You are here: Blog Branch Office AD isn't working when the HQ AD is offline

Branch Office AD isn't working when the HQ AD is offline



Branch Office Domain Controller Active Directory isn't working when the HQ DC AD is offline. Hurricane Irma knocked power out at the HQ location. The HQ DC AD server was shut down to prevent any issues.

Branch offices across North America have DC's, AD's and DNS.

When users go to a local server share, they get the login box with an error message:
"Search Results The system cannot contact a domain controller to service the authentication request"

When I go to the AD Users & Computers, I get an error message:
"Active Directory Naming Information Could Not Be Located"

 The Users & Computers tree on the left hand side has an X for "Active Directory Users and Computers" and the center box is blank.



I make sure DNS is setup correctly:
DNS1: (SELF, always should be this way)
DNS2: (HQ1)
DNS3: (HQ2)

I make sure the FORWARDERS are set correctly:

And working:
nslookup where-ever.tld


Ping domain:
ping my-domain-name-here.com

Positive reply. So I know the domain and AD exists. I just can't reach it.

Next, I try a dcdiag /fix:
dcdiag /fix

"Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.

Bummer... it cannot reach a Global-Catalog. This is certainly the heart of the issue.

Next, I check to see if my server is a GLOBAL-CATALOG server:
repadmin /options *

Repadmin: running command /options against full DC DC-01.my-domain-here.com
Current DSA Options: IS_GC

Well, I now know that the server I am using is a GLOBAL-CATALOG.

Next, I check to see what servers are global catalog servers as stated in DNS:
nslookup gc._msdcs.my-domain-name-here.com

Server:  dc-al-01.my-domain-name-here.com

Name:    gc._msdcs.my-domain-name-here.com
Addresses:  10.162.300.291



The server is in the list on DNS as a GLOBAL-CATALOG.

Next, I try a dsquery:
dsquery server -isgc

dsquery failed:The specified domain either does not exist or could not be contacted.

Next, I try a nltest:
nltest /dsgetdc:my-domain-name-here.com
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

Next, I look at a registry value:
reg query "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters" /v SysvolReady

    SysvolReady    REG_DWORD    0x0


There is certainly more to this. The AD isn't setup correctly. Active Directory uses the _msdcs.my-domain-here.com sub-domain to host SRV records. These records are not automatically updated, even in 2012-R2. Consequently, there may be outdated servers listed. In addition, the new servers will be missing.

You can find the domain and the servers here:

DNS -> DC-SERVER-01 > FORWARD > my-domain-name-here.com > _msdcs


Since this list is not updated automatically, the old servers are not available to provide the info. The new servers are not in the list since it is not added automatic. That means that the only server in the list was the original server. Once that server is no longer available, AD is unavailable. So much for fault tolerance.


Workaround solution:

-type: echo y | reg add   "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters" /v SysvolReady /d 1

This makes the SYSVOL folder available and the AD Users-&-Computers should populate.

Permanent solution:

Once available, go to DNS -> DC-SERVER-01 > FORWARD > my-domain-name-here.com > _msdcs

Manually edit them. Remove the ones that don't exist and add the ones that do.

Contact Dak Networks

Please contact us at the following.