
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 223

New DC in Home LAN. Clients can't log in.

I had a network with a single Win2K domain controller that is also the e-mail and web server. In order to replace it, I first installed Win2K Server on the new computer and used the AD wizard to create an "additional DC in an existing network".

It replicated. I transferred the 5 roles to the new DC (but forgot to transfer the Global Catalog).

I shut down the old DC, put a new NIC in the new DC and rebooted, configuring NAT, RRAS, DHCP, DNS, and IIS.

I also checked "global catalog" in the AD settings for the new DC and un-checked it for the old.

I went to log in from a client in the network, and I get an error that either the password is bad or the domain is incorrect.

I brought up the old DC off-line and removed DHCP, RRAS from it. Then I plugged it in.

The two Win2K servers can see each other, browse their respective shared folders, etc.

I noticed some event log errors that led me to find out that the Group Policies could not be opened on the new DC.

If I select "admin tools / Domain Controller Policies" (or group or local policies for that matter), I get an error.

Further digging led me to find that:

%SYSROOT%/SYSVOL/SYSVOL/ didn't replicate. On the old DC there are two directories. One is called "Policies" containing two entries {xxxx} a.k.a {GUID} and another called SCRIPTS I think is empty but was SHARED AS NETLOGON.

According to Microsoft articles, I can create the missing folders and that's that, but the policies are created empty.

I dragged and dropped the two folders from the old system to the new and now my old policies are back in place.

HOWEVER, when I dragged & dropped, it MOVED the files instead of COPYING the files, so it eliminated the "SHARE" setting on SCRIPTS. I have no idea what the "SHARE" settings were. I right-clicked on the SCRIPTS folder and said to share it with the name "NETLOGON".

But I can't log on.

Ping, tracert, browsing, etc., are all working from the clients, I just can't log into the domain.

1 Solution
Hey Dave,
-The Netlogon share is the location of the login scripts.
-Create a folder called scripts in winnt\sysvol\sysvol\DOMAIN.NAME\
-NTFS permissions = Administrators & SYSTEM full control;
Authenticated Users = read, read & execute & list folder contents.
-Share as NETLOGON. Share permissions are Administrators = full control & Everyone = read.

-This should allow you to logon again.

-Read these articles to complete the change over.
dcgamesAuthor Commented:
Hello Housenet. I've made the changes to the permissions and share permissions. I will go check to see if it works, but in the mean time, a question:

The articles you mention deal with "allowing the schema to be edited". I don't understand what this has to do with my situation. Should I change my system to allow schema editing?

dcgamesAuthor Commented:
Didn't work. Says:

"The domain password you supplied is not correct or access to your logon server has been denied".

The old DC (machine name DCGATEWAY89) is off, only the new DC is on (machine name HDZSERVER).


dcgamesAuthor Commented:
I enabled trace on that NIC and captured the attempt at logon with no other traffic on the network. The result is 20 TCP/IP frames, which I captured into here:

I can't see anything wrong in that.

dcgamesAuthor Commented:
Oops. At least I know now what went wrong. There was a clock difference between the two domain controllers when I created the new one. See this log entry, for example:

Event Type:     Error
Event Source:     NtFrs
Computer:     HDZSERVER
The File Replication Service is unable to replicate from a partner computer because the event time associated with the file to be replicated is too far into the future.  It is 30 minutes greater than the current time.  This can happen if the system time on the partner computer was set incorrectly when the file was created or updated.  To preserve the integrity of the replica set this file update will not be performed or propagated further.
The file name is: "scripts"
The connection to the partner computer is:

Same message is there for the contents of the "Policies" folder.
So the service didn't sync the contents of Policies or Scripts, which meant that the File Replication Service decided to tell NETLOGON that the new server was NOT authorized as a domain controller.

Eventually it gives up and does something "temporary", etc.

When I copied the sysvol manually, I thought I was fixing it, but I'm not sure if I duplicated it wrong since I have two SYSVOL folders:

Furthermore, it looks like when it gave up it created a \domain\ folder under the first sysvol (the word domain, not the domain name). This folder has Policies and Scripts.

Now my structure looks like this:

C:\WINNT\SYSVOL\staging areas\

And under the first folder (\domain\) and the last one (\sysvol\\) I have Policies and Scripts.

Now I'm not sure if \domain\ should be deleted and replaced with \\ and the double \sysvol\sysvol\ is in error, or whether they both need to be there.

Per the article, I tried NET STOP NTFRS and NET START NTFRS. Don't know if it makes a difference at this time.

I noticed all this because I am getting these two log entries:

Event Type:     Warning
Event Source:     NtFrs
Computer:     HDZSERVER
The File Replication Service is having trouble enabling replication from DC-GATEWAY89 to HDZSERVER for c:\winnt\sysvol\domain using the DNS name FRS will keep retrying.

But I turned off the old domain server, so this will never succeed.

Jeez. All because I didn't check that the two domains had the same time and I didn't configure NTP (network time protocol) on either.

Any ideas on how to fix this?
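The two things this thread turns on are the NETLOGON share layout and permissions from Housenet's answer and the clock difference between the DCs that made FRS reject the scripts and Policies updates. The following check is an added example, not code from the thread or from Microsoft; it assumes a current Windows Server DC with the SmbShare module and w32tm available, and $Domain and $Partner are placeholders to replace.

```powershell
# Added check (not from the thread): verifies the NETLOGON layout and permissions
# from Housenet's answer and the clock offset that stalled FRS. Assumes a current
# Windows Server DC with the SmbShare module; $Domain and $Partner are placeholders.
$Domain   = 'DOMAIN.NAME'    # placeholder: your DNS domain name
$Partner  = 'PARTNER-DC'     # placeholder: the other DC to compare clocks with
$Expected = Join-Path $env:SystemRoot "SYSVOL\sysvol\$Domain\scripts"
$problems = @()

# 1. NETLOGON must exist and point at ...\sysvol\<domain>\scripts
$share = Get-SmbShare -Name NETLOGON -ErrorAction SilentlyContinue
if (-not $share) { $problems += 'NETLOGON share is missing' }
elseif ($share.Path -ne $Expected) { $problems += "NETLOGON points at '$($share.Path)', expected '$Expected'" }

# 2. Share permissions: Administrators = Full Control, Everyone = Read
if ($share) {
    $acc = Get-SmbShareAccess -Name NETLOGON
    if (-not ($acc | Where-Object { $_.AccountName -like '*\Administrators' -and $_.AccessRight -eq 'Full' })) {
        $problems += 'Share ACL: Administrators lack Full Control'
    }
    if (-not ($acc | Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessRight -eq 'Read' })) {
        $problems += 'Share ACL: Everyone lacks Read'
    }
}

# 3. NTFS permissions: Authenticated Users need Read & Execute (Admins/SYSTEM Full)
if (Test-Path $Expected) {
    $auth = (Get-Acl $Expected).Access | Where-Object {
        $_.IdentityReference -eq 'NT AUTHORITY\Authenticated Users' -and $_.AccessControlType -eq 'Allow'
    }
    if (-not ($auth | Where-Object { $_.FileSystemRights -match 'ReadAndExecute|FullControl' })) {
        $problems += 'NTFS ACL: Authenticated Users lack Read & Execute'
    }
} else { $problems += "Folder '$Expected' does not exist" }

# 4. Clock offset: FRS refuses files stamped too far ahead of local time, so the
#    two DCs must agree before SYSVOL can replicate. w32tm prints "time, +offset s".
$last = w32tm /stripchart /computer:$Partner /samples:1 /dataonly 2>$null | Select-Object -Last 1
if ($last -match ',\s*([+-]?[0-9.]+)s') {
    $offset = [math]::Abs([double]$Matches[1])
    if ($offset -gt 300) { $problems += "Clock differs from $Partner by $offset seconds" }
} else { $problems += "Could not read clock offset from $Partner" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'NETLOGON layout, permissions and clock look healthy' }
```

Run it in an elevated PowerShell on the new DC; a five-minute threshold is used because Kerberos tolerates that much skew by default, well under the 30 minutes the FRS event reports.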


dcgamesAuthor Commented:
Housenet, I'm sorry for the million posts, I've now verified in

That indeed "domain" and two sysvols is correct.

But logon still won't work and NTFRS still reports the weird values.

I've checked the settings for NETLOGON in the registry and it says that sysvol is ready (i.e. netlogon doesn't think that sysvol is incomplete, in theory).

dcgamesAuthor Commented:
Upped the points because it's not clear what to do next.

-Dave, it sounds like an Active Directory problem that can easily be solved by performing an authoritative Active Directory restore. Do you have a backup of the system state from just before you deleted the scripts folder?

-Let's assume not...
Download the ADChecker. Run the tests & check the advice it offers to overcome the problems.

-Also check out these articles.
dcgamesAuthor Commented:
Using the troubleshooting tools I figured there was a version difference between the AD version of SYSVOL and the physical version of SYSVOL policies.

After extensive cleanup of anything I could figure out, I found out that WINS was not configured properly on the new server.

Removing and adding WINS back in solved the problem because the Win98 clients could then log in with pre-Win2000 authentication.

Makes me think that the GID for the Win98 computers was mis-matched or something.

So while I'm not sure exactly what finally DID fix the problem, I sure learned a lot about how to debug these things.

Now if I can only remember where I enabled all the logs, so I can turn them off before my hard drive fills up with log entries :)

Thanks Housenet.
