RE: [ActiveDir] IAS, Radius & AD

[Harding, Devon]

Well, first, we get this error stating that IAS could not find any DC for the specified domain:   Event Type:       Error Event Source:    IAS Event Category: None Event ID:           5052 Date:                11/18/2005 Time:                9:44:29 AM User:                N/A Computer:         SWSAD1 Description: There is no domain controller available for domain SWSNM.   Then, this is the next error for the username in UPN form:   Event Type:       Error Event Source:    IAS Event Category: None Event ID:           3 Date:                11/18/2005 Time:                9:44:29 AM User:                N/A Computer:         SWSAD1 Description: Access request for user [EMAIL PROTECTED] was discarded.  Fully-Qualified-User-Name = SWSNM\gstest-nm  NAS-IP-Address = 10.10.15.11  NAS-Identifier = <not present>  Called-Station-Identifier = <not present>  Calling-Station-Identifier = <not present>  Client-Friendly-Name = v1.domain.com  Client-IP-Address = 10.1.1.11  NAS-Port-Type = Virtual  NAS-Port = 5765  Proxy-Policy-Name = Use Windows authentication for all users  Authentication-Provider = Windows  Authentication-Server = <undetermined>  Reason-Code = 6  Reason = The server is unavailable.   I need to figure out why the IAS can’t find the DC’s.  All the DNS entries are correct, DCDIAG, NETDIAG & DNSLint all come out clean.  Just doesn’t make any sense.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Friday, November 18, 2005 8:27 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] IAS, Radius & AD   Sorry, that should be: netsh ras set tracing * ENABLED Also take a look at the authentication flow over here: http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=""> (it's W2K specific, but from my experience is not different from W2K3) It will help you correlate the logs with what is going on.   The error you are getting is quite generic – several times I have seen IAS trying to look for a non-existing domain (based on incorrect mapping of user account to account's domain) and resulting in this exact error. Remember that IAS receives a RADIUS authentication request, which (depending on the auth method: MSCHAPv2, EAP-TLS, PEAP, PAP, CHAP, etc…) might have the user/account pair in different forms. The result is that IAS needs to apply additional logic to figure out the account's domain.   Have you tried to authenticate with UPN or Kerb principal instead of domain\username ?     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Friday, November 18, 2005 00:32 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] IAS, Radius & AD   The problem is the IAS server cannot find any DCs in those domains.  Also, I get the following error with the netsh command:   C:\>netsh ras tracing * ENABLED The following command was not found: ras tracing * ENABLED.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Thursday, November 17, 2005 4:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] IAS, Radius & AD   Are members in those 2 domains having UPN suffix no in the namespace of the forest root ? Example: Forest root suffixes: @company.net Child suffixes: @child.forest.com   Are the users trying to logon using UPN or domain\samaccountname ? Have you tried implicit Kerberos principal ([EMAIL PROTECTED])   IAS is rather touchy when it comes to mapping UPNs to correct domains… You can also enable IAS debugging by issuing on the IAS server: netsh ras tracing * ENABLED   You will find detailed logs at %SystemRoot%\Tracing   Guy From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Thursday, November 17, 2005 20:15 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] IAS, Radius & AD   No replication errors at all.  Directory Service logs are clean.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley Sent: Thursday, November 17, 2005 11:24 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] IAS, Radius & AD   Hmm...  Any replication problems with those servers in the past (or currently)?  Any Kerberos errors?  Joe Pochedley A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Thursday, November 17, 2005 10:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] IAS, Radius & AD I ran DNSLint and it returned SRV records for all DC’s in that domain.  I also ran ntdsutil to do a metadata cleanup of any possible orphaned server an noticed that I get the following RPC error when trying to connect to one of the existing DCs: ‘DsBindW error 0x6ba(The RPC server is unavailable.)’   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley Sent: Thursday, November 17, 2005 9:47 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] IAS, Radius & AD   DC's are located by querying DNS.  Check and make sure the proper SRV records for the two domains in question appears on the server that your IAS is using for DNS.  DNSLint may help you with this task. Joe Pochedley A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Thursday, November 17, 2005 8:47 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] IAS, Radius & AD I have 15 child domains in my AD forest.  When using IAS (Nortel VPN) as a Radius server on my root AD server, I can get clients to successfully authenticate against all domains but 2.  On these two domains, I get an IAS event id error of 5052, ‘There is no domain controller available for domain SWSNM’.  I’ve ran DCDIAG and NETDIAG against these domain and the tests passes.   How does IAS locate domain controllers for authentication?  How can I troubleshoot this?   Devon Harding Windows Systems Engineer Southern Wine & Spirits - BSG 954-602-2469   __________________________________ This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.