Domain Controllers

Guest

I need help!!! I have 3 domain controllers running W2K Server SP4.
A few weeks ago my second domain controller would not replicate with the
other two DCs. I eventually phoned Microsoft for help, and after running
MPSRPT we found that the secure channel had been broken between DC2 and
DC1/DC3.
The tech at Microsoft helped me to download fixes and reset the
administrator password. This did not help, and every day I need to reset the
password. During this exercise I need to disable the "Kerberos Key
Distribution Centre" service, reboot the server, then enable this particular
service again.
Last week during one of these exercises, I forgot to enable the "Kerberos
Key Distribution Centre" service and my server ran for a few days without
any problems. Then I discovered my mistake and enabled the service; well, my
problems started all over again.
Can you help solve this problem, because the tech at Microsoft has run out
of ideas?

Thanks

Johan
 
Herb Martin

Johan said:
I need help!!! I have 3 domain controllers running W2K Server SP4.
A few weeks ago my second domain controller would not replicate with the
other two DCs. I eventually phoned Microsoft for help, and after running
MPSRPT we found that the secure channel had been broken between DC2 and
DC1/DC3.

Ok, since it keeps coming back, there is obviously
something else going on.

Some things to check/try:

Fix the time, many Kerberos and thus those authentication
problems are due to time drift -- Kerberos is quite
picky about the times being similar. This also means
setting the TIME ZONE correctly if the machines are
in different zones: 9:00 AM EST is the same as 8:00
AM CST.

Fix the DNS, most such problems (authentication and
replication) are DNS related. *See below

Cycle DCPromo to rebuild the entire AD on the problematic
DC -- don't do this until you feel you have checked all
the configuration issues (time, DNS).
DCPromo -> Non-DC then** DCPromo -> (new) DC

Perform a REPAIR install on the problematic DC --
** I recommend doing this between the two DCPromo's
when cycling the DC.
Boot from the original CD, install into the same directory, and
if it ASKS whether you wish to repair, confirm that intention.
Check the updates from Windows Update (may be undone
by 'repair'.)

*DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

...or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
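The checklist above, scripted as an added example (this is not code from the original thread and was not posted by Herb). It runs w32tm, Get-DnsClientServerAddress, nltest, dcdiag and repadmin against each DC from a current Windows Server PowerShell session rather than the Windows 2000 command line the thread is about; the DC names DC1-DC3, the internal DNS addresses, the WinRM/CIM reachability of the DCs and the RSAT tools being on PATH are all assumptions, not facts from the page.

```powershell
<#
  Added example, not code from the original thread. It scripts Herb's
  checklist for every DC in the list: clock skew, DNS client settings,
  secure channel, a DCDiag scan for FAIL/ERROR/WARN, and a replication
  summary. Assumptions not stated on the page: the DC names and internal
  DNS addresses are placeholders; w32tm, nltest, dcdiag and repadmin are on
  PATH (RSAT); the DNS check reaches each DC over CIM/WinRM.
#>
param(
    [string[]] $DomainControllers = @('DC1', 'DC2', 'DC3'),                  # placeholders
    [string[]] $InternalDns       = @('10.0.0.1', '10.0.0.2', '10.0.0.3'),   # placeholders
    [string]   $Domain            = $env:USERDNSDOMAIN,
    [string]   $ReportDir         = (Join-Path $env:TEMP 'dc-health')
)

# Kerberos rejects tickets once clocks differ by more than the domain policy
# "Maximum tolerance for computer clock synchronization" (default 5 minutes).
$MaxSkewSeconds = 300
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

function Test-ClockSkew {
    param([string] $Dc)
    # w32tm prints the offset of $Dc's clock relative to this host, in lines
    # such as "13:05:12, +00.0012345s". The comparison is UTC-based, so a DC
    # with the wrong time zone shows up here as a skew of whole hours.
    $out = w32tm /stripchart /computer:$Dc /samples:3 /dataonly 2>&1
    $m = $out | Select-String -Pattern '([+-]\d+\.\d+)s\s*$' | Select-Object -Last 1
    if (-not $m) { return "  $Dc : no answer from w32tm ($($out -join ' '))" }
    $offset = [double] $m.Matches[0].Groups[1].Value
    $flag = if ([math]::Abs($offset) -gt $MaxSkewSeconds) { 'SKEW' } else { 'ok' }
    "  {0} : clock offset {1:N3}s [{2}]" -f $Dc, $offset, $flag
}

function Test-DnsClientConfig {
    param([string] $Dc)
    # Herb's DNS rules 2 and 3: a DC's NIC must point SOLELY at the internal,
    # dynamic DNS servers. Anything else (ISP resolver, retired DC) is flagged.
    $addrs = Get-DnsClientServerAddress -CimSession $Dc -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { $_.ServerAddresses }
    $foreign = @($addrs | Where-Object { $_ -notin $InternalDns })
    $list = $addrs -join ', '
    if ($foreign.Count -gt 0) { "  $Dc : DNS servers $list; external: $($foreign -join ', ') [FIX]" }
    else                      { "  $Dc : DNS servers $list [ok]" }
}

function Test-SecureChannel {
    param([string] $Dc)
    # Asks $Dc to verify its own secure channel to a DC of $Domain. The output
    # names the partner DC and reports NERR_Success when the channel is intact.
    $out = nltest /server:$Dc /sc_verify:$Domain 2>&1
    $partner = $out | Select-String -Pattern 'Trusted DC Name\s+(\S+)' | Select-Object -First 1
    $name = if ($partner) { $partner.Matches[0].Groups[1].Value } else { '?' }
    $flag = if ($out -match 'NERR_Success') { 'ok' } else { 'BROKEN' }
    "  $Dc : secure channel to $name [$flag]"
}

function Get-DcDiagFindings {
    param([string] $Dc)
    # Herb's DCDiag step: save the full output per DC, then search it for
    # FAIL / ERROR / WARN (DCDiag prints e.g. "failed test Replications").
    $report = Join-Path $ReportDir "dcdiag-$Dc.txt"
    dcdiag /s:$Dc | Out-File -FilePath $report -Encoding utf8
    $hits = @(Select-String -Path $report -Pattern 'FAIL|ERROR|WARN')
    "  $Dc : $($hits.Count) flagged line(s), full output in $report"
    $hits | Select-Object -First 10 | ForEach-Object { "      line $($_.LineNumber): $($_.Line.Trim())" }
}

Write-Host "== Clock skew vs. this host (limit ${MaxSkewSeconds}s) =="
foreach ($dc in $DomainControllers) { Test-ClockSkew $dc }

Write-Host "== DNS client settings =="
foreach ($dc in $DomainControllers) {
    try { Test-DnsClientConfig $dc } catch { "  $dc : $($_.Exception.Message)" }
}

Write-Host "== Secure channel (nltest /sc_verify) =="
foreach ($dc in $DomainControllers) { Test-SecureChannel $dc }

Write-Host "== DCDiag =="
foreach ($dc in $DomainControllers) { Get-DcDiagFindings $dc }

Write-Host "== Replication summary (repadmin /replsummary) =="
repadmin /replsummary | Tee-Object -FilePath (Join-Path $ReportDir 'replsummary.txt')
```

A DC that comes back with SKEW, an external resolver, or a BROKEN secure channel has a configuration problem to fix first; per Herb's ordering, the DCPromo cycle and the repair install come only after time and DNS check out, and the saved dcdiag reports give you something concrete to hand to the support engineer.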
 
Ryan Hanisco

If you paid for a case with Microsoft, re-open it. They will work with you
until it's resolved, and it doesn't sound like this is the case. Call them
back, give them the case ID number, and start from there.

Herb's suggestions are great, but it sounds like you need help... and you've
already paid for it.

--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

Herb Martin

Ryan Hanisco said:
If you paid for a case with Microsoft, re-open it. They will work with you
until it's resolved, and it doesn't sound like this is the case. Call them
back, give them the case ID number, and start from there.

GOOD ADVICE.
Herb's suggestions are great, but it sounds like you need help... and you've
already paid for it.


Given that (I didn't know since my support has always
been done differently -- Premier accounts etc.) you should
call them.

So yes. Call back and get help. Until it is fixed.

BTW, make a backup -- just in case support screws
your DCs up completely -- they are usually excellent
but it wouldn't be the first time.



--
Herb Martin

Guest

Thanks guys for your advice. Just for the record, I'm not saying that
Microsoft is unwilling to help; as a matter of fact, the person I have
been dealing with has been great and very helpful. We have tried, and are
still trying, a few things, but none has managed to solve my problem, and I
posted my problem here to see if someone might know something we have
been missing, or might have experienced the same problem. I'm in contact with
Microsoft on a daily basis trying to solve the problem.

Thanks

Johan

Herb Martin

demon said:
I am studying for an exam and have no experience of AD, am confused with
regards to Global catalogue. Books state that "AD automatically builds the
first GC on the first DC in the Forest ?? at what point does a forest
appear is this as soon as you install AD on a DC. Having not installed
win2k server in a test environment yet I cannot get my head around this one.
Any help would be greatly appreciated.

My suggestions will almost certainly
work.

--
Herb Martin
