Solved

Domain Controller Not Authenticating Users, etc.

Posted on 2008-10-21
Last Modified: 2008-10-27
We have a domain controller at our site that does not seem to be doing its implied job. There are two DCs on site, an older Compaq Proliant running Windows 2000 (named C-BDC) and a newer Dell PowerEdge 2850 running Windows 2003 (named G-BDC). We would very much like to get the 2K server out of the mix so that we can elevate to native 2k3 operation, but if C-BDC goes down, our users cannot log in, etc.

While investigating this, I ran the dcdiag tool against G-BDC, and got the following two errors:

Testing server: Corning\G-BDC
      Starting test: Connectivity
         The host 5b5d2ee3-c7b9-4d43-9213-d6147006f6c8._msdcs.ladarling.com could not be resolved to an IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (5b5d2ee3-c7b9-4d43-9213-d6147006f6c8._msdcs.ladarling.com) couldn't  be resolved, the server name (G-BDC.ladarling.com) resolved to the IP address (10.2.1.125) and was pingable.  Check that the IP address is registered correctly with the DNS server.
         ......................... G-BDC failed test Connectivity

Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         ......................... ladarling.com failed test FsmoCheck

I don't know if this is directly related to our problem, or if it's just symptomatic of some larger problem.

To provide some background, all of the AD roles (infrastructure master, GC, PDC emulator) are on an offsite machine at a sister company. Our network is operating O.K. in general, but this issue makes me think that there is some more sinister problem, possibly network wide. I have read, for instance, that IM and GC roles should not be on the same server, which is what our domain has now. I just don't have enough AD experience to judge what is making this one server freak out.

As for me, I am a programmer by training, so the network side of the house is a learn-as-I-go situation. Obviously, I don't want to even worry about mothballing the Compaq if I can't get this Dell DC to stand up correctly. Any help would be greatly appreciated.
Question by:ladarling
9 Comments
 
LVL 7

Expert Comment

by:Mikealcl
ID: 22770928
I think you just need another global catalog (or add that role to your 2nd DC)?

IM and GC, I believe, are only required to be separated when you get into multiple-domain situations.  I think with a single domain you're fine.


0
 
LVL 4

Assisted Solution

by:Dimarc67
Dimarc67 earned 600 total points
ID: 22770933
While Microsoft's Best Practices recommend keeping the Infrastructure Master and Global Catalog on separate DCs, it's not overly troublesome for them to be together.

With that said, are either (or both) of your Win2000 and Win2003 DCs set as Global Catalogs?

Dimarc67
New York, NY
0
 
LVL 11

Author Comment

by:ladarling
ID: 22771027
"With that said, are either (or both) of your Win2000 and Win2003 DCs set as Global Catalogs?"

No. There is only the one throughout the domain, which does not seem right since between the 4 sites we have 5 DCs and around 20 member servers.
What is really bugging me is that the local Windows 2000 server seems to be the go-to server for all of the devices at our site (approx. 200 workstations, and numerous other network devices). If C-BDC is down (which is becoming more frequent of late), they don't 'see' G-BDC. Why would that be the case?
0
 
LVL 7

Assisted Solution

by:Mikealcl
Mikealcl earned 1200 total points
ID: 22771082
I don't think you can locate a login server without a global catalog available.

"Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355"

"Users in the site belong to a Windows 2000 domain running in native mode. In this case, all users must obtain universal group membership information from a global catalog server. If a global catalog is not located within the same site all logon requests must be routed over your WAN connection to a global catalog located in another site."

http://technet.microsoft.com/en-us/library/cc737290.aspx


0
 
LVL 4

Expert Comment

by:Dimarc67
ID: 22771208
In a Windows network, it is STRONGLY recommended to have a Global Catalog in each remote site.  This allows all machines and users local to the GC to have immediate access to resources without relying on the WAN.  There shouldn't be any issue with making your Win2003 DC a GC in your current topology.
0
 
LVL 11

Author Comment

by:ladarling
ID: 22771450
So the workstations are reaching the GC via C-BDC over the WAN? I mean, if that's not the case, why are the workstations not running login scripts or accessing the proxy server when C-BDC is offline? G-BDC runs the proxy software, and the workstations don't connect to it if C-BDC is down. Very annoying, to say the least.
I'm not seeing how that 2K server is so tangled up in this mess. What do you guys think the implications of me creating a local GC on the 2k3 server would be in that regard (removing dependence on that 2K machine, that is)?
 
0
 
LVL 4

Expert Comment

by:Dimarc67
ID: 22771520
I think it's a good idea.  Depending on the speed and topological distance to the offsite GC, you could see a noticeable improvement in certain areas of system response.
0
 
LVL 11

Assisted Solution

by:AnthonyP9618
AnthonyP9618 earned 200 total points
ID: 22773056
Your workstations HAVE to find a GC server to authenticate a logon (unless you're using Universal groups and the like).  I would make the G-BDC and C-BDC DCs both GC servers and do a migration to upgrade that Win2K DC to Win2K3 and flip to native mode.
0
 
LVL 11

Accepted Solution

by:
ladarling earned 0 total points
ID: 22778544
Just for the posterity of this question, I will explain what I found (after much digging):
G-BDC is the newest addition to the DC servers on the network. It was initially set up as an application server only (IIS), and then later promoted to DC. However, the TCP/IP settings were still pointing to other servers for DNS. I changed the settings to look at itself, not really expecting that to be the problem. After a few replication cycles, however, 'dcdiag' passes *ALL* tests, and I can see that the GC and PDC operation masters correctly display in the Operations Masters task in ADUC. Sweet.
But, I agree with you guys that our site needs to have a GC, so I am going to hook that up ASAP. My next task will then be to monitor workstation activity against the server to see if it's being used when C-BDC is down. Stay tuned, I will most likely be back with new and interesting problems (if my history with this machine is any indication). Thanks to all for your help.
0
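
The DNS checks behind the accepted answer, as an added example that is not part of the original thread: a command sequence that looks up the records the two failed dcdiag tests depend on, then re-registers and re-tests after the DC's DNS client settings have been corrected. It assumes it is run in a command prompt on G-BDC with the Windows Support Tools (dcdiag, nltest) installed; the domain, server name and GUID are the ones shown in the dcdiag output in the question.

```batch
@echo off
rem Added example, not from the original thread. Run on the DC under test.
rem Assumption: Windows Support Tools (dcdiag, nltest) are installed.
rem DOMAIN, DC and DCGUID are copied from the dcdiag output in the question.
set DOMAIN=ladarling.com
set DC=G-BDC
set DCGUID=5b5d2ee3-c7b9-4d43-9213-d6147006f6c8

rem 1. Show which DNS servers this DC's own resolver is configured to use.
rem    A DC that queries a DNS server without the AD zone cannot find
rem    its own _msdcs records.
ipconfig /all

rem 2. The GUID-based CNAME that the Connectivity test could not resolve.
nslookup -type=CNAME %DCGUID%._msdcs.%DOMAIN%

rem 3. The SRV records the DC locator uses to find a GC and the PDC emulator.
nslookup -type=SRV _ldap._tcp.gc._msdcs.%DOMAIN%
nslookup -type=SRV _ldap._tcp.pdc._msdcs.%DOMAIN%

rem 4. The same locator requests that FsmoCheck reported as failing
rem    (GC_SERVER_REQUIRED and PDC_REQUIRED). Error 1355 is
rem    ERROR_NO_SUCH_DOMAIN: no matching DC could be located.
nltest /dsgetdc:%DOMAIN% /gc
nltest /dsgetdc:%DOMAIN% /pdc

rem 5. After the DNS client settings have been corrected, re-register the
rem    host (A) record, then restart Netlogon so it re-registers the DC's
rem    SRV and GUID CNAME records.
ipconfig /registerdns
net stop netlogon
net start netlogon

rem 6. Re-run the two tests that failed in the question.
dcdiag /s:%DC% /test:Connectivity
dcdiag /s:%DC% /test:FsmoCheck
```

If steps 2 to 4 fail against the configured DNS servers but succeed when nslookup is pointed at a DNS server hosting the domain's zone, the DC's resolver configuration is the problem rather than replication or the role holders themselves.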
