Windows-Expert.com
Authentication doesn't fail over to additional DC's

Kimberly Pace
Posted: Thu Mar 27, 2008 2:46 pm    Post subject: Authentication doesn't fail over to additional DC's

Hi,

I have 8 domain controllers in our enterprise. 6 are located at other
geographical sites and 2 are located in our central datacenter. All domain
controllers are handling logon requests through the enterprise. I assumed I
should be able to shut down one of the DC's in the datacenter without causing
logon issues, but that doesn't seem to be the case -- even if I transfer the
PDC emulator role to another DC. Users start calling the HelpDesk saying
they can't log on but more importantly, our BizTalk server won't authenticate
and all users are denied access to our intranet site which relies on BizTalk.
Once the DC controller is back on line, everything goes back to normal.
I've talked with the team controlling the BizTalk server and they assure me
that they don't have any dependencies written into the server configuration
requiring that one DC to be online. I can shut down other DC's with no
interruption to authentication. Any ideas?

Danny Sanders
Posted: Thu Mar 27, 2008 2:48 pm    Post subject: Re: Authentication doesn't fail over to additional DC's

Which server is the global catalog?

hth
DDS

Kimberly Pace
Posted: Thu Mar 27, 2008 2:58 pm    Post subject: Re: Authentication doesn't fail over to additional DC's

Each DC at the six sites is a GC. The 2nd server in the DC is a global
catalog. I have played with changing roles and moving the GC from one server
to the other. I have split the roles between the two and have put all the
roles on one server, etc. Also, I've adjusted the logon cache settings in
group policy, thinking the workstations would try to re-authenticate with the
last DC that logged them on.

Danny Sanders
Posted: Thu Mar 27, 2008 3:13 pm    Post subject: Re: Authentication doesn't fail over to additional DC's

What error do the users get trying to log in when this DC is down?

hth
DDS

Jorge Silva
Posted: Thu Mar 27, 2008 3:23 pm    Post subject: Re: Authentication doesn't fail over to additional DC's

Hi
If you do an ipconfig /flushdns and try again, does it work?
Also check if this helps or if it's related:
http://support.microsoft.com/kb/318803/en-us

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Kimberly Pace
Posted: Thu Mar 27, 2008 3:54 pm    Post subject: Re: Authentication doesn't fail over to additional DC's

The ones who haven't logged on get the normal message about bad
username/password -- I think that if they tried several times and waited 5 -
10 minutes, they would get logged on; however, they call the Helpdesk right
away. The biggest problem is our Intranet -- users see "code" but some of
the error messages indicate that the service account can't log on. Here is a
report from one of the developers.

Here are a few log entries that may be of interest in investigating the
problem that occurred this morning with iSITE's failure to authenticate with
CSQL1 using the VFSSystem account.

---

There are a few of these on WEB2 and WEB3:

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 1/25/2008
Time: 9:14:06 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: WEB2
Description:
Object Open:
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: WinHttpAutoProxySvc
Handle ID: -
Operation ID: {0,7816790}
Process ID: 628
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: WEB2$
Primary Domain: CCCHSD
Primary Logon ID: (0x0,0x3E7)
Client User Name: NETWORK SERVICE
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x3E4)
Accesses: Query status of service
Start the service
Query information from service

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x94

Kimberly Pace
Posted: Thu Mar 27, 2008 3:56 pm    Post subject: Re: Authentication doesn't fail over to additional DC's

Hi,

I've played with all the DNS cache options -- flushing, group policy changes
to remove the cache, etc.; these changes did not seem to have any effect.

Danny Sanders
Posted: Thu Mar 27, 2008 6:46 pm    Post subject: Re: Authentication doesn't fail over to additional DC's

Quote:
Accesses: Query status of service
Start the service
Query information from service

Is the network service started on this server? Go to the services applet on
each and sort by the startup type. Are any services set to start
automatically NOT started?


Also you might search eventid.net for the event ID 560.


hth
DDS

Jorge Silva
Posted: Thu Mar 27, 2008 8:13 pm    Post subject: Re: Authentication doesn't fail over to additional DC's

Check if the clients are using an internal online DNS server, check if you
have a firewall between the clients and that DNS and the DC, and lastly run dcdiag and
netdiag and search the output for errors.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
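
Added example (not part of the original thread and not written by any of the posters): a PowerShell sketch of the DNS and DC-locator checks suggested in the replies above, meant to be run on an affected client or application server while the datacenter DC is offline. The domain name `corp.example.com` is a placeholder assumption, the script assumes a single-domain forest, and `Resolve-DnsName` / `Test-NetConnection` need Windows 8 / Server 2012 R2 or later.

```powershell
# Added example. $Domain is a placeholder (assumption), not a value from the thread.
$Domain = 'corp.example.com'

# 1. Which DNS servers does this machine query? A client that points only at
#    the DC being shut down cannot look up any of the remaining DCs.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Enumerate the DCs and GCs that DNS advertises through SRV records.
#    (GC records live under the forest root; assumed here to equal $Domain.)
$queries = @{
    DC = "_ldap._tcp.dc._msdcs.$Domain"
    GC = "_ldap._tcp.gc._msdcs.$Domain"
}
$targets = foreach ($role in $queries.Keys) {
    Resolve-DnsName -Name $queries[$role] -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object {
            [pscustomobject]@{ Role = $role; Server = $_.NameTarget; Port = $_.Port }
        }
}

# 3. A stale SRV record or a firewall shows up here as a server that is
#    advertised but does not answer on LDAP/GC or Kerberos (TCP 88).
foreach ($t in ($targets | Sort-Object Server, Role -Unique)) {
    $svc = Test-NetConnection -ComputerName $t.Server -Port $t.Port -WarningAction SilentlyContinue
    $krb = Test-NetConnection -ComputerName $t.Server -Port 88 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Role           = $t.Role
        Server         = $t.Server
        AdvertisedPort = $t.Port
        PortOpen       = $svc.TcpTestSucceeded
        Kerberos88     = $krb.TcpTestSucceeded
    }
}

# 4. Ask the DC locator which DC and GC this machine would pick right now,
#    and which DC currently holds its secure channel.
nltest "/dsgetdc:$Domain" /force
nltest "/dsgetdc:$Domain" /gc /force
nltest "/sc_query:$Domain"

# 5. DNS-focused dcdiag run (needs a DC or a machine with the AD DS tools).
dcdiag /test:dns /v
```

Comparing the output with the DC online and offline shows whether the machine is failing to find another DC at all (steps 1 and 2), finding one it cannot reach (step 3), or staying pinned to the offline DC (step 4).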