My company has one forest, one domain, two physical locations connected via a gigabit WAN link. We'll call the main site "corp" - this is where employees are, as well as about 50 servers. The second site, we'll call "colo" - this is where we colocate about 25 servers.
No WINS in place in the domain.
I have two Domain Controllers at the primary site.
I recently set up a DC at the "colo" site, and told 4 out of 25 of my servers to use this new DC as their primary DNS server. The rest are still using the "corp" DNS servers.
All 3 DCs are global catalog servers.
I have the appropriate sites set up in Active Directory Sites & Services, and the proper servers are in the right "container" in ADS&S.
I recently rebooted this new domain controller at the "colo" site, and received multiple errors from my applications, even those that don't have the new DC configured as their DNS server.
The errors were NETLOGON ID 5719:
This computer was not able to set up a secure session with a domain controller in domain XXXX due to the following:
The RPC server is unavailable.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
and Kerberos ID 7:
The digitally signed Privilege Attribute Certificate (PAC) that contains the authorization information for client AccountName in realm XXXX.COM could not be validated.
This error is usually caused by domain trust failures; please contact your system administrator.
My question is, how do my servers choose which Domain Controllers to use for NETLOGON and Kerberos? Is it based on the site in ADS&S and not the configured DNS server? Something else?
Why do I get application failures when that domain controller reboots? Shouldn't the request just roll to another DC?
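An added diagnostic (not part of the original question) that shows, on any member server, which site the machine believes it is in, which DC the locator picks for that site, which DC currently holds its Netlogon secure channel, and which SRV records back that choice, then pulls the two event IDs quoted above. It assumes PowerShell on Windows Server 2012 or later and uses a placeholder for the poster's XXXX domain.

```powershell
# Added example, not code from the original post.
$Domain = 'corp.example'   # PLACEHOLDER for the poster's XXXX domain; replace it.

# 1. Site membership is derived from the subnet-to-site mapping in AD Sites &
#    Services, not from the DNS server set on the NIC. DC locator prefers DCs
#    registered in this site.
nltest /dsgetsite

# 2. Which DC does the locator return for this site? /force bypasses the
#    cached result so a fresh lookup is shown.
nltest /dsgetdc:$Domain /force

# 3. Which DC holds this machine's Netlogon secure channel right now?
#    NETLOGON 5719 is logged when this channel cannot be (re)established.
nltest /sc_query:$Domain

# 4. The site-specific SRV records the locator queries. If the colo DC is the
#    only DC registered under the colo site, members placed in that site by
#    their subnet will try it first regardless of their DNS server setting.
$Site = (nltest /dsgetsite)[0].Trim()   # first output line is the site name
Resolve-DnsName -Type SRV "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
Resolve-DnsName -Type SRV "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain"

# 5. NETLOGON 5719 and Kerberos 7 from the last 24 hours, so timestamps can be
#    lined up against the colo DC reboot. Event ID 7 is reused by other
#    providers (e.g. disk), so filter on the provider name as well.
Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 5719, 7
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'NETLOGON|Kerberos' } |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-List
```

Running this on a server that still points at the corp DNS servers but sits in a colo subnet will show whether the locator is handing it the colo DC anyway.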