Re: Domain users cannot logon to domain
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Fri, 16 Jun 2006 16:58:57 +0100
Hi
So far we were not able to reach our objective. When connection to DC1
is lost, domain users cannot logon anymore on DC3 and DC2. Also user
logon on Domain(3) is slow. Booting DC2 and DC3 when DC1 is not
available takes like 20 minutes.
1 - You need a GC available to validate logons (unless you have only one
domain or your DFL is in mixed mode), so if you only have one GC (DC1) when
IT GOES DOWN no logon can be performed.
2 - Make sure that you link the appropriate subnets to their respective
sites. If DC1 and DC2 are in the same site make sure that you create the 2
subnets and link them to the same site, if DC3 is in a different site create
a subnet to Site2.
3 - Make sure that all servers are reachable by FQDN, using DNS secondary
zones, or stub zones, forwarding, conditional forwarding.
4 - Make sure that your clients only use their local DNS servers.
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"MartinH" <nick@xxxxxxxxxxxxxx> wrote in message
news:vft4925d8t4sm406lkm41fjedj2m28fkjl@xxxxxxxxxx
We are in the process of setting up a new network with 3 DC's.
Domain(1)
DC1: Domain.net
Roles: GC, AD, DNS and DHCP (with no scope)
Primary DNS: DC1 and DNS Suffix Search List: Dc3 and DC2
One NIC with fixed IP (xxx.xxx.10.xxx)
Domain(2)
DC2: Child1.Domain.net
Roles: AD, DNS (forwarding to DC1), DHCP (xxx.xxx.10.xxx), DFS
Primary DNS: DC2 and DNS Suffix Search List: Dc3 and DC1
One NIC with fixed IP (xxx.xxx.10.xxx)
Domain(3)
DC3: Child2.Domain.net
Roles: AD, DNS (forwarding to DC1 and DC2), DHCP (xxx.xxx.20.xxx), DFS
Primary DNS: DC3 and DNS Suffix Search List: Dc2 and DC1
One NIC with fixed IP (xxx.xxx.20.xxx)
DC1 and DC2 are on 1 site and DC3 is on a different site and connected
through a VPN tunnel set up using 2 3com gateways.
The object of the setup is that every site can function when the other
sites are not reachable. So when we disconnect DC1 the other DC's still
function and when we disconnect DC1 and DC2 then DC3 should still
function as well and so on. So DC1 should only function as a bridge
between DC2 and DC3 and has no other function.
So far we were not able to reach our objective. When connection to DC1
is lost, domain users cannot logon anymore on DC3 and DC2. Also user
logon on Domain(3) is slow. Booting DC2 and DC3 when DC1 is not
available takes like 20 minutes.
Snippets from dcdiag on DC3 when DC1 is not reachable...
[Replications Check,DC3] A recent replication attempt failed:
From MICKEY to DC3
Naming Context:
CN=Schema,CN=Configuration,DC=Domain,DC=net
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2006-06-14 20:15:08.
The last success occurred at 2006-06-14 02:47:50.
3 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
Testing server: Default-First-Site-Name\DC3
Starting test: Replications
[DC1] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
[DC2] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
Starting test: KnowsOfRoleHolders
Warning: THEBOSS is the Schema Owner, but is not responding
to DS RPC Bind.
[DC1] LDAP search failed with error 58,
The specified server cannot perform the requested operation..
Warning: DC1 is the Schema Owner, but is not responding to
LDAP Bind.
Warning: DC1 is the Domain Owner, but is not responding to DS
RPC Bind.
Warning: DC1 is the Domain Owner, but is not responding to
LDAP Bind.
......................... DC3 failed test KnowsOfRoleHolders
Starting test: kccevent
An Warning Event occured. EventID: 0x80000677
Time Generated: 06/16/2006 03:21:33
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000466
Time Generated: 06/16/2006 03:21:45
(Event String could not be retrieved)
......................... DC3 failed test kccevent
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error
1355
A Global Catalog Server could not be located - All GC's are
down.
......................... Domain.net failed test FsmoCheck
I tried activating a 2nd GC on DC3 but then user logon on Domain(2)
became slow so I disabled the GC again by unticking the box on sites
and computers on DC3. I didn't test user logon when GC on DC3 was
enabled.
So my question is: What do I need to do, to reach my objective to get
both child DC's to keep functioning when any combination of other DC's
is not reachable.
Any help is greatly appreciated.
Martin.
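
A triage of the dcdiag excerpt quoted in this thread, as an added example that is not part of either poster's message: it rejoins dcdiag's wrapped lines, lists the failed tests, and flags which servers were unreachable and whether a global catalog could be located. The sample lines are copied from the thread; the function names and the mapping of error codes to the reply's points are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the dcdiag excerpt quoted in the thread,
# including the wrapped "error" / "1355" line.
SAMPLE = """\
[DC1] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
[DC2] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
[DC1] LDAP search failed with error 58,
The specified server cannot perform the requested operation..
......................... DC3 failed test KnowsOfRoleHolders
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error
1355
A Global Catalog Server could not be located - All GC's are
down.
......................... Domain.net failed test FsmoCheck
"""

# Assumed mapping from the error codes in the excerpt to the reply's advice.
HINTS = {
    1722: "RPC server unavailable: check FQDN resolution and the site link",
    1355: "no global catalog located: keep a GC reachable from every site",
    58: "server cannot perform the requested operation: target DC not answering",
}

# Optional "[SERVER] " tag, the failing call, then the numeric error code.
CALL_RE = re.compile(
    r"(?:\[([\w-]+)\] )?(\w+)(?:\(\w*\))?(?: search| call)? failed(?: with|,) error (\d+)")

def triage(text):
    """Summarise a dcdiag run: failed tests, unreachable DCs, GC availability."""
    flat = re.sub(r"\s+", " ", text)  # dcdiag wraps long lines; rejoin them first
    errors = [(srv or "local", call, int(code))
              for srv, call, code in CALL_RE.findall(flat)]
    return {
        "failed_tests": re.findall(r"\.{5,} ([\w.]+) failed test (\w+)", flat),
        "unreachable": sorted({s for s, _, c in errors if c == 1722}),
        "gc_missing": any(c == 1355 for _, _, c in errors),
        "hints": sorted({HINTS.get(c, "unmapped error %d" % c) for _, _, c in errors}),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "=", value)
```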