
Diagnosing why a domain controller is not handling any authentication requests.

Simon336697
Hi guys,
We have an AD 2003 Domain.
We have added the correct site and subnets to AD sites and services and the right DC is in the correct AD Site.
What we are finding is that this domain controller is not authenticating any clients in the applicable subnet ranges that it should be. There are no attempts by the clients to contact this domain controller; they are being authenticated by other domain controllers, and we don't know why.
We know that this domain controller is handling replication activities correctly, such as user account creation etc., so we don't know why it is not authenticating clients.

We have run a dcdiag against this domain controller and all seems fine.

Any other help greatly appreciated.
Commented:
Make the second DC a GC (global catalogue) in Sites and Services.
Commented:
Ping the internal domain name to make sure it resolves to the correct IP address of the domain controller.
Restart the Netlogon service, and in the <Domain> DNS zone _MSDCS, check that the following record is there for the local DC:
_ldap._tcp.<SITE NAME>.dc._msdcs.<DOMAIN NAME>.domain.com

You have to look for the records for the particular DC under the _MSDCS zone of the forest:
LDAP
GC
DC
Kerberos
OK, if this is the new DC and it has already registered its SRV records in the DNS server (to test, check the RReg test results of the command dcdiag /test:dns),
the clients may still be using the old DC. For that you need to do ipconfig /flushdns on the clients, so that they query DNS for a DC in their site and DNS gives this server's records to the client for authentication.

Here is how the logon process starts:
The DNS service on the workstation sends a DNS query to the DNS server specified in the TCP/IP settings,
and the DNS server gives results according to the site location requested by the client.
If the client does not specify any site, DNS gives all DCs and the client connects to a random DC.

However, if the DC is in a different site, this DC will give the FQDN of the DC the client should be connecting to.

Now, the other case may be if SRV record priority and weight are specified in DNS.

Clients connect to SRV records with the "lowest priority and highest weight", that is (0)(100) by default.

If there is a DC with a priority of 5 and a weight of 100, and the other DC has 0 and 100,

the client will choose the latter DC, as this has the lower priority.

Check whether the DCs in the other site have had their SRV records modified.

Commented:
Check the Netlogon log from the debug folder, and type set into the cmd window and see what comes up.
Using the set command you can see which server is authenticating.

Commented:
Check the article below; it's applicable to Windows 2003.

http://support.microsoft.com/?kbid=247811

Author

Commented:
Guys thanks so much for all your assistance.

Commented:
What was the problem in the end?

Author

Commented:
The SRV record for the DC was not in DNS.
As we don't use a Microsoft DNS server but a system called QIP, we had to grant the DC permission to write its SRV records to this DNS zone.
Then I restarted the Netlogon service, and then did an nslookup, set q=srv, followed by:
_ldap._tcp.dc._msdcs.<domain>
and the domain controller showed an entry now.
Once again, I thank all of you.
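The two mechanisms this thread turns on, a DC being absent from the _msdcs locator records (the author's actual root cause) and clients preferring the SRV record with the lowest priority and highest weight (the explanation above), as an added example that is not code from the thread. The SRV data is constructed to stand in for the answer to "nslookup, set q=srv, _ldap._tcp.dc._msdcs.<domain>"; host, site and domain names are placeholders.

```python
# Added example, not code from the thread. Constructed SRV data stands in for
# the answer to "nslookup, set q=srv, _ldap._tcp.dc._msdcs.<domain>"; all host,
# site and domain names are placeholders.
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name, e.g. "_ldap._tcp.dc._msdcs.example.test"
    priority: int  # lower is preferred; a DC registers 0 by default
    weight: int    # higher gets more traffic within one priority; 100 by default
    port: int
    target: str    # DC host name the client will contact

DOMAIN = "example.test"
SITE = "sydney"
# Constructed zone: dc1 is fully registered, dc2 has a lowered-priority LDAP
# record, and dc3 (the QIP case from the thread) was never allowed to write.
SAMPLE_SRV = [
    SrvRecord(f"_ldap._tcp.dc._msdcs.{DOMAIN}", 0, 100, 389, f"dc1.{DOMAIN}"),
    SrvRecord(f"_ldap._tcp.dc._msdcs.{DOMAIN}", 5, 100, 389, f"dc2.{DOMAIN}"),
    SrvRecord(f"_ldap._tcp.{SITE}._sites.dc._msdcs.{DOMAIN}", 0, 100, 389, f"dc1.{DOMAIN}"),
    SrvRecord(f"_kerberos._tcp.dc._msdcs.{DOMAIN}", 0, 100, 88, f"dc1.{DOMAIN}"),
]

def expected_locator_names(site, domain):
    """Locator names a DC in `site` should appear under (forest-wide and site-specific)."""
    return [
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
    ]

def missing_dc_records(dc_fqdn, site, domain, zone=SAMPLE_SRV):
    """Names under which dc_fqdn is NOT registered. A DC missing from these is
    never handed to clients, which is exactly the symptom in the question."""
    return [n for n in expected_locator_names(site, domain)
            if not any(r.name == n and r.target == dc_fqdn for r in zone)]

def client_order(name, zone=SAMPLE_SRV):
    """Targets in the order a client prefers them: lowest priority first, then
    highest weight. (Real clients randomise proportionally by weight among
    records that share a priority; this deterministic sort shows the rule.)"""
    recs = [r for r in zone if r.name == name]
    return [r.target for r in sorted(recs, key=lambda r: (r.priority, -r.weight))]

if __name__ == "__main__":
    for dc in (f"dc1.{DOMAIN}", f"dc3.{DOMAIN}"):
        print(dc, "missing:", missing_dc_records(dc, SITE, DOMAIN) or "none")
    print("client preference:", client_order(f"_ldap._tcp.dc._msdcs.{DOMAIN}"))
```

To use it against a live zone, replace SAMPLE_SRV with the records returned by nslookup (set q=srv) for each locator name and look for the DC that comes back with a non-empty missing list.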