There are currently no logon servers available....

    Question

    I had a domain (abc.com) with all the servers in it connecting to two domain controllers DC1/DC2 (DNS on both). All logging in fine.. no problems. I then created a subdomain (def.abc.com). Added a single domain controller into it (no DNS), DC3.

    I then moved all the servers to def.abc.com using netdom /move etc. They all correctly moved, authenticating against the abc.com account. Now I cannot log on to any of the servers and get the above error. They all resolve correctly: nslookup abc.com (and def.abc.com). DNS is still the same servers, DC1/DC2. One weird thing is I can connect to a remote share from a machine that is not working, i.e. I can connect to \\DC1\c$ and authenticate against abc.com, but I cannot do it the other way, i.e. connect from DC1 to \\server\c$ - I get the same error message.

    As a test I also removed a machine from the domain and re added it and it still will not logon. Any ideas? I think I am going round the bend on this one!

    Friday, July 20, 2012 12:24 PM

All replies

  • Hello,

    First of all, try adding both domains in use as DNS suffixes and check results. Also, I would recommend to make all your domains' DNS zones AD integrated and set to be replicated in the forest.

    Like that, you can do each DC / DNS server in your forest for the forest DNS name resolution.


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Friday, July 20, 2012 4:00 PM
  • Being in the subdomain it appends primary and parent suffixes anyways... but I did append the specific DNS suffixes just to make sure and it did not work.

    It is Windows Server 2008 R2 so the DNS zones are already AD integrated. So still not working :(

    Is there a record in DNS I need to create? The servers were moved domains, corresponding records created in the new zone. Nothing else changed?!?!

    Friday, July 20, 2012 4:16 PM
  • What if you use nslookup for resolution of this DNS record? Can you please check that you are getting the correct DNS resolution?



    Friday, July 20, 2012 4:21 PM
  • It does resolve correctly. (nslookup abc.com returns all the DC's)

    Here is some weird info... if I put in the wrong password when using the parent domain, i.e. abc.com\user1, I instantly get "incorrect password or username" etc. If I put the correct password in, it takes about 10s then errors with no logon server available.

    Friday, July 20, 2012 4:25 PM
  • Hello,

    Try to find the logon server name with the help of the echo %logonserver% command and check which server the user belongs to.

    Note: Run this command with elevated rights.


    Regards, Ravikumar P

    Saturday, July 21, 2012 12:56 AM
  • Also run a command netdom query fsmo and find the roles of each DC.

    Regards, Ravikumar P

    • Marked as answer by NastyMatt Thursday, July 26, 2012 9:14 AM
    Saturday, July 21, 2012 12:57 AM
  • Hi,

    It seems that you are not able to log on to your child domain client, right?

    As you have added those servers to your child domain, please log on to them with a child domain user account, and choose the right domain.

    Regards,

    Yan Li

    TechNet Community Support


    Monday, July 23, 2012 9:37 AM
    Moderator
  • ok.. some more info.. 

    %logonserver% will simply tell me which server I finally managed to log on to.. not which it is attempting to log on to. So a bit misleading as I can only see success :(

    but netdom query fsmo returned "The RPC server is unavailable"...ooh.... looking promising. So I did a network monitor on the command and it is communicating with DC3 (the single DC in the subdomain def.abc.com), but running that command locally on DC3 it returns the info correctly.

    Now is this a red herring as dc3 is not a dns server or is this the issue? All dns resolution works fine and netmon'ing that shows it is indeed hitting the correct servers.

    Monday, July 23, 2012 10:23 AM
  • Are the member servers pointing to the correct DNS server for their current domain?

    Please post an IPConfig /all from a member server that is having the issue

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.


    Monday, July 23, 2012 12:09 PM
    Moderator
  • Well... I think I have found an issue with the netdom command failing. I have a feeling in my bones that is the issue as I have network monitored the traffic and all the ports it is trying to communicate on are blocked.

    but trying to get 1024-65535 ports opened is "tricky" here!!! So I am jumping through hoops to get this done and it won't be done until Thursday at the earliest. Will report back then.

    Monday, July 23, 2012 3:41 PM
  • So close down the range of high ports on your external servers.
    http://support.microsoft.com/kb/154596

    I have done this many times w/o issue.  Works great.

    This is a blog as an example for DC's
    http://blogs.dirteam.com/blogs/paulbergson/archive/2012/05/15/windows-2000-2003-replication-through-a-firewall.aspx

    --
    Paul Bergson

    Monday, July 23, 2012 4:29 PM
    Moderator
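
The posts above trace the failure to blocked ports between the member servers and DC3 and suggest narrowing the RPC high-port range per KB154596. The following is an added example, not code from any poster in this thread: a PowerShell 2.0-compatible check, run from an affected member server, of whether the DC's fixed ports are reachable and whether an RPC port restriction is configured locally. The DC FQDN and the list of ports probed are assumptions.

```powershell
# Added example. Run on a member server that cannot log on.
# Assumptions: the DC name (DC3 is the child-domain DC in the thread; the FQDN
# is assumed) and the list of fixed ports checked.
param(
    [string]$DomainController = 'dc3.def.abc.com',
    [int]$TimeoutMs = 2000
)

function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Fixed TCP ports a member server uses to reach a DC during logon.
$fixedPorts = @(
    @{ Port = 88;  Service = 'Kerberos' },
    @{ Port = 135; Service = 'RPC endpoint mapper' },
    @{ Port = 389; Service = 'LDAP' },
    @{ Port = 445; Service = 'SMB' }
)

foreach ($entry in $fixedPorts) {
    $open = Test-TcpPort -Server $DomainController -Port $entry.Port -TimeoutMs $TimeoutMs
    $state = if ($open) { 'open' } else { 'BLOCKED' }
    '{0,-22} tcp/{1,-5} {2}' -f $entry.Service, $entry.Port, $state
}

# Netlogon and netdom also need the RPC dynamic range. Show the local range,
# then any KB154596 restriction (run this part on the DC to see its range).
netsh int ipv4 show dynamicport tcp

$rpcKey = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' -ErrorAction SilentlyContinue
if ($rpcKey) {
    'RPC ports restricted to: {0} (UseInternetPorts={1})' -f ($rpcKey.Ports -join ','), $rpcKey.UseInternetPorts
} else {
    'No Rpc\Internet key: RPC uses the full OS dynamic port range.'
}
```

If tcp/135 is open but netdom query fsmo still returns "The RPC server is unavailable", the firewall is most likely dropping the dynamic port that the endpoint mapper hands back, which is the case the KB154596 restriction is meant to make manageable.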
  • Matt,

    Can you please try to log in using your def.abc.com domain.... using only def\username

    Also, good to see you again Mr. X

    Best Regards,


    Steve Kline
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Technology Specialist: Active Directory, Network Infrastructure, Application Platform, Windows 7
    Microsoft Certified Product Specialist & Network Product Specialist
    Red Hat Certified System Administrator
    Microsoft® Community Contributor Award 2011
    This posting is "as is" without warranties and confers no rights.

    Monday, July 23, 2012 5:22 PM
  • Could you please list or "suggest" the lists of servers and all of their roles? (example below)

    Also any networking information would be great to really get the big picture of what you're laying out and mapping.

    This allows for the active supporters to really troubleshoot your issue, instead of some symptoms that you're telling us about.

    Example:

    server1.def.abc.com - ADDS(RM,OM,PDCe), F&Ps, etc.. (10.1.1.5/24)

    server1.abc.com - ADDS(SM & DNM), F&Ps, etc... (10.1.2.5/24)

    server2.abc.com - ADDS(RM, OM, PDCe), F&Ps, etc...(10.1.2.6/24)

    These types of descriptions... will extremely help out what information is lacking in the above descriptions of what you're explaining.


    Steve Kline

    Monday, July 23, 2012 5:31 PM
  • Ports have been opened and we have made progress!! :)

    Now I can logon to the servers using def.abc.com/<username>. But not abc.com/<username>!!! I get the following error.. which is weird considering there is a two way trust etc. I think this could be a group policy update issue or something:

    "To log on to this remote computer, you must be granted the Allow log on through Terminal services right..."

    If anyone knows why moving domains might cause the above issue I'd be wholly grateful, otherwise - thank you everyone for the help - much appreciated. The "try netdom query fsmo" reply got me on the right track and helped me nail that it might be a comms issue.

    Thursday, July 26, 2012 9:13 AM
  • You need to provide the allow logon to terminal services right; refer to the link below for how to configure the same.
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/262880fb-f4eb-4bba-9056-049ff6f50ec2/

    Hope this helps

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Thursday, July 26, 2012 9:23 AM