Thank you for your help.
However, please understand the DHCP Server is authorized in Active Directory, the problem is that the DHCP Server and DC are in the same AD SITE. The DC in the site is down from a reboot, the DHCP Server during its hourly authorization request sees that
the DC is down. As a result, the DHCP Server is unable to get its authorization.
My question is, why did the DHCP Server NOT attempt to contact another DC for authorization in another SITE if the DC in the same site is down.
It should try its own AD site first, then if no DCs are available, it should look elsewhere. But there's another thing that you MUST take into account - if a DC goes down, then it acts like any other machine when it logs on and it will "lock" on to
that server. You can check on any machine, DC, member server or workstation, to see what DC logged it on by running
echo %logonserver%
A lot of this has to do with the client resolver service, too. If the AD client side extensions have bound to a DC, then it will not send a GetDcList query to look for another and will wait until the client side resolve cache times out for the records. Apparently
your DC taking that long to boot, is probably still under the timeout of 15 minutes, assuming you didn't change TTLs on the records.
So in essence, I see your member server doing exactly what it should be doing. Now if you restart it while the DC is down, then it will find a DC in another site. You can test that with the above command.
More info on the way this works:
This blog discusses:
WINS NetBIOS, Browser Service, Disabling NetBIOS, & Direct Hosted SMB (DirectSMB). Troubleshooting the browser service.
Client side resolution process chart.
The DNS Client Side Resolver algorithm.
If one DC or DNS goes down, does a client logon to another DC or use the other DNS server in the NIC?
DNS Forwarders Algorithm and multiple DNS addresses (if you've configured more than one forwarders or more than one IP in the NIC's DNS list)
Client side resolution process chart
Published by Ace Fekay, MCT, MVP DS on Nov 29, 2009 at 10:28 PM 1764 1
http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx
DNS Clients and Timeouts (Part 1 & Part 2), karammasri [MSFT] Dec 2011 6:18 AM
http://blogs.technet.com/b/stdqry/archive/2011/12/02/dns-clients-and-timeouts-part-1.aspx
http://blogs.technet.com/b/stdqry/archive/2011/12/15/dns-clients-and-timeouts-part-2.aspx
-
FYI, regarding DC DNS NIC settings, if you have one DC in each site, I would point the first entry to itself, and the second to the other guy. Usually if there are two DCS in one site, DNS1 would be the other guy, and DNS2 would be itself or the Loopback.
This is the accepted method now after all of the debates and arguments on how to set it up since AD's inception in 1998. Matter of fact, if you have 2008 or newer, the AD BPA looks for this configuration.
I am concerned that it takes your DC 10 minutes to come back up. I thought to post some additional info below that you may find useful to make sure your AD infrastructure is sound, properly configured and running:
Please check all Event log errors (Application, System, and under Application and Services Logs on a DC for the AD Web services, DFS Replication, Directory Services, DNS Server & File Replication Server logs. Copy and paste the Event ID errors,
please.
If any of the DCs multihomed (more than one NIC, IP, iSCSI interface, backup interface, and/or RRAS installed on them)? If yes, multihomed DCs can cause AD site issues, among numerous other issues.
-
You can check AD replication and communication status with the following:
1. ReplDIAG: (run it as repldiag > c:\repldiag.txt, then open it as a CSV in Excel choosing comma separated, to be able to clearly read the output)
Explained here:
Troubleshooting replication with ReplDiag.exe [part 1 of 4], Rob Bolbotowski [MSFT], 13 Oct 2010 12:04 PM
http://blogs.technet.com/b/robertbo/archive/2010/10/13/troubleshooting-replication-with-repldiag-exe-part-1-of-4.aspx
replDiag Downloadable from:
http://activedirectoryutils.codeplex.com/releases/view/13664
2. Download The Active Directory Replication Status Tool:
http://www.microsoft.com/en-us/download/details.aspx?id=30005
This tool requires .Net Framework 4. If it's not installed, download and install it:
Microsoft .NET Framework 4 (Web Installer)
http://www.microsoft.com/en-us/download/details.aspx?id=17851
3. Third Party Utility: Dynamic AD Replication Checker Tool not only checks AD Replication for all domain controllers in your organization but also provides monitoring capabilities. For any non-working Domain Controller you can use the various options available
to troubleshoot the issue.
Dynamic AD Replication Checker Tool Version 2.0 Released
http://blog.dynamicitkit.com/dynamic-ad-replication-checker-tool-version-2-0-released/
Download Dynamic AD Replication Checker Tool Version 2.0 (part of "Dynamic Pack")
http://www.dynamic-spotaction.com/index.html
-
If there are any replication issues, let's determine if there are any ports being blocked by making sure the antivirus on each DC has exclusions properly configured for what a DC needs. For example, SEP automatically excludes everything when it is installed
on a DC, but not if it was installed prior to promotion. They have a step by step with 14 different things to configure including registry entries. I find it easier uninstalling it and reinstalling it. Other AVs have their own methods - check with the vendor
site.
You can also check firewall ports being blocked between DCs using PortQry:
Run PortQry GUI choosing the "Domains & Trusts" option between each other (DCs). Run the test from a DC to a DC from both sides to each other, or you can also run it from a client to a DC. Post only errors with "NOTLISTENING, 0x00000001, and 0x00000002.
PortQryUI - GUI - Version 2.0 8/2/2004
http://www.microsoft.com/download/en/details.aspx?id=24009