Archived from groups: microsoft.public.win2000.active_directory
Maybe I should qualify that. I haven't seen this in this thread, but I
may have missed one that pointed this out.
Cheers,
Cliff
On Thu, 09 Dec 2004 21:17:07 +1300, Enkidu <enkidu@xyzcliffpxyz.com>
wrote:
>
>If all DCs are also GCs, this is NOT a problem.
>
>http://support.microsoft.com/kb/223346
>
>I'm a little surprised that no one has pointed this out.
>
>Cheers,
>
>Cliff
>
>On Wed, 8 Dec 2004 21:15:05 -0800, DaveinPNG
><DaveinPNG@discussions.microsoft.com> wrote:
>
>>This was the answer. Once I made DC2 (in the same domain as DC1) and DC3 (in
>>a child domain) all GC servers, all three can now handle logins.
>>
>>Considering what I have, should I be concerned that DC1 and DC3 are a GC and
>>the Infrastructure master? I really have no choice, do I?
>>
>>Thanks.
>>
>>Dave
>>
>>"Ken B" wrote:
>>
>>> One other thing to check... are DC's 2 & 3 Global Catalogs? That's what
>>> really handles authentication, I believe.
>>>
>>> Ken
>>>
>>>
>>> "Herb Martin" <news@LearnQuick.com> wrote in message
>>> news:OXHKM0E3EHA.1144@TK2MSFTNGP09.phx.gbl...
>>> > "DaveinPNG" <DaveinPNG@discussions.microsoft.com> wrote in message
>>> > news
F8FB2C2-BA9A-4663-9F71-4278EF888DA1@microsoft.com...
>>> >> Two domains - Two DCs in one domain, one DC in a child domain
>>> >>
>>> >> If DC1 is unavailable, even though DC2 and DC3 are available, no one can
>>> >> login.
>>> >> REPADMIN /showreps looks fine.
>>> >
>>> > Ok, that eliminates replication but the most common
>>> > reason is that one of the DCs is not registered properly
>>> > in DNS OR your DNS is only correct on the other (missing)
>>> > DC.
>>> >
>>> > Most replication and authentication problems are based on
>>> > DNS problems.
>>> >
>>> >> The only clue I can find is this: I was writing a perl script to
>>> >> authenticate a user. The bind fails no matter what I do.
>>> >> I get a similar message if I run repadmin /bind DSA:
>>> >> DsBindWithCred to dsa failed with status 1722 (0x6ba):
>>> >> The RPC server is unavailable.
>>> >
>>> > This might be important and represent some serious problem
>>> > with the (other) DC, but let's do the obvious first.
>>> >
>>> >> I know this has got to be simple, but I'm stumped.
>>> >> BTW: DC1 has all of the roles and was upgraded from NT4 (PDC) to W2K to
>>> >> W2K3.
>>> >
>>> > Pretty much irrelevant as long as your clients are Win2000+
>>> > and you aren't discussing BDCs.
>>> >
>>> > Roles can affect clients but seldom in authentication (e.g.,
>>> > browsing) unless the client is Win9x or NT, and thus
>>> > (could be) dependent on the PDC emulator.
>>> >
>>> > First, run DCDiag on the problematic DC -- and save the
>>> > output to a text file (/?) -- search the file for FAIL, ERROR,
>>> > WARN and either fix those errors or report them (here).
>>> >
>>> > Check your DNS architecture:
>>> >
>>> > DNS
>>> > 1) Dynamic for the zone supporting AD
>>> > 2) All internal DNS clients NIC\IP properties must specify SOLELY
>>> > that internal, dynamic DNS server (set.)
>>> > 3) DCs and even DNS servers are DNS clients too -- see #2
>>> >
>>> > Restart NetLogon on any DC if you change any of the above that
>>> > affects a DC.
>>> >
>>> > Ensure that DNS zones/domains are fully replicated to all DNS
>>> > servers for that (internal) zone/domain.
>>> >
>>> >
>>> > --
>>> > Herb Martin
>>> >
>>> >
>>> >
>>>
>>>
>>>
--
These twin-CPU hyperthreading computers are really
great! We can wait ten to a hundred times faster
these days.
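
The two checks this thread converges on (is every DC registered in DNS on every internal DNS server, and is every DC a Global Catalog), as an added PowerShell example that is not from any of the posters. The domain, forest and DNS server values are placeholders, and `Resolve-DnsName` and `Test-NetConnection` need a newer Windows than the thread's W2K3 servers (Windows 8.1 / Server 2012 R2 or later) on the machine that runs the script.

```powershell
# Added example. All three parameter defaults are placeholders (assumptions).
param(
    [string]   $Domain     = 'child.example.local',          # domain whose DCs are checked
    [string]   $ForestRoot = 'example.local',                # forest root DNS name
    [string[]] $DnsServers = @('192.0.2.10', '192.0.2.11')   # every internal DNS server
)

function Get-SrvTarget {
    param([string]$Name, [string]$Server)
    # Host names registered under one SRV record, as seen by one DNS server.
    try {
        Resolve-DnsName -Name $Name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |          # drop the additional A records
            ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() } |
            Sort-Object -Unique
    } catch {
        Write-Warning "$Server has no SRV answer for ${Name}: $($_.Exception.Message)"
    }
}

# Ask each DNS server separately: a zone that is only correct on one server
# is exactly the failure that appears when that server's DC goes down.
foreach ($dns in $DnsServers) {
    $dcs = @(Get-SrvTarget -Name "_ldap._tcp.dc._msdcs.$Domain"     -Server $dns)
    $gcs = @(Get-SrvTarget -Name "_ldap._tcp.gc._msdcs.$ForestRoot" -Server $dns)

    foreach ($dc in $dcs) {
        [pscustomobject]@{
            DnsServer  = $dns
            DC         = $dc
            ListedAsGC = $gcs -contains $dc    # False: DC is not advertised as a GC
            Ldap389    = (Test-NetConnection -ComputerName $dc -Port 389 `
                            -WarningAction SilentlyContinue).TcpTestSucceeded
            Gc3268     = (Test-NetConnection -ComputerName $dc -Port 3268 `
                            -WarningAction SilentlyContinue).TcpTestSucceeded
        }
    }
}
```

A DC that is missing from one DNS server's output, or that shows `ListedAsGC` as False, is the one to look at first when logons fail with DC1 offline.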