  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 963
  • Last Modified:

Need an explanation of what happens when a DC goes down

I have two DCs, 2008 R2 and 2003. The PDC is the 2008. I had to shut it down while users were still logged in to their computers. They complained they couldn't access their files or email. I was under the impression that if a DC goes down the computers would switch to the other DC. Can someone explain what actually happens?

Thanks
0
Asked by: J.R. Sitman
3 Solutions
 
HupSkiDup commented:
I would say when they logged in that day, they exchanged credentials with the 2008 DC and got their security token. That token gives them the credentials to get to the various AD resources. When it went down, the other DC didn't have that token for them and stopped some access. A restart would have authenticated them properly, but obviously not the desired circumstance.

I'm confident in the answer, not completely confident on the verbiage... Have a great day!
0
 
Neil Russell, Technical Development Lead, commented:
More likely is that your "PDC" (there is actually no such thing anymore...) ran DNS and all your clients pointed to THAT server for DNS. When the server died your client machines had no DNS server to talk to for name resolution.

Check what your clients' DNS settings are, but I'm confident in the answer...... ;)
0
 
Lee W, MVP, Technology and Business Process Advisor, commented:
There are several possibilities, but misconfiguration seems most likely to me.

In my own words:
1. DNS is often misconfigured - your clients should ONLY be using the AD-based DNS servers; no third party/non-AD DNS servers should be utilized (there are ways to get around this, but if you're asking this question, you shouldn't be considering them in my opinion).
2. Global Catalogs (GCs) are used in authentication and by Exchange. If you only have one Global Catalog and that fails, then having another DC is not going to help authentication because without the global catalog, people can't authenticate appropriately. (EXCEPTION: in NON-NATIVE mode domains, such as those upgraded from NT4.)
3. Actually related to #2, Exchange picks a GC to work with and if that GC goes down it can take a while (I believe up to a half hour, but possibly more) for it to update and use the remaining GC.

I would be running DCDIAG and NETDIAG to ensure your settings are working properly, as well as BPA tools, such as the Exchange Best Practices Advisor (BPA). What they report is not necessarily wrong (pending the description of the issue), but may not be considered to be best practices.
0
 
J.R. Sitman (Author) commented:
If I run ipconfig /all on the clients, that should tell me if their settings are set properly, correct?
0
 
Lee W, MVP, Technology and Business Process Advisor, commented:
That'll tell you if the DNS settings are correct - won't tell you anything about the GCs - and it only tells you if the DNS settings are correct if you properly understand what they should be from what we've said. Again, run DCDIAG (I usually use the /C /E /V switches) and NETDIAG and make sure there are no problems there either. Your issue MAY be as simple as ensuring both DCs are GCs... but you could also have other problems.
0
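The two checks Lee W describes above (are both DCs Global Catalogs, and does the AD DNS actually let clients find the other DC) can be scripted. This is an added example, not code from anyone in this thread: it uses the RSAT ActiveDirectory module (Windows 7 / 2008 R2 or later) to list every DC with its GC flag and FSMO roles, warns when fewer than two GCs exist, and then queries each DC's own DNS service for the DC locator SRV record that clients use to fail over. The domain name is read from AD; nothing else is assumed.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module and
# a domain-joined machine; run as an ordinary domain user.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs    = @(Get-ADDomainController -Filter *)

Write-Host "Domain: $domain"
Write-Host "Domain controllers:"
foreach ($dc in $dcs) {
    $gc = if ($dc.IsGlobalCatalog) { 'GC' } else { 'no GC' }
    Write-Host ("  {0,-30} {1,-15} {2,-6} roles: {3}" -f `
        $dc.HostName, $dc.IPv4Address, $gc, ($dc.OperationMasterRoles -join ','))
}

# A single GC is a single point of failure for logon (universal group expansion)
# and for Exchange, so warn when the domain has fewer than two.
$gcCount = @($dcs | Where-Object { $_.IsGlobalCatalog }).Count
if ($gcCount -lt 2) {
    Write-Warning "Only $gcCount Global Catalog server(s); promote another DC to GC so authentication survives a DC outage."
}

# Clients locate DCs through SRV records in the _msdcs zone. Ask each DC's DNS
# service for that record and check every DC is advertised there; a DC missing
# from the answer cannot be found by clients that use this DNS server.
$srvName = "_ldap._tcp.dc._msdcs.$domain"
foreach ($dc in $dcs) {
    $answer = & nslookup -type=SRV $srvName $dc.IPv4Address 2>&1 | Out-String
    foreach ($other in $dcs) {
        if ($answer -notmatch [regex]::Escape($other.HostName)) {
            Write-Warning ("DNS on {0} does not advertise {1} in {2}" -f `
                $dc.HostName, $other.HostName, $srvName)
        }
    }
}
```

Run it from an elevated PowerShell prompt on a DC or a management workstation. A warning from the SRV check usually means the _msdcs zone is not replicating to that DC, or the other DC's Netlogon service has not registered its records (a `DCDIAG /test:DNS` finding of the same kind).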
 
Bruno PACI, IT Consultant, commented:
Hi,

To complete the answers already given by other experts here, I would also check the time synchronization in the domain.

If the surviving DC is not time-synchronized with the rest of the domain it cannot validate Kerberos tickets when a resource server asks it for a ticket validation. Then the access is refused.

So, compare the time on the client, on the DC and on the resource server. They should be synchronized.

Have a good day.
0
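Bruno's point can be measured rather than eyeballed. The following is an added example, not from any poster here: it uses the built-in `w32tm /stripchart` to sample the clock offset between the machine it runs on and each DC, and flags any offset that approaches the Kerberos default tolerance of 5 minutes (the "Maximum tolerance for computer clock synchronization" policy). The DC names in `$dcNames` are constructed placeholders to replace with your own.

```powershell
# Added example (not from the thread). Run on a client or on the resource server
# whose access is being refused; w32tm is present on every supported Windows.
$maxSkewSeconds = 300                     # Kerberos default clock tolerance
$dcNames = @('dc01.example.local', 'dc02.example.local')   # constructed placeholders

foreach ($dc in $dcNames) {
    # /dataonly prints one sample per line, e.g. "10:10:10, d:+00.0006104s o:+00.0001093s"
    # (older builds print "10:10:10, +00.0006104s"); the regex accepts both shapes.
    $lines = & w32tm /stripchart /computer:$dc /samples:3 /dataonly 2>&1
    $offsets = @(foreach ($line in $lines) {
        if ($line -match '(?:o:|,\s*)([+-]\d+(?:\.\d+)?)s') { [double]$Matches[1] }
    })
    if ($offsets.Count -eq 0) {
        Write-Warning "$dc : no time samples (host unreachable or UDP 123 blocked)"
        continue
    }
    $avg    = ($offsets | Measure-Object -Average).Average
    $absAvg = [math]::Abs($avg)
    if ($absAvg -ge $maxSkewSeconds) {
        Write-Warning ("{0}: offset {1:N3}s exceeds Kerberos tolerance; ticket validation will fail" -f $dc, $avg)
    } elseif ($absAvg -ge ($maxSkewSeconds / 2)) {
        Write-Warning ("{0}: offset {1:N3}s is within tolerance but drifting" -f $dc, $avg)
    } else {
        Write-Host ("{0}: offset {1:N3}s OK" -f $dc, $avg)
    }
}

# Where does this machine take its time from, and is it actually synchronized?
# In a domain the hierarchy ends at the PDC emulator, which should itself have
# a reliable external source.
& w32tm /query /source
& w32tm /query /status
```

A large offset against one DC but not the other points at that DC's own time source; a large offset against both points at the local machine (or a VM host pushing its clock into the guest).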
 
Lee W, MVP, Technology and Business Process Advisor, commented:
Time sync is important, but should show up as an issue when DCDIAG is run.
0
 
J.R. Sitman (Author) commented:
@leew I ran DCDiag with the switches and it returned a LOT of information. I can process some of what it found and some of it I can't. See attachment. For example, it states 172.16.1.33 and .34 passed all tests. These are my DNS/DCs. Then there are several other servers, i.e. 192.112.36.4, that also passed and others that failed. Why is there a server in my network with "192"? It also states DNS server 172.16.1.28 had 2 test failures on the DNS server. This is not a DNS server, it is a DHCP server. I will run Netdiag next.
0
 
J.R. Sitman (Author) commented:
Forgot attachment.
dns16.png
0
 
J.R. Sitman (Author) commented:
No time server errors.
0
 
J.R. Sitman (Author) commented:
All NETDIAG tests passed.
0
 
J.R. Sitman (Author) commented:
@leew, you've answered or been involved in several of my questions and I appreciate your expertise. I'd appreciate your opinion on whether or not there is a good GUI application out there for analyzing DNS and network issues. I'm more of a GUI kind of guy. <grin>
0
 
Lee W, MVP, Technology and Business Process Advisor, commented:
Redirect the output and post the text file. Specifically, run this command:

DCDIAG /C /E /V >c:\DCDIAG.TXT

And do similarly for NETDIAG and then post the text files (which should be found in C:\).

Sorry, don't know much about GUI apps.  I prefer command lines.  BUT, like I said, also run some BPA tools - most BPA tools are GUI.
http://blogs.technet.com/b/activedirectoryua/archive/2009/01/30/introducing-ad-ds-best-practices-analyzer.aspx
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=dbab201f-4bee-4943-ac22-e2ddbd258df3&displaylang=en

(I'm assuming you have Exchange because you mentioned "They complained they couldn't access their files or email.")
0
 
J.R. Sitman (Author) commented:
Yes, Exchange 2010. Files attached. I'll do the BPA tonight or tomorrow. Wife wants to go to dinner. <grin>

dcdiag.TXT
NETDIAG.TXT
0
 
J.R. Sitman (Author) commented:
See attachment. Is this a list of what DNS thinks are DNS servers? spcala01 and 10 are not DNS servers; 10 is no longer in the domain and 01 used to be a DNS server.

dnsservers.png
0
 
Neil Russell, Technical Development Lead, commented:
Are your DNS servers configured correctly for AD Integrated DNS?
You should remove all trace from DNS of servers that are not functional DNS servers.
0
 
J.R. Sitman (Author) commented:
@Neilsr, thanks for the server clarification.

@leew, let me know when you get time to review what I posted. Thanks.
0
 
Neil Russell, Technical Development Lead, commented:
Your DCDIAG shows that you have multiple DNS servers listed on the NIC configuration on SPCALA16.

A DC should ONLY have itself listed as the DNS server on the NIC interface and NO other DNS servers listed on it at all for correct AD functionality.
0
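The stale entries found in this thread (a decommissioned DC and a DHCP server still listed as DNS servers) are exactly what an audit of NIC DNS settings across the domain turns up. Added example, not code from anyone in the thread: it builds the set of current DC addresses from AD, then reads the `DNSServerSearchOrder` of every IP-enabled NIC on a list of computers over WMI (so it also works against Windows 7 / 2008 R2 hosts) and flags any DNS entry that is not a current DC, plus clients that list only one DC and therefore have no resolver once that DC is down. Loopback is accepted on a DC because it reaches the DC's own DNS service. The client names in `$computers` are constructed placeholders.

```powershell
# Added example (not from the thread). Requires RSAT ActiveDirectory on the machine
# running it and WMI/DCOM access to the audited computers (run as a domain admin).
Import-Module ActiveDirectory

$dcs     = @(Get-ADDomainController -Filter *)
$dcIps   = @($dcs | ForEach-Object { $_.IPv4Address })
$dcNames = @($dcs | ForEach-Object { $_.HostName })
$allowed = $dcIps + @('127.0.0.1', '::1')   # loopback on a DC is its own DNS service

# Every DC plus a few representative clients; the client names are placeholders.
$computers = $dcNames + @('client01.example.local', 'client02.example.local')

foreach ($computer in $computers) {
    try {
        $nics = @(Get-WmiObject -ComputerName $computer -Class Win32_NetworkAdapterConfiguration `
                    -Filter "IPEnabled = TRUE" -ErrorAction Stop)
    } catch {
        Write-Warning "$computer : WMI query failed ($($_.Exception.Message))"
        continue
    }
    foreach ($nic in $nics) {
        $dns = @($nic.DNSServerSearchOrder)
        Write-Host ("{0} [{1}]: {2}" -f $computer, $nic.Description, ($dns -join ', '))
        if ($dns.Count -eq 0) {
            Write-Warning "$computer [$($nic.Description)]: no DNS servers configured"
            continue
        }
        # Any entry that is not a current DC (old DC, DHCP box, ISP resolver) breaks
        # AD name resolution for whichever lookups land on it; remove it.
        foreach ($server in $dns) {
            if ($allowed -notcontains $server) {
                Write-Warning "$computer [$($nic.Description)]: DNS entry $server is not a domain controller; remove it"
            }
        }
        # A client that lists a single DC loses DNS entirely when that DC goes down,
        # which is the symptom described in the question.
        if ($dcNames -notcontains $computer -and $dcIps.Count -ge 2) {
            $dcEntries = @($dns | Where-Object { $dcIps -contains $_ })
            if ($dcEntries.Count -lt 2) {
                Write-Warning "$computer [$($nic.Description)]: only $($dcEntries.Count) DC listed; add a second DC for failover"
            }
        }
    }
}
```

Clients that receive DNS from DHCP should be fixed at the DHCP scope option (006) rather than per machine; the script still shows what each client actually ended up with.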
 
J.R. Sitman (Author) commented:
I changed it on both DCs. Thanks.
0
 
Neil Russell, Technical Development Lead, commented:
So if you removed the extra DNS servers set in the DNS servers tab AND removed DNS entries on NICs except for the machine they are on....

Rerun your DCDIAG now and post please.
0
 
J.R. Sitman (Author) commented:
Thanks to all.
0
