Can't logon to one DC if other DC is down

[Steve Gould]

We have two DC's. DC1 holds all FSMO roles. Both are GC's. If DC1 is offline
I cannot logon to DC2. This points at the PDC Emulator being down which it
was. I still find it hard to believe that a DC can't logon to the domain if
the PDC Emulator is offline. Should this be the case?

 

[Jorge de Almeida Pinto [MVP - DS]]

no...

is the remaining DC also a DNS server?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

 

[Herb Martin]

"Jorge de Almeida Pinto [MVP - DS]"

no...

is the remaining DC also a DNS server?

Jorge is right. Make sure you always have a DNS
server up. If you only DNS is on the 'down DNS'
then you really don't have fault tolerance.

Also ensure (especially in Native or Win2003 Server
native mode domains) that you have a GC.

Generally in single domain forests all DCs should be
GCs (AD Sites and Services, DC's "server->NTDS->
properties.)

If these don't cover the problem then run DCDiag on
any DC (good idea anyway) and fix all WARNings
and ERRORs.

 

[Steve Gould]

I didn't think this was right. Thanks for confirming it for me. Both DC's
are GC's and both DC's are DNS servers. This issue should not have occured.
I must be brain dead to have forgotten to run DCDIAG. Thanks for the
reminder. I'll run it right now.

Steve

"Jorge de Almeida Pinto [MVP - DS]"

no...

is the remaining DC also a DNS server?

Jorge is right. Make sure you always have a DNS
server up. If you only DNS is on the 'down DNS'
then you really don't have fault tolerance.

Also ensure (especially in Native or Win2003 Server
native mode domains) that you have a GC.

Generally in single domain forests all DCs should be
GCs (AD Sites and Services, DC's "server->NTDS->
properties.)

If these don't cover the problem then run DCDiag on
any DC (good idea anyway) and fix all WARNings
and ERRORs.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

 

[Steve Gould]

DCDiag passed on both DC's. This morning, before running the tests, I
decided to move the PDC and RID roles back to DC1 as it is the authoritative
time server (runs a 3rd party time server app). I'm not sure it that may
have resolved something. I'm sure the original issue would be resolved
becuase of this, but I wonder what would happen if I moved all roles back to
DC2. I'm not going to test it in production though.

Thanks for your help Herb and Jorge.

Steve

"Jorge de Almeida Pinto [MVP - DS]"

no...

is the remaining DC also a DNS server?

Jorge is right. Make sure you always have a DNS
server up. If you only DNS is on the 'down DNS'
then you really don't have fault tolerance.

Also ensure (especially in Native or Win2003 Server
native mode domains) that you have a GC.

Generally in single domain forests all DCs should be
GCs (AD Sites and Services, DC's "server->NTDS->
properties.)

If these don't cover the problem then run DCDiag on
any DC (good idea anyway) and fix all WARNings
and ERRORs.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

 

[Jorge de Almeida Pinto [MVP - DS]]

time server (runs a 3rd party time server app).

WHY?

DCs have their own time sync mechanism and that works great. not saying you
have, but everyone until now that has been tweaking time sync things within
a forest/domain only have issues and a crap load of headaches

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

DCDiag passed on both DC's. This morning, before running the tests, I
decided to move the PDC and RID roles back to DC1 as it is the
authoritative time server (runs a 3rd party time server app). I'm not sure
it that may have resolved something. I'm sure the original issue would be
resolved becuase of this, but I wonder what would happen if I moved all
roles back to DC2. I'm not going to test it in production though.

Thanks for your help Herb and Jorge.

Steve

"Jorge de Almeida Pinto [MVP - DS]"

no...

is the remaining DC also a DNS server?

Jorge is right. Make sure you always have a DNS
server up. If you only DNS is on the 'down DNS'
then you really don't have fault tolerance.

Also ensure (especially in Native or Win2003 Server
native mode domains) that you have a GC.

Generally in single domain forests all DCs should be
GCs (AD Sites and Services, DC's "server->NTDS->
properties.)

If these don't cover the problem then run DCDiag on
any DC (good idea anyway) and fix all WARNings
and ERRORs.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Steve Gould" <steve.gould(at)apawood.org> wrote in message
We have two DC's. DC1 holds all FSMO roles. Both are GC's. If DC1 is
offline I cannot logon to DC2. This points at the PDC Emulator being
down which it was. I still find it hard to believe that a DC can't
logon to the domain if the PDC Emulator is offline. Should this be the
case?

 

[Steve Gould]

I admit that we have been using it since NT4. We use Tardis. It allows you
to vary your correction rates and to check a number of time servers which
allows for redundancy.


"Jorge de Almeida Pinto [MVP - DS]"

WHY?

DCs have their own time sync mechanism and that works great. not saying
you have, but everyone until now that has been tweaking time sync things
within a forest/domain only have issues and a crap load of headaches

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

DCDiag passed on both DC's. This morning, before running the tests, I
decided to move the PDC and RID roles back to DC1 as it is the
authoritative time server (runs a 3rd party time server app). I'm not
sure it that may have resolved something. I'm sure the original issue
would be resolved becuase of this, but I wonder what would happen if I
moved all roles back to DC2. I'm not going to test it in production
though.

Thanks for your help Herb and Jorge.

Steve

"Jorge de Almeida Pinto [MVP - DS]"
no...

is the remaining DC also a DNS server?

Jorge is right. Make sure you always have a DNS
server up. If you only DNS is on the 'down DNS'
then you really don't have fault tolerance.

Also ensure (especially in Native or Win2003 Server
native mode domains) that you have a GC.

Generally in single domain forests all DCs should be
GCs (AD Sites and Services, DC's "server->NTDS->
properties.)

If these don't cover the problem then run DCDiag on
any DC (good idea anyway) and fix all WARNings
and ERRORs.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Steve Gould" <steve.gould(at)apawood.org> wrote in message
We have two DC's. DC1 holds all FSMO roles. Both are GC's. If DC1 is
offline I cannot logon to DC2. This points at the PDC Emulator being
down which it was. I still find it hard to believe that a DC can't
logon to the domain if the PDC Emulator is offline. Should this be the
case?

 

[Herb Martin]

I admit that we have been using it since NT4. We use Tardis. It allows you
to vary your correction rates and to check a number of time servers which
allows for redundancy.

But it does make sense to run this on the (root forest)
PDC Emulator since that will be the master time source
for other DCs (and other PDC Emulators in multi-domain
forest.)

Less than 5 minutes of time difference is the default for
Kerberos to succeed.

But then if DCs had a time difference then the replication
would not be working either....


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

"Jorge de Almeida Pinto [MVP - DS]"

time server (runs a 3rd party time server app).

WHY?

DCs have their own time sync mechanism and that works great. not saying
you have, but everyone until now that has been tweaking time sync things
within a forest/domain only have issues and a crap load of headaches

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

DCDiag passed on both DC's. This morning, before running the tests, I
decided to move the PDC and RID roles back to DC1 as it is the
authoritative time server (runs a 3rd party time server app). I'm not
sure it that may have resolved something. I'm sure the original issue
would be resolved becuase of this, but I wonder what would happen if I
moved all roles back to DC2. I'm not going to test it in production
though.

Thanks for your help Herb and Jorge.

Steve

"Jorge de Almeida Pinto [MVP - DS]"
message no...

is the remaining DC also a DNS server?

Jorge is right. Make sure you always have a DNS
server up. If you only DNS is on the 'down DNS'
then you really don't have fault tolerance.

Also ensure (especially in Native or Win2003 Server
native mode domains) that you have a GC.

Generally in single domain forests all DCs should be
GCs (AD Sites and Services, DC's "server->NTDS->
properties.)

If these don't cover the problem then run DCDiag on
any DC (good idea anyway) and fix all WARNings
and ERRORs.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Steve Gould" <steve.gould(at)apawood.org> wrote in message
We have two DC's. DC1 holds all FSMO roles. Both are GC's. If DC1 is
offline I cannot logon to DC2. This points at the PDC Emulator being
down which it was. I still find it hard to believe that a DC can't
logon to the domain if the PDC Emulator is offline. Should this be
the case?

 

[Steve Gould]

Tardis has a client/server architecture. All the servers the client service
to sync to the master time server. We sync client workstations via logon
scripts (net time).

I admit that we have been using it since NT4. We use Tardis. It allows you
to vary your correction rates and to check a number of time servers which
allows for redundancy.

But it does make sense to run this on the (root forest)
PDC Emulator since that will be the master time source
for other DCs (and other PDC Emulators in multi-domain
forest.)

Less than 5 minutes of time difference is the default for
Kerberos to succeed.

But then if DCs had a time difference then the replication
would not be working either....


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

"Jorge de Almeida Pinto [MVP - DS]"

time server (runs a 3rd party time server app).

WHY?

DCs have their own time sync mechanism and that works great. not saying
you have, but everyone until now that has been tweaking time sync things
within a forest/domain only have issues and a crap load of headaches

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Steve Gould" <steve.gould(at)apawood.org> wrote in message
DCDiag passed on both DC's. This morning, before running the tests, I
decided to move the PDC and RID roles back to DC1 as it is the
authoritative time server (runs a 3rd party time server app). I'm not
sure it that may have resolved something. I'm sure the original issue
would be resolved becuase of this, but I wonder what would happen if I
moved all roles back to DC2. I'm not going to test it in production
though.

Thanks for your help Herb and Jorge.

Steve

"Jorge de Almeida Pinto [MVP - DS]"
message no...

is the remaining DC also a DNS server?

Jorge is right. Make sure you always have a DNS
server up. If you only DNS is on the 'down DNS'
then you really don't have fault tolerance.

Also ensure (especially in Native or Win2003 Server
native mode domains) that you have a GC.

Generally in single domain forests all DCs should be
GCs (AD Sites and Services, DC's "server->NTDS->
properties.)

If these don't cover the problem then run DCDiag on
any DC (good idea anyway) and fix all WARNings
and ERRORs.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Steve Gould" <steve.gould(at)apawood.org> wrote in message
We have two DC's. DC1 holds all FSMO roles. Both are GC's. If DC1 is
offline I cannot logon to DC2. This points at the PDC Emulator being
down which it was. I still find it hard to believe that a DC can't
logon to the domain if the PDC Emulator is offline. Should this be
the case?

 

[Jorge de Almeida Pinto [MVP - DS]]

so does AD....

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

I admit that we have been using it since NT4. We use Tardis. It allows you
to vary your correction rates and to check a number of time servers which
allows for redundancy.


"Jorge de Almeida Pinto [MVP - DS]"

time server (runs a 3rd party time server app).

WHY?

DCs have their own time sync mechanism and that works great. not saying
you have, but everyone until now that has been tweaking time sync things
within a forest/domain only have issues and a crap load of headaches

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

DCDiag passed on both DC's. This morning, before running the tests, I
decided to move the PDC and RID roles back to DC1 as it is the
authoritative time server (runs a 3rd party time server app). I'm not
sure it that may have resolved something. I'm sure the original issue
would be resolved becuase of this, but I wonder what would happen if I
moved all roles back to DC2. I'm not going to test it in production
though.

Thanks for your help Herb and Jorge.

Steve

"Jorge de Almeida Pinto [MVP - DS]"
message no...

is the remaining DC also a DNS server?

Jorge is right. Make sure you always have a DNS
server up. If you only DNS is on the 'down DNS'
then you really don't have fault tolerance.

Also ensure (especially in Native or Win2003 Server
native mode domains) that you have a GC.

Generally in single domain forests all DCs should be
GCs (AD Sites and Services, DC's "server->NTDS->
properties.)

If these don't cover the problem then run DCDiag on
any DC (good idea anyway) and fix all WARNings
and ERRORs.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Steve Gould" <steve.gould(at)apawood.org> wrote in message
We have two DC's. DC1 holds all FSMO roles. Both are GC's. If DC1 is
offline I cannot logon to DC2. This points at the PDC Emulator being
down which it was. I still find it hard to believe that a DC can't
logon to the domain if the PDC Emulator is offline. Should this be
the case?