Administrator Can't log into a DC unless the DC can see a GC

[Guest]

My forest has three tree's, and the tree I'm interested in has a single
domain and three DC's. Two are GC's and one (with RID and Infrastructure) is
not. As long as the non-GC server can see a GC server then I can use the
administrator account and log in fine. If I pull the network cable out of
the main network and plug it into a simple isolated hub and try and log in as
administrator it gives the cannot connect to a dc message. As soon as the
network cable is plugged back into the main network it all logs in okay. All
DC's are DNS servers, and all DC's point to themselves as the first DNS
server to look at.

I haven't looked at any other tree in the forest at this time.

As a quick test I set up a clean domain with GC's and non GC's. In the
clean environment if the non-gc box couldn't see a GC the administrator could
still log in.

All the servers in the forest are W2k SP4. Replication is fine according to
both Sonar and Ultrasound. Any thoughts anyone?

 

[Simon Geary]

By default, an administrator can log in without a GC present but this can be
changed via the registry so that even admins need a GC present. This is a
security setting which another admin on your network probably enabled. Have
a read of this, it should help.
http://support.microsoft.com/?id=241789

 

[Paul Bergson]

I believe that you have misunderstood this article. This has nothing to do
with an admin being denied access to a resource because a GC is unavailable.
This provides a situation where none admins can gain access to the network
after they have established access and then the GC is temp unavailable.

--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.