Event ID 3210 "Unable to Authenticate to All Domain Controllers"

We have a Windows 2003 AD domain with three DCs called DC-1, DC-2, and DC-3.  All DCs are running AD-integrated DNS.  There seems to be no problem authenticating to DC-1, but all the XP/2000 workstations in our environment are having problems authenticating to DC-2 and DC-3.  It's really annoying because customers have to keep restarting their computers until they connect to DC-1.  When they fail, the following event error appears:

Event ID 3210
Source: Netlogon
This Computer could not authenticate with \\DC-2 (also DC-3), a windows domain controller for domain OUR_DOMAIN_NAME, and therefore this computer might deny login requests.  This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer is not recognized.  If this message appears again, contact your system administrator.

We tried deleting/recreating workstation accounts, but that didn't help.  There doesn't seem to be any problem with duplicate computer names on the network.  We also checked our DNS records and everything seems to be OK.  We can also ping the FQDN for all DCs.  NLTEST tells us that we can only connect to DC-1.

Are the two servers cloned from DC1?

If so, the machine SID is not unique.  Run SYSPREP on them to recreate the SID.  You *may* need to demote them first.

dborschel (Author) commented:
Thanks for the quick reply, netmann66.  The servers were not cloned from DC1.  We also verified that all the workstations had unique SIDs.
You may also need to reset the secure channel for these two DCs.

Same applies to 2003:
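The secure-channel check and reset suggested above, written out as a PowerShell wrapper around nltest (the tool the thread already uses). This is an added example, not code from the thread or from Microsoft; it assumes an elevated prompt on an affected workstation, that nltest.exe is on the path, and that the "Trusted DC Name" / "Trusted DC Connection Status" line layout of Windows 2003/XP-era nltest output. The domain and DC names are placeholders taken from the question.

```powershell
# Added example: query which DC a workstation's secure channel is bound to,
# and re-establish that channel against a specific DC with nltest /sc_reset.

function Get-FirstMatch([string[]]$Lines, [string]$Pattern) {
    # Return the first capture group of the first line matching $Pattern, or $null.
    foreach ($l in $Lines) { if ($l -match $Pattern) { return $Matches[1] } }
    return $null
}

function Get-SecureChannelState {
    param([Parameter(Mandatory)][string]$Domain)
    # nltest /sc_query reports the DC the channel is bound to and its status code.
    $out    = @(& nltest.exe "/sc_query:$Domain" 2>&1 | ForEach-Object { "$_" })
    $dc     = Get-FirstMatch $out 'Trusted DC Name\s+\\\\(\S+)'
    $status = Get-FirstMatch $out 'Trusted DC Connection Status\s+Status = (\d+)'
    [pscustomobject]@{
        Domain    = $Domain
        TrustedDC = $dc
        Status    = $status            # '0' = NERR_Success
        Healthy   = ($LASTEXITCODE -eq 0 -and $status -eq '0')
        RawOutput = ($out -join "`n")
    }
}

function Reset-SecureChannelTo {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$DomainController   # e.g. DC-2 (placeholder)
    )
    # /sc_reset:<domain>\<dc> rebuilds the secure channel with the named DC instead
    # of whichever DC the locator picked, so a failing DC can be tested directly.
    if ($PSCmdlet.ShouldProcess("$Domain\$DomainController", 'Reset secure channel')) {
        & nltest.exe "/sc_reset:$Domain\$DomainController" 2>&1 | ForEach-Object { Write-Verbose "$_" }
        Get-SecureChannelState -Domain $Domain
    }
}

# Usage with the placeholder names from the question:
Get-SecureChannelState -Domain 'OUR_DOMAIN_NAME'
# Force the channel onto one of the DCs that is failing; a non-zero Status here
# (rather than on DC-1) points at that DC or the path to it, not at the client.
Reset-SecureChannelTo -Domain 'OUR_DOMAIN_NAME' -DomainController 'DC-2' -Verbose
```

If the reset against DC-2 or DC-3 keeps returning a non-zero status while DC-1 succeeds, the problem is on the server side or on the network between them, which is where the thread eventually ends up.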


Just a quick note on SIDs on DCs.  All DCs should have the same SID: once they are promoted, they change and will have the same one.

PSGetSid from Sysinternals is a good tool to check the SID issues on a domain.

Have you checked the event log on DC-2 or -3 to see if there are logged events when a workstation attempts to authenticate with them?
dborschel (Author) commented:
I checked Event Viewer on both DCs and there is nothing logged from the workstations.

I also took a look at the links that netmann66 posted.  The netlogon service was started on both DC's.  Also the 3210 error is only showing up on the workstations, not the domain controllers.
dborschel (Author) commented:
Thanks, Stafi.  I've done a lot of things such as using Netdom and nltest, but I haven't checked the Security Policy setting for RestrictAnonymous.  I'll check it out.
dborschel (Author) commented:
It took some time, but I believe we have resolved this problem.  After much research, we came across Microsoft Support article 154596, "How to configure RPC dynamic port allocation to work with firewalls".  We modified the registry on the servers so they would use ports 5000-5200.  Thus, we can control which ports RPC is using so that the firewall can be configured the same way.  We are thinking that when dynamic RPC failed for the clients, they could only authenticate to DC-1 because it was the PDC emulator.

I'm not a firewall expert, so I hope my explanation was ok.

I hope the link below will help others who have had this problem:
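The fix the author describes, written out as PowerShell that applies and verifies the RPC dynamic port range from Microsoft article 154596 using the 5000-5200 range chosen in this thread. This is an added example, not code from the thread or from the article; it assumes an elevated prompt on each DC, that the registry values under HKLM\SOFTWARE\Microsoft\Rpc\Internet (Ports, PortsInternetAvailable, UseInternetPorts) are the ones the article documents, and that the RPC runtime only reads them after a reboot. The netstat line layout the listener check parses is also an assumption.

```powershell
# Added example: pin RPC dynamic endpoints to a fixed range so the firewall
# between workstations and DCs can be opened narrowly (TCP 135 plus the range).

$RpcInternetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Set-RpcDynamicPortRange {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateRange(1024, 65535)][int]$Start,
        [Parameter(Mandatory)][ValidateRange(1024, 65535)][int]$End
    )
    if ($End -le $Start) { throw "End port must be greater than Start port" }
    if ($PSCmdlet.ShouldProcess($RpcInternetKey, "Set RPC port range $Start-$End")) {
        if (-not (Test-Path $RpcInternetKey)) { New-Item -Path $RpcInternetKey -Force | Out-Null }
        # Ports is REG_MULTI_SZ, one "start-end" entry per element.
        New-ItemProperty -Path $RpcInternetKey -Name 'Ports' -PropertyType MultiString `
            -Value @("$Start-$End") -Force | Out-Null
        # 'Y' means the listed ports are the ones RPC may hand out (allow-list form).
        New-ItemProperty -Path $RpcInternetKey -Name 'PortsInternetAvailable' `
            -PropertyType String -Value 'Y' -Force | Out-Null
        # 'Y' makes RPC allocate from that range by default for all services.
        New-ItemProperty -Path $RpcInternetKey -Name 'UseInternetPorts' `
            -PropertyType String -Value 'Y' -Force | Out-Null
    }
}

function Get-RpcDynamicPortRange {
    # Read the three values back so the change can be audited on every DC.
    if (-not (Test-Path $RpcInternetKey)) { return $null }
    $p = Get-ItemProperty -Path $RpcInternetKey
    [pscustomobject]@{
        Ports                  = $p.Ports
        PortsInternetAvailable = $p.PortsInternetAvailable
        UseInternetPorts       = $p.UseInternetPorts
        Configured             = [bool]($p.Ports -and $p.PortsInternetAvailable -eq 'Y' -and $p.UseInternetPorts -eq 'Y')
    }
}

function Test-RpcListenersInRange {
    # Run after the reboot: confirm TCP listeners have moved into the configured
    # range instead of the default dynamic range the firewall does not allow.
    param([Parameter(Mandatory)][int]$Start, [Parameter(Mandatory)][int]$End)
    $ports = netstat -ano -p tcp | ForEach-Object {
        if ("$_" -match ':(\d+)\s+\S+\s+LISTENING\s+\d+') { [int]$Matches[1] }
    }
    $inRange = @($ports | Where-Object { $_ -ge $Start -and $_ -le $End } | Sort-Object -Unique)
    [pscustomobject]@{ ListeningInRange = $inRange; Count = $inRange.Count }
}

# Usage: apply the range from the thread, show what was written, then reboot.
Set-RpcDynamicPortRange -Start 5000 -End 5200 -Verbose
Get-RpcDynamicPortRange
# After the reboot, on each DC:
# Test-RpcListenersInRange -Start 5000 -End 5200
```

The firewall rule then needs TCP 135 (endpoint mapper) plus TCP 5000-5200 from the workstation subnets to all three DCs; a range that is too small for the services the DC runs will cause RPC bind failures, so check the post-reboot listener count before narrowing further.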
Closed, 275 points refunded.
Community Support Moderator
