In a Windows environment, the domain controller -- the server that responds to security authentication requests -- doesn't always honor login or permission requests. Below you'll find some domain controller troubleshooting questions Windows administrators asked of SearchWincomputing.com's server experts.
- Why do my clients attempt to use the same domain controller as their logon server?
- Why can't I log into the domain?
- Why can't our users log on to one of our domain controllers?
- Can I rename a server once that's been promoted to DC status?
- Can I restore local administration rights when DC password is lost?
- Are there any known issues with SP1 on a domain controller?
- What are the ramifications of doing a broad scale change to domain accounts?
Why do my clients attempt to use the same domain controller as their logon server?
We have two domain controllers at two different sites in India and the U.S. Some of the Windows XP and Windows 2000 clients in the U.S. are using the India domain controller as their logon server. This is causing the logon to be very slow. How can we solve this issue?
Active Directory clients are site-aware, which means that they will attempt to contact a domain controller in the same site before attempting to authenticate across a WAN link. Be certain that you've correctly configured your sites, subnets and site links in Active Directory Sites and Subnets, since this is the information that your clients will rely on to select an appropriate logon server.
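As an added example (not part of the original answer), the PowerShell below shows how to verify the site-awareness the answer describes from the client's side: which site the DC locator computes for the machine from the subnet objects (the ones maintained in the Sites and Services snap-in), which domain controller it hands back, and whether the two agree. It also dumps every subnet-to-site mapping in the forest, so an address range that is not covered, the usual reason a client wanders to a remote DC, stands out. It uses the System.DirectoryServices.ActiveDirectory classes shipped with .NET, so it runs on a domain-joined host without RSAT; site, DC and subnet names in the output are whatever your forest contains.

```powershell
# Added example, not from the original page. Runs on any domain-joined
# Windows host with PowerShell; needs no RSAT (uses the .NET AD classes).
Add-Type -AssemblyName System.DirectoryServices

function Get-ClientSiteCheck {
    $computerSite = $null
    try {
        # The same subnet-to-site computation the DC locator performs for this host.
        $computerSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    } catch {
        # Thrown when the host's IP falls outside every subnet defined in AD:
        # the locator then has no site to prefer and may pick any DC, WAN or not.
        $computerSite = 'NONE (IP matches no AD subnet)'
    }
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    # A fresh locator lookup, as opposed to the %LOGONSERVER% cached at logon time.
    $dc = $domain.FindDomainController()
    [pscustomobject]@{
        ComputerSite      = $computerSite
        LocatedDC         = $dc.Name
        LocatedDCSite     = $dc.SiteName
        CachedLogonServer = $env:LOGONSERVER
        SameSite          = ($dc.SiteName -eq $computerSite)
    }
}

function Get-SiteSubnetMap {
    # Every subnet object and the site it is attached to; compare against the real
    # address plan to spot ranges that are missing or attached to the wrong site.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($site in $forest.Sites) {
        if ($site.Subnets.Count -eq 0) {
            [pscustomobject]@{ Site = $site.Name; Subnet = '(no subnets: no client can ever be placed here)' }
        }
        foreach ($subnet in $site.Subnets) {
            [pscustomobject]@{ Site = $site.Name; Subnet = $subnet.Name }
        }
    }
}

Get-ClientSiteCheck
Get-SiteSubnetMap | Sort-Object Site | Format-Table -AutoSize
```

Run it on one of the affected US clients. If ComputerSite reads NONE or SameSite is False, the fix is in the subnet objects, not on the client; `nltest /dsgetsite` and `nltest /dsgetdc:<domain> /force` give the same two answers from a command prompt on older systems.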
Why can't I log into the domain?
When attempting to log into the domain my machine takes a lot of time and sometimes does not even complete the process. I am using Windows 2000 Server and the domain controllers are using Windows 2003 Server. Can you help?
Without additional information it's hard to point to a specific culprit. Some general troubleshooting steps you should take, though, include checking the Event Viewer on the client that is having trouble logging on, as well as on your domain controllers. You should also test network connectivity using PING and TRACERT, and use netdiag and nslookup on your domain controllers to verify that your DNS records are set up properly, particularly the SRV records that indicate the location of your domain controllers.
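Added example, not from the original answer: a PowerShell function that performs the SRV-record check the answer recommends. It resolves the locator records a client needs to find a domain controller, KDC and global catalog (plus the site-specific ones when a site name is given) and then confirms that every SRV target itself has an A record, since an SRV record that points at a name which does not resolve is as bad as a missing one. It assumes Resolve-DnsName (the DnsClient module, Windows 8 / Server 2012 and later); the domain contoso.com and the site name US are placeholders.

```powershell
# Added example, not from the original page. Assumes the DnsClient module
# (Resolve-DnsName); 'contoso.com' and the site name 'US' are placeholders.
function Test-ADDnsLocatorRecords {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [string]$ForestName = $DomainName,   # forest root, if this is a child domain
        [string]$SiteName,                   # optional: also check the site-specific records
        [string]$DnsServer                   # optional: query one particular DNS server
    )
    # Records a Windows client (or another DC) queries to find DCs, KDCs and GCs.
    $names = @(
        "_ldap._tcp.dc._msdcs.$DomainName",
        "_kerberos._tcp.dc._msdcs.$DomainName",
        "_ldap._tcp.pdc._msdcs.$DomainName",
        "_ldap._tcp.$DomainName",
        "_kerberos._tcp.$DomainName",
        "_kpasswd._tcp.$DomainName",
        "_ldap._tcp.gc._msdcs.$ForestName",
        "_gc._tcp.$ForestName"
    )
    if ($SiteName) {
        $names += "_ldap._tcp.$SiteName._sites.dc._msdcs.$DomainName"
        $names += "_kerberos._tcp.$SiteName._sites.dc._msdcs.$DomainName"
        $names += "_gc._tcp.$SiteName._sites.$ForestName"
    }
    $common = @{ ErrorAction = 'Stop' }
    if ($DnsServer) { $common['Server'] = $DnsServer }

    foreach ($name in $names) {
        try {
            # An SRV answer usually carries the targets' A records too; keep only the SRV rows.
            $srv = @(Resolve-DnsName -Name $name -Type SRV @common | Where-Object { $_.Type -eq 'SRV' })
        } catch {
            [pscustomobject]@{ Record = $name; Target = ''; Port = ''; TargetIP = ''; Status = "MISSING: $($_.Exception.Message)" }
            continue
        }
        foreach ($r in $srv) {
            $ip = ''
            try {
                $ip = (Resolve-DnsName -Name $r.NameTarget -Type A @common | Where-Object { $_.Type -eq 'A' }).IPAddress -join ','
            } catch { }
            [pscustomobject]@{
                Record   = $name
                Target   = $r.NameTarget
                Port     = $r.Port
                TargetIP = $ip
                Status   = if ($ip) { 'OK' } else { 'TARGET DOES NOT RESOLVE' }
            }
        }
    }
}

Test-ADDnsLocatorRecords -DomainName 'contoso.com' -SiteName 'US' | Format-Table -AutoSize
```

Run it once against the DNS server the slow client actually uses (-DnsServer) and once against the DC's own DNS; a record that exists on one and not the other points at a zone-transfer or delegation problem for the _msdcs zone rather than at the client. On the DC itself, `dcdiag /test:DNS` covers the same ground on newer servers, and `nltest /dsgetdc:<domain>` confirms the locator end-to-end.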
Why can't our users log on to one of our domain controllers?
We have two sites. I put my main domain controller with AD and DNS at the primary site and an additional domain controller (DC) at the other site with DNS. Both sites were connected with a high-speed link. I gave both DCs the global catalog role for fault tolerance. But when the link was down, none of my users were able to log on at the other site where I kept the additional domain controller. All of my clients are either NT or Windows 98. What is the problem in authenticating and how do I solve this?
Make sure that one DC in each site is a global catalog (GC) server, as your clients will not be able to log on without access to the GC. (Here are some instructions on enabling a controller to be a GC.) Also make sure that you have WINS running in both locations, as NT and 98 clients require NetBIOS for name resolution.
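Added example (not from the original answer): a forest-wide audit that lists, per site, the domain controllers and which of them are global catalogs, flagging any site left without a GC, together with a client-side view of the WINS servers actually configured on the host. Those are the two conditions the answer names (no GC in the site, no reachable WINS server for the NetBIOS clients), and each on its own makes logons fail the moment the link drops. It uses the .NET System.DirectoryServices.ActiveDirectory classes and the Win32 CIM provider, so it needs no RSAT.

```powershell
# Added example, not from the original page. Needs no RSAT: uses the .NET
# System.DirectoryServices.ActiveDirectory classes and the Win32 CIM provider.
Add-Type -AssemblyName System.DirectoryServices

function Get-SiteGlobalCatalogReport {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($site in $forest.Sites) {
        # A site's server list can include AD LDS instances; keep only domain controllers.
        $dcs = @($site.Servers | Where-Object { $_ -is [System.DirectoryServices.ActiveDirectory.DomainController] })
        $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog() })
        $status = if ($dcs.Count -eq 0) { 'NO DC: site depends entirely on the WAN' }
                  elseif ($gcs.Count -eq 0) { 'NO GC: logons fail here when the link is down' }
                  else { 'OK' }
        [pscustomobject]@{
            Site              = $site.Name
            DomainControllers = ($dcs | Select-Object -ExpandProperty Name) -join ', '
            GlobalCatalogs    = ($gcs | Select-Object -ExpandProperty Name) -join ', '
            Status            = $status
        }
    }
}

function Get-WinsClientConfig {
    # WINS servers handed to this host's IP-enabled adapters (by DHCP or static config).
    # NT and 98 clients in the site need a reachable WINS server for NetBIOS name resolution.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description,
                      @{ n = 'IPAddress'; e = { $_.IPAddress -join ',' } },
                      WINSPrimaryServer, WINSSecondaryServer
}

Get-SiteGlobalCatalogReport | Format-Table -AutoSize
Get-WinsClientConfig | Format-Table -AutoSize
```

A site whose Status reads OK here can still fail the WAN-down test if its WINS server, or its only DNS server, lives on the other side of the link; the second function shows which WINS servers a given host will try, so run it on a machine in the remote site rather than on the DC.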
Can I rename a server once that's been promoted to DC status?
We are running a Windows Server 2003 Active Directory domain. We are replacing one of our production Windows 2000 member servers with newer hardware running Windows Server 2003 and want it to keep its hostname and IP address. What must I do to ensure a smooth transition for this machine?
It's generally a bad idea to rename a server once you have promoted it to DC status. Let's say that your current DC is called DC1. Installing your new server as a member server called SERVER1 would be your best bet. Then, I suggest installing a third machine as a domain controller, call it DC2. Once DC2 has been installed as a domain controller, transfer all 5 FSMO roles from DC1 to DC2, and run dcpromo to gracefully remove the old DC1 from your network. Once you've removed the old DC1 from your network, you can rename the SERVER1 member server to DC1. Then you can run dcpromo on the new DC1 to introduce it to your network gracefully.
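Added example, not the original page's procedure: the FSMO transfer and the pre-demotion check the answer describes, written for the ActiveDirectory PowerShell module (RSAT, Windows Server 2012 and later; on Windows Server 2003 the same transfer is done from ntdsutil's roles menu). DC1 is the outgoing controller and DC2 the new one, as in the answer. Transferring rather than seizing matters: a seize is only for a holder that is gone for good, and seizing while the old DC is still alive leaves two machines believing they own a role.

```powershell
# Added example, not the original page's procedure. Assumes the ActiveDirectory
# module (RSAT); DC1 = outgoing controller, DC2 = new one, as in the answer.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles live on the forest object, domain roles on the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-AllFsmoRoles {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Target)
    $roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
    if ($PSCmdlet.ShouldProcess($Target, "transfer $($roles -join ', ')")) {
        # A transfer needs the current holder online. -Force would *seize* the roles,
        # which is only for a holder that is dead and will never come back.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $roles -Confirm:$false
    }
}

function Test-SafeToDemote {
    param([Parameter(Mandatory)][string]$DcName)
    $dc = Get-ADDomainController -Identity $DcName
    $problems = @()
    # 1. It must not still hold any FSMO role.
    $holders = Get-FsmoRoleHolders
    foreach ($p in $holders.PSObject.Properties) {
        if ($p.Value -ieq $dc.HostName) { $problems += "still holds $($p.Name)" }
    }
    # 2. Its site must keep a global catalog after it is gone.
    $otherGcsInSite = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
        Where-Object { $_.Site -eq $dc.Site -and $_.HostName -ne $dc.HostName })
    if ($dc.IsGlobalCatalog -and $otherGcsInSite.Count -eq 0) {
        $problems += "last global catalog in site $($dc.Site)"
    }
    [pscustomobject]@{ DC = $dc.HostName; SafeToDemote = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

# Sequence for the answer above:
Move-AllFsmoRoles -Target 'DC2'
Get-FsmoRoleHolders                 # every role should now read DC2's FQDN
Test-SafeToDemote -DcName 'DC1'     # expect SafeToDemote = True before running dcpromo on DC1
# After DC1 is demoted and its computer object and DNS records have replicated away, reuse the name:
#   Rename-Computer -ComputerName SERVER1 -NewName DC1 -DomainCredential (Get-Credential) -Restart
# then promote the renamed server (dcpromo on 2003; Install-ADDSDomainController on 2012 and later).
```

Check Get-FsmoRoleHolders from a second DC as well before demoting, so you are reading replicated state and not just DC2's own view; and do not rename SERVER1 to DC1 until the old DC1's SRV records have disappeared from DNS, or clients will be steered to a host that is not yet a domain controller.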
Can I restore local administration rights when DC password is lost?
The local administrator has gone and no one knows what the DC password is (Windows 2003). A locksmith allowed me to reset the local administrator password and now the account has very limited access. I can access the server but I cannot do much. How do I restore those local administrator rights?
If you've forgotten or lost the domain administrator's password and you do not have another user with administrative rights, you can perform a parallel installation of the OS onto a different partition, or use a password recovery utility to reset the password.
Are there any known issues with SP1 on a domain controller?
I run a network of about 2500 PCs and 200 servers. I have an Active Directory in native 2003 mode and I have 23 domain controllers (I only have one domain). I would like to upgrade to Windows 2003 Server SP1. Before I upgrade, are there any known issues with SP1 on a domain controller I should know about?
The majority of known issues surrounding SP1 involve installing SP1 on an SBS server. Aside from that, each individual upgrade process is unique based on the hardware and software that is installed on the domain controller – you should test the SP1 upgrade process in a test environment before deploying it on your production hardware. Microsoft KB article 889101 includes the Release Notes for SP1, which also details a few known issues to be aware of before upgrading.
What are the ramifications of doing a broad scale change to domain accounts?
I have a client who is running a Windows 2000 Server/Exchange 2000 Server domain that has had domain user names in a certain format (e.g. jsmith) for a few years. My client just recently changed their Internet e-mail address scheme to be email@example.com. Now my client wants to change the domain accounts to match the new e-mail format (firstname.lastname@example.org) and delete the other SMTP addresses with the old scheme. I have 75 users that I need changed. What are the ramifications of doing a broad scale change to domain accounts to match SMTP Internet e-mail address schemes?
Instead of recreating and deleting accounts, consider using the Dsmove command with the -newname switch to rename the accounts as they are. User accounts are assigned unique identifiers that are independent of the user name. Start with a small group of users as a test, and be sure to give your domain controllers time to replicate the change if you are split over multiple sites.
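Added example, not from the original answer: a batch rename written for the ActiveDirectory PowerShell module, keyed on each account's SID so that the identifiers the answer mentions (SID and objectGUID) are untouched and group memberships, ACL entries and mailbox links survive. One point worth knowing before scripting this: dsmove -newname renames the object's relative distinguished name (the CN shown in the OU), while the names a user types at logon are the separate sAMAccountName and userPrincipalName attributes, which is what this example changes. The function builds firstname.lastname from the existing name attributes, refuses a new name longer than the 20-character sAMAccountName limit, refuses a collision with an existing logon name or UPN, supports -WhatIf for the pilot run, and makes every change on one DC so the updates replicate outward from a single source. The accounts jsmith and ajones and the suffix example.com are placeholders.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module
# (RSAT); 'jsmith', 'ajones' and the UPN suffix 'example.com' are placeholders.
Import-Module ActiveDirectory

function Rename-UserLogonName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,   # start with a small pilot group
        [Parameter(Mandatory)][string]$UpnSuffix,          # e.g. example.com
        # Make every change on one DC so they all replicate outward from a single source.
        [string]$Server = (Get-ADDomainController -Discover -Service PrimaryDC).HostName | Select-Object -First 1
    )
    foreach ($old in $SamAccountName) {
        $u = Get-ADUser -Identity $old -Server $Server
        if (-not $u.GivenName -or -not $u.Surname) {
            Write-Warning "$old has no given name/surname, skipped"; continue
        }
        # firstname.lastname, lower-cased, reduced to characters that are safe in a logon name
        # (which also keeps LDAP filter metacharacters out of the collision query below).
        $new = ('{0}.{1}' -f $u.GivenName, $u.Surname).ToLowerInvariant() -replace '[^a-z0-9.]', ''
        $upn = "$new@$UpnSuffix"
        if ($new.Length -gt 20) {
            # The pre-Windows 2000 logon name (sAMAccountName) is limited to 20 characters.
            Write-Warning "$old -> $new is longer than 20 characters, skipped"; continue
        }
        # Never create a duplicate logon name or UPN.
        $clash = Get-ADObject -Server $Server -LDAPFilter "(|(sAMAccountName=$new)(userPrincipalName=$upn))" |
                 Where-Object { $_.ObjectGUID -ne $u.ObjectGUID }
        if ($clash) {
            Write-Warning "$old -> $new collides with $($clash.DistinguishedName -join ', '), skipped"; continue
        }
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "logon name $old -> $new, UPN $upn")) {
            # Keyed by SID: the SID and objectGUID do not change, so group memberships,
            # ACL entries and mailbox links survive; only the name attributes move.
            Set-ADUser -Identity $u.SID -Server $Server -SamAccountName $new -UserPrincipalName $upn
        }
        [pscustomobject]@{ Old = $old; New = $new; UPN = $upn; SID = $u.SID.Value }
    }
}

# Dry run on a pilot group, then the same call without -WhatIf; have a pilot user log on
# from the other site before touching the remaining accounts.
Rename-UserLogonName -SamAccountName 'jsmith', 'ajones' -UpnSuffix 'example.com' -WhatIf
```

The e-mail side is separate: changing the logon name does not touch the account's SMTP addresses, so the old-scheme addresses the client wants removed have to be handled in Exchange after the pilot users have been verified. Between the pilot and the full run, `repadmin /replsummary` shows whether the renamed attributes have reached the DCs at the other sites, which is the replication delay the answer warns about.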
This was first published in July 2006