Domain Controllers Out of Sync

Mike

We are running a LAN with 2 Windows 2000 Server domain
controllers. The primary domain controller (PDC) and
backup domain controller (BDC) have fallen out of sync,
and now new users created on the PDC can not be
authenticated on the BDC. This is a problem mostly
because our BDC is also our Terminal Server, so we are
now unable to grant access to any new remote/Terminal
Server users. How can I get the BDC to resync with the
PDC?
 
Chriss3

Hello Mike, there are today Operations Master Roles within a Windows Domain.
One of them is the PDC emulator, to take care of your NT clients and replication
down to NT 4.0 BDCs if you are in mixed mode.
Active Directory has what we call Multi-Master Replication. Changes can be
done at any of your Domain Controllers.

However, if your controllers are out of sync, check the Directory Services
log in Event Viewer on both DCs and post back any relevant information.

There are a few good tools to make use of to work with replication:
Replication Monitor (GUI) and Replication Admin (command-line).

Install the Windows Server Support Tools located on your Windows Server CD. Type
repadmin or replmon in the Run field to start the utilities.

--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was helpful, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1
 
Moreno B

Hi Mike,

This situation is strange because the two servers are on the same
LAN... Did you verify the network cable connection?

Ok, if the cable is ok, let's talk about your problem.

One solution could be a DEMOTION of the BDC and, after that, a new
PROMOTION of the server to become a domain controller again using
DCPROMO.EXE.

Before doing this, be sure the PDC is a GC server (but I suppose this
because the server IS a PDC!!).

Running this command you FORCE Active Directory to re-create all the
Active Directory connections, and at the end of the process all will work.

Also, verify if the DNS is working well.


Hope this helps.

Bye!

Moreno
 
David Brandt [MSFT]

Try running the following command from the BDC to force a full sync:
"net accounts /sync"

Also check the event logs to see if there are errors/events that may
indicate a secure channel issue that you can use netdom to try and reset,
and be sure that the BDC is still seeing the PDC (good name resolution).

--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
David Brandt [MSFT]

Disregard the net accounts /sync cmd as I misread the problem and thought
your BDC was NT4.
Sorry about that, but do be sure your connectivity is good.

--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
Guest

I should have prefaced my message by noting that I am the
de facto IT administrator, as our former IT admin left us
several months ago and has yet to be replaced (i.e., I
have limited knowledge about this). I also should have
noted that we changed our LAN subnet from 192.168.0.0/24
to 192.168.5.0/24 recently in the process of setting up a
VPN, and I suspect something was missed here that either
contributed to, or caused, this problem. Here's what the
Directory Service Event Viewer for the PDC is repeatedly
reporting:

-----------
The checkpoint with the PDC was unsuccessful. The
checkpointing process will be retried again in four
hours. A full synchronization of the security database to
downlevel domain controllers may take place if this
machine is promoted to be the PDC before the next
successful checkpoint. The error returned was: The DSA
operation is unable to proceed because of a DNS lookup
failure.
-----------

The Directory Service Event Viewer for the BDC does not
have ANY entries. Also, the PDC is visible from the BDC
(i.e., browsable via My Network Places), but the BDC is
NOT visible from the PDC. I'm starting to think it's
something wrong in a DNS entry somewhere...if anyone can
walk this novice through troubleshooting this, I'd sure
be thankful.
 
Mike

Hi Mike,

With this information, we found the cause of your problems.

Check ALL the IP addresses of the servers and BE SURE they
are on the SAME AD SITE and SUBNET.

If you have an IP address of the server from the subnet
192.168.0.0/24, you won't be able to see the subnet
192.168.5.0/24 without adding a new route to the router
and without a correct configuration of the AD sites in
ACTIVE DIRECTORY SITES AND SERVICES.

In your case, I suppose only a correct IP configuration of
the servers' IP addresses and subnet mask will be necessary,
followed by a fresh replication of the Active
Directory.

In fact, with a correct IP configuration, the PDC will be
able again to "SEE" the machine in the network, and it will
restart replication automatically.

So, check these things and tell us if this works.

Have a nice day!

Moreno
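As an added example (not code from any poster in this thread), a small Python check that models the advice above: compare each DC's actual address against the DNS A record its peers will resolve, and against the subnet objects defined in AD Sites and Services, to spot what a subnet renumbering can leave behind. The hostnames, the stale record and the site name are constructed sample data; the script does not query a real domain.

```python
import ipaddress

# Constructed sample data modelled on the thread: the LAN was renumbered from
# 192.168.0.0/24 to 192.168.5.0/24. Hostnames and site name are placeholders.
AD_SITE_SUBNETS = {                       # subnet object -> site (AD Sites and Services)
    "192.168.0.0/24": "Default-First-Site-Name",   # old subnet, never updated
}
DC_ACTUAL_IPS = {                         # what each DC's NIC is configured with now
    "pdc.example.local": "192.168.5.20",
    "bdc.example.local": "192.168.5.21",
}
DNS_A_RECORDS = {                         # what the DNS zone still answers
    "pdc.example.local": "192.168.5.20",
    "bdc.example.local": "192.168.0.21",  # stale record left from the old subnet
}


def site_for(ip, site_subnets):
    """Return the AD site whose subnet object covers ip (longest prefix wins), or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in site_subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def check_dc_topology(dc_ips, dns_a, site_subnets):
    """List DNS and site/subnet mismatches that break DC-to-DC replication."""
    findings = []
    for dc, ip in dc_ips.items():
        rec = dns_a.get(dc)
        if rec is None:
            findings.append(f"{dc}: no A record in DNS (peers get DNS lookup failures)")
        elif rec != ip:
            findings.append(f"{dc}: DNS says {rec} but host is {ip} (stale record)")
        if site_for(ip, site_subnets) is None:
            findings.append(f"{dc}: {ip} matches no AD subnet object; add the new subnet")
    sites = {site_for(ip, site_subnets) for ip in dc_ips.values()}
    if len(sites) > 1:
        findings.append(f"DCs span sites {sorted(map(str, sites))}; check site links")
    return findings


if __name__ == "__main__":
    for line in check_dc_topology(DC_ACTUAL_IPS, DNS_A_RECORDS, AD_SITE_SUBNETS):
        print(line)
```

With the sample data it reports the stale BDC record and that neither DC falls inside a defined AD subnet; once the A record and the subnet object are corrected the check returns an empty list.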
 
Mike

Both servers are on 192.168.5.0/24. The PDC is
192.168.5.20 (subnet mask 255.255.255.0, gateway
192.168.5.1 which is the router) and the BDC is
192.168.5.21 (subnet mask 255.255.255.0, gateway
192.168.5.1). You mentioned "a fresh replication of
the Active Directory"...how do I do this? You also
mentioned "a correct configuration of the AD sites in the
ACTIVE DIRECTORY SITE AND SERVICES"...will the fresh
replication accomplish this? Thanks.

Mike
 
