Computer not able to set up a secure session with a domain controller

    Question

  • Hello,

    I have 3 RWDCs at different sites. Site A has DC1 & DC2, Site B has DC3. In my environment, I have one GPO through which the few records below are not registered on DC3.

    Mnemonic          Type   DNS record
    ----------------  -----  -----------------------------------------------------
    Dc                SRV    _ldap._tcp.dc._msdcs.<DnsDomainName>
    DcByGuid          SRV    _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
    Gc                SRV    _ldap._tcp.gc._msdcs.<DnsForestName>
    GenericGc         SRV    _gc._tcp.<DnsForestName>
    GcIpAddress       A      _gc._msdcs.<DnsForestName>
    Kdc               SRV    _kerberos._tcp.dc._msdcs.<DnsDomainName>
    Ldap              SRV    _ldap._tcp.<DnsDomainName>
    LdapIpAddress     A      <DnsDomainName>
    Rfc1510Kdc        SRV    _kerberos._tcp.<DnsDomainName>
    Rfc1510UdpKdc     SRV    _kerberos._udp.<DnsDomainName>
    Rfc1510Kpwd       SRV    _kpasswd._tcp.<DnsDomainName>
    Rfc1510UdpKpwd    SRV    _kpasswd._udp.<DnsDomainName>

    When connectivity between the two sites goes down, no user is able to authenticate. I am even getting the error below during the outage:

    C:\Users\ABC>nltest /dsgetsite

    Getting DC name failed: Status = 1919 0x77f ERROR_NO_SITENAME
    Thursday, April 27, 2017 7:13 AM

All replies

  • Hi

    Getting DC name failed: Status = 1919 0x77f ERROR_NO_SITENAME >>>>

     Did you already assign the correct subnets to the related sites? Check in AD Sites and Services; if they are not configured, you should assign the subnets to the sites.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Thursday, April 27, 2017 8:52 AM
  • Bhavesh, did you check what the issue with the GPO is and why the settings are not applied on the DC?

    It is not clear from which site users are not able to authenticate.

    All the LDAP records in the GPO are critical for authentication, and they advertise DCs in the site. If you are controlling site-specific DC records, investigate the root cause for the GPO and the settings that are not applied.

    I take it you have a hub-and-spoke topology, so consider having your Site B communicate with Site A in case of local DC failure. FYI - https://support.microsoft.com/en-us/help/306602/how-to-optimize-the-location-of-a-domain-controller-or-global-catalog-that-resides-outside-of-a-client-s-site


    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Thursday, April 27, 2017 9:22 AM
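Added example, not part of the thread or of any poster's environment: a PowerShell check that ties the two things Jim asks about together. It resolves the site-independent SRV records from the question's table against the DNS server Site B clients use and lists which DCs are advertised in each, then reads the Netlogon `DnsAvoidRegisterRecords` value on every DC (this REG_MULTI_SZ is what the "DC Locator DNS records not registered by the DCs" GPO setting writes, using the same mnemonics as the table). It assumes RSAT (ActiveDirectory and DnsClient modules) and PowerShell remoting to the DCs; the `DC3` server name is a placeholder for the poster's DC, and the site-specific `_sites.<Site>` records are not queried.

```powershell
# Added example (not from the original thread). Assumes RSAT and remoting to the DCs.
# 'DC3' is a placeholder for the DNS server that Site B clients actually use.
Import-Module ActiveDirectory

$Domain    = (Get-ADDomain).DNSRoot          # <DnsDomainName>
$Forest    = (Get-ADForest).RootDomain       # <DnsForestName>
$Guid      = (Get-ADDomain).ObjectGUID       # <DomainGuid>
$DnsServer = 'DC3'

# Site-independent locator records from the table in the question
$SrvRecords = [ordered]@{
    Dc             = "_ldap._tcp.dc._msdcs.$Domain"
    DcByGuid       = "_ldap._tcp.$Guid.domains._msdcs.$Forest"
    Gc             = "_ldap._tcp.gc._msdcs.$Forest"
    GenericGc      = "_gc._tcp.$Forest"
    Kdc            = "_kerberos._tcp.dc._msdcs.$Domain"
    Ldap           = "_ldap._tcp.$Domain"
    Rfc1510Kdc     = "_kerberos._tcp.$Domain"
    Rfc1510UdpKdc  = "_kerberos._udp.$Domain"
    Rfc1510Kpwd    = "_kpasswd._tcp.$Domain"
    Rfc1510UdpKpwd = "_kpasswd._udp.$Domain"
}

# Which DCs are advertised in each record, as seen by the chosen DNS server.
# Resolve-DnsName also returns the A records of the targets, so keep only SRV answers.
foreach ($entry in $SrvRecords.GetEnumerator()) {
    try {
        $targets = Resolve-DnsName -Name $entry.Value -Type SRV -Server $DnsServer -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' } |
                   ForEach-Object { $_.NameTarget }
    } catch {
        $targets = @()          # NXDOMAIN or server unreachable: nothing advertised
    }
    [pscustomobject]@{
        Mnemonic = $entry.Key
        Record   = $entry.Value
        Targets  = ($targets -join ', ')
    }
}

# What each DC has been told not to register. A DC that appears here for Dc/Kdc/Ldap
# will be missing from the corresponding SRV records above.
$Dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $Dcs -ScriptBlock {
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                          -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC      = $env:COMPUTERNAME
        Avoided = if ($p) { $p.DnsAvoidRegisterRecords -join ' ' } else { '(none)' }
    }
} | Select-Object DC, Avoided
```

Run it once while the WAN link is up and keep the output; if a record lists only DC1 and DC2 as targets, that is a record Site B clients cannot satisfy locally once the link drops, and the second table shows which DC's policy caused it.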
  • Hi Burak,

    The subnets are OK in AD Sites and Services. I even get the correct result, as below, when there is no outage.

    C:\Users\ABC>nltest /dsgetsite
    IMPNOI
    The command completed successfully

    Thursday, April 27, 2017 11:29 AM
  • Sorry Jimmy for not providing the required information.

    No users from Site B (DC3) can authenticate when connectivity between Site A & Site B breaks. I can even ping DC3 by IP & name during the outage.

    Thursday, April 27, 2017 11:35 AM
  • Even I am getting correct result as below during no outage. >>>>

    So you should check this DC's health, the replication health and the locator process on the DC (also check the client-side DNS configuration).

    Run "dcdiag" and "repadmin /replsum". Also check this article to compare your site topology:

    http://blogs.msmvps.com/acefekay/2010/01/03/the-dc-locator-process-the-logon-process-controlling-which-dc-responds-in-an-ad-site-and-srv-records/


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Thursday, April 27, 2017 5:36 PM
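Added example, not from the thread: the checks Burak lists, run from a Site B client as one PowerShell session so the output can be captured during the next outage and compared with a healthy run. It also verifies the client's secure channel against the local DC, which is the symptom in the thread title. It assumes RSAT (dcdiag, repadmin, the ActiveDirectory module) on the client; `DC3` and `corp.example.com` are placeholders for the poster's DC and domain.

```powershell
# Added example (not from the original thread). Placeholders: DC3, corp.example.com.
Import-Module ActiveDirectory

$Domain = 'corp.example.com'
$Dc     = 'DC3'

# 1. Client-side DNS: the locator queries these servers first. If the only resolvers
#    listed are in Site A, nothing can be found once the WAN link is down.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Locator: /force bypasses the Netlogon DC cache so the answer reflects DNS now,
#    and /dsgetsite shows which site the client believes it is in (ERROR_NO_SITENAME
#    in the question means this lookup itself failed).
nltest "/dsgetdc:$Domain" /force
nltest /dsgetsite

# 3. Secure channel to the local DC (the thread title). Returns $true/$false;
#    -Verbose prints the reason when it fails.
$secureChannelOk = Test-ComputerSecureChannel -Server $Dc -Verbose
"Secure channel to ${Dc}: $secureChannelOk"

# 4. DC health: is DC3 advertising as a DC/KDC/GC, are its DNS registrations in place,
#    and are Netlogon/KDC/DNS running? Read the pass/fail verdict of each test.
dcdiag /s:$Dc /test:Advertising /test:DNS /test:Services /test:NetLogons

# 5. Replication: the summary Burak asks for, plus any failures recorded on DC3
repadmin /replsum
Get-ADReplicationFailure -Target $Dc |
    Select-Object Partner, FailureType, FailureCount, FirstFailureTime, LastError
```

Save the output with `Start-Transcript` before running it; the comparison between the healthy and the outage run (which DNS server answered, which DC the locator returned, whether the secure channel test passed) is what tells you whether DC3 is unhealthy or simply never advertised to its own site.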