This knowledge article is to describe the behaviour of Authentication Services when a domain controller (DC) goes offline or is unreachable.
How does Authentication Server determine what domain controller to communicate to?
Will Authentication Services failover to another domain controller when the one it is talking to goes offline?
How to Increase DC fail over speed during DNS/AD outage?
If the Domain Controller (DC) goes offline, Authentication Services will automatically failover to another available DC.
When Authentication Services needs to connect to a new DC, it examines the DCs it knows about, and selects an available DC using the following:
If no new DC can be found, QAS goes into "disconnected mode", where it will try every 30 seconds to find an available DC to communicate with.
1. mscldap-timeout =
Default value: 1
This option controls the timeout when performing a MSCLDAP ping against Active Directory Domain Controllers to determine site membership. In environments with long latencies, you may want to increase the default timeout. This timeout determines how long the VAS API should wait for any response from the available set of Domain Controllers for a given domain. However, when modifying this value, careful attention should be made with respect to other timeout settings. For example, a mscldap-timeout that equals vascache-ipc-timeout could affect the ability of vasd to resolve objects within the IPC timeout period.
2. server-unreachable-retry-max =
Default value: 1
Domain Controller Unreachable Threshold. Once a VAS client determines that it cannot reach a specific domain controller it is marked as unreachable for a period of time. During this period you are guaranteed not to attempt to connect to the unreachable domain controller.
3. kdc_timeout =
4. max_retries =
Commands to troubleshoot issue:
1. 'vastool status dc' will provide status information about known domain controllers in the forest. If the -d domain option is not used, all DC's in the forest will be checked. -p will perform a MSCLDAP ping. -u will perform a generic authenticated ldap search. -a will perform an anonymous ldap search, however, post 2000 Active Directory DC's do not allow any anonymous search and this ability is often disabled in most environments. If no options are specified, all tests will be performed.
2. 'vastool info servers'
Servers type = DC, domain = cs-unix.ca, site = Halifax:
3. 'vastool info cldap dc-03.cs-unix.ca'
Server IP: 10.4.66.88
Server Forest: cs-unix.ca
Server Domain: cs-unix.ca
Server Hostname: dc-03.cs-unix.ca
Server Netbios Domain: CS-UNIX
Server Netbios Hostname: DC-03
Server Site: Halifax
Client Site: Halifax
Flags: GC LDAP DS KDC CLOSE_SITE WRITABLE
Query Response Time: 0.0024 seconds