I can, yes. FQDN and computer name both work fine. So the servers can "see" each other to some extent.
What about AD Sites and Services? Is there anything in there that shouldn't be, or anything missing that should be there? There may be a link to some long-gone server in there (as IIRC demoting a server doesn't remove it from here), or possibly some long-gone server still has one or more FSMO roles.
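An added example (not code from anyone in this thread) of the check the post above describes: list the five FSMO holders and every server object under Sites and Services, then flag any entry that still carries an NTDS Settings object or a role but no longer answers on LDAP. It assumes PowerShell 3.0 or later with the ActiveDirectory (RSAT) module and an account that can read the Configuration partition; the function names are my own.

```powershell
# Added example: inventory DCs as the directory records them versus what is
# actually reachable, so a long-gone DC that is still registered stands out.
Import-Module ActiveDirectory

function Test-LdapPort {
    # Plain TCP connect to 389 with a 2 second timeout (no AD module needed).
    param([string]$HostName)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, 389, $null, $null)
        return ($ar.AsyncWaitHandle.WaitOne(2000) -and $client.Connected)
    } catch { return $false } finally { $client.Close() }
}

function Get-DcInventory {
    $forest   = Get-ADForest
    $domain   = Get-ADDomain
    $configNC = (Get-ADRootDSE).configurationNamingContext

    # The five role owners exactly as the fSMORoleOwner attributes currently point.
    $fsmo = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    # Every server object under Sites and Services. A server object that still
    # has an nTDSDSA ("NTDS Settings") child is still registered as a DC,
    # whether or not the machine exists any more.
    $servers = Get-ADObject -SearchBase "CN=Sites,$configNC" `
                 -LDAPFilter '(objectClass=server)' -Properties dNSHostName
    foreach ($srv in $servers) {
        $ntds  = Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel `
                   -LDAPFilter '(objectClass=nTDSDSA)' -ErrorAction SilentlyContinue
        $fqdn  = $srv.dNSHostName
        $roles = @($fsmo.GetEnumerator() | Where-Object { $_.Value -eq $fqdn } |
                   ForEach-Object { $_.Key })
        $alive = if ($fqdn) { Test-LdapPort $fqdn } else { $false }

        $finding = ''
        if ($ntds -and -not $alive)       { $finding = 'stale DC object (NTDS Settings, no LDAP)' }
        elseif ($roles -and -not $alive)  { $finding = 'FSMO role held by unreachable DC' }

        [pscustomobject]@{
            # DN is CN=<server>,CN=Servers,CN=<site>,CN=Sites,... so index 2 is the site.
            Site            = (($srv.DistinguishedName -split ',')[2] -replace '^CN=')
            Server          = $srv.Name
            FQDN            = $fqdn
            HasNtdsSettings = [bool]$ntds
            AnswersLdap     = $alive
            Roles           = ($roles -join ',')
            Finding         = $finding
        }
    }
}

Get-DcInventory | Format-Table -AutoSize
```

A row with HasNtdsSettings true and AnswersLdap false is the leftover that Sites and Services still shows after a demotion did not clean up; a role on such a row is the case where a transfer cannot work and the role has to be seized instead.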
Hmm, OK so I see no reason why you can't transfer FSMO roles! That's really got me stumped, I must admit.
Do the event logs show any errors which are of particular interest?
"Windows(R) Lightweight Directory Access Protocol (LDAP) failed a request to connect to Active Directory Domain Services(R) for Windows user <NT AUTHORITY\SYSTEM>.
Without the corresponding UNIX identity of the Windows user, the user cannot access Network File System (NFS) shared resources.
Verify that the Windows user is in Active Directory Domain Services and has access permissions."
Plus another one which shows the domain admin account instead of SYSTEM. I'm guessing that's not good?
Sites and Services is something I've never messed with as there's no need!
Looking at security of a DC I'm working on, it reads:
Authenticated Users - Read
SYSTEM - Full
Enterprise Read-only Domain Controllers (think this is optional)
Domain Admins - Full
Enterprise Admins - Full
This is on NTDS Settings.
As for UNIX, I'm not too worried about this so you should be able to ignore it. I presume you had a NAS or a server that was running UNIX?
We never had a UNIX server, but we do have 2 Mac clients which connect to file shares on the network (not joined to the domain as it seemed a bit of a fuss), so that could be what it's on about? Just checked and they can still connect to the shares so I'll just ignore that error for now.
Had a look at the security on these two, and the settings are the same as what you've posted above.
If this helps I've just tried connecting to a file share on the new server from the old one and got this message:
So, this old server thinks it doesn't have permission to access the new one I'm guessing?
Hmm that's interesting. I wonder if there's a problem with the computer account of the new server?
If possible, try demoting it and re-promoting as a DC. Certainly worth a try.
You'd be surprised at how many times I've tried that the past few days. Every other computer on the network can access shares on it, just not the old DC. So with that in mind I'm thinking it's something with the old DC that's not right. It's always had errors with the RPC server as well (when you've tried to do an RSoP, for example).
It's as if the old DC just won't let go. The domain originally ran on a 2003R2 box but that got replaced nearly 2 years ago now, and everything was fine then, so it is something recent I think.
Sorry to be late to the party again, but if you're having problems with AD, I would be a little wary about demoting a DC unless it won't have any impact.
Have you checked the output of "REPADMIN /SHOWREPS"? Might help...
A little bit of further research shows that this might be useful for you: Troubleshooting AD Replication error 1396: Logon Failure: The target account name is incorrect.
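As an added example (my own code, not from the thread or the KB article), here is the `REPADMIN /SHOWREPS` view done through the ActiveDirectory module, plus the check most worth running when the result is 1396: Kerberos is being asked for a service ticket to the target DC and cannot match the name, so every DC should have its DRS replication SPN, which is built from the fixed class GUID `E3514235-4B06-11D1-AB04-00C04FC2DCD2`, the DC's own NTDS Settings objectGUID and the domain DNS name. It assumes PowerShell 3.0+, the 2012-era ActiveDirectory module (for `Get-ADReplicationPartnerMetadata`) and rights to read the DC computer objects; the function names are my own.

```powershell
# Added example: replication failures per partner, with the Win32 error text
# so 1396 reads as "The target account name is incorrect", and a DRS SPN
# sanity check for every DC.
Import-Module ActiveDirectory

function Get-ReplicationFailures {
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -ErrorAction Stop
        } catch {
            # A DC we cannot even query for metadata is itself a finding.
            [pscustomobject]@{ Server = $dc.HostName; Partner = '(not queryable)'; Partition = '';
                               Result = -1; LastGood = $null; Message = $_.Exception.Message }
            continue
        }
        foreach ($m in ($meta | Where-Object { $_.LastReplicationResult -ne 0 })) {
            [pscustomobject]@{
                Server    = $dc.HostName
                # Partner is the NTDS Settings DN: CN=NTDS Settings,CN=<server>,... -> index 1
                Partner   = (($m.Partner -split ',')[1] -replace '^CN=')
                Partition = $m.Partition
                Result    = $m.LastReplicationResult
                LastGood  = $m.LastReplicationSuccess
                Message   = (New-Object ComponentModel.Win32Exception ([int]$m.LastReplicationResult)).Message
            }
        }
    }
}

function Test-DrsSpn {
    # The DRS SPN: <class GUID>/<NTDS Settings objectGUID>/<domain DNS name>.
    # Missing or duplicated, the target DC cannot be authenticated for replication.
    $drsClass = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $ntdsGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
        $expected = "$drsClass/$ntdsGuid/$($dc.Domain)"
        $spns     = (Get-ADComputer -Identity $dc.ComputerObjectDN -Properties servicePrincipalName).servicePrincipalName
        # Exactly one object in the forest should carry this SPN.
        $holders  = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$expected)")

        $finding = ''
        if (-not ($spns -contains $expected)) { $finding = 'DRS SPN missing on DC account' }
        elseif ($holders.Count -gt 1)         { $finding = 'DRS SPN registered on more than one object' }

        [pscustomobject]@{
            DC         = $dc.HostName
            HasDrsSpn  = ($spns -contains $expected)
            HasHostSpn = ($spns -contains "HOST/$($dc.HostName)")
            SpnHolders = $holders.Count
            Finding    = $finding
        }
    }
}

Get-ReplicationFailures | Format-Table -AutoSize
Test-DrsSpn             | Format-Table -AutoSize
```

`repadmin /showreps <dc>` and `repadmin /replsummary` give the same first table without the AD module, and `setspn -X` lists duplicate SPNs forest-wide. If the SPNs are all in place and the failure is still 1396, the next thing to look at is the DC's own secure channel and machine account password (`nltest /sc_verify:<domain>` on the failing DC), which the linked KB covers.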
Hmm looks to me like the answer may be in that KB article.
Of course your other option is to just 'ungracefully' trash the old DC - force the new one to take on the roles and then tidy up using ADSI edit.
I have been thinking about doing that, but the other day when I gave the new server the roles and took the network cable out of the old server, everything stopped working. I suppose I didn't do that the correct way, but I was interested in seeing what would stop if I were to just remove the old server.
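As an added example (my own script, not from either poster), this is the "ungraceful" route suggested two posts up, with the checks a practitioner runs before pulling the cable: the usual reasons everything stops when the old box goes away are clients that still use it as their only DNS server, the new DC not being a global catalog, or a service like DHCP that only ever ran on the old box. `OLDDC`, `NEWDC` and the site name are placeholders; it assumes PowerShell 3.0+, the ActiveDirectory and DnsClient modules (Windows Server 2012 or later) and Enterprise Admin rights, run on NEWDC. `-WhatIf` keeps the seizure a dry run and the ntdsutil line is printed rather than executed.

```powershell
# Added example: pre-flight checks, role seizure and metadata cleanup for
# retiring a DC that will never come back.
Import-Module ActiveDirectory

$old  = 'OLDDC'                     # placeholder: the DC being thrown away
$new  = 'NEWDC'                     # placeholder: the DC taking over
$site = 'Default-First-Site-Name'   # placeholder: site OLDDC's server object lives in

$newDC    = Get-ADDomainController -Identity $new
$configNC = (Get-ADRootDSE).configurationNamingContext
$srv      = "_ldap._tcp.dc._msdcs.$($newDC.Domain)"

# 1. What would break if OLDDC vanished right now?
"NEWDC is a global catalog   : $($newDC.IsGlobalCatalog)"
"NEWDC's DNS answers DC SRV  : $([bool](Resolve-DnsName -Name $srv -Type SRV -Server $new -ErrorAction SilentlyContinue))"
"NEWDC's own DNS servers     : $((Get-DnsClientServerAddress -AddressFamily IPv4 |
                                   Where-Object ServerAddresses |
                                   ForEach-Object ServerAddresses) -join ', ')"
# If that last line (or the DHCP scope options the clients get) lists only
# OLDDC, name resolution and therefore the domain disappear with the cable.

# 2. Seize the roles. -Force seizes instead of transferring; remove -WhatIf
#    only once OLDDC is off the network for good.
Move-ADDirectoryServerOperationMasterRole -Identity $new -Force -WhatIf `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 3. Metadata cleanup: remove OLDDC's server / NTDS Settings object. On 2008 R2
#    and later this one ntdsutil call does it (deleting the object in Sites and
#    Services does the same). Printed here; paste into an elevated prompt.
$serverDN = "CN=$old,CN=Servers,CN=$site,CN=Sites,$configNC"
"ntdsutil `"metadata cleanup`" `"remove selected server $serverDN`" quit quit"

# 4. Verify afterwards: OLDDC gone from the DC list and from the DC SRV records.
Get-ADDomainController -Filter * | Select-Object HostName, OperationMasterRoles, IsGlobalCatalog
Resolve-DnsName -Name $srv -Type SRV -Server $new |
    Where-Object { $_.NameTarget -like "$old.*" }   # any output = stale SRV record to delete
```

Once the roles have been seized, the old DC must never be reconnected to the network; bringing it back introduces a second owner for the roles and can reintroduce objects that were deleted while it was away.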