Solved

No Authentication between PDC and BDC after Domain GPO edit.

Posted on 2004-09-28 | 11 comments | 765 views | Last modified: 2012-05-05
PDC = Windows Server 2003 Enterprise
BDC = Windows Advanced Server 2000

After reviewing an EE posting I performed an edit on my domain GPO ( to solve some Event Log errors) and changed the following settings.
Computer Configurations\Windows Security\Security Settings\Local Policies\Security Options
              Digitally sign client communication (always)
              Digitally sign client communication (when possible)
              Digitally sign server communication (always)
              Digitally sign server communication (when possible)
I changed all of them from "not defined" to "disabled"
I performed the edit from the BDC.  After a secedit refresh and a reboot, I no longer have communications between the PDC and the BDC.
I then went to the PDC and edited the domain GPO and set those same settings from "disabled" back to "not defined" and rebooted.
That not only failed to help, but I found I was no longer able to edit domain GPO from either dc.
When I click on the Group Policy tab under the domain properties I get the following error...
"The domain controller for Group Policy operations is not available.  You may cancel this operation for this session or retry on of the following domain controller choices:"
"The one with the Operations Master token for this PDC emulator"
"The one used by the Active Directory Snap-ins"
"Use any available domain controller"
Any of the above options will get me an access denied error.  
I have confirmed my PDC is listed under Operations Master.
I have checked relevant permissions under Adsiedit and all is in order there.

I should add that I can ping the dc's from each other.  I also have all access on the LAN except between the two dc's.

I have run out of ideas and this is a critical week for these two servers.  
I will have to leave the office about 5p EST 10/28 but will monitor answers and try to implement solutions remotely, so if I don't seem to answer, please be patient.  I will be posting by morning.  Thanks for all your help.
NV
Question by:NoahVail
11 Comments
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 12173656
there is NO such thing as a PDC or BDC in any 2000/2003 domain; these are NT 4.0 terms.  In 2000/2003 all DCs are equal. True, they can hold the PDC emulator FSMO role, but this is only for backward compatibility if you have any NT 4.0 DCs on your network.


forget whatever you read in a different article here on EE.... what is your INITIAL problem with your 2000/2003 DCs.. i believe you may have been barking up the wrong tree by doing whatever you have done already and possibly caused more problems rather than solve them.

What makes you think you have authentication problems between the DCs???



0
 

Author Comment

by:NoahVail
ID: 12173775
Any time I try to access anything (shares, accounts, whatever...) I am prompted for a user name and password which fails to authenticate.  
I have been trying to puzzle where the domain GPO is being held since I am denied access to it from both dc's.  Can I locate it and take ownership of it?
Thanks.
NV
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 12173853
can you elaborate on what exactly you are doing???

are you trying to access the shares/accounts from a client or server or what?
can whichever machine you are on even ping a domain controller?

i would start by removing one client from the domain and then re-add it back to the domain.

also... DNS is a likely cause of this issue... if DNS isn't set up correctly Active Directory will not work right at all. mainly b/c the clients can't find any of the DCs or resources.  So check your DNS configuration.
0
 

Author Comment

by:NoahVail
ID: 12174019
Everything was fine until I performed those domain GPO edits.  From either machine I can go anywhere on the LAN.  I can browse shares, access admin$ and IPC$, execute files, remotely administer, you name it.  Likewise all my clients can access either server just fine.  But neither server can access the other.  The Windows Server 2003 system is the DNS and is serving the LAN without a problem, except for the Win2k server, which cannot see it.
All of my problems began the moment I performed the edit on the domain GPO.  I do not know how to undo what I did.
Thanks for the replies.
NV
0
 
LVL 10

Expert Comment

by:BloodRed
ID: 12175891
I suspect one of the two systems has a policy being enforced requiring the digital signing of server communication, while the other does not.  That would prevent the two systems from communicating with each other as you mention, but they'd still be able to ping one another.  Check the local policies on each box and do an RSoP, then compare the results.  

I don't believe I'd remove a DC from the domain as a first step, this is probably a simple misconfiguration issue.  Is the GPO you edited the Default Domain Policy, Default Domain Controller Policy, or one you created?  If it is one of the default policies and you still can't access it, check the permissions of the GPT in SYSVOL.  If all else fails, you can download and run the DCGPOFIX.exe from Microsoft, it will re-create your default domain policies.  You did back up the settings, right??  ;)

-BR
0
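The comparison BloodRed suggests, as an added PowerShell example that is not part of the original thread: it reads the registry values behind the four "Digitally sign ... communication" settings on two domain controllers, applies the SMB signing negotiation rule in each direction (a side that requires signing cannot talk to a side that has signing disabled, which is exactly the "access denied on shares, still pingable" symptom), and then checks the SYSVOL side of the Default Domain Policy GPT that the later dcgpofix error points at. Assumptions, none of them from the page: the host names dc2003 and dc2000, the placeholder domain domainname.com, that the Remote Registry service is reachable on both DCs and the script runs as a Domain Admin. The GPO GUID is the one quoted in the dcgpofix output. Note that Security Options settings written by a GPO persist in the registry ("tattoo") when the setting is later put back to "not defined", which is why reverting the GPO alone does not undo the change; this script reports what is actually in the registry, not what the GPO currently says.

```powershell
# Added example (not from the thread). Assumes: run as a Domain Admin, Remote Registry
# reachable on the targets; host names and the domain name below are placeholders.
Set-StrictMode -Version Latest

# Registry values behind the policy settings the asker changed:
#   client side (LanmanWorkstation): "(always)" -> RequireSecuritySignature,
#                                    "(when possible)" -> EnableSecuritySignature
#   server side (LanmanServer):      same two value names
$SigningKeys = @{
    Client = 'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    Server = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
}

function Get-SmbSigningState {
    param([Parameter(Mandatory)][string]$ComputerName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $state = @{ ComputerName = $ComputerName }
        foreach ($side in $SigningKeys.Keys) {
            $key = $hklm.OpenSubKey($SigningKeys[$side])
            # Assumption: an absent value means "not defined", and the platform default
            # on a 2000/2003 DC is "when possible" enabled, "always" not required.
            $state["$($side)Require"] = [int]($key.GetValue('RequireSecuritySignature', 0))
            $state["$($side)Enable"]  = [int]($key.GetValue('EnableSecuritySignature', 1))
            $key.Close()
        }
        [pscustomobject]$state
    } finally { $hklm.Close() }
}

function Test-SmbSigningPair {
    # SMB1 negotiation rule for one client side talking to one server side.
    # Returns 'Signed', 'Unsigned', or 'FAIL: <reason>'.
    param($Client, $Server)
    $clientCan = ($Client.ClientEnable -eq 1) -or ($Client.ClientRequire -eq 1)
    $serverCan = ($Server.ServerEnable -eq 1) -or ($Server.ServerRequire -eq 1)
    if ($Client.ClientRequire -eq 1 -and -not $serverCan) {
        return "FAIL: $($Client.ComputerName) requires signing but $($Server.ComputerName) cannot sign"
    }
    if ($Server.ServerRequire -eq 1 -and -not $clientCan) {
        return "FAIL: $($Server.ComputerName) requires signing but $($Client.ComputerName) cannot sign"
    }
    if ($clientCan -and $serverCan) { return 'Signed' }
    return 'Unsigned'
}

function Compare-DcSigning {
    param([string]$DcA, [string]$DcB)
    $a = Get-SmbSigningState $DcA
    $b = Get-SmbSigningState $DcB
    ($a, $b | Format-Table ComputerName, ClientRequire, ClientEnable, ServerRequire, ServerEnable | Out-String)
    # Each DC acts as client of the other, so both directions must pass.
    "$DcA -> $DcB : " + (Test-SmbSigningPair -Client $a -Server $b)
    "$DcB -> $DcA : " + (Test-SmbSigningPair -Client $b -Server $a)
}

function Test-DefaultDomainPolicyGpt {
    # GPT (SYSVOL) side of the Default Domain Policy; GUID as quoted by dcgpofix.
    param([string]$DomainDns = 'domainname.com',   # placeholder
          [string]$Guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}')
    $gpt = "\\$DomainDns\SYSVOL\$DomainDns\Policies\$Guid"
    $acl = Get-Acl -Path $gpt
    [pscustomobject]@{
        Path              = $gpt
        Owner             = $acl.Owner
        MachineRegistryPol = Test-Path (Join-Path $gpt 'MACHINE\Registry.pol')
        # dcgpofix must be able to write here; list who holds Allow/FullControl.
        FullControl       = ($acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'FullControl' } |
            ForEach-Object { $_.IdentityReference.Value }) -join ', '
    }
}

Compare-DcSigning -DcA 'dc2003' -DcB 'dc2000'
Test-DefaultDomainPolicyGpt
```

Run it from either DC. A "FAIL" line in either direction is the mismatch BloodRed describes; the fix is to set the Enable/Require values consistently on both machines (by GPO, or directly since the values tattoo) rather than to keep editing the GPO from a DC that can no longer reach the other. An empty FullControl list or a missing MACHINE\Registry.pol matches the dcgpofix output the asker quotes below.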
 

Author Comment

by:NoahVail
ID: 12176184
It's the Default Domain Policy.  I'm not worried about settings at this point.  I gave myself full permissions on everything under the domain name in the SYSVOL folder.  I had already run dcgpofix on the 2003 server and it returned an access denied error, citing a permissions problem on a file that did not exist.  The error is....

Unable to open the GPO due to access denied.  Verify that permissions on the file system path C:\WINDOWS\SYSVOL\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol and the active directory path LDAP://server.domainname.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com are sufficient to modify the GPO.
Access is denied.
Warning: This tool was unable to re-create the EFS Certificates in the Default Domain Policy GPO
Access is denied.
The restore failed.  See previous messages for more details

I'm pretty stumped here.
Thanks for all the input.
NV
0
 
LVL 10

Expert Comment

by:BloodRed
ID: 12186396
Have you manually verified the permissions on the two objects in that error message?

-BR
0
 

Author Comment

by:NoahVail
ID: 12188766
Registry.pol doesn't exist at the path given.  

CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com doesn't show any restrictions, that is, if I'm looking in the right place in the ADSI editor.

Thanks.
NV
0
 

Author Comment

by:NoahVail
ID: 12328550
I've given up and reformatted the servers.  No one seems to know what to do for this.  As per Microsoft's Tech Support, I created another domain controller and used contents from that SYSVOL folder on the affected systems, however, that had no effect.

I'm requesting a close to this question.  I appreciate the efforts, but even Microsoft doesn't know what to do with this.

NV
0
 

Accepted Solution

by:
ee_ai_construct earned 0 total points
ID: 12360701
Question answered by asker or dialog valuable.
Closed, 500 points refunded.
ee_ai_construct (replacement part #xm34)
Community Support Admin
0
