NPS on Domain Controller but it says There is no domain controller available for domain

  • Question

  • Hello,

    I tried to find a solution for my problem, but I have used all the solutions I knew or could find on the web.

    I am running two DCs: a main one and a secondary one in the second office.

    The DC on both sites also acts as DHCP, DNS and NPS.

    On the main site I started having a problem with accessing AD. In my log files I continuously found errors:

    Error 4401

    Domain controller contoso.com for domain contoso is not responsive. NPS switches to other DCs.

    4400

    It switches to DC2, but then again the domain controller is not responsive...

    At that moment I got these errors each time:

    6274

    The Network Policy Server was unable to connect to a domain controller in the domain where the account is located. Because of this, authentication and authorization for the RADIUS request could not be performed.

    On the second DC (DC2) everything works well. I checked and the server is not registered in AD (added to the security group RAS and IAS Servers), but even when I added the domain controller to that group it didn't change anything.

    Any idea?

    Or back up NPS, uninstall NPS, install it again and import the settings?

    Thanks for any advice.

    Andrew

    Monday, August 11, 2014 4:21 PM

Answers

  • Hi Andy,

    Based on your description, this event will not cause any issue; it is just information which lets us know NPS tried to contact another DC during that time. I am providing the related information for your reference; hope this will help you in this matter.

    NPS will try 3 steps to obtain a DC:

    1. Try to find a cached DC first. Call => DsGetDcNameW

    2. Next try to find a non-cached DC. Call => DsGetDcNameW

    (http://msdn.microsoft.com/en-us/library/windows/desktop/ms675983(v=vs.85).aspx)

    3. If finding the nearest DC fails, NPS will attempt to find a DC anywhere (this should be redundant, as the previous call would return a DC even if out of site). The IAS trace will contain the following entry if this code is indeed hit:
    "Failed to connect to the DC discovered by DC locator, try DC enumerator ..." Call => DsGetDcOpenW

    (http://msdn.microsoft.com/en-us/library/windows/desktop/ms675985(v=vs.85).aspx)

    From the network trace, I think you may see NPS get a list of DCs to choose from.

    Thank you.

    Best regards,

    Steven Song


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Marked as answer by Steven_Lee0510 Tuesday, September 9, 2014 6:06 AM
    Friday, August 29, 2014 12:08 PM

All replies

  • Hi,

    What's the DNS configuration of your DC?

    Try changing the preferred DNS server to the other DC and then point to the server's own private IP address as the alternate DNS server.

    After configuring the DNS, please run the commands below to clear the DNS cache:

    ipconfig /flushdns

    dnscmd /clearcache

    Make sure that all the NPS servers have been added to the RAS and IAS Servers group.

    If the issue persists, could you try to reboot your server?

    Besides, is there any warning or error related to AD DS in the event viewer of your DC?

    Best Regards



    Steven Lee

    TechNet Community Support


    Tuesday, August 12, 2014 8:20 AM
  • Dear Steven,

    Thank you for your reply.

    Basically I checked these steps before I posted my question on this forum. However, as I found a few interesting details about that case, I would like to share them with you. I am not sure if that problem is caused by a bug in the WiFi AP/controller software or a bug in NPS (or both).

    What I spotted is that to my network with RADIUS authentication (802.1X) the controller was passing one authentication request from (as I suppose) a Samsung mobile handset, which was crashing the whole NPS.

    This handset user was not authorised to connect to that network; however, he/she tried to configure that network on his/her device.

    NPS was getting this request every few seconds, which caused NPS to switch to the secondary DC, and so on. Because it was switching between controllers every 15 seconds, most of the valid requests couldn't be served.

    For me it could even be used as a kind of DoS attack.

    Network Policy Server discarded the request for a user.

    Contact the Network Policy Server administrator for more information.

    User:
        Security ID:            NULL SID
        Account Name:            
        Account Domain:            COMPANYDOMAIN
        Fully Qualified Account Name:    COMPANYDOMAIN\

    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        84-18-3A-16-77-78:COMPANYWIFI
        Calling Station Identifier:        CC-3A-61-A0-AE-F1

    NAS:
        NAS IPv4 Address:        10.0.0.61
        NAS IPv6 Address:        -
        NAS Identifier:            84-18-3A-16-77-78
        NAS Port-Type:            Wireless - IEEE 802.11
        NAS Port:            30

    RADIUS Client:
        Client Friendly Name:        Ruckus
        Client IP Address:            10.0.0.61

    Authentication Details:
        Connection Request Policy Name:    Use Windows authentication for all users
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        NPS.COMPANYDOMAIN.com
        Authentication Type:        EAP
        EAP Type:            -
        Account Session Identifier:        -
        Reason Code:            5
        Reason:                The Network Policy Server was unable to connect to a domain controller in the domain where the account is located. Because of this, authentication and authorization for the RADIUS request could not be performed.

    Regards,

    Andy

    Monday, August 18, 2014 1:50 PM
  • Hi Andy,

    If we stop the request from the handset user, does the server work properly?

    Besides, could you test the domain locator process with the command below:

    nltest /dsgetdc:domainname

    Please run this command on the NPS server.

    For detailed information about troubleshooting the domain locator process, please view the link below:

    http://support.microsoft.com/kb/314861/en-us

    Best Regards



    Steven Lee

    TechNet Community Support



    Tuesday, August 19, 2014 1:04 PM
  • Dear Steven,

    When I blocked the MAC address from accessing the SSID (which has RADIUS authentication), NPS works fine.

    What I spotted is that this Samsung Galaxy S III is connected to the same WiFi AP (the same AP MAC address) but a different SSID and network. Being connected, it sends a request to the AP (and NPS as well) without username/password.

    Using my Windows Phone 8 I was not able to connect without providing a username/password. When I provided the domain name as the user, NPS logged that the user doesn't exist.

    That phone creates requests without a username and password which crash NPS (as NPS tries to find an account which doesn't exist). I checked and NPS is connected to the proper DC.

    The same issue was there when NPS was running on the DC.

    Ruckus support wrote me that for them the AP in that case is transparent and the problem is on the NPS side.

    I got a Wireshark capture on NPS.

    Andrew

    Tuesday, August 26, 2014 3:13 PM
  • Additional info: NPS connects to the secondary DC; nltest /dsgetdc: returns the main domain controller.

    A.

    Tuesday, August 26, 2014 3:26 PM
  • Hi Andy,

    I am trying to involve someone familiar with this topic to further look at this issue.

    There might be some time delay. Appreciate your patience.

    Best Regards.



    Steven Lee

    TechNet Community Support

    Thursday, August 28, 2014 8:26 AM
  • Hi Andy,

    Would you mind telling me the current situation on your side?

    Thank you.

    Best regards,

    Steven Song



    Tuesday, September 2, 2014 3:16 PM
  • Hi Andy,

    How are things going on your end? Could you drop me a note if you need us for further assistance?

    Friday, September 5, 2014 9:49 AM
  • Dear Steven,

    Ruckus support believes that this is not a problem of the WiFi controller/AP.

    The problem is more likely on the NPS side.

    In general, I was not able to reproduce the kind of authentication request that this Samsung Galaxy S III creates; however, when I try to log in to WiFi with RADIUS authentication with:

    bad username/password - I got an event that this username doesn't exist, or the password is bad

    anotherdomain\username - I got an event that anotherdomain doesn't exist.

    With a query to my DNS I get mydomain\ and the SID (SubjectUserSid S-1-0-0), which forces NPS to switch to another DC.

    I have two DCs, and the NPS service is installed on DC and DC2.

    I believe a username SID of S-1-0-0 is what causes that problem.

    Andrew

    Tuesday, September 9, 2014 11:30 AM
  • Hi Andrew,

    You can resolve the issue you observed by adding a 'User Name' condition to your connection request policy containing the following value:

    \w+

    This will match the characters a-z, A-Z, 0-9 and underscore one or more times. This will prevent null username strings.

    Tuesday, September 23, 2014 12:51 PM
  • Old thread, but still just as relevant to current versions.

    A really good explanation is here.

    And as answered there, (at least to me) this was an almost perfect string to use (as most of my users have only letters and a single space in their user name):

    ^[a-zA-Z]+(?:\s[a-zA-Z]+)?$

    But some of them could also have two spaces or a single word, like:

    Mary Jame Smith
    MJSmith
    Mary-Jane Smith
    MJ'Smith

    In which case a less elaborate string would do:

    ^[a-zA-Z-' ]+$


    Thanks

    Seb


    • Edited by scerazy Wednesday, March 6, 2019 10:11 AM
    Wednesday, March 6, 2019 8:56 AM
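Added example (not from either poster): a small harness that runs the three User Name condition patterns quoted in the last two replies against constructed sample User-Name values, including the empty name from the event log above and a domain-only name. It shows why the anchored patterns are stricter than the unanchored `\w+`, which still matches a value like `COMPANYDOMAIN\` because the domain part contains word characters.

```python
import re

# The three condition strings quoted in the thread. NPS evaluates the
# "User Name" condition as a regular expression against the RADIUS
# User-Name attribute; an unanchored pattern matches anywhere in the value.
PATTERNS = {
    "word_chars": r"\w+",                                  # reply of Sept 23
    "one_or_two_words": r"^[a-zA-Z]+(?:\s[a-zA-Z]+)?$",   # Seb's first string
    "letters_hyphen_apos_space": r"^[a-zA-Z-' ]+$",        # Seb's relaxed string
}


def matches(pattern: str, user_name: str) -> bool:
    """True if the User-Name value satisfies the condition pattern."""
    return re.search(pattern, user_name) is not None


def evaluate(user_name: str) -> dict:
    """Run one User-Name value through every pattern in PATTERNS."""
    return {name: matches(p, user_name) for name, p in PATTERNS.items()}


# Constructed sample values (not from a real capture): the empty name seen in
# the event above, a domain-only name, Seb's examples and an underscore name.
SAMPLES = ["", "COMPANYDOMAIN\\", "andrew", "Mary Jame Smith", "MJSmith",
           "Mary-Jane Smith", "MJ'Smith", "mary_jane"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), evaluate(sample))
```

The empty name fails every pattern, so a connection request policy using any of them stops the blank requests described in the thread; the domain-only value passes only the unanchored `\w+`.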