2nd DC not authenticating users?


DaShard

I have 3 Win 2K DC's.

Whenever the first one that was set up is being rebooted or maintained there
appears to be very little resolutions on the rest of the network. People
can't login easily and the dead giveaway is that nothing happens when you
click the domain name in net neighborhood.

I'm pretty sure it's to do with my lack of knowledge of GC's and the like....
Help.

What do I need to do to make my 2nd and 3rd DC act like one for local
network/domain resolutions.....

thanks
 
DaShard!

I think that you are probably correct in your thought process that it is a
GC issue.

Is your WIN2000 Active Directory environment in Native Mode or in Mixed
Mode?

Does DC01 hold all of the FSMO Roles ( there are five: two forest-wide and
three domain-wide......Schema Master and Domain Naming Master and then the
PDC Emulator, RID Master and Infrastructure Master )?

Do you have WIN2000 and WINXP Pro clients only or do you also have some
'legacy' clients?

If you have only one Domain / Tree / Forest then it is generally suggested
that all Domain Controllers also be a Global Catalog Server. Now, the first
DC will be a GC. This you know. How do you make the second and third DCs
also Global Catalog Servers? Easy! Open up the Active Directory Sites and
Services MMC. Go to each DC under the SERVERS folder. Each DC should have
a child object NTDS SETTINGS. Simply right click that object and choose
Properties. On the General tab in the lower left corner you will see a
check box labeled Global Catalog Server. For DC02 and DC03 this check box
will not be checked. Check it! It is also probably a good idea to reboot
each DC once you do this, so you might want to do this on the weekend or
after hours!

I might also suggest to you that you install the Support Tools on all of
your Windows 2000 Servers, no matter what role they play ( Domain
Controller, Member Server running Exchange, Member Server running Terminal
Server, etc. etc. etc. ). There are some really neat tools. dcdiag,
netdiag, nltest, repadmin, replmon and netdom are the tools that you would
most likely use most often!

If you cannot script then I would suggest that you look at ADModify to help
you when you have bulk changes to do.

I would also suggest that you make use of ExMerge for any Exchange 2000
related things that you might need. It is a great tool.

You might also want to go to Joe's web site at http://www.joeware.net and
get oldcmp and adfind ( at the very least ).

You might also want to get ALTOOLS.exe ( from the MS Web Site ) and make use
of the Account Lockout Tools. They are really nice.

HTH,

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
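A current-Windows equivalent of the GC check-box procedure in the post above, added here as an example and not part of Cary's reply: it assumes the ActiveDirectory PowerShell module (which Windows 2000 did not have), reports GC status and FSMO holders for every DC, and sets the same NTDS Settings flag the MMC check box sets.

```powershell
# Added example, not from the thread: report which DCs are Global Catalog
# servers and which hold the FSMO roles, then enable the GC on any DC that
# lacks it. Assumes current Windows Server with the ActiveDirectory module;
# it sets the same NTDS Settings flag the MMC check box in the post sets.
Import-Module ActiveDirectory

$NTDSDSA_OPT_IS_GC = 1   # bit 0x1 of the NTDS Settings 'options' attribute

function Get-DcGcReport {
    foreach ($dc in Get-ADDomainController -Filter *) {
        [pscustomobject]@{
            HostName  = $dc.HostName
            IsGC      = $dc.IsGlobalCatalog
            FsmoRoles = ($dc.OperationMasterRoles -join ', ')
            NtdsDN    = $dc.NTDSSettingsObjectDN
        }
    }
}

function Get-FsmoHolders {
    # All five roles plus the only GC on one box is exactly the single point
    # of failure the thread describes; the report makes that dependency visible.
    $f = Get-ADForest; $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Enable-GlobalCatalog {
    param([Parameter(Mandatory)][string]$NtdsSettingsDN)
    $ntds = Get-ADObject -Identity $NtdsSettingsDN -Properties options
    $opts = [int]$ntds.options            # missing attribute reads as 0
    if ($opts -band $NTDSDSA_OPT_IS_GC) { return "$NtdsSettingsDN is already a GC" }
    # Same change the MMC check box makes; the DC advertises as a GC only after
    # it has replicated the partial partitions (watch the Directory Service log).
    Set-ADObject -Identity $NtdsSettingsDN -Replace @{ options = ($opts -bor $NTDSDSA_OPT_IS_GC) }
    return "$NtdsSettingsDN marked as GC"
}

$report = Get-DcGcReport
$report | Format-Table HostName, IsGC, FsmoRoles -AutoSize
Get-FsmoHolders | Format-List
$report | Where-Object { -not $_.IsGC } | ForEach-Object { Enable-GlobalCatalog -NtdsSettingsDN $_.NtdsDN }
```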
 
Forgot in my first response:

Is DC01 the only DNS Server in your environment? If it is you might want to
look at making either DC02 or DC03 ( or maybe both ) DNS Servers. Also,
look at making DNS Active Directory Integrated DNS ( aka Dynamic DNS or
DDNS ). Do not forget to update DHCP if you add additional DNS Servers so
that your clients will have the updated information ( assuming that you use
DHCP ).

How many user account objects are in your environment? And how many
computer account objects? And I am assuming ( always a bad thing to do )
that you have one physical location and that you have properly created the
Subnet(s) and associated it/them with the correct Site? You would do this
in the Active Directory Sites and Services MMC.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Cary, thanks. OK I made my DC02 and DC03 GC's as per your grand suggestion.
I have one location/domain/site.
Thanks for the good idea on the Support Tools - wish I'd had those last
week!
I think I'm in mixed mode as I have 1 NT4.0 Server and 3 W2K Servers. - how
do I check/change?
All my Clients are W2K Pro or XP Pro

Thanks.
 
All 3 DC's are DNS Servers.... yup - you know I forgot about the DHCP!
arghhhhhhhhh
35 users and computers + 5 Servers....

Is it or is it not a good idea to have the secondary or tertiary DNS servers
as the ISP or should the resolvers all be inside and only forwarded out?

I always think that if the DNS server 'breaks' then the client goes straight
out the router for web resolution and never notices the downed server -
maybe!

Thanks...
 
Michael,

Only if that WINNT 4.0 Server is a Backup Domain Controller are we
interested in remaining Mixed Mode. Well, essentially.

Open up the Active Directory Users and Computers MMC and right click
'yourdomain.com' and select Properties. You will see on the General tab
either Mixed Mode or Native Mode in the Domain Operation Mode. If it is in
Mixed Mode you would see a button to change it to Native Mode. If it is in
Native Mode already then there will be no button as the switch from Mixed
Mode to Native Mode is a one-way, one-time thing.

Is that WINNT 4.0 Server a Backup Domain Controller?

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Michael,

Only 35 users and three Domain Controllers. This is a bit excessive! It is
always a good idea to have two Domain Controllers. I am not sure that you
need the third one. But if you have it.....

NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER
use any DNS Server other than your internal DNS Server(s). This is a
horrible idea and will cause all sorts of problems. Sorry, but your
thinking is completely off base here. ;-)

You only want your clients to know about your internal DNS Servers as they
will need them for, among other things, the SRV records. These are all
important records in your DNS' Forward Lookup Zone. You will want to
include at least two of the three DNS Servers in your Options in DHCP ( why
not use all three? ) so that your clients will always have the DNS Servers
information. The only place that your ISP's DNS Server information belongs
is in the Forwarding tab......

Please take a look at the following two MSKB Articles that explain how both
WIN2000 and WINXP Pro systems locate things:

http://support.microsoft.com/?id=247811
http://support.microsoft.com/?id=314861

It is imperative that you do not include your ISP's DNS information in the
Options in DHCP. Your clients will have a lot of problems with a lot of
things ( GPOs for one... ).

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
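An audit for the DNS placement rule in the post above, added here as an example and not part of Cary's reply: it assumes current Windows Server with the ActiveDirectory, DhcpServer and DnsServer modules (none of which existed on Windows 2000), treats every DC as an internal DNS server as in this thread, and flags any DHCP option 6 entry that is not one of them, plus any forwarder that points back inside instead of at the ISP.

```powershell
# Added example, not from the thread: verify that DHCP option 6 (DNS servers)
# hands clients only the internal AD DNS servers, and that ISP resolvers appear
# only as forwarders on the DNS servers. Assumes current Windows Server with the
# ActiveDirectory, DhcpServer and DnsServer modules; the host name is a placeholder.
Import-Module ActiveDirectory, DhcpServer, DnsServer

$DhcpServer = 'dc01.example.internal'   # placeholder: your DHCP server

# Every DC is a DNS server in the thread, so the DC addresses are the allow-list.
$dcs = Get-ADDomainController -Filter *
$internalDns = $dcs | Select-Object -ExpandProperty IPv4Address

function Test-DhcpDnsOption {
    param([string]$ComputerName, [string[]]$Allowed)
    # Check the server-level option 6, then each scope's (a scope value overrides the server's).
    $levels = @(@{ Label = 'server'; Splat = @{} })
    foreach ($s in Get-DhcpServerv4Scope -ComputerName $ComputerName) {
        $levels += @{ Label = "scope $($s.ScopeId)"; Splat = @{ ScopeId = $s.ScopeId } }
    }
    foreach ($lvl in $levels) {
        $splat = $lvl.Splat
        $opt = Get-DhcpServerv4OptionValue -ComputerName $ComputerName -OptionId 6 @splat -ErrorAction SilentlyContinue
        if (-not $opt) { continue }
        if (@($opt.Value).Count -lt 2) { "$($lvl.Label): only one DNS server in option 6; list at least two DCs" }
        foreach ($addr in $opt.Value) {
            if ($addr -notin $Allowed) { "$($lvl.Label): option 6 hands out $addr, which is not an internal AD DNS server" }
        }
    }
}

function Test-DnsForwarders {
    param([string[]]$DnsServers, [string[]]$Internal)
    foreach ($srv in $DnsServers) {
        $fwd = @((Get-DnsServerForwarder -ComputerName $srv).IPAddress | ForEach-Object { "$_" })
        foreach ($ip in $fwd) {
            if ($ip -in $Internal) { "${srv}: forwards to internal server $ip; forwarders should be the ISP resolvers" }
        }
        "${srv}: forwarders = $($fwd -join ', ')"   # empty means root hints are used instead
    }
}

Test-DhcpDnsOption -ComputerName $DhcpServer -Allowed $internalDns
Test-DnsForwarders -DnsServers ($dcs | Select-Object -ExpandProperty HostName) -Internal $internalDns
```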
 
My thinking's sometimes a bit off base in other areas too!!!

I knew I could go straight to 'the Top' in this forum...

Thanks for all your help - I've got it all now.......
 