Solved

Can't login with secondary domain controller Windows Server 2003

Posted on 2009-06-28
6
468 Views
Last Modified: 2012-05-07
I've created a secondary domain controller. Until now, I've done this:

1. Installed 2003 Server, joined the domain and ran DCPROMO
2. I've installed and configured DHCP and DNS.
3. I've checked that both servers are global catalog servers.

My primary server IP is 10.0.0.1, and my secondary is 10.0.0.5
All clients have DNS 10.0.0.1 and 10.0.0.5 (configured through DHCP)

I've made a test disconnecting the primary domain controller, and after rebooting all client computers are unable to login; they can only login with user credentials already used on that client.

Can you help me?
Thank you.

0
Question by:_the_reverend
6 Comments
 
LVL 16

Expert Comment

by:Bruno PACI
ID: 24732432
Hi,

Can you verify that the SYSVOL share exists on the second DC? A new DC does not bring up the SYSVOL share until it has successfully finished an Active Directory replication, and by the way it also refuses to authenticate anyone.

Did you install the "Support Tools" and check the result of the DCDIAG and NETDIAG commands? These commands will show you a precise report of Active Directory status.
(The support tools are on the Windows 2003 CD.)

Have a nice day


0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24732610
Hi there. As mentioned by PaciB, a DCDIAG and NETDIAG should root out any issues on the DCs.
Have you confirmed that the new IP config (i.e. both DNS servers listed) is actually applying to your clients? Did you configure these options on both scopes? If your first DC was also a DHCP server, your clients will continue to try to contact it to renew the lease. They won't automatically go through a full broadcast DORA process and speak to the new DHCP server until 50% (I think) of the existing lease has passed. From memory, they'll try to contact the source DHCP server; if they can't, then they continue with their existing lease, and therefore don't get the config you have put on the new server. Just a thought.
0
 

Author Comment

by:_the_reverend
ID: 24732640
I've attached the results of both diagnostics, but I don't understand them completely, nor how to correct those tests that didn't pass.
Thank you.
dcdiag.txt
netdiag.txt
0
 
LVL 27

Accepted Solution

by:
bluntTony earned 500 total points
ID: 24732661
Are these on the new or old server? I'm guessing it's the new?
Why has the NIC on this server got two IP addresses? Is this intentional? It would cause problems on a DC. Remove the .8 address in the properties of the NIC TCP/IP settings, then run the following commands on the DC:
ipconfig -flushdns
ipconfig -registerdns
net stop netlogon
net start netlogon
This should correct the DNS records. Then just check in your forward lookup zone that you only have one Host (A) record for the server, and that it points to the .5 address.
See if this helps...
0
 

Author Closing Comment

by:_the_reverend
ID: 31597718
Thank you, that did it. We used a virtual IP (.8) to avoid spammers using our SMTP server. Don't know how exactly, but that was the reason. Why can this virtual IP cause problems for the DC?
Thank you.
0
 
LVL 16

Expert Comment

by:Bruno PACI
ID: 24732781
Hi,

Your DC is a multi-homed server, meaning it has several network cards and several IP addresses.
You must ensure that your DC has NOT registered itself in DNS with a bad IP, like those on the "Realtek NIC": 201.134.44.xxx

If your DC is registered in DNS with an IP address that is not reachable from clients, you can have trouble like you described. As an example, let's suppose your secondary DC is registered in DNS with multiple IP addresses: 10.0.0.5 (the good one) and 201.134.44.172 (a bad address coming from the Realtek NIC).
When your first DC is offline, clients request the secondary DNS 10.0.0.5, asking for another DC for the ponderosa.local domain.
The DNS only knows one other DC: monterrey5.ponderosa.local... But it has multiple addresses for this DC. So the DNS server chooses one of the addresses for monterrey5 and gives it to the client.
Let's suppose the DNS chose 201.134.44.172. The client cannot reach the DC at this address. Then the client supposes this DC is offline and asks the DNS for one more DC, but there is no more DC in the list.

You can check which IP addresses are returned by the DNS server by typing these two commands several times:

IPCONFIG /FLUSHDNS
PING monterrey5.ponderosa.local

The first command forces the client to empty its DNS cache.
Now that the DNS cache is empty, the second command forces the client to query the DNS server.

Doing this several times you will get several answers. In a normal situation all the answers should give you the same IP address. If not, then your DNS is polluted with bad IP addresses and you have to fix the IP configuration on the DC.

Have a nice day.
0
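The two checks the experts describe above (one Host (A) record per DC pointing at the reachable address, and repeated flush-and-resolve to see whether DNS round robin hands out a stray address) as an added example that is not part of the thread. The zone snapshot and the `primarydc` hostname are constructed for illustration; only `monterrey5.ponderosa.local` and the two addresses come from the discussion.

```python
"""Audit DC host records for multi-homing and unreachable addresses.
Added example, not from the thread; zone data below is constructed."""
import ipaddress
from collections import Counter

# Subnet clients can reach (assumption based on the 10.0.0.x addresses in the thread)
REACHABLE_NET = ipaddress.ip_network("10.0.0.0/24")


def audit_dc_records(records, reachable_net=REACHABLE_NET):
    """records: DC hostname -> list of IPv4 addresses held in the forward zone.
    Returns hostname -> list of problem strings (empty list means healthy)."""
    findings = {}
    for host, addrs in records.items():
        problems = []
        unique = sorted(set(addrs), key=ipaddress.ip_address)
        if not unique:
            problems.append("no A record")
        if len(unique) > 1:
            problems.append("multiple A records: %s" % ", ".join(unique))
        for a in unique:
            if ipaddress.ip_address(a) not in reachable_net:
                problems.append("address %s not in reachable subnet %s" % (a, reachable_net))
        findings[host] = problems
    return findings


def round_robin_resolver(records):
    """Constructed stand-in for a DNS server that round-robins over several
    A records, so the flush/ping loop can be shown offline."""
    state = {h: 0 for h in records}

    def resolve(host):
        addrs = records[host]
        i = state[host]
        state[host] = (i + 1) % len(addrs)
        return addrs[i]
    return resolve


def sample_answers(host, resolver, attempts=10):
    """Repeat the IPCONFIG /FLUSHDNS + PING idea: resolve the host several
    times and count which address came back. More than one key = polluted."""
    return Counter(resolver(host) for _ in range(attempts))


# Constructed zone: the secondary DC registered both its LAN address and the
# address of its second NIC, as described in the thread.
CONSTRUCTED_ZONE = {
    "primarydc.ponderosa.local": ["10.0.0.1"],
    "monterrey5.ponderosa.local": ["10.0.0.5", "201.134.44.172"],
}
```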