Answered Logon DC

  • Monday, February 04, 2013 8:38 AM
     
     

    Hi Everyone,

    I have 2 DCs at the head office and one at the branch site. I've realized that once the branch network goes down, users everywhere, even at the head office, experience logon and email issues. When I run echo %LOGONSERVER% it shows the machine was authenticated by the DC at the branch.

    1. How can I set users at the head office to log on to the DCs on the LAN instead of the branch DC?

    2. How can I set users to fail over automatically to the available DCs?



    Meshack

All Replies

  • Monday, February 04, 2013 8:44 AM
     
     

    You can change the logon server from an elevated command prompt: type set logonserver=\\newserver and this will change the logon server. However, I suspect the time server is not working correctly in the domain. Please make the PDC the authoritative (NTP) time server for the entire domain, and it should point to an external time source. Use the following link to check the time server settings.

    http://support.microsoft.com/kb/816042

  • Monday, February 04, 2013 8:50 AM
     
     

    echo %LOGONSERVER%

    The above result is not correct every time, so you don't need to worry about that. Set your client DNS IPs accordingly: preferred and secondary DNS IP.

    No need to set the logon server manually.

    See the link.

    http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

    If you have a DHCP server, then you need to configure it with the right DNS settings for providing IP addresses to the clients.


    HTH
    Biswajit Biswas

    My Blogs|MCC | TNWiki Ninja  

    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin





  • Monday, February 04, 2013 9:40 AM
     
     

    Hi VenkatSP,

    Thanks for the update. I would like this to happen automatically, without having to set a specific one, so that if one fails they automatically pick any available one.

    I've already run the fix given in the link above. How can I tell if my PDC (which is running Server 2003) is the authoritative time server for the entire domain?


    Meshack

  • Monday, February 04, 2013 11:26 AM
     
     
    Have you defined sites in Active Directory Sites and Services for those two locations, and associated the physical subnets that reside at each location with the corresponding Active Directory site?

    Site Overview:
    http://technet.microsoft.com/en-us/library/cc782048(v=ws.10).aspx

    Create a site:
    http://technet.microsoft.com/en-us/library/cc728152(v=ws.10).aspx

    Create a subnet:
    http://technet.microsoft.com/en-us/library/cc740187(v=ws.10).aspx

    Associate a subnet with a site:
    http://technet.microsoft.com/en-us/library/cc780426(v=ws.10).aspx

    Run the following command on the clients to verify that they identify that they belong to the correct site (you may have to install the Windows Support Tools for 'nltest' to work on Windows XP):
    nltest /DSGETSITE


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog
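The verification step described above (nltest /DSGETSITE), together with the DNS-client-order advice from the earlier reply, turned into one client-side audit script. This is an added example, not code from the thread or from either poster. It assumes a domain-joined Windows client with nltest.exe available (built in from Vista onward, Windows Support Tools on XP) and PowerShell 3.0 or later, and it takes the domain name from the machine's own environment, so nothing in it is specific to the poster's domain. The function name Get-ClientDcLocatorState is made up for this example.

```powershell
# Added example, not from the thread: audit which site and DC a domain-joined
# client is really using, as the replies suggest doing with nltest.
# Assumptions: domain-joined Windows client, nltest.exe on the path, PowerShell 3.0+.
# Get-ClientDcLocatorState is a name made up for this example.

function Get-ClientDcLocatorState {
    $domain = $env:USERDNSDOMAIN
    $state = [ordered]@{
        Domain      = $domain
        LogonServer = $env:LOGONSERVER   # shown for comparison only; editing the variable changes nothing
        ClientSite  = $null
        LocatedDc   = $null
        DcSite      = $null
        DcFlags     = $null
        DnsServers  = @()
        Problems    = @()
    }

    # 1. Which site does the client think it is in? (DsGetSiteName, i.e. nltest /dsgetsite)
    $siteOut = (& nltest.exe /dsgetsite 2>&1 | Out-String)
    if ($siteOut -match 'ERROR_NO_SITENAME') {
        $state.Problems += 'No site: the client address matches no subnet object in AD Sites and Services.'
    } else {
        $lines = $siteOut -split "`r?`n" | Where-Object { $_.Trim() -and $_ -notmatch 'completed successfully' }
        if ($lines) { $state.ClientSite = ([string]@($lines)[0]).Trim() }
    }

    # 2. Fresh DC locator query that ignores the cached DC, then parse the answer.
    $dcOut = (& nltest.exe "/dsgetdc:$domain" /force 2>&1 | Out-String)
    if ($dcOut -match 'DC:\s*\\\\(\S+)')       { $state.LocatedDc = $Matches[1] }
    if ($dcOut -match 'Dc Site Name:\s*(\S+)')  { $state.DcSite    = $Matches[1] }
    if ($dcOut -match 'Flags:\s*([^\r\n]+)')    { $state.DcFlags   = $Matches[1].Trim() }

    if (-not $state.LocatedDc) {
        $state.Problems += "DC locator failed: $($dcOut.Trim())"
    } elseif ($state.DcFlags) {
        if ($state.DcFlags -notmatch '\bGC\b') {
            $state.Problems += "$($state.LocatedDc) is not a Global Catalog."
        }
        if ($state.DcFlags -notmatch 'CLOSE_SITE') {
            $state.Problems += "$($state.LocatedDc) is not in the closest site for this client."
        }
        if ($state.ClientSite -and $state.DcSite -and $state.ClientSite -ne $state.DcSite) {
            $state.Problems += "Client site is $($state.ClientSite) but the DC is in $($state.DcSite): no DC in the client's site, or the subnet is mapped to the wrong site."
        }
    }

    # 3. DNS client order: the advice in the thread is local DCs first, remote DC last.
    #    Win32_NetworkAdapterConfiguration works back to XP; no RSAT needed.
    $state.DnsServers = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ } | Select-Object -Unique

    [pscustomobject]$state
}

Get-ClientDcLocatorState | Format-List
```

Run it on a head-office client. An empty ClientSite (the ERROR_NO_SITENAME case) or a DcSite that names the branch means the client's address is not covered by a subnet object attached to the head-office site. LOGONSERVER is printed only for comparison, since setting that variable does not change which DC the client authenticates against.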

  • Monday, February 04, 2013 11:27 AM
     
     

    You can change the logon server from an elevated command prompt: type set logonserver=\\newserver and this will change the logon server. However, I suspect the time server is not working correctly in the domain. Please make the PDC the authoritative (NTP) time server for the entire domain, and it should point to an external time source. Use the following link to check the time server settings.

    http://support.microsoft.com/kb/816042


    This will not change the logon server; the only thing it does is change the environment variable. It doesn't change the DC the client uses for authentication at all.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • Monday, February 04, 2013 11:43 AM
     
     

    Thanks guys for the info.

    Funny enough, my DHCP is set as recommended: the two IPs of the ADs in the head office, then the branch IP as the last DNS option.

    This is how my setup is:

    Head office: has two AD servers

    1. SVR1 (2003 R2): DNS, has all the operations master roles
    2. SVR2 (2008 R2): DNS only

    The branch AD has the DNS role also.

    Observations when the branch network goes down:

    1. Users are unable to access Outlook (prompting for passwords; for others it automatically goes offline; the Exchange server is in the head office)
    2. Users are unable to access mapped network drives
    3. Users are unable to change passwords, getting the error "you do not have permissions to change your password"
    4. Most client machines are unable to resolve server names to IPs
    5. SVR1, which has all the operations master roles, couldn't load DNS records until the branch network came up (however, I could see the DNS records on SVR2)
    6. Group Policy doesn't apply on machines

    All the above issues ceased once the branch network was restored.

    Please help me avoid this occurrence.


    Meshack



  • Monday, February 04, 2013 11:48 AM
     
     
    Make sure that both your servers (DCs) are configured as Global Catalog servers (required to authenticate/log on).

    To configure a domain controller as a global catalog server

    1. Open Active Directory Sites and Services.

    2. In the console tree, right-click NTDS Settings.
    Where?
    ◦ Active Directory Sites and Services/Sites/YourApplicableSite/Servers/YourApplicableServer/NTDS Settings


    3. Click Properties.

    4. On the General page, select the Global Catalog check box.

    For more information:

    How to promote a domain controller to a global catalog server:
    http://support.microsoft.com/kb/296882?wa=wsignin1.0


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • Monday, February 04, 2013 12:10 PM
     
     
    Thanks Chris, but the above is already in place. All ADs are set as Global Catalog.

    Meshack

  • Monday, February 04, 2013 12:48 PM
     
     
    Did you verify with the following command? Does it return the correct site for the clients?
    nltest /DSGETSITE

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • Monday, February 04, 2013 2:18 PM
     
     

    Most machines are failing with the error below:

    Getting DC name failed: Status = 1919 0x77f ERROR_NO_SITENAME

    Only one was able to give Default-Site......

    What do I need to do? I've tried restarting one machine and then rejoining it to the domain, but it still doesn't get the site.


    Meshack

  • Monday, February 04, 2013 2:22 PM
     
     Answered
    First of all, have you created a site design? (i.e. have you created sites in Active Directory for the two physical locations you mention as 'Head-office' and 'Branch Office', then created the associated IP subnets in Active Directory and assigned them to those sites? This is required for making the clients location-aware so that they choose the right DC for authentication.) If not, read the links in my post above.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • Tuesday, February 05, 2013 5:23 AM
     
     Answered

    1. Create sites and associate subnets properly.

    http://technet.microsoft.com/en-us/library/cc740187(v=ws.10).aspx

    2. Create a site link if required (you need to create a site link if your network is not fully IP-routable, because Bridge All Site Links is enabled by default).

    http://technet.microsoft.com/en-us/library/cc783909(v=ws.10).aspx

    3. Make all DCs GCs.

    http://technet.microsoft.com/en-us/library/cc755257.aspx

    4. Configure the clients' primary/secondary DNS IPs properly. If there is a DHCP server, configure it accordingly.

    http://technet.microsoft.com/en-us/library/cc753782.aspx


    HTH
    Biswajit Biswas

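The four steps of the answer above, plus the Global Catalog and site/subnet steps from the earlier replies, scripted with the ActiveDirectory module. This is an added example, not code from the thread or from the linked Microsoft articles. It assumes a management host with RSAT on Windows Server 2012 / Windows 8 or later (the *-ADReplication* cmdlets do not exist on the Server 2003 and 2008 R2 DCs in the thread, where the same objects are created in Active Directory Sites and Services), takes the site names and head-office/branch subnets from the poster's own description (HEAD-OFFICE with 172.16.4.0/24 and 172.16.16.0/23, BRANCHC with 172.16.21.0/24), and invents the site-link name HEAD-OFFICE-BRANCHC and the function name Get-DcDnsClientOrder.

```powershell
# Added example, not from the thread: the four-step answer with the ActiveDirectory
# module. Requires RSAT on Windows Server 2012 / Windows 8 or later.
Import-Module ActiveDirectory

# Site design as the poster describes it; the /17 catch-all he chose instead for
# HEAD-OFFICE would be created the same way.
$design = @{
    'HEAD-OFFICE' = @('172.16.4.0/24', '172.16.16.0/23')
    'BRANCHC'     = @('172.16.21.0/24')
}

# Step 1: sites and subnets. Skips what already exists and re-points a subnet
# that is attached to the wrong site.
foreach ($site in $design.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    foreach ($cidr in $design[$site]) {
        $subnet = Get-ADReplicationSubnet -Filter "Name -eq '$cidr'"
        if (-not $subnet) {
            New-ADReplicationSubnet -Name $cidr -Site $site
        } elseif ($subnet.Site -notlike "CN=$site,*") {   # .Site holds the site's DN
            Set-ADReplicationSubnet -Identity $cidr -Site $site
        }
    }
}

# Step 2: a site link for the WAN path (DEFAULTIPSITELINK would also connect the
# two sites; a dedicated link carries its own cost and interval).
# 'HEAD-OFFICE-BRANCHC' is a name made up for this example.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'HEAD-OFFICE-BRANCHC'")) {
    New-ADReplicationSiteLink -Name 'HEAD-OFFICE-BRANCHC' -SitesIncluded 'HEAD-OFFICE', 'BRANCHC' `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# Step 3: every DC a Global Catalog. The Sites and Services check box sets bit 0
# (value 1, NTDSDSA_OPT_IS_GC) of the NTDS Settings object's 'options' attribute.
foreach ($dc in Get-ADDomainController -Filter *) {
    if (-not $dc.IsGlobalCatalog) {
        $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
        Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -bor 1) }
    }
}

# Step 4: audit each DC's own DNS client order (itself or its local peer first,
# the other site's DC last), the same ordering the DHCP scope should hand to clients.
# Get-DcDnsClientOrder is a name made up for this example.
function Get-DcDnsClientOrder {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $dns = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $dc.HostName `
                   -Filter 'IPEnabled=TRUE' | ForEach-Object { $_.DNSServerSearchOrder }
        [pscustomobject]@{
            DC         = $dc.HostName
            Site       = $dc.Site
            IsGC       = $dc.IsGlobalCatalog
            DnsServers = ($dns -join ', ')
        }
    }
}
Get-DcDnsClientOrder | Format-Table -AutoSize

# Ask the directory which site it maps a client address to (the server-side
# counterpart of nltest /dsgetsite on the client).
nltest.exe /dsaddresstosite:172.16.16.50
```

The Global Catalog change in step 3 takes effect only after the DC has replicated the partial partitions and advertises as GC; check the IsGlobalCatalog column of the audit output again afterwards rather than immediately.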


  • Tuesday, February 05, 2013 6:34 AM
     
     

    Hi All,

    Thank you for your posts; they've been helpful.

    This is how my network is:

    I have two subnets in the head office: 172.16.4.0-172.16.4.254 (used for servers, assigned manually) and 172.16.16.0-172.16.17.254 (used for client machines, assigned automatically by a DHCP server).

    The other subnets are for branches and run from 172.16.20.0 to 172.16.64.254, with each subnet representing a branch, i.e. BRANCH B 172.16.20.0, BRANCH C 172.16.21.0, BRANCH D 172.16.22.0, and so on up to BRANCH X 172.16.64.0 (hope it's making sense).

    BRANCH C, 172.16.21.0, is where I have placed another AD.

    Now I have created subnet 172.16.21.0/24 and linked it to the BRANCHC site to have them authenticate from the DC in the branch, then created 172.16.0.0/17 and linked it to the HEAD-OFFICE site to have all other branches, together with head office clients, authenticate from the HEAD-OFFICE site.

    Hope this is OK.


    Meshack
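An offline check of the subnet design in the post above, as an added example (not code from the thread): the DC locator compares the client's address against the subnet objects and takes the most specific match (longest prefix), which is what lets 172.16.21.0/24 under BRANCHC override the wider 172.16.0.0/17 under HEAD-OFFICE. The subnet table is transcribed from the post; the sample client addresses and the function names are made up. The same question can be put to the real directory with nltest /dsaddresstosite:<address>.

```powershell
# Added example, not from the thread: simulate the DC locator's longest-prefix
# subnet match against the subnet design the poster describes. Needs PowerShell 3.0+.

# Subnet objects as the post describes them (transcribed, not invented).
$subnetToSite = @{
    '172.16.0.0/17'  = 'HEAD-OFFICE'
    '172.16.21.0/24' = 'BRANCHC'
}

# IPv4 dotted quad -> integer, so prefixes can be compared with a mask.
function ConvertTo-IpInt64 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network byte order
    [Array]::Reverse($bytes)                                          # little-endian for BitConverter
    [int64][BitConverter]::ToUInt32($bytes, 0)
}

# Longest-prefix match over the subnet table: the most specific subnet that
# contains the address decides the site, as the DC locator does.
function Resolve-AdSite ([string]$ClientIp, [hashtable]$Table) {
    $addr  = ConvertTo-IpInt64 $ClientIp
    $all32 = [int64]4294967295
    $best  = $null
    foreach ($cidr in $Table.Keys) {
        $net, $bits = $cidr -split '/'
        $bits = [int]$bits
        $mask = ($all32 -shl (32 - $bits)) -band $all32
        $inSubnet = ($addr -band $mask) -eq ((ConvertTo-IpInt64 $net) -band $mask)
        if ($inSubnet -and ($null -eq $best -or $bits -gt $best.Bits)) {
            $best = [pscustomobject]@{ Subnet = $cidr; Bits = $bits; Site = $Table[$cidr] }
        }
    }
    $subnetName = if ($best) { $best.Subnet } else { '(none)' }
    $siteName   = if ($best) { $best.Site }   else { '(no site: ERROR_NO_SITENAME)' }
    [pscustomobject]@{ ClientIp = $ClientIp; Subnet = $subnetName; Site = $siteName }
}

# Made-up sample addresses, one per case worth checking:
#   172.16.16.10  head-office client  -> HEAD-OFFICE via 172.16.0.0/17
#   172.16.21.40  branch C client     -> BRANCHC via 172.16.21.0/24, the more specific match
#   172.16.64.7   branch X client     -> HEAD-OFFICE, still inside the /17
#   10.0.0.5      unmapped network    -> no site, the condition nltest reports as ERROR_NO_SITENAME
'172.16.16.10', '172.16.21.40', '172.16.64.7', '10.0.0.5' |
    ForEach-Object { Resolve-AdSite -ClientIp $_ -Table $subnetToSite } |
    Format-Table -AutoSize
```

Extending the table with one subnet object per additional branch site is how a client in a branch that later gets its own DC is steered to that DC; until then the /17 entry keeps all branches on the head-office DCs, and any address outside every subnet object reproduces the ERROR_NO_SITENAME result seen earlier in the thread.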

  • Tuesday, February 05, 2013 6:41 AM
     
     
    I'm glad that the posts have been helpful. Has the situation been resolved? (i.e. do the clients authenticate to the right DC and return the correct site name when you run 'nltest /DSGETSITE'?)

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • Tuesday, February 05, 2013 10:08 AM
     
     

    Yeah, sure, I've checked and now it seems fine.

    Now, will that resolve the issue of the DCs at the head office losing the DNS records, and the error "you do not have permissions to change your password" when users' passwords expire?


    Meshack

  • Tuesday, February 05, 2013 11:02 AM
     
     
    Not sure what you're talking about here; it seems like this is a completely different issue. If your end users can't change their password once it expires, please start a new/separate thread for that issue.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • Tuesday, February 05, 2013 11:11 AM
     
     
    Noted. Thanks Chris and all the guys, I am now sorted.

    Meshack

  • Wednesday, February 06, 2013 8:57 PM
     
     

    Hi,

    Open dssite.msc and check Subnets at the bottom of the left pane.

    You need to configure the subnets there.

    Regards,

    Siva.