new accounts not recognized by remote BDC

gbiello
Aug 9, 2001
Hello all,
We have an NT4 domain that goes across a WAN link to a remote site. Any NEW accounts that are created for users in the remote site cannot log in. There is a BDC at the remote site (SP6). They get an error saying that the user is not recognized, but the user clearly shows up in User Manager for Domains, on the BDC at the remote site.

I stopped the NETLOGON service on the remote BDC, which forced them to log on to a BDC at the main site, and they connected fine. Unfortunately, they still could not connect to any shares on the remote BDC. Some shares that could not be accessed had permissions for Everyone/Full Control.

I even went in and explicitly gave a new remote user access with NTFS permissions. It found his account and applied the permissions, but when I went back in to double-check, it showed 'Account unknown', where it had his account before.

The remote BDC can be pinged by NETBIOS name from the main site. I have tried to force replications as well, but no events appear in the log.

Any ideas? Please?
Thanks,
-gbiello
 
Here's some more info I found:
Event 4320, Source NetBT:
Another machine has sent a name release message to this machine probably because a duplicate name has been detected on the TCP network. The IP address of the node that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.

Node IpAddress: [10.0.1.3] Scope Id: []

NetBIOS Local Name Table
Name Type Status
---------------------------------------------
CUTLER_PDC <00> UNIQUE Registered
CUTLER_NT <00> GROUP Registered
CUTLER_NT <1C> GROUP Conflict
CUTLER_PDC <20> UNIQUE Registered
CUTLER_NT <1B> UNIQUE Registered
CUTLER_NT <1E> GROUP Registered
CUTLER_NT <1D> UNIQUE Conflict
CUTLER_PDC <3D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
CUTLER_PDC <03> UNIQUE Registered
CUTLER_PDC <BE> UNIQUE Registered


from Wins database:
<PC> CUTLER_NT[1Bh] 10.0.1.3 A (PDC)
...
<PC> CUTLER_FL1[00h] 10.0.3.2 AS (Rem BDC)
<PC> CUTLER_FL1[03h] 10.0.3.2 AS
<PC> CUTLER_FL1[20h] 10.0.3.2 AS
<PC> CUTLER_FL1[BEh] 10.0.3.2 A
<DOM?> CUTLER_NT[00h] 10.0.1.5 A
<DOM?> CUTLER_NT[1Ch] 10.0.3.2 A <--problem?
<DOM?> CUTLER_NT[1Eh] 10.0.1.5 A
 
From the remote site, can you map a drive to a DC in the main site, using one of the standard, non-new user accounts? Your problem is definitely related to SAM synchronization. Have you done a 'net accounts /sync' at the command-line on the remote BDC?

Which system registered the event that you detailed?

The WINS database should have a record for CUTLER_NT[1Ch] for each domain controller in your domain. The CUTLER_NT[1Bh] record doesn't necessarily denote the PDC, but points out the master browser for a subnet.

The [1C] entry that is marked as conflicted is an entry that denotes domain controllers. Do you have an LMHOSTS file on one of your domain controllers that might offer data that conflicts with WINS? Did you recently change the IPs on any systems, or change the name of a DC?

I would guess that it's your domain controllers and their WINS entries that are causing trouble. You might, after hours, delete the entries related to the two domain controllers from WINS, and then reboot each of the domain controllers separately. When they come back online, they will re-register all their records with WINS.

ShackDaddy
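
One way to pick the Conflict entries out of `nbtstat -n` output like the table quoted earlier, as an added example that is not part of the original posts. The sample is the table from the thread; the function names are hypothetical, and the 1D meaning (subnet master browser) is the standard NetBIOS one rather than something stated in the thread.

```python
import re
from typing import NamedTuple

# 1C is described in the thread; the 1D meaning is the standard NetBIOS one (added here).
SUFFIX_ROLE = {"1C": "domain controllers", "1D": "subnet master browser"}

class Entry(NamedTuple):
    name: str
    suffix: str
    kind: str
    status: str

ROW = re.compile(
    r"^\s*(?P<name>\S+?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<kind>UNIQUE|GROUP)\s+(?P<status>\S+)\s*$")

def parse_name_table(text):
    """Return one Entry per table row; header and ruler lines are skipped."""
    return [Entry(m["name"], m["suffix"].upper(), m["kind"], m["status"])
            for m in map(ROW.match, text.splitlines()) if m]

def conflicts(entries):
    """Entries whose registration is in the Conflict state."""
    return [e for e in entries if e.status.lower() == "conflict"]

def report(text):
    """One line per conflicted name, with the role of its suffix if known."""
    return [f"{e.name}<{e.suffix}> {e.kind}: Conflict "
            f"({SUFFIX_ROLE.get(e.suffix, 'role not mapped here')})"
            for e in conflicts(parse_name_table(text))]

# Sample input: the nbtstat -n table quoted in the thread.
SAMPLE = """\
Name Type Status
---------------------------------------------
CUTLER_PDC <00> UNIQUE Registered
CUTLER_NT <00> GROUP Registered
CUTLER_NT <1C> GROUP Conflict
CUTLER_PDC <20> UNIQUE Registered
CUTLER_NT <1B> UNIQUE Registered
CUTLER_NT <1E> GROUP Registered
CUTLER_NT <1D> UNIQUE Conflict
CUTLER_PDC <3D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
CUTLER_PDC <03> UNIQUE Registered
CUTLER_PDC <BE> UNIQUE Registered
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Running the same check on each domain controller after its WINS records are re-registered shows whether the 1C entry has left the Conflict state.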
 
Thanks for the feedback ShackDaddy,
We have no trouble accessing/mapping to the PDC with a new account from the remote site.

We're going to try your 'net accounts /sync' idea, although I'm not hopeful, because we've attempted forced replications.

After hours, we'll blow away the WINS entries listed above, shut down all PDC, BDCs and reboot, PDC first, then the others. I'm away until Tuesday, so I'll know what happens then...
Thanks again,
-gbiello
 
Just got an email from the end-user. He says it's working now. Not sure what exactly fixed it. But thanks much for the advice.
-gbiello
 