• Status: Solved
  • Priority: Medium
  • Security: Public

Backup DC replication/LDAP issue

I seem to have a problem with my backup DC on a 2 DC domain. The PDC is an SBS 2003 and the BDC is Server 2003. For the last 2 weeks I have been seeing a number of NTLM authentication failure errors on the daily reports, along with a few other, possibly related errors. I've run dcdiag on the BDC and all tests pass, as does the same test on the SBS. Although if I run dcdiag /e on the BDC, I get a whole host of failures:

      Starting test: NetLogons
         [SERVER] User credentials does not have permission to perform this oper
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... SERVER failed test NetLogons
      Starting test: Advertising
         Fatal Error:DsGetDcName (SERVER) call failed, error 5
         The Locator could not find the server.
         ......................... SERVER failed test Advertising
      Starting test: KnowsOfRoleHolders

I don't understand the "The account used for this test must have network logon privileges for this machine's domain" as I'm using the domain admin account to run these tests.

Dcdiag /e on the PDC passes everything.

Netdiag passes everything, barring the following:

LDAP test. . . . . . . . . . . . . : Passed
    [FATAL] Cannot do NTLM authenticated ldap_bind to 'server.domain.local': Inval
id Credentials.
    [FATAL] Cannot do Negotiate authenticated ldap_bind to 'server.domain.local':
Invalid Credentials.
    [WARNING] Failed to query SPN registration on DC 'server.domain.local'.

All the necessary shares (Netlogon, Sysvol and IPC$) are up and accessible on both DCs, I've checked to make sure all required services are started correctly and now I'm pretty much stuck. I've trawled the net most of today looking for a solution and so far not been successful :(

Any help would be much appreciated :)
1 Solution
Darius Ghassem commented:
Make sure you are using the correct version of the support tools; this error usually indicates that the support tools aren't correct.
the1paulcole (Author) commented:
Hi Darius, how do I know I'm using the correct version of these tools? It was only today that I downloaded the Microsoft Windows Server 2003 Support Tools, I thought they would be the correct ones.
Darius Ghassem commented:
Did you download the 2003 SP2 support tools? What SP are you running?
the1paulcole (Author) commented:
This is definitely a problem as I cannot browse the SYSvol share on the PDC from the BDC using either the IP or the netbios name. I thought it would be down to DNS, but all DNS tests seem to pass. I've tried restarting the BDC to no avail.

The error I get when I try to browse any share on the PDC is:

"The referenced account is currently locked out and may not be logged into"

Again, I have no idea why this is as it's the administrator account which is not locked and is working fine everywhere else. I've run the account lockout tool on both servers and both times come back fine.

Can DNS resolve the name? Run nslookup; also check whether a firewall is blocking communication between the DCs.
Darius Ghassem commented:
If you can't with IP address what error are you getting?
the1paulcole (Author) commented:
Hi Awinish, yep. Ran it on both DCs and both IPs and names resolve correctly.

Darius, they're on SP2 and I used the SP2 tools after downloading them again to make sure.
the1paulcole (Author) commented:
I've fixed the problem. I don't know why, but there was an account and password stored locally which was being referenced and causing the account lockout problems. Removed this and everything is working as it should.
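A stored credential that still carries an old password will be replayed on every connection to the DC it targets, which produces exactly the pattern above: lockouts, failed NTLM/LDAP binds and dcdiag "permission" errors under an account that works everywhere else. The following PowerShell is an added example (not code from the thread or from Microsoft) that parses the output of the built-in `cmdkey /list` command and flags stored entries whose target names one of your DCs; the sample output and the DC names are constructed.

```powershell
# Added example: find stored credentials (cmdkey /list) that target a domain controller.
# A stale entry here will replay an old password and can lock the account out.
function Get-StoredDcCredentials {
    param(
        [Parameter(Mandatory)] [string[]] $CmdkeyOutput,  # lines captured from 'cmdkey /list'
        [Parameter(Mandatory)] [string[]] $DcNames        # DC hostnames, FQDNs or IPs to match
    )
    $entries = @()
    $current = $null
    foreach ($line in $CmdkeyOutput) {
        # switch -Regex populates $Matches for the pattern that fired
        switch -Regex ($line.Trim()) {
            '^Target:\s*(?:Domain:target=|LegacyGeneric:target=)?(.+)$' {
                if ($current) { $entries += $current }
                $current = [pscustomobject]@{ Target = $Matches[1]; Type = ''; User = '' }
            }
            '^Type:\s*(.+)$' { if ($current) { $current.Type = $Matches[1] } }
            '^User:\s*(.+)$' { if ($current) { $current.User = $Matches[1] } }
        }
    }
    if ($current) { $entries += $current }

    # Keep only entries whose target contains one of the DC names (host, FQDN or wildcard form)
    $entries | Where-Object {
        $target = $_.Target
        $DcNames | Where-Object { $target -like "*$_*" }
    }
}

# Constructed sample standing in for a live 'cmdkey /list' run on the BDC
$sample = @'
Currently stored credentials:

    Target: Domain:target=server.domain.local
    Type: Domain Password
    User: DOMAIN\administrator

    Target: LegacyGeneric:target=fileshare.example.local
    Type: Generic
    User: svc_backup
'@ -split "`r?`n"

# Expected: the server.domain.local entry is reported, the file share entry is not
Get-StoredDcCredentials -CmdkeyOutput $sample -DcNames 'server.domain.local', 'sbs'

# On a live machine: Get-StoredDcCredentials -CmdkeyOutput (cmdkey /list) -DcNames 'server.domain.local'
# A stale entry is removed with: cmdkey /delete:<target>   (then clear the lockout on the DC)
```

Run it in the context of the account that is being locked out, since the stored credential store is per user; a hit on the BDC pointing at the PDC is the condition the thread ended up fixing by hand.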