none
GPO Management not working after moving AD from 2003 to 2008

    Question

  • Hi all,

    I already move my AD from win 2003 to 2008, already confirm FSOM already on the new domain controller. I didn't demote the 2003 server.

    So when i do edit GPO, i get an error

    Failed to open group policy object, You may not have appropriate rights.

    Details :  the network name cannot be found


    If i switch to the old domain controller, I can edit the policy without any problem. Any idea how to fix this? I need ot shutdown my 2003 server soon

    Monday, June 22, 2015 6:24 AM

Answers

  • Hello,

    let's start with some basic settings and post an unedited ipconfig /all from the old and new DC.

    Additional run "net share" in an elevated command prompt and check on both DCsthat NETLOGON and SYSVOL are there and then check on the new DC that it contains the same information as the old DC.


    Best regards

    Meinolf Weber

    MVP, MCP, MCTS

    Microsoft MVP - Directory Services

    My Blog: http://blogs.msmvps.com/MWeber

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Twitter:  

    Monday, June 22, 2015 8:11 AM
  • yes take a look at my tutorial here

    http://www.networkangel.net/active-directory-health-check-tools

    Or check out my list of free active directory tools that you can download which will help find any problems in your replication and help you troubleshoot


    Cheers,

    Andrew

    MCSE, MCSA, VCP, CCNA, SNIA

    Microsoft Infrastructure Consultant

    Blog: Network Angel LinkedIn:

    Note: Please remember to mark as "propose as answer" to help other members. Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Wednesday, June 24, 2015 10:45 AM

All replies

  • Hi,

    Do you get errors when editing any GPO or just that one using the new domain controller?

    Do you have SYSVOL in sync between the 2 domain controllers?

    Any errors on dcdiag /a on the domain controllers?

    Regards,

    Calin

    Monday, June 22, 2015 7:56 AM
  • Hello,

    let's start with some basic settings and post an unedited ipconfig /all from the old and new DC.

    Additional run "net share" in an elevated command prompt and check on both DCsthat NETLOGON and SYSVOL are there and then check on the new DC that it contains the same information as the old DC.


    Best regards

    Meinolf Weber

    MVP, MCP, MCTS

    Microsoft MVP - Directory Services

    My Blog: http://blogs.msmvps.com/MWeber

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Twitter:  

    Monday, June 22, 2015 8:11 AM
  • You may have an issue with your replication between the 2 domain controllers

    Run a health check on your DCs to check the replication, heres a tutorial on how to perform a health report on your DCs

    http://www.networkangel.net/active-directory-health-check-tools


    Cheers,

    Andrew

    MCSE, MCSA, VCP, CCNA, SNIA

    Microsoft Infrastructure Consultant

    Blog: Network Angel LinkedIn:

    Note: Please remember to mark as "propose as answer" to help other members. Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, June 22, 2015 8:16 AM
  • on the new DC, edit any gpo will give error..

    I notice the sysvol folder is empty on the new DC server..

    I guess the replication didn't work. Any guide that i can view or setup the replication for the gpo?

    Sorry my first time handling windows server, i'm used to do novell servers

    Tuesday, June 23, 2015 12:19 AM
  • yes take a look at my tutorial here

    http://www.networkangel.net/active-directory-health-check-tools

    Or check out my list of free active directory tools that you can download which will help find any problems in your replication and help you troubleshoot


    Cheers,

    Andrew

    MCSE, MCSA, VCP, CCNA, SNIA

    Microsoft Infrastructure Consultant

    Blog: Network Angel LinkedIn:

    Note: Please remember to mark as "propose as answer" to help other members. Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Wednesday, June 24, 2015 10:45 AM
  • Hello Partick,

    You can refer to below articles to trouble shoot the sysvol replication and rebuild the sysvol tree.

    https://support.microsoft.com/en-us/kb/2958414?wa=wsignin1.0

    https://support.microsoft.com/en-us/kb/315457

    Hope it helps.

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 25, 2015 7:34 AM
    Moderator