2nd DC causing problems.

Bob Z.

I installed a domain controller in our environment, that
up until this point just had 1 PDC.

After the new DC is on for a day, roughly, users will
begin to have domain login problems. No errors in the
event viewer on the PDC. On the newly installed DC, I
get "userenv 1000" in the app. log, and "mrxsmb 3034" in
the system log.

FYI - dcpromo ran without any errors when I initially set
up this DC. I've also run "dcdiag" and receive no errors -
all looks good. Plus network connectivity & DNS appear
fine.

All of the tests/diags I run come up okay. The two event
errors I mentioned above are the only trace of a problem.

Maybe there are some rights that the 2nd DC needs that it
doesn't have? Not sure. I did trace the "mrxsmb 3034" and
see that the dword/data points to a time server issue.
I just can't see how that's the case. Our PDC synchs from
an external time source, and the DC synchs to it. I
checked both servers and they have the identical time down
to the second. I printed out Microsoft's white paper on
the "time service" and compared it to my setup. All seems
to be in place.

If anybody has any leads or ideas, please send them!

I've never had this problem bringing up a second DC. No
problems if I turn off my new DC....but if I boot it up,
people will have login problems shortly afterwards...

-thanks,
Bob
 
Cary Shultz [A.D. MVP]

Bob,

Is the second DC also a DNS Server? Also a GC?

I think that the 3034 errors can also be found when you are mapping a
networked drive on the machine which houses the shared folders. So, if you
log on as Administrator to DC01 and the Administrator account has logon.bat
associated with it and all of your shared folders are on DC01 (
\\dc01\software, \\dc01\utilities, \\dc01\private, \\dc01\public,
\\dc01\departments, etc ) then you will notice the 3034 errors. Was not
aware that this would also be a time synch issue. Have you checked to make
sure that all machines are within 5 minutes of the DC that holds the role of
the PDC Emulator? By default, five minutes is the magic number. This,
however, can be changed by GPO ( but probably should not be ).

Just to make sure that all of the FSMO Roles are available you can run -
from a command prompt without the quotes - 'netdom query fsmo' on each of
your domain controllers. Check to make sure that both of them agree on who
holds what roles.

Also, as I am sure that you found out, the userenv 1000 errors can be a
million things! Can you post the entire message?

I know that you said that all is well in DNS land but do you have all four
of the subfolders ( _msdcs, _tcp, _udp and _sites ) in your FLZ? Do they
all have the appropriate entries? If dcdiag comes up fine then this is
probably the case. With which switches did you do dcdiag? I like to use
dcdiag /c /verbose....

I would also look at the client computers. Run - again from the command
prompt without the quotes - 'set l' on the pcs. Do you notice any patterns?
Also, do an ipconfig /all on the computers that work and on those that do
not work ( not all of them, just a couple in the beginning ). Let's just
make sure that they are getting the correct IP Address lease information ( I
am making the assumption that you are using DHCP ). If you are setting this
information up manually then you might want to consider using DHCP. Fix
your gaze on the information for the DNS Servers. This information needs to
be your internal DNS Server IP Address(es), not your ISP DNS Server IP
Address(es).

HTH,

Cary
 
Bob Z.

Cary, I appreciate your in-depth reply. Thanks.

The second DC is not a DNS server.
The PDC holds all FSMO roles, runs DNS, DHCP, WINS.
The new DC is only active directory.

I'm sure there is no client problem or DNS/DHCP problem.
If the new DC is turned off (as it is now) then all runs
100% as has been for a year+. I only have problems when
the 2nd DC is powered on. And as I said, it only has AD on
it, no other services.

The "mrxsmb 3034" error : if you look at the data in the
error, and examine the last word in the set, you can
reference this against a Microsoft database on the net.
For instance, my last data/word is "c00000133" which when
looked up on the table, claims to be a "time synch"
related error.

All machines are within 5 minutes of the DC. That is the
default time-skew-value which has not been changed...I
checked the registry.

Yes, DNS has all 4 subfolders _msdcs, _tcp, _udp, _sites.

As far as the userenv 1000 error goes, here it is in full:
"Windows cannot determine the user or computer name.
Return value (1398)."

Keep in mind, as I said, for the past year plus we just
have had 1 PDC that hosts all the roles plus DNS, DHCP,
WINS. The DC I recently installed was just to take the
load off of AD on the PDC. Plus have a backup copy of AD.
The PDC by itself runs fine. When you power on the new
DC, that's when users will randomly have login problems.
I'd imagine since some logon requests are answered by the
PDC, they'd work. If the logon request is answered by the
new DC, it has problems.

The errors only appear on the new DC. No event errors at
all on the PDC.

-thanks again,
Bob
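
The lookup described in the post above, as an added example that is not part of the original thread: it takes the last DWORD of the "mrxsmb 3034" event data, splits it into NTSTATUS fields, and checks it against the Win32 return value in the "userenv 1000" message. The event-data dump is constructed, the status code in the post is read as the 32-bit value 0xC0000133 (an assumption), and the function names are hypothetical.

```python
import re

# Small subset of documented codes; extend from the NTSTATUS / Win32 references.
NTSTATUS_NAMES = {
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC000006D: "STATUS_LOGON_FAILURE",
}
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED", 1398: "ERROR_TIME_SKEW"}
TIME_SKEW = {"STATUS_TIME_DIFFERENCE_AT_DC", "ERROR_TIME_SKEW"}
SEVERITY = ("success", "informational", "warning", "error")

# Constructed sample: only the final DWORD reflects the value in the post.
SAMPLE_WORDS = """
0000: 00000000 00000000 00000000 00000000
0010: 00000000 00000000 00000000 c0000133
"""
SAMPLE_USERENV = ("Windows cannot determine the user or computer name. "
                  "Return value (1398).")

def last_dword(words_view):
    """Return the final DWORD of an Event Viewer 'Words' data dump."""
    words = []
    for line in words_view.strip().splitlines():
        rest = line.split(":", 1)[-1]          # drop the offset column
        words += re.findall(r"\b[0-9a-fA-F]{8}\b", rest)
    if not words:
        raise ValueError("no DWORDs found in event data")
    return int(words[-1], 16)

def decode_ntstatus(value):
    """Split an NTSTATUS into its bit fields and look up a known name."""
    return {"severity": SEVERITY[(value >> 30) & 0x3],
            "facility": (value >> 16) & 0xFFF,
            "code": value & 0xFFFF,
            "name": NTSTATUS_NAMES.get(value, "unknown")}

def userenv_return_value(message):
    """Extract the Win32 error number from a userenv 1000 message."""
    m = re.search(r"Return value \((\d+)\)", message)
    if m is None:
        raise ValueError("no return value in message")
    return int(m.group(1))

def both_indicate_time_skew(words_view, message):
    """True when the SMB status and the userenv error are both time-difference codes."""
    status = decode_ntstatus(last_dword(words_view))["name"]
    win32 = WIN32_NAMES.get(userenv_return_value(message), "unknown")
    return status in TIME_SKEW and win32 in TIME_SKEW
```

When both values decode to a time-difference code, the two log entries describe the same failure class rather than two separate problems.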


 
Cary Shultz [A.D. MVP]

Bob,

I remember that there was another situation like yours not too long ago and
that there was a solution. I will have to search through this and pull on
my thinking cap ( I just dropped off our newborn son at Grandma's so I can
concentrate on other things now! ).

Cary
 
Bob Z.

Thanks for helping.
I've been troubleshooting for weeks, but am no closer to
an answer!

-bz-
 
Bob Z.

Hi.
I don't know if you're still there or not, but here's
another angle: I found a post from another user a few
months ago that is having (or was!) the same problem. His
circumstances are slightly different. But, the problem is
the same.

Look at:
http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21022094.html

-Bob
 
