Windows 2003 domain PDC emulator down and users unable to login

Vern

My environment:
Windows Server 2003 in Native Mode
1st domain controller (DC1): PDC emulator, Global Catalog, DNS, WINS &
DHCP.
2nd domain controller (DC2): Global Catalog, DNS, WINS
Workstations: All Windows XP Pro, most with SP1 & rest with SP2
DNS on both servers contain all the records for both controllers. So
does WINS.
The domain has been up since June 2005 with no major or even minor
problems AD wise.

My problem:
After hours, installed an application on DC1 (PDC emulator) which
required a reboot. During the reboot process, I was unable to login to
the domain from any XP workstation. Repeated login attempts failed.
Only after DC1 came back on-line was I able to login to the domain from
an XP workstation. I was able to login to the domain on DC2 while DC1
was down though as you would expect.

In our labs, I took 3 PCs and brought up a Windows 2000 domain (native
mode) with the above configuration. 2 PCs for the DC1 & DC2 and 1 PC
for the WinXP Pro. Same login failure when DC1 (PDC emulator) is
powered off. Then duplicated the environment above with a Windows 2003
domain with same failed login result.

Question:
Everyone, who is anyone, claims that if all of your DCs are also Global
Catalogs then when the first installed DC (usually the one that will be
the PDC emulator) is off-line, workstations can still login to the
domain. This is not my experience. Anyone have any clues or suggestions
on why?

Thanks,
Vern
 
Ace Fekay [MVP]

Vern said:
My environment:
Windows Server 2003 in Native Mode
1st domain controller (DC1): PDC emulator, Global Catalog, DNS, WINS &
DHCP.
2nd domain controller (DC2): Global Catalog, DNS, WINS
Workstations: All Windows XP Pro, most with SP1 & rest with SP2
DNS on both servers contain all the records for both controllers. So
does WINS.
The domain has been up since June 2005 with no major or even minor
problems AD wise.

My problem:
After hours, installed an application on DC1 (PDC emulator) which
required a reboot. During the reboot process, I was unable to login to
the domain from any XP workstation. Repeated login attempts failed.
Only after DC1 came back on-line was I able to login to the domain
from an XP workstation. I was able to login to the domain on DC2 while
DC1 was down though as you would expect.

In our labs, I took 3 PCs and brought up a Windows 2000 domain (native
mode) with the above configuration. 2 PCs for the DC1 & DC2 and 1 PC
for the WinXP Pro. Same login failure when DC1 (PDC emulator) is
powered off. Then duplicated the environment above with a Windows 2003
domain with same failed login result.

Question:
Everyone, who is anyone, claims that if all of your DCs are also
Global Catalogs then when the first installed DC (usually the one
that will be the PDC emulator) is off-line, workstations can still
login to the domain. This is not my experience. Anyone have any clues
or suggestions on why?

Thanks,
Vern

I believe the workstation is caching the logon credentials and server. Try
this to eliminate caching and give it a shot:
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/AdminTips/Logon/CachedLogonHashes.html

But if the DC is not available, it should log you on with cached credentials
anyway, as long as that user's been logged on that machine at least once.

Keep in mind, the initial request goes to the GC to enumerate Universal
Groups, then the request is sent to a DC (determined by querying DNS) which
then interacts with the local security auth (LSA) to construct the access
token.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
 
Herb Martin

Vern said:
My environment:
Windows Server 2003 in Native Mode
1st domain controller (DC1): PDC emulator, Global Catalog, DNS, WINS &
DHCP.
2nd domain controller (DC2): Global Catalog, DNS, WINS
Workstations: All Windows XP Pro, most with SP1 & rest with SP2
DNS on both servers contain all the records for both controllers. So
does WINS.
The domain has been up since June 2005 with no major or even minor
problems AD wise.

My problem:
After hours, installed an application on DC1 (PDC emulator) which
required a reboot. During the reboot process, I was unable to login to
the domain from any XP workstation. Repeated login attempts failed.
Only after DC1 came back on-line was I able to login to the domain from
an XP workstation. I was able to login to the domain on DC2 while DC1
was down though as you would expect.

Ok, that implies "no GC" (Native mode) but you have a GC on both
DCs so that isn't it (double check), OR DNS records are not correct
for BOTH DCs ON BOTH DNS servers (but you say that it is, so
double check) that isn't it, OR DNS clients only "know" about ONE
of the DNS servers....

Make sure all DNS clients have BOTH DNS servers listed on their
NIC->IP properties.

In addition to that, run DCDiag on EACH DC and prove that they
both have all the proper DNS records registered with both DNS
servers AND that they are fully replicated.

Vern said:
In our labs, I took 3 PCs and brought up a Windows 2000 domain (native
mode) with the above configuration. 2 PCs for the DC1 & DC2 and 1 PC
for the WinXP Pro. Same login failure when DC1 (PDC emulator) is
powered off. Then duplicated the environment above with a Windows 2003
domain with same failed login result.

Lab is more likely you are missing the GC but all of the above apply.

Vern said:
Question:
Everyone, who is anyone, claims that if all of your DCs are also Global
Catalogs then when the first installed DC (usually the one that will be
the PDC emulator) is off-line, workstations can still login to the
domain. This is not my experience. Anyone have any clues or suggestions
on why?

It has nothing to do with the "PDC Emulator" functionality.

DCDiag is your friend.
 
shurley

I found that a few of my DCs, although configured in Sites and
Services to be a GC, were not actually GC ready. Connect to your DCs
using the LDP utility. After initialization of the utility to a DC and
your base DSA information is displayed, somewhere at the bottom it
shows your GC information, such as:

1> isGlobalCatalogReady: TRUE;

If that reads FALSE, even though you're configured correctly in SAS, you
may need to "UNCHECK" the GC option for that server, wait an hour and
recheck it. Then use the LDP utility to look to see that GCReady is
TRUE!

Just a thought, I had this problem too and this fixed it!

Shurley
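
The checks suggested in the replies above (both DNS servers on every client, SRV records for both DCs on both DNS servers, and isGlobalCatalogReady on each DC) can be combined into one decision, shown here as an added example that is not part of any post in the thread. It is a simplified model of how a client locates a DC and a GC; the function name, the dictionary layout and all sample data are constructed for illustration.

```python
"""Simplified model of the thread's checks; all data below is constructed."""

def logon_blockers(client_dns, dns_zones, gc_ready, offline):
    """Return reasons a domain logon would fail (empty list = none found).

    client_dns: DNS servers on the client's NIC, in order (named by hosting DC)
    dns_zones:  per DNS server, the DCs registered under its DC and GC SRV names
    gc_ready:   DC -> isGlobalCatalogReady value read from that DC's RootDSE
    offline:    set of DCs that are currently down
    """
    # A DNS server hosted on a DC that is down cannot answer the client.
    usable = [s for s in client_dns if s not in offline]
    if not usable:
        return ["client lists no DNS server that is online"]
    zone = dns_zones[usable[0]]  # assumption: first answering server is used
    blockers = []
    if not (zone["dc"] - offline):
        blockers.append(f"{usable[0]}: no online DC in SRV records")
    # A GC only helps if it is registered, online and reports ready.
    if not any(gc_ready.get(dc, False) for dc in zone["gc"] - offline):
        blockers.append(f"{usable[0]}: no online GC that is ready")
    return blockers

# Constructed lab matching the thread: two DCs, both DNS servers, DC1 rebooting.
BOTH = {"DC1", "DC2"}
FULL = {"DC1": {"dc": BOTH, "gc": BOTH}, "DC2": {"dc": BOTH, "gc": BOTH}}
READY = {"DC1": True, "DC2": True}
DOWN = {"DC1"}

def scenarios():
    # DNS on DC2 holds records for DC1 only (incomplete registration).
    partial = {"DC1": FULL["DC1"], "DC2": {"dc": {"DC1"}, "gc": {"DC1"}}}
    return {
        "healthy": logon_blockers(["DC1", "DC2"], FULL, READY, DOWN),
        "client knows one DNS server":
            logon_blockers(["DC1"], FULL, READY, DOWN),
        "DC2 records missing on DC2 DNS":
            logon_blockers(["DC1", "DC2"], partial, READY, DOWN),
        "DC2 GC not ready":
            logon_blockers(["DC1", "DC2"], FULL,
                           {"DC1": True, "DC2": False}, DOWN),
    }

if __name__ == "__main__":
    for name, found in scenarios().items():
        print(f"{name}: {found or 'no blocker found'}")
```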
 
