Re: Domain Password Synchronisation



"Steve Ireland" <Sandymount@xxxxxxxxxxx> wrote in message
news:eFM6WVg5GHA.756@xxxxxxxxxxxxxxxxxxxxxxx
I have had trouble finding other people with similar issue probably due to
the phraseology I'm using when searching Google.

Background:
This is a Windows 2003 domain that I did not install/upgrade so I can't
vouch for it (in fact it's a bit of a mess). It was upgraded from an NT
domain with Exchange 5.5.

Have you run DCDiag on every DC and fixed all ERRORs and WARNings
found? (Dump output to text file and search for ERROR and WARN.)

This is a minimum sanity check for any Domain and should be done
regularly, not just when taking over a mess or when a problem presents.

The W2K3 Exchange 2K3 (member) server is configured with an Active Directory connector.
The Win2K Proxy (member) server is running ISA 2000 with a content filter plugin called WebMarshall.
There are two Win2K3 domain controllers (there was an NT4 DC which had lost communication with the domain months ago - I removed its traces from Active Directory and reinstalled it with Win2K3 as a member server - as far as I can tell, there are no longer any Event errors relating to this server).

See DCDiag too.

A lot of the XP desktops did not have SP2 installed and were, therefore, not installing the latest updates from MS. This caused problems when users tried to change their password at logon (they were prevented from doing so) once it expired (due to the absence of certain security updates). That issue is now resolved too.

You might investigate the (free download from MS) MBSA -- Microsoft
Baseline Security Analysis which will allow you to check for a variety
of things like updates, suspicious services, and general security settings.

There are many errors still in the Event logs of both DCs (one of the DCs is multihomed, which seems to be causing some authentication issues) that I am trying to resolve.

Many people recommend against multi-homed DCs -- although
I can generally get this to work without serious issue it is a
poor idea if there is no absolute requirement for it.

I could spend all day describing the various problems, but I think I'll hold off until asked.

The problem:
Essentially, after a period of time (which is possibly coinciding with the expiration of the password - about one month) the user will login successfully without being prompted to change their password. Once they open IE (ISA 2000) or Outlook (Exchange 2003), they will be prompted again for user id and password.

ISA might not be in the "same domain", might not itself be
authenticating, or might not be SET to use domain accounts.

Outlook might be using non-domain servers (SMTP and such)
without the integrated features you would expect with Exchange.

These are specific applications which may or may not be using
or working with Domain security.

Also if they try to access network shares, they will be prompted for a password. Their password will not work when they try to enter it. If they log off and log back in they will again get into Windows without being prompted to change their password. However, Exchange and ISA will not let them authenticate.

NetDiag might be useful to run on all NON-DCs, much as DCDiag
is a must for the DCs.

Most authentication (and replication) problems are really DNS
at heart -- unless the basic network is faulty (hardware or IP) then
DNS counts for practically all such problems.

I used to get the users to Ctrl, Alt & Del and change their password and then everything would work fine. However, recently, they might be told that they do not have permission to change their password when logged into Windows (they do, in ADU&C). If I go ahead and set their password to expire, they log off and log on, are prompted to change their password - which they do successfully - and then everything works fine.

Any pointers?

Could be a DC "replication" issue (but doesn't sound like quite the
right symptoms) or a machine "authentication" issue for either/both
CLIENT category and SERVER category machines.

Perhaps two or several separate issues that make the problem
more difficult to diagnose.

Start with the Diag tools. Then find which machines continually
work (if any) and post the IPConfig /all from both that machine
and one that gives troubles...

One thing to check immediately:

Do any of the machines (clients, servers, or DCs) use a mixture
of INTERNAL DNS and EXTERNAL DNS server settings on
their NIC->IP->DNS Server settings?

This latter will account for many intermittent problems and although
a naive admin might THINK it works, it is NEVER reliable....

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


Thanks.
Steve.
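As an added example (not part of either poster's message), the two checks Herb suggests above can be scripted in Windows PowerShell: dump DCDiag output for every DC to a text file and pull out the ERROR/WARN lines, then inspect each NIC's DNS server list for a mixture of internal and external servers. The DC names and the internal DNS server list are placeholders to adjust for your own domain; dcdiag.exe must be present on the machine running the script.

```powershell
# Added example (not from the original thread): the DCDiag and NIC DNS
# sanity checks described in the reply, run from a domain-joined Windows host.
# Assumptions (placeholders, adjust for your environment):
#   $DomainControllers - hypothetical DC names
#   $InternalDns       - the IPs of your AD-integrated DNS servers (RFC 5737 doc range here)
$DomainControllers = @('DC1', 'DC2')
$InternalDns       = @('192.0.2.10', '192.0.2.11')
$ReportDir         = Join-Path $env:TEMP 'dcdiag-reports'
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# 1. DCDiag against every DC: save the full output, then surface ERROR/WARN lines.
#    Select-String is case-insensitive, so 'WARN' also catches "Warning".
foreach ($dc in $DomainControllers) {
    $out = Join-Path $ReportDir "dcdiag-$dc.txt"
    dcdiag.exe /s:$dc /v | Out-File -FilePath $out -Encoding ascii
    $hits = @(Select-String -Path $out -Pattern 'ERROR|WARN')
    Write-Host ("{0}: {1} ERROR/WARN line(s); full output in {2}" -f $dc, $hits.Count, $out)
    foreach ($h in $hits) {
        Write-Host ("  line {0}: {1}" -f $h.LineNumber, $h.Line.Trim())
    }
}

# 2. NIC DNS settings on this machine: flag adapters that mix internal and
#    non-internal DNS servers, or that point only at external servers.
#    Run on clients, member servers and DCs alike.
$adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration |
              Where-Object { $_.IPEnabled -and $_.DNSServerSearchOrder })
if ($adapters.Count -gt 1) {
    Write-Host ("Note: {0} IP-enabled adapters on this host (multihomed)" -f $adapters.Count)
}
foreach ($a in $adapters) {
    $servers  = @($a.DNSServerSearchOrder)
    $internal = @($servers | Where-Object { $InternalDns -contains $_ })
    $external = @($servers | Where-Object { $InternalDns -notcontains $_ })
    $status = if ($external.Count -eq 0)     { 'OK (internal DNS only)' }
              elseif ($internal.Count -eq 0) { 'BAD (external DNS only)' }
              else                           { 'BAD (mixed internal/external DNS)' }
    Write-Host ("{0} -> DNS {1}: {2}" -f $a.Description, ($servers -join ', '), $status)
}
```

Every domain member should resolve through internal (AD-integrated) DNS only; external resolvers belong as forwarders on the internal DNS servers, not on client or DC NICs.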