
Problems with GPO's after changing domain name in windows 2003


Dominic Maricic

Feb 12, 2004, 1:56:56 PM
Hi, I would greatly appreciate any help in this matter!

Because of constant problems with the single label domain name set up
I upgraded to windows 2003 and changed the domain name from xyz to
xyz.local. I finished the actual renaming but am now having problems
with gpfixup. I did not use the dfsutil because I have not used dfs
yet so there were no changes to make.

new dns zone looks correct.

gpfixup was giving me errors regarding gpt.ini not existing for a
policy, I couldn't get rid of the message so I ran gpfixup on one of
the domain controllers itself and it ran successfully. I was getting
event id 1058 and 1030 for policies that do exist (I can browse to the
folder) the message is access denied, but those seem to have gone away
now. Will this be sufficient or does the gpfixup have to run on the
member server I used as my control?

I also cannot access the domain security policy or domain policy, the
help guide says to right click, go to properties and change the
target, but the target box is blank and greyed out so I can't change
it. If I try looking at any of the group policies using ADUC they all
have exclamation marks next to them.

Ideas?

Thanks,
Dominic
Technology Coordinator

Dominic Maricic

Feb 12, 2004, 2:10:30 PM
I forgot to add that when running rendom /clean from the
member server I'm getting the following:

C:\DomainRename>rendom /clean
Couldn't Find a DC for the current Domain: The specified domain either does not exist or could not be contacted. :1355


Steven Liu

Feb 13, 2004, 12:21:11 AM
Hi Dominic,

I think you probably forgot to follow the section of "Step-by-Step Guide to
Implementing Domain Rename", available at
http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx,
which says:

STEP 12: Fix Group Policy Objects and Links

In this step, you will use the gpfixup.exe command-line tool to repair
Group Policy objects (GPOs) as well as GPO references in each renamed
domain. It is necessary to repair the GPOs and the Group Policy links after
a domain rename operation to update the old domain name embedded in these
GPOs and their links. This procedure is necessary so that Group Policy
continues to function normally in the new forest after the domain rename
operation has completed. The tool also repairs any Group Policy-based
Software Installation and Maintenance data (such as Software Distribution
Point network paths), if present in Active Directory, so that managed
software deployment continues to work in your environment. The GPO and link
fix-up tool needs to be run once in each renamed domain. There is no GPO
and link fix-up required corresponding to renamed application directory
partitions because you cannot apply Group Policy to an application
directory partition.

RESOLUTION:
===========

1- Download the DomainRename Tool from:
http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx

2- At the command prompt, browse to the location that you extracted the
domainrename tools and type the following command (the entire command must
be typed on a single line) and press ENTER:

gpfixup /olddns:OldDomainDnsName /newdns:NewDomainDNSName /oldnb:OldDomainNetBIOSName /newnb:NewDomainNetBIOSName /dc:DcDnsName 2>&1 >gpfixup.log

-Where-

OldDomainDnsName is the old DNS name of the renamed domain.
NewDomainDnsName is the new DNS name of the renamed domain.
OldDomainNetBIOSName is the old NetBIOS name of the renamed domain.
NewDomainNetBIOSName is the new NetBIOS name of the renamed domain.
DcDnsName is the DNS host name of a domain controller in the renamed
domain, preferably the PDC emulator.

Thanks for using Microsoft Newsgroup!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
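
Added example, not part of the post above or of the Microsoft guide: a read-only PowerShell audit of the two places the quoted STEP 12 says the old domain name stays embedded, the GPO objects (with a gpt.ini reachability check) and the GPO links. It assumes xyz.local as the new DNS name from the thread, a domain-joined machine with PowerShell 3.0 or later, and searches the domain partition only; the output column names are illustrative.

```powershell
# Added example (read-only): list GPO references that do not match the renamed domain.
# Assumption: xyz.local is the new DNS name from the thread; column names are illustrative.
param([string]$NewDns = 'xyz.local')

$newDn = ($NewDns.Split('.') | ForEach-Object { "DC=$_" }) -join ','

# 1. Each groupPolicyContainer keeps its SYSVOL location as a UNC string in gPCFileSysPath.
$gpoSearch = [adsisearcher]'(objectClass=groupPolicyContainer)'
$gpoSearch.SearchRoot = [adsi]"LDAP://CN=Policies,CN=System,$newDn"
$gpoSearch.PageSize = 500
foreach ($r in $gpoSearch.FindAll()) {
    $path = [string]($r.Properties['gpcfilesyspath'] | Select-Object -First 1)
    # \\<domain>\SysVol\<domain>\Policies\{GUID}: compare whole path components,
    # because a single-label old name (xyz) is a prefix of the new one (xyz.local).
    $parts = $path.TrimStart('\').Split('\')
    [pscustomobject]@{
        Check  = 'gPCFileSysPath'
        Object = [string]($r.Properties['displayname'] | Select-Object -First 1)
        Value  = $path
        Stale  = ($parts[0] -ine $NewDns) -or ($parts[2] -ine $NewDns)
        # False here corresponds to the "gpt.ini not existing" class of error.
        GptIni = [bool]$path -and (Test-Path -LiteralPath "$path\gpt.ini")
    }
}

# 2. gPLink holds [LDAP://<GPO DN>;<options>] entries as one string value.
$linkSearch = [adsisearcher]'(gPLink=*)'
$linkSearch.SearchRoot = [adsi]"LDAP://$newDn"
$linkSearch.PageSize = 500
foreach ($r in $linkSearch.FindAll()) {
    $gpLink = [string]($r.Properties['gplink'] | Select-Object -First 1)
    foreach ($m in [regex]::Matches($gpLink, '\[LDAP://([^;\]]+);\d+\]')) {
        $dn = $m.Groups[1].Value
        [pscustomobject]@{
            Check  = 'gPLink'
            Object = [string]($r.Properties['distinguishedname'] | Select-Object -First 1)
            Value  = $dn
            # A repaired link points below CN=Policies,CN=System,<new domain DN>.
            Stale  = $dn -notlike "*,CN=Policies,CN=System,$newDn"
            GptIni = $null
        }
    }
}
```

Rows with Stale set to True, or GptIni set to False, are the objects to look at before and after running gpfixup.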

Dominic

Feb 13, 2004, 1:22:20 PM
Hi Steven,
Thanks for the response. I did run the gpfixup tool but I
initially received an error regarding a gpt.ini file so I
ran it on the DC and it worked fine. Should I try running
it again on the control machine? Can I run it again
safely? Thanks

Dominic


Dominic

Feb 13, 2004, 2:59:19 PM
Hi Steven,
Thanks for responding to my post.
I did run the gpfixup and it ran successfully but I still
seem to have quite a few problems as I mentioned in my
first message on the newsgroup.
I also can't get into Domain Security Policy or the
Security Policy per the instructions because the Target
box on the icon's properties is greyed out.
All the GPOs still have exclamation points on them. Do
you have any advice on where to go from here? The domain
rename went successfully and so did the domain controller
rename. So I don't have a single label dns anymore.

Thanks for any help you can provide! The users (mostly
teachers) and the high school I work at are getting
frustrated so I need to get this working correctly. They
can log in fine for the most part but they seem
to not know what the dc is all the time. DCDIAG comes
through perfectly fine. Netdiag shows a few problems.

Here are my dcdiag results:

C:\DomainRename>netdiag /d:dhs.local

.....................................

Computer Name: YODA
DNS Host Name: yoda.dhs.local
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 2 Stepping 7, GenuineIntel
List of installed hotfixes :
KB819696
KB823182
KB823559
KB823658
KB823980
KB824105
KB824141
KB824145
KB824146
KB825119
KB828028
KB828035
KB832894
Q147222
Q828026


Netcard queries test . . . . . . . : Passed
[WARNING] The net card 'RAS Async Adapter' may not be working because it has not received any packets.

Per interface results:

Adapter : Internal

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : yoda
IP Address . . . . . . . . : 10.0.0.4
Subnet Mask. . . . . . . . : 255.0.0.0
Default Gateway. . . . . . :
Primary WINS Server. . . . : 10.0.0.2
Dns Servers. . . . . . . . : 10.0.0.1
216.117.199.213

IpConfig results . . . . . : Failed
Pinging the Primary WINS server 10.0.0.2 - not reachable

AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Skipped
[WARNING] No gateways defined for this adapter.

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

WINS service test. . . . . : Failed
The test failed. We were unable to query the WINS servers.

Adapter : External

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : yoda
IP Address . . . . . . . . : 216.117.204.230
Subnet Mask. . . . . . . . : 255.255.255.248
Default Gateway. . . . . . : 216.117.204.225
NetBIOS over Tcpip . . . . : Disabled
Dns Servers. . . . . . . . :

AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Skipped
NetBT is disabled on this interface. [Test skipped]

WINS service test. . . . . : Skipped
NetBT is disable on this interface. [Test skipped].


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{58CB528F-5DB3-4403-BC32-89C16BD41FF1}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{58CB528F-5DB3-4403-BC32-89C16BD41FF1}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{58CB528F-5DB3-4403-BC32-89C16BD41FF1}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Failed
'DHS': No DCs are up.


Trust relationship test. . . . . . : Failed
'DHS': No DCs are up (Cannot run test).
Secure channel for domain 'DHS' is to '\\server.dhs.local'.


Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for host/yoda.dhs.local.


LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC 'admin-server.dhs.local'.
[WARNING] Failed to query SPN registration on DC 'server.dhs.local'.


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully

C:\DomainRename>

Steven Liu

Feb 15, 2004, 10:27:24 PM
Hi Dominic,

Is the computer yoda your domain controller? Would you please give me the
detailed configuration of the computer yoda? It seems that the adapter
"Internal" is not set with a Default Gateway. I think you should
configure the adapter itself as the default gateway. Input 10.0.0.4 as the default
gateway.

The WINS IP address is 10.0.0.2. Is the WINS server available? What is the
WINS server?

The DNS IP address is 10.0.0.1. What is the DNS server?

If they are Windows 2000/2003 based servers, let's remove and reinstall
them. Re-configure the servers and reboot the server and all clients to
renew all records. Test whether this works.

The domain rename process causes some problems now. The problem is
complex. Did you back up the server before renaming the domain? If yes, we
can restore the whole system back to the state it was in before we renamed the
domain.
