How AD Works

  • Last Post 17 November 2016
kitaab posted this 10 November 2016

We have around 4 DCs (Win 2008 Ent edition).

When we patch them during the monthly schedule, any user who is working at that time sees Outlook disconnections, Lync disconnections, and login prompts from IE (if they are connected to intranet sites).

Not all DCs restart at the same time, so at any point at least 1 DC is available.

All DCs are GCs and host DNS as well.

I was hoping a DC going down should affect existing connected users since there will be other DCs available to serve.

Is that correct?

kebabfest posted this 10 November 2016

You should never patch all your DCs at the same time, and they shouldn't be patched during working hours.


ken posted this 10 November 2016

For an environment with 4 DCs, that's good advice. Though it doesn't answer OP's question.

It's been a while since I last looked into it, but we have somewhat more than 500 DCs, and it's not feasible to deploy patches for everything outside business hours. There's too many other higher priority changes hogging those change windows.




kitaab posted this 10 November 2016

**Not** all DCs restart at the same time.


kennedyjim posted this 10 November 2016

Similar to the below. I had the issues the OP described until I got AD Sites set up correctly. Have not seen it since then.



idarryl posted this 10 November 2016

This sounds like a DNS issue, not an AD issue. On a client that experiences the issue, check that both of its DNS servers set in the DNS Client settings are valid IP addresses of the DCs (presuming they are also DNS servers), and check the DNS servers are indeed DNS servers by using nslookup:

    nslookup <name of machine, or website> <IP address of DNS server>

@Ken 500 DCs! What's your user base? I have 8000, and I'm trying to get ~60 to ~10.


ken posted this 11 November 2016

User base is ~40,000.

We could probably manage to get by with 10-20 DCs for user authentication – we don't have a huge user base. However, it's not just users: we also have resource domains, vendor domains, and then duplication of Production into Test and Development environments. Due to acquisition issues, we then have similar setups across a number of brands, plus a number of legacy environments/brands. Being in a regulated industry (banking) we then have some of this structure duplicated in the overseas locations we run in (Regulator requirements to allow structural separation in case the parent goes bust etc.). Whilst we're working to rationalise the environment, our problem is not so much needing lots of DCs, but having lots and lots of domains, each of which requires a minimum of 2 DCs, but often has many more. Unfortunately the payoff from rebuilding machines into a new domain is very low, so the whole consolidation effort usually needs to be tacked onto some other transformation project.

We have > 10,000 servers to give you an idea of the scale of the infrastructure environment. Everything from x86 through to multiple mainframes and everything in-between.






MittlemanR posted this 17 November 2016

Ask the question this way: "How Exchange Works".

Every 15 minutes Exchange servers check around to compile a list of all the currently running GCs in the same site as Exchange. If half are down for a patch-reboot, they won't make it into the list until the next check, 15 minutes later.

If, within the next 15 minutes, the first batch comes back up and you patch-reboot the second half of the DCs in the site, the Exchange servers won't find ANY GCs to use, because the first batch didn't make it back into their list and the second batch is now down.

Outlook clients don't do anything so reasonable as checking DNS for a GC to use for the GAL – instead, they get that list from the Exchange server. A FEW Outlook clients may fail if the DC they're currently using gets rebooted (although we haven't gotten any calls on that in years...) – but if ALL the DCs in the Exchange site are unavailable (some because they're rebooting, some because they were rebooting during the most recent 15-minute check and aren't on the list), many clients would report problems.

I don't know if anything in the Exchange implementation has changed over the years, since the month we EXPERIENCED Outlook failures because I was just a little bit too efficient patching the DCs in the Exchange site. Ever since then, we've instituted a rule to wait 20 minutes before patching the second half of the DCs in the Exchange site.

We're currently running Exchange 2010, and our Exchange group tells me it still works this way.

The above explanation about Exchange definitely accounts for Outlook failures. It may not be the entire explanation for Lync disconnections or IE logon prompts.

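The timing failure MittlemanR describes (a stale GC list captured while the first batch of DCs was down, then the second batch rebooted before the next rescan) is easy to reason about with a small model. The following is an added example, not code from the thread or from Exchange: it models DCs as up/down over a timeline in minutes, takes an Exchange topology snapshot every 15 minutes as the post states, and reports the minutes in which at least one DC is up yet Exchange's list yields no usable GC. The reboot windows and DC names are constructed for illustration; the 15-minute rescan and the 20-minute wait rule are the values from the post.

```python
"""Model of the Exchange GC-list timing failure described in the thread.

Added example (not from the original post or from Exchange). Assumptions:
  * Exchange rebuilds its in-site GC list every CHECK_INTERVAL minutes and
    only includes DCs that are up at the instant of the check.
  * Between checks, a GC is usable only if it is both on the list and up.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

CHECK_INTERVAL = 15  # minutes between Exchange topology rescans (from the post)


@dataclass(frozen=True)
class Reboot:
    """A patch-reboot of one DC: down from `start` up to (not including) `end`."""
    dc: str
    start: int
    end: int


def is_up(dc: str, reboots: List[Reboot], t: int) -> bool:
    """True unless some reboot window for `dc` covers minute `t`."""
    return not any(r.dc == dc and r.start <= t < r.end for r in reboots)


def simulate(dcs: List[str], reboots: List[Reboot], horizon: int,
             check_interval: int = CHECK_INTERVAL) -> List[Tuple[int, Set[str], Set[str]]]:
    """Per minute: (t, DCs actually up, DCs Exchange can actually use)."""
    gc_list: Set[str] = set()
    timeline = []
    for t in range(horizon):
        if t % check_interval == 0:
            # Rescan: DCs that are mid-reboot right now drop off the list.
            gc_list = {dc for dc in dcs if is_up(dc, reboots, t)}
        actually_up = {dc for dc in dcs if is_up(dc, reboots, t)}
        usable = gc_list & actually_up
        timeline.append((t, actually_up, usable))
    return timeline


def outage_minutes(timeline: List[Tuple[int, Set[str], Set[str]]]) -> List[int]:
    """Minutes where a DC is available, but Exchange's stale list offers none.

    This is exactly the OP's situation: 'at any point at least 1 DC is
    available', yet Outlook clients lose their GC.
    """
    return [t for t, up, usable in timeline if up and not usable]


DCS = ["DC1", "DC2", "DC3", "DC4"]  # constructed site with four GCs

# Constructed schedule: first half down 12-20, second half rebooted at 22,
# i.e. before the 30-minute rescan has re-added the first half.
FAST_PATCH = [
    Reboot("DC1", 12, 20), Reboot("DC2", 12, 20),
    Reboot("DC3", 22, 28), Reboot("DC4", 22, 28),
]

# Constructed schedule: wait 20 minutes after the first half returns (the
# post's rule) before rebooting the second half.
SPACED_PATCH = [
    Reboot("DC1", 12, 20), Reboot("DC2", 12, 20),
    Reboot("DC3", 40, 46), Reboot("DC4", 40, 46),
]


def compare_schedules(horizon: int = 60) -> Dict[str, List[int]]:
    """Outage minutes for each schedule, keyed by schedule name."""
    return {
        "fast": outage_minutes(simulate(DCS, FAST_PATCH, horizon)),
        "spaced": outage_minutes(simulate(DCS, SPACED_PATCH, horizon)),
    }


if __name__ == "__main__":
    for name, minutes in compare_schedules().items():
        status = f"outage at minutes {minutes}" if minutes else "no outage"
        print(f"{name:>7}: {status}")
```

In the fast schedule the rescan at minute 15 happens while DC1 and DC2 are down, so the list holds only DC3 and DC4; when those two reboot at minute 22, the list is empty of usable GCs until the minute-30 rescan even though DC1 and DC2 are back. Spacing the second batch past the next rescan removes the gap entirely. The same model can be used to check any proposed DC patch order against the rescan interval before a change window.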


michael1 posted this 17 November 2016

Lync piggybacks on Outlook's connection (if one exists).

Outlook uses NSPI for online name lookups and OABs for offline name lookups. In earlier releases of Exchange, NSPI was only exposed by GCs and DSProxy referred Outlook to an "appropriate" GC. In current releases, Exchange runs its own NSPI services. In Exchange 2010, DSProxy was eliminated and replaced by the Address Book Service. I cannot remember if, in Exchange 2010, the ABS just forwarded AB requests, or if it satisfied the requests. In 2013 or later, it satisfies the requests.

Regardless of which, you are still right on the money. If you don't let Exchange rebuild its DC lists in between DC reboots, it's gonna seriously complain.