Having multiple domain controllers does not help

Jordan

When my domain was Windows NT4 I had a PDC and a BDC. If the PDC or the BDC
ever needed to go offline during the day for whatever reason the network
would still function fine. Ever since I updated to Windows 2000, whenever I
need to do some maintenance on one of the DCs, many resources on the
network can't be accessed. What gives???

Example. I had to restart one of the DCs and none of my users could access
their Exchange 2003 server email.

Example 2. I had an issue with a DC the other day and some users trying to
access the internet via ISA 2000 server were prompted for their
DOMAIN/USERNAME/PASSWORD every time they opened an IE window while some were
not. The ones that were had the problematic DC listed as their logon
server.

In NT 4, when a DC had a problem or was offline, clients (even W2K Pro)
would be able to pick up verifications from the other DCs, but this does not
seem to be happening with Windows 2000 Servers. I put up a second DC hoping
to help keep everything up, but it just seems like it is hurting things.
 
Miha Pihler

Hi Jordan,

Can you check these things:
* your second DC (domain controller) is also a GC (global catalog). If it is
not, it should be if you need it to perform the authentication if the first DC
goes down
* is your second DC also a DNS server? If not, it should be. If you only
have one DNS server and it goes down, clients won't be able to find the other
DC (they use DNS to locate DCs, GCs, ...)
* your clients should have both DCs listed as DNS servers (under TCP/IP
settings). If they only have one, they will not be able to use the second DNS
server to locate your DC if the first DNS server goes down...

Mike
 
Jeff Cochran

Keep in mind it may not be your DC, but rather other services running
on it. DNS for example. Make sure you have alternates available.
Also, make sure the remaining DC is a Global Catalog server. That can
cause issues such as you describe.

Jeff
 
Steven L Umbach

In addition to other replies check the Event Viewer on both domain
controllers to make sure there are no persistent replication problems.
Running the support tools dcdiag, replmon, and gpotool can also verify
correct connectivity/replication between domain controllers when both are up
and running. DNS configuration in the domain is critical as explained in the
link below. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382
 
Karl Levinson [x y] mvp

Windows 2000 is actually better than NT that way, in that all DCs are more
or less equal peers. It sounds like the problem is the DCs have not been
implemented according to best practices from Microsoft. In general, when
these things happen, check the Windows System and Application event logs for
more informative error messages.

www.microsoft.com/technet/security and www.microsoft.com/technet and
www.microsoft.com/windows have information on best practices for Windows
implementation.
 
Jordan

Thanks. It appears that I never set the GC option when I made the second
server a DC. Both DCs are DNS servers and both are in the clients' DHCP
settings, so when I restart this server I should see if this takes care of
the problem.
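
The checks suggested in the replies above come down to one question: can each DNS server, on its own, point clients at more than one DC and more than one GC? The script below is an added example, not part of the original thread. The domain name and DNS server addresses are placeholders, a single-domain forest is assumed, and Resolve-DnsName requires a newer Windows version than the ones discussed here.

```powershell
# Added example. Placeholder values: substitute your own domain and DNS servers.
$Domain     = 'corp.example.com'           # placeholder AD DNS domain name
$DnsServers = '192.0.2.10', '192.0.2.11'   # placeholder: the DNS servers handed out to clients

# SRV records clients query to locate a domain controller and a global catalog.
# The _gc record lives under the forest root domain (single-domain forest assumed).
$Records = [ordered]@{
    'DC' = "_ldap._tcp.dc._msdcs.$Domain"
    'GC' = "_gc._tcp.$Domain"
}

function Get-LocatorTargets {
    param([string]$Name, [string]$Server)
    # Query one specific DNS server only, so the result shows what clients
    # would get if the other DNS server were down.
    $answer = Resolve-DnsName -Name $Name -Type SRV -Server $Server `
                              -DnsOnly -ErrorAction SilentlyContinue
    $answer |
        Where-Object { $_.Type -eq 'SRV' } |          # skip additional A records
        ForEach-Object { $_.NameTarget.TrimEnd('.') } |
        Sort-Object -Unique
}

$results = foreach ($server in $DnsServers) {
    foreach ($role in $Records.Keys) {
        $targets = @(Get-LocatorTargets -Name $Records[$role] -Server $server)
        # One target means that role disappears when that single server restarts.
        $verdict = switch ($targets.Count) {
            0       { 'NO ANSWER from this DNS server' }
            1       { 'ONLY ONE - outage if it goes down' }
            default { 'OK' }
        }
        [pscustomobject]@{
            DnsServer = $server
            Role      = $role
            Targets   = $targets -join ', '
            Verdict   = $verdict
        }
    }
}

$results | Format-Table -AutoSize
```

A domain like the one described in this thread, where the second DC was never made a GC, would show two targets on the DC rows but only one on the GC rows.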
 
