Thread: https://community.spiceworks.com/t/two-domain-controller-in-a-single-domain-not-failing-over/542872

mohamedshalabi (original post, 2016-11-27 19:46 UTC, 12 upvotes):

We have two sites connected via a site-to-site VPN. Each site has its own domain controller, and both are running Win2k8R2. As soon as the site-to-site VPN link goes down, users aren't able to authenticate to any network resources. DCDiag /a doesn't show any errors, and I attempted to force replication between the two DCs but am still having the same issues. Times are synced and network connectivity is solid between the two DCs. Am I missing something that is disallowing the 2nd DC from taking over authentication?

Also, all the FSMO roles are held by the 2nd DC (the one that doesn't allow authentication once the VPN link is down).
overdrive (accepted answer, post 7, 2016-11-27 21:17 UTC, 5 upvotes):

Proper domain controller DNS setup is vital for Active Directory to work properly. Each domain controller should be set up with a different DNS server as its primary, and itself (127.0.0.1) as its secondary. If you have more than 2 DNS servers in your domain or forest, you should set up a pattern whereby they all have different primary DNS partners, so that each server is used as someone else's primary.

If you have just 2 DCs:

DC1: 192.168.1.2
DC2: 192.168.1.3

Then:

DC1 static DNS should be: Primary: 192.168.1.3, Secondary: 127.0.0.1
DC2 static DNS should be: Primary: 192.168.1.2, Secondary: 127.0.0.1

You MUST set up Sites and Services properly for AD to know how to deal with a lack of connection between sites, and also how to deal with authentication at each site (where the clients authenticate with the local DC unless it's down).
davidsmithwv (post 2, 2016-11-27 20:20 UTC):

Are you running 2 DNS servers? Can you ping your local resources by name when the link is down? Is this for all users?
essjae (post 3, 2016-11-27 20:26 UTC):

How is your DNS configured on each DC? Are they pointing to each other?
mohamedshalabi (post 4, 2016-11-27 20:29 UTC):

Site 1 has DC1/DNS.

Site 2 has DC2/DNS.

DNS configuration on both DCs = Primary DNS is DC1, secondary DNS is DC2.

Pingable via FQDN while the link is down, and yes, this is for all users.
mohamedshalabi (post 5, 2016-11-27 20:34 UTC):

Yes, running two DNS servers, one on each DC, and yes, I can ping resources via name while the link is down (except resources on the other site, of course).
mohamedshalabi (post 6, 2016-11-27 20:35 UTC):

I should probably note that currently I don't have different 'Sites' set up in AD. Both DCs are in the same default site ...
overdrive (post 8, 2016-11-27 21:19 UTC, 1 upvote):

To add, DHCP should be giving out the local DNS server first, then the remote DNS server, so at each site the local DC is handling DNS requests and they are not going across the WAN.
mohamedshalabi:

Thank you! This makes sense ... there's no DHCP set up, but I will try your suggestion, including creating a new site in AD Sites & Services, and will test.