Remote PCs not authenticating against local domain controller

Discussion in 'Active Directory' started by Neil Green, Aug 2, 2007.

  1. Neil Green

    Neil Green Guest

    I have two sites connected via a WAN link. At site 1 there are two domain
    controllers: S1DC1 = Windows 2003 primary DC with GC and S1DC2 = Windows 2000
    secondary with GC. At site 2, there is a single domain controller S2DC1 =
    Windows 2003 secondary with GC.

    I have configured the two sites within sites and services and assigned the
    DCs to the relevant sites.

    I have run dcdiag and netdiag on all DCs and they report that they are
    working correctly as DCs.

    The problem is when the WAN link fails, the PCs at the remote site cannot
    log on to the domain.

    Please could you let me know any further tests that I can run to show where
    the problem lies.

    Many thanks, Neil
     
    Neil Green, Aug 2, 2007
    #1

  2. Neil Green

    Steve B Guest

    Sounds like a DNS problem rather than an AD problem. Where do your clients
    point for their Preferred DNS in site 2?
     
    Steve B, Aug 2, 2007
    #2

  3. Neil Green

    Neil Green Guest

    The clients point to S2DC1 as their primary DNS and then S1DC1 & S1DC2 as
    secondaries.
     
    Neil Green, Aug 2, 2007
    #3
  4. Neil Green

    Steve B Guest

    OK...so when the user logs on normally, is the client definitely
    authenticated by S2DC1 in the remote site (i.e. its local DC)?

    In addition, have you checked that the client is in the correct AD site? If
    you run gpresult or RSOP (or something similar), it will show you the site
    that the client belongs to - is this the same one as S2DC1?

    In addition, have you looked at:
    http://support.microsoft.com/default.aspx/kb/314861
     
    Steve B, Aug 2, 2007
    #4
  5. Neil Green

    G Johansson Guest

    Is the DC in the Remote Office also configured as GC (otherwise clients won't
    be able to log in)?
     
    G Johansson, Aug 2, 2007
    #5
  6. Neil Green

    Neil Green Guest

    It is configured as a GC

     
    Neil Green, Aug 7, 2007
    #6
  7. Neil Green

    Neil Green Guest

    Hi Steve,

    I have configured netlogon debugging and the clients at the remote site
    seem to be authenticating against S2DC1.

    I have run gpresult and the clients at the remote site are reporting that
    the site name is the one for the main site, but when I run nltest against the
    domain, it reports that the client's "our site" is the remote one.

    When the link is disconnected, the clients take a long time to log on and
    state that they cannot retrieve their roaming profile (even though it is
    stored on S2DC1). When eventually the PC shows the desktop and they try to
    access files on the server that they can get normally, there is an error
    about "compromising security". And then when I run gpresult when the link is
    down, the site name is reported correctly as the remote one.

    Many thanks,

    Neil
     
    Neil Green, Aug 7, 2007
    #7