Domain login problem
-
Friday, February 08, 2013 10:57 AM
I have a small forest with a root domain and a child domain with two DCs in each domain.
The first DC (PDSvr1) has the roles PDC, RID, Infrastructure, DNS, WINS, DHCP.
The second DC (PDSvr2) has the roles Catalog, DNS, WINS.
When the network status is OK there is no problem to login to the domain for users as well as directly on the server console.
However, when there is a network problem between the two DCs, users cannot log in even though they have a network connection to either DC.
The weirdest thing is that it is not possible to log in at the PDSvr1 console either. I would expect that PDSvr1 locally has all the information it needs to verify/authenticate the admin user login.
When the network connection between the two DCs is OK again, the logins also work OK again.
The same problem applies for the servers and users in the child domain.
Can anyone explain this phenomenon?
All Replies
-
Friday, February 08, 2013 11:15 AM
The servers are Win 2003 R2 StdEd and Win 2003 StdEd respectively.
Forest and domain functional level is Win Server 2003.
-
Friday, February 08, 2013 12:55 PM (Moderator)
This sounds like you have a misconfigured DNS. Do all of your clients point to your AD DNS servers only? Do your DCs point to AD DNS only? If your DNS servers are receiving requests that aren't related to the AD DNS, they should be forwarding them to your ISP for resolution.
Post an ipconfig /all from a client and a DC that is having trouble if you don't understand how to ensure you are correctly configured.
If your DNS is correctly configured, see:
--
http://blogs.dirteam.com/blogs/paulbergson/archive/2009/01/26/troubleshooting-active-directory-issues.aspx
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com Twitter @pbbergs
http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
- Proposed As Answer by Ace Fekay [MCT] MVP Saturday, February 09, 2013 3:30 AM
-
Friday, February 08, 2013 1:53 PM
The clients refer to the internal AD DNS servers only.
The AD DNS servers are forwarding to the ISP DNS and on the "Name Servers" tab they refer to each other.
I do not understand what the ISP DNS has to do with an issue regarding internal AD login problems if the DC-DC network link has a temporary connection problem.
I will run the diagnostics proposed in the referenced blog.
-
Friday, February 08, 2013 1:58 PM (Moderator)
I want to make sure you don't have an external DNS resolver IP address in the DC or client NIC settings. This is a common thing for folks to do.
--
Paul Bergson
-
Friday, February 08, 2013 4:13 PM
When the connection between your DCs is down, try an nslookup of your domain name from any workstation. Before this test, don't forget to flush DNS. And check whether you get a ping reply from the DC as a connectivity test.
Make sure that clients have both DCs configured as DNS servers.
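The two checks the replies above ask for (no non-AD resolver on the NIC, and each AD DNS server actually able to locate a live DC after a cache flush), as an added PowerShell example that is not part of the thread. It needs the DnsClient cmdlets of Windows 8 / Server 2012 or later, so it runs on a modern client rather than on the 2003 servers in the question; the resolver addresses and the domain name are assumed placeholders for PDSvr1/PDSvr2 and mydomain.com.

```powershell
# Added example, not from the thread: verify that every resolver on this host
# is an AD DNS server and that each of them can hand out a reachable DC.
# Placeholders: replace with the real AD DNS server addresses and forest name.
$AdDnsServers = @('10.0.0.11', '10.0.0.12')   # assumed: PDSvr1, PDSvr2
$Domain       = 'mydomain.com'

Clear-DnsClientCache    # same effect as "ipconfig /flushdns" before testing

# 1. Every IPv4 resolver on every interface must be one of the AD DNS servers.
#    An ISP resolver on the NIC answers "no such name" for AD zones, and the
#    client then cannot find a DC even though both DCs are on the wire.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        foreach ($ip in $_.ServerAddresses) {
            if ($AdDnsServers -notcontains $ip) {
                Write-Warning ("{0}: resolver {1} is not an AD DNS server; external resolvers belong in forwarders, not on the NIC" -f $_.InterfaceAlias, $ip)
            }
        }
    }

# 2. Ask each AD DNS server for the DC locator SRV record, then ping every DC
#    it advertises. A resolver that answers but only lists targets that no
#    longer exist is exactly what stale locator records look like from a client.
foreach ($server in $AdDnsServers) {
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $server -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "$server returned no DC locator SRV record: $($_.Exception.Message)"
        continue
    }
    foreach ($rec in $srv) {
        $up = Test-Connection -ComputerName $rec.NameTarget -Count 1 -Quiet
        [pscustomobject]@{ Resolver = $server; DC = $rec.NameTarget; Port = $rec.Port; Reachable = $up }
    }
}
```

Run it once while both DCs are up to get a baseline, then again while the DC-to-DC link is broken: a DC that is still listed by its own resolver but shows Reachable = False, or a resolver that throws on the SRV query, points at the record or the server that the logon attempts were being steered to.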
-
Saturday, February 09, 2013 3:27 AM
What Paul was worried about is something that we see a lot with DNS misconfigurations and just a precaution we always ask about.
With child domains or additional trees in a forest, you must be careful designing the resolving infrastructure so all hosts can resolve everything in the forest. There are two ways to do this with child domains: a parent-child delegation with a conditional or general forwarder from the child/tree to the parent (my vote is for a conditional because it can be AD integrated), or make the zone forest wide. Either way, you'll want to make sure search suffixes are properly set on all machines. If there is one child, that will be automatic on the child, but I would add the child zone suffix to the parent hosts. If there are multiple children, they would have to be configured with a GPO or script.
Any other iterations usually result in something not resolving something else causing AD comm problems, including lack of login ability, authentication, replication, etc.
More specifics here:
DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
-
Saturday, February 09, 2013 3:29 AM
One more thing I forgot, is you want to make sure none of your DCs are multihomed (more than one unteamed NIC, IP, RRAS and/or iSCSI interfaces), or this will cause numerous issues, too.
And it's recommended that all DCs are GCs to ensure GC availability forest wide. Exchange will thank you for that, too.
Ace Fekay
-
Monday, February 11, 2013 10:57 AM
After running a couple of the proposed tests I found records such as _kerberos/_ldap._tcp.dc._msdcs.mydomain.com, _kerberos/_ldap._tcp.mysite._sites.DomainDnsZones.mydomain.com and _ldap._tcp.ForestDnsZones.mydomain.com etc., referring to servers that do not exist anymore.
This is a forest that has quite many years of history and has undergone a number of changes.
I also found that the record _kerberos/_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.com is referring to a nonexistent server, so it's obvious now that there are some misconfigurations which have not been corrected when installing/uninstalling servers.
Do you think that this can be the answer to this issue?
-
Monday, February 11, 2013 11:10 AM
You need to clean the metadata of that server. See the link for that:
http://awinish.wordpress.com/2011/05/08/metadata-cleanup-of-a-domain-controller/
Regards
Biswajit Biswas
My Blogs | MCC | TNWiki Ninja
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
- Marked As Answer by pbbergsMVP, Moderator Friday, February 15, 2013 12:59 PM
-
Monday, February 11, 2013 12:23 PM
In addition, all nonexistent DNS entries for servers that do not exist must be manually deleted. Otherwise they may be offered as query responses. You must also go through each zone's properties Nameservers tab to remove nonexistent entries.
Ace Fekay
-
Monday, February 11, 2013 12:28 PM
And as Ace stated, make sure that both domain controllers are set as Global Catalogs. Usually a GC is a requirement in the login process.
Andrei Ungureanu www.winadmin.ro
-
Monday, February 11, 2013 1:05 PM (Moderator)
When a DC is demoted it notifies the Active Directory service (all the DCs participating in the domain) that it will no longer be a part of the domain. Therefore there is no longer a need to replicate data to it, etc. Since there are DCs in the domain that think it still exists, the other DCs are still trying to communicate and work with it. When it isn't demoted, you have to manually clean up AD and DNS; this is what Ace and Biswajit are speaking about. I have a blog as well to help guide you through your problem:
--
http://blogs.dirteam.com/blogs/paulbergson/archive/2009/06/09/active-directory-cleanup-the-most-common-question-i-see.aspx
Paul Bergson
- Marked As Answer by pbbergs MVP, Moderator Friday, February 15, 2013 12:59 PM
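Finding the server objects that still need the metadata cleanup Biswajit and Paul describe, as an added PowerShell example that is not from the thread or from either blog. It uses the ActiveDirectory module (Windows Server 2008 R2 or later tooling, which is an assumption about the admin workstation, not about the 2003 DCs) and only reports: the ntdsutil command it prints for each orphan is for you to review and run, and on 2003 the same steps are typed interactively.

```powershell
# Added example, not from the thread: list DC server objects in the
# Configuration partition whose serverReference no longer resolves to an
# existing computer account, the fingerprint of a DC that was rebuilt or
# removed without a clean dcpromo. Nothing is deleted by this script.
Import-Module ActiveDirectory

# serverReference points into whichever domain the DC belonged to, so look it
# up through a global catalog rather than the local domain only.
$gc = "$((Get-ADDomainController -Discover -Service GlobalCatalog).HostName):3268"

$configNc = (Get-ADRootDSE).configurationNamingContext
$servers  = Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter '(objectClass=server)' `
                -Properties serverReference, dNSHostName

$orphans = foreach ($s in $servers) {
    # A server object with an NTDS Settings child is (or was) a DC.
    $hasNtds = [bool](Get-ADObject -SearchBase $s.DistinguishedName -SearchScope OneLevel `
                   -LDAPFilter '(objectClass=nTDSDSA)')
    if (-not $hasNtds) { continue }

    # The computer account the server object points at must still exist.
    $computerOk = $false
    if ($s.serverReference) {
        try {
            $null = Get-ADObject -Identity $s.serverReference -Server $gc -ErrorAction Stop
            $computerOk = $true
        } catch { $computerOk = $false }   # DN is gone: orphaned metadata
    }
    if ($computerOk) { continue }

    [pscustomobject]@{
        Server   = $s.Name
        Site     = (($s.DistinguishedName -split ',')[2]) -replace '^CN='
        HostName = $s.dNSHostName
        DN       = $s.DistinguishedName
    }
}

$orphans | Format-Table Server, Site, HostName -AutoSize

foreach ($o in $orphans) {
    # Windows Server 2008+ ntdsutil accepts the server DN directly; review
    # the DN against AD Sites and Services before running it.
    "ntdsutil `"metadata cleanup`" `"remove selected server $($o.DN)`" quit quit"
}
```

A DC that was cleanly demoted leaves neither a server object with NTDS Settings nor a dangling serverReference, so an empty list is the healthy result; a DC that is merely unreachable at the moment still has its computer account and is not reported, which keeps this check safe to run during the link outages the question describes.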
-
Tuesday, February 12, 2013 3:47 PM
I have removed all obsolete DNS records that I can find.
Is GC on one server sufficient, or is it beneficial to enable it on all except the Infrastructure role server?
I'm getting some test failures when running the dcdiag command "DCDIAG /V /C /D /E /s:CDSvr1 > c:\dcdiag.log".
CDSvr1 is a server in the child domain and it is reporting some access errors when trying to access a server in the parent domain, e.g., Replications, NetLogons, Services, systemlog.
Error 5 for frssysvol, frsevent and kccevent tests.
Tests between servers in the same domain passed.
Is this normal, or is it something that needs to be fixed?
Does it have anything to do with the original login issue?
-
Tuesday, February 12, 2013 5:03 PM
Hi KarBe,
There might be some other issues in your environment, but I will ignore those and speak strictly about the logon issues. If you don't have a GC server available, then logon will not be possible. The GC role has a known incompatibility with the Infrastructure role, except in the case where all your domain controllers are GCs. So the recommendation in your case is to make all your DCs Global Catalogs.
Regards.
Andrei Ungureanu www.winadmin.ro
-
Tuesday, February 12, 2013 5:53 PM
Just to add, the IM role creates phantom objects for objects in other domains in a multi-domain forest. This is how other domains find objects in other domains. In a single domain, the IM role sits idle and has nothing to do. However, the GC has references for objects in the whole forest anyway.
Therefore, if you make all DCs a GC, then the references to other objects are already available, including if the GC is on an IM. So the IM no longer has anything to do. The advantages are obvious in this design because it provides higher GC availability for services that require it and at the same time provides references to objects everywhere.
The "GC not on an IM" rule is from the beginning days of AD and is now legacy and antiquated, and following the new idea of every DC a GC has multiple advantages the old rule is short on.
Ace Fekay
-
Wednesday, February 13, 2013 9:50 AM
When running the command "repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt" on one DC I get this result:
---------------
CN=Configuration,DC=mydomain,DC=com
(null) via RPC
DC object GUID: 17e7bad1-f102-41c9-91a4-85a1a19dcd71
Address: 17e7bad1-f102-41c9-91a4-85a1a19dcd71._msdcs.mydomain.com
WRITEABLE
Last attempt @ 2012-05-16 14:46:04 failed, result 1722 (0x6ba):
The RPC server is unavailable.
1 consecutive failure(s).
Last success @ 2012-05-16 08:45:36.
----------------
I'm not able to locate this ghost GUID. It is not visible in ADSIedit. It is only reported for one DC and not for the others.
Does anyone know a way to locate where it comes from?
It is now the only failure for all the DCs reported by repadmin.
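Ace's point above about deleting stale records and Name Servers entries, and the question of where a DSA GUID that repadmin reports but ADSI Edit cannot show comes from, handled together in one added PowerShell example that is not part of the thread. It compares the DC locator records in DNS with the NTDS Settings objects that define the forest's live DCs, then looks the ghost GUID up as a live, deleted, or absent object. It assumes the DnsServer and ActiveDirectory modules (Windows Server 2012 or later tooling), a DC that hosts the zones, and treats the forest name and GUID from the redacted output as placeholders.

```powershell
# Added example, not from the thread: audit _msdcs/domain zone records
# against live DCs and explain a "ghost" DSA GUID from repadmin /showrepl.
Import-Module DnsServer, ActiveDirectory

$Forest    = 'mydomain.com'                                  # placeholder
$Zones     = @("_msdcs.$Forest", $Forest)                    # add child zones as needed
$GhostGuid = '17e7bad1-f102-41c9-91a4-85a1a19dcd71'          # from the repadmin output

# Every live DC has one nTDSDSA object. Its objectGUID is the "DSA GUID" in
# repadmin output and the label of the <guid>._msdcs CNAME that replication
# partners resolve; the parent server object carries the DC's host name.
$configNc = (Get-ADRootDSE).configurationNamingContext
$dsa = Get-ADObject -SearchBase $configNc -LDAPFilter '(objectClass=nTDSDSA)' -Properties objectGUID |
    ForEach-Object {
        $serverDn = ($_.DistinguishedName -split ',', 2)[1]
        $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName
        [pscustomobject]@{ Guid = $_.objectGUID.ToString(); Host = $server.dNSHostName }
    }
$liveHosts = $dsa.Host | Where-Object { $_ } | ForEach-Object { $_.ToLower().TrimEnd('.') }

$stale = foreach ($zone in $Zones) {
    foreach ($rr in Get-DnsServerResourceRecord -ZoneName $zone) {
        $isStale = $false; $target = $null
        switch ($rr.RecordType) {
            'CNAME' {   # <dsaGuid> alias: stale when no NTDS Settings object has that GUID
                $target  = $rr.RecordData.HostNameAlias
                $isStale = ($rr.HostName -as [guid]) -and ($dsa.Guid -notcontains $rr.HostName)
            }
            'SRV'   {   # locator records must point at a live DC host
                if ($rr.HostName -match '^_(ldap|kerberos|kpasswd|gc)\.') {
                    $target  = $rr.RecordData.DomainName
                    $isStale = $liveHosts -notcontains $target.ToLower().TrimEnd('.')
                }
            }
            'NS'    {   # the zone's "Name Servers" tab
                $target  = $rr.RecordData.NameServer
                $isStale = $liveHosts -notcontains $target.ToLower().TrimEnd('.')
            }
        }
        if ($isStale) {
            [pscustomobject]@{ Zone = $zone; Record = $rr.HostName; Type = $rr.RecordType; Target = $target; Rr = $rr }
        }
    }
}
$stale | Format-Table Zone, Record, Type, Target -AutoSize

# Locate the ghost GUID: live DC, deleted object, or nothing at all.
$hit = $dsa | Where-Object Guid -eq $GhostGuid
if ($hit) {
    "DSA GUID $GhostGuid belongs to live DC $($hit.Host)"
} else {
    $dead = Get-ADObject -Filter "objectGUID -eq '$GhostGuid'" -IncludeDeletedObjects -ErrorAction SilentlyContinue
    if ($dead) { "DSA GUID $GhostGuid is a deleted object: $($dead.DistinguishedName)" }
    else       { "DSA GUID $GhostGuid has no object in this forest; the link is leftover metadata for a DC that was never cleaned up" }
}

# After reviewing the table, delete the stale records (drop -WhatIf to commit):
# $stale | ForEach-Object { Remove-DnsServerResourceRecord -ZoneName $_.Zone -InputObject $_.Rr -Force -WhatIf }
```

The removal line passes each record object back with -InputObject rather than deleting by name, because several SRV records share one name (one per DC) and a delete by name would take the live ones with it.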
-
Wednesday, February 13, 2013 4:40 PM
In addition, let's see an ipconfig /all from the four DCs, and elaborate on how DNS is designed to support the parent-child forest. For example, use the following to understand available DNS design options and please post back which you've employed to support the forest:
DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx.
Also, to better understand replication between the DCs, you can use the following to check your replication topology and status before and after (these two tools, along with event log entries, PortQry GUI, and dcdiags, help me all the time figuring out replication issues).
1. ReplDIAG: (run it as repldiag > c:\repldiag.txt, then open it as a CSV in Excel choosing comma separated, to be able to clearly read the formatting)
Explained here:
Troubleshooting replication with ReplDiag.exe [part 1 of 4], Rob Bolbotowski [MSFT], Microsoft Corp, 13 Oct 2010 12:04 PM
http://blogs.technet.com/b/robertbo/archive/2010/10/13/troubleshooting-replication-with-repldiag-exe-part-1-of-4.aspx
Downloadable from:
http://activedirectoryutils.codeplex.com/releases/view/13664
2. Download the Active Directory Replication Status Tool:
http://www.microsoft.com/en-us/download/details.aspx?id=30005
Requires .Net Framework 4:
Microsoft .NET Framework 4 (Web Installer)
http://www.microsoft.com/en-us/download/details.aspx?id=17851.
3. Run PortQry GUI choosing Domains & Trusts between each other (DCs). Post only errors existing with 0x00000002.
PortQryUI - GUI - Version 2.0 8/2/2004
http://www.microsoft.com/download/en/details.aspx?id=24009
If you can't post any of the requested data, that is understandable. I hope the info we've provided regarding design and troubleshooting, will help you resolve it.
Ace Fekay
- Proposed As Answer by Aiden_CaoMicrosoft Contingent Staff, Moderator Friday, February 15, 2013 3:11 AM
- Marked As Answer by pbbergsMVP, Moderator Friday, February 15, 2013 12:59 PM
-
Friday, February 15, 2013 11:25 AM
The ReplDiag.exe reports "No topology errors found".
AD Replication Status Tool reports "The operation completed successfully" for all tested items.
To me everything seems to be OK now.
Many thanks to all of you for your advice in solving my problem.
-
Saturday, February 16, 2013 8:36 PM
Glad we were able to help!
Ace Fekay
-
Sunday, February 17, 2013 1:28 PM
I'm glad, too, that everything is working fine.
Regards
Biswajit Biswas

