Account is fine on all DCs, but a specific DC presents "access is denied" for same account


Marlon Brown

I have a total of 8 DCs.

One DC that is on a remote site and has connections to MainSite DC presents
strange behavior:
If I create an account on MainSiteDC, the account replicates accordingly to
DC8.

However if I right click NewAccount, select for example "Profile" tab on the
account, I only see a line that states:
The Active Directory Could not be displayed

Access is denied


I already ran netdiag, repadmin /showreps, dcdiag /test:intersite and all
results seem normal for that dc8.
I already rebooted the server and error does not go away. Basically all
objects present this "access is denied" message when I attempt to access
certain attributes.
I am a domain admin, enterprise admin, etc.
I go to Intersite, force replication and no error is displayed.
I go to event viewer and no relevant event log can be found.
If users try to log on using any account and that authenticates to that dc,
the login 'hangs'.

What could be wrong?
 
Marlon,

Maybe consider trying to ping that DC from any other machine in the
environment...all three ways. Actually, there is a fourth involving
'_.msdcs'...I am sure that you can but let's just start there. Then I would
try an 'nslookup yourdomain.com' on that particular DC. I would check to
make sure that all of the DNS entries are present and accounted for. Have
you taken a look at DNSLint? I might also suggest FRSDiag....

Have you redirected the output of all the tests that you have run to a log
file so that you can slowly and methodically go through them? If so, have
you looked for 'fail' and 'error'? What shows up? Maybe a better question,
what does not show up? Have you run these tests only on DC8 or have you run
them against as many as possible?

And let's not overlook the event ids! Do you have any? You wrote that
there are none. Really? Absolutely none! There has to be something in
there....

You have Sites set up properly so only users from that remote Site should be
authenticating against DC8? Does this mean that no one in this remote Site
can log on? Is that DC8 also a Global Catalog Server? Have you run, for
example, netdom query fsmo? Are the results of that correct?

Is this a new DC? How long has it been around? When did you notice this
problem? Have you gone to each workstation in the remote Site and entered
'set l' (that would be the letter 'L', not the number 1)? This will tell
you against which DC the client is authenticating... At what service pack
level is this DC8? And the others?

Marlon, I hope that this helps you to resolve your issue.

Cary
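
The log-and-search routine described in the reply above (redirect each test to a file, look for 'fail' and 'error', compare DC8 with the other DCs), as an added PowerShell example that is not part of either post. The DC names and log folder are placeholders, and step 3 assumes dcdiag's English "passed test <name>" result lines.

```powershell
# Added example. DC names and log folder are placeholders, not values from the thread.
$dcs    = 'DC1', 'DC8'            # hypothetical; list every DC, known-good one first
$logDir = 'C:\Temp\dc-logs'       # hypothetical output folder
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# 1. Run the tests named in the thread against each DC, one log file per test.
foreach ($dc in $dcs) {
    dcdiag "/s:$dc" 2>&1 | Out-File "$logDir\$dc-dcdiag.log"
    dcdiag "/s:$dc" /test:intersite 2>&1 | Out-File "$logDir\$dc-intersite.log"
    repadmin /showreps $dc 2>&1 | Out-File "$logDir\$dc-showreps.log"
}

# 2. What shows up: every line mentioning 'fail' or 'error' (case-insensitive).
Select-String -Path "$logDir\*.log" -Pattern 'fail', 'error' |
    Select-Object Filename, LineNumber, Line |
    Format-Table -AutoSize -Wrap

# 3. What does not show up: tests the first DC passed that have no
#    'passed test' line in another DC's dcdiag log.
$passed = @{}
foreach ($dc in $dcs) {
    $passed[$dc] = @(Select-String -Path "$logDir\$dc-dcdiag.log" -Pattern 'passed test (\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique)
}
$reference = $dcs[0]
foreach ($dc in ($dcs | Select-Object -Skip 1)) {
    $missing = @($passed[$reference] | Where-Object { $passed[$dc] -notcontains $_ })
    if ($missing.Count -gt 0) {
        "{0}: no 'passed test' line for {1}" -f $dc, ($missing -join ', ')
    }
}
```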
 