  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 877
  • Last Modified:

Cannot access admin shares on a domain controller from another domain controller without entering credentials again

I have 2 domain controllers in the same LAN. The first domain controller (DC1) cannot access the admin shares (i.e. c$) on the other domain controller (DC2) without the domain credentials popping up. The DC2 does not get a credential popup when hitting DC 1.
I also see access denied errors on DC1 when trying to launch "Domain Controller Security Policy" and "Domain Security Policy".
I have searched the forums, but cannot determine what the issue is. No events are recorded in the Event Log.
towerdigital Asked:
1 Solution
 
Darius GhassemCommented:
Can you do a netdiag and then post the results? You aren't getting any errors in the Event log, right?
0
 
towerdigitalAuthor Commented:
Netdiag results:

    Computer Name: GEIDIPRIME
    DNS Host Name: geidiprime.towerdigital.ad
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 15 Model 3 Stepping 4, GenuineIntel
 
Netcard queries test . . . . . . . : Passed
    [WARNING] The net card 'RAS Async Adapter' may not be working because it has not received any packets.
    [WARNING] The net card 'SSL-VPN NetExtender Adapter' may not be working because it has not received any packets.

Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : geidiprime.towerdigital.ad
        IP Address . . . . . . . . : 10.2.0.100
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 10.2.0.1
        Dns Servers. . . . . . . . : 10.2.0.101
                                     10.2.0.100

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{703524EE-2254-417E-B311-5D6BE9AF4B5C}
    1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '10.2.0.101' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '10.2.0.100' and other DCs also have some of the names registered.

Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{703524EE-2254-417E-B311-5D6BE9AF4B5C}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{703524EE-2254-417E-B311-5D6BE9AF4B5C}
    The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Passed
    Secure channel for domain 'TOWERDIGITAL' is to '\\arrakis.towerdigital.ad'.

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped
0
 
Darius GhassemCommented:
Everything looks good. Are you logging into the servers with the same user? Are you sure there isn't anything in the Event Logs at all? Are you logging on the server as the domain or local?
0
 
towerdigitalAuthor Commented:
Yes, logging in as the Domain Admin. Since both are DC's, you can only log into the domain.
0
 
Darius GhassemCommented:
0
 
towerdigitalAuthor Commented:
Is this wise on a domain controller?
0
 
Darius GhassemCommented:
0
 
towerdigitalAuthor Commented:
Also, when I run an "nltest" on each domain controller, DC1 works fine and DC2 gives me the following error:

C:\>nltest /server:ARRAKIS /sc_query:towerdigital.ad
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
0
 
towerdigitalAuthor Commented:
I ran the "Netdom" tool and it had an error on DC2:

C:\Program Files\Support Tools>netdom resetpwd /s:GEIDIRPIME /ud:towerdigital\administrator /pd:*
Type the password associated with the domain user:

The machine account password for the local machine could not be reset.

The network path was not found.

The command failed to complete successfully.
0
 
Darius GhassemCommented:
Did you run the netdiag on the DC having trouble?
0
 
towerdigitalAuthor Commented:
NLTEST now works after resetting the machine passwords properly on the 2 DC's. I still have the original issue though. Here is the output from the following command:

C:\Program Files\Support Tools>REPADMIN /SHOWCONN ARRAKIS
Base DN: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=towerdigital,DC=ad
==== KCC CONNECTION OBJECTS ============================================
Connection --
    Connection name : 30472b15-6575-4b09-bdca-b8c452efbbc5
    Server DNS name : arrakis.towerdigital.ad
    Server DN  name : CN=NTDS Settings,CN=ARRAKIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=towerdigital,DC=ad
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.

Note that it fails due to access denied.
0
 
Darius GhassemCommented:
You are not getting any errors in the Event Logs? Usually this is because the server isn't connected to the domain or doesn't have the secure channel password. Run a netdiag then post for me
0
 
towerdigitalAuthor Commented:
Ran the secure channel reset using instructions from a colleague and got the issue to go away. Here are the proper instructions:


1. Open a command prompt on DC-1 (the one you restored AD to and that is acting up now) and type net stop kdc.
2. Then go to DC-2 (the domain controller that is working fine, that you didn't restore AD in authoritative mode to) and type net stop kdc.
3. Download the Windows Server 2003 Resource Kit Tools onto both servers.
4. Once installed, go to Start - Programs - Windows 2003 Resource Kit and open a command shell, type klist purge, then type y to each question it asks you. This will purge all tickets on both DC-1 and DC-2. Run it several times if necessary on both servers to ensure all tickets are purged.
5. On DC-2 at a command prompt, run netdom resetpwd /server:10.7.10.7 /userd:madd.org\administrator /password:* then press enter, enter the domain password, press enter (this will reset the password for the local machine) (10.7.10.7 is DC-2's IP address).
6. Repeat step 5 for DC-1 using its IP address of 10.7.10.6.
7. At the command prompt, net start kdc on DC-1, then on DC-2.
8. Go to AD Sites and Services and replicate both connections between the domain controllers.
9. At this time, while on the phone with Microsoft, DC-2 still errored when replicating to DC-1 in AD Sites and Services, so we restarted both of them at the same time.
10. Upon restart it still didn't work when replicating in AD Sites and Services, so on DC-2 we opened a command prompt and typed net stop kdc, then did the same on DC-1.
11. On DC-1, open a command shell from the Windows 2k3 Resource Kit install and type klist tickets; do the same on DC-2.
12. On DC-1, type klist purge in the command shell, then run netdom resetpwd /server:10.7.10.6 /userd:madd.org\administrator /password:* then press enter, enter the domain password, press enter.
13. Then run net start kdc on both DC-1 and DC-2.
14. On DC-1, in the command shell type klist tickets.
15. Issue resolved. Tested by opening AD Sites and Services, and replication occurs fine.
0
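The steps above (stop the KDC, purge tickets, reset the machine account password against the other DC, restart the KDC, force replication) collapsed into one script, as an added example that is not part of the original thread or the colleague's instructions. It uses the same tools the thread uses (nltest, klist, netdom, repadmin) and only their documented switches. Assumptions: it runs in an elevated PowerShell (Server 2008 R2 or later; on the 2003 DCs in the thread the same commands are typed by hand) on the DC whose channel is broken, as a Domain Admin; `-PartnerDc` is a healthy DC in the same domain (the defaults reuse the thread's towerdigital.ad / arrakis names); the function names and the `-Repair` switch are this example's own.

```powershell
# Added example: check a DC's secure channel and replication access, and optionally
# reset the machine account password the way the thread's procedure does.
# Run on the DC that is misbehaving; $PartnerDc must be a *different*, working DC
# (netdom resetpwd /s: may not point at the local machine).
param(
    [string]$Domain    = 'towerdigital.ad',              # from the thread
    [string]$PartnerDc = 'arrakis.towerdigital.ad',      # from the thread; assumed healthy
    [switch]$Repair                                      # this example's own switch
)

function Invoke-Native {
    # Run a native tool, merge stderr, and return plain text plus its exit code.
    param([string]$Exe, [string[]]$Arguments)
    $lines = (& $Exe @Arguments 2>&1) | ForEach-Object { "$_" }
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Text = ($lines -join "`n") }
}

function Test-DcSecureChannel {
    param([string]$Domain)
    # nltest /sc_query asks Netlogon which DC the channel is bound to and whether it works.
    # The thread's failing DC returned "I_NetLogonControl failed: Status = 1355 ... ERROR_NO_SUCH_DOMAIN".
    $r  = Invoke-Native nltest.exe @("/sc_query:$Domain")
    $dc = if ($r.Text -match 'Trusted DC Name\s+\\\\(\S+)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        Healthy   = ($r.ExitCode -eq 0) -and ($r.Text -match 'NERR_Success')
        TrustedDc = $dc
        Raw       = $r.Text
    }
}

function Test-DcReplicationAccess {
    param([string]$Dc)
    # repadmin reports 8453 "Replication access was denied" when the machine account /
    # secure channel is broken, which is what the thread's /showconn output showed.
    $r = Invoke-Native repadmin.exe @('/showrepl', $Dc)
    [pscustomobject]@{
        Ok  = ($r.ExitCode -eq 0) -and -not ($r.Text -match '8453|access was denied')
        Raw = $r.Text
    }
}

function Reset-DcSecureChannel {
    param([string]$Domain, [string]$PartnerDc)
    # Step 1/2 of the thread: stop the local KDC so no tickets are issued against the stale password.
    Stop-Service -Name Kdc -Force
    try {
        # Step 4: drop cached Kerberos tickets (klist is built in on 2008+).
        & klist.exe purge | Out-Null
        # Step 5/6: reset THIS machine's account password, contacting the partner DC.
        # /pd:* prompts for the Domain Admin password instead of embedding it in the script.
        & netdom.exe resetpwd "/s:$PartnerDc" "/ud:$Domain\Administrator" /pd:*
        if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }
        # Point Netlogon's secure channel explicitly at the partner that holds the new password.
        & nltest.exe "/sc_reset:$Domain\$PartnerDc" | Out-Null
    }
    finally {
        # Step 7/13: bring the KDC back even if the reset failed.
        Start-Service -Name Kdc
    }
    # Step 8: replicate all naming contexts with every partner, in both directions.
    & repadmin.exe /syncall /AdeP | Out-Null
}

$sc  = Test-DcSecureChannel -Domain $Domain
$rep = Test-DcReplicationAccess -Dc $PartnerDc
"Secure channel to ${Domain}: healthy=$($sc.Healthy) boundTo=$($sc.TrustedDc)"
"Replication access on ${PartnerDc}: ok=$($rep.Ok)"

if (-not ($sc.Healthy -and $rep.Ok)) {
    if ($Repair) {
        Reset-DcSecureChannel -Domain $Domain -PartnerDc $PartnerDc
        $after = Test-DcSecureChannel -Domain $Domain
        "After reset: healthy=$($after.Healthy) boundTo=$($after.TrustedDc)"
        & nltest.exe "/sc_verify:$Domain"     # prints the channel status; non-zero exit = still broken
    }
    else {
        'Secure channel or replication access is broken; re-run with -Repair to reset it.'
    }
}
```

Run it once without `-Repair` on each DC to see which side is actually broken; the thread's netdiag on GEIDIPRIME passed while ARRAKIS failed nltest, so check both before resetting anything. After a `-Repair`, run `repadmin /showrepl` on the partner as well: the colleague's notes show the reset sometimes needs a second pass once the KDCs are back, and replication on the other DC is the real test.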
