BDC Does Not Authenticate When PDC Is Offline

LJ

Jun 12, 2004
Archived from groups: microsoft.public.windowsnt.domain

All,

We needed to take the PDC of my NT domain offline to perform routine
maintenance (MS Patches / Software Updates, etc). We wanted to be sure that
users could still authenticate with the PDC offline before we began any
changes to the PDC. We successfully synchronized the Domain while both the
PDC and BDC were online. We then powered off the PDC and NO ONE could
authenticate! Mapped drives were lost, services failed, etc. Everyone was
receiving "No Logon Servers Available" error message. I attempted to open
User Manager For Domains and Server Manager on the BDC, and received the
message, "No domain controllers could be contacted for that Domain". The
BDC was not performing any Domain Controller functions. However, WINS is
installed on the BDC, and that was working. The BDC could PING machines,
and other machines on the network could PING it by name. We brought the PDC
online, and everyone could authenticate. The event logs show successful
replications to the BDC. It appears that everything functions normally with
both domain controllers online. Yet, the entire domain "dies" when the PDC
is taken offline.

I have never encountered this situation before. Please advise. Thanks.
 

There is a bug which causes a domain name 1c group name
for DCs to go into conflict which prevents the clients from
finding a DC. Open a dos prompt on the BDC and run
nbtstat -n to see the cache. If it's in conflict a reboot should
clear the conflict.

BTW the error you received when attempting to open user
manager or server manager is by design. The PDC holds
the only modifiable copy of the SAM; therefore it must be
contacted when opening User Manager or Server Manager.
What you get when opening them on the BDC without a PDC
is a read-only version.


"LJ" <Larry.A.Johnson@mantech-ist.com> wrote in message news:
> All,
>
> We needed to take the PDC of my NT domain offline to perform routine
> maintenance (MS Patches / Software Updates, etc). We wanted to be sure that
> users could still authenticate with the PDC offline before we began any
> changes to the PDC. We successfully synchronized the Domain while both the
> PDC and BDC were online. We then powered off the PDC and NO ONE could
> authenticate! Mapped drives were lost, services failed, etc. Everyone was
> receiving "No Logon Servers Available" error message. I attempted to open
> User Manager For Domains and Server Manager on the BDC, and received the
> message, "No domain controllers could be contacted for that Domain". The
> BDC was not performing any Domain Controller functions. However, WINS is
> installed on the BDC, and that was working. The BDC could PING machines,
> and other machines on the network could PING it by name. We brought the PDC
> online, and everyone could authenticate. The event logs show successful
> replications to the BDC. It appears that everything functions normally with
> both domain controllers online. Yet, the entire domain "dies" when the PDC
> is taken offline.
>
> I have never encountered this situation before. Please advise. Thanks.
 

I know that the BDC was rebooted several times while the PDC was offline.
The clients were never able to authenticate, until the PDC was brought
online. Can you manually make the necessary change, if a conflict exists?


"Michael Giorgio - MS MVP" <Michael.Giorgio@NoSpam.mayerson.com> wrote in
message news:uvPfb$5XFHA.2740@TK2MSFTNGP14.phx.gbl...
> There is a bug which causes a domain name 1c group name
> for DCs to go into conflict which prevents the clients from
> finding a DC. Open a dos prompt on the BDC and run
> nbtstat -n to see the cache. If it's in conflict a reboot should
> clear the conflict.
>
> BTW the error you received when attempting to open user
> manager or server manager is by design. The PDC holds
> the only modifiable copy of the SAM; therefore it must be
> contacted when opening User Manager or Server Manager.
> What you get when opening them on the BDC without a PDC
> is a read-only version.
>
>
> "LJ" <Larry.A.Johnson@mantech-ist.com> wrote in message news:
>> All,
>>
>> We needed to take the PDC of my NT domain offline to perform routine
>> maintenance (MS Patches / Software Updates, etc). We wanted to be sure that
>> users could still authenticate with the PDC offline before we began any
>> changes to the PDC. We successfully synchronized the Domain while both the
>> PDC and BDC were online. We then powered off the PDC and NO ONE could
>> authenticate! Mapped drives were lost, services failed, etc. Everyone was
>> receiving "No Logon Servers Available" error message. I attempted to open
>> User Manager For Domains and Server Manager on the BDC, and received the
>> message, "No domain controllers could be contacted for that Domain". The
>> BDC was not performing any Domain Controller functions. However, WINS is
>> installed on the BDC, and that was working. The BDC could PING machines,
>> and other machines on the network could PING it by name. We brought the PDC
>> online, and everyone could authenticate. The event logs show successful
>> replications to the BDC. It appears that everything functions normally with
>> both domain controllers online. Yet, the entire domain "dies" when the PDC
>> is taken offline.
>>
>> I have never encountered this situation before. Please advise. Thanks.
>
>
 

Hi Larry,

You may be able to stop and start the server service along
with the netlogon service but I am not so sure that is your
problem. First open a dos prompt on the BDC and run
net accounts and look at the value of the computer role
field, it should say Backup. Next unplug the PDC and
run nbtstat -n on the BDC to see if the name actually goes
into conflict. Next make sure there are no firewalls of any
kind blocking traffic to and from the BDC. Also I would
be interested to know if you can communicate with the
BDC while the PDC is back online?

"LJ" <Larry.A.Johnson@mantech-ist.com> wrote in message news:
> I know that the BDC was rebooted several times while the PDC was offline.
> The clients were never able to authenticate, until the PDC was brought
> online. Can you manually make the necessary change, if a conflict exists?
 

Hi Michael,

Results from your suggestions...
1. Stopping and restarting the services (did not resolve the issue)
2. Computer Role (displayed BACKUP)
3. nbtstat -n (did not display a Conflict)
4. Firewall (not an issue)
5. Communication with PDC & BDC Online (not sure what you are looking for)
a. Was able to launch User Manager for Domains on the BDC
b. Was able to View the Trusts on the BDC
c. Was able to launch Server Manager on the BDC

Keep the suggestions coming. I am struggling with this one.....


"Michael Giorgio - MS MVP" <Michael.Giorgio@NoSpam.mayerson.com> wrote in
message news:uiY90a6XFHA.4032@tk2msftngp13.phx.gbl...
> Hi Larry,
>
> You may be able to stop and start the server service along
> with the netlogon service but I am not so sure that is your
> problem. First open a dos prompt on the BDC and run
> net accounts and look at the value of the computer role
> field, it should say Backup. Next unplug the PDC and
> run nbtstat -n on the BDC to see if the name actually goes
> into conflict. Next make sure there are no firewalls of any
> kind blocking traffic to and from the BDC. Also I would
> be interested to know if you can communicate with the
> BDC while the PDC is back online?
>
> "LJ" <Larry.A.Johnson@mantech-ist.com> wrote in message news:
>> I know that the BDC was rebooted several times while the PDC was offline.
>> The clients were never able to authenticate, until the PDC was brought
>> online. Can you manually make the necessary change, if a conflict
>> exists?
>
>
 

That rules out the 1c conflict problem. <g>
Unplug the PDC and basically reproduce
your original error but then attempt to map
to a share on the BDC from a problem client
first by name then by tcp/ip address; if either
fails post the exact error.

"LJ" <Larry.A.Johnson@mantech-ist.com> wrote in message news:
> Hi Michael,
>
> Results from your suggestions...
> 1. Stopping and restarting the services (did not resolve the issue)
> 2. Computer Role (displayed BACKUP)
> 3. nbtstat -n (did not display a Conflict)
> 4. Firewall (not an issue)
> 5. Communication with PDC & BDC Online (not sure what you are looking for)
> a. Was able to launch User Manager for Domains on the BDC
> b. Was able to View the Trusts on the BDC
> c. Was able to launch Server Manager on the BDC
>
> Keep the suggestions coming. I am struggling with this one.....
 

What version are the clients? If Windows 2000, yes, we have the same
problem. We had to add an LMHOSTS entry to each 2000 Pro client so they
would authenticate against just a BDC. I figure it must be a WINS issue but
we never could solve it.

Ray

"Michael Giorgio - MVP" <michael.giorgio@Nospam.mayerson.com> wrote in
message news:eeMBoeEYFHA.2288@TK2MSFTNGP14.phx.gbl...
> That rules out the 1c conflict problem. <g>
> Unplug the PDC and basically reproduce
> your original error but then attempt to map
> to a share on the BDC from a problem client
> first by name then by tcp/ip address; if either
> fails post the exact error.
>
> "LJ" <Larry.A.Johnson@mantech-ist.com> wrote in message news:
> > Hi Michael,
> >
> > Results from your suggestions...
> > 1. Stopping and restarting the services (did not resolve the issue)
> > 2. Computer Role (displayed BACKUP)
> > 3. nbtstat -n (did not display a Conflict)
> > 4. Firewall (not an issue)
> > 5. Communication with PDC & BDC Online (not sure what you are looking for)
> > a. Was able to launch User Manager for Domains on the BDC
> > b. Was able to View the Trusts on the BDC
> > c. Was able to launch Server Manager on the BDC
> >
> > Keep the suggestions coming. I am struggling with this one.....
>
>
 

Results:
I cannot access any shares (No Logon Server Available).
All trusted accounts cannot access any resources on the domain.
I can ping the BDC by name, and I receive the correct name when I "ping -a
bdcipaddress".

"Michael Giorgio - MVP" <michael.giorgio@Nospam.mayerson.com> wrote in
message news:eeMBoeEYFHA.2288@TK2MSFTNGP14.phx.gbl...
> That rules out the 1c conflict problem. <g>
> Unplug the PDC and basically reproduce
> your original error but then attempt to map
> to a share on the BDC from a problem client
> first by name then by tcp/ip address; if either
> fails post the exact error.
>
> "LJ" <Larry.A.Johnson@mantech-ist.com> wrote in message news:
>> Hi Michael,
>>
>> Results from your suggestions...
>> 1. Stopping and restarting the services (did not resolve the issue)
>> 2. Computer Role (displayed BACKUP)
>> 3. nbtstat -n (did not display a Conflict)
>> 4. Firewall (not an issue)
>> 5. Communication with PDC & BDC Online (not sure what you are looking
>> for)
>> a. Was able to launch User Manager for Domains on the BDC
>> b. Was able to View the Trusts on the BDC
>> c. Was able to launch Server Manager on the BDC
>>
>> Keep the suggestions coming. I am struggling with this one.....
>
>
 

Immediately afterwards open a dos prompt and run
nbtstat -c then look for a 1c entry. If you see it
tell us whether the TTL value is -1 or 600 or less.

"LJ" <Larry.A.Johnson@mantech-ist.com> wrote in message
news:uC3HwSIYFHA.3572@TK2MSFTNGP12.phx.gbl...
> Results:
> I cannot access any shares (No Logon Server Available).
> All trusted accounts cannot access any resources on the domain.
> I can ping the BDC by name, and I receive the correct name when I "ping -a
> bdcipaddress".
>
> "Michael Giorgio - MVP" <michael.giorgio@Nospam.mayerson.com> wrote in
> message news:eeMBoeEYFHA.2288@TK2MSFTNGP14.phx.gbl...
> > That rules out the 1c conflict problem. <g>
> > Unplug the PDC and basically reproduce
> > your original error but then attempt to map
> > to a share on the BDC from a problem client
> > first by name then by tcp/ip address; if either
> > fails post the exact error.
> >
> > "LJ" <Larry.A.Johnson@mantech-ist.com> wrote in message news:
> >> Hi Michael,
> >>
> >> Results from your suggestions...
> >> 1. Stopping and restarting the services (did not resolve the issue)
> >> 2. Computer Role (displayed BACKUP)
> >> 3. nbtstat -n (did not display a Conflict)
> >> 4. Firewall (not an issue)
> >> 5. Communication with PDC & BDC Online (not sure what you are looking
> >> for)
> >> a. Was able to launch User Manager for Domains on the BDC
> >> b. Was able to View the Trusts on the BDC
> >> c. Was able to launch Server Manager on the BDC
> >>
> >> Keep the suggestions coming. I am struggling with this one.....
> >
> >
>
>
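The three checks that run through this thread (Michael's `nbtstat -n` look for a domain 1c group name in Conflict on the BDC, his later `nbtstat -c` question about whether the client's cached 1c entry has a Life of -1 or a countdown from 600, and Ray's LMHOSTS workaround) all come down to reading a few lines of NetBIOS name-table output. The script below is an added example written for this page, not code posted by anyone in the thread. It parses constructed samples of `nbtstat -n`, `nbtstat -c` and an LMHOSTS file and reports what each check would have shown. The column layout it expects is the one NT 4.0 and Windows 2000 `nbtstat` print (name, `<suffix>`, UNIQUE/GROUP, then either a status or an address and Life); the domain name EXAMPLEDOM, the host names and the 192.0.2.x addresses are made up.

```python
import re

# One row of a NetBIOS name table as nbtstat prints it:
#   NAME <xx> UNIQUE|GROUP <status>          (nbtstat -n)
#   NAME <xx> UNIQUE|GROUP <address> <life>  (nbtstat -c)
_ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(.*?)\s*$")
_LMHOSTS = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)(.*)$")


def parse_nbtstat(output):
    """Return one dict per name row of `nbtstat -n` or `nbtstat -c` output."""
    rows = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner, column headers, dashes, blank lines
        name, suffix, ntype, rest = m.groups()
        row = {"name": name.upper(), "suffix": suffix.upper(), "type": ntype}
        fields = rest.split()
        if len(fields) == 2 and re.fullmatch(r"-?\d+", fields[1]):
            row["address"], row["life"] = fields[0], int(fields[1])  # -c row
        else:
            row["status"] = rest  # -n row: Registered, Conflict, ...
        rows.append(row)
    return rows


def local_1c_status(nbtstat_n_output, domain):
    """'conflict', 'missing' or nbtstat's status text for DOMAIN<1C> (the DC
    group name) on the machine that ran `nbtstat -n`."""
    for row in parse_nbtstat(nbtstat_n_output):
        if row["name"] == domain.upper() and row["suffix"] == "1C":
            status = row.get("status", "")
            return "conflict" if "conflict" in status.lower() else status
    return "missing"


def cached_1c_entry(nbtstat_c_output, domain):
    """The client's cached DOMAIN<1C> row from `nbtstat -c` (or None), with a
    'source' key: Life -1 means preloaded from LMHOSTS (#PRE) and permanent,
    any other value is a dynamic entry that ages out from 600 seconds."""
    for row in parse_nbtstat(nbtstat_c_output):
        if row["name"] == domain.upper() and row["suffix"] == "1C" and "life" in row:
            row["source"] = "preloaded" if row["life"] == -1 else "dynamic"
            return row
    return None


def lmhosts_domain_controllers(text):
    """host -> {ip, domain, preloaded} for LMHOSTS lines tagged #DOM:domain.
    #DOM marks the host as a DC for that domain; #PRE makes the entry a
    permanent (Life -1) cache entry, which is what Ray's workaround relies on."""
    dcs = {}
    for line in text.splitlines():
        m = _LMHOSTS.match(line)
        if not m:
            continue  # comments and blank lines do not start with an address
        ip, host, tail = m.groups()
        dom = re.search(r"#DOM:(\S+)", tail, re.IGNORECASE)
        if dom:
            dcs[host.upper()] = {"ip": ip, "domain": dom.group(1).upper(),
                                 "preloaded": "#PRE" in tail.upper()}
    return dcs


# Constructed sample: `nbtstat -n` run on the BDC, 1C name in conflict.
SAMPLE_NBTSTAT_N = """\
Node IpAddress: [192.0.2.11] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    BDC01          <00>  UNIQUE      Registered
    EXAMPLEDOM     <00>  GROUP       Registered
    EXAMPLEDOM     <1C>  GROUP       Conflict
"""
# Constructed sample: `nbtstat -c` on a client whose LMHOSTS preloads the BDC.
SAMPLE_NBTSTAT_C = """\
Node IpAddress: [192.0.2.50] Scope Id: []

                  NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    ------------------------------------------------------------
    EXAMPLEDOM     <1C>  GROUP       192.0.2.11      -1
    BDC01          <20>  UNIQUE      192.0.2.11      540
"""
# Constructed LMHOSTS sample of the kind Ray describes adding to each client.
SAMPLE_LMHOSTS = """\
# constructed sample, not a real file
192.0.2.10   PDC01     #PRE #DOM:EXAMPLEDOM
192.0.2.11   BDC01     #PRE #DOM:EXAMPLEDOM
192.0.2.20   FILESRV
"""

if __name__ == "__main__":
    print("BDC 1C name:", local_1c_status(SAMPLE_NBTSTAT_N, "EXAMPLEDOM"))
    print("client 1C cache:", cached_1c_entry(SAMPLE_NBTSTAT_C, "EXAMPLEDOM"))
    print("LMHOSTS DCs:", lmhosts_domain_controllers(SAMPLE_LMHOSTS))
```

Read against the thread: a `conflict` result from `local_1c_status` is the bug Michael describes first (Larry's BDC showed Registered, which is why he ruled it out); a `missing` result from `cached_1c_entry` on a client that cannot find a logon server points at name resolution rather than the BDC itself, which is the direction Ray's LMHOSTS workaround takes; a `preloaded` entry with Life -1 confirms that workaround is in effect.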