Domain users cannot logon to domain
- From: MartinH <nick@xxxxxxxxxxxxxx>
- Date: Fri, 16 Jun 2006 11:18:28 +0200
We are in the process of setting up a new network with 3 DCs.
Domain(1)
DC1: Domain.net
Roles: GC, AD, DNS and DHCP (with no scope)
Primary DNS: DC1 and DNS Suffix Search List: Dc3 and DC2
One NIC with fixed IP (xxx.xxx.10.xxx)
Domain(2)
DC2: Child1.Domain.net
Roles: AD, DNS (forwarding to DC1), DHCP (xxx.xxx.10.xxx), DFS
Primary DNS: DC2 and DNS Suffix Search List: Dc3 and DC1
One NIC with fixed IP (xxx.xxx.10.xxx)
Domain(3)
DC3: Child2.Domain.net
Roles: AD, DNS (forwarding to DC1 and DC2), DHCP (xxx.xxx.20.xxx), DFS
Primary DNS: DC3 and DNS Suffix Search List: Dc2 and DC1
One NIC with fixed IP (xxx.xxx.20.xxx)
DC1 and DC2 are on 1 site and DC3 is on a different site and connected
through a VPN tunnel set up using 2 3Com gateways.
The object of the setup is that every site can function when the other
sites are not reachable. So when we disconnect DC1 the other DCs still
function and when we disconnect DC1 and DC2 then DC3 should still
function as well and so on. So DC1 should only function as a bridge
between DC2 and DC3 and has no other function.
So far we were not able to reach our objective. When connection to DC1
is lost, no domain users can log on anymore on DC3 and DC2. Also user
logon on Domain(3) is slow. Booting DC2 and DC3 when DC1 is not
available takes like 20 minutes.
Snippets from dcdiag on DC3 when DC1 is not reachable...
[Replications Check,DC3] A recent replication attempt failed:
From MICKEY to DC3
Naming Context:
CN=Schema,CN=Configuration,DC=Domain,DC=net
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2006-06-14 20:15:08.
The last success occurred at 2006-06-14 02:47:50.
3 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
Testing server: Default-First-Site-Name\DC3
Starting test: Replications
[DC1] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
[DC2] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
Starting test: KnowsOfRoleHolders
Warning: THEBOSS is the Schema Owner, but is not responding
to DS RPC Bind.
[DC1] LDAP search failed with error 58,
The specified server cannot perform the requested operation..
Warning: DC1 is the Schema Owner, but is not responding to
LDAP Bind.
Warning: DC1 is the Domain Owner, but is not responding to DS
RPC Bind.
Warning: DC1 is the Domain Owner, but is not responding to
LDAP Bind.
......................... DC3 failed test KnowsOfRoleHolders
Starting test: kccevent
An Warning Event occured. EventID: 0x80000677
Time Generated: 06/16/2006 03:21:33
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000466
Time Generated: 06/16/2006 03:21:45
(Event String could not be retrieved)
......................... DC3 failed test kccevent
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error
1355
A Global Catalog Server could not be located - All GC's are
down.
......................... Domain.net failed test FsmoCheck
I tried activating a 2nd GC on DC3 but then user logon on Domain(2)
became slow so I disabled the GC again by unticking the box on sites
and computers on DC3. I didn't test user logon when GC on DC3 was
enabled.
So my question is: What do I need to do to reach my objective to get
both child DCs to keep functioning when any combination of other DCs
is not reachable?
Any help is greatly appreciated.
Martin.