
Active Directory and DNS problem


precioustony (Technical User, GB), Jun 23, 2004
I have 3 DCs located in three different offices. All of them are running Active Directory integrated DNS zones.
Let's call the DCs dc-1, dc-2, and dc-3.

Client PCs in each of the offices are configured with at least the IP addresses of two DNS servers. The 1st IP address is that of the DNS server in their office and the second IP address is that of the DNS server in another service that serves as a secondary.

Now I have this problem: when the DC (dc-1) in, say, Office1 is down, users cannot log into AD because the DNS that is on dc-1 is down as well. I expected users to be able to log in since there is a second DNS server (dc-2 or dc-3) configured on the clients. Please help.

 
I think I understand what you're saying. Are the DCs in the other offices global catalog servers? If they are not and only dc-1 is, then that would explain why they can't log on.

(yay! shameless advertising. my side business)
 
Yes, only dc-1 is a global catalog

But the clients are also configured with IP addresses of other dns servers. Shouldn't they be able to use the second DNS server to contact the global catalog(dc-1) and then login?

The configurations on the client is like this:

1st DNS Server: (IP address of the dns server in THEIR site)
2nd DNS Server: (IP address of the dns server in another site)

If the client cannot use the 2nd DNS server why then have the option of configuring a 2nd dns server on the client?
 
Wdoellefeld is on the right track here. If a user is a member of a universal group then they have to be able to contact a global catalog server (GC) to be able to log in.

"when the DC(dc-1) in say, Office1 is down, users cannot log into AD because the dns that is on dc-1 is down as well."

"But the clients are also configured with IP addresses of other dns servers. Shouldn't they be able to use the second DNS server to contact the global catalog(dc-1) and then login?" - they can't access dc-1 if it is down.

You can configure one of the other DCs to be a GC which will allow the users to log in if DC-1 is down.
 
Maybe I didn't make myself very clear. The problem occurs with users in the office where dc-2 and dc-3 are located.

Since DC-1 which is holding the global catalog role is still up and running and users are configured with the IP Address of more than 1 dns server, shouldn't they be able to contact dc-1, the global catalog server, and then login if the server in their office is down?

This doesn't happen to be the case and that is the reason I am worried!
 
OK, I understand now.

I recommend you do some diagnostic testing. Set one of the clients to use the DNS server that you currently have configured as secondary as the primary (remove the current primary entry and replace it with the current secondary entry). Once you have done that, run "netdiag" and "dcdiag /s:DCNAME" from the workstation and see if you receive any errors. This should point you in the right direction.

 
DC1 probably has all of the FSMO roles including the important 'PDC Emulator' role. If this is the case, then when this server goes down all users will not be able to authenticate. Does this DC have all FSMO roles?


"Assumption is the mother of all f#%kups!"
 
One more thing: users in branch offices will authenticate with their own DC if you create a site-to-site link; otherwise, they can go to the DC in HQ and request authentication with DC1. That may be your problem.

Regards,
 
DC-1 is PDC Emulator, Global Catalog, RID Master
DC-2 holds no role
DC-3 is Infrastructure Master

All the DCs are in one site.

I did carry out the test suggested by Benchristian but there were no errors; also, none of the users is a member of any universal group.

I don't really want to enable GC on any other DC because of replication traffic
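An added diagnostic script, not posted by anyone in this thread, that checks what the discussion above hinges on: whether a client can locate a DC and a global catalog through each DNS server it is configured with, and which DCs actually hold the GC role. The domain name and DNS server addresses are placeholders.

```powershell
# Added example, not from the thread. For EACH configured DNS server, resolve the SRV
# records a client uses to find a logon DC and a global catalog, then test whether the
# targets answer on the port the client would use. Placeholders: replace with your own.
$Domain     = 'corp.example'                     # placeholder domain name
$DnsServers = @('10.0.1.10', '10.0.2.10')        # placeholder: primary, secondary DNS

# Caveat: the Windows resolver only moves to the secondary DNS server when the primary
# does not respond at all; an answer such as "name not found" is not retried elsewhere.
$Records = @(
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain"; Port = 389  }   # any DC for logon
    @{ Name = "_gc._tcp.$Domain";             Port = 3268 }   # global catalog only
)

foreach ($dns in $DnsServers) {
    Write-Host "=== DNS server $dns ==="
    foreach ($rec in $Records) {
        try {
            # Query this specific server directly, bypassing the client resolver cache
            $srv = Resolve-DnsName -Name $rec.Name -Type SRV -Server $dns -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        } catch {
            Write-Host "  $($rec.Name): NOT resolvable via $dns ($($_.Exception.Message))"
            continue
        }
        if (-not $srv) { Write-Host "  $($rec.Name): no SRV records returned"; continue }
        foreach ($s in $srv) {
            # A record can still point at a DC that is down; test the actual service port
            $up = Test-NetConnection -ComputerName $s.NameTarget -Port $rec.Port `
                      -InformationLevel Quiet -WarningAction SilentlyContinue
            Write-Host ("  {0} -> {1}:{2} reachable={3}" -f $rec.Name, $s.NameTarget, $rec.Port, $up)
        }
    }
}

# Which DCs are global catalogs and which hold FSMO roles (needs the ActiveDirectory module)
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, OperationMasterRoles | Format-Table -AutoSize
```

Run it from a client in the dc-2 or dc-3 office while that office's DC is up: if the secondary server resolves both records but every _gc target is the single GC, the output shows which dependency a client hits when its local DNS is gone.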
 