Windows server 2003 login issue

[tronads]

I could do with some advice from anyone who knows anything about Domains on Windows Server 2003, as I am pretty weak when it comes to domains.

We have a small network of about 8 Windows 2003 servers, one of which is a Primary Domain controller, and two others are secondary backup Domain Controllers.

Recently, and becoming more frequent of late, one or two of the other servers have had account login issues, where when you try and remote desktop login to any account (including Administrator), I get the error message "Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance". This login failure occurs when logging into the domain (iether directly on the machine or by remote desktop), AND unusualy also when logging into "(this machine"). Whatsmore, there are some scheduled tasks that obviously require a login account, these are also failing and continue to fail once this error occurs.

Basicaly when this happens, its impossible to login on any account on this machine, be it local or in the domain, yet I can still access shared folders and mapped drives remotely on it, so it is not in a totaly unusable state. The only way I can get in is by doing a forced reboot by holding in the power button, after which the machine works straight away.

The servers that are domain controllers seem fine, have not crashed, and other servers on the domain can still log in without issue.

Anyone come accross this type of problem before ?

[WotTheFook]

The company I work for has Dell Poweredge servers running Server 2003 and in the last two months, one of the servers has been displaying the exact symptoms you describe. it started with the Outlook Exchange server falling over and even though a daily scheduled backup to tape is performed, they were unable to recover the data from the tape, so they had to resort to the previous Friday's tape. E-mail was accesible remotely via the Web as iot it hosted off-site, but it was not accessible but not via Outlook.

To an extent it depends on how old your servers are, but our eight years old ones have been diagnosed as failing so are marked for replacement with brand new ones in the next 12 months. Are your machines Dell servers by any chance?

At a hardware level, I would hazard a guess that it's either power supply issues or that some of the electrolytic capacitors that smooth out ripples in the voltage rails are starting to fail, hence the domain controller drops off when the voltage drops too low. Rebooting using the power button will surge the power and restore the peak voltage, but eventually it will decay away again and start to misbehave. It's not affecting the hard drives, as they are on separate power rails, so it's more likely to be the caps that feed from the mainboard power connector.

You will need to replace the server at some time in the near future. Feel free to diss my diagnosis.

[Over Carl]

Are the dc's running dns?
Are the dc's at the same location?
For the problem servers, are they using your dc's as dns servers?

Tried running dcdiag on the dc's?
Tried looking at c:\windows\debug\netsetup.log on the problem servers?

There's also a whole heap of dns srv records to test for - the ms site only gives three but I found a shedload I needed to recreate due to a strange isssue - will dig out further info tonight.

I'm just learning this stuff myself but will see if I can help.

[tronads]

Are the dc's running dns?
I dont believe so....there are seperate dns servers elsewhere on the estate



Are the dc's at the same location?
Yes, they are in the same racks.



For the problem servers, are they using your dc's as dns servers?
No, they have a seperate address in their dns server list, one I dont recognise. The IP's of the DC's are named in their hosts file.


Tried running dcdiag on the dc's?
I ran this and it produced a comprehensive report, but anything where problems were revealed did not correspond to the 2 machines ive had problems with...in fact the problems mentioned were for old decommisioned machines, presumably complaining about their abscence.


Tried looking at c:\windows\debug\netsetup.log on the problem servers?
This file doesnt seem to have been updated since 2005


There's also a whole heap of dns srv records to test for - the ms site only gives three but I found a shedload I needed to recreate due to a strange isssue - will dig out further info tonight.



Im not entirely sure that the domain controllers are where the problems are, because when it "goes", you cant even log in localy on the machines in question.
The machines are fairly old HP Proliant's, the newer of the two is a quad processor 4*3Ghz, so that may give some indication of age.
What I have noticed is that the 2 machines that this has occurred on, have not done it at the same time.....this morning I was able to log into the older one fine, but the newer one was having none of it.


D

[WotTheFook]

It's sounding more like dried out power rail capacitors in the server machines to me all the time, from your comments about the age of the machines. If you can't log on locally on the affected machines, it's because they are not talking to the domain controller due to a latent power failure. It could even be taking the main bus in the server machine down so it 'hangs'.

If you have spare server space, I'd migrate the data from these two Proliants onto another server machine, either directly or as a 'virtual' server, as I believe that the problem is hardware related and that the servers may fail completely in the not too distant future.

With server issues, people get obsessed with the software, kernal and data backup issues and don't take hardware failures into account.

Do you have any diagnostic tools that you could maybe run on the hardware, to try and isloate the fault?

http://www.tricksguide.com/performin...tstart-cd.html

http://www.scribd.com/doc/47775760/H...ht-Diagnostics

[Over Carl]

Hmm, missed the part about local logons not working - although with the setup you mentioned, I doubt the problem servers will be able to locate your dc's which could explain the domain accounts not logging on.

Will give more info when I get home tonight, although I could be completely going up the wrong tree, but here is the gist of it.

Clients and servers both use the dc locator process in order to find dc's. This is done by querying dns servers for various srv records. The recommended setup is to use the dc's as dns servers so they automatically provide these records as well as a load more.

If you are using say your router for dns, you can get external records no problem but no joy internal. Although if this was the case you would probably have problems finding your servers from client pc's.

Carry out the steps in this article and let us know what happens http://support.microsoft.com/kb/816587

I will dig out the other records not mentioned and tell you exactly how to find them when I get in.

[Over Carl]

Ok, here's a list I found for our work domain, to check yours,log on to a dc, admin tools, dns, forward lookup zones. In the examples I've changed the domain name to domain.name and you need to find the guid specific to your domain for one. Each of them should list each of your dc's except the pdc one which which should only return your pdc. As much as the MS article only mentions a few, I've noticed pc's actually using more then them. Also you may changed the name of your site in AD which will make your records look different.


_kpasswd._tcp.DOMAIN.NAME 464
_kerberos._tcp.dc._msdcs.DOMAIN.NAME port:88
_kerberos._tcp.DOMAIN.NAME port:88
_kerberos._udp.DOMAIN.NAME port:88
_kerberos._tcp.Default-First-Site-Name._sites.DOMAIN.NAME port:88
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN.NAME port:88
_ldap._tcp.dc._msdcs.DOMAIN.NAME port:389
_ldap._tcp.DOMAIN.NAME port:389
_ldap._tcp.Default-First-Site-Name._sites.DOMAIN.NAME port:389
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN.NAME port:389
_ldap._tcp.pdc._msdcs.DOMAIN.NAME port:389 dc1 only
_ldap._tcp.gc._msdcs.DOMAIN.NAME port:3268
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.DOMAIN.NAME port:3268
_gc._tcp.DOMAIN.NAME port:3268
_gc._tcp.Default-First-Site-Name._sites.DOMAIN.NAME port:3268
_ldap._tcp.DOMAIN GUID.domains._msdcs.DOMAIN.NAME port:?????