Help to Find out Which W2K DC the XP client authenticate

Danny

Hi,

I need some help finding out which DC in my domain is not
synchronizing the user authentication information.

What happens is I have 2 W2K DCs in my LAN and 2 DCs in a remote site
connected via WAN. One of the DCs in my LAN is a GC. Recently, I
triggered the password policy which forces every user to change
their password.

The users have no issue changing their password and logging on to the
domain from their XP. However, occasionally, some users encounter a
problem with Outlook. We are using the POP3 service for Outlook 2000,
which connects to the Exchange 2000 in the backend. The symptom is
that the Outlook client keeps popping up the screen asking for the
W2K logon password.

I managed to figure out a short-term solution to address the symptom,
which is to restart the whole XP client.

I suspect one of the DCs was not synchronizing the AD information
properly; however, when I use Repadmin from the W2K Support Tools,
there is no report showing any AD synchronization issue.

My question is: does Microsoft provide any tools to check which DC is
used by the XP and Exchange 2000 for authentication?

Alternatively, does anyone know what's wrong here?

Regards.
 
Herb Martin

Danny said:
> Hi,
>
> I need some help finding out which DC in my domain is not
> synchronizing the user authentication information.

The standard tools are (in Support Tools):

DCDiag.exe
RepAdmin.exe
ReplMon.exe

> What happens is I have 2 W2K DCs in my LAN and 2 DCs in a remote site
> connected via WAN. One of the DCs in my LAN is a GC. Recently, I
> triggered the password policy which forces every user to change
> their password.

In such a small domain/forest it is best to just make
all DCs into GCs.

> The users have no issue changing their password and logging on to the
> domain from their XP. However, occasionally, some users encounter a
> problem with Outlook. We are using the POP3 service for Outlook 2000,
> which connects to the Exchange 2000 in the backend. The symptom is
> that the Outlook client keeps popping up the screen asking for the
> W2K logon password.

Exchange 2000 depends on the GC (in place of the Exchange x.y
Global Address List) so finding a GC is very important to Exchange
2000+.

> I managed to figure out a short-term solution to address the symptom,
> which is to restart the whole XP client.

That is unlikely to be reliable unless you are just
randomly getting the DC with the GC or with the
correct info.

> I suspect one of the DCs was not synchronizing the AD information
> properly; however, when I use Repadmin from the W2K Support Tools,
> there is no report showing any AD synchronization issue.

Most AD replication problems resolve to a DNS problem.

(A few, especially with WANs as you have, might be due
to firewall filters and other network connectivity issues
though.)

> My question is: does Microsoft provide any tools to check which DC is
> used by the XP and Exchange 2000 for authentication?

That's different from your question above; the standard
tool for that is NLTest.exe (also from Support Tools).

Although you can get the name of the LogonServer by
checking the environment for that variable:

set logonserver

...NLTest lets you not only test it, but reset or change
the server that provides the authentication secure channel
for the client.

> Alternatively, does anyone know what's wrong here?

Probably DNS or connectivity issues so here's the scoop
on DNS:


DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

...or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
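
The checks listed in the reply above (the LogonServer variable, NLTest, and DCDiag output searched for FAIL, ERROR and WARN), collected into one batch file as an added example that is not part of the original thread. The domain name EXAMPLE, the DC names DC1 to DC4 and the output folder are placeholders; it assumes the Support Tools are installed on the machine and that it is run from an administrator command prompt.

```bat
@echo off
rem Added example, not from the thread. Edit the three placeholders below.
setlocal
set DOMAIN=EXAMPLE
set DCLIST=DC1 DC2 DC3 DC4
set OUTDIR=%TEMP%\dccheck

if not exist "%OUTDIR%" mkdir "%OUTDIR%"

rem 1. The DC that validated the current interactive logon.
rem    This value is fixed at logon time and does not change afterwards.
echo === LOGONSERVER for this session ===
echo %LOGONSERVER%

rem 2. The DC the locator would hand out now (found through DNS SRV records).
echo === DC returned by the locator for %DOMAIN% ===
nltest /dsgetdc:%DOMAIN%

rem 3. The DC currently holding this computer's secure channel.
rem    Run the same query on the Exchange server to see which DC it uses.
echo === Secure channel for %DOMAIN% ===
nltest /sc_query:%DOMAIN%

rem 4. Run DCDiag against every DC, keep the full output in a text file,
rem    and show only the lines that mention FAIL, ERROR or WARN.
for %%D in (%DCLIST%) do (
    echo === dcdiag against %%D ===
    dcdiag /s:%%D /v > "%OUTDIR%\%%D-dcdiag.txt" 2>&1
    findstr /i /n "fail error warn" "%OUTDIR%\%%D-dcdiag.txt"
    if errorlevel 1 echo No FAIL, ERROR or WARN lines found for %%D
)

echo Full reports are in %OUTDIR%
endlocal
```

If steps 1 to 3 name different DCs on a client that keeps prompting for a password, compare the DCDiag reports of those DCs first.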
 
