Solved

Domain Controller Not Authenticating Users, etc.

Posted on 2008-10-21
9
744 Views
Last Modified: 2008-10-27
We have a domain controller at our site that does not seem to be doing its implied job. There are two DCs on site, an older Compaq Proliant running Windows 2000 (named C-BDC) and a newer Dell PowerEdge 2850 running Windows 2003 (named G-BDC). We would very much like to get the 2K server out of the mix so that we can elevate to native 2k3 operation, but if C-BDC goes down, our users cannot log in, etc.

While investigating this, I ran the dcdiag tool against G-BDC, and got the following two errors:

Testing server: Corning\G-BDC
      Starting test: Connectivity
         The host 5b5d2ee3-c7b9-4d43-9213-d6147006f6c8._msdcs.ladarling.com could not be resolved to an IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (5b5d2ee3-c7b9-4d43-9213-d6147006f6c8._msdcs.ladarling.com) couldn't  be resolved, the server name (G-BDC.ladarling.com) resolved to the IP address (10.2.1.125) and was pingable.  Check that the IP address is registered correctly with the DNS server.
         ......................... G-BDC failed test Connectivity

Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         ......................... ladarling.com failed test FsmoCheck

I don't know if this is directly related to our problem, or if it's just symptomatic of some larger problem.

To provide some background, all of the AD roles (infrastructure master, GC, PDC emulator) are on an offsite machine at a sister company. Our network is operating O.K. in general, but this issue makes me think that there is some more sinister problem, possibly network wide. I have read, for instance, that IM and GC roles should not be on the same server, which is what our domain has now. I just don't have enough AD experience to judge what is making this one server freak out.

As for me, I am a programmer by training, so the network side of the house is a learn-as-I-go situation. Obviously, I don't want to even worry about mothballing the Compaq if I can't get this Dell DC to stand up correctly. Any help would be greatly appreciated.
9 Comments
 
LVL 7

Expert Comment

by:Mikealcl
I think you just need another global catalog (or add that role to your 2nd DC)?

IM and GC, I believe, are only required to be separated when you get into multiple domain situations.  I think with a single domain you're fine.


0
 
LVL 4

Assisted Solution

by:Dimarc67
Dimarc67 earned 150 total points
While Microsoft's Best Practices recommend keeping the Infrastructure Master and Global Catalog on separate DCs, it's not overly troublesome for them to be together.

With that said, are either (or both) of your Win2000 and Win2003 DCs set as Global Catalogs?

Dimarc67
New York, NY
0
 
LVL 11

Author Comment

by:ladarling
With that said, are either (or both) of your Win2000 and Win2003 DCs set as Global Catalogs?

No. There is only the one throughout the domain, which does not seem right since between the 4 sites we have 5 DCs and around 20 member servers.
What is really bugging me is that the local Windows 2000 server seems to be the go-to server for all of the devices at our site (approx. 200 workstations, and numerous other network devices). If C-BDC is down (which is becoming more frequent of late), they don't 'see' G-BDC. Why would that be the case?
0
 
LVL 7

Assisted Solution

by:Mikealcl
Mikealcl earned 300 total points
I don't think you can locate a login server without a global catalog available.

"Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355"

"Users in the site belong to a Windows 2000 domain running in native mode. In this case, all users must obtain universal group membership information from a global catalog server. If a global catalog is not located within the same site all logon requests must be routed over your WAN connection to a global catalog located in another site."

http://technet.microsoft.com/en-us/library/cc737290.aspx


0
 
LVL 4

Expert Comment

by:Dimarc67
In a Windows network, it is STRONGLY recommended to have a Global Catalog in each remote site.  This allows all machines and users local to the GC to have immediate access to resources without relying on the WAN.  There shouldn't be any issue with making your Win2003 DC a GC in your current topology.
0
 
LVL 11

Author Comment

by:ladarling
So the workstations are reaching the GC via C-BDC over the WAN? I mean, if that's not the case, why are the workstations not running login scripts or accessing the proxy server when C-BDC is offline? G-BDC runs the proxy software, and the workstations don't connect to it if C-BDC is down. Very annoying, to say the least.
I'm not seeing how that 2K server is so tangled up in this mess. What do you guys think the implications of me creating a local GC on the 2k3 server would be in that regard (removing dependence on that 2K machine, that is)?
0
 
LVL 4

Expert Comment

by:Dimarc67
I think it's a good idea.  Depending on the speed and topological distance to the offsite GC, you could see a noticeable improvement in certain areas of system response.
0
 
LVL 11

Assisted Solution

by:AnthonyP9618
AnthonyP9618 earned 50 total points
Your workstations HAVE to find a GC server to authenticate a logon (unless you're using Universal groups and the like).  I would make both the G-BDC and C-BDC DCs GC servers and do a migration to upgrade that Win2K DC to Win2K3 and flip to native mode.
0
 
LVL 11

Accepted Solution

by:ladarling
ladarling earned 0 total points
Just for the posterity of this question, I will explain what I found (after much digging):
G-BDC is the newest addition of the DC servers on the network; it was initially set up as an application server only (IIS), and then later promoted to DC. However, the TCP/IP settings were still pointing to other servers for DNS. I changed the settings to look at itself, not really expecting that to be the problem. After a few replication cycles, however, 'dcdiag' passes *ALL* tests, and I can see that the GC and PDC operation masters correctly display in the Operations Masters task in ADUC. Sweet.
But, I agree with you guys that our site needs to have a GC, so I am going to hook that up ASAP. My next task will then be to monitor workstation activity against the server to see if it's being used when C-BDC is down. Stay tuned, I will most likely be back with new and interesting problems (if my history with this machine is any indication). Thanks to all for your help.
0
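The two things this thread ended up turning on, a DC whose own DNS client pointed at the wrong servers (so the GUID CNAME under _msdcs that dcdiag's Connectivity test looks up could not be resolved) and a site with no Global Catalog, can both be checked from one script. The script below is an added example, not something posted in the thread and not a Microsoft tool. It assumes a current Windows Server DC with the ActiveDirectory RSAT module and the DnsClient module (Windows Server 2012 or later), so it would not run as written on the Windows 2000/2003 machines in the question; on those, the equivalents are ipconfig /all for the DNS client settings and nslookup -type=CNAME for the GUID record. The names G-BDC and ladarling.com appear only in comments for orientation.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the DC being checked, e.g. a server in the role G-BDC had.
# Assumes: ActiveDirectory module (RSAT) and DnsClient module are present.

Import-Module ActiveDirectory

# --- 1. Does this DC's own DNS client point at domain controllers? ---------
# A server promoted to DC after living as an application server can keep the
# DNS servers it was given before promotion, which is what the thread found.
$dcIps = (Get-ADDomainController -Filter *).IPv4Address

foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4) {
    if ($nic.ServerAddresses.Count -eq 0) { continue }
    foreach ($srv in $nic.ServerAddresses) {
        $isDc = $dcIps -contains $srv
        "{0,-28} DNS server {1,-15} is a DC: {2}" -f $nic.InterfaceAlias, $srv, $isDc
    }
}

# --- 2. Does the GUID-based CNAME dcdiag's Connectivity test uses resolve? -
# The record is <NTDS Settings objectGUID>._msdcs.<forest root domain>,
# e.g. 5b5d2ee3-....._msdcs.ladarling.com in the question.
$forestRoot = (Get-ADForest).RootDomain
$thisDc     = Get-ADDomainController -Identity $env:COMPUTERNAME
$dsaGuid    = (Get-ADObject -Identity $thisDc.NTDSSettingsObjectDN -Properties objectGUID).ObjectGUID
$guidName   = "$dsaGuid._msdcs.$forestRoot"

try {
    $cname = Resolve-DnsName -Name $guidName -Type CNAME -ErrorAction Stop
    "OK    $guidName -> $($cname.NameHost)"
} catch {
    "FAIL  $guidName did not resolve: $($_.Exception.Message)"
}

# --- 3. Which sites actually have a Global Catalog, and where the FSMO roles sit
# Every site that authenticates users should show at least one IsGlobalCatalog = True.
Get-ADDomainController -Filter * |
    Sort-Object Site, Name |
    Format-Table Name, Site, IsGlobalCatalog, OperationMasterRoles -AutoSize
```

Read the output top down: if step 1 lists a DNS server that is not a DC, fix the NIC settings first, since steps 2 and 3 depend on AD-integrated DNS being reachable; a FAIL in step 2 after the settings are correct usually means the DC has not yet re-registered its records (the thread's author saw it clear after a few replication cycles); and a site with no True in step 3 is the condition the experts in this thread warned about, where every logon must reach a GC across the WAN.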