dcgames asked:
New DC in home LAN. Clients can't log in.

I had a network with a single Win2K domain controller that is also e-mail and web server. In order to replace it, I first installed Win2K Server on the new computer and used the AD wizard to create an "additional DC in an existing network".

It replicated. I transferred the 5 roles to the new DC (but forgot to transfer the Global Catalog).

I shut down the old DC, put a new NIC in the new DC and rebooted, configuring NAT, RRAS, DHCP, DNS, and IIS.

I also checked "global catalog" in the AD settings for the new DC and un-checked it for the old.

I went to log in from a client in the network, and I get an error that either the password is bad or the domain is incorrect.

I brought up the old DC off-line and removed DHCP, RRAS from it. Then I plugged it in.

The two Win2K servers can see each other, browse their respective shared folders, etc.

I noticed some event log errors that led me to find out that the Group Policies could not be opened on the new DC.

If I select "admin tools / Domain Controller Policies" (or group or local policies for that matter), I get an error.

Further digging led me to find that:

%SYSROOT%/SYSVOL/SYSVOL/ didn't replicate. On the old DC there are two directories. One is called "Policies" containing two entries {xxxx} a.k.a {GUID} and another called SCRIPTS I think is empty but was SHARED AS NETLOGON.

According to microsoft articles, I can create the missing folders and that's that, but the policies are created empty.

I dragged and dropped the two folders from the old system to the new and now my old policies are back in place.

HOWEVER, when I dragged & dropped, it MOVED the files instead of COPYING the files, so it eliminated the "SHARE" setting on SCRIPTS. I have no idea what the "SHARE" settings were. I right-clicked on the SCRIPTS folder and said to share it with name "NETLOGON".

But I can't log on.

Ping, tracert, browsing, etc., are all working from the clients, I just can't log into the domain.

Dave
Housenet:
Hey Dave,
- The Netlogon share is the location of the login scripts.
- Create a folder called scripts in winnt\sysvol\sysvol\DOMAIN.NAME\
- NTFS permissions = Administrators & System full control;
  Authenticated Users = read, read & execute & list folder contents.
- Share as NETLOGON. Share permissions are Administrators = full control & Everyone = read.

- This should allow you to log on again.

- Read these articles to complete the changeover:

http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=13393
http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=13390
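As an added check (not part of Housenet's post or the thread), a PowerShell script that verifies the NETLOGON share and its permissions against the values listed above. It assumes a current Windows Server DC where the SmbShare cmdlets and Get-Acl are available; the $Domain value is a placeholder.

```powershell
# Added example, not from the thread: check that the NETLOGON share and its
# permissions match the values Housenet lists. Assumes a current Windows Server
# DC (SmbShare module, Get-Acl); $Domain is a placeholder to replace.
param([string]$Domain = 'DOMAIN.NAME')   # placeholder DNS domain name

$expectedPath = Join-Path $env:SystemRoot "SYSVOL\sysvol\$Domain\scripts"
$share = Get-SmbShare -Name 'NETLOGON' -ErrorAction SilentlyContinue
if (-not $share) { Write-Warning 'NETLOGON share is missing'; return }
if ($share.Path -ne $expectedPath) {
    Write-Warning "NETLOGON points at '$($share.Path)', expected '$expectedPath'"
}

# Share permissions: Administrators = full control, Everyone = read
$wantShare = @{ 'BUILTIN\Administrators' = 'Full'; 'Everyone' = 'Read' }
$shareAcl  = Get-SmbShareAccess -Name 'NETLOGON'
foreach ($acct in $wantShare.Keys) {
    $ok = $shareAcl | Where-Object {
        $_.AccountName -eq $acct -and $_.AccessRight -eq $wantShare[$acct] -and
        $_.AccessControlType -eq 'Allow' }
    if (-not $ok) { Write-Warning "Share ACL: expected $acct = $($wantShare[$acct])" }
}

# NTFS permissions: Administrators and SYSTEM full control; Authenticated Users
# read, read & execute, list folder contents (all contained in ReadAndExecute)
$R = [System.Security.AccessControl.FileSystemRights]
$wantNtfs = @{
    'BUILTIN\Administrators'           = $R::FullControl
    'NT AUTHORITY\SYSTEM'              = $R::FullControl
    'NT AUTHORITY\Authenticated Users' = $R::ReadAndExecute
}
$aces = (Get-Acl -Path $expectedPath).Access | Where-Object { $_.AccessControlType -eq 'Allow' }
foreach ($acct in $wantNtfs.Keys) {
    $granted = 0   # OR together every Allow ACE for this account
    $aces | Where-Object { $_.IdentityReference.Value -eq $acct } |
        ForEach-Object { $granted = $granted -bor [int]$_.FileSystemRights }
    $need = [int]$wantNtfs[$acct]
    if (($granted -band $need) -ne $need) { Write-Warning "NTFS: $acct lacks $($wantNtfs[$acct])" }
}

# Anything else with write rights here can alter scripts that every client runs at logon
$writeBits = [int]($R::Write -bor $R::Delete -bor $R::ChangePermissions -bor $R::TakeOwnership)
foreach ($ace in $aces) {
    $who = $ace.IdentityReference.Value
    if (-not $wantNtfs.ContainsKey($who) -and ([int]$ace.FileSystemRights -band $writeBits)) {
        Write-Warning "NTFS: unexpected write access for $who on $expectedPath"
    }
}
```

Run it in an elevated session on the DC; no output means the share path and both permission sets match.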
dcgames (asker):
Hello Housenet. I've made the changes to the permissions and share permissions. I will go check to see if it works, but in the mean time, a question:

The articles you mention deal with "allowing the schema to be edited". I don't understand what this has to do with my situation. Should I change my system to allow schema editing?

Dave
dcgames (asker):
Didn't work. Says:

"The domain password you supplied is not correct or access to your logon server has been denied" .

The old DC (machine name DCGATEWAY89) is off, only the new DC is on (machine name HDZSERVER).

Dave
dcgames (asker):
I enabled trace on that NIC and captured the attempt at logon with no other traffic on the network. The result is 20 TCP/IP frames, which I captured into here:

http://hdzlan.dcgames.com/cap1.htm

I can't see anything wrong in that..

Dave
dcgames (asker):
Oops. At least I know now what went wrong. There was a clock difference between the two domain controllers when I created the new one. See this log entry, for example:

Event Type:     Error
Event Source:     NtFrs
Computer:     HDZSERVER
Description:
The File Replication Service is unable to replicate from a partner computer because the event time associated with the file to be replicated is too far into the future.  It is 30 minutes greater than the current time.  This can happen if the system time on the partner computer was set incorrectly when the file was created or updated.  To preserve the integrity of the replica set this file update will not be performed or propagated further.
 
The file name is: "scripts"
The connection to the partner computer is:
  "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)\HDZSERVER\\\dc-gateway89.hdzlan.dcgames.com <- \\dc-gateway89.hdzlan.dcgames.com RemoteCxt"

Same message is there for the contents of the "Policies" folder.
 
So the service didn't sync the contents of Policies or Scripts, which meant that the File Replication Service decided to tell NETLOGON that the new service was NOT authorized as a domain controller.

Eventually it gives up and does something "temporary", etc.
See:

http://support.microsoft.com/support/kb/articles/Q250/5/45.ASP

When I copied the sysvol manually, I thought I was fixing it, but I'm not sure if I duplicated it wrong since I have two SYSVOL folders:
C:\WINNT\SYSVOL\
C:\WINNT\SYSVOL\sysvol\

Furthermore, it looks like when it gave up it created a \domain\ folder under the first sysvol (the word domain, not the domain name). This folder has Policies and Scripts.

Now my structure looks like this:

C:\WINNT\SYSVOL\domain\
C:\WINNT\SYSVOL\staging\
C:\WINNT\SYSVOL\staging areas\
C:\WINNT\SYSVOL\sysvol\
C:\WINNT\SYSVOL\sysvol\hdzlan.dcgames.com\

And under the first folder (\domain\) and the last one (\sysvol\hdzlan.dcgames.com\) I have Policies and Scripts.

Now I'm not sure if \domain\ should be deleted and replaced with \hdzlan.dcgames.com\ and the double
\sysvol\sysvol\ is in error, or whether they both need to be there.

Per the article, I tried NET STOP NTFRS and NET START NTFRS. Don't know if it makes a difference at this time.

I noticed all this because I am getting these two log entries:

Event Type:     Warning
Event Source:     NtFrs
Computer:     HDZSERVER
Description:
The File Replication Service is having trouble enabling replication from DC-GATEWAY89 to HDZSERVER for c:\winnt\sysvol\domain using the DNS name dc-gateway89.hdzlan.dcgames.com. FRS will keep retrying.

But I turned off the old domain server, so this will never succeed.

Jeez.. All because I didn't check that the two domains had the same time and I didn't configure the NTP (network time protocol) on either..

Any ideas on how to fix this?

Dave
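As an added example (not from the thread), a PowerShell check for the clock skew Dave's NtFrs events describe: it measures each DC's offset from the host it runs on with w32tm /stripchart and flags any beyond a tolerance, which is what to run before promoting or joining a DC. It assumes the ActiveDirectory RSAT module for the DC list; the 300-second default is the Kerberos maximum tolerance and is my choice, not a value from the thread.

```powershell
# Added example, not from the thread: measure every DC's clock offset against
# this host and flag skew. Assumes the ActiveDirectory module (Get-ADDomainController);
# $MaxSkewSeconds defaults to the 5-minute Kerberos tolerance (assumed threshold).
param([double]$MaxSkewSeconds = 300)

function Get-DcOffsetSeconds {
    param([string]$Dc)
    # With /dataonly, w32tm prints one sample per line: "12:34:56, +00.0123456s"
    # Error samples look like "12:34:56, error: 0x80072746" and are skipped.
    $lines = & w32tm /stripchart /computer:$Dc /samples:3 /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { return $null }   # unreachable, or NTP/RPC blocked
    ($offsets | Measure-Object -Average).Average
}

$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($dc in $dcs) {
    $off = Get-DcOffsetSeconds -Dc $dc
    if ($null -eq $off) { Write-Warning "$dc : no usable samples from w32tm"; continue }
    $status = if ([math]::Abs($off) -gt $MaxSkewSeconds) { 'SKEW' } else { 'ok' }
    '{0,-40} {1,12:N3}s {2}' -f $dc, $off, $status
}
```

A 30-minute offset like the one in the event above would show as about 1800 seconds and be marked SKEW.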

dcgames (asker):
Housenet, I'm sorry for the million posts. I've now verified in

http://support.microsoft.com/support/kb/articles/Q257/3/38.ASP

that indeed "domain" and two sysvols is correct.

But logon still won't work and NTFRS still reports the weird values.

I've checked the settings for NETLOGON in the registry and it says that sysvol is ready (i.e. netlogon doesn't think that sysvol is incomplete, in theory).

Dave
dcgames (asker):
Upped the points because it's not clear what to do next..

ASKER CERTIFIED SOLUTION by Housenet (text only available to members)
dcgames (asker):
Using the troubleshooting tools I figured there was a version difference between the AD version of SYSVOL and the physical version of SYSVOL policies.

After extensive cleanup of anything I could figure out, I found out that WINS was not configured properly on the new server.

Removing and adding WINS back in solved the problem because the Win98 clients could then log in with pre-Win2000 authentication.

Makes me think that the GID for the Win98 computers was mis-matched or something.

So while I'm not sure exactly what finally DID fix the problem, I sure learned a lot about how to debug these things..

Now if I can only remember where I enabled all the logs, so I can turn them off before my hard drive fills up with log entries :)

Thanks Housenet..

Dave