
Event 1000 and AD inconsistencies

Author
6 Mar 2006 12:41 PM
Jaume Tomàs Amella
Hi everybody

We're trying to promote a new w2003 Server computer to DC, but we're having
several problems. By now, we have a w2000 server acting as the only DC in our
domain, but it seems its AD is not in a very healthy state. As a matter of
fact, in the "secpol" console we have detected that there are no users in the
"effective setting" part of "Enable computer and user accounts to be trusted
for delegation". And although we've tried to change that policy following a
well-known KB article (I don't remember the number at the moment, sorry), we
are getting "event 1000" errors: "Windows cannot access the file gpt.ini for
GPO. The file must be present at the location <>. (). Group policy processing
aborted". Thus, it is likely that our problems promoting the new DC arise
from this issue. Is there any way to troubleshoot such a security policy
issue? (We've just checked that SYSVOL permissions are correct and that
gpt.ini exists in %systemroot%\sysvol\domain\Policies and
%systemroot%\sysvol\sysvol\OURDOMAIN\Policies, but we're not experts in
Windows environments, unfortunately, and we don't know how to proceed
further.)


Best regards,

   Jaume

Author
6 Mar 2006 1:59 PM
Paul Bergson
You can't promote a 2003 DC into a 2000 domain without taking some preparatory
steps first.  Also, you need to examine your domain, since you could have
Exchange or older clients that might not be able to communicate once the
upgrade is complete.

Check out http://www.pbbergs.com
Select articles and read the article "Upgrade Your Forest".  Be sure to look
at each of the hyperlinks listed within the article itself.

--

Paul Bergson  MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com

This posting is provided "AS IS" with no warranties, and confers no rights.


Author
6 Mar 2006 2:39 PM
Jaume Tomàs Amella
Dear Paul,

Thank you very much for your reply. Hopefully, we have already taken the
preliminary measures described in several articles to upgrade a Windows 2000
domain (that means issuing the "adprep" command on our Windows 2000 server).
Exchange is not a great deal by now, as we use sendmail on another server.
Thus, our main concern is the default domain policy; we still think that
being unable to apply the delegation rights is preventing server promotion.

By the way, we have executed "dcdiag /v /fix" on our windows 2000 domain
controller. All tests are passed EXCEPT systemlog test, where an "Access
denied attempting to launch a DCOM server using DefaultLaunchPermission"
error is obtained.


          Best regards,

              Jaume  

Author
6 Mar 2006 3:52 PM
Paul Bergson
You could check out FRSDiag or Ultrasound.  Your GPOs are kept in the sysvol
location and this will help with this.  FRSDiag is easier to set up but
Ultrasound is more user friendly (it installs agents on the DCs).

FRSDiag
http://www.microsoft.com/downloads/details.aspx?FamilyId=43CB658E-8553-4DE7-811A-562563EB5EBF&displaylang=en

Ultrasound
http://www.microsoft.com/downloads/details.aspx?familyid=61acb9b9-c354-4f98-a823-24cc0da73b50&displaylang=en

--

Paul Bergson  MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com

This posting is provided "AS IS" with no warranties, and confers no rights.
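
A way to run the gpt.ini check discussed in this thread, as an added example that is not part of any post above: it walks a SYSVOL Policies directory and reports each GPO folder whose gpt.ini is missing, unreadable, or lacks a Version line. The function name and the sample tree with its GUIDs are hypothetical; PowerShell 3.0 or later is assumed, and on a real domain member you would pass the actual Policies path instead.

```powershell
# Added example. gpt.ini lives inside each GPO's own {GUID} folder under Policies,
# not in the Policies directory itself, so every GPO folder is checked separately.
function Test-GpoTemplate {
    param([Parameter(Mandatory)][string]$PoliciesPath)

    Get-ChildItem -LiteralPath $PoliciesPath -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $ini     = Join-Path $_.FullName 'gpt.ini'
            $status  = 'OK'
            $version = $null
            if (-not (Test-Path -LiteralPath $ini -PathType Leaf)) {
                $status = 'MissingGptIni'
            } else {
                try {
                    # -ErrorAction Stop turns an access-denied read into a catchable error.
                    $line = Get-Content -LiteralPath $ini -ErrorAction Stop |
                        Where-Object { $_ -match '^\s*Version\s*=\s*\d+\s*$' } |
                        Select-Object -First 1
                    if ($line) {
                        # Version is a 32-bit unsigned value, so parse it as a long.
                        $version = [long]($line -replace '\D', '')
                    } else {
                        $status = 'NoVersionLine'
                    }
                } catch {
                    $status = 'Unreadable'
                }
            }
            [pscustomobject]@{ Gpo = $_.Name; Status = $status; Version = $version }
        }
}

# Constructed sample tree (made-up GUIDs): one healthy GPO, one without gpt.ini.
$root = Join-Path ([IO.Path]::GetTempPath()) ('Policies-' + [guid]::NewGuid())
$good = New-Item -ItemType Directory -Path (Join-Path $root '{11111111-1111-1111-1111-111111111111}')
$null = New-Item -ItemType Directory -Path (Join-Path $root '{22222222-2222-2222-2222-222222222222}')
Set-Content -LiteralPath (Join-Path $good.FullName 'gpt.ini') -Value '[General]', 'Version=65539'

Test-GpoTemplate -PoliciesPath $root | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Run it under the account that reported the error, since a file that exists but is denied to that account shows up as `Unreadable` rather than `MissingGptIni`.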

