-
January 12th, 2005, 09:01 PM
#21
Ok, now it's getting interesting.
I just ran browmon on this suspicious BDC, and sure enough the results are...odd.
It shows the proper PDC (note I say "PDC" here somewhat lightly, as according to M$, W2k doesn't assign a PDC...but you guys know what I mean -- the equivalent master role assigned this server), with it's state as online. Ok, all is well. But the next few collumns just don't make sense:
Type: Unknown
Servers: Unknown
Domains: Unknown
It lists two other W2k servers and identifies them as type Windows NT 5.0, 27 servers, 3 domains, but for some reason this all comes back as "unknown" for the PDC.
Note this BDC in question is fully patched.
-
January 12th, 2005, 09:03 PM
#22
Sorry Angelic if I missed it somewhere...are all the servers W2K???
The data server is a member server?? SP level?
What SP is the DC ??
What SP is the BDC??
The problem is if the PDC is doing the authentication using the updates...they are not being replicated or passed on properly.
Also...after you removed the updates ...did you reinstall the SP and other updates...I have one 2k server...that every so often a database update knocks the SP level down a notch...and the SP needs to be reapplied...must be a lanman thing.
Although I have never figures it out...I just reapply the SP and it all works again.
You know...cause this all started with a security patch update...you may be able to get free support from MS
http://support.microsoft.com/gp/securityitpro
No-Charge Support
1-866-PCSAFETY
or
1-866-727-2338
This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada.
They may have a work around for you?
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
January 12th, 2005, 09:07 PM
#23
Heh, boss won't let me call MS because we have "licensing" issues.
Yes, the entire network is nothing but W2k.
Let me take a look at those SP levels...Ok, everything looks to be SP4, even the servers missing hotfix patches.
-
January 12th, 2005, 09:10 PM
#24
Ok, just ran browstat on the BDC in question. It identifies the PDC no problem, as well as BDCs, but then check this out:
Could not connect to registry, error = 5
Unable to determine build of browser master: 5
Unable to determine server information for browser master: 5
Unable to retrieve server list from [PDC]: 64
That tell you anything?
<edit> Found this googling:
The error 5 is "access denied". You have to have administrative access to open
the registry (determine build) across the network.
Odd thing is, this IS with administrative access!
<edit 2> More googling uncovered that the error 64 message means "The specified network name is no longer available."
What the?!
-
January 13th, 2005, 09:29 AM
#25
Hi
I still cannot provide very constructive ideas, but your error message 5 sounds like
you have no access to the master browser from your "BDC" (remote registry),
which might also be reflected by the behaviour of the browser service.
/edit: ie: your bdc cannot obtain a proper browser list, and therefore, the
network neighborhood cannot be used, however you can connect doing a map
manually using the IP number. The problematic workstation seems to connect to
the "BDC", and therefore also suffers of this. Now, what causes this problem...
Just a thought: Might be something messed up with the ACL's while installing the
patches ?!
Just a reader: I have found 2 interesting resources, which however, might not
be of interest anymore...
[1] sequence for name lookups
[2] browser service resources
/edit.
oups, to quote morganlefay
The problem is if the PDC is doing the authentication using the updates...they are not being replicated or passed on properly.
Cheers
[1] http://expertanswercenter.techtarget...975461,00.html
[2] http://labmice.techtarget.com/networ...rowsersrvc.htm
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
-
January 13th, 2005, 04:57 PM
#26
AK
One thing we used to do to resolve outlook connectivity issues in NT4 ...was to edit the HOSTS file on the client and add the IP address and server name
127.0.0.1 LOCALHOST
xxx.xx.xx.x SERVERNAME
Maybe worth a try?? on the client and BDC...just map all your servers in there...you can always change it back.
It required a reboot in NT4 ....not sure bout w2k
Maybe worth a try...although I think that the credentials are getting F&%ked do to the patch levels not being the same
MLF
EDIT\ make sure you save the file with no extension just HOSTS
Default location C:\winnt\system32\drivers\etc
How people treat you is their karma- how you react is yours-Wayne Dyer
-
January 13th, 2005, 05:14 PM
#27
Just a thought: Might be something messed up with the ACL's while installing the
patches ?!
Good idea...I checked out permissions in the PDC's AD regarding access to this particular BDC, and it turns out the net admin user group (which I'm logged in under when running these tests) did not have full permissions, specifically lacking permission to alter the subtree. I'm not sure if that's related, but it's worth a shot, so I allowed permission there, and I'm about to see what happens next...
<edit> Didn't see your post there, Morgan. I'll look into that.
-
January 20th, 2005, 05:43 PM
#28
Bingo.
Whoever suggested a replication error (was it RoadClosed?) looks to have been right on the money.
One of our BDCs keeps mysteriously being promoted to PDC and kicking the PDC back down to BDC. So, I tried demoting this particular BDC to resolve that. Guess what? Demotion failed because of a replication error.
That's gotta be it. I've had similar replication problems with the global catalog before, and I never could figure out what was causing it. So I bet this is our gremlin.
<edit> Might there be a manual (alternative) process by which means to bypass the replication problem and demote the server anyway?
-
January 20th, 2005, 07:09 PM
#29
Ok, here's the next piece to the puzzle:
I read this here:
As part of the demotion process, the DCPROMO utility removes the configuration data for the domain controller from the Active Directory. This data takes the form of an "NTDS Settings" object, which exists as a child to the server object in the Active Directory Sites and Services Manager.
The information is in the following location in the Active Directory:
CN=NTDS Settings,CN=<servername>,
CN=Servers,CN=<sitename>,CN=Sites,
CN=Configuration,DC=<domain>...
But in my AD, in the specified location, I only see this:
Name: <automatically generated>
From server: (PDC name)
From site: Default-First-Site-Name
Type: Connection
And that's it. No other entries. I then right-click that and select "replicate now" and then I get the following error:
The target principal name is incorrect.
-
January 20th, 2005, 09:08 PM
#30
IMHO
You can bandaid your setup...and maybe it will work ...for now
But you will continue to have problems until you can bring all the servers up to the same patch level
Oh and by the way
Whoever suggested a replication error (was it RoadClosed?) looks to have been right on the money.
That was me
The problem is if the PDC is doing the authentication using the updates...they are not being replicated or passed on properly.
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|