Solved

New DC in Home LAN. Clients can't log in.

Posted on 2001-06-27
Last Modified: 2010-04-13
I had a network with a single Win2K domain controller that is also the e-mail and web server. In order to replace it, I first installed Win2K Server on the new computer and used the AD wizard to create an "additional DC in an existing network".

It replicated. I transferred the 5 roles to the new DC (but forgot to transfer the Global Catalog).

I shut down the old DC, put a new NIC in the new DC and rebooted, configuring NAT, RRAS, DHCP, DNS, and IIS.

I also checked "global catalog" in the AD settings for the new DC and un-checked it for the old.

I went to log in from a client in the network, and I get an error that either the password is bad or the domain is incorrect.

I brought up the old DC off-line and removed DHCP, RRAS from it. Then I plugged it in.

The two Win2K servers can see each other, browse their respective shared folders, etc.

I noticed some event log errors that led me to find out that the Group Policies could not be opened on the new DC.

If I select "admin tools / Domain Controller Policies" (or group or local policies for that matter), I get an error.

Further digging led me to find that:

%SYSROOT%/SYSVOL/SYSVOL/ didn't replicate. On the old DC there are two directories. One is called "Policies", containing two entries {xxxx} a.k.a. {GUID}, and another called SCRIPTS, which I think is empty but was SHARED AS NETLOGON.

According to Microsoft articles, I can create the missing folders and that's that, but the policies are created empty.

I dragged and dropped the two folders from the old system to the new and now my old policies are back in place.

HOWEVER, when I dragged & dropped, it MOVED the files instead of COPYING the files, so it eliminated the "SHARE" setting on SCRIPTS. I have no idea what the "SHARE" settings were. I right-clicked on the SCRIPTS folder and said to share it with the name "NETLOGON".

But I can't log on.

Ping, tracert, browsing, etc. are all working from the clients; I just can't log into the domain.

Dave
Question by: dcgames
Expert Comment by: Housenet
Hey Dave,
- The NETLOGON share is the location of the login scripts.
- Create a folder called scripts in winnt\sysvol\sysvol\DOMAIN.NAME\
- NTFS permissions: Administrators and SYSTEM = full control; Authenticated Users = read, read & execute, and list folder contents.
- Share it as NETLOGON. Share permissions: Administrators = full control, Everyone = read.

- This should allow you to log on again.

- Read these articles to complete the changeover:

http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=13393
http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=13390
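The folder, NTFS permissions and share that Housenet lists, scripted as an added example (not part of the original thread, and not something Windows 2000 could run; there the same result came from Explorer's Security and Sharing tabs or NET SHARE). It assumes a domain controller on Windows Server 2012 or later for the SmbShare cmdlets, and takes the domain name hdzlan.dcgames.com from later posts in this thread. ReadAndExecute is the NTFS right that bundles read, read & execute and list folder contents:

```powershell
# Added example: recreate the scripts folder under SYSVOL, set the NTFS ACL and
# publish it as NETLOGON with the share permissions from Housenet's comment.
# Assumes Windows Server 2012+ (SmbShare module) and an elevated session.
#Requires -RunAsAdministrator

$DomainName = 'hdzlan.dcgames.com'    # assumption: taken from later posts in the thread
$ScriptsDir = Join-Path $env:SystemRoot "SYSVOL\sysvol\$DomainName\scripts"

function Set-NetlogonScriptsFolder {
    param([string]$Path, [string]$ShareName = 'NETLOGON')

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # NTFS: Administrators and SYSTEM full control; Authenticated Users
    # ReadAndExecute (= read, read & execute, list folder contents). The ACL is
    # made explicit so nothing inherited from SYSVOL widens it by accident.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $noProp  = [System.Security.AccessControl.PropagationFlags]::None
    $entries = @(
        @{ Identity = 'BUILTIN\Administrators';           Rights = 'FullControl' },
        @{ Identity = 'NT AUTHORITY\SYSTEM';              Rights = 'FullControl' },
        @{ Identity = 'NT AUTHORITY\Authenticated Users'; Rights = 'ReadAndExecute' }
    )
    foreach ($e in $entries) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                           -ArgumentList $e.Identity, $e.Rights, $inherit, $noProp, 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Share: Administrators full control, Everyone read. If a NETLOGON share already
    # exists but is rooted elsewhere, drop it rather than serve the wrong folder.
    $share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
    if ($share -and $share.Path -ne $Path) {
        Remove-SmbShare -Name $ShareName -Force
        $share = $null
    }
    if (-not $share) {
        New-SmbShare -Name $ShareName -Path $Path `
                     -FullAccess 'BUILTIN\Administrators' -ReadAccess 'Everyone' | Out-Null
    }

    # Return what was actually applied so it can be compared with the intended list.
    [pscustomobject]@{
        Path        = $Path
        NtfsAccess  = (Get-Acl -LiteralPath $Path).Access |
                      Select-Object IdentityReference, FileSystemRights, AccessControlType
        ShareAccess = Get-SmbShareAccess -Name $ShareName |
                      Select-Object AccountName, AccessRight, AccessControlType
    }
}

Set-NetlogonScriptsFolder -Path $ScriptsDir | Format-List
```

The returned object is the check worth keeping: after the change, Everyone should appear only on the share with Read, and nothing beyond Administrators and SYSTEM should hold FullControl on the folder itself.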
 
Author Comment by: dcgames
Hello Housenet. I've made the changes to the permissions and share permissions. I will go check to see if it works, but in the meantime, a question:

The articles you mention deal with "allowing the schema to be edited".  I don't understand what this has to do with my situation. Should I change my system to allow schema editing?  

Dave
 
Author Comment by: dcgames
Didn't work. Says:

"The domain password you supplied is not correct or access to your logon server has been denied" .

The old DC (machine name DCGATEWAY89) is off, only the new DC is on (machine name HDZSERVER).

Dave
 
Author Comment by: dcgames
I enabled trace on that NIC and captured the attempt at logon with no other traffic on the network. The result is 20 TCP/IP frames, which I captured into here:

http://hdzlan.dcgames.com/cap1.htm

I can't see anything wrong in that..

Dave
Author Comment by: dcgames
Oops. At least I know now what went wrong. There was a clock difference between the two domain controllers when I created the new one. See this log entry, for example:

Event Type:     Error
Event Source:     NtFrs
Computer:     HDZSERVER
Description:
The File Replication Service is unable to replicate from a partner computer because the event time associated with the file to be replicated is too far into the future.  It is 30 minutes greater than the current time.  This can happen if the system time on the partner computer was set incorrectly when the file was created or updated.  To preserve the integrity of the replica set this file update will not be performed or propagated further.
 
The file name is: "scripts"
The connection to the partner computer is:
  "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)\HDZSERVER\\\dc-gateway89.hdzlan.dcgames.com <- \\dc-gateway89.hdzlan.dcgames.com RemoteCxt"

Same message is there for the contents of the "Policies" folder.
 
So the service didn't sync the contents of Policies or Scripts, which meant that the File Replication Service decided to tell NETLOGON that the new service was NOT authorized as a domain controller.

Eventually it gives up and does something "temporary", etc.
See:

http://support.microsoft.com/support/kb/articles/Q250/5/45.ASP

When I copied the sysvol manually, I thought I was fixing it, but I'm not sure if I duplicated it wrong since I have two SYSVOL folders:

C:\WINNT\SYSVOL\
C:\WINNT\SYSVOL\sysvol\

Furthermore, it looks like when it gave up it created a \domain\ folder under the first sysvol (the word domain, not the domain name). This folder has Policies and Scripts.

Now my structure looks like this:

C:\WINNT\SYSVOL\domain\
C:\WINNT\SYSVOL\staging\
C:\WINNT\SYSVOL\staging areas\
C:\WINNT\SYSVOL\sysvol\
C:\WINNT\SYSVOL\sysvol\hdzlan.dcgames.com\

And under the first folder (\domain\) and the last one (\sysvol\hdzlan.dcgames.com\) I have Policies and Scripts.

Now I'm not sure if \domain\ should be deleted and replaced with \hdzlan.dcgames.com\ and the double \sysvol\sysvol\ is in error, or whether they both need to be there.

Per the article, I tried NET STOP NTFRS and NET START NTFRS. Don't know if it makes a difference at this time.

I noticed all this because I am getting these two log entries:

Event Type:     Warning
Event Source:     NtFrs
Computer:     HDZSERVER
Description:
The File Replication Service is having trouble enabling replication from DC-GATEWAY89 to HDZSERVER for c:\winnt\sysvol\domain using the DNS name dc-gateway89.hdzlan.dcgames.com. FRS will keep retrying.

But I turned off the old domain server, so this will never succeed.

Jeez. All because I didn't check that the two domains had the same time and I didn't configure NTP (Network Time Protocol) on either.

Any ideas on how to fix this?

Dave

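The two facts Dave's NtFrs entry turns on, clock skew between the domain controllers and FRS refusing a file whose timestamp lies in the future, can be checked from the new DC. The script below is an added example, not from the original thread: it assumes the ActiveDirectory module (RSAT) and WinRM access to the other DCs, the 5-minute tolerance is an assumption (Kerberos' default maximum clock skew, not a value from the thread), and the NtFrs query only returns anything on DCs that still replicate SYSVOL with FRS. On the thread's network it would be run on HDZSERVER with dc-gateway89 powered on:

```powershell
# Added example: measure clock skew against every other DC and list NtFrs events
# that were refused because the file's timestamp was "too far into the future".
# Assumes RSAT's ActiveDirectory module and WinRM (Invoke-Command) to the other DCs.

function Get-DcClockSkew {
    param(
        [Parameter(Mandatory)][string[]]$DomainController,
        [int]$MaxSkewSeconds = 300     # assumption: Kerberos' default 5-minute tolerance
    )
    foreach ($dc in $DomainController) {
        $t0 = Get-Date
        try {
            $remote = Invoke-Command -ComputerName $dc -ScriptBlock { Get-Date } -ErrorAction Stop
        } catch {
            [pscustomobject]@{ DomainController = $dc; SkewSeconds = $null
                               WithinTolerance = $false; Error = $_.Exception.Message }
            continue
        }
        $t1 = Get-Date
        # Reference the remote clock against the midpoint of the round trip, so
        # WinRM latency is not reported as skew.
        $local = $t0.AddTicks([long](($t1 - $t0).Ticks / 2))
        $skew  = ($remote.ToUniversalTime() - $local.ToUniversalTime()).TotalSeconds
        [pscustomobject]@{
            DomainController = $dc
            SkewSeconds      = [math]::Round($skew, 1)
            WithinTolerance  = [math]::Abs($skew) -le $MaxSkewSeconds
            Error            = $null
        }
    }
}

function Get-FrsFutureTimestampEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Newest = 200)
    # Matches the wording Dave quotes from the File Replication Service log and
    # pulls the file name and replication partner out of the message text.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'File Replication Service'; ProviderName = 'NtFrs'
    } -MaxEvents $Newest -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -like '*too far into the future*' } |
      Select-Object TimeCreated, Id,
        @{ n = 'File';    e = { if ($_.Message -match 'file name is: "([^"]+)"') { $Matches[1] } } },
        @{ n = 'Partner'; e = { if ($_.Message -match '<- \\\\([^\s"]+)') { $Matches[1] } } }
}

$others = (Get-ADDomainController -Filter *).HostName |
          Where-Object { $_.Split('.')[0] -ne $env:COMPUTERNAME }
if ($others) { Get-DcClockSkew -DomainController $others | Format-Table -AutoSize }
Get-FrsFutureTimestampEvents | Format-Table -AutoSize
```

A skew reading outside tolerance points at the same root cause Dave found; `w32tm /monitor` reports the same offsets without needing WinRM, and is the tool to reach for on a DC where remoting is not enabled.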
 
Author Comment by: dcgames
Housenet, I'm sorry for the million posts, I've now verified in

http://support.microsoft.com/support/kb/articles/Q257/3/38.ASP

That indeed "domain" and two sysvols is correct.

But logon still won't work and NTFRS still reports the weird values.

I've checked the settings for NETLOGON in the registry and it says that sysvol is ready (i.e. netlogon doesn't think that sysvol is incomplete, in theory).

Dave
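The layout Dave confirmed from the KB article is the normal one for an FRS-based DC: the replicated tree lives in %SystemRoot%\SYSVOL\domain, and %SystemRoot%\SYSVOL\sysvol\<domain FQDN> is a junction (reparse point) onto it, which is why the same Policies and scripts folders show up under both paths; the SYSVOL and NETLOGON shares are rooted inside the junction side. The function below checks exactly that. It is an added example, not from the thread, and assumes Windows Server 2012 or later for Get-SmbShare and Get-Item's LinkType/Target properties; on a DC already migrated to DFSR the root is SYSVOL_DFSR instead of SYSVOL, which this check does not cover:

```powershell
# Added example: verify the SYSVOL\domain tree, the SYSVOL\sysvol\<domain> junction
# onto it, and that the SYSVOL and NETLOGON shares point inside that tree.
# Assumes Windows Server 2012+ and an FRS-style SYSVOL root (not SYSVOL_DFSR).

function Test-SysvolLayout {
    param([string]$DomainName = $env:USERDNSDOMAIN)   # e.g. hdzlan.dcgames.com

    $root      = Join-Path $env:SystemRoot 'SYSVOL'
    $domainDir = Join-Path $root 'domain'
    $junction  = Join-Path $root "sysvol\$DomainName"

    $link   = Get-Item -LiteralPath $junction -ErrorAction SilentlyContinue
    $target = if ($link -and $link.LinkType) { @($link.Target)[0] } else { $null }

    $sharePath = @{}
    foreach ($name in 'SYSVOL', 'NETLOGON') {
        $s = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
        $sharePath[$name] = if ($s) { $s.Path.TrimEnd('\') } else { $null }
    }

    [pscustomobject]@{
        DomainFolderExists     = Test-Path -LiteralPath $domainDir
        PoliciesPresent        = Test-Path -LiteralPath (Join-Path $domainDir 'Policies')
        ScriptsPresent         = Test-Path -LiteralPath (Join-Path $domainDir 'scripts')
        JunctionType           = if ($link) { $link.LinkType } else { 'missing' }
        JunctionTarget         = $target
        JunctionPointsToDomain = [bool]($target -and ($target.TrimEnd('\') -ieq $domainDir))
        SysvolShareOk          = [bool]($sharePath['SYSVOL']   -and ($sharePath['SYSVOL']   -ieq (Join-Path $root 'sysvol')))
        NetlogonShareOk        = [bool]($sharePath['NETLOGON'] -and ($sharePath['NETLOGON'] -ieq (Join-Path $junction 'scripts')))
    }
}

Test-SysvolLayout | Format-List
```

A `JunctionType` of `missing` or a plain directory instead of `Junction` means the "second copy" really is a separate copy, which is the situation a manual drag-and-drop into the wrong path produces, and the two trees will drift.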
 
Author Comment by: dcgames
Upped the points because it's not clear what to do next.

 
Accepted Solution by: Housenet (earned 200 total points)
- Dave, it sounds like an Active Directory problem that can easily be solved by performing an authoritative Active Directory restore. Do you have a backup of the system state from just before you deleted the scripts folder?

- Let's assume not.
Download the ADChecker. Run the tests and check the advice it offers to overcome the problems. http://www.netiq.com/form/form.asp?id=17

- Also check out these articles:
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=7872

http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=14723
 
Author Comment by: dcgames
Using the troubleshooting tools I figured there was a version difference between the AD version of SYSVOL and the physical version of SYSVOL policies.

After extensive cleanup of anything I could figure out, I found out that WINS was not configured properly on the new server.

Removing and adding WINS back in solved the problem because the Win98 clients could then log in with pre-Win2000 authentication.

Makes me think that the GID for the Win98 computers was mis-matched or something.

So while I'm not sure exactly what finally DID fix the problem, I sure learned a lot about how to debug these things.

Now if I can only remember where I enabled all the logs, so I can turn them off before my hard drive fills up with log entries :)

Thanks Housenet..

Dave
