This computer was not able to set up a secure session with a domain controller in domain

Posted on 2011-02-14
Last Modified: 2012-06-27
We have three 2003 domain controllers. One of them had some issues and while it was unavailable the other two reported the following:

This computer was not able to set up a secure session with a domain controller in domain xyz due to the following:
There are currently no logon servers available to service the logon request.  
This may lead to authentication problems.

Some users reported problems with applications etc (anything that used AD). Were these errors meaning that the two remaining DCs were unable to function and thus the users were having trouble, or were they merely saying they tried to speak to the 1st DC and couldnt, but everything was OK after that (in which case the users having trouble were only the ones using DC1 at the time) ? In other words, did the other two DCs take over and carry on or was AD unavailable entirely?
Question by:GeorgeFromTheBank
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2

Expert Comment

ID: 34886910

at present it would be difficult to say what went wrong and where? but if you can provide me with some information about how you have setup you windows infrastructure I might be able to preciously explain what went wrong.

1. All the 3 DCs are in the same site ?
2. All the 3 DCs are GC
3. The one with the problem was it a DNS server and had all 5 roles on it
4. If you answer no then which one these servers had which role and DNS services running on it.
5. Do you have Child Domain Topology or Hub/Spoke Topology without Child DCs, just additional DCs

Author Comment

ID: 34886934
Hi, thanks for your reply.

1) Yes all in the same site
2) All are GCs
3) No, DC1 has child domain FSMO roles (3), the other two (that were online) are DNS primary and secondary.
5) We have a top level domain with two child domains, the problem was with a child domain. The top level domain was online and accessible.
LVL 11

Expert Comment

ID: 34887003
so if you have 3 domains, with 3 dcs, you have only one DC per domain.
if one of your your dcs fails, there's no secondary DC to serve clients.
each dc hold a partition for it's current domain, and the others cannot authenticate as they don't have a read/write copy of the current domain partition.
The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.


Expert Comment

ID: 34887033

If I got it right, you have 1 parent and two child in the same site and all are GC. The problem arrived when one of the child DC went down, while the parent and another child was online.  

Actually in windows XP and above , the system automatically can get logon server for authentication from any DC regardless of the site presence , it calculates this using a pre-defined method, this nature is by design.

Therefore, possibility is that the particular workstation had a logon server which was your problematic DC and when the user entered the credentials it couldn't get authentication then trying again it automatically selected another DC and got authentication successfully . I am pretty sure this is what had happened.

also you can check from CLI of any workstation which is the logon server by c:/>set l

Author Comment

ID: 34887048
Sorry let me clarify. We have a root domain and two child domains. I'm only talking about one child domain having trouble, so just imagine we just have one for now. That domain contains the three DCs I was talking about, one of which went offline this morning so the other two should have continued service, but we got those errors. Does that make sense?

I suspect that as you say the logon servers for those specific machines were using the DC that went offline and the other two were OK, but my worry is the other two DCs stopped authenticating too.

Author Comment

ID: 34888839
Looking at the event logs, both servers that remained online show successful authentications during the time DC1 was down, so I guess everything was fine and the error message was simply because the DCs couldnt contact their "PDC" role on DC1
LVL 11

Accepted Solution

Tasmant earned 125 total points
ID: 34889204
Yes you have a service continuity, but as DC1 was PDC, some operations couldn't be done any more (like operations with password). If clients are unable to find their logon server, they use DNS to discover another. So if your clients have at least 2 DNS configured in their network properties, at least one of the DNS answer, the client get the list of all available DCs for the current AD site (or all in the domain if it fails), then try to reach DCs one by one.
So for me all is fine.

Author Comment

ID: 34889229
Great, thanks. So for the clients that were having issues (WinXP) you think they were just the ones looking at DC1 that went offline and they just needed either a reboot or a bit of time to carry on?

Expert Comment

ID: 34892343
Yes that is correct .

Featured Post

Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question