• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 254
  • Last Modified:

Password is not getting update on member machines/servers

Hi
we have 2 domain controller running in our domain, 1 domain controller is hung and unreachable for now however other one is running.
Now when i m resetting any users password on available domain controller, its not updating on member servers/machines.
All FSMO roles are running on available domain controller.
My domain controller is running on 2003 and member servers are on 2008

Please help
0
pdixit1977
Asked:
pdixit1977
  • 5
  • 4
  • 4
2 Solutions
 
Neil RussellTechnical Development LeadCommented:
And your 100% certain that ALL 5 FSMO roles are on the running server?
Is the "Hung" server powerd off?
0
 
pdixit1977Author Commented:
Yes, i m 100% sure.

and the other domain controller is in hung state, i can ping it but RDP. LDP and other connections could not made.
0
 
Neil RussellTechnical Development LeadCommented:
OK so ALL 5 FSMO roles already belonged to the server that is still alive yes?

If the other DC is hung and unusable I would start by switching it off completely or disconnecting it from the network.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
pdixit1977Author Commented:
yes all 5 FSMO running on alive server..

Hung server (actually both servers) is lying in datacenter where no onsite resource is available till next 7 hours.
0
 
Leon FesterIT Project Change ManagerCommented:
Now when i m resetting any users password on available domain controller, its not updating on member servers/machines.

Not entirely sure if I'm understanding, but in AD environment all user authentication requests are performed by a domain controller. So any user logging on will need to get to his credentials validated by the DC.

Unless you've got passwords saved on your local workstations/servers, then you'll need to update them manually.

The fact that you cannot RDP or LDP onto that server, doesn't mean it's not answering other ports, so if that server is discoverable, then your member servers could be waiting on authentication responses which are not work.

Here is  a list of ports that you can check for responses.
http://technet.microsoft.com/en-us/library/cc959833.aspx

BUT like NeilSr said, get that hung server switched off.
Did you try a remote shutdown of the "hung" DC?
run: "shutdown /i" from the available DC an enter the details of the other DC.
0
 
pdixit1977Author Commented:
I tried remote shutdown with various method but that server was having memory leak problem hence it was not accepting *any* communication on *any* port except ICMP (Ping).

For time being i followed below steps.
1. made host file entry in all member servers to the live domain controller like1.1.1.1 (live DC)  mydomain.com
2. configure lower weight and priority for hung DC SRV record on DNS.
3. Remove hung DC's IP address from all member servers DNS IP from LAN config

users were able to login with their new/resetted password on maximum servers however few were still not working.

Now the hung server has rebooted and issue is fixed.

BUT i really surprised and curious to know why member servers was taking hung domain controller as their default logonserver when

1. all roles were lying with live DC.
2. I remove hung DC from DNS list in LAN config.
3. SRV for hung DC was also modified.
0
 
Leon FesterIT Project Change ManagerCommented:
The domain controller locator in Windows XP and in Windows Server 2003 caches the name of a single domain controller. This client cache is not updated until the targeted domain controller stops responding to locator requests or until the client is restarted. Therefore, the client continues to send domain controller requests to the cached domain controller.

Note The cached domain controller is selected from the pool of available domain controllers when the DCLocator cache is first populated.

In this scenario, the client cannot update the cached domain controller item even if additional domain controllers or more suitable domain controllers become available.

Taken from:
http://support.microsoft.com/kb/939252
http://technet.microsoft.com/en-us/library/cc978011.aspx
http://support.microsoft.com/kb/247811
0
 
pdixit1977Author Commented:
thanks dvt_localboy.

is there a way to clear that DCLocator cache without machine restart ?
0
 
Leon FesterIT Project Change ManagerCommented:
Assuming you can logon to the workstation, you can run: NLTEST /DSGETDC:<newDCname> /force
alternatively, you can change the value of the logonserver environment variable, also when logged onto the workstation by running:
set logonserver=\\<newDCname>

But assuming you cannot logon to the server and you want a permanent solution then have a look at this article:
http://support.microsoft.com/kb/939252/en-us
0
 
Neil RussellTechnical Development LeadCommented:
"is there a way to clear that DCLocator cache without machine restart ? "

Note that the hotfix mention in those articles DOES require a restart BEFORE it will work.
0
 
Leon FesterIT Project Change ManagerCommented:
Absolutely correct Neilsr.
Looking at the subject of this question "Password is not getting update on member machines/servers" and the commest from the author: by: pdixit1977Posted on 2013-01-10 at 15:39:44ID: 38762745
"users were able to login with their new/resetted password on maximum servers however few were still not working."

I must confess I'm WAS assuming that he was looking for a forward looking solution that would prevent this condition from occurring again.

If he cannot logon to the workstation/server because the DC is not available then he cannot use the other solutions, which  require you to logon first.

From the KB:
After you install the hotfix, the DNS locator client in Windows XP and in Windows Server 2003 updates its domain controller cache after a default interval. The DNS locator client tries to rediscover a suitable domain controller. The life cycle of a cached entry is controlled by the value of the ForceRediscoveryInterval registry entry

So while the installation of the hotfix requires a restart the functionality it introduces is the solution that will clear the DCLocator cache and look for  a new DC, thus preventing a re-occurence of this issue.

Personally I've never seen this behaviour nor used the hotfix myself but I hope my logic make sense.
0
 
Neil RussellTechnical Development LeadCommented:
Yes logic is fine, I was just pointing out to the OP that the fix still requires a reboot, and that was one of his objections earlier.

Once the server is powered off, as it is now, a simple reboot without the hotfix works for now.

As you say, the hotfix would prevent such an issue in the future should a simular occurance happen.

I do question the fact that the OP only has 2 DC's and that they are offsite in a datacenter! You really should have a DC locally on site.
0
 
pdixit1977Author Commented:
Thanks to both of you for brainstorming on this..
0

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

  • 5
  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now