How to force a Member Server to connect to a specific Domain Controller server in Windows Server 2003

Issue: Users are unable to log on to a domain member server and receive the error message below:

Windows cannot connect domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance.


Environment:

You have two domain controllers, each in a separate site. AD replication to the secondary site is down, but you have not removed any of its DNS or other entries.

When member servers in the domain contact the local-site AD server, logons work fine.

But when they connect to the remote-site AD server, users start receiving the error message and are unable to log on.

The member server's TCP/IP settings list the DNS servers of both AD servers. Because the remote-site DNS server is set up as the secondary (alternate) DNS server, member servers sometimes attempt to connect to the remote-site AD server.

When they attempt to connect to the remote-site server, which does not accept the secure channel, you notice that the LOGONSERVER environment variable is set to the local member server itself, and logons keep failing.

Troubleshooting:

Running systeminfo:

Domain: TESTLAB.LAN

Logon Server: \\TESTLAB-MEMSRV01

Running Nltest:

C:\>nltest /sc_query:TESTLAB

Flags: 0

Trusted DC Name

Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS

The command completed successfully

C:\>

Running Dcdiag:

C:\>dcdiag /fix

Domain Controller Diagnosis

Performing initial setup:

***Error: TESTLAB-MEMSRV01 is not a DC. Must specify /s:<Domain Controller> or

/n:<Naming Context> or nothing to use the local machine.

C:\>

Checking the LOGONSERVER environment variable value:

C:\>set logonserver

LOGONSERVER=\\TESTLAB-MEMSRV01

C:\>

Checking DNS servers list:

C:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : TESTLAB-MEMSRV01

Primary Dns Suffix . . . . . . . : TESTLAB.LAN

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : TESTLAB.LAN

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : HP NC373i Multifunction Gigabit Server Adapter

Physical Address. . . . . . . . . :

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : xxx.xx.xx.xx

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : xxx.xx.xx.1

DNS Servers . . . . . . . . . . . : 192.168.4.100
                                    192.168.7.100  (This is the remote-site AD and DNS server)

NetBIOS over Tcpip. . . . . . . . : Disabled

C:\>

FIX:

  1. Remove the remote-site DNS server entry from the TCP/IP settings, so that this member server no longer attempts to contact the remote-site DNS server and thus its DC.
  2. Reset the secure channel using nltest.
  3. Update the LOGONSERVER environment variable value using the set command.
  4. Run the dcdiag auto-fix to address any related issues.
  5. Verify new logons to the member server.

Fixing commands:

  1. Go to Network settings and empty the “Alternate DNS server:” value.
  2. Reset the secure channel:

    C:\>nltest /sc_reset:TESTLAB

    Flags: 30 HAS_IP HAS_TIMESERV

    Trusted DC Name \\TESTLAB-DC01.TESTLAB.LAN

    Trusted DC Connection Status Status = 0 0x0 NERR_Success

    The command completed successfully

    C:\>nltest /sc_query:TESTLAB

    Flags: 30 HAS_IP HAS_TIMESERV

    Trusted DC Name \\TESTLAB-DC01.TESTLAB.LAN

    Trusted DC Connection Status Status = 0 0x0 NERR_Success

    The command completed successfully

    C:\>

  3. Update the LOGONSERVER environment variable:

    C:\>set LOGONSERVER=\\TESTLAB-DC01

    C:\>set logonserver

    LOGONSERVER=\\TESTLAB-DC01

    C:\>

  4. Run dcdiag /fix against the local-site DC:

    C:\>dcdiag /fix /s:TESTLAB-DC01

    Domain Controller Diagnosis

    Performing initial setup:
       Done gathering initial info.

    Doing initial required tests

       Testing server: TESTSITE\TESTLAB-DC01
          Starting test: Connectivity
             ……………………. TESTLAB-DC01 passed test Connectivity

    Doing primary tests

       Testing server: TESTSITE\TESTLAB-DC01
          Starting test: Replications
             ……………………. TESTLAB-DC01 passed test Replications
          Starting test: NCSecDesc
             ……………………. TESTLAB-DC01 passed test NCSecDesc
          Starting test: NetLogons
             ……………………. TESTLAB-DC01 passed test NetLogons
          Starting test: Advertising
             ……………………. TESTLAB-DC01 passed test Advertising
          Starting test: KnowsOfRoleHolders
             ……………………. TESTLAB-DC01 passed test KnowsOfRoleHolders
          Starting test: RidManager
             ……………………. TESTLAB-DC01 passed test RidManager
          Starting test: MachineAccount
             ……………………. TESTLAB-DC01 passed test MachineAccount
          Starting test: Services
             ……………………. TESTLAB-DC01 passed test Services
          Starting test: ObjectsReplicated
             ……………………. TESTLAB-DC01 passed test ObjectsReplicated
          Starting test: frssysvol
             ……………………. TESTLAB-DC01 passed test frssysvol
          Starting test: frsevent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ……………………. TESTLAB-DC01 failed test frsevent
          Starting test: kccevent
             ……………………. TESTLAB-DC01 passed test kccevent
          Starting test: systemlog
             ……………………. TESTLAB-DC01 passed test systemlog
          Starting test: VerifyReferences
             ……………………. TESTLAB-DC01 passed test VerifyReferences

       Running partition tests on : DomainDnsZones
          Starting test: CrossRefValidation
             ……………………. DomainDnsZones passed test CrossRefValidation

          Starting test: CheckSDRefDom
             ……………………. DomainDnsZones passed test CheckSDRefDom

       Running partition tests on : ForestDnsZones
          Starting test: CrossRefValidation
             ……………………. ForestDnsZones passed test CrossRefValidation

          Starting test: CheckSDRefDom
             ……………………. ForestDnsZones passed test CheckSDRefDom

       Running partition tests on : Schema
          Starting test: CrossRefValidation
             ……………………. Schema passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ……………………. Schema passed test CheckSDRefDom

       Running partition tests on : Configuration
          Starting test: CrossRefValidation
             ……………………. Configuration passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ……………………. Configuration passed test CheckSDRefDom

       Running partition tests on : TESTLAB
          Starting test: CrossRefValidation
             ……………………. TESTLAB passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ……………………. TESTLAB passed test CheckSDRefDom

       Running enterprise tests on : TESTLAB.LAN
          Starting test: Intersite
             ……………………. TESTLAB.LAN passed test Intersite
          Starting test: FsmoCheck
             ……………………. TESTLAB.LAN passed test FsmoCheck

    C:>
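The diagnosis and fix above, scripted end to end, as an added example that is not part of the original post. It uses only the tools the post itself uses (nltest, ipconfig, netsh, dcdiag), so it does not depend on AD cmdlets that Windows Server 2003 lacks. The domain name, DC name and the two DNS addresses come from the post; the adapter name "Local Area Connection" is taken from the ipconfig output above, and the parameter names and helper functions are this example's own. Run it from an elevated PowerShell prompt on the member server.

```powershell
# Added example (not from the original post): check the member server's secure channel
# and, if it is broken or the remote-site DNS server is still configured, pin DNS to the
# local-site DC, re-establish the secure channel against that DC, and verify.
# Assumed values (domain, DC and addresses from the post; parameter names are this script's):
param(
    [string]$Domain      = 'TESTLAB',
    [string]$PreferredDc = 'TESTLAB-DC01',
    [string]$LocalDnsIp  = '192.168.4.100',
    [string]$RemoteDnsIp = '192.168.7.100',
    [string]$Adapter     = 'Local Area Connection'
)

# Parse the line "Trusted DC Connection Status Status = <decimal> <hex> <name>" that
# nltest /sc_query prints. Returns the decimal status: 0 = healthy (NERR_Success),
# 1311 = ERROR_NO_LOGON_SERVERS as in the post, -1 = output could not be parsed.
function Get-SecureChannelStatus([string]$DomainName) {
    $text = (& nltest "/sc_query:$DomainName" 2>&1) -join "`n"
    $m = [regex]::Match($text, 'Connection Status Status = (\d+)')
    if ($m.Success) { return [int]$m.Groups[1].Value }
    return -1
}

# Read the DNS server list from ipconfig /all. The first address sits on the
# "DNS Servers" line; further addresses follow on indented continuation lines.
function Get-DnsServers {
    $text = (& ipconfig /all) -join "`n"
    $m = [regex]::Match($text, 'DNS Servers[ .]*: ((?:\d{1,3}(?:\.\d{1,3}){3}\s*)+)')
    if (-not $m.Success) { return @() }
    return [regex]::Matches($m.Groups[1].Value, '\d{1,3}(?:\.\d{1,3}){3}') |
        ForEach-Object { $_.Value }
}

$status = Get-SecureChannelStatus $Domain
$dns    = @(Get-DnsServers)
Write-Host "Secure channel status for ${Domain}: $status"
Write-Host "Configured DNS servers: $($dns -join ', ')"

if ($status -eq 0 -and $dns -notcontains $RemoteDnsIp) {
    Write-Host 'Secure channel is healthy and the remote-site DNS server is not configured; nothing to do.'
    return
}

# Step 1: point the adapter at the local-site DC only. This is the scripted equivalent of
# clearing the "Alternate DNS server" box, so the DC locator no longer returns the remote DC.
& netsh interface ip set dns name="$Adapter" source=static "addr=$LocalDnsIp"
& ipconfig /flushdns | Out-Null

# Step 2: reset the secure channel, naming the DC explicitly (nltest accepts DOMAIN\DC here).
$target = "$Domain\$PreferredDc"
& nltest "/sc_reset:$target"

# Step 3: LOGONSERVER is written by Winlogon for each logon session; like the post's
# "set LOGONSERVER=" this only changes the variable for the current process.
$env:LOGONSERVER = "\\$PreferredDc"

# Step 4: verify, and only then run the dcdiag auto-fix against the local-site DC.
$after = Get-SecureChannelStatus $Domain
if ($after -ne 0) {
    Write-Warning "Secure channel still failing with status $after; check connectivity to $PreferredDc before continuing."
    exit 1
}
Write-Host "Secure channel to $PreferredDc established (status 0)."
& dcdiag /fix "/s:$PreferredDc"
```

Two design notes. The script checks the secure channel before it changes anything, so rerunning it on a healthy server is harmless. And because it follows the post's approach of removing the remote-site DNS entry, the member server is left with a single DNS server and no fallback; once replication to the remote site is repaired, the alternate entry can be restored and the script rerun to confirm the channel still lands on the local-site DC.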
