
I'm having quite an issue that began a few days ago. Let me just lay out exactly what happened. Also, I've inherited this environment, so please keep that in mind.

1st Domain Controller - Windows Server 2003 R2 Std

2nd Domain Controller - Windows Server 2008 R2 Ent

In the last couple of days, when a user boots up and attempts to log in from any workstation I have recently freshly installed, they encounter a Trust error upon login. So, I logged in as local admin and rejoined to the domain; however, when the Trust failed multiple times across several machines I dug deeper.

On one of the workstations, I checked event viewer and found this:

Log Name:      System
Source:        NETLOGON
Date:          5/16/2013 12:06:07 PM
Event ID:      3210
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      WIN7-2083.Domain.DomainName.com
Description:
This computer could not authenticate with \\BDCName.Domain.DomainName.com, a Windows domain controller for domain DOMAIN, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">3210</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-05-16T17:06:07.000000000Z" />
    <EventRecordID>52991</EventRecordID>
    <Channel>System</Channel>
    <Computer>WIN7-2083.Domain.DomainName.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>DOMAIN</Data>
    <Data>\\BDCName.Domain.DomainName.com</Data>
    <Binary>220000C0</Binary>
  </EventData>
</Event>

So for some reason, it led me to believe that this workstation was authenticating directly to the 2nd DC versus the 1st DC.

Looking at the 1st DC Event Viewer, I found this error:

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. 

Directory partition:
CN=Configuration,DC=Domain,DC=DomainName,DC=com 

There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers. 

User Action 
Perform one of the following actions: 
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option. 
- Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site. 

If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.

Followed by:

The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site. 

Sites: 
CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,DC=DomainName,DC=com

So I looked on the 1st DC to find almost identical errors:

The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site. 

Sites: 
CN=Jackson,CN=Sites,CN=Configuration,DC=Domain,DC=DomainName,DC=com 

I've looked at several solutions, and many of them refer to looking up DNS entries and other things; however, I'm not entirely sure where the error lies, as this just began happening. There have been no changes to any routing in the environment. It's literally been in the last few days. I'm guessing at this point that they are not communicating with each other properly. If I make a change on one DC, it should show up on the other DC, right? For example, changing user properties on one DC should shortly show up on the second DC as well? This is not happening at this time.

What steps can I take to really get this resolved?

RogueSpear00

  • 1. Stop calling them PDC and BDC. - 2. Double check the DNS client settings on all clients, including the Domain Controllers. All DNS clients should be using only the DC/DNS servers for DNS, including the Domain Controllers. The Domain Controllers are DNS clients just like any other computer in the domain. - 3. Check that the appropriate DNS (A, NS and SRV) records exist in your AD DNS zone for both Domain Controllers. - 4. A domain client can authenticate to any Domain Controller, not only to the Domain Controller that holds the PDC Emulator role. – joeqwerty May 17 '13 at 18:43
  • There haven't been PDCs and BDCs for almost 14 years now. That went away with NT4. – MDMarra May 17 '13 at 18:47
  • In my head it just kinda sits like that. Not that they are Primary/Backup now. EDIT: Edited my post to properly reflect that. – RogueSpear00 May 17 '13 at 18:48
  • Start by running the ole [dcdiag](http://technet.microsoft.com/en-us/library/cc731968(v=ws.10).aspx) and taking note of any errors/failures and correcting them. – Zoredache May 17 '13 at 18:59
  • @Zoredache - I'll start there. I had run this prior; however, it didn't produce the error results that I'm seeing. Both servers are presenting different failures. 1st DC is showing SAM Database unable to lockout on the SystemLog test & KCC errors on the KCCEvent test. The 2nd showing failures on KCC & NCSecDesc. – RogueSpear00 May 17 '13 at 19:07
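The DNS and replication checks the comments above point at (joeqwerty's items 2 and 3, Zoredache's dcdiag), collected into one diagnostic script as an added example that is not part of the original thread. It assumes PowerShell 2.0 on the 2008 R2 DC or on a Windows 7 client with the RSAT tools (dcdiag, repadmin, nltest) installed; the domain and DC names are placeholders.

```powershell
# Added example (not from the thread): run the DNS and replication checks
# the comments describe from a 2008 R2 DC or a Windows 7 client with RSAT.
# Domain and DC names are placeholders; substitute the real ones.
$Domain = "Domain.DomainName.com"
$DCs    = @("DC1.$Domain", "DC2.$Domain")

# (3) A records: each DC must resolve. Collect the addresses for the next check.
$dcAddrs = @()
foreach ($dc in $DCs) {
    try   { $dcAddrs += [System.Net.Dns]::GetHostAddresses($dc) | ForEach-Object { $_.IPAddressToString } }
    catch { Write-Warning "No A record for $dc" }
}

# (2) DNS client settings: this machine (DC or workstation) should point only
#     at the DC/DNS servers. Anything else (ISP, router) will break SRV lookups.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    ForEach-Object {
        foreach ($srv in $_.DNSServerSearchOrder) {
            if ($dcAddrs -notcontains $srv) {
                Write-Warning "$($_.Description) uses non-DC DNS server $srv"
            }
        }
    }

# (3) NS and SRV records: the zone should list the DCs as name servers, and
#     _ldap._tcp.dc._msdcs.<domain> must return an SRV record for each DC.
nslookup -type=NS $Domain
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>$null
foreach ($dc in $DCs) {
    if (-not ($srv | Select-String -SimpleMatch $dc)) {
        Write-Warning "No SRV record for $dc under _ldap._tcp.dc._msdcs.$Domain"
    }
}

# Which DC this client actually locates (the 3210 event in the question names
# the DC the workstation tried to authenticate with) and its secure channel state.
nltest "/dsgetdc:$Domain"
nltest "/sc_verify:$Domain"

# dcdiag for the KCC/DNS tests, then repadmin to see whether the two DCs are
# replicating the Configuration partition at all. Partners that show failures
# are the "inaccessible directory servers" the KCC events refer to.
dcdiag /test:DNS /test:KCCEvent /test:Replications
repadmin /replsummary
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_."Number of Failures" -gt 0 } |
    Format-Table "Source DSA", "Destination DSA", "Naming Context", "Last Failure Status" -AutoSize
```

Run it once on each DC and once on an affected workstation; a DC that points at a non-DC DNS server, or that is missing from the _msdcs SRV records, is the usual reason the KCC reports a site as unreachable.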
