Re: DC secure channel


"att100" <att100@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:09C2DEAE-E20A-47C2-9709-120EBB7D39F7@xxxxxxxxxxxxxxxx
> There are two Windows 2000 DCs. There is a NETLOGON 3210 event log on BDC and
> NETLOGON 5722 on PDC at the startup of the BDC.

First, there are no PDC/BDCs in AD, unless they are
NT4-BDCs, but presumably you mean your two DCs
since this seems to be an LDAP error:

(One of them will likely hold the PDC Emulator and you
may think of it as YOUR 'primary' DC, but it is not a PDC.)

> Running dcdiag on the BDC I get an error:
> LDAP bind failed with error 31,
> A device attached to the system is not functioning..
>
> Running nltest /sc_change_pwd:<domain name> on the BDC I get this:
> I_NetLogonControl failed: Status = 5 ERROR_ACCESS_DENIED
>
> What's the problem ?

Most such problems are due to failure to replicate, which is
usually due to DNS issues. I would check the DNS, try the
DCDiag /fix (or NetDIAG /fix), and if none of that works you
will likely need to "DCPromo cycle" one of them - probably
the one without the roles is best.


DCPromo-> non-DC then DCPromo -> (new) DC.


DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

>
> Thank you for your help !
>
> Attila
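
The last suggestion in the reply above (send DCDiag output from each DC to a text file and search it for FAIL, ERROR, WARN), as an added example that is not part of the original post. It assumes the usual dcdiag layout of "Starting test:" lines followed by a dotted verdict line; the function name `scan_dcdiag` and the sample text are constructed for illustration.

```python
import re

# Constructed sample of saved dcdiag output (not captured from a real DC).
# The LDAP bind message is the one quoted in the post; the rest is made up.
SAMPLE = r"""
   Testing server: Default-First-Site-Name\DC2
      Starting test: Connectivity
         [DC2] LDAP bind failed with error 31,
         A device attached to the system is not functioning..
         ......................... DC2 failed test Connectivity
      Starting test: Replications
         ......................... DC2 passed test Replications
      Starting test: NetLogons
         Warning: constructed example line inside a test that passed
         ......................... DC2 passed test NetLogons
"""

START = re.compile(r"^\s*Starting test:\s*(\S+)")
VERDICT = re.compile(r"^\s*\.{5,}\s*(\S+) (passed|failed) test (\S+)")
KEYWORDS = re.compile(r"fail|error|warn", re.IGNORECASE)

def scan_dcdiag(text):
    """Return (failed, hits).

    failed: list of (server, test) taken from the dotted verdict lines.
    hits:   list of (test, line_no, line) for detail lines containing
            FAIL, ERROR or WARN, attributed to the test they appear under.
    """
    current, failed, hits = None, [], []
    for no, raw in enumerate(text.splitlines(), 1):
        start = START.match(raw)
        if start:
            current = start.group(1)
            continue
        verdict = VERDICT.match(raw)
        if verdict:
            if verdict.group(2) == "failed":
                failed.append((verdict.group(1), verdict.group(3)))
            current = None  # the verdict line closes the test
            continue
        line = raw.strip()
        if line and KEYWORDS.search(line):
            hits.append((current or "(outside any test)", no, line))
    return failed, hits

if __name__ == "__main__":
    failed, hits = scan_dcdiag(SAMPLE)
    for server, test in failed:
        print(f"FAILED  {server}: {test}")
    for test, no, line in hits:
        print(f"line {no:>3} [{test}] {line}")
```

Keyword hits inside a test that passed (the NetLogons warning here) are reported too, since a plain search for "failed test" would miss them.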

