?
Solved

Active Directory changes not updating

Posted on 2011-03-03
4
Medium Priority
?
652 Views
Last Modified: 2012-05-11
We are running Windows Small Business Server 2003 SP2 and a new user that I created in AD can't log on.  It looks like my user was created correctly, but AD is not updating something.

When I try and log on I get the message "The system could not log you on.  Make sure your User name and domain are correct, then type your password again.  Letters in passwords must be typed using the correct case" as if they didn't exist.

I created the new user by copying a user that had been disabled, but I know I unchecked the box during the copy for User is Disabled.

Then I deleted the new user and copied from an existing user that was not disabled and got the same message as if the account didn't exist.

Then I took a user account that was disabled, re-enabled it and set a new password and tried to log in with that, but it says "Your account has been disabled.  Please see your system administrator"

Any ideas as to what might be going on?
0
Comment
Question by:LogisticsOne
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 21

Expert Comment

by:snusgubben
ID: 35030984
A dcdiag is alway a good place to start.
0
 
LVL 1

Author Comment

by:LogisticsOne
ID: 35031698
Just did the dcdiag.  Received the following info:
---------------------------------
Doing primary tests

   Testing server: Default-First-Site-Name\PRISRVR
      Starting test: Replications
         [Replications Check,PRISRVR] A recent replication attempt failed:
            From BKUPSRVR to PRISRVR
            Naming Context: DC=XXXXXXXXXXX,DC=local
            The replication generated an error (8614):
            The Active Directory cannot replicate with this server because the t
ime since the last replication with this server has exceeded the tombstone lifet
ime.
            The failure occurred at 2011-03-03 16:21:18.
            The last success occurred at 2010-08-17 11:14:04.
            327500 failures have occurred since the last success.
         REPLICATION-RECEIVED LATENCY WARNING
         PRISRVR:  Current time is 2011-03-03 16:23:02.
            DC=XXXXXXXXXX,DC=local
               Last replication recieved from BKUPSRVR at 2009-01-01 11:14:04.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
------------------------------------------
Now the weird thing is that we disabled a user last friday and that user was successfully disabled on both the primary and backup Doman controllers.  We have also created users within the past month and had no problems (and both DC have the same user information, except for this most recently added user), so I don't know if the above error is the true problem, it's a red herring, or it's indicative of a bigger issue that has all of a sudden cropped up.
0
 
LVL 21

Accepted Solution

by:
snusgubben earned 2000 total points
ID: 35031808
When a DC becomes tombstoned it will not replicate. Simple as that.

I would recomend you to clean out the tombstoned DC, rebuild it and add it back in as a DC. Then verify that you don't have any DNS/communication issues.

dcpromo /forceremoval (on the tombstoned DC. It will be placed in a workgroup)

Run a metadata cleanup on the remaining DC to remove the tombstoned DC out of you domain:

http://www.petri.co.il/delete_failed_dcs_from_ad.htm
0
 
LVL 1

Author Comment

by:LogisticsOne
ID: 35059950
The question is somewhat misleading, our real problem is we have our main SBS and a backup domain controller on another server and they stopped communicating.  

For this one, we ended up calling Microsoft and I wasn't in on the repair but the technician demoted our backup DC, did something to it and then added it back in. Our guy who actually worked on it with the tech apparently logged the tech into his machine and went home so I don't know the details and he doesn't either, but essentially we paid Microsoft $300 to pretty much do what snusgubben recommended.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
A hard and fast method for reducing Active Directory Administrators members.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question