
Domain computers using BDC to authenticate!?

Status
Not open for further replies.

kopar

IS-IT--Management
Dec 30, 2003
23
US
I've got a few problems, and I think they all stem from the same source, which I can't seem to track down.

We have a small 2003/2000 network. Our PDC is the 2003 server. It is also the DNS and DHCP server. There is a 2000 server that acts as a BDC. It is only being used as a file server and backup machine otherwise.

Computers joined to the domain are checking for security permissions and authentication information from the BDC.

For example: I create a new user on the PDC. I cannot log in as that user on domain computers. If I try and assign NTFS permissions on a folder, the user does not appear in the user list.

If I create a user on the BDC, I can do what I want with the user immediately.

The other problem is when I go to log a user into the domain, it takes a loooooooong time for it to build the Domain List.

Please give me some ideas. I just can't seem to formulate the correct google search to find a solution.
 
First, there are no PDCs and BDCs in Active Directory. It sounds like you have some replication issues between the two domain controllers.

Please run dcdiag /v from the command line of both domain controllers and post the outputs here.
 
I am aware that there are no real PDCs and BDCs in AD, but the 'PDC' is where I want everything to point to (and it's the legacy PDC and the primary Global Catalogue server).

I ran that command on both domain controllers and everything was a success except for the following lines on the PDC (it.company.com)

The date listed is when the following changes occurred to the network:

>The PDC was moved from a 10.5.0.0 subnet to a 10.2.0.0 subnet.
>The BDC was dcpromo'd to remove its AD.
>The BDC was dcpromo'd to a backup domain controller for the PDC.

The BDC was a Domain controller on a subdomain in the same forest as the current PDC that we no longer needed.

Thanks!

################################################
[tt]
Domain Controller Diagnosis

Performing initial setup:
* Connecting to directory service on server it.company.com.
* Collecting site info.
* Identifying all servers.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\IT
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... IT passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\IT
Starting test: Replications
* Replications Check
[Replications Check,IT] A recent replication attempt failed:
From (unknown) to IT
Naming Context: CN=Configuration,DC=company,DC=com
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failure.
The failure occurred at 2004-05-20 16:58.31.
The last success occurred at 2004-05-16 13:10.46.
104 failures have occurred since the last success.
[Replications Check,IT] A recent replication attempt failed:
From (unknown) to IT
Naming Context: CN=Schema,CN=Configuration,DC=company,DC=com
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failure.
The failure occurred at 2004-05-20 16:58.31.
The last success occurred at 2004-05-16 13:10.46.
104 failures have occurred since the last success.
......................... IT passed test Replications
[/tt]
 
You have DNS problems. Make sure the second domain controller has the first DC as its preferred DNS server. Leave the alternate DNS server field blank.

Also make sure the preferred DNS server on the first DC is itself.

Then run ipconfig /flushdns on both servers and restart the netlogon service on both.

Keep in mind that when you fix replication, users will still be authenticated by either one of your DCs. There isn't any way to point everyone to a particular DC.
 
In recent talks I've had with Microsoft PSS, they have suggested that the preferred method is to:

IPCONFIG /FLUSHDNS
IPCONFIG /REGISTERDNS
NET STOP NETLOGON
NET START NETLOGON

Probably six of one, half a dozen of the other, but I thought it worth mentioning.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Yep, that's pretty much what I said. I left out the /registerdns, which registers the A record. The restarting of netlogon registers the SRV records.

Maybe you talked to me when you called :)
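The two replies above give the fix in three parts: each DC's DNS client must point at a working DNS server for the domain, the resolver cache is flushed and the A record re-registered with ipconfig, and a Netlogon restart rewrites the SRV records that the replication partner lookup (the 8524 "DNS lookup failure" in the dcdiag output) depends on. The script below is an added example, not code from the thread or from Microsoft: it checks a DC's DNS client configuration against the advice given here, optionally applies the flush/register/restart sequence, and then verifies that the A record and DC-locator SRV records actually resolve against the preferred server. It assumes a DC with the DnsClient module cmdlets (Windows Server 2012 or later), is run elevated, and takes the domain name and preferred DNS server IP as parameters; `company.com` is the placeholder domain from the dcdiag output above.

```powershell
# Added example (not from the thread): verify and repair a DC's DNS client
# settings, then re-register the records AD replication relies on.
# Assumptions: Windows Server 2012+ (Get-/Set-DnsClientServerAddress,
# Resolve-DnsName), run elevated on the DC being checked.
# $PreferredDnsIp is the first DC's own IP when run on the first DC, and the
# first DC's IP when run on the second DC (the configuration the reply above
# recommends: preferred = first DC, alternate blank).
param(
    [Parameter(Mandatory)] [string]$DomainName,      # e.g. 'company.com' (placeholder)
    [Parameter(Mandatory)] [string]$PreferredDnsIp,  # DNS server this DC should use
    [switch]$Fix                                     # without -Fix, report only
)

# 1. Compare each IPv4-configured adapter's DNS server list with the expected one.
$adapters = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }

foreach ($a in $adapters) {
    $current = @($a.ServerAddresses)
    $ok = ($current.Count -eq 1) -and ($current[0] -eq $PreferredDnsIp)
    if ($ok) {
        "[OK]   $($a.InterfaceAlias): preferred DNS = $PreferredDnsIp, alternate blank"
        continue
    }
    "[WARN] $($a.InterfaceAlias): DNS servers = $($current -join ', ') (expected only $PreferredDnsIp)"
    if ($Fix) {
        Set-DnsClientServerAddress -InterfaceIndex $a.InterfaceIndex -ServerAddresses $PreferredDnsIp
        "[FIX]  $($a.InterfaceAlias): preferred DNS set to $PreferredDnsIp"
    }
}

# 2. The sequence from the replies: flush the resolver cache, re-register the
#    host A record, and restart Netlogon so it rewrites the SRV records.
if ($Fix) {
    ipconfig /flushdns    | Out-Null
    ipconfig /registerdns | Out-Null
    Restart-Service -Name Netlogon -Force
    Start-Sleep -Seconds 15   # give Netlogon time to register its records
}

# 3. Verify against the preferred server only (-DnsOnly skips the local cache
#    and hosts file) that the records replication needs are present.
$hostFqdn = "$env:COMPUTERNAME.$DomainName"
$checks = @(
    @{ Name = $hostFqdn;                          Type = 'A'   },
    @{ Name = "_ldap._tcp.dc._msdcs.$DomainName"; Type = 'SRV' },
    @{ Name = "_kerberos._tcp.$DomainName";       Type = 'SRV' }
)
foreach ($c in $checks) {
    try {
        $r = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $PreferredDnsIp -DnsOnly -ErrorAction Stop
        $targets = ($r | Where-Object { $_.Type -eq $c.Type } | ForEach-Object {
            if ($c.Type -eq 'SRV') { $_.NameTarget } else { $_.IPAddress }
        }) -join ', '
        "[OK]   $($c.Type) $($c.Name) -> $targets"
    } catch {
        # A failure here is the same lookup problem dcdiag reports as error 8524.
        "[FAIL] $($c.Type) $($c.Name): $($_.Exception.Message)"
    }
}
```

Run it once without `-Fix` on each DC to see what is wrong, then with `-Fix`, then re-run `dcdiag /v` as suggested earlier in the thread to confirm the Replications test no longer lists failed attempts. The SRV check is the important one: the A record comes back as soon as `ipconfig /registerdns` runs, but the `_ldap._tcp.dc._msdcs` records only appear after Netlogon has been restarted, so a script that checks only the A record can report success while replication is still broken.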
 
I've been wondering if you worked for PSS. I'm a former TAM myself.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Worked perfectly. We no longer have the huge delay in replication between the servers. I haven't seen the 'Building Domain List' dialog today, so I guess that's all kosher as well.

hats off to you fellows.

--Tom
 