
Login failures when PDC is rebooted 2

Status
Not open for further replies.

force5

ISP
Nov 4, 2004
118
US
Hello,
we have 2 branch locations each with a domain controller and DNS running on them. At corporate, is our PDC (global catalog) and 1 other Backup domain controller (both also running DNS). We sometimes need to reboot the PDC for some reason during working hours and when we do, it causes some issues. Although this only happens a few times per year, it's a pain! It causes logon failures and other strange issues like accessing certain network resources, etc. The PDC takes approximately 7 minutes to boot up.

Why doesn't the backup domain controller(s) handle these requests during this time? I thought that was a benefit of having BDCs, LOL. Maybe I don't have replication set up often enough?

Any help would be appreciated,

Oh yeah, not sure if it matters, but I migrated all of our servers and domain from NT4 to a fully functional AD domain about 3 years ago. I did not do a fresh install.



Thanks,

Chad
Network Administrator
 
Ok so first...get the idea of PDC/BDC out of your head :) There is a PDC emulator role, however, the DCs do not work the same as in NT4...and DNS resolution is dependent on tcp/ip configuration, only the replication of the zones is part of the multimaster topology of AD...and even then, only AD integrated zones....

What OS is this btw? Also, you did not mention what site has this problem when the PDCe is rebooted. I will go off the assumption that you only have 1 DC per site (each running DNS, as all DCs should), and that all clients in each site point only to their local DC for DNS...if that is not accurate, please let me know so I can change the below information to reflect info you provide...

FIRST-THE DC CONFIG---
Does your PDCe point to itself and itself only for DNS?
Does your replica DC in the branch point to the PDCe for its preferred, and itself as alternate for DNS?
If the answer to the 2 above questions is no, there's where you should start....it will allow you to control name resolution traffic and replication topology better as your environment grows...

NOW CLIENT CONFIG---
Now, do all clients in the site with the PDCe point to only the PDCe for DNS? If the answer is yes, then your problem is that you need to add the DC in your branch site as an alternate DNS server in your DHCP scope (or manually, depending on your infrastructure)....
Do all clients in the branch site with the replica DC point only to the replica DC? If yes, you will experience the same problem in the branch site when the replica DC is rebooted....the fix is the same, but in this case, add the PDCe in the hub site as the alternate.

-------------------------------

All of that will ensure your configuration is correct for confined control of the replication topology as the environment grows and adds more sites and more DCs; it will ensure a predictable name resolution path in cases where records do not exist on a DC being queried for name resolution; it will ensure all clients get the fastest possible name resolution on the internal domain; and finally, it will ensure the clients can access an alternative DNS server hosting the SOA for your domain

This should eradicate your problem. You need only actually do the client portion, but I strongly suggest also doing the DC portion...

Also, if possible, you should add at least 1 more DC per site for redundancy...

-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+

 
Hey Brandon...Thanks for your reply. Here are the answers to your questions:
Yes, I am aware that PDC/BDC is old NT terminology and knowledgeable on the current roles. In many forums, including this one, people still use those terms as a kind of "mental" picture of the setup. So that's why I used them. Sorry for the confusion :)

1.) Server 2003 Standard SP2. And yes, your assumption is correct, we have 1 DC per branch site and they each run DNS. We actually have 7 other locations, but they are small (2 employees) store fronts that sell hydraulic parts. There are no servers at these locations, but they do point to the closest geographical DC.

As far as the rest THE DC CONFIG and the THE CLIENT CONFIG, I was going to answer them one by one, but I can easily answer them all by letting you know that all clients at all sites are set up properly, the way you mentioned. They are using their own DC for their primary and the pdc as the alternate.

Thanks...any more ideas?



Thanks,

Chad
Network Administrator
 
Make sure all your DC's are GC's.


RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
I thought you could only have 1 GC? We currently are only using 1 GC throughout our domain and that is our PDC.

Thanks....

Thanks,

Chad
Network Administrator
 
Force-to answer the quick answer, you should have at least 1 GC per site. All domain members will perform a GC query to get basic information about group membership within universal AND global groups (although I do not think the global group membership lookup is publicly stated...I worked at MS as bronze (top level) support and a mentor of other directory service engineers for a couple of years...so I know this as VERY true).

Now to the other...no confusion caused, I just want to be sure you have a solid concept. Those who refer to a PDC/BDC infrastructure show automatically they truly don't know much unless they refer to the multimaster topology as the real deal with AD...keep that in mind for who you take advice from.

Yes I have an idea...search your registry for a value named NT4Emulator. If you have it on your DCs, delete it. This will be the cause of your problem if it's there. If it's not there, let me know.

See for more information on the value.
In a nutshell, this will cause Win2000/2003 to behave as NT4 did.

-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+
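Added example (not code from the thread or from any poster): a read-only PowerShell audit of every DC against the advice in the two posts above, the DNS client rule (PDCe points to itself; replicas point to the PDCe first and themselves as alternate), the one-GC-per-site point, and the NT4Emulator check. It assumes the RSAT ActiveDirectory module, WinRM access to each DC, and that the value lives under Netlogon\Parameters, its documented location.

```powershell
# Added example, not from the thread: audit DCs for DNS client order, GC role and NT4Emulator.
# Assumes RSAT ActiveDirectory module and WinRM to every DC. Changes nothing on the DCs.
Import-Module ActiveDirectory

$pdce   = (Get-ADDomain).PDCEmulator                      # FQDN of the PDC emulator
$dcs    = Get-ADDomainController -Filter *
$pdceIp = ($dcs | Where-Object { $_.HostName -ieq $pdce }).IPv4Address

$report = foreach ($dc in $dcs) {
    $isPdce = $dc.HostName -ieq $pdce

    # DNS client list of the DC's first configured IPv4 NIC, as seen from the DC itself
    $dns = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } |
            Select-Object -First 1 -ExpandProperty ServerAddresses
    })

    # Rule from the thread: PDCe -> itself only; replica -> PDCe preferred, itself as alternate
    $dnsOk = if ($isPdce) {
        $dns.Count -eq 1 -and $dns[0] -eq $dc.IPv4Address
    } else {
        $dns.Count -ge 2 -and $dns[0] -eq $pdceIp -and ($dns -contains $dc.IPv4Address)
    }

    # Is the NT4Emulator value present? (documented location; read only, never deleted here)
    $nt4 = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).NT4Emulator
    }

    [pscustomobject]@{
        DC           = $dc.HostName
        Site         = $dc.Site
        Role         = if ($isPdce) { 'PDCe' } else { 'Replica' }
        IsGC         = $dc.IsGlobalCatalog           # thread advice: every DC (or one per site) a GC
        DnsServers   = ($dns -join ', ')
        DnsAsAdvised = $dnsOk
        NT4Emulator  = if ($null -ne $nt4) { $nt4 } else { 'absent' }
    }
}

$report | Format-Table -AutoSize
```

A site whose only DC shows IsGC = False, or any DC with NT4Emulator not "absent", is the condition the thread says reproduces the logon failures during a PDCe reboot.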
 
I made the change to all domain controllers and checked the GC checkbox. Thanks guys!! I'll test this out this weekend.
Also, I will check the registry tomorrow.

have a good one,



Thanks,

Chad
Network Administrator
 
The GC thing will do it for you too if both weren't GCs.

You do have one other option if you have low bandwidth and are worried of replication overhead, and that is to enable universal group membership caching at the branch location.
Be advised that this actually caches global and universal group membership, just like a GC, despite its name.

My bet is that will do the trick for you if NT4Emulator key is not present. Both can have the same result that you are experiencing.

-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+

 
Again, thanks a lot! I could have sworn that I read an MS article (or maybe it was in the Help File on the server) that only 1 GC was necessary. But after ADGod and Roadkill posted this info, I have since found a lot of info on this. I appreciate it. We did in fact only have 1 GC in our whole domain, so I'm sure this will help. I plan on testing this out over the weekend.
I also searched the registry on all of our DCs and did not find NT4Emulator on any of them. So we're good?

Excellent help guys, you made my week!

Thanks,

Chad
Network Administrator
 
Yep that should do it for ya. Glad to hear you got it worked out :)

-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+

 
Gentlemen,

I hate to bring this back up, but I had never had a chance to test this out properly due to a huge staff reduction. I am pretty much a lone ranger in IT now. However, an uninvited test happened Wednesday this week. Our main server (email, print, file, DHCP, DNS, Domain Controller) went down HARD, LOL. I had to eventually replace the motherboard and the riser.
Anyway, while this thing was down, our network was in shambles as you can imagine. We are not a huge company and do not have the budgets for a separate server to run each individual role. But despite me making those changes that you all recommended (making all domain controllers GCs and pointing Pri & Alt DNS appropriately) we still saw a lot of strange problems. We could not get out to the internet at all. I would think that our secondary DC would have taken over and handled the proper DNS via Microsoft's integrated root servers?? We saw some strange remote desktop connection issues when trying to remote into other servers, some users could log in, some couldn't. I have to say, it was not "as bad" as before those changes, but something still isn't right. Heck, I even forced my laptop to use the secondary DNS server (also GC) and it still would not work.
Is there anything else I can check?

Thanks a lot

Thanks,

Chad
Network Administrator
 
DNS doesn't work that way. You are forgetting to put a forwarder to your ISP's DNS server. Do that, you'll get out...or create a new root hint (forwarders are easier and more readily configurable though)

- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (
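Added example (not from the thread): a PowerShell check that every DC's own DNS service can resolve external names by itself, so Internet access does not depend on the PDCe being up. It assumes the RSAT ActiveDirectory and DnsServer modules, DNS admin rights on each DC, and a public probe name (www.example.com, chosen here only as a resolution test); the ISP DNS address in the comment is a placeholder.

```powershell
# Added example, not from the thread: does each DC's DNS server have forwarders (or root hints)
# and can it resolve an external name on its own? Assumes RSAT AD + DnsServer modules.
Import-Module ActiveDirectory
Import-Module DnsServer

$probeName = 'www.example.com'      # public name used only to test external resolution

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # Forwarders configured on this DC's DNS service (the thread's recommended fix)
    $fwd   = (Get-DnsServerForwarder -ComputerName $dc.HostName).IPAddress
    # Root hints are the alternative Brandon mentions; count how many this DC holds
    $hints = @(Get-DnsServerRootHint -ComputerName $dc.HostName).Count

    # Ask this DC directly (-Server) so no other DC can answer on its behalf
    $resolves = $false
    try {
        $answer = Resolve-DnsName -Name $probeName -Type A -Server $dc.IPv4Address `
                                  -DnsOnly -ErrorAction Stop
        $resolves = [bool]$answer
    } catch {
        $resolves = $false
    }

    [pscustomobject]@{
        DC               = $dc.HostName
        Forwarders       = ($fwd -join ', ')
        RootHints        = $hints
        ResolvesExternal = $resolves
    }
}

$results | Format-Table -AutoSize

# To add a forwarder on a DC that has none (placeholder address, replace with your ISP's resolver):
#   Add-DnsServerForwarder -ComputerName <dc-fqdn> -IPAddress '<ISP-DNS-IP>'
```

A DC with an empty Forwarders column and ResolvesExternal = False is the one that left the site without Internet name resolution while the main server was down.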
 
When you take the server with the pdc role expect some dramas. The pdc role does some very important things in a 2k+ domain. Some truly bizarre things can happen when it's MIA.

Most of the answers above are way off the mark.

Best way to get around this is to plan your outage, move the role to another dc the day before to give replication time to sync.

Also check your dns hierarchy to ensure when that server is down dns resolution doesn't get upset.
 