
Domain server network connections unauthenticated or on “Public” network

Picture this:

Everything on your network is running fine, multiple sites, multiple VPNs, multiple domains. The site may or may not be virtualized.

Something dramatic happens (let's say a power cut to the head office). All the equipment comes back up in a strange order (servers before the SAN, Exchange before AD, etc.).

You get the servers back online but strange things are happening. There are lots of errors in the event logs, relating to Active Directory and DNS. Failure to find domain, replication, zone transfer failures etc. All the fun stuff.

After a little investigation (and after waiting for very unhappy Exchange servers that cannot find AD to respond), you may find some strange behaviour.

Servers might have dropped onto the Public network profile and are unable to replicate or communicate properly with the domain. I say properly, because some things will work and some things won't: the Public profile applies the Public firewall rule set, so the inbound rules that only exist for the Domain profile (RPC, LDAP, DNS zone transfers between DCs and so on) are silently not in effect.

Exchange might have most of its services still starting, and it will be a total pain and take a very long time to open ncpa.cpl (Network Connections). If you manage to change the DNS servers on Exchange to a DC that is not affected, Exchange will come up, or so it seems. Mail should flow, and members of the domain that Exchange is in will be able to log in and get mail. Members of other (parent/child) domains who have mailboxes on the server may not be able to log in to webmail, though, and will get authentication errors on mobile devices.

Rebooting the servers or flushing DNS doesn't resolve these odd issues. Closer investigation reveals that some servers (possibly the DCs) are on the Public profile, and other servers (possibly Exchange) are on the domain network with "(unauthenticated)" appended to the network name. That suffix means Network Location Awareness (NLA) recognised the domain network but could not find and authenticate to a domain controller when the link came up, so the machine is treated as if it were not on the domain at all.

Before you try removing and re-adding the vNIC (the server will take ages, or forever, to recognise it; don't bother), try this simple fix:

Open Device Manager (devmgmt.msc) and disable the network connection on the AD servers first. Re-enable it, which forces NLA to re-classify the connection, and it should drop back onto the Domain profile. If not, change the primary DNS of the server to a known-good DC, run ipconfig /flushdns and try again. Once you have all the DCs in the domain (or at least the ones Exchange is using for DNS) back on the Domain profile, do the same with Exchange.

It should then drop back onto the Domain profile without "(unauthenticated)" after the network name. Once it has, restart the Microsoft Exchange Active Directory Topology service (check that all the other Exchange services restart OK), and after a little while mail should flow. Child/parent domain users should be able to access their mailboxes too.
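The same procedure as a PowerShell script, added here as an example and not part of the original post: it reads the NLA profile of the adapter, checks that a DC can actually be located through DNS, switches DNS to a known-good DC if not, bounces the adapter, re-checks the profile and, on an Exchange server, restarts the AD Topology service. The adapter alias "Ethernet", the domain "corp.example" and the DC address 10.0.0.10 are placeholders; the `-IsExchange` switch and the helper functions are this example's own, not Microsoft's.

```powershell
# Added example (not from the original post). Run elevated on the
# affected server. Placeholders: adapter alias, domain name, DC address.
[CmdletBinding()]
param(
    [string]$Adapter          = 'Ethernet',
    [string]$Domain           = 'corp.example',
    [string[]]$GoodDnsServers = @('10.0.0.10'),
    [switch]$IsExchange
)

function Get-ProfileState {
    param([string]$Alias)
    $p = Get-NetConnectionProfile -InterfaceAlias $Alias -ErrorAction Stop
    # NetworkCategory is Public, Private or DomainAuthenticated. A joined
    # server that shows "(unauthenticated)" in ncpa.cpl reports anything
    # but DomainAuthenticated here.
    [pscustomobject]@{
        Name     = $p.Name
        Category = $p.NetworkCategory
        OnDomain = ($p.NetworkCategory -eq 'DomainAuthenticated')
    }
}

function Test-DcReachable {
    param([string]$DomainName)
    # NLA lands on the Domain profile only if it can find a DC via the
    # _ldap._tcp.dc._msdcs SRV record and then talk to it, so check the
    # same lookup the DC locator uses before bouncing anything.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
        $null = nltest /dsgetdc:$DomainName 2>&1
        return (@($srv).Count -gt 0 -and $LASTEXITCODE -eq 0)
    } catch {
        return $false
    }
}

$before = Get-ProfileState -Alias $Adapter
Write-Host "Before: $($before.Name) [$($before.Category)]"

if (-not $before.OnDomain) {
    if (-not (Test-DcReachable -DomainName $Domain)) {
        # DC lookup fails: point DNS at a DC that is known to be up,
        # otherwise re-detection will simply land on Public again.
        Write-Host "DC lookup failed; switching DNS to $($GoodDnsServers -join ', ')"
        Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $GoodDnsServers
        Clear-DnsClientCache      # same effect as ipconfig /flushdns
    }
    # Equivalent of disable/enable in devmgmt.msc: forces NLA to
    # re-classify the connection when the link comes back up.
    Disable-NetAdapter -Name $Adapter -Confirm:$false
    Start-Sleep -Seconds 5
    Enable-NetAdapter -Name $Adapter
    # Give NLA time to locate a DC and authenticate before re-checking.
    Start-Sleep -Seconds 20
}

$after = Get-ProfileState -Alias $Adapter
Write-Host "After:  $($after.Name) [$($after.Category)]"

# The machine account's secure channel to a DC must also be healthy;
# if this returns False the "(unauthenticated)" suffix will come back.
Write-Host "Secure channel OK: $(Test-ComputerSecureChannel)"

if ($after.OnDomain -and $IsExchange) {
    # Exchange caches its DC/GC list; restarting the topology service
    # makes the dependent Exchange services re-discover working DCs.
    Restart-Service -Name MSExchangeADTopology -Force
    Get-Service -Name 'MSExchange*' |
        Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' } |
        ForEach-Object { Write-Warning "$($_.Name) is $($_.Status)" }
}
```

Run it on the DCs first (without `-IsExchange`), confirm each reports DomainAuthenticated, then run it on the Exchange servers with `-IsExchange`. If a DC still comes back as Public after the bounce, the DNS server it is pointed at cannot resolve the domain's SRV records, which is the next thing to fix.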
