Possible Network Security Issue (Windows Server 2000) - Page 3
Page 3 of 4 FirstFirst 1234 LastLast
Results 21 to 30 of 31

Thread: Possible Network Security Issue (Windows Server 2000)

  1. #21
    Junior Member
    Join Date
    Jan 2004
    Posts
    5
    Ok ..good technically when the PDC goes down the BDC is supposed to kick in and run as PDC until the PDC server is back up , in a W2K enviroment there are no pdc or bdc just DC Domain controlers, therefore when the main DC fails anoth DC should still be able to authenticate users and profiles, this will give you the ability to repair the main DC and still have users log onto the network. one more question is the DNS and WINS and DHCP server all on the main DC machine.

    In Short either way you look at the network you will need some downtime to further troubleshoot the server crashes. It would make life easier if there was another dc on the network so that users will not fail to authenticate...but not knowing totally how the servers are set up it would be safer to schedule downtime maintenance in an non-peak hour and apply the maintenance to the server that is faulting out. Got another Question, Have you viewed the event log on the server in question for any events that flag or pertain to the crashes on the server.

  2. #22
    Junior Member
    Join Date
    Jan 2004
    Posts
    5
    here is an helpfull link in the meantime ..... maybe this site has a direction you can pursue.
    http://www.labmice.net/troubleshooting/default.htm

  3. #23
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    As everyone says, make sure they are all on the same SP with the same hotfixes. Also, check the replication of AD. It sounds almost as if the AD permissions on the two DCs are not exactly in sync.

    If AD replication is the problem, I'd also consider setting up an alternate NIC on each server to handle AD replication. If they are physically close enough, use a crossover cable. That way even if the net fails, AD can still replicate.

    Why not just make all 3 servers AD domain controllers and use DFS (distributed file system) in conjunction with Terminal Services? Are there security or data integrity issues preventing this, or is the third server a NAS or SAN device?

    As for DNS, one of them is obviously a DNS root server. You can use the nslookup command to find out which one. If the other isn't runnung DNS, set it up as a backup DNS and have the primary replicate to it. You can also troubleshoot DNS with the dcdiag.exe tool from the Windows 2000 resource kit (it's still available from Microsoft's website, last time I checked).

    Just a thought.

  4. #24
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,003
    Another bit of information which may be usefull is the mark of the servers and their type. One of the first things i would do when i have a server doing strange things is to connect to the support site of the maufacturer. Another good site to check out is microsofts technet site.
    It is true that the problem does look like a power supply problem or an problem of overheating. Is your server in a well ventilated area?
    As for the problem your users have with connecting to the shares on the server I have a couple of questions you may ask yourself.
    1) what are the differances between the two servers use to connect.
    2) How are the shares connected when the users logs on?
    3) Is the problem the same for everyone. ie Do you have the same problem when you log on the second server as the administator as a user does?
    4)Have you noticed any error messages. The present of errors will depend largly on how the shares are connected.
    6) What are the reasons ,security or otherwise, for this system of file sharing?
    7) what are the results when you create a new shares on the file server with no security restrictions! Can you user connect to it?
    8) what events do you get when you put a security audit in place on the file server? I would audit connexion succes and failur for certain shares.
    9) Is the file server visiable from the second server. if not a problem with the DNS is a good bet.
    I would think that you have a problem of authentification between you connexion server and your file server.
    hope some of these points help

    P.S. on a more personel note I would agree with what you said about the community. i havent been a member long but i am more than impressed by the attitude of the people who are present on this site. My only regret is i didnt find it sooner, like when i was having major problems with a dr watson, network connections and intels landesk manager, ah well such is life.

  5. #25
    Okay, we're finally coming to some solutions over here, among which we're going to replace this darn server. But that brings up a new question that I'm researching -- How do you move the global catalog and operations master roles to one of the other DCs? I'm sure that's done through either Active Directory or MMC, but I don't what steps to take. However, we need to do this when we demote this server and remove it.

  6. #26
    Member
    Join Date
    Dec 2003
    Posts
    43
    Single master operations roles can be moved using warious mmc AD utils... you may need to install the schema snapin for mmc, I do not think it installs by default..

    http://www.microsoft.com/technet/tre...rFSMOroles.asp

    how to move the global catalog..
    http://support.microsoft.com/?kbid=313994

  7. #27
    Member
    Join Date
    Dec 2003
    Posts
    43
    to install the schema snapin if you havent already, go here...
    http://www.microsoft.com/windows2000...all_Snapin.htm

    for more info about master roles...
    http://www.microsoft.com/technet/tre...ag_ADFSMOs.asp

    I believe most of the single master roles will automatically transfer when you demote a domain controller, not sure about the global catalog.

    I had a domain controller die completely on me once, and had to sieze all of those roles forcefully using ntdsutil from the command line. That wasnt much fun...

  8. #28
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    tabich is right, you'll have to install schema snapin. As for the global catalog, if AD replication is configured on the DC's, they should all contain a pretty close copy of the global catalog. If you downgrade the first DC on the domain, it should force an enterprise-wide AD replication of the entire AD schema, including master roles, global catalog, and any other AD dependants to occur before it completes the demotion process.

  9. #29

    Thumbs up Identifying Roles

    Thanks, that helped a lot. So how do I find out which operation master roles the server currently has (and thus needs to transfer)?

  10. #30
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,003
    i am running a windows 2003 Domain so for a Windows 2000 domain these steps migth be a little different.
    the procedure to find out the operations masters in a AD is the following :

    for the global catalog
    open active directory site and services
    if you have a site set up go to the site folder
    expand the server to see the icon NTDS Settings
    right click on the icon and go to properties
    check to see if the box it ticked

    for the other roles (RID, PDC, INFRASTRUCTURE)
    open active directory users and computers
    right click on your domain and go to the item operations masters( in 2k this might be higher in the structure right at the root i.e active directory users and computers).
    the first area has the DNS name of the current operations master. the second is the name of the current server on whiched you are logged. to change operations master these need to be different.
    hope this helps

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •