Domain users cannot logon to domain

Discussion in 'Active Directory' started by MartinH, Jun 16, 2006.

  1. MartinH

    MartinH Guest

    Jorge

    Logfile on DC1 says: "The local domain controller is now the intersite
    topology generator and has assumed responsibility for generating and
    maintaining intersite replication topologies for this site"

    Logfiles on DC3 and DC3 say: "This Domain Controller is now a Global
    Catalog"


    But something strange I think in AD Sites and Services.


    NTDS Settings of DC1 has 2 objects. (DC2 and DC3)

    NTDS Settings of DC2 has 2 objects. (DC1 and DC3)

    NTDS Settings of DC3 has only 1 object. (DC2) = Automatically created

    Question: Shouldn't there be 2 objects in the DC3 NTDS Settings? Like
    (DC1 and DC2) and if yes can I just create a new connection to DC1 in
    the NTDS Settings on DC3?
     
    MartinH, Jun 17, 2006
    #21

  2. MartinH

    Jorge Silva Guest

    Hi Martin

    Don't worry about anything; the KCC does that automatically for you.

    Just monitor your replication on a daily basis. You can use tools like:

    - repadmin
    - replmon
    - dsastat

    You can find these tools by installing the Support Tools from the Windows CD.
    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jun 17, 2006
    #22
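A daily replication check of the kind suggested above, as an added example that is not part of the original thread. It lists the inbound replication sources each DC actually has (the same relationship the connection objects under NTDS Settings describe) and flags links with failures. It assumes repadmin.exe is on the PATH, PowerShell 3.0 or later, and an account allowed to query every DC.

```powershell
# Added example (not from the thread): daily replication check built on repadmin.
# Assumes repadmin.exe is on the PATH and the caller may query every DC.
$rows = @(repadmin /showrepl * /csv | ConvertFrom-Csv)

# DCs that could not be queried are reported as showrepl_ERROR rows.
$errors = @($rows | Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_ERROR' })
if ($errors.Count -gt 0) {
    Write-Warning "$($errors.Count) row(s) report a DC that could not be queried"
    $errors | Format-List
}

$links = @($rows | Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_INFO' })

# Inbound sources per destination DC, across all naming contexts.
$links |
    Group-Object 'Destination DSA' |
    ForEach-Object {
        [pscustomobject]@{
            DC             = $_.Name
            InboundSources = ($_.Group.'Source DSA' | Sort-Object -Unique) -join ', '
        }
    } |
    Format-Table -AutoSize

# Links whose failure counter is non-zero need attention.
$failed = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })
if ($failed.Count -eq 0) {
    Write-Output 'All replication links report zero failures.'
} else {
    $failed |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
        Format-Table -AutoSize
}
```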

  3. MartinH

    MartinH Guest

    Hi Jorge, It's me again :D


    Problem 1...

    On Site(1) there was a DHCP running with no scope on DC1 and a DHCP
    with a scope on DC2.

    I removed the DHCP role from DC1 because there should only be 1 DHCP
    per site in my opinion.

    I just noticed that by itself the DHCP on DC2 was also removed. OOPS!
    Not what I wanted. So I reinstalled the DHCP role on DC2 and to my
    surprise there is now an identical DHCP with scope on DC1.


    Problem 2...

    Something strange with the scope name. I created the DHCP role on DC2
    with Child.Domain.net name. Scope names on both DCs are not
    identical.

    DC1 scopename: Child.Domain.net
    DC2 scopename: Child

    DC1 is the Rootserver and DC2 is the child.


    I am beginning to think both DHCPs are identical and servicing
    identical but I am not sure, and better ask than sorry, my mum says :D


    What should I do now?


    Kind regards, Martin
     
    MartinH, Jun 19, 2006
    #23
  4. DHCP configuration is not replicated between servers, so I think something
    else occurred here when you removed/added the role/scope.

    If you have multiple DHCP servers, clients don't care which DHCP server will
    service them. Clients ask a question for an IP and the first DHCP server to
    respond will service. It is basically on a "first come, first served" basis.

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Windows Server - Directory Services

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
     
    Jorge de Almeida Pinto [MVP], Jun 19, 2006
    #24
  5. MartinH

    Niv Raz Guest

    I suggest you provide us a more detailed description about the structr...



    --
    =====================================================
    When responding to posts, please "Reply to Group" via
    your newsreader so that others may learn and benefit
    from your issue.
    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

    "Jorge de Almeida Pinto [MVP]"
     
    Niv Raz, Jun 19, 2006
    #25
  6. MartinH

    Jorge Silva Guest

    Hi Martin
    - You can have both DHCP servers running, as long as you don't overlap
    each other's scopes.
    Check:
    Configuring scopes
    http://www.microsoft.com/windows2000/en/advanced/help/sag_DHCP_imp_ConfigScopes.htm

    - Check under system32\dhcp\backup - directory and if you have any backup
    you can recover it to DC2.

    - First, force replication between the DCs then check again.
    - A question - You have configured DHCP service on DC2 and DC1, with the
    same scope? If yes, please don't do that, check the link that I provided to
    you.



    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jun 19, 2006
    #26
  7. MartinH

    MartinH Guest

    The DHCP was originally created in Add Remove Programs / Windows
    Components on the tree root server DC1 to create the DHCP admin roles.
    We didn't create a scope so DC1 had just the DHCP running with no
    scope.

    We then created in Add Remove Programs / Windows Components on DC2
    (child domain to DC1) a DHCP with a scope.

    The DHCP on DC1 was and is creating errors 1044 and 1046 (text at the
    bottom of this message) so I decided to remove the role from the
    server. I am under the impression it's not good to have more than 1
    DHCP in one domain because you may get overlapping leases. So I removed
    the role in Add Remove Programs / Windows Components on the tree root
    server DC1. I didn't check the DHCP on DC2 at that time. When I checked
    DC2 at a later time the DHCP was gone.

    So I set up a new DHCP on DC2 in Add Remove Programs / Windows
    Components. After I created a scope I checked DC1 and there was also a
    DHCP and a scope. Now I am lost.



    Systemlog Errors....
    ======================================

    Event Type: Error
    Event Source: DhcpServer
    Event Category: None
    Event ID: 1046
    Date: 19-Jun-06
    Time: 02:02:28
    User: N/A
    Computer: DC1
    Description:
    The DHCP/BINL service on the local machine, belonging to the Windows
    Administrative domain Domain.net, has determined that it is not
    authorized to start. It has stopped servicing clients. The following
    are some possible reasons for this:
    This machine is part of a directory service enterprise and is
    not authorized in the same domain. (See help on the DHCP Service
    Management Tool for additional information).

    This machine cannot reach its directory service enterprise and
    it has encountered another DHCP service on the network belonging to a
    directory service enterprise on which the local machine is not
    authorized.

    Some unexpected network error occurred.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 ....

    Event Type: Information
    Event Source: DhcpServer
    Event Category: None
    Event ID: 1044
    Date: 19-Jun-06
    Time: 02:03:08
    User: N/A
    Computer: DC1
    Description:
    The DHCP/BINL service on the local machine, belonging to the Windows
    Administrative domain Domain.net, has determined that it is authorized
    to start. It is servicing clients now.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 ....
     
    MartinH, Jun 19, 2006
    #27
  8. MartinH

    MartinH Guest

    Hi Niv,

    Thx for joining in. Plz read my last message to Jorge.

    Martin
     
    MartinH, Jun 19, 2006
    #28
  9. MartinH

    MartinH Guest

    On Mon, 19 Jun 2006 11:58:35 +0100, "Jorge Silva"


    I created the DHCP and the scope on DC2. It replicated to DC1.

    DC1: Scope [192.169.10.0] Child1.Domain.net
    DC2: Scope [192.169.10.0] Child1

    When I created the scope on DC2 I typed "Child1.Domain.net" and that's
    not what the scope is named now.

    I prefer to run only one DHCP and run the DHCP on DC2 because I want
    the child DCs to run as independently as possible from the tree root.
     
    MartinH, Jun 19, 2006
    #29
  10. MartinH

    Jorge Silva Guest

    - Martin - The scopes don't replicate, the only thing that replicates is the
    AD DHCP Authorization. You can check that by going to DHCP mmc console,
    right click on DHCP (not the server), choose the option Manage Authorized
    servers, then you should see which servers are authorized in AD. You can
    also authorize DHCP servers by right clicking on the DHCP server, then
    choose the option authorize.



    - Create a normal user account with a non-expiring password, then go to DHCP
    mmc console, right click on the DHCP server, choose properties, go to
    Advanced tab - click credentials, and place here the account that you just
    created. (This account will be used to register DNS records on behalf of the
    DHCP clients).


    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator

     
    Jorge Silva, Jun 19, 2006
    #30
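The two points made above (authorization is stored in AD, scopes are per server) can be checked from a script; this is an added example, not part of the original thread. It lists the DHCP servers authorized in AD, reads the IPv4 scopes from each one, and warns when address ranges on different servers overlap. It assumes the DhcpServer PowerShell module (Windows Server 2012 or later, or RSAT), which postdates this thread; on older systems `netsh dhcp show server` lists the authorized servers.

```powershell
# Added example (not from the thread): audit AD-authorized DHCP servers and
# flag overlapping IPv4 ranges. Assumes the DhcpServer module is installed and
# the caller has read access to every authorized server.
Import-Module DhcpServer

function ConvertTo-UInt32([System.Net.IPAddress]$Ip) {
    $bytes = $Ip.GetAddressBytes()
    [Array]::Reverse($bytes)          # network byte order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

# The authorization list is an AD object, so every DC and DHCP console shows
# the same set of servers.
$authorized = @(Get-DhcpServerInDC)
$authorized | Format-Table DnsName, IPAddress -AutoSize

# Scopes live in each server's own database; query them one server at a time.
$ranges = @(foreach ($srv in $authorized) {
    try {
        Get-DhcpServerv4Scope -ComputerName $srv.DnsName -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Server = $srv.DnsName
                    Name   = $_.Name
                    Range  = "$($_.StartRange) - $($_.EndRange)"
                    Lo     = ConvertTo-UInt32 $_.StartRange
                    Hi     = ConvertTo-UInt32 $_.EndRange
                }
            }
    } catch {
        Write-Warning "Cannot read scopes from $($srv.DnsName): $($_.Exception.Message)"
    }
})
$ranges | Format-Table Server, Name, Range -AutoSize

# Two ranges overlap when each one starts before the other ends.
for ($i = 0; $i -lt $ranges.Count; $i++) {
    for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
        $a = $ranges[$i]; $b = $ranges[$j]
        if ($a.Server -ne $b.Server -and $a.Lo -le $b.Hi -and $b.Lo -le $a.Hi) {
            Write-Warning "Overlap: $($a.Server) [$($a.Range)] and $($b.Server) [$($b.Range)]"
        }
    }
}
```

A server that appears in the authorized list but cannot be queried, or one that is handing out leases without being in the list, is worth investigating before any scope is deleted.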
  11. MartinH

    MartinH Guest

    I noticed. After Unauthorizing DHCP on DC1 it was unauthorized on DC2
    as well. All DHCP servers are currently authorized.
     
    MartinH, Jun 19, 2006
    #31
  12. MartinH

    Jorge Silva Guest

    So... is everything OK now?

    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jun 19, 2006
    #32
  13. MartinH

    MartinH Guest

    Not really!

    I would prefer to have just one DHCP for the domain, so how do I get
    rid of the DHCP on DC1? I modified scopes so they are not overlapping
    anymore.

    Scope on DC1 = 192.168.10.201 - 254

    Scope on DC2 = 192.168.10.1 - 200
     
    MartinH, Jun 19, 2006
    #33
  14. MartinH

    Jorge Silva Guest

    Right click on the DHCP on DC1 and delete the scope then unauthorize it.

    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jun 19, 2006
    #34