[ActiveDir] Active Directory/DNS weirdness

2004-05-03 Thread Hunter, Laura E.
Okay, this is something that I've filed in the "I'll live with it" column
for a while:


Windows 2000 Active Directory domain.

Still supporting NT4 clients.

Using BIND DNS that does -not- have dynamic updates enabled: whenever I
create a DC, I am required to manually upload the netlogon.dns into the zone
file.  (This is usually a one-time upload, since it's done manually.)

Whenever I reboot the PDC Emulator, my NT4 clients start throwing the
following error:

"System can not log you on to the domain because the systems computer
account in its primary domain is missing or the password on that account is
incorrect"...

Or,

"System Error 1789 has occurred. The trust relationship between this
workstation and the primary domain failed."

2000/XP boxen keep chugging merrily along, this behaviour only happens on
NT.

The MS KB answer is to drop the machine from the domain and re-add it.
(Every NT workstation?  Every time I reboot the server?  Are you serious?
Besides...I tried that and it doesn't work.)

The workaround that I've found is to compact the AD database after I reboot
the controller.  It's a workaround only, and doesn't solve the underlying
problem that it just plain shouldn't be happening.

Another piece to the anecdote: I had formerly housed the PDC Emulator on a
remote subnet, in a different building from my clients.  When this was the
case, said error would start throwing itself every few days even -without-
me rebooting the PDC Emulator.  I had to build a DC, install it locally and
transfer the PDC FSMO role to get any sleep at all!

Laura

*waves at Roger & Tony*

***
Laura E. Hunter
MCSE, MCT, MVP - Windows Networking
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
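
Added example (not part of the original post, and not code from any list member): with a BIND zone that takes no dynamic updates, the one-time manual upload of netlogon.dns can drift from what the DCs currently want registered. This Python check compares the two files. The domain, host names, addresses and both file contents are constructed, and the parser assumes one record per line.

```python
import re
# Constructed sample of a DC's netlogon.dns (domain, hosts, addresses made up).
NETLOGON_DNS = """\
example.com. 600 IN A 10.0.0.10
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.pdc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.
"""
# Constructed BIND zone file: dc2 was promoted later and never uploaded.
ZONE_FILE = """\
$ORIGIN example.com.
$TTL 3600
@ IN SOA ns1.example.com. hostmaster.example.com. 2004050301 3600 600 86400 3600
@ IN A 10.0.0.10
_ldap._tcp 600 IN SRV 0 100 389 dc1   ; relative owner and target
_ldap._tcp.pdc._msdcs 600 IN SRV 0 100 389 dc1.example.com.
"""

def parse_records(text, origin=None):
    """Return {(owner, type, rdata)} with absolute lower-case names; TTL and class ignored."""
    records, last_owner = set(), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]              # strip zone-file comments
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].lower()
        if line.startswith("$") or not line.strip():
            continue                             # directives and blank lines
        fields = line.split()
        owner = last_owner if line[0].isspace() else fields.pop(0).lower()
        while fields and (re.fullmatch(r"\d+[smhdw]?", fields[0], re.I) or fields[0].upper() == "IN"):
            fields.pop(0)                        # optional TTL and class
        if owner is None or not fields:
            continue
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"          # relative owner name
        rtype, rdata = fields[0].upper(), " ".join(fields[1:]).lower()
        if rtype in ("SRV", "CNAME") and not rdata.endswith("."):
            rdata = f"{rdata}.{origin}"          # relative target host
        last_owner = owner
        records.add((owner, rtype, rdata))
    return records

def missing_from_zone(netlogon_text, zone_text):
    return sorted(parse_records(netlogon_text) - parse_records(zone_text))

for owner, rtype, rdata in missing_from_zone(NETLOGON_DNS, ZONE_FILE):
    print(f"MISSING  {owner} {rtype} {rdata}")
```

This covers only the DNS locator records that Windows 2000/XP clients use; it does not test the NetBIOS/WINS path or the secure channel that the NT4 errors in this thread involve.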


RE: [ActiveDir] Active Directory/DNS weirdness

2004-05-04 Thread Hunter, Laura E.
 

> First, do the NT4 clients have 
> the DSClient installed, and if so, does it make a difference?

I've tried installing the DSClient - doesn't seem to make a difference
whether the clients have it installed or not.

> 
> Second, are you still running WINS in the environment?
> 

Oh yes, much WINS.  WINS WINS WINS.  WINS will never die.

> 
> When the clients stop being able to log in, have you run 
> NLTest or NetDom to verify the secure channel? I'd be 
> interested in seeing the output of that.
> 

I'll reboot the PDC Emulator the next time I'm in on a weekend to force the
error and run those two utilities.  I'll re-post if anything interesting
comes of it.

Thanks!

Laura


RE: [ActiveDir] Active Directory/DNS weirdness

2004-05-04 Thread Patrick - IT Department
I had a similar situation with WinMe clients (we only have 2 remaining, thank
god!). They were fine until I had to change the logon passwords; after that
they were locked out/cannot find domain. I installed the DSClient and that
didn't help. I was able to ping by NetBIOS name and so forth. I ended up
changing the domain name in their network settings and rebooting them. After
reboot I put in our correct domain name and they could connect...? Pre W2k
sucks last word!

Patrick Foote
LAN Administrator
Equistar Financial
727-388-7450




RE: [ActiveDir] Active Directory/DNS weirdness

2004-05-04 Thread Mulnick, Al
Add to that: output of netdiag and dcdiag from the DCs would be a good
addition.


-Al   

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 03, 2004 4:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory/DNS weirdness

Hey Laura...

Two things come to mind here. First, do the NT4 clients have the DSClient
installed, and if so, does it make a difference?

Second, are you still running WINS in the environment?

What it sounds like is that you're having a LOT of NetBIOS name resolution
issues. Remember pre-Win2k, you pretty much had to have WINS, and it's an
absolute requirement for multisegment LANs and WANs.

When the clients stop being able to log in, have you run NLTest or NetDom to
verify the secure channel? I'd be interested in seeing the output of that.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 



RE: [ActiveDir] Active Directory/DNS weirdness

2004-05-04 Thread Roger Seielstad
Since you're running WINS, are there any static WINS entries for the domain?
(1C records) I used to have people who thought you needed them to fix stupid
little problems that are simple misconfigurations...

Use a Win2k or later WINS manager and do a search for registrations for the
NetBIOS name of your domain. See what comes back, and more importantly, what
comes back marked as static...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 



RE: [ActiveDir] Active Directory/DNS weirdness

2004-05-03 Thread Roger Seielstad
Hey Laura...

Two things come to mind here. First, do the NT4 clients have the DSClient
installed, and if so, does it make a difference?

Second, are you still running WINS in the environment?

What it sounds like is that you're having a LOT of NetBIOS name resolution
issues. Remember pre-Win2k, you pretty much had to have WINS, and it's an
absolute requirement for multisegment LANs and WANs.

When the clients stop being able to log in, have you run NLTest or NetDom to
verify the secure channel? I'd be interested in seeing the output of that.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 
