AD Repl problem with two servers


Guest

Hi,

I have a customer with 2x Win 2000 Servers. These are in the same site.
The problem I have is that when I went to update a GP on the network, it
said that it couldn't contact the PDC emulator. When I went and checked with
replmon, true enough, I could see there was a connectivity problem with this
server. Now I can ping, view file shares, remote desktop etc. from one server
to the other; it seems to be limited to domain functions.

e.g. If I am logged onto server1 (as admin) and try to use Computer Mgmt to
connect to Server2 then I get a request for an account with permissions to
log on. If I remote desktop onto server2 from server1 using the same
user/pwd combination then I can logon fine.

Now using replmon (from server1) to view the two servers, server1 is ok,
server2 has problems logging on to ldap. From server2, I can connect to
server1 ok and I can view server2.

So, what can I do? Oh, all the FSMO roles are on server1 except for PDC
emulator which is on server2.

All I can think of is (un)promo-ing server2 to become a member server again
and then re-promoing it again.

If you can think of anything else to try please let me know.


Thanks,


Chris
 

Herb Martin

Chris Gradden said:
Hi,

I have a customer with 2x Win 2000 Servers. These are in the same site.
The problem I have is that when I went to update a GP on the network, it
said that it couldn't contact the PDC emulator.

The normal case is to update GPOs on this DC
by default, but any DC can technically perform
this function.

(Especially) in large domains, defaulting to a single
DC helps to prevent two admins from editing the
same GPO concurrently.
When I went and checked with
replmon, true enough, I could see there was a connectivity problem with this
server. Now I can ping, view file shares, remote desktop etc. from one server
to the other; it seems to be limited to domain functions.

Usually such problems are DNS problems -- presuming that
your network and any firewall filters are not
interfering (and that is likely safe since it is a
single site.)
e.g. If I am logged onto server1 (as admin) and try to use Computer Mgmt to
connect to Server2 then I get a request for an account with permissions to
log on. If I remote desktop onto server2 from server1 using the same
user/pwd combination then I can logon fine.

This looks like either (or both) a replication or
authentication problem. It is possible that the
passwords have been changed on one DC and
not replicated to the other so that in effect the
account is only usable on one of them.

This can also happen to computers (since their
passwords are maintained automatically with
their DC.)
Now using replmon (from server1) to view the two servers, server1 is ok,
server2 has problems logging on to ldap. From server2, I can connect to
server1 ok and I can view server2.

So, what can I do? Oh, all the FSMO roles are on server1 except for PDC
emulator which is on server2.

Start with DNS.
All I can think of is (un)promo-ing server2 to become a member server again
and then re-promoing it again.

You might as well try to fix the underlying problem
first. IF it turns out that this has been broken for
months (longer than tombstone lifetime especially)
you may eventually need to DCPromo-Cycle one of
the DCs.
If you can think of anything else to try please let me know.

Most such problems are DNS problems (or something that
interferes directly with network transport such as a firewall
or other network issue.)

DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
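A scripted version of the checklist above (the DC's own DNS client settings, the _msdcs locator SRV records, the PDC locator, and a DCDiag sweep per DC written to a text file and searched for FAIL/ERROR/WARN), added here as an example and not part of the thread. It assumes a current Windows DC with the DnsClient module and dcdiag/nltest on PATH; the server names, domain name and DNS address are placeholders.

```powershell
# Added example (not from the thread): DNS/replication health pass over the
# DCs of one domain, following Herb's DNS-for-AD rules. Names and addresses
# below are hypothetical placeholders; replace them with the real ones.
param(
    [string[]]$DomainControllers = @('server1', 'server2'),   # hypothetical DC names
    [string[]]$InternalDns       = @('192.0.2.10'),           # internal dynamic DNS server(s), placeholder
    [string]  $Domain            = 'example.local',           # hypothetical AD DNS zone
    [string]  $OutDir            = "$env:TEMP\dcdiag"
)
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Rules 2/3: a DC is a DNS client too, and its NIC must list SOLELY the
# internal, dynamic DNS server(s). Anything else (ISP resolver, public DNS)
# breaks locator lookups and shows up exactly as "can't contact the PDC emulator".
$clientDns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
              Where-Object { $_.ServerAddresses }).ServerAddresses | Sort-Object -Unique
$stray = $clientDns | Where-Object { $_ -notin $InternalDns }
if ($stray) { Write-Warning "NIC lists non-internal DNS servers: $($stray -join ', ')" }

# Rule 1: the zone must be dynamic so DCs can register their locator records.
# Check the result directly: every DC should appear as an _ldap._tcp.dc._msdcs target.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                       -Server $InternalDns -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No _ldap._tcp.dc._msdcs SRV records for $Domain on $($InternalDns -join ', ')"
} else {
    $srv | Where-Object NameTarget | ForEach-Object { "SRV -> $($_.NameTarget):$($_.Port)" }
}

# Locate the PDC emulator through the same DC-locator path the GPO editor uses.
nltest /dsgetdc:$Domain /pdc

# Run DCDiag against each DC, capture to a text file, then search it for
# FAIL/ERROR/WARN (Select-String is case-insensitive, so "failed test" matches too).
foreach ($dc in $DomainControllers) {
    $log  = Join-Path $OutDir "$dc.txt"
    dcdiag /s:$dc /v | Out-File -FilePath $log -Encoding utf8
    $hits = Select-String -Path $log -Pattern 'FAIL|ERROR|WARN'
    "{0}: {1} problem line(s) in {2}" -f $dc, @($hits).Count, $log
    $hits | Select-Object -First 10 | ForEach-Object { "  " + $_.Line.Trim() }
}
```

Run it from each DC in turn; the DNS client check only inspects the machine it runs on, while the SRV, PDC and dcdiag steps cover the whole domain.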
 

Guest

More info.

I generated a status report from the first server. This all looked ok until
I got to the Enterprise Data section.

The first server shows the same GUID for the Server GUID (used for DNS) and
the Replication Database GUID (used to identify the partner in replication).
However, the second server has differing GUIDs for each of these entries.
Is this normal or could this be the problem?

I have tried running dcpromo again to demote then promote the server back to
a DC but it won't let me as it wants to replicate the changes... aargh.

So I'm stuck for the moment.

Again, your thoughts please.


Chris
 
