June 2001

The Right Tool for the Job



Dcdiag rescued me from a frustrating replication problem

The problem-frustration-solution-elation cycle is a way of life at the Windows 2000 Magazine Lab. However, some cycles' problem and frustration phases are more persistent than others'. Such was the case with a problem that recently crippled our network.

The Lab uses a mixed-mode Win2K Active Directory (AD) domain with two domain controllers (DCs) and more than 130 computers for benchmark testing. As is the case with Win2K domains, one DC acts as a PDC emulator. During preparations for a test, I rebooted about 50 Windows NT Workstation 4.0 computers and discovered that the DCs denied domain access to some of these computers. Each of those workstations displayed a message that the domain account or password was invalid. I found corresponding failed-authentication messages in the PDC emulator's System log.

AD problem resolution isn't my strength, but I knew I needed to start somewhere and soon; several Lab projects were on hold. I used the Microsoft Windows NT Server 4.0 Resource Kit's Netdom tool to reset the domain accounts. I could then log on from the computers—but the logon problem resurfaced a short time later. After deleting and recreating the computer accounts in the domain failed to fix the problem, I checked both DCs' Directory Services logs and discovered warning messages. On the PDC emulator, event ID 1308 indicated failed replication with the second DC. The second DC's log displayed event ID 1586, which denotes unsuccessful checkpoints with the PDC emulator.

At that point, I called Microsoft Product Support Services (PSS). The support technician advised me to run two Win2K support tools: Netdiag and Dcdiag. (You'll find these tools on the Win2K Server CD-ROM.) Netdiag.exe ran a variety of domain connectivity and authentication tests and showed no errors on the DCs.

Dcdiag.exe ran a variety of DC diagnostics. When I ran dcdiag.exe on the PDC emulator, the tool reported a message similar to event ID 1308: failed replication with the second DC. However, when I ran dcdiag.exe on the second DC, the tool's NCSecDesc test gave me the information I needed to fix the problem: The Enterprise Domain Controllers group lacked three rights that replication requires. The tool listed both the rights and the naming contexts (NCs) in which I needed to set them.

To track down the delinquent rights, I opened the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in on the second DC and selected View, Advanced Settings from the menu bar. I then opened the appropriate NC's Properties dialog box and clicked the Security tab. I changed the Enterprise Domain Controllers group's rights on the second DC to match those on the PDC emulator. To verify that these changes fixed the replication problem, I opened the MMC Active Directory Sites and Services console on each DC and used each DC's Connection object's Replicate Now function. However, the replication fix didn't alleviate the original symptom of invalid computer accounts. (Machine account passwords had changed, but because of the replication problems, only one DC had the working password.) Before I could experience the elation of a problem solved, I needed to use Netdom to reset the accounts.
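The comparison the author made by hand on each NC's Security tab can be scripted. The PowerShell below is an added example written for this page, not code from the article or from Microsoft: it reads the naming context's security descriptor from each DC separately and tabulates which replication rights the Enterprise Domain Controllers group holds on each copy. It assumes the ActiveDirectory module, placeholder DC names and NC, and the well-known replication-right GUIDs, which the article does not list.

```powershell
# Added example, not code from the article: compare the Enterprise Domain
# Controllers replication rights on one naming context as each DC sees it,
# so a gap like the one Dcdiag's NCSecDesc test reported stands out.
# Assumes the ActiveDirectory PowerShell module and permission to read the
# NC's security descriptor. DC names and the NC below are placeholders.
Import-Module ActiveDirectory

$dcs = 'PDCEMU01', 'DC02'                   # assumed DC names
$nc  = 'DC=lab,DC=example,DC=com'           # assumed domain naming context

# Well-known extended-right GUIDs for the replication control access rights.
# The article says three rights were missing but does not name them, so the
# table covers the standard set and any gap in it becomes visible.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
    '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2' = 'Manage Replication Topology'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

function Get-EdcReplRights {
    param([string]$Server, [string]$DistinguishedName)
    # Read the NC head's ACL from this specific DC, not from whichever DC the
    # module would pick, because in this scenario the two copies differ.
    $obj = Get-ADObject -Server $Server -Identity $DistinguishedName `
                        -Properties nTSecurityDescriptor
    $obj.nTSecurityDescriptor.Access |
        Where-Object {
            $_.IdentityReference.Value -like '*ENTERPRISE DOMAIN CONTROLLERS' -and
            $_.AccessControlType -eq 'Allow' -and
            $replRights.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object { $replRights[$_.ObjectType.ToString()] } |
        Sort-Object -Unique
}

$results = @{}
foreach ($dc in $dcs) {
    $results[$dc] = @(Get-EdcReplRights -Server $dc -DistinguishedName $nc)
}

# One row per right, one column per DC: a False beside a True is the
# mismatch to correct on the DC that lacks it, then verify with Replicate Now.
foreach ($name in ($replRights.Values | Sort-Object)) {
    $row = [ordered]@{ Right = $name }
    foreach ($dc in $dcs) { $row[$dc] = $results[$dc] -contains $name }
    [pscustomobject]$row
}
```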

Education typically emerges somewhere in the middle of the problem-frustration-solution-elation cycle. Although I never discovered the cause of the missing rights, I did learn about an effective tool that I'll be able to use in future problem cycles. Kudos to the team that designed Dcdiag.

Give Us Your Feedback: The Lab strives to cover products that address your most common problems. Are we hitting the mark? What categories of products do you want us to cover? What kinds of information do you need to make purchasing decisions? To post your comments, click "Post a comment" in the right-hand column of this page.




Reader Comments
I faced the same problem last year. However, at that time, my knowledge of netdom, dcdiag or win2k replication was meagre. All I could do at that point in time was to reformat the machine with a different name - and that is what solved the problem.
Till today, I couldn't get to the problem. But now that I know the problem, I wish this article was published then.

Soumendra Ray May 18, 2001


I lived exactly the same situation in a production environment a few weeks ago. All the NT4 WS are unable to logon but win2k, with the same username.

When I try the following command: net use \\servername\ipc$ "" /user:"", to connect the IPC$ with a blank username, certain DCs accept the command and certain refuse the command with an access denied!

We have forwarded the problem to MS but, at the time, without success with the solution.

Claude Bordigoni June 07, 2001


I also had this problem.

"No Win95 / Win98 pc's could connect to my nt 4 server."

The NT server was standing unused for a while (switched off). I connected it to my network after about 6 months to be used as a file server for user docs. I created the shared folders and assigned the access rights to the shared folders with no problems.

I moved some files of another server to this server through the nt network with no problem.
The next day, no 95 or 98 pc's could access the server. They all got the \\servername\IPC$ password prompt.

I checked for help all over the net and followed all the suggestions I could find but no luck. After I checked the event viewer
(should have checked it first!) I saw that the netlogon service failed with error code 1787, stating something about the Windows logon server does not have an account for the NT workstation.
I KNOW that I was not working on NT workstation, but that it was an NT server.

I checked the computer account on the PDC and my machine had an NT server account. Did not make any sense, so I removed the account and added it again as an NT server.

Same thing happened, -> netlogon does not start due to the missing workstation account on the PDC.
That's when I remembered that this old server was used in one of the remote branches and was configured as a BDC.

I removed the server account on the PDC and added the new account but this time as a BDC. It worked! Netlogon started successfully and the Win95 and Win98 pc's can connect to the shared folders.

Hope this can help someone.

Johan
webmaster@ground-beef-recipes.com

Johan May 20, 2004


Jason M. Laurvick had authentication problems ...way back when. Laurvick solved authentication failure before the replication problem by making sure the user rights in the source server's security policy included the servers' machine account. Laurvick chose the "Everyone" group with the "Domain Controllers" group. Then Laurvick checked the destination server for old or invalid tickets going to the source server. He used Windows 2000 Resource Kit utilities to perform tests and the NETDOM RESETPWD command to reset the account. He wrote the password to an immediate replication partner, which effectively changes the password; sets the old and new passwords to be the same, and then writes this change to the replication partner. Lastly, Laurvick restarted the computer.

Anonymous User February 19, 2005

