Andrey_Gorohov
asked on
Authentication failed after turning off one of the DCs
Hello,
My situation:
We have a DC in the Central Office and 5 DCs in branches. Two days ago we had maintenance work in the Central Office and we disabled the DC in HQ. After that, authentication in the branches failed.
The question is: why?
What did I do wrong with the installation of the DCs in the branches?
OS: Windows Server 2008 R2
Do you have AD Sites set up? Are the other DCs pointing to themselves for DNS? Are the remote DCs Global Catalogs?
The DC you removed was probably the only Global Catalog in the domain. Enable the branch office DCs as Global Catalogs:
Active Directory Sites and Services
Sites
Select Relevant DC
Right Click NTDS settings
General Tab, check 'Global Catalog'
ASKER
Yes, we have AD Sites. About DNS, I have to check...
They all have the GC role... that's why it's strange to me...
Actually, I don't think they have to be GCs for normal authentication. Authentication should work without the GC role on a DC.
BTW,
The DC was not removed, it was disabled for some time. And while it was disabled, authentication did not work in the branches.
Get the DC back up.
They aren't like other member servers... you cannot leave them down. Replication has to be maintained. If you cross the tombstone period you'll make a mess out of everything.
Shutting down a DC almost always has side effects. DCs are not equal and they are not "fault-tolerant". Apart from the Sites vs. WAN links situation, the main reason for multiple DCs is so that losing one does not lose the AD database... it is not so that you can lose one and "transparently" and smoothly keep on going... because that won't happen. DCs are not "clusters" and they are not "arrays", nor do they act like they are one.
ASKER
Replication is OK! The DC was down for about 10 hours, which is not long enough to break replication...
The problem is that authentication stopped working at the same time we turned off the one DC in CO...
How do I check where a client was authenticated (to get access to some share, for example)?
The command line `echo %logonserver%` will show their logon server when you run it from their machine.
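A fuller set of client-side checks, as an added example that is not part of the original thread. It runs on an AD-joined Windows client with only built-in tools (no RSAT) and shows not just the logon server but the DNS servers the client uses, which DC the DC locator picks, and whether DNS advertises the branch DCs at all. The domain name is read from the client's own environment; `corp.example.com` in the comment is a placeholder.

```powershell
# Added example, not from the thread: where does this branch client authenticate,
# and can it still find a DC when the HQ DC is off?
# Assumes an AD-joined Windows client; uses only built-in tools (nltest, nslookup, WMI).

$domain = $env:USERDNSDOMAIN                       # e.g. corp.example.com
if (-not $domain) {
    $domain = (Get-WmiObject Win32_ComputerSystem).Domain
}

"Domain:       $domain"
"Logon server: $env:LOGONSERVER"                   # same answer as 'echo %logonserver%'

# DNS client settings on every adapter that has an IP address.
# Branch clients should list a DNS server in their own site (normally the branch DC) first;
# if the only DNS server configured is the HQ DC, name resolution dies with it.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    Select-Object Description, IPAddress, DNSServerSearchOrder, DNSDomain |
    Format-List

# Which DC does the DC locator choose right now, and from which site?
# /force skips the cached answer so you see what a fresh logon would get.
nltest /dsgetdc:$domain /force

# Which DCs does DNS advertise for LDAP and Kerberos?
# If the branch DCs are missing here, clients can only ever find the HQ DC.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain"
nslookup -type=SRV "_kerberos._tcp.$domain"

# Is the machine's secure channel to a DC intact? Fails when no DC can be reached.
nltest /sc_query:$domain
```

Run it once with the HQ DC online and once with it off; if the `DNSServerSearchOrder` line only lists the HQ DC's address, or the SRV queries stop answering when HQ is down, the failure is DNS, not Kerberos.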
ASKER
Hm... the logon server is the DC in the branch...
I don't know what else I have to check... :(
What authentication issues are you having?
Problems logging on?
Exchange/Sharepoint Issues?
ASKER
Yes. Logon problems. Share access problems... Exchange/SharePoint I did not check, but I think it will be the same....
As pwindell says, it sounds more like a DNS issue than a Kerberos issue. Can you confirm the DNS settings on a couple of clients and see what is going on?
Can you also check whether the DC that is offline holds any of the FSMO roles?
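The DC-side half of that check, as an added example that is not part of the original thread: it lists every DC with its site, Global Catalog flag and any FSMO roles it holds (so the earlier "are the branch DCs GCs?" question and the FSMO question are answered in one pass), then checks replication and each DC's DNS registration. It assumes the Active Directory PowerShell module is available (Windows Server 2008 R2 with Active Directory Web Services on at least one DC) and that `netdom`, `repadmin` and `dcdiag` are present, as they are on a 2008 R2 DC.

```powershell
# Added example, not from the thread: run on a DC or an admin box with RSAT.
# Assumes the ActiveDirectory module (needs AD Web Services on a 2008 R2 DC).
Import-Module ActiveDirectory

# Every DC with its site, address, GC flag and the FSMO roles it holds.
# A branch whose DC shows IsGlobalCatalog = False depends on HQ for GC lookups
# (universal group membership at logon, Exchange address lookups).
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# The five role holders in one place; confirms whether the DC that was off held any.
netdom query fsmo

# Replication health across all DCs. A DC that was off for 10 hours is fine if
# this shows no errors and its "largest delta" has come back down after power-on.
repadmin /replsummary

# Per-DC check that the DC registers the SRV records clients use to find it,
# and that it advertises itself as a DC (and as a GC where flagged).
Get-ADDomainController -Filter * | ForEach-Object {
    "==== $($_.HostName) ===="
    dcdiag /s:$($_.HostName) /test:DNS /test:Advertising
}
```

If the branch DCs all show `IsGlobalCatalog = True`, hold no FSMO roles and pass the Advertising test, the DC side is healthy and the remaining suspect is the DNS server list on the branch clients.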
ASKER
OK... I'll check DNS on the clients... Looks like you are right and the problem is in DNS...
Now all DCs are online, and the DC which was offline has no FSMO role.