Impacts of Domain Controller Reboot

Posted on 2012-09-20
Last Modified: 2012-10-23
My company has one forest, one domain, two physical locations connected via a gigabit WAN link. We'll call the main site "corp" - this is where employees are, as well as about 50 servers. The second site, we'll call "colo" - this is where we colocate about 25 servers.

No WINS in place in the domain.

I have two Domain Controllers at the primary site.

I recently set up a DC at the "colo" site, and told 4 out of 25 of my servers to use this new DC as their primary DNS server. The rest are still using the "corp" DNS servers.

All 3 DCs are global catalog servers.

I have the appropriate sites set up in Active Directory Sites & Services, and the proper servers are in the right "container" in ADS&S.

I recently rebooted this new domain controller at the "colo" site, and received multiple errors from my applications, even those that don't have the new DC configured as their DNS server.

The errors were NETLOGON ID 5719:

This computer was not able to set up a secure session with a domain controller in domain XXXX due to the following:
The RPC server is unavailable.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

and Kerberos ID 7:

The digitally signed Privilege Attribute Certificate (PAC) that contains the authorization information for client AccountName in realm XXXX.COM could not be validated.
This error is usually caused by domain trust failures; please contact your system administrator.

My question is, how do my servers choose what Domain Controllers to use for NETLOGON and Kerberos? Is it based off the site in ADS&S and not the configured DNS server? Something else?

Why do I get application failures when that domain controller reboots? Shouldn't the request just roll to another DC?
Question by: slhbsm

Accepted Solution

Domain members will log on using a domain controller in the same site in preference (if you have configured sites). DNS is used to provide a list of domain controllers and their IP addresses. The DNS servers will be tried in order of preference as defined in the DNS server list (given by DHCP, or listed in the static IP information as preferred/alternate DNS servers).

If sites have been configured, then DNS will be used to locate a DC in the same site, which will be used in preference; if that DC does not respond, another DC will be tried; if there are no remaining DCs in the local site, a DC in another site may be used.

BTW, by SITES here I mean sites that have been defined in AD Sites and Services.

If a DC is down when a client attempts to log on, then another DC will be tried; however, if a DC fails after a client has logged on, problems may arise as you describe.
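A way to see the site-based DC selection described in this answer from a member server, as an added example that is not part of the original answer: it shows which site Netlogon has placed the machine in, which DC currently holds its secure channel, the site-specific SRV records the locator queries before falling back to the domain-wide ones, and the NETLOGON 5719 / Kerberos 7 events from the question. The domain name is a placeholder, and `Resolve-DnsName` assumes Windows Server 2012 / PowerShell 3 or later.

```powershell
# Added example (not from the original Q&A). Replace the placeholder domain.
$Domain = 'corp.example.com'   # placeholder for the real AD DNS name

# 1. Which AD site does Netlogon think this machine is in?
#    This comes from the machine's IP and the subnet-to-site mapping in ADS&S,
#    not from which DNS server is configured on the NIC.
nltest /dsgetsite

# 2. Which DC holds the current secure channel? This is the DC whose loss
#    produces NETLOGON 5719 until the channel is re-established.
nltest /sc_query:$Domain

# 3. Force a fresh locator lookup (bypassing the cached DC) and compare.
nltest /dsgetdc:$Domain /force

# 4. The DNS records the locator actually asks for: the site-specific set first,
#    then the domain-wide set. Every DNS server a member uses must answer these,
#    otherwise a reachable DC can still go unfound.
$Site      = (nltest /dsgetsite | Select-Object -First 1).Trim()
$siteSrv   = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
$domainSrv = "_ldap._tcp.dc._msdcs.$Domain"
foreach ($name in $siteSrv, $domainSrv) {
    Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object QueryType -eq 'SRV' |
        Select-Object @{ n = 'Query'; e = { $name } }, NameTarget, Priority, Weight, Port
}

# 5. Correlate with the two event IDs from the question over the last 24 hours.
Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 5719, 7
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'NETLOGON|Kerberos' } |
    Select-Object TimeCreated, ProviderName, Id, Message
```

If step 4 returns SRV records for a site but step 2 shows a secure channel to a DC outside that site, the member most likely bound while the local DC was unavailable and has not re-discovered since.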

Author Comment

So if I have a server at the "colo" site that doesn't even have the new "colo" domain controller in the list of DNS servers, that server will still use the new domain controller first because of what's configured in ADS&S?
