Secondary (backup) domain controller not working?

Hello,

we have two DCs in our LAN (192.168.0.1 and 192.168.0.2).

We have configured them in the DNS configuration for each client member of the domain (primary and secondary DNS).

Just for the test, I power off the first DC, then I reboot one of my clients. After typing my login/password, it takes a very long time for the authentication.

DCdiag doesn't show any specific error.

Do you have any idea?

Thank you

--
iautran


"iautran" <iautran@nospam.hotmail.com> wrote in message news:mn.3cb57d9787aca847.97978@nospam.hotmail.com...
> Just for the test, I power off the first DC, then I reboot one of my
> clients. After typing my login/password, it takes a very long time for the
> authentication.

The purpose of the second DC is so that you do not lose the AD Database in a disaster. The purpose is *not* transparent failover if the first DC goes down. What you are seeing is exactly the behavior that is expected.

When a DC goes down, all the FSMO Roles held by that server are *Lost* until it is repaired; they do not, and will never, roll over to the remaining DC. The Global Catalog, which is not exactly a FSMO Role, can also be lost.

Then on top of all that, Client machines will not, and never will, smoothly roll over to the next DNS in their TCP/IP specs. Eventually they will, but only under the right conditions, and then after that they will not roll smoothly back to the original when it comes back.

--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------


"Phillip Windell" wrote:
> What you are seeing is exactly the behavior that is expected.

But this is not what I have read about the "DC Locator" process... And so why does Microsoft tell us to configure two DNS DC servers in the DNS configuration of each client? Moreover, a client will roll over to the second DNS server if the first one is not available, sorry! :D

--
iautran


"iautran" <iautran@nospam.hotmail.com> wrote in message news:mn.3cd77d97c254cab5.97978@nospam.hotmail.com...
> But this is not what I have read about the "DC Locator" process... And so
> why does Microsoft tell us to configure two DNS DC servers in the DNS
> configuration of each client?

Because it is better than not doing it. The Client most likely will log in with a cached account, just like it would do if you started it up without the LAN cable plugged in. The second DNS entry would give the client the ability to still resolve names in a more general sense. The Client would be "aware" that the other DC existed because it would be seen in the DNS Zone, but the remaining DC just cannot do the jobs of the other DC because it just does not have the same FSMO Roles.

Instead of testing by shutting down the first DC, test by shutting down the second DC; you will notice that it will almost not even be noticed (depending on the FSMO Roles it had).

Yes, I have seen the articles that make it all sound so "rosy", but in practice it has never seemed to be so rosy when tried.

Now everything changes again when you get into Sites with multiple DCs where you have a DC at each Site. The AD Sites are designed so that all the Clients in a Site will use the DC within their own Site regardless of the FSMO roles it has.

So I'm not going to claim to know every little detail of how and why it behaves the way it does, but I do know that smooth transparent DC fail-over just does not happen.

--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------


Hello Phillip,

Maybe I don't understand you correctly, but the FSMOs are not needed for the logon process, so it doesn't matter if the DC holding them is not available. For logon at least a DC and DNS server is needed; when universal groups are used, also a Global Catalog server. Otherwise they will log on with cached credentials on the local machine.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Hello,

I hate my typos. Sorry for that.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Hello iautran,

Do you use Universal groups and are the accounts members of them? Then also a Global Catalog is required to check them during logon. Personally I only notice a small delay when the preferred DNS/DC is down and I log on again while the machine is still running. If I start up a client when the preferred DNS is down, I don't notice any delay.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Hello,

thank you for your answer too :)

No, I am not using Universal groups (and moreover the universal group membership is enabled).

Do you agree with Phillip about what he said?

Thanks

--
iautran


Hello iautran,

See my answer to Phillip.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Ok so I think I understood correctly and it should work... but it doesn't! :D

How can I find more information about the problem, as my computer and my DCs don't have any related errors?

Can I force a Kerberos ticket granting and see what's happened? If yes, how? :D

Thanks

--
iautran


Hello iautran,

Please post an unedited ipconfig /all from both machines.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


"iautran" <iautran@nospam.hotmail.com> wrote in message news:mn.3d447d97140045e2.97978@nospam.hotmail.com...
> Ok so I think I understood correctly and it should work... but it
> doesn't! :D
>
> How can I find more information about the problem as my computer and my
> DC's don't have any related errors?
>
> Can I force a Kerberos ticket granting and see what's happened?
> If yes, how? :D
>
> Thanks

Hello iautran,

It does work, and it doesn't work, depending on your expectations. The main thing is the way the local client resolver algorithm works when it is querying DNS. So it really depends on your DNS entries on your internal machines. Read the following to gain a better understanding of how the client side resolver algorithm works, and apply it to your scenario. Also, the ipconfigs Meinolf requested would be helpful to gain a better understanding of your AD's configuration.

====================================
If one DC is down, why does it not logon to the other DC?
By Ace Fekay, updated 7/1/09

Keep in mind that if any of the DCs are multihomed (more than one NIC and/or IP), you are using your ISP's DNS, or the domain is a single label name ('domain' versus the recommended minimum of 'domain.com', 'domain.local', etc), other problems will occur, and you will get unexpected and undesirable results whether there is one DC down or not.

As for the second DC responding, this all depends on the DNS settings on the client side, as well as if the previous logon server and record was cached.

It will use the second address, but only after a timeout period the client is waiting for a response from the server. You need to understand how the client side resolver works. If the query sent to the first entry in the DNS list responds with an NXDOMAIN response, meaning it is an actual response, but there is no record from the server it asked, then it will look no further because it is a response. However, if it receives a NULL response, meaning the DNS server is down and there is no response, it will remove the first entry from the 'eligible resolvers list' for a certain amount of time (depending on the OS version and SP level), then send the query to the second one. However, if the record is already cached, it won't even ask the first entry. Hence the possibility that the client machine is asking a DC that is down.

As I mentioned, this is ALL based on the client side resolver, not the DNS server. This time out period can be perceived by someone sitting there waiting as 'it's not working' because it appears to be taking so long.

Also, if it is already cached locally by the client side service, it will not ask and will send the connection request to the cached record, which if it is the server that is down, then it can't connect anyway, and no response, but you may be sitting there expecting it to go to the other DC that is up.

The way to reset the list is to restart the DHCP Client service (not the DHCP server) on the workstation, and the way to delete the cache on the client is to run ipconfig /flushdns, or simply restart the machine.

I hope that makes sense. Also I am providing some links on it; sorry about all the links, but they will give you a better understanding of it and how it applies. They all give a little, but in some cases not the whole picture. The DNS Whitepaper is pretty good to start with.

How DNS Works: DNS Resolution, Client Side Resolver (Time out period, devolution, and much more)
http://technet.microsoft.com/en-us/library/cc772774.aspx#w2k3tr_dns_how_gaxc

W2k DNS White Paper - search through for Fully-Qualified Query and Disabling the Caching Resolver:
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp

How DNS query works, Domain Name System (DNS):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/0bcd97e6-b75d-48ce-83ca-bf470573ebdc.mspx

DNS Resolver Cache Service [including NetFailureCacheTime and NegativeCacheTime reg entries]:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbc_imp_qxht.asp

286834 - DNS Client Service Doesn't Revert to Using First Server in List [explained in the DNS white papers], reg to alter it too:
http://support.microsoft.com/default.aspx?scid=kb;en-us;286834

261968 - Explanation of the Server List Management Feature in the Domain Name Resolver Client:
http://support.microsoft.com/?id=261968

SP4 Changes DNS Name Resolution - Actual Query Timeout settings the resolver uses (XP too):
http://support.microsoft.com/default.aspx?scid=kb;en-us;198550

------

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCT, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
ace***@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.


"iautran" <iautran@nospam.hotmail.com> wrote in message news:mn.3cb57d9787aca847.97978@nospam.hotmail.com...
> DCdiag doesn't show any specific error.
>
> Do you have any idea?

Are both DCs global catalog servers?

From each DC's command prompt run the following and post the output:

NLTEST /dsgetdc:your_domain_name.com /gc ==> replace your_domain_name with the domain name in question

I would post an ipconfig /all of both DCs as well as for the client in question.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
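The resolver rules Ace Fekay lays out in his reply above (an NXDOMAIN is a real answer and ends the lookup, a server that never answers costs a timeout and is dropped from the eligible list for a while, a cached record is returned without asking any server, and ipconfig /flushdns or a DHCP Client service restart clear those two states) as a small simulation that plays through the original poster's test. This is an added example written for this page, not code from the thread or from Microsoft. The per-server timeout and failure-cache values, the domain name corp.example and the host names are constructed; the two DC addresses are the ones from the original question.

```python
"""Simulation of the Windows client-side DNS resolver behaviour described in
the thread. Constructed model: timeout and failure-cache values are
placeholders, not the real registry defaults."""
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"


@dataclass
class DnsServer:
    ip: str
    up: bool = True
    zone: dict = field(default_factory=dict)      # name -> address

    def query(self, name):
        """Record, NXDOMAIN (a real 'no such name' answer), or None when the
        server is down and never answers at all."""
        if not self.up:
            return None
        return self.zone.get(name, NXDOMAIN)


class ClientResolver:
    def __init__(self, servers, query_timeout=5, net_failure_cache_time=30):
        self.servers = servers                    # DNS list order as in TCP/IP settings
        self.query_timeout = query_timeout        # seconds waited on a dead server (constructed)
        self.net_failure_cache_time = net_failure_cache_time  # seconds a dead server stays ineligible
        self.cache = {}                           # name -> address (client-side cache)
        self.ineligible_until = {}                # server ip -> simulated clock time
        self.clock = 0                            # simulated seconds

    def flushdns(self):
        """ipconfig /flushdns: drop the local cache."""
        self.cache.clear()

    def restart_dhcp_client(self):
        """Restarting the DHCP Client service resets the eligible-server list."""
        self.ineligible_until.clear()

    def resolve(self, name):
        """Return (address or None, seconds waited, who answered)."""
        if name in self.cache:                    # cached: nobody is asked
            return self.cache[name], 0, "cache"
        waited = 0
        for srv in self.servers:
            if self.ineligible_until.get(srv.ip, -1) > self.clock:
                continue                          # recently failed: skipped without waiting
            answer = srv.query(name)
            if answer is None:                    # no response: pay the timeout, move on
                waited += self.query_timeout
                self.clock += self.query_timeout
                self.ineligible_until[srv.ip] = self.clock + self.net_failure_cache_time
                continue
            if answer == NXDOMAIN:                # a real answer: stop, do not ask the next server
                return None, waited, srv.ip
            self.cache[name] = answer
            return answer, waited, srv.ip
        return None, waited, None


# Constructed lab: both DCs host the same zone; addresses as in the question.
ZONE = {"dc1.corp.example": "192.168.0.1", "dc2.corp.example": "192.168.0.2"}


def build_lab(dc1_up=True):
    dc1 = DnsServer("192.168.0.1", up=dc1_up, zone=dict(ZONE))
    dc2 = DnsServer("192.168.0.2", up=True, zone=dict(ZONE))
    return ClientResolver([dc1, dc2])


def scenario_first_dc_down():
    """DC1 powered off, nothing cached: first lookup pays the timeout, the
    next one goes straight to DC2 because DC1 is now ineligible."""
    r = build_lab(dc1_up=False)
    return [r.resolve("dc2.corp.example"), r.resolve("dc1.corp.example")]


def scenario_nxdomain_stops():
    """DC1 answers NXDOMAIN for an unknown name; DC2 is never consulted."""
    return build_lab().resolve("nosuch.corp.example")


def scenario_stale_cache():
    """Record cached while DC1 was up; DC1 then goes down. The cached answer
    still points at the dead DC until the cache is flushed."""
    r = build_lab()
    r.resolve("dc1.corp.example")
    r.servers[0].up = False
    cached = r.resolve("dc1.corp.example")
    r.flushdns()
    return cached, r.resolve("dc1.corp.example")


def scenario_no_revert():
    """DC1 comes back after failing: the resolver keeps using DC2 until the
    eligible list (and cache) are reset, as KB 286834 is summarised above."""
    r = build_lab(dc1_up=False)
    r.resolve("dc2.corp.example")
    r.servers[0].up = True
    still_dc2 = r.resolve("dc1.corp.example")
    r.restart_dhcp_client()
    r.flushdns()
    return still_dc2, r.resolve("dc1.corp.example")


if __name__ == "__main__":
    for fn in (scenario_first_dc_down, scenario_nxdomain_stops,
               scenario_stale_cache, scenario_no_revert):
        print(fn.__name__, "->", fn())
```

Run as a script, the four scenarios show the effects the thread argues about: the first lookup after DC1 is powered off waits the full per-server timeout before DC2 answers, which is the logon delay the original poster saw, while every later lookup is served by DC2 with no wait; a record cached before the outage keeps pointing at the dead DC until ipconfig /flushdns; and once DC1 returns the client stays on DC2 until the DHCP Client service is restarted.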