DC communication problem

Archived from groups: microsoft.public.win2000.active_directory

Hi,
I am having some major problems with my PDC. Background:
3 Domain controllers running Windows 2003 server
1 local and two across WAN in different countries.

Up to recently everything in the garden was rosy!! Now when I go to my
Exchange 2003 server (non-DC) and open Active Directory Users and
Computers it connects to a DC across the WAN and takes ages to open. I
know replicating should occur and everything should be fine but it is
not. When I check "echo %logonserver%" on different machines, none
except the Exchange server point to the local DC. I am also getting
many problems in Exchange with some users intermittently not being able
to receive mail but can send!!! A reboot of Exchange fixes this.

I have run dcdiag and netdiag and all run fine with no errors.

Can I force the PDC to answer first or what is wrong with my PDC???

Basically I am forced to reboot the Exchange server every other day or
so when the issue occurs. This is obviously far from ideal...

Any help is gratefully received!
Thanks in advance,
Martin
  1.
    Did you set up Sites and associate the correct Subnets with the appropriate
    Site in the Active Directory Sites and Services? or is everything running
    under the default first Site?

    --
    Cary W. Shultz
    Roanoke, VA 24012
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com
  2.
    Everything is running under the default first site. I have three
    physical locations, but when I started, all suffixes are
    location.mydomain.com. This is true of all locations. e.g. they are all
    saying location.mydomain.com but are in different locations!!

    I think there is a problem still as I am authenticating to a DC in
    another country at present from this machine when it should not be as
    this is over a slow link. Anything I should do to check for problems?
    Thanks so far...
    Martin
  3.
    Gibo,

    I would suggest that as long as everything is one Site that you will
    experience clients authenticating against a Domain Controller that is
    located across the WAN. There is not really too much that you can do about
    this as this is how things are supposed to happen. Clients authenticate
    first against a DC in the same Site. If you have only one Site ( well, as
    set up in AD Sites and Services ) then all three Domain Controllers are
    'equal'. The next thing is Weight and then Priority. Not much really that
    you could do with these!

    If you were to set up the three Sites ( well, er, the other two since you
    already have one ) and then create the Subnets and associate each Subnet
    with the correct Site things *should* work themselves out.

    Are you familiar with how to set up Sites and Subnets in the ADSS MMC?

    Also, consider making at least one DC in each Site a Global Catalog Server.
    You can also do this in the ADSS MMC....

    Now, are you saying that the DCs in the US have the suffix usa.mydomain.com
    and the DCs in Germany have the suffix germany.yourdomain.com and the DCs in
    Japan have the suffix japan.yourdomain.com -OR- are you saying that they all
    have the suffix whatever.yourdomain.com?

    --
    Cary W. Shultz
    Roanoke, VA 24012
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com
  4.
    Hi Cary,
    Thanks for your response. To answer the last first.. they are all
    ireland.mydomain.com !!

    Unfortunately I had not a huge knowledge of AD when upgrading this
    network from NT. It was working without a hitch until last week, which
    is about three months in all until I added the BDCs in the other
    countries. If this is expected behaviour then this is fine I guess. It
    would be probably too much hassle to reassign the different countries
    e.g. usa.mydomain.com and belgium.mydomain.com etc...

    I have one GC set up, would it be advisable to set up more as I don't
    really understand fully what GC does or if having more than one is
    beneficial to me.

    > Are you familiar with how to set up Sites and Subnets in the ADSS MMC?

    In a word .. NO.
    Again if this is something you would recommend I do, then I can make it
    happen, but if you think it may be best to leave them all in the same
    subnet??

    Thanks
    Martin

  5.
    Gibo,

    Ah! A newbie! We have all been there. It is a really good thing that you
    are posting to this newsgroup. It is really a wonderful place. There are
    lots of people in here with all levels of experience and knowledge.

    I think that how you do things depends on what you want to accomplish. If
    you do not want your clients authenticating against a Domain Controller that
    is located across a WAN link then I would suggest that you set up - in the
    AD Sites and Services MMC - a Site for each physical location. You would
    also need to create a subnet for each subnet that exists and then associate
    that subnet with the correct Site. This is supposed to assist the clients
    ( read: workstations ) in authenticating against a Domain Controller that is
    in the same Site.

    There are several Microsoft Knowledge Base Articles on how to do this.
    There are several things that you need to know to ensure that this works
    properly.

    I would suggest that you search the MSKB. Here are some links to get you
    started:

    http://support.microsoft.com/?id=199174

    http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/distrib/dsbh_rep_JFBG.asp

    http://support.microsoft.com/?id=224815

    http://support.microsoft.com/?id=271997

    http://support.microsoft.com/?id=313994

    http://support.microsoft.com/?id=306602 ( this one is more for the Big
    Picture.... ).

    Also, here are two MSKB Articles on how WIN2000 and WINXP clients locate
    Domain Controllers:

    http://support.microsoft.com/?id=247811
    http://support.microsoft.com/?id=314861

    Also, when you mention 'BDC' you mean that you have a WIN2000 Domain
    Controller in each location, correct? And not a WINNT 4.0 Backup Domain
    Controller.

    You also do not mention what the WAN links are ( 56kbps or T1 or somewhere
    in between ). And, I hope that you have a Firewall-to-Firewall VPN set up
    ( assuming that you do not have private links.... ).

    If you have any questions please feel free to ask. I have no problems if
    you e-mail directly but it is better that this stay in the news group. This
    way everyone can contribute and learn!

    --
    Cary W. Shultz
    Roanoke, VA 24012
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com
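
An added illustration, not part of the thread: a simplified Python model of the site-aware DC selection described in the replies above, where a client's IP is matched to a Site through subnet objects and DCs in that Site are preferred. All DC names, site names, subnets and client names other than EXDUB01 are constructed, and the real locator's DNS SRV lookups, Priority and Weight are not reproduced.

```python
import ipaddress

# Constructed sample data (hypothetical names and addressing, not from the thread).
DC_LOCATION = {"DC-DUB": "Dublin", "DC-USA": "USA", "DC-BEL": "Belgium"}
CLIENTS = {
    "EXDUB01": ("10.1.0.20", "Dublin"),
    "WS-USA-07": ("10.2.4.15", "USA"),
    "WS-BEL-03": ("10.3.9.8", "Belgium"),
}

# Before: every DC sits in the single default site and no subnet objects exist.
BEFORE_SUBNETS = {}
BEFORE_DC_SITES = {dc: "Default-First-Site-Name" for dc in DC_LOCATION}

# After: one site per physical location, each subnet associated with its site.
AFTER_SUBNETS = {
    "10.1.0.0/16": "Dublin",
    "10.2.0.0/16": "USA",
    "10.3.0.0/16": "Belgium",
}
AFTER_DC_SITES = dict(DC_LOCATION)  # each DC moved into the site of its location


def site_for_client(client_ip, subnet_to_site):
    """Return the site of the most specific subnet containing client_ip, or None."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for cidr, site in subnet_to_site.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def candidate_dcs(client_ip, subnet_to_site, dc_sites):
    """DCs in the client's site if any exist, otherwise every DC in the domain."""
    site = site_for_client(client_ip, subnet_to_site)
    in_site = sorted(dc for dc, s in dc_sites.items() if s == site)
    return in_site if in_site else sorted(dc_sites)


def wan_exposed_clients(clients, subnet_to_site, dc_sites, dc_location):
    """Clients whose candidate list contains a DC outside their own location."""
    exposed = []
    for name, (ip, location) in sorted(clients.items()):
        dcs = candidate_dcs(ip, subnet_to_site, dc_sites)
        if any(dc_location[dc] != location for dc in dcs):
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    print("single site :", wan_exposed_clients(
        CLIENTS, BEFORE_SUBNETS, BEFORE_DC_SITES, DC_LOCATION))
    print("three sites :", wan_exposed_clients(
        CLIENTS, AFTER_SUBNETS, AFTER_DC_SITES, DC_LOCATION))
    # A machine on a subnet with no subnet object still falls back to any DC.
    print("unmapped IP :", candidate_dcs("10.9.0.5", AFTER_SUBNETS, AFTER_DC_SITES))
```

The last case is the one to audit after creating Sites: any address range without a subnet object behaves as in the single-site layout.
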
  6.
    Once again Cary, thank you so much for your help. I have printed these
    docs for some *fun* weekend reading!!
    In the meantime...I have had the issue with my Exchange server again.
    I am pasting some of the different errors here in the hope someone may see
    my problem.
    Thanks
    Martin

    Event Type: Error
    Event Source: MSExchangeDSAccess
    Event Category: Topology
    Event ID: 2114
    Date: 5/5/2005
    Time: 4:04:42 PM
    User: N/A
    Computer: EXDUB01
    Description:
    Process EMSMTA.EXE (PID=3484). Topology Discovery failed, error
    0x80040952.

    For more information, click
    http://www.microsoft.com/contentredirect.asp.

    Event Type: Error
    Event Source: MSExchangeSA
    Event Category: General
    Event ID: 9188
    Date: 5/5/2005
    Time: 4:03:38 PM
    User: N/A
    Computer: EXDUB01
    Description:
    Microsoft Exchange System Attendant failed to read the membership of
    group 'cn=Exchange Domain Servers,cn=Users,dc=xxxxx,dc=yyyy,dc=com'.
    Error code '800705b4'.

    Please check whether the local computer is a member of the group. If it
    is not, stop all the Microsoft Exchange services, add the local
    computer into the group manually and restart all the services.

    For more information, click
    http://www.microsoft.com/contentredirect.asp.

    Event Type: Error
    Event Source: MSExchangeDSAccess
    Event Category: Topology
    Event ID: 2114
    Date: 5/5/2005
    Time: 3:49:05 PM
    User: N/A
    Computer: EXDUB01
    Description:
    Process IISIPM46828796-EB10-485B-9A68-422CAC63CC7C -AP
    "EXCHANGEAPPLICATIONPOOL (PID=2888). Topology Discovery failed, error
    0x80040952.

    For more information, click
    http://www.microsoft.com/contentredirect.asp.

    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1006
    Date: 5/5/2005
    Time: 3:41:35 PM
    User: NT AUTHORITY\SYSTEM
    Computer: EXDUB01
    Description:
    Windows cannot bind to here.mydomain.com domain. (Timeout). Group
    Policy processing aborted.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1030
    Date: 5/5/2005
    Time: 3:41:35 PM
    User: NT AUTHORITY\SYSTEM
    Computer: EXDUB01
    Description:
    Windows cannot query for the list of Group Policy objects. Check the
    event log for possible messages previously logged by the policy engine
    that describes the reason for this.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

    Event Type: Error
    Event Source: MSExchangeDSAccess
    Event Category: Topology
    Event ID: 2114
    Date: 5/5/2005
    Time: 3:33:44 PM
    User: N/A
    Computer: EXDUB01
    Description:
    Process EMSMTA.EXE (PID=3484). Topology Discovery failed, error
    0x80040952.

    For more information, click
    http://www.microsoft.com/contentredirect.asp.
  7.
    Gibo,

    You are welcome.

    I would take a spin over to http://www.eventid.net and enter Event ID
    numbers. You will find a host of possible solutions. Have fun reading! It
    is a lot to digest.

    --
    Cary W. Shultz
    Roanoke, VA 24012
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com
  8.
    Hi Cary,
    On further examination I believe it may be helpful if I upgrade my
    Exchange 2003 server (running on Windows 2003) to an additional domain
    controller. Any thoughts on this as I have found some people saying in
    other groups that this will resolve many of the authentication and
    domain communication problems I am having. This would give me 2 local
    DCs for 100 users and 2 remote DCs for another 30ish users....

    The only question I have is will it affect Exchange; do I need to do it
    out of hours or is it a short task that can be completed at lunchtime?
    When I went through the DCPROMO command, it said
    "All encrypted data, such as EFS-encrypted files or e-mail, should be
    decrypted before continuing or it will be permanently inaccessible."
    Which is not something I want to happen to our mail or I will really be
    for it!! (Drive is compressed if this makes any difference)

    Again many thanks and have a great weekend.

    Gibo
  9.
    I have not done this yet as I have some concerns about the upgrade.
    Should it be ok??
    Thanks
    Gibo
  10.
    Sorry,

    Sent you an e-mail.

    --
    Cary W. Shultz
    Roanoke, VA 24012
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com