
Applies to: Windows 10 – all editions, Windows Server 2012 R2

This article fixes an issue where the application can't authenticate users when you shut down a Domain Controller (DC).

The applications on the domain use NT Local Area Network Manager (NTLM) or Kerberos to authenticate users. Some applications have a pattern where the clients often reconnect to the application server. In this situation, when you shut down a DC, the application might not authenticate users until both the DC isn't responding on the network and the Domain Member has selected a different DC for authentication. In the diagnostic logs and network traces, you may see user logon errors ("logon failure"), or the error 0xc0000064 STATUS_NO_SUCH_USER, which displays "The specified account does not exist". If you are using Kerberos, you may see Error 6, KDC_ERR_C_PRINCIPAL_UNKNOWN.

Applications are mostly affected when they use NTLM. Applications that use Kerberos may also be affected if Kerberos privilege attribute certificate (PAC) verification is used for authentications accepted by the application. It's not possible to turn these verifications off in all cases.

When the DC is in shutdown phase, it will normally tell current clients to use another DC for authentication using the error code 0xc00000dc (STATUS_INVALID_SERVER_STATE). There is a code path where this issue doesn't happen. The server won't avoid responding to new clients on Netlogon User Datagram Protocol (UDP) queries. Also, the clients that received the error that the DC is in shutdown won't avoid selecting the same DC on the later DC search. When a client selects the DC while in shutdown, NTLM or Kerberos requests will fail again. At this point, the client will go into a negative cache mode, and will fail later authentication requests. In the case of NTLM, the client is the application server, so it can't accept new clients until a working DC is selected.
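The following script is an added triage example, not part of the article and not Microsoft's tooling. It takes the three status values the article names (0xc00000dc STATUS_INVALID_SERVER_STATE, 0xc0000064 STATUS_NO_SUCH_USER and Kerberos error 6 KDC_ERR_C_PRINCIPAL_UNKNOWN), scans a stream of authentication log records, and reports which clients kept failing against a DC after that DC had already signalled shutdown, and which of them later recovered by authenticating against a different DC. The one-line `dc=... client=... proto=... status=...` record format and the sample log lines are constructed for this example; they are not a Windows event log format, so you would first map your own diagnostic log or trace fields onto it.

```python
"""
Added triage example for the DC-shutdown authentication failure described above.

Finds DCs that returned STATUS_INVALID_SERVER_STATE (shutdown signal), then
reports clients whose later NTLM/Kerberos failures were still directed at that
DC, i.e. clients that re-selected a DC that was going down instead of moving to
a healthy one. The record format below is constructed for this script.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Status values named in the article text.
STATUS_INVALID_SERVER_STATE = "0xc00000dc"   # DC tells clients it is shutting down
STATUS_NO_SUCH_USER = "0xc0000064"           # NTLM failure seen by the application
KDC_ERR_C_PRINCIPAL_UNKNOWN = "6"            # Kerberos failure seen by the client
FAILURE_CODES = {STATUS_NO_SUCH_USER, KDC_ERR_C_PRINCIPAL_UNKNOWN}
SUCCESS = "ok"                               # constructed success marker (lower-cased)

# Constructed sample log (not a real capture): DC01 signals shutdown; APP01 keeps
# going back to DC01, APP02 moves on to DC02, APP03 is never affected.
SAMPLE_LOG = """\
2024-05-02T10:00:00Z dc=DC01 client=APP01 proto=NTLM status=OK
2024-05-02T10:00:30Z dc=DC01 client=APP02 proto=KRB status=OK
2024-05-02T10:01:00Z dc=DC01 client=APP01 proto=NTLM status=0xc00000dc
2024-05-02T10:01:05Z dc=DC01 client=APP02 proto=KRB status=0xc00000dc
2024-05-02T10:01:10Z dc=DC01 client=APP02 proto=KRB status=6
2024-05-02T10:01:20Z dc=DC02 client=APP02 proto=KRB status=OK
2024-05-02T10:01:30Z dc=DC01 client=APP01 proto=NTLM status=0xc0000064
2024-05-02T10:02:00Z dc=DC01 client=APP01 proto=NTLM status=0xc0000064
2024-05-02T10:02:30Z dc=DC01 client=APP01 proto=KRB status=6
2024-05-02T10:03:00Z dc=DC02 client=APP03 proto=NTLM status=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) dc=(?P<dc>\S+) client=(?P<client>\S+) "
    r"proto=(?P<proto>\S+) status=(?P<status>\S+)$"
)


@dataclass(frozen=True)
class AuthRecord:
    ts: datetime
    dc: str
    client: str
    proto: str
    status: str


def parse_log(text):
    """Parse the constructed record format into AuthRecords sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised log line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(AuthRecord(ts, m["dc"], m["client"], m["proto"], m["status"].lower()))
    records.sort(key=lambda r: r.ts)
    return records


def shutdown_signals(records):
    """First time each DC was seen returning STATUS_INVALID_SERVER_STATE."""
    first = {}
    for r in records:
        if r.status == STATUS_INVALID_SERVER_STATE and r.dc not in first:
            first[r.dc] = r.ts
    return first


def triage(records):
    """
    Per client: count NTLM/Kerberos failures against a DC after that DC signalled
    shutdown, and note whether the client later succeeded against another DC.
    """
    signals = shutdown_signals(records)
    findings = {}
    for r in records:
        if r.dc in signals and r.ts > signals[r.dc] and r.status in FAILURE_CODES:
            f = findings.setdefault(
                r.client, {"dc": r.dc, "failures": 0, "protocols": set(), "recovered_via": None}
            )
            f["failures"] += 1
            f["protocols"].add(r.proto)
    for r in records:
        f = findings.get(r.client)
        if f and r.status == SUCCESS and r.dc != f["dc"] and r.ts > signals[f["dc"]]:
            f["recovered_via"] = r.dc  # client moved to a healthy DC
    return findings


def stuck_clients(findings):
    """Clients still failing against the shutting-down DC with no recovery seen."""
    return sorted(c for c, f in findings.items() if f["recovered_via"] is None)


if __name__ == "__main__":
    found = triage(parse_log(SAMPLE_LOG))
    for client, f in found.items():
        print(f"{client}: {f['failures']} failure(s) via {f['dc']} "
              f"({', '.join(sorted(f['protocols']))}); recovered via {f['recovered_via']}")
    print("still stuck:", stuck_clients(found))
```

On the constructed sample, APP01 shows up as stuck (three failures, both NTLM and Kerberos, still aimed at DC01) while APP02 is listed with one Kerberos failure and a recovery through DC02. In a real investigation the useful signal is the set returned by `stuck_clients`: those are the application servers whose Netlogon DC selection has not yet moved off the DC you took down, which is exactly the window in which the article says the application cannot accept new clients.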
