2012 R2 NPS/RADIUS Server. Event ID 4402: There is no domain controller available for the domain.

    Question

  • Attempting to replace existing Windows 2003 RADIUS server with new 2012 R2 NPS/RADIUS Server. RADIUS server used for 2nd Factor SafeWord authentication. All policies and settings replicated to new NPS server. NPS server has been registered w/ AD (child.domain.com).

    When testing w/ NTRadPing Utility, continually get response: Access-Reject. Event ID 4402 "There is no domain controller for the domain domain.com" logged in System Log on NPS server.

    Unable to locate any reference to issue w/ child domains. Not sure if this error is perhaps a red herring of some sort.

    Thursday, November 12, 2015 10:00 PM

Answers

  • Contrary to what others have said, you do not need to rename your domain or back rev to 2008 non-R2.

    I was able to resolve this issue by adding the following reg key to force authentication to use the DNS name, instead of the NetBIOS name:

    HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\Builtin

    • New String Value (REG_SZ): DefaultDomain

    • Data: example.loc (or example.domain.loc)



    Friday, November 13, 2015 7:32 PM
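
An added example, not part of the original answer: one way to apply and check the registry change above from an elevated PowerShell session on the NPS server. The domain name `child.example.loc` is a placeholder, and the use of `Win32_NTDomain` to spot a NetBIOS name containing a period is an assumption of this example, not something the thread describes.

```powershell
# Added example (not from the thread). Run elevated on the NPS server.
# Placeholder: replace with the DNS name of the domain that holds the user accounts.
$DnsDomain = 'child.example.loc'
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\Builtin'
$ValueName = 'DefaultDomain'

# 1. Look for the condition named in the thread: a NetBIOS domain name that contains a period.
$dotted = Get-CimInstance -ClassName Win32_NTDomain |
    Where-Object { $_.DomainName -like '*.*' }
if ($dotted) {
    $dotted | ForEach-Object { Write-Host "NetBIOS name with a period: $($_.DomainName)" }
} else {
    Write-Host 'No NetBIOS domain name with a period found; event 4402 may have another cause.'
}

# 2. Set DefaultDomain (REG_SZ) only if it differs, and print the old value so it can be restored.
if (-not (Test-Path -Path $KeyPath)) { throw "Registry key not found: $KeyPath" }
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($current -eq $DnsDomain) {
    Write-Host "$ValueName is already '$DnsDomain'"
} else {
    Write-Host "Changing $ValueName from '$current' to '$DnsDomain'"
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType String `
        -Value $DnsDomain -Force | Out-Null
}

# 3. List event 4402 entries from the System log for the last 24 hours.
#    Run this again after a test authentication to see whether new entries still appear.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 4402; StartTime = $since } `
    -ErrorAction SilentlyContinue
Write-Host "Event 4402 entries since ${since}: $(@($events).Count)"
$events | Select-Object TimeCreated, ProviderName, Message | Format-List

# The thread does not say whether the NPS service has to be restarted for the
# value to take effect; if results do not change, retest after a restart.
```

DefaultDomain only supplies a domain for requests whose user name arrives without one, which is the limitation raised in the last reply on this page.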

All replies

  • Hi Rod Patterson,

    NPS event 4402: "There is no domain controller for the domain domain.com". This event is related to the communication between the NPS server and the DC.

    We may check the network connection between DC and NPS server, check if we can ping DC on NPS server.

    Also check the DNS configuration on NPS server, check if the DNS server could resolve the domain.

    >Not sure if this error is perhaps a red herring of some sort.

    The NPS server will contact the DC frequently. If everything works well and the event is intermittent, it might be caused by network traffic. If so, it seems to be normal.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, November 13, 2015 6:11 AM
    Moderator
  • My apologies for not stating earlier that Ping, NsLookup and PortQry tests were all successful.

    Checking further, it appears this issue is a result of the customer having a NetBIOS domain name (pre-Windows 2000) that includes a "." (<domain>.com).

    Microsoft reportedly dropped support for this in NPS with the release of Server 2008 R2.


    Friday, November 13, 2015 6:55 AM
  • Hi Rob Patterson,

    >Microsoft reportedly dropped support for this in NPS with the release of Server 2008 R2.

    Although it does not seem to be good news for your situation, you found the root cause of the issue anyway. It's kind of you to report back here; it will help others if they meet a similar issue.

    Best Regards,

    Anne



    Friday, November 13, 2015 7:03 AM
    Moderator
  • Contrary to what others have said, you do not need to rename your domain or back rev to 2008 non-R2.

    I was able to resolve this issue by adding the following reg key to force authentication to use the DNS name, instead of the NetBIOS name:

    HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\Builtin

    • New String Value (REG_SZ): DefaultDomain

    • Data: example.loc (or example.domain.loc)



    Friday, November 13, 2015 7:32 PM
  • The problem with this approach is that if the client presents the NetBIOS name in the authentication string, then the default domain is not used and the NetBIOS name with its period in it is still used and fails. This is troublesome with 802.x authentication where the login is not interactive. If anyone has a workaround I would be very interested in hearing what was found.
    Friday, July 13, 2018 8:59 PM