Re: Secondary (backup) domain controller not working ?
- From: "Ace Fekay [Microsoft Certified Trainer]" <aceman@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 7 Jul 2009 18:40:19 -0400
"iautran" <iautran@xxxxxxxxxxxxxxxxxx> wrote in message news:mn.3d447d97140045e2.97978@xxxxxxxxxxxxxxxxxxxxx
Ok so I think I understood correctly and it should work... but it doesn't! :D
How can I find more information about the problem, as my computer and my DCs don't have any related errors?
Can I force a Kerberos ticket granting and see what's happened?
If yes, how? :D
Thanks
Hello iautran,
It does work, and it doesn't work, depending on your expectations. The main thing is the way the local client resolver algorithm works when it is querying DNS. So it really depends on your DNS entries on your internal machines. Read the following to gain a better understanding of how the client side resolver algorithm works, and apply it to your scenario.
Also, the ipconfigs Meinolf requested would be helpful to gain a better understanding of your AD's configuration.
====================================
If one DC is down, why does it not logon to the other DC?
By Ace Fekay, updated 7/1/09
Keep in mind that if any of the DCs are multihomed (more than one NIC and/or IP), you are using your ISP's DNS, or the domain is a single label name ('domain' versus the recommended minimum of 'domain.com,' 'domain.local,' etc), other problems will occur, and you will get unexpected and undesirable results whether there is one DC down or not.
As for the second DC responding, this all depends on the DNS settings on the client side, as well as whether the previous logon server and record was cached. It will use the second address, but only after a timeout period in which the client is waiting for a response from the server. You need to understand how the client side resolver works. If the query sent to the first entry in the DNS list responds with an NXDOMAIN response, meaning it is an actual response, but there is no record from the server it asked, then it will look no further because it is a response. However, if it receives a NULL response, meaning the DNS server is down and there is no response, it will remove the first entry from the 'eligible resolvers list' for a certain amount of time (depending on the OS version and SP level), then send the query to the second one. However, if the record is already cached, it won't even ask the first entry. Hence the possibility that the client machine is asking a DC that is down.
As I mentioned, this is ALL based on the client side resolver, not the DNS server. This timeout period can be perceived by someone sitting there waiting as 'it's not working' because it appears to be taking so long. Also, if it is already cached locally by the client side service, it will not ask and will send the connection request to the cached record, which if it is the server that is down, then it can't connect anyway, and there is no response, but you may be sitting there expecting it to go to the other DC that is up. The way to reset the list is to restart the DHCP Client service (not the DHCP server) on the workstation, and the way to delete the cache on the client is to run ipconfig /flushdns, or simply restart the machine.
I hope that makes sense.
Also I am providing some links on it, however, sorry about all the links, but they will give you a better understanding of it and how it applies. They all give little but in some cases not the whole picture. The DNS Whitepaper is pretty good to start with.
How DNS Works: DNS Resolution, Client Side Resolver (Time out period, devolution, and much more)
http://technet.microsoft.com/en-us/library/cc772774.aspx#w2k3tr_dns_how_gaxc
W2k DNS White Paper- search thru for Fully-Qualified Query and Disabling the Caching Resolver:
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp
How DNS query works Domain Name System(DNS):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/0bcd97e6-b75d-48ce-83ca-bf470573ebdc.mspx
DNS Resolver Cache Service [including NetFailureCacheTime and NegativeCacheTime reg entries]:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbc_imp_qxht.asp
286834 - DNS Client Service Doesn't Revert to Using First Server in List [explained in the DNS white papers] reg to alter it too:
http://support.microsoft.com/default.aspx?scid=kb;en-us;286834
261968 - Explanation of the Server List Management Feature in the Domain Name Resolver Client:
http://support.microsoft.com/?id=261968
SP4 Changes DNS Name Resolution - Actual Query Timeout settings the resolver uses - (XP too):
http://support.microsoft.com/default.aspx?scid=kb;en-us;198550
------
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.
Ace Fekay, MCT, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
aceman@xxxxxxxxxxxxxxxxxxxxxxx
http://twitter.com/acefekay
For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
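As an added illustration (not part of Ace's post, and not Microsoft's resolver code), the following Python model plays through the client-side behaviour the post describes: a server that never answers is dropped from the eligible list for a while and the next entry is tried, an NXDOMAIN answer ends the search, and a cached record is returned without asking any server at all. The DC addresses, names, and the timing values are constructed for the example.

```python
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"   # a real answer ("no such name"): the resolver stops here
TIMEOUT = None          # no answer at all: the server is down or unreachable

@dataclass
class Resolver:
    servers: list                                   # configured DNS server order
    net_failure_time: int = 30                      # seconds a silent server stays ineligible (assumed value)
    cache: dict = field(default_factory=dict)       # name -> (answer, expiry time)
    ineligible: dict = field(default_factory=dict)  # server -> time it becomes eligible again
    log: list = field(default_factory=list)

    def resolve(self, name, now, query):
        """query(server, name) returns an IP string, NXDOMAIN, or TIMEOUT."""
        if name in self.cache and self.cache[name][1] > now:   # cached: no server is asked at all
            self.log.append(f"{name}: cache hit -> {self.cache[name][0]}")
            return self.cache[name][0]
        for srv in self.servers:
            if self.ineligible.get(srv, 0) > now:                # removed from the eligible list earlier
                self.log.append(f"{name}: skipping {srv} (ineligible)")
                continue
            answer = query(srv, name)
            if answer is TIMEOUT:                                # silence: drop it for a while, try the next entry
                self.ineligible[srv] = now + self.net_failure_time
                self.log.append(f"{name}: {srv} timed out, trying next")
                continue
            self.cache[name] = (answer, now + 60)                # any response, NXDOMAIN included, is final
            self.log.append(f"{name}: {srv} answered {answer}")
            return answer
        return TIMEOUT

    def flushdns(self):              # what ipconfig /flushdns does to the local cache
        self.cache.clear()
    def restart_dhcp_client(self):   # restarting the DHCP Client service resets the server list
        self.ineligible.clear()

# Constructed lab: DC1 (10.0.0.1) is down; DC2 (10.0.0.2) is up and holds the zone.
ZONE = {"dc1.corp.example": "10.0.0.1", "dc2.corp.example": "10.0.0.2"}
def lab_query(server, name):
    return TIMEOUT if server == "10.0.0.1" else ZONE.get(name, NXDOMAIN)

def scenario():
    r = Resolver(servers=["10.0.0.1", "10.0.0.2"])
    r.cache["dc1.corp.example"] = ("10.0.0.1", 600)           # logon-server record cached before DC1 went down
    first = r.resolve("dc2.corp.example", 0, lab_query)       # DC1 times out, DC2 answers
    second = r.resolve("nothere.corp.example", 1, lab_query)  # DC1 skipped, DC2's NXDOMAIN ends the search
    stale = r.resolve("dc1.corp.example", 2, lab_query)       # cache hit: the client keeps aiming at the dead DC
    r.flushdns(); r.restart_dhcp_client()
    retry = r.resolve("dc1.corp.example", 3, lab_query)       # list reset: DC1 asked again, times out, DC2 answers
    return first, second, stale, retry, r.log
```

Reading the returned log shows why a user sees "it's not working": the dead server costs a timeout before fail-over, and a cached record bypasses the server list entirely until the cache is flushed.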