AD Authentication
  • AD Authentication

    So we have three domain controllers DC1, DC2, and DC3 in the root domain. While patching I noticed that when DC2 is down, I cannot log in to webmail. It keeps prompting me for username and password. I also noticed that I was not able to log in to one of the child domain controllers using an enterprise admin account from the root domain.

    Once DC2 comes back up again... everything is fine. I was under the impression that when one DC is down, the others take over and provide authentication.

    Can someone guide me in troubleshooting this issue? Thanks.

    OS: Windows 2003 R2
    Mail: Exchange 2003

  • #2
    Re: AD Authentication

    Is Exchange installed on a DC? It's strongly recommended that you do not do this. If so, which server is it installed on?

    Which server(s) are DNS and Global Catalog servers?

    Which server(s) have which FSMO roles?

    Can you log on to workstations when DC2 is down?

    Any errors in the event logs on any of the servers?
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



    • #3
      Re: AD Authentication

      utdc1 holds the two forest-wide roles and is a global catalog server. utdc2 holds the rest of the roles, including infrastructure master, and is not a GC. utdc3 is also a GC server. utdc1 is primary DNS and utdc2 is secondary DNS.

      Exchange 2003 is installed in a child domain. Exchange is not installed on a domain controller (it runs on a six-node cluster with two front-end servers).

      Thanks for your help.



      • #4
        Re: AD Authentication

        Oh and I did not try logging on to a workstation when utdc2 is down. I do not see any related error messages in the event viewer.



        • #5
          Re: AD Authentication

          I'm not an expert in AD, but I'm guessing one of the FSMO roles held by server 2 is what's causing your problem.
          Gareth Howells



          • #6
            Re: AD Authentication

            Well, I can test it out: move the roles and shut down the server. But I think there might be something else going on.



            • #7
              Re: AD Authentication

              I can't think of a FSMO role that plays a part in logins other than DCs forwarding failed logins to the PDC.

              When a DC goes offline, clients still have it cached, there is a delay until things timeout and a client looks for another DC.

              I would look at a network capture while these failures are occurring.



              • #8
                Re: AD Authentication

                Hare Krsna,

                A client locates a domain controller using SRV resource records, so you might not be able to log in if DNS doesn't know about the domain controller.

                Your clients will pick up a new domain controller during logon.

                Now, there could be a replication issue: the domain partition not being in sync can cause this issue. I have a lab setup with forest root domain microsoft.com and child it.microsoft.com;
                both are DC/GC. I used an enterprise admin account and I wasn't able to log on to the child domain.


                Now here is what you need to do.

                Issue these commands (you need to have the Support Tools installed on the DC):
                repadmin /replsum
                repadmin /syncall

                replmon
                add all three servers
                expand all the partitions
                take a screenshot

                dcdiag /v
                netdiag /fix

                Get me the output.

                Check that your DNS is configured properly and that you have the right service records for the domain controllers and GC.

                In case the problem persists, get me all the info you have collected.
                Clear the application log and system log on all three domain controllers. Force replication between all three DCs.
                After that, try to log in a few times.
                Get me the application and system logs.
                Thanks & Regards
                v-2nas

                MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
                Sr. Wintel Eng. (Investment Bank)
                Independent IT Consultant and Architect
                Blog: http://www.exchadtech.blogspot.com

                Show your appreciation for my help by giving reputation points
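                The collection steps above (SRV records for DCs and GCs, repadmin, dcdiag, event logs) can be gathered in one pass. The script below is an added example and is not code from this thread or from any poster; it assumes Windows PowerShell 3.0 or later on a domain-joined admin host with repadmin, dcdiag and netdom in the PATH (Resolve-DnsName needs Windows 8 / Server 2012 or later; on older hosts nslookup -type=SRV returns the same records). The domain and forest names are placeholders. Logs are exported before anything is cleared, which is the precaution raised in the reply that follows.

```powershell
# Added example (not from the thread): collect the DC-locator, replication
# and event-log evidence asked for above, and keep it in one folder.
# Assumptions: run as a domain admin on a domain-joined host; repadmin,
# dcdiag and netdom are in PATH; the domain names below are placeholders.
param(
    [string]$Domain = 'corp.example',   # placeholder: the AD domain to check
    [string]$Forest = 'corp.example',   # placeholder: forest root (GC records live here)
    [string]$OutDir = "$env:TEMP\ad-diag-$(Get-Date -Format yyyyMMdd-HHmm)"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Which DCs and GCs does DNS actually advertise? Clients choose a DC from
#    these SRV records, so a missing record for a live DC explains "it only
#    works when DC2 is up" just as well as a FSMO role does.
$locators = @(
    "_ldap._tcp.dc._msdcs.$Domain",      # all DCs for the domain
    "_kerberos._tcp.dc._msdcs.$Domain",  # KDCs for the domain
    "_gc._tcp.$Forest"                   # global catalog servers (forest-wide)
)
$advertised = foreach ($name in $locators) {
    Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object {
            [pscustomobject]@{ Record = $name; Host = $_.NameTarget; Port = $_.Port }
        }
}
$advertised | Format-Table -AutoSize | Out-String | Tee-Object -FilePath "$OutDir\srv.txt"

# 2. Is every advertised host answering on its LDAP (389) / GC (3268) port?
#    A plain TCP connect with a short timeout; no credentials are sent.
function Test-Port([string]$Target, [int]$Port, [int]$TimeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}
$advertised | Sort-Object Host, Port -Unique | ForEach-Object {
    '{0}:{1} reachable={2}' -f $_.Host, $_.Port, (Test-Port $_.Host $_.Port)
} | Tee-Object -FilePath "$OutDir\ports.txt"

# 3. FSMO placement, replication summary and DC health, saved to files so
#    the "DC2 up" and "DC2 down" runs can be compared side by side.
netdom query fsmo       | Out-File "$OutDir\fsmo.txt"
repadmin /replsum       | Out-File "$OutDir\replsum.txt"
repadmin /showrepl *    | Out-File "$OutDir\showrepl.txt"   # per-partner status, the replmon view in text
dcdiag /v               | Out-File "$OutDir\dcdiag.txt"

# 4. Preserve the logs from every advertised DC BEFORE anyone clears them;
#    a cleared log cannot help with the next fault.
$dcs = $advertised | Where-Object { $_.Record -like '_ldap*' } |
       Select-Object -ExpandProperty Host | Sort-Object -Unique
foreach ($dc in $dcs) {
    foreach ($log in 'Application', 'System', 'Directory Service', 'DNS Server') {
        Get-EventLog -ComputerName $dc -LogName $log -After (Get-Date).AddDays(-7) -ErrorAction SilentlyContinue |
            Select-Object MachineName, TimeGenerated, EntryType, Source, EventID, Message |
            Export-Csv -Path "$OutDir\$dc-$($log -replace ' ', '_').csv" -NoTypeInformation
    }
}
Write-Host "Diagnostics written to $OutDir"
```

                Run it once with all DCs up and once with the suspect DC down; diffing srv.txt and ports.txt between the two runs shows whether clients are still being handed the offline DC, and replsum.txt shows whether the partitions were in sync before the outage started.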



                • #9
                  Re: AD Authentication

                  Originally posted by v-2nas:
                  "Clear the application log and system log on all three domain controllers"
                  If these are production servers, save the logs before clearing them. The last thing you want is to find another problem tomorrow, and not have any logs to help you diagnose it.
                  Gareth Howells



                  • #10
                    Re: AD Authentication

                    When you say "webmail", do you mean OWA (Outlook Web Access)?
                    I am not sure this is related, but it's worth mentioning anyway.
                    utdc2 is the PDCE holder, and one of the PDCE's roles is trust validation. You mentioned that Exchange is in a sub-domain
                    and access to OWA is not available.
                    Is this true for all users from all domains, or only those in the root domain?
                    What you forgot to mention is: which of those 3 DCs is the DC for the child domain?
                    Last edited by Akila; 11th November 2008, 22:36.



                    • #11
                      Re: AD Authentication

                      Just as client machines cache AD info so does Exchange. If Exchange is using DC2 for AD info then you won't be able to access your mailbox until Exchange refreshes the info and detects that DC2 is offline. How long are you waiting when DC2 is down?



                      • #12
                        Re: AD Authentication

                        Hi,

                        DC2 might be holding the PDC emulator role; please try to migrate this role to another server and try again.
                        Regards,
                        Venkatesan S



                        • #13
                          Re: AD Authentication

                          Hello,

                          Buddy, I reviewed your question once again:

                          "So we have three domain controllers DC1, DC2, and DC3 in the root domain. While patching I noticed that when DC2 is down, I can not login to webmail. It keeps prompting me for username and password. I also noticed that I was not able to login to one of the child domain controllers using enterprise admin account from root domain.

                          Once DC2 comes back up again...every thing is fine. I was under the impression when one DC is down, others take over and provide authentication.

                          Can some one guide me in troubleshooting this issue? Thanks.

                          OS:Windows 2003 R2
                          Mail: Exchange 2003
                          "
                          Now, when you said "Once DC2 comes back up again... everything is fine", where is the problem?
                          Can you explain the issue once again so I may try to help you out?
                          Thanks & Regards
                          v-2nas
