Networking Forums

Alternate Domain Controller

 
 
davidyeo@gmail.com
08-12-2005, 08:34 PM
I am an admitted Windows Active Directory newbie. Our organization
just built a Windows Server 2003 file server cluster. We have 2 domain
controllers A & B. As far as I know, they don't necessarily act as
"primary" and "secondary" DCs, but more like if one is down, the other
will transparently fill its role. Please correct me if I'm wrong here.

Anyway, since we created the 2nd DC and tested it out by bringing down
the 1st DC, it seems users accessing the file server can only
authenticate when the 2nd DC is up, i.e. users are never relayed to the
1st DC (up again) when the 2nd is down. When logging in with the 2nd
DC down and 1st DC up, I get the following error message:

"There are currently no logon servers available to service the logon
request."

Neither DC A nor DC B acts as a DNS server, but both have update
privileges on our DNS BIND servers. I'm assuming our Active Directory
DNS entries need some tweaking to make DC A the "active" DC again?
Is there a way to make the DC failover more transparent?

 
Dmitry Korolyov [MVP]
08-14-2005, 08:45 AM
It's pretty transparent when your DNS infrastructure functions fine, and no
tweaking is required. You need to make sure that on the client side, the correct
DNS server(s) are configured. It should be a server able to resolve
AD-related records in DNS. You can even test it manually using nslookup.

If both SRV entries (for both DCs) are returned in a DNS query, then your
DNS functions fine. Else you have to fix DNS before touching anything else.

--
Dmitry Korolyov [(E-Mail Removed)]
MVP: Windows Server - Directory Services


James Price
08-14-2005, 11:36 PM
David,

It sounds like your DCs are ok, but that DNS isn't functioning quite right.
If I understood you correctly, you are using BIND as your primary DNS provider
and you set up records in BIND for the Windows servers?

Long story short, this configuration can work fine, but you've got to work
harder to set it up and maintain it. It's also important that it's a version
of BIND that's compatible with AD. I generally don't recommend using BIND in
a Windows environment, not b/c I don't think BIND is a great DNS platform but
b/c I'm for the simplest design that works, and adding BIND to a
Windows environment doesn't really keep to that theme in my mind.

Long story short, for a user to authenticate to a file server the file
server needs to be able to check with a DC to see if the user has permission
to access the directory/file. It does this by doing a DNS query for a DC;
specifically it's looking for the SRV records in the domain DNS zone. If you
only have one of your DCs listed there and it's not the one that's available,
then, there you are...
--
James E. Price III
Fairway Consulting Group, Inc.
O: 954-727-5126
C: 305-970-4902
E: (E-Mail Removed)
W: www.fcgroup.us


 
davidyeo@gmail.com
08-15-2005, 07:00 PM
Thanks for the help guys...

Can someone direct me to some documentation on how the zone data file
for a Windows domain (with more than one domain controller) should
look?

I noticed more weird behavior... While access to network shares only
seems to authenticate with the 2nd domain controller, it seems that
Windows logon can authenticate with either domain controller. Does
this indicate certain protocols are not being forwarded to EITHER
domain controller? Is there a particular section of the domain zone
data file I should be focusing on?

 
James Price
08-17-2005, 02:08 AM
David,

Are both of your DCs Global Catalogs as well? If not, which one is a GC?
When which one is off-line do you lose file share authentication?

As for what the domain zone looks like, it's too difficult to explain in a
post, but if you email me I'll try to figure out a way to get the basic
content into an email for you. For what it's worth, the _msdcs.yourdomain.com
zone file is discussed in some detail in chapter 3 of the Active Directory
for Microsoft Windows Server 2003 Technical Reference book from MS (ISBN
0-7356-1577-2). This reference has come in handy more than once for me.

Now for one possible sign of hope in all this: when you promote a server
to a DC it writes all the records needed by the Forest/Domain (as it
existed at that time) to a file called Netlogon.dns, located in the
%systemroot%\system32\config folder. If we're lucky you'll be able to find
this file on at least one of your DCs and use it to build a correctly
populated _msdcs.yourdomain.com file on your UNIX system running BIND. If we
can get this working correctly then we'll move on to configuring BIND to
support dynamic updates from your DCs so hopefully you won't have problems in
the future.

It really drives me crazy when people ask me this, but are you really
dead set on integrating BIND with AD? Fear not, I and others will stick with
you no matter what the answer, but I just felt compelled to ask.
--
James E. Price III
Fairway Consulting Group, Inc.
O: 954-727-5126
C: 305-970-4902
E: (E-Mail Removed)
W: www.fcgroup.us


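An added check, not posted by anyone in this thread, that ties together Dmitry's "both SRV entries must come back" test and James's Netlogon.dns suggestion: it reads a Netlogon.dns-style record list and reports which DC is absent from the SRV names a member server uses to locate a DC. The example.com domain, the dc-a/dc-b host names and the sample zone content are constructed; dc-a is deliberately left out of the _msdcs records to reproduce the one-DC-only symptom described above.

```python
import re
from collections import defaultdict

# SRV owner names (relative to the domain) that a member server queries to find a
# DC for LDAP and Kerberos. Every DC must be listed under each one, or clients
# cannot fail over to it. _ldap._tcp.gc._msdcs is not required: only GCs register it.
REQUIRED_SRV_PREFIXES = (
    "_ldap._tcp.dc._msdcs.",
    "_kerberos._tcp.dc._msdcs.",
    "_ldap._tcp.",
    "_kerberos._tcp.",
)

# Constructed sample in Netlogon.dns layout: owner TTL IN SRV prio weight port target.
# dc-b is fully registered; dc-a is missing its _msdcs records (the thread's symptom).
SAMPLE_NETLOGON_DNS = """\
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc-a.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc-b.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc-a.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc-b.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc-b.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 dc-b.example.com.
_ldap._tcp.gc._msdcs.example.com. 600 IN SRV 0 100 3268 dc-b.example.com.
gc._msdcs.example.com. 600 IN A 192.0.2.2
"""

SRV_LINE = re.compile(r"^(?P<owner>\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+\d+\s+(?P<target>\S+)$")

def parse_srv(zone_text):
    """Map each SRV owner name to the set of DC host names it points at."""
    owners = defaultdict(set)
    for line in zone_text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:  # non-SRV records (A, CNAME) are ignored
            owners[m["owner"].lower()].add(m["target"].lower().rstrip("."))
    return owners

def missing_srv(zone_text, domain, dcs):
    """Return {dc: [fully qualified SRV owner names that do not list that dc]}."""
    owners = parse_srv(zone_text)
    report = {}
    for dc in dcs:
        gaps = [p + domain + "." for p in REQUIRED_SRV_PREFIXES
                if dc.lower() not in owners.get(p + domain + ".", set())]
        if gaps:
            report[dc] = gaps
    return report

if __name__ == "__main__":
    for dc, gaps in missing_srv(SAMPLE_NETLOGON_DNS, "example.com",
                                ["dc-a.example.com", "dc-b.example.com"]).items():
        print(f"{dc} is missing from: {', '.join(gaps)}")
```

Point it at the real Netlogon.dns from each DC and at a zone transfer of the BIND zone; any DC that shows up as missing is one that clients cannot fail over to.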

 