Cannot log onto server in trusted domain when one of the two domain controllers in that trusted domain is down.

Posted on 2008-10-23
Last Modified: 2012-05-05
We have a forest with a two-way trust between domain1 and domain2. Here are the FSMO roles:

Schema master               dc1.domain1.local
Domain naming master        dc1.domain1.local
PDC                         dc1.domain2.local
RID pool manager            dc1.domain2.local
Infrastructure master       dc1.domain2.local

There is one DC in domain1 (dc1.domain1.local). There are two DCs in domain2 (dc1.domain2.local and dc2.domain2.local).

When we take down dc1.domain2.local and users in domain1 try to log into servers in domain2 using their domain1 user accounts, the login attempts fail. Unfortunately none of the users took a screenshot, so I don't know what the exact error is. They can ping and remote to it (they see the login prompt), but logging in fails. I can't test it without taking down dc1.domain2.local, but that will kill the services they're providing. Additionally their SQL connections, which use NTLM authentication, now fail.

Both DC1 and DC2 in domain2 host DNS as well, and there's no WINS running, if that helps.
Question by: GCIT_Manager

Expert Comment

ID: 22786104
I would start by checking your event logs for errors on all your domain controllers. There may be some replication issues. Also, if your DNS is not replicating properly then this can also cause these issues.

Check that the trust settings are in place correctly as well.

Hope this helps.

Expert Comment

ID: 22786106

Those FSMO roles will exist in both domains, as I'm assuming this is a trust between two forests.

How is the DNS configured? Do the DCs in domain1 hold a secondary zone for domain2 and vice versa, and do both DCs in domain2 hold this secondary zone or just one of them? What kind of trust have you created; is it a two-way entire-domain trust?


Author Comment

ID: 22786273
There is one forest with two domains in it. Domain1 and Domain2. The trust is two way.


How do I verify DNS is replicating properly? What settings to check?

What specifically about DNS are you asking the configuration of?

In DNS on domain2 it is:

Forward Lookup Zones:
a. _msdcs.domain1.local
b. domain2.local

(same settings on both dc1 and dc2 in domain2)

Sorry to be lame, but can you direct me to where I find out your answers more specifically?

Author Comment

ID: 22786328
Incidentally, dc1.domain1.local has all of domain1's FSMO roles on it (there is only one DC in that domain).

Expert Comment

ID: 22786958
As long as your DC1.DOMAIN2 and DC2.DOMAIN2 both have DNS replicated to each other, you should not have any DNS name resolution issue. But you must verify that the DNS zones on DC1.DOMAIN1 contain the zones of either DC1.DOMAIN2 or DC1.DOMAIN3, to be able to resolve names in the event DC1 or DC2 in DOMAIN2 is down.
Assuming this is not a problem, what about a firewall between these domains? If there's a firewall rule, maybe it's only open for DC1.DOMAIN2 but not DC2.DOMAIN2?

Author Comment

ID: 22787009
How do I verify that the replication of DNS is working and that they contain the zones?

When I check the DNS on it, it shows these forward zones:


Assisted Solution

Sinder255248 earned 250 total points
ID: 22794671
I think you're probably going to have to change the scope of DNS. When you right-click on the zone in DNS and check Properties, it probably says "AD Integrated, any DNS server in the domain" (the default). You need to change this to "any DNS server in the forest". If you do this on all zones (except _msdcs) you'll see that they replicate to all DNS servers in the forest, and you shouldn't have any issues logging on. Let me know how it goes; by the end your DNS should look like:


          >  _msdcs.domain1.local (AD Integrated any DC in the forest)
          >  domain1.local   (AD Integrated any DC in the forest)
          >  domain2.local   (AD Integrated any DC in the forest)

DC2.Domain2.local and DC3.Domain2.local:

          >  _msdcs.domain2.local (AD Integrated any DC in the forest)
          >  domain1.local   (AD Integrated any DC in the forest)
          >  domain2.local   (AD Integrated any DC in the forest)

I wouldn't change the topology on _msdcs; I'd leave that on its own domain. You may also have to update the search suffix on your machines to include both Domain2.local and Domain1.local, so when computers search on Server1 it will append both domain suffixes to the search and bring back the result.
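The zone-scope change Sinder describes (and the "how do I verify replication" question above it) can be checked and applied from PowerShell. The script below is an added example, not code from the thread; it assumes the DnsServer module (RSAT or Windows Server 2012 and later, so newer than the 2008-era servers in this thread), a DNS-admin account on each server, and the three DC names from the question.

```powershell
# Added example: report the replication scope of every AD-integrated zone on each
# DNS server, then widen domain-scoped forward zones to the whole forest.
# Assumes the DnsServer module and that the account is a DNS admin on each host.
Import-Module DnsServer

# Host names are the ones used in the thread; adjust for your forest.
$dnsServers = 'dc1.domain1.local', 'dc1.domain2.local', 'dc2.domain2.local'

function Get-ZoneScopeReport {
    param([string[]]$Servers)
    foreach ($s in $Servers) {
        try {
            Get-DnsServerZone -ComputerName $s -ErrorAction Stop |
                Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone } |
                ForEach-Object {
                    [pscustomobject]@{
                        Server           = $s
                        Zone             = $_.ZoneName
                        ReplicationScope = $_.ReplicationScope   # Domain, Forest, Legacy or Custom
                    }
                }
        } catch {
            Write-Warning "Cannot query DNS on ${s}: $($_.Exception.Message)"
        }
    }
}

$report = Get-ZoneScopeReport -Servers $dnsServers
$report | Sort-Object Zone, Server | Format-Table -AutoSize

# A zone scoped to 'Domain' is only stored on DCs of that one domain, so a DC in the
# other domain cannot answer for it while its own partner DC is down.
# _msdcs is left on its own domain, as Sinder recommends.
$domainScoped = $report | Where-Object { $_.ReplicationScope -eq 'Domain' -and $_.Zone -notlike '_msdcs.*' }

foreach ($z in $domainScoped) {
    # Remove -WhatIf once the report looks right; the change replicates through AD.
    Set-DnsServerPrimaryZone -ComputerName $z.Server -Name $z.Zone -ReplicationScope Forest -WhatIf
}
```

After the scope change, the zone has to replicate through AD before it appears on the other DCs; `repadmin /replsummary` and `dcdiag /test:dns` on each DC are the standard built-in checks for replication and DNS health, and a zone that still has not appeared after a replication cycle points at an AD replication problem rather than a DNS one.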


Author Comment

ID: 22796024
Thanks. I'll try that out. How do I change the search suffix?

Expert Comment

ID: 22796505
Right-click on My Network Places, then Properties; right-click the network connection, then Properties. Double-click TCP/IP, click Advanced, then the DNS tab. Click "Append these DNS suffixes (in order)", then add them in.

You can also put them in via Group Policy.
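The same suffix-list setting can be made and verified from PowerShell on a member machine. This is an added example, not code from the thread; it assumes the DnsClient module (Windows 8 / Server 2012 or later), local administrator rights, and uses `server1` from Sinder's comment as a placeholder host name.

```powershell
# Added example: set the DNS suffix search list so short names are tried against both
# domain suffixes, then confirm that a short name actually resolves through each suffix.
# Assumes the DnsClient module and local admin rights; 'server1' is a placeholder.
$suffixes = 'domain2.local', 'domain1.local'   # own domain first, then the trusted domain

function Set-ForestSuffixSearchList {
    param([string[]]$SuffixList)
    $current = @((Get-DnsClientGlobalSetting).SuffixSearchList)
    if (($current -join ',') -eq ($SuffixList -join ',')) {
        Write-Host "Suffix search list already set: $($SuffixList -join ', ')"
        return
    }
    Set-DnsClientGlobalSetting -SuffixSearchList $SuffixList
    $now = (Get-DnsClientGlobalSetting).SuffixSearchList -join ', '
    Write-Host "Suffix search list updated: $now"
}

function Test-ShortNameResolution {
    param([string]$ShortName, [string[]]$SuffixList)
    # Query each candidate FQDN explicitly so the report shows which suffix answers.
    foreach ($suffix in $SuffixList) {
        $fqdn = "$ShortName.$suffix"
        try {
            $answer = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
            $addresses = ($answer | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', '
            [pscustomobject]@{ Name = $fqdn; Resolved = $true;  Address = $addresses }
        } catch {
            [pscustomobject]@{ Name = $fqdn; Resolved = $false; Address = $null }
        }
    }
}

Set-ForestSuffixSearchList -SuffixList $suffixes
Test-ShortNameResolution -ShortName 'server1' -SuffixList $suffixes | Format-Table -AutoSize
```

For many machines the equivalent Group Policy setting is Computer Configuration > Administrative Templates > Network > DNS Client > "DNS Suffix Search List". Note, as the author asks later in the thread, that the suffix list only matters when users type a bare host name; connections by FQDN or IP address bypass it entirely.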

Author Comment

ID: 22797014
I just changed the DNS zone properties to include the whole forest. How long does it take before those others show up?

The unfortunate part of this is that the only way to test this is to take one of the DC's down.

I'm not sure if it's related, but incidentally when dc1.domain2.local is down I can't even log into dc2.domain2.local at the console. As soon as I bring dc1.domain2.local back up I can log in.

That to me may be a different issue but is all related to the fact that the previous person who set up this second DC did not set up replication correctly. Any thoughts?

Author Comment

ID: 22798747
3.5 hours later and still no other zones showing up in DNS. :-(

Author Comment

ID: 22802977
Does the suffix solution only fix things if they type in just the computer name? I'm pretty sure they're typing in the FQDN or the IP.

By the way, not until I rebooted the DCs in domain2 did they show replicated DNS info. I've now asked the other admin to reboot the DC in domain1. Once that is done I can give it a test, but the fact that dc2 in domain2 can't even be logged into while dc1 is down seems suspect.

Accepted Solution

GCIT_Manager earned 0 total points
ID: 22825629
So the data showed up once I rebooted all the DCs in the forest in question, but still no luck.

What ended up being the fix is that DC2.domain2.local had to have itself listed as a DNS server in its NIC TCP/IP settings. It only had DC1.domain2.local's IP, which means it was doing all DNS lookups against a DNS server that is down.

I'm surprised this wasn't in there by default, but then again I can understand why it wasn't there. Partial credit goes to Sinder.
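The root cause the author found (a DC whose NIC pointed only at its partner for DNS) is easy to audit across all DCs in a domain. The script below is an added example, not code from the thread; it assumes the ActiveDirectory and DnsClient modules, PowerShell remoting to each DC, and uses the thread's host names with placeholder addresses from the 192.0.2.0/24 documentation range.

```powershell
# Added example: audit the DNS client (resolver) settings of every DC in domain2 and flag
# a DC that does not list itself (or loopback) as a DNS server, which is the failure mode
# the thread ended with: when the only listed server is down, every lookup fails, including
# the ones the DC needs to locate itself and its trust partners.
# Assumes the ActiveDirectory and DnsClient modules and PowerShell remoting to the DCs.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * -Server 'domain2.local'   # dc1 and dc2 in the thread

function Get-DcResolverReport {
    param($DomainControllers)
    $allDcIps = @($DomainControllers | ForEach-Object { $_.IPv4Address })
    foreach ($dc in $DomainControllers) {
        # Collect every IPv4 DNS server configured on any interface of the DC.
        $servers = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses } |
                Select-Object -ExpandProperty ServerAddresses
        })
        $listsSelf    = ($servers -contains $dc.IPv4Address) -or ($servers -contains '127.0.0.1')
        $listsPartner = [bool]($servers | Where-Object { ($_ -in $allDcIps) -and ($_ -ne $dc.IPv4Address) })
        $finding = if (-not $listsSelf)        { 'Add own address (or 127.0.0.1) as a DNS server' }
                   elseif (-not $listsPartner) { 'Add the partner DC as a DNS server' }
                   else                        { 'OK' }
        [pscustomobject]@{
            DC           = $dc.HostName
            DnsServers   = $servers -join ', '
            ListsSelf    = $listsSelf
            ListsPartner = $listsPartner
            Finding      = $finding
        }
    }
}

Get-DcResolverReport -DomainControllers $dcs | Format-Table -AutoSize

# Fix for the thread's case on dc2.domain2.local: list the partner DC first and itself second,
# so the local DNS service is a fallback rather than absent. Interface alias and addresses
# are placeholders; replace them with the real ones.
Invoke-Command -ComputerName 'dc2.domain2.local' -ScriptBlock {
    Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.0.2.11', '192.0.2.12'
}
```

Ordering the partner first avoids the "island" problem where a DC that only queries itself can stop replicating after a restart, while still listing itself guarantees a working resolver when the partner is offline; running `dcdiag /test:dns` on each DC afterwards confirms the resolver and zone configuration together.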
