Users can't log into child DC if Root forest DC is down


  • Users can't log into child DC if Root forest DC is down

    Hello All,

    Here is my setup:

    Forest and Domain levels are: Windows Server 2003
    All servers are running: Windows Server 2003 R2 /w SP2

    My AD Site setup:

    root forest:

    example.com

    rootserv1 - DC, Global catalog, all 5 FSMO roles, DNS - AD integrated
    rootserv2 - DC, Global catalog

    Child.example.com

    childserv1 - DC, DNS (AD integrated), PDC, RID, Infrastructure
    childserv2 - DC, DNS (AD integrated)


    My question is, when I was powering down the root servers for maintenance, I realized that users (workstations and user accounts exist only on the child domain) cannot log into the child domain while the root forest servers were down. I thought the child domain logins are independent of the root servers? Did I misconfigure something?

    thanks in advance

  • #2
    Re: Users can't log into child DC if Root forest DC is down

    Do you have any GC (global catalog) server on your child domain?
    How is the DNS configured on the domain members' desktops? Are they pointing to childDSs?
    Did you look into the Event logs after the failed login?
    Regards,
    Csaba Papp
    MCSA+messaging, MCSE, CCNA



    • #3
      Re: Users can't log into child DC if Root forest DC is down

      >>Do you have any GC (global catalog) server on your child domain?

      I didn't configure GCs in my child domain. Only in the root forest.

      >>How is the dns configured on the domain member's desktops? Are they pointing to childDSs?

      The desktop members' DNS is pointing to the child domain servers' DNS.

      Was it because I didn't have a GC in the child domain?



      • #4
        Re: Users can't log into child DC if Root forest DC is down

        Global Catalog servers are required to validate user logins; see this link: http://support.microsoft.com/default.aspx/kb/216970

        Instead of communicating with every domain in the forest to enumerate the universal groups from each (domain), the member list of each universal group is replicated to Global Catalog (GC) servers, making it easier for a domain controller to query one location for all universal groups of which the user is a member.

        ....

        When authentication occurs, the domain controller that is authenticating the user's logon request needs to locate a GC in order to construct the universal groups to which that user belongs.
        You should have at least one GC in each domain.
        Last edited by JDMils; 25th September 2007, 01:27.
        |
        +-- JDMils
        |
        +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
        |



        • #5
          Re: Users can't log into child DC if Root forest DC is down

          doh!

          thanks a lot guys. I had misunderstood the function of the GC. I'll add one to the child domain.

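The dependency worked out in this thread, as an added example that is not part of any post: a simplified Python model of the posted topology that reports which domains rely on another domain's global catalog and what a root outage does to logons. The inventory is constructed from the first post, and the function names and the logon rule (one reachable DC in the user's domain plus one reachable GC anywhere in the forest) are assumptions made for illustration.

```python
# Constructed inventory mirroring the topology in the first post.
# Tuples are (domain, dc_name, is_global_catalog).
ORIGINAL = [
    ("example.com", "rootserv1", True),
    ("example.com", "rootserv2", True),
    ("child.example.com", "childserv1", False),
    ("child.example.com", "childserv2", False),
]

def promote_to_gc(inventory, dc_name):
    """Return a copy of the inventory with dc_name flagged as a GC."""
    return [(d, n, gc or n == dc_name) for d, n, gc in inventory]

def domains_without_gc(inventory):
    """Domains that host no GC of their own and so depend on another domain's."""
    domains = {d for d, _, _ in inventory}
    with_gc = {d for d, _, gc in inventory if gc}
    return sorted(domains - with_gc)

def logon_status(inventory, offline):
    """Per-domain logon outcome when the DCs named in `offline` are down.

    Simplified model (assumption): a logon needs one reachable DC in the
    user's domain plus one reachable GC anywhere in the forest. Site
    affinity and universal group membership caching are ignored.
    """
    up = [(d, n, gc) for d, n, gc in inventory if n not in offline]
    gc_reachable = any(gc for _, _, gc in up)
    status = {}
    for domain in sorted({d for d, _, _ in inventory}):
        if not any(d == domain for d, _, _ in up):
            status[domain] = "fail: no domain controller reachable"
        elif not gc_reachable:
            status[domain] = "fail: no global catalog reachable"
        else:
            status[domain] = "ok"
    return status

if __name__ == "__main__":
    root_down = {"rootserv1", "rootserv2"}
    for label, inv in (("original", ORIGINAL),
                       ("childserv1 as GC", promote_to_gc(ORIGINAL, "childserv1"))):
        print(label, "| domains without a GC:", domains_without_gc(inv))
        for domain, result in logon_status(inv, root_down).items():
            print("   ", domain, "->", result)
```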
