Solved

Password is not getting update on member machines/servers

Posted on 2013-01-08
249 Views
Last Modified: 2013-01-20
Hi
We have 2 domain controllers running in our domain; 1 domain controller is hung and unreachable for now, however the other one is running.
Now when I'm resetting any user's password on the available domain controller, it's not updating on member servers/machines.
All FSMO roles are running on the available domain controller.
My domain controller is running on 2003 and member servers are on 2008.

Please help
0
Question by:pdixit1977
13 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38757948
And you're 100% certain that ALL 5 FSMO roles are on the running server?
Is the "hung" server powered off?
0
 

Author Comment

by:pdixit1977
ID: 38758017
Yes, I'm 100% sure.

And the other domain controller is in a hung state; I can ping it, but RDP, LDP and other connections could not be made.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38758042
OK so ALL 5 FSMO roles already belonged to the server that is still alive yes?

If the other DC is hung and unusable I would start by switching it off completely or disconnecting it from the network.
0
 

Author Comment

by:pdixit1977
ID: 38758086
Yes, all 5 FSMO roles are running on the alive server.

The hung server (actually both servers) is lying in a datacenter where no onsite resource is available for the next 7 hours.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 38758381
"Now when I'm resetting any user's password on the available domain controller, it's not updating on member servers/machines."

Not entirely sure if I'm understanding, but in an AD environment all user authentication requests are performed by a domain controller. So any user logging on will need to get his credentials validated by the DC.

Unless you've got passwords saved on your local workstations/servers, then you'll need to update them manually.

The fact that you cannot RDP or LDP onto that server doesn't mean it's not answering other ports, so if that server is discoverable, then your member servers could be waiting on authentication responses which are not working.

Here is a list of ports that you can check for responses.
http://technet.microsoft.com/en-us/library/cc959833.aspx

BUT like NeilSr said, get that hung server switched off.
Did you try a remote shutdown of the "hung" DC?
Run "shutdown /i" from the available DC and enter the details of the other DC.
0
 

Author Comment

by:pdixit1977
ID: 38762745
I tried remote shutdown with various methods, but that server was having a memory leak problem, hence it was not accepting *any* communication on *any* port except ICMP (ping).

For the time being I followed the steps below.
1. Made a hosts file entry on all member servers for the live domain controller, like: 1.1.1.1 (live DC)  mydomain.com
2. Configured a lower weight and priority for the hung DC's SRV record in DNS.
3. Removed the hung DC's IP address from the DNS server list in the LAN config of all member servers.

Users were able to log in with their new/reset password on most servers, however a few were still not working.

Now the hung server has rebooted and the issue is fixed.

BUT I'm really surprised and curious to know why member servers were taking the hung domain controller as their default logon server when

1. all roles were with the live DC,
2. I removed the hung DC from the DNS list in the LAN config, and
3. the SRV record for the hung DC was also modified.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 38762775
The domain controller locator in Windows XP and in Windows Server 2003 caches the name of a single domain controller. This client cache is not updated until the targeted domain controller stops responding to locator requests or until the client is restarted. Therefore, the client continues to send domain controller requests to the cached domain controller.

Note: The cached domain controller is selected from the pool of available domain controllers when the DCLocator cache is first populated.

In this scenario, the client cannot update the cached domain controller item even if additional domain controllers or more suitable domain controllers become available.

Taken from:
http://support.microsoft.com/kb/939252
http://technet.microsoft.com/en-us/library/cc978011.aspx
http://support.microsoft.com/kb/247811
0
 

Author Comment

by:pdixit1977
ID: 38763910
Thanks dvt_localboy.

Is there a way to clear that DCLocator cache without a machine restart?
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 38766073
Assuming you can log on to the workstation, you can run: NLTEST /DSGETDC:<newDCname> /force
Alternatively, you can change the value of the logonserver environment variable, also when logged onto the workstation, by running:
set logonserver=\\<newDCname>

But assuming you cannot logon to the server and you want a permanent solution then have a look at this article:
http://support.microsoft.com/kb/939252/en-us
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38766629
"is there a way to clear that DCLocator cache without machine restart ? "

Note that the hotfix mentioned in those articles DOES require a restart BEFORE it will work.
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 375 total points
ID: 38766850
Absolutely correct, Neilsr.
Looking at the subject of this question, "Password is not getting update on member machines/servers", and the comment from the author (pdixit1977, posted on 2013-01-10 at 15:39:44, ID: 38762745):
"users were able to login with their new/resetted password on maximum servers however few were still not working."

I must confess I WAS assuming that he was looking for a forward-looking solution that would prevent this condition from occurring again.

If he cannot log on to the workstation/server because the DC is not available, then he cannot use the other solutions, which require you to log on first.

From the KB:
After you install the hotfix, the DNS locator client in Windows XP and in Windows Server 2003 updates its domain controller cache after a default interval. The DNS locator client tries to rediscover a suitable domain controller. The life cycle of a cached entry is controlled by the value of the ForceRediscoveryInterval registry entry.

So while the installation of the hotfix requires a restart, the functionality it introduces is the solution that will clear the DCLocator cache and look for a new DC, thus preventing a re-occurrence of this issue.

Personally I've never seen this behaviour nor used the hotfix myself, but I hope my logic makes sense.
0
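As an added example (not posted in this thread), a PowerShell script that ties the two answers above together on a member server: it reads the locator's cached DC and the session's LOGONSERVER, probes that DC's Kerberos, LDAP and SMB ports (a DC that answers ping but none of these is exactly the hung case the author hit, and the locator keeps it cached because it never looks dead), forces rediscovery with nltest when the DC is unresponsive, and reports the ForceRediscoveryInterval value from KB 939252. It assumes a domain-joined Windows machine; the registry location under Netlogon\Parameters is the one the KB documents, and the `/dsgetdc` switch takes the domain name, so the script passes $env:USERDNSDOMAIN.

```powershell
# Added example, not from the thread. Assumes it runs on a domain-joined member
# server under an account allowed to read the Netlogon registry key.
$ports = @{ 'Kerberos' = 88; 'LDAP' = 389; 'SMB' = 445 }

function Get-LocatorDc {
    # nltest /dsgetdc takes the DOMAIN name; it prints a line such as "DC: \\DC01.mydomain.com".
    $out = nltest "/dsgetdc:$env:USERDNSDOMAIN" 2>&1
    foreach ($line in $out) {
        if ($line -match '^\s*DC:\s*\\\\(\S+)') { return $Matches[1] }
    }
    return $null
}

function Test-DcPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 2000)
    # Plain TCP connect with a timeout; works on Server 2008 where Test-NetConnection is absent.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$cached = Get-LocatorDc
Write-Host "LOGONSERVER (this session) : $env:LOGONSERVER"
Write-Host "Locator-selected DC        : $cached"
if (-not $cached) { Write-Warning 'No DC returned by the locator'; return }
# A DC that answers ping but not these ports is the "hung" case from the thread:
# the locator keeps it cached because it is never seen as dead.
$healthy = $true
foreach ($name in $ports.Keys) {
    $ok = Test-DcPort -Server $cached -Port $ports[$name]
    Write-Host ("  {0,-9} tcp/{1,-4} {2}" -f $name, $ports[$name], $(if ($ok) { 'open' } else { 'NO RESPONSE' }))
    if (-not $ok) { $healthy = $false }
}

if (-not $healthy) {
    # Discard the cached entry and run discovery again; the DC named in the
    # output shows whether the DNS/SRV changes are actually being honoured.
    nltest "/dsgetdc:$env:USERDNSDOMAIN" /force
}
# Report the rediscovery interval (seconds) that the KB 939252 hotfix honours, if it has been set.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$interval = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ForceRediscoveryInterval
if ($null -eq $interval) { Write-Host 'ForceRediscoveryInterval not set (hotfix default applies if installed)' }
else { Write-Host "ForceRediscoveryInterval = $interval seconds" }
```

Setting LOGONSERVER with `set` only changes the current session; the locator cache itself is only refreshed by the `/force` rediscovery, the hotfix interval, or a restart.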
 
LVL 37

Accepted Solution

by:Neil Russell
Neil Russell earned 375 total points
ID: 38767281
Yes, the logic is fine; I was just pointing out to the OP that the fix still requires a reboot, and that was one of his objections earlier.

Once the server is powered off, as it is now, a simple reboot without the hotfix works for now.

As you say, the hotfix would prevent such an issue in the future should a similar occurrence happen.

I do question the fact that the OP only has 2 DCs and that they are offsite in a datacenter! You really should have a DC locally on site.
0
 

Author Closing Comment

by:pdixit1977
ID: 38798675
Thanks to both of you for brainstorming on this..
0
