Windows – How to Authenticate Clients Against a Specific Domain Controller

active-directory, domain, domain-controller, windows

I am having an issue with an active directory account not running login scripts. The scripts run fine in one location and not in the other.

Getting the following errors in the event logs:

GroupPolicy-Operational event ID 7007
Periodic policy processing failed for user domain\username in 1 seconds.
EventData
        PolicyElaspedTimeInSeconds  1
        ErrorCode   1265
        PrincipalSamName    domain\username
        IsMachine   0
        IsConnectivityFailure   false

Event ID 40960 LSA (LsaSrv)
-   System
        -   Provider
            [ Name]     LsaSrv
            [ Guid]     {199FE037-2B82-40A9-82AC-E1D46C792B99}
            EventID     40960
            Version     0
            Level       3
            Task        0
            Opcode      0
            Keywords    0x8000000000000000
        -   TimeCreated
            [ SystemTime]   2015-01-13T15:03:17.679126200Z
            EventRecordID   26015
            Correlation
        -   Execution
            [ ProcessID]    896
            [ ThreadID]     4656
            Channel     System
            Computer    computer.domain.com
        -   Security
            [ UserID]   S-1-5-18
-   EventData
        Target      cifs/domain
        Protocol    Kerberos
        Error       "{Buffer Too Small} The buffer is too small to contain the entry. No information has been written to the buffer. (0xc0000023)"

# for hex 0xc0000023 / decimal -1073741789 :
  STATUS_BUFFER_TOO_SMALL                                       ntstatus.h
# {Buffer Too Small}
# The buffer is too small to contain the entry. No
# information has been written to the buffer.
# 1 matches found for "0xc0000023"

The Security System detected an authentication error for the server cifs/domain.com The failure code from authentication protocol Kerberos was "{Buffer Too Small}
The buffer is too small to contain the entry. No information has been written to the buffer.
(0xc0000023)".

Solution
http://technet.microsoft.com/en-us/library/cc733950(v=ws.10).aspx

Running a Windows 2003 domain; the desktop is Windows 7, and the domain controllers are a mix of 2008 and 2003 servers.

We haven't rebooted some of the 2003 DCs for over 3 years (different story), and these are scheduled to be decommissioned.

Is it possible to authenticate a Windows AD account against a specific DC rather than the default DC, for the purposes of troubleshooting a login problem?

Best Answer

This is actually surprisingly difficult to do.

There are a couple of workarounds, namely that you can create a new site for your client(s) and the Domain Controller you want them to use as a logon server, or that you can set the LdapSrvPriority registry setting on your domain controllers to give the highest priority to the DC you want used as the logon server. You can also configure the LdapSrvWeight registry setting on your domain controllers to assign a weighted priority for each one.

Note that editing the registry settings on the domain controllers is a global change that will apply to all clients, not just the one you're testing, just as putting a domain controller in a new site will impact all client authentications as well.

As noted in the linked article, though, these settings will only make your client(s) prefer a given logon server, not force them to use a given logon server, and the complexities of authenticating against a Windows domain mean that your client may switch logon servers partway through the process anyway, so you may be just plain out of luck.
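The registry approach the answer describes, plus the client-side checks you would run to see which DC actually answered, as an added PowerShell example (not code from the question, the answer, or the linked TechNet article). The DC names DC-PREFERRED and DC-OLD2003 and the domain corp.example are assumptions; substitute your own. The registry part runs on each domain controller (on the 2003 DCs, which have no PowerShell by default, the same two values can be set with reg.exe), the rest on the affected Windows 7 client.

```powershell
# Added example, not from the original question or answer.
# Assumed names: domain corp.example, DCs DC-PREFERRED and DC-OLD2003.

# Netlogon publishes each DC's _ldap/_kerberos SRV records using these two
# REG_DWORD values (range 0-65535). Lower Priority wins outright; among DCs
# with equal Priority, higher Weight is picked more often.
# Defaults: LdapSrvPriority = 0, LdapSrvWeight = 100.
$netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-DcSrvPreference {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 65535)][int]$Priority,
        [Parameter(Mandatory)][ValidateRange(0, 65535)][int]$Weight
    )
    New-ItemProperty -Path $netlogonParams -Name 'LdapSrvPriority' `
        -PropertyType DWord -Value $Priority -Force | Out-Null
    New-ItemProperty -Path $netlogonParams -Name 'LdapSrvWeight' `
        -PropertyType DWord -Value $Weight -Force | Out-Null
    # Netlogon re-registers its SRV records when it restarts.
    Restart-Service -Name Netlogon
}

# --- On the domain controllers -------------------------------------------
# On DC-PREFERRED: best priority (0) and a heavier weight than the rest.
#   Set-DcSrvPreference -Priority 0  -Weight 200
# On DC-OLD2003: a worse (higher) priority so it is only a fallback.
#   Set-DcSrvPreference -Priority 10 -Weight 100
# Remember this is global: every client in the domain sees the new records.

# --- Anywhere in the domain: confirm what DNS now advertises --------------
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.corp.example' -Type SRV |
    Select-Object NameTarget, Priority, Weight, Port

# --- On the Windows 7 client ---------------------------------------------
# Which DC the interactive logon used, and which one the locator picks now
# (/force bypasses the cached DC and re-queries DNS).
Write-Output "Logon server at sign-in: $env:LOGONSERVER"
nltest /dsgetdc:corp.example /force

# For a one-off test, re-point the machine's secure channel at the preferred
# DC by name and confirm it. This only steers the machine's secure channel
# (NTLM pass-through, trust traffic); Kerberos still follows the locator.
nltest /sc_reset:corp.example\DC-PREFERRED
nltest /sc_query:corp.example

# Re-run user policy processing and look for the 7007 event from the question.
gpupdate /target:user /force
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 7007
} -MaxEvents 5 | Format-Table TimeCreated, Message -Wrap
```

The SRV changes only bias DC selection, exactly as the answer warns: if the preferred DC is unreachable or slow the locator falls through to the next priority, and a client can still pick a different DC for the Kerberos exchange than for the secure channel, so compare the output of nltest /dsgetdc and $env:LOGONSERVER against the DC named in the LsaSrv 40960 event before drawing conclusions.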