Solved

Windows Server 2008 R2 Domain Controllers (PDC and BDC) problems

Posted on 2010-08-25
4,331 Views
Last Modified: 2012-05-10
Hi,

I have two DCs, a primary and a backup. When I join a computer to the domain and then look in Active Directory on both servers, I sometimes find the machine on the PDC and sometimes on the BDC, but rarely on both. At first I thought this would replicate at some stage like NT used to do, but it's been weeks and still nothing has happened. That leads me to my first question: why is this happening and how can I fix it?

Second question, which relates directly to the one above. Sometimes a server will come online and I'll try to log in with my domain admin credentials, but it'll throw up an error message: "The security database on the server does not have a computer account for this workstation trust relationship". If I look at my PDC's computer list, this server will not be in it, only on the BDC. I then need to remove the server from the domain and re-add it, which is very troublesome; one time this happened on my SQL server and it was a nightmare stabilizing SQL afterwards. So my second question would be, why is this happening? I was under the impression the PDC and BDC were supposed to work together, but they look like they're acting separately at the moment, even though they're properly set up.

And then just a side note (because we're speaking of domain issues with servers).  I have myself in the Domain Admin role etc, but I can't log onto a server with my credentials apart from the PDC and BDC.  What do I need to do in order for domain admins to be able to connect and configure servers in the domain instead of using the Domain Administrator login creds?

Thanks a ton for any assistance!
Question by:Cyber-Storm
12 Comments
 
LVL 17

Assisted Solution

by:OriNetworks
OriNetworks earned 100 total points
For clarity, in the Server 2008 architecture there is no such thing as a PDC and BDC anymore, as there can be multiple masters. It sounds like they are in fact hosting 2 separate domains, or quite possibly have an incorrect DNS configuration on your servers and/or across the network. Please view the steps below that I pulled from a TechNet thread, the link to which you can find below.


I list the general steps below for your reference. If anything is unclear, please post back.

1. Verify the new server's TCP/IP configuration has been pointed to the current DNS server.

2. Make the new server become a member server of the current Windows Server 2008 domain first.

3. Insert the Windows Server 2008 Installation Disc in the new server.

4. Run "dcpromo" on the new server to promote it as an additional domain controller in the existing Windows 2008 domain; afterwards you may verify the installation of Active Directory.

5. Verify that the old DNS Server Zone type is Active Directory-Integrated. If not, please refer to:

How To: Convert DNS Primary Server to Active Directory Integrated

http://support.microsoft.com/kb/816101

Note: Active Directory Integrated-Zone is available only if the DNS server is a domain controller.

Install the DNS component on the new server and configure it as a new DNS Server (Active Directory Integrated-Zone is preferred). All the DNS configuration should be replicated to the new DNS server with Active Directory Replication.

6. You may configure TCP/IP on all the clients, or adjust DHCP scope settings to make them use the new DNS server.

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/bfcbe215-5031-4ae5-9b52-9e7175e2ac90

Author Comment

by:Cyber-Storm
Hi OriNetworks,
The DNS part definitely looks interesting. I'll be working through it during the course of the night and get back to you in the morning; thanks a stack for getting back to me so quickly.
Best Regards,
Storm

Author Comment

by:Cyber-Storm
Hi OriNetworks,
Right, I've gone through everything with a fine-tooth comb. First off, my DNS is definitely set up correctly: all machines connecting are replicating properly between my two DCs, and they are both of type "Active Directory-Integrated Primary".
My domains are correct and they were correctly set up in the forest; my PDC is showing it's the primary DC and my BDC is showing the PDC is the primary DC. So that all looks good.
Any other ideas? Also, could you shed some light on the last of the 3 questions as well please.
Many Thanks,
Storm
LVL 11

Accepted Solution

by:sighar
sighar earned 400 total points
For starters, run DCDIAG on the servers. That should point to something. Check where the FSMO roles are with "netdom /query FSMO" and see if the roles are not all on either one of your two DCs.
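A way to run the checks from this answer against both DCs at once, as an added example that is not code from the thread. It assumes the ActiveDirectory PowerShell module (RSAT / ADDS on 2008 R2), and the computer name is a placeholder to be replaced with an account that shows up on only one DC; the FSMO query uses the `netdom query fsmo` form of the command.

```powershell
# Added example, not code from the thread: compare the two DCs from one console.
# Assumes the ActiveDirectory module (RSAT / ADDS on 2008 R2); replace the
# placeholder computer name with an account that shows up on only one DC.
Import-Module ActiveDirectory

$computerName = 'MEMBERSERVER01'   # placeholder, not a name from the thread

# 1. Which DCs exist and where the FSMO roles live (PowerShell equivalent of
#    the netdom query fsmo check from the answer).
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$domain = Get-ADDomain
$forest = Get-ADForest
"PDC emulator:   $($domain.PDCEmulator)"
"RID master:     $($domain.RIDMaster)"
"Infrastructure: $($domain.InfrastructureMaster)"
"Schema master:  $($forest.SchemaMaster)"
"Domain naming:  $($forest.DomainNamingMaster)"

# 2. Ask every DC directly whether it holds the computer object. With healthy
#    replication each DC gives the same answer; a split answer is the symptom
#    described in the question.
foreach ($dc in $dcs) {
    try {
        $obj = Get-ADComputer -Identity $computerName -Server $dc -Properties whenCreated -ErrorAction Stop
        "{0,-30} HAS     {1} (created {2})" -f $dc, $obj.Name, $obj.whenCreated
    } catch {
        "{0,-30} MISSING {1}" -f $dc, $computerName
    }
}

# 3. Replication status as each DC sees it; a failing inbound link here is
#    why an object created on one DC never appears on the other.
foreach ($dc in $dcs) {
    "=== repadmin /showrepl $dc ==="
    repadmin /showrepl $dc
}
repadmin /replsummary

# 4. Verbose dcdiag per DC, saved to a file so the output can be compared or
#    shared (as the PDC.log / BDC.log attachments in this thread were).
foreach ($dc in $dcs) {
    dcdiag "/s:$dc" /v | Out-File -FilePath ".\dcdiag-$dc.log"
}
```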

Author Comment

by:Cyber-Storm
Hi Sighar,
That really helped point me in the right direction. DCDiag has shown errors on the Primary DC; I have attached the DCDiag output from both servers. For security reasons I have obviously renamed the domain and machine names.
I see that the "PDC" is showing some serious problems, while the "BDC" seems to be OK. The errors in the SystemLog tests appear to be from the remote desktop connection, in that it can't connect to my local PC's printer drivers etc., which I assume is fine.
I'm afraid I'm a little out of my depth here, I can see things but I'm not entirely sure on where to start fixing the issues.  Any assistance in the matter will be greatly appreciated.
I will look into the FSMO roles in the meantime.
Best Regards,
Storm

PDC.log

Author Comment

by:Cyber-Storm
Sorry, the thing submitted while I was still trying to upload the second log file.
BDC.log
LVL 11

Expert Comment

by:sighar
I found this: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24805735.html where the solution is to not use teaming on NICs. I don't know if that's applicable to your situation.
It's DC1 that's having this problem, DC2 seems to be alright. Since you got LDAP errors, make sure the LDAP ports are open on the firewall.
389 – local (default)
636 – local, secure
3268 – global catalog
3269 – global catalog, secure
I assume that you've only got one domain so Global Catalogs shouldn't matter but maybe you can make sure both of them are GC, just in case? (Open Sites and Services, expand Sites, your site, servers and right click on NTDS settings, Global Catalog  should be checked on General tab - if not, try checking it).

Author Comment

by:Cyber-Storm
Hi Sighar,
We have an Intel Modular Server; it has 4 NICs per blade, 2 + 2 redundant. I was originally using teaming, but it had tremendous problems with HyperV etc., and eventually I removed the teaming and used the standard Microsoft Network Bridge to bridge all 4 together, since all the servers are internet facing. The Network Bridge then sits inside the HyperV Virtual NIC. All the blades are configured this way, including DC2, and I can't simply break it all up just to test, but it's possible that with all the original battling to get the system working, there is some underlying problem. Unfortunately I can't simply trash it all since they're production blades running 24/7, so if I really need to play, I'll have to schedule a maintenance downtime over a weekend.
I've also checked the DCs; both have the GC ticked, and currently there's only one domain, but once the system is stable, all our branches' DCs will connect to this solution, very much like in the link you attached.
I've checked the firewall on DC1 and it's all correct. We have the Windows Firewall for the standard security stuff, and then we have the hardware firewall between the switches of the servers and the internet, which only has ports open for HTTP/S, FTP, RD, etc. So the servers (including DC1 and 2) can see each other on the internal network and don't go through the HW firewall.
Your thoughts?
Thanks,
Storm
LVL 11

Assisted Solution

by:sighar
sighar earned 400 total points
Have you tried turning the firewall off on the servers (for testing purposes)? You can also try to force the replication: Sites & Services - Site - Servers - DC1 - NTDS Settings, then right-click the <automatically generated> connection and choose "Replicate now". Are you using DFS or FRS? And are they running?

Is it an option for you to promote another server to DC to see if that works with DC2? If so, then you could just demote DC1. I know it's not a solution to this problem but sometimes workarounds do the job.

Author Comment

by:Cyber-Storm
Ah, the promotion might just help us solve most of the issues immediately and then if need be we can reload the DC, great idea.
Unfortunately I'm going to leave today for two weeks, I will attempt to do as much as possible today still and then return to the problem in two weeks. Sorry about the break now but I started this question nearly a month ago hoping to resolve it before I went on leave.
In the meantime, would you mind terribly helping me with the 3rd problem I have in my question please?
Here's the excerpt from above:
And then just a side note (because we're speaking of domain issues with servers).  I have myself in the Domain Admin role etc, but I can't log onto a server with my credentials apart from the PDC and BDC.  What do I need to do in order for domain admins to be able to connect and configure servers in the domain instead of using the Domain Administrator login creds?
Thanks
LVL 11

Expert Comment

by:sighar
I didn't address this question since I was hoping that it was related to your main problem. However, have you checked to see if Domain Admins aren't members of the local admins group? They should be when you add the server to the domain but if there's a problem with AD it's possible that it got messed up somehow. Also, what does the Event Log say when you try to log on? Check both on the server you're trying to log on to as well as both of the DCs (the Kerberos authentication is sent to either one of them).

I'll wait for your return and we'll pick it up again if you still haven't solved it. Hope you're going on vacation, after this you need it :-)
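The three checks from this comment (local Administrators membership, the server's own trust relationship, and the logon failure events) run on the affected member server, as an added example that is not code from the thread. It assumes a local admin session on that server and a placeholder NetBIOS domain name (CORP) to be replaced.

```powershell
# Added example, not code from the thread: run on the member server that rejects
# a Domain Admin logon. Assumes a local admin session and that the NetBIOS
# domain name below is replaced (CORP is a placeholder).
$domainNetbios = 'CORP'   # placeholder

# 1. Is Domain Admins in the local Administrators group? The WinNT ADSI provider
#    is used because 2008 R2 predates Get-LocalGroupMember.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}
"Local Administrators members:"
$members
if ($members -contains "WinNT://$domainNetbios/Domain Admins") {
    "OK: Domain Admins is a member of local Administrators"
} else {
    "MISSING: Domain Admins is not in local Administrators. To restore the default:"
    "  net localgroup Administrators `"$domainNetbios\Domain Admins`" /add"
}

# 2. This server's own secure channel to the domain. The question's error
#    ("does not have a computer account for this workstation trust relationship")
#    is a secure channel whose computer account is absent on the DC that answered.
Test-ComputerSecureChannel -Verbose
nltest "/sc_query:$domainNetbios"

# 3. Failed logons from the last day, with the NTSTATUS codes that say why
#    (event 4625: property 5 = account, 7 = Status, 9 = SubStatus).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Account';   e = { $_.Properties[5].Value } },
        @{ n = 'Status';    e = { '0x{0:X8}' -f $_.Properties[7].Value } },
        @{ n = 'SubStatus'; e = { '0x{0:X8}' -f $_.Properties[9].Value } } |
    Format-Table -AutoSize
```

Run the same event query on both DCs as well, since the comment notes the Kerberos request may have been handled by either one.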

Author Closing Comment

by:Cyber-Storm
Thanks very much for all the assistance.

We haven't resolved the problem yet, but we've learnt a lot through the advice offered to the point whereby we're confident we'll resolve the issues as it appears to be a collection of problems rolled into one.

We have scheduled downtime for the servers in order to resolve the conflict and are also speaking to a MS Specialist to assist us with the problem.