I've been struggling with this for some hours now.
We have a head office running W2K SBS (DONCASTER) and a second (MANCHESTER)
site (Second DC running W2K3) connected using VPN (1Mb ADSL & 1Mb Leased
Line). Last night users started authenticating to the DC at the second site
(MANCHESTER); this morning all users are now having this problem.
Sites and Services is set up correctly I think:
192.168.2.0/24 - Doncaster - DC (as GC)
10.0.3.0/24 - Manchester - DC (as GC)
I'm wondering if the Headoffice server (Doncaster) is rejecting logons and
the clients are therefore forced to use the second site's DC. How can I test
this? I've tried to do some tests with NLTEST but I'm not sure what is
normal and what is strange.
We have a second server for TS at the head office (W2K3). When I connect to
this server it is logging on via the remote site over the VPN. I've tried the
following NLTEST, see results. Is this normal?
nltest /SC_QUERY:<our domain.net>
--------------------------------------
Result:
Flags: 10 HAS_IP
Trusted DC Name \\<manchester.ourdomain.net>
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
nltest /SERVER:<doncaster> /SC_QUERY:<our domain.net>
---------------------------------------------------------
Result:
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
nltest /SERVER:<doncaster> /QUERY
------------------------------------------
Result:
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully
TIA
Kind regards,
Graeme.
load the tools from your install disk onto a workstation or the dc
d:\support\tools\setup.exe
d:\i386\adminpak.msi (If loading on a workstation, this will give you dc
tools on this machine)
cd to dcdiag directory
dcdiag /s:dcname /e /c /v /f:c:\output.log
then open c:\output.log and review the contents
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
This posting is provided "AS IS" with no warranties, and confers no rights.
"news.nildram.co.uk" <non...@nowhere.com> wrote in message
news:09ydnbh9j61...@pipex.net...
"Paul Bergson" <pbergson@allete_nospam.com> wrote in message
news:e9kbGzzc...@tk2msftngp13.phx.gbl...
>I would suggest running dcdiag and running Enterprise set of tests
>
> load the tools from your install disk onto a workstation or the dc
>
> d:\support\tools\setup.exe
> d:\i386\adminpak.msi (If loading on a workstation, this will give you dc
> tools on this machine)
>
> cd to dcdiag directory
>
> dcdiag /s:dcname /e /c /v /f:c:\output.log
I've installed the tools on the TerminalServer Box (at Doncaster) and run
the DC diag and *all* tests passed, dcdiag picked up both sites and both
servers correctly and performed numerous tests on both servers, all of which
passed!!!
I'm pulling my hair out, why are they using the remote site for
authentication, it wouldn't matter much, but the logonserver is used to
determine the drive mappings in a KiX script and all users are having to
mess around manually mapping the drives they need back to the local server!
I've checked a number of clients at the headoffice site and the following
reg key is showing the correct site:
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DynamicSiteName
In the evening when the second site is unmanned clients will use the correct
DC if I disable the site-to-site link. This isn't a very good solution,
obviously not practical during the day when both sites have staff trying to
work!!!
Please someone help,
Kind regards,
Graeme.
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
This posting is provided "AS IS" with no warranties, and confers no rights.
"Graeme Stow" <graem...@reverse.net.virgin> wrote in message
news:Op-dnejQnOs...@pipex.net...
Hi Paul,
cheers for your reply, the sites and services has not changed (not saying
it's correct but it seems right to me)
We have two sites under 'Sites and Services'
Balne-Office (server is WFSRV01)
Denton-Office (server is WFSRV03)
Each server is acting as the DHCP server for the subnet which are configured
as...
Under sites and services > Subnets there are:
10.0.3.0/24 With Denton-Office selected as site in properties dialog.
192.168.16.0/24 With Balne-Office selected as site in properties dialog.
Note: under the properties for each subnet the 'location' tab is blank!!!
My gut feeling is that the problem lies with the IP addresses of the actual
site-to-site link, which seems to be demand-dial even though I've tried
configuring it as 'persistent connection'. Each server seems to get IP
addresses on two PPP adapters, one on each subnet. For example:
This is the ipconfig /all from the Headoffice server (site: balne-office
subnet: 192.168.16.0/24). Notice the double PPP adapters, is this normal?
C:\Documents and Settings\Administrator>ipconfig /all
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : WFSRV01
Primary DNS Suffix . . . . . . . : <the company>.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : <the company>.net
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet
Adapter (10/100
Physical Address. . . . . . . . . : 00-06-3F-5B-C6-BF
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.16.2
10.0.3.1
Primary WINS Server . . . . . . . : 192.168.16.2
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 S Server
Adapter
Physical Address. . . . . . . . . : 01-22-AB-CD-AC-0C
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : <External NIC IP> ,<PUBLIC IP
ADDRESS REMOVED
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : <Router IP> <PUBLIC IP ADDRESS
REMOVED
DNS Servers . . . . . . . . . . . : 192.168.16.2
10.0.3.1
NetBIOS over Tcpip. . . . . . . . : Disabled
PPP adapter RAS Server (Dial In) Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-12-32-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.88
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 127.0.0.1
PPP adapter {AC804620-D887-4136-ADD5-06F4604D0178}:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.3.15
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 127.0.0.1
Just a last point: later last week clients started to use the correct
server address, yet today I've noticed clients on the Satellite site are using
the Headoffice site's server for authentication, so I'm still struggling to
resolve the issues.
Kind regards,
Graeme.
The ppp is odd considering there is no default gateway on either, but it
must work. It looks like you have two definitions one inbound and one
inbound/outbound. I think that is why you have two.
It appears that you are running dns, dhcp and ras all on your dc's. That is
fine but I wonder if things are confused with the ras on there.
It doesn't appear that I am going to be of much assistance to you. Nothing
sticks out at me.
You could run a tool such as sonar
http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/sonar-o.asp
to see if there are any load issues, doubtful though.
Have you run any diagnostic tools such as dcdiag to see if there are any AD
issues that are preventing it from being a dc?
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
This posting is provided "AS IS" with no warranties, and confers no rights.
"Graeme Stow" <graem...@reverse.net.virgin> wrote in message
news:R8CdnSeq1eG...@pipex.net...
If this doesn't work the thread can be found here:
Many thanks for the help from Paul Bergson [so far!]
The initial problem seemed to go away after a few days, the only real issue
being a logon script that mapped drives dependent on the %LOGONSERVER%
environment variable, so some manual drive mapping was required to get
people working when the wrong server was being used for authentication.
NOW THE PROBLEM HAS STARTED AGAIN!!!!
I'm guessing that what is happening is that the netlogon service [is this
correct?] isn't responding quickly enough and the clients are going to the
second site for authentication. How can I test this and what could be
causing it?
Many thanks for all contributions,
Kind regards,
Graeme Stow.
NOTE: the link is a site-to-site VPN over 1mb leased line and a 2mb ADSL.
The connection is reasonable, not super fast though!
QUICK SUMMARY SO FAR: ran Dcdiag, no errors; Sites & Services is set up
correctly [always has been]; problem occurs for a couple of days and then
goes away!! [i.e. no changes to setup or config, it's only me with access to
the servers]
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
> The rest of this post is missing. Can you please clarify
> what the problem is?
>
Hi,
The full thread at Google newsgroup archive:
--
torgeir, Microsoft MVP Scripting, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
The "wrong site logonserver" issue may happen for 2 or 3 days at a time,
say once a month or less often... the servers at each site are rarely
rebooted, probably 2 or 3 times this year!
My last question was: is it possible to test the connection to the site's
domain controller to see if it is responding correctly? As you can tell
from my initial post in June I've little knowledge of nltest. Is this the
direction I should be looking?
Kind regards,
Graeme.
"Torgeir Bakken (MVP)" <Torgeir.B...@hydro.com> wrote in message
news:%23GTneNY...@TK2MSFTNGP14.phx.gbl...
Please, please, please, please, please HELP..
Everything has worked fine since September and now it's started again.
USERS authenticating on the wrong DC in the wrong site..
Kind regards,
Graeme.
====================================================
There has been a significant delay in responding to this post so I'll again
include a link to the original thread on Google Groups (here:
http://tinyurl.com/b93n8)
The issues with the wrong logon server are more frequent. Users are
sometimes being asked to change their password (as normal after 25 days or
whatever) and finding themselves unable to access their local file server
because the change has happened on a remote DC and AD replication hasn't had
time to synchronise. This also affects their email as Exchange is also
running on the local DC (win 2000 SBS) where their credentials are now
out-of-date.
Many thanks for your interest in resolving my problems,
Thanks in advance,
Graeme.
I have gone through the issues in the thread (linked above) but here is the
setup you requested:
ACTIVE DIRECTORY SITES AND SERVICES:
#######################################
Sites:
    Balne-Office
        Servers - WFSRV01
    Denton-Office
        Servers - WFSRV03
    Inter-Site Transport
        IP - DEFAULTIPSITELINK
            Sites in this Site Link:
                Balne-Office
                Denton-Office
            Sites not in this Site Link;
                none
            Cost: 100
            Replication every: 60 (minutes)
        SMTP - none
    Subnets
        10.0.3.0/24 - Denton-Office
        192.168.16.0/24 - Balne-Office
DNS SERVERS AT BOTH SITES DO NOT USE FORWARDERS
#####################################################
IPCONFIG /ALL FOR WFSRV01 - Balne-Office (Main Site)
################################################
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : WFSRV01
Primary DNS Suffix . . . . . . . : <COMPANYNAME>.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : <COMPANYNAME>.net
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet Adapter
(10/100)
Physical Address. . . . . . . . . : 00-06-5B-3F-BF-C6
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.16.2
10.0.3.1
Primary WINS Server . . . . . . . : 192.168.16.2
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 S Server Adapter
Physical Address. . . . . . . . . : 00-02-B3-B9-AC-0C
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : <EXTERNAL IP REMOVED>
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : <ROUTERIP REMOVED>
DNS Servers . . . . . . . . . . . : 192.168.16.2
10.0.3.1
NetBIOS over Tcpip. . . . . . . . : Disabled
PPP adapter {AC804620-D887-4136-ADD5-06F4604D0178}:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.3.16
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 127.0.0.1
PPP adapter RAS Server (Dial In) Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.111
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 127.0.0.1
IPCONFIG /ALL FOR WFSRV03 - Denton-Office (Second Site)
###################################################
Windows IP Configuration
Host Name . . . . . . . . . . . . : wfsrv03
Primary Dns Suffix . . . . . . . : <COMPANYNAME>.net
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : <COMPANYNAME>.net
PPP adapter RAS Server (Dial In) Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.3.23
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network
Connection
Physical Address. . . . . . . . . : 00-0F-1F-F9-FB-84
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.3.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.0.3.1
192.168.16.2
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Server Adapter
Physical Address. . . . . . . . . : 00-04-23-B4-C6-90
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : <EXTERNAL IP REMOVED>
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : <ROUTER IP REMOVED>
DNS Servers . . . . . . . . . . . : 10.0.3.1
192.168.16.2
PPP adapter HTF Office:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.88
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.16.2
10.0.3.1
NetBIOS over Tcpip. . . . . . . . : Disabled
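
Added example, not part of the original posts: it maps the internal adapter addresses from the two ipconfig /all listings above onto the subnet objects listed under Sites and Services, and reports every address that falls in a subnet assigned to a site other than the server's own. The data layout and the function names site_for and cross_site_addresses are illustrative choices.

```python
import ipaddress

# Subnet objects exactly as listed under Sites and Services in the post.
SUBNETS = {"10.0.3.0/24": "Denton-Office", "192.168.16.0/24": "Balne-Office"}

# Internal adapter addresses copied from the two ipconfig /all listings
# (the external NICs are redacted in the post and are left out here).
SERVERS = {
    "WFSRV01": ("Balne-Office", {
        "Local Area Connection": "192.168.16.2",
        "PPP adapter {AC804620-D887-4136-ADD5-06F4604D0178}": "10.0.3.16",
        "PPP adapter RAS Server (Dial In) Interface": "192.168.16.111",
    }),
    "WFSRV03": ("Denton-Office", {
        "Local Area Connection": "10.0.3.1",
        "PPP adapter RAS Server (Dial In) Interface": "10.0.3.23",
        "PPP adapter HTF Office": "192.168.16.88",
    }),
}


def site_for(ip, subnets=SUBNETS):
    """Return the site of the most specific subnet object covering ip, else None."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in map(ipaddress.ip_network, subnets) if addr in n]
    if not hits:
        return None  # the address matches no subnet object, so it has no site
    return subnets[str(max(hits, key=lambda n: n.prefixlen))]


def cross_site_addresses(servers=SERVERS, subnets=SUBNETS):
    """List adapter addresses that map to a site other than the server's own."""
    findings = []
    for server, (own_site, adapters) in servers.items():
        for adapter, ip in adapters.items():
            mapped = site_for(ip, subnets)
            if mapped != own_site:
                findings.append((server, adapter, ip, mapped))
    return findings


if __name__ == "__main__":
    for server, adapter, ip, mapped in cross_site_addresses():
        print(f"{server} ({adapter}): {ip} maps to site {mapped}")
```

With the values from the post, each DC holds one PPP address inside the other site's subnet: 10.0.3.16 on WFSRV01 and 192.168.16.88 on WFSRV03.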
"Paul Williams [MVP]" <ptw...@hotmail.com> wrote in message
news:u$FZymw%23FHA...@TK2MSFTNGP15.phx.gbl...
I've just noticed another post which suggests running the following command:
NLTEST /DSGETDC:ourdomain.net
I've run this from a terminal server at the head office (Balne-Office in
sites and services!!)
What is it telling me?
This is the results:
DC: \\wfsrv03.<companyname>.net
Address: \\10.0.3.1
Dom Guid: c6196973-b2e9-4bb8-806c-497fa12d3d80
Dom Name: <companyname>.net
Forest Name: <companyname>.net
Dc Site Name: Denton-Office
Our Site Name: Balne-Office
Flags: GC DS LDAP KDC WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
The command completed successfully
As you can see this is using the wrong DC in the wrong site (in sites and
services)
Can anyone tell me why?
Many many thanks,
Graeme.
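
Added example, not part of the original posts: a small triage helper that reads the output of NLTEST /DSGETDC as quoted above and classifies the result by comparing "Dc Site Name" with "Our Site Name". The sample is the output from the post with its placeholders kept; the function names and status strings are illustrative, and treating a missing "Our Site Name" line as "client site unknown" is an assumption of this example.

```python
# Output quoted in the post, placeholders left exactly as posted.
SAMPLE = r"""
DC: \\wfsrv03.<companyname>.net
Address: \\10.0.3.1
Dom Guid: c6196973-b2e9-4bb8-806c-497fa12d3d80
Dom Name: <companyname>.net
Forest Name: <companyname>.net
Dc Site Name: Denton-Office
Our Site Name: Balne-Office
Flags: GC DS LDAP KDC WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
The command completed successfully
"""


def parse_dsgetdc(text):
    """Return the 'Key: value' fields of one run, or None if it did not succeed."""
    if "The command completed successfully" not in text:
        return None
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip().lstrip("\\")
    fields["Flags"] = fields.get("Flags", "").split()
    return fields


def assess(text):
    """Classify one run: in-site, out-of-site, client-site-unknown or lookup-failed."""
    rec = parse_dsgetdc(text)
    if rec is None:
        return {"status": "lookup-failed"}
    dc_site, our_site = rec.get("Dc Site Name"), rec.get("Our Site Name")
    if not dc_site or not our_site:
        status = "client-site-unknown"  # assumption: field absent, nothing to compare
    elif dc_site.lower() == our_site.lower():
        status = "in-site"
    else:
        status = "out-of-site"
    return {"status": status, "dc": rec.get("DC"), "address": rec.get("Address"),
            "dc_site": dc_site, "our_site": our_site, "flags": rec["Flags"]}


if __name__ == "__main__":
    r = assess(SAMPLE)
    print(f"{r['status']}: client in {r['our_site']} located {r['dc']} in {r['dc_site']}")
```

Collecting this output from several head-office clients over a few days and recording the status alongside a timestamp gives a record of when the out-of-site results start and stop.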
"Paul Williams [MVP]" <ptw...@hotmail.com> wrote in message
news:u$FZymw%23FHA...@TK2MSFTNGP15.phx.gbl...