Upgraded domain / Logon issues

scj6771
Regular Member
Posts: 230
Joined: Mon Aug 04, 2003 5:44 pm
Location: Windsor, NY

Post by scj6771 »

Upgraded the last of our 2000 DCs to 2008 R2 and we are starting to have issues with random users not able to log into the domain, getting messages stating that the domain is not available.

If I look at the event viewer on one of these machines, one of the errors that shows up is:

Code:

wuauclt (3016) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" failed with system error 1392 (0x00000570): "The file or directory is corrupted and unreadable. ".  The delete file operation will fail with error -1022 (0xfffffc02).

And also:

Code:

The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible.  No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.

Here are the errors from the 2008 R2 event viewer "Security" logs of another user that was having issues:

Code:

A Kerberos authentication ticket (TGT) was requested.

Account Information:
	Account Name:		"USERNAME"
	Supplied Realm Name:	"DOMAIN"
	User ID:			NULL SID

Service Information:
	Service Name:		krbtgt/"DOMAIN"
	Service ID:		NULL SID

Network Information:
	Client Address:		::ffff:10.X.X.X
	Client Port:		1048

Additional Information:
	Ticket Options:		0x40810010
	Result Code:		0x12
	Ticket Encryption Type:	0xffffffff
	Pre-Authentication Type:	-

Certificate Information:
	Certificate Issuer Name:		
	Certificate Serial Number:	
	Certificate Thumbprint:		

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120

I have no idea at the moment if these errors are related. We have only XP SP3 clients, and our domain is now a Windows Server 2008 R2 domain.
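Added example, not part of the original post: a small Python parser that decodes the hex fields of the "A Kerberos authentication ticket (TGT) was requested" event quoted above, using the RFC 4120 tables the event text points to. Result Code 0x12 decodes to KDC_ERR_CLIENT_REVOKED, which is a different error from the clock-skew code (0x25, KRB_AP_ERR_SKEW) that a failed time source would be expected to produce. The function name decode_tgt_event and the trimmed SAMPLE text are assumptions made for this example.

```python
import re

# RFC 4120 section 7.5.9 error codes commonly seen as "Result Code".
RESULT_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x0E: "KDC_ERR_ETYPE_NOSUPP",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x25: "KRB_AP_ERR_SKEW",
}

# KDCOptions bit numbers; bit 0 is the most significant bit of the 32-bit field.
KDC_OPTIONS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    15: "canonicalize",  # added by RFC 6806
    26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}

FIELD = re.compile(
    r"^[ \t]*(Account Name|Client Address|Ticket Options|Result Code|"
    r"Ticket Encryption Type):[ \t]*(\S.*?)[ \t]*$", re.M)

def decode_tgt_event(message):
    """Decode the hex fields of a TGT-request event message (hypothetical helper)."""
    f = dict(FIELD.findall(message))
    result = int(f["Result Code"], 16)
    options = int(f["Ticket Options"], 16)
    return {
        "account": f["Account Name"].strip('"'),
        "client": re.sub(r"^::ffff:", "", f["Client Address"]),
        "result": RESULT_CODES.get(result, "unknown (0x%x)" % result),
        "options": [name for bit, name in sorted(KDC_OPTIONS.items())
                    if options & (0x80000000 >> bit)],
        # 0xffffffff means the KDC issued no ticket
        "ticket_issued": int(f["Ticket Encryption Type"], 16) != 0xFFFFFFFF,
    }

# Field values copied from the event quoted in the post above (trimmed).
SAMPLE = """  Account Name:            "USERNAME"
  Client Address:          ::ffff:10.X.X.X
  Ticket Options:          0x40810010
  Result Code:             0x12
  Ticket Encryption Type:  0xffffffff
"""
print(decode_tgt_event(SAMPLE))
```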
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

Is the old DC still online?
On the new server, ADUC, do these "users" accounts show up properly?
On these workstations, are they using the IP address of the new DC for their DNS?
MORNING WOOD Lumber Company
Guinness for Strength!!!

Post by scj6771 »

The old DC is offline, the user accounts seem to be fine and if I run IPCONFIG /ALL it shows the correct DNS server.

The issue has occurred on 3 machines so far. One of them I was able to remove from the domain and place back in, and it was able to log in. I tried that on another machine and it did not work; it would not allow me to add it back into the domain. I tried a few min later and it worked.

The third machine was located at another center and was quite stubborn. I was able to remove/add to domain but still was not able to log her in, so I had to log her in with a local account and give her access to what she needed. I called her the next day and she connected just fine with her credentials.

Post by YeOldeStonecat »

If this is out of many different workstations..you only have a couple...and the health of the existing network at that time was wobbly....yeah, that will happen. The workstations giving you issues may have had issues going on with the old DCs....like stale SIDs...and you just didn't know it. So since they broke off as an island with the old DC...naturally they wouldn't migrate over when you replicated AD from old server to new server.

Go through the motions of removing the workstation from the domain. Before re-adding it...make sure on your server side..and the computer account is removed from ADUC (may be some delay here depending on infrastructure loads). Also if you still have WINS running somewhere..make sure it's gone from there too. Once confirmed..rejoin the domain with that workstation. I like to log into a domain twice as the administrator (full reboots) before going in and adding the domain user account.

Post by scj6771 »

Thanks, that's kinda what I figured since only a few machines out of the 900 or so we have are actually having this issue, I was just afraid it would blow up into a much more serious issue.

We have just within the last week migrated fully from 2000 to 2008 R2 and still need to pull the trigger on making the switch from "Windows 2000 Native" to what I assume will be "Windows 2008 R2 Native", that will be taking place this week.

Still have much to grasp on the immense logging options and making sense of it all.

Post by YeOldeStonecat »

Take your time flipping the switch to 2k8 native.....I'd probably let it hang at 2003 functionality level for a while.

While sometimes you can make a migration in a day or two, if you can...let it go slowly. Right now I'm doing some remote work on a migration I started in July...it's a Small Business Server 2003 migration to 2k8 Standard and Exchange 2010 Standard. No need to rush...I do it a little at a time because this place can allow that to happen.

Post by scj6771 »

> I'd probably let it hang at 2003 functionality level for a while.

I'm OK with that; however, my DC states that I am still at a "Windows 2000 native" functional level. I'm assuming that's normal coming off a 2000 environment? Just wasn't sure how that could be if we no longer have any 2000 DCs?

Post by YeOldeStonecat »

Yeah it defaults to 2k level because that's what it ate for breakfast. Once you've moved all the roles over...monitor....no problem....dcpromo demote the old servers, shut 'em down...and a few days later bump it to 2k3. Let it ride for a while...when you're ready..raise functionality to native.

http://www.petri.co.il/understanding-wi ... levels.htm