DC secure channel


Guest

There are two Windows 2000 DCs. There is a NETLOGON 3210 event log on BDC and
NETLOGON 5722 on PDC at the startup of the BDC.

Running dcdiag on the BDC I get an error:
LDAP bind failed with error 31,
A device attached to the system is not functioning..

Running nltest /sc_change_pwd:<domain name> on the BDC I get this:
I_NetLogonControl failed: Status = 5 ERROR_ACCESS_DENIED

What's the problem?

Thank you for your help!

Attila
 

Herb Martin

att100 said:
There are two Windows 2000 DCs. There is a NETLOGON 3210 event log on BDC and
NETLOGON 5722 on PDC at the startup of the BDC.

First, there are no PDCs/BDCs in AD, unless they are
NT4 BDCs, but presumably you mean your two DCs,
since this seems to be an LDAP error:

(One of them will likely hold the PDC Emulator and you
may think of it as YOUR 'primary' DC, but it is not a PDC.)

Running dcdiag on the BDC I get an error:
LDAP bind failed with error 31,
A device attached to the system is not functioning..

Running nltest /sc_change_pwd:<domain name> on the BDC I get this:
I_NetLogonControl failed: Status = 5 ERROR_ACCESS_DENIED

What's the problem?

Most such problems are due to failure to replicate, which is
usually due to DNS issues. I would check the DNS, try the
DCDiag /fix (or NetDIAG /fix), and if none of that works you
will likely need to "DCPromo cycle" one of them -- probably
the one without the roles is best.

DCPromo -> non-DC, then DCPromo -> (new) DC.

DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single-label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
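Herb's advice to send DCDiag output to a text file and search it for FAIL, ERROR, WARN, as an added Python triage script that is not from the thread: it parses a saved dcdiag report into per-DC pass/fail results and ties each keyword hit to the server and test that emitted it. The report it parses is a constructed sample in dcdiag's output layout; the DC names and site name are assumptions, and the DC02 lines mirror the error Attila quoted.

```python
import re
from collections import defaultdict

# Constructed sample in dcdiag's output layout (not a real capture); DC names and
# site name are assumptions, DC02's Connectivity lines mirror the thread's error.
SAMPLE = r"""Domain Controller Diagnosis
Doing initial required tests
   Testing server: Default-First-Site-Name\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity
   Testing server: Default-First-Site-Name\DC02
      Starting test: Connectivity
         [DC02] LDAP bind failed with error 31,
         A device attached to the system is not functioning..
         ......................... DC02 failed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\DC01
      Starting test: Replications
         [Replications Check,DC01] A recent replication attempt failed:
            From DC02 to DC01
         ......................... DC01 failed test Replications
      Starting test: Advertising
         Warning: DC01 is not advertising as a time server.
         ......................... DC01 passed test Advertising
"""

SERVER_RE = re.compile(r"^Testing server:\s+(?:\S+\\)?(?P<dc>\S+)$")  # strips "Site\"
TEST_RE = re.compile(r"^Starting test:\s+(?P<test>\S+)$")
RESULT_RE = re.compile(r"^\.{3,}\s+(?P<dc>\S+)\s+(?P<verdict>passed|failed)\s+test\s+(?P<test>\S+)$")
KEYWORDS = ("FAIL", "ERROR", "WARN")  # the strings the reply says to search for

def parse_dcdiag(text):
    """Return ({dc: {test: 'passed'|'failed'}}, [(dc, test, flagged line), ...])."""
    results, flagged = defaultdict(dict), []
    dc = test = None  # context from the latest 'Testing server' / 'Starting test'
    for raw in text.splitlines():
        line = raw.strip()
        if m := SERVER_RE.match(line):
            dc = m["dc"]
        elif m := TEST_RE.match(line):
            test = m["test"]
        elif m := RESULT_RE.match(line):
            results[m["dc"]][m["test"]] = m["verdict"]
        elif any(k in line.upper() for k in KEYWORDS):
            flagged.append((dc, test, line))  # keyword hit, tied to its server/test
    return dict(results), flagged

def failed_tests(results):
    """Sorted (dc, test) pairs that dcdiag reported as failed."""
    return sorted((d, t) for d, tests in results.items() for t, v in tests.items() if v == "failed")
```

Run it against `dcdiag /v /c > dcdiag.txt` output read from the file in place of SAMPLE; the verdict lines give the per-test summary and the flagged list points at the explanatory lines above each failure.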
 
