enable Global Catalog on both servers and have transferred all FSMO to Server B, and have verified in Operation Master that everything (NETDOM query FSMO) is on Server B.

I leave Global Catalog enabled on Server A and don't demote the domain controller on Server A either, on account that if something goes wrong, I can just turn Server A on again.

Now I take down Server A and restart Server B, and I can open Active Directory Users and Computers, Active Directory Sites and Services, and Active Directory Domains and Trusts. However, I can't open Domain Controller Security Policy and Domain Security Policy; I got an error message: Failed to open the Group Policy Object. You may not have appropriate right, network path was wrong.

What might be wrong? Should I disable Global Catalog on Server A and also demote the domain controller on Server A? Or is there another way?

Please advise.

Thanks,
Andy
 
When you open the GPMC, right click on the domain name on the left, and choose "change domain controller". Pick domain controller B and see if that helps.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Hi Pat, I have tried to do as you say, but it still doesn't work. After I ran GPMC and DCDiag, my Active Directory user and domain also don't work, and when I tried to issue NETDOM query FSMO, I got the error message: Domain could not be contacted or does not existed
 
Now, after a while, I rechecked it, and Active Directory Users and Computers came back to work and NETDOM query FSMO is also back to work. How strange.
 
Seems like a DNS problem.
Do you have a DNS server installed on server B?
Is your B server pointing to itself for DNS server in TCP/IP settings?

===
Karlis
ECDL; MCSA
 
Hi All,

I have "forced" a copy of the sysvol directory from Server A to Server B, and shared it like on Server A (both Netlogon and SYSVOL); now the Domain Controller Security Policy finally works.

The next problem is that when I try to join the domain from one of the stations (XP), the error message is:
A domain controller for the domain Royalchemie.com could not be contacted.
Ensure that the domain name is typed correctly.
If the name is correct, click Details for the troubleshooting information.

Detail :
Note : This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain Royalchemie.com
The query was for the SRV record for _ldap._tcp.dc._msdcs.Royalchemie.com
The following domain controllers were identified by the query :
fileserver.royalchemie.com
file_server.royalchemie.com
Common causes of this error include:
- Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.
- Domain controller registered in DNS are not connected to the network or are not running
For more information about correcting this problem, click Help.

Please advise. Thanks, Andy
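
Added example, not part of the thread: a PowerShell check that walks the two causes listed in the error detail above (missing Host (A) records, registered domain controllers that are not running) and also confirms that the SYSVOL and NETLOGON shares are reachable on each domain controller. It assumes a client with `Resolve-DnsName` (Windows 8 / Server 2012 or later); `Test-TcpPort` is a helper defined here, and the domain name is the one quoted in the post.

```powershell
# Added example: verify every DC returned by the SRV lookup.
# Assumption: run from a domain-joined or DNS-pointed client that has the
# DnsClient module (Resolve-DnsName). Test-TcpPort is a local helper.
param([string]$Domain = 'Royalchemie.com')

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Same SRV name the join wizard queried.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' }

foreach ($rec in $srv) {
    $dc = $rec.NameTarget

    # Cause 1: Host (A) record missing or wrong for the registered DC name.
    $ips = @(Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object { $_.IPAddress })

    # Cause 2: DC registered in DNS but not running or not on the network.
    $ldapUp = $false
    foreach ($ip in $ips) {
        if (Test-TcpPort -Address $ip -Port 389) { $ldapUp = $true; break }
    }

    [pscustomobject]@{
        DomainController = $dc
        ARecords         = if ($ips) { $ips -join ', ' } else { 'MISSING' }
        Ldap389Open      = $ldapUp
        SysvolShare      = Test-Path "\\$dc\SYSVOL"
        NetlogonShare    = Test-Path "\\$dc\NETLOGON"
    }
}
```

A row with `MISSING` A records or `Ldap389Open = False` points at a domain controller that is still registered in DNS but cannot be used by clients.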
 