Domain controllers not Logon Server

Posted on 2008-06-11
Last Modified: 2012-05-05
Dear guys,

I have a forest containing a single domain, Mydomain.com, with two sites, SiteA and SiteB.
At SiteA there are two domain controllers, named CA1 and CA2. Both are Dell PowerEdge 1650 servers running Windows 2003 Enterprise Edition SP2, and they work well without problems.

In SiteB there are three domain controllers, all Dell PowerEdge 1650 servers running Windows 2003 Enterprise Edition SP2, named BA1, BA2 and BA3.

SiteA and SiteB are connected through an IPSec VPN tunnel using ISA Server 2006 Standard at both sites.

All FSMO roles are on server BA1 at SiteB, and replication is working well.
All DCs are GCs, time servers, Active Directory-integrated DNS servers and DHCP servers, except that the FSMO role holder does not hold the GC.
I have a problem in SiteB: only one server, BA1, acts as a logon server. In other words, if this DC is offline, clients fail to access shared resources and fail to log on to their computers.

Could you help me solve this problem?
Question by:ahmed_bq
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 21766458
Ahmed,

I'm not sure exactly what will solve the problem, but here's where I would start:

1. Make sure that you've configured your sites correctly:
    - You've created subnet objects for each IP subnet
    - You've assigned each subnet object to the appropriate site
2. Make sure that each server is in the correct site
    - Keep in mind that domain controllers do not automatically assign themselves to sites the way member servers and clients do.
3. Make sure at least one DC in each site is a global catalog server
4. Make sure you've got two DNS servers in each site
5. Check your event logs for any of the following errors and warnings:
    - DNS
    - NTFRS
    - Kerberos
    - Active Directory

I know you mention that all DCs are GC, time servers, etc.  Regarding time servers, your PDC emulator should be configured to sync to an outside time source and all other servers and clients should be left alone.

What are your thoughts?

<-=+=->
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21766463
Can you run dcdiag on each DC in turn, please? What are the results? Anything untoward?
Are all the DCs in the right areas within Sites & Services?
No registry changes forcing clients to use a particular DC for logon?
 

Author Comment

by:ahmed_bq
ID: 21766666
SplinterCell5894:

My sites are configured correctly: SiteA is 172.16.0.0/24 and SiteB is 10.0.0.0/24, and the DCs are placed correctly in Sites and Services.

Two servers hold the GC, and all DCs are DNS servers.
The time server is configured as the preferred time server on the PDC, BA1.

I have errors like the following on BA1 (the FSMO role holder server):

Source:NTDS Replication
ID: 1411
Category: DS RPC Client
The Security System detected an authentication error for the server LDAP/BA1.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".


Source:MSDTC
ID: 53258
Category: SVC
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: %1

Source:LSASRV
ID: 40960
Category: SPNEGO (Negotiator)
The Security System detected an authentication error for the server LDAP/BA1.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

Source:KDC
ID: 11
Category: none
There are multiple accounts with name host/PC34.MyDomain.com of type DS_SERVICE_PRINCIPAL_NAME.

Source:KDC
ID: 7
Category: none
The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was Saeed_Zaky and lookup type 0x8.

The last event ID appears many times with the same error for other user accounts besides Saeed_Zaky.
 
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 21766677
Ah.  Okay.  I'd recommend doing this for the DC that won't authenticate users:

1. Demote it to a member server.
2. Remove it from the domain.
3. Re-add it to the domain.
4. Promote it to a DC again.

This will reset all of its security accounts and the like.

<-=+=->
 

Author Comment

by:ahmed_bq
ID: 21766689
DCDIAG run for the enterprise, verbose, showing only errors, together with the domain test, indicated the following:

>dcdiag /e /c /v /testdomain:MyDomain.com /q /fix
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Check secure channel from BA1 to MyDomain.com: The specified domain either does not exist or could not be contacted.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         ......................... BA1 failed test OutboundSecureChannels
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... BA1 failed test frsevent
         Warning: BA3 is not advertising as a time server.
         ......................... BA3 failed test Advertising
         Could not Check secure channel from BA1 to MyDomain.com: The specified domain either does not exist or could not be contacted.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         ......................... BA3 failed test OutboundSecureChannels
         Could not Check secure channel from BA1 to MyDomain.com: The specified domain either does not exist or could not be contacted.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         ......................... BA2 failed test OutboundSecureChannels
            *Warning: The next ISTG could not be authoratively determined for
            site SiteB.  A DC should make an ISTG failover attempt in 61
            minutes.
            *Warning: The next ISTG could not be authoratively determined for
            site SiteA.  A DC should make an ISTG failover attempt in 17
            minutes.

 
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 21766700
I'd recommend going through the steps I outlined.  That will clear up a lot of issues... especially once you see KDC and Kerberos errors.

<-=+=->
 

Author Comment

by:ahmed_bq
ID: 21766707
SplinterCell5894:

I also want to inform you that I demoted all the servers earlier and reinstalled Windows again to ensure they are clean.
I also made sure that the DNS records and Sites and Services do not contain any data about the demoted servers, checked the metadata with NTDSUTIL, and then promoted them again.

But it still has the same problem.
 

Author Comment

by:ahmed_bq
ID: 21766787
I also used the NLTEST tool, as below:

>nltest /SC_QUERY:mydomain.com
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

I hope this will help.
 

Author Comment

by:ahmed_bq
ID: 21767591
Can anyone help?
 

Accepted Solution

by:
ahmed_bq earned 0 total points
ID: 21771015
I solved the problem by adding Authenticated Users and Everyone to "Access this computer from the network" in the Default Domain Controllers GPO.

http://support.microsoft.com/kb/837513


Thanks, everybody.
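The accepted solution restores the default "Access this computer from the network" grants on the domain controllers. The following is an added example, not code from the thread, that audits a secedit security-template export for exactly that right (SeNetworkLogonRight) and reports which of the default principals from KB 837513 are missing. The sample INF text is constructed; the SID-to-name table is an assumption drawn from the well-known SIDs.

```python
"""Audit a secedit-style template export for the SeNetworkLogonRight
('Access this computer from the network') grants on a domain controller."""

# Well-known SIDs that the Default Domain Controllers Policy grants this
# right to by default (assumption: matches the list referenced in KB 837513).
REQUIRED_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-11": "Authenticated Users",
    "S-1-1-0": "Everyone",
    "S-1-5-9": "Enterprise Domain Controllers",
}


def parse_privilege_rights(inf_text):
    """Return {right_name: [sids]} from the [Privilege Rights] section.

    secedit writes SIDs with a leading '*', e.g. 'SeNetworkLogonRight = *S-1-1-0,*S-1-5-11'.
    """
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        sids = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
        rights[name.strip()] = sids
    return rights


def missing_network_logon_grants(inf_text):
    """Names of default principals that are absent from SeNetworkLogonRight."""
    granted = set(parse_privilege_rights(inf_text).get("SeNetworkLogonRight", []))
    return sorted(name for sid, name in REQUIRED_SIDS.items() if sid not in granted)


# Constructed sample: a DC where the right has been cut down to Administrators only,
# which is the condition that produces "no logon servers available" (0xc000005e).
SAMPLE_BROKEN = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544
"""

if __name__ == "__main__":
    for name in missing_network_logon_grants(SAMPLE_BROKEN):
        print("missing from SeNetworkLogonRight:", name)
```

On a DC, `secedit /export /cfg dc.inf /areas USER_RIGHTS` produces a real file of this shape; it is UTF-16, so open it with `encoding="utf-16"` before passing the text to the parser.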
 
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 21771871
Ahmed,

Sorry I bailed on you... the time zones caught up with us.  I had to sleep!

Glad you got it solved!

<-=+=->