Solved

Windows Server 2008 R2 Domain Controllers (PDC and BDC) problems

Posted on 2010-08-25
Last Modified: 2012-05-10
Hi,

I have two DCs, a primary and backup.  When I join a computer to the domain and I go look in the Active Directories for both servers, I sometimes find the machine in the PDC and sometimes in the BDC, but rarely in both.  At first I thought this would replicate at some stage like NT used to do, but it's been weeks and still nothing has happened.  That leads me to my first question: why is this happening and how can I fix it?

Second question, which relates directly to the one above.  Sometimes a server will come online and I'll try to log in with my domain admin credentials, but it'll throw up an error message "The security database on the server does not have a computer account for this workstation trust relationship".  If I go look at my PDC's computer list, this server will not be in it, only on the BDC.  I then need to remove the server from the domain and re-add it again, which is very troublesome, as one time this happened on my SQL server and it was a nightmare stabilizing SQL afterwards.  So my second question would be, why is this happening?  I was under the impression the PDC and BDC were supposed to work together, but they look like they're acting separately atm even though they're properly set up.

And then just a side note (because we're speaking of domain issues with servers).  I have myself in the Domain Admin role etc, but I can't log onto a server with my credentials apart from the PDC and BDC.  What do I need to do in order for domain admins to be able to connect and configure servers in the domain instead of using the Domain Administrator login creds?

Thanks a ton for any assistance!
Question by:Cyber-Storm

LVL 17

Assisted Solution

by:OriNetworks
OriNetworks earned 100 total points
ID: 33520754
For clarity, in Server 2008 architecture there is no such thing as a PDC and BDC anymore, as there can be multiple masters. It sounds like they are in fact hosting 2 separate domains, or quite possibly have an incorrect DNS configuration on your servers and/or across the network. Please view the steps below that I pulled from a TechNet thread, the link to which you can find below.


I list the general steps below for your reference. If anything is unclear, please post back.

1. Verify the new server's TCP/IP configuration has been pointed to the current DNS server.

2. Make the new server become a member server of the current Windows Server 2008 domain first.

3. Insert Windows Server 2008 Installation Disc in the new server.

4. Run "dcpromo" on new server to promote it as an additional domain controller in existing Windows 2008 domain, afterwards you may verify the installation of Active Directory.

5. Verify that the old DNS Server Zone type is Active Directory-Integrated. If not, please refer to:

How To: Convert DNS Primary Server to Active Directory Integrated
http://support.microsoft.com/kb/816101

Note: Active Directory Integrated-Zone is available only if DNS server is a domain controller.

Install DNS component on new server and configure it as a new DNS Server (Active Directory Integrated-Zone is preferred). All the DNS configuration should be replicated to the new DNS server with Active Directory Replication.

6. You may configure TCP/IP on all the clients, or adjust DHCP scope settings to make them use the new DNS server.

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/bfcbe215-5031-4ae5-9b52-9e7175e2ac90

Author Comment

by:Cyber-Storm
ID: 33521458
Hi OriNetworks,
The DNS part definitely looks interesting. I'll be working through it during the course of the night and get back to you in the morning. Thanks a stack for getting back to me so quickly.
Best Regards,
Storm

Author Comment

by:Cyber-Storm
ID: 33539675
Hi OriNetworks,
Right, I've gone through everything with a fine-tooth comb.  First off, my DNS is definitely set up correctly; all machines connecting are replicating properly between my two DCs, and they both are of type "Active Directory-Integrated Primary".
My domains are correct and they were correctly set up in the forest; my PDC is showing it's the primary DC and my BDC is showing the PDC is the primary DC.  So that all looks good.
Any other ideas? Also, could you shed some light on the last of the 3 questions as well please.
Many Thanks,
Storm
LVL 11

Accepted Solution

by:sighar
sighar earned 400 total points
ID: 33577064
For starters, run DCDIAG on the servers. That should point to something. Check where the FSMO roles are with "netdom /query FSMO" and see if the roles are not all on either one of your two DCs.
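An added example (not from the thread or either participant) for carrying out the checks in the accepted answer on the PowerShell 2.0 that ships with Server 2008 R2: it reads the computer objects directly from each DC, so a machine that exists on only one of them (the symptom in the question) is listed explicitly, and then runs the native tools. The DC names DC1 and DC2 and the domain DN DC=corp,DC=example are placeholders to replace.

```powershell
# Added example (not from the thread): read the computer objects from each DC
# directly, so that a machine that exists on one DC but not the other shows
# up immediately, then run the native tools the answer recommends.
# Assumed names: DCs DC1 and DC2, domain DN DC=corp,DC=example. Adjust to suit.
$dc1    = 'DC1'
$dc2    = 'DC2'
$baseDN = 'DC=corp,DC=example'

function Get-ComputerNamesFromDC {
    param([string]$Server, [string]$BaseDN)
    # Binding to LDAP://<server>/<dn> queries that DC's own copy of the
    # directory instead of whichever DC the locator would otherwise pick.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDN")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = '(objectClass=computer)'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('name')
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['name'][0] }
}

# @() keeps each result an array even when a DC returns nothing.
$onDC1 = @(Get-ComputerNamesFromDC -Server $dc1 -BaseDN $baseDN)
$onDC2 = @(Get-ComputerNamesFromDC -Server $dc2 -BaseDN $baseDN)
$diff  = Compare-Object -ReferenceObject $onDC1 -DifferenceObject $onDC2

# A name present on only one side has not replicated to the other DC.
$only1 = @($diff | Where-Object { $_.SideIndicator -eq '<=' } | ForEach-Object { $_.InputObject })
$only2 = @($diff | Where-Object { $_.SideIndicator -eq '=>' } | ForEach-Object { $_.InputObject })
"Computers on $dc1 only ($($only1.Count)): $($only1 -join ', ')"
"Computers on $dc2 only ($($only2.Count)): $($only2 -join ', ')"

# Native tools from the accepted answer (run on a DC, from an elevated prompt).
# The documented syntax is 'netdom query fsmo', with no slash before 'query'.
repadmin /replsummary                 # per-DC failure counts and last-success times
repadmin /showrepl $dc1               # DC1's inbound partners and any last error
dcdiag "/s:$dc1" /test:replications /test:fsmocheck
netdom query fsmo
```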

Author Comment

by:Cyber-Storm
ID: 33578464
Hi Sighar,
That really helped point me in the right direction. DCDiag has shown errors on the Primary DC; I have attached the DCDiag output from both servers.  For security reasons I have obviously renamed the domain and machine names.
I see that the "PDC" is showing some serious problems, while the "BDC" seems to be OK. The errors in the SystemLog tests appear to be from the remote desktop connection, in that it can't connect to my local PC's printer drivers etc., which I assume is fine.
I'm afraid I'm a little out of my depth here, I can see things but I'm not entirely sure on where to start fixing the issues.  Any assistance in the matter will be greatly appreciated.
I will look into the FSMO roles in the meantime.
Best Regards,
Storm

PDC.log

Author Comment

by:Cyber-Storm
ID: 33578476
Sorry, the thing submitted while I was still trying to upload the second log file.
BDC.log
 
LVL 11

Expert Comment

by:sighar
ID: 33579041
I found this: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24805735.html where the solution is to not use teaming on NICs. I don't know if that's applicable to your situation.
It's DC1 that's having this problem; DC2 seems to be all right. Since you got LDAP errors, make sure the LDAP ports are open on the firewall:
389 – local (default)
636 – local, secure
3268 – global catalog
3269 – global catalog, secure
I assume that you've only got one domain so Global Catalogs shouldn't matter but maybe you can make sure both of them are GC, just in case? (Open Sites and Services, expand Sites, your site, servers and right click on NTDS settings, Global Catalog  should be checked on General tab - if not, try checking it).
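An added example (not from the thread) that probes the four ports listed above from one server to a DC. It uses System.Net.Sockets.TcpClient because Test-NetConnection does not exist on Server 2008 R2; the peer name DC2 is a placeholder.

```powershell
# Added example (not from the thread): probe the LDAP and Global Catalog ports
# from this server to a peer DC, with a timeout so a silently dropped packet
# (typical of a firewall) is reported instead of hanging the script.
# Assumed peer DC name: DC2. Replace it with your own.
$peer  = 'DC2'
$ports = @{ 389 = 'LDAP'; 636 = 'LDAP over SSL'; 3268 = 'Global Catalog'; 3269 = 'Global Catalog over SSL' }

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout: filtered/dropped rather than refused.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was actively refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($p in ($ports.Keys | Sort-Object)) {
    $state = if (Test-TcpPort -ComputerName $peer -Port $p) { 'open' } else { 'BLOCKED or closed' }
    '{0,5}  {1,-24} {2}' -f $p, $ports[$p], $state
}
```

Run it in both directions (from DC1 to DC2 and from DC2 to DC1), since the Windows Firewall on each side is evaluated independently.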

Author Comment

by:Cyber-Storm
ID: 33584509
Hi Sighar,
We have an Intel Modular Server; it has 4 NICs per blade, 2 + 2 redundant.  I was originally using teaming, but it had tremendous problems with Hyper-V etc., and eventually I removed the teaming and used the standard Microsoft Network Bridge to bridge all 4 together, since all the servers are internet facing.  The Network Bridge then sits inside the Hyper-V virtual NIC.  All the blades are configured this way, including DC2, and I can't simply break it all up just to test, but it's possible that with all the original battling to get the system working there is some underlying problem.  Unfortunately I can't simply trash it all, since they're production blades running 24/7, so if I really need to play I'll have to schedule maintenance downtime over a weekend.
I've also checked the DCs; both have the GC ticked, and currently there's only one domain, but once the system is stable all our branches' DCs will connect to this solution, very much like in the link you attached.
I've checked the firewall on DC1 and it's all correct.  We have the Windows Firewall for the standard security stuff, and then we have the hardware firewall between the switches of the servers and the internet, which only has ports open for HTTP/S, FTP, RD, etc.  So the servers (including DC1 and 2) can see each other on the internal network and don't go through the HW firewall.
Your thoughts?
Thanks,
Storm
LVL 11

Assisted Solution

by:sighar
sighar earned 400 total points
ID: 33584607
Have you tried turning the firewall off on the servers (for testing purposes)? You can also try to force the replication: Sites & Services - Site - Servers - DC1 - NTDS Settings, then right-click the <automatically generated> connection and choose "Replicate now". Are you using DFS or FRS? And are they running?

Is it an option for you to promote another server to DC to see if that works with DC2? If so, then you could just demote DC1. I know it's not a solution to this problem but sometimes workarounds do the job.

Author Comment

by:Cyber-Storm
ID: 33584648
Ah, the promotion might just help us solve most of the issues immediately and then if need be we can reload the DC, great idea.
Unfortunately I'm going to leave today for two weeks, I will attempt to do as much as possible today still and then return to the problem in two weeks. Sorry about the break now but I started this question nearly a month ago hoping to resolve it before I went on leave.
In the meantime, would you mind terribly helping me with the 3rd problem I have in my question please?
Here's the excerpt from above:
And then just a side note (because we're speaking of domain issues with servers).  I have myself in the Domain Admin role etc, but I can't log onto a server with my credentials apart from the PDC and BDC.  What do I need to do in order for domain admins to be able to connect and configure servers in the domain instead of using the Domain Administrator login creds?
Thanks
LVL 11

Expert Comment

by:sighar
ID: 33584755
I didn't address this question since I was hoping that it was related to your main problem. However, have you checked to see if Domain Admins aren't members of the local admins group? They should be when you add the server to the domain but if there's a problem with AD it's possible that it got messed up somehow. Also, what does the Event Log say when you try to log on? Check both on the server you're trying to log on to as well as both of the DCs (the Kerberos authentication is sent to either one of them).

I'll wait for your return and we'll pick it up again if you still haven't solved it. Hope you're going on vacation, after this you need it :-)
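An added example (not from the thread or either participant) for the two checks suggested above, to be run on the member server that refuses the logon: it lists the local Administrators group and flags whether Domain Admins is in it, then pulls the failed-logon events. It also tests the machine's secure channel to the domain, because the "does not have a computer account for this workstation trust relationship" error from the question is what a missing computer account produces. The NetBIOS domain name CORP is a placeholder.

```powershell
# Added example (not from the thread): on a member server, check whether the
# domain's Domain Admins group is a local administrator, verify the secure
# channel to the domain, and list recent failed logons with their status codes.
# Assumed NetBIOS domain name: CORP. Runs on the PowerShell 2.0 of 2008 R2.
$domain = 'CORP'

function Get-LocalAdminMembers {
    # The WinNT provider lists the local group without needing the AD module.
    $group = [ADSI]'WinNT://./Administrators,group'
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # Turn WinNT://CORP/Domain Admins into CORP\Domain Admins
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$members = @(Get-LocalAdminMembers)
"Local Administrators on ${env:COMPUTERNAME}:"
$members | ForEach-Object { "  $_" }
if ($members -contains "$domain\Domain Admins") {
    "OK: $domain\Domain Admins can administer this server."
} else {
    "MISSING: $domain\Domain Admins is not a local administrator."
    "Fix, from an elevated prompt: net localgroup Administrators `"$domain\Domain Admins`" /add"
}

# Secure channel to a DC. False means the DC has no computer account for this
# machine (or its password is out of sync), which is the trust-relationship error.
"Secure channel OK: " + (Test-ComputerSecureChannel)
nltest "/sc_query:$domain"

# Last 20 failed logons (event 4625); Status/SubStatus are the NTSTATUS reasons.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            User      = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            Status    = ($data | Where-Object { $_.Name -eq 'Status' }).'#text'
            SubStatus = ($data | Where-Object { $_.Name -eq 'SubStatus' }).'#text'
        }
    } | Format-Table Time, User, Status, SubStatus -AutoSize
```

Check the same 4625 events on both DCs as well, since either one may have handled the authentication.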

Author Closing Comment

by:Cyber-Storm
ID: 33840479
Thanks very much for all the assistance.

We haven't resolved the problem yet, but we've learnt a lot through the advice offered to the point whereby we're confident we'll resolve the issues as it appears to be a collection of problems rolled into one.

We have scheduled downtime for the servers in order to resolve the conflict and are also speaking to a MS Specialist to assist us with the problem.