Newly promoted second PDC will not authenticate

[Channon Katt]

I have a windows 2000 server that has been newly promoted
to a PDC to provide backup for the current one. This new
server will not authenticate users even on an isolated
clean network.

Any ideas?

 

[Herb Martin]

I have a windows 2000 server that has been newly promoted

to a PDC to provide backup for the current one. This new

Domain Controller (not PDC)

server will not authenticate users even on an isolated
clean network.

Chances are it is a DNS problem -- do you have a DYNAMIC
DNS server (set)? Are all of the DCs NIC settings AND clients
pointed ONLY at this internal DNS (set)?

Make sure the new DC has it's DNS properties set to the existing
Dynamic DNS and restart the NetLogon service.

Do NOT point any of these internal machines at the ISP or other
external DNS. (Use a forwarder on the DNS servers, if you need that
effect.)

 

[channon_katt]

We have two DCs on the network now and one of them is also
set up as a nonroot DNS server which forwards out to the
ISP. The new DC is set correctly to point to the other DC
for its DNS. The new DC is not in and of itself setup for
DNS.

 

[Herb Martin]

We have two DCs on the network now and one of them is also

set up as a nonroot DNS server which forwards out to the
ISP. The new DC is set correctly to point to the other DC
for its DNS. The new DC is not in and of itself setup for
DNS.

You never confirmed that is it DYNAMIC. You did NOT confirm
that all clients AND servers are pointed STRICTLY at the internal
DNS. (Do not put an external Alternate on any client -- that is
what forwarding is designed to do.)

Check each DC by running DCDiag and each machine by running
NetDiag -- save output to a text file and search for WARN, FAIL,
ERROR.

 

[Channon Katt]

No it is in mixed mode. No a lot of the clients are set up
wrong for the DNS (just found that out) and that will be
corrected but what still puzzles me is that it can't see
the other DCs with nslookup. Also the new server can't
snap in any of the other DCs into its MMC.

So while there could be some client log in issues with the
DNS thing it doesn't explain the issues with it seeing the
other servers especially since I have confirmed that the
DNS settings for the new DC were originally set correctly
and still are

CK

 

[Herb Martin]

Try DCDiag next.

--
Herb Martin

No it is in mixed mode. No a lot of the clients are set up
wrong for the DNS (just found that out) and that will be
corrected but what still puzzles me is that it can't see
the other DCs with nslookup. Also the new server can't
snap in any of the other DCs into its MMC.

So while there could be some client log in issues with the
DNS thing it doesn't explain the issues with it seeing the
other servers especially since I have confirmed that the
DNS settings for the new DC were originally set correctly
and still are

CK

 

[Enkidu]

The new DC will have a static address. Therfore you need to configure
it with all the DNS information. However, since it has a fixed IP
address and doesn't use DHCP, it will not automatically update the
zone file on the DNS server. You'll need to do that by hand. I don't
know if this has been covered in the rather confused context trail,
which I've snipped for clarity,

Cheers,

Cliff

 

[Herb Martin]

The new DC will have a static address. Therfore you need to configure
it with all the DNS information. However, since it has a fixed IP
address and doesn't use DHCP, it will not automatically update the
zone file on the DNS server. You'll need to do that by hand. I don't
know if this has been covered in the rather confused context trail,
which I've snipped for clarity,

The above makes little sense and is likely to be unrelated to the
problem at hand (at best); it should probably be ignored.

DC records in DNS should almost never be done manually.

Dynamic DNS
DC points it's own client settings at that Dynamic DNS (only, no other)
Restart NetLogon Service to ensure (re) registration (after either of the
above are fixed)

Point clients to this same DNS (set)