Our remote DC is not being used to authenticate local users when WAN is down?

Posted on 2010-09-10
Last Modified: 2012-05-10
We have Domain Controllers at our remote sites. Whenever our WAN link goes down, remote employees are unable to authenticate with their local domain controller to login/gain access to anything. It is as though they always use our PDC that is located in a different location. When the WAN link goes down, the authentication and access should still all go through the Remote DC, but it is not, and the remote employees are unable to access the local DC or login to their machines.

The WAN link is currently down and I was wondering if anyone had any recommendations on how to troubleshoot this issue? This is the perfect time to troubleshoot this issue. I am able to call the remote employees and have them try some things to get to the bottom of this.

We are on Server 2003 R2 and Domain Functional Level of 2003.

Any ideas would be greatly appreciated!
Question by:RavenInd

Expert Comment

by:Mike Kline
ID: 33649464
Are your remote DCs also GCs? Do you have the subnets defined properly for the sites?

thanks

Mike

Author Comment

by:RavenInd
ID: 33649489
They are GCs. I believe our subnets are also configured correctly. What is the best way to verify if they are configured correctly?

Expert Comment

by:PlugThatInWhere
ID: 33649502
In AD Sites and Services tool, do you have the remote office defined as a Site? You will also need to define the IP subnet that services this site / office.

If not then I will provide the steps to do this.

Expert Comment

by:PlugThatInWhere
ID: 33649512
Check the Event Logs of the site DC and make sure you do not have any replication issues that are preventing the DC from servicing users.

Author Comment

by:RavenInd
ID: 33649520
I just checked, and yes, we have a Site defined "Sulphur Springs" and we also have the correct subnets configured. Are there any steps that I can have a remote employee run from his/her computer to try and troubleshoot connectivity?

Author Comment

by:RavenInd
ID: 33649534
PlugThatInWhere - do I check the "Directory Service" log on the PDC? What events should I look for? Thanks!

Assisted Solution

by:Gunter17
Gunter17 earned 250 total points
ID: 33649645
Are the clients at the remote site pointed at their local domain controller (Primary DNS)?

Author Comment

by:RavenInd
ID: 33649685
How can I verify which DC they are pointing to? Isn't there a command to check what their main DC is?

Author Comment

by:RavenInd
ID: 33650022
I just contacted a remote employee and had him run a few commands.

He ran: echo %logonserver% and it returned the correct remote DC.
He ran: ipconfig /all and it returned the correct DNS and DHCP settings for the remote DC server.

It appears that when they shutdown/restart after the WAN is down, it takes a very long time (sometimes over 7 minutes) to get logged into their local desktop.

Expert Comment

by:PlugThatInWhere
ID: 33650080
At the SS site you will need the PCs to be using the DNS running on their local DC; this is required. You can put two DNS servers in the PCs and the first should be the SS DC and the second can be your local DNS/DC.

To tell which server authenticated them you would have them go to DOS and type:
SET L
This will provide a list of items that start with the letter L and one of them will be LogonServer (which is the DC that authenticated them and where they will run their Logon scripts from).

Make sure they can ping the SS DC by its short name as well.

As for which event, look in all of the folders for recurring errors and errors that happen shortly after reboot (Netlogon, FRS, NetBT, etc).

Assisted Solution

by:PlugThatInWhere
PlugThatInWhere earned 250 total points
ID: 33650096
Make sure your Logon scripts do not refer to the DC name in AD Users and Computers. It should just be the script name (nothing before it) and it should be on the root of the Netlogon share of any DC (it will replicate from there to the others).

Author Comment

by:RavenInd
ID: 33650167
The logon script is titled logon.bat. Our domain is "raven". The full path is raven.ravenind.net. When i was troubleshooting with this remote employee - he was unable to get to his network domain DFS directories by going to \\raven\path. He could only get to them by going to \\remotefileserver\path. It seems as though DFS is also not working when the WAN is down.

Expert Comment

by:PlugThatInWhere
ID: 33650494
How do the event logs look on the remote server? Look at the File Replication items. Does the Netlogon share seem up to date? If you create a TXT file, does it show up in your other DC in a few minutes?

As for the DFS, look at the . records in DNS (no name specified). You should have your remote site DC IP listed with the others.

Accepted Solution

by:RavenInd
RavenInd earned 0 total points
ID: 33761339
I finally resolved this by discovering that our Primary DNS server for our remote site was set wrong on the DHCP/DNS server. Once I changed that to point to the correct path, everything started working just fine.
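The client-side checks the thread walks through (logon server, DNS server order, short-name ping) together with the DHCP-issued primary DNS that turned out to be the cause, as an added PowerShell script that is not from the thread or from any of its posters. It assumes PowerShell 2.0 or later, that nltest is present (Support Tools on XP/2003, built in from Vista/2008), and the local DC address is a placeholder to replace.

```powershell
# Added example, not from the thread: run on a remote-site client to confirm it
# is using its own site's DC for logon and DNS before the next WAN outage.
param(
    # Placeholder (not from the thread): IP of the DC in the client's own site.
    [string]$ExpectedDnsServer = "10.10.10.5"
)

# 1. Which DC authenticated this session? Same value as: echo %logonserver%
Write-Host "LOGONSERVER       : $env:LOGONSERVER"

# 2. Which site does Netlogon place this client in, and which DC does it choose?
#    nltest /dsgetsite prints the site name on its first line.
$site = nltest /dsgetsite 2>$null | Select-Object -First 1
Write-Host "AD site (nltest)  : $site"
nltest /dsgetdc:$env:USERDNSDOMAIN /force 2>$null | Select-String 'DC:|Dom Name|Site Name'

# 3. DNS server order per adapter, the same data ipconfig /all shows.
#    In the thread the primary DNS handed out by DHCP pointed at the other site,
#    so with the WAN down the client could not locate its local DC, logon took
#    minutes and \\domain\dfs paths failed while \\server\share still worked.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($a in $adapters) {
    $dns = @($a.DNSServerSearchOrder)
    Write-Host ("{0}: DNS order = {1}" -f $a.Description, ($dns -join ', '))
    if ($dns.Count -eq 0) {
        Write-Warning "No DNS servers configured on $($a.Description)"
    } elseif ($dns[0] -ne $ExpectedDnsServer) {
        Write-Warning "Primary DNS is $($dns[0]); expected local site DC $ExpectedDnsServer"
    }
}

# 4. Can the logon DC be reached by its short name (NetBIOS/DNS suffix search)?
$shortName = $env:LOGONSERVER -replace '^\\\\', ''
$reachable = Test-Connection -ComputerName $shortName -Count 1 -Quiet
Write-Host ("Ping {0} by short name: {1}" -f $shortName, $reachable)

# 5. Does DNS know a DC for this site? The site-specific SRV record is what the
#    DC locator queries first; if only the other site's DC answers, expect slow
#    logons once the WAN drops.
if ($site) {
    nslookup -type=SRV "_ldap._tcp.$site._sites.$env:USERDNSDOMAIN" 2>$null
}
```

Run it while the WAN is up to catch a wrong DHCP DNS option before it matters; any warning on step 3 is the configuration the accepted answer fixed.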