Re: DC fails to authenticate when trusted DCs unavailable?



They do use DNS servers from only their own domain, with each server having a
secondary, non-AD-replicated instance of the opposite zone. So, the
production DNS servers have a secondary for the corporate zone, and
vice-versa.

To complicate matters, our DCs are also our DNS servers, and the DNS
services wouldn't start because...it couldn't authenticate!!! Something of
an endless feedback loop there, I know, but it wasn't problematic before we
added the trust.

"Meinolf Weber" wrote:

Hello accudave,

Even if the trust is not up and running, it should be possible to work/authenticate
in your own forest. So all machines in the forest use only DNS servers from
their own forest?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

We have two forests, production and corporate. Production trusts
corporate via a tree-root trust. These domains are in two separate
sites, connected by a VPN. There are no "foreign" DCs in either site,
e.g. no corporate DCs in the production site.

We had a power failure which caused all the production equipment to go
offline, and caused problems with the production VPN endpoint such
that the tunnel was down after all the servers came back up.

The production DCs failed to authenticate anything, even accounts in
their own domain, until the VPN was back up and it could contact a
corporate DC.

We got multiple 40960 errors from LSASRV:

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 6/20/2008
Time: 3:18:18 PM
User: N/A
Computer: **********
Description:
The Security System detected an authentication error for the server
ldap/**********. The failure code from authentication protocol Kerberos was
"There are currently no logon servers available to service the logon
request. (0xc000005e)".

Also multiple 5719 errors from NETLOGON:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5719
Date: 6/20/2008
Time: 3:18:18 PM
User: N/A
Computer: **********
Description:
This computer was not able to set up a secure session with a domain
controller in domain CORPORATE due to the following:
There are currently no logon servers available to service the logon
request.
This may lead to authentication problems. Make sure that this computer is
connected to the network. If the problem persists, please contact your
domain administrator.

I can understand corporate accounts not being able to authenticate,
but production couldn't either. All the services with production
domain accounts failed on startup because the DCs weren't
authenticating until the VPN came back up.

Is it normal for DCs in a trusting forest to fail completely when there are
no DCs from the trusted forest available? If not, what settings govern this?
If it is normal, short of putting a corporate DC in the production
datacenter, is there any way around this? I have a paid support case open
with Microsoft, but that is proving as productive as beating myself
with a cast iron skillet.
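Added example, not part of the thread: a small correlation script that tells the two failure patterns described above apart from the event text alone. It parses LSASRV 40960 (Kerberos status 0xc000005e, STATUS_NO_LOGON_SERVERS) and NETLOGON 5719 (secure channel to a named domain) and reports whether the unreachable domain is the DC's own domain or only a trust partner, and whether local-domain Kerberos is failing at the same time, which is the symptom the original poster saw. The event records, host name PRODDC1, DNS name production.example and the verdict strings are constructed for the example; only the wording of the two event descriptions follows the events quoted in the post.

```python
"""Correlate LSASRV 40960 and NETLOGON 5719 events from a DC.

Added example (not from the original thread). Sample events are constructed
and modelled on the ones quoted in the post; host and domain names are
hypothetical.
"""
import re

NO_LOGON_SERVERS = "0xc000005e"  # NTSTATUS quoted in the thread's 40960 event

# "authentication error for the server ldap/host. The failure code from
#  authentication protocol Kerberos was "... (0xc000005e)"."
RE_40960 = re.compile(
    r"authentication error for the server (?P<spn>\S+)\.\s.*?"
    r"authentication protocol (?P<proto>\w+) was .*?\((?P<status>0x[0-9a-fA-F]+)\)",
    re.S,
)
# "secure session with a domain controller in domain CORPORATE due to ..."
RE_5719 = re.compile(
    r"secure session with a domain controller in domain (?P<domain>\S+) due to"
)

# Constructed sample: what a DC in PRODUCTION logs while the trusted forest
# CORPORATE is unreachable and its own Kerberos logons fail as well.
SAMPLE_EVENTS = [
    {"source": "LSASRV", "id": 40960, "computer": "PRODDC1",
     "description": "The Security System detected an authentication error for the server "
                    "ldap/proddc1.production.example. The failure code from authentication "
                    "protocol Kerberos was \"There are currently no logon servers available to "
                    "service the logon request. (0xc000005e)\"."},
    {"source": "NETLOGON", "id": 5719, "computer": "PRODDC1",
     "description": "This computer was not able to set up a secure session with a domain "
                    "controller in domain CORPORATE due to the following: There are currently "
                    "no logon servers available to service the logon request."},
]


def parse_event(event):
    """Normalise one of the two event types discussed in the thread; None otherwise."""
    src, eid, desc = event["source"], event["id"], event["description"]
    if src == "LSASRV" and eid == 40960:
        m = RE_40960.search(desc)
        if m:
            return {"kind": "kerberos_failure", "spn": m["spn"],
                    "protocol": m["proto"], "status": m["status"].lower()}
    elif src == "NETLOGON" and eid == 5719:
        m = RE_5719.search(desc)
        if m:
            return {"kind": "secure_channel_failure", "domain": m["domain"].upper()}
    return None


def domain_of_spn(spn):
    """'ldap/host.dns.domain' -> 'dns.domain' (lower-cased); '' if the host has no dots."""
    host = spn.split("/", 1)[-1].split(":", 1)[0]
    return host.partition(".")[2].lower()


def classify(events, local_netbios, local_dns):
    """Summarise which domains NETLOGON could not reach and whether the DC's own
    Kerberos logons are failing (SPN in the local DNS domain, status 0xc000005e)."""
    unreachable = set()   # domains named in 5719 events
    local_kerb = 0        # 40960 NO_LOGON_SERVERS failures against local-domain SPNs
    for ev in events:
        rec = parse_event(ev)
        if rec is None:
            continue
        if rec["kind"] == "secure_channel_failure":
            unreachable.add(rec["domain"])
        elif rec["status"] == NO_LOGON_SERVERS and domain_of_spn(rec["spn"]) == local_dns.lower():
            local_kerb += 1

    trusted_only = unreachable - {local_netbios.upper()}
    if local_netbios.upper() in unreachable:
        verdict = "own-domain DC unreachable"
    elif trusted_only and local_kerb:
        verdict = "trust partner unreachable and local Kerberos failing"
    elif trusted_only:
        verdict = "trust partner unreachable only"
    else:
        verdict = "no logon-server failures"
    return {"unreachable_domains": sorted(unreachable),
            "local_kerberos_failures": local_kerb, "verdict": verdict}


if __name__ == "__main__":
    print(classify(SAMPLE_EVENTS, "PRODUCTION", "production.example"))
```

The interesting verdict is the third one: a 5719 that names only a trusted domain is expected while the VPN is down, but when it coincides with 40960 Kerberos failures against the DC's own SPNs the DC cannot find a KDC for its own realm, which points at the DC's DNS client configuration or at DNS on the DC itself not having started, rather than at the trust. With a real event log the `description` fields would come from the exported events; the regexes only rely on the wording shown in the post.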
