Solved

Password is not getting updated on member machines/servers

Posted on 2013-01-08
245 Views
Last Modified: 2013-01-20
Hi
We have 2 domain controllers running in our domain; 1 domain controller is hung and unreachable for now, however the other one is running.
Now when I'm resetting any user's password on the available domain controller, it's not updating on member servers/machines.
All FSMO roles are running on the available domain controller.
My domain controller is running on 2003 and member servers are on 2008.

Please help
Question by:pdixit1977
13 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38757948
And you're 100% certain that ALL 5 FSMO roles are on the running server?
Is the "hung" server powered off?
0
 

Author Comment

by:pdixit1977
ID: 38758017
Yes, I'm 100% sure.

And the other domain controller is in a hung state; I can ping it, but RDP, LDP and other connections could not be made.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38758042
OK, so ALL 5 FSMO roles already belonged to the server that is still alive, yes?

If the other DC is hung and unusable I would start by switching it off completely or disconnecting it from the network.
0
 

Author Comment

by:pdixit1977
ID: 38758086
Yes, all 5 FSMO roles are running on the alive server.

The hung server (actually both servers) is sitting in a datacenter where no onsite resource is available for the next 7 hours.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 38758381
"Now when I'm resetting any user's password on the available domain controller, it's not updating on member servers/machines."

Not entirely sure if I'm understanding, but in an AD environment all user authentication requests are performed by a domain controller. So any user logging on will need to get his credentials validated by the DC.

Unless you've got passwords saved on your local workstations/servers, then you'll need to update them manually.

The fact that you cannot RDP or LDP onto that server doesn't mean it's not answering other ports, so if that server is discoverable, then your member servers could be waiting on authentication responses which are not working.

Here is a list of ports that you can check for responses.
http://technet.microsoft.com/en-us/library/cc959833.aspx

BUT like NeilSr said, get that hung server switched off.
Did you try a remote shutdown of the "hung" DC?
Run: "shutdown /i" from the available DC and enter the details of the other DC.
0
 

Author Comment

by:pdixit1977
ID: 38762745
I tried remote shutdown with various methods, but that server was having a memory leak problem, hence it was not accepting *any* communication on *any* port except ICMP (ping).

For the time being I followed the steps below.
1. Made a hosts file entry in all member servers pointing to the live domain controller, like: 1.1.1.1 (live DC)  mydomain.com
2. Configured lower weight and priority for the hung DC's SRV record in DNS.
3. Removed the hung DC's IP address from the DNS server list in the LAN config of all member servers.

Users were able to log in with their new/reset password on most servers, however a few were still not working.

Now the hung server has rebooted and the issue is fixed.

BUT I'm really surprised and curious to know why member servers were taking the hung domain controller as their default logon server when

1. all roles were with the live DC.
2. I removed the hung DC from the DNS list in the LAN config.
3. The SRV record for the hung DC was also modified.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 38762775
The domain controller locator in Windows XP and in Windows Server 2003 caches the name of a single domain controller. This client cache is not updated until the targeted domain controller stops responding to locator requests or until the client is restarted. Therefore, the client continues to send domain controller requests to the cached domain controller.

Note: The cached domain controller is selected from the pool of available domain controllers when the DCLocator cache is first populated.

In this scenario, the client cannot update the cached domain controller item even if additional domain controllers or more suitable domain controllers become available.

Taken from:
http://support.microsoft.com/kb/939252
http://technet.microsoft.com/en-us/library/cc978011.aspx
http://support.microsoft.com/kb/247811
0
 

Author Comment

by:pdixit1977
ID: 38763910
Thanks dvt_localboy.

Is there a way to clear that DCLocator cache without a machine restart?
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 38766073
Assuming you can log on to the workstation, you can run: NLTEST /DSGETDC:<newDCname> /force
Alternatively, you can change the value of the logonserver environment variable, also when logged on to the workstation, by running:
set logonserver=\\<newDCname>

But assuming you cannot logon to the server and you want a permanent solution then have a look at this article:
http://support.microsoft.com/kb/939252/en-us
0
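The thread leaves two things implicit: how to see which DC a member server has actually locked onto, and how to tell a DC that merely answers ping (the hung state described above) from one that can still service LDAP and Kerberos. The following PowerShell script is an added example, not code from this thread or from Microsoft; it assumes PowerShell 3 or later on Windows Server 2012 / Windows 8 or newer (for `Resolve-DnsName`), and the domain name is a placeholder. It reads the cached logon server, lists the DCs advertised by the `_ldap._tcp.dc._msdcs` SRV record with their priority and weight (the values the author adjusted in step 2), completes a real TCP handshake against ports 389 and 88 on each, and only then runs `nltest /dsgetdc:<domain> /force` to bypass the locator cache.

```powershell
# Added example (not from the thread): inspect the DC locator state of a member
# server, verify LDAP/Kerberos reachability of every advertised DC, and force
# rediscovery if the cached DC is dead. Domain name below is a placeholder.
param(
    [string]$Domain = "mydomain.com"   # placeholder: replace with your AD DNS domain
)

# 1. Which DC did this machine lock onto at logon / last discovery?
Write-Host "Cached LOGONSERVER : $env:LOGONSERVER"
Write-Host "DC locator cache   :"
$cached = (nltest /dsgetdc:$Domain) 2>&1
$cached | Where-Object { $_ -match '^\s*(DC|Address):' } | ForEach-Object { "   $_" }

# 2. Which DCs does DNS advertise, and with what SRV priority/weight?
#    Lower priority wins; among equal priorities, higher weight is preferred.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }

# 3. Real TCP handshake with a timeout. A host that answers ICMP but never
#    completes the handshake is exactly the "pingable but hung" DC in the thread;
#    Test-Connection (ping) would wrongly report it as healthy.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($r in $srv) {
    [pscustomobject]@{
        DC       = $r.NameTarget
        Priority = $r.Priority
        Weight   = $r.Weight
        Ldap389  = Test-TcpPort -HostName $r.NameTarget -Port 389
        Kerb88   = Test-TcpPort -HostName $r.NameTarget -Port 88
    }
}
$results |
    Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
    Format-Table -AutoSize

# 4. If any advertised DC fails the LDAP check, force the locator to discard its
#    cached entry and perform a fresh DNS-based discovery (no reboot required).
$dead = $results | Where-Object { -not $_.Ldap389 }
if ($dead) {
    Write-Host "Unreachable DC(s): $($dead.DC -join ', ') -- forcing rediscovery"
    nltest /dsgetdc:$Domain /force
}
```

Run it on a member server that is still authenticating against the wrong DC; the table makes the SRV ordering visible, and the `Ldap389` column is the check that separates "hung but pingable" from "healthy". Note that on Windows Server 2008 `Resolve-DnsName` is not available, so the SRV lookup would have to be replaced with `nslookup -type=SRV` output parsing.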
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38766629
"Is there a way to clear that DCLocator cache without a machine restart?"

Note that the hotfix mentioned in those articles DOES require a restart BEFORE it will work.
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 125 total points
ID: 38766850
Absolutely correct, Neilsr.
Looking at the subject of this question, "Password is not getting updated on member machines/servers", and the comment from the author (by: pdixit1977, posted on 2013-01-10 at 15:39:44, ID: 38762745):
"Users were able to log in with their new/reset password on most servers, however a few were still not working."

I must confess I WAS assuming that he was looking for a forward-looking solution that would prevent this condition from occurring again.

If he cannot log on to the workstation/server because the DC is not available, then he cannot use the other solutions, which require you to log on first.

From the KB:
After you install the hotfix, the DNS locator client in Windows XP and in Windows Server 2003 updates its domain controller cache after a default interval. The DNS locator client tries to rediscover a suitable domain controller. The life cycle of a cached entry is controlled by the value of the ForceRediscoveryInterval registry entry.

So while the installation of the hotfix requires a restart, the functionality it introduces is the solution that will clear the DCLocator cache and look for a new DC, thus preventing a re-occurrence of this issue.

Personally I've never seen this behaviour nor used the hotfix myself, but I hope my logic makes sense.
0
 
LVL 37

Accepted Solution

by:
Neil Russell earned 125 total points
ID: 38767281
Yes, the logic is fine; I was just pointing out to the OP that the fix still requires a reboot, and that was one of his objections earlier.

Once the server is powered off, as it is now, a simple reboot without the hotfix works for now.

As you say, the hotfix would prevent such an issue in the future should a similar occurrence happen.

I do question the fact that the OP only has 2 DCs and that they are offsite in a datacenter! You really should have a DC locally on site.
0
 

Author Closing Comment

by:pdixit1977
ID: 38798675
Thanks to both of you for brainstorming on this.
0
