I've got two domain controllers.
The first, a Win2k3 Server, is my PDC for all of my FSMO roles.
The second, a Win2k Server, is a BDC, and also my GC server.
From the Win2k3 Server I can access Active Directory, connect to either domain controller, and see all of my users and groups. In Active Directory Sites and Services I can see both of my servers under my Default First Site. When connected to the 2k3 Server I can replicate from the 2k Server, but not to the 2k Server. When attempting to replicate to the 2k Server I get an Access Denied error.
From the Win2k Server I can access Active Directory, but cannot connect to the Win2k3 DC. On the 2k Server, when I attempt to replicate in either direction from AD Sites and Services, I get "The target principal name is incorrect".
My users seem to be randomly impacted. From my workstation I authenticate through the PDC, my logon script runs normally, and I have full access to all network drives.
From other users' accounts, the behavior is sporadic, but falls into one of the following two categories:
1. Most of the time their computers appear to use cached credentials to authenticate into Windows (the type of behavior exhibited if you have a laptop and disconnect it from the network where your PDC is). In this instance, they can see the computers on the network, including the Win2k3 Server, but cannot access any files on the Win2k3 Server. In instances where this is the case, the logon script does not run.
2. Other times users appear to authenticate through the BDC (Win2k) Server. In these instances, the logon script appears to run properly, and again they can view all machines in the domain, but when they attempt to connect to the Win2k3 Server they receive the error "The target account name is incorrect".
In either case where the user does not authenticate through the PDC, I can still ping the PDC by NetBIOS name and/or IP address. Computers that cannot access the files on the PDC can still access the IMAP server that's hosted on that box because it's addressed by IP.
The problem I am having in troubleshooting this is that I cannot explain why some users are impacted and others are not. I cannot seem to find a setting or conflict that would allow some users to authenticate through the PDC properly while forcing other users to authenticate through the BDC or using cached credentials. I'd like to know a couple of things:
1. Is there a way using GPO to restrict the use of cached credentials (i.e. force the systems to look for the PDC when connecting to the domain)?
2. Has anyone encountered anything like this and have a good direction for troubleshooting?
3. Why would something like this change? Our domain controllers have been stable for several months prior to this, and then beginning yesterday I lost access to shared applications on the PDC.
Thanks all for any help,