• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 317
  • Last Modified:

Can't log into "additional" domain

I have a domain at my house. Today I decided to grab another PC and make it an "additional" domain. It mirrored my original DC fine. I know I have to make the new DC I added a global catalog. So I went into the Sites snap-in, found the server and checked "GLOBAL."


To test for redundancy purposes, I shut off my original DC. The only thing up was my additional DC. I tried logging into the domain and it's not working. It says "DOMAIN NOT AVAILABLE" sometimes; other times it tells me my password isn't correct.

I have all my clients set to use both of the DCs as DNS servers.
Still doesn't work. Any ideas?
0
Asked by: dissolved
2 Solutions
 
Debsyl99Commented:
Hi
Just cos it's you I decided to have a look!

When you say additional domain - is this new server an additional dc on an existing domain, or a new dc on a child or trusted domain?

Where in the states? I loved Florida and Orlando! (Apart from the hurricane that hit whilst I was there)
0
 
dissolvedAuthor Commented:
Thanks Deb

This is an additional DC on an existing domain. Like I said, everything replicated OK (users, groups, etc.). But if the original DC is powered down, the additional DC I added is not doing its job.

I just got this error trying to do group policy too! http://mvpbaseball.cc/damn.jpg

I live in Delaware, the first state, one of the most boring too :)
Orlando is a nice place. Been there a few times. Wish I was there now
0
 
Debsyl99Commented:
I firmly believe that 99.9% of AD "I can't find the server" issues are down to DNS. On your additional DC (bring your other DC up first), make sure DNS is installed on the additional DC, then point your second DC's preferred DNS server in TCP/IP at DC1 to make sure that the DNS info replicates across the servers. All DNS zones need to be AD-integrated and set to accept dynamic updates.

Setting Up the Domain Name System for Active Directory
http://support.microsoft.com/?kbid=237675
Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?kbid=291382
DNS Server becomes an island when a domain controller points to itself for the _Msdcs.ForestDnsName domain?
http://www.jsiinc.com/SUBH/tip3800/rh3869.htm

Whilst they are both up, also check the event logs for any other issues, particularly replication issues - you can use replmon from the 2000 server sp4 support tools

Deb :))

P.S Where is Delaware? Is it somewhere between NY and FL? (My US geography isn't too great - however I bet you don't know where Birmingham UK is either ;-))



0

 
dissolvedAuthor Commented:
"then point your second DC preferred dns server in tcp/ip at DC1 to make sure that the DNS info replicates across the servers"

I'm going to call my original DC "DC A" and my additional one "DC B".

So you want me to go into TCP/IP properties on DC B, and add the address of DC A's DNS server?
Right now, DC B's "preferred DNS" is set to 127.0.0.1 since it is a DNS server as well. I will try what you said to do and let you know.
Thanks!

PS: Yes it is.
Delaware is also near Philadelphia, Pennsylvania and Baltimore, Maryland. I'm about 2 hours from Washington DC as well. Only good thing is that I'm 45 minutes away from the beach.
0
 
Debsyl99Commented:
"So you want me to go into TCP/IP properties on DC B, and add the address of DC A's DNS server?" - Yes (or if you want the US version, YUP! lol). But DC A needs to be up, and you need to make sure that you can connect to both servers from DNS on one server and that records are replicating OK. Just ruling out problems with accessing DNS records.

Also if you shut DC A down, make sure that any connecting client isn't using DHCP, unless you have a scope configured on DCB that will allocate a correct IP and DNS server etc in the event of DCA being unavailable,

P.S Washington is where your president lives which is on the East Coast somewhere below NY? Great I get to learn Geography as well as IT!
0
 
dissolvedAuthor Commented:
Deb: I made DC B's preferred DNS server 192.168.1.98 (DC A's address). What do I do now?

My whole point with this little experiment was to test if I had redundancy. My clients are using static addresses, btw. I was hoping I could kill one of my domain controllers, and the other one would assume its duties.

By the way, in "real" environments: Do additional domain controllers always have their DNS service pointing to the authoritative one for the domain (i.e. DC B uses DC A's address)?

ps: Yep, I'm below NY.  It's starting to get cold out here
0
 
dissolvedAuthor Commented:
Here is an interesting event log:
"Promotion of this server to global catalog has been delayed because partition occupancy requirements have not been met"
I'm guessing this is why DC B cannot authenticate anyone
0
 
dissolvedAuthor Commented:
The computer I'm doing this on (DC B) has been promoted and demoted over and over again the past week (practicing). I think this is why it is acting funny. I'm going to start from fresh. Any good tools that clean AD?


I have a lot of objects in my tree that shouldn't be there (references to domain names I used a long time ago, but deleted)!
0
 
Debsyl99Commented:
Sorry - make secondary dns server in tcp/ip on DC B point to DCB's IP address. When both are up, try using dns in dcB (right-click dns - choose connect to server I think) to connect to DNS on Server DCA - check that records are replicated correctly (allow zone transfers to nameservers listed which should be both DCA and DCB). (Just pointing DCB at DC A temporarily to prevent islanding). If you are using static addresses, does it make any difference on the client if, after this you take DC A down, you point the preferred dns server in the clients tcp/ip preferred dns server to DCB, then try logon? If logging on doesn't work can you post the results of an ipconfig /all from a command prompt on the client, and maybe see if you can run a ping by name and ip against DCB?

You have to bear in mind that this is "off the top of my head" as I am nowhere near my domain right now, and I may well have to pick this up tomorrow as it is bedtime for me here,

P.S - Birmingham is about 120 miles north of London - but the weather here went from blizzard conditions last Thursday to 14 degrees C over the weekend ????
(Bit like "The Day After Tomorrow"! but fortunately in reverse)

0
 
Debsyl99Commented:
Ah - just got your last two posts now and yes that would cause your problems - Check for NTDS KCC source errors in the event logs - I still reckon it's DNS related. Good tool to clean AD is ntdsutil (but not terribly sure you need to use it - you just need to get these two DCs replicating I think) - Just in case, but don't use it yet:
How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q216498&

Before messing with ntdsutil - try using replmon from here: (You need to be using 2000 server sp4)
Windows 2000 SP4 Support Tools
http://support.microsoft.com/default.aspx?scid=kb;en-us;812809


0
 
dissolvedAuthor Commented:
What's weird is that they did replicate some things. (The Users and Computers snap-in shows the same things on both DCs.)

Guess the DNS isn't replicating?

In any event, get some rest Deb! I'll play around a little more tonight. Can't believe it's so cold there.

Thanks for the help
0
 
dissolvedAuthor Commented:
I need a vacation. I'll talk to you tomorrow deb lol
0
 
Chris DentPowerShell DeveloperCommented:

Morning Dissolved,

Late arrival I'm afraid, Deb stays up too late at night for me!

Can you post the TCP/IP Config for both servers? Ideally you should have:

Server A:
Primary DNS: Server A
Secondary DNS: Server B

Server B:
Primary DNS: Server A
Secondary DNS: Server B

And can you run DC Diagnostics against each server? You can download it from Microsoft if you don't already have it:

http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/dcdiag-o.asp

You'll need to run it from the command prompt with:

dcdiag /s:<server name>

It probably is DNS related, it's amazing the number of AD errors that are attributable to DNS.

There were blizzards up north? See that's the problem with moving into the south. Boring weather ;)
0
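When dcdiag is run against each server as suggested above, the useful part of its output is the per-test verdict line it prints at the end of every test ("......................... DC-B passed test Connectivity" / "failed test Replications"). The script below is an added example, not code from the thread or from Microsoft: it pulls those verdict lines out so the failed tests for each DC can be listed at a glance. The sample output it parses is constructed to mimic dcdiag's result-line format, and the server name DC-B and the failing tests in it are made up, not a capture from the poster's domain.

```python
"""Summarise dcdiag output per server: which tests passed and which failed.
Added example (not from the thread). SAMPLE_DCDIAG_OUTPUT is constructed to
look like dcdiag's verdict lines; it is not a real capture."""
import re

# dcdiag ends every test with a line like:
#   "         ......................... DC-B passed test Connectivity"
RESULT_RE = re.compile(
    r"^\s*\.{3,}\s+(?P<server>\S+)\s+(?P<verdict>passed|failed)\s+test\s+(?P<test>\S+)\s*$"
)

# Constructed sample: one DC with two failing tests (names and outcomes made up)
SAMPLE_DCDIAG_OUTPUT = """\
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\\DC-B
      Starting test: Connectivity
         ......................... DC-B passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\\DC-B
      Starting test: Replications
         [Replications Check,DC-B] A recent replication attempt failed:
            From DC-A to DC-B
            Naming Context: DC=spira,DC=com
         ......................... DC-B failed test Replications
      Starting test: NCSecDesc
         ......................... DC-B passed test NCSecDesc
      Starting test: Advertising
         Warning: DC-B is not advertising as a global catalog.
         ......................... DC-B failed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... DC-B passed test KnowsOfRoleHolders
"""


def parse_dcdiag(text):
    """Return {server: {"passed": [tests], "failed": [tests]}} from dcdiag output.

    Only the verdict lines are used; the free-form detail lines between them
    are ignored, so the parser tolerates whatever dcdiag prints there."""
    results = {}
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue
        entry = results.setdefault(m["server"], {"passed": [], "failed": []})
        entry[m["verdict"]].append(m["test"])
    return results


def failed_tests(text):
    """Flat, sorted list of (server, test) pairs that failed, for quick triage."""
    return sorted(
        (server, test)
        for server, r in parse_dcdiag(text).items()
        for test in r["failed"]
    )


if __name__ == "__main__":
    for server, r in parse_dcdiag(SAMPLE_DCDIAG_OUTPUT).items():
        failed = ", ".join(r["failed"]) or "none"
        print(f"{server}: {len(r['passed'])} passed; failed: {failed}")
```

Run it with the real output redirected to a file (`dcdiag /s:<server name> > dcdiag.txt`) and pass the file's contents to `parse_dcdiag`; a DC that fails Replications or Advertising is exactly the one that will not be able to log anyone on once its partner is switched off.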
 
dissolvedAuthor Commented:
Domain A (192.168.1.3)   This is my first domain controller
DNS 127.0.0.1  primary
DNS 192.168.1.4  secondary

Domain B (192.168.1.4)    This is the additional, I made yesterday
DNS 127.0.0.1  primary
DNS 192.168.1.3  secondary

Is that the proper TCP/IP properties?
Are these typical TCP/IP properties for DNS servers (pointing to each other)? Do you do this even when they are different forests? I thought that whenever you had a DNS server, you only point it to itself? (confusing stuff!)
Thanks
0
 
Chris DentPowerShell DeveloperCommented:

These are both servers in the same domain? If it's two separate domains and you're attempting to create a trust, then the configuration above is correct.

If they're the same domain, it needs to know where the rest of the domain is in order to find the data to replicate, so initially at least your new server needs the IP of the first as its primary DNS.

After that it's not so important because any changes to DNS are replicated throughout AD (Active Directory Integrated Zones). With that in mind it's also not too important which DNS it uses first - in all cases the DNS data should be the same.

So, try swapping the DNS Server addresses around on Server B.

It would still be worth running DCDiag to see if the servers are happily replicating AD Data.
0
 
dissolvedAuthor Commented:
Hey Chris. Here is a visio snap shot of my network.
http://mvpbaseball.cc/ad.jpg

The Spira.com domain tree consists of two DCs. On my other network, I have a separate tree called CalmLands.com. I joined CalmLands.com and Spira.com together to form a forest with an external trust.

Given the diagram, here is how I have it set up:

Spira.com DC   (global catalog)
IP 192.168.1.98
gateway 192.168.1.1
Primary DNS  127.0.0.1
Secondary DNS NONE
*I created a secondary DNS zone for CalmLands.com (so I could resolve their host names)

Spira.com DC (additional)  (global catalog)
IP 192.168.1.12
Primary DNS 127.0.0.1
Secondary DNS 192.168.1.98


CalmLands.com DC   (global catalog)
IP 192.168.2.11
Primary DNS 127.0.0.1
Secondary DNS NONE
*I created a secondary DNS zone here for spira.com (so I could resolve their host names)


Problem: If I shut off the main DC in the spira.com domain, I cannot log in to the spira.com domain at all! The additional DC is not doing its job.
0
 
Chris DentPowerShell DeveloperCommented:

Add a slave zone for CalmLands.com on the additional Spira.com DC if you want names over there to resolve with the main DC down.

Add 192.168.1.12 as the secondary DNS on your main DC (not essential, but good just in case).

Run DCDiag, I'd like to see the output from there, especially to check whether or not the two DCs in Spira.com are replicating data between themselves.

Can you also run DumpFSMOs to check all those are in place?

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpfsmos-o.asp

Is the Group Policy error you have all the way above still showing up?

It still looks like a problem with replication, but the output from DCDiag and DumpFSMOs should help clear up exactly what is going wrong with it.
0
 
Chris DentPowerShell DeveloperCommented:

Oh, and could you switch the Primary and Secondary DNS on the additional DC until replication is definitely working?
0
 
dissolvedAuthor Commented:
I will be home in 2 hours. I will do that.

When you say "add a slave zone for calmlands.com", you mean a secondary DNS zone, right?

Thanks for all the help bud
0
 
Chris DentPowerShell DeveloperCommented:

Yep, secondary DNS zone will let you resolve names on the remote network without your main DC being online.

Might be unnecessary, just depends on if you want it really.
0
 
Debsyl99Commented:
Hello Guys!
Looks like I've missed all the action....... Been busy prepping our forest for our first 2k3 DC and building it so been nowhere near my email till now (forestprep fluffed first time round after lots of successful tests and checks - I was gutted and shamed - anyway fixed it) but I digress...

Only thing I'd add really is not to use loopback addresses in DNS settings, use the actual IPs, and also use the dcdiag from the support tools link I posted earlier if you get the dsismangled error message - IF you're running 2k Server SP4........ Also check the event logs on the servers and post any errors... I think that there should maybe be some logged (although dcdiag should list some of them at least if present)



0
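The DNS client settings recommended across this thread (Chris's "Primary DNS: Server A, Secondary DNS: Server B" on both servers, Deb's "don't use loopback addresses" and the islanding warning in the jsiinc link) can be checked mechanically before a DC is switched off for a redundancy test. The following is an added example, not code from the thread or from any of its posters: it encodes those rules and runs them over two constructed DC descriptions, one using the Spira.com addresses as posted (192.168.1.98 and 192.168.1.12, loopback first, no fallback on the main DC) and one corrected as the replies suggest. The DC names SPIRA-DC-A / SPIRA-DC-B are made up, and "first DC" simply means the DC that holds the existing copy of the domain the new one replicates from.

```python
"""Audit domain controllers' DNS client (TCP/IP) settings against the advice in
this thread: no loopback addresses, the additional DC prefers the first DC until
replication is confirmed, no DC points only at itself (the DNS "island"), and
every DC lists every other DC as a fallback. Added example; DC names are made
up, the addresses are the ones posted in the thread."""
from dataclasses import dataclass

LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class DomainController:
    name: str
    ip: str
    dns_servers: list        # TCP/IP DNS list, preferred server first
    is_first_dc: bool = False


def effective_servers(dc):
    """A loopback entry really means 'this DC', so map it to the DC's own IP."""
    return [dc.ip if s in LOOPBACK else s for s in dc.dns_servers]


def check_dc(dc, all_dcs):
    """Return a list of findings for one DC (empty when its settings look right)."""
    findings = []
    servers = effective_servers(dc)
    if not servers:
        return ["no DNS servers configured"]
    dc_ips = {d.ip for d in all_dcs}
    if any(s in LOOPBACK for s in dc.dns_servers):
        findings.append("uses a loopback address; use the DC's real IP instead")
    if set(servers) == {dc.ip}:
        findings.append("points only at itself (DNS island risk)")
    first = next((d for d in all_dcs if d.is_first_dc), None)
    if first is not None and not dc.is_first_dc and servers[0] != first.ip:
        findings.append(f"preferred DNS should be the first DC {first.ip} "
                        "until replication is confirmed")
    missing = sorted(dc_ips - set(servers))
    if missing:
        findings.append("does not list DC(s) " + ", ".join(missing))
    unknown = sorted(set(servers) - dc_ips)
    if unknown:
        findings.append("lists non-DC DNS server(s) " + ", ".join(unknown))
    return findings


def audit(dcs):
    """Map DC name -> findings, leaving out DCs that have nothing to report."""
    report = {}
    for dc in dcs:
        findings = check_dc(dc, dcs)
        if findings:
            report[dc.name] = findings
    return report


# Constructed: the Spira.com settings as posted in the thread
AS_POSTED = [
    DomainController("SPIRA-DC-A", "192.168.1.98", ["127.0.0.1"], is_first_dc=True),
    DomainController("SPIRA-DC-B", "192.168.1.12", ["127.0.0.1", "192.168.1.98"]),
]

# Constructed: the same two DCs set up the way the replies recommend
CORRECTED = [
    DomainController("SPIRA-DC-A", "192.168.1.98",
                     ["192.168.1.98", "192.168.1.12"], is_first_dc=True),
    DomainController("SPIRA-DC-B", "192.168.1.12",
                     ["192.168.1.98", "192.168.1.12"]),
]

if __name__ == "__main__":
    for label, dcs in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"== {label} ==")
        report = audit(dcs)
        if not report:
            print("  no findings")
        for name, findings in report.items():
            for finding in findings:
                print(f"  {name}: {finding}")
```

The "points only at itself" rule is the one that matters most for the redundancy test: a DC whose only DNS server is itself can still answer for the zone while its partner is up, but it never learned about the partner's records through anything except AD replication, which is exactly what breaks when the partner goes away. Once replication is confirmed working, the preferred/alternate order on the additional DC is a matter of taste, as Chris says; the other rules still apply.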
 
dissolvedAuthor Commented:
Hi guys

I ran dcdiag and I'm getting this DsIsmangled error. Pc is win2k sp4 fully patched. Just got home from work. Going to try the suggestions
0
 
Debsyl99Commented:
Hi dissolved (what's your real name? fed up of referring to you like some sort of aspirin!)

Download the support tools as in the link below - you're just using the wrong version of dcdiag for your service pack level is all (that's all the dsismangled error means)- if you are on sp4 then download these tools, install, then re-run dcdiag and post the results as we both can't wait to see them ;-))

Windows 2000 SP4 Support Tools
http://support.microsoft.com/default.aspx?scid=kb;en-us;812809
0
 
dissolvedAuthor Commented:
lol aspirin. Real name is Dan

OK, I'm going to start with a fresh installation of AD. Stuff is getting too buggy. One problem: I've been adding/removing so many domains that now they show up when I go to log in. It gives me a list of 3 domains to log into. How do I get rid of this? Also..... How do I remove old sites from Sites and Services? How do I remove old domains so they don't show up when I right-click > Properties > Security?

Can't seem to get rid of the old domains. After I do that, I'm going to re-try the whole purpose of this thread lol.
What a headache. You guys are probably right: DNS issues. That's why I have never been able to uninstall AD. It always says "cannot find a DC or domain associated with that etc etc".

Thanks
0
 
Chris DentPowerShell DeveloperCommented:

Morning :)

Technically DNS is separate from AD and should always be the last thing you remove when getting rid of a domain.

Anyway, removing things that no longer exist should first be attempted through the Administrative Tools applets. Each "dead" component has to be removed a little at a time. For instance, to remove a dead Domain Controller from AD Sites and Services you would first remove the connections, then the NTDS Settings, then the server itself, then the site, etc etc.

If it won't let you remove it from there then you get to delve into the wonderful world of ADSIEdit and NTDSUtil. ADSIEdit allows you to directly edit the contents of the directory - unlike the rest of the Administrative Tools it doesn't have any safeguards and will happily let you destroy AD.

Here's the relevant Microsoft article describing all the necessary steps:

http://support.microsoft.com/?kbid=216498

Domains are slightly different - in theory additional domains (or dead ones) shouldn't be mentioned in your current AD Structure, but if they are you should be able to see them with ADSIEdit.

I'm not too sure about removing logon domain options from the PCs. But you might check the Users applet under Control Panel and see if it lists any users in a different domain. It's possible cached logons for these domains are forcing the options to appear.
0
 
dissolvedAuthor Commented:
Will give it a shot. Do appreciate all of your help and Deb's help. In my honest opinion, AD is a little buggy, but definitely needed in companies obviously. I hope Server 2003 addressed some of these issues I'm experiencing. Should just be able to remove a DC from a domain and not go through all of this teeth pulling! lol

Thanks again guys.
0
 
dissolvedAuthor Commented:
btw: How do I remove trusts?  I think this may be part of the problem too
0
 
Chris DentPowerShell DeveloperCommented:

AD Domains and Trusts, Properties for your domain, Trusts tab and they should be listed there.
0
 
dissolvedAuthor Commented:
Yea, a child domain is listed there but the remove button is grayed out lol. I'm going to close this question since I completely made it a mess all by myself. I'll re-post once I get everything straight.

again, thanks for everything.
0
 
dissolvedAuthor Commented:
Was hard deciding who to award the answered question to!
0
