Force authentication to BDC

Here's a brief breakdown of my network:

Servers - (4) Windows NT 4 w/ all SP's and patches
Workstations - (150) Windows 2000 Pro all patches minus SP4 (hasn't been approved)
Switch - (1) Cisco 5500 w/ no VLAN
Routers - (2) Cisco 3700's

Domain controllers - We have one BDC and three file servers

Scenario - All users were on an old domain, and I have migrated them to a new domain.

Problem - All of my workstations are not authenticating on my local BDC. First I can tell that it's not authenticating simply because my logon script does not run. Secondly, if I do a %logonserver% from the command prompt; it's authenticating on a remote BDC (about 1500 miles away!).

The problem can never be consistently repeated. Sometimes it works, and other times it does not. I've changed my LMHOSTS file to include my BDC and used the #PRE and #DOM commands... I've also messed with some registry changes that use an old-school Win95 technique of creating a "PreferredServer" key.

Does *anyone* have any suggestions on how to force workstations to authenticate to my local BDC? This is causing me headaches like you wouldn't believe. Thanks for any help that you could offer.

From your description, it sounds like you have a remote office within a larger network.   Which is cool.  

The 1st big question is: is your network running AD in mixed mode, and is your NT BDC a leftover from an NT network?

Is WINS running on your local BDC?  

The LMHost lookup might not take precedence over WINS depending upon certain DHCP settings.   Do you use DHCP and do you have access to the SCOPE definitions?

Who is registered as your domain master browser?  (The 1Bh record)  

Authentication is handled through WINS resolution or through LMHosts, as you already know.   But you may need to verify the correctness of the resolution.

Try these articles for starters.
search66Author Commented:
To answer your questions first:

- It *is* a mixed domain.  All of our workstations are 2000 but our servers are still under NT4.  It's a strange situation, but basically we had 3 servers running one domain.  We then migrated to a new domain and received a BDC.  My other DC's really do nothing but file share, run DHCP and WINS.

- WINS is not running on our local BDC, but I do have access to it.

- We are using DHCP, and I have control over it.

- Not to sound ignorant, but I don't know where the master browser record is.  I know there is a registry setting for it, but do I want that for my BDC?

I'll check those articles, but I was hoping that DHCP would fix this.  I recently tried this LMHOSTS entry; and it may or may not work... What do you think? "DOMAIN         \0x1c" #PRE

Of course I used the IP addie of the BDC and DOMAIN was replaced with my domain...
1) By Mixed Domain I meant if you have ANY 2000 Domain Controllers ANYWHERE in the Domain, not just your subnet.  

2)  You mentioned you have other DC's.   What are they (NT or 2K) and where are they located.

3) If WINS is not running on your local BDC, who are your primary and secondary WINS servers?  (Run an IPCONFIG /ALL on the workstation to see the info.)

4) That LMHOSTS file entry is incorrect.   Let's concentrate on WINS first.

The Master Browser record is a WINS table entry.   If you search the WINS table you should see the 1Bh entry.   Who is it?

search66Author Commented:
Mixed domain... Yes.  We do have 2000 DC's in our domain.  Our PDC is a 2000 box.

We do have other DC's, but not really... My BDC is part of the "new" domain.  My other three servers are still on the "old" domain, but still act as file servers and a DHCP and WINS server(s).

Ok, the 1Bh entry lists our old PDC's IP under our old domain.
We need to define a few terms here because I'm getting a little confused.  

First off, I need to establish how many Domains you have.   When your PC signs in, what is in the domain Field.   This is different than subnet or physical location.      

Each Domain must have either a DC with Global catalog server, etc...  for 2000 server, or a PDC for NT Server domains.   If a Domain has both 2000 Domain controllers and NT Domain Controllers it is in Mixed mode.  

Why is this important?   Well, we need to establish where your clients are trying to authenticate and how they are getting there.    With an all-NT shop, the workstations would query WINS and select the closest BDC to authenticate against.   The 1Bh record indicates the browse master.

In an Active Directory, the NT client (with Directory Services loaded) would act differently.

So I guess what I'm saying is, I need a bit more specific information about your setup to help.   List your servers, list your subnets, list your physical locations, list what operating systems you have, do you use WINS or DNS, who serves WINS and/or DNS, do you use DHCP, who is the DHCP server, and can you give me your DHCP options?
search66Author Commented:
Maybe I should have been more specific.  Initially I was on my own domain within the office... this was about 120 users and workstations.  I had three servers: a PDC and 2 BDC's.  

About three weeks ago, I replaced most of these PC's with Dell GX260 footprints... so now I have about 180 workstations.  They all are running Windows 2000 Pro.  During this installation process, I also migrated the users from my old domain into the new domain.  This domain literally has thousands of users and dozens of servers (2000 and NT).

In the interim, I installed a new server for the new domain... its a Dell PowerEdge 2650 (and a BDC for the new domain running NT4).  This is the server I want my users to authenticate on.

My other three servers are still sitting on our old domain.  All of the users are off of that domain, and are on the new domain.  So currently, I have my old PDC and 2 BDC's just sitting in the old domain as file servers (+WINS, DHCP).  In the near future, they will be rebuilt with 2000 and become a member server.  Actually, tomorrow I'm taking one of the BDC's offline and rebuilding it w/ 2000 and make it a TNG Unicenter deployment station.

As far as your other questions go... I'll try to be as specific as possible without breaching security.  ;)

Physical location: My location as well as the servers listed above is in Baltimore.  The PDC is located in Tempe.  Our DNS servers are also housed in Baltimore, but a different shop.  My primary WINS server is located in my shop (and it also used to be my old PDC).  

DHCP options?  Here ya go...

003 Router
006 DNS Servers
044 WINS/NBNS Servers
046 WINS/NBT Node Type

Our DHCP is also on our old PDC...

Hope this helps!  ;)

Does the new domain, the one you just joined have WINS and DNS available?   If so you should speak to the Admin and make your WINS Server a replication partner for the Enterprise WINS.    You should also setup a secondary DNS in your subnet as well.    

Will your domain be a child off of the enterprise domain? I imagine so.    You should get the Admin for the enterprise involved here to help setup the resolution you need.    

If the clients are members of the new domain, they will try to find a 2000 DC to use for authentication.    

Curious,  what is your 046 option set to?  Is it 0x8 for Hybrid?  

search66Author Commented:
Yes.  It does have WINS and DNS.  I spoke to the admin about two weeks back, because WINS kept pointing to our old server... Since then it has been corrected and scavenged.

My old domain will eventually go away... and they will join the new domain as a member server.

And yes it's "0x8".
Well, since you have all 2000 PCs, think about installing a local secondary DNS server.   Once you get a local 2000 DC, your authentication issues should be taken care of.

search66Author Commented:
Right.  I'll see if I'm "allowed" to do that from the big-joes.

I'm still not sure why the image they supplied me with for the BDC was NT4...  Nevertheless, I really appreciate your help and you've given me enough avenues to keep me busy..

Your local 2k's will prompt for a server to authenticate against.    Your enterprise DNS servers are pointing to a DC somewhere else (logically, since you have no 2000 DC on your subnet).

Is your local DNS set as a secondary DNS, and are you getting the zone transfers from the primary zone?

search66Author Commented:
My local 2k wrkstations will prompt for a server?  How?  Where?

And no, I do not have any local DNS servers...

The workstation will receive information from DHCP on WINS and/or DNS.    When a workstation needs to find a domain controller, it will query WINS or DNS for any DCs.   WINS tables and AD DNS keep information on more than just names; they also list browse master, controllers, domains.  Check the full WINS tables for which hex codes belong to which types of records.
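The two threads above that keep coming back are the LMHOSTS syntax (the #PRE / #DOM entries and the quoted "\0x1c" form discussed earlier) and the NetBIOS record types in the WINS table (1Bh, 1Ch, and so on). The following is an added example, not code from the original thread or from Microsoft: a small parser that reads LMHOSTS-style lines, decodes the hex suffix of quoted special names, and lists which addresses a client would be handed for a domain's 1Ch (domain controller) group. It assumes the documented LMHOSTS rules: #PRE preloads the entry into the name cache, #DOM:<domain> marks the address as a domain controller for that domain, and a quoted name carrying a \0xNN suffix must be padded with spaces to exactly 15 characters so that the suffix lands in the 16th byte of the NetBIOS name. The sample file, its hostnames (LOCALBDC, REMOTEDC, FILESRV1), the domain NEWDOM and all addresses are constructed for the illustration.

```python
"""Parse and sanity-check LMHOSTS entries that steer NetBIOS logon resolution.

Added illustration, not code from the original thread.  The sample file at
the bottom is constructed; its names, domain and addresses are made up.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# NetBIOS name suffix (16th byte of the padded name) -> record type.
# These are the hex codes a WINS table or `nbtstat -c` output shows.
NETBIOS_SUFFIX = {
    0x00: "workstation / workgroup name",
    0x03: "messenger service",
    0x1B: "domain master browser (unique)",
    0x1C: "domain controllers (internet group)",
    0x1D: "master browser (unique)",
    0x1E: "browser service elections (group)",
    0x20: "file server service",
}

_LINE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3})\s+("([^"]*)"|\S+)(.*)$')
_SPECIAL = re.compile(r'^(.*?)\\0x([0-9A-Fa-f]{2})$')   # quoted "NAME<pad>\0xNN"


@dataclass
class LmhostsEntry:
    ip: str
    name: str                     # NetBIOS name without padding
    suffix: Optional[int]         # explicit \0xNN suffix, None for a plain entry
    preload: bool = False         # #PRE: loaded into the name cache at boot
    domain: Optional[str] = None  # #DOM:<domain>: treat ip as a DC for <domain>
    problems: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[LmhostsEntry]:
    """Return an entry for an address line; None for blanks, comments, directives."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ip, raw, quoted, rest = m.groups()
    if quoted is not None:
        s = _SPECIAL.match(quoted)
        if s:
            pad, suffix = s.group(1), int(s.group(2), 16)
            e = LmhostsEntry(ip, pad.rstrip(), suffix)
            # The suffix must land in byte 16, so the name is padded to 15 chars.
            if len(pad) != 15:
                e.problems.append(f"name before \\0x{suffix:02x} must be padded to "
                                  f"15 characters, got {len(pad)}")
        else:
            e = LmhostsEntry(ip, quoted.rstrip(), None)
    else:
        e = LmhostsEntry(ip, raw, None)
        if len(raw) > 15:
            e.problems.append("NetBIOS names are at most 15 characters")
    for tok in rest.split():
        if tok == "#PRE":
            e.preload = True
        elif tok.startswith("#DOM:"):
            e.domain = tok[5:].upper()
        elif tok.startswith("#"):
            break                       # any other '#' token begins a comment
        else:
            e.problems.append(f"unexpected token {tok!r}")
    return e


def parse_lmhosts(text: str) -> List[LmhostsEntry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def domain_controllers(entries: List[LmhostsEntry]) -> Dict[str, List[str]]:
    """Addresses a client would try for <DOMAIN><1C>: #DOM entries plus
    well-formed explicit \\0x1c entries, in file order, without duplicates."""
    dcs: Dict[str, List[str]] = {}
    for e in entries:
        doms = [e.domain] if e.domain else []
        if e.suffix == 0x1C and not e.problems:
            doms.append(e.name.upper())
        for dom in doms:
            lst = dcs.setdefault(dom, [])
            if e.ip not in lst:
                lst.append(e.ip)
    return dcs


def describe(e: LmhostsEntry) -> str:
    kind = ("any suffix (plain entry)" if e.suffix is None
            else NETBIOS_SUFFIX.get(e.suffix, "unknown record type"))
    code = "--" if e.suffix is None else f"{e.suffix:02X}"
    flags = (" #PRE" if e.preload else "") + (f" #DOM:{e.domain}" if e.domain else "")
    note = f"  !! {'; '.join(e.problems)}" if e.problems else ""
    return f"{e.ip:<12} {e.name:<15} <{code}> {kind}{flags}{note}"


# Constructed LMHOSTS sample (made-up names and addresses).  Raw string, so
# the \0x1c sequences stay literal instead of becoming Python escapes.
SAMPLE = r"""
# constructed LMHOSTS sample (made-up names and addresses)
10.1.1.5     LOCALBDC     #PRE  #DOM:NEWDOM   # local NT4 BDC, cached at boot
10.9.9.5     REMOTEDC           #DOM:NEWDOM   # distant DC, not preloaded
10.1.1.5     "NEWDOM         \0x1c"  #PRE     # explicit 1Ch entry, 15-char padding
10.1.1.5     "NEWDOM  \0x1c"         #PRE     # mis-padded: suffix lands in byte 9
10.1.1.20    FILESRV1     #PRE
"""

if __name__ == "__main__":
    parsed = parse_lmhosts(SAMPLE)
    for entry in parsed:
        print(describe(entry))
    print("1C candidates:", domain_controllers(parsed))
```

On a workstation the practical check is `nbtstat -R` (purge and reload the cache from LMHOSTS) followed by `nbtstat -c` (show the cache): the #PRE entries should appear there with the suffix you intended, and `nbtstat -c` on the local WINS table or `nbtstat -a <server>` against the BDC shows which <1C> and <1B> records the client actually sees before it picks a logon server.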