Solved

This computer was not able to set up a secure session with a domain controller in domain

Posted on 2011-02-14
Last Modified: 2012-06-27
We have three 2003 domain controllers. One of them had some issues and while it was unavailable the other two reported the following:

This computer was not able to set up a secure session with a domain controller in domain xyz due to the following:
There are currently no logon servers available to service the logon request.  
This may lead to authentication problems.

Some users reported problems with applications etc. (anything that used AD). Were these errors meaning that the two remaining DCs were unable to function and thus the users were having trouble, or were they merely saying they tried to speak to the 1st DC and couldn't, but everything was OK after that (in which case the users having trouble were only the ones using DC1 at the time)? In other words, did the other two DCs take over and carry on, or was AD unavailable entirely?
Question by:GeorgeFromTheBank
9 Comments

Expert Comment

by:lomaree
ID: 34886910
Hi

At present it would be difficult to say what went wrong and where, but if you can provide me with some information about how you have set up your Windows infrastructure I might be able to explain precisely what went wrong.

1. Are all 3 DCs in the same site?
2. Are all 3 DCs GCs?
3. Was the one with the problem a DNS server, and did it hold all 5 roles?
4. If you answer no, which of these servers held which role, and which had DNS services running?
5. Do you have a child domain topology, or a hub/spoke topology without child DCs, just additional DCs?

Author Comment

by:GeorgeFromTheBank
ID: 34886934
Hi, thanks for your reply.

1) Yes all in the same site
2) All are GCs
3) No, DC1 has child domain FSMO roles (3), the other two (that were online) are DNS primary and secondary.
5) We have a top level domain with two child domains, the problem was with a child domain. The top level domain was online and accessible.

Expert Comment

by:Tasmant
ID: 34887003
So if you have 3 domains with 3 DCs, you have only one DC per domain.
If one of your DCs fails, there's no secondary DC to serve clients.
Each DC holds a partition for its current domain, and the others cannot authenticate as they don't have a read/write copy of the current domain partition.

Expert Comment

by:lomaree
ID: 34887033
Hi

If I got it right, you have 1 parent and two children in the same site and all are GCs. The problem arrived when one of the child DCs went down, while the parent and the other child were online.

Actually, in Windows XP and above, the system can automatically get a logon server for authentication from any DC regardless of site presence; it calculates this using a pre-defined method. This behaviour is by design.

Therefore, the possibility is that the particular workstation had a logon server which was your problematic DC, and when the user entered the credentials it couldn't get authentication; on trying again it automatically selected another DC and got authenticated successfully. I am pretty sure this is what happened.

You can also check from the CLI of any workstation which is the logon server with C:\>set l
Author Comment

by:GeorgeFromTheBank
ID: 34887048
Sorry, let me clarify. We have a root domain and two child domains. I'm only talking about one child domain having trouble, so just imagine we have only one for now. That domain contains the three DCs I was talking about, one of which went offline this morning, so the other two should have continued service, but we got those errors. Does that make sense?

I suspect that as you say the logon servers for those specific machines were using the DC that went offline and the other two were OK, but my worry is the other two DCs stopped authenticating too.
Author Comment

by:GeorgeFromTheBank
ID: 34888839
Looking at the event logs, both servers that remained online show successful authentications during the time DC1 was down, so I guess everything was fine and the error message was simply because the DCs couldn't contact their "PDC" role on DC1.

Accepted Solution

by:Tasmant (earned 125 total points)
ID: 34889204
Yes, you have service continuity, but as DC1 was the PDC, some operations couldn't be done any more (like operations with passwords). If clients are unable to find their logon server, they use DNS to discover another. So if your clients have at least 2 DNS servers configured in their network properties, at least one of the DNS servers answers, the client gets the list of all available DCs for the current AD site (or all in the domain if that fails), then tries to reach the DCs one by one.
So for me all is fine.
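The checks discussed in this thread, as an added example that is not code from any of the posters: it shows the "set l" logon-server check from lomaree's comment, then reproduces the DC discovery order Tasmant describes (site-specific DNS SRV record first, domain-wide record as fallback, then each DC tried in turn) and lists the domain FSMO role holders, so you can tell a client that was merely bound to the failed DC apart from a domain that has actually lost authentication. The domain name, site name, and the requirement for a domain-joined Windows 8 / Server 2012 or later host with PowerShell 3+ and the RSAT ActiveDirectory module are assumptions; the 2003-era workstations in the thread would use `set l` and `nltest` only.

```powershell
# Added example, not code from the thread. Placeholders: replace $Domain and $Site
# with the child domain's DNS name and the AD site the three DCs share.
$Domain = 'child.corp.example'        # placeholder: child domain that lost DC1
$Site   = 'Default-First-Site-Name'   # placeholder: site containing all three DCs

# 1. Which DC did this session authenticate against? Same value "set l" shows.
Write-Host "Current logon server: $env:LOGONSERVER"

# 2. Ask the DC locator for a DC right now. /force discards the cached answer,
#    so a client still pointing at the failed DC is made to re-discover.
nltest /dsgetdc:$Domain /force

# 3. The discovery order the accepted answer describes: DNS SRV records for the
#    client's site first, then the domain-wide record as fallback.
$srvNames = @(
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain"
)
$dcList = foreach ($srv in $srvNames) {
    try {
        Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object {
                [pscustomobject]@{
                    Record   = $srv
                    DC       = $_.NameTarget
                    Priority = $_.Priority
                    Weight   = $_.Weight
                }
            }
    } catch {
        # No answer for this record: a client falls through to the next one.
        Write-Warning "No SRV answer for $srv : $($_.Exception.Message)"
    }
}
$dcList | Format-Table -AutoSize

# 4. Try the DCs one by one, as a client would. A DC answering on Kerberos (88)
#    and LDAP (389) can still service logons while another DC is down.
$health = foreach ($dc in ($dcList.DC | Select-Object -Unique)) {
    [pscustomobject]@{
        DC       = $dc
        Kerberos = Test-NetConnection -ComputerName $dc -Port 88 `
                       -InformationLevel Quiet -WarningAction SilentlyContinue
        LDAP     = Test-NetConnection -ComputerName $dc -Port 389 `
                       -InformationLevel Quiet -WarningAction SilentlyContinue
    }
}
$health | Format-Table -AutoSize

# 5. Which DC holds the domain FSMO roles? If the PDC emulator is the one that is
#    down, logons continue on the survivors but PDC-dependent operations stall,
#    which is what the Netlogon warning in the question is reporting.
Import-Module ActiveDirectory
$d = Get-ADDomain -Identity $Domain
[pscustomobject]@{
    PDCEmulator          = $d.PDCEmulator
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
} | Format-List
```

Run it from a workstation that showed the error: if step 4 reports the two surviving DCs reachable and step 5 names the offline DC as PDC emulator, the situation matches the accepted answer (service continued, PDC-only operations did not). A client whose `$env:LOGONSERVER` still names the failed DC after step 2 has a stale secure channel and needs the `nltest /force` rediscovery or a reboot, which is the remedy the author asks about in the next comment.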

Author Comment

by:GeorgeFromTheBank
ID: 34889229
Great, thanks. So for the clients that were having issues (WinXP) you think they were just the ones looking at DC1 that went offline and they just needed either a reboot or a bit of time to carry on?

Expert Comment

by:lomaree
ID: 34892343
Yes that is correct .