Improve company productivity with a Business Account.Sign Up

x
?
Solved

This computer was not able to set up a secure session with a domain controller in domain

Posted on 2011-02-14
9
Medium Priority
?
1,299 Views
Last Modified: 2012-06-27
We have three 2003 domain controllers. One of them had some issues and while it was unavailable the other two reported the following:

This computer was not able to set up a secure session with a domain controller in domain xyz due to the following:
There are currently no logon servers available to service the logon request.  
This may lead to authentication problems.

Some users reported problems with applications etc (anything that used AD). Were these errors meaning that the two remaining DCs were unable to function and thus the users were having trouble, or were they merely saying they tried to speak to the 1st DC and couldnt, but everything was OK after that (in which case the users having trouble were only the ones using DC1 at the time) ? In other words, did the other two DCs take over and carry on or was AD unavailable entirely?
0
Comment
Question by:GeorgeFromTheBank
  • 4
  • 3
  • 2
9 Comments
 
LVL 1

Expert Comment

by:lomaree
ID: 34886910
Hi

at present it would be difficult to say what went wrong and where? but if you can provide me with some information about how you have setup you windows infrastructure I might be able to preciously explain what went wrong.

1. All the 3 DCs are in the same site ?
2. All the 3 DCs are GC
3. The one with the problem was it a DNS server and had all 5 roles on it
4. If you answer no then which one these servers had which role and DNS services running on it.
5. Do you have Child Domain Topology or Hub/Spoke Topology without Child DCs, just additional DCs
0
 

Author Comment

by:GeorgeFromTheBank
ID: 34886934
Hi, thanks for your reply.

1) Yes all in the same site
2) All are GCs
3) No, DC1 has child domain FSMO roles (3), the other two (that were online) are DNS primary and secondary.
5) We have a top level domain with two child domains, the problem was with a child domain. The top level domain was online and accessible.
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 34887003
so if you have 3 domains, with 3 dcs, you have only one DC per domain.
if one of your your dcs fails, there's no secondary DC to serve clients.
each dc hold a partition for it's current domain, and the others cannot authenticate as they don't have a read/write copy of the current domain partition.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 1

Expert Comment

by:lomaree
ID: 34887033
Hi

If I got it right, you have 1 parent and two child in the same site and all are GC. The problem arrived when one of the child DC went down, while the parent and another child was online.  

Actually in windows XP and above , the system automatically can get logon server for authentication from any DC regardless of the site presence , it calculates this using a pre-defined method, this nature is by design.

Therefore, possibility is that the particular workstation had a logon server which was your problematic DC and when the user entered the credentials it couldn't get authentication then trying again it automatically selected another DC and got authentication successfully . I am pretty sure this is what had happened.

also you can check from CLI of any workstation which is the logon server by c:/>set l
0
 

Author Comment

by:GeorgeFromTheBank
ID: 34887048
Sorry let me clarify. We have a root domain and two child domains. I'm only talking about one child domain having trouble, so just imagine we just have one for now. That domain contains the three DCs I was talking about, one of which went offline this morning so the other two should have continued service, but we got those errors. Does that make sense?

I suspect that as you say the logon servers for those specific machines were using the DC that went offline and the other two were OK, but my worry is the other two DCs stopped authenticating too.
0
 

Author Comment

by:GeorgeFromTheBank
ID: 34888839
Looking at the event logs, both servers that remained online show successful authentications during the time DC1 was down, so I guess everything was fine and the error message was simply because the DCs couldnt contact their "PDC" role on DC1
0
 
LVL 11

Accepted Solution

by:
Tasmant earned 500 total points
ID: 34889204
Yes you have a service continuity, but as DC1 was PDC, some operations couldn't be done any more (like operations with password). If clients are unable to find their logon server, they use DNS to discover another. So if your clients have at least 2 DNS configured in their network properties, at least one of the DNS answer, the client get the list of all available DCs for the current AD site (or all in the domain if it fails), then try to reach DCs one by one.
So for me all is fine.
0
 

Author Comment

by:GeorgeFromTheBank
ID: 34889229
Great, thanks. So for the clients that were having issues (WinXP) you think they were just the ones looking at DC1 that went offline and they just needed either a reboot or a bit of time to carry on?
0
 
LVL 1

Expert Comment

by:lomaree
ID: 34892343
Yes that is correct .
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

595 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question