Re: Authentication doesn't fail over to additional DC's by KimberlyPace
KimberlyPace
Thu Mar 27 09:54:00 PDT 2008
The ones who haven't logged on get the normal message about bad
username/password -- I think that if they tried several times and waited 5 -
10 minutes, they would get logged on; however, they call the Helpdesk right
away. The biggest problem is our Intranet -- users see "code" but some of
the error messages indicate that the service account can't log on. Here is a
report from one of the developers.
Here are a few log entries that may be of interest in investigating the
problem that occurred this morning with iSITE's failure to authenticate with
CSQL1 using the VFSSystem account.
---
There are a few of these on WEB2 and WEB3:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 1/25/2008
Time: 9:14:06 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: WEB2
Description:
Object Open:
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: WinHttpAutoProxySvc
Handle ID: -
Operation ID: {0,7816790}
Process ID: 628
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: WEB2$
Primary Domain: CCCHSD
Primary Logon ID: (0x0,0x3E7)
Client User Name: NETWORK SERVICE
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x3E4)
Accesses: Query status of service
Start the service
Query information from service
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x94
"Danny Sanders" wrote:
> What error do the users get trying to log in when this DC is down?
>
> hth
> DDS
>
> "Kimberly Pace" <KimberlyPace@discussions.microsoft.com> wrote in message
> news:05A07E59-5579-42D1-A131-80734BAD2E48@microsoft.com...
> > Each DC at the six sites are GC's. The 2nd server in the DC is a global
> > catalog. I have played with changing roles and moving the GC from one server
> > to the other. I have split the roles between the two and have put all the
> > roles on one server, etc. Also, I've adjusted the logon cache settings in
> > group policy, thinking the workstations would try to re-authenticate with the
> > last DC that logged them on.
> >
> > "Danny Sanders" wrote:
> >
> >> Which server is the global catalog?
> >>
> >> hth
> >> DDS
> >>
> >> "Kimberly Pace" <KimberlyPace@discussions.microsoft.com> wrote in message
> >> news:8D879F63-002D-4621-A135-C39BF0F6644B@microsoft.com...
> >> > Hi,
> >> >
> >> > I have 8 domain controllers in our enterprise. 6 are located at other
> >> > geographical sites and 2 are located in our central datacenter. All domain
> >> > controllers are handling logon requests through the enterprise. I assumed I
> >> > should be able to shut down one of the DC's in the datacenter without causing
> >> > logon issues, but that doesn't seem to be the case -- even if I transfer the
> >> > PDC emulator role to another DC. Users start calling the HelpDesk saying
> >> > they can't log on but more importantly, our BizTalk server won't authenticate
> >> > and all users are denied access to our intranet site which relies on BizTalk.
> >> > Once the DC controller is back on line, everything goes back to normal.
> >> > I've talked with the team controlling the BizTalk server and they assure me
> >> > that they don't have any dependencies written into the server configuration
> >> > requiring that one DC to be online. I can shut down other DC's with no
> >> > interruption to authentication. Any ideas?