
Clients and servers can't log on to new Active Directory domain

I have upgraded a properly functioning NT4.0 PDC to Windows 2000 and Active Directory. All appeared to go well, but all the clients and servers will not log on to the domain.

I have upgraded a properly functioning NT4.0 PDC (primary domain controller) to Windows 2000 and Active Directory. The network has 120 NT4 workstations, 30 Windows 2000 workstations and three other NT4 servers. All appeared to go well, with the PDC carrying over all users, shares, policies and so on, but all the clients and servers will not log on to the domain. The PDC has a new Win2k domain but the NetBIOS name is the original. From the PDC, I can browse the network and view shares on the BDCs (backup domain controllers) with no problems, but from the BDC all I can see is the other BDCs. There is a Unix DNS server on the network that deals with the Internet. I have installed Win2000 DNS and have forwarded this to the Unix box. This appears to work, as Internet access is fine. All IP addresses are as they previously were and can ping OK around the network in any direction.

The most common issue is DNS. First question: did you alter the DNS suffix of the NT 4.0 PDC to match the Active Directory name prior to upgrading? It either has to match or be blank, otherwise you have a disjointed AD domain. The AD is called, for instance, "MyWin2k.Corp.com," while the machine's primary DNS is "OldCorp.com." Since they don't match, the DNS records are wrong and the other machines cannot locate the AD services to make connections and log on. Just do an IPCONFIG /ALL to check this. If it is in bad sorts you will need to DCPROMO the machine back down to a member server, make the change of the DNS suffix and then DCPROMO the machine back to being an AD domain. This, of course, will cause all of your servers and workstations to have to manually rejoin the domain. Sorry!

If this is not your problem and the DNS suffix and the AD domain name match, you will need to research the problem more. Install the support tools on the machine and run NETDIAG.EXE, which will give you an excellent starting point. It will tell you what is wrong with the name resolution or general networking. I would suspect that the dynamic registration is not working if you are using a Unix DNS. This would mean that while your server's record (e.g., MyServer.MyCorp.com) is present, a bunch of the other records registered by a Windows 2000 AD controller are not (e.g., _ldap.tcp._msdcs). Here are a couple of articles to help out:

  • Domain controller's domain name does not match the DNS suffix
  • How to verify the creation of SRV records for a domain controller.
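
The two checks the answer describes, as an added example that is not part of the original answer: it reads the Primary DNS Suffix from `ipconfig /all` output and lists which SRV names a domain controller registers are absent from a zone listing. The sample output, the zone lines, the host name `pdc1` and its address are constructed, and the zone listing is assumed to use fully qualified owner names.

```python
import re

# SRV owner names (relative to the AD DNS domain) that a domain controller
# registers; a subset, with site-specific and GUID-based names left out.
REQUIRED_SRV = ["_ldap._tcp", "_kerberos._tcp", "_ldap._tcp.dc._msdcs",
                "_kerberos._tcp.dc._msdcs", "_ldap._tcp.pdc._msdcs"]

# Constructed sample input (not captured from a real system).
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : pdc1
        Primary DNS Suffix  . . . . . . . : OldCorp.com
        Node Type . . . . . . . . . . . . : Hybrid
"""
SAMPLE_ZONE = """\
; constructed zone listing: host record present, most SRV records absent
pdc1.mywin2k.corp.com.        3600 IN A   10.0.0.5
_ldap._tcp.mywin2k.corp.com.  600  IN SRV 0 100 389 pdc1.mywin2k.corp.com.
"""

def primary_dns_suffix(ipconfig_text):
    """Return the 'Primary DNS Suffix' from `ipconfig /all` output ('' if blank)."""
    m = re.search(r"^\s*Primary DNS Suffix[ .]*:[ \t]*(\S*)",
                  ipconfig_text, re.M | re.I)
    if m is None:
        raise ValueError("no 'Primary DNS Suffix' line found")
    return m.group(1).rstrip(".").lower()

def suffix_ok(ipconfig_text, ad_domain):
    """The answer's rule: the suffix must match the AD DNS name or be blank."""
    suffix = primary_dns_suffix(ipconfig_text)
    return suffix == "" or suffix == ad_domain.rstrip(".").lower()

def missing_srv(zone_text, ad_domain):
    """List required SRV owner names that have no SRV record in the zone listing."""
    domain = ad_domain.rstrip(".").lower()
    present = set()
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()      # strip comments, then tokenize
        if "SRV" in (f.upper() for f in fields[1:]):
            present.add(fields[0].rstrip(".").lower())
    return [n for n in REQUIRED_SRV if f"{n}.{domain}" not in present]

if __name__ == "__main__":
    print("suffix matches or blank:", suffix_ok(SAMPLE_IPCONFIG, "MyWin2k.Corp.com"))
    print("missing SRV names:", missing_srv(SAMPLE_ZONE, "MyWin2k.Corp.com"))
```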