Solved

Need an explanation of what happens when a DC goes down

Posted on 2011-03-08
944 Views
Last Modified: 2012-05-11
I have 2 DCs, 2008 R2 and 2003.  The PDC is the 2008.  I had to shut it down while users were still logged in to their computers.  They complained they couldn't access their files or email.  I was under the impression that if a DC goes down the computers would switch to the other DC.  Can someone explain what actually happens?

Thanks
Question by:jrsitman
21 Comments

Accepted Solution

by:
HupSkiDup earned 100 total points
ID: 35074687
I would say when they logged in that day, they exchanged credentials with the 2008 DC and got their security token.  That token gives them the credentials to get to the various AD resources.  When it went down, the other DC didn't have that token for them and stopped some access.  A restart would have authenticated them properly, but obviously not the desired circumstance.

I'm confident in the answer, not completely confident on the verbiage...Have a great day!

Assisted Solution

by:Neil Russell
Neil Russell earned 50 total points
ID: 35074874
More likely is that your "PDC" (there is actually no such thing anymore....) ran DNS and all your clients pointed to THAT server for DNS. When the server died your client machines had no DNS server to talk to for name resolution.

Check what your clients DNS settings are but I'm confident in the answer...... ;)

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 100 total points
ID: 35074983
There are several possibilities, but misconfiguration seems most likely to me.

In my own words:
1. DNS is often misconfigured - your clients should ONLY be using the AD-based DNS servers, no third party/non-AD DNS servers should be utilized (there are ways to get around this, but if you're asking this question, you shouldn't be considering them in my opinion).
2. Global Catalogs (GCs) are used in authentication and by Exchange.  If you only have one Global Catalog and that fails, then having another DC is not going to help authentication because without the global catalog, people can't authenticate appropriately.  (EXCEPTION, in NON-NATIVE mode domains, such as those upgraded from NT4).
3. Actually related to #2, Exchange picks a GC to work with and if that GC goes down it can take a while (I believe up to a half hour, but possibly more) for it to update and use the remaining GC.

I would be running DCDIAG and NETDIAG to ensure your settings are working properly, as well as BPA tools such as the Exchange Best Practices Advisor (BPA).  What they report is not necessarily wrong (pending the description of the issue), but may not be considered to be best practice.
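
An added example (not code from the thread) that checks the first two points above in one run: whether every DC is a Global Catalog, and whether any NIC on the DCs or on a few clients points at a DNS server that is not an AD DNS server. It assumes the ActiveDirectory PowerShell module (RSAT, or run it on the 2008 R2 DC), remote WMI rights to the machines checked, and that every DC also runs DNS, so the set of "AD DNS servers" is simply the DCs' own addresses; the client names are placeholders.

```powershell
# Added example, not from the thread. Assumptions: ActiveDirectory module is
# available, remote WMI works, and every DC also runs DNS (so the DCs' IPs
# are the only DNS servers clients and DCs should be using).
Import-Module ActiveDirectory

# Point 2: Global Catalogs. With a single GC, losing it breaks authentication
# and Exchange even though the other DC is still up.
$dcs = @(Get-ADDomainController -Filter *)
$gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })
"Domain controllers: {0}   Global Catalogs: {1}" -f $dcs.Count, $gcs.Count
$dcs | Format-Table HostName, IPv4Address, IsGlobalCatalog, OperatingSystem -AutoSize
if ($gcs.Count -lt 2) {
    $msg = "Only {0} Global Catalog(s). Enable the GC on the other DC too " +
           "(AD Sites and Services > server > NTDS Settings > Global Catalog)."
    Write-Warning ($msg -f $gcs.Count)
}

# Point 1: DNS. Every IP-enabled NIC should list only AD DNS servers.
$adDns = @($dcs | ForEach-Object { $_.IPv4Address })

# Machines to check: the DCs themselves plus any workstations you name
# (placeholders below). Checking clients this way replaces reading
# ipconfig /all on each one by hand.
$computers = @($dcs | ForEach-Object { $_.HostName }) + @('client01', 'client02')

foreach ($c in $computers) {
    try {
        $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $c `
                    -Filter "IPEnabled = TRUE" -ErrorAction Stop)
    } catch {
        Write-Warning "$c : $($_.Exception.Message)"
        continue
    }
    foreach ($nic in $nics) {
        $servers = @($nic.DNSServerSearchOrder)
        "$c : NIC '$($nic.Description)' DNS = $($servers -join ', ')"
        if ($servers.Count -eq 0) {
            Write-Warning "$c : NIC '$($nic.Description)' has no DNS servers configured"
        }
        foreach ($srv in $servers) {
            if ($adDns -notcontains $srv) {
                Write-Warning "$c : NIC '$($nic.Description)' points at non-AD DNS server $srv"
            }
        }
    }
}
```

Run it from a machine with RSAT as a domain admin. If you would rather see what the clients themselves resolve to, `nltest /dsgetdc:<yourdomain> /gc` on a workstation shows which GC it locates, and failing that lookup while one DC is down is the symptom the thread is about.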

Author Comment

by:jrsitman
ID: 35075525
If I run ipconfig /all on the clients, that should tell me if their settings are set properly, correct?

Expert Comment

by:Lee W, MVP
ID: 35075767
That'll tell you if the DNS settings are correct - won't tell you anything about the GCs - and it only tells you if the DNS settings are correct if you properly understand what they should be from what we've said.  Again, run DCDIAG (I usually use the /C /E /V switches) and NETDIAG and make sure there are no problems there either.  Your issue MAY be as simple as ensuring both DCs are GCs... but you could also have other problems.

Expert Comment

by:PaciB
ID: 35075809
Hi,

To complete answers already given by other experts here, I would also check the Time synchronization in the domain.

If the surviving DC is not time-synchronized with the rest of the domain it cannot validate Kerberos tickets when a resource server asks it for a ticket validation. Then the access is refused.

So, compare time on the client, on the DC and on the resource server. They should be synchronized.

Have a good day.
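
An added example (not from the thread) of the comparison PaciB describes: it reads the UTC clock of the client, the DCs and the resource server over WMI and flags any machine whose clock differs from yours by more than the Kerberos default of 5 minutes (the "Maximum tolerance for computer clock synchronization" policy). The hostnames are placeholders and remote WMI access is assumed; UTC is used so that a time-zone difference is not mistaken for skew.

```powershell
# Added example, not from the thread. Hostnames are placeholders; remote WMI
# access to each machine is assumed. Compares every clock, in UTC, against the
# machine you run this on, using the Kerberos default tolerance of 5 minutes.
$hosts     = @('spcala16', 'spcala17', 'fileserver01', 'client01')   # placeholders
$tolerance = [TimeSpan]::FromMinutes(5)

function Get-RemoteUtcTime([string]$computer) {
    # Win32_UTCTime exposes the remote clock's UTC components (1 s resolution)
    $t = Get-WmiObject Win32_UTCTime -ComputerName $computer -ErrorAction Stop
    New-Object DateTime -ArgumentList $t.Year, $t.Month, $t.Day, $t.Hour, $t.Minute, $t.Second, ([DateTimeKind]::Utc)
}

function Test-ClockSkew([string[]]$computers, [TimeSpan]$maxSkew) {
    foreach ($h in $computers) {
        try {
            $remote = Get-RemoteUtcTime $h
            $skew   = $remote - [DateTime]::UtcNow       # positive = remote clock is ahead
            $status = if ([Math]::Abs($skew.TotalSeconds) -gt $maxSkew.TotalSeconds) {
                'OUT OF TOLERANCE'
            } else {
                'ok'
            }
            New-Object PSObject -Property @{
                Computer    = $h
                SkewSeconds = [Math]::Round($skew.TotalSeconds, 1)
                Status      = $status
            }
        } catch {
            New-Object PSObject -Property @{
                Computer    = $h
                SkewSeconds = $null
                Status      = "error: $($_.Exception.Message)"
            }
        }
    }
}

Test-ClockSkew $hosts $tolerance | Format-Table Computer, SkewSeconds, Status -AutoSize
```

A second or two of skew is RPC latency, not a problem; minutes are. If a DC is out, `w32tm /query /source` on the 2008 R2 DC shows where it takes its time from, and `w32tm /resync` pulls it back in line.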

Expert Comment

by:Lee W, MVP
ID: 35075913
Time Sync is important, but should show up as an issue when DCDIAG is run.

Author Comment

by:jrsitman
ID: 35075967
@leew I ran DCDiag with the switches and it returned a LOT of information. I can process some of what it found and some of it I can't.  See attachment.  Example: it states 172.16.1.33 and .34 passed all tests.  These are my DNS/DCs.  Then there are several other servers, i.e. 192.112.36.4, that also passed and others that failed.  Why is there a server in my network with "192"?  It also states DNS server 172.16.1.28 had 2 test failures on the DNS server.  This is not a DNS server, it is a DHCP server.  I will run Netdiag next.

Author Comment

by:jrsitman
ID: 35075987
forgot attachment
dns16.png

Author Comment

by:jrsitman
ID: 35075995
no time server errors

Author Comment

by:jrsitman
ID: 35076074
All NETDIAG tests passed

Author Comment

by:jrsitman
ID: 35076130
@leew, you've answered or been involved in several of my questions and I appreciate your expertise.  I'd appreciate your opinion on whether or not there is a good GUI application out there for analyzing DNS and Network issues.  I'm more of a GUI kind of guy.  <grin>

Expert Comment

by:Lee W, MVP
ID: 35076668
Redirect the output and post the text file.  Specifically, run this command:

DCDIAG /C /E /V >c:\DCDIAG.TXT

And do similarly for NETDIAG and then post the text files (which should be found in C:\).

Sorry, don't know much about GUI apps.  I prefer command lines.  BUT, like I said, also run some BPA tools - most BPA tools are GUI.
http://blogs.technet.com/b/activedirectoryua/archive/2009/01/30/introducing-ad-ds-best-practices-analyzer.aspx
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=dbab201f-4bee-4943-ac22-e2ddbd258df3&displaylang=en

(I'm assuming you have Exchange because you mentioned "They complained they couldn't access their files or email.")
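
An added example (not from the thread) that saves the full report exactly as asked above and then boils it down to the failed tests, which is the part of the "LOT of information" worth acting on. The parser keys on dcdiag's per-test summary lines; the sample lines are constructed to match that format (SPCALA16 is the server named in this thread, example.local is a placeholder domain), and C:\DCDIAG.TXT is the path used above.

```powershell
# Added example, not from the thread. Parses dcdiag summary lines of the form
#   ......................... <target> passed test <Test>
#   ......................... <target> failed test <Test>
# where <target> is a DC, the domain or the forest depending on the test.
function Get-DcdiagResult([string[]]$lines) {
    foreach ($line in $lines) {
        if ($line -match '^\s*\.{3,}\s+(?<Target>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\S+)\s*$') {
            New-Object PSObject -Property @{
                Target = $Matches['Target']
                Result = $Matches['Result']
                Test   = $Matches['Test']
            }
        }
    }
}

# Constructed sample standing in for a real report (placeholder names).
$sample = @'
         ......................... SPCALA16 passed test Connectivity
         ......................... SPCALA16 passed test Advertising
         ......................... SPCALA16 failed test NCSecDesc
         ......................... SPCALA16 passed test Replications
         ......................... example.local failed test LocatorCheck
'@ -split "`r?`n"

"Failed tests in the sample:"
Get-DcdiagResult $sample |
    Where-Object { $_.Result -eq 'failed' } |
    Format-Table Target, Test -AutoSize

# Real run: full report to disk for posting, failures summarised on screen.
$report = 'C:\DCDIAG.TXT'
dcdiag /c /e /v | Out-File -FilePath $report -Encoding ASCII
"Failed tests in $report :"
Get-DcdiagResult (Get-Content $report) |
    Where-Object { $_.Result -eq 'failed' } |
    Format-Table Target, Test -AutoSize
```

Two things about the report itself: the verbose detail for a failure sits a few lines above the "failed test" summary line, so search the saved file for the test name once you have the short list; and /c includes the DNS test, which checks forwarders and root hints, which is how a root server such as 192.112.36.4 (g.root-servers.net) ends up listed in the report even though it is not on your network.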

Author Comment

by:jrsitman
ID: 35076984
Yes, Exchange 2010.  Files attached.  I'll do the BPA, tonight or tomorrow.  Wife wants to go to dinner.  <grin>

dcdiag.TXT
NETDIAG.TXT

Author Comment

by:jrsitman
ID: 35077189
See attachment.  Is this a list of what DNS thinks are DNS servers?  spcala01 and 10 are not DNS servers; 10 is no longer in the domain and 01 used to be a DNS server.

dnsservers.png

Expert Comment

by:Neil Russell
ID: 35085759
Are your DNS servers configured correctly for AD Integrated DNS?
You should remove all trace from DNS of servers that are not functional DNS servers.

Author Comment

by:jrsitman
ID: 35085824

@Neilsr, thanks for the server clarification.

@leew, let me know when you get time to review what I posted.  Thanks

Expert Comment

by:Neil Russell
ID: 35085989
Your DCDIAG shows that you have multiple DNS servers listed on the NIC configuration on SPCALA16.

A DC should ONLY have itself listed as the DNS server on the NIC interface and NO other DNS servers listed on it at all for correct AD functionality.

Author Comment

by:jrsitman
ID: 35086077
I changed it on both DCs.  Thanks

Expert Comment

by:Neil Russell
ID: 35086797
So you have removed the extra DNS servers set in the DNS servers tab AND removed DNS entries on the NICs except for the machine they are on....

Rerun your DCDIAG now and post please.

Author Closing Comment

by:jrsitman
ID: 35131640
Thanks to all.