Re: DC fails to authenticate when trusted DCs unavailable?
- From: Meinolf Weber <meiweb(nospam)@gmx.de>
- Date: Tue, 15 Jul 2008 14:37:45 +0000 (UTC)
Hello accudave,
Please post an unedited ipconfig /all from the DC/DNS servers in the problem forest.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
They do use DNS servers from only their own domain, with each server
having a secondary, non-AD-replicated instance of the opposite zone.
So, the production DNS servers have a secondary for the corporate
zone, and vice-versa.
To complicate matters, our DCs are also our DNS servers, and the DNS
services wouldn't start because...it couldn't authenticate!!!
Something of an endless feedback loop there, I know, but it wasn't
problematic before we added the trust.
"Meinolf Weber" wrote:
Hello accudave,
Even if the trust is not up and running, it should be possible to
work/authenticate in your own forest. So all machines in the forest
use only DNS servers from their own forest?
Best regards
Meinolf Weber
We have two forests, production and corporate. Production trusts
corporate via a tree-root trust. These domains are in two separate
sites, connected by a VPN. There are no "foreign" DCs in either
site, e.g. no corporate DCs in the production site.
We had a power failure which caused all the production equipment to
go offline, and caused problems with the production VPN endpoint
such that the tunnel was down after all the servers came back up.
The production DCs failed to authenticate anything, even accounts in
their own domain, until the VPN was back up and it could contact a
corporate DC.
We got multiple 40960 errors from LSASRV:
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 6/20/2008
Time: 3:18:18 PM
User: N/A
Computer: **********
Description:
The Security System detected an authentication error for the server
ldap/**********. The failure code from authentication protocol Kerberos was
"There are currently no logon servers available to service the logon
request. (0xc000005e)".
Also multiple 5719 errors from NETLOGON:
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5719
Date: 6/20/2008
Time: 3:18:18 PM
User: N/A
Computer: **********
Description:
This computer was not able to set up a secure session with a domain
controller in domain CORPORATE due to the following:
There are currently no logon servers available to service the logon
request.
This may lead to authentication problems. Make sure that this computer
is connected to the network. If the problem persists, please contact
your domain administrator.
I can understand corporate accounts not being able to authenticate,
but production couldn't either. All the services with production
domain accounts failed on startup because the DCs weren't
authenticating until the VPN came back up.
Is it normal for DCs in a trusting forest to fail completely when there
are no DCs from the trusted forest available? If not, what settings
govern this?
If it is normal, short of putting a corporate DC in the production
datacenter, is there any way around this? I have a paid support case
open with Microsoft, but that is proving as productive as beating myself
with a cast iron skillet.
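Added triage script, not part of the thread above and not something either poster ran. It collects, from a DC in the trusting forest, the three things the discussion turns on: which DNS servers the DC itself points at (the "ipconfig /all" request), whether the DC locator SRV records for its own forest and for the trusted forest resolve, and which domain the NETLOGON 5719 / LSASRV 40960 events actually name, so you can tell "trusted forest unreachable" (expected when the VPN is down) apart from "own domain unreachable" (the behaviour the poster asks about). The forest names are placeholders, and the script assumes a current Windows Server with the DnsClient module and nltest present; on older hosts substitute ipconfig /all and nslookup for steps 1 and 2.

```powershell
# Added example (not from the original posts). Run on a DC in the trusting forest.
# $OwnDomain / $TrustedDomain are placeholder names standing in for the poster's
# "production" and "corporate" forests; $Since bounds the event-log search.
param(
    [string]$OwnDomain     = 'production.example',
    [string]$TrustedDomain = 'corporate.example',
    [datetime]$Since       = (Get-Date).AddHours(-24)
)

# 1. DNS client configuration of this DC. A DC should point at DNS servers that
#    hold its own forest's zone authoritatively, so that its own SRV records
#    resolve even when every link to the trusted forest is down.
'--- DNS servers configured on this DC ---'
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses |
    Format-Table -AutoSize

# 2. DC locator records for each forest, queried over DNS only (no cache).
#    If the own-forest lookup fails here, the DC cannot find itself or its
#    peers regardless of the state of the trust.
foreach ($d in @($OwnDomain, $TrustedDomain)) {
    $srv = "_ldap._tcp.dc._msdcs.$d"
    try {
        $rec = Resolve-DnsName -Name $srv -Type SRV -DnsOnly -ErrorAction Stop
        $targets = ($rec | Where-Object Type -eq 'SRV').NameTarget -join ', '
        "{0}: {1} DC SRV record(s): {2}" -f $d, @($rec).Count, $targets
    } catch {
        "{0}: SRV lookup for {1} FAILED: {2}" -f $d, $srv, $_.Exception.Message
    }
}

# 3. Secure-channel state for the own domain versus the trusted domain.
#    nltest /sc_query names the DC the channel is bound to, or reports the error.
foreach ($d in @($OwnDomain, $TrustedDomain)) {
    "--- nltest /sc_query:$d ---"
    nltest "/sc_query:$d" 2>&1
}

# 4. The two event IDs quoted in the thread. For each event, extract which domain
#    (5719) or which SPN (40960) the failure refers to, plus the NTSTATUS code.
$filters = @(
    @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5719;  StartTime = $Since },
    @{ LogName = 'System'; ProviderName = 'LSASRV';   Id = 40960; StartTime = $Since }
)
# With -ErrorAction SilentlyContinue, "no events found" simply yields nothing.
$events = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

$events |
    Sort-Object TimeCreated |
    ForEach-Object {
        $msg = $_.Message -replace '\s+', ' '
        # 5719: "...secure session with a domain controller in domain X due to..."
        # 40960: "...authentication error for the server ldap/host.fqdn. The failure..."
        $target = if     ($msg -match 'domain (\S+) due to')      { $Matches[1] }
                  elseif ($msg -match 'for the server (\S+)\. ')  { $Matches[1] }
                  else                                            { '?' }
        $status = if ($msg -match '\((0x[0-9a-f]{8})\)') { $Matches[1] } else { '' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $_.Id
            Target   = $target
            NTSTATUS = $status
        }
    } |
    Format-Table -AutoSize
```

Reading the output: if step 2 resolves the own-forest SRV records and step 3 shows a healthy channel to $OwnDomain while only $TrustedDomain fails, the events in step 4 should all carry the trusted domain (or SPNs in it) as Target and the failures are the expected cost of the trust being unreachable. If step 4 also lists the own domain, or step 2 fails for the own forest, the problem is local DC/DNS reachability rather than the trust, and the DNS client settings from step 1 are the first thing to compare against the "ipconfig /all" request in the thread.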