Problems with Domain Controller - 2003 Server

[Arrow_Runner]

It turns out that there are definitely some conflicting group policies. I'm just going to unlink the old ones the vendor put in and start from scratch. Thank you all for your insight.

[deda]

OK, I'm a "old" newby. I never heard use different subnets on a single NIC, maybe I'm saying something stupid but doesn't work. When you have more than a NIC to access different domains/workgroups it's OK. Try to use a single subnet and your problems go away, doesn't matter the physical locations, DNS exists for this.

[zunger]

OK, I'm a "old" newby. I never heard use different subnets on a single NIC, maybe I'm saying something stupid but doesn't work. When you have more than a NIC to access different domains/workgroups it's OK. Try to use a single subnet and your problems go away, doesn't matter the physical locations, DNS exists for this.

IP Route fixes the issue with the seperate subnets on a single nic. You can add up to 127 different ip's all having different subnets in 2003 (maybe more now).

It sounds like your DC may be foobared. You may try and bring up another box to promote it as a bdc and see if your gpo/dns settings replicate to it. You're probably going to have to go through each event in ev and start by fixing one by one. If you can post a few of the errors, there might be more detailed info on troubleshooting it.

[rion]

If you realy wanna know whats up with your DC.. Run this tool from Microsoft, it creates a CAB file with a huge amount of logfiles that can show you what might be amiss!

http://download.microsoft.com/download/b/b...SRPT_DirSvc.exe

You can go thru the dcdiag.txt file to see what's the status of your domain.

Also, you can post the files for us to take a look at so we can help you!

/ Joseph

Edited October 29, 2007 by rion

[Arrow_Runner]

I've got some of the things figured out. I'll post later with what I've found.

[Arrow_Runner]

So here's what I found.

There were conflicting GPs. The one in particular forced the Shared Access service to start, but was too restrictive on permissions I believe.

The time issue is gong to be fixed today when a script on the DC makes it sync to a government time server. Also, a couple PCs weren't running the time service for some reason.

I still don't know why we're getting the other errors in event viewer, but as long as everything is working, I'm not going to worry too much about it atm.

Also, we have multiple subnets because our DC is also the server for 3 remote branches. Routers split up the networks, not the DC.

Thanks to deda for the time commands, that really helped!

I have just one finally question that's got nothing to do with the network mentioned. I have a test network at home, and I set DNS/AD up, but when I go to do an nslookup on a PC without the full domain suffix, it errors out. For example:

nslookup PC00.domain.local --Works

nslookup PC00 --Fails

What am I missing here? I've got forward and reverse zones set up correctly.

[touchstone_81]

check the primary dns suffix being used on the pc.

[Arrow_Runner]

Found the answer to that problem too, and I think you're right. I was using a 2003 Terminal Server (in domain) and XP PRO (not in domain) to run nslookup on. I'm not sure why the TS wouldn't wouldn't work, but I suppose maybe I have to manually specify the DNS suffix. Once I joined the XP Pro machine to the domain though, it's nslookups worked just fine.

Thanks!