Domain controllers not Logon Server

Dear guys,

I have a forest containing a single domain, Mydomain.com, with two sites, SiteA and SiteB.
At SiteA there are two domain controllers, named CA1 and CA2. Both are Dell PowerEdge 1650s running Windows 2003 Enterprise Edition SP2, and they work well without problems.

In SiteB there are three domain controllers, all Dell PowerEdge 1650s running Windows 2003 Enterprise Edition SP2, named BA1, BA2 and BA3.

SiteA and SiteB are connected through an IPSec VPN tunnel using ISA Server 2006 Standard at both sites.

All FSMO roles are on server BA1 at SiteB, and replication is fine.
All DCs are GCs, time servers, Active Directory-integrated DNS servers and DHCP servers, except that the FSMO role holder is not a GC.
The problem in SiteB is that only one server, BA1, acts as a logon server. In other words, if this DC is offline, clients fail to access shared resources and fail to log on to their computers.

Could you help me solve this problem?
Asked by ahmed_bq

1 Solution
Joseph Hornsey (President and Janitor) commented:
Ahmed,

I'm not sure exactly what will solve the problem, but here's where I would start:

1. Make sure that you've configured your sites correctly:
    - You've created subnet objects for each IP subnet
    - You've assigned each subnet object to the appropriate site
2. Make sure that each server is in the correct site
    - Keep in mind that domain controllers do not automatically assign themselves to sites the way member servers and clients do.
3. Make sure at least one DC in each site is a global catalog server
4. Make sure you've got two DNS servers in each site
5. Check your event logs for any of the following errors and warnings:
    - DNS
    - NTFRS
    - Kerberos
    - Active Directory

I know you mention that all DCs are GC, time servers, etc.  Regarding time servers, your PDC emulator should be configured to sync to an outside time source and all other servers and clients should be left alone.

What are your thoughts?

<-=+=->
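The checklist above (subnet objects per site, DCs in the right site, a GC per site, and a scan of the DNS/NTFRS/Kerberos/AD event sources) can be run as one script. The following is an added example, not code from the thread; it uses the System.DirectoryServices.ActiveDirectory classes (which query Windows Server 2003 DCs without the ActiveDirectory PowerShell module) and assumes it is run as a domain administrator from a domain-joined machine that can reach each DC's event logs over RPC. The event-log names, sources and the 24-hour window are assumptions chosen to match the answer.

```powershell
# Added example (not from the original thread): audit AD site topology and DC health.
# Assumptions: domain admin, domain-joined machine, RPC access to each DC's event logs.

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# 1/2. Sites, their subnet objects, and which DCs are placed in each site
foreach ($site in $forest.Sites) {
    Write-Host ("Site {0}" -f $site.Name)
    if ($site.Subnets.Count -eq 0) {
        Write-Warning ("  Site {0} has no subnet objects; clients in it cannot locate a local DC" -f $site.Name)
    }
    foreach ($subnet in $site.Subnets) { Write-Host ("  subnet  {0}" -f $subnet.Name) }
    foreach ($srv in $site.Servers)    { Write-Host ("  DC      {0}" -f $srv.Name) }
}

# 3. At least one global catalog server in every site
$gcsBySite = @{}
foreach ($gc in $forest.GlobalCatalogs) { $gcsBySite[$gc.SiteName] += 1 }
foreach ($site in $forest.Sites) {
    if (-not $gcsBySite.ContainsKey($site.Name)) {
        Write-Warning ("  Site {0} has no global catalog server" -f $site.Name)
    }
}

# 4/5. Per-DC: site placement, GC flag, and recent errors/warnings from the suggested sources
$sources = 'DNS', 'NtFrs', 'Kerberos', 'NTDS General', 'NTDS Replication', 'KDC', 'LSASRV', 'NETLOGON'
$logs    = 'System', 'Directory Service', 'DNS Server', 'File Replication Service'   # Windows 2003 log names
$since   = (Get-Date).AddHours(-24)

foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        Write-Host ("{0} site={1} GC={2}" -f $dc.Name, $dc.SiteName, $dc.IsGlobalCatalog())
        foreach ($log in $logs) {
            try {
                Get-EventLog -ComputerName $dc.Name -LogName $log -After $since -EntryType Error, Warning -ErrorAction Stop |
                    Where-Object { $sources -contains $_.Source } |
                    ForEach-Object {
                        # first line of the message is enough to spot 1411/40960/KDC 11 style errors
                        Write-Host ("  {0} {1} {2} {3}" -f $_.TimeGenerated, $_.Source, $_.EventID, ($_.Message -split "`n")[0])
                    }
            } catch {
                Write-Warning ("  {0}: cannot read log '{1}': {2}" -f $dc.Name, $log, $_.Exception.Message)
            }
        }
    }
}
```

A site with no subnet object, or a DC whose `SiteName` does not match where it physically sits, is the first thing to fix; DCs are not moved between sites automatically, so a DC promoted in SiteB but still listed under SiteA will only advertise for SiteA clients.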
Keith Alabaster (Enterprise Architect) commented:
Can you run dcdiag on each DC in turn please? What are the results - anything untoward?
All the dc's are in the right areas within sites & services?
No registry changes forcing clients to use a particular DC for logon?
ahmed_bq (Author) commented:
SplinterCell5894:

My sites are configured correctly: SiteA 172.16.0.0/24, SiteB 10.0.0.0/24. The DCs are placed correctly in Sites and Services.

There are 2 servers that are GCs, and all DCs are DNS servers.
The time server is configured as the preferred time server on the PDC, BA1.

I have errors like the following on BA1 (the FSMO role holder):

Source: NTDS Replication
ID: 1411
Category: DS RPC Client
The Security System detected an authentication error for the server LDAP/BA1.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".


Source: MSDTC
ID: 53258
Category: SVC
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: %1

Source: LSASRV
ID: 40960
Category: SPNEGO (Negotiator)
The Security System detected an authentication error for the server LDAP/BA1.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

Source: KDC
ID: 11
Category: none
There are multiple accounts with name host/PC34.MyDomain.com of type DS_SERVICE_PRINCIPAL_NAME.

Source: KDC
ID: 7
Category: none
The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was Saeed_Zaky and lookup type 0x8.

The last event ID appears many times with the same error for other user accounts besides saeed_zaky.
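KDC event 11 above ("There are multiple accounts with name host/PC34.MyDomain.com") means the same service principal name is registered on more than one account, so the KDC cannot choose a key to encrypt the service ticket with. The following added example (not code from the thread) lists every SPN held by more than one account by searching the global catalog with a DirectorySearcher; it assumes a domain-joined machine and a user allowed to read the GC, and the function name is my own.

```powershell
# Added example (not from the original thread): find SPNs registered on more than one
# account, the condition KDC event 11 reports. Searches the GC so every domain in the
# forest is covered. Assumption: run from a domain-joined machine with read access to the GC.

function Find-DuplicateSpn {
    $rootDse  = [ADSI]'GC://rootDSE'
    $gcRoot   = [ADSI]"GC://$($rootDse.rootDomainNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($gcRoot)
    $searcher.Filter   = '(servicePrincipalName=*)'
    $searcher.PageSize = 1000                       # paged search, avoids the 1000-object cap
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'servicePrincipalName'))

    $owners = @{}                                   # spn (lower-cased) -> array of owning DNs
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            $key = ([string]$spn).ToLowerInvariant()  # SPN comparison is case-insensitive
            if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
            $owners[$key] += $dn
        }
    }

    foreach ($key in $owners.Keys) {
        if ($owners[$key].Count -gt 1) {
            New-Object PSObject -Property @{ SPN = $key; Accounts = $owners[$key] }
        }
    }
}

Find-DuplicateSpn | Format-List
```

For each duplicate, decide which account legitimately runs the service (for `host/PC34.MyDomain.com` that is the PC34 computer object) and remove the SPN from the other with `setspn -D <spn> <account>` from the Windows Support Tools. Leaving duplicates in place keeps Kerberos authentication to that host failing or falling back to NTLM.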
Joseph Hornsey (President and Janitor) commented:
Ah.  Okay.  I'd recommend doing this for the DC that won't authenticate users:

1. Demote it to a member server.
2. Remove it from the domain.
3. Re-add it to the domain.
4. Promote it to a DC again.

This will reset all of its security accounts and the like.

<-=+=->
ahmed_bq (Author) commented:
DCDIAG run enterprise-wide, verbose, showing only errors and including the domain test, reports the following:

>dcdiag /e /c /v /testdomain:MyDomain.com /q /fix
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Check secure channel from BA1 to MyDomain.com: The specified domain either does not exist or could not be contacted.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         ......................... BA1 failed test OutboundSecureChannels
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... BA1 failed test frsevent
         Warning: BA3 is not advertising as a time server.
         ......................... BA3 failed test Advertising
         Could not Check secure channel from BA1 to MyDomain.com: The specified domain either does not exist or could not be contacted.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         ......................... BA3 failed test OutboundSecureChannels
         Could not Check secure channel from BA1 to MyDomain.com: The specified domain either does not exist or could not be contacted.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         ......................... BA2 failed test OutboundSecureChannels
            *Warning: The next ISTG could not be authoratively determined for
            site SiteB.  A DC should make an ISTG failover attempt in 61
            minutes.
            *Warning: The next ISTG could not be authoratively determined for
            site SiteA.  A DC should make an ISTG failover attempt in 17
            minutes.

Joseph Hornsey (President and Janitor) commented:
I'd recommend going through the steps I outlined.  That will clear up a lot of issues... especially once you see KDC and Kerberos errors.

<-=+=->
ahmed_bq (Author) commented:
SplinterCell5894:

I also want to inform you that I demoted all the servers before and reinstalled Windows again to make sure they were clean.
I also made sure that DNS records and Sites and Services did not contain any data about the demoted servers, checked the metadata with NTDSUTIL, and then promoted them again,

but still has the same problem
ahmed_bq (Author) commented:
I also used the NLTEST tool as below:

>nltest /SC_QUERY:mydomain.com
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

I hope this will help
ahmed_bq (Author) commented:
Can anyone help?

ahmed_bq (Author) commented:
I solved the problem by adding Authenticated Users and Everyone to "Access this computer from the network" in the Default Domain Controllers GPO.

http://support.microsoft.com/kb/837513


Thanks everybody
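The root cause the author found is a user right: if "Access this computer from the network" (SeNetworkLogonRight) on the domain controllers no longer grants the security principals that clients and other DCs authenticate as, the DC refuses network logons, which is exactly what the "no logon servers available" (0xc000005e) and secure-channel failures above look like. The following added example (not code from the thread) exports the effective policy on a DC with `secedit` and reports which of the expected well-known SIDs are missing from that right. It assumes it is run locally on each DC from an elevated prompt; the expected set is the author's fix (Authenticated Users, Everyone) plus ENTERPRISE DOMAIN CONTROLLERS and Administrators, which are the defaults for the Default Domain Controllers Policy, and the function name and scratch path are my own.

```powershell
# Added example (not from the original thread): verify SeNetworkLogonRight on a DC.
# Assumption: run locally on the DC, elevated; $ExportPath is a scratch file.

function Test-NetworkLogonRight {
    param([string]$ExportPath = (Join-Path $env:TEMP 'secpol-userrights.inf'))

    # Well-known SIDs that must hold "Access this computer from the network" on a DC
    $expected = @{
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-1-0'      = 'Everyone'
        'S-1-5-9'      = 'ENTERPRISE DOMAIN CONTROLLERS'
        'S-1-5-32-544' = 'Administrators'
    }

    # Export only the user-rights section of the effective local policy
    & secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $ExportPath)) { throw 'secedit export failed; run from an elevated prompt' }

    $line = Get-Content $ExportPath |
        Where-Object { $_ -match '^SeNetworkLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { throw 'SeNetworkLogonRight is not defined in the exported policy' }

    # The value looks like: *S-1-5-32-544,*S-1-5-11,*S-1-1-0,*S-1-5-9
    # (secedit prefixes SIDs with '*'; resolvable names may appear without it)
    $granted = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }

    $missing = @($expected.Keys | Where-Object { $granted -notcontains $_ })

    New-Object PSObject -Property @{
        Granted = $granted
        Missing = @($missing | ForEach-Object { '{0} ({1})' -f $expected[$_], $_ })
        Ok      = ($missing.Count -eq 0)
    }
}

Test-NetworkLogonRight | Format-List
```

Run it on every DC, not just the one that is failing: because the setting comes from the Default Domain Controllers Policy, a DC that shows the right as missing while others show it present usually has a Group Policy application problem (see the frsevent/SYSVOL warnings in the dcdiag output) rather than a different policy. After correcting the GPO, `gpupdate /force` and a fresh export should report `Ok : True`.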
Joseph Hornsey (President and Janitor) commented:
Ahmed,

Sorry I bailed on you... the time zones caught up with us.  I had to sleep!

Glad you got it solved!

<-=+=->