Solved

New DC in Home LAN. Clients can't log in.

Posted on 2001-06-27
10
214 Views
Last Modified: 2010-04-13
I had a network with a single Win2K domain controller that is also the e-mail and web server. In order to replace it, I first installed Win2k Server on the new computer and used the AD wizard to create an "additional DC in an existing network".

It replicated. I transferred the 5 roles to the new DC (but forgot to transfer the Global Catalog).

I shut down the old DC, put a new NIC in the new DC and rebooted, configuring NAT, RRAS, DHCP, DNS, and IIS.

I also checked "global catalog" in the AD settings for the new DC and un-checked it for the old.

I went to log in from a client in the network, and I get an error that either the password is bad or the domain is incorrect.

I brought up the old DC off-line and removed DHCP, RRAS from it. Then I plugged it in.

The two Win2K servers can see each other, browse their respective shared folders, etc.

I noticed some event log errors that led me to find out that the Group Policies could not be opened on the new DC.

If I select "admin tools / Domain Controller Policies" (or group or local policies for that matter), I get an error.

Further digging led me to find that:

%SYSROOT%/SYSVOL/SYSVOL/ didn't replicate. On the old DC there are two directories. One is called "Policies" containing two entries {xxxx} a.k.a. {GUID}, and another called SCRIPTS, which I think is empty but was SHARED AS NETLOGON.

According to microsoft articles, I can create the missing folders and that's that, but the policies are created empty.

I dragged and dropped the two folders from the old system to the new and now my old policies are back in place.

HOWEVER, when I dragged & dropped, it MOVED the files instead of COPYING them, so it eliminated the "SHARE" setting on SCRIPTS. I have no idea what the "SHARE" settings were. I right-clicked on the SCRIPTS folder and said to share it with the name "NETLOGON".

But I can't log on.

Ping, tracert, browsing, etc., is all working from the clients, I just can't log into the domain.

Dave
0
Comment
Question by:dcgames
10 Comments
 
LVL 12

Expert Comment

by:Housenet
ID: 6233340
Hey Dave,
 -The Netlogon share is the location of the login scripts..
-Create a folder called scripts in winnt\sysvol\sysvol\DOMAIN.NAME\
-NTFS permissions = Administrators & SYSTEM full control
Authenticated Users = read, read & execute & list folder contents.
-Share as NETLOGON .. Share permissions are Administrators = full control & Everyone = read.

-This should allow you to logon again..

-Read these articles to complete the change over..

http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=13393
http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=13390
0
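The steps Housenet lists above, scripted as an added example (this is not code from the thread, and it uses modern Windows Server tooling, icacls and New-SmbShare, which did not exist on the Win2K box in the thread; there the same thing is done with cacls / net share or the Explorer sharing tab). The domain name and SYSVOL root are the ones from the thread; everything else is an assumption.

```powershell
# Added example (not from the original thread): recreate the SYSVOL scripts
# folder with the NTFS and share permissions given above, share it as
# NETLOGON, and verify the result. Assumes a modern Windows Server with
# icacls and the SmbShare cmdlets; adjust $domain for your forest.
$domain  = 'hdzlan.dcgames.com'
$scripts = Join-Path $env:SystemRoot "SYSVOL\sysvol\$domain\scripts"

if (-not (Test-Path $scripts)) {
    New-Item -ItemType Directory -Path $scripts | Out-Null
}

# NTFS: Administrators and SYSTEM full control; Authenticated Users read &
# execute (RX includes list folder contents). /inheritance:r removes the
# inherited ACEs so the folder ends up with exactly this list.
icacls $scripts /inheritance:r `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    /grant 'NT AUTHORITY\Authenticated Users:(OI)(CI)RX' | Out-Null

# Share permissions: Administrators full, Everyone read. Recreate the share
# if an earlier manual attempt left one pointing at the wrong path.
if (Get-SmbShare -Name NETLOGON -ErrorAction SilentlyContinue) {
    Remove-SmbShare -Name NETLOGON -Force
}
New-SmbShare -Name NETLOGON -Path $scripts `
    -FullAccess 'BUILTIN\Administrators' -ReadAccess 'Everyone' | Out-Null

# Verify on the DC: share ACL and NTFS ACL should match the lists above.
Get-SmbShareAccess -Name NETLOGON | Format-Table AccountName, AccessRight
icacls $scripts

# From a client the check is:  net view \\HDZSERVER   and   dir \\HDZSERVER\NETLOGON
```

One caveat a practitioner should keep in mind: on a domain controller the NETLOGON and SYSVOL shares are normally created by the Netlogon service itself, and only once the File Replication Service has marked SYSVOL as ready (the SysvolReady value under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters). Sharing the folder by hand makes the share appear, but it does not fix whatever stopped FRS from getting there on its own, which is exactly the situation this thread turns out to be in.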
 
LVL 5

Author Comment

by:dcgames
ID: 6233698
Hello Housenet. I've made the changes to the permissions and share permissions. I will go check to see if it works, but in the mean time, a question:

The articles you mention deal with "allowing the schema to be edited".  I don't understand what this has to do with my situation. Should I change my system to allow schema editing?  

Dave
0
 
LVL 5

Author Comment

by:dcgames
ID: 6233707
Didn't work. Says:

"The domain password you supplied is not correct or access to your logon server has been denied" .

The old DC (machine name DCGATEWAY89) is off, only the new DC is on (machine name HDZSERVER).

Dave
0
 
LVL 5

Author Comment

by:dcgames
ID: 6233773
I enabled trace on that NIC and captured the attempt at logon with no other traffic on the network. The result
is 20 TCP/IP frames, which I captured into here:

http://hdzlan.dcgames.com/cap1.htm

I can't see anything wrong in that..

Dave
0
 
LVL 5

Author Comment

by:dcgames
ID: 6233814
0
 
LVL 5

Author Comment

by:dcgames
ID: 6233888
Oops. At least I know now what went wrong. There was a clock difference between the two domain controllers when I created the new one. See this log entry, for example:

Event Type:     Error
Event Source:     NtFrs
Computer:     HDZSERVER
Description:
The File Replication Service is unable to replicate from a partner computer because the event time associated with the file to be replicated is too far into the future.  It is 30 minutes greater than the current time.  This can happen if the system time on the partner computer was set incorrectly when the file was created or updated.  To preserve the integrity of the replica set this file update will not be performed or propagated further.
 
The file name is: "scripts"
The connection to the partner computer is:
  "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)\HDZSERVER\\\dc-gateway89.hdzlan.dcgames.com <- \\dc-gateway89.hdzlan.dcgames.com RemoteCxt"

Same message is there for the contents of the "Policies" folder.
 
so the service didn't sync the contents of Policies or Scripts, which meant that the File Replication Service decided to tell NETLOGON that the new service was NOT authorized as a domain controller.

Eventually it gives up and does something "temporary", etc.
See:

http://support.microsoft.com/support/kb/articles/Q250/5/45.ASP

When I copied the sysvol manually, I thought I was fixing it, but I'm not sure if I duplicated it wrong since I have two SYSVOL folders:
C:\WINNT\SYSVOL\
C:\WINNT\SYSVOL\sysvol\

Furthermore, it looks like when it gave up it created a \domain\ folder under the first sysvol (the word domain, not the domain name). This folder has Policies and Scripts.

Now my structure looks like this:

C:\WINNT\SYSVOL\domain\
C:\WINNT\SYSVOL\staging\
C:\WINNT\SYSVOL\staging areas\
C:\WINNT\SYSVOL\sysvol\
C:\WINNT\SYSVOL\sysvol\hdzlan.dcgames.com\

And under the first folder (\domain\) and the last one (\sysvol\hdzlan.dcgames.com\) I have Policies and Scripts.

Now I'm not sure if \domain\ should be deleted and replaced with \hdzlan.dcgames.com\ and the double \sysvol\sysvol\ is in error, or whether they both need to be there.

Per the article, I tried NET STOP NTFRS and NET START NTFRS. Don't know if it makes a difference at this time.

I noticed all this because I am getting these two log entries:

Event Type:     Warning
Event Source:     NtFrs
Computer:     HDZSERVER
Description:
The File Replication Service is having trouble enabling replication from DC-GATEWAY89 to HDZSERVER for c:\winnt\sysvol\domain using the DNS name dc-gateway89.hdzlan.dcgames.com. FRS will keep retrying.

But I turned off the old domain server, so this will never succeed.

Jeez.. All because I didn't check that the two domains had the same time and I didn't configure NTP (network time protocol) on either..

Any ideas on how to fix this?

Dave

0
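The check Dave wishes he had done before running dcpromo, written up as an added example (not code from the thread): measure the clock offset against the replication partner, and pull the FRS events that refused a file because its timestamp was in the future, with the "minutes greater" figure from the message text. It assumes a Windows Server with w32tm and Get-WinEvent, and that FRS writes to the "File Replication Service" event log under the NtFrs source shown in the post; the partner name is the one from the thread.

```powershell
# Added example (not from the original thread): clock-skew check against a
# replication partner plus a summary of FRS "too far into the future" events.
# Assumes w32tm and Get-WinEvent are available; $partner is the thread's old DC.
$partner = 'dc-gateway89.hdzlan.dcgames.com'

# w32tm /stripchart /dataonly prints one "hh:mm:ss, +00.0000000s" line per
# sample; header lines do not match the regex and are ignored.
$samples = w32tm /stripchart /computer:$partner /samples:5 /dataonly 2>&1
$offsets = foreach ($line in $samples) {
    if ($line -match ',\s*([+-]?\d+\.\d+)s') { [double]$Matches[1] }
}

if ($offsets) {
    $skew = ($offsets | Measure-Object -Average).Average
    'Clock offset from {0}: {1:N2} s' -f $partner, $skew
    # Kerberos tolerates 5 minutes by default; FRS refused a file 30 minutes out.
    if ([math]::Abs($skew) -gt 300) {
        'WARNING: skew exceeds the 5-minute Kerberos tolerance; fix time before (re)promoting.'
    }
} else {
    "Could not sample $partner (powered off, unreachable, or NTP blocked)"
}

# FRS events that refused a future-dated file, with the file and the skew
# the service reported, newest first.
Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; ProviderName = 'NtFrs' } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'too far into the future' } |
    ForEach-Object {
        $min  = if ($_.Message -match '(\d+) minutes greater')            { $Matches[1] } else { '?' }
        $file = if ($_.Message -match 'The file name is: "([^"]+)"')       { $Matches[1] } else { '?' }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; File = $file; MinutesAhead = $min }
    } | Format-Table -AutoSize
```

In the thread's state the first half will report that the partner cannot be sampled, because the old DC is off; the point of running it is before promotion, when both machines are up, so that a skew like the 30 minutes in the event above is caught while it is still a one-line fix.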
 
LVL 5

Author Comment

by:dcgames
ID: 6233927
Housenet, I'm sorry for the million posts. I've now verified in

http://support.microsoft.com/support/kb/articles/Q257/3/38.ASP

That indeed "domain" and two sysvols is correct.

But logon still won't work and NTFRS still reports the weird values.

I've checked the settings for NETLOGON in the registry and it says that sysvol is ready (i.e. netlogon doesn't think that sysvol is incomplete, in theory).

Dave
0
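Three things worth verifying on a DC whose SYSVOL was copied by hand, as in this thread, gathered into one added example (not code from the thread): that sysvol\<domain> is the junction onto \domain that KB Q257338 describes rather than a second independent copy, that Netlogon's SysvolReady flag is set, and that every GPO in AD has its folder in SYSVOL with a GPT.INI version matching the AD versionNumber (the comparison gpotool makes). It assumes Windows Server with PowerShell 5 or later (for LinkType on directory objects) and uses the built-in ADSI searcher so no RSAT module is needed; the SYSVOL root and domain name are the thread's.

```powershell
# Added example (not from the original thread): SYSVOL consistency checks for
# a DC after a manual SYSVOL repair. Assumes PowerShell 5+ and a domain-joined
# DC; $domain is the thread's domain.
$sysvolRoot = Join-Path $env:SystemRoot 'SYSVOL'
$domain     = 'hdzlan.dcgames.com'

# 1. Layout: SYSVOL\sysvol\<domain> should be a junction onto SYSVOL\domain.
#    Two separate directories means FRS and NETLOGON are serving different content.
$link = Get-Item (Join-Path $sysvolRoot "sysvol\$domain")
if ($link.LinkType -eq 'Junction') {
    "sysvol\$domain -> $($link.Target)"
} else {
    "WARNING: sysvol\$domain is a plain directory, not a junction to $sysvolRoot\domain"
}

# 2. Netlogon shares SYSVOL and NETLOGON only after FRS sets SysvolReady = 1.
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
"SysvolReady = $($params.SysvolReady)"

# 3. AD side vs. file-system side of each GPO.
$searcher = [adsisearcher]'(objectClass=groupPolicyContainer)'
$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'displayname', 'gpcfilesyspath', 'versionnumber'))

foreach ($r in $searcher.FindAll()) {
    $p     = $r.Properties                       # keys are lower-case
    $guid  = [string]$p['cn'][0]
    $name  = if ($p['displayname'].Count) { [string]$p['displayname'][0] } else { '(no name)' }
    $path  = [string]$p['gpcfilesyspath'][0]
    $adVer = if ($p['versionnumber'].Count) { [int]$p['versionnumber'][0] } else { -1 }

    # GPT.INI holds "[General]" then "Version=<n>"; -1 marks a missing folder/file.
    $gptIni = Join-Path $path 'GPT.INI'
    $fsVer  = -1
    if (Test-Path $gptIni) {
        $m = Select-String -Path $gptIni -Pattern '^Version=(\d+)'
        if ($m) { $fsVer = [int]$m.Matches[0].Groups[1].Value }
    }

    $status = if ($fsVer -lt 0)         { 'MISSING IN SYSVOL' }
              elseif ($fsVer -ne $adVer) { 'VERSION MISMATCH' }
              else                       { 'ok' }
    '{0,-40} {1} AD={2} SYSVOL={3} {4}' -f $name, $guid, $adVer, $fsVer, $status
}
```

A GPO that shows MISSING IN SYSVOL or VERSION MISMATCH here is what produces the "group policies could not be opened" error from the first post: the directory object in AD and the folder under Policies\{GUID} have drifted apart, which is what Dave reports finding later in the thread with the troubleshooting tools.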
 
LVL 5

Author Comment

by:dcgames
ID: 6234984
Upped the points because it's not clear what to do next..

0
 
LVL 12

Accepted Solution

by:
Housenet earned 200 total points
ID: 6236335
-Dave, it sounds like an Active Directory problem that can easily be solved by performing an authoritative Active Directory restore.. Do you have a backup of the system state from just before you deleted the scripts folder?

-Let's assume ..not...
Download the ADChecker... Run the tests & check the advice it offers to overcome the problems.. http://www.netiq.com/form/form.asp?id=17

-Also check out these articles..
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=7872

http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=14723
0
 
LVL 5

Author Comment

by:dcgames
ID: 6245783
Using the troubleshooting tools I figured there was a version difference between the AD version of SYSVOL and the physical version of SYSVOL policies.

After extensive cleanup of anything I could figure out, I found out that WINS was not configured properly on the new server.

Removing and adding WINS back in solved the problem because the Win98 clients could then log in with pre-Win2000 authentication.

Makes me think that the GID for the Win98 computers was mis-matched or something.

So while I'm not sure exactly what finally DID fix the problem, I sure learned a lot about how to debug these things..

Now if I can only remember where I enabled all the logs, so I can turn them off before my hard drive fills up with log entries :)

Thanks Housenet..

Dave
0
