dissolved

Can't log into "additional" domain

I have a domain at my house. Today I decided to grab another PC and make it an "additional" domain. It mirrored my original DC fine.   I know I have to make the new DC I added a global catalog. So I went into the sites snap in, found the server and checked "GLOBAL."


To test for redundancy purposes, I shut off my original DC. The only thing up was my additional DC. I tried logging into the domain and it's not working. It says "DOMAIN NOT AVAILABLE" sometimes, other times it tells me my password isn't correct.

I have all my clients set to use both of the DCs as DNS servers.  
Still doesn't work.  Any ideas?
Debsyl99

Hi
Just cos it's you I decided to have a look!

When you say additional domain - is this new server an additional dc on an existing domain, or a new dc on a child or trusted domain?

Where in the states? I loved Florida and Orlando! (Apart from the hurricane that hit whilst I was there)

ASKER

Thanks Deb

this is an additional DC on an existing domain. Like I said, everything replicated ok (users, groups etc). But if the original DC is powered down, the additional DC I added is not doing its job.

I just got this error trying to do group policy too! http://mvpbaseball.cc/damn.jpg

I live in Delaware, the first state, one of the most boring too :)
Orlando is a nice place. Been there a few times. Wish I was there now
ASKER CERTIFIED SOLUTION
Debsyl99

"then point your second DC preferred dns server in tcp/ip at DC1 to make sure that the DNS info replicates across the servers"

I'm going to call my original DC "DC A" and my additional one "DC B".

So you want me to go into TCP/IP properties on DC B, and add the address of  DC A's DNS server?
Right now, DC B's "preferred DNS" is set to 127.0.0.1 since it is a DNS server as well.  I will try what you said to do and let you know.
thanks!

ps: Yes it is .
Delaware is also near Philadelphia, Pennsylvania and Baltimore, Maryland. I'm about 2 hours from Washington DC as well. Only good thing is that I'm 45 minutes away from the beach
"So you want me to go into TCP/IP properties on DC B, and add the address of  DC A's DNS server?" - Yes (Or if you want the US version, YUP! lol)- But DC A needs to be up, and you need to make sure that you can connect to both servers from DNS on one server and that records are replicating OK. Just ruling out problems with accessing dns records,

Also if you shut DC A down, make sure that any connecting client isn't using DHCP, unless you have a scope configured on DCB that will allocate a correct IP and DNS server etc in the event of DCA being unavailable,

P.S Washington is where your president lives which is on the East Coast somewhere below NY? Great I get to learn Geography as well as IT!
Deb: I made DC B 's preferred DNS server 192.168.1.98 (DC A's address) What do I do now?  

My whole point with this little experiment was to test if I had redundancy. My clients are using static addresses btw.  I was hoping I could kill one of my domain controllers, and the other one would assume its duties.

By the way, in "real" environments: Do additional domain controllers always have their DNS service pointing to the authoritative one for the domain (ie: DC B uses DC A address)?

ps: Yep, I'm below NY.  It's starting to get cold out here
Here is an interesting event log:
"Promotion of this server to global catalog has been delayed because partition occupancy requirements have not been met"
I'm guessing this is why DC B cannot authenticate anyone
The computer I'm doing this on (DC B) has been promoted and demoted over and over again the past week (practicing).  I think this is why it is acting funny. I'm going to start from fresh. Any good tools that clean AD?


I have a lot of objects in my tree that shouldn't be there (references to domain names I used a long time ago, but deleted)!
Sorry - make secondary dns server in tcp/ip on DC B point to DCB's IP address. When both are up, try using dns in dcB (right-click dns - choose connect to server I think) to connect to DNS on Server DCA - check that records are replicated correctly (allow zone transfers to nameservers listed which should be both DCA and DCB). (Just pointing DCB at DC A temporarily to prevent islanding). If you are using static addresses, does it make any difference on the client if, after this you take DC A down, you point the preferred dns server in the clients tcp/ip preferred dns server to DCB, then try logon? If logging on doesn't work can you post the results of an ipconfig /all from a command prompt on the client, and maybe see if you can run a ping by name and ip against DCB?

You have to bear in mind that this is "off the top of my head" as I am nowhere near my domain right now, and I may well have to pick this up tomorrow as it is bedtime for me here,

P.S - Birmingham is about 120 miles north of London - but the weather here went from blizzard conditions last Thursday to 14 degrees C over the weekend ????
(Bit like "The Day After Tomorrow"! but fortunately in reverse)

Ah - just got your last two posts now and yes that would cause your problems - Check for NTDS KCC source errors in the event logs - I still reckon it's dns related. Good tool to clean AD is ntdsutil (but not terribly sure your need to use it - you just need to get these two dc's replicating I think) - Just in case but don't use it yet:
How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q216498&

Before messing with ntdsutil - try using replmon from here: (You need to be using 2000 server sp4)
Windows 2000 SP4 Support Tools
http://support.microsoft.com/default.aspx?scid=kb;en-us;812809


What's weird is that they did replicate some things. (The Users and Computers snap-in shows the same things on both DCs.)

Guess the DNS isn't replicating?

In any event, get some rest Deb! I'll play around a little more tonight. Can't believe it's so cold there.

Thanks for the help
I need a vacation. I'll talk to you tomorrow deb lol
Chris Dent

Morning Dissolved,

Late arrival I'm afraid, Deb stays up too late at night for me!

Can you post the TCP/IP Config for both servers? Ideally you should have:

Server A:
Primary DNS: Server A
Secondary DNS: Server B

Server B:
Primary DNS: Server A
Secondary DNS: Server B

And can you run DC Diagnostics against each server? You can download it from Microsoft if you don't already have it:

http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/dcdiag-o.asp

You'll need to run it from the command prompt with:

dcdiag /s:<server name>

It probably is DNS related, it's amazing the number of AD errors that are attributable to DNS.

There were blizzards up north? See that's the problem with moving into the south. Boring weather ;)
Domain A (192.168.1.3)   This is my first domain controller
DNS  127.0.0.1  primary
DNS 192.168.1.4  secondary



Domain B (192.168.1.4)    This is the additional, I made yesterday
DNS 127.0.0.1          primary
DNS 192.168.1.3     secondary


Is that the proper TCP/IP properties?
Are these typical TCP/IP properties for DNS servers (pointing to each other)? Do you do this even when they are different forests?  I thought that whenever you had a DNS server, you only point it to itself? (confusing stuff!)
thanks

These are both servers in the same domain? If it's two separate domains and you're attempting to create a trust then the configuration above is correct.

If they're the same domain, it needs to know where the rest of the domain is in order to find the data to replicate, so initially at least your new server needs the IP of the first as its primary DNS.

After that it's not so important because any changes to DNS are replicated throughout AD (Active Directory Integrated Zones). With that in mind it's also not too important which DNS it uses first - in all cases the DNS data should be the same.

So, try swapping the DNS Server addresses around on Server B.

It would still be worth running DCDiag to see if the servers are happily replicating AD Data.
Hey Chris. Here is a Visio snapshot of my network.
http://mvpbaseball.cc/ad.jpg

The Spira.com domain tree consists of two DCs.  On my other network, I have a separate tree called CalmLands.com.  I joined CalmLands.com and Spira.com together to form a forest with an external trust.

Given the diagram, here is how I have it set up:

Spira.com DC   (global catalog)
IP 192.168.1.98
gateway 192.168.1.1
Primary DNS  127.0.0.1
Secondary DNS NONE
*I created a secondary DNS zone for CalmLands.com (so I could resolve their host names)

Spira.com DC (additional)  (global catalog)
IP 192.168.1.12
Primary DNS 127.0.0.1
Secondary DNS 192.168.1.98


CalmLands.com DC   (global catalog)
IP 192.168.2.11
Primary DNS 127.0.0.1
Secondary DNS NONE
*I created a secondary DNS zone here for spira.com (so i could resolve their host names)


Problem: If I shut off the main DC in the spira.com domain, I cannot log in to the spira.com domain at all! The additional DC is not doing its job.

Add a slave zone for CalmLands.com on the additional Spira.com DC if you want names over there to resolve with the main DC down.

Add 192.168.1.12 as the secondary DNS on your main DC (not essential, but good just in case).

Run DCDiag, I'd like to see the output from there, especially to check whether or not the two DCs in Spira.com are replicating data between themselves.

Can you also run DumpFSMOs to check all those are in place?

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpfsmos-o.asp

Is the Group Policy error you have all the way above still showing up?

It still looks like a problem with replication, but the output from DCDiag and DumpFSMOs should help clear up exactly what is going wrong with it.

Oh, and could you switch the Primary and Secondary DNS on the additional DC until replication is definitely working?
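A way to check the redundancy test from Chris's posts above before pulling the plug on the main DC, added here as an example and not code from the thread: it asks each DC's DNS server for the locator records a client uses to find a domain controller, then runs dcdiag against each DC. The domain name and addresses are the ones posted in the thread; everything else is assumed.

```powershell
# Constructed example: verify that BOTH DCs' DNS servers can answer the
# DC locator queries a client makes at logon. If DC B's DNS cannot, any
# client that fails over to DC B gets "domain not available".
$Domain     = 'spira.com'                        # domain from the thread
$DnsServers = @('192.168.1.98', '192.168.1.12')  # DC A and DC B from the thread

# Records a client needs in order to locate and authenticate to a DC.
$Records = @(
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     Type = 'SRV' }  # DC locator
    @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; Type = 'SRV' }  # KDC locator
    @{ Name = "_ldap._tcp.pdc._msdcs.$Domain";    Type = 'SRV' }  # PDC emulator
    @{ Name = $Domain;                            Type = 'A'   }  # domain A records
)

foreach ($srv in $DnsServers) {
    Write-Host "== Querying DNS server $srv =="
    foreach ($r in $Records) {
        try {
            # -DnsOnly bypasses the hosts file and cache so we test the server itself
            $ans = Resolve-DnsName -Name $r.Name -Type $r.Type -Server $srv -DnsOnly -ErrorAction Stop
            $targets = ($ans | Where-Object { $_.Type -eq $r.Type } | ForEach-Object {
                if ($r.Type -eq 'SRV') { $_.NameTarget } else { $_.IPAddress }
            }) -join ', '
            Write-Host ("  OK   {0,-42} -> {1}" -f $r.Name, $targets)
        } catch {
            # A FAIL here on one server but not the other means the zone has not
            # replicated to that DC: the cause of the logon failures in the thread.
            Write-Host ("  FAIL {0,-42} ({1})" -f $r.Name, $_.Exception.Message)
        }
    }
}

# Which DC does the locator on this machine actually pick right now?
nltest /dsgetdc:$Domain /force

# Replication and DNS health per DC; /q prints only the failures.
foreach ($srv in $DnsServers) {
    Write-Host "== dcdiag against $srv =="
    dcdiag /s:$srv /q
}
```

Both SRV answers should list both DCs as targets; if DC B's own name is missing from the records its own DNS server returns, it cannot be found once DC A is down regardless of how the clients' resolver order is set.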
I will be home in 2 hours. I will do that.

When you say "add a slave zone for calmlands.com", you mean a secondary DNS zone right?

Thanks for all the help bud

Yep, secondary DNS zone will let you resolve names on the remote network without your main DC being online.

Might be unnecessary, just depends on if you want it really.
Hello Guys!
Looks like I've missed all the action....... Been busy prepping our forest for our first 2k3 DC and building it so been nowhere near my email till now (forestprep fluffed first time round after lots of successful tests and checks - I was gutted and shamed - anyway fixed it) but I digress...

Only thing I'd add really is not to use loopback addresses in DNS settings, use the actual IPs, and also use the dcdiag from the support tools link I posted earlier if you get the DsIsMangled error message - IF you're running 2k server sp4........ Also check the event logs on the servers and post any errors... I think that there should maybe be some logged (although dcdiag should list some of them at least if present)



Hi guys

I ran dcdiag and I'm getting this DsIsmangled error. Pc is win2k sp4 fully patched. Just got home from work. Going to try the suggestions
Hi dissolved (what's your real name? fed up of referring to you like some sort of aspirin!)

Download the support tools as in the link below - you're just using the wrong version of dcdiag for your service pack level is all (that's all the dsismangled error means)- if you are on sp4 then download these tools, install, then re-run dcdiag and post the results as we both can't wait to see them ;-))

Windows 2000 SP4 Support Tools
http://support.microsoft.com/default.aspx?scid=kb;en-us;812809
lol aspirin. Real name is Dan

OK, I'm going to start with a fresh installation of AD. Stuff is getting too buggy. One problem. I've been adding/removing so many domains that now they show up when I go to log in. It gives me a list of 3 domains to log into.  How do I get rid of this? Also..... How do I remove old sites from Sites and Services? How do I remove old domains so they don't show up when I right click > Properties > Security?

Can't seem to get rid of the old domains.  After I do that, I'm going to re-try the whole purpose of this thread lol.
What a headache. You guys are probably right: DNS issues. That's why I have never been able to uninstall AD. It always says "cannot find a DC or domain associated with that etc etc".

Thanks
SOLUTION
Will give it a shot. Do appreciate all of your help and Deb's help. In my honest opinion, AD is a little buggy, but definitely needed in companies obviously. I hope Server 2003 addressed some of these issues I'm experiencing. Should just be able to remove a DC from a domain and not go through all of this teeth pulling! lol

Thanks again guys.
btw: How do I remove trusts?  I think this may be part of the problem too

AD Domains and Trusts, Properties for your domain, Trusts tab and they should be listed there.
Yea, a child domain is listed there but the remove button is grayed out lol. I'm going to close this question since I completely made it a mess all by myself. I'll re-post once I get everything straight

again, thanks for everything.
Was hard deciding who to award the answered question to!