Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Active Directory Problems

Status
Not open for further replies.
cmiddl1

cmiddl1

IS-IT--Management
Oct 16, 2003
20
US
Hi:

I need assistance with a very serious active directory (2000) problem. I created a user, and when attempting to login in with that account, I get: "The system could not log you on."....

Let me digress and give you what I have on my network:
1 PDC Windows 2000(DC)(GC Server) - is the DHCP/DNS server for the domain.
1BDC Win2K(Active Directory Tree Manager)- did have DNS/WINS installed, but I had the services shutdown due to earlier problems.

Okay, I did a little research and found that if I create the user on the BDC, then I can login with that ID, however, I cannot create or save a profile of the user to the network, which will cause a problem with other new users, the system says "access denied" and tries to use the local profile, which it cannot. The AD Tree Manager is located on the BDC. The NTDS does not replicate to the other DC, it too says access denied or cannot log in to the remote system.

What steps can I take to fix this? I am getting a new server and want to move the domain (AD) to 2003, what does anyone think of that idea?

Thanks. Tek-Tips Rules!!
 
Sort by date Sort by votes
cmiddl1,

for starters, there is not PDC or BDC with w2k. just DC's and member servers. if you can create accounts, then that server is a DC. depending on many items, your "logon server" can vary. so... if you create the account on DC-1 and when you go to logon with a domain computer, it may be looking at DC-2 for it's active directory information. (you can type SET at a command prompt to verify the logon server used by the client machine). the above based on the idea of 2 or more DC's in a site.

DNS will play a major role with everything w2k related. if you have 2 DC's, then they should both be running DNS. (and for MOST cases, the DNS servers should be active directory integrated). Per microsoft, all DC's should 1st point to the PDC-Emulator Domain Controller for 1st DNS. This is known as "spoke and hub". The PDC-Emulator is the hub. (for the record, the PDC-Emulator is a FSMO role that can be assigned to any DC, but is granted to the first DC added or upgraded to the domain.)

So, back to the original question, AD needs to replicate between servers. If you add a new object to AD, it will take several minutes (depending on lots of variables) to replicate to all DC's in the local segement, and longer across WANS and slow links. You can force replication via the AD Rep Mon utility from the w2k support tools (on the disk).

good luck and read up on the 2003 upgrade before heading down that path...

scottie
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

julis2103
  • Locked
  • Question
Active Directory
Replies
0
Views
84
julis2103
julis2103
goombawaho
  • Locked
  • Question
Microsoft Azure Active Directory - Backup Admin Account 1
Replies
2
Views
328
goombawaho
goombawaho
geneg28
  • Locked
  • Question
Active Directory and Linux Servers
Replies
0
Views
81
geneg28
geneg28
axilleas
  • Locked
  • Question
Windows 2012 R2 Active directory problem after applying GPO
Replies
7
Views
146
technome
technome
mkrausnick
  • Locked
  • Question
Can't write to folder even though Active Directory effective permissions shows full control
Replies
1
Views
88
mkrausnick
mkrausnick

Part and Inventory Search

Sponsor

Back
Top