Re: Windows 2003 domain PDC emulator down and users unable to login
- From: "Ace Fekay [MVP]" <PleaseSubstituteMyActualFirstName&LastNameHere@xxxxxxxxxxx>
- Date: Tue, 31 Jan 2006 01:10:46 -0500
In news:1138596284.457123.179070@xxxxxxxxxxxxxxxxxxxxxxxxxxxx,
Vern <vernon@xxxxxxxx> stated, which I commented on below:
> My environment:
> Windows Server 2003 in Native Mode
> 1st domain controller (DC1): PDC emulator, Global Catalog, DNS, WINS &
> DHCP.
> 2nd domain controller (DC2): Global Catalog, DNS, WINS
> Workstations: All Windows XP Pro, most with SP1 & rest with SP2
> DNS on both servers contain all the records for both controllers. So
> does WINS.
> The domain has been up since June 2005 with no major or even minor
> problems AD wise.
>
> My problem:
> After hours, installed an application on DC1 (PDC emulator) which
> required a reboot. During the reboot process, I was unable to login to
> the domain from any XP workstation. Repeated login attempts failed.
> Only after DC1 came back on-line was I able to login to the domain
> from an XP workstation. I was able to login to the domain on DC2 while
> DC1 was down though as you would expect.
>
> In our labs, I took 3 PCs and brought up a Windows 2000 domain (native
> mode) with the above configuration. 2 PCs for the DC1 & DC2 and 1 PC
> for the WinXP Pro. Same login failure when DC1 (PDC emulator) is
> powered off. Then duplicated the environment above with a Windows 2003
> domain with same failed login result.
>
> Question:
> Everyone, who is anyone, claims that if all of your DCs are also
> Global Catalogs then when the first installed DC (usually the one
> that will be the PDC emulator) is off-line, workstations can still
> login to the domain. This is not my experience. Anyone have any clues
> or suggestions on why?
>
> Thanks,
> Vern
I believe the workstation is caching the logon credentials and server. Try
this to eliminate caching and give it a shot:
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/AdminTips/Logon/CachedLogonHashes.html
But if the DC is not available, it should log you on with cached credentials
anyway, as long as that user's been logged on that machine at least once.
Keep in mind, the initial request goes to the GC to enumerate Universal
Groups, then the request is sent to a DC (determined by querying DNS) which
then interacts with the local security auth (LSA) to construct the access
token.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
Not sure how? It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Assimilation Imminent. Resistance is Futile.
Infinite Diversities in Infinite Combinations.
The only thing in life is change. Anything less is a blackhole consuming
unnecessary energy.
===========================
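
The reply above points at two things to check on a workstation: whether cached logons are hiding the real result, and which DCs DNS offers for the logon. The following is an added example, not part of the original thread, that checks both. The domain name `corp.example.com` is a placeholder, the forest root is assumed to have the same name as the domain, and `Resolve-DnsName` and `Test-NetConnection` are cmdlets from Windows versions later than the ones discussed here.

```powershell
# Added example, not from the original thread. Run on a domain-joined workstation.
# 'corp.example.com' is a placeholder; pass the real AD DNS domain name.
param([string]$Domain = 'corp.example.com')

# 1. Cached-logon setting. 0 disables cached logons, so a failed logon then
#    really means no DC answered instead of being masked by the local cache.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
           -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10 (default, value not set)' }
"CachedLogonsCount: $cached"

# 2. SRV records the workstation uses to locate a DC, a GC and the PDC emulator.
#    Assumption: the forest root domain has the same name as $Domain.
$queries = [ordered]@{
    'Domain controller' = "_ldap._tcp.dc._msdcs.$Domain"
    'Global catalog'    = "_ldap._tcp.gc._msdcs.$Domain"
    'PDC emulator'      = "_ldap._tcp.pdc._msdcs.$Domain"
}

$report = foreach ($role in $queries.Keys) {
    # Keep only SRV answers; additional-section A records have no NameTarget.
    $records = Resolve-DnsName -Name $queries[$role] -Type SRV `
                   -ErrorAction SilentlyContinue | Where-Object { $_.NameTarget }
    if (-not $records) {
        [pscustomobject]@{ Role = $role; Target = '(no SRV record)'
                           Port = $null; Reachable = $false }
        continue
    }
    foreach ($r in $records) {
        # Probe the port the SRV record advertises (389 for LDAP, 3268 for GC).
        $up = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port `
                  -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Role = $role; Target = $r.NameTarget
                           Port = $r.Port; Reachable = $up }
    }
}
$report | Sort-Object Role, Target | Format-Table -AutoSize
```

Run it once with both DCs up and once while DC1 reboots. If DC2 is missing from the domain controller or global catalog rows, or is listed but unreachable, the workstation cannot find a second logon server through DNS while DC1 is down.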