Re: Domain Password Synchronisation




"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:uGR$jUh5GHA.4644@xxxxxxxxxxxxxxxxxxxxxxx
"Steve Ireland" <Sandymount@xxxxxxxxxxx> wrote in message
news:eFM6WVg5GHA.756@xxxxxxxxxxxxxxxxxxxxxxx
I have had trouble finding other people with similar issue probably due to
the phraseology I'm using when searching Google.

Background:
This is a Windows 2003 domain that I did not install/upgrade so I can't
vouch for it (in fact it's a bit of a mess). It was upgraded from an NT
domain with Exchange 5.5.

Have you run DCDiag on every DC and fixed all ERRORs and WARNings
found? (Dump output to text file and search for ERROR and WARN.)

This is a minimum sanity check for any Domain and should be done
regularly, not just when taking over a mess or when a problem presents.


I had run DCDiag and NetDiag for other reasons over the last few months and
have resolved any issues that they reported.
Neither of the DCs report any errors other than:
....a failure to reach the gateway (this is firewalled to prevent pings, so
that's acceptable).
....NetBT name test is passed with a warning (...[WARNING] At least one of
the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names
is missing...)
....a notice that there is no default gateway configured on the second
adapter in the multihomed DC (which is correct).

The W2K3 Exchange 2K3 (member) server is configured with an Active Directory
connector.
The Win2K Proxy (member) server is running ISA 2000 with a content filter
plugin called WebMarshall.
There are two Win2K3 domain controllers (there was an NT4 DC which had lost
communication with the domain months ago - I removed its traces from Active
Directory and reinstalled it with Win2K3 as a member server - as far as I
can tell, there are no longer any Event errors relating to this server).

See DCDiag too.


Ditto.

A lot of the XP desktops did not have SP2 installed and were, therefore, not
installing the latest updates from MS. This caused problems when users tried
to change their password at logon (they were prevented from doing so) once
it expired (due to the absence of certain security updates). That issue is
now resolved too.

You might investigate the (free download from MS) MBSA -- Microsoft
Baseline Security Analysis which will allow you to check for a variety
of things like updates, suspicious services, and general security
settings.


I will continue to do this but only sporadically. MBSA often shows up
vulnerabilities that are necessary to the normal operations of the DC.

There are many errors still in the Event logs of both DCs (one of the DCs is
multihomed, which seems to be causing some authentication issues) that I am
trying to resolve.

Many people recommend against multi-homed DCs -- although
I can generally get this to work without serious issue it is a
poor idea if there is no absolute requirement for it.


We have a separate subnet for financial transactions. The security
consultants recommended this configuration. It's a bit ugly, if you ask me.
I might find an alternative. I am certain that certain other issues are down
to the bindings on this multihomed system and would like the whole config
reverted.

I could spend all day describing the various problems, but I think I'll hold
off until asked.

The problem:
Essentially, after a period of time (which is possibly coinciding with the
expiration of the password - about one month) the user will login
successfully without being prompted to change their password. Once they open
IE (ISA 2000) or Outlook (Exchange 2003), they will be prompted again for
user id and password.

ISA might not be in the "same domain", might not itself be
authenticating, or might not be SET to use domain accounts.

Outlook might be using non-domain servers (SMTP and such)
without the integrated features you would expect with Exchange.

These are specific applications which may or may not be using
or working with Domain security.


When I reset the password on the account in AD, all of the services work
fine. Does this not preclude the chance that these two systems are not
correctly in the domain? ISA is set to use Integrated Authentication and the
plugin, WebMarshall, permits access based on 'Internet Group' membership. As
in Exchange, the password synchronisation at logon is fine 99% of the time.
Only every now and again does it fail - possibly coinciding with password
expiration.

Also if they try to access network shares, they will
be prompted for a password. Their password will not work when they try to
enter it. If they log off and log back in they will again get into Windows
without being prompted to change their password. However, Exchange and ISA
will not let them authenticate.

NetDiag might be useful to run on all NON-DCs, much as DCDiag
is a must for the DCs.

Most authentication (and replication) problems are really DNS
at heart -- unless the basic network is faulty (hardware or IP) then
DNS counts for practically all such problems.


No errors (except for failure to reach the gateway) on Exchange member
server (2003) but could not run NetDiag on ISA proxy server (got error...
[FATAL] Failed to get system information of this machine.)
We did have DNS issues. Now, DNS no longer reports errors (for the last
three weeks or so) after a 'clear out'.

I used to get the users to Ctrl, Alt & Del and change their password and
then everything would work fine. However, recently, they might be told that
they do not have permission to change their password when logged into
Windows (they do, in ADU&C). If I go ahead and set their password to expire,
they log off and log on, are prompted to change their password - which they
do successfully - and then everything works fine.

Any pointers?

Could be a DC "replication" issue (but doesn't sound like quite the
right symptoms) or a machine "authentication" issue for either/both
CLIENT category and SERVER category machines.

Perhaps two or several separate issues that make the problem
more difficult to diagnose.

Start with the Diag tools. Then find which machines continually
work (if any) and post the IPConfig /all from both that machine
and one that gives troubles...


I will have to check on this in general. However, the person I did it for
yesterday is using a PC that I configured so I know that has the correct
settings. Maybe that's hubris. Like I say, I'll check it out.

One thing to check immediately:

Do any of the machines (clients, servers, or DCs) use a mixture
of INTERNAL DNS and EXTERNAL DNS server settings on
their NIC->IP->DNS Server settings?

This latter will account for many intermittent problems and although
a naive admin might THINK it works it is NEVER reliably....


One of my predecessors had entered the ISP DNS settings on the client
desktops. Bootup and login was taking about 10 minutes. I have been setting
them back to auto (the two DCs) as I find them. The DCs are pointing to
127.0.0.1 and replicate DNS settings to servers in the name tab. Each DC
forwards DNS queries to the ISP DNS servers.

Thanks very much for the suggestions. Keeps me on the right track.

Stephen.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


Thanks.
Steve.
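The two checks Herb asks for above (dump DCDiag/NetDiag output and search it for ERROR and WARN lines, and look for machines whose NIC DNS settings mix internal and external servers) are easy to script once the output is collected. The following is an added example, not code from either poster: it parses text in the layout of `ipconfig /all` and flags each adapter as internal, external, mixed or none, and pulls error/warning lines out of a diagnostic dump. The internal address ranges, host names and both sample outputs are constructed for the example; adjust `INTERNAL_NETS` to the ranges your DCs actually live in.

```python
"""Audit DNS client settings (ipconfig /all) and diag dumps for the problems
discussed in the thread: mixed internal/external DNS servers, ERROR/WARN lines."""
import ipaddress
import re

# Assumption for this example: these ranges are "internal"; anything else is an
# ISP or other external resolver. 203.0.113.0/24 is a documentation range used
# below to stand in for an ISP DNS server.
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed sample in the layout of `ipconfig /all` (two adapters, like the
# multihomed machine in the thread). Extra DNS servers appear on continuation
# lines with no colon, exactly as ipconfig prints them.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS-FINANCE01
   Primary Dns Suffix  . . . . . . . : corp.example.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example.local
   IP Address. . . . . . . . . . . . : 192.168.10.25
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.5
                                       203.0.113.53

Ethernet adapter Finance Subnet:

   IP Address. . . . . . . . . . . . : 192.168.20.25
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 192.168.10.5
"""

# Constructed sample of a diagnostic dump; the WARNING text is the NetBT
# message quoted in the thread, the ERROR line is made up for the example.
SAMPLE_DIAG = """\
   Testing server: Default-First-Site-Name\\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity
      Starting test: NetBT name test
         [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
      Starting test: Default gateway test
         [ERROR] Default gateway 192.168.10.1 did not answer (ICMP blocked at firewall).
"""

ADAPTER_RE = re.compile(r"^(\S.*):\s*$")          # "Ethernet adapter X:" header
KEY_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")   # "   Key . . . : value"
DIAG_RE = re.compile(r"\b(ERROR|WARN(ING)?)\b", re.IGNORECASE)


def parse_dns_servers(ipconfig_text):
    """Return {adapter header: [DNS server addresses]} from ipconfig /all text."""
    adapters, current, collecting = {}, None, False
    for line in ipconfig_text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1).strip()
            adapters[current] = []
            collecting = False
            continue
        if current is None or not line.strip():
            collecting = False      # blank line ends a DNS Servers continuation
            continue
        m = KEY_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            collecting = key.lower().startswith("dns servers")
            if collecting and value:
                adapters[current].append(value)
        elif collecting:
            adapters[current].append(line.strip())   # continuation line
    return adapters


def classify(servers, internal_nets=INTERNAL_NETS):
    """'none', 'internal', 'external' or 'mixed' for one adapter's DNS list."""
    if not servers:
        return "none"
    kinds = set()
    for s in servers:
        addr = ipaddress.ip_address(s)
        kinds.add("internal" if any(addr in n for n in internal_nets) else "external")
    return "mixed" if len(kinds) == 2 else kinds.pop()


def audit_dns(ipconfig_text, internal_nets=INTERNAL_NETS):
    """Verdict per adapter; 'mixed' or 'external' is what Herb warns about."""
    return {name: classify(srv, internal_nets)
            for name, srv in parse_dns_servers(ipconfig_text).items()}


def diag_findings(diag_text):
    """Lines of a DCDiag/NetDiag dump that mention an error or warning."""
    return [ln.strip() for ln in diag_text.splitlines() if DIAG_RE.search(ln)]


if __name__ == "__main__":
    for adapter, verdict in audit_dns(SAMPLE_IPCONFIG).items():
        print(f"{adapter}: {verdict}")
    for finding in diag_findings(SAMPLE_DIAG):
        print("diag:", finding)
```

On a real machine, feed `audit_dns` the saved output of `ipconfig /all` and `diag_findings` the text file produced by `dcdiag /v` or `netdiag`; any adapter reported as `mixed` is a client that will resolve the domain's SRV records only some of the time, which is exactly the intermittent behaviour described in the thread.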