hi, i have head office and branch office. head office and branch office are connected. i have domain controller in head office, and all users in head office and branch office can login their computers with their domain accounts. everything ok. when the connection lost between head office and branch office, the users in branch office can logon with their domain accounts but cannot user network resources. when a user tries to open the network there is an error message comes out: there are currently no logon servers available to service the logon request. how i can configure domain controller that when the connection lost between head an branch office the network resources could be available to local computers.

Hi Babek, They had a firewall blocking the necessary ports to allow for the Domain controller to verify the accounts that were logging onto the server. What All Ports Are Required By Domain Controllers And Client Computers? http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/ActiveDirectory/WhatAllPortsAreRrequiredByDomainControllersAndClientComputers.html BrentPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

but the firewall is turned off in every computer in the network. what to do next?

Hi Babek, Is there any firewall between the head offices or on DCs? What operation system is running on the DCs and client computers? To get a complete overview, please upload the following output files to our workspace below: IPCONFIG /all > c:\ipconfig.txt (on DC and Client computer) dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt netdiag /v >c:\netdiag.txt [from each DC, netdiag may work but isn't supported with Windows server 2008 and higher] dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045) Meanwhile, you can pick "Domains and Trusts" and "Networking" to scan and the UI will scan all the relevant services on both DC and then show you the output on the bottom of the Port Query UI tool. How To: Mastering PortQry.exe http://www.windowsecurity.com/articles/Mastering-PortQryexe-Part2.html Workspace URL: (https://sftasia.one.microsoft.com/ChooseTransfer.aspx?key=e328cab0-cad0-4490-aaef-e115f0531b59) Password: 6#pMuccrvZ Brent Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”

dc - windows 2003 r2 sp2 workstations xp sp2 there is no firewall between computers . yes

Hello, in short, you can't with this setup. Install an additional DC/DNS/GC in the branch office, configure AD sites and services accordingly and your problems are solved. In your current situation the user logon with cached credentials on the computer if the WAN link is not available. That way NO authentication could be done to verify the access permissions on the shared folders. This result in the error message you see. Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

yes you right Meinolf, please tell me exactly what i should to in this case. please step by step with documentation. because i tried several times but with no success. thank you

Hi Babek, Please refer to the following articles How to Install a Replica DC in an Existing AD Domain on Windows Server 2003 http://www.petri.co.il/how_to_install_active_directory_replica_on_windows_2003.htm BrentPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi Babek, Please refer to the following article: How to Install a Replica DC in an Existing AD Domain on Windows Server 2003 http://www.petri.co.il/how_to_install_active_directory_replica_on_windows_2003.htm BrentPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

ok i have done this method and it works. then what to do? what to configure next? what about the dns and gc?

Hello, on teh existign DC/DNS check that AD integrated zones are enabled and then install the DNS server role on the new DC, give time for replication and do nothing else in DNS management console. All zoens from the other DNS will be replicated. For enabling the global catalog see: http://support.microsoft.com/?id=313994Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

Hello, on the existing DC/DNS check that AD integrated zones are enabled and then install the DNS server role on the new DC, give time for replication and do nothing else in DNS management console. All zoens from the other DNS will be replicated. For enabling the global catalog see: http://support.microsoft.com/?id=313994 Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

yes but the without main domain controller the branch office domain controller is not functioning.

yes but the without main domain controller the branch office domain controller is not functioning. Hello, of course it works. All DCs can work independent from another, at least for the tombstone lifetime on one point and until the RID pool is empty on additional DCs. Why do you think it doesn't function? Please describe the problems you see in detail and post complete erorrs from the event viewer or error messages you see.Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

in my situation i have a domain controller (as i described before) in head office. If i install additional domain controller in existing AD Domain (without configuring DNS) then it will be just a secondary domain controller. from this documnetation i confugured the secondary domain controller. But when the connection lost between the the head office and branch office the users in branch office cannot logon to their computers with domain account. Hot to solve this problem? Moreover: 1. if i must configure also dns configuration for branch office, then what configuration i need to do? Please tell me. 2. Without primary domain controller, in secondary domain controller i even unable to create a domain user or an object. 3. My issue is to set a configuration that makes the secondary domain controller to work when tie connection lost with the primary domain controller.

in my situation i have a domain controller (as i described before) in head office. If i install additional domain controller in existing AD Domain (without configuring DNS) then it will be just a secondary domain controller. from this documnetation i confugured the secondary domain controller. But when the connection lost between the the head office and branch office the users in branch office can logon to their computers with domain account but cannot use shared resources. Hot to solve this problem? Moreover: 1. if i must configure also dns configuration for branch office, then what configuration i need to do? Please tell me. 2. Without primary domain controller, in secondary domain controller i even unable to create a domain user or an object. 3. My issue is to set a configuration that makes the secondary domain controller to work when tie connection lost with the primary domain controller.

Hello, "(without configuring DNS) then it will be just a secondary domain controller" As i wrote at the beginning, you have the need for a DC and DNS and GC in the branch office. 1. I already did, make sure to use AD integrated zones and then install the DNS server role on the second DC and wait for replication, take some time. To verify AD integrated zones, opejn the DNS management console, forward lookup zones, mark domainname.xxx and chhose the properties, in the General tab you see "Type", this should be set to Active directory integrated. Control also on the revverse lookup zone if configured. 2. incorrect, on each DC you can create objects until the RID pool is empty 3. i already explained it.Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

as i understand, there are several steps which i should to configure. Please correct me if i am wrong. 1. to set up primary domain controller in head office. 2. to set up secondary domain controller in branch office 3. in secondary domain controller configure dns server as active directory integrated. And that is all? So in primary domain controller i shouldn't configure anything. Right?

Hello, make the branch DC also Global catalog server. During promotion of the second DC configure the NIC only to use existing DC/DNS as preferred on the NIC. After replication is done reconfigure the NICs to primary itself and secondary the other DC/DNS. On the first installed DC you should only adjust the secondary DNS to the new one.Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

Hello, make the branch DC also Global catalog server. During promotion of the second DC configure the NIC only to use existing DC/DNS as preferred on the NIC. After replication is done reconfigure the NICs to primary itself and secondary the other DC/DNS. On the first installed DC you should only adjust the secondary DNS to the new one. Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. hi, i will do such settings: 1. in my head office's domain controller i changed dns settings to active directory integrated. Is that correct? 2. in the branch office i configured the dns service also active directory integrated and promoted the secondary domain controller. Am i right? Then what to do? The network settings in branch office, in the primary dns ip is its ip address. The secondary ip is the primary domain controller's. True?

Hello, 1. yes. 2. if you promote the second DC make sure to choose also the DNS server option, nothing more to do, replication will also cover the DNS zones. Verify that the DNS zones are complete replicated to the new server and check the DCs with "dcdiag /v" for errors and control replication with "repadmin /showrepl" DNS is ok that way. Please forget the terms PDC/BDC, this is not longer valid since the start from AD. All DCs are the same and the small difference is the FSMO role placement, but each DC can have the FSMO roles.Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

ok. i did so. and the replication worked out. And i changed in the DNS settings to Active Directory integrated in head office domain controller. But the domain controller in branch office is unable to locate the dns server when i ask nslookup. why is that?

Hello, please post an unedited ipconfig /all from both DCs. Are you able to ping between the DCs with ip address, computername and FQDN?Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

hi, thank you for helping me friend. seems i have solved the problem. installed the secondary domain controller and then made it also global catalog. and give him a additional ip address as dns. s when the connection lost among head office and branch office, the secondary dns address becomes the main, and the secondary domain controller acts as a primary domain controller in the branch office for a while. thank you all for support and the documentation i list below: http://www.tech-faq.com/dns-and-active-directory-integration.html http://www.servernewsgroups.net/activedirectory/t13369-installing-second-dc-with-dns.aspx http://www.windowsitpro.com/article/dns/how-do-i-configure-active-directory-integrated-dns-.aspx http://technet.microsoft.com/en-us/library/cc733027(WS.10).aspx p.s. i am able to ping between domain controllers, and also with the name.

Hello, please elaborate "and give him a additional ip address". Again, please post an unedited ipconfig /all from the DCs. And as said before please forget the terms primary and secondary domain controller. All are the same, if more then one exist it is an additional DC, that's it. The only difference on domain controllers are the FSMO roles BUT any DC can have them according to some rules. Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.