

New DC in Home LAN. Clients can't log in.

Posted on 2001-06-27
Medium Priority
Last Modified: 2010-04-13
I had a network with a single Win2K domain controller that is also the e-mail and web server. In order to replace it, I first installed Win2K Server on the new computer and used the AD wizard to create an "additional DC in an existing network".

It replicated. I transferred the 5 roles to the new DC (but forgot to transfer the Global Catalog).

I shut down the old DC, put a new NIC in the new DC and rebooted, configuring NAT, RRAS, DHCP, DNS, and IIS.

I also checked "global catalog" in the AD settings for the new DC and un-checked it for the old.

I went to log in from a client in the network, and I get an error that either the password is bad or the domain is incorrect.

I brought up the old DC off-line and removed DHCP, RRAS from it. Then I plugged it in.

The two Win2K servers can see each other, browse their respective shared folders, etc.

I noticed some event log errors that led me to find out that the Group Policies could not be opened on the new DC.

If I select "admin tools / Domain Controller Policies" (or group or local policies for that matter), I get an error.

Further digging led me to find that:

%SYSROOT%/SYSVOL/SYSVOL/ didn't replicate. On the old DC there are two directories. One is called "Policies", containing two entries {xxxx} a.k.a. {GUID}, and another called SCRIPTS, which I think is empty but was SHARED AS NETLOGON.

According to Microsoft articles, I can create the missing folders and that's that, but the policies are created empty.

I dragged and dropped the two folders from the old system to the new and now my old policies are back in place.

HOWEVER, when I dragged & dropped, it MOVED the files instead of COPYING them, so it eliminated the "SHARE" setting on SCRIPTS. I have no idea what the "SHARE" settings were. I right-clicked on the SCRIPTS folder and said to share it with the name "NETLOGON".

But I can't log on.

Ping, tracert, browsing, etc., are all working from the clients; I just can't log into the domain.

Question by:dcgames
LVL 12

Expert Comment

ID: 6233340
Hey Dave,
-The Netlogon share is the location of the login scripts..
-Create a folder called scripts in winnt\sysvol\sysvol\DOMAIN.NAME\
-NTFS permissions = Administrators & SYSTEM full control
Authenticated Users = read, read & execute & list folder contents.
-Share as NETLOGON .. Share permissions are Administrators = full control & Everyone = read.

-This should allow you to logon again..

-Read these articles to complete the change over..
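
An added example (not from this thread or from Housenet) that audits a DC's NETLOGON share against the permission set listed in this comment, and flags any principal outside that set who could modify logon scripts, since anything in NETLOGON runs on every client at logon. It assumes the SmbShare cmdlets (Windows 8 / Server 2012 or later) and an elevated session on the DC; `NETLOGON` is the share name from the thread. The NTFS comparison treats "read, read & execute, list folder contents" as the ReadAndExecute flag set.

```powershell
# Added example, not from the thread: audit the NETLOGON share and the folder
# behind it against Housenet's reference permissions. Assumes Get-SmbShare /
# Get-SmbShareAccess (Windows 8 / Server 2012+) and an elevated session on the DC.

# Share-level ACL Housenet specifies: Administrators = Full, Everyone = Read.
$ExpectedShareAccess = @{
    'BUILTIN\Administrators' = 'Full'
    'Everyone'               = 'Read'
}

# NTFS ACL: Administrators and SYSTEM full control; Authenticated Users read,
# read & execute and list folder contents (all contained in ReadAndExecute).
$ExpectedNtfsRights = @{
    'BUILTIN\Administrators'           = [System.Security.AccessControl.FileSystemRights]::FullControl
    'NT AUTHORITY\SYSTEM'              = [System.Security.AccessControl.FileSystemRights]::FullControl
    'NT AUTHORITY\Authenticated Users' = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
}

# Any of these rights lets a principal change logon scripts; nobody outside the
# expected set should hold them.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, ChangePermissions, TakeOwnership, Delete'

function Test-NetlogonShare {
    param([string]$ShareName = 'NETLOGON')
    $findings = @()

    $share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
    if (-not $share) { return @("share '$ShareName' does not exist") }
    if (-not (Test-Path -LiteralPath $share.Path)) {
        return @("share path '$($share.Path)' does not exist on disk")
    }

    # --- share permissions ---
    $shareAces = @(Get-SmbShareAccess -Name $ShareName)
    foreach ($ace in $shareAces) {
        $expected = $ExpectedShareAccess[$ace.AccountName]
        if ($ace.AccessControlType -ne 'Allow') {
            $findings += "share: Deny entry for $($ace.AccountName) (not in the reference configuration)"
        } elseif (-not $expected) {
            $findings += "share: extra grant $($ace.AccountName) = $($ace.AccessRight)"
        } elseif ("$($ace.AccessRight)" -ne $expected) {
            $findings += "share: $($ace.AccountName) has $($ace.AccessRight), expected $expected"
        }
    }
    foreach ($account in $ExpectedShareAccess.Keys) {
        if (-not ($shareAces | Where-Object { $_.AccountName -eq $account })) {
            $findings += "share: missing grant for $account"
        }
    }

    # --- NTFS permissions on the shared folder ---
    # Entries carrying generic rights (shown as large numbers) do not match the
    # flag test below and are reported, so review those by hand.
    $acl = Get-Acl -LiteralPath $share.Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny entries only narrow access
        $id = $ace.IdentityReference.Value
        $expected = $ExpectedNtfsRights[$id]
        if ($expected) {
            # -band: the entry must contain every expected right (it may carry more)
            if (($ace.FileSystemRights -band $expected) -ne $expected) {
                $findings += "ntfs: $id has $($ace.FileSystemRights), expected at least $expected"
            }
        } elseif (($ace.FileSystemRights -band $WriteRights) -ne 0) {
            $findings += "ntfs: $id can modify the scripts folder ($($ace.FileSystemRights))"
        }
    }
    foreach ($account in $ExpectedNtfsRights.Keys) {
        if (-not ($acl.Access | Where-Object { $_.IdentityReference.Value -eq $account })) {
            $findings += "ntfs: missing entry for $account"
        }
    }

    return $findings
}

$result = @(Test-NetlogonShare)
if ($result.Count -eq 0) { 'NETLOGON share and scripts folder match the reference configuration' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

Run it elevated on the DC after recreating the share; an empty result means both the share ACL and the NTFS ACL match the comment above, and every "FINDING" line names the specific entry that differs.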

Author Comment

ID: 6233698
Hello Housenet. I've made the changes to the permissions and share permissions. I will go check to see if it works, but in the meantime, a question:

The articles you mention deal with "allowing the schema to be edited".  I don't understand what this has to do with my situation. Should I change my system to allow schema editing?  


Author Comment

ID: 6233707
Didn't work. Says:

"The domain password you supplied is not correct or access to your logon server has been denied" .

The old DC (machine name DCGATEWAY89) is off, only the new DC is on (machine name HDZSERVER).


Author Comment

ID: 6233773
I enabled trace on that NIC and captured the attempt at logon with no other traffic on the network. The result is 20 TCP/IP frames, which I captured into here:

I can't see anything wrong in that..


Author Comment

ID: 6233814

Author Comment

ID: 6233888
Oops. At least I know now what went wrong. There was a clock difference between the two domain controllers when I created the new one. See this log entry, for example:

Event Type:     Error
Event Source:     NtFrs
Computer:     HDZSERVER
The File Replication Service is unable to replicate from a partner computer because the event time associated with the file to be replicated is too far into the future.  It is 30 minutes greater than the current time.  This can happen if the system time on the partner computer was set incorrectly when the file was created or updated.  To preserve the integrity of the replica set this file update will not be performed or propagated further.
The file name is: "scripts"
The connection to the partner computer is:

The same message is there for the contents of the "Policies" folder.
So the service didn't sync the contents of Policies or Scripts, which meant that the File Replication Service decided to tell NETLOGON that the new service was NOT authorized as a domain controller.

Eventually it gives up and does something "temporary", etc.

When I copied the sysvol manually, I thought I was fixing it, but I'm not sure if I duplicated it wrong since I have two SYSVOL folders:

Furthermore, it looks like when it gave up it created a \domain\ folder under the first sysvol (the word domain, not the domain name). This folder has Policies and Scripts.

Now my structure looks like this:

C:\WINNT\SYSVOL\staging areas\

And under the first folder (\domain\) and the last one (\sysvol\\) I have Policies and Scripts.

Now I'm not sure if \domain\ should be deleted and replaced with \\ and the double \sysvol\sysvol\ is in error, or whether they both need to be there.

Per the article, I tried NET STOP NTFRS and NET START NTFRS. Don't know if it makes a difference at this time.

I noticed all this because I am getting these two log entries:

Event Type:     Warning
Event Source:     NtFrs
Computer:     HDZSERVER
The File Replication Service is having trouble enabling replication from DC-GATEWAY89 to HDZSERVER for c:\winnt\sysvol\domain using the DNS name FRS will keep retrying.

But I turned off the old domain server, so this will never succeed.

Jeez.. All because I didn't check that the two domains had the same time and I didn't configure NTP (network time protocol) on either..

Any ideas on how to fix this?
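
An added example (not from this thread) for the two things this post diagnoses: clock skew between the DCs, and FRS refusing file updates whose timestamps are in the future. Both checks are written as functions that work on captured text, so the block runs offline on constructed data; the live calls at the end are commented out. Assumptions: `w32tm.exe /stripchart` (Windows XP / Server 2003 or later; the Windows 2000 w32tm has different switches), an FRS event log named `File Replication Service` with provider `NtFrs` (DCs that still replicate SYSVOL with FRS), PowerShell 3.0 or later, and the host name `DC-GATEWAY89` from the thread. The 5-minute tolerance is the Kerberos default, so a skew larger than that is worth ruling out whenever domain logons fail with a generic "bad password or logon server" error.

```powershell
# Added example, not from the thread. Assumes w32tm /stripchart (XP/2003+),
# the 'File Replication Service' log with provider 'NtFrs', PowerShell 3.0+.

$PartnerDc      = 'DC-GATEWAY89'   # host name from the thread
$MaxSkewSeconds = 300              # Kerberos default tolerance: 5 minutes

# Parse the offset column of 'w32tm /stripchart /dataonly' output. Sample lines
# look like "12:01:03, +00.0123456s"; the sign follows w32tm's convention, only
# the magnitude matters for this check.
function Get-ClockOffsetSeconds {
    param([string[]]$StripchartLines)
    $samples = foreach ($line in $StripchartLines) {
        if ($line -match ',\s*([+-]?\d+(?:\.\d+)?)s\s*$') { [double]$Matches[1] }
    }
    if ($null -eq $samples) { return $null }     # no samples: host unreachable or output format changed
    return ($samples | Measure-Object -Average).Average
}

function Test-PartnerClock {
    param([string]$Computer = $PartnerDc, [int]$MaxSeconds = $MaxSkewSeconds)
    $raw = & w32tm.exe /stripchart /computer:$Computer /samples:3 /dataonly 2>&1
    $offset = Get-ClockOffsetSeconds -StripchartLines ([string[]]$raw)
    if ($null -eq $offset) { return "could not sample time from $Computer" }
    if ([math]::Abs($offset) -gt $MaxSeconds) {
        return ('clock skew to {0} is {1:N1} s, beyond the {2} s Kerberos tolerance' -f $Computer, $offset, $MaxSeconds)
    }
    return ('clock skew to {0} is {1:N1} s (ok)' -f $Computer, $offset)
}

# Extract the file name and the skew FRS reports from a "too far into the future" event.
function ConvertFrom-FrsFutureTimeMessage {
    param([string]$Message)
    if ($Message -notmatch 'too far into the future') { return $null }
    $minutes = if ($Message -match 'It is (\d+) minutes greater') { [int]$Matches[1] } else { $null }
    $file    = if ($Message -match 'The file name is:\s*"([^"]+)"') { $Matches[1] } else { '' }
    [pscustomobject]@{ File = $file; MinutesAhead = $minutes }
}

# Scan the FRS log for those rejections over the last few days.
function Find-FrsFutureTimeRejections {
    param([int]$Days = 7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'File Replication Service'; ProviderName = 'NtFrs'
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $parsed = ConvertFrom-FrsFutureTimeMessage -Message $e.Message
        if ($parsed) { $parsed | Add-Member -NotePropertyName Time -NotePropertyValue $e.TimeCreated -PassThru }
    }
}

# Offline demonstration on constructed text: the w32tm lines are made up to show a
# 30-minute skew; the FRS message is the one quoted in the post above.
$sampleStripchart = @(
    'Tracking DC-GATEWAY89 [10.0.0.2:123].',
    'The current time is 27/06/2001 21:14:02.',
    '21:14:02, +1800.2345678s',
    '21:14:04, +1800.2301234s',
    '21:14:06, +1800.2290000s'
)
$skew = Get-ClockOffsetSeconds -StripchartLines $sampleStripchart
'constructed sample: partner offset {0:N1} s; exceeds Kerberos tolerance: {1}' -f $skew, ([math]::Abs($skew) -gt $MaxSkewSeconds)

$sampleMessage = 'The File Replication Service is unable to replicate from a partner computer because the event time associated with the file to be replicated is too far into the future.  It is 30 minutes greater than the current time.' + "`r`n" + 'The file name is: "scripts"'
ConvertFrom-FrsFutureTimeMessage -Message $sampleMessage

# Live checks, run on the new DC:
# Test-PartnerClock
# Find-FrsFutureTimeRejections | Format-Table Time, File, MinutesAhead
```

The parsers are kept separate from the commands that gather data so the same logic can be run over a saved stripchart or an exported event log when the partner DC is, as in this post, already switched off.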



Author Comment

ID: 6233927
Housenet, I'm sorry for the million posts, I've now verified in

that indeed "domain" and two sysvols is correct.

But logon still won't work and NTFRS still reports the weird values.

I've checked the settings for NETLOGON in the registry and it says that sysvol is ready (i.e. netlogon doesn't think that sysvol is incomplete, in theory).
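
An added example (not from this thread) that checks the SYSVOL layout the author has just confirmed. On a DC the real replica tree is `%SystemRoot%\SYSVOL\domain`, and `%SystemRoot%\SYSVOL\sysvol\<dns domain>` is a junction onto it, which is why a drag-and-drop between the two behaved like a move; Policies and Scripts should therefore exist once, behind the junction, with NETLOGON served from that tree. The script assumes PowerShell 5.1 on the DC (it exposes `LinkType` and `Target` on junctions), the `Get-SmbShare` cmdlet, a domain name taken from the DC's own environment, and the Netlogon `SysvolReady` registry value the author refers to.

```powershell
# Added example, not from the thread: verify the SYSVOL junction layout, the
# NETLOGON share path and Netlogon's SysvolReady flag. Assumes PowerShell 5.1
# and Get-SmbShare on the DC.

function Test-SysvolLayout {
    param(
        [string]$SysvolRoot = (Join-Path $env:SystemRoot 'SYSVOL'),
        [string]$DomainDns  = $env:USERDNSDOMAIN
    )
    $findings  = @()
    $domainDir = (Join-Path $SysvolRoot 'domain').TrimEnd('\')
    $junction  = Join-Path (Join-Path $SysvolRoot 'sysvol') $DomainDns

    # 1. The real replica tree and its two required subfolders.
    if (-not (Test-Path -LiteralPath $domainDir -PathType Container)) {
        return @("replica tree $domainDir is missing")
    }
    foreach ($sub in 'Policies', 'Scripts') {
        if (-not (Test-Path -LiteralPath (Join-Path $domainDir $sub) -PathType Container)) {
            $findings += "$domainDir\$sub is missing"
        }
    }

    # 2. sysvol\<domain> must be a junction onto SYSVOL\domain, not a separate
    #    directory: files placed in a separate directory never replicate.
    $link = Get-Item -LiteralPath $junction -ErrorAction SilentlyContinue
    if (-not $link) {
        $findings += "$junction is missing"
    } elseif ($link.LinkType -ne 'Junction') {
        $findings += "$junction is a plain directory, not a junction to $domainDir"
    } else {
        $target = ([string](@($link.Target)[0])).TrimEnd('\')
        if ($target -ne $domainDir) {
            $findings += "$junction points at '$target', expected '$domainDir'"
        }
    }

    # 3. NETLOGON must be served out of the replica tree's Scripts folder,
    #    reached either directly or through the junction (-eq is case-insensitive).
    $netlogon = Get-SmbShare -Name 'NETLOGON' -ErrorAction SilentlyContinue
    if (-not $netlogon) {
        $findings += 'NETLOGON share is not present (Netlogon has not published SYSVOL)'
    } else {
        $sharePath = $netlogon.Path.TrimEnd('\')
        $allowed   = @((Join-Path $domainDir 'Scripts'), (Join-Path $junction 'Scripts'))
        if ($allowed -notcontains $sharePath) {
            $findings += "NETLOGON is shared from '$sharePath', expected one of: $($allowed -join ', ')"
        }
    }

    # 4. SysvolReady = 1 means Netlogon considers SYSVOL complete and shares it.
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
    if ($null -eq $params -or $params.SysvolReady -ne 1) {
        $findings += 'Netlogon SysvolReady is not 1'
    }

    return $findings
}

$result = @(Test-SysvolLayout)
if ($result.Count -eq 0) { 'SYSVOL layout looks correct' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

A clean result here rules out the layout as the cause; the author's registry check corresponds to step 4, and the junction test in step 2 is the one that would have caught content copied into a second, unreplicated copy of the tree.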


Author Comment

ID: 6234984
Upped the points because it's not clear what to do next..

LVL 12

Accepted Solution

Housenet earned 800 total points
ID: 6236335
-Dave, it sounds like an Active Directory problem that can easily be solved by performing an authoritative Active Directory restore.. Do you have a backup of the system state from just before you deleted the scripts folder?

-Let's assume not...
Download the ADChecker... Run the tests & check the advice it offers to overcome the problems..

-Also check out these articles..

Author Comment

ID: 6245783
Using the troubleshooting tools I figured there was a version difference between the AD version of SYSVOL and the physical version of SYSVOL policies.

After extensive cleanup of anything I could figure out, I found out that WINS was not configured properly on the new server.

Removing and adding WINS back in solved the problem because the Win98 clients could then log in with pre-Win2000 authentication.

Makes me think that the GID for the Win98 computers was mis-matched or something.

So while I'm not sure exactly what finally DID fix the problem, I sure learned a lot about how to debug these things..

Now if I can only remember where I enabled all the logs, so I can turn them off before my hard drive fills up with log entries :)

Thanks Housenet..

