Impacts of Domain Controller Reboot

My company has one forest, one domain, two physical locations connected via a gigabit WAN link. We'll call the main site "corp" - this is where employees are, as well as about 50 servers. The second site, we'll call "colo" - this is where we colocate about 25 servers.

No WINS in place in the domain.

I have two Domain Controllers at the primary site.

I recently set up a DC at the "colo" site, and told 4 out of 25 of my servers to use this new DC as their primary DNS server. The rest are still using the "corp" DNS servers.

All 3 DCs are global catalog servers.

I have the appropriate sites set up in Active Directory Sites & Services, and the proper servers are in the right "container" in ADS&S.

I recently rebooted this new domain controller at the "colo" site, and received multiple errors from my applications, even those that don't have the new DC configured as their DNS server.

The errors were NETLOGON ID 5719:

This computer was not able to set up a secure session with a domain controller in domain XXXX due to the following:
The RPC server is unavailable.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

and Kerberos ID 7:

The digitally signed Privilege Attribute Certificate (PAC) that contains the authorization information for client AccountName in realm XXXX.COM could not be validated.
This error is usually caused by domain trust failures; please contact your system administrator.

My question is, how do my servers choose what Domain Controllers to use for NETLOGON and Kerberos? Is it based off the site in ADS&S and not the configured DNS server? Something else?

Why do I get application failures when that domain controller reboots? Shouldn't the request just roll to another DC?
Brian Pierce (Photographer) commented:
Domain members will logon using a domain controller in the same site in preference (if you have configured sites). DNS is used to provide a list of domain controllers, and their IP addresses. The DNS servers will be tried in order of preference as defined in the DNS server list (given by DHCP or listed in the static IP information as preferred/alternate DNS servers).

If sites have been configured then DNS will be used to locate a DC in the same site, which will be used in preference; if that DC does not respond another DC will be tried; if there are no remaining DCs in the local site, a DC in another site may be used.

BTW by SITES here I mean sites that have been defined in AD Sites and Services.

If a DC is down when a client attempts to log on, then another DC will be tried; however, if a DC fails after a client has logged on, problems may arise as you describe.
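As an added example that is not from this thread (not Brian's, the asker's, or Microsoft's code), the script below walks the locator order described above on a domain member: the site-specific SRV scope in DNS first, then the domain-wide scope, then what the locator itself reports, and finally the two event IDs quoted in the question. The domain and site names are read from the machine it runs on; the only tools assumed are the built-in Resolve-DnsName, nltest and Get-WinEvent.

```powershell
# Added example, not from the thread. Run on a domain-joined member server.
$Domain = $env:USERDNSDOMAIN                                  # e.g. corp.example.com
$Site   = (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()   # site from ADS&S

function Get-DcSrvRecords {
    param([string]$Name)
    # SRV records answer "which DCs serve this scope". Lower Priority wins,
    # ties are spread by Weight. This list, not the client's DNS server
    # order, is what the DC locator pings to pick a DC.
    Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object @{ n = 'Scope'; e = { $Name } }, NameTarget, Priority, Weight, Port
}

# 1. Site-specific scope is tried first. This is why a "colo" server prefers
#    the "colo" DC even when that DC is not in its DNS server list.
$siteDcs = Get-DcSrvRecords "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"

# 2. If no DC in the site answers, the locator falls back to the domain-wide scope.
$allDcs  = Get-DcSrvRecords "_ldap._tcp.dc._msdcs.$Domain"

"DCs registered for site '$Site':"; $siteDcs | Format-Table -AutoSize
"DCs registered for the whole domain:"; $allDcs | Format-Table -AutoSize

# 3. The DC the locator has cached, then the same lookup with the cache bypassed.
#    Comparing the two after a DC reboot shows whether the member has moved on.
nltest "/dsgetdc:$Domain"
nltest "/dsgetdc:$Domain" /force

# 4. The NETLOGON 5719 and Kerberos 7 events from the question, last 24 hours.
#    Provider filter keeps unrelated ID 7 events (e.g. disk) out of the list.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5719, 7; StartTime = (Get-Date).AddDays(-1) } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'NETLOGON|Kerberos' } |
    Select-Object TimeCreated, ProviderName, Id, Message
```

If step 1 lists the colo DC under the corp site, or the reverse, the subnet-to-site mapping in ADS&S is the first thing to check.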
slhbsm (Author) commented:
So if I have a server at the "colo" site, that doesn't even have the new "colo" domain controller in the list of DNS servers, that server will still use the new domain controller first because of what's configured in ADS&S?