ahmed_bq asked:
Domain controllers not Logon Server

Dear guys,

I have a forest containing a single domain, Mydomain.com, with two sites, SiteA and SiteB.
At SiteA there are two domain controllers, named CA1 and CA2. Both are Dell PowerEdge 1650 servers running Windows 2003 Enterprise Edition SP2, and they are working well without problems.

In SiteB there are 3 domain controllers, all Dell PowerEdge 1650 servers running Windows 2003 Enterprise Edition SP2, named BA1, BA2 and BA3.

SiteA and SiteB are connected through an IPSec VPN tunnel using ISA Server 2006 Standard at both sites.

All FSMO roles are on server BA1 at SiteB; replication is working well.
All DCs are GCs, time servers, Active Directory-integrated DNS servers and DHCP servers, except that the FSMO role holder does not contain the GC.
I have a problem in SiteB: only one server, BA1, acts as a logon server. In other words, if this DC is offline, clients fail to access shared resources and fail to log on to their computers.

Could you help me to solve this problem?
Joseph Hornsey:

Ahmed,

I'm not sure exactly what will solve the problem, but here's where I would start:

1. Make sure that you've configured your sites correctly:
    - You've created subnet objects for each IP subnet
    - You've assigned each subnet object to the appropriate site
2. Make sure that each server is in the correct site
    - Keep in mind that domain controllers do not automatically assign themselves to sites the way member servers and clients do.
3. Make sure at least one DC in each site is a global catalog server
4. Make sure you've got two DNS servers in each site
5. Check your event logs for any of the following errors and warnings:
    - DNS
    - NTFRS
    - Kerberos
    - Active Directory

I know you mention that all DCs are GC, time servers, etc.  Regarding time servers, your PDC emulator should be configured to sync to an outside time source and all other servers and clients should be left alone.

What are your thoughts?
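The subnet-to-site mapping in step 1 is the part of this checklist that is easiest to verify offline and most often turns out to be the cause of clients authenticating against the wrong DC: a client whose IP matches no subnet object is not associated with any site, so the DC locator can hand it any DC in the domain. The following is an added example, not code from this thread or from any Microsoft tool, that resolves host IPs to sites using the most-specific-subnet rule the locator applies and reports hosts that no subnet object covers. The two subnets are the ones the asker gives further down; the host IPs are constructed, and CLIENT1 is an assumed host sitting on a subnet nobody registered.

```python
"""Resolve host IPs to AD sites from the subnet-to-site mapping, the way
the DC locator does (the most specific matching subnet wins), and flag
hosts that no subnet object covers."""
import ipaddress
from typing import Dict, List, Optional

# Constructed subnet objects, as read from Active Directory Sites and
# Services. The CIDR/site pairs are the ones given in this thread.
SUBNETS: Dict[str, str] = {
    "172.16.0.0/24": "SiteA",
    "10.0.0.0/24": "SiteB",
}

# Constructed host list: the DCs named in the thread with assumed IPs,
# plus CLIENT1, an assumed client on a subnet with no subnet object.
HOSTS: Dict[str, str] = {
    "BA1": "10.0.0.10",
    "BA2": "10.0.0.11",
    "BA3": "10.0.0.12",
    "CA1": "172.16.0.10",
    "CA2": "172.16.0.11",
    "CLIENT1": "10.0.1.50",
}


def site_for_ip(ip: str, subnets: Dict[str, str]) -> Optional[str]:
    """Return the site whose most specific subnet contains ip, or None
    when no subnet object covers it (such a client gets no site and may
    be sent to any DC in the domain)."""
    addr = ipaddress.ip_address(ip)
    best_len = -1
    best_site: Optional[str] = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and net.prefixlen > best_len:
            best_len = net.prefixlen
            best_site = site
    return best_site


def site_report(hosts: Dict[str, str], subnets: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map every host name to the site its IP resolves to (None = uncovered)."""
    return {name: site_for_ip(ip, subnets) for name, ip in hosts.items()}


def uncovered_hosts(hosts: Dict[str, str], subnets: Dict[str, str]) -> List[str]:
    """Names of hosts whose IP matches no subnet object; each of these
    needs a subnet object created and assigned to the right site."""
    return sorted(name for name, site in site_report(hosts, subnets).items() if site is None)


if __name__ == "__main__":
    for name, site in site_report(HOSTS, SUBNETS).items():
        print(f"{name:8} -> {site or 'NO SITE (create a subnet object)'}")
```

Run it against the real subnet list exported from Sites and Services and the IPs of the hosts that are authenticating against the wrong DC; any host that prints NO SITE is the first thing to fix.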

<-=+=->
Can you run dcdiag on each DC in turn please? What are the results - anything untoward?
All the DCs are in the right areas within Sites & Services?
No registry changes forcing clients to use a particular DC for logon?
ahmed_bq (asker):

SplinterCell5894:

My sites are configured correctly: SiteA 172.16.0.0/24, SiteB 10.0.0.0/24. The DCs are placed correctly in Sites and Services.

There are 2 servers that contain the GC, and all DCs are DNS servers.
The time server is configured as the preferred time server on the PDC, BA1.

I have errors like the following on BA1 (FSMO role holder server):

Source:NTDS Replication
ID: 1411
Category: DS RPC Client
The Security System detected an authentication error for the server LDAP/BA1.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".


Source:MSDTC
ID: 53258
Category: SVC
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: %1

Source:LSASRV
ID: 40960
Category: SPNEGO (Negotiator)
The Security System detected an authentication error for the server LDAP/BA1.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

Source:KDC
ID: 11
Category: none
There are multiple accounts with name host/PC34.MyDomain.com of type DS_SERVICE_PRINCIPAL_NAME.

Source:KDC
ID: 7
Category: none
The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was Saeed_Zaky and lookup type 0x8.

The last event ID has many of the same errors, like the one for saeed_zaky, with other user accounts.

Ah.  Okay.  I'd recommend doing this for the DC that won't authenticate users:

1. Demote it to a member server.
2. Remove it from the domain.
3. Re-add it to the domain.
4. Promote it to a DC again.

This will reset all of its security accounts and the like.

<-=+=->
DCDIAG for the enterprise, verbose, showing only errors, and also the domain test, indicated the following:

>dcdiag /e /c /v /testdomain:MyDomain.com /q /fix
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Check secure channel from BA1 to MyDomain.com: The specified domain either does not exist or could not be contacted.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         ......................... BA1 failed test OutboundSecureChannels
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... BA1 failed test frsevent
         Warning: BA3 is not advertising as a time server.
         ......................... BA3 failed test Advertising
         Could not Check secure channel from BA1 to MyDomain.com: The specified domain either does not exist or could not be contacted.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         ......................... BA3 failed test OutboundSecureChannels
         Could not Check secure channel from BA1 to MyDomain.com: The specified domain either does not exist or could not be contacted.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         ......................... BA2 failed test OutboundSecureChannels
            *Warning: The next ISTG could not be authoratively determined for
            site SiteB.  A DC should make an ISTG failover attempt in 61
            minutes.
            *Warning: The next ISTG could not be authoratively determined for
            site SiteA.  A DC should make an ISTG failover attempt in 17
            minutes.
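Output like the above is hard to triage when pasted from a console: long lines wrap mid-word at the console width and the same message repeats many times, so the one line that matters (which DC failed which test) is buried. Below is an added Python helper, not part of this thread and not part of dcdiag, that rejoins wrapped lines, collapses repeated messages into counts and lists the failed tests per DC. The embedded sample is a constructed excerpt of the output posted above, kept with the 80-column wrapping it had when pasted, so the unwrapping step is exercised.

```python
"""Triage raw dcdiag /q output pasted from a console: rejoin lines that the
console wrapped mid-word, count repeated messages, and list which DC failed
which test."""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample: an excerpt of the dcdiag output quoted in this
# thread, with the console's mid-word line wrapping left in place.
SAMPLE = """\
         Could not Query Trusted Domain :The system cannot find the file specifi
ed.
         Could not Query Trusted Domain :The system cannot find the file specifi
ed.
         Could not Check secure channel from BA1 to MyDomain.com: The spe
cified domain either does not exist or could not be contacted.
         ......................... BA1 failed test OutboundSecureChannels
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... BA1 failed test frsevent
         Warning: BA3 is not advertising as a time server.
         ......................... BA3 failed test Advertising
         Could not Check secure channel from BA1 to MyDomain.com: The spe
cified domain either does not exist or could not be contacted.
         ......................... BA3 failed test OutboundSecureChannels
         ......................... BA2 failed test OutboundSecureChannels
            *Warning: The next ISTG could not be authoratively determined for
            site SiteB.  A DC should make an ISTG failover attempt in 61
            minutes.
"""

# "......................... BA1 failed test OutboundSecureChannels"
FAILED_RE = re.compile(r"\.{3,}\s+(\S+)\s+failed test\s+(\S+)")


def unwrap(text: str) -> List[str]:
    """Rejoin console-wrapped lines. dcdiag indents every message it prints,
    so a line that starts at column 0 with a lowercase letter is the tail of
    a word the console broke on the previous line (heuristic, assumed)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw and raw[0].islower() and lines:
            lines[-1] += raw.rstrip()
        else:
            lines.append(raw.rstrip())
    return lines


def failed_tests(lines: List[str]) -> Dict[str, List[str]]:
    """Map each DC name to the dcdiag tests it failed, in output order."""
    by_dc: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        match = FAILED_RE.search(line)
        if match:
            by_dc[match.group(1)].append(match.group(2))
    return dict(by_dc)


def message_counts(lines: List[str]) -> Counter:
    """Collapse repeated 'Could not ...' and 'Warning:' lines into counts so a
    flood of identical trusted-domain errors shows up as one entry."""
    counts: Counter = Counter()
    for line in lines:
        text = line.strip()
        if text.startswith("Could not") or "Warning:" in text:
            counts[text] += 1
    return counts


def triage(text: str) -> Dict[str, object]:
    """One-call summary used by the stand-alone run below."""
    lines = unwrap(text)
    return {"failed": failed_tests(lines), "messages": message_counts(lines)}


if __name__ == "__main__":
    summary = triage(SAMPLE)
    for dc, tests in summary["failed"].items():
        print(f"{dc}: failed {', '.join(tests)}")
    for message, n in summary["messages"].most_common():
        print(f"{n:3}x {message}")
```

The summary makes the shape of this case visible at a glance: every DC in SiteB fails OutboundSecureChannels against the domain itself, which matches the nltest ERROR_NO_SUCH_DOMAIN result the asker posts next, while the repeated trusted-domain lines are one message, not eight separate problems.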

I'd recommend going through the steps I outlined.  That will clear up a lot of issues... especially once you see KDC and Kerberos errors.

<-=+=->
SplinterCell5894:

I also want to inform you that I demoted all the servers before and reinstalled Windows again to ensure they were clean.
I also made sure that the DNS records and Sites and Services did not contain any data about the demoted servers, and also checked the metadata with NTDSUTIL, and then I promoted them again.

But it still has the same problem.
I also used the NLTEST tool as below:

>nltest /SC_QUERY:mydomain.com
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

I hope this will help.
Can anyone help??
ASKER CERTIFIED SOLUTION
ahmed_bq (asker)

Ahmed,

Sorry I bailed on you... the time zones caught up with us.  I had to sleep!

Glad you got it solved!

<-=+=->