Password is not getting updated on member machines/servers

Hi,
We have 2 domain controllers running in our domain. One domain controller is hung and unreachable for now; however, the other one is running.
Now when I'm resetting any user's password on the available domain controller, it's not updating on member servers/machines.
All FSMO roles are running on the available domain controller.
My domain controller is running on 2003 and member servers are on 2008.

Please help.
pdixit1977 asked:
Neil Russell (Technical Development Lead) commented:
Yes, the logic is fine. I was just pointing out to the OP that the fix still requires a reboot, and that was one of his objections earlier.

Once the server is powered off, as it is now, a simple reboot without the hotfix works for now.

As you say, the hotfix would prevent such an issue in the future should a similar occurrence happen.

I do question the fact that the OP only has 2 DCs and that they are offsite in a datacenter! You really should have a DC locally on site.
0
 
Neil Russell (Technical Development Lead) commented:
And you're 100% certain that ALL 5 FSMO roles are on the running server?
Is the "hung" server powered off?
0
 
pdixit1977 (Author) commented:
Yes, I'm 100% sure.

And the other domain controller is in a hung state: I can ping it, but RDP, LDP and other connections could not be made.
0
Neil Russell (Technical Development Lead) commented:
OK, so ALL 5 FSMO roles already belonged to the server that is still alive, yes?

If the other DC is hung and unusable I would start by switching it off completely or disconnecting it from the network.
0
 
pdixit1977 (Author) commented:
Yes, all 5 FSMO roles are running on the alive server.

The hung server (actually both servers) is sitting in a datacenter where no onsite resource is available for the next 7 hours.
0
 
Leon Fester (Senior Solutions Architect) commented:
"Now when I'm resetting any user's password on the available domain controller, it's not updating on member servers/machines."

Not entirely sure if I'm understanding, but in an AD environment all user authentication requests are performed by a domain controller. So any user logging on will need to get his credentials validated by the DC.

Unless you've got passwords saved on your local workstations/servers, then you'll need to update them manually.

The fact that you cannot RDP or LDP onto that server doesn't mean it's not answering other ports, so if that server is discoverable, then your member servers could be waiting on authentication responses which are not working.

Here is a list of ports that you can check for responses.
http://technet.microsoft.com/en-us/library/cc959833.aspx

BUT like NeilSr said, get that hung server switched off.
Did you try a remote shutdown of the "hung" DC?
Run "shutdown /i" from the available DC and enter the details of the other DC.
0
 
pdixit1977 (Author) commented:
I tried a remote shutdown with various methods, but that server was having a memory leak problem, hence it was not accepting *any* communication on *any* port except ICMP (ping).

For the time being I followed the steps below.
1. Made a hosts file entry on all member servers for the live domain controller, like: 1.1.1.1 (live DC)  mydomain.com
2. Configured a lower weight and priority for the hung DC's SRV record in DNS.
3. Removed the hung DC's IP address from the DNS server list in the LAN config of all member servers.

Users were able to log in with their new/reset password on most servers; however, a few were still not working.

Now the hung server has rebooted and the issue is fixed.

BUT I am really surprised and curious to know why member servers were taking the hung domain controller as their default logon server when

1. all roles were with the live DC.
2. I removed the hung DC from the DNS list in the LAN config.
3. The SRV record for the hung DC was also modified.
0
 
Leon Fester (Senior Solutions Architect) commented:
The domain controller locator in Windows XP and in Windows Server 2003 caches the name of a single domain controller. This client cache is not updated until the targeted domain controller stops responding to locator requests or until the client is restarted. Therefore, the client continues to send domain controller requests to the cached domain controller.

Note The cached domain controller is selected from the pool of available domain controllers when the DCLocator cache is first populated.

In this scenario, the client cannot update the cached domain controller item even if additional domain controllers or more suitable domain controllers become available.

Taken from:
http://support.microsoft.com/kb/939252
http://technet.microsoft.com/en-us/library/cc978011.aspx
http://support.microsoft.com/kb/247811
0
 
pdixit1977 (Author) commented:
Thanks dvt_localboy.

Is there a way to clear that DCLocator cache without a machine restart?
0
 
Leon Fester (Senior Solutions Architect) commented:
Assuming you can log on to the workstation, you can run: NLTEST /DSGETDC:<newDCname> /force
Alternatively, you can change the value of the logonserver environment variable, also when logged onto the workstation, by running:
set logonserver=\\<newDCname>

But assuming you cannot log on to the server and you want a permanent solution, then have a look at this article:
http://support.microsoft.com/kb/939252/en-us
0
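The checks and the cache flush discussed in this thread, as an added example that is not part of the original posts. It is a PowerShell script for a 2008 member server that reports the cached logon server, tests that DC on the authentication ports (not just ICMP, which is exactly what fooled the OP's hung DC), and only then forces DC Locator rediscovery. The domain name `mydomain.com` and the DC name `DC01` are placeholder assumptions; `nltest /dsgetdc` takes the domain name, and `nltest /sc_reset` re-points the secure channel at a specific DC.

```powershell
# Added example (not from the original thread). Assumed placeholder values below.
param(
    [string]$Domain      = 'mydomain.com',        # assumption: the AD domain
    [string]$PreferredDc = 'DC01.mydomain.com'    # assumption: the known-good live DC
)

# Ports a DC must answer for logon traffic; a DC that only answers ICMP fails these.
$AdPorts = @{ 'LDAP' = 389; 'Kerberos' = 88; 'SMB' = 445; 'RPC endpoint mapper' = 135 }

function Test-DcPorts {
    param([string]$DcName)
    $result = @{}
    foreach ($svc in $AdPorts.Keys) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            # 2-second TCP connect; works on Server 2008 without Test-NetConnection
            $ar = $tcp.BeginConnect($DcName, $AdPorts[$svc], $null, $null)
            $result[$svc] = $ar.AsyncWaitHandle.WaitOne(2000) -and $tcp.Connected
        } catch { $result[$svc] = $false }
        finally { $tcp.Close() }
    }
    return $result
}

# 1. Which DC does this member server currently have cached?
$cached = $env:LOGONSERVER.TrimStart('\')
Write-Host "Cached logon server: $cached"
nltest /dsgetdc:$Domain | Write-Host

# 2. Probe the cached DC on the real authentication ports.
$ports = Test-DcPorts -DcName $cached
foreach ($entry in $ports.GetEnumerator()) {
    $state = if ($entry.Value) { 'open' } else { 'NO RESPONSE' }
    Write-Host ("{0,-20} {1}" -f $entry.Key, $state)
}

# 3. If it fails, flush the locator cache, rediscover, and reset the secure channel
#    to the live DC. Run elevated on the member server; no reboot required.
if ($ports.Values -contains $false) {
    Write-Warning "Cached DC $cached is not fully reachable; forcing rediscovery."
    nltest /dsgetdc:$Domain /force
    nltest /sc_reset:$Domain\$PreferredDc
}
```

Run it under an account that is already logged on to the member server; as Neil notes further down, a machine that cannot log on at all still needs the KB 939252 hotfix and a reboot.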
 
Neil Russell (Technical Development Lead) commented:
"Is there a way to clear that DCLocator cache without a machine restart?"

Note that the hotfix mentioned in those articles DOES require a restart BEFORE it will work.
0
 
Leon Fester (Senior Solutions Architect) commented:
Absolutely correct, Neilsr.
Looking at the subject of this question, "Password is not getting update on member machines/servers", and the comment from the author (by pdixit1977, posted on 2013-01-10 at 15:39:44, ID: 38762745):
"users were able to login with their new/resetted password on maximum servers however few were still not working."

I must confess I WAS assuming that he was looking for a forward-looking solution that would prevent this condition from occurring again.

If he cannot log on to the workstation/server because the DC is not available, then he cannot use the other solutions, which require you to log on first.

From the KB:
After you install the hotfix, the DNS locator client in Windows XP and in Windows Server 2003 updates its domain controller cache after a default interval. The DNS locator client tries to rediscover a suitable domain controller. The life cycle of a cached entry is controlled by the value of the ForceRediscoveryInterval registry entry.

So while the installation of the hotfix requires a restart, the functionality it introduces is the solution that will clear the DCLocator cache and look for a new DC, thus preventing a recurrence of this issue.

Personally I've never seen this behaviour nor used the hotfix myself, but I hope my logic makes sense.
0
 
pdixit1977 (Author) commented:
Thanks to both of you for brainstorming on this.
0