Cannot log onto server in trusted domain when one of the two domain controllers in that trusted domain is down.

Posted on 2008-10-23
Last Modified: 2012-05-05
We have a forest with a two-way trust between domain1 and domain2. Here are the FSMO roles:

Schema master               dc1.domain1.local
Domain naming master        dc1.domain1.local
PDC                         dc1.domain2.local
RID pool manager            dc1.domain2.local
Infrastructure master       dc1.domain2.local

There is one DC in domain1 (dc1.domain1.local). There are two DCs in domain2 (dc1.domain2.local and dc2.domain2.local).

When we take down DC1.domain2.local and users in domain1 try to log into servers in domain2 using their domain1 user accounts, the login attempts fail. Unfortunately none of the users took a screenshot, so I don't know what the exact error is. They can ping and remote to it (they see the login prompt), but logging in fails. I can't test it without taking down dc1.domain2.local, but that will kill the services they're providing. Additionally, their SQL connections, which use NTLM authentication, now fail.

Both DC1 and DC2 in domain2 host DNS as well, and there's no WINS running, if that helps.

Question by: GCIT_Manager
Expert Comment

ID: 22786104
I would start by checking your event logs for errors on all your domain controllers. There may be some replication issues. Also, if your DNS is not replicating properly, this can cause these issues as well.

Check that the trust settings are in place correctly as well.

Hope this helps.

Expert Comment

ID: 22786106

Those FSMO roles will exist in both domains, as I'm assuming this is a trust between two forests.

How is the DNS configured? Do the DCs in domain1 hold a secondary zone for domain2 and vice versa, and do both DCs in domain2 hold this secondary zone or just one of them? What kind of trust have you created? Is it a two-way trust for the entire domain?


Author Comment

ID: 22786273
There is one forest with two domains in it. Domain1 and Domain2. The trust is two way.


How do I verify that DNS is replicating properly? What settings should I check?

Which part of the DNS configuration specifically are you asking about?

In DNS on domain2 it is:

Forward Lookup Zones:
a. _msdcs.domain1.local
b. domain2.local

(same settings on both dc1 and dc2 in domain2)

Sorry to be lame, but can you direct me to where I find out your answers more specifically?

Author Comment

ID: 22786328
Incidentally, dc1.domain1.local has all of domain1's FSMO roles on it (it is the only DC in that domain).

Expert Comment

ID: 22786958
As long as your DC1.DOMAIN2 and DC2.DOMAIN2 both have DNS replicated to each other, you should not have any DNS name resolution issue. But you must verify that the DNS zones on DC1.DOMAIN1 contain the zones of either DC1.DOMAIN2 or DC1.DOMAIN3, to be able to resolve names in the event that DC1 or DC2 in DOMAIN2 is down.
Assuming this is not the problem, what about a firewall between these domains? If there's a firewall rule, maybe it is only open for DC1.DOMAIN2 but not DC2.DOMAIN2?

Author Comment

ID: 22787009
How do I verify that the replication of DNS is working and that they contain the zones?

When I check the DNS on dc1.domain1.com it shows these forward zones:


Assisted Solution

Sinder255248 earned 1000 total points
ID: 22794671
I think you're probably going to have to change the scope of DNS. When you right-click on the zone in DNS and check Properties, it probably says AD Integrated, any DNS server in the domain (the default). You need to change this to any DNS server in the forest. If you do this on all zones (except _msdcs), you'll see that they replicate to all DNS servers in the forest and you shouldn't have any issues logging on. Let me know how it goes; by the end your DNS should look like:


          >  _msdcs.domain1.local (AD Integrated any DC in the forest)
          >  domain1.local   (AD Integrated any DC in the forest)
          >  domain2.local   (AD Integrated any DC in the forest)

DC2.Domain2.local and DC3.Domain2.local:

          >  _msdcs.domain2.local (AD Integrated any DC in the forest)
          >  domain1.local   (AD Integrated any DC in the forest)
          >  domain2.local   (AD Integrated any DC in the forest)

I wouldn't change the topology on _msdcs; I'd leave that on its own domain. You may also have to update the search suffix on your machines to include both Domain2.local and Domain1.local, so that when computers search for Server1 it will append both domains' suffixes to the search and bring back the result.
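The zone scope change described above, together with the replication check the author asked for earlier, done from PowerShell. This is an added example and not part of the thread; it assumes the DnsServer and ActiveDirectory modules (Windows Server 2012 and later, so newer than the 2008-era servers in the question, where the same change is made in the DNS console), Domain Admins rights, and the zone names domain1.local and domain2.local from the question.

```powershell
# Added example, not from the thread. Assumes the DnsServer and ActiveDirectory
# modules (Windows Server 2012+) and that it is run on a DC as a Domain Admin.
Import-Module DnsServer
Import-Module ActiveDirectory

# 1. List every AD-integrated forward zone on every DC in the forest with its
#    replication scope. 'Domain' = only DNS servers in that zone's own domain hold
#    a copy (the default the expert describes); 'Forest' = every DNS server in the
#    forest holds a copy, so a DC in domain1 can still resolve domain2 names when
#    one of the domain2 DCs is down.
$dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
foreach ($dc in $dcs) {
    Get-DnsServerZone -ComputerName $dc.HostName |
        Where-Object { $_.IsDsIntegrated -and -not $_.IsReverseLookupZone } |
        Select-Object @{ n = 'DC'; e = { $dc.HostName } }, ZoneName, ReplicationScope
}

# 2. Widen the replication scope of the domain zones only. _msdcs.<domain> is
#    deliberately left alone, as the expert advises, so that the GUID/SRV records
#    it holds keep their own (forest-wide _msdcs.<forest root>) topology.
$zonesToWiden = 'domain1.local', 'domain2.local'   # zone names taken from the question
foreach ($zone in $zonesToWiden) {
    # change the zone on a DC of the domain that owns it
    $owner = $dcs | Where-Object { $_.Domain -ieq $zone } | Select-Object -First 1
    Set-DnsServerPrimaryZone -Name $zone -ReplicationScope Forest `
        -ComputerName $owner.HostName -PassThru
}

# 3. The zone now lives in the ForestDnsZones application partition and only shows
#    up on the other DCs after AD replication runs (the author only saw it after a
#    reboot). Force a push to every DC and then check for replication or DNS errors.
foreach ($dc in $dcs) {
    # /A = all partitions, /e = across sites, /P = push from this DC
    repadmin /syncall $dc.HostName /AeP | Out-Null
}
repadmin /showrepl * /errorsonly   # no output means no replication errors anywhere
dcdiag /test:DNS /v                # checks forwarders, delegations, dynamic update, record registration
```

Step 3 is also the answer to "how do I verify that replication is working": `repadmin /showrepl * /errorsonly` stays silent when every DC's inbound replication is healthy, and `dcdiag /test:DNS` walks each DC's DNS configuration and registration. Run step 1 again afterwards; every DC should now report both domain zones with ReplicationScope Forest.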


Author Comment

ID: 22796024
Thanks. I'll try that out. How do I change the search suffix?

Expert Comment

ID: 22796505
Right-click on My Network Places, choose Properties, right-click the network connection, choose Properties. Double-click TCP/IP, click Advanced, then the DNS tab. Select "Append these DNS suffixes (in order)", then add them in.

You can also put them in via group policy.
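The same suffix-list change from PowerShell, as an added example that is not part of the thread. It assumes the DnsClient module (Windows 8 / Server 2012 and later; on the 2008-era machines in the thread the setting is only in the TCP/IP dialog described above or in the "DNS Suffix Search List" group policy) and a made-up server name server1 for the check.

```powershell
# Added example, not from the thread. Assumes the DnsClient module (Windows 8+ /
# Server 2012+) and local administrator rights on the client being changed.

# Current state. An empty SuffixSearchList means the resolver appends only the
# machine's own primary DNS suffix (for a domain2 member, domain2.local), so a
# bare "server1" typed on a domain1 machine is never tried as server1.domain2.local.
Get-DnsClientGlobalSetting | Select-Object SuffixSearchList, UseSuffixSearchList

# Set both suffixes in the order they should be tried. Order matters: the first
# suffix that produces an answer wins and every miss costs an extra DNS round trip,
# so put the domain whose servers are used most often first.
Set-DnsClientGlobalSetting -SuffixSearchList @('domain1.local', 'domain2.local')

# Verify with a short name: the resolver walks the search list and the Name column
# shows the FQDN that actually answered. 'server1' is a constructed placeholder.
Resolve-DnsName -Name server1 -Type A | Select-Object Name, IPAddress

# Scope of this fix: the suffix list is only consulted for single-label names.
# If users type the FQDN or an IP address, it has no effect and the logon failure
# must be explained elsewhere (the author confirms later that they use the FQDN or IP).
```

Setting the list per machine is fine for a test; for the whole estate the group-policy route the expert mentions (Computer Configuration, Administrative Templates, Network, DNS Client, "DNS Suffix Search List") writes the same SearchList value and keeps it from drifting.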

Author Comment

ID: 22797014
I just changed the DNS zone properties to include the whole forest. How long does it take before those other zones show up?

The unfortunate part of this is that the only way to test this is to take one of the DCs down.

I'm not sure if it's related, but incidentally when dc1.domain2.local is down I can't even log into dc2.domain2.local at the console. As soon as I bring dc1.domain2.local back up I can log in.

That to me may be a different issue, but it is all related to the fact that the previous person who set up this second DC did not set up replication correctly. Any thoughts?

Author Comment

ID: 22798747
3.5 hours later and still no other zones showing up in DNS. :-(

Author Comment

ID: 22802977
Does the suffix solution only fix things if they type in just the computer name? I'm pretty sure they're typing in the FQDN or the IP.

By the way, not until I rebooted the DCs in domain2 did they show replicated DNS info. I've now asked the other admin to reboot the DC in domain1. Once that is done I can give it a test, but the fact that dc2 in domain2 can't even be logged into while dc1 is down seems suspect.

Accepted Solution

GCIT_Manager earned 0 total points
ID: 22825629
So the data showed up once I rebooted all the DCs in the forest in question, but still no luck.

What ended up being the fix is that DC2.domain2.local had to have itself listed as a DNS server in its NIC TCP/IP settings. It only had DC1.domain2.local's IP, which means it was doing all DNS lookups against a DNS server that was down.

I'm surprised this wasn't in there by default, but then again I can understand why it wasn't there. Partial credit goes to Sinder.
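The root cause in the accepted solution is a single point of failure in DNS client configuration, not in DNS replication: DC2 resolved everything through DC1, so when DC1 went down DC2 could no longer look up the SRV records for its own domain or for domain1, which breaks Kerberos ticket requests, NTLM pass-through to the trusted domain, and even console logon. The audit below, an added example that is not part of the thread, checks every DC in the forest for that pattern. It assumes the ActiveDirectory and DnsClient modules (Server 2012 and later), WinRM access to each DC, and the constructed addresses shown in the remediation comment.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module, the
# DnsClient module on every DC (Server 2012+), and WinRM (Invoke-Command) to each DC.
Import-Module ActiveDirectory

# Every DC in the forest, with the set of DC IPs used to classify configured servers.
$dcs   = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
$dcIPs = @($dcs.IPv4Address)

$report = foreach ($dc in $dcs) {
    # DNS servers configured on the DC's own NICs (IPv4 only, skip loopback pseudo-interfaces)
    $configured = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 -and $_.InterfaceAlias -notmatch 'Loopback' }
        ).ServerAddresses
    }
    $configured = @($configured | Select-Object -Unique)

    # A DC should be able to resolve its own domain without any other server:
    # either it lists itself (own IP or 127.0.0.1) or it lists at least two other DCs.
    $self         = @($dc.IPv4Address, '127.0.0.1')
    $pointsToSelf = [bool]($configured | Where-Object { $self -contains $_ })
    $otherDCs     = @($configured | Where-Object { $self -notcontains $_ -and $dcIPs -contains $_ })
    $nonDC        = @($configured | Where-Object { $self -notcontains $_ -and $dcIPs -notcontains $_ })

    [pscustomobject]@{
        DC           = $dc.HostName
        Domain       = $dc.Domain
        DnsServers   = ($configured -join ', ')
        PointsToSelf = $pointsToSelf
        OtherDCs     = $otherDCs.Count
        NonDcServers = ($nonDC -join ', ')          # e.g. an ISP resolver: wrong for a DC
        Resilient    = $pointsToSelf -or ($otherDCs.Count -ge 2)
    }
}
$report | Format-Table -AutoSize
# The DC2.domain2 case from the thread shows as DnsServers = <DC1 IP only>,
# PointsToSelf = False, OtherDCs = 1, Resilient = False.

# Remediation for a flagged DC. Microsoft's guidance for a multi-DC domain is to
# list a replication partner first and the DC itself (loopback) second, so the DC
# neither depends on one partner nor resolves only against itself during startup.
# Values below are constructed placeholders: adjust the interface alias and IPs.
# Set-DnsClientServerAddress -CimSession 'dc2.domain2.local' -InterfaceAlias 'Ethernet' `
#     -ServerAddresses @('192.0.2.10', '127.0.0.1')   # 192.0.2.10 = DC1.domain2 (placeholder), then self

# After the change, prove the DC can locate a domain controller for the trusted
# domain on its own before taking the partner down for a real test:
# nltest /dsgetdc:domain1.local /force
```

Running the audit regularly (or as part of DC build checks) catches the mistake before an outage does; the thread shows how expensive it is to discover it only when the primary DNS server is already down and the only test available is to take a production DC offline.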
