Backup DC replication/LDAP issue


I seem to have a problem with my backup DC on a 2 DC domain. The PDC is an SBS 2003 and the BDC is Server 2003. For the last 2 weeks I have been seeing a number of NTLM authentication failure errors on the daily reports along with a few other, possibly related errors. I've run dcdiag on the bdc and all tests pass, as does the same test on the SBS. Although if I run dcdiag /e on the BDC, I get a whole host of failures:

      Starting test: NetLogons
         [SERVER] User credentials does not have permission to perform this oper
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... SERVER failed test NetLogons
      Starting test: Advertising
         Fatal Error:DsGetDcName (SERVER) call failed, error 5
         The Locator could not find the server.
         ......................... SERVER failed test Advertising
      Starting test: KnowsOfRoleHolders

 I don't understand the "The account used for this test must have network logon privileges
 for this machine's domain" as I'm using the domain admin account to run these tests.

Dcdiag /e on the PDC passes everything.

Netdiag passes everything, barring the following:

LDAP test. . . . . . . . . . . . . : Passed
    [FATAL] Cannot do NTLM authenticated ldap_bind to 'server.domain.local': Invalid Credentials.
    [FATAL] Cannot do Negotiate authenticated ldap_bind to 'server.domain.local': Invalid Credentials.
    [WARNING] Failed to query SPN registration on DC 'server.domain.local'.

All the necessary shares (Netlogon, Sysvol and IPC$) are up and accessible on both DCs, I've checked to make sure all required services are started correctly and now I'm pretty much stuck. I've trawled the net most of today looking for a solution and so far not been successful :(

Any help would be much appreciated :)
Darius Ghassem commented:
Make sure you are using the correct version of the Support Tools; this error usually indicates that the Support Tools aren't the correct ones.
the1paulcole (Author) commented:
Hi Darius, how do I know I'm using the correct version of these tools? It was only today that I downloaded the Microsoft Windows Server 2003 Support Tools, I thought they would be the correct ones.
Darius Ghassem commented:
Did you download the 2003 SP2 support tools? What SP are you running?
the1paulcole (Author) commented:
This is definitely a problem as I cannot browse the SYSVOL share on the PDC from the BDC using either the IP or the NetBIOS name. I thought it would be down to DNS, but all DNS tests seem to pass. I've tried restarting the BDC to no avail.

The error I get when I try to browse any share on the PDC is:

"The referenced account is currently locked out and may not be logged into"

Again, I have no idea why this is, as it's the administrator account, which is not locked and is working fine everywhere else. I've run the account lockout tool on both servers and both times it came back fine.

Awinish commented:
Can DNS resolve the name when you run nslookup? Also check whether a firewall is blocking communication between the DCs.
Darius Ghassem commented:
If you can't with IP address what error are you getting?
the1paulcole (Author) commented:
Hi Awinish, yep. Ran it on both DCs and both IPs and names resolve correctly.

Darius, they're on SP2 and I used the SP2 tools after downloading them again to make sure.
the1paulcole (Author) commented:
I've fixed the problem. I don't know why, but there was an account and password stored locally which was being referenced and causing the account lockout problems. Removed this and everything is working as it should.
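The fix above, stale credentials saved in the local credential store on the BDC being replayed against the PDC until the account locked, is easy to reproduce and easy to miss. The following PowerShell script is an added example, not code from the thread or from any of its participants. It enumerates the local credential store with cmdkey /list, reports any entry whose target matches the PDC, optionally deletes it, then shows recent lockout events and re-runs the two dcdiag tests that failed. Assumptions: the PDC is reachable as server.domain.local / SERVER (the names visible in the dcdiag and netdiag output above); cmdkey.exe and dcdiag.exe (Support Tools) are on the PATH; the cmdkey /delete argument is the target name as shown after "target=" in the /list output; the script runs in an elevated session as the domain account whose stored password may be stale, because the credential store is per user.

```powershell
# Clear-StalePdcCredential.ps1  (added example, not from the original thread)
# Usage:  .\Clear-StalePdcCredential.ps1            # report only
#         .\Clear-StalePdcCredential.ps1 -Remove    # delete matching entries
param(
    [string[]]$PdcNames = @('server.domain.local', 'SERVER'),  # assumed PDC names
    [switch]$Remove
)

# cmdkey /list prints blocks such as:
#     Target: Domain:target=server.domain.local
#     Type: Domain Password
#     User: DOMAIN\administrator
# Parse them into objects so they can be filtered and deleted selectively.
function Get-StoredCredential {
    $entries = @()
    $current = $null
    foreach ($raw in (cmdkey /list)) {
        $line = "$raw".Trim()
        if ($line -match '^Target:\s*(?:(?<kind>\w+):target=)?(?<target>.+)$') {
            $current = New-Object PSObject -Property @{
                Kind = $matches['kind']; Target = $matches['target']; Type = ''; User = ''
            }
            $entries += $current
        }
        elseif ($current -and $line -match '^Type:\s*(.+)$') { $current.Type = $matches[1] }
        elseif ($current -and $line -match '^User:\s*(.+)$') { $current.User = $matches[1] }
    }
    return $entries
}

# Any stored entry whose target contains one of the PDC names (case-insensitive).
function Find-PdcCredential {
    param([string[]]$Names)
    Get-StoredCredential | Where-Object {
        $target = $_.Target
        ($Names | Where-Object { $target -like "*$_*" }) -ne $null
    }
}

$stale = @(Find-PdcCredential -Names $PdcNames)
if ($stale.Count -eq 0) {
    Write-Host "No stored credentials reference the PDC ($($PdcNames -join ', '))."
} else {
    Write-Host "Stored credentials that reference the PDC:"
    $stale | Format-Table Kind, Target, Type, User -AutoSize
    if ($Remove) {
        foreach ($c in $stale) {
            Write-Host "Deleting stored credential for $($c.Target)"
            cmdkey /delete:$($c.Target)   # assumed: target string is accepted as-is
        }
    } else {
        Write-Host "Re-run with -Remove to delete them."
    }
}

# Lockout events: 644 on Windows Server 2003, 4740 on Server 2008 and later.
# Each replayed bad password is a 529/675 failure; the lockout itself is logged on
# the DC that enforces the policy (usually the PDC emulator), so run this on both.
Write-Host "`nRecent account lockout events on $env:COMPUTERNAME:"
Get-EventLog -LogName Security -Newest 2000 |
    Where-Object { $_.EventID -eq 644 -or $_.EventID -eq 4740 } |
    Select-Object TimeGenerated, EventID, @{n='Account'; e={ $_.ReplacementStrings[0] }} |
    Format-Table -AutoSize

# Re-run only the tests that failed in the thread; both depend on a clean
# network logon to the other DC, which the stale credential was breaking.
Write-Host "`nRe-running dcdiag NetLogons and Advertising tests:"
dcdiag /test:NetLogons /test:Advertising
```

Run it once without -Remove to see what is stored; the User column tells you which account's password was being replayed, and the lockout list confirms whether the timestamps line up with the daily NTLM failures. After deleting the entry, a fresh logon to the PDC (for example, `net use \\server.domain.local\SYSVOL`) should prompt for, or silently use, the current domain credentials instead of the stale ones.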
