Problems logging on to server

Guest

We have a primary domain controller and a secondary domain controller in our
domain. We have built the trust relationship so that these servers should
share information in both directions. We have however run into a problem
with two of our users. They can get to the secondary server but when they
try to join the primary domain it says that the domain is not accessible. We
have deleted their user accounts and redone them as well as trying to delete
their computers on the server and then adding them back. We have done what
we believed should make everything available to them but we are having no
luck. If you need more specific information or if you have any ideas please
let me know. Your input would be greatly appreciated.
 
Herb Martin

koojoe52 said:
> We have a primary domain controller and a secondary domain controller in our
> domain.

If they are Win2000 (this newsgroup) then they are BOTH
just DCs. Neither is primary or secondary. That's NT.

From below it sounds like you may have two domains,
and that they are in different forests....

> We have built the trust relationship so that these servers should
> share information in both directions.

Trusts are only used between DIFFERENT DOMAINS, so you
cannot have a trust within a single domain as you describe.

Domains within the same Forest (Win2000+) already have
trusts. (And with only 2 domains there would not be a reason
for adding shortcut trusts.) Do you have multiple Forests?

> We have however run into a problem
> with two of our users. They can get to the secondary server but when they
> try to join the primary domain it says that the domain is not accessible.

Almost all such problems are authentication and almost all
of those are DNS problems.

> We
> have deleted their user accounts and redone them as well as trying to delete
> their computers on the server and then adding them back. We have done what
> we believed should make everything available to them but we are having no
> luck. If you need more specific information or if you have any ideas please
> let me know. Your input would be greatly appreciated.

Domain and forest structure (same different)?
DNS structure (where are the zones held)?

If different Forests (or NT) do you have ROUTERS internal
to your network? External trusts require NetBIOS name
resolution to work completely...so WINS server may be
necessary in that case.

Settings on ALL client NICs set to ONLY internal DNS
servers.

Internal DNS servers can ALL resolve the OTHER DNS
zones that support the other domain?


DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

Restart NetLogon on any DC if you change any of the above that
affects a DC and/or use:

nltest /dsregdns /server:DC-ServerNameGoesHere

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
 
Guest

I appreciate your quick response. I obviously did not give you enough
information. This was a domain with an NT 4.0 server and we added a Windows
2003 server on a different domain. The 2003 server is the primary domain
controller now and the NT Server is a secondary. These individuals can join
and log on to the NT domain but not the 2003 domain. It tells us that the
domain is not available when we try to join the domain. Once logged on to
the NT domain we can see the 2003 domain but still can not access it. The
idea is that we want them to log on to the 2003 server but be able to access
the NT server once they are logged on. I am fairly new to server
administration so bear with me and please be tolerant of my ignorance. I
will get the other information that you have asked for and let you know.
Thank You
 
Herb Martin

koojoe52 said:
> I appreciate your quick response. I obviously did not give you enough
> information. This was a domain with an NT 4.0 server and we added a Windows
> 2003 server on a different domain.

Then my guess about 2 domains and even NT will apply.

And if you have one or more (internal) routers you will need
WINS server.

> The 2003 server is the primary domain
> controller now and the NT Server is a secondary.

You might wish to avoid the words "primary and secondary", as
the first has a technical meaning in NT and they both are technical
terms in the related subject of DNS.

Domains are usually unrelated OR their relationship is one
such as, "one is the Accounts domain, the second is the Resource
domain".

> These individuals can join
> and log on to the NT domain but not the 2003 domain.

Users should, and computers must, have an account in
only one domain.

Win2003 domains require DNS to be properly configured
so most such problems are DNS related.

Networks with NT4 or multiple disparate domains (not the
same Win2000+ forest) generally require NetBIOS resolution
to function correctly -- thus the requirement that if there are also
routers you need WINS server to make the logon, trusts,
etc. work.

> It tells us that the
> domain is not available when we try to join the domain. Once logged on to
> the NT domain we can see the 2003 domain but still can not access it.

"see"? as in Network Neighborhood?

Sounds like a NetBIOS (or perhaps DNS) NAME RESOLUTION
problem.

> The
> idea is that we want them to log on to the 2003 server but be able to access
> the NT server once they are logged on. I am fairly new to server
> administration so bear with me and please be tolerant of my ignorance. I
> will get the other information that you have asked for and let you know.

IN Which domain are the COMPUTERS members?

IN Which do you WISH the Users to have an account?

DO you have a trust between domains?

DO you have any routers INTERNAL to your network?
(NetBIOS broadcasts do not cross routers -- thus WINS.)

IF you have WINS server then EVERY machine, servers
included, must be a WINS client on the NIC->IP->Advanced
->WINS/netbios properties.

IF you have DNS (which you must for Win2000+ domains)
then your machines should all be DNS clients (servers
included) on the similar NIC->IP->Advanced->DNS properties,
and below are the general requirements for DNS...

DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

Restart NetLogon on any DC if you change any of the above that
affects a DC and/or use:

nltest /dsregdns /server:DC-ServerNameGoesHere

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]


--
Herb Martin

 
Guest

I appreciate all of your help. As there are 4 internal routers I added WINS
Server to the 2003 Server and was able to join and access domain. Thank you
very much.

 
Herb Martin

koojoe52 said:
> I appreciate all of your help. As there are 4 internal routers I added WINS
> Server to the 2003 Server and was able to join and access domain. Thank you
> very much.

Excellent. Glad to help.

Double check that ALL computers are set as WINS clients,
even the DCs and the WINS server itself.

For name resolution, 'servers' are CLIENTS too!

If you have multiple WINS servers, make sure they
replicate -- all computers need to see the same
(single) WINS database even if it is on multiple
machines.

--
Herb Martin
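
The checks listed in the replies above (every NIC pointing solely at the internal DNS servers, every machine being a WINS client, and searching saved DCDiag output for FAIL, ERROR, WARN) can be run over captured text. This is an added example, not part of the original thread: a Python script that audits `ipconfig /all` and DCDiag captures. The addresses, adapter names, sample captures and function names are constructed for illustration.

```python
import ipaddress
import re

# Assumption: the site's internal, dynamic DNS servers (constructed addresses).
INTERNAL_DNS = {"10.0.0.10", "10.0.0.11"}

# Constructed `ipconfig /all` capture from one client (IPv4 only).
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:

   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       203.0.113.53
   Primary WINS Server . . . . . . . : 10.0.0.10

Ethernet adapter Lab:

   DNS Servers . . . . . . . . . . . : 10.0.0.10
"""

# Constructed excerpt of DCDiag output that was sent to a text file.
DCDIAG_SAMPLE = """\
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity
      Starting test: Advertising
         Warning: DC1 is not advertising as a time server.
         ......................... DC1 failed test Advertising
"""

FIELD = re.compile(r"^\s+(?P<key>[^.:]+?)[ .]*:\s*(?P<val>.*)$")
DCDIAG_FLAG = re.compile(r"fail|error|warn", re.IGNORECASE)

def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def parse_adapters(text):
    """Map each adapter section to the DNS and WINS servers it lists."""
    adapters, current, slot = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {"dns": [], "wins": []})
            slot = None
            continue
        match = FIELD.match(line)
        if match:  # "Key . . . : value" starts a new field
            key, value = match.group("key").strip(), match.group("val").strip()
            slot = "dns" if key == "DNS Servers" else "wins" if key.endswith("WINS Server") else None
        else:      # a bare indented value continues the previous field
            value = line.strip()
        if current is not None and slot and is_ipv4(value):
            current[slot].append(value)
    return adapters

def audit_adapters(adapters, internal_dns, need_wins):
    """Flag NICs that break the 'solely internal DNS' or WINS-client rule."""
    findings = []
    for name, cfg in adapters.items():
        stray = [ip for ip in cfg["dns"] if ip not in internal_dns]
        if stray:
            findings.append((name, "non-internal DNS: " + ", ".join(stray)))
        if need_wins and not cfg["wins"]:
            findings.append((name, "not a WINS client"))
    return findings

def scan_dcdiag(text):
    """Return (line number, text) for lines mentioning FAIL, ERROR or WARN."""
    return [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1) if DCDIAG_FLAG.search(l)]

if __name__ == "__main__":
    report = audit_adapters(parse_adapters(IPCONFIG_SAMPLE), INTERNAL_DNS, True)
    print(*report, *scan_dcdiag(DCDIAG_SAMPLE), sep="\n")
```

Set `need_wins` to `True` only where NetBIOS resolution has to cross routers, as in the network described in this thread.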
