• Status: Solved

AD Windows Server 2003 DC is not recognized as a GC when another GC is bounced

Good day everyone,

We have 2 servers with the role of global catalog servers; they both have FSMO roles distributed amongst each other. Server 1 is a GC, DNS, DHCP and AD server; server 2 has AD and is acting as a GC as well. Server 2 has been around longer than server 1; server 1 replaced an old DC we had which has been decommissioned. This is what happens:

When we restart server 2, everyone loses connection to the internet and is not able to log in. We find this strange, being that server 1 has DNS, AD and is a GC. We are wondering why users are not able to authenticate while server 2 is being rebooted?

Any ideas?

Asked by: GridLock137
1 Solution
 
Navdeep commented:
Hi,

Are both of your DCs in the same site/same domain?

Do you have multiple sites?

If you run the following command, do you see your DC as a GC? Use the following command:

nltest /dsgetdc:domain.com

Check under Flags whether your server is marked as GC.

If not, then go to Active Directory Sites and Services, site / servers / properties of NTDS Settings, mark it as GC and reboot.
 
Craig Beck commented:
You only have 1 DNS server???

Do users have to authenticate to a proxy to get internet access?

Does DC2 hold the PDC Emulator role?
 
GridLock137 (Author) commented:
Let me remote in and check this.
GridLock137 (Author) commented:
OK, so both DCs are in the same site and same domain. We do not have multiple sites, but we do have other domains configured; I guess they can be called child domains. v-2, I could not run that command, where do I run it from? I checked and both are GC. I just found out we have a server 3 that holds the roles of infrastructure and RID and is currently the operations master.

Server 3 has no DNS installed.

Server 1 and 2 both have DNS installed.

craigbeck, DC2 does not hold the PDC Emulator role; I just looked it up and server 3 holds it.
 
Jim Restucci (Director, Network Operations) commented:
We see this problem all the time, and have been told by Microsoft Support that it has to do with the timeout of the client. If the client was logged in using DC1 and DC1 is rebooted, the secure channel has to be rebuilt, resulting in a longer than normal period for login.

Is this what you are seeing?
 
GridLock137 (Author) commented:
Yes, we see that as well as loss of internet connectivity. I thought if one GC goes down then the other takes over, or does it not work this way?
 
Jim Restucci (Director, Network Operations) commented:
As far as I know it does not work this way. Any clients logged into the rebooting DC will have to rebuild the secure channel to the remaining DC, and that can take some time. If we take down DC1 for maintenance, we always inform staff to reboot their machines before attempting to log in again.
 
Navdeep commented:
Hi,

You would run that command in a command prompt. You need to install the Support Tools for that.
 
GridLock137 (Author) commented:
I see. OK, no problem. I will have to test further since there is another person involved in this troubleshooting process. I will post my results Monday, guys. Thank you.
 
Craig Beck commented:
Do your clients look at DC2 first for DNS?
Also, does DC1 use DC2 as its primary DNS server, and vice versa for DC2?
 
GridLock137 (Author) commented:
I believe the clients are looking at DC1 first, but I could be wrong; we have desktop admins and they might be mixing up the order of which they should put first. I will verify what the DCs have as their primary DNS. Should each one point to the other or to themselves as the primary?
 
Jim Restucci (Director, Network Operations) commented:
We have them point to each other and a 3rd party (our upstream provider) DNS.
 
GridLock137 (Author) commented:
I will verify that, but what about server three, which seems to hold some of the FSMO roles but is not a GC? Don't point to that guy, correct? If anything, that guy should point to server 1 and 2, yes?
 
Jim Restucci (Director, Network Operations) commented:
Yes, since Server3 doesn't have the GC role, I would have it point to 1 and 2.
 
GridLock137 (Author) commented:
OK, I will verify the setting, change it if needed and test it... Have a great weekend. Will post Monday. Thank you.
 
Navdeep commented:
Hi,
Also, you need to remove external DNS from the clients and put it under Forwarders in the DNS server properties. The reason being, your clients will look for a GC/DC on the external DNS when DC1 and DC2 won't respond.
 
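As an added example (not from the thread or any of its posters), a small Python script that checks the two things discussed above: the GC flag in nltest /dsgetdc output, and whether each DC and client lists only AD DNS servers, with at least two of them, so one DC reboot does not leave hosts without name resolution or a reachable GC. The nltest output, host names, domain and addresses are constructed placeholders.

```python
import re

# Constructed sample of `nltest /dsgetdc:<domain>` output (placeholder names, not from the thread).
SAMPLE_NLTEST = """\
           DC: \\\\DC1.corp.example.com
      Address: \\\\192.0.2.10
     Dom Name: corp.example.com
  Forest Name: corp.example.com
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
The command completed successfully
"""

# Constructed DNS client lists (in lookup order) and the DCs that actually run DNS.
SAMPLE_HOSTS = {
    "DC1": ["192.0.2.10", "192.0.2.11"],
    "DC2": ["192.0.2.11", "203.0.113.53"],   # second entry is an ISP resolver
    "WS01": ["192.0.2.10", "198.51.100.1"],  # workstation with an external resolver
}
DNS_DCS = {"192.0.2.10": "DC1", "192.0.2.11": "DC2"}  # server 3 runs no DNS, so it is absent

def parse_dsgetdc(output):
    """Return (dc_name, set_of_flags) from the DC: and Flags: lines of nltest output."""
    dc = re.search(r"^\s*DC:\s*\\\\(\S+)", output, re.M)
    flags = re.search(r"^\s*Flags:\s*(.+?)\s*$", output, re.M)
    if not dc or not flags:
        raise ValueError("output lacks the DC: or Flags: line")
    return dc.group(1), set(flags.group(1).split())

def is_global_catalog(output):
    """True when the located DC advertises the GC flag."""
    return "GC" in parse_dsgetdc(output)[1]

def audit_dns_clients(hosts, dns_dcs):
    """Flag DNS client entries that break the advice in the thread: every entry should be an
    AD DNS server, and each host needs two of them so one DC can reboot without loss of service."""
    findings = []
    for host, servers in hosts.items():
        for ip in servers:
            if ip not in dns_dcs:
                findings.append(f"{host}: {ip} is not an AD DNS server; move it to the DC forwarders")
        if sum(ip in dns_dcs for ip in servers) < 2:
            findings.append(f"{host}: fewer than two AD DNS servers listed, no fallback during a reboot")
    return findings

if __name__ == "__main__":
    print("GC:", is_global_catalog(SAMPLE_NLTEST))
    print(*audit_dns_clients(SAMPLE_HOSTS, DNS_DCS), sep="\n")
```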
GridLock137 (Author) commented:
Thank you guys!
