OK, good. Technically, when the PDC goes down the BDC is supposed to kick in and run as PDC until the PDC server is back up. In a W2K environment there are no PDC or BDC, just DCs (domain controllers); therefore when the main DC fails another DC should still be able to authenticate users and profiles. This will give you the ability to repair the main DC and still have users log onto the network. One more question: are the DNS, WINS and DHCP servers all on the main DC machine?
In short, either way you look at the network you will need some downtime to further troubleshoot the server crashes. It would make life easier if there was another DC on the network so that users will not fail to authenticate, but not knowing totally how the servers are set up, it would be safer to schedule downtime maintenance in a non-peak hour and apply the maintenance to the server that is faulting out. Got another question: have you viewed the event log on the server in question for any events that flag or pertain to the crashes on the server?
As everyone says, make sure they are all on the same SP with the same hotfixes. Also, check the replication of AD. It sounds almost as if the AD permissions on the two DCs are not exactly in sync.
If AD replication is the problem, I'd also consider setting up an alternate NIC on each server to handle AD replication. If they are physically close enough, use a crossover cable. That way even if the net fails, AD can still replicate.
Why not just make all 3 servers AD domain controllers and use DFS (distributed file system) in conjunction with Terminal Services? Are there security or data integrity issues preventing this, or is the third server a NAS or SAN device?
As for DNS, one of them is obviously a DNS root server. You can use the nslookup command to find out which one. If the other isn't running DNS, set it up as a backup DNS and have the primary replicate to it. You can also troubleshoot DNS with the dcdiag.exe tool from the Windows 2000 resource kit (it's still available from Microsoft's website, last time I checked).
Just a thought.
January 15th, 2004, 05:31 PM
Another bit of information which may be useful is the make of the servers and their type. One of the first things I would do when I have a server doing strange things is to connect to the support site of the manufacturer. Another good site to check out is Microsoft's TechNet site.
It is true that the problem does look like a power supply problem or a problem of overheating. Is your server in a well ventilated area?
As for the problem your users have with connecting to the shares on the server, I have a couple of questions you may ask yourself.
1) What are the differences between the two servers use to connect?
2) How are the shares connected when the user logs on?
3) Is the problem the same for everyone? I.e., do you have the same problem when you log on to the second server as the administrator as a user does?
4) Have you noticed any error messages? The presence of errors will depend largely on how the shares are connected.
6) What are the reasons, security or otherwise, for this system of file sharing?
7) What are the results when you create a new share on the file server with no security restrictions? Can your user connect to it?
8) What events do you get when you put a security audit in place on the file server? I would audit connection success and failure for certain shares.
9) Is the file server visible from the second server? If not, a problem with the DNS is a good bet.
I would think that you have a problem of authentication between your connection server and your file server.
Hope some of these points help.
P.S. On a more personal note, I would agree with what you said about the community. I haven't been a member long but I am more than impressed by the attitude of the people who are present on this site. My only regret is I didn't find it sooner, like when I was having major problems with a Dr Watson, network connections and Intel's LANDesk manager. Ah well, such is life.
January 15th, 2004, 11:09 PM
Okay, we're finally coming to some solutions over here, among which we're going to replace this darn server. But that brings up a new question that I'm researching -- How do you move the global catalog and operations master roles to one of the other DCs? I'm sure that's done through either Active Directory or MMC, but I don't know what steps to take. However, we need to do this when we demote this server and remove it.
January 16th, 2004, 12:56 AM
Single master operations roles can be moved using various MMC AD utils... you may need to install the schema snap-in for MMC; I do not think it installs by default.
I believe most of the single master roles will automatically transfer when you demote a domain controller, not sure about the global catalog.
I had a domain controller die completely on me once, and had to seize all of those roles forcefully using ntdsutil from the command line. That wasn't much fun...
January 16th, 2004, 02:36 AM
tabich is right, you'll have to install the schema snap-in. As for the global catalog, if AD replication is configured on the DCs, they should all contain a pretty close copy of the global catalog. If you downgrade the first DC on the domain, it should force an enterprise-wide AD replication of the entire AD schema, including master roles, global catalog, and any other AD dependents to occur before it completes the demotion process.
January 20th, 2004, 04:08 PM
Thanks, that helped a lot. So how do I find out which operation master roles the server currently has (and thus needs to transfer)?
January 20th, 2004, 04:33 PM
I am running a Windows 2003 domain, so for a Windows 2000 domain these steps might be a little different.
The procedure to find out the operations masters in an AD is the following:
For the global catalog:
Open Active Directory Sites and Services.
If you have a site set up, go to the site folder.
Expand the server to see the icon NTDS Settings.
Right click on the icon and go to Properties.
Check to see if the box is ticked.
For the other roles (RID, PDC, INFRASTRUCTURE):
Open Active Directory Users and Computers.
Right click on your domain and go to the item Operations Masters (in 2K this might be higher in the structure, right at the root, i.e. Active Directory Users and Computers).
The first area has the DNS name of the current operations master. The second is the name of the current server on which you are logged. To change operations master these need to be different.
hope this helps
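
A command-line counterpart to the GUI steps in the post above, added here as an example and not written by any poster in the thread: it parses the output of `netdom query fsmo` (Windows Support Tools) and lists which roles a given DC must hand over before demotion. It goes beyond the three roles named in the post by also covering the two forest-wide roles; the host names and sample output are constructed, and the role labels are assumed to match those printed by older netdom versions.

```powershell
# Constructed sample of `netdom query fsmo` output (host names are placeholders).
$sample = @'
Schema owner                dc1.corp.example
Domain role owner           dc1.corp.example
PDC role                    dc2.corp.example
RID pool manager            dc1.corp.example
Infrastructure owner        dc2.corp.example
The command completed successfully.
'@ -split "`r?`n"

function Get-FsmoHolders {
    param([string[]]$Lines)
    # Labels as printed by netdom (assumed format), mapped to the usual role names.
    $labels = [ordered]@{
        'Schema owner'         = 'Schema master'
        'Domain role owner'    = 'Domain naming master'
        'PDC role'             = 'PDC emulator'
        'RID pool manager'     = 'RID master'
        'Infrastructure owner' = 'Infrastructure master'
    }
    foreach ($line in $Lines) {
        foreach ($label in $labels.Keys) {
            if ($line -match ('^\s*' + [regex]::Escape($label) + '\s+(\S+)\s*$')) {
                [pscustomobject]@{ Role = $labels[$label]; Holder = $Matches[1] }
            }
        }
    }
}

function Get-RolesToTransfer {
    param([string[]]$Lines, [string]$Server)
    $found = @(Get-FsmoHolders -Lines $Lines)
    # Refuse to answer from partial output: a missed line would hide a role.
    if ($found.Count -ne 5) {
        throw "Expected 5 role lines, parsed $($found.Count); check the netdom output."
    }
    # -eq compares strings case-insensitively, which suits DNS host names.
    $found | Where-Object { $_.Holder -eq $Server } |
        Select-Object -ExpandProperty Role
}

# Live use (Support Tools installed):  $lines = netdom query fsmo
# Global catalog holders are listed separately with:  dsquery server -isgc
Get-RolesToTransfer -Lines $sample -Server 'dc1.corp.example'
```

With the constructed sample, the call returns the schema master, domain naming master and RID master roles for `dc1.corp.example`.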