Name resolution errors/authentication issues after moving FSMO roles
I was just wondering if anyone could shed some light as to what might have happened that could have caused this:

1) All FSMO roles were moved off of our original domain controller (PDC emulator, RADIUS, Infrastructure MGR) to other domain controllers
2) This DC was demoted via the dcpromo command to a standalone server
3) DC was rebuilt from scratch/bare metal
4) Waited two hours for replication to complete
5) DC was re-promoted to a domain controller
6) All FSMO roles were moved back to this DC throughout the next day.

At first, we noticed that users from other domains, no matter where they logged in, could not reach any resources in the domain where this server had been reinstalled. We determined that this new DC was missing a WINS replication partner. Upon replacement of the WINS partner, this issue was resolved. However, we then received reports that users were unable to authenticate from other regions but were able to authenticate locally. At this point, we engaged Microsoft to assist.

After our troubleshooting, it was determined that this problem only existed when using NETBIOS names and not the FQDN. The workaround recommended yesterday was to change the DNS suffix search order on one of the other domain's workstations. The result has been successful thus far, but only if the users resolve the system as <servername>.[originaldomainname].com. If the system resolves as <servername>.[veryolddomain].com, it prompts the user for credentials and does not allow them to authenticate. From [originaldomainname] systems, we are able to access servers using [veryolddomain].com as the DNS suffix, thereby indicating that Kerberos is functioning correctly in this domain (or NTLM is allowing authentication). Whichever the reason, I feel that we need to address this issue through more assisted research and resolve the problem instead of requiring [originaldomainname] to be higher in the DNS suffix search order on machines in the [seconddomainname] domain.
This was working prior to the rebuild of the Domain Controller and I feel that we need to address this aspect of the issue before we can determine that it has come to conclusion. Again, thank you for all your assistance and please recommend what you feel would be the next steps toward resolving this issue.
September 11th, 2009 9:00pm

Hi

Make sure the TIME is correct and not just visibly correct by having the TIME ZONE set incorrectly, so that the machines (DCs, or clients and DC) are more than 5 minutes out of time sync.

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's in the forest. If you have significant numbers of DC's this test could generate significant detail and take a long time. You also want to take into account that slow links to dc's will also add to the testing time.

If you download a gui script I wrote, it should be simple to set and run (DCDiag and NetDiag). It also has the option to run individual tests without having to learn all the switch options. The details will be output in notepad text files that pop up automagically.

The script is located on my website at http://www.pbbergs.com/windows/downloads.htm

Just select both dcdiag and netdiag and make sure verbose is set. (Leave the default settings for dcdiag as set when selected.) When complete, search for fail, error and warning messages.

Description and download for dnslint: http://support.microsoft.com/kb/321045

Hope this helps!
Deva
Don't do what others say - listen to them, but do what you feel good doing.
September 12th, 2009 1:04pm

Hello,
Please post a complete dcdiag /v on this forum so we can examine it and see if anything is wrong.
Isaac Oben MCITP:EA, MCSE
September 12th, 2009 6:42pm

Hello,
Please describe your network setup in more detail: how many DCs in total, sites and how DNS is configured, AD integrated zones etc. Depending on your topology configuration, 2 hours can be too little time for replication to complete. The inter-site default, for example, is 180 minutes.

Changing the DNS suffix search order doesn't sound like a solution to me; you didn't change the domain name according to your description, or did you? You also talk about "veryolddomain.com" and "originaldomainname.com", please clarify this in more detail.

At the moment it sounds to me that the reinstalled DC was added back too early and that you also moved the 5 FSMO roles back too early. Please provide the output of "netdom query fsmo" from one existing/older DC and from the newly reinstalled DC.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
September 13th, 2009 12:51am
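As an added example (not code from Deva, Meinolf or the original poster), this PowerShell script collects the diagnostics the two replies above ask for, flags the clock skew Deva warns about, and adds the per-suffix resolution and SPN check that the original poster's NetBIOS-vs-FQDN symptom calls for. It assumes RSAT with the ActiveDirectory module, WinRM access to the DCs, and placeholder values for $OutDir and $ServerName.

```powershell
# Added example, not code from any poster in this thread. Assumptions: elevated
# PowerShell on a domain-joined admin host with RSAT (ActiveDirectory module,
# dcdiag, repadmin, netdom, w32tm, setspn) and WinRM access to every DC.
# $OutDir and $ServerName are placeholders, not values from the thread.
param(
    [string]$OutDir     = "C:\ADDiag",
    [string]$ServerName = "fileserver01"   # the short (NetBIOS) name users type
)
Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$dcs   = (Get-ADDomainController -Filter *).HostName
$first = $dcs[0]

# 1. Deva's collection: verbose dcdiag across the forest (/E), the replication
#    picture, and what each DC believes about FSMO ownership (Meinolf's request).
dcdiag /v /c /d /e "/s:$first"                  | Out-File "$OutDir\dcdiag.log"
repadmin /showrepl * /verbose /all /intersite   | Out-File "$OutDir\repl.log"
foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ScriptBlock { netdom query fsmo } |
        Out-File "$OutDir\fsmo-$dc.log"
}

# 2. Deva's time check: a wrong time zone can make clocks look right while the
#    real offset exceeds the 5-minute Kerberos tolerance, so measure it.
foreach ($dc in $dcs) {
    $last = (w32tm /stripchart /computer:$dc /samples:1 /dataonly) | Select-Object -Last 1
    if ($last -match '([+-]\d+\.\d+)s') {
        $skew = [math]::Abs([double]$Matches[1])
        if ($skew -gt 300) { Write-Warning "$dc is $skew s off this host's clock" }
    }
}

# 3. Read the logs the way Deva suggests: pull out fail/error/warning lines.
Select-String -Path "$OutDir\*.log" -Pattern 'fail|error|warning' |
    Select-Object Filename, LineNumber, Line | Format-Table -AutoSize

# 4. The OP's symptom: the same short name works or prompts for credentials
#    depending on which suffix completes it. For each suffix in the search list,
#    show the address it resolves to and whether a HOST SPN exists for that
#    FQDN; without a matching SPN the KDC cannot issue a ticket for that name.
foreach ($suffix in (Get-DnsClientGlobalSetting).SuffixSearchList) {
    $fqdn = "$ServerName.$suffix"
    $a    = Resolve-DnsName $fqdn -Type A -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    $spn  = setspn -Q "HOST/$fqdn" | Select-String 'Existing SPN found'
    "{0,-45} {1,-16} SPN: {2}" -f $fqdn,
        $(if ($a) { $a.IPAddress } else { 'no A record' }),
        $(if ($spn) { 'yes' } else { 'no' })
}
```

A name that resolves but shows SPN: no is the case to look at first, since that is the combination in which Kerberos cannot be used for that server name.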
