Re: Active Directory Replication Issues - Win2k & Win2k3




Danial,

There are several things that could be causing this, but I would like to throw some things out there to start with:
1. http://support.microsoft.com/default.aspx/kb/288167 to reset the secure channel.
2. Check your SMB signing settings on the 2000 and 2003 servers and verify that they are set to a compatible level. You can see the reg keys and get additional information from http://support.microsoft.com/kb/916846. Just verify that the settings are the same for each server.

If you continue to have issues after this, it would be helpful to see the output from dcdiag /v and repadmin /showreps.

Thanks,
Greg
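As an added example (not code from Greg or Daniel): a PowerShell script, run from an admin workstation, that reads the SMB-signing values named in KB 916846 from both DCs over the Remote Registry service, flags any mismatch between them, and then queries each DC's secure channel with nltest. The DC and domain names are placeholders.

```powershell
# Added example (not from the thread): compare the SMB-signing values from
# KB 916846 on both DCs and query each DC's secure channel. Server and domain
# names below are placeholders; replace them with the real ones.
$dcs    = @('DC-W2K3', 'DC-W2K')
$domain = 'EXAMPLE'
$keys = @{
    'LanmanServer'      = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    'LanmanWorkstation' = 'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
}
$names = 'RequireSecuritySignature', 'EnableSecuritySignature'

# Read the four signing values from each DC (needs the Remote Registry service)
$results = foreach ($dc in $dcs) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
    foreach ($side in $keys.Keys) {
        $sub = $hklm.OpenSubKey($keys[$side])
        foreach ($n in $names) {
            $val = if ($sub) { "$($sub.GetValue($n, '<absent>'))" } else { '<key missing>' }
            [pscustomobject]@{ DC = $dc; Side = $side; Name = $n; Value = $val }
        }
    }
    $hklm.Close()
}
$results | Format-Table DC, Side, Name, Value -AutoSize

# Flag any server- or workstation-side setting that differs between the DCs;
# a signing-required DC talking to a DC that cannot sign is one cause of the
# access-denied replication symptom described in the thread
$results | Group-Object Side, Name | ForEach-Object {
    $distinct = @($_.Group.Value | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        $detail = ($_.Group | ForEach-Object { "$($_.DC)=$($_.Value)" }) -join ', '
        Write-Warning "SMB signing mismatch for $($_.Name): $detail"
    }
}

# Secure-channel status of each DC; a failure here is what Greg's step 1
# (KB 288167, resetting the DC machine-account password) is meant to fix
foreach ($dc in $dcs) {
    nltest /server:$dc /sc_query:$domain
}
```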


"Daniel Casper" <DanielCasper@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:40B255E5-28D9-47A8-B93A-8EEF9ED6120C@xxxxxxxxxxxxxxxx
I'm having some trouble with my domain controllers and figured I would try to
poll the experts. This is where I'm at:

I've got two domain controllers.

The first, a Win2k3 Server, is my PDC for all of my FSMO roles.

The second, a Win2k Server, is a BDC, and also my GC server.

From the Win2k3 Server I can access active directory, connect to either
domain controller, and see all of my users and groups. In the Active
Directory Sites and Services I can see both of my servers under my Default
First Site. When connected to the 2k3 Server I can replicate from the 2k
Server, but not to the 2k Server. When attempting to replicate to the 2k
Server I get an Access Denied error.

From the Win2k Server I can access active directory, but cannot connect to
the Win2k3 DC. On the 2k server when I attempt to replicate either direction
from AD Sites and Services I get "The target principal name is incorrect".

My users seem to be randomly impacted. From my workstation I authenticate
through the PDC, my logon script runs normally, and I have full access to all
network drives.

From other users' accounts, the behavior is sporadic, but falls into one of
the following two categories:

1. Most of the time their computers appear to use cached credentials to
authenticate into Windows (the type of behavior that exhibits if you have a
laptop and disconnect it from the network where your PDC is). In this
instance, they can see the computers on the network, including the Win2k3
Server, but cannot access any files on the Win2k3 Server. For instances
where this is the case the logon script does not run.

2. Other times users appear to authenticate through the BDC (Win2k) Server.
In these instances, it appears to run the logon script properly, again they
can view all machines in the domain, but when they attempt to connect to the
Win2k3 Server they receive an error "The target account name is incorrect".

In either case where the user does not authenticate through the PDC, I can
still ping the PDC by NetBIOS name and/or IP address. Computers that cannot
access the files on the PDC can still access the IMAP server that's hosted on
that box because it's addressed by IP.

The problem I am having in troubleshooting this is that I cannot explain why
some users are impacted and others are not. I cannot seem to find a setting
or conflict that would allow some users to authenticate through the PDC
properly while forcing other users to authenticate through the BDC or using
cached credentials. I'd like to know a couple of things:

1. Is there a way using GPO to restrict the use of cached credentials (i.e.
force the systems to look for the PDC when connecting to the domain)?

2. Has anyone encountered anything like this and have a good direction for
troubleshooting?

3. Why would something like this change? Our domain controllers have been
stable for several months prior to this, and then beginning yesterday I lost
access to shared applications on the PDC.

Thanks all for any help,
--Daniel



