2nd DC has to be on for users to logon..help

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • 2nd DC has to be on for users to logon..help

    I have 2 W2K Domain Controllers. One is an old Compaq that I would like to demote and decommission. All of the FSMO roles show for the newer server like I want, but when I shut down the old DC......some of the older computers in the LAN don't log on to the domain and everyone else creeps very slow. I think it might have something to do with Netlogon/Sysvol replication. I don't want to run DCPROMO on the old DC until I feel comfortable that things will be ok afterwards.
    Also, there is some spyware on the old DC. So I don't know if DCPROMO will work correctly.
    Any help is appreciated

  • #2
    Re: 2nd DC has to be on for users to logon..help

    The new one is also a GC?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: 2nd DC has to be on for users to logon..help

      Yes....here is a DCDIAG of both of the DCs. Exchng is the new one I want to keep and NTPDCTULSA is the old DC I want to get rid of.
      I know it's long, but maybe it can help someone diagnose my problem.
      Thanks -

      X:\>dcdiag /a /q /v

      DC Diagnosis

      Performing initial setup:
      * Verifing that the local machine exchng, is a DC.
      * Connecting to directory service on server exchng.
      * Collecting site info.
      * Identifying all servers.
      * Found 2 DC(s). Testing 2 of them.
      Done gathering initial info.

      Doing initial non skippeable tests

      Testing server: Default-First-Site-Name\EXCHNG
      Starting test: Connectivity
      * Active Directory LDAP Services Check
      * Active Directory RPC Services Check
      ......................... EXCHNG passed test Connectivity

      Testing server: Default-First-Site-Name\NTPDCTULSA
      Starting test: Connectivity
      * Active Directory LDAP Services Check
      * Active Directory RPC Services Check
      ......................... NTPDCTULSA passed test Connectivity

      Doing primary tests

      Testing server: Default-First-Site-Name\EXCHNG
      Starting test: Replications
      * Replications Check
      ......................... EXCHNG passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
      * Security Permissions Check for
      CN=Schema,CN=Configuration,DC=hscpa,DC=com
      * Security Permissions Check for
      CN=Configuration,DC=hscpa,DC=com
      * Security Permissions Check for
      DC=hscpa,DC=com
      ......................... EXCHNG passed test NCSecDesc
      Starting test: NetLogons
      * Network Logons Privileges Check
      ......................... EXCHNG passed test NetLogons
      Starting test: Advertising
      The DC EXCHNG is advertising itself as a DC and having a DS.
      The DC EXCHNG is advertising as an LDAP server
      The DC EXCHNG is advertising as having a writeable directory
      The DC EXCHNG is advertising as a Key Distribution Center
      The DC EXCHNG is advertising as a time server
      The DS EXCHNG is advertising as a GC.
      ......................... EXCHNG passed test Advertising
      Starting test: KnowsOfRoleHolders
      Role Schema Owner = CN=NTDS Settings,CN=EXCHNG,CN=Servers,CN=Default-Fi
      rst-Site-Name,CN=Sites,CN=Configuration,DC=hscpa,DC=com
      Role Domain Owner = CN=NTDS Settings,CN=EXCHNG,CN=Servers,CN=Default-Fi
      rst-Site-Name,CN=Sites,CN=Configuration,DC=hscpa,DC=com
      Role PDC Owner = CN=NTDS Settings,CN=EXCHNG,CN=Servers,CN=Default-First
      -Site-Name,CN=Sites,CN=Configuration,DC=hscpa,DC=com
      Role Rid Owner = CN=NTDS Settings,CN=EXCHNG,CN=Servers,CN=Default-First
      -Site-Name,CN=Sites,CN=Configuration,DC=hscpa,DC=com
      Role Infrastructure Update Owner = CN=NTDS Settings,CN=EXCHNG,CN=Server
      s,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hscpa,DC=com
      ......................... EXCHNG passed test KnowsOfRoleHolders
      Starting test: RidManager
      * Available RID Pool for the Domain is 4324 to 1073741823
      * exchng.hscpa.com is the RID Master
      * DsBind with RID Master was successful
      * rIDAllocationPool is 3824 to 4323
      * rIDNextRID: 3080
      * rIDPreviousAllocationPool is 2824 to 3323
      ......................... EXCHNG passed test RidManager
      Starting test: MachineAccount
      * SPN found :LDAP/exchng.hscpa.com/hscpa.com
      * SPN found :LDAP/exchng.hscpa.com
      * SPN found :LDAP/EXCHNG
      * SPN found :LDAP/exchng.hscpa.com/TULSA
      * SPN found :LDAP/7b5d0317-e49c-40bc-8535-ba5c4cd409fb._msdcs.hscpa.com

      * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/7b5d0317-e49c-40bc-85
      35-ba5c4cd409fb/hscpa.com
      * SPN found :HOST/exchng.hscpa.com/hscpa.com
      * SPN found :HOST/exchng.hscpa.com
      * SPN found :HOST/EXCHNG
      * SPN found :HOST/exchng.hscpa.com/TULSA
      * SPN found :GC/exchng.hscpa.com/hscpa.com
      ......................... EXCHNG passed test MachineAccount
      Starting test: Services
      * test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
      EXCHNG is in domain DC=hscpa,DC=com
      Checking for CN=EXCHNG,OU=Domain Controllers,DC=hscpa,DC=com in domain
      DC=hscpa,DC=com on 2 servers
      Object is up-to-date on all servers.
      Checking for CN=NTDS Settings,CN=EXCHNG,CN=Servers,CN=Default-First-Sit
      e-Name,CN=Sites,CN=Configuration,DC=hscpa,DC=com in domain CN=Configuration,DC=h
      scpa,DC=com on 2 servers
      Object is up-to-date on all servers.
      ......................... EXCHNG passed test ObjectsReplicated
      Starting test: frssysvol
      * The File Replication Service Event log test
      The SYSVOL has been shared, and the AD is no longer
      prevented from starting by the File Replication Service.
      ......................... EXCHNG passed test frssysvol
      Starting test: kccevent
      * The KCC Event log test
      Found no KCC errors in Directory Service Event log in the last 15 minut
      es.
      ......................... EXCHNG passed test kccevent
      Starting test: systemlog
      * The System Event log test
      Found no errors in System Event log in the last 60 minutes.
      ......................... EXCHNG passed test systemlog

      Testing server: Default-First-Site-Name\NTPDCTULSA
      Starting test: Replications
      * Replications Check
      ......................... NTPDCTULSA passed test Replications

      Starting test: NetLogons
      * Network Logons Privileges Check
      ......................... NTPDCTULSA passed test NetLogons
      Starting test: Advertising
      The DC NTPDCTULSA is advertising itself as a DC and having a DS.
      The DC NTPDCTULSA is advertising as an LDAP server
      The DC NTPDCTULSA is advertising as having a writeable directory
      The DC NTPDCTULSA is advertising as a Key Distribution Center
      The DC NTPDCTULSA is advertising as a time server
      ......................... NTPDCTULSA passed test Advertising
      Starting test: KnowsOfRoleHolders
      Role Schema Owner = CN=NTDS Settings,CN=EXCHNG,CN=Servers,CN=Default-Fi
      rst-Site-Name,CN=Sites,CN=Configuration,DC=hscpa,DC=com
      Role Domain Owner = CN=NTDS Settings,CN=EXCHNG,CN=Servers,CN=Default-Fi
      rst-Site-Name,CN=Sites,CN=Configuration,DC=hscpa,DC=com
      Role PDC Owner = CN=NTDS Settings,CN=EXCHNG,CN=Servers,CN=Default-First
      -Site-Name,CN=Sites,CN=Configuration,DC=hscpa,DC=com
      Role Rid Owner = CN=NTDS Settings,CN=EXCHNG,CN=Servers,CN=Default-First
      -Site-Name,CN=Sites,CN=Configuration,DC=hscpa,DC=com
      Role Infrastructure Update Owner = CN=NTDS Settings,CN=EXCHNG,CN=Server
      s,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hscpa,DC=com
      ......................... NTPDCTULSA passed test KnowsOfRoleHolders
      ......................... NTPDCTULSA passed test RidManager
      Starting test: MachineAccount
      * SPN found :LDAP/ntpdctulsa.hscpa.com/hscpa.com
      * SPN found :LDAP/ntpdctulsa.hscpa.com
      * SPN found :LDAP/NTPDCTULSA
      * SPN found :LDAP/ntpdctulsa.hscpa.com/TULSA
      * SPN found :LDAP/f970ddf7-729a-489f-afd4-07bfd246835e._msdcs.hscpa.com

      * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/f970ddf7-729a-489f-af
      d4-07bfd246835e/hscpa.com
      * SPN found :HOST/ntpdctulsa.hscpa.com/hscpa.com
      * SPN found :HOST/ntpdctulsa.hscpa.com
      * SPN found :HOST/NTPDCTULSA
      * SPN found :HOST/ntpdctulsa.hscpa.com/TULSA
      * SPN found :GC/ntpdctulsa.hscpa.com/hscpa.com
      ......................... NTPDCTULSA passed test MachineAccount
      SMTPSVC Service is stopped on [NTPDCTULSA]
      ......................... NTPDCTULSA failed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
      NTPDCTULSA is in domain DC=hscpa,DC=com
      Checking for CN=NTPDCTULSA,OU=Domain Controllers,DC=hscpa,DC=com in dom
      ain DC=hscpa,DC=com on 2 servers
      Object is up-to-date on all servers.
      Checking for CN=NTDS Settings,CN=NTPDCTULSA,CN=Servers,CN=Default-First
      -Site-Name,CN=Sites,CN=Configuration,DC=hscpa,DC=com in domain CN=Configuration,
      DC=hscpa,DC=com on 2 servers
      Object is up-to-date on all servers.
      ......................... NTPDCTULSA passed test ObjectsReplicated
      Starting test: frssysvol
      * The File Replication Service Event log test
      The SYSVOL has been shared, and the AD is no longer
      prevented from starting by the File Replication Service.
      ......................... NTPDCTULSA passed test frssysvol
      Starting test: FsmoCheck
      GC Name: \\exchng.hscpa.com
      Locator Flags: 0xe00001fd
      PDC Name: \\exchng.hscpa.com
      Locator Flags: 0xe00001fd
      Time Server Name: \\exchng.hscpa.com
      Locator Flags: 0xe00001fd
      Preferred Time Server Name: \\exchng.hscpa.com
      Locator Flags: 0xe00001fd
      KDC Name: \\exchng.hscpa.com
      Locator Flags: 0xe00001fd
      ......................... hscpa.com passed test FsmoCheck

      X:\>
      Last edited by grcarter; 23rd August 2007, 17:48.



      • #4
        Re: 2nd DC has to be on for users to logon..help

        It looks like all your tests passed except the SMTP test on your old DC. Are you using SMTP as your replication transport? If so, that is the problem as the SMTP service on the old DC is not running. Try starting the service, force replication, then shut down the old DC and see what happens. Also, how long are you waiting after the old DC is shut down before testing a client machine? A client machine will cache domain information and you may need to wait a little bit. As a test you can shut down the DC and then ping your AD domain name and see which DC responds. Also try changing the replication transport to RPC and see if that fixes the problem. RPC is the default replication transport and SMTP is meant to be used over slow links. If the DCs are on the same subnet then you should use RPC.
        Last edited by joeqwerty; 24th August 2007, 03:18.

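The reading of the dcdiag run given in #4 (every test passed except Services on the old DC) can be checked mechanically. The following is an added example, not part of any post in this thread: a Python sketch that tabulates failed tests and advertised roles per DC from a shortened excerpt of the output in #3. The function names and the list of required roles are assumptions of the example.

```python
import re
from collections import defaultdict

# Shortened excerpt of the dcdiag run posted in #3 (not the full output).
SAMPLE = r"""
Testing server: Default-First-Site-Name\EXCHNG
Starting test: Advertising
The DC EXCHNG is advertising as an LDAP server
The DC EXCHNG is advertising as a Key Distribution Center
The DS EXCHNG is advertising as a GC.
......................... EXCHNG passed test Advertising
Testing server: Default-First-Site-Name\NTPDCTULSA
Starting test: Advertising
The DC NTPDCTULSA is advertising as an LDAP server
The DC NTPDCTULSA is advertising as a Key Distribution Center
......................... NTPDCTULSA passed test Advertising
SMTPSVC Service is stopped on [NTPDCTULSA]
......................... NTPDCTULSA failed test Services
"""

VERDICT = re.compile(r"^\.{5,}\s+(\S+) (passed|failed) test (\S+)$")
ADVERT = re.compile(r"^The D[CS] (\S+) is advertising as (?:an? )?(.+?)\.?$")

def summarize(text):
    """Map each server to its advertised roles and its failed tests."""
    dcs = defaultdict(lambda: {"roles": [], "failed": {}})
    detail = None  # last plain message line seen before a verdict line
    for line in (l.strip() for l in text.splitlines()):
        if m := VERDICT.match(line):
            server, verdict, test = m.groups()
            if verdict == "failed":
                dcs[server.upper()]["failed"][test] = detail
            detail = None
        elif m := ADVERT.match(line):
            dcs[m.group(1).upper()]["roles"].append(m.group(2))
        elif line and not line.startswith(("Testing server:", "Starting test:", "*")):
            detail = line
    return dict(dcs)

def covers_logon_roles(summary, keep, required=("LDAP server", "Key Distribution Center", "GC")):
    """True if the DC being kept advertises every required role and failed no test.
    The `required` tuple is an assumption of this example, not a dcdiag rule."""
    dc = summary.get(keep.upper())
    return bool(dc) and not dc["failed"] and all(r in dc["roles"] for r in required)

if __name__ == "__main__":
    for name, info in summarize(SAMPLE).items():
        print(name, info, "covers logon roles:", covers_logon_roles({name: info}, name))
```

Run against the saved text of a full `dcdiag /v` run, it produces the same table for every DC in the output.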


        • #5
          Re: 2nd DC has to be on for users to logon..help

          I have it set for RPC replication on both of them. I guess I can take a Ghost image of the old DC and try to demote it and see what happens. I just don't want to get into a hole where I would have to rebuild my whole Active Directory from scratch if it doesn't work. Is there anything else to try to see what is making this old DC hang on? What would happen if I deleted it from replication?



          • #6
            Re: 2nd DC has to be on for users to logon..help

            Sorry, small question: how is DNS set up on your network?
            I think Joe's idea of pinging the domain name once you shut down the old DC will tell a lot.
            I don't know anything about (you or your) computers.
            Research/test for yourself when listening to free advice.



            • #7
              Re: 2nd DC has to be on for users to logon..help

              I have DNS running on both DCs. I just noticed that the old DC's DNS was pointing to the new DC instead of itself. I will try pinging the domain when the old DC is down.
              I will keep you posted..thanks
