Solved

authentication failed after turning off one of DC's

Posted on 2012-03-19
Last Modified: 2013-10-01
Hello,
My situation:
We have a DC in the Central Office and 5 DCs in branches. Two days ago we had maintenance work in the Central Office and we disabled the DC in HQ. After that, authentication in the branches failed.
The question is: why?
What did I do wrong with the installation of the DCs in the branches?

OS: Windows Server 2008 R2
0
Question by:Andrey_Gorohov
12 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37737504
Do you have AD Sites set up? Are the other DCs pointing to themselves for DNS? Are the remote DCs Global Catalogs?
0
 
LVL 17

Expert Comment

by:James Haywood
ID: 37737873
The DC you removed was probably the only Global Catalog in the domain. Enable the Branch Office DCs as Global Catalogs:

Active Directory Sites and Services
Sites
Select Relevant DC
Right Click NTDS settings
General Tab, check 'Global Catalog'
0
 

Author Comment

by:Andrey_Gorohov
ID: 37738635
Yes, we have AD Sites. About DNS, I have to check...
They all have the GC role... that's why it's strange for me...
Actually, I don't think they have to be GCs for normal authentication. Authentication should work without the GC role on a DC.

BTW
The DC was not removed, it was disabled for some time. And while it was disabled, authentication did not work in the branches.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 37739306
Get the DC back up.
They aren't like other member servers... you cannot leave them down. Replication has to be maintained. If you cross the tombstone period you'll make a mess out of everything.

Shutting down a DC almost always has side-effects. DCs are not equal and they are not "fault-tolerant". Apart from the Sites -vs- WAN links situation, the main reason for multiple DCs is so that losing one does not lose the AD Database... it is not so that you can lose one and "transparently" and smoothly keep on going... because that won't happen. DCs are not "clusters" and they are not "arrays", nor do they act like they are one.
0
 

Author Comment

by:Andrey_Gorohov
ID: 37739397
Replication is OK! The DC was down for about 10 hours; that is not long enough to break replication...
The problem is that authentication stopped working at the same time we turned off the one DC in the CO...
How do I check where a client was authenticated (to get access to some share, for example)?
0
 
LVL 29

Expert Comment

by:pwindell
ID: 37739412
The command line echo %logonserver% will show their logon server when you run that from their machine.
0
 

Author Comment

by:Andrey_Gorohov
ID: 37739426
Hm... the logon server is the DC in the branch...
I don't know what else I have to check... :(
0
 
LVL 17

Expert Comment

by:James Haywood
ID: 37739476
What authentication issues are you having?

Problems logging on?
Exchange/Sharepoint Issues?
0
 
LVL 29

Accepted Solution

by:pwindell (earned 300 total points)
ID: 37739478
There are interdependencies between DCs. They need to all be running at all times. If one is going to be removed for a long period of time it needs to be DCPromo'ed to a Member Server so all the Roles gracefully move to other DCs and the DC identifiers are removed from DNS. It can be DCPromo'ed back in when it is brought back.

I have never seen a DC be powered down for more than a few minutes without some level of disruption somewhere. Even if it has no Roles and is not a GC... it can still be the last DNS that a Client queried, and a DNS Client will always query the same DNS it did last time... if it can't reach that DNS, at minimum, there will be a lag before the Client Side Resolver "gives up" and tries a different listed DNS. So there are always going to be negative effects of a DC being down... it is just a question of how much negative effect you will see.
0
 

Author Comment

by:Andrey_Gorohov
ID: 37739485
Yes. Logging on problem. Share access problem... Exchange/Sharepoint I did not check, but I think it will be the same....
0
 
LVL 17

Expert Comment

by:James Haywood
ID: 37739542
As pwindell says, it sounds more like a DNS issue than a Kerberos issue. Can you confirm the DNS settings on a couple of clients and see what is going on?

Can you also check if the DC that is offline has any of the FSMO roles?
0
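The checks the last two replies ask for (the client's DNS server list and whether each server actually answers for the DC locator records, plus GC and FSMO holders) can be gathered in one pass. This is an added diagnostic script, not something posted in the thread; it assumes a domain-joined Windows 8 / Server 2012 or newer client for the DnsClient cmdlets and the ActiveDirectory RSAT module for the last section. $domain, $dcRecord and $gcRecord are derived from the machine's own environment.

```powershell
# Added diagnostic for the "DNS, not Kerberos" theory in this thread (not from the thread).
# Assumptions: Windows 8 / Server 2012+ client (Get-DnsClientServerAddress, Resolve-DnsName),
# ActiveDirectory RSAT module installed for the GC/FSMO section.

$domain   = $env:USERDNSDOMAIN
$dcRecord = "_ldap._tcp.dc._msdcs.$domain"   # DC locator SRV record every client must resolve
$gcRecord = "_gc._tcp.$domain"              # GC locator SRV record

Write-Host "Logon server for this session: $env:LOGONSERVER"

# 1. Which DNS servers is the resolver configured with, and does each one answer for the
#    locator records? A dead first entry means a timeout before fallback: the "lag" the
#    accepted answer describes.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { $_.ServerAddresses } | Select-Object -Unique

foreach ($srv in $dnsServers) {
    foreach ($name in $dcRecord, $gcRecord) {
        try {
            $rec = Resolve-DnsName -Name $name -Type SRV -Server $srv -DnsOnly -ErrorAction Stop
            $targets = ($rec | Where-Object { $_.Type -eq 'SRV' } |
                        ForEach-Object { $_.NameTarget }) -join ', '
            Write-Host ("DNS {0,-15} {1,-42} OK   -> {2}" -f $srv, $name, $targets)
        } catch {
            Write-Host ("DNS {0,-15} {1,-42} FAIL ({2})" -f $srv, $name, $_.Exception.Message)
        }
    }
}

# 2. Ask the DC locator which DC it picks right now (bypassing its cache) and verify the
#    machine's secure channel to the domain.
nltest /dsgetdc:$domain /force
nltest /sc_verify:$domain

# 3. Which DCs are Global Catalogs, and who holds the FSMO roles.
Import-Module ActiveDirectory -ErrorAction Stop
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, IPv4Address | Format-Table -AutoSize
$d = Get-ADDomain; $f = Get-ADForest
[pscustomobject]@{
    PDCEmulator          = $d.PDCEmulator
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
    SchemaMaster         = $f.SchemaMaster
    DomainNamingMaster   = $f.DomainNamingMaster
} | Format-List
```

Run it on a branch client while the HQ DC is still reachable and again with it offline; a FAIL line against the HQ server's address in section 1 is the condition the accepted answer describes.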
 

Author Comment

by:Andrey_Gorohov
ID: 37739571
Ok... I'll check DNS on the clients... Looks like you are right and the problem is in DNS...
Now all DCs are online and the DC which was offline has no FSMO role.
0
Question has a verified solution.