BDC Not authenticating users.

Situation: My domain spans a WAN, connected via T1s. At my location I have the PDC and a BDC. The other side has 2 BDCs.
My network has NetBEUI bridged, essentially making our expensive Cisco routers into B-routers. This is another mess in and of itself. Anyway, my local users on my end are authenticating across the WAN to one of the BDCs there, instead of my PDC or BDC here. (Question: Is it true that a workstation will look to authenticate to a BDC instead of a PDC, and will search for one until it finds it?) My BDC appears to be working fine in every area except one! In Server Manager everything is grayed out. Nothing is "blue". It is acting like it does not see the domain servers or workstations. In Network Neighborhood, everything is there! I can ping and net use to anything! I stopped and restarted the Server service - nothing! I tried, several times, to resync the domain. It says that it is done and I get no errors back. Some users do authenticate to it, but it is not consistent. If I add a user to my BDC, it shows up on the other servers. The servers are communicating that way.
FYI - I know where my users are authenticating to by the title in the login script. The location of that login script is on the top line of the script. Any help will be appreciated. In the meantime I will be building a new BDC - have to get this working!!!!!
Asked: kevinr99

1 Solution
 
LermitteCommented:
When you create a new user on the PDC is there a replication to the BDC?

If the computer being connected to is a BDC for the domain in which the user account is defined, but the BDC fails to authenticate the user's password, this indicates that the password has changed but the BDC was not synchronized at the time the user logged on. In this case, the BDC passes the logon request through to the PDC in the same domain.

Mario
 
LermitteCommented:
Domain controllers maintain a password-protected channel between each other.
When a BDC is brought into a domain, the PDC gives the BDC the current password
to use when connecting to the PDC for authentication, account database
replication, and other system activities. This password changes automatically on
a regular basis. If the BDC is offline when the password changes, or if a BDC is
restored from a backup that has an old password, the BDC will not be able to
authenticate with the PDC, and Netlogon will fail.
 
RESOLUTION
==========
 
In the simplest case, all that has happened is that the domain password has
changed. To resolve the problem, do the following:
 
1. Start the BDC, and open Server Manager
 
2. Select the BDC's name, and select Synchronize with Primary Domain Controller.
 
If this procedure is successful, you will get a message that the LSA Database has
been updated and Netlogon will start automatically. No other action is
necessary.
 
However, if synchronizing with the PDC does not work on the first attempt, try
carrying out the same command again. Often, a second attempt will succeed.
However, if the BDC will not synchronize and Netlogon fails to start after three
attempts, you should create a new machine account for the BDC. These
instructions are taken from a related article, Q137987:
 
1. Using Server Manager, create a new computer name.
 
2. Synchronize entire domain (check another BDC's event viewer to see if it
   synchronized).
 
3. At the problem BDC, use the Network tool in Control Panel to change the name
   to the new name created in Step 1.
 
4. Shut down the BDC, restart, and log on to Windows NT. Note any error
   messages. You must logon to the domain the BDC belongs to, not a trusted
   domain.
 
5. Using Server Manager, synchronize the entire domain.
 
6. From the PDC, delete the old computer name (use Server Manager).
 
7. Synchronize the entire domain, using Server Manager.
 
8. Make sure the old BDC name has been deleted in Server Manager before
   proceeding.
 
9. After the old BDC name is gone from Server Manager, re-create it.
 
10. Synchronize the entire domain, using Server Manager.
 
11. At the problem BDC, change computer name to the old name created in step 9,
   using the Network tool in Control Panel.
 
12. Shut down the BDC, restart, and log on to the domain. Note any error
   messages.
 
13. Synchronize entire domain.
 
At this point the BDC should be synchronized with the PDC, netlogon should be
running, and the accounts database should be up to date.
 
You can also see this.

Mario
 
kevinr99Author Commented:
Yes - if I add a user to the PDC it appears on all the BDCs. The passwords we are using are all the same and are never changed (operator call center).
A few things that I discovered - if I DESELECT "Show Domain Members Only", everything appears normal. All of these workstations are members of the domain. I built them, I know, plus they all authenticate to the domain. What does that mean?! Are those workstations not part of the domain? That is a very hard pill to swallow!
If I SELECT (it was not selected when I checked) "Show Domain Members Only" on the PDC, everything is grayed out, just like the BDC.
Another problem that I detected: for some reason my BDC (the one causing problems) had an IP in the DHCP scope. That IP was not reserved. I do have conflict detection enabled, so there was no duplicate IP problem. After changing the IP, things worked a little better. About 50% of the workstations that I tested authenticated to my local BDC.
Then I sat down side by side at 2 workstations. One would always go to my BDC, the other to a REMOTE BDC. What the heck is going on?
 
LermitteCommented:
What if you remove a workstation from the domain: delete the entry in Server Manager and bring the workstation back to the domain.

So make the workstation a member of a workgroup. Delete the entry in Server Manager.
Make the workstation a domain member.

Mario
 
kevinr99Author Commented:
I am now thinking that my one BDC can't handle the load of user authentication alone. My solution is to build another BDC for my location (I will have 1 PDC and 2 BDCs) for 157 operator workstations on my side of the WAN. I will update with the results of that. I should have it online by tonight.

In regards to having all my stations grayed out - if you select "Show Domain Members Only", everything is grayed out! I think what that does is show only workstations that have joined the domain (W95/98 boxes will not be listed here). If you deselect it, all active sessions turn blue. My problem was selecting "Show Domain Members Only". Once I deselected it, everything is fine. Try it on your domain and tell me if your results differ.
 
mazharCommented:
A couple of comments are in order, I think:

1)  Logon/Authentication requests are sent from MS clients to all DCs of a domain.  Then the client waits for the first response from one of those DCs and then carries on with the DC that responds first, ignoring all the others.  For some reason, the response from your DC across the WAN is getting to the client first.

2)  Are your client workstations in the same domain as your users?  or are we talking about multiple domains with the associated headaches of trust relationships?
 
Tim HolmanCommented:
I think a couple of WINS servers would sort things out for you here.
It's quite possible that your T1 line is faster than your LAN speed...

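To make mazhar's point (the client talks to every DC and keeps the first that answers) and Tim's (WINS decides which DCs a client learns about) concrete, here is an added example of the lookup an NT4 workstation performs before it sends any logon request. It is my own illustration, not code from anyone in this thread. Every domain controller registers the NetBIOS group name DOMAIN<1C>; the client resolves that name at a WINS server (or by subnet broadcast) and receives the list of DC addresses, then races its logon request against that list. The block builds the NetBIOS name-service (RFC 1001/1002) query for DOMAIN<1C>, parses the positive reply, and rejects negative or malformed responses. The domain name OPSDOM, the transaction id and the 10.1.0.x / 10.2.0.x addresses are made-up sample data.

```python
"""Added example (not from the original thread): NBNS query for DOMAIN<1C>.
Domain name, transaction id and addresses below are constructed sample data."""
import struct

NBNS_PORT = 137
SUFFIX_DOMAIN_CONTROLLERS = 0x1C   # group name every NT4 DC registers


def netbios_name(name: str, suffix: int) -> bytes:
    """16-byte NetBIOS name: up to 15 chars, space padded, then the type suffix."""
    raw = name.upper().encode("ascii")
    if not 1 <= len(raw) <= 15:
        raise ValueError("NetBIOS names are 1..15 characters")
    return raw.ljust(15, b" ") + bytes([suffix])


def first_level_encode(name16: bytes) -> str:
    """RFC 1001 14.1: each nibble becomes one letter in 'A'..'P' (32 chars)."""
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in name16)


def first_level_decode(encoded: str) -> bytes:
    """Inverse of first_level_encode; rejects anything not 32 x 'A'..'P'."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    nib = [ord(c) - 0x41 for c in encoded]
    return bytes((nib[i] << 4) | nib[i + 1] for i in range(0, 32, 2))


def _label(domain: str) -> bytes:
    """Question/RR name: 0x20 length byte, 32 encoded chars, zero terminator."""
    enc = first_level_encode(netbios_name(domain, SUFFIX_DOMAIN_CONTROLLERS))
    return b"\x20" + enc.encode("ascii") + b"\x00"


def build_name_query(domain: str, trn_id: int, broadcast: bool = False) -> bytes:
    """NAME QUERY REQUEST for DOMAIN<1C> (RFC 1002 4.2.12). Unicast to WINS sets
    RD only; a subnet broadcast additionally sets the B flag."""
    flags = 0x0110 if broadcast else 0x0100
    header = struct.pack(">HHHHHH", trn_id, flags, 1, 0, 0, 0)        # QDCOUNT=1
    return header + _label(domain) + struct.pack(">HH", 0x0020, 0x0001)  # NB, IN


def build_positive_response(domain, trn_id, dc_ips, ttl=300000) -> bytes:
    """Constructed POSITIVE NAME QUERY RESPONSE (RFC 1002 4.2.13): one
    NB_FLAGS + NB_ADDRESS pair per DC with the group bit set, as WINS answers."""
    header = struct.pack(">HHHHHH", trn_id, 0x8580, 0, 1, 0, 0)  # R,AA,RD,RA; ANCOUNT=1
    rdata = b"".join(struct.pack(">H", 0x8000) + bytes(int(o) for o in ip.split("."))
                     for ip in dc_ips)
    rr = struct.pack(">HHIH", 0x0020, 0x0001, ttl, len(rdata))
    return header + _label(domain) + rr + rdata


def parse_name_query_response(pkt: bytes):
    """Return (trn_id, name16, [(ip, is_group), ...]) from a name query response;
    raise ValueError on negative or malformed replies. Callers must compare
    trn_id with the query they sent."""
    if len(pkt) < 12:
        raise ValueError("short NBNS header")
    trn_id, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"negative name query response, RCODE={flags & 0xF}")
    if an < 1:
        raise ValueError("response carries no answer")
    off = 12
    if len(pkt) < off + 34 + 10 or pkt[off] != 32 or pkt[off + 33] != 0:
        raise ValueError("unexpected RR_NAME encoding")
    name16 = first_level_decode(pkt[off + 1:off + 33].decode("ascii"))
    off += 34
    rr_type, rr_class, _ttl, rdlength = struct.unpack_from(">HHIH", pkt, off)
    off += 10
    if rr_type != 0x0020 or rr_class != 0x0001:
        raise ValueError("answer is not an NB/IN record")
    rdata = pkt[off:off + rdlength]
    if len(rdata) != rdlength or rdlength % 6:
        raise ValueError("truncated RDATA")
    entries = []
    for i in range(0, rdlength, 6):
        nb_flags, a, b, c, d = struct.unpack_from(">HBBBB", rdata, i)
        entries.append((f"{a}.{b}.{c}.{d}", bool(nb_flags & 0x8000)))
    return trn_id, name16, entries


def discover_dcs_demo():
    """Round trip against a constructed WINS reply: PDC and local BDC on
    10.1.0.0/24, the two remote BDCs on 10.2.0.0/24 (all sample addresses)."""
    query = build_name_query("OPSDOM", 0x1234)
    reply = build_positive_response("OPSDOM", 0x1234,
                                    ["10.1.0.10", "10.1.0.11", "10.2.0.11", "10.2.0.12"])
    trn_id, _name, dcs = parse_name_query_response(reply)
    assert trn_id == 0x1234
    return query, [ip for ip, is_group in dcs if is_group]


if __name__ == "__main__":
    q, dcs = discover_dcs_demo()
    print("query bytes:", q.hex())
    print("DCs registered for OPSDOM<1C>:", dcs)
```

The list that comes back is the whole race field: the client sends its logon request datagram to each address in it (and as a subnet broadcast) and uses whichever DC replies first, so a remote BDC sitting idle behind a T1 can beat a local BDC that is loaded or several hops away. A client that only broadcasts sees just the DCs on its own subnet, while a WINS client sees every DC that has registered the 1C name, which is why adding or fixing WINS changes which controllers a workstation even tries.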
 
ravenoneCommented:
I don't think you need more than the two BDCs at your location.  You already have three that are authenticating logins, and unless you've built them to the Microsoft minimum requirements, that should be plenty. Adding another BDC will just increase network traffic without helping much with your authentication issues.  

I'd agree with Tim, that it's possible the remote BDC is replying before the local one.  Also, how many hops to the local BDC as opposed to the remote BDC?  How flat is your network?  Are the local machines on the same segment as the BDC, or do they need to travel up three routers to reach the local BDC compared to only two to reach the remote BDC?

-Tabo
 
Tim HolmanCommented:
Is this fixed then?