When backup domain controllers go bad

While it's rare for Windows NT 4.0 BDCs to stop receiving replication updates from the Windows 2000 Server or Windows Server 2003 domain controllers, there are several steps you can take in Active Directory to resolve the issue when it happens.

We don't live in a perfect world, and as long as that continues, we will be using legacy solutions in our enterprise IT environments. How many of you still have Windows NT 4.0 Server BDCs on your Windows 2000 Server Active Directory domains? Yep, just as I thought. Many of you are retaining these legacy systems to maintain backward compatibility with older clients, out-of-date software, or in-house developed solutions. And, short of revamping your entire organization, you'll be hanging on to those NT BDCs for the foreseeable future.

So, what do you do when your BDCs go bad? That is, what do you do when they stop receiving replication updates from the Windows 2000 Server or Windows Server 2003 domain controllers? Fortunately, this is a rare occurrence. But when it does happen, there are several actions you can take to resolve the problem.

The first step is to ensure that the PDC emulator is functioning and accessible to every BDC. The PDC emulator matters because it is the only Active Directory domain controller that behaves as a Windows NT 4.0 PDC toward the BDCs; they pull their copy of the domain database from it alone. To discover which DC currently holds the PDC emulator FSMO role, open the Active Directory Users and Computers console on any domain controller, right-click the domain name, then select Operations Masters from the pop-up menu. Select the PDC tab and note the name of the DC listed as the PDC emulator. If no system is listed, you need to seize the role on a DC that can handle the additional workload. Without a PDC emulator, BDCs cannot receive domain database updates.

Make sure each BDC can ping the PDC emulator and that, from the BDC, you can reach shared resources on the PDC emulator (such as a file or printer share). If either of these checks fails, reboot the PDC emulator and each BDC. If the issue is still not resolved (even after working through the next three options), you may need to transfer or seize the PDC emulator role to a different domain controller.

Next, ensure that the BDC's domain computer account is active and is neither locked out nor disabled. View the computer account through the Active Directory Users and Computers console on any domain controller. Then try logging on to the BDC with a domain user account and attempt to access resources on various member servers and domain controllers (including the PDC emulator). If you are unable to log on to the domain from the BDC, you need to reset the BDC's computer account. This is an involved task, so see Microsoft Knowledge Base article 221826: How to create a computer object in the Active Directory for a Windows NT 4.0 BDC.

Next, make sure your AD domain is in mixed mode, not native mode. In mixed mode, Windows NT 4.0 Server BDCs can participate in the domain. In native mode, only Windows 2000 Server and Windows Server 2003 systems can be domain controllers, so a BDC is simply left behind. To view the current domain mode (called the domain functional level on Windows Server 2003), open the Active Directory Users and Computers console on any domain controller, right-click the domain name, then select Raise Domain Functional Level from the pop-up menu (on a Windows 2000 Server DC, open the domain's Properties and read the mode shown beside the Change Mode button instead). Be sure to click Cancel when you have finished viewing the status to prevent any accidental change; the switch from mixed to native mode is one-way and cannot be undone from this dialog. If the status is native mode, you have only two possible recourses: 1) remove all Windows NT 4.0 Server BDCs from the environment, or 2) restore every Windows 2000 Server and Windows Server 2003 domain controller from a backup set taken before the domain mode was changed, which is rarely practical outside a lab.

Finally, one last reason that a BDC may be unable to receive domain updates is that the domain controllers have been configured to restrict anonymous connections (on Windows 2000 Server this is the RestrictAnonymous setting, "Additional restrictions for anonymous connections" in Local Security Policy). The symptom is a plethora of 3210, 7023 and 8032 events in the System log. You must either reverse that configuration on the domain controllers or remove all BDCs.
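The checks above can be scripted from a Windows Server 2003-or-later domain member with PowerShell 2.0, so that the whole list is run in one pass before anyone starts rebooting servers. The script below is an added example written for this page, not code from the article or from Microsoft. It assumes you run it as a domain administrator, that the Remote Registry service is running on the PDC emulator, and that the BDC names in `$Bdcs` (NTBDC01, NTBDC02) are placeholders for your own. The NT 4.0 BDC itself cannot run PowerShell, so the "from the BDC" direction of the ping and share test is still done on the BDC console with `ping` and `net view \\<pdc>`. It also accepts the Windows Server 2003 interim level, which the article does not mention but which likewise admits NT 4.0 BDCs.

```powershell
# Added example, not part of the original article: runs the four BDC replication
# checks from a domain member with PowerShell 2.0 and .NET 2.0 (System.DirectoryServices).
# Placeholder BDC names; replace with the NetBIOS names of your own NT 4.0 BDCs.
param(
    [string[]] $Bdcs = @('NTBDC01', 'NTBDC02')
)

Add-Type -AssemblyName System.DirectoryServices
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Check 1: which DC holds the PDC emulator role, and can this host ping it and open a share on it?
$pdc = $domain.PdcRoleOwner.Name
Write-Host "PDC emulator: $pdc"
if (-not (Test-Connection -ComputerName $pdc -Count 2 -Quiet)) {
    Write-Warning "$pdc does not answer ping; if it is really down, seize the role on another DC"
}
if (-not (Test-Path "\\$pdc\NETLOGON")) {
    Write-Warning "Cannot open \\$pdc\NETLOGON; SMB access to the PDC emulator is broken"
}

# Check 2: each BDC's computer account must exist, be enabled and not be locked out.
$ACCOUNTDISABLE = 0x2   # bit in userAccountControl
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($domain.Name)")
foreach ($bdc in $Bdcs) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$bdc`$))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('userAccountControl', 'lockoutTime'))
    $result = $searcher.FindOne()
    if ($result -eq $null) {
        Write-Warning "${bdc}: no computer account in AD; see KB 221826 to recreate it"
        continue
    }
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    if ($uac -band $ACCOUNTDISABLE) { Write-Warning "${bdc}: computer account is disabled" }
    $lockout = $result.Properties['lockouttime']
    if ($lockout.Count -gt 0 -and [int64]$lockout[0] -ne 0) {
        Write-Warning "${bdc}: computer account is locked out"
    }
    if (-not (Test-Connection -ComputerName $bdc -Count 2 -Quiet)) {
        Write-Warning "${bdc}: does not answer ping from this host"
    }
}

# Check 3: the domain must still be at a level that admits NT 4.0 domain controllers.
$mode = $domain.DomainMode
Write-Host "Domain mode: $mode"
$ntFriendly = @([System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2000MixedDomain,
                [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2003InterimDomain)
if ($ntFriendly -notcontains $mode) {
    Write-Warning "Domain is at $mode; NT 4.0 BDCs cannot participate and the change is one-way"
}

# Check 4: RestrictAnonymous on the PDC emulator (requires the Remote Registry service).
# A value of 2 ("no access without explicit anonymous permissions") is the setting that
# stops down-level BDCs from replicating.
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $pdc)
    $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
    $restrict = $lsa.GetValue('RestrictAnonymous', 0)
    Write-Host "RestrictAnonymous on ${pdc}: $restrict"
    if ([int]$restrict -ge 2) {
        Write-Warning "${pdc}: anonymous connections are restricted; relax the policy or retire the BDCs"
    }
} catch {
    Write-Warning "Could not read the registry on ${pdc}: $_"
}

# Symptom check: the 3210/7023/8032 events the article describes, from the System log of
# whichever host you name. An NT 4.0 host may refuse the remote read; use Event Viewer there.
function Get-BdcReplicationEvents {
    param([string] $ComputerName, [int] $Days = 1)
    $ids = 3210, 7023, 8032
    Get-EventLog -LogName System -ComputerName $ComputerName -After (Get-Date).AddDays(-$Days) -ErrorAction SilentlyContinue |
        Where-Object { $ids -contains $_.EventID }
}
foreach ($bdc in $Bdcs) {
    $events = @(Get-BdcReplicationEvents -ComputerName $bdc)
    if ($events.Count -gt 0) {
        Write-Warning "${bdc}: $($events.Count) replication-related events in the last day"
        $events | Format-Table TimeGenerated, EventID, Source, Message -AutoSize
    }
}
```

Run it once from the PDC emulator and once from an ordinary member server: a warning that appears only from the member server points at the network path rather than at the role holder. Treat every warning as a lead to confirm by hand in the console, not as a verdict; the script reads state, it does not change it.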


James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.


This was first published in November 2003
