authentication failed after turning off one of DC's

My situation:
We have DC in Central Office and 5 DC's in branches. Two days ago we had maintenance works in Central Office and we disabled DC in HQ. After that authentication in branches was failed.
The question is: why?
What i did wrong with installation DC's in branches?

OS WIndows Server 2008 R2
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Darius GhassemCommented:
Do you have AD Sites setup? Is the other DCs pointing to themselves for DNS? Are the remove DCs Global Catalogs?
James HaywoodCommented:
The DC you removed was probably the only Global Catalog in the domain. Enable Branch Office DCs as Global Catalogs

Active Directory Sites and Services
Select Relevant DC
Right Click NTDS settings
General Tab, check 'Global Catalog'
Andrey_GorohovAuthor Commented:
yes, we have AD Sites. about DNS i have to check...
they are all has GC role... that's why it's strange for me...
Actualy, i don't think they have to be GC for normal authentication. Authentication should work without GC role on DC.

DC was not removed, it was disabled for some time. And till it was disabled authentication does not worked in branches.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Get the DC back up.
They aren't like other member servers, cannot leave them down.   Replication has to be maintained.    If you cross the tombstone period you'll make a mess out of everything.

Shutting down a DC almost always has side-effects.   DCs are not equal and they are not "fault-tolerant".  Apart from the Sites -vs- WAN links situation the main reason for multiple DCs is so that losing one does not lose the AD Database, is not so that you can loose one and "transparently" and smootly keep on going,...because that won't happen.   DCs are not "clusters" and they are not "arrays", nor do they act like they are one.
Andrey_GorohovAuthor Commented:
Replication is OK! DC was down about 10 hours, it is not so big time to destroy replication...
The problem is authentication stoped working at the same time when we turned off one DC in CO...
How to check, where client was authenticated (to get access to some share for example)?
The command line echo %logonserver%  will show their logon server when you run that from their machine.
Andrey_GorohovAuthor Commented:
Hm... logonserver is DC in branch...
I din't know what else i have to check... :(
James HaywoodCommented:
What authentication issues are you having?

Problems logging on?
Exchange/Sharepoint Issues?
There are interdependencies between DCs.  They need to all be running at all times.   If one is going to be removed for a long period of time it needs to be DCPromo'ed to a Member Server so all the Roles gracefully move to other DCs and the DC identifiers are removed from DNS.   It can be DCPromo'ed back in when it is brought back.

I have never seen a DC be powered down for more than a few minutes without some level of disruption somewhere.  Even if it has no Roles and is not a GC, can still be the last DNS that a Client queried, and a DNS Client will always query the same DNS is did last time,...if it can't reach that DNS, at minimum, there will be a lag before the Client Side Resolver "gives up" and tries a different listed DNS.  So there is always going to be negative effects of a DC being down, is just a question of how much negative effects you will see.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Andrey_GorohovAuthor Commented:
Yes. logging on problem. Share access problem... Exchange/Sharepoint did not check, but i thik will be the same....
James HaywoodCommented:
As pwindell says it sounds more like a DNS issue than a Kerberos issue. Can you confirm DNS settings on a couple of clients and see what is going on?

Can you also check if the DC that is offline has any of the FMSO roles?
Andrey_GorohovAuthor Commented:
Ok... i'll check DNS on clients... Look's like you are right and the problem in DNS...
Now all DC's is online and DC which was offline has no FSMO role.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.