
Very slow logon to secondary domain controller when primary goes down

Status
Not open for further replies.

jstevens

IS-IT--Management
Jul 31, 2001
144
US
Greetings,

I have a network with two domain controllers, WIN2k3. Primary is master of all, RID, Infrastructure, PDC, Domain naming, Schema... I have DNS and WINS setup on both servers and they are replicating correctly.

Here is the problem, when the primary DC goes down, it then takes up to 4 minutes for workstations to logon. They seem to pause at a blank screen after applying settings. The workstations then logon ok (login script is run) and everything else seems fine such as browsing and network authentication.

Of course the workstations have DNS and WINS of both servers however the primary settings are for the primary DC.

I just had a thought, I will remove the primary and leave only the secondary IP's for WINS and DNS and see if it is a WINS/DNS problem. Such as the primary is not reachable so the workstations (All XP-SP2) round robin takes a very long time?

The other thought I had was there is no PDCE apparently when the primary dc goes down. I noticed this when I attempted to get into AD Domains and Trusts with the master DC down. I have placed another GC on the secondary DC which I think MS says not to do but it did not seem to help anyway.

Thank you in advance.

Jason Stevens
 
Jason, you would want to have redundancy in your Global Catalogs for sure.

If the server is going to be down for long periods of time, then you should transfer FSMO roles with the exception of the Schema master to the other server. If it will be down permanently then you need to transfer Schema as well. If the server is just down for some periodic maintenance then leave the roles alone.

Also, do you have redundancy in your DHCP? Verify your clients can get an address if you release their address first. Second I would alter the scope options to move the second server to the top for DNS while the other server is unavailable.

I hope you find this post helpful.

Regards,

Mark
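The role check and transfer Mark describes, as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module (RSAT) and Domain Admin rights; the server name DC2 is a placeholder for the surviving domain controller.

```powershell
# Added example (not from the thread): show where each FSMO role lives, then
# transfer the four non-schema roles to the surviving DC before the other one
# goes down for an extended period. Schema Master is deliberately left alone.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Current role holders, domain-level and forest-level
[PSCustomObject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    SchemaMaster         = $forest.SchemaMaster
} | Format-List

# Placeholder: the DC that will stay online
$survivor = 'DC2'

# Transfer (not seize): both DCs must be reachable for this to succeed.
Move-ADDirectoryServerOperationMasterRole -Identity $survivor `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, DomainNamingMaster `
    -Confirm:$false

# Verify the transfer took effect
(Get-ADDomain).PDCEmulator
(Get-ADForest).DomainNamingMaster
```

Run it while the failing DC is still online, since a transfer needs the current holder to hand the role over. The `-Force` switch seizes a role from a dead holder instead; that is only appropriate when the old server will never come back, because a seized role holder that later reappears on the network creates two DCs that each believe they own the role.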
 
Yes I have redundant DHCP but on a manual basis. The leases are good for 24 hours.

The server is only down periodically or under case of emergency. I am currently having a hardware issue with my master PDC hence my dealing with this issue.

I have not had a chance to do the test of only assigning the secondary DC's IP for DNS and WINS to see if it is a resource location - DNS/WINS timeout issue or if the problem is due to not having an additional PDCE on the LAN and windows is just timing out.

I had migrated from 2000 server to 2003 and I have been running in mixed mode AD and have not raised functionality. I wonder if raising functionality to 2k3 will resolve the issue of having to rely on the PDCE?

This is very annoying. The reason to have multiple DC's is to provide a Seamless failover. This obviously is not happening for me. =D

If anyone has experienced this issue or knows of a Q article (which I have not been able to find as of yet) or resolution please update this thread.

Thank you much in advance.

Jason
 
Hi Jason,

I think you are on the right track here...

I don't believe your FSMO roles are the problem. The PDCE provides backwards compatibility for NT4 BDC's and also primarily time synchronization in Windows 2000 (Kerberos Authentication Protocol).

If your clients are using Windows XP then I'd be more focused on a possible issue with DNS. How is your DNS setup? Do you have both internal / external DNS? For Internal DNS - are your DC's pointed to one another for Primary DNS and secondary to themselves?

Not sure what other things might be going on but we'll help you get this figured out :)

Thanks!

Darryl Brambilla
IT Manager
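A way to check the DNS side Darryl is asking about, as an added PowerShell example that is not from the original thread. It walks the DNS servers configured on the client, asks each for the DC locator SRV records a workstation would query, and tests whether every advertised DC answers on the LDAP and Kerberos ports. It assumes the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later); `corp.example` is a placeholder for the real domain name.

```powershell
# Added example (not from the thread): which DCs does each configured DNS
# server advertise, and are those DCs actually reachable?
$domainName = 'corp.example'   # placeholder, replace with the AD DNS domain

# DNS servers in the order the client resolver tries them
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique

foreach ($dns in $dnsServers) {
    Write-Host "== DNS server $dns =="
    try {
        # The record a domain member looks up first when locating a DC
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domainName" -Type SRV `
            -Server $dns -DnsOnly -ErrorAction Stop
    } catch {
        # A dead first-listed DNS server costs every lookup a timeout before
        # the resolver moves on, which shows up as a slow logon
        Write-Warning "  $dns did not answer: $($_.Exception.Message)"
        continue
    }
    foreach ($rec in ($srv | Where-Object { $_.Type -eq 'SRV' })) {
        $dc   = $rec.NameTarget
        $ldap = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
        $krb  = Test-NetConnection -ComputerName $dc -Port 88  -WarningAction SilentlyContinue
        [PSCustomObject]@{
            DC       = $dc
            Priority = $rec.Priority
            Weight   = $rec.Weight
            LDAP389  = $ldap.TcpTestSucceeded
            Kerb88   = $krb.TcpTestSucceeded
        }
    }
}
```

If the downed DC is still listed as a target with LDAP and Kerberos unreachable, the client will keep trying it until the locator gives up and falls back to the other record; on the affected workstation, `nltest /dsgetdc:<domain> /force` shows which DC the locator actually settled on and how long that took.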
 
Thanks for your reply Darryl,

I have both servers pointing to each other and have verified DNS and WINS replication. DCDIAG reports no errors. I did have a group policy issue reported in my log. It is also possible that for some reason the GP did not replicate to the second server correctly and the workstation hung on loading the GP.

I will have to test this offline as I have my primary server back up heh.

Thanks,

Jason
 
Hello..

I am having sorta the same problem.

I have 2 Domain Controllers with 1 DC holding all FSMO roles. Both DCs are DNS servers and Global catalogs.

I am in 2003 functional mode

If my PDC goes down, I cannot log into the Domain. I get Domain is not available.

After reading, I have come to the conclusion that the PDC has to be functioning in order for users to log into the domain.

If the PDC goes down, then you have to seize the FSMO roles in order for Domain functionality to occur

Here is the discussion I am in...
 
Unbelievable.

I can't believe this. In NT4 all clients would roam between DC's depending on their location. You mean to tell me that the PDC of 2k, 2k3 is the only server that can run the PDCE role, and if the PDCE goes down clients cannot logon until you transfer that role.

I do not think this is correct. To my knowledge XP does not need the PDCE role to logon, but it sure sounds like it does reading your other thread.

Well now my system is in an even worse situation. My PDC is taking very long to boot now and is having service failures. I am going to demote my secondary back and remove my dns and wins configurations.

This is sad,

 
Well I was able to logon to my second DC, but it was very slow. However since bringing up a second DC I am having so many errors now I have had to demote it.

If anyone has had the joy of messing around with 8021 and 8032 errors you know what I mean.

NDS > AD

Jason
 
As an update to this thread these are the errors I was getting during failure

“There are currently no logon servers available to service the logon request.”

I believe the server was unable to locate network resources by DNS or WINS or RPC had completely failed.

"DFS could not contact any DC for Domain DFS operations. This operation will be retried periodically."

"The PrintQueue Container could not be found because the DNS Domain name could not be retrieved. Error: 54b"

"The DHCP service failed to see a directory server for authorization."

"The Security System detected an authentication error for the server ldap/servername.domainname.com. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

On my 2000 servers I was getting a lot of 8021, 8032 failures.

On my PDC multiple services failed during boot as AD or DNS was not available.

Once I removed my second DC these errors stopped.

Jason
 
Just a check here but are the workstations attempting to connect to resources (esp. mapped drives) on the Primary server? This would cause the longer logon times when the server is not available.

George
MCSA +Messaging (Win2k) A+, Net +
 
Greetings Crazyfitz,

We have a logon script that runs and maps drives to that server however the part that hangs is either at applying computer settings or just at a blank screen. I have our scripts set to run asynchronously and they run after the desktop is loaded.

It looks like the logon process hangs at loading the group policy. If I disable group policies the logon process is much much faster, but still not normal.

Jason
 
What I'd look for at this point are: what policies are in place that would require a connection to the primary server? Folder redirection, software installation share points. What about printer connections? Is the PDCE also the print server? Are the user's home directories on the primary server?


Just trying to eliminate stuff that might be a problem.


George
MCSA +Messaging (Win2k) A+, Net +
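One way to answer George's question systematically, as an added PowerShell example that is not part of the original thread: scan every GPO's XML report for UNC paths that point at a particular server, which catches folder redirection targets, software installation shares and script paths in one pass. It assumes the GroupPolicy module (RSAT) and read access to all GPOs; `PDC1` is a placeholder for the server name.

```powershell
# Added example (not from the thread): list GPOs whose settings reference a
# share on the given server. A client applying such a GPO while that server is
# down will wait on the unreachable path before moving on.
Import-Module GroupPolicy

$server  = 'PDC1'   # placeholder, replace with the primary DC / file server
# Regex for \\PDC1\ followed by the rest of the path (stops at whitespace, quotes or XML tags)
$pattern = '\\\\' + [regex]::Escape($server) + '\\[^\s"<]*'

foreach ($gpo in Get-GPO -All) {
    # Get-GPOReport without -Path returns the XML as a string
    $xml  = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $hits = [regex]::Matches($xml, $pattern, 'IgnoreCase') |
        ForEach-Object { $_.Value } | Select-Object -Unique
    if ($hits) {
        [PSCustomObject]@{
            GPO   = $gpo.DisplayName
            Links = ($gpo | Get-GPOReport -ReportType Xml | Select-String -Pattern '<SOMPath>' -AllMatches).Matches.Count
            Paths = ($hits -join '; ')
        }
    }
}
```

Any GPO listed here depends on the named server being up during policy processing, so it is a candidate for moving the share to a replicated location or for removing the dependency. Note that the GPO contents themselves live under SYSVOL on every DC, so a GPO that references no other server still applies normally when one DC is down.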
 
Crazyfitz...

Not to hijack the thread but I am in sorta the same situation as jstevens

To answer your last question as it pertains to me...My PDCE does contain Folder redirections and is the software installation point (office 2003) using Group Policies
 
Heheh greetings Davey,

Currently I have no folder redirection or DFS replication, no network / administration software installs. Print queues, home folders and primary file shares are on the PDC but the hangup occurs during logon processing and not desktop launching or logon script processing which is why I think it is a group policy or AD issue.

However since I have had so many problems setting up the second DC I have had to take it back down. My issues could be not related to this functionality of PDC/BDC but a separate DNS or AD issue.

I guess the question is, has anyone setup a second DC and then taken down the PDC and have seamless operation? If so then I know my problem is something different than what I originally thought. The original problem is not uncommon as other people have had the same issue to varying degrees. Some have not even been able to logon at all. In all of my previous multi-dc network setups, I never actually brought down the PDC and tested logon and network access. Doh.

Thanks for your help!

Jason
 