  1. #1 ranj

    Cannot login to domain when DC is restarting

    Hi

    I am confused about an issue I have with the network we have.

    We still have a Windows 2003 Server with SP2 on the network which is a DC. Over the summer we introduced 2 new 2008 DCs and gave the FSMO roles to one of the new 2008 servers. Over the half term I want to completely take this 2003 server out of business after 5 successful years of trouble-free service, but it's proving quite a challenge.

    A bit of history about this 2003 dc.

    It was the first domain controller in the forest when the network was built from scratch over 5 years ago. It's had a number of roles: it was an Exchange Server 2003 (I know, not good practice, but I inherited this network in this state), print server, DFS server, DNS, DHCP and terminal server.

    So it had a lot of roles, and the majority of them have now been successfully transferred: print, DNS, DHCP and Exchange, and of course the FSMO roles.

    I have now begun planning how to remove all the other roles. I am worried about taking its DC functionality off, as I am not sure how the rest of the network will react; it seems a lot of services relied on this server.

    For example, I began removing some old software off the server and some of the software said the server needed to be restarted. No problem, I restarted the server, but whilst the server was restarting I noticed that I couldn't log in to any other server, be it a DC or member server, or our new Exchange 2007 server. It came up with the standard message about the password being incorrect (I wasn't going loopy, honest!! I know it was the correct password). I also noticed that some web tools we have, which are in fact on a Linux server but use AD authentication, also stopped working, with the same symptoms of not being able to log in.

    Does anyone know what's going on? I haven't taken its role of DC off yet, but I am dreading it in case no one can log in to the network once I have done this. I thought transferring ALL the FSMO roles to the new 2008 DC would have alleviated any issues similar to this?

    Am I right in saying that what should happen is, if a DC is unavailable, a client can just communicate with another DC and that DC can log that client in?

    I did find this article and am not sure if this would resolve it:

    Windows Server 2003-based domain controllers may incorrectly return the "NO_SUCH_USER (0xc0000064)" status code in response to logon requests

    The server is Windows 2003 Standard Edition with SP2.

    Any advice on this would be greatly appreciated.
    Thanks

  2. #2
    You mention FSMO roles but you don't mention global catalogs; the only servers which process user logons are GCs.

    Make all your DCs into GCs and I suspect your problems will go.

  3. #3 Michael
    Could be a number of things. Firstly I presume all servers are Domain Controllers, but how many of them are DHCP, DNS and also Global Catalog servers? The FSMO roles are not really important as the other domain controllers (if setup correctly) should be able to serve a network without the FSMO holder for a short period of time.

  4. #4
    Also check the settings on the Linux server as to where the apps look to authenticate - you may find they are looking for a server on a specific IP / specific name, rather than any available DC.

  5. #5
    Hi there,
    How have you got your other servers joined to the domain? Have you joined them or prepared them with domain controllers? You wouldn't be able to log in unless you have 2 domain controllers; the other servers won't run AD, it will only run off the Server 2003 until you give one of them the role as like a backup server.

  6. #6
    They aren't all trying to do DNS lookups from just that one server, are they?

  7. #7 SpuffMonkey
    I'd be interested to hear suggestions on this, as I have a similar issue: 2 DCs, both with GC, DNS etc., but if the first server is down, no logins can happen. Any ideas appreciated.

  8. #8 Michael
    It's a common mistake I see often. DCs should authenticate against themselves first, then any other secondary server. If it's the other way around it's pointless having another DC to serve requests.

    For workstations to authenticate successfully, the primary and secondary DNS servers, then any external DNS servers, should be listed within the DHCP server.

  9. #9 ranj
    Yeah, I had a look and we have 3 DCs: 2 which are 2008 and this 1 2003 which I want to retire. They are all GCs. They all have AD-integrated DNS, and when I run dcdiag it passes the majority of tests. There are a few which it complains about, but these aren't the critical things.

    The DNS servers are listed on the 2008 DHCP server.

  10. #10 Michael
    Are all three DHCP servers too? And in the network properties of each server, it should list its own IP first. If your server is 192.168.1.10 and the other two are 192.168.1.11 and .12, then, hypothetically speaking, with OpenDNS for external DNS the configuration should look something like this:

    Server 1
    192.168.1.10
    192.168.1.11
    192.168.1.12
    208.67.222.222
    208.67.220.220

    Server 2
    192.168.1.11
    192.168.1.12
    192.168.1.10
    208.67.222.222
    208.67.220.220

    Server 3
    192.168.1.12
    192.168.1.10
    192.168.1.11
    208.67.222.222
    208.67.220.220

  11. #11 ranj
    Quoting Michael: "Are all three DHCP servers too?"

    No, we only have 1 authorised DHCP server, which is on one of the 2008 servers.

    Thanks

  12. #12 Michael
    When you enable DHCP on multiple servers, you must enable Conflict Detection (on each server) and set it to either 1 or 2.

    Open up the DHCP console, right-click servername.domainname [IP of server] and choose 'Properties' > Advanced tab. Specify the number of attempts here. Failure to do this will create serious problems with DHCP leasing.

  13. #13
    Quoting Michael: "For workstations to authenticate successfully, the primary and secondary DNS servers, then any external DNS servers should be listed within DHCP server."

    Yes to the first bit, but a big fat NO to the second.

    You never, ever, ever, ever put the external DNS to be given out by your DHCP; that's a sure recipe for getting failed logins.

    All DNS lookups on a client need to go to the AD DNS server; that will then either answer directly if you're looking up an internal name or it will fetch the info from an external server and return it to a client.

    When a workstation goes to log on, it needs to find a global catalog server. It does this by asking DNS for the IP address of _gc._msdcs.<DnsForestName>. If it doesn't get an answer then the machine won't log on (you can watch this with Wireshark; it's useful when you're trying to troubleshoot this sort of problem).

    If you ask an internal server then you should get the address of the global catalog server; something's very broken if you don't.

    If you ask an external DNS server it won't know anything about your internal names, you won't find a GC and you've got no chance of logging on.
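    As an added diagnostic (not code from anyone in this thread), the PowerShell script below checks the three things the last few posts argue about: the resolver order on the machine it runs on, the DNS servers DHCP hands to workstations (option 006), and whether each DC, queried directly, returns the global catalog locator records (the _gc._tcp SRV record and the gc._msdcs A record). It assumes a Windows 8/2012 or later admin workstation with the DnsClient and DhcpServer RSAT modules; the forest name, DC addresses and DHCP server name are placeholders to replace with your own.

```powershell
# Added diagnostic, not from the thread. Assumes the DnsClient and DhcpServer (RSAT)
# modules are present; the names and addresses below are placeholders.
$ForestDns  = 'example.local'                                    # placeholder forest name
$DcAddrs    = @('192.168.1.10', '192.168.1.11', '192.168.1.12')   # constructed, as in post #10
$DhcpServer = 'dc2008a.example.local'                            # placeholder DHCP server

function Test-ResolverList([string]$Label, [string[]]$Servers) {
    # Every resolver a client uses must be an AD DNS server (post #13), and the
    # first entry should be a DC so the GC lookup never goes to an outside server.
    if (-not $Servers) { Write-Warning "$Label : no DNS servers configured"; return }
    $external = $Servers | Where-Object { $DcAddrs -notcontains $_ }
    if ($external) {
        Write-Warning "$Label : non-AD DNS server(s) listed: $($external -join ', ')"
    } elseif ($DcAddrs -notcontains $Servers[0]) {
        Write-Warning "$Label : first resolver $($Servers[0]) is not a DC"
    } else {
        Write-Output "$Label : OK ($($Servers -join ', '))"
    }
}

# 1. Resolver order on this machine (run it on each DC too: own IP first, per post #10).
foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }) {
    Test-ResolverList "Interface $($nic.InterfaceAlias)" $nic.ServerAddresses
}

# 2. DNS servers DHCP gives out (server-level option 006; re-run with -ScopeId
#    for any scope that overrides it).
$opt6 = (Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 6).Value
Test-ResolverList "DHCP option 006 on $DhcpServer" $opt6

# 3. Ask each DC directly for the GC locator records. A DC that answers with
#    nothing here is the one clients fall over on when the others are restarting.
foreach ($dc in $DcAddrs) {
    try {
        $srv = Resolve-DnsName -Name "_gc._tcp.$ForestDns" -Type SRV -Server $dc -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        $a   = Resolve-DnsName -Name "gc._msdcs.$ForestDns" -Type A -Server $dc -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' }
        Write-Output ("DNS {0}: _gc._tcp SRV -> {1}; gc._msdcs A -> {2}" -f $dc,
            (($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '),
            (($a   | ForEach-Object { $_.IPAddress }) -join ', '))
        if (-not $srv) { Write-Warning "DNS $dc : no _gc._tcp SRV record; logons via this resolver will fail" }
    } catch {
        Write-Warning "DNS $dc : lookup failed ($($_.Exception.Message))"
    }
}
```

    Run it while the 2003 DC is up and again while it is restarting; if the remaining DCs still return the GC records but a resolver list or option 006 points outside the domain, that is where the failed logons come from.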

  14. #14 Michael
    Quoting post #13: "You never, ever, ever, ever put the external DNS to be given out by your DHCP; that's a sure recipe for getting failed logins."

    Normally you're right, but I remember someone, somewhere told me to do this within a Birmingham school and I can't remember why, sorry. To be honest, I think the worst-case scenario is that it would delay logon a little more, having to check in with a DNS server externally, but it doesn't actually create a problem. Logon will still fail.

    However, if you set it as the primary DNS, that would be a very foolish thing to do.
