
Recently moved FSMO roles, DNS, and DHCP to a new controller... issues


dgarner58 (IS-IT--Management), Oct 8, 2003
OK, so last week we moved the aforementioned things to a new server. Everything SEEMED to go OK, but now I am getting a few Windows XP clients with Kerberos errors. I am also getting Netlogon errors on the new "PDC" referring to broken trusts for computer accounts and also corrupt computer accounts.

We have unjoined these PCs from the domain and rejoined them. The issue remains.

This is causing them to not be able to browse either the old "PDC" or the new one. Strangely, if I ping the old one it resolves to the old IP it was using (now switched to the new operations master). It resolves, but not to a domain name. For instance:

Ping sbcg-pdc-atl

resolves to sbcg-pdc-atl, not sbcg-pdc-atl.atlanta.com like it should.

If I ping the FQDN then it resolves to the proper IP. If I browse to the FQDN from the Start/Run prompt it works. If I browse to just sbcg-pdc-atl then it tells me the target name is invalid or perhaps I don't have permission to access the resource.

I thought at first that I should remove the old machine (still a DC) as a Global Catalog, so I did. This didn't help. I am at a loss currently and would like to avoid calling MS, but I will if I have some serious AD issues. I am thinking perhaps I didn't give enough time for syncing in between these changes and perhaps the security database is fubar.

Has ANYONE seen any issues like this before?
 
From the server holding the PDC emulator role, do an nslookup. What does it resolve? Check the DNS servers for valid records for each DC. Check the SRV records too. Make sure there are no old records (and PTR records) associated with the old address / name.

I am gonna take a guess at the Kerberos as possible time and DNS issues. Others probably know more about this, but I am aware of the critical nature of both time and DNS in a Windows 2000 environment.

scottie
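The DNS checks scottie describes, written out as an added PowerShell example (not code from the thread or from Tek-Tips). It assumes the AD DNS domain is atlanta.com (taken from the FQDN in the original post) and a domain-joined machine with the DnsClient module (Windows 8 / Server 2012 or later); the record names and the 'sbcg-pdc-atl' host are the ones the thread mentions. It lists the SRV records for domain controllers, KDCs and global catalogs, resolves each target, and flags any target whose reverse (PTR) record does not point back at the same host, which is the stale-record situation that follows an address move.

```powershell
# Added example: verify the DNS records AD depends on after moving a DC.
# Assumptions (not from the thread): domain atlanta.com, DnsClient module available.
$domain = 'atlanta.com'
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",   # every domain controller
    "_kerberos._tcp.$domain",         # every KDC
    "_gc._tcp.$domain"                # every global catalog
)

foreach ($name in $srvNames) {
    Write-Host "== $name"
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop
    } catch {
        Write-Warning "no SRV record for $name (DC not registered, or DNS not dynamic)"
        continue
    }
    foreach ($rec in ($srv | Where-Object { $_.Type -eq 'SRV' })) {
        $target = $rec.NameTarget.TrimEnd('.')
        $a = Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
        if (-not $a) { Write-Warning "$target has no A record"; continue }
        foreach ($addr in $a.IPAddress) {
            # The reverse lookup must name the same host; anything else is a stale PTR
            # left over from the old address, or a PTR that was never created.
            $ptr = Resolve-DnsName -Name $addr -Type PTR -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'PTR' }
            $back = if ($ptr) { $ptr.NameHost.TrimEnd('.') } else { '<none>' }
            $status = if ($back -ieq $target) { 'ok' } else { 'STALE OR MISSING PTR' }
            "{0,-35} {1,-15} PTR={2,-35} {3}" -f $target, $addr, $back, $status
        }
    }
}

# The symptom from the post: the single-label name and the FQDN should resolve
# to the same address. If they differ, the client's DNS suffix list or a stale
# record (or a WINS/broadcast answer) is supplying the short-name result.
$short = 'sbcg-pdc-atl'
Write-Host "== short name vs FQDN"
Resolve-DnsName -Name $short -Type A -ErrorAction SilentlyContinue |
    Select-Object Name, IPAddress
Resolve-DnsName -Name "$short.$domain" -Type A -ErrorAction SilentlyContinue |
    Select-Object Name, IPAddress
```

Run it from the new PDC emulator and from one of the affected XP clients; a record that differs between the two runs points at the client's DNS server setting rather than at the zone itself. Any line marked STALE is a candidate for deletion from the reverse zone, after which `ipconfig /registerdns` and a restart of the Netlogon service on the DC re-create the correct records.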
 
Are you getting any odd messages in Event Viewer?
 
I am getting Netlogon errors on the DCs, even the one that is no longer a global catalog, and I am getting Kerberos errors on the workstations that are being afflicted.
 
Can you elaborate on the errors?

Have you checked that all machines agree on the time?
 
Can you post the actual event logs? I actually moved the FSMO roles to a new server a few months back. Mostly OK, but there are some error messages in my logs. Interested to see if you have the same ones also.
 
Netlogon errors are 5790 and 5723.

Both errors are pointing to a broken trust or a corrupt or missing computer account. Strangely, these errors are on a machine that is no longer a global catalog. These errors also reference computer accounts that no longer exist.


One thing has come up in my research. Someone mentioned time issues, which made me remember that the old "PDC" was configured as THE time server for the rest of the domain. Well, this new one has never been configured, so I have time issues.
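Fixing the time hierarchy the poster has just identified, as an added example (not from the thread): the host that now holds the PDC emulator role becomes the authoritative time source for the forest, and every other DC and member syncs from the domain hierarchy. The `w32tm` options used here are the Windows XP / Server 2003 and later syntax (Windows 2000 used `net time` and registry settings instead); `time.example.net` is a placeholder for whatever external NTP source the site actually uses, and the DC name is the one from the thread. Run each part elevated on the machine it names.

```powershell
# Added example: rebuild the domain time hierarchy after moving the PDC emulator.
# Assumptions (not from the thread): w32tm with /config, /resync and /stripchart
# (XP/2003+); time.example.net is a placeholder NTP source.

# --- 1. On the NEW PDC emulator: sync from an external source and advertise
#        itself as a reliable time source to the rest of the forest.
w32tm /config /manualpeerlist:"time.example.net,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync

# --- 2. On the OLD DC (no longer PDC emulator) and every other DC and member:
#        stop using a hard-coded peer and follow the domain hierarchy instead.
w32tm /config /syncfromflags:domhier /reliable:no /update
Restart-Service w32time
w32tm /resync

# --- 3. Check the offset against the PDC emulator from any machine.
#        Kerberos rejects tickets when clocks differ by more than the domain's
#        MaxClockSkew (5 minutes by default), so anything near that is a finding.
w32tm /stripchart /computer:sbcg-pdc-atl.atlanta.com /samples:5 /dataonly
w32tm /query /source      # should name a DC, not "Local CMOS Clock" (Vista/2008+)
w32tm /query /status      # stratum and last successful sync time (Vista/2008+)
```

After step 2, client workstations that still show Kerberos errors should be checked with the same stripchart command; the offset column shows exactly how far each box has drifted, and a skew over five minutes explains the "target name is invalid" style failures without any computer-account corruption being involved.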
 