Solved

Domain Controller Not Authenticating Users, etc.

Posted on 2008-10-21
9
751 Views
Last Modified: 2008-10-27
We have a domain controller at our site that does not seem to be doing its implied job. There are two DCs on site, an older Compaq Proliant running Windows 2000 (named C-BDC) and a newer Dell PowerEdge 2850 running Windows 2003 (named G-BDC). We would very much like to get the 2K server out of the mix so that we can elevate to native 2k3 operation, but if C-BDC goes down, our users cannot log in, etc.

While investigating this, I ran the dcdiag tool against G-BDC, and got the following two errors:

Testing server: Corning\G-BDC
      Starting test: Connectivity
         The host 5b5d2ee3-c7b9-4d43-9213-d6147006f6c8._msdcs.ladarling.com could not be resolved to an IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (5b5d2ee3-c7b9-4d43-9213-d6147006f6c8._msdcs.ladarling.com) couldn't  be resolved, the server name (G-BDC.ladarling.com) resolved to the IP address (10.2.1.125) and was pingable.  Check that the IP address is registered correctly with the DNS server.
         ......................... G-BDC failed test Connectivity

Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         ......................... ladarling.com failed test FsmoCheck

I don't know if this is directly related to our problem, or if it's just symptomatic of some larger problem.

To provide some background, all of the AD roles (infrastructure master, GC, PDC emulator) are on an offsite machine at a sister company. Our network is operating O.K. in general, but this issue makes me think that there is some more sinister problem, possibly network wide. I have read, for instance, that IM and GC roles should not be on the same server, which is what our domain has now. I just don't have enough AD experience to judge what is making this one server freak out.

As for me, I am a programmer by training, so the network side of the house is a learn-as-I-go situation. Obviously, I don't want to even worry about mothballing the Compaq if I can't get this Dell DC to stand up correctly. Any help would be greatly appreciated.
0
Comment
Question by:ladarling
9 Comments
 
LVL 7

Expert Comment

by:Mikealcl
ID: 22770928
I think you just need another global catalog (or add that role to your 2nd DC)?

I believe IM and GC are only required to be separated when you get into multiple domain situations.  I think with a single domain you're fine.


0
 
LVL 4

Assisted Solution

by:Dimarc67
Dimarc67 earned 150 total points
ID: 22770933
While Microsoft's Best Practices recommend keeping the Infrastructure Master and Global Catalog on separate DCs, it's not overly troublesome for them to be together.

With that said, are either (or both) of your Win2000 and Win2003 DCs set as Global Catalogs?

Dimarc67
New York, NY
0
 
LVL 11

Author Comment

by:ladarling
ID: 22771027
With that said, are either (or both) of your Win2000 and Win2003 DCs set as Global Catalogs?

No. There is only the one throughout the domain, which does not seem right since between the 4 sites we have 5 DCs and around 20 member servers.
What is really bugging me is that the local Windows 2000 server seems to be the go-to server for all of the devices at our site (approx. 200 workstations, and numerous other network devices). If C-BDC is down (which is becoming more frequent of late), they don't 'see' G-BDC. Why would that be the case?
0
 
LVL 7

Assisted Solution

by:Mikealcl
Mikealcl earned 300 total points
ID: 22771082
I don't think you can locate a login server without a global catalog available.

"Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355"

"Users in the site belong to a Windows 2000 domain running in native mode. In this case, all users must obtain universal group membership information from a global catalog server. If a global catalog is not located within the same site all logon requests must be routed over your WAN connection to a global catalog located in another site."

http://technet.microsoft.com/en-us/library/cc737290.aspx


0
 
LVL 4

Expert Comment

by:Dimarc67
ID: 22771208
In a Windows network, it is STRONGLY recommended to have a Global Catalog in each remote site.  This allows all machines and users local to the GC to have immediate access to resources without relying on the WAN.  There shouldn't be any issue with making your Win2003 DC a GC in your current topology.
0
 
LVL 11

Author Comment

by:ladarling
ID: 22771450
So the workstations are reaching the GC via C-BDC over the WAN? I mean, if that's not the case, why are the workstations not running login scripts or accessing the proxy server when C-BDC is offline? G-BDC runs the proxy software, and the workstations don't connect to it if C-BDC is down. Very annoying, to say the least.
I'm not seeing how that 2K server is so tangled up in this mess. What do you guys think the implications of me creating a local GC on the 2k3 server would be in that regard (removing dependence on that 2K machine, that is)?
 
0
 
LVL 4

Expert Comment

by:Dimarc67
ID: 22771520
I think it's a good idea.  Depending on the speed and topological distance to the offsite GC, you could see a noticeable improvement in certain areas of system response.
0
 
LVL 11

Assisted Solution

by:AnthonyP9618
AnthonyP9618 earned 50 total points
ID: 22773056
Your workstations HAVE to find a GC server to authenticate a logon (unless you're using Universal groups and the like).  I would make both the G-BDC and C-BDC DCs GC servers and do a migration to upgrade that Win2K DC to a Win2K3 and flip to native mode.
0
 
LVL 11

Accepted Solution

by:ladarling
ladarling earned 0 total points
ID: 22778544
Just for the posterity of this question, I will explain what I found (after much digging):
G-BDC is the newest addition of the DC servers on the network; it was initially set up as an application server only (IIS), and then later promoted to DC. However, the TCP/IP settings were still pointing to other servers for DNS. I changed the settings to look at itself, not really expecting that to be the problem. After a few replication cycles, however, 'dcdiag' passes *ALL* tests, and I can see that the GC and PDC operation masters correctly display in the Operations Masters task in ADUC. Sweet.
But, I agree with you guys that our site needs to have a GC, so I am going to hook that up ASAP. My next task will then be to monitor workstation activity against the server to see if it's being used when C-BDC is down. Stay tuned, I will most likely be back with new and interesting problems (if my history with this machine is any indication). Thanks to all for your help.
0
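The two things this thread turned on, a DC whose resolver does not point at a DNS server hosting the `_msdcs` zone (the Connectivity failure) and the absence of a site-local GC (the FsmoCheck warning and the WAN-dependent logons), can both be checked from the DC itself. The script below is an added example, not from the thread or from any Microsoft tool; it assumes a Windows Server 2012 or later DC with the DnsClient cmdlets and the RSAT ActiveDirectory module, and the domain, DC and site names default to the values quoted in the question.

```powershell
# Added example: verify the DNS client settings and _msdcs records that dcdiag
# reported on. Defaults are the names from the question (ladarling.com, G-BDC,
# site Corning); pass your own values as parameters.
param(
    [string]$Domain   = 'ladarling.com',
    [string]$DcName   = 'G-BDC',
    [string]$SiteName = 'Corning'
)

Import-Module ActiveDirectory

# 1. Which DNS servers does this DC's TCP/IP stack query? If none of them hosts
#    (or forwards to) the _msdcs.<domain> zone, the GUID CNAME below fails to
#    resolve exactly as in the Connectivity test in the question.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses
Write-Host "DNS client servers in use: $($dnsServers -join ', ')"

# 2. Resolve the DC's DSA GUID CNAME (<objectGUID of NTDS Settings>._msdcs.<domain>).
#    Replication partners locate this DC through that record.
$dc       = Get-ADDomainController -Identity $DcName
$ntds     = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
$guidName = "$($ntds.objectGUID)._msdcs.$Domain"
try {
    $cname = Resolve-DnsName -Name $guidName -Type CNAME -ErrorAction Stop
    Write-Host "OK: $guidName -> $($cname.NameHost)"
} catch {
    Write-Warning "FAIL: $guidName did not resolve. Point the DC's DNS client at a server hosting _msdcs.$Domain (the thread's fix was the DC itself), then re-run dcdiag."
}

# 3. Is a GC advertised for this site? In a native-mode domain clients need a GC
#    for universal group membership at logon; with no site-local record every
#    logon depends on the WAN, which is the behaviour described in the thread.
$gcSrv = "_ldap._tcp.$SiteName._sites.gc._msdcs.$Domain"
try {
    Resolve-DnsName -Name $gcSrv -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { Write-Host "GC for site ${SiteName}: $($_.NameTarget):$($_.Port)" }
} catch {
    Write-Warning "No GC SRV record at $gcSrv; logons from $SiteName are served by a GC in another site."
}
```

Run it on the DC after any DNS client change and again after replication has had time to register the records; the Connectivity error should clear before the GC check is worth acting on.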
