why doesn't my second domain controller act like one?

[xyyz]

i noticed something while i took my first DC down to install some upgrades.

while i was able to log into the domain, the second wasn't able to do much because it said the active directory was unavailable.

any idea what's going on here? i thought DC's were were redundant. why is it when one was powered down, the remaining DC wasn't able to do what the downed one did?

 

[ITJunkie]

Well...do you have the second DC setup as Global catalog server too?

 

[Smilin]

Where to begin?

I'm assuming you're single-site, single-forest, 2-dc single domain.

What do your event logs say?

I would probably start by taking a peek at DNS. Ensure ldap, kerberos etc SRV records exist for the 2nd dc. You can do a "net stop netlogon & net start netlogon & ipconfig /registerdns" to ensure things are being automatically registered.

 

[xyyz]

thanks for the replies.

these are test systems. something i've setup to better familiarize myself and subsequently learn myself installation/administration of a w2k3/xp domain.

i'll take them one at a time:

Well...do you have the second DC setup as Global catalog server too?

i honestly don't know what this means. all i did with the second DC was join it to the domain as another domain server. i don't know if this set the second DS as a global catalog server.

Ensure ldap, kerberos etc SRV records exist for the 2nd dc.

they all exist for the second DC on the DC as well as the PDC.

what are the next steps i should take?

 

[Smilin]

Post the exact repro steps and error messages you are getting.

ie are you just trying to sign on to a workstation and get a particular error? if so what is it.


Check your event logs to see if you are throwing any errors or warnings on that DC.
Confirm that the workstation you are trying to log on to is using the same DNS that the DC is.
Ensure the KDC and netlogon are running.

 

[Schloonce]

Originally posted by: xyyz
all i did with the second DC was join it to the domain as another domain server. i don't know if this set the second DS as a global catalog server.

Did you run dcpromo and make it a domain controller, or did you just install 2k3 and walk away? Sounds like you have a DC and a member server.

TechNet article - http://technet2.microsoft.com/...-268f550d7c6b1033.mspx

 

[xyyz]

i'm going to remove the LAN connection on the PDC and give the exact error messages.

as for the dcpromo. my poor memory doesn't allow me to remember if i ran DCPromo or not (is there a command i can use to check?) However, looking at the "Configure Your Server Wizard" shows this server with a "Yes" next to "Domain Controller (Active Directory). The description says the server is configured as a domain controller.

EDIT:

i tried logging into the domain and it gave something along the lines of, the system cannot log into domain xxx because it is unavailable.

on the xp machine, the event viewer says something along the lines of the system not being able to resolve the name for the domain controller. i don't know if this is directly related or not. i don't know why this is the case. DNS as was verified previously is running on the machine.

 

[Schloonce]

If there are icons for Active Directory in your Administrative Tools folder, then (unless you've installed the admin tools) you are sitting at a DC.

You can always dcpromo it down to a member server, reboot, then dcpromo it back to a DC.

The login issues are probably related to DNS. Is your DHCP server pushing out your ISPs DNS (I tend to see this a lot coincidentally with domains named .com...) or your own DNS?

 

[stash]

I'm surprised I haven't seen this question yet: did you install DNS on the second DC?

If you shut down the first DC and that's the only DNS server, it won't work too well.

You can achieve the same negative effect by not listing a valid DNS server in your TCP/IP config, which has been mentioned a couple times now.

Please don't take this the wrong way, but are you the admin for this domain? Or is this just a test lab you're playing around with?

 

[xyyz]

issue resolved.

the server was running AD, and DNS was installed ages ago. the IP addresses are private. there was no issue with the machine getting IP addresses. as for DNS, i thought that was not an issue since this problematic DC had the DNS entries for ldap, kerberos, etc. populated. also, this DC is the first DNS server listed for all other machines. running nslookup shows the DNS on this DC is working perfectly. furthermore, iirc, you can't make a machine a DC if there is no DNS running on that machine.

i think ITJunkie had it. while i don't know what the global catalog does or is, i put a check mark in that box on this DC and viola, problem solved.

 

[stash]

furthermore, iirc, you can't make a machine a DC if there is no DNS running on that machine.

Not true.

while i don't know what the global catalog does or is, i put a check mark in that box on this DC and viola, problem solved.

A GC is required for logon in a native mode domain, since native mode domains can have universal groups. Universal groups are enumerated by querying a GC.