
domain login problem

Status
Not open for further replies.

hayesp

Technical User
Jul 11, 2002
59
IE
Hi,

I have a full Windows 2000 child domain connected to the parent domain over a leased line. If the leased line goes down, however, no one apart from the administrator can log in. The server is a domain controller and a global catalog server, and I have started the services that I could think of that could affect this. I am now completely at a loss; any help would be greatly appreciated.

Thanks in advance,

Paul
 
It's not a bug, it's a feature :)
When the DC with the GC is disconnected from the child domain there is no way that users can log on to the child domain, because it's the GC server that processes the logon request.
 
Thanks for the quick response. The server in the child domain that users cannot log into is both a DC and a global catalog server.
 
Does it also have WINS and DNS? Because your client computers might not know where your child domain is located if you don't have those services configured properly. In other words, you might already have unnecessary traffic going through your leased line just to validate their accounts on the primary DC at the other end of the leased line when it could be done by the one that is local.

When the leased line goes down, the clients can't see that DC anymore, and don't know about the one that is local...




"In space, nobody can hear you click..."
 
On both the child domain server and the client PCs, the primary DNS server is itself and the secondary is the parent domain's server. There is no WINS set up; however, there are hosts files on the client PCs.
 
Why hosts files? DNS should do the IP name resolution job.

What clients do you have? Windows 2000?
What is the logon method? UNC? (user@domain.com)


Gia Betiu
gia@almondeyes.net
Computer Eng. CNE 4, CNE 5, MCSE Win2K
new: (just started)
 
I had a similar problem this morning. Although, it was at a root domain instead.

My server, which has the following services running, was accidentally switched off last night (it was not me; it was an expensive 'consultant' for the finance system).

Now this server has the following FSMO on it.

PDC Emulator
Infrastructure
RID Server

and the following Name Services

DNS Active Directory

and finally DHCP. Set to give out DNS IP addresses

Now the Windows 2000 clients quite happily let the users log on. But they did not have any network drives. I presumed the clients cache the password somewhere and thus let them log on. The network drives are kept on a different machine.

The Windows 98 machines complained the Domain was missing.


The Global Catalog is kept on a different machine, which also has the other FSMO roles needed for the root domain.

Schema
Domain Naming Master
DNS active directory

This has the network drives on it.

I do not understand why the Windows 2000 clients did not get their mapped drives or logon. They should work correctly.

Any ideas? Might be able to solve the above problem?
 
The hosts file I just add to the PCs as a habit from when they were Windows 98. All of the clients are Windows 2000 Professional and the logon is either UNC or just the username, password and domain. I have tried both but neither works for me.
 
hayesp

I think the problem could be that the clients are not looking for the correct DC. Have you tried to ping the DC from the client, using the DN?

Do the clients have DHCP configured? Do they have IP addresses? Are they valid? Are they configured to point to local DNS server? Windows 2000 clients need DNS to logon. No DNS no Logon.

Are you sure the machines are members of the local domain? Not the users, the machine? Does the machine have access? Check AD Users and Computers.

When you say only Administrator can log on, do you mean local admins or domain admins? Can you log on to the server? Have you tried logging on as a local user on the domain controller? If this works, it's definitely a client/network setup problem.

I expect local admins can log onto the client, but domain admins?

Do you have any Group Policy setting?

Try the above!

Cheers
 
Hi,

The clients all have static, valid IP addresses. They point to the local DNS server. The PCs are members of the local domain. I haven't checked whether a domain admin can log on; the local one can. I only have group policies set up that are supplying proxy settings. Could it be that the Active Directory database that is trying to validate the users is not the correct one? I have been told that there is some command that you can run to check this, but I cannot find anything on the Microsoft website.

Thanks,
 
hayesp

There is a command, I think it is the Netbui or something like that.

Did you try any of the other suggestions?

Have you checked your DNS server on the child domain, does it have the file directory _mcdcs folder?

I have a number of child domains, and what I did was to create secondary dns entries for the root domain. This may have something to do with your problem.

Under your DNS tables

You should have the local child domain, which contains _mcdcs, and then the root _mcdcs as a separate entry.

ie

DNS Server
- Forward Zones
+ _mcdcs.root.com

+ _child.root.com

+_mcdcs.child.root.com


Have you looked at the MS article called Overview of Deploying and Operating Active Directory for Branch Office Environments

It's very big, but contains all the fundamentals you need to install AD over branches etc.

I did not copy\replicate _mcdcs.root.com at first, I did it to cut down on traffic from the regional offices.

I think it could be a DNS problem.

Hope this helps? I am going home now, but will be back at 10am GMT (London, UK)
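
Added example, not part of the thread or any poster's code: a small Python model of the zone layout suggested in the post above, showing which DC locator SRV lookups the branch DNS server can answer by itself while the leased line is down. It assumes the standard Windows locator names under the `_msdcs` label; every zone, host and record in it is constructed sample data.

```python
# Constructed sample data: a child domain whose only local server is dc1.
FOREST_ROOT = "root.com"
CHILD = "child.root.com"
LOCAL_HOSTS = {"dc1.child.root.com"}           # hosts on the branch side of the link
SRV = {                                        # SRV name -> registered targets
    "_ldap._tcp.dc._msdcs.child.root.com": ["dc1.child.root.com"],
    "_kerberos._tcp.dc._msdcs.child.root.com": ["dc1.child.root.com"],
    "_ldap._tcp.gc._msdcs.root.com": ["rootdc.root.com", "dc1.child.root.com"],
}
CHILD_ONLY = ["child.root.com"]                       # zones held on the branch DNS
WITH_ROOT_SECONDARY = ["child.root.com", "_msdcs.root.com"]

def locator_names(domain, forest_root):
    """SRV names a client queries to find a DC, a KDC and a global catalog."""
    return {
        "domain controller": f"_ldap._tcp.dc._msdcs.{domain}",
        "kerberos KDC": f"_kerberos._tcp.dc._msdcs.{domain}",
        # GC records are registered under the forest root, not the child domain.
        "global catalog": f"_ldap._tcp.gc._msdcs.{forest_root}",
    }

def hosting_zone(name, local_zones):
    """Longest locally held zone that contains the name, or None."""
    matches = [z for z in local_zones if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None

def check_offline(local_zones, srv_records=SRV, local_hosts=LOCAL_HOSTS):
    """Return {role: (status, detail)} for lookups made with the link down."""
    report = {}
    for role, name in locator_names(CHILD, FOREST_ROOT).items():
        zone = hosting_zone(name, local_zones)
        if zone is None:
            report[role] = ("FAIL", f"{name}: no local zone, query must cross the link")
            continue
        reachable = [t for t in srv_records.get(name, []) if t in local_hosts]
        if reachable:
            report[role] = ("OK", f"{name} -> {reachable[0]} (zone {zone})")
        else:
            report[role] = ("FAIL", f"{name}: no SRV target on the local site")
    return report

if __name__ == "__main__":
    for label, zones in (("child zone only", CHILD_ONLY),
                         ("plus secondary of root _msdcs", WITH_ROOT_SECONDARY)):
        print(label)
        for role, (status, detail) in check_offline(zones).items():
            print(f"  {status:4} {role}: {detail}")
```

On a live system the same names can be queried against the local DNS server with `nslookup -type=SRV`.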



 
hayesp

Regarding the command try

NETDOM or NETDIAG tools

Go to the TechNet site and look at the following article

Windows 2000 Server

Chapter 10 - Active Directory Diagnostics, Troubleshooting, and Recovery

It has a really good Diagnostics section for clients.

Have a good evening

Cheers
 