


2nd DC not authenticating

By archeologistbb
Situation: Single forest/single domain architecture running W2k3 mixed mode AD. Recently dcpromo'd a 2nd server for backup authentication. Had problems with replication but that seems to be just fine now. All the roles are on the 1st DC (plus GC) and the 2nd DC is a GC as well. When we yank the network from the 1st DC and try to log in to workstations it won't let us log in. I have banged my head against the wall on this one for a few days now and I'm all out of answers. Your help is greatly appreciated.


All Answers



by alex.beckwith In reply to 2nd DC not authenticating

I recently had to do this for a current project for test purposes.
I promoted a second server box by specifying it was a peer joining an existing network.
Nothing else, nothing fancy. It knew its place.
Switched off the primary domain controller and all the PCs on the network authenticated OK but squealed about roaming profiles (understandably, because the accounts were hardcoded to look at the PDC's particular computer name) but logged in with cached accounts fine.
Just checking if you've tried the basics first.


Logging on

by p.j.hutchison In reply to 2nd DC not authenticating

What is installed on the workstations? If using legacy OS such as NT4 or 98 then the DC running the PDC emulator role must be available.
If using Windows 2000 Pro or XP Pro, then it shouldn't matter.
It also helps if you allow cached credentials on your network, so if a user has logged in to a PC at least once you can log in again, even with no DCs present.


No legacy clients

by archeologistbb In reply to Logging on

The 1st DC is the FSMO master for all roles + PDC emulator - but as you said, if all the clients are 2000+ it doesn't matter (which is true). For security's sake - we cannot allow cached logins. Both #1DC and #2DC are GCs (global catalog servers) and both are running DNS and update each other with changes - however, all the clients in the network point to a third DNS server that isn't part of AD - but we do regular zone transfers/copies to keep it up to date. I know it must seem backwards the way we are doing things - but it's DoD, and they are itsec paranoid. Any other ideas?

I just ran dcdiag /v /c /e on both DCs and they both come back clean as a whistle (except for #2DC complaining about not being able to forward DNS requests - which is by design).


PDC Emulator

by julian.bennett In reply to No legacy clients

The problem is the PDC emulator is on the 1st DC; with the PDC emulator offline, all sorts of authentication issues will crop up... If you seized the role to your 2nd DC, then logons would kick back in...


No legacy?

by archeologistbb In reply to PDC Emulator

Hi Julian - thanks for your reply. Wondering though that if we have no legacy clients why then would it matter? I thought PDC emulation was for sub-2000 legacy systems?


DNS

by p.j.hutchison In reply to No legacy clients

It could be a DNS issue. Run nslookup against all three DNS servers.
Try the domain name: does it display the IP addresses of all your DCs (does it change when you re-enter it)?
Check that all DNS servers have all the SRV resource records, e.g. _ldap, _kerberos, _gc, and CNAME records for the DC servers.
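The check described in this reply, scripted as an added example that is not code from anyone in this thread: it asks each DNS server for the _ldap._tcp, _kerberos._tcp and _gc._tcp SRV records of the domain and reports which DC is missing from which server, which is exactly the gap a client-facing DNS server that only got a partial zone copy would show. It builds and parses the DNS packets itself so it needs only the Python standard library; the domain name, DC names and DNS server addresses are constructed placeholders to replace with your own. The manual equivalent is nslookup with `set type=SRV` against each server in turn.

```python
"""Report which DNS servers fail to advertise SRV records for which DCs.

Added example, not from the original thread. Raw RFC 1035 UDP queries,
standard library only. All names and addresses below are constructed.
"""
import socket
import struct

DOMAIN = "corp.example"                                    # constructed
EXPECTED_DCS = {"dc1.corp.example", "dc2.corp.example"}    # constructed
DNS_SERVERS = ["192.0.2.10", "192.0.2.11", "192.0.2.20"]   # constructed
SRV_NAMES = ["_ldap._tcp.{d}", "_kerberos._tcp.{d}", "_gc._tcp.{d}"]
TYPE_SRV = 33


def build_srv_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a one-question DNS query for an SRV record, class IN, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_SRV, 1)


def read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2                  # resume after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_srv_targets(msg: bytes) -> set:
    """Return the SRV target hosts found in the answer section of a reply."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                            # RCODE != 0, e.g. NXDOMAIN
        return set()
    offset = 12
    for _ in range(qd):                           # skip echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4                               # QTYPE + QCLASS
    targets = set()
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_SRV:
            # RDATA = priority(2) weight(2) port(2) target(name)
            target, _ = read_name(msg, offset + 6)
            targets.add(target.lower())
        offset += rdlen
    return targets


def query_srv(server: str, name: str, timeout: float = 2.0) -> set:
    """Send one SRV query to one DNS server over UDP and return the targets."""
    query = build_srv_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_srv_targets(reply)


def missing_dcs(advertised: dict, expected: set) -> dict:
    """Map (server, srv_name) -> sorted DCs that the server does not list."""
    return {key: sorted(expected - targets)
            for key, targets in advertised.items() if expected - targets}


def check_all(servers, domain, expected) -> dict:
    """Query every SRV name on every server; a failed query counts as empty."""
    advertised = {}
    for server in servers:
        for pattern in SRV_NAMES:
            name = pattern.format(d=domain)
            try:
                advertised[(server, name)] = query_srv(server, name)
            except (OSError, ValueError) as exc:
                print(f"{server}: {name}: query failed ({exc})")
                advertised[(server, name)] = set()
    return missing_dcs(advertised, {dc.lower() for dc in expected})


if __name__ == "__main__":
    for (server, name), dcs in check_all(DNS_SERVERS, DOMAIN, EXPECTED_DCS).items():
        print(f"{server} is missing {name} for: {', '.join(dcs)}")
```

Run it from a workstation that can reach all three DNS servers on UDP 53; an empty report means every server lists every DC for every name. A server that answers with NXDOMAIN or an empty answer section is reported as missing all DCs, which is the case to look for first when only one DC's records were ever copied into the client-facing zone.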


Probably right...

by archeologistbb In reply to DNS

I think you may be right on this -- I checked the DNS server that all the clients point to, and the 2nd DC does not have any _ldap, _kerb, _gc records in there -- only the 1st DC does. But it does have CNAME records for both DCs. So I will initiate a zone copy from the 2nd DC to the client DNS server and see if that does the trick. Thanks!


hi... Just Try this...

by jkatju2005 In reply to 2nd DC not authenticating

1. Switch both the DCs to Windows Server 2003 native mode (both on domain level as well as forest level)... [in AD Domains and Trusts].

2. In the TCP/IP properties of the local area connection, in the DNS servers tab, insert the local IP as the primary DNS and the other DC's IP as the secondary DNS, and check it out.

3. Install the support tools from the Windows Server 2003 CD (\support folder).

4. on the GC (Global Catalog Server... First DC)... start >> run >> replmon >> press enter (follow instructions)

You will be up and running :-)
