I have just installed the first 2008R2 domain controller into a widows 2003 domain. Everything went well and replication was good during the initial dcpromo. After the process finished I looked at my logs. I notice that 15508 was showing up. The computer group policy was also failing. I have seen a few post that mentioned the KDC. I restarted the KDC on the 2008r2 DC and replication and group policy working with no problems. The problem is if I have to reboot the new server with the KDC cause problems again? If there a security issue between 2003 and 2008R2 KDC and if so how is this fixed. Thanks, norman mattox

Hi, Following article might help Troubleshooting File Replication Service : http://technet.microsoft.com/en-us/library/bb727056.aspx I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

Hello Norman, Check for the replication errors using repadmin failcache /v or dcdiag/test:replications I suggest you check similar discussion:http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/44a7406a-c79a-4213-a93e-8c0010a9266dRegards, Ravikumar P

The problem is if I have to reboot the new server with the KDC cause problems again? If KDC issues are already fixed, you would NOT likely to have further problems.I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

Let me just add to this. I did reboot the server and had to turn off the KDC to get the computer GPO to work. Doesn't seem to be bothering replication now. Is thiere something that needs to be changed in the 2008R2 KDC to make it work well with 2003? norman mattox

Is thiere something that needs to be changed in the 2008R2 KDC to make it work well with 2003? NOT anything I know of. If you are still facing problems with KDC, try restarting KDC service on all the domain controllers one by one and post which check the replication and group policy applicability. You might want to use Active Directory Replication Status Tool http://www.microsoft.com/en-us/download/details.aspx?id=30005 I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

Hi, This is because of file replication issues, Please find this article you get thru "http://technet.microsoft.com/en-us/library/bb727056.aspx" follow the instruction as per the link, in order to avoid "Journel Wrap Error". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

I am only getting 13508 errors. They sysvol and netlogon shares are created and replication is fine. Computer GPO's will not load when I reboot the server. I have to stop the KCC run gpupdate and restart the KCC then everyhing is fine. I have tested replication by creating and deleting folders on the various DC's. Replication happens fast. I am just confused why the KCC needs to be stopped and restarted after a reboot. This just seems to be happening on the W2kR2 DC. The WK3 DC's are filenorman mattox

See if following discussion helps Event ID:13568 , Event ID:13508 http://social.technet.microsoft.com/Forums/en/winserverDS/thread/5f5ccc19-9b00-492d-9509-da0c25b02fd6I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

Is there any known issues with bringing up a 2008R2 into a 2003 domain? I am getting some errors with users trying to log in. I am using Cert authentication but have all certs installed and tunbleweed DV running. One error they get is not enough resources to log in when I have the 2008r2 server on. norman mattox

Is there any known issues with bringing up a 2008R2 into a 2003 domain? Known Issues for Upgrading Active Directory to Windows Server 2008R2 from Windows 2003 http://blogs.technet.com/b/tangent_thoughts/archive/2012/05/19/known-issues-for-upgrading-active-directory-to-windows-server-2008r2-from-windows-2003.aspx not enough resources to log in Looks like a client machine issues not related to the DC. I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

Thanks for you help. I have just one more question you may be able to help me with. I ran dcdiag /s:2003DC /test:replications. This failed with the following. [2008DC] dsbindwith spnExP{} faile wiht error 5. Access is denied. It works from the 2003dc to the 2008dc. Is there a security setting inthe 2003DC I need to make for the 2008r2 server to complete this test without failure? It seems to be replicating all the objects and I have full control over the domain from the R2 DC. I have noticed in order to perform a full gpo update I have to stop the KCC and restart after. This is after a reboot. Just a note I do not have the server in the default domain controllers OU because I created a new set of policies for the 2008r2DC. Is this an issue. norman mattox

dcdaig error is not clear enough to me. Can you please upload the results on skydrive & post the link here ? Just a note I do not have the server in the default domain controllers OU because I created a new set of policies for the 2008r2DC. Is this an issue. Moving DC computer object from default DC container is NOT a good practice ! I would suggest you to move the DC computer object back to Default DC OU. Please refer the thread below for more details. Default Domain Controllers OU vs other OU with Domain Controller Policy Applied? http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1cb96762-a6a7-4cd1-8fc6-2b68529d9fcc/ I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

Here is the result of running dcdiag /s:windows2003DC /test:replications from the w2k8dc. Doing initial required tests Testing server: W2k3DC Starting test: Connectivity ......................... W2k3DC passed test Connectivity Doing primary tests Testing server: W2k3DC Starting test: Replications [W2k8DC] DsBindWithSpnEx() failed with error 5, Access is denied.. ......................... W2k3DC failed test Replicationsnorman mattox

Here is the result of running dcdiag /s:windows2003DC /test:replications from the w2k8dc. Doing initial required tests Testing server: W2k3DC Starting test: Connectivity ......................... W2k3DC passed test Connectivity Doing primary tests Testing server: W2k3DC Starting test: Replications [W2k8DC] DsBindWithSpnEx() failed with error 5, Access is denied.. ......................... W2k3DC failed test Replications norman mattox I suggest you check this article to Troubleshooting AD Replication error 5: Access is denied: http://support.microsoft.com/kb/2002013Regards, Ravikumar P

I second Ravikumar.I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

Thanks, This looks like a good article. I demoted the server because it was causing me a lot of problems. I am going to start clean in a couple of days. Any suggestions you have for adding 2k8r2 to 2003? I will put this one in a OU that I create inside the default domain controllers. I don't want it to pick up the current GPO though. Thanks again for everyone's help. Hopefully next try will be golden. I would like to eliminate 2003 by end of year. Thanks, norman mattox

Make sure you cleanup meta data for demoted DC. Clean Up Server Metadata http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx >> I will put this one in a OU that I create inside the default domain controllers. Whenever a server is promoted as a domain controller, by default the computer object corresponding to the promoted DC is created in default Domain controller container. No need to move that object explicitly, please leave that as it is. Good luck ! I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

Thanks again, The only problem I have with leaving it in the default OU is that the GPO there are built for the 2003 DC's. There are different settings for 2008 so I wanted to link that GPO but did not want it to get picked up by the current DC's. norman mattox

Sorry for the delayed response, somehow missed your previous reply through alert mail. The only problem I have with leaving it in the default OU is that the GPO there are built for the 2003 DC's. There are different settings for 2008 so I wanted to link that GPO but did not want it to get picked up by the current DC's. All DCs ahould have only one GPO configured and enabled in DDCP. AFAIK, there is no problem applying 2008/R2 DC specific policy settings on default Domain controllers OU which have 2003 DC objects in it. The 2008/R2 policy settings which are not applicable to 2003 DCs will be simply ignored on 2003 DCs. What you can do here is, edit your DDCP (Default Domain controller Policy) and update the policy setting specific to 2008 Server. To simply this task, you might want to use WMI filters. Here are some of links which might be useful. please go through them Create WMI Filters for the GPO http://technet.microsoft.com/en-us/library/cc947846(v=ws.10).aspx Fun with WMI Filters in Group Policy http://blogs.technet.com/b/askds/archive/2008/09/11/fun-with-wmi-filters-in-group-policy.aspx Using WMI to Filter GPOs based on Windows Version and Role http://jpaloma.wordpress.com/category/windows-server-2008-r2/ WMI GPO Filters for Operating System Types http://derek858.blogspot.in/2010/07/wmi-gpo-filters-for-operating-system.html HTHI do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

Hi, I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help. Regards, Arthur Li TechNet Subscriber Support If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.Arthur Li TechNet Community Support

Thanks for you help. I will read everything and then attempt to bring up the DC. I have done this before without issues but for some reason this domain is having problems. norman mattox