Solved

No Authentication between PDC and BDC after Domain GPO edit.

Posted on 2004-09-28
764 Views
Last Modified: 2012-05-05
PDC = Windows Server 2003 Enterprise
BDC = Windows Advanced Server 2000

After reviewing an EE posting I performed an edit on my domain GPO ( to solve some Event Log errors) and changed the following settings.
Computer Configurations\Windows Security\Security Settings\Local Policies\Security Options
              Digitally sign client communication (always)
              Digitally sign client communication (when possible)
              Digitally sign server communication (always)
              Digitally sign server communication (when possible)
I changed all of them from "not defined" to "disabled"
I performed the edit from the BDC.  After a secedit refresh and a reboot, I no longer have communications between the PDC and the BDC.
I then went to the PDC and edited the domain GPO and set those same settings from "disabled" to "not defined" and rebooted.
That not only failed to help, but I found I was no longer able to edit domain GPO from either dc.
When I click on the Group Policy tab under the domain properties I get the following error...
"The domain controller for Group Policy operations is not available.  You may cancel this operation for this session or retry one of the following domain controller choices:"
"The one with the Operations Master token for this PDC emulator"
"The one used by the Active Directory Snap-ins"
"Use any available domain controller"
Any of the above options will get me an access denied error.  
I have confirmed my PDC is listed under Operations Master.
I have checked relevant permissions under Adsiedit and all is in order there.

I should add that I can ping the dc's from each other.  I also have all access on the LAN except between the two dc's.

I have run out of ideas and this is a critical week for these two servers.  
I will have to leave the office about 5p EST 10/28 but will monitor answers and try to implement solutions remotely, so if I don't seem to answer, please be patient.  I will be posting by morning.  Thanks for all your help.
NV
Question by:NoahVail
11 Comments
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 12173656
There is NO such thing as a PDC or BDC in any 2000/2003 domain; these are NT 4.0 terms.  In 2000/2003 all DCs are equal. True, they can hold the PDC emulator FSMO role, but this is only for backward compatibility if you have any NT 4.0 DCs on your network.


forget whatever you read in a different article here on EE.... what is your INITIAL problem with your 2000/2003 DCs.. i believe you may have been barking up the wrong tree by doing whatever you have done already and possibly caused more problems rather than solve them.

What makes you think you have authentication problems between the DCs???



 

Author Comment

by:NoahVail
ID: 12173775
Any time I try to access anything (shares, accounts, whatever...) I am prompted for a user name and password which fails to authenticate.  
I have been trying to puzzle where the domain GPO is being held since I am denied access to it from both dc's.  Can I locate it and take ownership of it?
Thanks.
NV
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 12173853
Can you elaborate on what exactly you are doing?

are you trying to access the shares/accounts from a client or server or what?
can whichever machine you are on even ping a domain controller?

i would start by removing one client from the domain and then re-add it back to the domain.

Also... DNS is a likely cause of this issue. If DNS isn't set up correctly, Active Directory will not work right at all, mainly because the clients can't find any of the DCs or resources.  So check your DNS configuration.
 

Author Comment

by:NoahVail
ID: 12174019
Everything was fine until I performed those domain GPO edits.  From either machine I can go anywhere on the LAN.  I can browse shares, access admin$ and IPC$, execute files, remotely administer, you name it.  Likewise all my clients can access either server just fine.  But neither server can access the other.  The Windows Server 2003 system is the DNS and is serving the LAN without a problem, except for the Win2k server, which cannot see it.
All of my problems began the moment I performed the edit on the domain GPO.  I do not know how to undo what I did.
Thanks for the replies.
NV
 
LVL 10

Expert Comment

by:BloodRed
ID: 12175891
I suspect one of the two systems has a policy being enforced requiring the digital signing of server communication, while the other does not.  That would prevent the two systems from communicating with each other as you mention, but they'd still be able to ping one another.  Check the local policies on each box and do an RSoP, then compare the results.

I don't believe I'd remove a DC from the domain as a first step, this is probably a simple misconfiguration issue.  Is the GPO you edited the Default Domain Policy, Default Domain Controller Policy, or one you created?  If it is one of the default policies and you still can't access it, check the permissions of the GPT in SYSVOL.  If all else fails, you can download and run the DCGPOFIX.exe from Microsoft, it will re-create your default domain policies.  You did back up the settings, right??  ;)

-BR
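The mismatch BloodRed describes can be checked directly rather than by eyeballing two RSoP reports. The following is an added PowerShell example, not code from the original thread: it reads the registry values behind the four "Digitally sign ... communication" settings from two domain controllers over the Remote Registry service and evaluates, in each direction, whether an SMB session can be negotiated. SMB signing negotiation fails only when one side requires signing and the other side has it disabled outright, which is exactly what setting all four policies to "disabled" on one DC produces against a DC whose Default Domain Controllers Policy still requires server-side signing (Windows Server 2003 enables "Digitally sign communications (always)" for the server there by default). The computer names DC2003 and DC2000 are assumptions; replace them with your own.

```powershell
# Added example (not from the original thread): compare the effective SMB signing
# settings of two domain controllers and report whether an SMB session can be
# negotiated in each direction.  Computer names below are assumptions.
# The registry values are the ones the listed GPO settings write:
#   client side -> HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
#   server side -> HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
#   EnableSecuritySignature = "when possible", RequireSecuritySignature = "always"

function Get-SmbSigningState {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    $base = 'SYSTEM\CurrentControlSet\Services'
    # Needs the Remote Registry service running on the target (default on 2000/2003).
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $ws  = $hklm.OpenSubKey("$base\LanmanWorkstation\Parameters")
        $srv = $hklm.OpenSubKey("$base\LanmanServer\Parameters")
        # Fallback values are the out-of-box defaults when the value is absent.
        [pscustomobject]@{
            Computer      = $ComputerName
            ClientEnable  = [int]$ws.GetValue('EnableSecuritySignature', 1)
            ClientRequire = [int]$ws.GetValue('RequireSecuritySignature', 0)
            ServerEnable  = [int]$srv.GetValue('EnableSecuritySignature', 0)
            ServerRequire = [int]$srv.GetValue('RequireSecuritySignature', 0)
        }
    } finally { $hklm.Close() }
}

# SMB signing negotiation rule: the session fails only when one side requires
# signing and the other side has it fully disabled (Enable=0 and Require=0).
# "Require" implies "Enable", so Require=1 never counts as disabled.
function Test-SmbSigningNegotiation {
    param($Client, $Server)   # objects returned by Get-SmbSigningState
    $clientOff = ($Client.ClientEnable -eq 0 -and $Client.ClientRequire -eq 0)
    $serverOff = ($Server.ServerEnable -eq 0 -and $Server.ServerRequire -eq 0)
    if ($Server.ServerRequire -eq 1 -and $clientOff) {
        return 'FAIL: server requires signing, client has it disabled'
    }
    if ($Client.ClientRequire -eq 1 -and $serverOff) {
        return 'FAIL: client requires signing, server has it disabled'
    }
    if ($Client.ClientRequire -eq 1 -or $Server.ServerRequire -eq 1 -or
        ($Client.ClientEnable -eq 1 -and $Server.ServerEnable -eq 1)) {
        return 'OK: session will be signed'
    }
    return 'OK: session will be unsigned'
}

# Assumed DC names; the 2003 DC and the 2000 DC from the question.
$dcs = 'DC2003', 'DC2000' | ForEach-Object { Get-SmbSigningState -ComputerName $_ }
$dcs | Format-Table -AutoSize

# Evaluate both directions: each DC as SMB client against the other as SMB server.
foreach ($a in $dcs) {
    foreach ($b in $dcs) {
        if ($a.Computer -ne $b.Computer) {
            '{0} -> {1}: {2}' -f $a.Computer, $b.Computer,
                (Test-SmbSigningNegotiation -Client $a -Server $b)
        }
    }
}
```

Run it from either DC as a domain administrator. A "FAIL" line in either direction identifies which side needs its "(always)" policy relaxed or its "when possible" policy re-enabled; a mismatch that only appears in one direction explains why one DC can still reach the other while the reverse is denied.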
 

Author Comment

by:NoahVail
ID: 12176184
It's the Default Domain Policy.  I'm not worried about settings at this point.  I gave myself full permissions on everything under the domain name in the SYSVOL folder.  I had already run dcgpofix on the 2003 server and it returned an access denied error, citing a permissions problem on a file that did not exist.  The error is....

Unable to open the GPO due to access denied.  Verify that permissions on the file system path C:\WINDOWS\SYSVOL\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol and the active directory path LDAP://server.domainname.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com are sufficient to modify the GPO.
Access is denied.
Warning: This tool was unable to re-create the EFS Certificates in the Default Domain Policy GPO
Access is denied.
The restore failed.  See previous messages for more details

I'm pretty stumped here.
Thanks for all the input.
NV
 
LVL 10

Expert Comment

by:BloodRed
ID: 12186396
Have you manually verified the permissions on the two objects in that error message?

-BR
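As an added example (not from the thread), the PowerShell below lists the ACLs on the two halves of the Default Domain Policy named in the dcgpofix error, the Group Policy Template (GPT) folder under SYSVOL and the Group Policy Container (GPC) object under CN=Policies,CN=System in AD, and flags trustees that are expected to hold write access on both. The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} is the well-known GUID of the Default Domain Policy, exactly as quoted in the error; the domain name, distinguished name and server name are carried over from the placeholders in the error text and are assumptions, not real values.

```powershell
# Added example (not from the original thread): dump and sanity-check the ACLs
# on the GPT (SYSVOL folder) and the GPC (AD object) of the Default Domain Policy,
# the two paths dcgpofix reports as "access denied".
# Domain, DN and DC names are assumptions taken from the error's placeholders.

$gpoGuid   = '{31B2F340-016D-11D2-945F-00C04FB984F9}'   # well-known Default Domain Policy GUID
$domainDns = 'domainname.com'                            # assumed
$domainDn  = 'DC=domainname,DC=com'                      # assumed
$dc        = 'server.domainname.com'                     # assumed

$gptPath = "\\$dc\SYSVOL\$domainDns\Policies\$gpoGuid"
$gpcPath = "LDAP://$dc/CN=$gpoGuid,CN=Policies,CN=System,$domainDn"

# Trustees that normally hold write rights on both halves of a default GPO.
$required = 'NT AUTHORITY\SYSTEM', 'Domain Admins', 'Enterprise Admins'

function Get-GptRights {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object @{n='Trustee'; e={ $_.IdentityReference.Value }},
                      @{n='Rights';  e={ $_.FileSystemRights.ToString() }},
                      @{n='Type';    e={ $_.AccessControlType }}
}

function Get-GpcRights {
    param([string]$LdapPath)
    $obj = [ADSI]$LdapPath
    # Explicit + inherited rules, identities rendered as DOMAIN\Name.
    $obj.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object @{n='Trustee'; e={ $_.IdentityReference.Value }},
                      @{n='Rights';  e={ $_.ActiveDirectoryRights.ToString() }},
                      @{n='Type';    e={ $_.AccessControlType }}
}

# Report any required trustee that has no Allow entry carrying write rights.
# On the GPT that is FullControl; on the GPC Domain Admins normally hold
# WriteProperty (plus others) rather than GenericAll, so accept either.
function Test-RequiredTrustees {
    param($Rights, [string]$Label)
    foreach ($t in $required) {
        $hit = $Rights | Where-Object {
            $_.Trustee -like "*$t" -and $_.Type -eq 'Allow' -and
            $_.Rights -match 'FullControl|GenericAll|WriteProperty'
        }
        if (-not $hit) { 'MISSING on {0}: {1} has no Allow entry with write rights' -f $Label, $t }
    }
    $Rights | Where-Object { $_.Type -eq 'Deny' } | ForEach-Object {
        'DENY on {0}: {1} ({2})' -f $Label, $_.Trustee, $_.Rights
    }
}

$gpt = Get-GptRights -Path $gptPath
$gpc = Get-GpcRights -LdapPath $gpcPath

"--- GPT: $gptPath"; $gpt | Format-Table -AutoSize
"--- GPC: $gpcPath"; $gpc | Format-Table -AutoSize
Test-RequiredTrustees -Rights $gpt -Label 'GPT'
Test-RequiredTrustees -Rights $gpc -Label 'GPC'

# Whether the file the error names is actually present under the GPT.
'Registry.pol present: {0}' -f (Test-Path -Path "$gptPath\MACHINE\Registry.pol")
```

Run it as a domain administrator on the 2003 DC. A Deny entry or a missing trustee on either half points at the object that is producing the "access denied"; if both halves look correct and the LDAP bind itself fails, the problem is in authenticating to the DC rather than in the GPO permissions, which is consistent with the SMB signing mismatch discussed earlier in the thread.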
 

Author Comment

by:NoahVail
ID: 12188766
Registry.pol doesn't exist at the path given.  

CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com doesn't show any restrictions, that is, if I'm looking in the right place in the ADSI editor.

Thanks.
NV
 

Author Comment

by:NoahVail
ID: 12328550
I've given up and reformatted the servers.  No one seems to know what to do for this.  As per Microsoft's Tech Support, I created another domain controller and used contents from that SYSVOL folder on the affected systems, however, that had no effect.

I'm requesting a close to this question.  I appreciate the efforts, but even Microsoft doesn't know what to do with this.

NV
 

Accepted Solution

by:
ee_ai_construct earned 0 total points
ID: 12360701
Question answered by asker or dialog valuable.
Closed, 500 points refunded.
ee_ai_construct (replacement part #xm34)
Community Support Admin
