Well, first, we get this error stating that IAS could not find any DC for the specified domain:

Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 5052
Date: 11/18/2005
Time: 9:44:29 AM
User: N/A
Computer: SWSAD1
Description: There is no domain controller available for domain SWSNM.

Then, this is the next error for the username in UPN form:

Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 3
Date: 11/18/2005
Time: 9:44:29 AM
User: N/A
Computer: SWSAD1
Description: Access request for user [EMAIL PROTECTED] was discarded.
Fully-Qualified-User-Name = SWSNM\gstest-nm
NAS-IP-Address = 10.10.15.11
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = v1.domain.com
Client-IP-Address = 10.1.1.11
NAS-Port-Type = Virtual
NAS-Port = 5765
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 6
Reason = The server is unavailable.

I need to figure out why the IAS can't find the DCs. All the DNS entries are correct; DCDIAG, NETDIAG & DNSLint all come out clean. Just doesn't make any sense.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Guy Teverovsky

Sorry, that should be: netsh ras set tracing * ENABLED

Also take a look at the authentication flow over here: http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url="" (it's W2K specific, but from my experience it is not different from W2K3). It will help you correlate the logs with what is going on.

The error you are getting is quite generic; several times I have seen IAS trying to look for a non-existing domain (based on incorrect mapping of the user account to the account's domain) and resulting in this exact error. Remember that IAS receives a RADIUS authentication request, which (depending on the auth method: MSCHAPv2, EAP-TLS, PEAP, PAP, CHAP, etc...) might have the user/account pair in different forms. The result is that IAS needs to apply additional logic to figure out the account's domain.

Have you tried to authenticate with UPN or Kerb principal instead of domain\username?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of

The problem is the IAS server cannot find any DCs in those domains. Also, I get the following error with the netsh command:

C:\>netsh ras tracing * ENABLED
The following command was not found: ras tracing * ENABLED.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of

Are members in those 2 domains having a UPN suffix not in the namespace of the forest root? Example:

Child suffixes: @child.forest.com

Are the users trying to log on using UPN or domain\samaccountname? Have you tried the implicit Kerberos principal ([EMAIL PROTECTED])?

IAS is rather touchy when it comes to mapping UPNs to correct domains... You can also enable IAS debugging by issuing on the IAS server:

netsh ras tracing * ENABLED

You will find detailed logs at %SystemRoot%\Tracing

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of

No replication errors at all. Directory Service logs are clean.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe Pochedley

Hmm... Any replication problems with those servers in the past (or currently)? Any Kerberos errors?

Joe Pochedley

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of

I ran DNSLint and it returned SRV records for all DCs in that domain. I also ran ntdsutil to do a metadata cleanup of any possible orphaned server and noticed that I get the following RPC error when trying to connect to one of the existing DCs: 'DsBindW error 0x6ba(The RPC server is unavailable.)'

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe Pochedley

DCs are located by querying DNS. Check and make sure the proper SRV records for the two domains in question appear on the server that your IAS is using for DNS. DNSLint may help you with this task.

Joe Pochedley

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of

I have 15 child domains in my AD forest. When using IAS (Nortel VPN) as a RADIUS server on my root AD server, I can get clients to successfully authenticate against all domains but 2. On these two domains, I get an IAS event id error of 5052, 'There is no domain controller available for domain SWSNM'. I've run DCDIAG and NETDIAG against these domains and the tests pass. How does IAS locate domain controllers for authentication? How can I troubleshoot this?

Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
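Added example, not code from anyone in this thread: a small Python helper that parses an IAS Event ID 3 discard like the one quoted above, identifies the user-name form IAS has to map to a domain (the mapping step Guy describes), and lists the DC-locator SRV records Joe says to verify on the DNS server IAS uses. The sample event, its UPN suffix and the NetBIOS-to-DNS mapping table are constructed placeholders, not values from the list.

```python
import re

# Constructed sample modelled on the Event ID 3 description quoted in the thread;
# the UPN suffix is a placeholder, not a value from the list.
SAMPLE_EVENT = """Access request for user gstest-nm@swsnm.example was discarded.
Fully-Qualified-User-Name = SWSNM\\gstest-nm
NAS-IP-Address = 10.10.15.11
Client-IP-Address = 10.1.1.11
Authentication-Server = <undetermined>
Reason-Code = 6
Reason = The server is unavailable."""

# Assumed NetBIOS -> DNS domain mapping for the forest (placeholder name).
NETBIOS_TO_DNS = {"SWSNM": "swsnm.example"}

def parse_ias_event(text):
    """Turn the 'Name = value' lines of an IAS event description into a dict."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$", line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def classify_user_name(name):
    """Identify which account form IAS must map to a domain before finding a DC."""
    if "\\" in name:                       # NetBIOS domain\samaccountname
        dom, user = name.split("\\", 1)
        return ("netbios", dom, user)
    if "@" in name:                        # UPN or Kerberos principal
        user, suffix = name.rsplit("@", 1)
        return ("upn", suffix, user)
    return ("bare", None, name)

def dc_locator_srv_names(dns_domain):
    """SRV records the DC locator asks DNS for; if they are missing, no DC is found."""
    d = dns_domain.rstrip(".")
    return [f"_ldap._tcp.dc._msdcs.{d}", f"_kerberos._tcp.dc._msdcs.{d}"]

def triage(text):
    """For a Reason-Code 6 discard, name the domain and the SRV records to verify."""
    attrs = parse_ias_event(text)
    form, domain, _user = classify_user_name(attrs.get("Fully-Qualified-User-Name", ""))
    dns_domain = NETBIOS_TO_DNS.get(domain) if form == "netbios" else domain
    return {
        "reason_code": int(attrs.get("Reason-Code", "-1")),
        "user_form": form,
        "dns_domain": dns_domain,                        # None if the mapping is unknown
        "srv_to_check": dc_locator_srv_names(dns_domain) if dns_domain else [],
    }
```

Run `triage(SAMPLE_EVENT)` and query each returned SRV name (for example with nslookup) against the DNS server IAS is configured to use; an empty `srv_to_check` means the NetBIOS name could not be mapped to a DNS domain, which is the mapping failure the thread discusses.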
