PDC network service account denied

Name: dynamitejacket
Date: November 8, 2007 at 22:00:38 Pacific
OS: server2003std
CPU/Ram: Xeon
Product: hp
Comment:

Hi, first post.
My issue manifested as complaints that printing was not working. the printers in question are shared on my primary DC. Clients were also not getting GP updates. resetting file permissions on PDC's sysvol to match AD took care of the GP updates, but shared printers are still farked. in fact, any service on the affected PDC that runs under network service account fails with access denied errors. Logged in to the console on PDC, i am unable to edit GPOs, though i can still do so from a workstation as a domain admin. it seems like the machine account of the PDC is somehow no longer valid in AD?

any workstation i would just reset the machine account and be done with it, but i don't imagine i'd get very far doing that to a DC, so how would i go about reinstating the PDC in its own domain?

my apologies for the long post, i really like typing :)




Response Number 1
Name: wanderer
Date: November 9, 2007 at 08:24:20 Pacific
Reply:

There is no such thing as a PDC in Active Directory. Applying NT concepts to AD is a serious misunderstanding. There is the PDC emulator, which is one of five FSMO roles, but that's not the same as a PDC in NT. Just like there are no BDCs in AD.

You say "primary dc". Do you have others?

Start with reviewing your event viewer logs. From what you describe there should be errors posted which, from looking up the error codes, will give you a clue to what is wrong and how to fix it.

Imagine the power if you knew how to internet search



Response Number 2
Name: dynamitejacket
Date: November 9, 2007 at 09:17:23 Pacific
Reply:

thx wanderer, for your response. i should have been more clear in my use of PDC. i have two DCs, one in each of two sites, and they are replicating properly. the machine i called PDC was just the first DC in the forest.
client attempts to use shared printers generate id 10000 errors (dcom failure)
attempts to read group policy generate 1058s

any attempt to start a service that runs under the network service account throws an access denied, this includes dns and dhcp clients, msdtc. i have troubleshooted each of these issues individually, but solutions to each assume machine rights to AD are intact, and do not address my root cause.

i have attempted to reset the machine account password with netdom, without any apparent change.
for all intents i have a dc that is behaving like a member server that just happens to have a replica of AD on it. i cannot write to AD with this machine, logged in as domain admin




Response Number 3
Name: wanderer
Date: November 9, 2007 at 10:04:44 Pacific
Reply:

Sounds bad. Under the conditions you describe I would doubt AD replication is really working. If it is, you may have two corrupted DCs.

What do your event viewer logs say?
On the internet? Have you done av and spyware scans?

Imagine the power if you knew how to internet search



Response Number 4
Name: dynamitejacket
Date: November 9, 2007 at 10:57:35 Pacific
Reply:

AV and spyware are good- this machine is locked down pretty well anyway. i should probably add that on my day off, another admin saw that the machine had crashed, and when he restarted there was a failed drive. he did not take notes but told me it displayed some message about "default" file permissions. the first time i fired up GP editor from my workstation i got a lot of messages about file permissions for the GPOs not matching AD. i allowed GP editor to fix these, and group policy has been applying properly to workstations. Event logs show limited errors, just what i have already described- as is probably obvious, i am no AD pro, is there perhaps some tool that checks whether the rest of AD permissions agree with the actual file permissions on the machine in question? is there a standard way of auditing a DC's rights within AD?

one last thing, replication really appears to be working as it should- i made a few minor edits here and there, and they propagated ok

thanks again, wanderer, for your time.



Response Number 5
Name: dynamitejacket
Date: November 9, 2007 at 12:31:20 Pacific
Reply:

hah!

talk about back to basics:

with no other tactic coming to mind, i began comparing file permissions on both DCs- starting with sysvol. yeah, you guessed it- once i gave the SYSTEM account the correct permission in the windows directory and restarted, the server straightened itself out.

wanderer, thanks again- sometimes you just need a person to complain at to get the problem sorted :)
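
A scripted version of the comparison described in the post above, as an added example that is not part of the original thread: it reads the NTFS ACLs of the Windows directory and SYSVOL on both DCs over their administrative shares and lists the ACEs that differ. The names DC01 and DC02 are hypothetical, and it assumes PowerShell 2.0 or later run as a domain admin from a workstation.

```powershell
# Added example. DC01/DC02 are hypothetical names; substitute your own DCs.
$Reference = 'DC02'   # DC that behaves normally (assumed name)
$Suspect   = 'DC01'   # DC whose services fail with access denied (assumed name)

# admin$ is the built-in administrative share for %SystemRoot%;
# SYSVOL is the share every DC publishes.
$Folders = 'admin$', 'admin$\system32', 'SYSVOL'

function Get-AceList {
    param([string]$Path)
    # Flatten each ACE on the folder to one comparable string.
    (Get-Acl -Path $Path -ErrorAction Stop).Access | ForEach-Object {
        '{0} | {1} | {2} | inherited={3}' -f $_.IdentityReference,
            $_.FileSystemRights, $_.AccessControlType, $_.IsInherited
    }
}

foreach ($folder in $Folders) {
    try {
        $ref = @(Get-AceList "\\$Reference\$folder")
        $sus = @(Get-AceList "\\$Suspect\$folder")
    } catch {
        Write-Warning "Could not read ACL for ${folder}: $_"
        continue
    }
    if ($ref.Count -eq 0 -or $sus.Count -eq 0) {
        Write-Warning "$folder has an empty ACL on one side; inspect it by hand."
        continue
    }

    # '<=' : ACE only on the reference DC (missing on the suspect)
    # '=>' : ACE only on the suspect DC (extra or altered)
    $diff = @(Compare-Object -ReferenceObject $ref -DifferenceObject $sus)
    if ($diff.Count -eq 0) { Write-Output "$folder : ACLs match"; continue }

    Write-Output "$folder : ACLs differ"
    $diff | ForEach-Object { Write-Output ("  {0} {1}" -f $_.SideIndicator, $_.InputObject) }

    # The thread's root cause was SYSTEM lacking its permission: flag the case
    # where the reference grants SYSTEM FullControl and the suspect does not.
    $pattern = 'NT AUTHORITY\SYSTEM | *FullControl* | Allow*'
    if (@($ref -like $pattern).Count -gt 0 -and @($sus -like $pattern).Count -eq 0) {
        Write-Warning "$folder on $Suspect is missing the SYSTEM FullControl ACE"
    }
}
```

The script only reads ACLs; it checks the top-level folders listed and does not recurse, so a difference deeper in the tree needs the folder added to `$Folders`.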





Response Number 6
Name: wanderer
Date: November 9, 2007 at 14:08:13 Pacific
Reply:

Great catch dynamitejacket! That permissions error was just the clue you needed. Best of luck!


Imagine the power if you knew how to internet search

