Solved

Multiple domain authentication issue

Posted on 2008-06-15
Last Modified: 2013-12-23

Hi - I've got one annoying problem.

We are a small company of about 200. Offices with Server 2003 R2 domain controllers in HK, NY and London. I run the HK office - we have 2 domain controllers here, one as failover. We have a local Exchange server here too. At the weekend we had a scheduled MPLS outage.

But I noticed I couldn't log on when the outage happened. My PC was really unresponsive. Anyway, after the link came back up I started taking note of the login script. The HK PCs are authenticating to the London DC - when the link came back up there was no issue at all.

DC promo was run on the HK domain servers.  

What would cause this? I always thought that PCs would try to connect to the closest domain - the PCs and DCs in HK are on the same subnet.

Question by:Clint1234
23 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21790218
Was the DNS server down too?

Author Comment

by:Clint1234
ID: 21790223
Not sure what you mean? The office was functioning as normal - bar the MPLS link being down. I just logged onto one of the HK domains and the London domain controller is in DNS as well as one of the HK ones -
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21790253
If the PCs can't contact the DNS that is in the HK domain, they will look for the secondary DNS, which then points them to the closest DC.

Author Comment

by:Clint1234
ID: 21790258
Thanks - so do you think there's a DNS problem? What test would you do to prove this?
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21790333
Are the PCs in HK still authenticating to the London DC? Is the MPLS online? What you should do is an ipconfig /flushdns on one of the PCs, then log off, then log back on to see if the PCs are authenticating to the HK DCs. If the PC still goes to London, try to ping the HK DNS server's IP address. Check the Event Log for any errors. I have a utility that we can run, but let's try these first.

Author Comment

by:Clint1234
ID: 21790494
Hi, yes, all PCs are authenticating to London. Yes, MPLS is back online. I've pinged the HK DNS server IP address (to confirm: I've gone into DNS, highlighted the HK DC, gone to Properties and pinged the address in the dialog box). Resolves fine. Have run a tracert: hits the DNS server, then the firewall, then the London DC. How do I confirm that the HK DC is actually a DC? I remember running DC promo on it about a year ago but it would be nice to double check -
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21790518
Open Active Directory Users and Computers, then look in the Domain Controllers OU to see if the server's name is listed. Also, look in DNS to find the SRV records to see if the server's IP address and name are listed. Here are a couple of sites that will walk you through checking whether the DC is listed in DNS.

http://support.microsoft.com/kb/816587

http://www.petri.co.il/active_directory_srv_records.htm

Author Comment

by:Clint1234
ID: 21790588
OK - in the forward lookup zones I have found the SRV records. Both Kerberos and _ldap are saying that the hosts offering the service are both HK domain controllers -

Author Comment

by:Clint1234
ID: 21790599
And yes - both are in AD as domain controllers, along with the New York one -
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21790616
Have you done the ipconfig /flushdns on one of the PCs and logged off and then logged on? Do you have a global catalog set up on one of the DCs at the HK office? To see if you have one at the HK location, do this on both of the HK DCs. If you don't, then make one of them a global catalog.

To enable or disable a global catalog:

Click the Start button, select the Program option, select the Administrative Tools option and select the Active Directory Sites and Services option.
In the console tree, double-click the domain controller hosting the global catalog.
Right-click NTDS Settings, and then click Properties.
Select the Global Catalog check box.

Author Comment

by:Clint1234
ID: 21790636
Yes, I have run ipconfig /flushdns and rebooted my PC. Still authenticated to London - checked NTDS Settings, both are set up as global catalogs.
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21790640
From a command prompt try running netdiag /fix; this could
repopulate the DNS records for your DC.

If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's
in the forest. If you have significant numbers of DC's this test could
generate significant detail and take a long time. You also want to take
into account slow links to dc's will also add to the testing time.

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be output
in notepad text files that pop up automagically.

The script is located in the download section on my website at
http://www.pbbergs.com/windows/downloads.htm#DCDIAG

Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.


Author Comment

by:Clint1234
ID: 21790658
Just a thought: if this does get it working, will it cause all the PCs to look for this DC automatically, or will the guys need to log off and log on again? Don't want it taking the network down -
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21790670
This will give me a look at the AD environment and to see if any problems exist.

Author Comment

by:Clint1234
ID: 21790714
Wow - wicked tool! Hey, what's your email address? I don't want to post the error files on here as they've got our company name all through them (hedge fund, you know - don't like everyone knowing our business).

Author Comment

by:Clint1234
ID: 21790732
The netdiag.log file shows no errors -

The DNS file shows errors for all domain controllers in delegation -
LVL 38

Expert Comment

by:ChiefIT
ID: 21791792
@dariusq:

Preferred DNS server on clients using MPLS.

Clint, you are in good hands.
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21792977
My email address is dariusg@tbonz.com.

Author Comment

by:Clint1234
ID: 21798781
On its way to you now -
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 21798925
Here is something that I forgot to add or ask: is HK set up as a different site in AD Sites and Services?


Second thing read this.

Most of the time this is due to the _gc records missing from DNS.

Clients find a local DC (and GC for authentication) based on 3 things: first, DNS and the _gc SRV records; next, they compare their own subnet with that of the referral from DNS, and if they match then the client uses the local server; lastly, they also look at the site record in DNS to make sure they are in the same site.

If it's failing, then very likely there is a _gc or _site entry missing somewhere.

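As an added example (not code from the thread or from either poster), a small Python model of the three checks the accepted solution lists: site-specific SRV lookup, subnet match, then fallback to whatever the domain-wide record offers. The domain name, SRV records and subnet-to-site mapping are constructed in-line so the script runs offline; the empty HK _gc record reproduces the symptom Clint saw, where a GC lookup lands on the remote London DC while the plain _ldap lookup stays local.

```python
import ipaddress

DOMAIN = "corp.example"  # constructed forest/domain name, not the poster's

# Constructed DNS zone: SRV record name -> list of (target host, target IP).
# The site-specific _gc record for HK is empty, reproducing the thread's symptom.
DNS_SRV = {
    f"_ldap._tcp.{DOMAIN}": [("ldn-dc1", "10.2.0.10"), ("hk-dc1", "10.1.0.10")],
    f"_gc._tcp.{DOMAIN}": [("ldn-dc1", "10.2.0.10")],
    f"_ldap._tcp.HK._sites.dc._msdcs.{DOMAIN}": [("hk-dc1", "10.1.0.10"), ("hk-dc2", "10.1.0.11")],
    f"_gc._tcp.HK._sites.{DOMAIN}": [],
    f"_ldap._tcp.LDN._sites.dc._msdcs.{DOMAIN}": [("ldn-dc1", "10.2.0.10")],
    f"_gc._tcp.LDN._sites.{DOMAIN}": [("ldn-dc1", "10.2.0.10")],
}

# Constructed AD Sites and Services data: subnet object -> site it belongs to.
AD_SUBNETS = {"10.1.0.0/24": "HK", "10.2.0.0/24": "LDN"}

def site_for(ip):
    """Return the AD site whose subnet object contains ip, or None if no subnet covers it."""
    addr = ipaddress.ip_address(ip)
    for net, site in AD_SUBNETS.items():
        if addr in ipaddress.ip_network(net):
            return site
    return None

def locate(client_ip, want_gc, dns=DNS_SRV):
    """Pick a DC using the three checks from the answer; returns (dc_name, reason).
    1. the site-specific SRV record (_gc or _ldap) for the client's own site,
    2. else the domain-wide record, keeping targets whose subnet is the client's site,
    3. else whatever the domain-wide record offers, which may be a remote DC."""
    site = site_for(client_ip)
    svc = "_gc" if want_gc else "_ldap"
    suffix = f"_sites.{DOMAIN}" if want_gc else f"_sites.dc._msdcs.{DOMAIN}"
    if site and dns.get(f"{svc}._tcp.{site}.{suffix}"):
        return dns[f"{svc}._tcp.{site}.{suffix}"][0][0], f"site record for {site}"
    generic = dns.get(f"{svc}._tcp.{DOMAIN}", [])
    same_site = [host for host, ip in generic if site and site_for(ip) == site]
    if same_site:
        return same_site[0], "subnet match on domain-wide record"
    if generic:
        return generic[0][0], f"no local {svc} record; remote DC chosen"
    return None, f"no {svc} SRV records found"

def missing_site_records(site, dns=DNS_SRV):
    """List the site SRV names the answer says to check that have no targets at all."""
    names = [f"_ldap._tcp.{site}._sites.dc._msdcs.{DOMAIN}", f"_gc._tcp.{site}._sites.{DOMAIN}"]
    return [name for name in names if not dns.get(name)]
```

Running `missing_site_records("HK")` against the constructed zone names the empty _gc entry, which is the record that repopulating the GC (or netdiag /fix) is meant to restore; once it is present, `locate` picks the HK DC for GC lookups too.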

Author Comment

by:Clint1234
ID: 21799005
Hey Darius - I'm in meetings all day today. I'll try these fixes tonight and get back to you this time tomorrow - Clint.
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21799101
Ok

Author Comment

by:Clint1234
ID: 21809802
Darius, repopulated the GC and all is fine now. Ran ipconfig /all, then set. Confirmed in there we are now logging onto the HK domain.

However, when the MPLS goes down we still have problems with PCs locking up. I'll post a new question to address this, but you get the points for this question.

Thanks for your help - Clint.