Secondary domain controller not functioning when primary domain controller is not reachable

active-directory, domain-controller, domain-name, windows-server-2012, windows-server-2012-r2

We are a small business intelligence company and we have a head office and a branch office. I have Active Directory running on Windows 2012 R2 in the head office and another Active Directory running on Windows 2012 in the branch office. Both offices are connected via a site-to-site VPN.

Whenever there are connectivity issues between the two offices or the PDC is down, the secondary AD server goes down as well. It is not configured as a RODC. When I try to check the domain settings under Domains and Trusts, I get the error

You cannot modify domain or trust information because a Primary Domain Controller (PDC) emulator cannot be contacted. Please verify that the PDC emulator for the current domain and the network are both online and functioning properly.

Users are unable to authenticate, and when I try to access Users and Computers I get the following error.

Naming information cannot be located because:
The specified domain either does not exist or could not be contacted.
Contact your system administrator to verify that your domain is properly configured and is currently online.

I see both Domain Controllers are set as GC servers. I am not an expert in Active Directory. I am hoping it is a minor issue that someone should be able to help me fix.

Best Answer

It sounds to me like you have configuration issues rather than it being an issue with AD.

If the DC holding the FSMO roles (including PDC emulator Role) goes down then things will be a bit tough but if you have a second DC users should be able to authenticate, you should be able to create new users and features like GPOs should still process.

Presuming that the 2nd DC is indeed a global catalogue server I would check the following:

1) Does the 2nd DC have a copy of the DNS zone that contains the SRV entries for your domain?
2) Are the clients and server at your remote site configured to use the 2nd DC as their DNS server?
3) Do you have Sites and Services configured? It sounds like you would need 2 AD sites, one for HQ and one for Branch, making sure you link the appropriate subnets to them and that the DCs are in the appropriate sites.

Losing the DC with the FSMO roles is a pain, you won’t be able to add new DCs or manage trusts and stuff but you will still be able to manage the Domain partition. You get an error when opening up AD Users and Computers, that’s OK. All you need to do once ADUC is open is right click Active Directory Users and Computers and then select Change Domain (to make sure you are connecting to the correct domain) and then right click Active Directory Users and Computers and then select Change Domain Controller and select the working DC that you want to use to administer your objects.

Losing the Domain Naming master or any other FSMO role shouldn’t impact your network short term. The one to watch out for most though is losing the PDC emulator as (amongst other things) it acts as a time source on your network. If that is an issue at your branch, then you might want to consider setting up an alternate time source.
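The three checks in the answer (SRV records on the branch DC's DNS, the DNS client configuration, and Sites and Services), together with a look at the FSMO holders and the time source, scripted as an added example; this is not code from the original answer. It assumes the RSAT ActiveDirectory module on the branch DC, and `$Domain`, `$BranchDc` and `$NtpPeer` are placeholders rather than values from the question.

```powershell
# Added example, not part of the original answer. Run in an elevated PowerShell
# on the branch (2nd) DC with the ActiveDirectory RSAT module installed.
# $Domain, $BranchDc and $NtpPeer are placeholders, not values from the question.
$Domain   = 'corp.example'      # placeholder: AD DNS domain name
$BranchDc = 'BRANCH-DC01'       # placeholder: hostname of the branch DC
$NtpPeer  = 'ntp.example'       # placeholder: external NTP server
$ConfigureTimeSource = $false   # set $true only if you decide to repoint w32time

Import-Module ActiveDirectory

# --- 1) Does the branch DC serve the zone holding the domain's SRV records? -------
# Ask the branch DC's own DNS service for the DC locator record. No answer means
# clients cannot find a DC while the head office is unreachable.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                       -Server $BranchDc -ErrorAction SilentlyContinue |
       Where-Object Type -eq 'SRV'
if ($srv) {
    "SRV records answered by $BranchDc :"
    $srv | Select-Object NameTarget, Port, Priority, Weight
} else {
    Write-Warning "$BranchDc gives no answer for _ldap._tcp.dc._msdcs.$Domain; check that the AD-integrated DNS zone replicates to it."
}

# --- 2) Which DNS servers does this machine use? ---------------------------------
# The branch DC should list itself (or 127.0.0.1) first; branch clients should be
# handed the branch DC as their DNS server too.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses

# --- 3) Sites and Services: two sites, subnets linked, each DC in the right site ---
"`nDomain controllers, their sites and GC status:"
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog, IPv4Address

"`nSubnets and the site each one is linked to:"
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site

"`nSite the DC locator places this machine in:"
nltest /dsgetsite

# Site-specific locator record that branch clients should prefer.
$site = (Get-ADDomainController -Identity $BranchDc).Site
Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$Domain" -Type SRV `
                -Server $BranchDc -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'SRV' | Select-Object Name, NameTarget

# --- FSMO holders: which DC's absence blocks which operations --------------------
$d = Get-ADDomain; $f = Get-ADForest
[pscustomobject]@{
    PDCEmulator          = $d.PDCEmulator
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
    SchemaMaster         = $f.SchemaMaster
    DomainNamingMaster   = $f.DomainNamingMaster
}

# --- 4) Time: a non-PDC DC normally follows the PDC emulator (NT5DS) --------------
"`nCurrent time source and status:"
w32tm /query /source
w32tm /query /status

if ($ConfigureTimeSource) {
    # Repoint the branch DC at an external NTP peer. 0x8 = client mode;
    # /reliable:yes lets branch clients trust it as a time source.
    w32tm /config /manualpeerlist:"$NtpPeer,0x8" /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync
    w32tm /query /source
}
```

Steps 1 to 3 are read-only and can be run as they are. Step 4 only changes the time configuration when `$ConfigureTimeSource` is set; if you do repoint the branch DC, keep both DCs within Kerberos's default 5-minute clock tolerance by making sure the PDC emulator at head office also syncs from an accurate external source.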