Domain Controllers not doing their job

[Rob Not Knowing]

Thank you in advance.

I have a Windows 2000 Adv. Server network..with about 15
servers. I have 3 DC's. I am having a problem with the
other servers trying to log into the domain when I reboot
any of the DC's. For example: I rebooted the so called
PDC this morning along with another member server and the
member server came up first but could not log in until
the "PDC" came back on-line. Shouldn't it log into the
other DC's? And the same goes for when I rebooted the
other DC's...some servers had to wait on those to come
back before they would sing in...even though at least one
DC was available. Is there a setting I need to check. Any
help will do.

Thank you!!!

 

[Nathan]

I'm assumnig all 15 servers are on the same LAN?

By default each computer (server or workstation) will
first try to authenticate against the last server it
successfully authenticated with. It should then try the
other servers, so I would check the WINS and DNS settings
on all 15 of these servers to ensure you are able to see
all of the network no matter which of the 3 DC's are
online. Hopefully all 3 DC's are running your WINS for
you, so this should be easy.

 

[Jim Singh]

Seems like you computers and member severs are waiting for a GC server to
come online. And in your case the So-callled "PDC emul" is the GC server. In
AD you need a Global catalog server in the d omain/site so that client,
server etc can send their authentication request to the GC server for logon
authentication. GC holds a copy of full database of its domain and partial
copy of the other domains in forest. You need to make your DCs GCs so that
this wont happen. On the member server you can run the following cmd to see
which GC its trying to log on to:

nslookup set type=SRV

_ldap._tcp.gc._msdcs.Yourcompany.com

-Jim

 

[Cary Shultz [A.D. MVP]]

Rob,

You did not state if this is a one Site environment or if there are multiple
Sites.

I might install the Support Tools on each of your WIN2000 Servers ( Domain
Controller, Exchange Server, File/Print Server, et al ) and run 'netdom
query fsmo' on each one of them. I would also run dcdiag /c /v on all of
the domain controllers as well as netdiag /v on all of your WIN2000 Servers.

The Support Tools can be found on the WIN2000 Server CD as well as on the
WIN2000 Service Pack CD in the Support | Tools folder. I would opt for the
Service Pack CD - or download them from the MS website.

When did this problem begin?

HTH,

Cary

 

[Rob Not Knowing]

Cary,

Thank you for your response....
I will install the Support tools and see what happens.
This is a one site environment. I notice the problem this
morning while I was doing the latest and greatest Windows
updates.....I would reboot one of the DC's and then a
couple of servers at the same time and that is when I
noticed that some of the member servers would not log in
until that DC came back online.......

I have DNS running on all 3 DC's and Wins on 2 of
them...do you think I need WINS on all three? I noticed
yesterday when I disabled a profile on one of the DC's it
did not automatically disable it on the other 2 dc's....I
had to do the replicate now option.

 

[Rob Not Knowing]

Thanks....I will try this.

 

[Rob Not Knowing]

Thanks, I will try this.

-----Original Message-----
Seems like you computers and member severs are waiting for a GC server to
come online. And in your case the So-callled "PDC emul" is the GC server. In
AD you need a Global catalog server in the d omain/site so that client,
server etc can send their authentication request to the GC server for logon
authentication. GC holds a copy of full database of its domain and partial
copy of the other domains in forest. You need to make your DCs GCs so that
this wont happen. On the member server you can run the following cmd to see
which GC its trying to log on to:

nslookup set type=SRV

-Jim




.

 

[Cary Shultz [A.D. MVP]]

Rob,

Typically in a WIN2000 environment WINS is not needed. DNS is the king
here. That is not to say that you do not need WINS. You very well may.
However, let's focus on DNS here.

I wanted to include in my original post that you might want to take a look
at the MSKB article on troubleshooting Intrasite AD Replication errors.
Looks like I should have. Here is the link:

http://support.microsoft.com/?id=249256


When you had to do the 'replicate now' option - how long did you allow AD to
try to replicate the change before you manually initiated it?

HTH,

Cary

 

[Jim Bollinger]

I also have the same problem and same question. My DC
config (DC1 has WINS/DNS and is a GC, DC2 has DNS/WINS,
DC3 is a GC only). One site, two different subnets- DC1
is on the subnet with all servers except DC2 and DC3,
which are in another bldg.

DC1 is the PDC emulator, and if it is down domain logins
fail until it is finished rebooting.

This is not a recent thing, it has been there for months
if not forever.

Replication checks out fine. Domain seems healthy in all
respects except this.

Thanks, Jim

 

[Paul Bergson]

Where do DC2 and DC3 point for DNS if DC1 is down? Could there be a router
blocking certain ports between sites?


--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Nathan]

-----Original Message-----

I also have the same problem and same question. My DC
config (DC1 has WINS/DNS and is a GC, DC2 has DNS/WINS,
DC3 is a GC only). One site, two different subnets- DC1
is on the subnet with all servers except DC2 and DC3,
which are in another bldg.

Why didn't DC2 be set as a GC? I would think DC3 would do
the job for the other building. Perhaps DNS on DC3 is
wrong?

 

[ptwilliams]

Building on what others have said here (I've not read the whole thread)
every machine should have two entries for DNS. A primary and a secondary
(failover) -these are not the zone type, just another in case the first is
down.

i.e., in a site point to themselves and then a replication partner.

DNS is the lifeblood of AD; you must ensure it is always on and accessible.

Furthermore, for your environment make all DCs GCs; there is no benefit to
you in having only some GCs.

I would also use AD Integrated DNS. In fact, unless there are multiple
domains, I see no reason to use anything else (and even then, each domain
should have AD Integrated).

--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________


I also have the same problem and same question. My DC
config (DC1 has WINS/DNS and is a GC, DC2 has DNS/WINS,
DC3 is a GC only). One site, two different subnets- DC1
is on the subnet with all servers except DC2 and DC3,
which are in another bldg.

DC1 is the PDC emulator, and if it is down domain logins
fail until it is finished rebooting.

This is not a recent thing, it has been there for months
if not forever.

Replication checks out fine. Domain seems healthy in all
respects except this.

Thanks, Jim