Ask the Expert

Clients and servers can't log on to new Active Directory domain

I have upgraded a properly functioning NT4.0 PDC (primary domain controller) to Windows 2000 and Active Directory. The network has 120 NT4 workstations, 30 Windows 2000 workstations and three other NT4 servers. All appeared to go well, with the PDC carrying over all users, shares, policies and so on, but all the clients and servers will not log on to the domain. The PDC has a new Win2k domain but the NetBIOS name is the original. From the PDC, I can browse the network and view shares on the BDCs (backup domain controllers) with no problems, but from the BDC all I can see is the other BDCs. There is a Unix DNS server on the network that deals with the Internet. I have installed Win2000 DNS and have forwarded this to the Unix box. This appears to work, as Internet access is fine. All IP addresses are as they previously were and can ping OK around the network in any direction.


The most common issue is DNS. First question: did you alter the DNS suffix of the NT 4.0 PDC to match the Active Directory name prior to upgrading? It either has to match or be blank, otherwise you have a disjointed AD domain. The AD is called, for instance, "MyWin2k.Corp.com," while the machine's primary DNS suffix is "OldCorp.com." Since they don't match, the DNS records are wrong and the other machines cannot locate the AD services to make connections and log on. Just do an IPCONFIG /ALL to check this. If it is in bad sorts you will need to DCPROMO the machine back down to a member server, make the change of the DNS suffix and then DCPROMO the machine back to being an AD domain. This, of course, will cause all of your servers and workstations to have to manually rejoin the domain. Sorry!

If this is not your problem and the DNS suffix and the AD domain name match, you will need to research the problem more. Install the support tools on the machine and run NETDIAG.EXE, which will give you an excellent starting point. It will tell you what is wrong with the name resolution or general networking. I would suspect that the dynamic registration is not working if you are using a Unix DNS. This would mean that while your server's record (e.g., MyServer.MyCorp.com) is present, a bunch of the other records registered by a Windows 2000 AD controller are not (e.g., _ldap.tcp._msdcs). Here are a couple of articles to help out:

  • Domain controller's domain name does not match the DNS suffix
  • How to verify the creation of SRV records for a domain controller

This was first published in December 2002
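The two checks the answer walks through (primary DNS suffix versus the AD domain name, and whether the SRV records a domain controller registers dynamically actually resolve) can be scripted on a current Windows host. The script below is an added example written for this page, not code from the original Q&A; it assumes PowerShell 3.0 or later with the DnsClient module (`Resolve-DnsName`), and the AD domain name `corp.example.com` is a placeholder to replace with your own.

```powershell
# Added example (not part of the original Q&A): verify the two DNS conditions
# the answer describes. Assumes PowerShell 3.0+ with Resolve-DnsName available.
param(
    [string]$AdDomain = 'corp.example.com'   # placeholder: your AD DNS name
)

# 1. Primary DNS suffix of this machine, the value "ipconfig /all" reports as
#    "Primary Dns Suffix". It must match the AD domain name or be blank.
$suffix = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
if ([string]::IsNullOrEmpty($suffix) -or $suffix -ieq $AdDomain) {
    Write-Host "OK: primary DNS suffix '$suffix' is blank or matches '$AdDomain'"
} else {
    Write-Warning "Primary DNS suffix '$suffix' does not match AD domain '$AdDomain' (disjoint namespace)"
}

# 2. SRV records a domain controller registers through dynamic update. When the
#    zone lives on a DNS server that rejects dynamic updates, these go missing
#    while the server's ordinary A record still resolves, which is exactly the
#    symptom the answer describes.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$AdDomain",
    "_kerberos._tcp.dc._msdcs.$AdDomain",
    "_ldap._tcp.$AdDomain",
    "_kerberos._tcp.$AdDomain",
    "_kpasswd._tcp.$AdDomain",
    "_gc._tcp.$AdDomain"    # registered in the forest root; absent in child domains
)

$missing = @()
foreach ($name in $srvNames) {
    try {
        $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        if (-not $records) { throw "no SRV answers returned" }
        foreach ($r in $records) {
            Write-Host ("OK: {0} -> {1}:{2}" -f $name, $r.NameTarget, $r.Port)
        }
    } catch {
        Write-Warning "MISSING: $name ($($_.Exception.Message))"
        $missing += $name
    }
}

if ($missing.Count -eq 0) {
    Write-Host "All expected domain controller SRV records resolved."
} else {
    Write-Host "Missing $($missing.Count) record(s). Check that the zone accepts dynamic updates from the DC, then re-register with 'ipconfig /registerdns' and restart the Netlogon service."
}
```

Run it from the domain controller itself and from a client that cannot log on; a client that resolves the A record of the DC but none of the `_msdcs` SRV names points at the dynamic-registration problem rather than at the suffix mismatch.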
