Domain users cannot logon to domain

Discussion in 'Active Directory' started by MartinH, Jun 16, 2006.

  1. MartinH

    MartinH Guest

    We are in the process of setting up a new network with 3 DC's.

    Domain(1)

    DC1: Domain.net

    Roles: GC, AD, DNS and DHCP (with no scope)

    Primary DNS: DC1 and DNS Suffix Search List: Dc3 and DC2

    One NIC with fixed IP (xxx.xxx.10.xxx)


    Domain(2)

    DC2: Child1.Domain.net

    Roles: AD, DNS (forwarding to DC1), DHCP (xxx.xxx.10.xxx), DFS

    Primary DNS: DC2 and DNS Suffix Search List: Dc3 and DC1

    One NIC with fixed IP (xxx.xxx.10.xxx)


    Domain(3)

    DC3: Child2.Domain.net

    Roles: AD, DNS (forwarding to DC1 and DC2), DHCP (xxx.xxx.20.xxx), DFS

    Primary DNS: DC3 and DNS Suffix Search List: Dc2 and DC1

    One NIC with fixed IP (xxx.xxx.20.xxx)



    DC1 and DC2 are on 1 site and DC3 is on a different site and connected
    through a VPN tunnel set up using 2 3com gateways.

    The object of the setup is that every site can function when the other
    sites are not reachable. So when we disconnect DC1 the other DC's still
    function and when we disconnect DC1 and DC2 then DC3 should still
    function as well and so on. So DC1 should only function as a bridge
    between DC2 and DC3 and has no other function.

    So far we were not able to reach our objective. When the connection to DC1
    is lost, domain users cannot log on anymore on DC3 and DC2. Also user
    logon on Domain(3) is slow. Booting DC2 and DC3 when DC1 is not
    available takes like 20 minutes.


    Snippets from dcdiag on DC3 when DC1 is not reachable...

    [Replications Check,DC3] A recent replication attempt failed:
    From MICKEY to DC3
    Naming Context:
    CN=Schema,CN=Configuration,DC=Domain,DC=net
    The replication generated an error (1908):
    Could not find the domain controller for this domain.
    The failure occurred at 2006-06-14 20:15:08.
    The last success occurred at 2006-06-14 02:47:50.
    3 failures have occurred since the last success.
    Kerberos Error.
    A KDC was not found to authenticate the call.
    Check that sufficient domain controllers are available.


    Testing server: Default-First-Site-Name\DC3
    Starting test: Replications
    [DC1] DsBindWithSpnEx() failed with error 1722,
    The RPC server is unavailable..
    [DC2] DsBindWithSpnEx() failed with error 1722,
    The RPC server is unavailable..

    Starting test: KnowsOfRoleHolders
    Warning: THEBOSS is the Schema Owner, but is not responding
    to DS RPC Bind.
    [DC1] LDAP search failed with error 58,
    The specified server cannot perform the requested operation..
    Warning: DC1 is the Schema Owner, but is not responding to
    LDAP Bind.
    Warning: DC1 is the Domain Owner, but is not responding to DS
    RPC Bind.
    Warning: DC1 is the Domain Owner, but is not responding to
    LDAP Bind.
    ......................... DC3 failed test KnowsOfRoleHolders


    Starting test: kccevent
    An Warning Event occured. EventID: 0x80000677
    Time Generated: 06/16/2006 03:21:33
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0xC0000466
    Time Generated: 06/16/2006 03:21:45
    (Event String could not be retrieved)
    ......................... DC3 failed test kccevent

    Starting test: FsmoCheck
    Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error
    1355
    A Global Catalog Server could not be located - All GC's are
    down.
    ......................... Domain.net failed test FsmoCheck


    I tried activating a 2nd GC on DC3 but then user logon on Domain(2)
    became slow so I disabled the GC again by unticking the box in Sites
    and Services on DC3. I didn't test user logon when the GC on DC3 was
    enabled.


    So my question is: What do I need to do to reach my objective of getting
    both child DC's to keep functioning when any combination of other DC's
    is not reachable?

    Any help is greatly appreciated.


    Martin.
     
    MartinH, Jun 16, 2006
    #1

  2. Jorge Silva

    Jorge Silva Guest

    Hi
    1 - You need a GC available to validate logons (unless you have only one
    domain or your DFL is in mixed mode), so if you only have one GC (DC1) when
    IT GOES DOWN no logon can be performed.

    2 - Make sure that you link the appropriate subnets to their respective
    sites. If DC1 and DC2 are in the same site, make sure that you create the 2
    subnets and link them to the same site; if DC3 is in a different site, create
    a subnet for Site2.

    3 - Make sure that all servers are reachable by FQDN, using Dns Secondary
    zones, or Stub Zones, Forwarding, conditional Forwarding.

    4 - Make sure that your clients only use their local Dns servers.



    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator

     
    Jorge Silva, Jun 16, 2006
    #2

  3. MartinH

    MartinH Guest

    Hi Jorge,

    Thanks for your help. Greatly appreciated. I have some more questions
    on this.



    So basically what you say is I need to activate a GC on DC2 and DC3. I
    will do that.

    This is not really clear to me so I have a question on this.

    DC1 and DC2 are geographically in the same room and DC3 is not. DC3 is
    connected to DC1 and DC2 via a vpn tunnel (3com gateways).

    At this moment there are NO subnets on any of the DC's. I can only
    create a new subnet on DC1 and not on DC2 and DC3.
    My question is: I don't understand why, or may it be because they are
    not yet GC's?

    Site(1) Child1.Domain.net = DC1 and DC2 are on subnet 255.255.255.0
    and IP xxx.xxx.20.xxx
    Site(2) Child2.Domain.net = DC3 is on subnet 255.255.255.0 and IP
    xxx.xxx.10.xxx
    So my question is: What subnet do I need to create and on what DC?
    My guess would be that I need to create a subnet from one site to the other
    site? So...

    DC3 = subnet xxx.xxx.10.0 /24 - Site associated = Child1.Domain.net
    DC2 = subnet xxx.xxx.20.0 /24 - Site associated = Child2.Domain.net
    DC1 = no subnet so no site associated then

    Is that correct?

    All servers are reachable by computer name and by fully qualified name.
    Example: ping Computer and ping Computer.Domain.net or ping
    Computer.Child.Domain.net work in various combinations on themselves
    and all other DC's. So that's okay.
    IPconfig /all on clients reports only the local DNS. So that's okay.

    IP and DNS on all the DC's are manual and the DNS on them are...

    DC1 = dns DC1
    DC2 = dns DC2 then dns DC1
    DC3 = dns DC3 then dns DC1

    Are these correct?
     
    MartinH, Jun 16, 2006
    #3
  4. Jorge Silva

    Jorge Silva Guest

    Inline
    Be aware with the IM master role:
    As a general rule, the infrastructure master should be located on a
    non-global catalog server that has a direct connection object to some global
    catalog in the forest, preferably in the same Active Directory site. Because
    the global catalog server holds a partial replica of every object in the
    forest, the infrastructure master, if placed on a global catalog server,
    will never update anything, because it does not contain any references to
    objects that it does not hold. Exceptions to the "do not place the
    infrastructure master on a global catalog server" rule are:



    * Single domain forest:

    In a forest that contains a single Active Directory domain, there are no
    phantoms, and so the infrastructure master has no work to do. The
    infrastructure master may be placed on any domain controller in the domain,
    regardless of whether that domain controller hosts the global catalog or
    not.



    *Multidomain forest where every domain controller in a domain holds the
    global catalog:
    If every domain controller in a domain that is part of a multidomain forest
    also hosts the global catalog, there are no phantoms or work for the
    infrastructure master to do. The infrastructure master may be put on any
    domain controller in that domain.



    You mean that DC1 and DC2 are in the same subnet?
    Now, I'm confused.

    DC1 and DC2 are in the same subnet?
    for example:
    DC1 is on 10.10.20.254/24=255.255.255.0
    DC2 is on 10.10.20.253/24=255.255.255.0

    DC3 is in a different subnet?
    for example:
    DC3 is on 10.10.10.254/24=255.255.255.0


    In this case you create:

    Site1 (For DC1 and DC2) -> subnet = 10.10.20.0/24
    Site2 (For DC3) -> subnet = 10.10.10.0/24

    In the previous post I said that you'd need to create 2 subnets for site 1,
    because I was assuming that you had 2 different subnets for it.
    For example:
    DC1 is on 10.10.20.254/24=255.255.255.0
    DC2 is on 10.10.30.254/24=255.255.255.0

    In this particular case you would need to create:
    Site1 (For DC1 and DC2)
    -> subnet = 10.10.20.0/24
    -> subnet = 10.10.30.0/24

    You can relate more than 1 subnet to an existing site. But it seems that
    isn't your case.

    Ahhh. Ok, Ok.
    Ok, I believe that the previous answer responds to that.
    - DC1 no site, why?
    - Sites have nothing to do with Domains.
    - Sites represent physical structures in an organization.

    * A site is a combination of one or more IP subnets connected by a highly
    reliable and fast link to localize as much network traffic as possible.
    With Active Directory, sites are not part of the namespace. When you browse
    the logical namespace, you see computers and users grouped into domains and
    OUs, not sites. Sites contain only computer objects and connection objects
    used to configure replication between sites.


    *Sites in Active Directory represent the physical structure, or topology, of
    your network. Active Directory uses topology information, stored as site and
    site link objects in the directory, to build the most efficient replication
    topology. You use Active Directory Sites and Services to define sites and
    site links. A site is a set of well-connected subnets. Sites differ from
    domains; sites represent the physical structure of your network, while
    domains represent the logical structure of your organization.

    *Sites have two main roles:
    - To facilitate authentication, by determining the nearest domain controller
    when a user logs on from a workstation

    - To facilitate the replication of data between sites. Because site names are
    used in the records registered in the Domain Name System (DNS) by the domain
    locator, they must be valid DNS names.


    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jun 16, 2006
    #4
  5. MartinH

    MartinH Guest

    I expect the tree root server DC1 to be the Infrastructure Master, so I
    should disable the GC on DC1 then? Simply untick the GC box in Sites
    and Services on DC1?

    I activated GC's on the 2 other DC's a few hours ago so replication
    should be ready by now?
    That's my case I think. 3 DC's all GC and DC1 (tree root server)
    Infrastructure Master and Schema Owner.

    So when I untick the GC on DC1 all should be working and updating. It
    is not really a problem if the IM is not reachable for a moment once
    in a while?

    DC1 has no function other than being a DC and bridging the two child
    domains. All users etc. are on them.
    Yes...

    Site(1): 192.168.10.1/24 for DC1 and 192.168.10.3/24 for DC2
    Site(2): 196.168.20.3/24 for DC3

    DC3 is on another subnet because it's geographically a couple of miles
    away from site(1) where DC1 and DC2 are located.
    I don't get an option in the AD Sites and Services menu on DC2 and DC3
    to add a new subnet. I do on DC1 though.

    Hope you bear with me. I am new to this. Site(1): I create a subnet
    192.168.20.0/24 where? In AD Sites and Services on DC1 or on DC2 or on
    both?
    This is simple. I get it. I create Site(2) in AD Sites and Services on
    DC3 and I create a new subnet 192.168.10.0/24.
    Yes, I am messing up the naming.
     
    MartinH, Jun 16, 2006
    #5
  6. MartinH

    MartinH Guest

    Jorge.


    Do I see the light now? On all DC's I see in AD Sites and Services a
    Default-First-Site-Name and in there is Servers and DC1, DC2 and DC3.

    Should I create on the tree root server = DC1 in AD Sites and Services
    a new site and move DC3 in there? And then create a new subnet and point
    it to the Default-First-Site-Name with DC1 and DC2 and to the new Site
    with DC3?

    Will this then replicate and synchronize to all other DC's?

    Martin
     
    MartinH, Jun 16, 2006
    #6
  7. Jorge Silva

    Jorge Silva Guest

    - DC1 and DC2 are connected to the same switch/network, right?

    - You can use the Default-First-Site-Name to host DC1 and DC2:
    create 2 subnets (DC1 subnet and DC2 subnet) and associate them with the
    Default-First-Site-Name; in this case it will be
    192.168.10.0/24 -> represents the DC1 and DC2 subnet

    - Create a new Site and associate the subnet 192.168.20.0/24 -> represents
    the DC3 subnet, move DC3 to this new site and remove it from
    Default-First-Site-Name.

    - Make all DCs global catalogs: go to each server's NTDS Settings, right
    click and choose the Global Catalog option.

    - How about DNS, how did you configure your DNS structure?


    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jun 16, 2006
    #7
  8. MartinH

    MartinH Guest

    Yes, they are connected to the same switch network.

    And do I do that on every DC or only on DC1 and then the settings
    synchronize to the others?
    Done that.
    All DC's have DNS.

    DC1 no forwarding
    DC2 forwarding to DC3 and DC1
    DC3 forwarding to DC2 and DC1
     
    MartinH, Jun 16, 2006
    #8
  9. Jorge Silva

    Jorge Silva Guest

    and do I do that on every DC or only on DC1 and then the settings
    Yep. You can use Active Directory Sites and Services, right click on the
    connection (under NTDS Settings) and choose Replicate Now.
    Note: intersite replication by default occurs every 3 hours; you can change
    that by manually forcing replication, or go to the IP site link and change
    the default (180 minutes).

    - Make sure that each DNS server only points to itself under its NIC
    properties' primary DNS server.



    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jun 16, 2006
    #9
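    The steps Jorge lays out in #7 and #9 (subnets on the default site, a second site for DC3, GC on every DC, DNS that answers locally) as an added PowerShell example. It is not code from the thread and it assumes the ActiveDirectory module of Windows Server 2012+/RSAT rather than the 2003-era tools Martin used; the site name Second-Site-Name (Martin's later choice) and the FQDN DC3.Child2.Domain.net are assumptions.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory
# module (Windows Server 2012+ / RSAT). Names and subnets are the ones
# posted in the thread; 'Second-Site-Name' and the DC3 FQDN are assumed.
# Run once from a DC as an Enterprise Admin.
Import-Module ActiveDirectory

$forestRoot = 'Domain.net'
$site1 = 'Default-First-Site-Name'   # DC1 and DC2, same switch
$site2 = 'Second-Site-Name'          # DC3, behind the VPN
$layout = @{ '192.168.10.0/24' = $site1; '192.168.20.0/24' = $site2 }

# 1. Site and subnets (AD subnet objects are named by their CIDR prefix).
if (-not (Get-ADReplicationSite -Filter "Name -eq '$site2'")) {
    New-ADReplicationSite -Name $site2
}
foreach ($cidr in $layout.Keys) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $layout[$cidr]
    }
}

# 2. DC3 leaves the default site; DC1 and DC2 stay in it.
Move-ADDirectoryServer -Identity 'DC3.Child2.Domain.net' -Site $site2

# 3. Every DC becomes a GC. The GC flag is bit 0x1 of the 'options'
#    attribute on each NTDS Settings object; OR it in so other bits survive.
foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        if ($dc.IsGlobalCatalog) { continue }
        $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
        Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -bor 1) }
    }
}

# 4. Check: a site whose DNS lacks its own GC and KDC SRV records sends
#    logons across the VPN, which is exactly what broke when DC1 was down.
function Test-SiteCoverage {
    param([string]$Site, [string]$Domain)
    $gc  = Resolve-DnsName -Type SRV "_gc._tcp.$Site._sites.$forestRoot" -ErrorAction SilentlyContinue
    $kdc = Resolve-DnsName -Type SRV "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Site   = $Site
        Domain = $Domain
        GCs    = @($gc  | Where-Object QueryType -eq 'SRV' | ForEach-Object NameTarget) -join ','
        KDCs   = @($kdc | Where-Object QueryType -eq 'SRV' | ForEach-Object NameTarget) -join ','
    }
}
Test-SiteCoverage -Site $site1 -Domain 'Child1.Domain.net'
Test-SiteCoverage -Site $site2 -Domain 'Child2.Domain.net'
```

    A freshly promoted GC registers its _gc SRV records only after it has finished building the partial replicas, so an empty GCs column right after step 3 is expected; rerun step 4 after replication (or after Replicate Now) and, when it lists a DC in each site, repeat Martin's test of unplugging DC1.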
  10. MartinH

    MartinH Guest

    You're a great help. Again, thx very much.


    Created a 2nd Site in AD Sites and Services on DC1.

    Created a new subnet 192.168.10.0/24 linked to the
    Default-First-Site-Name

    Created a new subnet 192.168.20.0/24 linked to the Second-Site-Name

    How do I select the Licensing computer for the Second-Site??
    Removed the secondary DNS pointing to DC1 in NIC properties on DC2 and DC3.
     
    MartinH, Jun 16, 2006
    #10
  11. Jorge Silva

    Jorge Silva Guest

    I'm glad I could help

    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jun 16, 2006
    #11
  12. MartinH

    MartinH Guest

    Jorge,

    Finally, do you have any idea where I should select the licensing
    computer for the 2nd site? It warned me to do so when I created the
    2nd site!
     
    MartinH, Jun 16, 2006
    #12
  13. Jorge Silva

    Jorge Silva Guest

    The license server isn't running by default. To activate it, go to the server
    where you want to make the license server -> Services MMC console in
    Administrative Tools, select License Logging service, change the service
    to Automatic and start it.

    Next go to Administrative Tools -> Licensing and add licenses in this menu.
    In Active Directory Sites and Services you can select the server that you
    just made the license server.

    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jun 17, 2006
    #13
  14. MartinH

    MartinH Guest

    Cool, so I suppose there is no License Server for the Default Site then,
    so for site 1 I make DC2 the License Logging Server and for site 2 I
    make DC3 the License Logging Server?
     
    MartinH, Jun 17, 2006
    #14
  15. Jorge Silva

    Jorge Silva Guest

    You can use the same DC for all sites or you can make it DC3, it's up to you.


    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jun 17, 2006
    #15
  16. Jorge Silva

    Jorge Silva Guest

    There's a licensing server for ALL SITES including the Default First Site.

    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jun 17, 2006
    #16
  17. MartinH

    MartinH Guest

    Jorge,

    Ehm I was too fast with my response. There is NO License Logging
    Server running on DC1 or on DC2.

    Switched the License Logging Server on DC3 to Automatic as you
    suggested.

    Again, Mega thx. I hope you like a glass of wine because you earned a
    couple of them :D.

    Regards, martin
     
    MartinH, Jun 17, 2006
    #17
  18. Jorge Silva

    Jorge Silva Guest

    Best regards


    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jun 17, 2006
    #18
  19. MartinH

    MartinH Guest

    Ignore this one hehhe. It's getting late. Of course there are License
    Logging Server services running on DC1 and DC2.
     
    MartinH, Jun 17, 2006
    #19
  20. MartinH

    MartinH Guest

    Jorge,


    License Server on DC2 and on DC3 on Automatic now.

    License Server on DC1 is Disabled.


    Kind regards and many thx, Martin
     
    MartinH, Jun 17, 2006
    #20
