towerdigital
Cannot access admin shares on a domain controller from another domain controller without entering credentials again
I have 2 domain controllers in the same LAN. The first domain controller (DC1) cannot access the admin shares (i.e. c$) on the other domain controller (DC2) without the domain credentials popping up. The DC2 does not get a credential popup when hitting DC 1.
I also see access denied errors on DC1 when trying to launch "Domain Controller Security Policy" and "Domain Security Policy".
I have searched the forums, but cannot determine what the issue is. No events are recorded in the Event Log.
Can you do a netdiag then post the results? You aren't getting any errors in the Event log, right?
ASKER
Netdiag results:
Computer Name: GEIDIPRIME
DNS Host Name: geidiprime.towerdigital.ad
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 3 Stepping 4, GenuineIntel
Netcard queries test . . . . . . . : Passed
[WARNING] The net card 'RAS Async Adapter' may not be working because it has not received any packets.
[WARNING] The net card 'SSL-VPN NetExtender Adapter' may not be working because it has not received any packets.
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : geidiprime.towerdigital.ad
IP Address . . . . . . . . : 10.2.0.100
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 10.2.0.1
Dns Servers. . . . . . . . : 10.2.0.101
10.2.0.100
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{703524EE-2254-417E-B311-5D6BE9AF4B5C}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '10.2.0.101' and other DCs also have some of the names registered.
PASS - All the DNS entries for DC are registered on DNS server '10.2.0.100' and other DCs also have some of the names registered.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{703524EE-2254-417E-B311-5D6BE9AF4B5C}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{703524EE-2254-417E-B311-5D6BE9AF4B5C}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Passed
Secure channel for domain 'TOWERDIGITAL' is to '\\arrakis.towerdigital.ad'.
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
Everything looks good. Are you logging into the servers with the same user? Are you sure there isn't anything in the Event Logs at all? Are you logging on the server as the domain or local?
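As an added example (not part of the original thread), a small Python parser for netdiag reports in the layout posted above: it records each test's status by section, collects the [WARNING] lines, and extracts the secure channel partner. The sample report is constructed, the function names are hypothetical, and the "Failed" status word is an assumption, since the thread's own output shows only Passed and Skipped.

```python
import re

# Constructed sample in the layout of the netdiag report above, with one
# failing test added (assumed status word "Failed") so there is something to flag.
SAMPLE = r"""Computer Name: DC1
Netcard queries test . . . . . . . : Passed
[WARNING] The net card 'RAS Async Adapter' may not be working because it has not received any packets.
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
WINS service test. . . . . : Skipped
Global results:
Domain membership test . . . . . . : Passed
Trust relationship test. . . . . . : Failed
Secure channel for domain 'EXAMPLE' is to '\\dc2.example.test'.
Kerberos test. . . . . . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
"""

# "<name><dot leader>: <status>"; the leader is a run of dots and spaces.
TEST_LINE = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z ]*?)[ .]*:\s*(?P<status>Passed|Failed|Skipped)$")
SECURE_CHANNEL = re.compile(
    r"Secure channel for domain '(?P<domain>[^']+)' is to '\\\\(?P<dc>[^'\s]+)")

def parse_netdiag(text):
    """Return (results, warnings, secure_channel) from a netdiag report."""
    scope, results, warnings, channel = "general", [], [], None
    for line in text.splitlines():
        s = line.strip()
        if s in ("Per interface results:", "Global results:"):
            scope = s.split(" results")[0].lower()  # "per interface" / "global"
        elif s.startswith("[WARNING]"):
            warnings.append((scope, s[len("[WARNING]"):].strip()))
        elif (m := TEST_LINE.match(s)):
            results.append((scope, m["name"], m["status"]))
        elif (m := SECURE_CHANNEL.search(s)):
            channel = (m["domain"], m["dc"].lower())
    return results, warnings, channel

def needs_attention(results):
    """Tests that failed; Skipped is recorded but not treated as a failure."""
    return [(scope, name) for scope, name, status in results if status == "Failed"]

if __name__ == "__main__":
    results, warnings, channel = parse_netdiag(SAMPLE)
    print("failed:", needs_attention(results))
    print("warnings:", len(warnings), "secure channel:", channel)
```
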
ASKER
Yes, logging in as the Domain Admin. Since both are DC's, you can only log into the domain.
Try to see if you can reset the secure channel.
https://www.experts-exchange.com/questions/23629068/Computers-in-NEtwork-lose-Domain-connection-randomly.html
ASKER
Is this wise on a domain controller?
ASKER
Also, when I run an "nltest" on each domain controller, DC1 works fine and DC2 gives me the following error:
C:\>nltest /server:ARRAKIS /sc_query:towerdigital.ad
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
ASKER
I ran the "Netdom" tool and it had an error on DC2:
C:\Program Files\Support Tools>netdom resetpwd /s:GEIDIRPIME /ud:towerdigital\administrator /pd:*
Type the password associated with the domain user:
The machine account password for the local machine could not be reset.
The network path was not found.
The command failed to complete successfully.
Did you run the netdiag on the DC having trouble?
ASKER
NLTEST now works after resetting the machine passwords properly on the 2 DC's. I still have the original issue though. Here is the output from the following command:
C:\Program Files\Support Tools>REPADMIN /SHOWCONN ARRAKIS
Base DN: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=towerdigital,DC=ad
==== KCC CONNECTION OBJECTS ============================================
Connection --
Connection name : 30472b15-6575-4b09-bdca-b8c452efbbc5
Server DNS name : arrakis.towerdigital.ad
Server DN name : CN=NTDS Settings,CN=ARRAKIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=towerdigital,DC=ad
DsReplicaGetInfo() failed with status 8453 (0x2105):
Replication access was denied.
DsReplicaGetInfo() failed with status 8453 (0x2105):
Replication access was denied.
Note that it fails due to access denied.
You are not getting any errors in the Event Logs? Usually this is because the server isn't connected to the domain or doesn't have the secure channel password. Run a netdiag then post for me.