
Logins fail when link down


  • Logins fail when link down

    I have two sites connected via a T1. Each site has a domain controller. The problem I have is that every time the "main" site loses connectivity, the users at the remote site cannot authenticate. I have set up the remote DC as a Global Catalog server and this hasn't done anything. What can I do to make sure this remote site can authenticate no matter what?

  • #2
    Re: Logins fail when link down

    Presumably the second DC is configured as a primary DC. If so, are they replicating over the link?


    • #3
      Re: Logins fail when link down

      Primary? I don't follow. It is a Win2k3 server, not NT. The main site has the PDC role. Can there be two PDC emulators in the same domain? I thought you could only have one.... I do have the sites set up and so far as I know they are replicating. I can't even log in to the DC at the remote site when the main site is down as it tells me the domain is unavailable.

      Also, all clients are running XP.
      Last edited by Bubbagump; 22nd October 2008, 15:49.


      • #4
        Re: Logins fail when link down

        Is the DC on the second site a DNS server as well as a DC? The clients will need to be able to locate a DC in the event that the link is down and they need a functioning and contactable DNS server to do that.

        Also, make sure that the clients are configured to use the DNS on the second site. (Normally you would configure a client's DNS servers through DHCP unless you're using static IP addressing).
        I nerd therefore I am!


        • #5
          Re: Logins fail when link down

          Originally posted by Bubbagump View Post
          Primary? I don't follow. It is a Win2k3 server, not NT. The main site has the PDC role. Can there be two PDC emulators in the same domain? I thought you could only have one.... I do have the sites set up and so far as I know they are replicating. I can't even log in to the DC at the remote site when the main site is down as it tells me the domain is unavailable.

          Also, all clients are running XP.

          The main DC holds all the FSMO roles presumably. BUT all DCs in a Windows 2003 domain are authoritative and asynchronous in regards to replication depending on your settings in Sites and Services. Sorry for the confusion. The reason why I said primary was because some DCs can be configured as caching-only DCs and can't be written to. Either way you can use GPO to configure the clients to cache their login credentials in the event that a DC is unavailable. Also ensure there is a DNS server present on that "remote" subnet and the clients are pointing towards it. No DNS means no AD.


          • #6
            Re: Logins fail when link down

            The remote DC is indeed a DNS server and it is set to use itself for DNS. I checked and the remote also appears to have all the AD service records (_msdcs, _sites, etc). The DHCP server is also set to give out the remote DC's address for DNS. So everything looks peachy from a DNS standpoint.

            Here is a tidbit that may make a difference. The main site runs Win2k, not Win2k3. I don't think that should matter, but perhaps you know differently.

            As for caching the credentials, this is being done and users can log into their machines. They just can't authenticate to Exchange or the shares on the server. Additionally, as I mentioned, I can't log in to the DC when the link is down.


            • #7
              Re: Logins fail when link down

              I assume you performed all the required tasks before introducing a Windows 2003 DC into a Windows 2000 Forest?

              http://support.microsoft.com/kb/325379

              Or, was it the other way around and you promoted a Windows 2000 DC into a Win2k3 Forest? In the latter case, the domain is in mixed mode right?

              Have you run a 'dcdiag' on the DC at the second site? That might give you some insights.
              I nerd therefore I am!


              • #8
                Re: Logins fail when link down

                Ok, the plot thickens. I ran DCDIAG and the output told me:

                Starting test: NetLogons
                Unable to connect to the NETLOGON share! (\\SONIC\netlogon)
                [SONIC] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
                ......................... SONIC failed test NetLogons
                Starting test: Advertising
                Warning: DsGetDcName returned information for \\itg-080702-s01.blah.com, when we were trying to reach SONIC.
                Server is not responding or is not considered suitable.
                ......................... SONIC failed test Advertising

                So I did some digging and noticed that the SYSVOL and NETLOGON shares are missing. I reset the registry key for BurFlags to D4, restarted Netlogon and File Rep services. SYSVOL now shows up, but NETLOGON does not. Even stranger, SYSVOL has the domain folder in it, but nothing else. No staging, policies, or scripts folders.

                So where do I go now?


                • #9
                  Re: Logins fail when link down

                  There are two ways to log in to the domain from a computer.
                  1) Using the traditional legacy way:
                  USER:
                  PASSWORD:
                  DOMAIN:

                  2) Using the [email protected].
                  Next time that happens, could you see whether logging in to the domain using the "[email protected]" is working or not?
                  The reason why I am asking you this is because when you log onto the domain using this method, you are actually using the Global Catalog to log in
                  (another way of testing functionality of the GC).

                  Another question: by any chance, is the DC in the main site also holding the WINS service while the other DC is not a WINS server,
                  or alternatively is the other WINS server not on a server in the remote site (all WINS servers in the main site)?
                  Last edited by Akila; 22nd October 2008, 19:10.


                  • #10
                    Re: Logins fail when link down

                    Originally posted by Bubbagump View Post
                    So I did some digging and noticed that the SYSVOL and NETLOGON shares are missing. I reset the registry key for BurFlags to D4, restarted Netlogon and File Rep services. SYSVOL now shows up, but NETLOGON does not. Even stranger, SYSVOL has the domain folder in it, but nothing else. No staging, policies, or scripts folders.
                    So where do I go now?

                    That is because you ran an authoritative restore in a bad way.
                    D4 should only be done along with D2 on the other DC,
                    and it is not something you do without reading the TID 1000 times before you do it.
                    That might explain why they could not authenticate to the other DC: since the SYSVOL is down, the DC did not advertise itself as a DC accepting authentications.

                    Check on that DC whether you have event 13516 in the File Replication event view:

                    The File Replication Service is no longer preventing the computer DC from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.

                    Type "net share" to check for the SYSVOL share.
                    Last edited by Akila; 22nd October 2008, 19:16.


                    • #11
                      Re: Logins fail when link down

                      I tried both methods to logon and neither works.

                      So what are you saying with the BurFlags? How bad of a mess am I in?

                      As for WINS, I don't know where you are going with that, but the main site is indeed a WINS server whereas the remote site has no WINS server. I figured WINS was dead and there was no need to set it up at the new location. So what does this mean?

                      Thanks so much for everyone's help so far!

                      EDIT: It seems you added to your post. To answer your question, I do have event 13516 as you described and net share returns:


                      Share name        SYSVOL
                      Path              C:\WINDOWS\SYSVOL\sysvol
                      Remark            Logon server share
                      Maximum users     No limit
                      Users
                      Caching           Manual caching of documents
                      Permission        Everyone, READ
                                        BUILTIN\Administrators, FULL
                                        NT AUTHORITY\Authenticated Users, FULL

                      The command completed successfully.
                      Last edited by Bubbagump; 22nd October 2008, 19:21.


                      • #12
                        Re: Logins fail when link down

                        Originally posted by Bubbagump View Post
                        I tried both methods and neither works.

                        As for WINS, I don't know where you are going with that, but the main site is indeed a WINS server whereas the remote site has no WINS server. I figured WINS was dead and there was no need to set it up at the new location. So what does this mean?

                        Thanks so much for everyone's help so far!

                        WINS is not totally dead. When you use \\SERVER, you are actually using NetBIOS, and that is what we see in your events of the DCDIAG.

                        Anyway, to recover your SYSVOL, start with that thread:
                        http://forums.petri.com/showthread.php?t=25682
                        http://support.microsoft.com/kb/315457/en-us
                        Last edited by Akila; 22nd October 2008, 19:25.


                        • #13
                          Re: Logins fail when link down

                          Originally posted by Akila View Post
                          WINS is not totally dead. When you use \\SERVER, you are actually using NetBIOS, and that is what we see in your events of the DCDIAG.

                          Anyway, to recover your SYSVOL, start with that thread:
                          http://forums.petri.com/showthread.php?t=25682
                          http://support.microsoft.com/kb/315457/en-us

                          Only if DNS first fails will it use NetBIOS.

                          You ran D4 on the bad DC? If that's the case you got it backwards. Should have done D2 on the bad DC.


                          • #14
                            Re: Logins fail when link down

                            I followed the instructions in the KB article. This caused SYSVOL to disappear on the remote DC. I am getting more bewildered by the minute.

                            EDIT: Never mind, it just took a long time to show up. GPOs are now showing in the Policies folder on the remote. It looks like I fried all my GPOs with my screw up earlier... but no matter. They only really have a password policy and that can be recreated quickly.

                            Does this mean I am fixed? What can I do to test without taking everyone down?
                            Last edited by Bubbagump; 22nd October 2008, 19:59.


                            • #15
                              Re: Logins fail when link down

                              It seems the D2/D4 thing is all that was needed. The link failed again today and everything was fine at the remote site. Now my next issue is to fight with the T provider to see why their pipe fails so frequently.

                              Comment
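
Added example (not part of the thread and not any poster's code): a Python check over captured `dcdiag` and bare `net share` output that reports the two conditions the thread traced the outage to, failed NetLogons/Advertising tests and a missing SYSVOL or NETLOGON share, so a remote DC can be checked without waiting for the link to drop. The dcdiag lines are those posted in #8; the `net share` table and all function names are constructed for illustration.

```python
import re

# dcdiag prints one summary line per test: "......... SERVER passed|failed test Name"
RESULT = re.compile(r"^\s*\.{3,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)\s*$")
LOGON_TESTS = {"NetLogons", "Advertising"}   # the two tests that failed in the thread
LOGON_SHARES = {"SYSVOL", "NETLOGON"}        # shares a logon-serving DC exposes

def failed_tests(dcdiag_text, server):
    """Names of the dcdiag tests that `server` failed."""
    failed = set()
    for line in dcdiag_text.splitlines():
        m = RESULT.match(line)
        if m and m.group(1).upper() == server.upper() and m.group(2) == "failed":
            failed.add(m.group(3))
    return failed

def share_names(net_share_text):
    """Share names from the table printed by a bare `net share`."""
    names, in_table = set(), False
    for line in net_share_text.splitlines():
        if line.startswith("---"):
            in_table = True                      # rows start after the dashed rule
        elif line.startswith("The command completed"):
            break
        elif in_table and line and not line[0].isspace():
            names.add(line.split()[0].upper())   # indented lines are wrapped paths
    return names

def logon_problems(dcdiag_text, net_share_text, server):
    """Sorted list of reasons this DC would not serve logons on its own."""
    problems = [f"dcdiag test failed: {t}"
                for t in failed_tests(dcdiag_text, server) & LOGON_TESTS]
    problems += [f"share missing: {s}"
                 for s in LOGON_SHARES - share_names(net_share_text)]
    return sorted(problems)

# dcdiag lines as posted in #8; the net share table is constructed to match
# the state described there (SYSVOL back, NETLOGON still absent).
DCDIAG_POSTED = """\
......................... SONIC failed test NetLogons
......................... SONIC failed test Advertising
"""
NET_SHARE_CONSTRUCTED = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
SYSVOL       C:\\WINDOWS\\SYSVOL\\sysvol        Logon server share
The command completed successfully.
"""

if __name__ == "__main__":
    print("\n".join(logon_problems(DCDIAG_POSTED, NET_SHARE_CONSTRUCTED, "SONIC")))
```

An empty list from `logon_problems` means both tests passed and both shares are present in the captured output.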
