Biofilminc
asked on
One domain controller does not see the other.
I have 2 domain controllers, DC0 and DC1.
DC0 shows only itself in Active Directory. Also DC0 shows that it is has the RID, PDC and Infrastructure roles in AD.
DC0 is getting the error...
Event ID: 22
The time provider NtpServer encountered an error while digitally signing the NTP response for peer 192.168.1.12:123. NtpServer cannot provide secure (signed) time to the client and will ignore the request. The error was: The specified user does not exist. (0x80070525)
DC1 shows both domain controllers in AD. DC1 also thinks it has the Infrastructure role.
DC1 is getting the error....
Event ID:
Time Provider NtpClient: The response received from domain controller dc0l has a bad signature. The response may have been tampered with and will be ignored.
I have a user that I can not join to the domain. I forget the exact error at the moment but was something to do with "allocating a relative identifier".
What would be the best plan of action to fix the problem. If I demoted DC1 and re promoted it again would that fix the issues? Would I loose any data in AD or loose my permissions on the shared folders on DC1?
If I demote DC1 will I be able to promote it back to a domain controller, even though I have a computer I can't join.
Any suggestions to help me on my way would help.
DC0 shows only itself in Active Directory. Also DC0 shows that it is has the RID, PDC and Infrastructure roles in AD.
DC0 is getting the error...
Event ID: 22
The time provider NtpServer encountered an error while digitally signing the NTP response for peer 192.168.1.12:123. NtpServer cannot provide secure (signed) time to the client and will ignore the request. The error was: The specified user does not exist. (0x80070525)
DC1 shows both domain controllers in AD. DC1 also thinks it has the Infrastructure role.
DC1 is getting the error....
Event ID:
Time Provider NtpClient: The response received from domain controller dc0l has a bad signature. The response may have been tampered with and will be ignored.
I have a user that I can not join to the domain. I forget the exact error at the moment but was something to do with "allocating a relative identifier".
What would be the best plan of action to fix the problem. If I demoted DC1 and re promoted it again would that fix the issues? Would I loose any data in AD or loose my permissions on the shared folders on DC1?
If I demote DC1 will I be able to promote it back to a domain controller, even though I have a computer I can't join.
Any suggestions to help me on my way would help.
There is no problem demote and promote a DC.
Before you do that, you may want to verify the DNS is configured probably. As long as there's no firewall in between these two DCs, the first thing you need to check is DNS.
Assuming you are using Windows DNS and Active Directory Integrated Zone(ADIZ), you want to have DNS services installed on both DCs. Make sure you have Name Server(NS) shows both DCs in the DNS. Make sure both Host records appears DNS forward zone. Make sure the Reverse Zone also configured. If you don't see one DC, just install DNS on the missing DC and configure it the same way as the other DC. If they are configured properly, then both DNS will replicate any record you create in one DNS to the other DNS. But the host and Name Server record must present first. If not, you can manually register it with IPCONFIG or simply restart the NetLogon Services on your DCs.
Before you do that, you may want to verify the DNS is configured probably. As long as there's no firewall in between these two DCs, the first thing you need to check is DNS.
Assuming you are using Windows DNS and Active Directory Integrated Zone(ADIZ), you want to have DNS services installed on both DCs. Make sure you have Name Server(NS) shows both DCs in the DNS. Make sure both Host records appears DNS forward zone. Make sure the Reverse Zone also configured. If you don't see one DC, just install DNS on the missing DC and configure it the same way as the other DC. If they are configured properly, then both DNS will replicate any record you create in one DNS to the other DNS. But the host and Name Server record must present first. If not, you can manually register it with IPCONFIG or simply restart the NetLogon Services on your DCs.
ASKER
I have the windows firewall disabled on both. Both are in same server room on 192.168.1.x network.
I can connect to DC1 from DC0 using \\dc1
and I can connect to DC0 from DC1 using \\dc0
I can connect to DC1 from DC0 using \\dc1
and I can connect to DC0 from DC1 using \\dc0
ASKER
Actually they look the same, at lest on the high level. My guess is if your domain name is Bioxxx.local then they both look the same. If you click on this zone, they the content of this zone should be the same from both DC0 and DC1 if it's actually the same and working. What's bothers me is the _msdcs.Bioxxx.local zone which should not be in parallel of Bioxxx.local as it already contain _msdcs under it. You may want to double check on the _msdcs.Bioxxx.local and see how is it configured, I'm hoping it is just manually created or replicated from somewhere. What is needed to be equal is the content of the forward zone Bioxxx.local and everything underneath. Make sure you have both Nameserver and host record there of your DC0 and DC1. You can verify if the replication is working both simply create a dumy host record in Dc0 and see if DC1 will get it replcated.
ASKER
I've been sick and had to put this problem on hold. I will do what Americom says shortly.
ASKER
If I create a record in either server it is not replicated. And DC1 has 71 records under biofilminc.local and DC0 has 70.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
are both the DCs at the same location or at different locations. Is the subnet the same. Are there any network related issues or any firewalls between the DCs
bhanu