RE: domain authentication

From: Bill Mote (bill.mote@mem.com)
Date: 12/27/01


From: "Bill Mote" <bill.mote@mem.com>
To: "Evan Mann" <emann@questinc.org>, <focus-ms@securityfocus.com>
Date: Thu, 27 Dec 2001 08:17:04 -0500

This may not be as big a concern as you fear. When a machine tries to
authenticate to your domain it'll take whoever responds first with the
correct credentials. The fact that one of your BDCs is responding is a good
thing! It's helping distribute the load off of your PDC.

Our PDC is also our virus distribution server, our time synchronization
server, the primary file & print server, and the backup server. It's pretty
busy =) Our BDC pretty much sits idle. So, the fact that it's responding
to network login requests is understandable. It's not that your PDC doesn't
want to; maybe it's just too busy and the BDC is beating it to the punch.

Bill Mote

-----Original Message-----
From: Evan Mann [mailto:emann@questinc.org]
Sent: Wednesday, December 26, 2001 3:10 PM
To: focus-ms@securityfocus.com
Subject: domain authentication

Today I noticed a potentially large problem. My network is a hybrid with an
NT4.0 SP6a PDC and 8 NT4.0 SP6a BDCs as well as a # of Win2000 Servers just
as members to the network. 95% of my workstations are Windows 2000 Pro SP2
and this issue concerns the Win2000 computers.

It appears that not one single Windows 2000 machine on my network is
actually authenticating on the domain with the PDC. I've checked a dozen
machines and so far every one of them has a LOGONSERVER that was a BDC, and
it seems to always vary as to which BDC that is.

I've searched the KB about this and can't come up with anything that seems
to address this issue, only an issue of Win2000 machines still hitting BDCs
after a PDC has been upgraded to Win2000 Server, which is not the case here.

I'm worried this may cause problems when we do kick our PDC to Win2000
Server+AD in the next few months and would like to at least resolve the
issue while I'm on NT4 and get my workstations actually authenticating with
the PDC.


