Client long time logging into DC

RSorrentino · 2024-05-20T23:13:35.664Z

I have a 4 DC environment. 2 DC remote and 2 local (DC1 & DC2). Replications and DNS are working. DC1 local decided it did not want to work. DC1 local was causing other issues losing its secure channel and constantly having to reset the network password using netdom so I had to shut it down at this time. The AD roles, print and data were moved to DC2 local. I try logging into my computer and it takes a very long time to log in. almost 15 minutes. If DC1 is offline shouldn’t DC2 pick up the slack with authentication. DC1 and DC2 are located in the same building and on the same network. I restarted the Netlogon service and updated DHCP but that is on our router not the DC. What am I missing?

James404d · 2024-05-20T23:37:30.680Z

Where is DNS pointing on your client computer?

RSorrentino · 2024-05-20T23:46:31.107Z

The computers are pointing to the new DC.

PatrickFarrell · 2024-05-21T00:29:54.933Z

After you log in, if you open up a command prompt and type SET

What does it show your logonserver is?

RSorrentino · 2024-05-21T00:42:48.092Z

I couple I checked were pointing to the new DC. I have a couple that still point to the old server. Can I force the logonserver?

PatrickFarrell · 2024-05-21T02:29:15.901Z

No, logon server will be picked at random from a domain controller in the same site as the client computer (providing the subnet the client computer is in is asociated with the site in AD Sites and Services). I’m more concerned about your general AD health. What you described with the DC is obviously not normal. I’m going to say check DNS because so many times it’s DNS

Active Directory DNS Refresher Windows

It’s DNS. It’s always DNS. No, DNS is fine, it’s not DNS, trust me. It was DNS. I’m posting because in the last few weeks we’ve had a few posts that turned out to be misconfigurations with DNS in a domain environment. Things like Domain controllers pointing at themself first for DNS, or having a public DNS server on the NIC of the Domain Controller or the clients. Hopefully this will help some people get out in front of potential issues. The general rules for DNS in an AD E…

For your domain controllers I would have DNS on each DC set this way.

DC1 in site 1
Primary DNS: DC2 in site 1
Secondary DNS: DC1 in site 2
Tertiary DNS: 127.0.0.1

And no public DNS listed on the DC NIC or client NIC.

Follow the same pattern where you point to the other DC in the site first, a DC in a different site second, and 127.0.0.1 third. You can have more than 2 DNS servers if you go to the advanced button in TCP/IP settings and then the DNS tab. You may know this already but we get all levels of skill in the forums, and others may not.

I would bring your other DC back online and see if we can troubleshoot that.

RSorrentino · 2024-05-21T13:15:49.796Z

I have my DNS on the NIC as the following:
Remote Site 1
Remote Site 2
DC1 Site 1 (Server issue)
DC2 Site 1

DC1 Site 1 - DNS is set to Remote Site 1 & 127.0.0.1
DC2 Site 1 - DNS is Set to Remote Site 1 & 127.0.0.1
Remote Site 1 - DNS is Set to DC2 Site 1 & 127.0.0.1
Remote Site 2 - DNS is Set to DC2 Site 1 & 127.0.0.1

Should I add the Remote Sites in the DNS for DC1 & DC2 and vice versa?

RSorrentino · 2024-05-21T14:04:38.873Z

Also Replication between the DC in AD Sites and Services

DC1 replicates to DC2, Remote 1 and Remote 2
DC 2 replicates DC1, Remote 1 and Remote 2
Remote 1 replicates DC 2 and Remote 2
Remote 2 replicates DC 2 and REmote 1

Using repadmin, DC1 can replicate to the other servers but not the other way around. Replication is good between all servers except DC1. I have reset the netdom password multiple times but no luck with the other DCs connecting. Error: “The target principal name is incorrect”.

RSorrentino · 2024-05-21T14:51:42.618Z

After I just said that, now I have an issue with both DC1 and DC2 with The target principal name is incorrect.

Let me know if the DNS configuration should be.

PatrickFarrell · 2024-05-21T14:58:47.752Z

If it were me, I would do this for DNS

DC1 Site 1: DC2 Site 1, DC1 Site 2, 127.0.0.1
DC2 Site 1: DC1 Site 1, DC2 Site 2, 127.0.0.1
DC1 Site 2: DC2 Site 2, DC1 Site 1, 127.0.0.1
DC2 Site 2: DC1 Site 2, DC2 Site 1, 127.0.0.1

This way you check the other DC in the same site first, then a DC in the other site, then itself last.

RSorrentino · 2024-05-21T15:37:54.385Z

I made the DNS changes. Hopefully this reconciles the Target Name issue.

PatrickFarrell · 2024-05-21T16:33:00.689Z

You can also run this on the DCs to force it to recalculate links between the DCs

repadmin /kcc

RSorrentino · 2024-05-21T17:16:19.325Z

Thanks for your help.

I ran the command on each DC and all came back Consistency check on localhost successful. Should I restart all the servers after I made the DNS change.

Other issues.
When I open DNS Manager on each DC. DC1 Site 1 and DC2 Site 2 see DC 1 Site 2 and DC 2 Site 2.

DNS Manager on DC 1 Site 2 and DC 2 Site 2 do not see DC Site 1 and DC 2 Site 1. DC 2 Site 2 unable to connect to either DC 1 Site or DC 2 Site 1.

Alot of Kerberos errors when running dcdiag.

PatrickFarrell · 2024-05-22T18:43:51.357Z

Are there any firewalls in place between the locations that are blocking ports? Can you give us an example of the kerberos errors?