There are currently no logon servers available to service the logon request

January 10, 2015 - David Sokolik


Error message when you try to log on to a Windows Server based RODC: “There are currently no logon servers available to service the logon request”

So you are located at a remote branch site, you try to log in to your local server and suddenly you get “There are currently no logon servers available to service the logon request”.

Many system administrators do not fully understand the way an RODC (Read Only Domain Controller) works and therefore run into this issue.

RODCs are a great way to provide some Active Directory services to a remote site while preserving security: an RODC holds a read-only copy of the directory and, by default, no user passwords, so if a branch site is breached the attacker does not walk away with the credentials of your entire organization.

But what happens if the connectivity to the main site is no longer available, or the local RODC is down and requires maintenance?

The one thing almost every system administrator I have met is unaware of is that, due to the nature of their design, RODCs cannot authenticate users locally by default. Every logon is forwarded to a writable domain controller, and when that link is down the logon fails with the error above. We must therefore first configure the Password Replication Policy (PRP) before the local RODC can provide any form of authentication to our end users on its own.

What is Password Replication Policy (PRP):

The PRP is what many refer to as credential caching. It allows the system administrator to define which users or security groups may have their credentials (password secrets) cached on an RODC.

For example, assume we have a main office site (HQ) located in New York City with two branch sites, one in California and one in London.

How many of the users in New York will ever need to authenticate in California or London? And how many of the users in California or London will need to authenticate anywhere else?

If you have properly set up your Active Directory you either have security groups for the users in those offices or have organizational units (OUs) containing them.

With PRP we define which groups or users will be cached on each RODC.

Consider creating a new security group for each RODC (you can use the built-in ‘Allowed RODC Password Replication Group‘ instead if you want to grant the same users the ability to log on through all RODCs, but then any RODC may cache, and a compromised one may expose, the secrets of any user in that group).

How to configure the Password Replication Policy (PRP):

The PRP is configured on a writable domain controller (meaning NOT on an RODC).

Open the ‘Active Directory Users and Computers‘ MMC snap-in.

Inside the snap-in navigate to the container where the RODC computer object is located (by default the Domain Controllers OU), right click it and select ‘Properties‘. You will notice a tab labeled ‘Password Replication Policy‘ that exists only for RODCs; go into that tab.

Inside you will notice several pre-populated security groups. The two groups you need to take a closer look at are ‘Allowed RODC Password Replication Group‘ and ‘Denied RODC Password Replication Group‘.

If you double click each group you will notice that the allowed group is empty by default while the denied group has a few pre-populated members. The three most important ones are:

  • Domain Admins
  • Enterprise Admins
  • Schema Admins

The users within these three groups are usually your IT administrators and service accounts that require access to various network-wide resources such as Exchange, Active Directory or file servers.

So we must note that the users within those groups will not be cached by default, and will still be denied caching even if we add them to the ‘Allowed RODC Password Replication Group‘: an entry on the deny side always wins over an entry on the allow side. This is deliberate, as caching a Domain Admin password on a branch RODC would hand that account to whoever compromises the branch.

I recommend that you create a dedicated administrative account for each branch and grant it local administrator privileges on the related RODC only, rather than logging on to the RODC with a Domain Admin account that can never be cached there.

If you have created a dedicated security group for each branch, simply add it with the ‘Allow passwords for the account to replicate to this RODC‘ setting.


Now wait for the Active Directory replication to finish. Note that allowing an account is not the same as caching it: the RODC caches an allowed account's secret only the next time that account authenticates through the RODC (or when you prepopulate it), so a branch whose users have never logged on through the RODC will still fail over a dead WAN link.
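The same procedure done from a writable DC with the ActiveDirectory PowerShell module, as an added example that is not part of the original post. It also adds two things the GUI steps above leave implicit: a resultant-policy check showing that a deny entry beats an allow entry, and prepopulation so the branch is covered before anyone has logged on through the RODC. One caveat the post does not mention: branch workstations need their own computer account secrets cached too, otherwise they cannot complete a logon during a WAN outage even when the user's password is cached. The RODC name 'LON-RODC01', the group 'RODC-London-Allowed', the OU 'OU=London,DC=corp,DC=example,DC=com', the domain 'corp.example.com' and the user 'jsmith' are assumptions for the example.

```powershell
# Added example, not from the original post: configure and verify a per-branch
# Password Replication Policy from a writable DC. All names below are assumed.
Import-Module ActiveDirectory

$Rodc      = 'LON-RODC01'
$BranchGrp = 'RODC-London-Allowed'
$BranchOU  = 'OU=London,DC=corp,DC=example,DC=com'
$Domain    = 'corp.example.com'

# 1. One security group per RODC rather than the domain-wide allowed group.
if (-not (Get-ADGroup -Filter "Name -eq '$BranchGrp'")) {
    New-ADGroup -Name $BranchGrp -GroupScope Global -GroupCategory Security `
                -Description "Accounts whose secrets may be cached on $Rodc"
}
# Branch users AND branch workstations: a workstation needs its own computer
# account secret on the RODC, or the logon still fails when the WAN is down.
Get-ADUser     -SearchBase $BranchOU -Filter * | Add-ADPrincipalGroupMembership -MemberOf $BranchGrp
Get-ADComputer -SearchBase $BranchOU -Filter * | Add-ADPrincipalGroupMembership -MemberOf $BranchGrp

# 2. The 'Allow passwords for the account to replicate to this RODC' setting.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchGrp

# 3. Resultant decision for one account. Deny entries beat allow entries, so a
#    Domain Admin stays uncached no matter what is on the allow side.
function Get-RodcCachingDecision {
    param([Parameter(Mandatory)][string]$Rodc,
          [Parameter(Mandatory)][string]$SamAccountName)
    $acct = Get-ADObject -Filter "SamAccountName -eq '$SamAccountName'" -Properties objectSid
    if (-not $acct) { throw "No account named '$SamAccountName'" }
    # A list entry matches if it is the account itself or a group the account
    # is a (nested) member of.
    $listed = {
        param($Entry)
        if ($Entry.DistinguishedName -eq $acct.DistinguishedName) { return $true }
        if ($Entry.ObjectClass -eq 'group') {
            $memberSids = (Get-ADGroupMember -Identity $Entry.DistinguishedName -Recursive).SID.Value
            return ($memberSids -contains $acct.objectSid.Value)
        }
        $false
    }
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
    if ($denied  | Where-Object { & $listed $_ }) { return 'Denied: an explicit deny wins over any allow' }
    if ($allowed | Where-Object { & $listed $_ }) { return 'Allowed: cached after first logon via this RODC or after prepopulation' }
    'Not allowed: every logon is forwarded to a writable DC'
}
Get-RodcCachingDecision -Rodc $Rodc -SamAccountName 'jsmith'         # assumed London user
Get-RodcCachingDecision -Rodc $Rodc -SamAccountName 'Administrator'  # member of Domain Admins

# 4. Allowed is not cached. Prepopulate from a writable DC so the branch
#    survives a WAN outage before anyone has logged on through the RODC.
$Hub = [string](Get-ADDomainController -Discover -Writable -DomainName $Domain).HostName
Get-ADGroupMember -Identity $BranchGrp -Recursive | ForEach-Object {
    repadmin /rodcpwdrepl $Rodc $Hub $_.DistinguishedName
}

# 5. What the RODC actually holds right now.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName
```

Run it on a writable DC (or a workstation with RSAT) as an account that may edit the RODC's policy. Step 3 reproduces what the ‘Resultant Policy‘ tab of the Advanced dialog on the ‘Password Replication Policy‘ tab shows in the GUI; step 5 is the ‘Policy Usage‘ view of accounts whose passwords are stored on that RODC, which is the list you should review after any branch compromise. `repadmin /rodcpwdrepl` refuses accounts the policy denies, so a Domain Admin in the branch group is reported rather than silently cached.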

Server 2008/2008R2 / Server 2012/2012R2 Active Directory / Active Directory Replication / AD Replication / Read-Only Domain Controller / RODC /

Comments

  • Confused says:

    Hello Dave,

    I have a similar problem with Server 2012 R2. I’m trying to log on to a server that’s a part of a trust relationship using an admin account with all the groups required but receive the same error. Let’s call the servers involved server1 and server2. Server1 is where the account is located, “srvacntadmin”. I want to log in to server2 using the account I created in server1. Every time I try, I get hit over the head with this very same error. Any suggestions?

  • Is the trust between the two domains a parent -> child trust or a domain / forest trust?

    This post describes the issue when the trust is parent / child or a secondary domain controller within the same domain and the PDC is unreachable.
