Solved

AD Windows Server 2003 DC is not recognized as a GC when another GC is bounced

Posted on 2011-02-25
Last Modified: 2012-05-11
Good day everyone,

We have 2 servers with the role of global catalog servers; they both have FSMO roles distributed amongst each other. Server 1 is a GC, DNS, DHCP AD server; server 2 has AD and is acting as a GC as well. Server 2 has been around longer than server 1; server 1 replaced an old DC we had which has been decommissioned. This is what happens:

When we restart server 2, everyone loses connection to the internet and is not able to log in. We find this strange, being that server 1 has DNS, AD and is a GC. We are wondering why users are not able to authenticate while server 2 is being rebooted?

any ideas?
0
Question by:GridLock137
17 Comments
 
LVL 12

Expert Comment

by:Navdeep
ID: 34984322
Hi,

Are both of your DCs in the same site/same domain?

Do you have multiple sites?

If you run the following command, do you see your DC as a GC?
Use the following command:

nltest /dsgetdc:domain.com

Check under Flags whether your server is marked as GC.

If not, then go to Active Directory Sites and Services, site / servers / properties of NTDS Settings, mark it as GC and reboot.
0
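The flag check described in the comment above, as an added example that is not part of the original thread: it parses `nltest /dsgetdc` output and reports whether the located DC advertises the GC flag. The host name, address and site name in the sample are constructed; `/gc` and `/force` ask the DC locator for a fresh global catalog lookup.

```powershell
# Added example: turn "nltest /dsgetdc:<domain>" output into an object.
function ConvertFrom-NltestDsGetDc {
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Fields look like "   Dc Site Name: Default-First-Site-Name"
        if ($line -match '^\s*([^:]+?):\s*(\S.*?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }
    if (-not $fields.ContainsKey('Flags')) {
        throw 'No Flags line found: the DC locator did not return a DC.'
    }
    $flags = $fields['Flags'] -split '\s+'
    New-Object PSObject -Property @{
        DC      = $fields['DC'].TrimStart('\')
        DcSite  = $fields['Dc Site Name']
        OurSite = $fields['Our Site Name']
        IsGC    = $flags -contains 'GC'
        IsPDC   = $flags -contains 'PDC'
        Flags   = $flags
    }
}

# Constructed sample output (names and address are placeholders).
$sample = @'
           DC: \\SERVER1.domain.com
      Address: \\192.0.2.10
     Dom Name: domain.com
  Forest Name: domain.com
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
The command completed successfully
'@ -split "`r?`n"

ConvertFrom-NltestDsGetDc -Lines $sample | Format-List DC, DcSite, IsGC, IsPDC

# Live use on a client, e.g. while one DC is down for a reboot:
# ConvertFrom-NltestDsGetDc -Lines (nltest /dsgetdc:domain.com /gc /force)
```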
 
LVL 46

Expert Comment

by:Craig Beck
ID: 34984373
You only have 1 DNS server???

Do users have to authenticate to a proxy to get internet access?

Does DC2 hold the PDC Emulator role?
0
 
LVL 7

Author Comment

by:GridLock137
ID: 34984480
let me remote in and check this.
0
 
LVL 7

Author Comment

by:GridLock137
ID: 34984563
OK, so both DCs are in the same site, same domain. We do not have multiple sites but we do have other domains configured; I guess they can be called child domains. v-2, I could not run that command; where do I run it from? I checked and both are GC. I just found out we have a server 3 that holds the roles of infrastructure and RID and is currently the operations master.

Server 3 has no DNS installed.

Server 1 and 2 both have DNS installed.

craigbeck, DC2 does not hold the PDC Em role; I just looked it up and server 3 holds it.
0
 
LVL 3

Accepted Solution

by:
Jim Restucci earned 2000 total points
ID: 34984589
We see this problem all the time, and have been told by Microsoft Support that it has to do with the timeout of the client.  If the client was logged in using DC1 and DC1 is rebooted, the secure channel has to be rebuilt, resulting in a longer than normal period for login.

Is this what you are seeing?
0
 
LVL 7

Author Comment

by:GridLock137
ID: 34984689
Yes, we see that as well as loss of internet connectivity. I thought if one GC goes down then the other takes over, or does it not work this way?
0
 
LVL 3

Expert Comment

by:Jim Restucci
ID: 34984713
As far as I know it does not work this way. Any clients logged into the rebooting DC will have to rebuild the secure channel to the remaining DC and that can take some time. If we take down DC1 for maintenance, we always inform staff to reboot their machines before attempting to log in again.
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 34984726
Hi,

You would run that command in command prompt. You need to install support tools for that.
0
 
LVL 7

Author Comment

by:GridLock137
ID: 34984811
I see. OK. No problem. I will have to test further since there is another person involved in this troubleshooting process. I will post my results Monday, guys. Thank you.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 34984885
Do your clients look at DC2 first for DNS?
Also, does DC1 use DC2 as its primary DNS server, and vice-versa for DC2?
0
 
LVL 7

Author Comment

by:GridLock137
ID: 34988539
I believe the clients are looking at DC1 first but I could be wrong; we have desktop admins and they might be mixing up the order of which they should put first. I will verify what the DCs have as their primary DNS. Should each one point to the other or themselves as the primary?
0
 
LVL 3

Expert Comment

by:Jim Restucci
ID: 34989000
We have them point to each other and a 3rd party (our upstream provider) DNS.
0
 
LVL 7

Author Comment

by:GridLock137
ID: 34989189
I will verify that, but what about server three, which seems to hold some of the FSMO roles but is not a GC? Don't point to that guy, correct? If anything, that guy should point to server 1 and 2, yes?
0
 
LVL 3

Expert Comment

by:Jim Restucci
ID: 34989197
Yes, since Server3 doesn't have the GC role, I would have it point to 1 and 2.
0
 
LVL 7

Author Comment

by:GridLock137
ID: 34989235
OK, I will verify the setting, change if needed and test it... Have a great weekend. Will post Monday. Thank you.
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 34989289
Hi,
Also, you need to remove external DNS from clients and put it under forwarders in the DNS server properties. Reason being, your clients will look for the GC/DC on external DNS when DC1 and DC2 won't respond.
0
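The DNS point in the comment above, as an added example that is not part of the original thread: it classifies each resolver a client is configured with by whether it can return the domain's DC locator SRV records. The two nslookup outputs, host names and addresses are constructed samples.

```powershell
# Added example: pull SRV targets ("svr hostname = ...") out of nslookup output.
function Get-SrvTargets {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match 'svr hostname\s*=\s*(\S+)') { $matches[1] }
    }
}

# Report whether one resolver can locate domain controllers for the domain.
function Test-DcLocatorDns {
    param([string]$Server, [string[]]$NslookupOutput)
    $targets = @(Get-SrvTargets -Lines $NslookupOutput)
    New-Object PSObject -Property @{
        DnsServer   = $Server
        DcsFound    = $targets -join ', '
        CanLocateDc = ($targets.Count -gt 0)
    }
}

# Constructed sample: answer from an internal, AD-integrated DNS server.
$internal = @'
Server:  server1.domain.com
Address:  192.0.2.10

_ldap._tcp.dc._msdcs.domain.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = server1.domain.com
_ldap._tcp.dc._msdcs.domain.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = server2.domain.com
'@ -split "`r?`n"

# Constructed sample: an external resolver knows nothing about the AD zone.
$external = @'
Server:  resolver.example.net
Address:  198.51.100.53

*** resolver.example.net can't find _ldap._tcp.dc._msdcs.domain.com: Non-existent domain
'@ -split "`r?`n"

Test-DcLocatorDns -Server '192.0.2.10'    -NslookupOutput $internal
Test-DcLocatorDns -Server '198.51.100.53' -NslookupOutput $external

# Live use, once per DNS server listed on the client:
# $out = nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.com 192.0.2.10 2>&1 | ForEach-Object { "$_" }
# Test-DcLocatorDns -Server '192.0.2.10' -NslookupOutput $out
```

Any resolver in a client's list that reports `CanLocateDc = False` belongs in the DNS servers' forwarders rather than on the client.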
 
LVL 7

Author Closing Comment

by:GridLock137
ID: 35020686
thank you guys!
0
