Re: Where are DC signatures stored in AD ? Can they be edited using adsiedit ?



the license service can be disabled

I assume "something" with the wrong password is "attacking" your domain
administrator with the wrong password.

Use netlogon debugging to start tracing the account lockout. Start at the
PDC.


Enabling debug logging for the Net Logon service:
- HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag
- DBFlag = 0x2080FFFF (output in: %windir%\debug\netlogon.log)

and follow what is mentioned here:
http://www.eksternkompetanse.no/blog/PermaLink,guid,576846a0-ac14-47d4-8057-c117a9e2ec1c.aspx
http://www.eksternkompetanse.no/blog/PermaLink,guid,43f143b3-f389-4946-9bdf-21a1b787f5cb.aspx
http://www.eksternkompetanse.no/blog/PermaLink,guid,3e28462e-f4c9-499a-8cc9-43accc47a779.aspx
--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------
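Once the DBFlag above is set and the PDC is writing %windir%\debug\netlogon.log, the remaining work is finding which client keeps presenting the wrong password. The following Python script is an added example, not part of Jorge's post: it parses the "Returns" lines of a netlogon.log for failed SamLogon attempts and reports, per account, the source host responsible for most of them. The sample lines are constructed, and since the exact line layout differs between Windows versions the regular expression is an assumption about the format.

```python
import re
from collections import Counter, defaultdict

# Well-known NTSTATUS codes that Net Logon writes on its "Returns" lines.
STATUS_NAMES = {
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# One "Returns" line per completed SamLogon request; "(via HOST)" is present
# when the request was forwarded to the PDC by another DC. Assumed format.
RETURNS_RE = re.compile(
    r"logon of (?P<domain>[^\\\s]+)\\(?P<user>\S+) from "
    r"(?:\(via (?P<via>[^)]+)\) )?(?P<source>\S+) Returns (?P<status>0x[0-9A-Fa-f]+)"
)

# Constructed sample in the shape of netlogon.log output (not from a real DC).
SAMPLE_LOG = """\
01/22 09:14:03 [LOGON] CORP: SamLogon: Network logon of CORP\\Administrator from WKS-07 Entered
01/22 09:14:03 [LOGON] CORP: SamLogon: Network logon of CORP\\Administrator from WKS-07 Returns 0xC000006A
01/22 09:14:05 [LOGON] CORP: SamLogon: Network logon of CORP\\Administrator from WKS-07 Returns 0xC000006A
01/22 09:14:07 [LOGON] CORP: SamLogon: Network logon of CORP\\alex from WKS-12 Returns 0x0
01/22 09:14:09 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\\Administrator from (via DC2) WKS-07 Returns 0xC000006A
01/22 09:14:11 [LOGON] CORP: SamLogon: Network logon of CORP\\Administrator from WKS-07 Returns 0xC0000234
"""

def parse_returns(text):
    """Yield (user, source, via, status) for every completed logon attempt."""
    for line in text.splitlines():
        m = RETURNS_RE.search(line)
        if m:
            yield m["user"].lower(), m["source"], m["via"], int(m["status"], 16)

def lockout_report(text):
    """Per user with failures: (worst source, failures from it, statuses seen)."""
    per_user, statuses = defaultdict(Counter), defaultdict(set)
    for user, source, _via, status in parse_returns(text):
        if status != 0:
            per_user[user][source] += 1
            statuses[user].add(STATUS_NAMES.get(status, hex(status)))
    return {u: (*c.most_common(1)[0], sorted(statuses[u])) for u, c in per_user.items()}

if __name__ == "__main__":
    for user, (src, n, seen) in lockout_report(SAMPLE_LOG).items():
        print(f"{user}: {n} failures from {src}; statuses: {', '.join(seen)}")
```

Run it against the real log with `lockout_report(open(r"C:\Windows\debug\netlogon.log").read())`; a host that shows up with many STATUS_WRONG_PASSWORD results just before a STATUS_ACCOUNT_LOCKED_OUT is where the stale credential (service, mapped drive, scheduled task) lives.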
"Alex" <newsgroups@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uuK0KQtIHHA.780@xxxxxxxxxxxxxxxxxxxxxxx
Hi Paul. Thanks for the information. Unfortunately the process we went
through to create our test network was different to what you have
suggested on your site. Our live network at the time only had one 2000
DC. We took a NTBackup of the DC and restored it onto a server with the
same hardware. There were no errors apart from the decommissioned signature
for the first DC. I have run dcdiag, netdiag and repadmin testing
throughout the test upgrade to 2003 and have not had any errors. When we
started having problems with the test network at the point of demoting the
2000 DC we stopped any parallel upgrades on the Live network.
Subsequently both networks now have one 2000 DC and one 2003 DC, the 2003
has all the roles.

Unfortunately we aren't having much luck with this upgrade. The new
2000/2003 have been running without problem but over the weekend we have
started generating LicenseService (ID 213) warnings on what appears to be
a random selection of member servers (License Service is running on the
2003 DC and AD Sites & Services Licensing Site Settings points to DC2).
More concerning we have also started to get NTDSReplication ID 1083, NTDS
Replication ID 1955 and SAM 12294 for the Domain Administrator account. I
have just posted about this in a new post but if I could resolve these two
issues on the Live network I don't think we would have any further
problems with the demotion and addition of new 2003 DC.

Thanks,
Alex.


"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:O89OrWjIHHA.1248@xxxxxxxxxxxxxxxxxxxxxxx
How did you build the test network? Have a look at a build doc I have
and see if you missed out on any steps.

http://www.pbbergs.com
Select articles and click on Create a Test Domain



Once you have the domain created run diagnostics against it

If you don't have the tools installed, install them from your server
install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> dcdiag /e /c /v /s:DC_Name /f:c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be
output in notepad text files that pop up automagically.

The script is located in the download section on my website at
http://www.pbbergs.com

Just select both dcdiag and netdiag and make sure verbose is set. (Leave the
default settings for dcdiag as set when selected.)

When complete search for fail, error and warning messages.


--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Alex" <newsgroups@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uHnDDHfIHHA.2456@xxxxxxxxxxxxxxxxxxxxxxx
Hi. We have been having a problem with a test network which we are
using to test an upgrade from 2000 to 2003. The network was built from
a restored 2000 DC image before the first 2003 DC was added. The
restore completed successfully on slightly different hardware with no
errors and everything working correctly. On running repadmin /showsig
the 2000 DC (DC1) has generated a new signature and the old signature
has been retired. Unfortunately although repadmin is showing this DC as
having and using a new signature, it registers its CNAME entry in DNS
with the old signature and the NTDS Replication DNS Alias (visible from
AD Sites and Services on the 2003 DC) is also listing the old signature.
Subsequently when we attempt to demote this server the demotion is not
clean. BUT even after we clear out any left over DNS and AD entries for
the 2000 DC (no server entry is left from the demotion in ntdsutil),
when we then install 2003 on the same server hardware, same IP address
and same name, after running dcpromo and rebooting the server it
generates replication errors. These errors are indicating that the 2003
DC(DC2) is attempting to replicate with the now new 2003 DC1 but they
fail to authenticate with each other because the 2003 DC2 appears to
be trying to contact DC1 using its old retired signature. I have posted
about this in a similar post previously and Jorge made the suggestions
below but this is still occurring:

*Clear the DNS cache
- right-click the DNS server and clear the cache.
- run from cmd: ipconfig /flushdns
*delete the files netlogon.dnb and netlogon.dns from
%systemroot%\system32\config
*run ipconfig /registerdns
*restart the netlogon service, confirm the creation of the files
netlogon.dnb and netlogon.dns on %systemroot%\system32\config
*run netdiag /fix
Check again the DNS entries.


This is only happening on our test network. When I run repadmin
/showsigs on the live network the current 2000 DC has only 1 signature
with none retired and the newer 2003 DC also has 1 signature. I would
really like to cleanup the test network so I can confirm the demotion
and addition of the replacement 2003 DC works successfully.

Thanks,
Alex.
