One (of two) 2008 DCs will not authenticate
  • One (of two) 2008 DCs will not authenticate

    "DC1" and "DC2" - both Server 2008, same subnet, same 5 FSMO roles, both Global Catalog enabled, both run DNS. If DC1 is offline, AD seems to be unavailable - cannot log in, cannot authenticate for Outlook/OWA/ISA2006 (Exchange 2007 also on same subnet). I suspect this is a DNS issue, but need assistance before diving into the zone. Thanks.

  • #2
    Re: One (of two) 2008 DCs will not authenticate

    They can't both hold the FSMO roles.

    Have you made sure that all of the clients and servers have both DCs set up as their primary and secondary DNS server?



    • #3
      Re: One (of two) 2008 DCs will not authenticate

      Which server is Exchange installed on???



      • #4
        Re: One (of two) 2008 DCs will not authenticate

        Silly question, but are they both in the same domain, or two different ones, possibly with the same name?
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **



        • #5
          Re: One (of two) 2008 DCs will not authenticate

          Thanks for your replies.
          joeqwerty - oops - you're right. Only DC1 holds 5 FSMO roles.
          wullieb1 - Exchange is on a different box to the 2 DCs.
          Ossian - Yes, same domain (and same subnet).

          This is from the Exchange event log, which indicated it can see both DCs (names substituted for privacy):

          Process MAD.EXE (PID=3444). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
          (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
          In-site:
          "DC1" CDG 1 7 7 1 0 1 1 7 1
          "DC2" CDG 1 7 7 1 0 0 1 7 1



          • #6
            Re: One (of two) 2008 DCs will not authenticate

            I seem to remember hitting this one before -- something to do with the "SACL right" characteristics.

            Solution was to go into a GPO assigned to the Domain Controllers OU and assign the "Manage Auditing and Security Log" user right to Exchange Servers or Exchange Enterprise Servers (one is for 2003, the other for 2007-10).

            Without that right, the Exchange server will not talk to DC2.

            Sorry, no reference, but you should have enough information to find it quickly on
            Tom Jones

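An added example, not part of the thread: a small parser for the topology table quoted in post #5 that maps each row onto the column header from that event text and lists the DCs whose "SACL right" column is 0, the condition post #6 points to. The sample rows are the ones posted above; reading a 0 in that column as "Exchange lacks the right on this DC" is the assumption taken from post #6.

```python
import re

# Column names copied from the header line of the event text in post #5.
HEADER = ("Server name | Roles | Enabled | Reachability | Synchronized | "
          "GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version")
COLUMNS = [c.strip() for c in HEADER.split("|")]

# Constructed sample: header plus the two in-site rows as posted.
SAMPLE_EVENT = f'''({HEADER})
In-site:
"DC1" CDG 1 7 7 1 0 1 1 7 1
"DC2" CDG 1 7 7 1 0 0 1 7 1
'''

# A server row: optionally quoted name, then whitespace-separated values.
ROW = re.compile(r'^\s*"?(?P<name>[^"\s]+)"?\s+(?P<rest>.+)$')


def parse_topology(text):
    """Return one dict per server row, keyed by the header's column names."""
    servers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # section labels such as "In-site:"
        fields = [m.group("name")] + m.group("rest").split()
        if len(fields) != len(COLUMNS):
            continue  # header line, free text, truncated rows
        if not all(v.isdigit() for v in fields[2:]):
            continue  # every column after Roles is numeric in the posted rows
        servers.append(dict(zip(COLUMNS, fields)))
    return servers


def missing_sacl_right(servers):
    """Names of DCs whose 'SACL right' column is 0."""
    return [s["Server name"] for s in servers if s["SACL right"] == "0"]


if __name__ == "__main__":
    for s in parse_topology(SAMPLE_EVENT):
        state = "MISSING" if s["SACL right"] == "0" else "ok"
        print(f'{s["Server name"]}: SACL right={s["SACL right"]} ({state})')
```

Run against the posted rows it flags only DC2, which matches the symptom that Exchange stops working when DC1 is offline.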