Solved

Domain controllers not Logon Server

Posted on 2008-06-11
Last Modified: 2012-05-05
Dear guys,

I have a forest containing a single domain, Mydomain.com, with two sites, SiteA and SiteB.
At SiteA there are two domain controllers, CA1 and CA2; both are Dell PowerEdge 1650 servers running Windows 2003 Enterprise Edition SP2, and they are working well without problems.

In SiteB there are 3 domain controllers, all Dell PowerEdge 1650 servers running Windows 2003 Enterprise Edition SP2, named BA1, BA2 and BA3.

SiteA and SiteB are connected through an IPSec VPN tunnel using ISA Server 2006 Standard at both sites.

The FSMO roles are all on server BA1 at SiteB; replication is fine.
All DCs are GCs, time servers, DNS servers (Active Directory integrated) and DHCP servers, except that the FSMO role holder is not a GC.
I have a problem in SiteB: only one server, BA1, acts as a logon server. In other words, if this DC is offline, clients fail to access shared resources and fail to log on to their computers.

Could you help me to solve this problem?
Question by: ahmed_bq
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 21766458
Ahmed,

I'm not sure exactly what will solve the problem, but here's where I would start:

1. Make sure that you've configured your sites correctly:
    - You've created subnet objects for each IP subnet
    - You've assigned each subnet object to the appropriate site
2. Make sure that each server is in the correct site
    - Keep in mind that domain controllers do not automatically assign themselves to sites the way member servers and clients do.
3. Make sure at least one DC in each site is a global catalog server
4. Make sure you've got two DNS servers in each site
5. Check your event logs for any of the following errors and warnings:
    - DNS
    - NTFRS
    - Kerberos
    - Active Directory

I know you mention that all DCs are GC, time servers, etc.  Regarding time servers, your PDC emulator should be configured to sync to an outside time source and all other servers and clients should be left alone.

What are your thoughts?

<-=+=->
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21766463
Can you run dcdiag on each DC in turn, please? What are the results - anything untoward?
Are all the DCs in the right areas within Sites & Services?
No registry changes forcing clients to use a particular DC for logon?
Author Comment

by:ahmed_bq
ID: 21766666
SplinterCell5894:

My sites are configured correctly (SiteA 172.16.0.0/24, SiteB 10.0.0.0/24), and the DCs are placed correctly in Sites and Services.

There are 2 servers containing the GC, and all DCs are DNS servers.
The time server is configured as the preferred time server on the PDC, BA1.

I have errors like the following on BA1 (the FSMO role holder server):

Source: NTDS Replication
ID: 1411
Category: DS RPC Client
The Security System detected an authentication error for the server LDAP/BA1.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".


Source:MSDTC
ID: 53258
Category: SVC
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: %1

Source:LSASRV
ID: 40960
Category: SPNEGO (Negotiator)
The Security System detected an authentication error for the server LDAP/BA1.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

Source:KDC
ID: 11
Category: none
There are multiple accounts with name host/PC34.MyDomain.com of type DS_SERVICE_PRINCIPAL_NAME.

Source:KDC
ID: 7
Category: none
The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was Saeed_Zaky and lookup type 0x8.

The last event ID has many of the same errors, like the one for saeed_zaky, with other user accounts.
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 21766677
Ah.  Okay.  I'd recommend doing this for the DC that won't authenticate users:

1. Demote it to a member server.
2. Remove it from the domain.
3. Re-add it to the domain.
4. Promote it to a DC again.

This will reset all of its security accounts and the like.

<-=+=->

Author Comment

by:ahmed_bq
ID: 21766689
DCDIAG for the enterprise, verbose, showing only errors and also running the domain test, indicated the following:

>dcdiag /e /c /v /testdomain:MyDomain.com /q /fix
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Check secure channel from BA1 to MyDomain.com: The specified domain either does not exist or could not be contacted.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         ......................... BA1 failed test OutboundSecureChannels
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... BA1 failed test frsevent
         Warning: BA3 is not advertising as a time server.
         ......................... BA3 failed test Advertising
         Could not Check secure channel from BA1 to MyDomain.com: The specified domain either does not exist or could not be contacted.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         ......................... BA3 failed test OutboundSecureChannels
         Could not Check secure channel from BA1 to MyDomain.com: The specified domain either does not exist or could not be contacted.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         Could not Query Trusted Domain :The system cannot find the file specified.
         ......................... BA2 failed test OutboundSecureChannels
            *Warning: The next ISTG could not be authoratively determined for
            site SiteB.  A DC should make an ISTG failover attempt in 61
            minutes.
            *Warning: The next ISTG could not be authoratively determined for
            site SiteA.  A DC should make an ISTG failover attempt in 17
            minutes.

LVL 13

Expert Comment

by:Joseph Hornsey
ID: 21766700
I'd recommend going through the steps I outlined.  That will clear up a lot of issues... especially once you see KDC and Kerberos errors.

<-=+=->
Author Comment

by:ahmed_bq
ID: 21766707
SplinterCell5894:

I also want to inform you that I demoted all the servers before and reinstalled Windows again to ensure they were clean.
I also made sure that DNS records and Sites and Services did not contain any data about the demoted servers, checked the metadata from NTDSUTIL as well, and then promoted them again.

But it still has the same problem.
Author Comment

by:ahmed_bq
ID: 21766787
I also use NLTEST tool as below

>nltest /SC_QUERY:mydomain.com
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

I hope this will help
Author Comment

by:ahmed_bq
ID: 21767591
Can anyone help?
Accepted Solution

by: ahmed_bq
ID: 21771015
I solved the problem by adding Authenticated Users and Everyone to "Access this computer from the network" in the Default Domain Controllers GPO.

http://support.microsoft.com/kb/837513


Thanks everybody
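A quick way to verify that fix on each DC, as an added example that is not part of this thread: export the DC's effective security policy with secedit and check which well-known SIDs the "Access this computer from the network" right (SeNetworkLogonRight) grants. The required set below is an assumption taken from the accepted answer (Authenticated Users, Everyone) plus Administrators and Enterprise Domain Controllers, which the default DC policy also grants; the temp file path is constructed.

```powershell
# Added example: audit SeNetworkLogonRight on a domain controller.
# Run in an elevated PowerShell on each DC (BA1, BA2, BA3 in the thread).
$inf = Join-Path $env:TEMP 'secpol-export.inf'   # constructed temp path
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Well-known SIDs expected on a DC (assumption based on the accepted answer
# and the default Domain Controllers policy). Missing entries mean member
# computers and other DCs cannot authenticate over the network to this DC.
$required = [ordered]@{
    '*S-1-5-32-544' = 'Administrators'
    '*S-1-5-11'     = 'Authenticated Users'
    '*S-1-1-0'      = 'Everyone'
    '*S-1-5-9'      = 'Enterprise Domain Controllers'
}

# The export is an INI-style file; [Privilege Rights] holds lines such as
#   SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-9
$line = Get-Content $inf | Where-Object { $_ -match '^\s*SeNetworkLogonRight\s*=' }
if (-not $line) {
    Write-Warning 'SeNetworkLogonRight is not defined: nobody can log on over the network.'
    $granted = @()
} else {
    $granted = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
}

foreach ($sid in $required.Keys) {
    if ($granted -contains $sid) {
        Write-Output ("OK      {0,-14} {1}" -f $sid, $required[$sid])
    } else {
        Write-Output ("MISSING {0,-14} {1}  (add it in the Default Domain Controllers Policy)" -f $sid, $required[$sid])
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Run gpupdate /force on the DC after changing the GPO and re-run the script; the export reflects the policy as applied, so a still-missing SID points at the GPO not reaching that DC (a SYSVOL/FRS problem like the frsevent failure in the dcdiag output above).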
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 21771871
Ahmed,

Sorry I bailed on you... the time zones caught up with us.  I had to sleep!

Glad you got it solved!

<-=+=->