

This computer was not able to set up a secure session with a domain controller in domain

We have three 2003 domain controllers. One of them had some issues and while it was unavailable the other two reported the following:

This computer was not able to set up a secure session with a domain controller in domain xyz due to the following:
There are currently no logon servers available to service the logon request.  
This may lead to authentication problems.

Some users reported problems with applications etc. (anything that used AD). Did these errors mean that the two remaining DCs were unable to function and thus the users were having trouble, or were they merely saying they tried to speak to the 1st DC and couldn't, but everything was OK after that (in which case the users having trouble were only the ones using DC1 at the time)? In other words, did the other two DCs take over and carry on, or was AD unavailable entirely?
1 Solution
 
lomaree commented:
Hi

At present it would be difficult to say what went wrong and where, but if you can provide me with some information about how you have set up your Windows infrastructure I might be able to precisely explain what went wrong.

1. Are all 3 DCs in the same site?
2. Are all 3 DCs GCs?
3. The one with the problem: was it a DNS server and did it have all 5 roles on it?
4. If you answer no, then which one of these servers had which role and DNS services running on it?
5. Do you have a child domain topology, or a hub/spoke topology without child DCs, just additional DCs?
 
GeorgeFromTheBank (Author) commented:
Hi, thanks for your reply.

1) Yes, all in the same site
2) All are GCs
3) No, DC1 has the child domain FSMO roles (3); the other two (that were online) are DNS primary and secondary.
5) We have a top-level domain with two child domains; the problem was with a child domain. The top-level domain was online and accessible.
 
Tasmant commented:
So if you have 3 domains with 3 DCs, you have only one DC per domain.
If one of your DCs fails, there's no secondary DC to serve clients.
Each DC holds a partition for its current domain, and the others cannot authenticate as they don't have a read/write copy of the current domain partition.
lomaree commented:
Hi

If I got it right, you have 1 parent and two children in the same site and all are GCs. The problem arrived when one of the child DCs went down, while the parent and the other child were online.

Actually, in Windows XP and above, the system can automatically get a logon server for authentication from any DC regardless of the site presence; it calculates this using a pre-defined method. This nature is by design.

Therefore, the possibility is that the particular workstation had a logon server which was your problematic DC, and when the user entered the credentials it couldn't get authentication; then, trying again, it automatically selected another DC and got authentication successfully. I am pretty sure this is what had happened.

Also, you can check from the CLI of any workstation which is the logon server with `C:\>set l`.
 
GeorgeFromTheBank (Author) commented:
Sorry, let me clarify. We have a root domain and two child domains. I'm only talking about one child domain having trouble, so just imagine we have one for now. That domain contains the three DCs I was talking about, one of which went offline this morning, so the other two should have continued service, but we got those errors. Does that make sense?

I suspect that, as you say, the logon servers for those specific machines were using the DC that went offline and the other two were OK, but my worry is that the other two DCs stopped authenticating too.
 
GeorgeFromTheBank (Author) commented:
Looking at the event logs, both servers that remained online show successful authentications during the time DC1 was down, so I guess everything was fine and the error message was simply because the DCs couldn't contact their "PDC" role on DC1.
 
Tasmant commented:
Yes, you have service continuity, but as DC1 was the PDC, some operations couldn't be done any more (like operations with passwords). If clients are unable to find their logon server, they use DNS to discover another. So if your clients have at least 2 DNS servers configured in their network properties and at least one of the DNS servers answers, the client gets the list of all available DCs for the current AD site (or all in the domain if that fails), then tries to reach the DCs one by one.
So for me all is fine.
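As an added example (not code from this thread), the PowerShell below does by hand what Tasmant describes the client doing: it shows the cached logon server (the same value `set l` prints), asks DNS for the site-specific and then the domain-wide DC SRV records, and tests each advertised DC, so you can tell "my logon server is down" from "no DC in the domain is answering". `child.example.com` and the site name are placeholders; it assumes Windows 8 / Server 2012 or later for `Resolve-DnsName` and `Test-NetConnection`.

```powershell
# Added example: enumerate the DCs a client can discover for a domain and test them.
# Placeholder names; replace with your own child domain and AD site.
$Domain = 'child.example.com'
$Site   = 'Default-First-Site-Name'

# The logon server this workstation cached at logon (same as "set l" in cmd.exe)
"Cached logon server: $env:LOGONSERVER"

# Same order the DC locator uses: site-specific records first, then domain-wide
$queries = @(
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain"
)

foreach ($q in $queries) {
    $srv = Resolve-DnsName -Name $q -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { "No SRV records returned for $q"; continue }

    "DCs advertised by $q :"
    # Lower priority wins; among equal priorities a higher weight is preferred
    $ordered = $srv | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }
    foreach ($r in $ordered) {
        # LDAP port answering is a cheap proxy for "this DC can service logons"
        $ok = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        "  {0,-40} priority={1} weight={2} reachable={3}" -f $r.NameTarget, $r.Priority, $r.Weight, $ok
    }
    break   # stop after the first query that returned records, as the locator does
}

# Ask the locator to pick a DC right now, ignoring the cached one
nltest /dsgetdc:$Domain /force
```

If the site-specific query lists DCs that are all reachable, a client still logging against the dead DC only needed the locator cache refreshed (reboot, time, or the `nltest` call above), which matches the behaviour described in the thread.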
 
GeorgeFromTheBank (Author) commented:
Great, thanks. So for the clients that were having issues (WinXP), you think they were just the ones looking at DC1 that went offline, and they just needed either a reboot or a bit of time to carry on?
 
lomaree commented:
Yes, that is correct.