Solved

Our remote DC is not being used to authenticate local users when WAN is down?

Posted on 2010-09-10
14
791 Views
Last Modified: 2012-05-10
We have Domain Controllers at our remote sites. Whenever our WAN link goes down, remote employees are unable to authenticate with their local domain controller to login/gain access to anything. It is as though they always use our PDC that is located in a different location. When the WAN link goes down - the authentication and access should still all go through the Remote DC, but it is not - and the remote employees are unable to access the local DC or login to their machines.

The WAN link is currently down and I was wondering if anyone had any recommendations on how to troubleshoot this issue? This is the perfect time to troubleshoot this issue. I am able to call the remote employees and have them try some things to get to the bottom of this.

We are on Server 2003 R2 and Domain Functional Level of 2003.

Any ideas would be greatly appreciated!
0
Question by:RavenInd
14 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33649464
Are your remote DCs also GCs? Do you have the subnets defined properly for the sites?

thanks

Mike
0
 

Author Comment

by:RavenInd
ID: 33649489
They are GCs - I believe our subnets are also configured correctly. What is the best way to verify if they are configured correctly?
0
 
LVL 3

Expert Comment

by:PlugThatInWhere
ID: 33649502
In AD Sites and Services tool, do you have the remote office defined as a Site?  You will also need to define the IP subnet that services this site / office.  

If not then I will provide the steps to do this.
0

 
LVL 3

Expert Comment

by:PlugThatInWhere
ID: 33649512
Check the Event Logs of the site DC and make sure you do not have any replication issues that are preventing the DC from servicing users.
0
 

Author Comment

by:RavenInd
ID: 33649520
I just checked - and yes, we have a Site defined "Sulphur Springs" and we also have the correct subnets configured. Are there any steps that I can have a remote employee run from his/her computer to try and troubleshoot connectivity?
0
 

Author Comment

by:RavenInd
ID: 33649534
PlugThatInWhere - do I check the "Directory Service" log on the PDC? What events should I look for? Thanks!
0
 
LVL 6

Assisted Solution

by:Gunter17
Gunter17 earned 250 total points
ID: 33649645
Are the clients at the remote site pointed at their local domain controller (Primary DNS)?
0
 

Author Comment

by:RavenInd
ID: 33649685
How can I verify which DC they are pointing to? Isn't there a command to check what their main DC is?
0
 

Author Comment

by:RavenInd
ID: 33650022
I just contacted a remote employee and had him run a few commands.

He ran: echo %logonserver% and it returned the correct remote DC
He ran: ipconfig /all and it returned the correct DNS and DHCP settings for the remote DC server

It appears that when they shut down/restart after the WAN is down - it takes a very long time (sometimes over 7 minutes) to get logged into their local desktop.
0
 
LVL 3

Expert Comment

by:PlugThatInWhere
ID: 33650080
At the SS site you will need the PCs to be using the DNS running on their local DC, this is required.  You can put two DNS servers in the PCs and the first should be the SS DC and the second can be your local DNS/DC.

To tell which server Authenticated them you would have them go to DOS and type:
SET L
This will provide a list of items that start with the letter L and one of them will be LogonServer (which is the DC that authenticated them and where they will run their Logon scripts from).

Make sure they can ping the SS DC by its short name as well.

As for which event, look in all of the folders for recurring errors and errors that happen shortly after reboot.  (Netlogon, FRS, NetBT, etc).
0
 
LVL 3

Assisted Solution

by:PlugThatInWhere
PlugThatInWhere earned 250 total points
ID: 33650096
Make sure your Logon scripts do not refer to the DC name in AD Users and Computers.  It should just be the script name (nothing before it) and it should be on the root of the Netlogon share of any DC (it will replicate from there to the others).
0
 

Author Comment

by:RavenInd
ID: 33650167
The logon script is titled logon.bat. Our domain is "raven". The full path is raven.ravenind.net. When I was troubleshooting with this remote employee - he was unable to get to his network domain DFS directories by going to \\raven\path. He could only get to them by going to \\remotefileserver\path. It seems as though DFS is also not working when the WAN is down.
0
 
LVL 3

Expert Comment

by:PlugThatInWhere
ID: 33650494
How do the event logs look on the remote server? Look at the File Replication items.  Does the Netlogon share seem Up To Date?  If you create a TXT file does it show up in your other DC in a few minutes?

As for the DFS, look at the . records in DNS (no name specified).  You should have your remote site DC IP listed with the others.
0
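The client-side checks suggested in this thread (logon server via SET L, DNS pointing at the site DC, ping by short name, the domain's blank "." A records) can be run as one script from a PC at the remote site. This is an added example, not something posted in the thread; it assumes PowerShell 3.0 or later with the DnsClient module (Windows 8 / Server 2012 or newer), and the DC name, IP and site name in the param block are placeholders to replace with your own. It also queries the site-specific locator SRV record and the client's own site via nltest, which the thread does not mention, since a wrong answer there explains why clients walk across the WAN to another DC.

```powershell
# Added example (not from the thread): which DC is this client really using?
# Assumes PowerShell 3.0+ with the DnsClient module. All three values below are placeholders.
param(
    [string]$SiteDc   = 'SS-DC01',          # placeholder: short name of the remote site's DC
    [string]$SiteDcIp = '10.20.0.10',       # placeholder: its IP address
    [string]$SiteName = 'Sulphur-Springs'   # placeholder: AD site name from Sites and Services
)

$domain  = $env:USERDNSDOMAIN
$results = [ordered]@{}

# 1. Which DC authenticated this logon? Same information as SET L / echo %logonserver%.
$logon = $env:LOGONSERVER.TrimStart('\')
$results['LogonServer is site DC'] = ($logon -ieq $SiteDc)

# 2. Is the site DC the FIRST DNS server on every adapter that has DNS configured?
#    A wrong primary DNS handed out by DHCP (the root cause in this thread) fails here.
$primaryDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { $_.ServerAddresses[0] }
$results['Primary DNS is site DC'] = @($primaryDns | Where-Object { $_ -ne $SiteDcIp }).Count -eq 0

# 3. Can the site DC be reached by its short name (DNS suffix search / NetBIOS)?
$results['Ping site DC by short name'] = Test-Connection -ComputerName $SiteDc -Count 1 -Quiet

# 4. Do the domain's blank (".") A records, queried against the site DC itself,
#    include the site DC? DFS domain-root paths like \\domain\share depend on these.
$domainA = Resolve-DnsName -Name $domain -Type A -Server $SiteDcIp -ErrorAction SilentlyContinue
$results['Domain A records list site DC'] = ($domainA.IPAddress -contains $SiteDcIp)

# 5. Does the site-specific locator record send clients in this site to the local DC?
$srvName = "_ldap._tcp.$SiteName._sites.dc._msdcs.$domain"
$srv = Resolve-DnsName -Name $srvName -Type SRV -Server $SiteDcIp -ErrorAction SilentlyContinue
$results['Site SRV record lists site DC'] =
    @($srv | Where-Object { $_.NameTarget -like "$SiteDc.*" }).Count -gt 0

# 6. Which site does the client itself believe it is in? (nltest ships with Windows.)
$siteOut = nltest /dsgetsite 2>$null
$results['Client site matches'] = (($siteOut -join ' ') -match [regex]::Escape($SiteName))

# Print a one-line verdict per check; anything marked CHECK is a place to dig.
$results.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

Run it while the WAN is up and save the output, then again when the link is down: a check that flips from OK to CHECK points at the dependency that is still crossing the WAN. Check 2 is the one that would have caught the misconfigured DHCP scope option found at the end of this thread.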
 

Accepted Solution

by:RavenInd
RavenInd earned 0 total points
ID: 33761339
I finally resolved this by discovering that our Primary DNS server for our remote site was set wrong on the DHCP/DNS server. Once I changed that to point to the correct path - everything started working just fine.
0
