mberryaz asked:

Windows 2003 Secondary DC unable to communicate AD with FMSO DC at other end of WAN

I have a Windows 2003 Secondary DC located in office 2 it also runs Exchange 2003.  Since yesterday it cannot provide shares for users and cannot replicate with DC1 at office 1.  I can communicate with server via ip address (192.168.2.11) and when I ping DC1 using fully qual name (dc1.domain.com) it shows correct address, which reflects DNS Server entry, but if I PING DC1 with just host name (DC1) it shows 192.168.2.119 which is incorrect.  I have checked host files and they do not show that address.
I get several errors in the event log
NTDS KCC 1865
NTDS KCC 1311
multiple KERBEROS 4 events
Userenv 1006 (Windows cannot bind to domain)


This problem is also causing a problem for Exchange System Attendant Service to start, causing Exchange not to function
Tags: Windows Server 2003, Active Directory, Exchange

Last comment: Sandy, 8/22/2022 (Mon)
Manpreet Singh Khatra

If SA isn't starting, what is the error for SA you get in the event logs?
How many DCs are in the local site for Exchange?

- Rancy
mberryaz

ASKER
Two sites, each containing a DC; each site has a global catalog.
MSExchangeSA Event 9098: The MAD Monitoring thread was unable to read its configuration from the DS, error '0x80010002'.
Amit

Do you have any secondary NIC on the Office 2 DC? If so, check it; it might have got registered in DNS, and that could be one reason for this issue.
Manpreet Singh Khatra

Did you rename the domain?
http://support.microsoft.com/kb/327844

Ensure the EDS and EES groups are in the default Users container.
Also, you can try to run /domainprep.

- Rancy
mberryaz

ASKER
No, the domain was not renamed.
Amit

Before you run /domainprep as suggested by Rancy, just run policytest.exe and check the result. If SeSecurityPrivilege shows as not found on the Office 2 DC, then domainprep is required to fix it.
Amit

Any extra NIC?
mberryaz

ASKER
I really do not believe that Exchange is the cause. I believe that there is a larger AD, DNS or authentication issue which is the problem, and Exchange is just a symptom. If DC2 could correctly communicate and replicate with AD on DC1, I believe that the Exchange SA will start.
mberryaz

ASKER
Yes, there are two NICs.
Amit

OK, run "ipconfig /all | more" and post the output here.
mberryaz

ASKER
The second IP on the NIC is not registered in DNS (it had been removed years ago).
mberryaz

ASKER
If I run policytest.exe from DC2 it shows:
DC = "DC2"
In Site = "Phoenix"
Right found: "SeSecurityPrivelege"

DC = "DC1"
In Site = "Denver"
!! LSAOpenPolicy returned error 5 !!!
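A small parser for that policytest.exe output, added here as an example (it is not from the thread or from the tool itself), which turns the per-DC lines into findings; the sample text is constructed from the output quoted above, and the error-5 meaning (ERROR_ACCESS_DENIED) is the standard Win32 code:

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
# Constructed sample modelled on the policytest.exe output quoted in the post.
SAMPLE_OUTPUT = """\
DC = "DC2"
In Site = "Phoenix"
Right found: "SeSecurityPrivilege"

DC = "DC1"
In Site = "Denver"
!! LSAOpenPolicy returned error 5 !!!
"""
@dataclass
class DcResult:
    name: str
    site: str = ""
    right_found: bool = False
    error: Optional[int] = None  # Win32 error code from LSAOpenPolicy, if any

def parse_policytest(text: str) -> List[DcResult]:
    """One record per 'DC = ...' block; the privilege match tolerates typos."""
    results, current = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := re.match(r'DC = "([^"]+)"', line):
            current = DcResult(name=m.group(1))
            results.append(current)
        elif current is None:
            continue
        elif m := re.match(r'In Site = "([^"]+)"', line):
            current.site = m.group(1)
        elif re.search(r'Right found: "SeSecurityPriv\w+"', line):
            current.right_found = True
        elif m := re.search(r"LSAOpenPolicy returned error (\d+)", line):
            current.error = int(m.group(1))
    return results

def diagnose(results: List[DcResult]) -> Dict[str, str]:
    """Error 5 is ERROR_ACCESS_DENIED: that DC's LSA rejected the caller (auth problem)."""
    findings = {}
    for r in results:
        if r.error is not None:
            findings[r.name] = ("access denied opening LSA policy (authentication/trust problem)"
                                if r.error == 5 else f"LSAOpenPolicy failed with error {r.error}")
        elif not r.right_found:
            findings[r.name] = "SeSecurityPrivilege not found (run /domainprep)"
        else:
            findings[r.name] = "ok"
    return findings
```

On the thread's output the DC2 record is "ok" while DC1 is flagged as an access-denied (authentication) failure rather than a missing privilege, which matches the asker's view that the underlying problem is AD/DNS/authentication, not Exchange.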
mberryaz

ASKER
Basically, all computers connecting to DC2 cannot access shares, and on one Windows 2008 RDP server users get authentication issues when trying to log on, since it attaches to that local DC. This cannot be just an Exchange issue.
Amit

Anything you disabled recently, like IPv6 or the firewall? Check that all automatic services are running on the DC.
mberryaz

ASKER
Microsoft .NET Framework NGEN v4.0.30319_X86
Microsoft Exchange System Attendant
Microsoft Exchange Information Store

Those are not running.
Amit

Computer Browser service is running; I might suggest doing a reboot.
mberryaz

ASKER
Computer Browser is running; I've rebooted several times.
Manpreet Singh Khatra

Is the DC with the FSMO roles not contactable, or not on the same site as Exchange?

- Rancy
mberryaz

ASKER
I can ping and access DC1 (the one with the FSMO roles) and can access shares via IP address, but cannot access shares using the host name \\DC1. It says "\\DC1 is not accessible. Logon Failure: The target account name is incorrect."
The name \\DC1 correctly resolves to the IP address.
Manpreet Singh Khatra

The reason I asked is, if it's a FSMO issue, why not transfer the roles to DC2 and get Exchange running, and then check what the AD or DNS side issue is?

- Rancy
mberryaz

ASKER
Because I need the server at the other site to hold those roles.
ASKER CERTIFIED SOLUTION
Leon Fester

compdigit44

In your original post you stated that for two days you haven't been able to access shares on DC1. Was anything changed on the server? Configuration, Windows updates, AV, etc.

Is the time on the server correct?
In DNS, are all of the necessary AD DNS records in place?
When you view the sysvol/netlogon share on DC1, does it contain all of the same files and correct timestamps as the sysvol share on DC2?
Have you tried installing the MSBPA for AD to help troubleshoot the issue further? http://technet.microsoft.com/en-us/library/dd378893(v=ws.10).aspx
Sandy

Check the AD partition status from replmon.