not prompting for password change

Thread starter: aaron.whittaker
Hello,
There are several 2000 and 2003 servers on my domain. The
functionality of the domain is 2000. Users on my domain are not being
prompted for a password change. They can log into machines. But the
moment they try to access network resources they are unable to. Then
when they go to access Exchange (2003) they are prompted. Then they
get the box to change their password. There are a number of ways that
can fix this issue. What is the Microsoft best practices way?
Thanks
 

Sounds like there's an issue with AD communication among your DCs, if not
other things going on. What Event log errors are you getting on your DCs?
Please check them all.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
aaron.whittaker said:
There was nothing significant in the logs. Do you have any other
ideas?

Not at this time. In your original post you mentioned MS has multiple ways to
fix this. What articles were you looking at? Maybe I can check them out and
deduct something out of it for you.

Ace
 

Also, forgot to add, I would make sure that every machine in the AD
infrastructure (DCs, member servers and clients) is only using the internal
DNS server for resolution. That is a common problem where some admins use
their ISP's DNS. That we all know causes numerous issues.

Ace
 
There was nothing in the logs. Do you have any other ideas where I
should be looking? This is affecting all users.
 
Well you could put a group policy that won't allow users to
authenticate with cached credentials. Issue: laptop users can't login,
so I would have Deny - Apply Group Policy.
Or the same thing could be done through a registry edit on all
machines, lot more work for 30 PCs.
But I don't think that either of these ideas are fully correct as they
are really not fixing the source of the problem. And also I would
like to know what the real problem and fix is.
 
Got a couple of Q's

1. How many DCs do you have and how's replication between them? Test it
now. Make a dummy computer account and see if it's replicated across to
other DCs.

2. Test FRS: put a small (non-zero byte) file in NETLOGON and see if it
gets replicated over.

3. Can you Email me the output of DCDIAG /V and NETDIAG /V run on all
DCs and also one run on the Client Machine

4. It is definitely a network issue. It could be Name Resolution (DNS)
misconfiguration. It could be a bad wire somewhere or a bad piece of
Network Hardware like the switch or NIC.

5. It could be excessive traffic on your network - probable reasons
Viruses propagating, Bad hardware. I'm sure there are more.

6. If you can email me the above mentioned outputs I could have a look
and be able to deduct something.
 
I have 2 domain controllers, yes there is replication between the 2.
Every hour. Modifications do appear on the other DC.

But I am in Australia. I have one dc here. I also have another
domain controller that is in the US. All changes are done on the Aust
DC. So I would think that it is irrelevant that we have another
server because it is never used by anyone in Australia. And I am only
concerned with Australian users. Although all replication that I have
tested and monitored is updated on the US server it would have nothing
to do with the users trying to logon in Australia.

3. Can you Email me the output of DCDIAG /V and NETDIAG /V run on all
DCs and also one run on the Client Machine
All documentation instructs me to do the following.
Click Start, click Run, type cmd (or command) in the Open box, and
then click OK.
At the command prompt, type DCdiag /v, and then press Enter.
and then I get
'dcdiag' is not recognized as an internal or external command,
operable program or batch file.
I tried this on a DC (2000), a 2003, and an XP machine. They all produced
the same error.
Why does this not work?

4. Definitely is network issues. It could be Name Resolution (DNS)
misconfiguration. It could be a bad wire somewhere or a bad piece of
Network Hardware like the switch or NIC.
Could it really be a NIC as this is happening on multiple machines?
All of these machines can get to the domain controller, and other
network resources via, remote desktop, UNC, and ssh.

5. It could be excessive traffic on your network - probable reasons
Viruses propagating, Bad hardware. I'm sure there are more.
I would hope that this is not the case. I check the virus server.
Our network has no viruses at the moment.
If someone's account is locked out (which is what this issue is
causing), I unlock their account and then they can immediately log in.
This would suggest that each client can in fact talk to the DC but
for some reason it just won't prompt them for a password change. I
did however have someone who could not even change their password
after I unlocked and reset their password. They had to login and then
press Ctrl+Alt+Del, and change their password that way. I don't know if
that is related, because they never told me what password they were
trying to change it to. We do have GPOs which do the following:
must be eight characters, have 3 different types of characters in the
password, and it can't be the previous 3 passwords. So they could
have just not been trying one that the GPO would allow.

Also a lot of users leave their machines locked, not logged out, as
they are developers with many items open. So this would cause
machines never to ask for a new password. But most of them are smart
enough to restart when Exchange tells them that their password has
expired. So they do this but when they attempt to log back in, it
will either allow them into their machines (with no ability to access
network resources), or lock their account with no password prompt.
 

1. Curious, you mentioned MS states multiple ways to fix this. I asked
earlier, but still curious, since you haven't responded to what you read.

2. Also, if you have DCs across WAN links, and you are having problems on
one side, as Gautam suggested, it could be heavy traffic across the WAN,
slow WAN link, etc.

3. Also, the password change issue can be attributed to the PDC emulator not
being available, which can either indicate a DNS issue or WAN link
communication issue, or both. Which machine holds that role?

4. In DNS, is there a DNS server in both locations? Are the zones AD
Integrated? If yes or no, do the zones on both DNS have the same exact copy
of data, and the SRV records exist?

5. Is there a GC in Australia?

5. For netdiag and dcdiag, install the support tools off the Windows CDROM.
Then go to a CMD prompt and run them with the switches you specified.

6. Is your domain a single label name?

7. Can you post an unedited ipconfig /all from both DCs from both locations
please?

Thanks!

--
Regards,
Ace
 
I would actually prefer if you can send us reports generated from this
tool.

Microsoft Product Support's Reporting Tools
http://www.microsoft.com/downloads/...7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en

It creates a CAB file when it finishes generating all reports. If you
can email me that CAB file from the DC, that would give me a good idea
of what's up.

Also I would need a MPSREPORTS CAB file from a client machine where
you are facing the issues.

And yes, what are the many ways in which Microsoft suggests to fix the
issue? We could probably glean something from those as well.


--
Gautam Anand
e: gautam at hotpop dot com
 
I would want the DIRSVC reports. It's the one which is 702 KB in size,
and here is the direct link to the exe.

http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_DirSvc.EXE
--
Gautam Anand
 

Yes, they are two good tools for diagnosing.

I'm also still curious as to what MS suggestions Aaron is speaking of.

Ace
 
1. As mentioned earlier, I have seen case study scenarios where the
following has occurred.
You could put a group policy that won't allow users to authenticate
with cached credentials. Issue: laptop users can't login, so I would
have Deny - Apply Group Policy.
Or the same thing could be done through a registry edit on all
machines, lot more work for 30 PCs. But I don't think that either of
these ideas are fully correct as they are really not fixing the source
of the problem. And also I would like to know what the real problem
and fix is.

2. This won't be the case as there is a DC on site. This is the main
DC. It is the closest so all machines would go to this one, which has
the most up to date information. The other one in the US is a
centralised redundant machine, for when Aust users logon in other
parts of the world, as all of my company's connections go back to HQ
in the US.

3. Also, the password change issue can be attributed to the PDC
emulator not
being available, which can either indicate a DNS issue or WAN link
communication issue, or both. Which machine holds that role?
The functional level of the domain is Windows 2000 so there is no PDC.

4. In DNS, is there a DNS server in both locations? Are the zones AD
Integrated? If yes or no, do the zones on both DNS have the same exact
copy
of data, and the SRV records exist? DNS is in Australia, and is
different to the US version,
but again I don't think that DNS can be the issue, when basically we
are only talking and dealing with the DC in Australia.

5. Is there a GC in Australia?
Don't know. Will check.

5. For netdiag and dcdiag, install the support tools off the Windows
CDROM.
Then go to a CMD prompt and run them with the switches you specified.
Will do.

6. Is your domain a single label name? I don't know what that means, but
it is a child domain. Parent domain = US.NET Child Aust domain =
Aust.US.Net

7. Can you post an unedited ipconfig /all from both DCs from both
locations
please?

dc ipconfig
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\user>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : DCname
Primary DNS Suffix . . . . . . . : aust.us.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : aust.us.net
na.us.net
eu.us.net
us.com
companyname.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : austrlaia.us.net
Description . . . . . . . . . . . : Compaq NC3163 Fast
Ethernet NIC
Physical Address. . . . . . . . . : 00-02-A5-1B-9D-F3
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.177.1.8
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.177.1.1
DNS Servers . . . . . . . . . . . : 10.177.1.8
10.81.217.175
Primary WINS Server . . . . . . . : 10.100.8.6

C:\Documents and Settings\user>


user ipconfig
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : my-lap
Primary Dns Suffix . . . . . . . : aust.us.NET
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : aust.us.net
companyname.com

Ethernet adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel(R) PRO/Wireless LAN
2100 3B Mi
ni PCI Adapter
Physical Address. . . . . . . . . : 00-0C-F1-30-E3-0E

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : local.australia.us.com
Description . . . . . . . . . . . : Intel(R) PRO/100 VE
Network Connecti
on
Physical Address. . . . . . . . . : 00-08-0D-61-88-FD
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.177.1.93
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.177.1.1
DHCP Server . . . . . . . . . . . : 10.177.1.10
DNS Servers . . . . . . . . . . . : 10.177.1.8
10.177.1.13
10.100.8.72
Primary WINS Server . . . . . . . : 10.177.1.10
Lease Obtained. . . . . . . . . . : Monday, 11 October 2004
1:54:11 PM
Lease Expires . . . . . . . . . . : Monday, 11 October 2004
4:54:11 PM

C:\Documents and Settings\user>

Notice that the DNS suffix is different; is this an issue?
 
Sorry it took so long to reply. Personal issues had me tied up for a few
days.

Replied inline below.

aaron.whittaker said:
1. As mentioned earlier, I have seen case study scenarios where the
following has occurred.
You could put a group policy that won't allow users to authenticate
with cached credentials. Issue: laptop users can't login, so I would
have Deny - Apply Group Policy.
Or the same thing could be done through a registry edit on all
machines, lot more work for 30 PCs. But I don't think that either of
these ideas are fully correct as they are really not fixing the source
of the problem. And also I would like to know what the real problem
and fix is.

*** Let's stay away from a GPO for now until this is resolved.
2. This won't be the case as there is a DC on site. This is the main
DC. It is the closest so all machines would go to this one, which has
the most up to date information. The other one in the US is a
centralised redundant machine, for when Aust users logon in other
parts of the world, as all of my company's connections go back to HQ
in the US.

*** Is the DC in Australia a GC? Does it show up in your SRVs as a GC? Do
all the DCs show up in the SRVs?
3. Also, the password change issue can be attributed to the PDC
emulator not
being available, which can either indicate a DNS issue or WAN link
communication issue, or both. Which machine holds that role?
The functional level of the domain is Windows 2000 so there is no PDC.

*** But there IS a PDC Emulator. That guy coordinates password changes,
updates, time synch, legacy client password support, creating/editing GPOs,
etc. You can find the PDC Emulator by right-clicking your domain name in ADUC,
choose Operations Masters, choose the PDC Emulator tab. It will tell you who
the current one is.
4. In DNS, is there a DNS server in both locations? Are the zones AD
Integrated? If yes or no, do the zones on both DNS have the same exact
copy
of data, and the SRV records exist? DNS is in Australia, and is
different to the US version,
but again I don't think that DNS can be the issue, when basically we
are only talking and dealing with the DC in Australia.


*** But DNS is the mainstay of AD. Without the proper SRV records registered,
AD will malfunction. AD RELIES on DNS. That is why I am heavy on finding out
your DNS infrastructure. If it is not sound, or misconfigured, AD is
guaranteed to have problems.

5. Is there a GC in Australia?
Don't know. Will check.

*** Look in Sites and Services, under your Site name (if the default, it
will be the Default-First-Site-Name), under Servers, choose the server in
Australia, in the right window pane, choose NTDS properties. It will be
checked off as a GC over there.
5. For netdiag and dcdiag, install the support tools off the Windows
CDROM.
Then go to a CMD prompt and run them with the switches you specified.
Will do.

6. Is your domain a single label name? I don't know what that means, but
it is a child domain. Parent domain = US.NET Child Aust domain =
Aust.US.Net

*** It's not a single label name. Good.

7. Can you post an unedited ipconfig /all from both DCs from both
locations
please?

*** Read inline below for my comments....
dc ipconfig
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\user>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : DCname
Primary DNS Suffix . . . . . . . : aust.us.net

*** I assume this is your domain name? The Primary DNS Suffix needs to match
the AD DNS domain name.
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : aust.us.net
na.us.net
eu.us.net
us.com
companyname.com

**** Why are all these search suffixes on this machine? Are they relevant AD
domain names or just external references? How many domains are in your
infrastructure? I thought there was just one??

*** If not relevant to AD, and you only have one domain, the manually
entered ones should be removed. The only ones that should be here are the
default ones that show up:
aust.us.net
us.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : austrlaia.us.net

*** The above should match the Primary DNS Suffix.

Description . . . . . . . . . . . : Compaq NC3163 Fast
Ethernet NIC
Physical Address. . . . . . . . . : 00-02-A5-1B-9D-F3
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.177.1.8
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.177.1.1
DNS Servers . . . . . . . . . . . : 10.177.1.8
10.81.217.175

*** Do these two DNS servers listed above have the same exact copy of the
aust.us.net zone data? If not, any servers listed in any machines' IP
properties (DC or clients) need to all have the same exact data.


Primary WINS Server . . . . . . . : 10.100.8.6

C:\Documents and Settings\user>


user ipconfig
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : my-lap
Primary Dns Suffix . . . . . . . : aust.us.NET
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : aust.us.net
companyname.com

*** The 'companyname.com' zone does not need to be here.
Ethernet adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel(R) PRO/Wireless LAN
2100 3B Mi
ni PCI Adapter
Physical Address. . . . . . . . . : 00-0C-F1-30-E3-0E

*** Go into Network & Dialup Connections, Advanced Menu, Advanced settings,
and move the wireless card to the bottom of the binding order.
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : local.australia.us.com
Description . . . . . . . . . . . : Intel(R) PRO/100 VE
Network Connecti
on
Physical Address. . . . . . . . . : 00-08-0D-61-88-FD
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.177.1.93
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.177.1.1
DHCP Server . . . . . . . . . . . : 10.177.1.10
DNS Servers . . . . . . . . . . . : 10.177.1.8
10.177.1.13
10.100.8.72

*** I see that 10.177.1.8 is the DC above. What are these other two DNS
servers? They don't match the other one configured on the DC/DNS server
previously listed. Do they have copies of the aust.us.net zone as well??

Primary WINS Server . . . . . . . : 10.177.1.10
Lease Obtained. . . . . . . . . . : Monday, 11 October 2004
1:54:11 PM
Lease Expires . . . . . . . . . . : Monday, 11 October 2004
4:54:11 PM

C:\Documents and Settings\user>

Notice that the DNS suffix is different; is this an issue?


How many DNS servers do you have in your company? Why were the suffixes
configured? How many domains do you have? If just one domain, remove all
these excessive suffixes, configure a forwarder on each DNS server to your
ISP's DNS (provided they all hold the same exact copy of the aust.us.net
zone).

Whatever happened to that report?

What were the MS references you were speaking of? Was that the GPO reference?

Ace
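As an added illustration (Python, not code from the thread or from Microsoft's tools), the script below parses captured `ipconfig /all` output and applies the checks Ace walks through above: the primary DNS suffix must match the AD domain, each connected adapter's connection-specific suffix must match it, only the domain and its parents belong in the search list, and every DNS server a machine points at must hold the zone. It assumes the two servers configured on the DC are the ones holding the aust.us.net zone (the thread never confirms this); the embedded captures are copied from the posts with non-DNS fields trimmed.

```python
import re
from typing import Dict, List

# A field line looks like "Host Name . . . . . : value". Lines with no dotted
# separator (extra DNS servers, extra search suffixes, wrapped descriptions)
# are continuations of the previous field.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)[ .]*\s:\s?(.*)$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {"global": {...}, "<adapter>": {...}}; field names lower-cased."""
    sections: Dict[str, Dict[str, List[str]]] = {"global": {}}
    section, field = "global", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            field = None                 # a blank line ends any multi-line value
            continue
        m = FIELD_RE.match(line)
        if m:
            field = m.group(1).strip().lower()
            values = sections[section].setdefault(field, [])
            if m.group(2).strip():
                values.append(m.group(2).strip())
        elif line.endswith(":"):         # "Ethernet adapter Local Area Connection:"
            section, field = line[:-1].strip(), None
            sections[section] = {}
        elif field is not None:          # continuation of the previous field
            sections[section][field].append(line)
    return sections


def dns_findings(cfg: Dict[str, Dict[str, List[str]]], ad_domain: str,
                 zone_holders: set) -> List[str]:
    """Apply the thread's DNS rules; each returned string is one problem found."""
    findings = []
    g = cfg["global"]
    primary = (g.get("primary dns suffix") or [""])[0].lower()
    if primary != ad_domain.lower():
        findings.append(f"primary DNS suffix '{primary}' != AD domain '{ad_domain}'")
    # Only the AD domain and its parents belong in the search list (aust.us.net, us.net).
    labels = ad_domain.lower().split(".")
    allowed = {".".join(labels[i:]) for i in range(len(labels) - 1)}
    for suffix in g.get("dns suffix search list", []):
        if suffix.lower() not in allowed:
            findings.append(f"extra search suffix '{suffix}'")
    for name, fields in cfg.items():
        if name == "global" or fields.get("media state"):
            continue                     # skip the disconnected wireless adapter
        conn = (fields.get("connection-specific dns suffix") or [""])[0].lower()
        if conn and conn != primary:
            findings.append(f"{name}: connection-specific suffix '{conn}' != '{primary}'")
        for server in fields.get("dns servers", []):
            if server not in zone_holders:
                findings.append(f"{name}: DNS server {server} not known to hold {ad_domain}")
    return findings


AD_DOMAIN = "aust.us.net"
# ASSUMPTION: the two DNS servers configured on the DC are the ones holding the
# aust.us.net zone; the thread never confirms which servers actually do.
ZONE_HOLDERS = {"10.177.1.8", "10.81.217.175"}

# Captures copied from the thread, non-DNS fields trimmed.
DC_IPCONFIG = """
Host Name . . . . . . . . . . . . : DCname
Primary DNS Suffix . . . . . . . : aust.us.net
DNS Suffix Search List. . . . . . : aust.us.net
na.us.net
eu.us.net
us.com
companyname.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : austrlaia.us.net
DNS Servers . . . . . . . . . . . : 10.177.1.8
10.81.217.175
"""

CLIENT_IPCONFIG = """
Host Name . . . . . . . . . . . . : my-lap
Primary Dns Suffix . . . . . . . : aust.us.NET
DNS Suffix Search List. . . . . . : aust.us.net
companyname.com
Ethernet adapter Wireless Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : local.australia.us.com
DNS Servers . . . . . . . . . . . : 10.177.1.8
10.177.1.13
10.100.8.72
"""

if __name__ == "__main__":
    for label, capture in (("DC", DC_IPCONFIG), ("client", CLIENT_IPCONFIG)):
        for finding in dns_findings(parse_ipconfig(capture), AD_DOMAIN, ZONE_HOLDERS):
            print(f"{label}: {finding}")
```

Run against the two captures it reports the misspelt connection-specific suffix on the DC, the four stray search suffixes, and the two client DNS servers that the DC itself does not use, which are exactly the points Ace raises.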
 