
Possible Duplicate:
What is Active Directory and how does it work?

How do you get workstations to (seamlessly) authenticate with a secondary Active Directory server when the primary one is down?

Background:

I added a secondary Active Directory server to a company's network, hoping that it would do authentication in the event that the primary Active Directory server was down.

Although, the Secondary Active Directory server seems to be replicating correctly, authentication doesn't occur while rebooting the primary Active Directory server.

Do I have a misunderstanding regarding the role of a secondary Active Directory server, or are there additional settings I must set to get the workstations to authenticate with it when the primary is down?

LonnieBest
  • Specifically check out the DNS section, that's most likely what you missed. – Brent Pabst Oct 11 '12 at 14:49
  • I'm assuming that both servers are also DNS servers for your AD DNS zone. If so, did you add the additional server as a secondary DNS server on the clients? – joeqwerty Oct 11 '12 at 15:05
  • That's helpful, but I'm still not clear on how to implement fail-back authentication. – LonnieBest Oct 11 '12 at 15:05
  • Yes, both servers are also doing DNS. DNS is being replicated successfully from primary to secondary. Yes, ipconfig /all shows the secondary dns on the workstations. – LonnieBest Oct 11 '12 at 15:07
  • Then the next step would be to verify your DNS - http://technet.microsoft.com/en-us/library/bb727055.aspx – joeqwerty Oct 11 '12 at 15:15
  • In addition to the link that joeqwerty mentioned, you can also verify if the workstations are correctly pulling the SRV records (http://support.microsoft.com/kb/816587) – Rex Oct 11 '12 at 15:57
  • Yep I'm guessing you've not stuck the secondary domain controllers IP address into DHCP? – Rhys Evans Oct 11 '12 at 15:04
  • Stuck it where? – HostBits Oct 11 '12 at 15:06
  • I have done that DHCP step you mention. If you do "ipconfig /all" on any workstation, it shows both DNS servers. – LonnieBest Oct 11 '12 at 15:10

1 Answer


Well, there is no "Secondary" Active Directory Server. All DCs are fully functioning active Domain Controllers. DCs are found based off SRV records in DNS. Can you verify that all records on your 1st DC under your forward lookup domain zone > _msdcs, _sites, _tcp, _udp, etc. are on your second DC as well and that they have both DCs mentioned?

Clients will cache only one DC name and it may not update its cache to the other DC.

You could also use the following command to see what DC your client is talking to:

nltest /dsgetdc:<your domain>

You'll need to install the support tools first: Windows XP Support Tools

If your client is still trying to authenticate to the restarting DC, you could try rebooting the client, or running nltest /dsgetdc:<your domain> /force.

Also check out the following hotfix: The domain controller locator cannot find an appropriate domain controller on a computer that is running Windows XP or Windows Server 2003

Hopefully that gets you going in the right direction to find your problem.

HostBits
  • Just like workstations can be set to have multiple DNS servers for resolving domain names, I wish each workstation was able to have awareness of multiple Active Directory Servers for authentication (to where it would try the second one when it is unable to authenticate with the first one it tries). – LonnieBest Oct 12 '12 at 14:15
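As an added example (not code from the answer or the original poster), the SRV-record check HostBits describes can be scripted in PowerShell: it asks each DNS server for the DC-locator records and flags any DC that one server knows about but the other does not, then runs the nltest command from the answer. The domain name and server addresses are placeholders, and the script assumes the Resolve-DnsName cmdlet (DnsClient module, Windows 8 / Server 2012 and later).

```powershell
# Added example, not from the original answer. Placeholders: domain and the two
# DC/DNS server addresses. Requires Resolve-DnsName (DnsClient module).
$Domain     = 'corp.example.com'            # placeholder AD DNS domain
$DnsServers = @('10.0.0.10', '10.0.0.11')   # placeholder: both DCs, which also run DNS

# Records the DC locator and LDAP/Kerberos clients look up to find a DC.
$SrvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain"
)

# Query every record against every DNS server and collect the SRV targets.
$results = foreach ($server in $DnsServers) {
    foreach ($name in $SrvNames) {
        try {
            $records = Resolve-DnsName -Name $name -Type SRV -Server $server -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'SRV' }
            foreach ($r in $records) {
                [pscustomobject]@{ DnsServer = $server; Record = $name; Target = $r.NameTarget;
                                   Priority = $r.Priority; Weight = $r.Weight }
            }
        } catch {
            # A failed lookup is reported as a row so it shows up in the table below.
            [pscustomobject]@{ DnsServer = $server; Record = $name;
                               Target = "<lookup failed: $($_.Exception.Message)>"; Priority = $null; Weight = $null }
        }
    }
}

$results | Sort-Object Record, DnsServer, Target | Format-Table -AutoSize

# A DC missing from a server's answer cannot be located by clients using that
# server while the other DC is down, so warn about every such gap.
$allTargets = $results | Where-Object { $_.Target -notlike '<*' } |
              Select-Object -ExpandProperty Target -Unique
foreach ($name in $SrvNames) {
    foreach ($server in $DnsServers) {
        $have    = ($results | Where-Object { $_.DnsServer -eq $server -and $_.Record -eq $name }).Target
        $missing = $allTargets | Where-Object { $_ -notin $have }
        if ($missing) { Write-Warning "$name on $server is missing: $($missing -join ', ')" }
    }
}

# Finally, show which DC this client currently has cached (from the answer above).
nltest "/dsgetdc:$Domain"
```

Run it from a workstation with both DNS servers configured; if a record lists only one DC on either server, that is the replication or registration gap to fix before testing failover again.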