DC communication problem

  • Thread starter: Gibo

Hi,
I am having some major problems with my PDC. Background:
3 Domain controllers running Windows 2003 server
1 local and two across WAN in different countries.

Up to recently everything in the garden was rosy!! Now when I go to my
exchange 2003 server ( non-DC) and open Active Directory Users and
Computers it connects to a DC across the WAN and takes ages to open. I
know replicating should occur and everything should be fine but it is
not. When I check "echo %logonserver%" on different machines, none
except the exchange server point to the local DC. I am also getting
many problems in exchange with some users intermittently not being able
to receive mail but can send!!! A reboot of exchange fixes this.

I have run dcdiag and netdiag and all run fine with no errors.

Can I force the PDC to answer first or what is wrong with my PDC???

Basically I am forced to reboot the exchange server every other day or
so when the issue occurs. This is obviously far from ideal...

Any help is gratefully received!
Thanks in advance,
Martin
 
Everything is running under the default first site. I have three
physical locations, but when I started, all suffixes are
location.mydomain.com. This is true of all locations, e.g. they are all
saying location.mydomain.com but are in different locations!!

I think there is a problem still as I am authenticating to a DC in
another country at present from this machine when it should not be as
this is over a slow link. Anything I should do to check for problems?
Thanks so far...
Martin
 
Gibo,

I would suggest that as long as everything is one Site that you will
experience clients authenticating against a Domain Controller that is
located across the WAN. There is not really too much that you can do about
this as this is how things are supposed to happen. Clients authenticate
first against a DC in the same Site. If you have only one Site ( well, as
set up in AD Sites and Services ) then all three Domain Controllers are
'equal'. The next thing is Weight and then Priority. Not much really that
you could do with these!

If you were to set up the three Sites ( well, er, the other two since you
already have one ) and then create the Subnets and associate each Subnet
with the correct Site things *should* work themselves out.

Are you familiar with how to set up Sites and Subnets in the ADSS MMC?

Also, consider making at least one DC in each Site a Global Catalog Server.
You can also do this in the ADSS MMC....

Now, are you saying that the DCs in the US have the suffix usa.mydomain.com
and the DCs in Germany have the suffix germany.yourdomain.com and the DCs in
Japan have the suffix japan.yourdomain.com -OR- are you saying that they all
have the suffix whatever.yourdomain.com?

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Hi Cary,
Thanks for your response. To answer the last first.. they are all
ireland.mydomain.com !!

Unfortunately I had not a huge knowledge of AD when upgrading this
network from NT. It was working without a hitch until last week, which
is about three months in all until I added the BDCs in the other
countries. If this is expected behaviour then this is fine I guess. It
would be probably too much hassle to reassign the different countries
e.g. usa.mydomain.com and belgium.mydomain.com etc...

I have one GC set up, would it be advisable to set up more as I don't
really understand fully what GC does or if having more than one is
beneficial to me.

> Are you familiar with how to set up Sites and Subnets in the ADSS MMC?

In a word .. NO.
Again if this is something you would recommend I do, then I can make it
happen, but if you think it may be best to leave them all in the same
subnet??

Thanks
Martin
 
Gibo,

Ah! A newbie! We have all been there. It is a really good thing that you
are posting to this newsgroup. It is really a wonderful place. There are
lots of people in here with all levels of experience and knowledge.

I think that how you do things depends on what you want to accomplish. If
you do not want your clients authenticating against a Domain Controller that
is located across a WAN link then I would suggest that you set up - in the
AD Sites and Services MMC - a Site for each physical location. You would
also need to create a subnet for each subnet that exists and then associate
that subnet with the correct Site. This is supposed to assist the clients
( read: workstations ) in authenticating against a Domain Controller that is
in the same Site.

There are several Microsoft Knowledge Base Articles on how to do this.
There are several things that you need to know to ensure that this works
properly.

I would suggest that you search the MSKB. Here are some links to get you
started:

http://support.microsoft.com/?id=199174

http://www.microsoft.com/resources/...server/reskit/en-us/distrib/dsbh_rep_JFBG.asp

http://support.microsoft.com/?id=224815

http://support.microsoft.com/?id=271997

http://support.microsoft.com/?id=313994

http://support.microsoft.com/?id=306602 ( this one is more for the Big
Picture.... ).

Also, here are two MSKB Articles on how WIN2000 and WINXP clients locate
Domain Controllers:

http://support.microsoft.com/?id=247811
http://support.microsoft.com/?id=314861

Also, when you mention 'BDC' you mean that you have a WIN2000 Domain
Controller in each location, correct? And not a WINNT 4.0 Backup Domain
Controller.

You also do not mention what the WAN links are ( 56kbps or T1 or somewhere
in between ). And, I hope that you have a Firewall-to-Firewall VPN set up
( assuming that you do not have private links.... ).

If you have any questions please feel free to ask. I have no problems if
you e-mail directly but it is better that this stay in the news group. This
way everyone can contribute and learn!

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
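
The behaviour described in the two replies above (same-Site DCs first, then SRV priority and weight), as an added example that is not part of the original posts: a simplified Python model of DC selection, not the real DC locator. The host names, site names, subnets and the equal priority/weight values are constructed for illustration.

```python
import ipaddress
import random
from collections import Counter

DEFAULT_SITE = "Default-First-Site-Name"

# Constructed sample data: host names, site names and subnets are hypothetical.
SUBNETS = {"10.1.0.0/16": "Dublin", "10.2.0.0/16": "USA", "10.3.0.0/16": "Belgium"}
ONE_SITE = [
    {"name": "dc-dub", "site": DEFAULT_SITE, "priority": 0, "weight": 100},
    {"name": "dc-usa", "site": DEFAULT_SITE, "priority": 0, "weight": 100},
    {"name": "dc-bel", "site": DEFAULT_SITE, "priority": 0, "weight": 100},
]
THREE_SITES = [dict(dc, site=site)
               for dc, site in zip(ONE_SITE, ("Dublin", "USA", "Belgium"))]


def site_for_ip(client_ip, subnets):
    """Map a client to a site by longest-prefix match on the subnet objects."""
    ip = ipaddress.ip_address(client_ip)
    hits = [(ipaddress.ip_network(c), s) for c, s in subnets.items()
            if ip in ipaddress.ip_network(c)]
    if not hits:
        return DEFAULT_SITE  # no subnet object covers this address
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def candidate_dcs(client_ip, dcs, subnets):
    """Same-site DCs if the client's site has any, otherwise every DC."""
    site = site_for_ip(client_ip, subnets)
    return [d for d in dcs if d["site"] == site] or list(dcs)


def pick_dc(candidates, rng):
    """SRV-style choice: lowest priority value first, then weighted random."""
    low = min(d["priority"] for d in candidates)
    pool = [d for d in candidates if d["priority"] == low]
    return rng.choices(pool, weights=[d["weight"] for d in pool], k=1)[0]


def logon_distribution(client_ip, dcs, subnets, trials=3000, seed=1):
    """Count which DC a client at client_ip ends up with over many lookups."""
    rng = random.Random(seed)
    cands = candidate_dcs(client_ip, dcs, subnets)
    return Counter(pick_dc(cands, rng)["name"] for _ in range(trials))


if __name__ == "__main__":
    print("one site   :", dict(logon_distribution("10.1.4.20", ONE_SITE, {})))
    print("three sites:", dict(logon_distribution("10.1.4.20", THREE_SITES, SUBNETS)))
```

With everything in one Site the Dublin client is spread across all three DCs; once each location has its own Site and Subnet objects, the same client only ever selects the local DC.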
 
Once again Cary, thank you so much for your help. I have printed these
docs for some *fun* weekend reading!!
In the meantime... I have had the issue with my exchange server again.
I am pasting some of the different errors here in the hope someone may see
my problem.
Thanks
Martin

Event Type: Error
Event Source: MSExchangeDSAccess
Event Category: Topology
Event ID: 2114
Date: 5/5/2005
Time: 4:04:42 PM
User: N/A
Computer: EXDUB01
Description:
Process EMSMTA.EXE (PID=3484). Topology Discovery failed, error
0x80040952.

For more information, click
http://www.microsoft.com/contentredirect.asp.

Event Type: Error
Event Source: MSExchangeSA
Event Category: General
Event ID: 9188
Date: 5/5/2005
Time: 4:03:38 PM
User: N/A
Computer: EXDUB01
Description:
Microsoft Exchange System Attendant failed to read the membership of
group 'cn=Exchange Domain Servers,cn=Users,dc=xxxxx,dc=yyyy,dc=com'.
Error code '800705b4'.

Please check whether the local computer is a member of the group. If it
is not, stop all the Microsoft Exchange services, add the local
computer into the group manually and restart all the services.

For more information, click
http://www.microsoft.com/contentredirect.asp.

Event Type: Error
Event Source: MSExchangeDSAccess
Event Category: Topology
Event ID: 2114
Date: 5/5/2005
Time: 3:49:05 PM
User: N/A
Computer: EXDUB01
Description:
Process IISIPM46828796-EB10-485B-9A68-422CAC63CC7C -AP
"EXCHANGEAPPLICATIONPOOL (PID=2888). Topology Discovery failed, error
0x80040952.

For more information, click
http://www.microsoft.com/contentredirect.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1006
Date: 5/5/2005
Time: 3:41:35 PM
User: NT AUTHORITY\SYSTEM
Computer: EXDUB01
Description:
Windows cannot bind to here.mydomain.com domain. (Timeout). Group
Policy processing aborted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 5/5/2005
Time: 3:41:35 PM
User: NT AUTHORITY\SYSTEM
Computer: EXDUB01
Description:
Windows cannot query for the list of Group Policy objects. Check the
event log for possible messages previously logged by the policy engine
that describes the reason for this.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: MSExchangeDSAccess
Event Category: Topology
Event ID: 2114
Date: 5/5/2005
Time: 3:33:44 PM
User: N/A
Computer: EXDUB01
Description:
Process EMSMTA.EXE (PID=3484). Topology Discovery failed, error
0x80040952.

For more information, click
http://www.microsoft.com/contentredirect.asp.
 
Hi Cary,
On further examination I believe it may be helpful if I upgrade my
Exchange 2003 server (running on Windows 2003) to an additional domain
controller. Any thoughts on this as I have found some people saying in
other groups that this will resolve many of the authentication and
domain communication problems I am having. This would give me 2 local
DCs for 100 users and 2 remote DCs for another 30ish users....

The only question I have is will it affect exchange; do I need to do it
out of hours or is it a short task that can be completed at lunchtime?
When I went through the DCPROMO command, it said
"All encrypted data, such as EFS-encrypted files or e-mail, should be
decrypted before continuing or it will be permanently inaccessible."
Which is not something I want to happen to our mail or I will really be
for it!! (Drive is compressed if this makes any difference)

Again many thanks and have a great weekend.

Gibo
 
I have not done this yet as I have some concerns about the upgrade.
Should it be ok??
Thanks
Gibo
 