Solved

Domain Controller Can't Authenticate against itself

Posted on 2012-04-04
14
4,217 Views
Last Modified: 2012-06-13
I have two Server 2003 Domain Controllers. One has all of the FSMO roles (DC1) and one is just a standalone Domain Controller (DC2) with no FSMO roles. I shutdown the standalone Domain Controller (DC2). When I try and RDP into the DC with all of the FSMO roles (as confirmed with the netdom /query fsmo command) it gives me the following error:

"The system cannot log you on due to the following error:
The specified domain either does not exist or could not be contacted.

Please try again or consult your system administrator."

Another symptom is in trying to create a share on another box and in trying to find active directory objects, it couldn't find them, only local computer users.

Looking through the event log there's nothing serious recently.

Thanks, Jonathan
0
Question by:RFVDB
14 Comments
 
LVL 6

Expert Comment

by:emadallan
ID: 37805501
0
 
LVL 10

Expert Comment

by:Prashant Girennavar
ID: 37805511
First you will have to check, by default, which domain controller a client system is contacting.

To determine a DC within the set of DCs in the client's AD site that could authenticate/service the client:

• NLTEST /DSGETDC:<FQDN DOMAIN>

Also, do you have any sites and subnets configured in your environment? Explain.

Refer to the links below to understand the DC locator process which is performed by clients.

http://blogs.dirteam.com/blogs/jorge/archive/2007/07/02/dc-locator-process-in-w2k-w2k3-r2-and-w2k8-part-1.aspx

http://blogs.dirteam.com/blogs/jorge/archive/2007/07/02/dc-locator-process-in-w2k-w2k3-r2-and-w2k8-part-2.aspx

http://blogs.dirteam.com/blogs/jorge/archive/2007/07/02/dc-locator-process-in-w2k-w2k3-r2-and-w2k8-part-3.aspx

Regards,

_Prashant_
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 37805516
Is DC1 also a Global Catalog server? It MUST be a GC to authenticate logins.
0
 
LVL 21

Expert Comment

by:motnahp00
ID: 37805520
Are you even seeing the OM roles from DC2?

netdom query fsmo

Do you have DC1's ip address as a DNS entry?
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 37805929
Is that server functioning correctly?
For all you know the netlogon service is not running or something.

Access the server with the FSMO roles and then run a dcdiag. You'd probably have to switch on the other DC again.
Then run dcdiag /v to check for errors.

Preferably run it on both DCs.
0
 

Author Comment

by:RFVDB
ID: 37808006
Thanks for the rapid response. I checked the netlogon service and its running. Both servers are GCs.

The dcdiag did come up with a couple of errors. I did both commands on both servers. Please see attached.
DC1cdiagv.log
DC1dcdiag.log
DC2dcdiag.log
DC2dcdiagv.log
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 37809819
For FILESERVER
Move FILESERVER to the Domain Controllers OU
Run IPCONFIG /registerdns
Run nltest /dsregdns
w32tm /config /update /syncfromflags:domhier /reliable:yes

For COLO1
Move COLO1 to the Domain Controllers OU

The Domain Controllers OU has specific GPOs and settings that relate to controlling permissions on these types of servers.
Hence it is recommended to run DCs with no additional roles/applications.

Once you've moved the servers to the Domain Controllers OU, you'll need to run the following in a CMD prompt on both servers:
GPUPDATE /force
Note: you may need to restart the DCs. It won't automatically restart; just run the command and check the reply. Restart them if required.

If no restart is required then run "repadmin /syncall" on both DCs.

Wait 15 minutes, then check the results of "repadmin /showrepl".
You don't want to see any failed replications.

If errors persist then re-run the dcdiags and post the results.

Alternatively, check the solution provided for re-initializing SYSVOL replication:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24323148.html
0

 

Author Comment

by:RFVDB
ID: 37931267
Hi dvt_localboy,

Thanks for the comprehensive answer. I just went on a long vacation as you answered and just came back. Will be reviewing this in the next couple of days and will then get back to you.

Best, Jonathan
0
 

Author Comment

by:RFVDB
ID: 37937534
Hi dvt_localboy,

The above handlings didn't fix the issue. So instead of messing around with it, since I was migrating this environment to VMware anyhow, I decided to upgrade and set up a 2008R2 domain controller. I upgraded Active Directory as needed to implement the 2008R2 DC, which it did successfully, and set up a 2008R2 DC with DNS.

When running dcdiag on the new 2008 DC server, however, it came up with a couple of errors, even though it will replicate successfully with Colo1.

DCDIAG: "   Testing server: BaxterSF\DC1
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\colo1.BaxterResearch.net, when we were trying to reach DC1.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... DC1 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems."

AND: "      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00000018
            Time Generated: 05/05/2012   11:22:19
            Event String:
            Time Provider NtpClient: No valid response has been received from domain controller colo1.BaxterResearch.net after 8 attempts to contact it. This domain controller will be discarded as a time source and NtpClient will attempt to discover a new domain controller from which to synchronize. The error was: The peer is unreachable."



It's saying that there are Sysvol problems. Running "net share" shows that there's no "netlogon" or "sysvol" share on the new 2008R2 DC named DC1:

"Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
The command completed successfully."


Looking into the event viewer shows no errors relating to sysvol or netlogon not being available or shared - which seems very strange to me as from what I understand, these are needed for a DC to function?

Attached are the dcdiag and dcdiag /v for the current 2003 DC and the new 2008R2 DC.

I want to move away from the 2003 DCs but need to have functioning 2008R2 DCs before I can correctly migrate the FSMO roles and decommission the 2003 DCs. Thanks!

- Jonathan
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 37937636
I hate you for going on vacation! LOL j/king
Hope you had a good time and got lots of rest.

I get your idea about installing the new DC...but while there is still a problem with the old DC, it may not be able to finalize the initial replication.

N.B. Only after the initial replication has finished will the SYSVOL and NETLOGON shares be available.

You need to double check the configuration for colo1.
You can run nltest /dsregdns to re-register all DNS entries for colo1.

You can verify the SRV records for all your DCs:
http://support.microsoft.com/kb/816587

You can then manually create records if it wasn't successful using the nltest commands.

If colo1 is still giving issues, then maybe move all the FSMO roles to the other W2K3 DC and then demote colo1.

Do you know what other roles are installed on colo1? e.g. DNS, DHCP, WINS, etc?
Those will need to be moved before you demote colo1.
0
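Added example, not from the thread: a read-only PowerShell check that runs the nltest /dsgetdc lookup, the GC check, the SRV-record verification from KB 816587 and the SYSVOL/NETLOGON share check from the posts above in one pass, so the result can be compared across all DCs before any re-registration. The domain and DC names are placeholders; Resolve-DnsName assumes the DnsClient module (Windows 8 / Server 2012 or later, or RSAT on an admin workstation), and the _gc record check assumes every DC is a GC, as in this thread.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
param(
    [string]$Domain        = 'corp.example',     # placeholder: your AD DNS domain name
    [string[]]$ExpectedDCs = @('dc1', 'dc2')     # placeholder: hostnames of every DC that should be in DNS
)

function Get-LocatorDc {
    # Wraps "nltest /dsgetdc:<domain>" and returns the DC it chose plus its capability flags.
    param([string]$Domain)
    $out = & nltest.exe "/dsgetdc:$Domain" 2>&1
    $result = [ordered]@{ DC = $null; Flags = @(); Raw = ($out -join "`n") }
    foreach ($line in $out) {
        if ($line -match '^\s*DC:\s*\\\\(\S+)') { $result.DC    = $Matches[1] }
        if ($line -match '^\s*Flags:\s*(.+)$')  { $result.Flags = $Matches[1] -split '\s+' }
    }
    return [pscustomobject]$result
}

function Get-DcSrvRecords {
    # Resolves the locator SRV records listed in KB 816587. AllDCs marks records that
    # should name every DC; the pdc record names only the PDC emulator.
    param([string]$Domain)
    $wanted = @(
        @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     AllDCs = $true  },
        @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; AllDCs = $true  },
        @{ Name = "_gc._tcp.$Domain";                 AllDCs = $true  },   # assumes every DC is a GC
        @{ Name = "_ldap._tcp.pdc._msdcs.$Domain";    AllDCs = $false }
    )
    foreach ($w in $wanted) {
        $records = Resolve-DnsName -Name $w.Name -Type SRV -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{
            Record  = $w.Name
            AllDCs  = $w.AllDCs
            Targets = @($records | ForEach-Object { $_.NameTarget.ToLower().TrimEnd('.') })
        }
    }
}

function Test-DcShares {
    # A DC is not usable for logon until SYSVOL and NETLOGON are shared; the thread's
    # new DC1 showed neither in "net share".
    param([string]$ComputerName)
    $names = Get-WmiObject -Class Win32_Share -ComputerName $ComputerName -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Name.ToUpper() }
    [pscustomobject]@{
        DC       = $ComputerName
        SYSVOL   = ($names -contains 'SYSVOL')
        NETLOGON = ($names -contains 'NETLOGON')
    }
}

# --- 1. which DC does the locator pick, and what does it advertise? ---
$loc = Get-LocatorDc -Domain $Domain
if (-not $loc.DC) {
    Write-Warning "nltest found no DC for $Domain (the 'domain does not exist or could not be contacted' case):`n$($loc.Raw)"
} else {
    Write-Host "Locator chose $($loc.DC) with flags: $($loc.Flags -join ' ')"
    if ($loc.Flags -notcontains 'GC')       { Write-Warning "$($loc.DC) is not advertising as a Global Catalog" }
    if ($loc.Flags -notcontains 'TIMESERV') { Write-Warning "$($loc.DC) is not advertising as a time source" }
}

# --- 2. are the SRV records registered for every expected DC? ---
foreach ($srv in Get-DcSrvRecords -Domain $Domain) {
    if ($srv.Targets.Count -eq 0) { Write-Warning "$($srv.Record): no SRV records found"; continue }
    $missing = @()
    if ($srv.AllDCs) {
        foreach ($dc in $ExpectedDCs) {
            if (-not ($srv.Targets | Where-Object { $_ -like "$dc.*" })) { $missing += $dc }
        }
    }
    if ($missing.Count -gt 0) {
        Write-Warning "$($srv.Record): not registered for $($missing -join ', ') (nltest /dsregdns on that DC re-registers it)"
    } else {
        Write-Host "$($srv.Record): OK -> $($srv.Targets -join ', ')"
    }
}

# --- 3. are SYSVOL and NETLOGON shared on every DC? ---
foreach ($dc in $ExpectedDCs) {
    $s = Test-DcShares -ComputerName $dc
    if ($s.SYSVOL -and $s.NETLOGON) { Write-Host "$dc : SYSVOL and NETLOGON shared" }
    else { Write-Warning "$dc : SYSVOL shared=$($s.SYSVOL) NETLOGON shared=$($s.NETLOGON)" }
}
```

Running it against the thread's situation would flag the locator answering with colo1 while DC1 and fileserver are missing from the share check, which is the same picture dcdiag's Advertising and FrsEvent tests give, but per DC and without needing to read the log files.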
 

Author Comment

by:RFVDB
ID: 37958316
I ran nltest /dsregdns and checked the SRV records. All good. Still no go.

The problem with the 2nd W2K3 DC (fileserver) is that it also doesn't have the sysvol and netlogon shares, only colo1 does. Colo1 has all of the FSMO roles and a functioning sysvol and netlogon share. So I can't migrate to the 2nd W2K3 server.

All DCs have the DNS roles. Colo1 also has the RRAS for VPN access setup.

Jonathan
0
 

Accepted Solution

by:
RFVDB earned 0 total points
ID: 38062959
I opened up a case with Microsoft and this fixed the problem of the netlogon and sysvol share not replicating to the other domain controllers:

1) Disable and stop the FRS service.
2) Back up WINDOWS\SYSVOL\sysvol\BaxterResearch.net\ (the folders within).
3) Change the following on the DC that does have the netlogon and sysvol share: hklm\system\currentcontrolset\services\ntfrs\parameters\backup/restore\process at startup\BurFlags - change to D2
4) Change the following on the other DCs that can't get the netlogon and sysvol share replicated to them: hklm\system\currentcontrolset\services\ntfrs\parameters\backup/restore\process at startup\BurFlags - change to D4
5) Enable and start the FRS service.
6) Wait for a while, maybe 30 mins or so, for correct replication and run net share and dcdiag on your other servers; you'll see the netlogon and sysvol share show up and dcdiag will no longer show the same errors. The event log will show Event 13516 showing correct FRS replication.
0
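Added example, not from the thread or from Microsoft's support case: the FRS reinitialisation steps above as one PowerShell script to run elevated on each DC in turn, passing the BurFlags value the steps assign to that DC, with the SYSVOL backup taken before the key is changed and the event 13516 wait afterwards. The backup root and wait time are placeholders. Microsoft's FRS documentation (KB 290762) describes D4 as the authoritative and D2 as the non-authoritative setting, so confirm which DC is meant to be the copy source before running it.

```powershell
# Added example (not from the thread). Run elevated on one DC at a time.
param(
    [Parameter(Mandatory = $true)][ValidateSet('D2', 'D4')]
    [string]$BurFlags,
    [string]$SysvolPath = (Join-Path $env:SystemRoot 'SYSVOL\sysvol'),   # holds the <domain>\ folder from step 2
    [string]$BackupRoot = (Join-Path $env:SystemDrive 'SysvolBackup'),   # placeholder backup location
    [int]$WaitMinutes   = 30                                             # "30 mins or so" from step 6
)

# Registry key from steps 3/4. .NET is used rather than the HKLM: provider because the
# provider would read the "/" in "Backup/Restore" as a path separator.
$FrsKeyPath = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Backup-Sysvol {
    # Step 2: copy SYSVOL aside, keeping NTFS ACLs (/COPYALL). robocopy exit codes below 8 mean no failures.
    param([string]$Source, [string]$Root)
    $dest = Join-Path $Root ('sysvol-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    & robocopy.exe $Source $dest /E /COPYALL /R:1 /W:1 /NFL /NDL | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "SYSVOL backup to $dest failed (robocopy exit $LASTEXITCODE)" }
    return $dest
}

function Set-FrsBurFlags {
    # Steps 3/4: write BurFlags as a DWORD (0xD2 or 0xD4) and return what is now stored.
    param([ValidateSet('D2', 'D4')][string]$Hex)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($FrsKeyPath, $true)
    if (-not $key) { throw "HKLM\$FrsKeyPath not found; is FRS (NtFrs) installed on this DC?" }
    try {
        $key.SetValue('BurFlags', [Convert]::ToInt32($Hex, 16), [Microsoft.Win32.RegistryValueKind]::DWord)
        return ('0x{0:X}' -f $key.GetValue('BurFlags'))
    } finally { $key.Close() }
}

function Wait-FrsReplicationEvent {
    # Step 6: event 13516 from NtFrs reports that SYSVOL is initialised and shared.
    param([datetime]$Since, [int]$TimeoutMinutes)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $ev = Get-EventLog -LogName 'File Replication Service' -After $Since -ErrorAction SilentlyContinue |
              Where-Object { $_.EventID -eq 13516 } | Select-Object -First 1
        if ($ev) { return $ev }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $null
}

function Get-DcShareState {
    # The "net share" check from step 6, via WMI.
    $names = Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name.ToUpper() }
    [pscustomobject]@{ SYSVOL = ($names -contains 'SYSVOL'); NETLOGON = ($names -contains 'NETLOGON') }
}

# --- steps 1 to 5 ---
$started = Get-Date
Set-Service -Name NtFrs -StartupType Disabled            # 1) disable ...
Stop-Service -Name NtFrs -Force                          #    ... and stop FRS
$backup = Backup-Sysvol -Source $SysvolPath -Root $BackupRoot
Write-Host "2) SYSVOL backed up to $backup"
Write-Host "3/4) BurFlags now $(Set-FrsBurFlags -Hex $BurFlags)"
Set-Service -Name NtFrs -StartupType Automatic           # 5) enable ...
Start-Service -Name NtFrs                                #    ... and start FRS

# --- step 6: wait for FRS to report success, then confirm the shares ---
$ev = Wait-FrsReplicationEvent -Since $started -TimeoutMinutes $WaitMinutes
if ($ev) { Write-Host "Event 13516 logged at $($ev.TimeGenerated): FRS reports SYSVOL initialised" }
else     { Write-Warning "No event 13516 within $WaitMinutes minutes; review the File Replication Service log before retrying" }
$shares = Get-DcShareState
Write-Host "Shares: SYSVOL=$($shares.SYSVOL) NETLOGON=$($shares.NETLOGON)"
```

FRS clears BurFlags back to 0 once it has processed the restart, so a second run of the script on the same DC starts from a clean key; the backup copy is what you fall back to if the DC chosen as the source turns out not to hold the policies you expected.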
 
LVL 26

Expert Comment

by:Leon Fester
ID: 38062988
Microsoft showed you how to do an authoritative restore.

Have a look at the link suggested by dvt_localboy, posted on 2012-04-05 at 07:43:10, ID: 37809819.
It discusses the same solution...

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24323148.html
0
 

Author Closing Comment

by:RFVDB
ID: 38077933
I contacted Microsoft and had them assist me in implementing the correct solution which immediately fixed the problem.
0
