Solved

BDC > PDC TRANSFER PROBLEMS

Posted on 2004-04-28
10
1,127 Views
Last Modified: 2013-12-28
Hi

We have a Windows NT 4 Domain and have recently transfered over the BDC PDC roles on new machines.  The PDC was working correctly the BDC was rebuilt from scratch.  The PDC and BDC were syncronised and the the BDC was promoted to PDC.  Now errors all appeared well - BDC and PDC could see each other in the respective server managers.  Users could log into the network.

First we knew of a problem is that 2 users cannot reset their respective passwords - checking on the new PDC logs no errors.  Accounts can be created but no looged into - PDC appears to be readonly.... We also disable an account and the user can still log in - although the PDC in its opinion has locked out the account (security log) Help.... as staff are requested to change passwords we will lose them from the domain.

Byron
0
Comment
Question by:BYRONJACKSON
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 4

Assisted Solution

by:averyb
averyb earned 250 total points
ID: 10942155
Tell me exactly how you installed the new domain controller.  Did you change machine name or IP address.

It sounds like you have two different domains, but both have the same name.

Download pstools v2.01 from sysinternals.com.  It has a command line tool called psGetSid.  This will let you compare the SIDS for each domain.  Run it on the PDC and BDC.  Post the results back here.



0
 
LVL 7

Accepted Solution

by:
magus123 earned 250 total points
ID: 10942231
after looking at other posts ,

it seems that sometimes it takes several minutes or hours  for the
bdc or pdc to update properly.

also reading other posts it seems when you add a  service or other
major change in  NT , you must reapply the latest service pack
which is  SP6a. did you have a service pack applied on both the pdc
and bdc when you promoted. having the same service back on both
servers can make a world of difference.

heres where i got it from
http://www.experts-exchange.com/Operating_Systems/WinNT/Q_20936248.html

can synchronization help your problem
maybe settings havent been updated http://seamonkey.ed.asu.edu/~alex/computer/windows/sync.html
0
 

Author Comment

by:BYRONJACKSON
ID: 10943914
OK - Thanks for the above not quite sure what is going on to be honest... In answer to AveryB and Magus123 I had PDC and BDC the BDC was sick so a new server was built and introduced to the network as BDC syncronised OK.  I then (because this machine was higher spec) promoted it via the old PDC and the old PDC was left in situi in its BDC state. Both OS were NT4 SP6a prior to the switch being made and the Sync took place with no errors.  The test users created are replicated however on a log on attempt the user is not known - however the PDC event log shows nothing. Existing users that are disable are able to log in - however the security log shows them as haviing been denied access..

Changes appeared to have carried across and all appeared well on the service. I have checked the usual cfg file recreated and still no joy. Hasve checked te registry secuirty keys set to 3 and 2 for PDC/BDC and master browser for the PDC - TRUE.   I have a little time as my users are currently blissfully unaware of the problem - yet!  I wil get back to you once I have tried the above.

Thanks for the response
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 4

Expert Comment

by:averyb
ID: 10944060
Are you running WINS?

If a WINS server finds out about a name mapping from a replication partner, and that replication partner goes away, then the WINS mapping sticks around.

Look over the WINS database too.
0
 
LVL 16

Expert Comment

by:ahmedbahgat
ID: 10944319
if you promote the old PDC back to PDC, will the problem stay?


cheers
0
 

Author Comment

by:BYRONJACKSON
ID: 10946848
In answer to all we utilise WINS (W2K) the entries for these machines are static and no changes made to IP addressing promotion of the old PDC had the same problem - Still in read only mode.  Again tried to force the issue using the usual registry keys to no avail.

Thanks for the response

Byron
0
 
LVL 16

Expert Comment

by:ahmedbahgat
ID: 10947169
did you have auditing on before you checked the Security Log??,

cheers
0
 

Author Comment

by:BYRONJACKSON
ID: 10947372
Hi auditing was on - one of the strange things is that users already in existance - when disabled are able to log in - however the security log states the account had been locked out.

Byron
0
 
LVL 4

Expert Comment

by:averyb
ID: 10948248
It sounds like they are using cached credentials or the BDC is authenticating them.  The PDC sees the change in security, but the changes aren't getting replicated to the BDC.
0
 

Author Comment

by:BYRONJACKSON
ID: 11003081
I have given points to Averyb and Magus123 as they assisted the most - problems were resolved it appeared that we had somehow corrupted our transfer - we brought up another offline reserve BDC and promoted it against the new box - one we switched roles again all appeared to be well - Thanks to all who contributed.

Byron
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A Bare Metal Image backup allows for the restore of an entire system to a similar or dissimilar hardware. They are highly useful for migrations and disaster recovery. Bare Metal Image backups support Full and Incremental backups. Differential backup…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
As developers, we are not limited to the functions provided by the VBA language. In addition, we can call the functions that are part of the Windows operating system. These functions are part of the Windows API (Application Programming Interface). U…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question