Solved

Domain Controller Not Authenticating Users, etc.

Posted on 2008-10-21
Last Modified: 2008-10-27
We have a domain controller at our site that does not seem to be doing its implied job. There are two DCs on site, an older Compaq Proliant running Windows 2000 (named C-BDC) and a newer Dell PowerEdge 2850 running Windows 2003 (named G-BDC). We would very much like to get the 2K server out of the mix so that we can elevate to native 2k3 operation, but if C-BDC goes down, our users cannot log in, etc.

While investigating this, I ran the dcdiag tool against G-BDC, and got the following two errors:

Testing server: Corning\G-BDC
      Starting test: Connectivity
         The host 5b5d2ee3-c7b9-4d43-9213-d6147006f6c8._msdcs.ladarling.com could not be resolved to an IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (5b5d2ee3-c7b9-4d43-9213-d6147006f6c8._msdcs.ladarling.com) couldn't  be resolved, the server name (G-BDC.ladarling.com) resolved to the IP address (10.2.1.125) and was pingable.  Check that the IP address is registered correctly with the DNS server.
         ......................... G-BDC failed test Connectivity

Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         ......................... ladarling.com failed test FsmoCheck

I don't know if this is directly related to our problem, or if it's just symptomatic of some larger problem.

To provide some background, all of the AD roles (infrastructure master, GC, PDC emulator) are on an offsite machine at a sister company. Our network is operating O.K. in general, but this issue makes me think that there is some more sinister problem, possibly network wide. I have read, for instance, that IM and GC roles should not be on the same server, which is what our domain has now. I just don't have enough AD experience to judge what is making this one server freak out.

As for me, I am a programmer by training, so the network side of the house is a learn-as-I-go situation. Obviously, I don't want to even worry about mothballing the Compaq if I can't get this Dell DC to stand up correctly. Any help would be greatly appreciated.
Question by:ladarling
9 Comments
 
LVL 7

Expert Comment

by:Mikealcl
ID: 22770928
I think you just need another global catalog (or add that role to your 2nd DC)?

IM and GC, I believe, are only required to be separated when you get into multiple domain situations.  I think with a single domain you're fine.


0
 
LVL 4

Assisted Solution

by:Dimarc67
Dimarc67 earned 150 total points
ID: 22770933
While Microsoft's Best Practices recommend keeping the Infrastructure Master and Global Catalog on separate DCs, it's not overly troublesome for them to be together.

With that said, are either (or both) of your Win2000 and Win2003 DCs set as Global Catalogs?

Dimarc67
New York, NY
0
 
LVL 11

Author Comment

by:ladarling
ID: 22771027
With that said, are either (or both) of your Win2000 and Win2003 DCs set as Global Catalogs?

No. There is only the one throughout the domain, which does not seem right since between the 4 sites we have 5 DCs and around 20 member servers.
What is really bugging me is that the local Windows 2000 server seems to be the go-to server for all of the devices at our site (approx. 200 workstations, and numerous other network devices). If C-BDC is down (which is becoming more frequent of late), they don't 'see' G-BDC. Why would that be the case?
0
 
LVL 7

Assisted Solution

by:Mikealcl
Mikealcl earned 300 total points
ID: 22771082
I don't think you can locate a login server without a global catalog available.

"Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355"

"Users in the site belong to a Windows 2000 domain running in native mode. In this case, all users must obtain universal group membership information from a global catalog server. If a global catalog is not located within the same site all logon requests must be routed over your WAN connection to a global catalog located in another site."

http://technet.microsoft.com/en-us/library/cc737290.aspx


0
 
LVL 4

Expert Comment

by:Dimarc67
ID: 22771208
In a Windows network, it is STRONGLY recommended to have a Global Catalog in each remote site.  This allows all machines and users local to the GC to have immediate access to resources without relying on the WAN.  There shouldn't be any issue with making your Win2003 DC a GC in your current topology.
0
 
LVL 11

Author Comment

by:ladarling
ID: 22771450
So the workstations are reaching the GC via C-BDC over the WAN? I mean, if that's not the case, why are the workstations not running login scripts or accessing the proxy server when C-BDC is offline? G-BDC runs the proxy software, and the workstations don't connect to it if C-BDC is down. Very annoying, to say the least.
I'm not seeing how that 2K server is so tangled up in this mess. What do you guys think the implications of me creating a local GC on the 2k3 server would be in that regard (removing dependence on that 2K machine, that is)?
 
0
 
LVL 4

Expert Comment

by:Dimarc67
ID: 22771520
I think it's a good idea.  Depending on the speed and topological distance to the offsite GC, you could see a noticeable improvement in certain areas of system response.
0
 
LVL 11

Assisted Solution

by:AnthonyP9618
AnthonyP9618 earned 50 total points
ID: 22773056
Your workstations HAVE to find a GC server to authenticate a logon (unless you're using Universal groups and the like).  I would make both the G-BDC and C-BDC DCs GC servers and do a migration to upgrade that Win2K DC to a Win2K3 and flip to native mode.
0
 
LVL 11

Accepted Solution

by:
ladarling earned 0 total points
ID: 22778544
Just for the posterity of this question, I will explain what I found (after much digging):
G-BDC is the newest addition of the DC servers on the network; it was initially set up as an application server only (IIS), and then later promoted to DC. However, the TCP/IP settings were still pointing to other servers for DNS. I changed the settings to look at itself, not really expecting that to be the problem. After a few replication cycles, however, 'dcdiag' passes *ALL* tests, and I can see that the GC and PDC operation masters correctly display in the Operations Masters task in ADUC. Sweet.
But, I agree with you guys that our site needs to have a GC, so I am going to hook that up ASAP. My next task will then be to monitor workstation activity against the server to see if it's being used when C-BDC is down. Stay tuned, I will most likely be back with new and interesting problems (if my history with this machine is any indication). Thanks to all for your help.
0
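
Added example (not part of the original thread): a Python sketch that turns the dcdiag output from the question into the DNS lookups worth repeating against each DNS server the DC's network settings point at, which is where the accepted answer found the fault. It assumes a single-domain forest, so the GC and PDC locator records share the name ladarling.com; `triage` and `nslookup_commands` are hypothetical helper names.

```python
import re

# dcdiag excerpt copied from the question above, trimmed to the lines that matter.
SAMPLE = """\
Testing server: Corning\\G-BDC
      Starting test: Connectivity
         The host 5b5d2ee3-c7b9-4d43-9213-d6147006f6c8._msdcs.ladarling.com could not be resolved to an IP address.
         ......................... G-BDC failed test Connectivity
Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         ......................... ladarling.com failed test FsmoCheck
"""

GUID_HOST = re.compile(r"The host ([0-9a-f-]{36})\._msdcs\.(\S+) could not be resolved", re.I)
LOCATOR = re.compile(r"DcGetDcName\((\w+)\) call failed, error (\d+)")
FAILED = re.compile(r"\.{5,} (\S+) failed test (\w+)")

# DC locator flag -> SRV record the locator looks up in DNS ({d} = DNS domain name).
SRV_FOR_FLAG = {
    "GC_SERVER_REQUIRED": "_ldap._tcp.gc._msdcs.{d}",
    "PDC_REQUIRED": "_ldap._tcp.pdc._msdcs.{d}",
}

def triage(text):
    """Return (failed_tests, [(record_type, name), ...]) from dcdiag output."""
    failed, records, flags, domain = [], [], [], None
    for line in text.splitlines():
        if m := GUID_HOST.search(line):
            domain = m.group(2)  # suffix of the DC's GUID-based CNAME
            records.append(("CNAME", f"{m.group(1)}._msdcs.{domain}"))
        elif m := LOCATOR.search(line):
            # 1355 = ERROR_NO_SUCH_DOMAIN: the locator found no DC of that kind
            if m.group(2) == "1355" and m.group(1) in SRV_FOR_FLAG:
                flags.append(m.group(1))
        elif m := FAILED.search(line):
            failed.append(m.group(2))
            if m.group(2) == "FsmoCheck":
                domain = domain or m.group(1)  # enterprise test names the forest
    if domain:  # assumption: single-domain forest, one name for all records
        records += [("SRV", SRV_FOR_FLAG[f].format(d=domain)) for f in flags]
    return failed, records

def nslookup_commands(records, dns_server):
    """One nslookup per record, aimed at a specific DNS server."""
    return [f"nslookup -type={t} {name} {dns_server}" for t, name in records]

if __name__ == "__main__":
    failed_tests, to_check = triage(SAMPLE)
    print("failed:", ", ".join(failed_tests))
    # 10.2.1.125 is G-BDC's own address as reported by dcdiag in the question.
    print("\n".join(nslookup_commands(to_check, "10.2.1.125")))
```

Running the same lookups against every DNS server listed in the DC's TCP/IP settings shows which of them cannot answer for the `_msdcs` zone.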

Question has a verified solution.
