Sorry, that should be:

netsh ras set tracing * ENABLED

Also take a look at the authentication flow over here: http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url= (it's W2K specific, but from my experience is not different from W2K3). It will help you correlate the logs with what is going on.

The error you are getting is quite generic – several times I have seen IAS trying to look for a non-existing domain (based on incorrect mapping of user account to account's domain) and resulting in this exact error.

Remember that IAS receives a RADIUS authentication request, which (depending on the auth method: MSCHAPv2, EAP-TLS, PEAP, PAP, CHAP, etc…) might have the user/account pair in different forms. The result is that IAS needs to apply additional logic to figure out the account's domain.

Have you tried to authenticate with UPN or Kerb principal instead of domain\username?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon

The problem is the IAS server cannot find any DCs in those domains. Also, I get the following error with the netsh command:

C:\>netsh ras tracing * ENABLED
The following command was not found: ras tracing * ENABLED.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

Are members in those 2 domains having UPN suffix not in the namespace of the forest root? Example: Child suffixes: @child.forest.com

Are the users trying to logon using UPN or domain\samaccountname?

Have you tried implicit Kerberos principal ([EMAIL PROTECTED])

IAS is rather touchy when it comes to mapping UPNs to correct domains…

You can also enable IAS debugging by issuing on the IAS server:

netsh ras tracing * ENABLED

You will find detailed logs at %SystemRoot%\Tracing

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

No replication errors at all. Directory Service logs are clean.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley

Hmm... Any replication problems with those servers in the past (or currently)? Any Kerberos errors?

Joe Pochedley

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

I ran DNSLint and it returned SRV records for all DC’s in that domain. I also ran ntdsutil to do a metadata cleanup of any possible orphaned server and noticed that I get the following RPC error when trying to connect to one of the existing DCs:

‘DsBindW error 0x6ba(The RPC server is unavailable.)’

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley

DC's are located by querying DNS. Check and make sure the proper SRV records for the two domains in question appear on the server that your IAS is using for DNS. DNSLint may help you with this task.

Joe Pochedley

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

I have 15 child domains in my AD forest. When using IAS (Nortel VPN) as a Radius server on my root AD server, I can get clients to successfully authenticate against all domains but 2. On these two domains, I get an IAS event id error of 5052, ‘There is no domain controller available for domain SWSNM’. I’ve run DCDIAG and NETDIAG against these domains and the tests pass.

How does IAS locate domain controllers for authentication? How can I troubleshoot this?

Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
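
The SRV-record and RPC connectivity checks discussed in this thread, as an added example that is not part of any of the original messages: for each domain it queries the DC locator SRV record on the DNS server the IAS host uses, then tests the Kerberos, RPC endpoint mapper and LDAP ports on every DC returned. It assumes a current Windows host with the Resolve-DnsName and Test-NetConnection cmdlets; the domain names, the DNS server address and the function name Test-DcLocator are placeholders.

```powershell
# Added example (not from the thread). Domain names and DNS server are placeholders.
param(
    [string[]]$Domains   = @('child1.forest.example', 'child2.forest.example'),
    [string]  $DnsServer = '192.0.2.10',     # placeholder: DNS server the IAS host queries
    [int[]]   $Ports     = @(88, 135, 389)   # Kerberos, RPC endpoint mapper, LDAP
)

function Test-DcLocator {
    param([string]$Domain, [string]$DnsServer, [int[]]$Ports)

    # DC locator SRV record that domain controllers register for their domain
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    try {
        $srv = @(Resolve-DnsName -Name $srvName -Type SRV -Server $DnsServer `
                     -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' })
    } catch {
        # Name does not exist, timeout or refusal: report it and stop for this domain
        return [pscustomobject]@{
            Domain = $Domain; DC = $null; Port = $null; Reachable = $false
            Note   = "SRV lookup failed: $($_.Exception.Message)"
        }
    }
    if ($srv.Count -eq 0) {
        return [pscustomobject]@{
            Domain = $Domain; DC = $null; Port = $null; Reachable = $false
            Note   = 'No SRV records returned'
        }
    }

    foreach ($rec in $srv) {
        foreach ($port in $Ports) {
            # The DC host name is resolved by the local resolver, not by $DnsServer
            $ok = Test-NetConnection -ComputerName $rec.NameTarget -Port $port `
                      -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                Domain = $Domain; DC = $rec.NameTarget; Port = $port
                Reachable = $ok; Note = ''
            }
        }
    }
}

$Domains |
    ForEach-Object { Test-DcLocator -Domain $_ -DnsServer $DnsServer -Ports $Ports } |
    Format-Table -AutoSize
```

Run it from the IAS server itself so that the results reflect that host's DNS view and network path. A DC that has SRV records but is unreachable on port 135 matches the "RPC server is unavailable" symptom reported in the thread.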
- RE: [ActiveDir] IAS, Radius & AD Guy Teverovsky
- RE: [ActiveDir] IAS, Radius & AD Harding, Devon
