
pdc/bdc netlogin not rolling over


Name: voldemort
Date: December 12, 2005 at 09:17:30 Pacific
OS: 2003
CPU/Ram: na
Comment:

We have two 2003 domain controllers. I know that technically they supposedly got rid of PDC and BDC roles, but I set up a backup PDC and assigned ownership to the primary.

The problem is it's like a half-and-half game: if both servers aren't up, the clients don't seem to fully authenticate.

In the old 2000 days with PDC and BDC, if one was unavailable the secondary would authenticate.

I've tried deleting and recreating the GPO, changing ownership, etc. by demoting one and promoting the other.

Any help would be greatly appreciated.




Response Number 1
Name: wanderer
Date: December 12, 2005 at 10:34:12 Pacific
Reply:

"but I set up a backup PDC and assigned ownership to the primary."

What do you mean by this? It doesn't make sense when dealing with 2003 Server.

"In the old 2000 days with PDC and BDC..." You mean in the days of NT, right? 2000 has always had Active Directory, just like 2003.

"GPO, changing ownership, etc. by demoting one and promoting the other"

It doesn't work that way. You can only promote/demote with dcpromo and NEVER via Active Directory.

The issue appears to be your application of NT Server concepts to Active Directory. AD is peer to peer. Replication between servers is automatic. Since this is not working for you, I suspect you really messed something up.

I would suggest you familiarize yourself with Active Directory concepts and procedures. You may want to dcpromo down one server so you can get the one remaining server properly configured. Then bring the second server back in with dcpromo.

Also consider that for failover both servers should have DNS Server, either as primary/secondary or AD-integrated. At least two servers should be Global Catalog holders. This way if the GC server dies you are not rebuilding your network from scratch.

Golly gee wilerkers everyone. Learn to Internet Search


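The two conditions wanderer names above (DNS on both DCs, both DCs advertising as Global Catalogs) are what the DC locator on a client actually depends on, and both can be checked from any domain member. The following script is an added example, not part of wanderer's reply or anything posted in this thread. It assumes a hypothetical domain corp.example.com with DCs named server1 and server2, a machine with the DnsClient cmdlets (Windows 8 / Server 2012 or later) and dcdiag.exe on the path, and PowerShell, which did not exist in 2005 but is how the check would be written today.

```powershell
# Added example, not code from the thread. Verifies that every DC has
# registered the locator SRV records clients use to find a DC and a GC,
# then asks each DC whether it is actually advertising those services.
# Assumptions (hypothetical): domain corp.example.com, DCs server1 and
# server2; run as a domain user with Resolve-DnsName available and
# dcdiag.exe on the path.
$Domain      = 'corp.example.com'
$ExpectedDCs = @('server1', 'server2')

# SRV names the DC locator queries. _ldap._tcp.dc._msdcs is what a client
# resolves to find any DC; _gc._tcp is only registered by Global Catalogs.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_gc._tcp.$Domain"
)

$problems = @()
foreach ($srv in $srvNames) {
    try {
        $targets = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { ($_.NameTarget -split '\.')[0].ToLower() }
    } catch {
        $problems += "$srv did not resolve: $($_.Exception.Message)"
        continue
    }
    Write-Host ("{0,-45} -> {1}" -f $srv, ($targets -join ', '))
    foreach ($dc in $ExpectedDCs) {
        if ($targets -notcontains $dc.ToLower()) {
            $problems += "$dc has no record under $srv; clients cannot find it for that service"
        }
    }
}

# dcdiag's Advertising test reports whether the DC advertises as DC, KDC
# and GC. A DC whose SRV records look fine but fails here is still one
# the locator will never hand out.
foreach ($dc in $ExpectedDCs) {
    $out = & dcdiag.exe "/s:$dc" /test:advertising 2>&1 | Out-String
    if ($out -notmatch 'passed test Advertising') {
        $problems += "$dc failed the dcdiag Advertising test:`n$out"
    }
}

if ($problems.Count -eq 0) {
    Write-Host 'Both DCs are registered in DNS and advertising; locator failover should work.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

If a DC is missing from `_gc._tcp` but present under `_ldap._tcp.dc._msdcs`, it is a DC but not a Global Catalog; clients that need a GC for logon will skip it, which produces exactly the one-sided behaviour described in the opening post. A DC missing from all three names usually means Netlogon on that DC could not update the zone (wrong DNS server on the DC's own NIC, or no write access to the zone); `ipconfig /registerdns` plus a restart of the Netlogon service on that DC re-registers them.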

Response Number 2
Name: heropsycho2177
Date: December 12, 2005 at 12:21:45 Pacific
Reply:

Wanderer is mostly right, but you do need to understand the role of the PDC emulator FSMO role holder.

"In a Windows 2000 domain, the PDC emulator server role performs the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Time synchronization for the domain.
Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller, that is the PDC emulator, acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above."

http://www.svrops.com/svrops/documents/fsmo.htm

This is the most important FSMO role holder to ensure is highly available all the time.

For the most part, 2000/2003 DCs are multi-master, but you need to be aware of the FSMO role holders.

Please help survivors of Hurricane Katrina.

www.redcross.org


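The PDC emulator functions quoted above (bad-password forwarding, lockout processing, domain time) only help if you know which DC holds the role and that it is reachable. The script below is an added example, not part of heropsycho2177's reply or the linked svrops document. It assumes a hypothetical domain corp.example.com, a domain member with netdom.exe and w32tm.exe on the path (Support Tools on 2003, built in on later versions), and PowerShell.

```powershell
# Added example, not code from the thread. Finds the FSMO role holders
# with netdom (works against Windows 2003 DCs) and checks that the PDC
# emulator, the role described in the post above, answers on Kerberos
# and LDAP and is not simply free-running on its local CMOS clock.
# Assumptions (hypothetical): domain corp.example.com; netdom.exe and
# w32tm.exe on the path; run as a domain user on a domain member.
$Domain = 'corp.example.com'

# netdom prints one role per line, e.g. "PDC    server1.corp.example.com";
# keep the role name and the FQDN and skip the status line at the end.
$roles = @{}
& netdom.exe query /domain:$Domain fsmo 2>&1 | ForEach-Object {
    if ($_ -match '^\s*(\S.*?)\s{2,}(\S+)\s*$') { $roles[$Matches[1]] = $Matches[2] }
}
if ($roles.Count -eq 0) { throw "netdom returned no FSMO roles for $Domain" }
$roles.GetEnumerator() | Sort-Object Name |
    ForEach-Object { Write-Host ("{0,-24} {1}" -f $_.Name, $_.Value) }

$pdc = $roles['PDC']
if (-not $pdc) { throw 'PDC emulator not found in netdom output' }

# TCP connect with a timeout using the .NET socket directly, so this also
# runs on hosts without Test-NetConnection. ($Host is reserved in
# PowerShell, hence the parameter name $Target.)
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Bad-password retries and account lockout are forwarded to the PDC
# emulator, so it must answer Kerberos (88) and LDAP (389).
foreach ($port in 88, 389) {
    if (Test-TcpPort -Target $pdc -Port $port) {
        Write-Host "$pdc answers on TCP/$port"
    } else {
        Write-Warning "$pdc does not answer on TCP/$port; authentication will degrade even if the other DC is up"
    }
}

# The PDC emulator is the top of the domain time hierarchy: every other
# DC and client ends up syncing from it, so it should itself sync from a
# real source rather than "Local CMOS Clock".
$source = (& w32tm.exe /query "/computer:$pdc" /source 2>&1 | Out-String).Trim()
Write-Host "Time source of $pdc : $source"
if ($source -match 'Local CMOS Clock') {
    Write-Warning "$pdc is free-running; point it at an external NTP source"
}
```

On Windows 2008 R2 or later with the RSAT ActiveDirectory module, `Get-ADDomain` (PDCEmulator, RIDMaster, InfrastructureMaster) and `Get-ADForest` (SchemaMaster, DomainNamingMaster) return the same information without parsing netdom output; the port and time checks apply unchanged.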

Response Number 3
Name: voldemort
Date: December 12, 2005 at 13:29:29 Pacific
Reply:

I used dcpromo to assign ownership, and I realize that PDC roles have changed with 2003. The key to all this is the fact that there is no rollover occurring on a failure for authentication; the two should be working together but aren't. They replicate parameters like any Active Directory changes: new passwords, new users, edits to GPO, etc.

But my clients (90% of them) are insisting on using the second domain controller solely for authentication; if it's unavailable there is no rollover.

When I check the ownership of the various domain controller aspects, they all indicate that the primary is the owner.

I realize PDC and BDC don't apply anymore, but I've recreated the scenario on another set of boxes and they function properly; that's why I'm lost. The replication of only policy is occurring, not services like Netlogon or Computer Browser, etc.



Response Number 4
Name: wanderer
Date: December 12, 2005 at 14:06:02 Pacific
Reply:

"dcpromo to assign ownership"
Back again to a clarification of concept. There is no dcpromo assignment of ownership. There is file ownership, but I don't think that is what you are talking about.

Properly set up, the two domain controllers will replicate between themselves. I think the mistake was trying to solve this issue via the AD interface.

You write:
"the key to all this is the fact that there is no rollover occurring on a failure for authentication"

Sounds like you failed to do this [I wrote]: "two servers should be Global Catalog holders."

You write "aren't replicating parameters like any active directory changes", which has all the signs of server(s) not being in the same domain.

Again I suggest you dcpromo down one server and get a single DC functioning correctly. Make sure DNS is correct and your Event Viewer logs contain only the usual stuff. Then dcpromo the member server back in as a DC and follow the other recommendations for configuration.



Response Number 5
Name: voldemort
Date: December 13, 2005 at 06:50:01 Pacific
Reply:

I wrote that they ARE replicating parameters, just not services.
If I edit policy or permissions in one, it replicates on the other; it's the services they aren't replicating. I'm wondering if maybe aliasing them under a common IP in the DNS will fix it.
They are both Global Catalog holders, they are both in the same domain; it is strictly services not rolling over.






Response Number 6
Name: voldemort
Date: December 13, 2005 at 07:18:39 Pacific
Reply:

Rundown (names will be changed to server 1 and 2):

Active Directory Users and Computers
  Domain Controllers
    server 1
    server 2

Domain
  Operations Masters
    RID: server 1
    PDC: server 1
    Infrastructure: server 1

Yet as stated previously, 90% of clients authenticate through server 2.
If server 2 is unavailable they will not roll over to server 1, yet those that do authenticate with server 1 are happy to use server 2 as well????

The Netlogon, Distributed File System, Computer Browser and all other relevant services are in a full running state on both and obviously work on both, except for the rollover.

I know some of the terms I use are archaic, but it's the same principle as 99% of people calling EIDE = IDE when in fact the two are significantly different.

If you look on a lot of new hard drive boxes, even though it's obviously EIDE that they are using, they quite often use the term IDE instead.

Just consider this a similar situation.

I've set up multiple domains for companies and people but never stumbled on this situation.

I'm not saying I'm an expert, far from it; self-taught, so I'm probably lacking in a lot of key areas, but up until this I've been able to compensate for my ignorance and get things working. I'm obviously missing something in this scenario.
I thought it might be the Group Policy, so I recreated a blank version.
I've messed with master roles, etc.

Regardless of what I do, a good chunk of the XP clients insist on using the 2nd server for everything they can manage: browsing, authentication, etc.

This is one of the primary reasons I prefer Linux networks; at least I can figure those out and get them to work.

Yikes, you just about have to clobber Windows to get DNS to work properly.

I've never had 1/4 the problems on a Linux or Mac network that I seem to always bump into on Windows networks.

Though praise be for 2003.
2000 was a piece of junk; 2003 showed a vast improvement in stability, performance and usability.

When they dumped NT4 I just about cried; it worked, and worked a lot better than 2000.

The only real benefit I saw in the 2000 move was the wizards did speed up setup time,
but 2003 put a nice bit of polish there as well.



Response Number 7
Name: heropsycho2177
Date: December 13, 2005 at 12:22:14 Pacific
Reply:

Look, bashing Windows due to your lack of understanding of it will get you nowhere.

Compare Windows domains to Linux domains. Windows is far more advanced, with more features than Linux domains in terms of performance scaling, server/desktop management via policy, etc. Going along with that, however, is additional complexity in the configuration behind the scenes, such as DNS.

I'm not slamming Linux by any means. But before you bash Windows domains, you need to fully understand them. A product isn't bad just because you can't make it work right.

"This is one of the primary reasons I prefer Linux networks; at least I can figure those out and get them to work"

I could say the same about Windows over Linux because I know Windows better. They're both good; the difference is the expertise in each. If you don't know Windows, go hire a consultant who does.

Look, would you expect someone who doesn't really know Linux to set up a Linux network and make it work with no issues? No!

So why are you expecting to be able to do the same with Windows when it is clear you don't know it? I don't mean this to belittle your skills. If I had a client who wanted a Linux network, even though I know some Linux, I'd call someone in more knowledgeable than I.

Windows 2000 kicks butt, and so does Windows 2003. But you must learn it. Everyone assumes since it's Windows, it's easy. NO!

"Yikes, you just about have to clobber Windows to get DNS to work properly"

No, you don't.

As long as a DC has write permissions to the zone that will host the domain, the DC will create the resource records for you. Don't have a DNS server yet? Don't worry! During dcpromo, if no DNS is detected, DNS will be installed and the resource records will be created for you.


Response Number 8
Name: voldemort
Date: December 14, 2005 at 06:54:49 Pacific
Reply:

If you noticed, I said 2003 was a huge leap in the right direction, and many more people than I have noted the fact that 2000 was far less stable or friendly than 2003.
Also, 2000 was far more of a memory hog; Microsoft's memory management improved tremendously.

One year ago I wouldn't have held Linux anywhere near as polished a product (Mac still would have been superior), but things have changed. With the proper selection of distro (proper selection is key) you can set up Linux far easier than Windows, with far more security features; pick the wrong distro and you're in a world of CLI hurt.

And as far as bashing my abilities, it sure came off that way, whether that was the intent or not.

I'm facing a unique situation here; since I have set up numerous Windows networks, this is an irregularity. As I expressed, my terminology is incorrect, but the basic knowledge is there.

As far as DNS goes, it says a lot about their own confidence in their networking when they include a built-in repair option for the network.

My Linux box doesn't need to do a
arp -d
ipconfig /flushdns
ipconfig /registerdns
nbtstat -R
nbtstat -RR
sc stop dnscache
sc start dnscache
etc. The networking just works, period.

This is why most primary DNS controllers for the Internet run BIND 9, not Windows DNS.

Windows is a great product with its uses; I'm not bashing it.
What I am accurately describing is some limitations it faces.
All OSs face such limitations:
Linux, Mach, BSD, QNX, Symbian, etc....

Heck, even OS/400 faces a lot of deficiencies, though it's the best of the lot in my opinion, even better than Solaris on a SPARC system, and I'm a Solaris nut.

Simple fact is, with DNS Windows gets the job done, but not as well as Linux; it's not to say that Windows doesn't have its strengths over Linux.

You said yourself you lack an understanding of Linux, so how can you say if it's better or not??

Fact is, each has their niche.

I would have touted OS X above the rest until 10.4; it's not that they didn't do fantastic optimizations to the system, but they broke too much in networking, and admit it.

As I also said, I loved NT 4 and 2003, just not 2000, and as far as setting up DNS, it's set up; so is WINS and RAS, etc.,
DFS roots, etc. I know how to configure an Active Directory system; it's just that this simple quirk has occurred and I lack the answer.
But instead of really taking what I've said into context, you seem bent on bashing me.

Operating systems do sometimes develop quirks or bugs on their own; not to say I didn't mess up somewhere, I well could have, but I admittedly said I lack the knowledge to fix this.

I don't claim to be an expert, but I do have a background in
DOS - 2003
Linux 2.2 kernel - 2.6 generations (in fact we have a legacy Red Hat Cobalt system running here, since the Cobalt programs reside on it)
Solaris 7 - current
OS/400
BSD (Net, Free, DragonFly, etc.)
QNX
Be
Mac 7.5 - 9.2 & OS X, all generations
React
Symbian
Syllable
OpenVMS
etc. So I do have a basic understanding of how things work.

I'm not the greatest coder, first to admit it, but as far as sysadmin goes I'm not a complete slouch.

If you would read my entire posts instead of hyper-focusing on certain aspects, you would see that I like Windows for its uses but prefer other systems for their uses.

Comparing Linux and Windows is kind of like comparing a duck to a mushroom anyhow, since their basic philosophies differ so greatly.

In a nutshell:
Linux is more versatile, but that is a strength and a weakness:
lack of consistency in project maturity, too many options, etc.
Windows, on the other hand, offers a consistent environment that shows a steady level of maturity but lacks the flexibility.

And before you get ticked off about the flexibility, let's be honest: Linux runs on everything from cell phones to mainframes, etc. The only system that is more flexible or pervasive is TRON.



Response Number 9
Name: voldemort
Date: December 14, 2005 at 07:05:05 Pacific
Reply:

Oh, P.S. For anyone interested, I found a band-aid solution till I find a permanent solution, and it works.

I simply created a DNS alias that aliased both Active Directory systems, then wrote a batch script that forced them all to use this new alias as their policy managers, etc., and placed it in the clients' Task Scheduler. It worked fine; I traced the results from the clients and it seems they are rolling over somewhat now.
So despite everyone's apparent lack of faith in my abilities, Captain Retardo (me) figured out a solution, though I would appreciate any input from someone that has faced a similar issue and resolved it.
The fact is the system shows no indication why it's failing in the logs.



Response Number 10
Name: heropsycho2177
Date: December 14, 2005 at 08:00:49 Pacific
Reply:

"2000 was far less stable"

I've used both extensively, and I'm certified in both. That is absolutely not true. 2000 is very stable, 2003 is even more stable, but to say 2000 isn't nearly as stable as 2003 is completely inaccurate.

"and as far as bashing my abilities, it sure came off that way, whether that was the intent or not"

I don't fault you for not knowing Windows and Active Directory. I fault you for thinking you can make it work when you clearly, by your own admission, don't have much experience with it. I fault you for not calling in someone who does.

We all can't know everything. That's why there are experts in certain areas. Get an expert! I can already tell you've butchered DNS.

"you said yourself you lack an understanding of Linux, so how can you say if it's better or not??"

Did I? I said Windows domains can control desktop management better than Linux, but that's one part of the product.

"I know how to configure an Active Directory system; it's just that this simple quirk has occurred and I lack the answer"

Dude, you don't know AD. Anyone reading this thread knows that from how you're describing things, and what you've done so far.

"fact is, each has their niche"

Exactly.

"things have changed. With the proper selection of distro (proper selection is key) you can set up Linux far easier than Windows"

No, YOU can far easier. Windows is easy to set up provided you know what you're doing.

"and before you get ticked off about the flexibility"

This is not a post about Linux vs. Windows.

"I simply created a DNS alias that aliased both Active Directory systems, then wrote a batch script that forced them all to use this new alias as their policy managers, etc., and placed it in the clients' Task Scheduler. It worked fine; I traced the results from the clients and it seems they are rolling over somewhat now."

OR...

You could have set up Active Directory correctly. Good luck getting support from Microsoft with that configuration.


Response Number 11
Name: voldemort
Date: December 14, 2005 at 11:19:37 Pacific
Reply:

Good luck with support for that configuration, hmmm.
Last I knew, aliasing multiple IPs to a DNS record was a standard practice; large service clusters like Hotmail do this quite commonly, so I don't foresee any support costs there. But listen to your answers:

Microsoft support
paid training
consultants, etc.
Sounds like you're one of those IT people that is notorious for bloated budgets. I would rather use my duct tape method that works and costs the company $0.

The fact is I was being proactive, and I have suffered no ill effects from the changes.

Just because people don't do it exactly how you want doesn't necessarily make it wrong.

If you don't like the way people do things, or can't get by without tooting your own horn or flaming people, don't waste their time then.

If you want to provide an alternative, that's one thing, but people are here for the answers to their questions, not your opinion or godhood. Simply answer the question if you can and then offer alternatives.

Also, have you truly examined the GPO or registry settings? How in the world do you know if it's my error or the system's or something else entirely, like a default setting on the clients? You have no clue as to the scenario here but are sure willing to knock things. I may not be perfect, but so far I've been able to manage without incident.
Unfortunately some of our foreign associates tend to run dirty networks, but I've been able to cut off all major outbreaks even before definitions are available, by simple and proper admin.

Klez, SirCam, etc. all hit us before Norton or F-Secure or any of them recognized them, yet within minutes of it appearing on our network I killed it.
So I may not be that great, but I get the job done.

And that, more than any fancy degree or consultant, counts in my book: RESULTS. I may not have the proper and accepted solution here, but I have RESULTS. So the end sum is you probably get the job done correctly at an exorbitant cost; I may not do it correctly, but I get it done, and cheap.



Response Number 12
Name: voldemort
Date: December 14, 2005 at 14:23:17 Pacific
Reply:

Quote from you: **I've used both extensively, and I'm certified in both. That is absolutely not true. 2000 is very stable, 2003 is even more stable, but to say 2000 isn't nearly as stable as 2003 is completely inaccurate.**

Which is it?
Let's analyze what you said:
"2000 is very stable, 2003 is even more stable,"

"but to say 2000 isn't nearly as stable as 2003 is completely inaccurate."

Here you say it is more stable, then you say they're equal. Quit blowing so much hot air. I looked into a lot of your recent posts; you need a job as a minister, not helping people on a forum. You like preaching and patting your own back too much.




Response Number 13
Name: heropsycho2177
Date: December 14, 2005 at 18:31:44 Pacific
Reply:

"Last I knew, aliasing multiple IPs to a DNS record was a standard practice; large service clusters like Hotmail do this quite commonly, so I don't foresee any support costs there. But listen to your answers"

If clients always connect to the same DC and not to the other, to correct this there should absolutely be no altering of DNS unless the problem lies in bad DNS records for the failing DC.

If you think otherwise, go look at some AD documentation. If you really care about your clients' best interests, and you care about your own reputation, you would do what is supported by the vendor.

Two reasons:

1. You get hit by a car tomorrow, or you move, etc. The next person coming in will need to work with that environment. If you hack AD, or alter it or the DNS configuration in a way that is not a supported config by Microsoft, the next person in will attempt to fix it, which could break the AD patchwork environment. That's not this person's fault, because you jerry-rigged the config.

2. How do you know you're not limiting functionality of things you're not using now but may use later? The bottom line is I can tell from what you described that AD is not set up correctly. While it may not have a negative impact now, what happens if you begin using additional functionality later, such as adding Exchange, creating child domains, adding additional DCs, etc.?

3. A competitor comes in, looks at what you did, and says, "This person has NO IDEA what they're doing!" The owner of the company asks the competitor to prove it, and the competitor then produces documentation by Microsoft that shows your config was dead wrong. Who would the customer believe: you, or your competitor backed by Microsoft?

Most would believe your competitor, because no one knows AD better than Microsoft.

You can take this as a flame or whatever you want. It is intended to help you, should you decide to swallow your pride and listen.

"If you want to provide an alternative, that's one thing, but people are here for the answers to their questions, not your opinion or godhood. Simply answer the question if you can and then offer alternatives."

My alternative was to seek professional guidance. I can tell from what you've already written that you've butchered DNS, and it appears you've already altered default GPOs, which is against best practices yet again, etc. Your AD implementation was probably never set up correctly, and you made it worse. If I said you need to set it up again, you didn't know how to set it up correctly in the first place.

The best recommendation to you, therefore, is to get someone in to either fix what you've messed up, or restart from scratch.

I admire that you're trying to do this yourself, despite your attitude towards me, but the hardest thing to do for many people (myself included) is admit you need help.

"Sounds like you're one of those IT people that is notorious for bloated budgets."

I'm not cheap, and I don't ever claim to be. I get it done right, and I take care of my customers. What you call "bloated budgets" is what I call professional service. I am certified; I implement vendor-supported configurations that don't just work, but are highly available, scalable, and conform to best vendor practices as well as accepted independent security guidelines. If someone wants the cheapest guy around, they want someone who doesn't know AD well, because people who know AD get paid.

I am not an AD god, never claimed to be. Plenty of people out there can kick my butt, but I do know quite a bit about it.

"I would rather use my duct tape method that works and costs the company $0"

Nothing costs $0, including duct tape methods. Downtime costs money. Poor performance costs money. Should one of these duct tape solutions you come up with result in poor security, this could in turn result in the company being sued should sensitive data be compromised.

I don't go down that road. I'm an IT professional.


Response Number 14
Name: voldemort
Date: December 15, 2005 at 09:01:05 Pacific
Reply:

Like I said, get a job as a preacher.



Response Number 15
Name: heropsycho2177
Date: December 15, 2005 at 09:22:14 Pacific
Reply:

Naw, I get paid a lot better. :-)


Response Number 16
Name: voldemort
Date: December 15, 2005 at 09:28:17 Pacific
Reply:

Um, and about the admitting-you-need-help part: isn't that pretty much covered when someone asks for help here, like I did??? You're right about those that follow; that's why everything is documented electronically and physically. That's about the first step you cover in IT: proper planning and documentation. And again, if you read my posts instead of gleaning, you would see I've already labeled this a band-aid. I will continue to look into a proper solution, but in the meantime I'm not going to leave something working at poor capacity.

Even if I did decide consultation was needed, you don't leave the client down when you can keep them running in the interim.

And as far as systems go, you forget Unix's focus from the get-go wasn't usability; it was stability and security, and it was designed from the ground up to be a networking system.

Windows took the opposite approach, because the industry was tired of poor UI, so they made a user-friendly system and a developer-friendly system.

For what their design purpose was, they did an awesome job, but networking and security (admittedly, by them) were an afterthought.

So as far as networking and security go, they are still catching up, but in usability they rule, also in development resources; these are their strengths, not security. Half of management in Microsoft have admitted this year that the main reason for dropping a lot of implementations in Vista was legacy code.
If you think Windows is more secure, I challenge you to lock down Win 98 to any POSIX-based system, even back to 2.2 kernel days; your file system alone will kick you where it counts. Microsoft is doing a decent job of catch-up in security and stability, but it is a catch-up, just like Linux is doing a catch-up in the UI dept. and is catching up quick; KDE 3.5 has about as many features now as Vista is promising, but you can go from a mature interface like that to the stone ages in a blink on Linux.
Example: vi may be all-powerful, but compare it to the ease of use of Microsoft's editor. What's the good of such a powerful tool (vi) if a user can't figure out how to use it? I'll be the first to admit Linux may have a ton of documentation, but most of it is so cryptic or technical it doesn't do newbies any good.

I'm not saying that Microsoft doesn't rock; Office is a quality product. It's just that, as far as their OS goes, they have fallen behind because of the curse of legacy code.

I respect the fact that you know your stuff, but no one knows everything, and a consultant isn't always feasible, especially on a time scale, so I do believe in band-aids until you find a proper solution.

Yeah, you should do it properly from the get-go when possible, but getting it to work is the primary objective.

Kudos to you if you can do it right every time, but as far as DNS being butchered, we have awesome resolution.
I've looked through the zones and everything is fine.

I'm not saying I'm beyond flaw; first to admit I could have missed something small or even something big, it happens. But instead of a sermon I was looking to see if anyone else had suffered similarly, to point me in the right direction. I already had a fix in mind (the one I used), but I too would rather do it right from the get-go. You don't always have that luxury, and this fix will give us some fallback in case of an eventuality and give the cushion space to implement a proper fix.



Response Number 17
Name: wanderer
Date: December 15, 2005 at 09:50:25 Pacific
Reply:

Back to the issue....

"If server 2 is unavailable they will not roll over to server 1, yet those that do authenticate with server 1 are happy to use server 2 as well????"

Is DNS on both servers?
When you took server 2 down, did you transfer the FSMO roles to server 1?



Response Number 18
Name: voldemort
Date: December 15, 2005 at 11:12:52 Pacific
Reply:

No, I did not, and yes, DNS is running on both. I've examined both DNS roots and they look good. I rebooted it and noticed this happening when I was also rebooting some clients. I'm wanting the rollover in the event of a meltdown or worse; it's not unheard of for hardware failure or worse to happen, so I want to make sure the clients can use both in case one fails. That's the whole reason for the second: to balance load and for a fallback.


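The thread ends without a controlled test of the failover the original poster wants. The client side of that test (which DC the locator picks now, and whether it picks the other one once the first is down) can be scripted without touching DNS or aliasing the DCs. The following is an added example, not anything posted in this thread; it assumes a hypothetical domain corp.example.com with DCs server1 and server2, a domain-joined client running PowerShell (2.0 on XP works) with nltest.exe available (Support Tools on XP/2003, built in from Vista on), and local administrator rights for the secure-channel reset.

```powershell
# Added example, not code from the thread. Shows which DC the locator
# currently hands this client, resets the client's secure channel, waits
# for the admin to take that DC offline, and reports whether the locator
# fails over to the other DC. Assumptions (hypothetical): domain
# corp.example.com, DCs server1 and server2; nltest.exe on the path; run
# as a local administrator on a domain member.
$Domain = 'corp.example.com'

function Get-LocatorResult {
    # /force discards the locator cache, so the answer reflects what DNS
    # and LDAP pings say right now rather than the DC found at boot.
    $out = & nltest.exe "/dsgetdc:$Domain" /force 2>&1 | Out-String
    $dc    = if ($out -match 'DC:\s*\\\\(\S+)') { $Matches[1] } else { $null }
    $flags = if ($out -match 'Flags:\s*(.+)')   { $Matches[1].Trim() } else { '' }
    New-Object PSObject -Property @{ DC = $dc; Flags = $flags }
}

# LOGONSERVER is the DC that handled this interactive logon; the locator
# result can differ from it, which is what the poster is seeing.
Write-Host "LOGONSERVER at logon : $env:LOGONSERVER"
$before = Get-LocatorResult
if (-not $before.DC) { throw "Locator found no DC for $Domain; fix DNS/SRV records before testing failover." }
Write-Host "Locator now          : $($before.DC)  [$($before.Flags)]"
if ($before.Flags -notmatch '\bGC\b') {
    Write-Warning "$($before.DC) is not advertising as a Global Catalog"
}

# The computer account's secure channel (used for NTLM pass-through) is
# separate from the locator cache; reset it so it is re-established
# against whichever DC the locator picks after the change.
& nltest.exe "/sc_reset:$Domain" 2>&1 | Out-String | Write-Host

Write-Host "Take $($before.DC) offline (or stop its Netlogon service), then press Enter."
[void](Read-Host)

$after = Get-LocatorResult
if (-not $after.DC) {
    Write-Warning 'Locator found no DC at all: check the surviving DC''s SRV records and its Netlogon service.'
} elseif ($after.DC -eq $before.DC) {
    Write-Warning "Locator still returns $($before.DC); it has not failed over."
} else {
    Write-Host "Failover OK: now using $($after.DC)  [$($after.Flags)]"
}
```

If the second `nltest /dsgetdc` still returns the DC you took offline, the client is answering from its own locator cache rather than DNS, and restarting the client's Netlogon service (`net stop netlogon && net start netlogon`) clears that; if it returns nothing, the surviving DC is not registered or not advertising, which is a DC-side problem and not something a client-side alias fixes.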
