Isolated member server won't authenticate with Isolated DC


David

Hopefully someone can answer with the reason why this doesn't work.

I ran dcpromo on a server and made it a DC. This DC has none of the FSMO roles on it and is not a global catalog server. However, everything seems to work OK within the domain. I take this DC, power it off, and hook it up to an isolated network. I take another member server in the same domain, power it off, plug it into this isolated network and power it back on. Now there are 2 machines on an isolated switch: a DC and a member server. I can log in as administrator (presumably cached), but not as any other user. It tells me the domain is unavailable. Oh, one other thing: this isolated DC is also a DNS server and all the settings are set up properly to see it. The only errors I am getting are that replication stuff. I'm wondering if there is an obvious reason that I'm missing. I don't have this setup anymore, so I'd have to put it back into a test lab to duplicate.

-D

You said it yourself. The DC is not a GC, and as it is the only DC in your test lab (and not a GC), users will not be able to authenticate. For logon a GC IS needed (to check for universal group memberships throughout the forest, whether you use them or not). When no GCs are available only the administrator can log on; otherwise no one would be able to troubleshoot (chicken-and-egg story).
 
A GC is really only needed in a Native Mode AD environment. And I am pretty sure that you can change this, too....

It all depends on what David is going to do. Usually when you take a production DC out of production and put it in an isolated test environment you would have to do a metadata cleanup in the production lab (aka: remove all references to the 'lab' DC) and seize the FSMO roles in the test lab (via ntdsutil). However, this assumes that this DC will not be put back in the production environment. Well, not without a dcpromo cycle....

Also, it would be a really good idea to make that DC a Global Catalog Server.... even though I stated above that a GC is only really needed in a Native Mode AD environment.

--
Cary W. Shultz
Roanoke, VA 24012

WIN2000 Active Directory MVP
http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)
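An added example, not from the thread or from either poster, of checking the points the replies raise from a machine on the isolated network: whether any GC can be located, which DCs still hold the FSMO roles, and the repadmin/ntdsutil commands Cary refers to. The domain name example.com and the DC name LABDC1 are assumed placeholders; replace them with the lab's own values.

```powershell
# Assumed placeholders (not from the thread): the lab domain and the isolated DC.
$Domain = 'example.com'
$LabDC  = 'LABDC1'

# 1. Can a Global Catalog be located at all? With only a non-GC DC on the
#    isolated switch this fails (status 1355, ERROR_NO_SUCH_DOMAIN), which is
#    why non-administrator logons report "domain unavailable".
nltest /dsgetdc:$Domain /GC
if ($LASTEXITCODE -ne 0) {
    Write-Warning "No Global Catalog reachable for $Domain; only cached logons will work."
}

# 2. Which DCs hold the five FSMO roles? In the isolated lab these still name
#    production DCs that are no longer reachable.
netdom query fsmo

# 3. Make the lab DC a Global Catalog (sets the IS_GC option on its NTDS
#    Settings object). The GC partitions are built from the local copy of the
#    directory, so no replication partner is needed.
repadmin /options $LabDC +IS_GC

# 4. Seize the FSMO roles onto the lab DC, as Cary describes. Only do this if
#    the DC will never return to production; each seize asks for confirmation.
ntdsutil 'roles' 'connections' "connect to server $LabDC" 'quit' `
    'seize schema master' 'seize naming master' 'seize PDC' `
    'seize RID master' 'seize infrastructure master' 'quit' 'quit'

# 5. Re-check: the GC lookup should now succeed and the roles should list $LabDC.
nltest /dsgetdc:$Domain /GC
netdom query fsmo
```

On Windows 2000 the naming-master command is spelled `seize domain naming master`; the metadata cleanup on the production side (also done in ntdsutil) is a separate step not shown here.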
 
Hello, I have a similar problem, except my 3rd DC is a global catalog. I created the DC on a different network B with connectivity to the main network A; when the network link fails we can't authenticate on a node in that isolated network B to the DC in network B.