Solved

NT to Windows 2000 Server Login Issues.

Posted on 2004-08-16
Last Modified: 2012-05-05
We have been in the process of upgrading from NT to Active Directory. Here is the basic rundown of how that was accomplished:

1. Promote BDC to PDC
2. Upgrade new PDC to Windows 2000 Server

Last night I flipped the switch and shut down all NT Domain Controllers, just leaving the one Active Directory Domain Controller running. Made sure that I could log into my W2K Pro machine, and assumed everything was fine.

Come in to the office this morning and all hell is breaking loose. People either can't log in to their Win98 machines or the 2000 Pro users cannot get into their email (Exchange). I turned the NT BDC back on and everything was fine.

Did I miss something in this upgrade? The new 2000 DC is running DNS, WINS & DHCP and everything is configured properly. I can ping and perform lookups against the DC from the workstations having issues. Any ideas? Would these machines still be trying to find the NT DC?
Question by:jeremywatco
37 Comments
 

Author Comment

by:jeremywatco
ID: 11811806
Also, something I noticed. From my W2K Pro machine, if I go into Start > Search > For People.. only address book is available. I cannot search the directory for users. I can search it for printers fine. Just thought that was odd & maybe related.

Expert Comment

by:jdeclue
ID: 11813516
Most of your machines probably used WINS to do a lookup for the BDCs and tried to authenticate against servers that are not there. So a lot of stuff has to be cleaned up. I will get you some more info in a few.

Joel

Expert Comment

by:jdeclue
ID: 11813544
Here is the article you need from Microsoft.

http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookchp2.mspx

Upgrading the PDC to Windows 2000 is the first step. But that does not remove the need for the BDCs. They are still part of your environment. Please review the article.

J

Author Comment

by:jeremywatco
ID: 11813652
Thanks for the response. But I am still pretty confused. I didn't really get anything out of that article. Any specifics that can help me in this situation? What I am trying to do is retire the old BDC completely and switch to native mode with just one DC (will create a secondary DC later).

Also, another odd thing. The NT BDC sometimes cannot contact the 2000 DC, that's odd. If I go into NT server manager about 2/3 of the time it says it cannot locate the Primary DC, and the other 1/3 time it works just fine and I can perform domain wide operations.

Something is really fishy.

Expert Comment

by:jdeclue
ID: 11813677
What were the steps you followed to upgrade your domain? What happened to the original PDC etc.?

J

Author Comment

by:jeremywatco
ID: 11813705
OK, here are the steps I did:

1. brought in a temp server and loaded it as a NT4 BDC & sync'd
2. promoted the temp server to PDC & took old PDC offline as a backup
3. upgraded the temp server to 2000 server
4. did a clean install of 2000 server on a new machine
5. allowed temp 2000 server to replicate with new machine
6. took temp server down
7. brought original pdc back up as a bdc.


Now I am trying to get rid of that original PDC which is now a BDC.

Expert Comment

by:jdeclue
ID: 11813720
When you installed the second 2000 server and let Active Directory synchronize, did you uninstall Active Directory on the first Windows 2000 server before removing it?

Author Comment

by:jeremywatco
ID: 11813729
Yes. I ran DCPromo & made it a member server first so that all the roles and config were transferred over.

Expert Comment

by:jdeclue
ID: 11814178
I would try removing the BDCs, then remove them from DNS and WINS. After that you will need to reboot every computer. If any of your workstations are holding browse lists, etc., they can be telling the machines to go to the BDCs. How many subnets and workstations do you have?


Author Comment

by:jeremywatco
ID: 11814743
Single Subnet.

I will try what you suggested and report back tomorrow.

Author Comment

by:jeremywatco
ID: 11822111
OK... I did the above and that did not fix it. I was however able to resolve the problem with my 2K & XP machines. Their SIDs must have gotten messed up because I re-added them to the domain and they function just fine.

However 98 machines will not authenticate against the 2000 Server. Here is what I did to try and force them to:

Changed DHCP over To Static IP, Static WINS, Static DNS -- Did Nothing
Created LMHOSTS with Domain Info in it -- Did Nothing
Rebooted 100's of times --- Did Nothing

They simply say "No Domain Server was Available to Validate your Password", but I can still browse network resources and gain access, so something is off!

Expert Comment

by:jdeclue
ID: 11822372
Go to one of the Windows 98 machines and open its Network Configuration, from within make sure Microsoft Networking is installed and then add it to a workgroup and reboot, when it comes back, put the Domain back in and reboot again.

Did you rename the domain, or make any changes at all when you installed the Active Directory server.. ?

Author Comment

by:jeremywatco
ID: 11822586
Domain was not renamed.

Went to the 98 machine and made the changes you suggested.. still no luck :(

Expert Comment

by:jdeclue
ID: 11823629
Do you know if there were any changes to the security provider, such as NTLM etc.? And did you make the new server a Native AD DC, or is it still in mixed mode?

In addition, make sure you can ping the new domain controller from the win98 machine by name.

And last but not least, when Windows 98 boots up to the login screen are you getting prompted for a Username,

J

Author Comment

by:jeremywatco
ID: 11823669
No changes have been made, & we are still running in mixed mode.

I can ping fine.. the clients are able to resolve names just fine (which is why I don't understand this issue).

I do get prompted for a username & password & domain.

I tried installing the Active Directory Client... but that didn't do anything for me.

I am thinking of possibly band-aiding this by trying NetBEUI on just these 98 machines... do I need that on the server too? Could that fix this? Any other ideas? I don't get it... the Windows 95 machines can log in just fine.

Expert Comment

by:jdeclue
ID: 11823721
That is odd, win95 but no win98. I am not sure. Is there an option for Netbios over TCP/IP in the TCP/IP settings? Netbeui should not have anything to do with it, but it could be NETBIOS. If it is not checked, please check it and try a reboot.

J

Author Comment

by:jeremywatco
ID: 11823773
Yes.. it's checked.... I am totally confused about this. I just don't get it.. if it was truly a name resolution issue the LMHOSTS file would have cleared it up.. maybe TCP/IP needs a reinstall?

Any other suggestions before I pick up the computers and throw them out the window? :)

Expert Comment

by:jdeclue
ID: 11823934
You didn't create a computer account in the domain for the windows 98 computers did you?

J

Author Comment

by:jeremywatco
ID: 11823952
Actually I tried that with no luck. I guess windows 9X clients do not require computer accounts.

Expert Comment

by:jdeclue
ID: 11823976
There should not be any computer accounts with those names. They don't have SIDs for the computers, so having anything in the AD with their computer name will prevent them from logging onto the domain.

J

Author Comment

by:jeremywatco
ID: 11824055
I tried them out briefly and deleted them right after that. This was after I was already having the issue.

Expert Comment

by:jdeclue
ID: 11824078
OK... figured as much... I will have to think more about this... I am wondering why no one else has responded... I will also see if I can get some more brains on this.

J

Author Comment

by:jeremywatco
ID: 11842258
OK.. I fixed the login problem but now have another related issue....

The login issue was because someone had originally set up this new server with multihoming NICs on the same subnet :( wish I would have checked that first.

Now the issue I am having is that all these 98 clients are having Outlook issues (Exchange 2000) when they are authenticated to Active Directory. It seems that Outlook will freeze for about 30 seconds and then resume what it's doing, then lock up, then resume, etc. When I power the NT BDC back up again everything works fine... very odd indeed.

Expert Comment

by:jdeclue
ID: 11842412
You are having a rough time. You disabled the other NIC, right? Or did you put it in another subnet? This is important.


Author Comment

by:jeremywatco
ID: 11842431
I actually Teamed them both for load balancing.

Expert Comment

by:jdeclue
ID: 11842477
OK. You need to go through WINS and DNS, and try to find all entries relating to the Domain and this server and make sure everything is set to the proper address. Additionally, if you Teamed them for load balancing (not fault-tolerance), then your switch must support load balancing and it must be configured for it. If it is not you will have many problems with the teaming configuration. Because of these issues most people run them in failover mode.

J

Author Comment

by:jeremywatco
ID: 11843303
Actually this machine is set up to do transmit load balancing which does not rely on the switch, so that is not the issue.

Also, I reviewed all entries in DNS & WINS, and they are all accurate... I wonder why Outlook would hang.

Expert Comment

by:jdeclue
ID: 11843398
OK... sit down on one of those machines and do a "ping -t exchangeservername", wait a while and hit Ctrl-C. Are you getting 100% response? This is odd.

J

Author Comment

by:jeremywatco
ID: 11845533
Good idea.. however.. no such luck.. 100% response.. sending an email locks Outlook up for about 25 seconds or so.. then it goes out fine.. if I fire up the old server then everything works perfect... strange that this is affecting Outlook now.. Exchange is a different server from the DC and we have never had issues with it.. so it must be some sort of auth issue.

Expert Comment

by:jdeclue
ID: 11846007
The Exchange 2000 server is on a Windows 2000 member server, that was a member of the NT domain and is now a member of the new AD domain, right?


Author Comment

by:jeremywatco
ID: 11846520
It's Exchange 2000 and depends on AD, it was never a part of the NT domain. The old 5.5 server that we upgraded was.. but that has been decommissioned for some time now.

Expert Comment

by:jdeclue
ID: 11846545
So the Exchange 2000 server, is brand new, you just set it up, after you upgraded the PDC to AD?

J

Author Comment

by:jeremywatco
ID: 11846551
Yeah.. then I moved all the mailboxes from the old 5.5 server to the 2000 server.... so it is new.

Expert Comment

by:jdeclue
ID: 11846576
OK... You probably have a known issue, regarding the Address book, Outlook and moving the mailboxes. It has to do with the Personal Address Book. It can happen to any user, but it usually occurs when you send email to someone that is not in the Exchange System. Could this be the issue? If it is I could probably track down the KB.

J

Author Comment

by:jeremywatco
ID: 11846596
Well.. the only thing is, that this Exchange 2000 Server has been operating for about 2 months now. So all the clients have been connecting to this for email for a while without issue. It is only when I shut down the old PDC (no longer running Exchange) that I run into issue. So I don't think it has to do directly with moving the mailboxes since this just came up recently and resolves itself whenever I boot the old PDC back up.. make any sense or am I just rambling on (long day, need food) :)

Accepted Solution

by:
jdeclue earned 500 total points
ID: 11846627
Hmm... OK... I need to leave the office and go home now, so I will think about it... see ya tomorrow, good luck!

J

Author Comment

by:jeremywatco
ID: 11855316
Well.. I recreated the Outlook profiles and so far so good.

Thanks for the help.. I raised the points to 500, wish I could go higher because you were a great help.
Thanks again