1 of 2 domain controllers down and users cannot login to the domai [message #155763] Thu, 04 June 2009 10:35
D Smith
We have 2 Windows 2003 domain controllers here in our domain. One of them is
quite old and used to be the only domain controller. The other is much newer
and was installed only about a year ago. I transferred all the FSMO roles
over to the new domain controller and believed that it was all set up to be
the primary domain controller which all computers would go to first if they
needed something.

Recently the old server was rebooted by a patch in the middle of the night
and had a keyboard error (you know the one where you need to press F1 to
continue). This was an easy fix but what disturbed me was while the server
was "down" none of the users were able to login to the domain. It's as if they
weren't looking to the new server for authentication, DNS, DHCP etc.

Please help!
Re: 1 of 2 domain controllers down and users cannot login to the domai [message #155775 is a reply to message #155763] Thu, 04 June 2009 12:31
lanwench
D Smith <DSmith@discussions.microsoft.com> wrote:
> We have 2 Windows 2003 domain controllers here in our domain. One of
> them is quite old and used to be the only domain controller. The
> other is much newer and was installed only about a year ago. I
> transferred all the FSMO roles over to the new domain controller and
> believed that it was all set up to be the primary domain controller
> which all computers would go to first if they needed something.
>
> Recently the old server was rebooted by a patch in the middle of the
> night and had a keyboard error (you know the one where you need to
> press F1 to continue). This was an easy fix but what disturbed me was
> while the server was "down" none of the users were able to login to
> the domain. It's as if they weren't looking to the new server for
> authentication, DNS, DHCP etc.
>
> Please help!

Make sure the new DC is also a global catalog server.
Re: 1 of 2 domain controllers down and users cannot login to the domai [message #155778 is a reply to message #155775] Thu, 04 June 2009 12:50
KevinJ.SBS
Lanwench [MVP - Exchange] wrote:
> D Smith <DSmith@discussions.microsoft.com> wrote:
>> We have 2 Windows 2003 domain controllers here in our domain. One of
>> them is quite old and used to be the only domain controller. The
>> other is much newer and was installed only about a year ago. I
>> transferred all the FSMO roles over to the new domain controller and
>> believed that it was all set up to be the primary domain controller
>> which all computers would go to first if they needed something.
>>
>> Recently the old server was rebooted by a patch in the middle of the
>> night and had a keyboard error (you know the one where you need to
>> press F1 to continue). This was an easy fix but what disturbed me was
>> while the server was "down" none of the users were able to login to
>> the domain. It's as if they weren't looking to the new server for
>> authentication, DNS, DHCP etc.
>>
>> Please help!
>
> Make sure the new DC is also a global catalog server.

....and a DNS server, or the DNS server the client workstations use is in
common with the DC(s) and operational.

--
/kj
Re: 1 of 2 domain controllers down and users cannot login to the domai [message #155783 is a reply to message #155778] Thu, 04 June 2009 12:55
lanwench
kj [SBS MVP] <KevinJ.SBS@SPAMFREE.gmail.com> wrote:
> Lanwench [MVP - Exchange] wrote:
>> D Smith <DSmith@discussions.microsoft.com> wrote:
>>> We have 2 Windows 2003 domain controllers here in our domain. One of
>>> them is quite old and used to be the only domain controller. The
>>> other is much newer and was installed only about a year ago. I
>>> transferred all the FSMO roles over to the new domain controller and
>>> believed that it was all set up to be the primary domain controller
>>> which all computers would go to first if they needed something.
>>>
>>> Recently the old server was rebooted by a patch in the middle of the
>>> night and had a keyboard error (you know the one where you need to
>>> press F1 to continue). This was an easy fix but what disturbed me
>>> was while the server was "down" none of the users were able to
>>> login to the domain. It's as if they weren't looking to the new
>>> server for authentication, DNS, DHCP etc.
>>>
>>> Please help!
>>
>> Make sure the new DC is also a global catalog server.
>
> ...and a DNS server, or the DNS server the client workstations use
> is in common with the DC(s) and operational.

Yep - I assumed it was running AD-integrated DNS (esp in a small network
it's rare that a DC wouldn't be), but it's a good call.
Re: 1 of 2 domain controllers down and users cannot login to the d [message #155787 is a reply to message #155775] Thu, 04 June 2009 13:13
D Smith
They are both global catalog servers, thanks for the suggestion though!
Re: 1 of 2 domain controllers down and users cannot login to the d [message #155788 is a reply to message #155778] Thu, 04 June 2009 13:15
D Smith
Both servers are DNS servers and DHCP as well. In the DHCP options that the
clients get the #1 DNS IP is the new server so workstations should be
checking the new domain controller first for DNS entries.
Re: 1 of 2 domain controllers down and users cannot login to the d [message #155798 is a reply to message #155788] Thu, 04 June 2009 15:53
aceman
"D Smith" <DSmith@discussions.microsoft.com> wrote in message
news:1C4F4548-55EA-485B-B014-0F3805DF9350@microsoft.com...
> Both servers are DNS servers and DHCP as well. In the DHCP options that the
> clients get the #1 DNS IP is the new server so workstations should be
> checking the new domain controller first for DNS entries.

Are you saying both DCs are DHCP servers? If so, are you using a split
scope?

As for the second DC responding, this all depends on the DNS settings on the
client side, as well as if the previous logon server and record was cached.

It will use the second address, but only after a timeout period the client
is waiting for a response from the server. You need to understand how the
client side resolver works. If the query sent to the first entry in the DNS
list responds with an NXDOMAIN response, meaning it is an actual response,
but there is no record from the server it asked, then it will look no
further because it is a response. However, if it receives a NULL response,
meaning the DNS server is down and there is no response, it will remove the
first entry from the 'eligible resolvers list' for a certain amount of time
(depending on the OS version and SP level), then send the query to the
second one. However, if the record is already cached, it won't even ask the
first entry. Hence why the possibility that the client machine is asking a
DC that is down.

As I mentioned, this is ALL based on the client side resolver, not the DNS
server. This timeout period can be perceived by someone sitting there
waiting as 'it's not working' because it appears to be taking so long. Also,
if it is already cached locally by the client side service, it will not ask
and will send the connection request to the cached record, which if it is
the server that is down, then it can't connect anyway, and no response, but
you may be sitting there expecting it to go to the other DC that is up. The
way to reset the list is to restart the DHCP Client service (not the DHCP
server) on the workstation, and the way to delete the cache on the client is
to run ipconfig /flushdns, or simply restart the machine.

I hope that makes sense.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay
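
Added example, not part of the thread or of any poster's reply: a small Python model of the client-side resolver behaviour described in the post above (a real answer such as NXDOMAIN ends the search, a silent server is taken off the list for a while, a cached record is used without asking anyone). The addresses, host names, the 900-second penalty and all class and function names are assumptions made up for the illustration; negative caching is not modelled.

```python
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"      # the server answered: no such record
NO_RESPONSE = None         # nothing came back (server down)

@dataclass
class ClientResolver:
    servers: list                       # DNS servers in the order DHCP handed them out
    zones: dict                         # server -> {name: address}; a server missing here is down
    penalty: int = 900                  # assumed seconds a silent server stays off the list
    cache: dict = field(default_factory=dict)
    off_list_until: dict = field(default_factory=dict)
    asked: list = field(default_factory=list)    # servers that were actually queried

    def resolve(self, name, now=0):
        if name in self.cache:                   # cached: no server is asked at all
            return self.cache[name]
        for server in self.servers:
            if self.off_list_until.get(server, 0) > now:
                continue                         # still removed from the eligible list
            self.asked.append(server)
            if server not in self.zones:         # no response: penalise, try the next one
                self.off_list_until[server] = now + self.penalty
                continue
            answer = self.zones[server].get(name, NXDOMAIN)
            if answer != NXDOMAIN:
                self.cache[name] = answer
            return answer                        # any real answer, NXDOMAIN included, ends the search
        return NO_RESPONSE

    def flush(self):                             # the effect of ipconfig /flushdns on the cache
        self.cache.clear()

    def reset_server_list(self):                 # the effect of restarting the DHCP Client service
        self.off_list_until.clear()

# Constructed addresses (documentation ranges) and host names.
NEW_DC, OLD_DC, ISP = "192.0.2.10", "192.0.2.11", "198.51.100.53"
INTERNAL = {"dc-old.example.local": OLD_DC, "dc-new.example.local": NEW_DC}

def first_server_down():
    """First DNS server is silent: the second is used, and the first is skipped afterwards."""
    r = ClientResolver([NEW_DC, OLD_DC], {OLD_DC: INTERNAL})
    first = r.resolve("dc-old.example.local", now=0)
    asked_first = list(r.asked)
    r.flush()
    r.asked.clear()
    r.resolve("dc-old.example.local", now=60)    # inside the penalty window
    return first, asked_first, list(r.asked)

def nxdomain_stops_search():
    """An outside server listed first answers NXDOMAIN, so the internal server is never asked."""
    r = ClientResolver([ISP, NEW_DC], {ISP: {}, NEW_DC: INTERNAL})
    return r.resolve("dc-new.example.local"), list(r.asked)

def stale_cache():
    """A cached record is returned without any query, whether or not its target is still up."""
    r = ClientResolver([NEW_DC, OLD_DC], {NEW_DC: INTERNAL, OLD_DC: INTERNAL})
    r.resolve("dc-old.example.local")
    r.asked.clear()
    return r.resolve("dc-old.example.local"), list(r.asked)
```
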
Re: 1 of 2 domain controllers down and users cannot login to the domai [message #155814 is a reply to message #155763] Fri, 05 June 2009 02:51
meiweb(nospam)
Hello D,

Make sure the clients are configured to use both DNS servers on the NIC or
via DHCP settings and NONE other like your ISP. Also make sure that the DHCP
servers are not having the same scope twice, except you configure them each
with an activated half of the scope.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Re: 1 of 2 domain controllers down and users cannot login to the d [message #155838 is a reply to message #155814] Fri, 05 June 2009 08:48
D Smith
Each DHCP server is set up with a different section of the scope so there are
no conflicts there. DNS server IP addresses are configured in DHCP and the
new server is set as the primary DNS server and the old one as the secondary.
Re: 1 of 2 domain controllers down and users cannot login to the d [message #155842 is a reply to message #155798] Fri, 05 June 2009 08:46
D Smith
"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "D Smith" <DSmith@discussions.microsoft.com> wrote in message
> news:1C4F4548-55EA-485B-B014-0F3805DF9350@microsoft.com...
> > Both servers are DNS servers and DHCP as well. In the DHCP options that the
> > clients get the #1 DNS IP is the new server so workstations should be
> > checking the new domain controller first for DNS entries.
>
> Are you saying both DCs are DHCP servers? If so, are you using a split
> scope?
>
> As for the second DC responding, this all depends on the DNS settings on the
> client side, as well as if the previous logon server and record was cached.
>
> It will use the second address, but only after a timeout period the client
> is waiting for a response from the server. You need to understand how the
> client side resolver works. If the query sent to the first entry in the DNS
> list responds with an NXDOMAIN response, meaning it is an actual response,
> but there is no record from the server it asked, then it will look no
> further because it is a response. However, if it receives a NULL response,
> meaning the DNS server is down and there is no response, it will remove the
> first entry from the 'eligible resolvers list' for a certain amount of time
> (depending on the OS version and SP level), then send the query to the
> second one. However, if the record is already cached, it won't even ask the
> first entry. Hence why the possibility that the client machine is asking a
> DC that is down.
>
> As I mentioned, this is ALL based on the client side resolver, not the DNS
> server. This timeout period can be perceived by someone sitting there
> waiting as 'it's not working' because it appears to be taking so long. Also,
> if it is already cached locally by the client side service, it will not ask
> and will send the connection request to the cached record, which if it is
> the server that is down, then it can't connect anyway, and no response, but
> you may be sitting there expecting it to go to the other DC that is up. The
> way to reset the list is to restart the DHCP Client service (not the DHCP
> server) on the workstation, and the way to delete the cache on the client is
> to run ipconfig /flushdns, or simply restart the machine.
>
> I hope that makes sense.
>
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
> aceman@mvps.RemoveThisPart.org
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> "Efficiency is doing things right; effectiveness is doing the right
> things." - Peter F. Drucker
> http://twitter.com/acefekay
>
>
>
>


Yes we are using a split scope for DHCP. As for the client side DNS settings
the newer server is the primary DNS server on all the client machines. If I
understand what you're saying then if I had rebooted the client machines they
may have connected to the new domain controller or maybe after a timeout
period. But what I don't understand is why the clients aren't connecting to
the new domain controller first and foremost. What determines which domain
controller is the first point of contact? If it is the primary DNS server
then that is already the new server so why were all the client machines
trying to connect to the old server first?
Re: 1 of 2 domain controllers down and users cannot login to the d [message #155850 is a reply to message #155842] Fri, 05 June 2009 11:03
aceman
"D Smith" <DSmith@discussions.microsoft.com> wrote in message
news:0D8F3283-1565-46CB-B08D-12120A60DCC0@microsoft.com...
>
> Yes we are using a split scope for DHCP. As for the client side DNS settings
> the newer server is the primary DNS server on all the client machines. If I
> understand what you're saying then if I had rebooted the client machines they
> may have connected to the new domain controller or maybe after a timeout
> period. But what I don't understand is why the clients aren't connecting to
> the new domain controller first and foremost. What determines which domain
> controller is the first point of contact? If it is the primary DNS server
> then that is already the new server so why were all the client machines
> trying to connect to the old server first?

If the clients query the first DNS server, provided it is up and running, at
initial logon, the GetDcList function will query for a GC/DC in its
Site, and if there are more than one DC/GC in the site, provided Sites are
configured properly, then it will be a round robin for which one the DNS
server offers in the query response. So it may wind up being a 50-50 shot.
Not much you can do about that unless you play around with the weights and
priorities in the Netlogon registry settings altering the values that get
registered into DNS for the DCs, which I don't recommend.

If the first DNS server is down, of course after the time out period when it
receives an NXDOMAIN, then it will query the second, but then again, the
above paragraph applies as to which responds.

Now if the new DC is not the one they are contacting, I would look further
into making sure the DCs records are registered properly, in the proper
site, and if you have only one domain, all DCs must be GCs, based on the
best practice recommendations.

Ace
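
Added example, not part of the thread: one way to check that both DCs are registered under the DC locator SRV names, including the site-specific one, and to see how priority and weight split the choice between them. The domain example.local, the host names and the record data are constructed, and the "owner priority weight port target" line format is an assumption rather than the output of a particular tool.

```python
from collections import defaultdict

# Constructed SRV data: dc-new is deliberately absent from the site-specific record.
SAMPLE = """\
_ldap._tcp.dc._msdcs.example.local 0 100 389 dc-new.example.local
_ldap._tcp.dc._msdcs.example.local 0 100 389 dc-old.example.local
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.local 0 100 389 dc-old.example.local
_kerberos._tcp.dc._msdcs.example.local 0 100 88 dc-new.example.local
_kerberos._tcp.dc._msdcs.example.local 0 100 88 dc-old.example.local
_ldap._tcp.gc._msdcs.example.local 0 100 3268 dc-new.example.local
_ldap._tcp.gc._msdcs.example.local 0 100 3268 dc-old.example.local
"""
EXPECTED_DCS = ["dc-new.example.local", "dc-old.example.local"]   # constructed names

def parse_srv(text):
    """Group (priority, weight, port, target) tuples by lower-cased owner name."""
    records = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        owner, prio, weight, port, target = line.split()
        records[owner.lower()].append(
            (int(prio), int(weight), int(port), target.lower().rstrip(".")))
    return records

def locator_names(domain, site):
    """SRV owner names each DC/GC in the site should appear under (single-domain forest)."""
    return [name.lower() for name in (
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.gc._msdcs.{domain}",
    )]

def missing_registrations(records, required, expected_dcs):
    """Map each required owner name to the expected DCs that have no SRV entry under it."""
    gaps = {}
    for owner in required:
        present = {target for _, _, _, target in records.get(owner, [])}
        absent = sorted(set(expected_dcs) - present)
        if absent:
            gaps[owner] = absent
    return gaps

def selection_share(rrset):
    """RFC 2782 rule: only the lowest priority value is tried first; weight sets the odds in it."""
    best = min(prio for prio, _, _, _ in rrset)
    pool = [(weight, target) for prio, weight, _, target in rrset if prio == best]
    total = sum(weight for weight, _ in pool)
    return {target: (weight / total if total else 1 / len(pool)) for weight, target in pool}

def audit_sample():
    records = parse_srv(SAMPLE)
    required = locator_names("example.local", "Default-First-Site-Name")
    return missing_registrations(records, required, EXPECTED_DCS)
```

With equal priority and weight the domain-wide record gives each DC an even share, while a DC missing from the site-specific record is never offered to clients that look up their own site first.
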
Re: 1 of 2 domain controllers down and users cannot login to the d [message #155877 is a reply to message #155838] Sat, 06 June 2009 07:36
meiweb(nospam)
Hello D,

All DCs and workstations are listed in the forward/reverse lookup zones?
Did you also provide the ISP's DNS server to the clients?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm