Solved

Force authentication to BDC

Posted on 2003-11-24
Last Modified: 2012-06-22
Here's a brief breakdown of my network:

Servers - (4) Windows NT 4 w/ all SP's and patches
Workstations - (150) Windows 2000 Pro all patches minus SP4 (hasn't been approved)
Switch - (1) Cisco 5500 w/ no VLAN
Routers - (2) Cisco 3700's

Domain controllers - We have one BDC and three file servers

Scenario - All users were on an old domain, and I have migrated them to a new domain.

Problem - All of my workstations are not authenticating on my local BDC. First I can tell that it's not authenticating simply because my logon script does not run. Secondly, if I do a %logonserver% from the command prompt; it's authenticating on a remote BDC (about 1500 miles away!).

The problem can never be consistently repeated. Sometimes it works, and other times it does not. I've changed my LMHOSTS file to include my BDC and used the #PRE and #DOM commands... I've also messed with some registry changes that use an old-school Win95 technique of creating a "PreferredServer" key.

Does *anyone* have any suggestions on how to force workstations to authenticate to my local BDC? This is causing me headaches like you wouldn't believe. Thanks for any help that you could offer.
Question by:search66

13 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 9818132
From your description, it sounds like you have a remote office within a larger network.   Which is cool.  

The 1st big question is: is your network running AD in mixed mode, and is your NT BDC a leftover from an NT network?

Is WINS running on your local BDC?  

The LMHost lookup might not take precedence over WINS depending upon certain DHCP settings.   Do you use DHCP and do you have access to the SCOPE definitions?

Who is registered as your domain master browser?  (The 1Bh record)  

Authentication is handled through WINS resolution or through LMHOSTS, as you already know. But you may need to verify the correctness of the resolution.


Try these articles for starters.
http://support.microsoft.com/?kbid=225130

http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_WINS_add_NetbiosNamesReference.htm
0
 
LVL 1

Author Comment

by:search66
ID: 9818440
To answer your questions first:

- It *is* a mixed domain.  All of our workstations are 2000 but our servers are still under NT4.  It's a strange situation, but basically we had 3 servers running one domain.  We then migrated to a new domain and received a BDC.  My other DC's really do nothing but file share, run DHCP and WINS.

- WINS is not running on our local BDC, but I do have access to it.

- We are using DHCP, and I have control over it.

- Not to sound ignorant, but I don't know where the master browser record is.  I know there is a registry setting for it, but do I want that for my BDC?

I'll check those articles, but I was hoping that DHCP would fix this.  I recently tried this LMHOSTS entry; and it may or may not work... What do you think?

xxx.xxx.xxx.xxx "DOMAIN         \0x1c" #PRE

Of course I used the IP addie of the BDC and DOMAIN was replaced with my domain...
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 9818541
1) By Mixed Domain I meant if you have ANY 2000 Domain Controllers ANYWHERE in the Domain, not just your subnet.  

2)  You mentioned you have other DC's.   What are they (NT or 2K) and where are they located.

3) If WINS is not running on your local BDC, who are your Pri and Sec WINS Servers? (Run an IPCONFIG /ALL on the Workstation to see the info)

4) That LMHOSTS file entry is incorrect. Let's concentrate on WINS first.

The Master Browser record is a WINS table entry.   If you search the WINS table you should see the 1Bh entry.   Who is it?
0
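As an added example (not part of the thread, and not MikeKane's or search66's code), here is a small Python generator and checker for LMHOSTS domain-logon entries. It writes the documented `#PRE #DOM:<domain>` form on the DC's own NetBIOS name and parses entries back, checking the quoted-name rule from LMHOSTS.SAM (the name is padded with spaces to exactly 15 characters before the `\0xNN` suffix byte). The IP 192.0.2.10, the DC name BALTBDC1 and the domain CORP are placeholders.

```python
"""LMHOSTS domain-logon entries: generator and syntax checker.

Added example, not from the thread. IP, DC name and domain are placeholders.
"""
import re

# Quoted-name form from LMHOSTS.SAM: exactly 15 characters (name + space
# padding) inside the quotes, then \0xNN supplying the 16th (suffix) byte.
QUOTED = re.compile(r'^"(?P<body>.{15})\\0x(?P<hex>[0-9A-Fa-f]{2})"$')
ENTRY = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>"[^"]*"|\S+)(?P<rest>.*)$')


def domain_logon_entry(ip, dc_netbios_name, domain):
    """Documented LMHOSTS line for domain validation:
    <ip> <DC name> #PRE #DOM:<domain>.
    #PRE preloads the entry into the name cache; #DOM tags the host as a
    domain controller for <domain> (the 1C group) without hand-writing a suffix."""
    if len(dc_netbios_name) > 15 or len(domain) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    return f"{ip} {dc_netbios_name.upper()} #PRE #DOM:{domain.upper()}"


def parse_lmhosts(text):
    """Parse LMHOSTS text into dicts with ip, name, suffix, pre, dom, problems."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, comment, or keyword-only line
        m = ENTRY.match(line)
        if not m:
            entries.append({"raw": raw, "problems": ["unparseable line"]})
            continue
        rest, problems, suffix = m.group("rest"), [], None
        tok = m.group("name")
        if tok.startswith('"'):
            q = QUOTED.match(tok)
            if q:
                name = q.group("body").rstrip()
                suffix = int(q.group("hex"), 16)
            else:
                name = tok.strip('"').split("\\0x")[0].rstrip()
                problems.append("quoted name must be padded to exactly 15 characters before \\0xNN")
        else:
            name = tok
        if len(name) > 15:
            problems.append("NetBIOS name longer than 15 characters")
        dom_m = re.search(r"#DOM:(\S+)", rest, re.IGNORECASE)
        dom = dom_m.group(1).upper() if dom_m else None
        if suffix == 0x1C and dom is None:
            problems.append("1C suffix written by hand; use #PRE #DOM:<domain> on the DC's own name instead")
        entries.append({
            "ip": m.group("ip"), "name": name.upper(), "suffix": suffix,
            "pre": "#PRE" in rest.upper(), "dom": dom, "problems": problems,
        })
    return entries


def has_domain_logon_entry(entries, domain):
    """True if some entry marks a DC for <domain> in the documented form."""
    return any(e.get("dom") == domain.upper() and e.get("pre") for e in entries)


if __name__ == "__main__":
    sample = "\n".join([
        "# constructed sample file",
        domain_logon_entry("192.0.2.10", "BALTBDC1", "CORP"),
        '192.0.2.10 "' + "CORP".ljust(15) + '\\0x1c" #PRE',   # hand-written 1C
        '192.0.2.10 "CORP \\0x1c" #PRE',                       # bad padding
    ])
    for e in parse_lmhosts(sample):
        print(e)
    print("domain logon entry for CORP:", has_domain_logon_entry(parse_lmhosts(sample), "CORP"))
```

The checker only validates syntax and the documented form; whether the client actually uses the entry still depends on NetBIOS node type and WINS, as the thread goes on to discuss.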
 
LVL 1

Author Comment

by:search66
ID: 9820295
Mixed domain... Yes.  We do have 2000 DC's in our domain.  Our PDC is a 2000 box.

We do have other DC's, but not really... My BDC is part of the "new" domain.  My other three servers are still on the "old" domain, but still act as file servers and a DHCP and WINS server(s).

Ok, the 1Bh entry lists our old PDC's IP under our old domain.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 9820391
We need to define a few terms here because I'm getting a little confused.  

First off, I need to establish how many Domains you have.   When your PC signs in, what is in the domain Field.   This is different than subnet or physical location.      

Each Domain must have either a DC with Global catalog server, etc...  for 2000 server, or a PDC for NT Server domains.   If a Domain has both 2000 Domain controllers and NT Domain Controllers it is in Mixed mode.  

Why is this important? Well, we need to establish where your clients are trying to authenticate and how they are getting there. With an all-NT shop, the Workstations would query WINS and select the closest BDC to authenticate against. The 1Bh record indicates the browse master.

In an Active Directory, the NT client (with Directory Services loaded) would act differently.

So I guess what I'm saying is, I need a bit more specific information about your setup to help. List your servers, list your subnets, list your physical locations, list what operating systems you have, do you use WINS or DNS, who serves WINS and/or DNS, do you use DHCP, who is the DHCP, can you give me your DHCP options.
0
 
LVL 1

Author Comment

by:search66
ID: 9820634
Maybe I should have been more specific.  Initially I was on my own domain within the office... this was about 120 users and workstations.  I had three servers: a PDC and 2 BDC's.  

About three weeks ago, I replaced most of these PC's with Dell GX260 footprints... so now I have about 180 workstations.  They all are running Windows 2000 Pro.  During this installation process, I also migrated the users from my old domain into the new domain.  This domain literally has thousands of users and dozens of servers (2000 and NT).

In the interim, I installed a new server for the new domain... its a Dell PowerEdge 2650 (and a BDC for the new domain running NT4).  This is the server I want my users to authenticate on.

My other three servers are still sitting on our old domain. All of the users are off of that domain, and are on the new domain. So currently, I have my old PDC and 2 BDC's just sitting in the old domain as file servers (+WINS, DHCP). In the near future, they will be rebuilt with 2000 and become member servers. Actually, tomorrow I'm taking one of the BDC's offline, rebuilding it w/ 2000 and making it a TNG Unicenter deployment station.

As far as  your other questions go... I'll try to be as specific as possible without breaching security.  ;)

Physical location: My location as well as the servers listed above is in Baltimore.  The PDC is located in Tempe.  Our DNS servers are also housed in Baltimore, but a different shop.  My primary WINS server is located in my shop (and it also used to be my old PDC).  

DHCP options?  Here ya go...

003 Router
006 DNS Servers
044 WINS/NBNS Servers
046 WINS/NBT Node Type

Our DHCP is also on our old PDC...

Hope this helps!  ;)

0

 
LVL 33

Expert Comment

by:MikeKane
ID: 9820708
Does the new domain, the one you just joined have WINS and DNS available?   If so you should speak to the Admin and make your WINS Server a replication partner for the Enterprise WINS.    You should also setup a secondary DNS in your subnet as well.    

Will your domain be a child off of the enterprise domain? I imagine so.    You should get the Admin for the enterprise involved here to help setup the resolution you need.    

If the clients are members of the new domain, they will try to find a 2000 DC to use for authentication.    

Curious,  what is your 046 option set to?  Is it 0x8 for Hybrid?  

0
 
LVL 1

Author Comment

by:search66
ID: 9820843
Yes.  It does have WINS and DNS.  I spoke to the admin about two weeks back, because WINS kept pointing to our old server... Since then it has been corrected and scavenged.

My old domain will eventually go away... and they will join the new domain as a member server.

And yes it's "0x8".
0
 
LVL 33

Accepted Solution

by:
MikeKane earned 250 total points
ID: 9820904
Well, since you have all 2000 PCs, think about installing a local secondary DNS server. Once you get a local 2000 DC your authentication issues should be taken care of.

0
 
LVL 1

Author Comment

by:search66
ID: 9820926
Right.  I'll see if I'm "allowed" to do that from the big-joes.

I'm still not sure why the image they supplied me with for the BDC was NT4...  Nevertheless, I really appreciate your help and you've given me enough avenues to keep me busy..

Thanks!
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 9820949
Your local 2k's will prompt for a server to authenticate against. Your Enterprise DNS servers are pointing to a DC somewhere else (logically, since you have no 2000 DC on your subnet).


Is your local DNS set as a secondary DNS and are you getting the zone transfers from the Pri zone?    

   
0
 
LVL 1

Author Comment

by:search66
ID: 9824034
My local 2k workstations will prompt for a server?  How?  Where?

And no, I do not have any local DNS servers...
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 9824547

The workstation will receive information from DHCP on WINS and/or DNS. When a workstation needs to find a domain controller, it will query WINS or DNS for any DC's. WINS tables and AD DNS keep information on more than just names; they also list browse master, controllers, domains. Check the full WINS tables for which hex codes belong to which types of records.
0
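The DNS side of what MikeKane describes, as an added example that is not part of the thread: a Windows 2000 client in an AD domain asks DNS for the SRV records the DC locator uses, `_ldap._tcp.<site>._sites.dc._msdcs.<domain>` first when it knows its site, then the domain-wide `_ldap._tcp.dc._msdcs.<domain>`, and picks among the answers by SRV priority and weight (RFC 2782). An NT4 BDC registers nothing in DNS, so a 2000 client with no 2000 DC in its site lands on whichever DC the domain-wide record hands back, which is the "1500 miles away" symptom. The zone data, the domain corp.example and the site and host names below are constructed placeholders; the Python code is mine, not Microsoft's locator.

```python
"""Windows 2000 DC locator over DNS SRV records, simplified.

Added example, not from the thread. Zone data, domain, sites and hosts are constructed.
"""
import random


def locator_query_names(dns_domain, site=None):
    """SRV names the locator asks for, in order. The site-specific record is
    tried first when the client knows its site; the domain-wide record is the
    fallback, and the only query for a client with no site."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{dns_domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{dns_domain}")
    return names


def pick_srv(records, rng=random.random):
    """RFC 2782 selection: lowest priority wins; within that priority, pick
    at random in proportion to weight."""
    if not records:
        return None
    best = min(r["priority"] for r in records)
    pool = [r for r in records if r["priority"] == best]
    total = sum(r["weight"] for r in pool)
    if total == 0:
        return pool[0]
    x = rng() * total
    for r in pool:
        x -= r["weight"]
        if x < 0:
            return r
    return pool[-1]


def locate_dc(zone, dns_domain, site=None, rng=random.random):
    """Return (queried name, DC host) for the first SRV name that answers."""
    for name in locator_query_names(dns_domain, site):
        chosen = pick_srv(zone.get(name, []), rng)
        if chosen:
            return name, chosen["target"]
    return None, None


def register_dc(zone, dns_domain, site, target, priority=0, weight=100):
    """What a 2000 DC's Netlogon does at startup: register itself under the
    domain-wide record and under its own site's record."""
    rec = {"priority": priority, "weight": weight, "port": 389, "target": target}
    for name in locator_query_names(dns_domain, site):
        zone.setdefault(name, []).append(dict(rec))


def build_sample_zone():
    """Constructed zone: 2000 DCs in Tempe and Chicago, none in Baltimore
    (the Baltimore BDC is NT4 and never registers in DNS)."""
    zone = {}
    register_dc(zone, "corp.example", "Tempe", "tempe-dc1.corp.example")
    register_dc(zone, "corp.example", "Chicago", "chicago-dc1.corp.example")
    return zone


if __name__ == "__main__":
    zone = build_sample_zone()
    print("Baltimore client:", locate_dc(zone, "corp.example", site="Baltimore"))
    print("Tempe client:    ", locate_dc(zone, "corp.example", site="Tempe"))
    register_dc(zone, "corp.example", "Baltimore", "balt-dc1.corp.example")
    print("Baltimore client after a local 2000 DC:",
          locate_dc(zone, "corp.example", site="Baltimore"))
```

Run it and the Baltimore client gets a Tempe or Chicago DC until a 2000 DC is registered in the Baltimore site, which is the fix the accepted answer points at. On a real client the equivalent check is `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>` against the DNS servers handed out by DHCP option 006.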
