This computer was not able to set up a secure session with a domain controller in domain

Posted on 2011-02-14
Medium Priority
Last Modified: 2012-06-27
We have three 2003 domain controllers. One of them had some issues and while it was unavailable the other two reported the following:

This computer was not able to set up a secure session with a domain controller in domain xyz due to the following:
There are currently no logon servers available to service the logon request.  
This may lead to authentication problems.

Some users reported problems with applications etc (anything that used AD). Were these errors meaning that the two remaining DCs were unable to function and thus the users were having trouble, or were they merely saying they tried to speak to the 1st DC and couldnt, but everything was OK after that (in which case the users having trouble were only the ones using DC1 at the time) ? In other words, did the other two DCs take over and carry on or was AD unavailable entirely?
Question by:GeorgeFromTheBank
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2

Expert Comment

ID: 34886910

at present it would be difficult to say what went wrong and where? but if you can provide me with some information about how you have setup you windows infrastructure I might be able to preciously explain what went wrong.

1. All the 3 DCs are in the same site ?
2. All the 3 DCs are GC
3. The one with the problem was it a DNS server and had all 5 roles on it
4. If you answer no then which one these servers had which role and DNS services running on it.
5. Do you have Child Domain Topology or Hub/Spoke Topology without Child DCs, just additional DCs

Author Comment

ID: 34886934
Hi, thanks for your reply.

1) Yes all in the same site
2) All are GCs
3) No, DC1 has child domain FSMO roles (3), the other two (that were online) are DNS primary and secondary.
5) We have a top level domain with two child domains, the problem was with a child domain. The top level domain was online and accessible.
LVL 11

Expert Comment

ID: 34887003
so if you have 3 domains, with 3 dcs, you have only one DC per domain.
if one of your your dcs fails, there's no secondary DC to serve clients.
each dc hold a partition for it's current domain, and the others cannot authenticate as they don't have a read/write copy of the current domain partition.
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.


Expert Comment

ID: 34887033

If I got it right, you have 1 parent and two child in the same site and all are GC. The problem arrived when one of the child DC went down, while the parent and another child was online.  

Actually in windows XP and above , the system automatically can get logon server for authentication from any DC regardless of the site presence , it calculates this using a pre-defined method, this nature is by design.

Therefore, possibility is that the particular workstation had a logon server which was your problematic DC and when the user entered the credentials it couldn't get authentication then trying again it automatically selected another DC and got authentication successfully . I am pretty sure this is what had happened.

also you can check from CLI of any workstation which is the logon server by c:/>set l

Author Comment

ID: 34887048
Sorry let me clarify. We have a root domain and two child domains. I'm only talking about one child domain having trouble, so just imagine we just have one for now. That domain contains the three DCs I was talking about, one of which went offline this morning so the other two should have continued service, but we got those errors. Does that make sense?

I suspect that as you say the logon servers for those specific machines were using the DC that went offline and the other two were OK, but my worry is the other two DCs stopped authenticating too.

Author Comment

ID: 34888839
Looking at the event logs, both servers that remained online show successful authentications during the time DC1 was down, so I guess everything was fine and the error message was simply because the DCs couldnt contact their "PDC" role on DC1
LVL 11

Accepted Solution

Tasmant earned 500 total points
ID: 34889204
Yes you have a service continuity, but as DC1 was PDC, some operations couldn't be done any more (like operations with password). If clients are unable to find their logon server, they use DNS to discover another. So if your clients have at least 2 DNS configured in their network properties, at least one of the DNS answer, the client get the list of all available DCs for the current AD site (or all in the domain if it fails), then try to reach DCs one by one.
So for me all is fine.

Author Comment

ID: 34889229
Great, thanks. So for the clients that were having issues (WinXP) you think they were just the ones looking at DC1 that went offline and they just needed either a reboot or a bit of time to carry on?

Expert Comment

ID: 34892343
Yes that is correct .

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses
Course of the Month12 days, 20 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question