Solved

Password is not getting update on member machines/servers

Posted on 2013-01-08
Last Modified: 2013-01-20
Hi
We have 2 domain controllers running in our domain; 1 domain controller is hung and unreachable for now, however the other one is running.
Now when I'm resetting any user's password on the available domain controller, it's not updating on member servers/machines.
All FSMO roles are running on the available domain controller.
My domain controller is running on 2003 and the member servers are on 2008.

Please help
Question by:pdixit1977
13 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38757948
And you're 100% certain that ALL 5 FSMO roles are on the running server?
Is the "hung" server powered off?
 

Author Comment

by:pdixit1977
ID: 38758017
Yes, I'm 100% sure.

And the other domain controller is in a hung state; I can ping it, but RDP, LDP and other connections could not be made.
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38758042
OK, so ALL 5 FSMO roles already belonged to the server that is still alive, yes?

If the other DC is hung and unusable I would start by switching it off completely or disconnecting it from the network.
 

Author Comment

by:pdixit1977
ID: 38758086
Yes, all 5 FSMO roles are running on the alive server.

The hung server (actually both servers) is lying in a datacenter where no onsite resource is available for the next 7 hours.
 
LVL 26

Expert Comment

by:Leon Fester
ID: 38758381
"Now when I'm resetting any user's password on the available domain controller, it's not updating on member servers/machines."

Not entirely sure if I'm understanding, but in an AD environment all user authentication requests are performed by a domain controller. So any user logging on will need to get their credentials validated by the DC.

Unless you've got passwords saved on your local workstations/servers, in which case you'll need to update them manually.

The fact that you cannot RDP or LDP onto that server doesn't mean it's not answering on other ports, so if that server is discoverable, then your member servers could be waiting on authentication responses which are not working.

Here is a list of ports that you can check for responses:
http://technet.microsoft.com/en-us/library/cc959833.aspx

BUT like NeilSr said, get that hung server switched off.
Did you try a remote shutdown of the "hung" DC?
Run "shutdown /i" from the available DC and enter the details of the other DC.
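The point above, that a DC can still answer ping while accepting nothing else, is easy to verify from any member server. The following PowerShell script is an added example, not code from the thread or from Microsoft; the DC names are placeholders, and the port list is assumed from general Active Directory knowledge rather than taken from the linked Microsoft page.

```powershell
# Added example (not from the thread): check which logon-related TCP ports a
# domain controller actually answers on. A DC that still replies to ICMP but
# completes no TCP handshake shows up as "Ping = True, Open = False" everywhere,
# which is the "hung but discoverable" state described in the thread.
param(
    # Placeholder DC names; replace with your own
    [string[]]$DomainControllers = @('dc1.mydomain.com', 'dc2.mydomain.com'),
    [int]$TimeoutMs = 2000
)

# Ports a member server needs on a DC for logon traffic (assumed, typical values)
$dcPorts = @{
    53  = 'DNS'
    88  = 'Kerberos'
    135 = 'RPC endpoint mapper'
    389 = 'LDAP'
    445 = 'SMB (SYSVOL/Netlogon)'
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A host that is up but hung never completes the handshake, so wait with a timeout
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($dc in $DomainControllers) {
    # ICMP reachability, the only thing the hung DC in the thread still answered
    $icmp = Test-Connection -ComputerName $dc -Count 1 -Quiet -ErrorAction SilentlyContinue
    foreach ($port in ($dcPorts.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            DC      = $dc
            Ping    = $icmp
            Port    = $port
            Service = $dcPorts[$port]
            Open    = Test-TcpPort -ComputerName $dc -Port $port -TimeoutMs $TimeoutMs
        }
    }
}

$results | Sort-Object DC, Port | Format-Table DC, Ping, Port, Service, Open -AutoSize
```

Run it from a member server that is showing the stale-password symptom. A DC row with Ping = True and every port Open = False is not serving logons, and the member server will keep waiting on it until the locator picks another DC or the box is taken off the network.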
 

Author Comment

by:pdixit1977
ID: 38762745
I tried a remote shutdown with various methods, but that server was having a memory leak problem, hence it was not accepting *any* communication on *any* port except ICMP (ping).

For the time being I followed the steps below:
1. Made a hosts file entry on all member servers for the live domain controller, like: 1.1.1.1 (live DC)  mydomain.com
2. Configured a lower weight and priority for the hung DC's SRV record in DNS.
3. Removed the hung DC's IP address from all member servers' DNS IP list in the LAN config.

Users were able to log in with their new/reset password on most servers; however a few were still not working.

Now the hung server has rebooted and the issue is fixed.

BUT I'm really surprised and curious to know why member servers were taking the hung domain controller as their default logon server when:

1. All roles were lying with the live DC.
2. I removed the hung DC from the DNS list in the LAN config.
3. The SRV record for the hung DC was also modified.
 
LVL 26

Expert Comment

by:Leon Fester
ID: 38762775
The domain controller locator in Windows XP and in Windows Server 2003 caches the name of a single domain controller. This client cache is not updated until the targeted domain controller stops responding to locator requests or until the client is restarted. Therefore, the client continues to send domain controller requests to the cached domain controller.

Note: The cached domain controller is selected from the pool of available domain controllers when the DCLocator cache is first populated.

In this scenario, the client cannot update the cached domain controller item even if additional domain controllers or more suitable domain controllers become available.

Taken from:
http://support.microsoft.com/kb/939252
http://technet.microsoft.com/en-us/library/cc978011.aspx
http://support.microsoft.com/kb/247811
 

Author Comment

by:pdixit1977
ID: 38763910
Thanks dvt_localboy.

Is there a way to clear that DCLocator cache without a machine restart?
 
LVL 26

Expert Comment

by:Leon Fester
ID: 38766073
Assuming you can log on to the workstation, you can run: NLTEST /DSGETDC:<newDCname> /force
Alternatively, you can change the value of the logonserver environment variable, also when logged on to the workstation, by running:
set logonserver=\\<newDCname>

But assuming you cannot log on to the server and you want a permanent solution, then have a look at this article:
http://support.microsoft.com/kb/939252/en-us
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38766629
"is there a way to clear that DCLocator cache without machine restart ? "

Note that the hotfix mentioned in those articles DOES require a restart BEFORE it will work.
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 125 total points
ID: 38766850
Absolutely correct, NeilSr.
Looking at the subject of this question, "Password is not getting update on member machines/servers", and the comment from the author (by pdixit1977, posted on 2013-01-10 at 15:39:44, ID: 38762745):
"users were able to login with their new/resetted password on maximum servers however few were still not working."

I must confess I WAS assuming that he was looking for a forward-looking solution that would prevent this condition from occurring again.

If he cannot log on to the workstation/server because the DC is not available, then he cannot use the other solutions, which require you to log on first.

From the KB:
After you install the hotfix, the DNS locator client in Windows XP and in Windows Server 2003 updates its domain controller cache after a default interval. The DNS locator client tries to rediscover a suitable domain controller. The life cycle of a cached entry is controlled by the value of the ForceRediscoveryInterval registry entry.

So while the installation of the hotfix requires a restart, the functionality it introduces is the solution that will clear the DCLocator cache and look for a new DC, thus preventing a recurrence of this issue.

Personally I've never seen this behaviour nor used the hotfix myself, but I hope my logic makes sense.
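The two remedies discussed in this thread, forcing the locator to rediscover with nltest and the ForceRediscoveryInterval value that the KB939252 hotfix introduces, can be checked across a set of member servers from one place. The following PowerShell script is an added example, not code from the thread, from Microsoft or from any of the commenters. The member server names are placeholders, the domain name follows the hosts-file example earlier in the thread, and the Netlogon registry path is the one documented in KB939252 (it is not given on this page), so verify it against the KB for your build.

```powershell
# Added example (not from the thread): for each member server, show which DC the
# Netlogon locator has cached, force a fresh discovery, and read the
# ForceRediscoveryInterval value introduced by the KB939252 hotfix.
param(
    # Placeholder member server names; replace with your own
    [string[]]$MemberServers = @('member01', 'member02'),
    # Domain name as used in the thread's hosts-file example
    [string]$DomainName = 'mydomain.com'
)

$locatorCheck = {
    param($DomainName)

    # Runs nltest /dsgetdc and returns the name from its "DC: \\name" line.
    # nltest /dsgetdc takes the DOMAIN name; /force bypasses the locator cache
    # and makes Netlogon run a fresh DNS/LDAP discovery.
    function Get-LocatorDc([string]$Domain, [switch]$Force) {
        $nlArgs = @("/dsgetdc:$Domain")
        if ($Force) { $nlArgs += '/force' }
        $line = & nltest $nlArgs 2>&1 | Where-Object { $_ -match '^\s*DC:\s*\S+' } | Select-Object -First 1
        if ($line -match '^\s*DC:\s*(\S+)') { $matches[1] } else { 'n/a' }
    }

    $cachedDc = Get-LocatorDc -Domain $DomainName
    $freshDc  = Get-LocatorDc -Domain $DomainName -Force

    # Registry value added by the hotfix (path per KB939252, assumed here);
    # it is absent on builds that never had the hotfix installed
    $netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $props = Get-ItemProperty -Path $netlogonParams -ErrorAction SilentlyContinue
    $interval = if ($props -and $props.PSObject.Properties['ForceRediscoveryInterval']) {
        $props.ForceRediscoveryInterval
    } else { 'not set' }

    New-Object PSObject -Property @{
        Computer             = $env:COMPUTERNAME
        # LOGONSERVER of this remoting session, not of any interactive user
        LogonServerEnv       = $env:LOGONSERVER
        CachedDc             = $cachedDc
        DcAfterForce         = $freshDc
        RediscoveryIntervalS = $interval
    }
}

Invoke-Command -ComputerName $MemberServers -ScriptBlock $locatorCheck -ArgumentList $DomainName |
    Format-Table Computer, LogonServerEnv, CachedDc, DcAfterForce, RediscoveryIntervalS -AutoSize
```

Run it from an administrative workstation with PowerShell remoting enabled on the member servers. A row where CachedDc still names the hung DC but DcAfterForce names the live one shows the locator cache was the problem and that the forced rediscovery cleared it. Note that `set logonserver=...` only changes an environment variable in that one session; the cache being discussed lives in the Netlogon service, which is why the nltest call and the hotfix's rediscovery interval are what actually move a server off a dead DC.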
 
LVL 37

Accepted Solution

by:Neil Russell
Neil Russell earned 125 total points
ID: 38767281
Yes, the logic is fine; I was just pointing out to the OP that the fix still requires a reboot, and that was one of his objections earlier.

Once the server is powered off, as it is now, a simple reboot without the hotfix works for now.

As you say, the hotfix would prevent such an issue in the future should a similar occurrence happen.

I do question the fact that the OP only has 2 DCs and that they are offsite in a datacenter! You really should have a DC locally on site.
 

Author Closing Comment

by:pdixit1977
ID: 38798675
Thanks to both of you for brainstorming on this.