Authentication failover between domain controllers.

  • Authentication failover between domain controllers.

    I manage two Windows 2003 interim domains that were upgraded from NT4 domains a couple of years ago. We still have 3 NT workstations on one of the domains.

    I have been encountering a problem since we migrated that I have been unable to solve. Due to the nature of the problem, I can't go and do much testing.

    For both domains, whenever I have to take one of the domain controllers down, it appears that authentication begins failing for all systems that were using that domain controller to authenticate with. Authentication is never picked up by the domain controller that is still up. All systems that originally authenticated with the active domain controller can carry on - business as usual. All others must either log off and back on (authenticating with the other server), or wait until the other domain controller comes back up.

    I have no replication issues and all of the common tests (dcdiag, netdiag, etc.) have always come back pristine since we went to Active Directory.

    I'll try to give a little more information, but if more is needed I will provide it. Both domain controllers (this pertains to both domains) run DNS services, WINS services and only one domain has a DHCP server (which is on what would be considered the Master DC). FSMO roles have been divvied up according to MS 'best practices'.

    There are two other sites in one of these domains - one has a single domain controller and the other has two domain controllers. To my knowledge (I don't actively manage it as we have an onsite administrator there), the one with two domain controllers does not exhibit this behavior, but it was migrated at the same time and in exactly the same fashion - I even did the migration.

    I'm not sure where else to look. I've not found much Googling and considering there are no errors or other negative indicators, I don't have much else to go on. Shouldn't failover authentication 'just work' in an AD environment? It's becoming very difficult to perform updates and other maintenance tasks unless we exclude the domain controllers.

    Thanks for any help you can provide!

  • #2
    Re: Authentication failover between domain controllers.

    Are both DCs also GCs?
    Also, if it's an IP issue (I don't believe that, though), you can split the scope and have 2 DHCP scopes running, 1 on every DC.
    Last edited by Dumber; 19th December 2008, 21:28. Reason: spelling
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Authentication failover between domain controllers.

      Thanks for replying.

      Yes, all of my DCs have GC enabled.

      DHCP should not be a factor (at least in some case) since I have this authentication issue on a domain that does not use DHCP (purely static addressing).

      I do plan on splitting DHCP duties at some point, but I really wanted to get this resolved before I get into it.

      Thanks again.



      • #4
        Re: Authentication failover between domain controllers.

        Can you run Netdom query fsmo and post it here?



        • #5
          Re: Authentication failover between domain controllers.

          Sorry for the delay - you know how Fridays are.

          I ran netdom and to my surprise, all the FSMO roles were on my 'primary'. I know I changed those, so I'm unsure how they could have gotten transferred back.

          Anyway, would this really cause an issue like I'm experiencing? Despite all roles being on one server, there aren't many clients (roughly 20 servers, 30 production systems and 100-125 user workstations).



          • #6
            Re: Authentication failover between domain controllers.

            usually not...
            I was just checking.

            Can you run DCdiag and Netdiag and post it back?



            • #7
              Re: Authentication failover between domain controllers.

              DCDIAG
              Code:
              Domain Controller Diagnosis
              Performing initial setup:
                 Done gathering initial info.
              Doing initial required tests
                 
                 Testing server: Atlanta\DXDCAD01
                    Starting test: Connectivity
                       ......................... DXDCAD01 passed test Connectivity
              Doing primary tests
                 
                 Testing server: Atlanta\DXDCAD01
                    Starting test: Replications
                       ......................... DXDCAD01 passed test Replications
                    Starting test: NCSecDesc
                       ......................... DXDCAD01 passed test NCSecDesc
                    Starting test: NetLogons
                       ......................... DXDCAD01 passed test NetLogons
                    Starting test: Advertising
                       ......................... DXDCAD01 passed test Advertising
                    Starting test: KnowsOfRoleHolders
                       ......................... DXDCAD01 passed test KnowsOfRoleHolders
                    Starting test: RidManager
                       ......................... DXDCAD01 passed test RidManager
                    Starting test: MachineAccount
                       ......................... DXDCAD01 passed test MachineAccount
                    Starting test: Services
                       ......................... DXDCAD01 passed test Services
                    Starting test: ObjectsReplicated
                       ......................... DXDCAD01 passed test ObjectsReplicated
                    Starting test: frssysvol
                       ......................... DXDCAD01 passed test frssysvol
                    Starting test: frsevent
                       ......................... DXDCAD01 passed test frsevent
                    Starting test: kccevent
                       ......................... DXDCAD01 passed test kccevent
                    Starting test: systemlog
                       An Error Event occured.  EventID: 0x40011006
                          Time Generated: 12/22/2008   07:08:30
                          Event String: The connection was aborted by the remote WINS.
                       An Error Event occured.  EventID: 0x40011006
                          Time Generated: 12/22/2008   07:38:29
                          Event String: The connection was aborted by the remote WINS.
                       ......................... DXDCAD01 failed test systemlog
                    Starting test: VerifyReferences
                       ......................... DXDCAD01 passed test VerifyReferences
                 
                 Running partition tests on : ForestDnsZones
                    Starting test: CrossRefValidation
                       ......................... ForestDnsZones passed test CrossRefValidation
                    Starting test: CheckSDRefDom
                       ......................... ForestDnsZones passed test CheckSDRefDom
                 
                 Running partition tests on : DomainDnsZones
                    Starting test: CrossRefValidation
                       ......................... DomainDnsZones passed test CrossRefValidation
                    Starting test: CheckSDRefDom
                       ......................... DomainDnsZones passed test CheckSDRefDom
                 
                 Running partition tests on : Schema
                    Starting test: CrossRefValidation
                       ......................... Schema passed test CrossRefValidation
                    Starting test: CheckSDRefDom
                       ......................... Schema passed test CheckSDRefDom
                 
                 Running partition tests on : Configuration
                    Starting test: CrossRefValidation
                       ......................... Configuration passed test CrossRefValidation
                    Starting test: CheckSDRefDom
                       ......................... Configuration passed test CheckSDRefDom
                 
                 Running partition tests on : datamatx
                    Starting test: CrossRefValidation
                       ......................... datamatx passed test CrossRefValidation
                    Starting test: CheckSDRefDom
                       ......................... datamatx passed test CheckSDRefDom
                 
                 Running enterprise tests on : datamatx.local
                    Starting test: Intersite
                       ......................... datamatx.local passed test Intersite
                    Starting test: FsmoCheck
                       ......................... datamatx.local passed test FsmoCheck
              NETDIAG
              Code:
              .........................................
              
                  Computer Name: DXDCAD01
                  DNS Host Name: DXDCAD01.datamatx.local
                  System info : Microsoft Windows Server 2003 (Build 3790)
                  Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
                  List of installed hotfixes : 
                      KB911564
                      KB921503
                      KB925398_WMP64
                      KB925902
                      KB926122
                      KB926139
                      KB927891
                      KB929123
                      KB930178
                      KB931768
                      KB931784
                      KB931836
                      KB932168
                      KB933360
                      KB933566
                      KB933729
                      KB933854
                      KB935839
                      KB935840
                      KB935966
                      KB936021
                      KB936357
                      KB936782
                      KB937143
                      KB938127
                      KB938127-IE7
                      KB938464
                      KB939653
                      KB941202
                      KB941568
                      KB941569
                      KB941644
                      KB941672
                      KB941693
                      KB942615
                      KB942763
                      KB942830
                      KB942831
                      KB942840
                      KB943055
                      KB943460
                      KB943484
                      KB943485
                      KB943729
                      KB944338
                      KB944533
                      KB944653
                      KB945553
                      KB946026
                      KB947864
                      KB948496
                      KB948590
                      KB948745
                      KB948881
                      KB949014
                      KB950759
                      KB950759-IE7
                      KB950760
                      KB950762
                      KB950974
                      KB951066
                      KB951072-v2
                      KB951698
                      KB951746
                      KB951748
                      KB952069
                      KB952954
                      KB954211
                      KB954600
                      KB955069
                      KB955839
                      KB956390-IE7
                      KB956391
                      KB956802
                      KB956803
                      KB956841
                      KB957095
                      KB957097
                      KB958215-IE7
                      KB958644
                      Q147222
              
              
              Netcard queries test . . . . . . . : Passed
              
              
              
              Per interface results:
              
                  Adapter : Local Area Connection
              
                      Netcard queries test . . . : Passed
              
                      Host Name. . . . . . . . . : DXDCAD01.xxx.local
                      IP Address . . . . . . . . : 192.168.xxx.xxx
                      Subnet Mask. . . . . . . . : 255.255.255.0
                      Default Gateway. . . . . . : 192.168.xxx.xxx
                      Primary WINS Server. . . . : 192.168.xxx.xxx
                      Secondary WINS Server. . . : 127.0.0.1
                      Dns Servers. . . . . . . . : 127.0.0.1
                                                   192.168.xxx.xxx
              
              
                      AutoConfiguration results. . . . . . : Passed
              
                      Default gateway test . . . : Passed
              
                      NetBT name test. . . . . . : Passed
                      [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
              
                      WINS service test. . . . . : Passed
              
              
              Global results:
              
              
              Domain membership test . . . . . . : Passed
              
              
              NetBT transports test. . . . . . . : Passed
                  List of NetBt transports currently configured:
                      NetBT_Tcpip_{5801C3B7-BE43-4170-BA70-FFF18DE2FB37}
                  1 NetBt transport currently configured.
              
              
              Autonet address test . . . . . . . : Passed
              
              
              IP loopback ping test. . . . . . . : Passed
              
              
              Default gateway test . . . . . . . : Passed
              
              
              NetBT name test. . . . . . . . . . : Passed
                  [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
              
              
              Winsock test . . . . . . . . . . . : Passed
              
              
              DNS test . . . . . . . . . . . . . : Passed
                  PASS - All the DNS entries for DC are registered on DNS server '127.0.0.1' and other DCs also have some of the names registered.
                  PASS - All the DNS entries for DC are registered on DNS server '192.168.xxx.xxx' and other DCs also have some of the names registered.
              
              
              Redir and Browser test . . . . . . : Passed
                  List of NetBt transports currently bound to the Redir
                      NetBT_Tcpip_{5801C3B7-BE43-4170-BA70-FFF18DE2FB37}
                  The redir is bound to 1 NetBt transport.
              
                  List of NetBt transports currently bound to the browser
                      NetBT_Tcpip_{5801C3B7-BE43-4170-BA70-FFF18DE2FB37}
                  The browser is bound to 1 NetBt transport.
              
              
              DC discovery test. . . . . . . . . : Passed
              
              
              DC list test . . . . . . . . . . . : Passed
              
              
              Trust relationship test. . . . . . : Skipped
              
              
              Kerberos test. . . . . . . . . . . : Passed
              
              
              LDAP test. . . . . . . . . . . . . : Passed
              
              
              Bindings test. . . . . . . . . . . : Passed
              
              
              WAN configuration test . . . . . . : Skipped
                  No active remote access connections.
              
              
              Modem diagnostics test . . . . . . : Passed
              
              IP Security test . . . . . . . . . : Skipped
              
                  Note: run "netsh ipsec dynamic show /?" for more detailed information
              
              
              The command completed successfully

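              As an added example (not code from the thread, and not part of dcdiag or netdiag themselves), the script below does in Python what Marcel is doing by eye with the output posted above: it parses both reports and surfaces what a reviewer should look at first, namely failed tests with their event strings attached, tests that passed but still carried a [WARNING]/[FATAL] line or a logged event, and skipped tests. The sample input is constructed from the line shapes in the post; the domain name is a placeholder and the Kerberos failure is invented to exercise the failure path.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input, cut down to the line shapes dcdiag and netdiag print
# in the thread. The Kerberos failure is invented to exercise the failure path.
SAMPLE_DCDIAG = """\
Doing primary tests
   Testing server: Atlanta\\DXDCAD01
      Starting test: Replications
         ......................... DXDCAD01 passed test Replications
      Starting test: systemlog
         An Error Event occured.  EventID: 0x40011006
            Time Generated: 12/22/2008   07:08:30
            Event String: The connection was aborted by the remote WINS.
         ......................... DXDCAD01 failed test systemlog
   Running enterprise tests on : example.local
      Starting test: FsmoCheck
         ......................... example.local passed test FsmoCheck
"""
SAMPLE_NETDIAG = """\
    Computer Name: DXDCAD01
Netcard queries test . . . . . . . : Passed
Per interface results:
    Adapter : Local Area Connection
        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
Global results:
DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '127.0.0.1'.
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Failed
    [FATAL] Kerberos does not have a ticket for krbtgt/EXAMPLE.
The command completed successfully
"""

DCDIAG_START = re.compile(r"^\s*Starting test:\s*(?P<test>\S+)")
DCDIAG_EVENT = re.compile(r"An (?P<level>\w+) Event occur+ed\.\s+EventID:\s*(?P<id>0x[0-9A-Fa-f]+)")
DCDIAG_EVSTR = re.compile(r"^\s*Event String:\s*(?P<msg>.*\S)")
DCDIAG_RESULT = re.compile(r"^\s*\.{3,}\s+(?P<target>\S+)\s+(?P<verdict>passed|failed)\s+test\s+(?P<test>\S+)")
NETDIAG_RESULT = re.compile(r"^\s*(?P<test>[^.:]+?)[ .]*:\s*(?P<verdict>Passed|Failed|Skipped)\s*$")
NETDIAG_FLAG = re.compile(r"^\s*\[(?P<level>WARNING|FATAL)\]\s*(?P<msg>.*\S)")
NETDIAG_ADAPTER = re.compile(r"^\s*Adapter\s*:\s*(?P<name>.*\S)")


@dataclass
class TestResult:
    source: str      # "dcdiag" or "netdiag"
    test: str        # test name exactly as the tool printed it
    target: str      # DC or partition (dcdiag), adapter (netdiag), "" when global
    verdict: str     # "passed", "failed" or "skipped"
    details: list = field(default_factory=list)  # event strings, [WARNING]/[FATAL] lines


def parse_dcdiag(text):
    """One TestResult per '... X passed/failed test Y' line, carrying the event
    strings dcdiag printed since the matching 'Starting test:' line."""
    results, pending, event = [], [], None
    for line in text.splitlines():
        if DCDIAG_START.match(line):
            pending = []                        # new test: drop anything unattached
        elif (m := DCDIAG_EVENT.search(line)):
            event = f"{m['level']} {m['id']}"   # remembered until its Event String
        elif (m := DCDIAG_EVSTR.match(line)):
            pending.append(f"{event}: {m['msg']}")
        elif (m := DCDIAG_RESULT.match(line)):
            results.append(TestResult("dcdiag", m["test"], m["target"], m["verdict"], pending))
            pending = []
    return results


def parse_netdiag(text):
    """One TestResult per 'Name . . . : Passed/Failed/Skipped' line; a following
    [WARNING]/[FATAL] line is attached to the most recent test."""
    results, target = [], ""
    for line in text.splitlines():
        if (m := NETDIAG_ADAPTER.match(line)):
            target = m["name"]                  # inside the per-interface section
        elif line.strip() == "Global results:":
            target = ""
        elif (m := NETDIAG_RESULT.match(line)):
            results.append(TestResult("netdiag", m["test"].strip(), target, m["verdict"].lower()))
        elif (m := NETDIAG_FLAG.match(line)) and results:
            results[-1].details.append(f"[{m['level']}] {m['msg']}")
    return results


def triage(results):
    """Review order: hard failures, then passes that still logged an event or a
    warning (dcdiag reports 'passed' even when warning events were logged), then skips."""
    failed = [r for r in results if r.verdict == "failed"]
    noisy = [r for r in results if r.verdict == "passed" and r.details]
    skipped = [r for r in results if r.verdict == "skipped"]
    return failed, noisy, skipped


def summarize(dcdiag_text, netdiag_text):
    """Flatten both reports into 'tool:test' names by category."""
    failed, noisy, skipped = triage(parse_dcdiag(dcdiag_text) + parse_netdiag(netdiag_text))
    return {"failed": [f"{r.source}:{r.test}" for r in failed],
            "warnings": [f"{r.source}:{r.test}" for r in noisy],
            "skipped": [f"{r.source}:{r.test}" for r in skipped]}


if __name__ == "__main__":
    for r in parse_dcdiag(SAMPLE_DCDIAG) + parse_netdiag(SAMPLE_NETDIAG):
        print(f"{r.source:8} {r.verdict:8} {r.test} [{r.target}]")
        for d in r.details:
            print(f"           {d}")
    print(summarize(SAMPLE_DCDIAG, SAMPLE_NETDIAG))
```

              Against real output (dcdiag > dcdiag.txt, netdiag > netdiag.txt, then pass the file contents to summarize()), the posted reports would come back with a single failure, dcdiag:systemlog with the two "connection was aborted by the remote WINS" events attached, plus the NetBT name warnings and the skipped Trust relationship, WAN configuration and IP Security tests; that is the one lead in an otherwise clean pair of reports.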


              • #8
                Re: Authentication failover between domain controllers.

                Are both the DCs in the same domain?



                • #9
                  Re: Authentication failover between domain controllers.

                  Yes.

                  2 DCs in an Atlanta, GA site, 2 in a Richmond, VA site and 1 in a Phoenix, AZ site.

                  We also have a second domain in Atlanta that has two DCs.

                  If one DC goes down in either domain (restricted to sites in the first domain), then all systems that logged onto it do not automatically start reauthenticating with the other DC. They become unable to access other systems and other systems cannot access them.
