No Authentication between PDC and BDC after Domain GPO edit.

Posted on 2004-09-28
Last Modified: 2012-05-05
PDC = Windows Server 2003 Enterprise
BDC = Windows Advanced Server 2000

After reviewing an EE posting I performed an edit on my domain GPO ( to solve some Event Log errors) and changed the following settings.
Computer Configurations\Windows Security\Security Settings\Local Policies\Security Options
              Digitally sign client communication (always)
              Digitally sign client communication (when possible)
              Digitally sign server communication (always)
              Digitally sign server communication (when possible)
I changed all of them from "not defined" to "disabled"
I performed the edit from the BDC.  After a secedit refresh and a reboot, I no longer have communications between the PDC and the BDC.
I then went to the PDC and edited the domain GPO and set those same settings from "disabled" to "not defined" and rebooted.
That not only failed to help, but I found I was no longer able to edit domain GPO from either DC.
When I click on the Group Policy tab under the domain properties I get the following error...
"The domain controller for Group Policy operations is not available.  You may cancel this operation for this session or retry one of the following domain controller choices:"
"The one with the Operations Master token for this PDC emulator"
"The one used by the Active Directory Snap-ins"
"Use any available domain controller"
Any of the above options will get me an access denied error.  
I have confirmed my PDC is listed under Operations Master.
I have checked relevant permissions under Adsiedit and all is in order there.

I should add that I can ping the dc's from each other.  I also have all access on the LAN except between the two dc's.

I have run out of ideas and this is a critical week for these two servers.  
I will have to leave the office about 5p EST 10/28 but will monitor answers and try to implement solutions remotely, so if I don't seem to answer, please be patient.  I will be posting by morning.  Thanks for all your help.
NV
Question by:NoahVail

Expert Comment

by:mikeleebrla
ID: 12173656
there is NO such thing as a PDC or BDC in any 2000/2003 domain... these are NT 4.0 terms.  In 2000/2003 all DCs are equal. True they can hold the PDC emulator FSMO role, but this is only for backward compatibility if you have any NT4.0 DCs on your network.


forget whatever you read in a different article here on EE.... what is your INITIAL problem with your 2000/2003 DCs.. i believe you may have been barking up the wrong tree by doing whatever you have done already and possibly caused more problems rather than solve them.

What makes you think you have authentication problems between the DCs???

Author Comment

by:NoahVail
ID: 12173775
Any time I try to access anything (shares, accounts, whatever...) I am prompted for a user name and password which fails to authenticate.  
I have been trying to puzzle where the domain GPO is being held since I am denied access to it from both dc's.  Can I locate it and take ownership of it?
Thanks.
NV

Expert Comment

by:mikeleebrla
ID: 12173853
can you elaborate on what exactly you are doing???

are you trying to access the shares/accounts from a client or server or what?
can whichever machine you are on even ping a domain controller?

i would start by removing one client from the domain and then re-add it back to the domain.

also... DNS is a likely cause of this issue... if DNS isn't set up correctly Active Directory will not work right at all. mainly b/c the clients can't find any of the DCs or resources.  So check your DNS configuration.

Author Comment

by:NoahVail
ID: 12174019
Everything was fine until I performed those domain GPO edits.  From either machine I can go anywhere on the LAN.  I can browse shares, access admin$ and IPC$, execute files, remotely administer, you name it.  Likewise all my clients can access either server just fine.  But neither server can access the other.  The Windows Server 2003 system is the DNS and is serving the LAN without a problem, except for the Win2k server, which cannot see it.
All of my problems began the moment I performed the edit on the domain GPO.  I do not know how to undo what I did.
Thanks for the replies.
NV

Expert Comment

by:BloodRed
ID: 12175891
I suspect one of the two systems has a policy being enforced requiring the digital signing of server communication, while the other does not.  That would prevent the two systems from communicating with each other as you mention, but they'd still be able to ping one another.  Check the local policies on each box and do a RSoP, then compare the results.  

I don't believe I'd remove a DC from the domain as a first step, this is probably a simple misconfiguration issue.  Is the GPO you edited the Default Domain Policy, Default Domain Controller Policy, or one you created?  If it is one of the default policies and you still can't access it, check the permissions of the GPT in SYSVOL.  If all else fails, you can download and run the DCGPOFIX.exe from Microsoft, it will re-create your default domain policies.  You did back up the settings, right??  ;)

-BR
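As an added illustration of the mismatch BloodRed describes (this is not code from the thread): the four policies the asker changed set the RequireSecuritySignature and EnableSecuritySignature values under the LanmanWorkstation and LanmanServer Parameters keys, and the Python below applies Microsoft's SMB signing negotiation matrix to two DCs' effective settings. The before/after scenario is an assumption: the Default Domain Controllers Policy keeps server signing required on both DCs while the domain-level edit disables client signing on both.

```python
"""Model SMB signing negotiation between two DCs from their policy settings.

Constructed example; the scenario values are assumptions, not data from the thread.
"""

# Policy names as listed in the question, mapped to the side they govern and the
# registry value they set under
# HKLM\SYSTEM\CurrentControlSet\Services\Lanman{Workstation,Server}\Parameters.
POLICY_TO_REGISTRY = {
    "Digitally sign client communication (always)": ("client", "RequireSecuritySignature"),
    "Digitally sign client communication (when possible)": ("client", "EnableSecuritySignature"),
    "Digitally sign server communication (always)": ("server", "RequireSecuritySignature"),
    "Digitally sign server communication (when possible)": ("server", "EnableSecuritySignature"),
}

def effective_state(require, enable):
    """Collapse the two flags into the three signing states; Require wins."""
    return "required" if require else ("enabled" if enable else "disabled")

def session(client_state, server_state):
    """Outcome of one SMB session setup per Microsoft's signing matrix."""
    if "required" in (client_state, server_state):
        return "fail" if "disabled" in (client_state, server_state) else "signed"
    if client_state == "enabled" and server_state == "enabled":
        return "signed"
    return "unsigned"

def host_states(settings):
    """settings: {policy name: 0 or 1}. Returns the effective client/server states."""
    flags = {"client": {}, "server": {}}
    for policy, value in settings.items():
        side, reg = POLICY_TO_REGISTRY[policy]
        flags[side][reg] = value
    return {side: effective_state(f.get("RequireSecuritySignature", 0),
                                  f.get("EnableSecuritySignature", 0))
            for side, f in flags.items()}

def check_pair(a_name, a, b_name, b):
    """Evaluate both directions: A as client to B's server, and the reverse."""
    sa, sb = host_states(a), host_states(b)
    return {f"{a_name} -> {b_name}": session(sa["client"], sb["server"]),
            f"{b_name} -> {a_name}": session(sb["client"], sa["server"])}

# Assumed DC baseline: server signing required (DC policy), client signing when possible.
DC_BEFORE = {"Digitally sign server communication (always)": 1,
             "Digitally sign server communication (when possible)": 1,
             "Digitally sign client communication (always)": 0,
             "Digitally sign client communication (when possible)": 1}
# After the domain-level edit: client signing disabled, server requirement still enforced.
DC_AFTER = {**DC_BEFORE, "Digitally sign client communication (when possible)": 0}

if __name__ == "__main__":
    print(check_pair("DC1", DC_BEFORE, "DC2", DC_BEFORE))  # both directions signed
    print(check_pair("DC1", DC_AFTER, "DC2", DC_AFTER))    # both directions fail
```

Comparing the two DCs' effective states this way is the RSoP comparison BloodRed suggests; ICMP is unaffected by any of it, which is why ping still works.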

Author Comment

by:NoahVail
ID: 12176184
It's the Default Domain Policy.  I'm not worried about settings at this point.  I gave myself full permissions on everything under the domain name in the SYSVOL folder.  I had already run dcgpofix on the 2003 server and it returned an access denied error, citing a permissions problem on a file that did not exist - Error is....

Unable to open the GPO due to access denied.  Verify that permissions on the file system path C:\WINDOWS\SYSVOL\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol and the active directory path LDAP://server.domainname.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com are sufficient to modify the GPO.
Access is denied.
Warning: This tool was unable to re-create the EFS Certificates in the Default Domain Policy GPO
Access is denied.
The restore failed.  See previous messages for more details

I'm pretty stumped here.
Thanks for all the input.
NV

Expert Comment

by:BloodRed
ID: 12186396
Have you manually verified the permissions on the two objects in that error message?

-BR

Author Comment

by:NoahVail
ID: 12188766
Registry.pol doesn't exist at the path given.  

CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com doesn't show any restrictions, that is, if I'm looking in the right place in the ADSI editor.

Thanks.
NV

Author Comment

by:NoahVail
ID: 12328550
I've given up and reformatted the servers.  No one seems to know what to do for this.  As per Microsoft's Tech Support, I created another domain controller and used contents from that SYSVOL folder on the affected systems, however, that had no effect.

I'm requesting a close to this question.  I appreciate the efforts, but even Microsoft doesn't know what to do with this.

NV

Accepted Solution

by:
ee_ai_construct earned 0 total points
ID: 12360701
Question answered by asker or dialog valuable.
Closed, 500 points refunded.
ee_ai_construct (replacement part #xm34)
Community Support Admin