New DC causing a problem.

zabagar

I installed a new domain controller in our environment, that up until this point just had 1 PDC.

After the new DC is on for a day, roughly, users will begin to have domain login problems. No errors in the event viewer on the PDC. On the newly installed DC, I get "userenv 1000" in the app. log, and "mrxsmb 3034" in the system log.

FYI - dcpromo ran without any errors when I initially set up this DC. I've also run "dcdiag" and receive no errors - all looks good. Plus network connectivity & DNS appear fine.

All of the tests/diags I run come up okay. The two event errors I mentioned above are the only trace of a problem.

Maybe there are some rights that the 2nd DC needs that it doesn't have? Not sure. I did trace the "mrxsmb 3034" and see that the dword/data points to a time server issue.
I just can't see how that's the case. Our PDC synchs from an external time source, and the DC synchs to it. I checked both servers and they have the identical time down to the second. I printed out Microsoft's white paper on the "time service" and compared it to my setup. All seems to be in place.

If anybody has any leads or ideas, please send them!

I've never had this problem bringing up a second DC. No problems if I turn off my new DC....but if I boot it up, people will have login problems shortly afterwards...

-thanks,
Bob
 
Is the new DC a global catalogue server? Does it perform any roles within AD (like schema master, RID master etc)? Is it in the same site as the main domain controller? What errors do the users have logging in?

Regards
jpaf

 
jpaf -

The new DC is not a global catalog server. The one and only PDC has all the roles. I installed an additional DC to take some load off of the PDC plus use it as a backup of Active Directory.

Yes, both servers (PDC plus new DC) are in the same site. There are no replication errors logged in the event viewer.

Errors users get while logging in: My personal test revealed that after logging in, I had no network drives mapped and I was unauthorized to attach to any shares.

I appreciate your response. Thanks.

-Bob
 
The first DC in the Domain must be the PDC machine, you cannot have the old PDC and then add a new DC. You MUST update the original PDC to PDC/DC first before you add any DCs to the Domain, or it will not work correctly.

From your description it appears you have just added a DC to an existing Domain. Is that correct? If so, demote it to a member server until after you have upgraded the original PDC to PDC/DC mixed mode configuration, then promote it back to DC (in the mixed mode configuration).

Sounds like your new DC is trying to be the master DC in a new Domain with the same name as the original.

HTH,

David
 
David, I don't understand your post. Maybe my original message isn't as clear as I thought it was.

I have had 1 Windows 2000 AD Server for quite some time.
It holds all the FSMO roles and runs dns, dhcp, wins.
This server does all of the authenticating. It's the only one.

Now I added a second Windows 2000 Server. Ran DCPROMO w/ no errors. Now I have 2 DCs. One I call the PDC since it has that "pdc emulator" FSMO role...plus I need to distinguish the two from each other while posting.

The second DC, which just has AD on it, is causing problems.

I've added domain controllers to an existing domain many times and haven't seen this problem before.

-bz
 
Much clearer now, you do have the "PDC/DC" configuration.

Recommend you do the following:

1. DCPROMO on the new server to demote it to member server, then reboot it.

2. Remove the member server from the domain and reboot it.

3. Add the new server back to the domain and reboot.

4. DCPROMO the server to DC, then reboot and force the sync between the DCs.

This will probably resolve the issue, but be sure to do all the reboots. It sounds like something got lost during the initial DCPROMO and now the two DCs are not doing all the handshaking with each other properly. Hopefully this will resolve the issue, and at least it is worth the effort to try.

HTH,

David
 
I'll give that a shot at some point. Thanks. I'll post the results.
 
zabagar,

I had a bit of that same confusion because of the PDC reference. Just as an aside, better to give it a fictitious name to avoid confusion since there is no PDC in a 2k3 domain. Is your domain in Native Mode? If so then the PDC Emulator does nothing. It is only used for Mixed mode for backward compatibility with NT4.

I agree with the advice given above. I would first however get a copy of the resource kit utility KERBTRAY and try deleting any kerberos tickets issued to the new server.

If that new server is not a GC, then it really isn't helping the other server other than to provide redundancy in case of a failure.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Mark,

My domain operates in mixed mode. I'm aware of what the roles do.

The new server is not a GC (at least not right now). And yes, all I wanted it for was to provide redundancy in case of failure.

-bz-
 
Well, you accomplished your goal, you have redundancy, and it causes you to have failures! :)

Kidding aside, let me know if the removal, etc. fixes the problem. I had a similar condition, and starting over fixed the problem, but I still do not know what went wrong initially.

HTH,

David
 