The obvious answer is that you're not using an account that is authorised to access that resource. Once you've restarted the DCs and cleared out any errors from BPA, can you log on to a workstation using an account created after the upgrade?
Are the clients XP or 7? If XP, what does netdiag report? Not sure what tool replicates that functionality in Vista or 7.
@psydii - It was a suggestion in case RODC were/are being used. The issue and root cause are unknown. Putting in a call to MSFT is the best option in any case. However, given this situation, turn-around for initial response will be 4 hours, then after that no guarantee and impact is minimal, i.e. you have another DC, also no users are affected.
But like I say, MSFT is your best contact or your support provider. However, the articles I normally post here do NOT always mean YOU should do it. If they are specific then I will make sure I state that. In this case I suggested 'Also see'.
I expect one to read any post/KB articles before making a change to the production environment or if they take the risk and not to then it's up to them.
Changing settings on the infrastructure should be thought of carefully.
Looks like the two largest files are 10 MB each, which is some sort of log. The rest are anything up to 2 MB.
That's what I would assume that meant... I'm pretty sure the problem is linked to dc01. When I did a reboot on dc02 I could view the network and see what was there but not browse those machines, however as soon as dc02 came back up I could browse to the machines and see printers/shares.
@sukh I quite agree, I found that article just after you did and in the initial version of my post I berated myself for not googling it before posting. The article's phrasing suggests to me that the error itself is not cause for concern, but whether root causes are related is one avenue for investigation.
I do read the impact of this problem differently though: GP is not applying on at least 50% of clients properly and logons are very slow - in an environment where each workstation logs on/off 6+ times a day, to me that's a huge impact!
After BPA results, the next big question is: Are the Clients Authenticating to the Domain properly? Which is what we'll find out with the new user test.
After rebooting the servers in the order advised, are there unresolved errors in the event logs on either server?
Could you clarify exactly what steps you took that provided evidence for the following statement:
"When I did a reboot on dc02 I could view the network and see what was there but not browse those machines, however as soon as dc02 came back up I could browse to the machines and see printers/shares"
Specifically expanding around the following phrases:
"I could view the network"
"see what was there"
"but not browse those machines"
Have the workstations been restarted and logon speeds tested following the DC reboots?
For example, I can browse network neighborhood and see a list of clients. I can browse into a client and see the printers & faxes/scheduled tasks. However, when I reboot dc02 I lose that ability even though dc01 is still up and running. As soon as the server has rebooted and is back online I can again browse those clients as before.
If I, however, go to browse dc01 at any time, I get the "dc01 is not accessible" error with a reason of network path not found.
I don't notice any red event errors in application, system, dfs, dns, file replication logs.
Have you got an output from the AD DS BPA?
Have you rebooted the client computer since the server reboots?
Are you logged on as a Domain/Enterprise Administrator?
What OS are the clients running?
If XP, what is the output of netdiag?
Is DC02 your WINS server?
Can you browse DC01 from DC02?
I note from your DCDiag report that both DCs appear to agree that DC01 holds all the FSMO roles and that replication is working. I also note that there is no further indication that this assessment should be changed since reboot, as the event log is showing without further errors.
Yes, I have rebooted the clients. I've been logged onto the server with domain admin account and can browse from dc01-dc02 and vice versa and can see the sysvol and netlogon shares. The clients are running XP SP3. WINS isn't installed as far as I'm aware as we're only XP SP3 clients and above.
Attached is a readout of netdiag from a problem client. Makes reference to SPN issues.
Thanks for your time helping me, it's much appreciated!
OK, can you try re-running netdiag on a client while logged on as a Domain Admin. I'm hoping those errors will vanish.
Initial look suggests your DNS may not have reverse lookups set up, possibly.
Also when you migrated did you have any Cert Authorities on the old servers?
Hmm. I'd be surprised if DCDiag gave such a clean bill of health if a DC was missing its PTR record. But since 99% of all AD issues are in fact DNS issues, best confirm it's there!
What does AD DS BPA have to say?
How many other client machines are affected?
What OS are they running? I note that your laptop appears to be Windows 2000.
Can you 'sacrifice' one showing the same symptoms? If so, remove it from the domain and try adding it back.
Any IPSec policies enabled anywhere (say, on the DCs)?
Another possibility is that there is a mismatch between netdiag version and the sp level of your laptop. Ensure both are SP4, and some of the errors aren't in fact red herrings.
Also, since the information presented in netdiag conflicts with your statement regarding XP SP3, perhaps your copy of netdiag needs updating to XP SP2 (the latest available)? Again to eliminate red herrings.
Is there a Firewall on DC01?
Is there a firewall on your clients?