Second DC not allowing logins

(OP)
Hello Everybody,

I am having a strange problem with a new DC which is running Server 2012 R2. Here is the setup:

SBS 2003 Server running as a DC
Server 2008 R2 running as a terminal server
new Server 2012 R2 running as a DC

The first two servers have been running for a while and work fine. However I would like to get rid of the SBS 2003 server sometime soon. Therefore I have added in the Server 2012 R2 as a DC. It is also running as a Global Catalog Server as is the SBS. For now SBS is running all FSMO roles since it is required by SBS. Once I can get the other server to allow logons I will seize these roles.
All servers are running under VMware 5.5 Server.

Here is the problem: if the Small Business Server is turned off, nobody can log in with domain credentials on the terminal server. If memory serves me correctly you cannot log in to a local workstation either. I have disabled all GPO's to make sure they are not causing a time out issue. I can log in to the Server 2012 system even if the SBS server is off. In testing I have logged into the terminal server locally through VMware and checked to make sure DNS was working on the new 2012 server, which it is. The terminal server does have both DC servers set in as its DNS servers.

Some testing I did with nslookup (this was taken from another site as some suggestions to try):
I typed in the domain name incorrectly and received the error "*** 2012-servername can't find domain: non-existent domain"
I then noticed my incorrect spelling, typed it in correctly, and got this response:

Server: 2012ServerName.domain-name
Address: <the IPv4 Address of the 2012 Server>

Name: domain-name
Addresses: <first the SBS server IPv4 address then on the next line the 2012 IPv4 address>

I then issued the command "set type=SRV" and then typed in "_ldap._tcp.domain-name"

The result I got back is:
Server: 2012ServerName.domain-name
Address: <the IPv4 Address of the 2012 Server>

-ldap._tcp.domainname SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = SBS-Server-Name.domain-name
ldap._tcp.domainname SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = 2012-Server-Name.domain-name
sbs-server-name.domain-name internet address = <the IPv4 IP Address of that server>
2012-server-name.domain-name internet address = <the IPv4 IP Address of that server>

These commands were run while the SBS Server was turned off. So it looks like it is responding correctly to those commands. I also logged into the 2012 Server while the SBS server was down and tried to take a look at the GPO's to verify that they were turned off. When adding in the forest domain it told me that the domain was not found or available. When I turned the SBS server back on I was able to add in the forest domain normally and it showed me all of the GPO's.

If anybody has any possible tests I can run or ideas why the 2012 Server is not processing domain logins I would be happy to explore them. From what I understand, as long as a server is set up as a DC, and it is running DNS, and set up as a Catalog Server, it should process domain requests and logon requests. Before disabling the GPO's I was getting some errors in the event log showing a GPO error and then another error I cannot remember. Both indicated a problem with active directory domain issues. Once I disabled the GPO's I no longer see any problems in the event logs.

RE: Second DC not allowing logins

(OP)
I wanted to post an update on this in case somebody may have some knowledge regarding this issue. It seems like the AD sync did not complete. Apparently you can fix this with BurFlags like in this post.

So I was getting ready to do this when I noticed the 2003 server is in a journal wrap error state. There is also a fix for this but from my understanding it deletes the server from the AD domain then adds it back in and syncs the AD. If this is true then it sounds like it would delete my main AD server and try to sync with a server that is incomplete. If this is true it may wipe out my good AD and leave me with a mess. Is this correct? How do I go about removing this error without wiping the data? I am thinking about removing the 2012 server as a DC to see what happens then adding it back in as a DC after I check to see if the journal wrap error is gone. Would this be a recommended fix?
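
Added example, not part of either post above: the nslookup test shows what DNS hands out, while this read-only PowerShell check asks the new DC itself whether it is advertising for logons, which depends on the SYSVOL sync the second post mentions. It assumes an elevated prompt on the 2012 R2 DC with the SBS server powered off, and `domain-name` is the same placeholder used in the posts.

```powershell
# Added example; run in an elevated PowerShell on the new 2012 R2 DC.
# Read-only: it changes no replication settings and does not touch BurFlags.
$domain = 'domain-name'   # placeholder, same as in the posts above

# 1. SYSVOL and NETLOGON must both be shared before the DC advertises itself.
$shareNames    = @(Get-CimInstance -ClassName Win32_Share).Name
$missingShares = @('SYSVOL', 'NETLOGON' | Where-Object { $_ -notin $shareNames })

# 2. Netlogon sets SysvolReady to 1 once the initial SYSVOL replication is done.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$sysvolReady = (Get-ItemProperty -Path $key -Name SysvolReady `
                    -ErrorAction SilentlyContinue).SysvolReady

# 3. dcdiag's Advertising test checks that this DC is announced as a DC.
$dcdiag      = & dcdiag.exe /test:Advertising "/s:$env:COMPUTERNAME" 2>&1
$advertising = [bool]($dcdiag -match 'passed test Advertising')

# 4. Ask the DC locator which DC it finds right now, bypassing its cache.
$nltest    = & nltest.exe "/dsgetdc:$domain" /force 2>&1
$locatorOk = [bool]($nltest -match 'The command completed successfully')
$locatorDc = $nltest | Select-String -Pattern '^\s*DC:\s*(\S+)' |
             ForEach-Object { $_.Matches[0].Groups[1].Value }

# Summary: one object that can be pasted into a reply or saved for comparison.
[pscustomobject]@{
    MissingShares   = $missingShares -join ', '
    SysvolReady     = $sysvolReady
    AdvertisingTest = $advertising
    LocatorFoundDC  = $locatorOk
    LocatorDC       = $locatorDc
}
```

A missing share or a `SysvolReady` value other than 1 on the new DC is consistent with the incomplete sync described in the second post.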
