Clint1234 asked:
Multiple domain authentication issue

Hi - I've got one annoying problem.

We are a small company of about 200. Offices with Server 2003 R2 domain controllers in HK, NY and London. I run the HK office - we have 2 domain controllers here, one as failover. We have a local Exchange server here too. At the weekend we had a scheduled MPLS outage.

But I noticed I couldn't log on when the outage happened. My PC was really unresponsive. Anyway, after the link came back up I started taking note of the login script. The HK PCs are authenticating to the London DC - when the link came back up there was no issue at all.

DCPROMO was run on the HK domain servers.

What would cause this? I always thought that PCs would try to connect to the closest domain controller - the PCs and DCs in HK are on the same subnet.

Darius Ghassem:
Was the DNS server down too?
Clint1234 (asker):
Not sure what you mean? The office was functioning as normal - bar the MPLS link being down. I just logged onto one of the HK domains and the London domain controller is in DNS as well as one of the HK ones -
If the PCs can't contact the DNS server that is in the HK domain they will look for the secondary DNS server, which then points them to the closest DC.
Thanks - so do you think there's a DNS problem? What test would you do to prove this?
Are the PCs in HK still authenticating to the London DC? Is the MPLS online? What you should do is run ipconfig /flushdns on one of the PCs, then log off and log back on to see if the PCs are authenticating to the HK DCs. If the PC still goes to London, try to ping the HK DNS server's IP address. Check the Event Log for any errors. I have a utility that we can run, but let's try these first.
Hi, yes, all PCs are authenticating to London. Yes, MPLS is back online. I've pinged the HK DNS server IP address (to confirm: I've gone into DNS, highlighted the HK DC, gone to Properties and pinged the address in the dialog box). Resolves fine. Have run a tracert: hits DNS server, then firewall, then London DC. How do I confirm that the HK DC is actually a DC? I remember running DCPROMO on it about a year ago but it would be nice to double check -
Open Active Directory Users and Computers, then look in the Domain Controllers OU to see if the server's name is listed. Also, look in DNS to find the SRV records to see if the server's IP address and name are listed. Here are a couple of sites that will walk you through checking whether the DC is listed in DNS.

http://support.microsoft.com/kb/816587

http://www.petri.co.il/active_directory_srv_records.htm
OK - in the forward lookup zones I have found the SRV records. Both _kerberos and _ldap are saying that the hosts offering the service are both HK domain controllers -
And yes - both are in AD as domain controllers, along with the New York one -
Have you done the ipconfig /flushdns on one of the PCs and logged off and then logged on? Do you have a global catalog set up on one of the DCs at the HK office? To see if you have one at the HK location, do this on both of the HK DCs. If you don't, then make one of them a global catalog.

To enable or disable a global catalog:

Click the Start button, select the Programs option, select the Administrative Tools option and select the Active Directory Sites and Services option.
In the console tree, double-click the domain controller hosting the global catalog.
Right-click NTDS Settings, and then click Properties.
Select the Global Catalog check box.
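The checks suggested in this thread (which DC the PC is talking to, whether the HK DCs are published in the SRV records, and whether a global catalog exists in HK) can be run from one client-side script. The following is an added example and is not code from the thread; it assumes PowerShell and the Windows Support Tools (for nltest) are installed on the client, that the PC is joined to the domain given by $Domain, and that the person running it has ordinary domain-user rights. It also prints the site the DC locator assigned to the PC: if that is empty or not the HK site, the PC's subnet is not mapped to an HK site in AD Sites and Services, and the locator is then free to return any DC in the domain, which is one way a PC on the HK subnet can end up on a London DC.

```powershell
# Added example, not part of the original thread.
# Assumptions: Windows Support Tools (nltest) installed; PC joined to $Domain.
param([string]$Domain = $env:USERDNSDOMAIN)

# DC that processed the current logon session (set by Winlogon, NetBIOS name).
"LOGONSERVER  : $env:LOGONSERVER"

# Site the DC locator assigned to this PC from its IP/subnet mapping.
# Empty or wrong site => subnet not associated with the HK site in AD Sites and Services.
$site = (nltest /dsgetsite | Select-Object -First 1).Trim()
"Locator site : $site"

# Ask the locator again, bypassing the cached DC, and show which DC and site it returns now.
nltest "/dsgetdc:$Domain" /force

# Generic DC SRV records: any DC in the domain is listed here and may be returned.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"

# Site-specific SRV records: a correctly site-mapped client queries these first,
# so the HK DCs must appear under the HK site name for local logon to be preferred.
if ($site) { nslookup -type=SRV "_ldap._tcp.$site._sites.dc._msdcs.$Domain" }

# Global catalogs in the forest and the site each one sits in, via .NET
# (works on PowerShell 1.0/2.0, no extra modules needed).
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$forest.GlobalCatalogs | ForEach-Object { "GC           : $($_.Name)  site=$($_.SiteName)" }

# All DCs the domain advertises, and the secure channel this PC currently holds.
nltest "/dclist:$Domain"
nltest "/sc_query:$Domain"
```

Run it on one of the affected HK PCs before and after any DNS or site change. The interesting comparison is between the site nltest reports and the site names in the SRV output: when they disagree, or when the site is blank, the fix is in AD Sites and Services (subnet-to-site mapping and DC placement), not on the client.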
Yes, I have run ipconfig /flushdns and rebooted my PC. Still authenticated to London - checked NTDS settings, both are set up as global catalogs.
From a command prompt try running netdiag /fix; this could repopulate the DNS records for your DC.

If you don't have the Support Tools installed, install them from your server install disk:
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (on each DC)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

**Note: Using the /E switch in dcdiag will run diagnostics against ALL DCs in the forest. If you have a significant number of DCs this test could generate significant detail and take a long time. You also want to take into account that slow links to DCs will add to the testing time.

If you download a GUI script I wrote it should be simple to set up and run (DCDiag and NetDiag). It also has the option to run individual tests without having to learn all the switch options. The details will be output in Notepad text files that pop up automagically.

The script is located in the download section on my website at
http://www.pbbergs.com/windows/downloads.htm#DCDIAG

Just select both dcdiag and netdiag and make sure verbose is set. (Leave the default settings for dcdiag as set when selected.)

When complete, search for fail, error and warning messages.

Just a thought: if this does get it working, will it cause all the PCs to look for this DC automatically, or will the guys need to log off and log on again? Don't want it taking the network down -
This will give me a look at the AD environment and to see if any problems exist.
Wow - wicked tool! Hey, what's your email address? I don't want to post the error files on here as they've got our company name all through them (hedge fund, you know - don't like everyone knowing our business).
The netdiag.log file shows no errors -

The DNS file shows errors for all domain controllers in delegation -
@dariusq:

Preferred DNS server on clients using MPLS.

Clint, you are in good hands.
My email address is dariusg@tbonz.com.
On its way to you now -
ASKER CERTIFIED SOLUTION
Darius Ghassem
This solution is only available to members.
Hey Darius - I'm in meetings all day today. I'll try these fixes tonight and get back to you this time tomorrow - Clint.
Darius, repopulated the GC and all is fine now. Ran ipconfig /all then set. Confirmed in there we are now logging onto the HK domain.

However, when the MPLS goes down we still have problems with PCs locking up. I'll post a new question to address this, but you get the points for this question.

Thanks for your help - Clint.